Are HTTP headers space/case/order sensitive?

Question

Let us assume I have these header:

Strict-Transport-Security: max-age=<expire-time>
Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
Strict-Transport-Security: max-age=<expire-time>; preload

For purpose of writing regex, I need to know:

Are headers space sensitive? e.g. max-age=<expire-time> vs. Max-age=<expire-time> Are they case-sensitive? e.g. max-age= <expire-time> vs. Max-age=<expire-time> Are they order-sensitive? e.g. max-age=<expire-time>; preload vs. preload; max-age=<expire-time>;

Answer 1

The source for answering this kind of question is the standard - that's what standards are for. To cite from RFC 7230 section 3.2:

Each header field consists of a case-insensitive field name followed by a colon (":"), optional leading whitespace, the field value, and optional trailing whitespace.

As for the field values, this depends on the actual header. For examples in Set-Cookie the values are case-sensitive. For Strict-Transport-Security you have to look at the relevant standard. In RFC 6797 it says in section 6.1:

1. The order of appearance of directives is not significant.
   ...
2. Directive names are case-insensitive.

Answer 2

You should read the relative RFC specifications.

In general HTTP Header names are case insensitive and should not contain white space. HTTP/2 goes further and states that HTTP Header names should be lower case, and also white space there causes errors.

HTTP Header values can be case sensitive depending on the header. For the Strict-Transport-Security header your questions are covered in that RFC, specifically:

It is based on the Generic Grammar defined in Section 2 of [RFC2616] (which includes a notion of "implied linear whitespace", also known as "implied *LWS").

Which basically means white space is not important.

And then the HSTS RFC goes on to say:

1. The order of appearance of directives is not significant.

...

3. Directive names are case-insensitive.