HTTP Headers

HTTP headers are key-value pairs sent between a client and server in HTTP requests and responses. They provide essential information about the request or response, such as content type, encoding, caching policies, and more. Understanding these headers is crucial for web developers, as they can significantly impact how resources are fetched, cached, and displayed.
This guide categorizes HTTP headers, explains their purposes, and provides links to learn more about each header.

HTTP Headers

Here’s a comprehensive list of commonly used HTTP headers, grouped by their primary function:

Authentication

• WWW-Authenticate: Defines the authentication method for accessing a resource.
• Authorization: Carries credentials to authenticate a user agent with a server.
• Proxy-Authenticate: Defines the authentication method for accessing a resource behind a proxy server.
• Proxy-Authorization: Contains credentials to authenticate a user agent with a proxy server.

Caching

• Age: The time, in seconds, an object has been in a proxy cache.
• Cache-Control: Directives for caching mechanisms in both requests and responses.
• Clear-Site-Data: Clears Browse data (cookies, storage, cache) associated with the requesting website.
• Expires: The date/time after which the response is considered stale.
• No-Vary-Search (Experimental): Specifies rules for how a URL’s query parameters affect cache matching.

Conditionals

• Last-Modified: The last modification date of the resource, used for comparisons. Less accurate than ETag but easier to calculate.
• ETag: A unique string identifying the version of the resource.
• If-Match: Makes the request conditional; applies the method only if the stored resource matches one of the given ETags.
• If-None-Match: Makes the request conditional; applies the method only if the stored resource doesn’t match any of the given ETags. Used for cache updates or preventing new resource uploads.
• If-Modified-Since: Makes the request conditional; resource transmitted only if modified after the given date. Used to transmit data only when the cache is out of date.
• If-Unmodified-Since: Makes the request conditional; resource transmitted only if not modified after the given date. Ensures coherence for fragmented resources or optimistic concurrency control.
• Vary: Determines how to match request headers to decide whether a cached response can be used.

Connection Management

• Connection: Controls whether the network connection stays open after the transaction.
• Keep-Alive: Controls how long a persistent connection should stay open.

Content Negotiation

• Accept: Informs the server about the types of data that can be sent back.
• Accept-Encoding: The compression algorithm that can be used on the returned resource.
• Accept-Language: Informs the server about the human language the server is expected to send back.
• Accept-Patch: A request content negotiation response header that advertises which media type the server can understand in a PATCH request.
• Accept-Post: A request content negotiation response header that advertises which media type the server can understand in a POST request.

Controls

• Expect: Indicates expectations that need to be fulfilled by the server to properly handle the request.
• Max-Forwards: When using TRACE, indicates the maximum number of hops the request can do before being reflected.

Cookies

• Cookie: Contains stored HTTP cookies previously sent by the server with Set-Cookie.
• Set-Cookie: Sends cookies from the server to the user agent.

CORS

• Access-Control-Allow-Credentials: Indicates whether the response can be exposed when the credentials flag is true.
• Access-Control-Allow-Headers: Used in response to a preflight request to indicate which HTTP headers can be used in the actual request.
• Access-Control-Allow-Methods: Specifies the methods allowed when accessing the resource in response to a preflight request.
• Access-Control-Allow-Origin: Indicates whether the response can be shared.
• Access-Control-Expose-Headers: Indicates which headers can be exposed as part of the response by listing their names.
• Access-Control-Max-Age: Indicates how long the results of a preflight request can be cached.
• Access-Control-Request-Headers: Used in a preflight request to inform the server about HTTP headers for the actual request.
• Access-Control-Request-Method: Used in a preflight request to inform the server about the HTTP method for the actual request.
• Origin: Indicates where a fetch originates from.
• Timing-Allow-Origin: Specifies origins allowed to see values of attributes retrieved via Resource Timing API features.

Downloads

• Content-Disposition: Indicates if the resource should be displayed inline or handled as a download.

Integrity Digests

• Content-Digest: (Experimental): Provides a digest of the stream of octets framed in an HTTP message.
• Repr-Digest: (Experimental): Provides a digest of the selected representation of the target resource before transmission.
• Want-Content-Digest: (Experimental): States the wish for a Content-Digest header.
• Want-Repr-Digest: (Experimental): States the wish for a Repr-Digest header.

Message Body Information

• Content-Length: The size of the resource in bytes.
• Content-Type: Indicates the media type of the resource.
• Content-Encoding: Specifies the compression algorithm.
• Content-Language: Describes the human language(s) intended for the audience.
• Content-Location: Indicates an alternate location for the returned data.

Preferences

• Prefer: Indicates preferences for specific server behaviors during request processing.
• Preference-Applied: Informs the client which preferences specified in Prefer were applied by the server.

Proxies

• Forwarded: Contains information from the client-facing side of proxy servers.
• Via: Added by proxies (both forward and reverse) and can appear in request and response headers.

Range Requests

• Accept-Ranges: Indicates if the server supports range requests and the unit in which the range can be expressed.
• Range: Indicates the part of a document that the server should return.
• If-Range: Creates a conditional range request fulfilled only if the given ETag or date matches the remote resource.
• Content-Range: Indicates where in a full body message a partial message belongs.

