There is an error here
“If you need to add your own custom header, it’s generally better to use a vendor prefix, like Acme-Custom-Header or A-Custom-Header.”
must be:
In June 2011, the first IETF draft was posted to deprecate the recommendation of using the “X-” prefix for non-standard headers. The reason is that when non-standard headers prefixed with “X-” become standard, removing the “X-” prefix breaks backwards compatibility, forcing application protocols to support both names (e.g., x-gzip & gzip are now equivalent). So, the official recommendation is to just name them sensibly without the “X-” prefix.
stackoverflow.com/a/3561399/15107127
Course: Web Application Security for the Everyday Software Engineer - Learn Interactively
Lesson: How HTTP Works - Web Application Security for the Everyday Software Engineer