3.1.5.1 HTTP Headers

The client SHOULD send an X-Vermeer-Content-Type header (as specified in [RFC2616] section 14.17) with the same value as the standard HTTP Content-Type header to safeguard against one-click attacks, as specified in section 5.1. The server MUST use this header, if present, to determine the Content-Type of the request. If this header is not present, the server SHOULD fail the request.

The client MUST also include the string "FrontPage" (case-sensitive) in its User-Agent header, as specified in [RFC2616] section 14.43. The server MAY alter its responses when the client does not do this.<19>

Except as specified in specific methods, server responses MUST have the HTTP Content-Type "application/x-vermeer-rpc".
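The request-header rules above can be applied on the server side as in the following added example, which is not part of the specification or of any Microsoft implementation. The names `check_request_headers` and `HeaderDecision` are hypothetical, the sample header values are constructed, and recording a Content-Type mismatch is an assumed logging choice rather than a requirement of this section.

```python
from dataclasses import dataclass, field
from typing import Optional

RESPONSE_CONTENT_TYPE = "application/x-vermeer-rpc"  # default response type per this section


@dataclass
class HeaderDecision:  # hypothetical result type for this example
    accept: bool
    content_type: Optional[str]  # the value the server acts on
    frontpage_client: bool
    notes: list = field(default_factory=list)


def check_request_headers(raw_headers):
    """Apply this section's request-header rules to one request."""
    # HTTP header names are case-insensitive; values are left as sent.
    headers = {k.lower(): v.strip() for k, v in raw_headers.items()}
    notes = []
    vermeer_ct = headers.get("x-vermeer-content-type")
    standard_ct = headers.get("content-type")

    if not vermeer_ct:
        # SHOULD fail the request. An HTML form submitted from another site
        # cannot add custom headers, so it ends up in this branch.
        accept, effective = False, None
        notes.append("X-Vermeer-Content-Type missing")
    else:
        # MUST use this header, not Content-Type, to pick the request type.
        accept, effective = True, vermeer_ct
        if standard_ct is None or standard_ct.lower() != vermeer_ct.lower():
            # Assumption: recording the mismatch is a logging choice, not a spec rule.
            notes.append("Content-Type does not match X-Vermeer-Content-Type")

    # Case-sensitive substring test, as the section requires.
    frontpage = "FrontPage" in headers.get("user-agent", "")
    if not frontpage:
        notes.append("User-Agent lacks 'FrontPage'")
    return HeaderDecision(accept, effective, frontpage, notes)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    form = "application/x-www-form-urlencoded"
    samples = [
        {"Content-Type": form, "X-Vermeer-Content-Type": form, "User-Agent": "MSFrontPage/6.0"},
        {"Content-Type": form, "User-Agent": "Mozilla/5.0"},
        {"content-type": "text/plain", "x-vermeer-content-type": form, "User-Agent": "frontpage"},
    ]
    for s in samples:
        print(check_request_headers(s))
```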