Is Strict-Transport-Security HTTP header name case-sensitive?

Shnatsel asked:

I’m digging into the HTTP Strict-Transport-Security specification, https://tools.ietf.org/html/rfc6797

It specifies the syntax of the header like this:

Strict-Transport-Security: max-age=15768000 ; includeSubDomains

The RFC specifies that directive names such as “max-age” are case-insensitive, but does explicitly state whether the header name, “Strict-Transport-Security”, is case-sensitive. Are there any more general rules to govern that? Or perhaps I’m missing something in the RFC?

My answer:


All HTTP header field names are case-insensitive. RFC 7230 § 3.2 states:

Each header field consists of a case-insensitive field name followed by a colon (“:”), optional leading whitespace, the field value, and optional trailing whitespace.


View the full question and answer on Server Fault.
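An added example (not part of the original question or answer): a minimal Python check that looks up the HSTS header the way the answer describes, matching the field name and the directive names case-insensitively. The function names and sample responses are constructed for illustration, and quoted directive values containing ";" are not handled.

```python
import re

HSTS = "strict-transport-security"  # compare lowercased: field names are case-insensitive

def parse_headers(raw):
    """Split a raw HTTP/1.1 response head into (field-name, field-value) pairs."""
    pairs = []
    for line in raw.split("\r\n")[1:]:      # [1:] skips the status line
        if not line:                        # empty line ends the header section
            break
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name, value.strip(" \t")))
    return pairs

def hsts_policy(raw):
    """Return {'max_age', 'include_subdomains'} or None if no valid policy is set."""
    values = [v for n, v in parse_headers(raw) if n.lower() == HSTS]
    if not values:
        return None
    directives = {}
    for part in values[0].split(";"):       # RFC 6797 8.1: only the first field counts
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()         # directive names are case-insensitive too
        if not name:
            continue                        # tolerate empty directives such as ";;"
        if name in directives:
            return None                     # RFC 6797 6.1: each directive only once
        directives[name] = val.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                         # max-age is required and must be digits
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

def naive_has_hsts(raw):
    """Exact-case lookup, shown only to contrast with hsts_policy()."""
    return any(n == "Strict-Transport-Security" for n, _ in parse_headers(raw))

# Constructed sample responses (not captured traffic).
LOWER = ("HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n"
         "strict-transport-security: MAX-AGE=15768000 ; IncludeSubDomains\r\n\r\n")
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
```

HTTP/2 sends all field names in lowercase, so an audit script that matches `Strict-Transport-Security` with exact case reports the header as missing on every HTTP/2 response.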

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.