1--- 2c: Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al. 3SPDX-License-Identifier: curl 4Title: CURLOPT_HTTPHEADER 5Section: 3 6Source: libcurl 7Protocol: 8 - HTTP 9 - SMTP 10 - IMAP 11See-also: 12 - CURLOPT_CUSTOMREQUEST (3) 13 - CURLOPT_HEADER (3) 14 - CURLOPT_HEADEROPT (3) 15 - CURLOPT_MIMEPOST (3) 16 - CURLOPT_PROXYHEADER (3) 17 - curl_mime_init (3) 18Added-in: 7.1 19--- 20 21# NAME 22 23CURLOPT_HTTPHEADER - set of HTTP headers 24 25# SYNOPSIS 26 27~~~c 28#include <curl/curl.h> 29 30CURLcode curl_easy_setopt(CURL *handle, CURLOPT_HTTPHEADER, 31 struct curl_slist *headers); 32~~~ 33 34# DESCRIPTION 35 36Pass a pointer to a linked list of HTTP headers to pass to the server and/or 37proxy in your HTTP request. The same list can be used for both host and proxy 38requests. 39 40When used within an IMAP or SMTP request to upload a MIME mail, the given 41header list establishes the document-level MIME headers to prepend to the 42uploaded document described by CURLOPT_MIMEPOST(3). This does not affect raw 43mail uploads. 44 45The linked list should be a fully valid list of **struct curl_slist** structs 46properly filled in. Use curl_slist_append(3) to create the list and 47curl_slist_free_all(3) to clean up an entire list. If you add a header that is 48otherwise generated and used by libcurl internally, your added header is used 49instead. If you add a header with no content as in 'Accept:' (no data on the 50right side of the colon), the internally used header is disabled/removed. With 51this option you can add new headers, replace internal headers and remove 52internal headers. To add a header with no content (nothing to the right side 53of the colon), use the form 'name;' (note the ending semicolon). 54 55The headers included in the linked list **must not** be CRLF-terminated, 56because libcurl adds CRLF after each header item itself. Failure to comply 57with this might result in strange behavior. libcurl passes on the verbatim 58strings you give it, without any filter or other safe guards. That includes 59white space and control characters. 60 61The first line in an HTTP request (containing the method, usually a GET or 62POST) is not a header and cannot be replaced using this option. Only the lines 63following the request-line are headers. Adding this method line in this list 64of headers only causes your request to send an invalid header. Use 65CURLOPT_CUSTOMREQUEST(3) to change the method. 66 67When this option is passed to curl_easy_setopt(3), libcurl does not copy the 68entire list so you **must** keep it around until you no longer use this 69*handle* for a transfer before you call curl_slist_free_all(3) on the list. 70 71Using this option multiple times makes the last set list override the previous 72ones. Set it to NULL to disable its use again. 73 74The most commonly replaced HTTP headers have "shortcuts" in the options 75CURLOPT_COOKIE(3), CURLOPT_USERAGENT(3) and CURLOPT_REFERER(3). We recommend 76using those. 77 78There is an alternative option that sets or replaces headers only for requests 79that are sent with CONNECT to a proxy: CURLOPT_PROXYHEADER(3). Use 80CURLOPT_HEADEROPT(3) to control the behavior. 81 82# SPECIFIC HTTP HEADERS 83 84Setting some specific headers causes libcurl to act differently. 85 86## Host: 87 88The specified hostname is used for cookie matching if the cookie engine is 89also enabled for this transfer. If the request is done over HTTP/2 or HTTP/3, 90the custom hostname is instead used in the ":authority" header field and 91Host: is not sent at all over the wire. 92 93## Transfer-Encoding: chunked 94 95Tells libcurl the upload is to be done using this chunked encoding instead of 96providing the Content-Length: field in the request. 97 98# SPECIFIC MIME HEADERS 99 100When used to build a MIME email for IMAP or SMTP, the following document-level 101headers can be set to override libcurl-generated values: 102 103## Mime-Version: 104 105Tells the parser at the receiving site how to interpret the MIME framing. 106It defaults to "1.0" and should normally not be altered. 107 108## Content-Type: 109 110Indicates the document's global structure type. By default, libcurl sets it 111to "multipart/mixed", describing a document made of independent parts. When a 112MIME mail is only composed of alternative representations of the same data 113(i.e.: HTML and plain text), this header must be set to "multipart/alternative". 114In all cases the value must be of the form "multipart/*" to respect the 115document structure and may not include the "boundary=" parameter. 116 117## 118 119Other specific headers that do not have a libcurl default value but are 120strongly desired by mail delivery and user agents should also be included. 121These are `From:`, `To:`, `Date:` and `Subject:` among others and their 122presence and value is generally checked by anti-spam utilities. 123 124# SECURITY CONCERNS 125 126By default, this option makes libcurl send the given headers in all HTTP 127requests done by this handle. You should therefore use this option with 128caution if you for example connect to the remote site using a proxy and a 129CONNECT request, you should to consider if that proxy is supposed to also get 130the headers. They may be private or otherwise sensitive to leak. 131 132Use CURLOPT_HEADEROPT(3) to make the headers only get sent to where you 133intend them to get sent. 134 135Custom headers are sent in all requests done by the easy handle, which implies 136that if you tell libcurl to follow redirects 137(CURLOPT_FOLLOWLOCATION(3)), the same set of custom headers is sent in 138the subsequent request. Redirects can of course go to other hosts and thus 139those servers get all the contents of your custom headers too. 140 141Starting in 7.58.0, libcurl specifically prevents "Authorization:" headers 142from being sent to other hosts than the first used one, unless specifically 143permitted with the CURLOPT_UNRESTRICTED_AUTH(3) option. 144 145Starting in 7.64.0, libcurl specifically prevents "Cookie:" headers from being 146sent to other hosts than the first used one, unless specifically permitted 147with the CURLOPT_UNRESTRICTED_AUTH(3) option. 148 149# DEFAULT 150 151NULL 152 153# %PROTOCOLS% 154 155# EXAMPLE 156 157~~~c 158int main(void) 159{ 160 CURL *curl = curl_easy_init(); 161 162 struct curl_slist *list = NULL; 163 164 if(curl) { 165 curl_easy_setopt(curl, CURLOPT_URL, "https://example.com"); 166 167 list = curl_slist_append(list, "Shoesize: 10"); 168 list = curl_slist_append(list, "Accept:"); 169 170 curl_easy_setopt(curl, CURLOPT_HTTPHEADER, list); 171 172 curl_easy_perform(curl); 173 174 curl_slist_free_all(list); /* free the list */ 175 } 176} 177~~~ 178 179# HISTORY 180 181Use for MIME mail added in 7.56.0. 182 183# %AVAILABILITY% 184 185# RETURN VALUE 186 187Returns CURLE_OK if HTTP is supported, and CURLE_UNKNOWN_OPTION if not. 188
