Content-Digest

Verifying message content was not corrupted or tampered with during transmission requires an integrity digest. The Content-Digest request or response header provides this digest for the actual message content transmitted over the wire.

Usage

The Content-Digest header enables verification of message content integrity by computing a digest over the literal bytes transmitted in the HTTP message. This digest reflects the content after applying transformations like Content-Encoding, matching exactly what travels across the network.

Servers send Content-Digest to allow recipients to verify the message content was not corrupted or modified during transmission. The header uses the Structured Fields Dictionary format, pairing algorithm identifiers with Base64-encoded digest values. Multiple algorithms appear in a single header when content negotiation or algorithm agility is needed.

The header differs from Repr-Digest, which computes digests over the selected representation before encoding or transformation. Content-Digest focuses on the actual transmitted bytes, making the header suitable for detecting transmission errors and verifying message-level integrity.

Clients request specific digest algorithms using Want-Content-Digest. Servers respond with preferred algorithms when no explicit request is made. Both headers work in requests and responses, and both support trailer fields when computing digests incrementally.

Algorithms

sha-256

The sha-256 algorithm produces a 256-bit digest using the SHA-256 cryptographic hash function. This algorithm suits most integrity verification needs and is widely supported.

sha-512

The sha-512 algorithm produces a 512-bit digest using the SHA-512 cryptographic hash function. This algorithm provides stronger cryptographic properties for contexts requiring additional security margin.

md5

The md5 algorithm is not defined for Content-Digest (RFC 9530 defines only sha-256 and sha-512). The legacy Digest header supported MD5, but MD5 is cryptographically broken and unsuitable for integrity verification.

Example

A server sends a SHA-256 digest of the transmitted message content. The Base64-encoded value represents the digest computed over the literal bytes sent after applying any content encoding.

Content-Digest: sha-256=:RK/0qy18MlBSVnWgjwz6lZEWjP/lF5HF9bvEF8FabDg=:

Multiple algorithms appear when the server supports algorithm negotiation. The recipient selects the strongest recognized algorithm and verifies the content against the corresponding digest value.

Content-Digest: sha-256=:RK/0qy18MlBSVnWgjwz6lZEWjP/lF5HF9bvEF8FabDg=:, sha-512=:YMAam51Jz/jOATT6/zvHrLVgOYTGFy1d6GJiOHTohq4yP+pgk4vf2aCsyRZOtw8MjkM7iw7yZ/WkppmM44T3qg==:
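
One way a recipient could implement the check described above, as an added example that is not code from the original page: it parses the header, picks the strongest recognized algorithm, and compares digests over the bytes as received. The function names, the simplified dictionary parser and the gzip sample body are assumptions made for the illustration.

```python
import base64
import gzip
import hashlib
import hmac
import re

# Algorithms the page lists for Content-Digest, strongest first.
PREFERENCE = ("sha-512", "sha-256")
# Simplified Dictionary member, key=:base64: (assumption: no parameters;
# a production parser should implement Structured Fields in full).
_MEMBER = re.compile(r"^([a-z*][a-z0-9_.*-]*)=:([A-Za-z0-9+/=]*):$")


def _digest(alg, data):
    return hashlib.new(alg.replace("-", ""), data).digest()


def parse_content_digest(value):
    """Return {algorithm: raw digest bytes}; ValueError on a malformed member."""
    digests = {}
    for member in value.split(","):
        m = _MEMBER.match(member.strip())
        if not m:
            raise ValueError(f"malformed dictionary member: {member!r}")
        digests[m.group(1)] = base64.b64decode(m.group(2), validate=True)
    return digests


def verify_content_digest(header_value, wire_bytes):
    """Check the bytes as received (still content-encoded); return the algorithm used."""
    digests = parse_content_digest(header_value)
    for alg in PREFERENCE:  # md5 and unknown keys are never consulted
        if alg in digests:
            if hmac.compare_digest(_digest(alg, wire_bytes), digests[alg]):
                return alg
            raise ValueError(f"{alg} digest mismatch")
    raise ValueError("no recognized digest algorithm in header")


def make_content_digest(wire_bytes, algs=("sha-256",)):
    """Build a header value (used here for the constructed sample)."""
    return ", ".join(
        f"{a}=:{base64.b64encode(_digest(a, wire_bytes)).decode()}:" for a in algs)


# Constructed sample: a gzip-encoded JSON body as it would travel on the wire.
SAMPLE_DECODED = b'{"hello": "world"}\n'
SAMPLE_WIRE = gzip.compress(SAMPLE_DECODED, mtime=0)
SAMPLE_HEADER = make_content_digest(SAMPLE_WIRE, ("sha-256", "sha-512"))
```

verify_content_digest(SAMPLE_HEADER, SAMPLE_WIRE) returns "sha-512", while passing SAMPLE_DECODED raises ValueError because the digest covers the encoded bytes. A match only shows that the content agrees with the header, so detecting deliberate modification also requires protecting the header itself, for example with TLS or an HTTP message signature.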

Last updated: April 4, 2026