HTTP Headers Reference

Searchable reference of all HTTP request and response headers with descriptions and examples.

51 headers

AcceptRequest

Media types the client can process.

Accept: text/html, application/json

Accept-EncodingRequest

Compression algorithms the client supports.

Accept-Encoding: gzip, deflate, br

Accept-LanguageRequest

Preferred human language for the response.

Accept-Language: en-US, en;q=0.9

AuthorizationRequest

Credentials for authenticating the client.

Authorization: Bearer eyJhbGciOi...

Cache-ControlRequest/Response

Directives for caching in requests and responses.

Cache-Control: no-cache, max-age=3600

ConnectionRequest/Response

Control options for the current connection.

Connection: keep-alive

Content-DispositionResponse

Whether content is displayed inline or downloaded.

Content-Disposition: attachment; filename="file.pdf"

Content-EncodingResponse

Encoding applied to the response body.

Content-Encoding: gzip

Content-LengthRequest/Response

Size of the request or response body in bytes.

Content-Length: 1024

Content-Security-PolicySecurity

Controls resources the browser is allowed to load.

Content-Security-Policy: default-src 'self'

Content-TypeRequest/Response

Media type of the resource.

Content-Type: application/json; charset=utf-8

CookieRequest

Stored HTTP cookies sent by the client.

Cookie: session=abc123; theme=dark

Cross-Origin-Opener-PolicySecurity

Controls sharing of browsing context with cross-origin documents.

Cross-Origin-Opener-Policy: same-origin

Cross-Origin-Resource-PolicySecurity

Controls which origins can read the response.

Cross-Origin-Resource-Policy: same-site

DateResponse

Date and time the message was sent.

Date: Wed, 21 Oct 2024 07:28:00 GMT

ETagResponse

Identifier for a specific version of a resource.

ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"

ExpectRequest

Indicates expectations the server must meet.

Expect: 100-continue

ExpiresResponse

Date after which the response is stale.

Expires: Thu, 01 Dec 2024 16:00:00 GMT

ForwardedRequest

Proxy-added info about the client connection.

Forwarded: for=192.0.2.60; proto=http; by=203.0.113.43

HostRequest

Domain name of the server (required in HTTP/1.1).

Host: www.example.com

If-Modified-SinceRequest

Returns 304 if resource unchanged since given date.

If-Modified-Since: Wed, 21 Oct 2024 07:28:00 GMT

If-None-MatchRequest

Returns 304 if ETag unchanged.

If-None-Match: "33a64df5"

Keep-AliveRequest/Response

Parameters for persistent connections.

Keep-Alive: timeout=5, max=1000

Last-ModifiedResponse

Date the resource was last modified.

Last-Modified: Mon, 14 Oct 2024 00:00:00 GMT

LinkResponse

Typed relationships between a resource and other URIs.

Link: <https://example.com>; rel="canonical"

LocationResponse

URL to redirect the client to (3xx responses).

Location: https://www.example.com/new-page

OriginRequest

Indicates where a fetch originates from.

Origin: https://www.example.com

Permissions-PolicySecurity

Controls browser features and APIs.

Permissions-Policy: geolocation=(), microphone=()

PragmaRequest/Responsedeprecated

HTTP/1.0 cache control (deprecated in favour of Cache-Control).

Pragma: no-cache

Proxy-AuthorizationRequest

Credentials for proxy authentication.

Proxy-Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

RangeRequest

Partial resource request (byte ranges).

Range: bytes=200-1000

RefererRequest

Address of the previous page linking to the request.

Referer: https://www.example.com/page

Referrer-PolicySecurity

Controls how much referrer info is included with requests.

Referrer-Policy: strict-origin-when-cross-origin

Retry-AfterResponse

How long to wait before retrying (429/503 responses).

Retry-After: 120

ServerResponse

Software used by the origin server.

Server: nginx/1.25.0

Set-CookieResponse

Sends a cookie from server to client.

Set-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=Strict

Strict-Transport-SecuritySecurity

Forces HTTPS connections (HSTS).

Strict-Transport-Security: max-age=31536000; includeSubDomains

TERequest

Transfer encodings the client is willing to accept.

TE: trailers, deflate

TrailerResponse

Fields present in the trailer of a chunked message.

Trailer: Expires

Transfer-EncodingResponse

Encoding used to transfer the payload body.

Transfer-Encoding: chunked

UpgradeRequest/Response

Request to switch to a different protocol.

Upgrade: websocket

User-AgentRequest

Browser/client software string.

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)...

VaryResponse

Which request headers affect the cached response.

Vary: Accept-Encoding, Accept-Language

ViaRequest/Response

Proxies through which the request/response passed.

Via: 1.1 proxy.example.com

WWW-AuthenticateResponse

Authentication method the server expects.

WWW-Authenticate: Bearer realm="api"

X-Content-Type-OptionsSecurity

Prevents MIME-type sniffing.

X-Content-Type-Options: nosniff

X-Forwarded-ForRequest

Client IP address when request passes through proxies.

X-Forwarded-For: 203.0.113.195, 70.41.3.18

X-Forwarded-HostRequest

Original host requested by the client.

X-Forwarded-Host: en.wikipedia.org

X-Frame-OptionsSecuritydeprecated

Controls embedding in iframes (use CSP frame-ancestors instead).

X-Frame-Options: DENY

X-Request-IDRequest/Response

Unique identifier for a request for tracing.

X-Request-ID: f058ebd6-02f7-4d3f-942e-904344e8cde5

X-XSS-ProtectionSecuritydeprecated

Legacy XSS filter (deprecated — use CSP instead).

X-XSS-Protection: 1; mode=block