What is the X-REQUEST-ID HTTP header?

I have already googled this subject a lot and read various articles about this header, its use in Heroku, and projects based on Django.

However, it's still all confused in my head.

  • What is the purpose of this header?
  • Does it violate user privacy?
  • Can it help tracking a user?

When you're operating a web service that is accessed by clients, it might be difficult to correlate requests (that a client can see) with server logs (that the server can see).

The idea of the X-Request-ID is that a client can create some random ID and pass it to the server. The server then includes that ID in every log statement that it creates. If a client receives an error, it can include the ID in a bug report, allowing the server operator to look up the corresponding log statements (without having to rely on timestamps, IPs, etc.).

As this ID is generated (randomly) by the client, it does not contain any sensitive information, and should thus not violate the user's privacy. As a unique ID is created per request, it also does not help with tracking users.


Purpose: Idempotency

With an ID that changes for every request, but stays the same in case of a retry of a request, the receiver can ensure the request won't get processed more than once.

This is a quote from some API provider:

All POST, PUT, and PATCH HTTP requests should contain a unique X-Request-Id header which is used to ensure idempotent message processing in case of a retry

If you make it a random string, unique per request, it won't infringe on your privacy, nor enable tracking.

If you want to know more of what idempotency has to offer, read this insightful article.

N.B. As Stefan Kögl comments, this header is not standardized - hence the (deprecated) "X-" prefix.
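
The two uses described in the answers above (tagging every log statement with the client's ID, and treating a repeated ID on POST/PUT/PATCH as a retry) can be combined in one server-side handler. This is an added example, not code from either answer or from any API provider; the class name, the ID format check and the in-memory store are assumptions made for illustration.

```python
import logging
import re
import uuid

log = logging.getLogger("api")

# Assumed policy (not from the page): accept only short token-like IDs, so a
# client-chosen value cannot carry newlines or oversized data into the logs.
VALID_ID = re.compile(r"[A-Za-z0-9._-]{8,64}")
WRITE_METHODS = {"POST", "PUT", "PATCH"}


class RequestIdHandler:
    """Hypothetical handler: tags log lines with the ID and replays retries."""

    def __init__(self, process):
        self._process = process  # the real, side-effecting operation
        self._seen = {}          # request ID -> stored response (in-memory demo)

    @staticmethod
    def request_id(headers):
        # Header names are case-insensitive (X-Request-ID / X-Request-Id).
        value = {k.lower(): v for k, v in headers.items()}.get("x-request-id", "")
        if VALID_ID.fullmatch(value):
            return value
        return uuid.uuid4().hex  # missing or malformed: the server generates one

    def handle(self, method, headers, body):
        rid = self.request_id(headers)
        if method in WRITE_METHODS and rid in self._seen:
            log.info("request_id=%s retry detected, replaying response", rid)
            return self._seen[rid]
        log.info("request_id=%s processing %s", rid, method)
        response = {"request_id": rid, "result": self._process(body)}
        if method in WRITE_METHODS:
            self._seen[rid] = response
        return response
```

Returning the ID in the response lets the client quote it in a bug report even when the server had to generate it.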