What is the X-REQUEST-ID http header?
Purpose: Idempotency
With an ID that changes for every request, but stays the same in case of a retry of a request, the receiver can ensure the request won't get processed more than once.
This is a quote from some API provider:
All POST, PUT, and PATCH HTTP requests should contain a unique X-Request-Id header which is used to ensure idempotent message processing in case of a retry
If you make it a random string, unique per request, it won't infringe on your privacy, nor enable tracking.
If you want to know more of what idempotency has to offer, read this insightful article.
N.B. As Stefan Kögl comments, this header is not standardized - hence the (deprecated) "X-" prefix.
When you're operating a webservice that is accessed by clients, it might be difficult to correlate requests (that a client can see) with server logs (that the server can see).
The idea of the X-Request-ID
is that a client can create some random ID and pass it to the server. The server then include that ID in every log statement that it creates. If a client receives an error it can include the ID in a bug report, allowing the server operator to look up the corresponding log statements (without having to rely on timestamps, IPs, etc).
As this ID is generated (randomly) by the client it does not contain any sensitive information, and should thus not violate the user's privacy. As a unique ID is created per request it does also not help with tracking users.
Explanation using a story/analogy
Your internet is playing up (as usual), so you call up Tellstra and you're waiting on the phone forever......finally you give up and slam the phone down in frustration. (This is a failed call. And there is a record of it in Tellstra's call logs.)
"That's it, I'm calling the Ombudsman!"
But the Obmudsman has thousands of call records to go through (all the failed queries of Tellstra). If you tell them that you called Telstra, and that your call was unsuccessful, that won't be enough: how will the Ombudsman know, from all the call records of Tellstra, which one was yours - so that it can be further investigated??
That's where the X-Request-ID comes in - whenever you call Tellstra, you'd pass on a random number (the X-Request-ID) and this is logged in the Tellstra records. That way, the ombudsman (having access to all records) will be able to find your incoming call to find out what went wrong.
Application of story to HTTP
The same applies to http requests - it's an id used to help you (as the back end dev) find out what went wrong when a client issues you with an error or big report.
That's the basic summary of it. Any questions etc. just post a comment and I hope to clear it up.