HTTP Headers Reference

Informs the server about the types of data that can be sent back. It is MIME-type information.

Indicates the content-encoding (usually a compression algorithm) that the client can understand.

Indicates the natural language and locale that the client prefers.

Indicates if the server supports range requests, and if so in which unit the range can be expressed.

Indicates whether the response can be shared with requesting code from the given origin (CORS).

The time in seconds the object has been in a proxy cache.

Contains the credentials to authenticate a user agent with a server, usually after the server has responded with 401.

Directives for caching mechanisms in both requests and responses. Caching directives are unidirectional.

Controls whether the network connection stays open after the current transaction finishes.

Indicates if the content is expected to be displayed inline or downloaded as an attachment.

Lists the encodings that have been applied to the entity-body, and the order in which they have been applied.

The length of the request/response body in octets (8-bit bytes).

Controls resources the user agent is allowed to load for a given page. Helps prevent XSS attacks.

Indicates the media type of the resource. In requests, the client tells the server what type of data is sent.

Contains stored HTTP cookies previously sent by the server with the Set-Cookie header.

An identifier for a specific version of a resource. Allows caches to be more efficient and saves bandwidth.

The date/time after which the response is considered stale.

Contains information from the client-facing side of proxy servers that is altered or lost when a proxy is involved.

Specifies the host and port number of the server to which the request is being sent.

Makes the request conditional: the server sends back the requested resource only if it has been modified after the given date.

Makes the request conditional: returns 304 Not Modified if the ETag matches, allowing conditional GET requests.

The last modification date of the resource, used to compare several versions of the same resource.

Indicates the URL to redirect a page to. It only provides a meaning when served with a 3xx or 201 status response.

Indicates where a fetch originates from. It includes the scheme, the hostname and port. Sent with CORS requests.

Contains the address of the previous web page from which a link to the currently requested page was followed.

Indicates how long the user agent should wait before making a follow-up request (used with 429 or 503).

Contains information about the software used by the origin server to handle the request.

Send cookies from the server to the user-agent so the user-agent can send them back later.

Lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP (HSTS).

Specifies the form of encoding used to safely transfer the payload body to the user.

Contains a characteristic string that allows the network protocol peers to identify the application type, OS, and software vendor/version.

Determines how to match future request headers to decide whether a cached response can be used or a fresh one must be requested.

Defines the authentication method that should be used to gain access to a resource (sent with 401 Unauthorized).

Indicates that the MIME types advertised in the Content-Type headers should be followed and not be changed.

Identifies the originating IP addresses of a client connecting through an HTTP proxy or a load balancer.

Indicates whether or not a browser should be allowed to render a page in a frame, iframe, embed or object. Used to prevent clickjacking.

The maximum number of requests that the consumer is permitted to make per rate limit window.

A unique identifier attached to each request for tracing and debugging purposes across distributed systems.

A feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected XSS attacks.