Generating the Server Response: HTTP Response Headers
A response from the Web server normally consists of a status line, one or more response headers,
a blank line, and the document.
A D V E R T I S E M E N T
Setting the HTTP response headers often goes hand in hand with the
setting the status codes in the status line. For example, several of the "document moved" status codes
have an accompanying Location header, and the 401 (Unauthorized) code must include an accompanying
The most general way to specify headers is by setHeader
method of HttpServletResponse, which takes two strings: the header
name and the header value. Like setting the status codes, this must be done
before any document content is sent.
There are also two specialized methods to set the headers that contain dates (setDateHeader)
and integers (setIntHeader). The first saves you trouble of
translating a Java date in milliseconds since the epoch (as returned by
System.currentTimeMillis or the getTime method applied to a
Date object) into a GMT time string. The second spares you the
minor inconvenience of the converting an int to a String.
Rather than setting the header outright, you can add a new header, in case a
header with that name already exists. Use addHeader,
addDateHeader, and addIntHeader for this. If it really
matters to you whether a specific header has already been set, use
containsHeader to check.
Finally, HttpServletResponse also supplies a number of
convenience methods for the specifying common headers.
The setContentType method sets Content-Type
header, and is used by the majority of servlets.
The setContentLength method sets Content-Length
header, useful if the browser supports persistent (keep-alive) HTTP
The addCookie method sets the cookie (there is no
corresponding setCookie, since it is normal to have multiple
And, as discussed in the previous section, the sendRedirect
method sets Location header as well as setting the status
code to 302.
Common Response Headers and their Meaning
What request methods (GET, POST, etc.)
does the server support?
What method was used to encode the document? You need to decode it
to get the type specified by the Content-Type header. Using
gzip to compress the document can dramatically reduce download times for
HTML files, but it is only supported by Netscape on Unix and IE 4 and 5
on Windows. On the other hand, gzipping HTML files can dramatically
reduce download times, and Java's GZIPOutputStream makes it
easy. So you should explicitly check if the browser supports this by
looking at the Accept-Encoding header (i.e. via
request.getHeader("Accept-Encoding")). That way, you can return
gzipped pages to browser that know how to unzip them, but still return
regular pages to other browsers.
How many bytes are being sent? This information is only needed if
the browser is using a persistent (keep-alive) HTTP connection. If you
want your servlet to take advantage of this when the browser supports
it, your servlet should write the document into a
ByteArrayOutputStream, look up its size when done, put that into
the Content-Length field, then send the content via
What is the MIME type of the following document? Default for
servlets is text/plain, but they usually explicitly specify
text/html. Setting this header is so common that there is a
special method in HttpServletResponse for it:
What is current time (in GMT)? Use the setDateHeader
method to specify this header. That saves you the trouble of formatting
the date string properly.
At what time should content be considered out of date and thus no
When was document last changed? Client can supply a date via an
If-Modified-Since request header. This is treated as a
conditional GET, with document only being returned if the
Last-Modified date is later than the specified date.
Otherwise a 304 (Not Modified) status line is returned. Again, use the
setDateHeader method to specify this header.
Where should client go to get document? This is usually set
indirectly, along with a 302 status code, via the sendRedirect
method of HttpServletResponse.
How soon should browser ask for an updated page (in seconds)?
Instead of just reloading current page, you can specify a specific page
to load via setHeader("Refresh", "5; URL=http://host/path").
Note that this is commonly set via <META HTTP-EQUIV="Refresh"
CONTENT="5; URL=http://host/path"> in the HEAD
section of the HTML page, rather than as an explicit header from the
server. This is because automatic reloading or forwarding is something
often desired by HTML authors who do not have CGI or servlet access. But
for servlets, setting the header directly is easier and clearer. Note
that this header means "reload this page or go to the specified URL in
N seconds." It does not mean "reload this page or go to
the specified URL every N seconds." So you have to send a
Refresh header each time, and sending a 204 (No Content)
status code stops the browser from reloading further, regardless of
whether you explicitly send the Refresh header or use
<META HTTP-EQUIV="Refresh" ...>. Note that this header is not
officially part of HTTP 1.1, but is an extension supported by both
Netscape and Internet Explorer.
What server am I? Servlets don't usually set this; the Web server
Specifies cookie associated with page. Servlets should not use
response.setHeader("Set-Cookie", ...), but instead use the
special-purpose addCookie method of
HttpServletResponse. See separate section on handling cookies.
What authorization type and realm should client supply in their
Authorization header? This header is required in responses
that have a 401 (Unauthorized) status line. E.g.
response.setHeader("WWW-Authenticate", "BASIC realm=\"executives\"").
Note that servlets do not usually handle this themselves, but instead
let password-protected Web pages be handled by the Web server's
specialized mechanisms (e.g. .htaccess).