HTTP Headers

Request and response header fields: caching, authentication, CORS, security, and content negotiation. Each entry is marked req (sent by the client), res (sent by the server) or both, and deprecated where applicable.

Cache (12 headers)

Cache-Control [both]: Directives for caching mechanisms in both requests and responses, such as max-age, no-cache, no-store, must-revalidate and private. Responses carrying credentials or personal data should use no-store (or at least private) so that shared caches never retain them.
ETag [res]: An opaque identifier for a specific version of a resource, used for cache validation and conditional requests. A W/ prefix marks a weak tag: semantically equivalent representations, not byte-identical ones.
If-Match [req]: Makes a request conditional: the server processes it only if the resource's ETag strongly matches one of the listed ETags (a weak tag never satisfies If-Match), otherwise it answers 412 Precondition Failed. Used on PUT and PATCH to prevent lost updates.
If-None-Match [req]: Makes a request conditional: if the resource's ETag matches one of the listed ETags (weak comparison), the server returns 304 Not Modified to GET and HEAD and 412 Precondition Failed to other methods.
If-Modified-Since [req]: Makes a GET or HEAD request conditional: the server returns the resource only if it has been modified after the given date, and 304 Not Modified otherwise. Ignored when If-None-Match is also present.
If-Unmodified-Since [req]: Makes a request conditional: the server processes it only if the resource has not been modified since the given date. Ignored when If-Match is also present.
Last-Modified [res]: The date and time at which the server believes the resource was last modified.
Expires [res]: The date/time after which the response is considered stale. Ignored when Cache-Control carries max-age or s-maxage.
Age [res]: The number of seconds the object has been in a proxy cache.
Vary [res]: Indicates which request headers a cache must take into account when deciding whether a stored response can be reused, e.g. Vary: Accept-Encoding for compressed responses or Vary: Origin when a CORS response echoes the request's Origin.
Pragma [both, deprecated]: Implementation-specific directives; no-cache is the only standard directive. Superseded by Cache-Control.
Clear-Site-Data [res]: Instructs the browser to clear data associated with the response's origin; the directives are quoted: "cache", "cookies", "storage" or "*". Only honoured over HTTPS; useful on logout.
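Worked example (added here, not part of the original reference): a server-side evaluation of the four conditional headers above in the order RFC 9110 section 13.2.2 prescribes, including the strong/weak comparison rules and the 304-versus-412 distinction. The function and resource names are illustrative and the sample resource is constructed.

```python
"""Server-side evaluation of If-Match / If-Unmodified-Since / If-None-Match /
If-Modified-Since in the order RFC 9110 section 13.2.2 prescribes.
Added example; `evaluate` and the sample data are illustrative names."""
import email.utils
from datetime import datetime, timezone


def parse_etag_list(value):
    """Split an If-Match / If-None-Match value into (is_weak, opaque) pairs,
    or return "*" for the wildcard."""
    value = value.strip()
    if value == "*":
        return "*"
    tags = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        weak = part.startswith("W/")
        if weak:
            part = part[2:]
        tags.append((weak, part.strip('"')))
    return tags


def strong_match(a, b):
    """Strong comparison: both tags strong and opaque parts equal."""
    return not a[0] and not b[0] and a[1] == b[1]


def weak_match(a, b):
    """Weak comparison: opaque parts equal, W/ prefixes ignored."""
    return a[1] == b[1]


def parse_http_date(value):
    """Parse an HTTP-date; returns an aware datetime or None if unparseable."""
    try:
        dt = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def evaluate(method, request_headers, resource):
    """Return 304 or 412 if a precondition short-circuits the request,
    or None if the request should be processed normally.
    `resource` has 'etag' (quoted string) and 'last_modified' (aware datetime)."""
    h = {k.lower(): v for k, v in request_headers.items()}
    current = parse_etag_list(resource["etag"])[0]
    modified = resource["last_modified"]

    # 1. If-Match uses the strong comparison; weak tags never satisfy it.
    if "if-match" in h:
        tags = parse_etag_list(h["if-match"])
        if tags != "*" and not any(strong_match(t, current) for t in tags):
            return 412
    # 2. If-Unmodified-Since only matters when If-Match is absent.
    elif "if-unmodified-since" in h:
        since = parse_http_date(h["if-unmodified-since"])
        if since is not None and modified > since:
            return 412

    # 3. If-None-Match (weak comparison) takes precedence over If-Modified-Since.
    if "if-none-match" in h:
        tags = parse_etag_list(h["if-none-match"])
        if tags == "*" or any(weak_match(t, current) for t in tags):
            return 304 if method in ("GET", "HEAD") else 412
    # 4. If-Modified-Since applies to GET and HEAD only.
    elif method in ("GET", "HEAD") and "if-modified-since" in h:
        since = parse_http_date(h["if-modified-since"])
        if since is not None and modified <= since:
            return 304
    return None


# Constructed sample resource for the usage below.
SAMPLE_RESOURCE = {"etag": '"v2"',
                   "last_modified": datetime(2024, 1, 1, tzinfo=timezone.utc)}

if __name__ == "__main__":
    print(evaluate("GET", {"If-None-Match": 'W/"v2"'}, SAMPLE_RESOURCE))  # 304
    print(evaluate("PUT", {"If-Match": 'W/"v2"'}, SAMPLE_RESOURCE))       # 412
```

The order matters: a PUT with a stale If-Match must fail with 412 before any cache-validation logic runs, and a matching If-None-Match on a non-GET method is a 412, not a 304.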
Auth (4 headers)

Authorization [req]: Credentials to authenticate a user agent with a server, typically a Bearer token or Basic base64-encoded credentials. Basic is encoding, not encryption, so it is only acceptable over TLS; treat the header as a secret in logs and traces.
WWW-Authenticate [res]: Names the authentication scheme(s) and parameters (such as realm) the client should use, sent with a 401 Unauthorized response.
Proxy-Authorization [req]: Credentials to authenticate a user agent with a proxy server.
Proxy-Authenticate [res]: Names the authentication scheme required to access a resource behind a proxy, sent with a 407 Proxy Authentication Required response.
CORS (9 headers)

Origin [req]: The origin (scheme, host and optional port, with no path) from which a cross-origin or preflight request was made. Browsers also send it on same-origin requests with methods other than GET and HEAD, and send the literal value null for opaque origins (sandboxed iframes, for example), so null must never be allowlisted.
Access-Control-Allow-Origin [res]: Indicates which origin is permitted to read the response: either a specific origin or * for any origin. * is not permitted with credentials, and a server that echoes the request's Origin should do so only after an allowlist check and add Vary: Origin.
Access-Control-Allow-Methods [res]: Specifies the HTTP methods allowed in a cross-origin request; sent in preflight responses.
Access-Control-Allow-Headers [res]: Indicates which request headers may be used in the actual cross-origin request; sent in preflight responses.
Access-Control-Allow-Credentials [res]: Whether the response may be exposed when the request included credentials (cookies, TLS client certificates, Authorization). The only valid value is true, and it requires an explicit Allow-Origin rather than *.
Access-Control-Expose-Headers [res]: Lists the response headers, beyond the CORS-safelisted ones (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma), that scripts are allowed to read.
Access-Control-Max-Age [res]: How long (in seconds) the result of a preflight request may be cached. Browsers cap the value (Chromium at 7200, Firefox at 86400).
Access-Control-Request-Headers [req]: Used in preflight requests to tell the server which HTTP headers will be used in the actual request.
Access-Control-Request-Method [req]: Used in preflight requests to tell the server which HTTP method will be used in the actual request.
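Worked example (added here, not code from the original reference): how a server computes the response headers above from an explicit origin allowlist, answering preflights and refusing to reflect arbitrary origins. The allowlist, method set and header set are constructed; `cors_headers` is an illustrative name.

```python
"""Computing CORS response headers from an explicit origin allowlist.
Added example; the allowlist, method and header sets are constructed and the
function name is illustrative."""

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "DELETE"}
ALLOWED_HEADERS = {"content-type", "authorization", "x-request-id"}
EXPOSED_HEADERS = ["X-Request-ID"]
PREFLIGHT_MAX_AGE = "600"


def cors_headers(request_headers, method, allow_credentials=True):
    """Return (status, response_headers) for the CORS part of a response.

    Non-browser and same-origin requests (no Origin) get nothing added. An origin
    outside the allowlist gets 403 and no Access-Control-* fields, which makes the
    browser block the read. Preflights (OPTIONS + Access-Control-Request-Method)
    are answered with 204 plus the allowed methods/headers, or with 403."""
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    if origin is None:
        return 200, {}

    # The answer depends on Origin, so caches must key on it.
    out = {"Vary": "Origin"}
    # Exact-match allowlist: no suffix matching (evil-example.com), no regexes,
    # and the literal "null" origin is never allowed because it is not in the set.
    if origin not in ALLOWED_ORIGINS:
        return 403, out

    # Echo the *verified* origin. Never "*" when credentials are allowed.
    out["Access-Control-Allow-Origin"] = origin
    if allow_credentials:
        out["Access-Control-Allow-Credentials"] = "true"

    if method == "OPTIONS" and "access-control-request-method" in h:
        wanted_method = h["access-control-request-method"].strip().upper()
        wanted_headers = {x.strip().lower()
                          for x in h.get("access-control-request-headers", "").split(",")
                          if x.strip()}
        if wanted_method not in ALLOWED_METHODS or not wanted_headers <= ALLOWED_HEADERS:
            return 403, {"Vary": "Origin"}
        out["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        out["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        out["Access-Control-Max-Age"] = PREFLIGHT_MAX_AGE
        return 204, out

    out["Access-Control-Expose-Headers"] = ", ".join(EXPOSED_HEADERS)
    return 200, out


if __name__ == "__main__":
    print(cors_headers({"Origin": "https://app.example.com"}, "GET"))
    print(cors_headers({"Origin": "https://evil.example"}, "GET"))
```

The common misconfiguration this avoids is reflecting whatever Origin arrives together with Allow-Credentials: true, which hands any site read access to the authenticated response.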
Sec (11 headers)

Content-Security-Policy [res]: Controls which resources the user agent may load and which scripts it may run, mitigating XSS by declaring approved sources. Nonces or hashes for script-src are preferable to 'unsafe-inline'.
Content-Security-Policy-Report-Only [res]: Monitors (but does not enforce) a CSP policy and reports violations to the endpoint named by report-to or report-uri. Useful for rollout, but provides no protection on its own.
Strict-Transport-Security [res]: Tells browsers to access the site only over HTTPS for max-age seconds (HSTS); includeSubDomains and preload extend the guarantee. Only honoured when received over a valid TLS connection.
X-Frame-Options [res]: Indicates whether a browser may render the page in a frame, iframe, embed or object (DENY or SAMEORIGIN). Superseded by CSP frame-ancestors, which browsers apply in preference when both are present.
X-Content-Type-Options [res]: Prevents browsers from MIME-sniffing a response away from the declared Content-Type. Value is always nosniff.
Referrer-Policy [res]: Controls how much referrer information the browser includes with requests made from the page: no-referrer, same-origin, strict-origin, strict-origin-when-cross-origin (the browser default), etc.
Permissions-Policy [res]: Allows a site to control which browser features and APIs (camera, geolocation, etc.) may be used by the page and its embedded frames (formerly Feature-Policy).
Cross-Origin-Embedder-Policy [res]: Prevents the document from loading cross-origin resources that do not explicitly grant permission via CORS or Cross-Origin-Resource-Policy (require-corp, credentialless, unsafe-none).
Cross-Origin-Opener-Policy [res]: Severs window references (window.opener) between the document and cross-origin openers or popups (same-origin, same-origin-allow-popups, unsafe-none). Together with COEP it establishes cross-origin isolation, which unlocks SharedArrayBuffer and high-resolution timers.
Cross-Origin-Resource-Policy [res]: Lets a resource declare which documents may load it in no-cors mode: same-origin, same-site or cross-origin. Defends against cross-origin reads via speculative side channels and is what COEP require-corp checks.
X-XSS-Protection [res, deprecated]: Enabled the reflected-XSS filter of older browsers. Non-standard; current browsers have removed the filter, and the filter itself could be abused to leak information, so either omit the header or send 0 and rely on CSP.
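Worked example (added here, not part of the original reference): an audit function that parses the headers in this section from a captured response and reports missing or weak settings, the check a practitioner runs over a proxy capture or a test client's response. The thresholds (one-year HSTS, nonce-or-hash for inline scripts) are the author's choices rather than a standard, and the two sample responses are constructed.

```python
"""Audit of the response-side security headers listed in this section.
Added example; the header set and thresholds are the author's choices, not a
standard, and the sample responses are constructed."""


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [source tokens]}.
    Tokens are lower-cased for classification only."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def hsts_max_age(value):
    """Return the max-age of a Strict-Transport-Security value, 0 if absent."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def audit_security_headers(headers):
    """Return a list of human-readable findings for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    else:
        hsts = h["strict-transport-security"]
        if hsts_max_age(hsts) < 31536000:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS without includeSubDomains")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    csp = h.get("content-security-policy")
    policy = {}
    if csp is None:
        if "content-security-policy-report-only" in h:
            findings.append("CSP is report-only; nothing is enforced")
        else:
            findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent.
        script = policy.get("script-src", policy.get("default-src"))
        if script is None:
            findings.append("CSP sets neither script-src nor default-src")
        else:
            nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                                for s in script)
            if "'unsafe-inline'" in script and not nonce_or_hash:
                findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
            if "'unsafe-eval'" in script:
                findings.append("script-src allows 'unsafe-eval'")
            if "*" in script:
                findings.append("script-src allows any host (*)")

    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append("no framing restriction (CSP frame-ancestors or X-Frame-Options)")

    if h.get("x-xss-protection", "0").strip() != "0":
        findings.append("X-XSS-Protection enabled; set it to 0 or remove it")
    return findings


# Constructed sample responses.
WEAK_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=3600",
    "X-XSS-Protection": "1; mode=block",
}
HARDENED_RESPONSE = {
    "Content-Security-Policy": "default-src 'none'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for finding in audit_security_headers(WEAK_RESPONSE):
        print("-", finding)
```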
Content (9 headers)

Accept [req]: Informs the server about the types of data the client can process, expressed as MIME types with optional quality factors.
Accept-Encoding [req]: Indicates the content codings the client understands: gzip, deflate, br (Brotli), zstd, identity.
Accept-Language [req]: Advertises which natural languages the client prefers, with optional quality factors (e.g., en-US,en;q=0.9).
Content-Type [both]: Indicates the media type of the request or response body, e.g., application/json or text/html; charset=utf-8. Pair it with X-Content-Type-Options: nosniff so browsers honour the declared type.
Content-Encoding [both]: Lists the content codings applied to the body in the order they were applied (gzip, deflate, br, zstd); the receiver decodes in reverse order.
Content-Language [both]: Describes the natural language(s) intended for the audience of the body.
Content-Length [both]: The size of the message body in bytes, used to delimit the end of the body in HTTP/1.1 when no Transfer-Encoding is present. Must not be sent together with Transfer-Encoding.
Content-Location [both]: An alternate location for the returned data, used to indicate the URL of the representation carried in the body.
Content-Range [res]: Indicates where in the full representation a partial body belongs, used with 206 Partial Content (e.g., bytes 0-1023/146515).
Req (14 headers)

Host [req]: Specifies the host and port number of the server to which the request is sent. Required in HTTP/1.1 (HTTP/2 and HTTP/3 carry it as the :authority pseudo-header). Treat it as attacker-controlled input: do not build absolute URLs, password-reset links or cache keys from it without validating it against the configured hostnames.
User-Agent [req]: A characteristic string identifying the application, OS, vendor, and version of the requesting client.
Referer [req]: The URL of the previous web page from which the request was initiated. Note: the misspelling of "referrer" is preserved in the spec. What the browser sends is governed by the page's Referrer-Policy.
Cookie [req]: Contains stored HTTP cookies previously sent by the server with Set-Cookie headers.
Range [req]: Indicates the part of a document the server should return, used for resumable downloads (e.g., bytes=0-1023).
If-Range [req]: Makes a Range request conditional: if the entity tag or date matches the current representation, the partial content is returned (206); otherwise the full resource is sent (200).
Expect [req]: Indicates expectations the server needs to fulfil before processing the request body (e.g., 100-continue).
Forwarded [req]: Standardised (RFC 7239) replacement for the X-Forwarded-* headers, with for=, by=, proto= and host= parameters; one comma-separated element per proxy hop.
X-Forwarded-For [req]: De-facto standard for identifying the originating IP address of a client connecting through a proxy or load balancer. Each proxy appends the address it saw, so only the entries appended by proxies you operate can be trusted: the leftmost values are supplied by the client and can be forged.
X-Forwarded-Host [req]: The original Host header sent by the client, as received by the first proxy, before it was rewritten for the upstream server.
X-Forwarded-Proto [req]: Identifies the protocol (HTTP or HTTPS) that a client used when connecting through a proxy.
From [req]: An Internet email address for a human user who controls the requesting user agent. Primarily used by bots.
TE [req]: Specifies the transfer codings the client is willing to accept, and trailers to indicate that it accepts trailer fields in a chunked response.
Upgrade-Insecure-Requests [req]: Signals the client's preference for an encrypted and authenticated response, allowing the server to redirect HTTP to HTTPS.
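Worked example (added here, not part of the original reference): deriving the client address from X-Forwarded-For or Forwarded the way an application behind its own proxies should, walking the chain from the right and trusting only hops added by known proxies, so that a client-supplied prefix or a spoofed header on a direct connection cannot bypass IP-based controls or poison logs. The trusted proxy ranges and the function names are constructed for the example.

```python
"""Deriving the client address from X-Forwarded-For / Forwarded without trusting
client-supplied hops. Added example; the trusted proxy ranges are constructed."""
import ipaddress

# Networks from which our own proxies connect (constructed for the example).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.10/32")]


def is_trusted(addr):
    """True if addr belongs to one of our proxies. Raises ValueError for non-IP tokens."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def parse_forwarded_for(value):
    """Return the for= values of an RFC 7239 Forwarded field, left to right,
    with quotes, IPv6 brackets and ports removed."""
    addrs = []
    for element in value.split(","):
        for pair in element.split(";"):
            name, _, val = pair.strip().partition("=")
            if name.strip().lower() != "for":
                continue
            val = val.strip().strip('"')
            if val.startswith("[") and "]" in val:        # "[2001:db8::1]:4711"
                val = val[1:val.index("]")]
            else:                                         # "203.0.113.5:4711"
                host, _, port = val.rpartition(":")
                if host and port.isdigit():
                    val = host
            addrs.append(val)
    return addrs


def client_ip(remote_addr, headers):
    """Walk the chain from the right, skipping our own proxies; the first
    untrusted hop is the client. Everything to its left was written by that
    untrusted party and is ignored, and if the TCP peer itself is not one of
    our proxies the headers are ignored entirely."""
    if not is_trusted(remote_addr):
        return remote_addr
    h = {k.lower(): v for k, v in headers.items()}
    if "forwarded" in h:
        chain = parse_forwarded_for(h["forwarded"])
    elif "x-forwarded-for" in h:
        chain = [a.strip() for a in h["x-forwarded-for"].split(",") if a.strip()]
    else:
        return remote_addr
    for hop in reversed(chain):
        try:
            trusted = is_trusted(hop)
        except ValueError:            # "unknown", obfuscated or garbage token
            return remote_addr        # do not trust a chain we cannot parse
        if not trusted:
            return hop
    return remote_addr                # every hop was ours: nothing to learn


if __name__ == "__main__":
    # Client forged a leading entry; the proxy at 10.0.0.2 appended the real one.
    print(client_ip("10.0.0.5", {"X-Forwarded-For": "1.1.1.1, 198.51.100.7, 10.0.0.2"}))
```

Taking the leftmost X-Forwarded-For entry, which many frameworks do by default, hands the attacker control over the address that ends up in rate limits, allowlists and audit logs.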
Res (9 headers)

Location [res]: Indicates the URL to redirect to in a 3xx response or the URL of the newly created resource in a 201 response. May be relative. Never populate it from unvalidated request input (open redirect).
Server [res]: Contains information about the software used by the origin server to handle the request. Keep it to a product name without a version to limit fingerprinting.
Set-Cookie [res]: Sends a cookie from the server to the browser. Supports the attributes Expires, Max-Age, Path, Domain, Secure, HttpOnly and SameSite; the __Host- and __Secure- name prefixes make the browser enforce Secure (and, for __Host-, Path=/ and no Domain).
Allow [res]: Lists the HTTP methods supported by a resource; sent with a 405 Method Not Allowed response and in responses to OPTIONS.
Retry-After [res]: Indicates how long the client should wait before a follow-up request, as a number of seconds or an HTTP-date; used with 429 and 503 responses and with some 3xx redirects.
Link [res]: Provides a means for serialising relationships between resources in the header, similar to HTML <link> elements.
Content-Disposition [res]: Indicates whether the content should be displayed inline or downloaded as an attachment with an optional filename; attachment keeps user-uploaded content from rendering in the browser's origin.
Refresh [res]: Instructs the browser to reload the page or navigate to a URL after a given number of seconds. Not part of the HTTP specifications; browsers process it like a meta refresh.
X-Request-ID [both]: A unique identifier for the request, used for tracing and correlating requests across distributed systems. Non-standard; if a client-supplied value is accepted, validate its format before logging it.
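Worked example (added here, not part of the original reference): a parser for Set-Cookie that checks the attributes listed above against what a session cookie should carry, including the __Host- and __Secure- prefix rules under which a browser silently drops the cookie. The three sample headers are constructed.

```python
"""Parsing and auditing Set-Cookie attributes, including the __Host- and
__Secure- prefix rules browsers enforce. Added example with constructed headers."""


def parse_set_cookie(value):
    """Return (name, value, attrs) where attrs maps lower-cased attribute names
    to their (possibly empty) values."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            k, _, v = part.partition("=")
            attrs[k.strip().lower()] = v.strip()
    return name.strip(), cookie_value, attrs


def audit_set_cookie(value, session_cookie=True):
    """Return findings for one Set-Cookie field. session_cookie=True applies the
    stricter expectations for an authentication or session cookie."""
    name, _, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")
    if session_cookie and "httponly" not in attrs:
        findings.append("missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        note = " (None is only accepted with Secure)" if samesite == "none" else ""
        findings.append("SameSite is not Lax or Strict" + note)
    # Prefix rules: a browser rejects the cookie outright when they are violated.
    if name.startswith("__Host-"):
        if "secure" not in attrs or "domain" in attrs or attrs.get("path") != "/":
            findings.append("__Host- prefix requires Secure, Path=/ and no Domain (browser rejects the cookie)")
    elif name.startswith("__Secure-"):
        if "secure" not in attrs:
            findings.append("__Secure- prefix requires Secure (browser rejects the cookie)")
    elif session_cookie and "domain" in attrs:
        findings.append("Domain set: cookie is sent to every subdomain; prefer a host-only __Host- cookie")
    return findings


# Constructed sample headers.
WEAK_COOKIE = "sessionid=abc123; Path=/; Domain=example.com"
BAD_PREFIX_COOKIE = "__Host-sid=abc123; Secure; HttpOnly; SameSite=Strict; Domain=example.com"
HARDENED_COOKIE = "__Host-sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for header in (WEAK_COOKIE, BAD_PREFIX_COOKIE, HARDENED_COOKIE):
        print(header, "->", audit_set_cookie(header) or "ok")
```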
Conn (6 headers)

Connection [both]: Controls whether the network connection stays open after the current transaction (keep-alive or close) and names the other hop-by-hop headers a proxy must strip before forwarding. HTTP/1.x only; forbidden in HTTP/2 and HTTP/3.
Keep-Alive [both]: Controls how long a persistent HTTP/1.x connection should remain open (timeout and max parameters).
Upgrade [both]: Allows the client to list additional protocols it supports (sent with Connection: Upgrade), used to switch to WebSocket; the server answers 101 Switching Protocols.
Transfer-Encoding [both]: Specifies the transfer codings applied to the body between nodes: chunked, compress, deflate, gzip. Chunked must be the last coding, and a message must not carry both Transfer-Encoding and Content-Length: a server receiving both should reject the request or, if it processes it, use Transfer-Encoding and close the connection afterwards, because a proxy and an origin that pick different headers disagree on where the body ends. HTTP/1.1 only.
Trailer [both]: Names the fields the sender will include after the final chunk of a chunked message; recipients may ignore trailers they cannot process.
Via [both]: Added by proxies to record each hop's protocol version and (optionally) its name, tracking forwards and detecting loops.
Body (5 headers)

Accept-Ranges [res]: Indicates whether the server supports range requests for the resource: bytes or none.
Content-MD5 [both, deprecated]: An MD5 digest of the entity body for end-to-end integrity checking. Removed from the HTTP specification in RFC 7231 because of inconsistent implementation (and MD5 is no longer collision resistant); superseded by Digest and later by Content-Digest.
Digest [both]: A digest of the representation (e.g., sha-256=<base64>) for integrity verification of the body, defined by RFC 3230. Obsoleted by RFC 9530, which defines Content-Digest (over the message content) and Repr-Digest (over the representation) in Structured Field syntax, e.g. Content-Digest: sha-256=:<base64>:. The digest detects accidental corruption only: whoever can alter the body can alter the digest, so authenticity needs TLS or HTTP Message Signatures.
Want-Digest [req]: Requests that the server include a Digest field in the response, listing preferred algorithms with quality values. Superseded by Want-Content-Digest and Want-Repr-Digest in RFC 9530.
Max-Forwards [req]: Limits the number of times a request can be forwarded through proxies or gateways, used with TRACE and OPTIONS.
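Worked example (added here, not part of the original reference), covering the Transfer-Encoding / Content-Length entry in the Conn section and the Digest entry above: a strict HTTP/1.1 body framer that decodes chunked bodies, refuses a message carrying both length mechanisms rather than guessing, and then verifies a Digest field in the sha-256=<base64> form this page shows. The parser accepts only a single chunked coding; the requests it is run against are constructed byte strings.

```python
"""HTTP/1.1 body framing (Content-Length vs Transfer-Encoding: chunked) followed
by verification of a Digest field in the sha-256=<base64> form shown on this page.
Added example; the parser is deliberately strict and supports only chunked coding."""
import base64
import hashlib
import hmac


class FramingError(ValueError):
    """Raised for any message this parser refuses to frame."""


def split_headers(raw):
    """Return (start_line, [(lower_name, value), ...], remaining_bytes)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("no end of header section")
    lines = head.split(b"\r\n")
    fields = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise FramingError("malformed header line")
        fields.append((name.strip().lower().decode("ascii"), value.strip().decode("ascii")))
    return lines[0].decode("ascii"), fields, rest


def dechunk(data):
    """Decode a chunked body. Returns (body, bytes_after_the_message)."""
    out = bytearray()
    pos = 0
    try:
        while True:
            line_end = data.index(b"\r\n", pos)
            size = int(data[pos:line_end].split(b";")[0].strip(), 16)  # drop chunk extensions
            pos = line_end + 2
            if size == 0:
                # Trailer section: zero or more fields, then an empty line.
                end = data.index(b"\r\n\r\n", pos - 2)
                return bytes(out), data[end + 4:]
            out += data[pos:pos + size]
            if data[pos + size:pos + size + 2] != b"\r\n":
                raise FramingError("chunk data not terminated by CRLF")
            pos += size + 2
    except FramingError:
        raise
    except ValueError as exc:  # bad hex size or missing CRLF
        raise FramingError(f"malformed chunked body: {exc}") from None


def read_body(raw):
    """Frame one request per RFC 9112 section 6. A message carrying both
    Transfer-Encoding and Content-Length is rejected: two hops that pick
    different headers would disagree on where the body ends."""
    _, fields, rest = split_headers(raw)
    te = [v for n, v in fields if n == "transfer-encoding"]
    cl = [v for n, v in fields if n == "content-length"]
    if te and cl:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",") if c.strip()]
        if codings != ["chunked"]:
            raise FramingError("only a single chunked Transfer-Encoding is accepted")
        body, _ = dechunk(rest)
        return body, fields
    if len(set(cl)) > 1 or any(not v.isdigit() for v in cl):
        raise FramingError("conflicting or non-numeric Content-Length")
    length = int(cl[0]) if cl else 0
    if len(rest) < length:
        raise FramingError("body shorter than Content-Length")
    return rest[:length], fields


def verify_digest(body, fields):
    """Compare a Digest: sha-256=<base64> field with the body. Returns True/False,
    or None when no Digest field is present."""
    value = next((v for n, v in fields if n == "digest"), None)
    if value is None:
        return None
    for item in value.split(","):
        algo, _, b64 = item.strip().partition("=")
        if algo.strip().lower() == "sha-256":
            try:
                expected = base64.b64decode(b64, validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return False
            return hmac.compare_digest(hashlib.sha256(body).digest(), expected)
    return False  # no algorithm we accept (e.g. only md5 offered)


def rejected(raw):
    """True if read_body refuses the message."""
    try:
        read_body(raw)
    except FramingError:
        return True
    return False


# Constructed sample messages.
BODY = b'{"amount": 100}'
DIGEST = base64.b64encode(hashlib.sha256(BODY).digest()).decode()
CHUNKED_REQUEST = (b"POST /transfer HTTP/1.1\r\nHost: api.example.com\r\n"
                   + b"Transfer-Encoding: chunked\r\nDigest: sha-256=" + DIGEST.encode()
                   + b"\r\n\r\n" + b'5\r\n{"amo\r\n' + b'a\r\nunt": 100}\r\n' + b"0\r\n\r\n")
PLAIN_REQUEST = (b"POST /transfer HTTP/1.1\r\nHost: api.example.com\r\nContent-Length: 15\r\n"
                 + b"Digest: sha-256=" + DIGEST.encode() + b"\r\n\r\n" + BODY)
AMBIGUOUS_REQUEST = (b"POST /transfer HTTP/1.1\r\nHost: api.example.com\r\n"
                     + b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    body, fields = read_body(CHUNKED_REQUEST)
    print(body, verify_digest(body, fields), rejected(AMBIGUOUS_REQUEST))
```

Rejecting the ambiguous message is the conservative choice RFC 9112 allows; the alternative (honour Transfer-Encoding, then close the connection) is only safe if every hop in front of the server makes the same choice.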