
HTTP Headers Reference

Searchable HTTP headers reference with security checker

Updated Mar 2026

100% private: runs in your browser


Content-Type
Type: Both | Category: General

Indicates the media type of the resource or the data being sent. For responses it tells the client how to interpret the body; for requests it tells the server the format of the submitted data.

Content-Type: application/json; charset=utf-8

Content-Length
Type: Both | Category: General

Indicates the size of the message body in bytes. Helps the recipient know when the body ends and is required for keep-alive connections when Transfer-Encoding is not used.

Content-Length: 3495

Content-Encoding
Type: Both | Category: General

Specifies the encoding (compression algorithm) applied to the body, so the recipient knows how to decode it. Common values are gzip, deflate, and br (Brotli).

Content-Encoding: gzip

Content-Language
Type: Both | Category: General

Describes the natural language(s) of the intended audience for the message body, useful for content negotiation and accessibility.

Content-Language: en-US

Transfer-Encoding
Type: Both | Category: General

Specifies the transfer encoding applied to the message body between nodes. The most common value is chunked, which allows streaming responses without knowing content length in advance.

Transfer-Encoding: chunked

Connection
Type: Both | Category: General

Controls whether the network connection stays open after the current transaction finishes. Use keep-alive to reuse the connection or close to terminate it.

Connection: keep-alive

Date
Type: Both | Category: General

Contains the date and time at which the message was originated. Servers must send this header in responses; it is expressed in HTTP-date format (RFC 7231).

Date: Wed, 26 Mar 2025 12:00:00 GMT

Via
Type: Both | Category: General

Added by proxies, both forward and reverse, to track message forwarding and avoid request loops. Lists each proxy and the protocol version it used.

Via: 1.1 vegur

Warning (Deprecated)
Type: Both | Category: General

Carries additional information about possible problems with a message that may not be reflected in the status code. Deprecated in favour of including warnings in the response body.

Warning: 110 anderson/1.3.37 "Response is Stale"

Pragma (Deprecated)
Type: Both | Category: General

An HTTP/1.0 header used mainly for backward compatibility. The only defined directive is no-cache, which has the same effect as Cache-Control: no-cache.

Pragma: no-cache

Accept
Type: Request | Category: Request

Tells the server which content types the client can process, specified as MIME types with optional quality factors. The server should respond with one of the accepted types.

Accept: text/html, application/json;q=0.9, */*;q=0.8

Accept-Encoding
Type: Request | Category: Request

Indicates which content-encoding (compression) algorithms the client understands. The server may use any of the listed encodings to compress the response body.

Accept-Encoding: gzip, deflate, br

Accept-Language
Type: Request | Category: Request

Indicates the natural language and locale the client prefers. Servers use this for content negotiation and to serve localised responses when available.

Accept-Language: en-US,en;q=0.9,fr;q=0.7

Accept-Charset (Deprecated)
Type: Request | Category: Request

Advertises which character encodings the client understands. UTF-8 is universally supported so this header is rarely sent by modern browsers.

Accept-Charset: utf-8, iso-8859-1;q=0.5

Host
Type: Request | Category: Request

Specifies the host and port number of the server to which the request is being sent. Required in all HTTP/1.1 requests; used by servers to select the correct virtual host.

Host: developer.mozilla.org

User-Agent
Type: Request | Category: Request

A string that lets servers and network peers identify the application, operating system, vendor, and version of the requesting user agent.

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0

Referer
Type: Request | Category: Request

Contains the URL of the page that linked to the requested resource. Servers use it for analytics and access control. Note: the header name is a historical misspelling of "referrer".

Referer: https://example.com/page.html

Origin
Type: Request | Category: Request

Indicates the origin (scheme, host, port) that caused the request. Sent with cross-origin requests and CORS preflight requests so the server can decide whether to allow access.

Origin: https://developer.mozilla.org

Cookie
Type: Request | Category: Request

Sends stored HTTP cookies previously set by the server via Set-Cookie. Carries all cookies matching the current domain, path, and security attributes.

Cookie: session_id=abc123; theme=dark

Authorization
Type: Request | Category: Authentication

Contains credentials to authenticate the client with the server. The value depends on the authentication scheme — commonly Basic (base64) or Bearer (JWT or OAuth token).

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

If-Match
Type: Request | Category: Request

Makes the request conditional: the server only processes it if the resource's ETag matches one of the listed tags. Commonly used to prevent mid-air collision in concurrent edits.

If-Match: "737060cd8c284d8af7ad3082f209582d"

If-None-Match
Type: Request | Category: Caching

Makes the request conditional: the server returns 304 Not Modified if the resource ETag matches, allowing the client to use its cached copy and saving bandwidth.

If-None-Match: "737060cd8c284d8af7ad3082f209582d"

If-Modified-Since
Type: Request | Category: Caching

Makes the request conditional on the resource having been modified after the specified date. Returns 304 if unchanged, allowing the client to use the cached version.

If-Modified-Since: Wed, 21 Oct 2015 07:28:00 GMT

If-Unmodified-Since
Type: Request | Category: Request

Makes the request conditional: the server processes it only if the resource has not been modified since the given date. Used to prevent overwrites of stale data.

If-Unmodified-Since: Wed, 21 Oct 2015 07:28:00 GMT

Range
Type: Request | Category: Request

Requests only a portion of a resource, enabling partial GET requests. Used for resumable downloads and video streaming. The server responds with 206 Partial Content.

Range: bytes=200-1023

TE
Type: Request | Category: Request

Specifies which transfer encodings the client is willing to accept in the response, and whether it supports chunked transfer with trailers.

TE: trailers, deflate;q=0.5

Expect
Type: Request | Category: Request

Indicates that the client requires particular server behaviours before sending the request body. The only defined value is 100-continue, which asks the server to confirm it will accept the upload.

Expect: 100-continue

From
Type: Request | Category: Request

Contains an internet email address of the human user who controls the requesting user agent, primarily used by web crawlers to allow site operators to contact the bot owner.

From: webmaster@example.com

Max-Forwards
Type: Request | Category: Request

Used with TRACE and OPTIONS methods to limit the number of times the request can be forwarded by proxies. Each proxy decrements the value before forwarding.

Max-Forwards: 10

Proxy-Authorization
Type: Request | Category: Authentication

Contains credentials to authenticate the client with a proxy server, analogous to Authorization but directed at an intermediate proxy rather than the origin server.

Proxy-Authorization: Basic dXNlcjpwYXNzd29yZA==

Upgrade
Type: Request | Category: Request

Allows the client to request a protocol upgrade, for example from HTTP/1.1 to WebSocket. The server confirms with a 101 Switching Protocols response.

Upgrade: websocket

X-Forwarded-For
Type: Request | Category: Request

A de-facto standard header added by proxies and load balancers to identify the originating IP address of the client. Contains a comma-separated list that grows as the request passes through multiple proxies. Because any client can send this header itself, only the entries appended by your own trusted proxies should be relied on for access control or logging.

X-Forwarded-For: 203.0.113.195, 70.41.3.18

X-Requested-With
Type: Request | Category: Request

Identifies Ajax requests. Commonly sent as "XMLHttpRequest" by JavaScript frameworks to distinguish asynchronous requests from full page loads on the server side.

X-Requested-With: XMLHttpRequest

Allow
Type: Response | Category: Response

Lists the HTTP methods supported by the resource. Returned in a 405 Method Not Allowed response to inform the client which methods are valid for this endpoint.

Allow: GET, POST, HEAD

Content-Disposition
Type: Response | Category: Response

Indicates whether the response body should be displayed inline in the browser or treated as an attachment (file download). Also sets the suggested filename for downloads.

Content-Disposition: attachment; filename="report.pdf"

Content-Location
Type: Response | Category: Response

Indicates an alternate location for the returned data, providing a direct URL to the resource when content negotiation is used and the URL differs from the request URL.

Content-Location: /documents/foo.json

Content-Range
Type: Response | Category: Response

Indicates where a partial message body fits within the full resource. Sent with 206 Partial Content responses to tell the client the byte range and total size returned.

Content-Range: bytes 200-1023/146515

ETag
Type: Response | Category: Caching

A unique identifier for a specific version of a resource, typically a hash of the content. Clients store the ETag and send it in If-None-Match on subsequent requests to enable conditional caching.

ETag: "737060cd8c284d8af7ad3082f209582d"

Expires
Type: Response | Category: Caching

Specifies the date and time after which the response is considered stale. Superseded by Cache-Control max-age when both are present. The value 0 or a past date makes the resource immediately stale.

Expires: Thu, 01 Jan 2026 00:00:00 GMT

Last-Modified
Type: Response | Category: Caching

Contains the date and time the server believes the resource was last changed. Used by clients in If-Modified-Since requests for conditional caching.

Last-Modified: Wed, 21 Oct 2015 07:28:00 GMT

Location
Type: Response | Category: Response

Indicates the URL to redirect to for 3xx responses, or the URL of the newly created resource for 201 Created responses.

Location: /new-resource/123

Proxy-Authenticate
Type: Response | Category: Authentication

Defines the authentication method that should be used to gain access to a resource behind a proxy, returned with a 407 Proxy Authentication Required response.

Proxy-Authenticate: Basic realm="Access to internal site"

Retry-After
Type: Response | Category: Response

Indicates how long the client should wait before making a follow-up request. Used with 503 Service Unavailable and 429 Too Many Requests responses.

Retry-After: 120

Server
Type: Response | Category: Response

Contains information about the software used by the origin server to handle the request. Often intentionally vague to avoid revealing exploitable version details.

Server: nginx/1.24.0

Set-Cookie
Type: Response | Category: Response

Sends a cookie from the server to the user agent. Multiple Set-Cookie headers can appear in one response. Supports directives like Secure, HttpOnly, SameSite, Path, Domain, and Max-Age.

Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax

Vary
Type: Response | Category: Response

Indicates which request headers were used by the server to select the response. Caches must store separate variants for each unique combination of the listed header values.

Vary: Accept-Encoding, Accept-Language

WWW-Authenticate
Type: Response | Category: Authentication

Defines the authentication scheme that should be used to access the resource, returned with 401 Unauthorized. Tells the client what credentials format to supply in the Authorization header.

WWW-Authenticate: Bearer realm="example", error="invalid_token"

Age
Type: Response | Category: Caching

Indicates the time in seconds the response has been in a proxy cache. A value of 0 means the response was fetched directly from the origin server.

Age: 24

Alt-Svc
Type: Response | Category: Response

Advertises that another network location (alternative service) can be used to access the same resource, enabling protocol upgrades like HTTP/3 over QUIC.

Alt-Svc: h3=":443"; ma=86400

Strict-Transport-Security
Type: Response | Category: Security

Forces browsers to use HTTPS for all future requests to the domain for the specified duration. Prevents SSL-stripping attacks. The preload directive allows inclusion in browser HSTS preload lists.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Content-Security-Policy
Type: Response | Category: Security

Defines approved sources for content (scripts, styles, images, etc.) that the browser may load. Mitigates XSS and data-injection attacks by blocking content from unapproved origins.

Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com

X-Content-Type-Options
Type: Response | Category: Security

Prevents browsers from MIME-type sniffing — guessing a different content type than the one declared. The only valid value is nosniff, which makes the browser refuse to execute scripts or apply stylesheets whose declared Content-Type does not match the type expected for that use.

X-Content-Type-Options: nosniff

X-Frame-Options
Type: Response | Category: Security

Controls whether the page can be embedded in a frame, iframe, or object. Prevents clickjacking attacks. Superseded by Content-Security-Policy frame-ancestors directive.

X-Frame-Options: DENY

X-XSS-Protection (Deprecated)
Type: Response | Category: Security

Enables the Cross-Site Scripting (XSS) filter built into older browsers. Modern browsers have dropped this feature in favour of Content-Security-Policy; the header is now largely obsolete.

X-XSS-Protection: 1; mode=block

Permissions-Policy
Type: Response | Category: Security

Allows a site to control which browser features and APIs can be used in the page and in iframes, such as camera, microphone, geolocation, and payment requests.

Permissions-Policy: geolocation=(), camera=(), microphone=(self)

Referrer-Policy
Type: Response | Category: Security

Controls how much referrer information is included in the Referer header when navigating or loading resources. Stricter policies protect user privacy by limiting URL leakage.

Referrer-Policy: strict-origin-when-cross-origin

Cross-Origin-Embedder-Policy (Experimental)
Type: Response | Category: Security

Prevents a document from loading cross-origin resources that don't explicitly grant permission. Required (alongside COOP) to enable powerful isolation features like SharedArrayBuffer.

Cross-Origin-Embedder-Policy: require-corp

Cross-Origin-Opener-Policy (Experimental)
Type: Response | Category: Security

Allows you to ensure that a top-level document does not share a browsing context group with cross-origin documents, isolating it from potential Spectre-style attacks.

Cross-Origin-Opener-Policy: same-origin

Cross-Origin-Resource-Policy
Type: Response | Category: Security

Signals that the browser should block no-cors cross-origin or cross-site requests to the resource, preventing cross-origin reads of sensitive resources like images or JSON.

Cross-Origin-Resource-Policy: same-site

Access-Control-Allow-Origin
Type: Response | Category: CORS

Specifies which origin is permitted to access the resource. Use a specific origin for credentialed requests, or * to allow all origins for public resources.

Access-Control-Allow-Origin: https://example.com

Access-Control-Allow-Methods
Type: Response | Category: CORS

Specifies which HTTP methods are allowed in CORS requests to the resource. Returned in preflight (OPTIONS) responses to inform the browser what methods the client may use.

Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS

Access-Control-Allow-Headers
Type: Response | Category: CORS

Indicates which HTTP headers can be used during the actual CORS request. Returned in preflight responses when the request includes Access-Control-Request-Headers.

Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With

Access-Control-Allow-Credentials
Type: Response | Category: CORS

Indicates whether the response can be shared with JavaScript when the request's credentials (cookies, HTTP auth) are included. Must be true for credentialed cross-origin requests to work.

Access-Control-Allow-Credentials: true

Access-Control-Max-Age
Type: Response | Category: CORS

Indicates how long (in seconds) the results of a preflight request can be cached by the browser, avoiding repeated OPTIONS calls for subsequent requests.

Access-Control-Max-Age: 86400

Access-Control-Expose-Headers
Type: Response | Category: CORS

Lists response headers (beyond the CORS-safe-listed defaults) that browsers are allowed to access from JavaScript in a cross-origin context.

Access-Control-Expose-Headers: X-Custom-Header, X-Request-ID

Access-Control-Request-Headers
Type: Request | Category: CORS

Used during a CORS preflight OPTIONS request to tell the server which HTTP headers the actual request will include, so the server can confirm they are permitted.

Access-Control-Request-Headers: Content-Type, Authorization

Access-Control-Request-Method
Type: Request | Category: CORS

Used in CORS preflight OPTIONS requests to notify the server which HTTP method will be used in the actual request, so the server can confirm it is permitted.

Access-Control-Request-Method: POST

Cache-Control
Type: Both | Category: Caching

Holds directives (instructions) for both requests and responses that control caching behaviour in browsers and shared caches (proxies, CDNs). One of the most important headers for web performance.

Cache-Control: max-age=3600, must-revalidate

Clear-Site-Data
Type: Response | Category: Caching

Clears browsing data (cookies, storage, cache) associated with the requesting website. Useful for sign-out flows to ensure all locally stored data is purged.

Clear-Site-Data: "cache", "cookies", "storage"

How to use HTTP Headers Reference

  1. Use the search bar at the top to instantly filter headers by name or description — results update as you type.
  2. Click a category pill (General, Request, Response, Security, CORS, Caching, Authentication) to narrow results to that group.
  3. Use the type tabs (All, Request, Response, Both) to filter by where each header is used in an HTTP exchange.
  4. Click any header card to expand it and reveal the full syntax pattern and additional details.
  5. Click the copy button on a header card to copy the header name to your clipboard for immediate use.
  6. Switch to the Security Checker tab, paste raw HTTP response headers into the text area, and click Analyze.
  7. Review the security score and the list of present (green) vs missing (red) security headers with severity labels.
  8. Switch to the Status Codes tab to browse HTTP status codes by range, or use the search box to find a specific code.
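As an added example (not the site's own checker code), a small Python version of the analysis described in steps 6 and 7: it parses pasted raw response headers, reports present, weak and missing security headers with severity labels, and computes a score. The severity labels, weights and weak-value rules are assumptions chosen here, not the tool's.

```python
"""Minimal security-header checker. Added example; the severity labels,
weights and weak-value rules are assumptions, not the site's own logic."""
from typing import Dict, List, Tuple

# Security headers documented on this page, with an assumed severity each.
CHECKS: List[Tuple[str, str]] = [
    ("strict-transport-security", "high"),
    ("content-security-policy", "high"),
    ("x-content-type-options", "medium"),
    ("x-frame-options", "medium"),
    ("referrer-policy", "low"),
    ("permissions-policy", "low"),
]
WEIGHT = {"high": 3, "medium": 2, "low": 1}  # assumed scoring weights

# Constructed sample of raw response headers, as a user might paste them.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn raw 'Name: value' lines into a lower-cased dict; skips the status line."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def weak_value(name: str, value: str) -> str:
    """Return a reason if the header is present but weakly configured, else ''."""
    v = value.lower()
    if name == "strict-transport-security":
        parts = [p for p in v.replace(" ", "").split(";") if p.startswith("max-age=")]
        if not parts or not parts[0][8:].isdigit():
            return "max-age missing or malformed"
        if int(parts[0][8:]) < 31536000:  # one year, the page's example value
            return "max-age shorter than one year"
    elif name == "content-security-policy":
        for directive in v.split(";"):
            tokens = directive.split()
            if tokens and tokens[0] == "script-src" and "'unsafe-inline'" in tokens:
                return "script-src allows 'unsafe-inline'"
    elif name == "x-content-type-options" and v != "nosniff":
        return "value is not nosniff"
    return ""


def analyze(raw: str) -> Dict[str, object]:
    """Classify each security header as present, weak or missing and score 0-100."""
    headers = parse_headers(raw)
    present, missing, weak = [], [], []
    earned = total = 0
    for name, severity in CHECKS:
        total += WEIGHT[severity]
        if name not in headers:
            missing.append((name, severity))
            continue
        reason = weak_value(name, headers[name])
        if reason:
            weak.append((name, reason))
        else:
            earned += WEIGHT[severity]
            present.append(name)
    return {"present": present, "missing": missing, "weak": weak,
            "score": round(100 * earned / total)}
```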

About HTTP Headers Reference

Complete HTTP headers reference — browse, search, and learn about all standard HTTP request and response headers. Each header includes a description, syntax examples, common values, and browser compatibility notes.

Key Features

  • Complete Reference: All standard HTTP request, response, and entity headers.
  • Search & Filter: Find any header instantly by name or keyword.
  • Categorized: Headers organized by type — authentication, caching, CORS, security, and more.
  • Syntax Examples: Real-world examples for every header with common values.
  • Security Headers: Detailed coverage of CSP, HSTS, X-Frame-Options, and other security headers.

Who Is This For?

Backend developers configuring server responses, frontend developers debugging API calls, DevOps engineers setting up security headers, and students learning HTTP protocol fundamentals.

Privacy & Security

Runs 100% in your browser — no signup, no uploads, no data stored.
