Custom HTTP headers : naming conventions

Question

Several of our users have asked us to include data relative to their account in the HTTP headers of requests we send them, or even responses they get from our API.

Answer 1

RFC6648 recommends that you assume that your custom header "might become standardized, public, commonly deployed, or usable across multiple implementations." Therefore, it recommends not to prefix it with "X-" or similar constructs.

However, there is an exception "when it is extremely unlikely that [your header] will ever be standardized." For such "implementation-specific and private-use" headers, the RFC says a namespace such as a vendor prefix is justified.