HTTP Headers Reference

Media types the client can process.

Compression algorithms the client supports.

Preferred natural languages for the response.

Credentials to authenticate the client with the server.

Directives for caching in both requests and responses.

Controls whether the network connection stays open after the transaction.

Size of the request or response body in bytes.

Media type of the resource or request body.

Stored HTTP cookies previously sent by the server.

Domain name and port of the server being requested. Required in HTTP/1.1.

Makes the request conditional — server returns 304 if not modified since this date.

Makes the request conditional based on ETag. Returns 304 if ETag matches.

Indicates the origin of a cross-site request. Used in CORS.

Address of the previous page that linked to the current request.

String identifying the client software making the request.

Identifies the originating IP address of a client behind a proxy or load balancer.

Identifies Ajax requests. Commonly set to XMLHttpRequest by JS frameworks.

Requests only part of a resource (used for resumable downloads).

Indicates expectations the server must meet to handle the request.

Standardized replacement for X-Forwarded-For with proxy information.

Specifies which origins can access the resource in cross-origin requests (CORS).

Specifies HTTP methods allowed in CORS preflight responses.

Specifies headers allowed in CORS requests.

How long (seconds) the CORS preflight response can be cached.

Time in seconds the object has been in a proxy cache.

Lists HTTP methods supported by the resource. Sent with 405 Method Not Allowed.

Indicates if content should be displayed inline or downloaded as an attachment.

Encoding applied to the response body (e.g., gzip).

Natural language(s) of the response content.

Indicates the range of bytes returned in a partial content response.

Identifier for a specific version of a resource. Used for caching and conditional requests.

Date/time after which the response is considered stale.

Date and time the resource was last modified.

URL to redirect the client to. Used with 3xx and 201 responses.

How long to wait before making a new request. Used with 429 and 503 responses.

Information about the server software handling the request.

Sends a cookie from the server to the client.

Encoding used to transfer the payload body (e.g., chunked).

Tells caches which request headers to use when deciding whether a cached response can be used.

Defines the authentication method to access the resource. Sent with 401 responses.

Controls which resources the browser is allowed to load. Primary XSS defense.

Forces browsers to use HTTPS for future requests. Prevents protocol downgrade attacks.

Prevents browsers from MIME-sniffing a response away from the declared content type.

Controls whether the page can be embedded in an iframe. Prevents clickjacking. Superseded by CSP frame-ancestors.

Legacy XSS filter for older browsers. Largely superseded by CSP.

Controls how much referrer information is included with requests.

Controls which browser features and APIs can be used (replaces Feature-Policy).

Isolates the browsing context to prevent cross-origin attacks (required for SharedArrayBuffer).

Prevents loading cross-origin resources without explicit permission.

Prevents other origins from reading the response of the resource.