Content-Digest

The HTTP Content-Digest header provides integrity digests for the actual message content transmitted over the wire.

Usage

The Content-Digest header enables verification of message content integrity by computing a digest over the literal bytes transmitted in the HTTP message. This digest reflects the content after applying transformations like Content-Encoding, matching exactly what travels across the network.

Servers send Content-Digest to allow recipients to verify the message content was not corrupted or modified during transmission. The header uses the Structured Fields Dictionary format, pairing algorithm identifiers with Base64-encoded digest values. Multiple algorithms appear in a single header when content negotiation or algorithm agility is needed.

The header differs from Repr-Digest, which computes digests over the selected representation before encoding or transformation. Content-Digest focuses on the actual transmitted bytes, making the header suitable for detecting transmission errors and verifying message-level integrity.

Clients request specific digest algorithms using Want-Content-Digest. Servers respond with preferred algorithms when no explicit request is made. Both headers work in requests and responses, and both support trailer fields when computing digests incrementally.

Algorithms

sha-256

The sha-256 algorithm produces a 256-bit digest using the SHA-256 cryptographic hash function. This algorithm suits most integrity verification needs and is widely supported.

sha-512

The sha-512 algorithm produces a 512-bit digest using the SHA-512 cryptographic hash function. This algorithm provides stronger cryptographic properties for contexts requiring additional security margin.

md5

The md5 algorithm is deprecated. MD5 still serves as a basic check for accidental corruption but is unsuitable for adversarial settings such as signing for authenticity.

Example

A server sends a SHA-256 digest of the transmitted message content. The Base64-encoded value represents the digest computed over the literal bytes sent after applying any content encoding.

Content-Digest: sha-256=:RK/0qy18MlBSVnWgjwz6lZEWjP/lF5HF9bvEF8FabDg=:

Multiple algorithms appear when the server supports algorithm negotiation. The recipient selects the strongest recognized algorithm and verifies the content against the corresponding digest value.

Content-Digest: sha-256=:RK/0qy18MlBSVnWgjwz6lZEWjP/lF5HF9bvEF8FabDg=:, sha-512=:YMAam51Jz/jOATT6/zvHrLVgOYTGFy1d6GJiOHTohq4yP+pgk4vf2aCsyRZOtw8MjkM7iw7yZ/WkppmM44T3qg==:

Takeaway

The Content-Digest header carries integrity digests computed over the transmitted message content, enabling verification of the literal bytes sent across the network after applying encoding and transformation.

See also

• RFC 9530: Digest Fields
• Repr-Digest
• Want-Content-Digest
• Digest
• Content-Encoding
• HTTP headers