Content-MD5
The HTTP Content-MD5 representation header carried a Base64-encoded MD5 digest of the message body, serving as an end-to-end integrity check for HTTP transfers.
Legacy
Content-MD5 was originally specified and has been obsoleted. The HTTP/1.1 semantics specification formally removed Content-MD5 due to problematic interactions with Transfer-Encoding and Content-Encoding. The modern digest mechanism obsoleted the older Digest header and introduced Content-Digest and Repr-Digest as replacements, supporting SHA-256, SHA-512, and other algorithms through the Structured Fields framework. The MD5 algorithm is considered cryptographically broken for collision resistance, making Content-MD5 unsuitable for security-sensitive integrity verification.
Usage
Content-MD5 provided a way for senders to include a checksum of the message body, enabling receivers to verify the content arrived intact. The sender computed the MD5 hash of the message body (after any Content-Encoding but before transfer encoding), then Base64-encoded the 128-bit digest and placed the result in the header value.
A receiving client or server compared the declared hash against a locally computed digest of the received body. A mismatch indicated data corruption during transfer. This was particularly useful for large file downloads and API responses where silent corruption needed detection.
The header was limited by MD5's known weaknesses. MD5 is vulnerable to collision attacks, meaning two different inputs producing the same hash are constructible. For integrity checking against accidental corruption, MD5 was adequate. For protection against deliberate tampering, MD5 was insufficient. The HTTP/1.1 semantics specification removed Content-MD5. The broader digest mechanism was later modernized, replacing the Digest field with Content-Digest and supporting SHA-256, SHA-512, and other algorithms.
Values
Base64-encoded MD5 digest
The value is exactly 24 characters of Base64-encoded data (including padding) representing the 128-bit MD5 hash of the message body. The digest is computed over the content after content encoding but before any transfer encoding.
Example
A server responds with a binary resource and includes the
Content-MD5 header. The Base64 string
jG21fhMJ0ZgNW0LnF81thw decodes to the 16-byte MD5
hash of the response body, allowing the client to verify
the download was not corrupted in transit.
Content-MD5: jG21fhMJ0ZgNW0LnF81thw
An API response includes an MD5 digest alongside the Content-Length header. Both headers together confirm the body is the expected size and matches the expected checksum.
Content-Length: 48205
Content-MD5: NIyjIzOmL92ArTxJ81SeYQ
A response serving a small image includes the MD5 digest for quick integrity verification. The 24-character Base64 value maps directly to the 128-bit MD5 output.
Content-MD5: QKnRjIuBA9UFGc+rW/4POA
Takeaway
The Content-MD5 header provided Base64-encoded MD5 checksums for HTTP message body integrity verification. The HTTP/1.1 semantics specification removed Content-MD5 due to inconsistent implementation. Modern digest verification uses Content-Digest, which supports SHA-256 and SHA-512.
See also
- RFC 1864: The Content-MD5 Header Field (obsoleted)
- Digest
- Content-Encoding
- Content-Digest
- Content-Length
- HTTP headers