I got curious about what HTTP headers Chrome is requesting so I stood up a trivial HTTP server and this is what is on the wire.

Goodness that’s a lot of stuff! I still remember when even the Host header was optional (in HTTP/0.91). And my knowledge taps out around HTTP/1.1, the Connection: keep-alive and the Accept headers.. Anyway, what else is there?

The sec-ch-ua stuff is a modern replacement for User-Agent

DNT, sec-gpc, and permissions-policy are various requests to preserve my privacy. I just installed OptMeOwt, it is adding some of these. I think permissions-policy is a Google thing.

The Sec-Fetch stuff is about the intent of the request and is apparently used to make decisions related to CSRF, CORS, etc.

Upgrade-Insecure-Requests is telling the webserver to redirect me to https if it can.

In general sec- is a “forbidden request header“: only the browser is allowed to set these headers, not Javascript on the page. (Extensions can set them though.)

One other trivia I learned about: HTTP Trailers. This lets you set more headers at the end of an HTTP request instead of the start. Say data you only know about after a long POST or something. These date all the way back to 1997 and HTTP/1.1 apparently but I’ve never encountered them. They don’t work with the simplest request format since there’s no way to identify the end of the HTTP body. Chunked encoding allows for them and I imagine later encodings have something similar.