Redirects

• Location: Indicates the URL to redirect a page to.
• Refresh: Directs the browser to reload the page or redirect to another.

Request Context

• From: Contains an Internet email address for a human user who controls the requesting user agent.
• Host: Specifies the domain name of the server and (optionally) the TCP port number.
• Referer: The address of the previous web page from which a link to the currently requested page was followed.
• Referrer-Policy: Governs which referrer information sent in the Referer header should be included.
• User-Agent: Contains a characteristic string identifying the application type, OS, vendor, or version of the requesting software.

Response Context

• Allow: Lists the set of HTTP request methods supported by a resource.
• Server: Contains information about the software used by the origin server.

Security

• Cross-Origin-Embedder-Policy: Allows a server to declare an embedder policy for a document.
• Cross-Origin-Opener-Policy: Prevents other domains from opening/controlling a window.
• Cross-Origin-Resource-Policy: Prevents other domains from reading the response of resources to which this header is applied.
• Content-Security-Policy: Controls resources the user agent is allowed to load for a given page.
• Content-Security-Policy-Report-Only: Allows web developers to experiment with policies by monitoring, but not enforcing, their effects.
• Expect-CTExpect-CT (Deprecated): Lets sites opt in to reporting and enforcement of Certificate Transparency.
• Permissions-Policy: Provides a mechanism to allow and deny the use of browser features.
• Reporting-Endpoints: (Experimental): Response header that allows website owners to specify endpoints for receiving error reports.
• Strict-Transport-Security: Force communication using HTTPS instead of HTTP.
• Upgrade-Insecure-Requests: Sends a signal to the server expressing the client’s preference for an encrypted and authenticated response.
• X-Content-Type-Options: Disables MIME sniffing and forces the browser to use the type given in Content-Type.
• X-Frame-Options: Indicates whether a browser should be allowed to render a page in an <iframe>, <frame>, <embed>, or <object>.
• X-Permitted-Cross-Domain-Policies: Overrides cross-domain policy files to block unwanted requests from clients like Adobe Acrobat or Apache Flex.
• X-Powered-By: May be set by hosting environments or frameworks, but provides no usefulness to the application or visitors. Unset to avoid exposing vulnerabilities.
• X-XSS-Protection: Enables cross-site scripting filtering.

Fetch Metadata Request Headers

These headers provide information about the context from which the request originated, allowing servers to make decisions about whether a request should be allowed.

• Sec-Fetch-Site: Indicates the relationship between a request initiator’s origin and its target’s origin.
• Sec-Fetch-Mode: Indicates the request’s mode to a server.
• Sec-Fetch-User: Indicates whether a navigation request was triggered by user activation.
• Sec-Fetch-Dest: Indicates the request’s destination.

The following headers are not strictly “fetch metadata request headers” but similarly provide context:

• Sec-Purpose: Indicates the purpose of the request, when the purpose is something other than immediate use by the user-agent (e.g., prefetch).
• Service-Worker-Navigation-Preload: A request header sent in preemptive request to Workspace() a resource during service worker boot.

Server-Sent Events

• Reporting-Endpoints: Response header used to specify server endpoints where the browser should send warning and error reports using the Reporting API.
• Report-To: (Deprecated, Non-standard): Response header used to specify server endpoints where the browser should send warning and error reports using the Reporting API.

Transfer Coding

• Transfer-Encoding: Specifies the form of encoding used to safely transfer the resource.
• TE: Specifies the transfer encodings the user agent is willing to accept.
• Trailer: Allows the sender to include additional fields at the end of a chunked message.

WebSockets

Headers used by the WebSockets API in the WebSocket handshake:

• Sec-WebSocket-Accept: Response header indicating that the server is willing to upgrade to a WebSocket connection.
• Sec-WebSocket-Extensions: In requests, indicates supported WebSocket extensions. In responses, indicates the selected extension.
• Sec-WebSocket-Key: Request header containing a key that verifies the client explicitly intends to open a WebSocket.
• Sec-WebSocket-Protocol: In requests, indicates supported sub-protocols. In responses, indicates the selected sub-protocol.
• Sec-WebSocket-Version: In requests, indicates the WebSocket protocol version. In responses, sent only if the requested version isn’t supported and lists supported versions.

Other General Headers

• Alt-Svc: Used to list alternate ways to reach this service.
• Alt-Used: Used to identify the alternative service in use.
• Date: Contains the date and time at which the message originated.
• Link: Provides a means for serializing one or more links in HTTP headers, semantically equivalent to the HTML <link> element.
• Retry-After: Indicates how long the user agent should wait before making a follow-up request.
• Server-Timing: Communicates one or more metrics and descriptions for the given request-response cycle.
• Service-Worker: Included in fetches for a service worker’s script resource for monitoring purposes.
• Service-Worker-Allowed: Used to remove the path restriction by including this header in the response of the Service Worker script.
• SourceMap: Links to a source map so that debuggers can step through original source code.
• Upgrade: This HTTP/1.1 (only) header can be used to upgrade an already established client/server connection to a different protocol.
• Priority: Provides a hint about the priority of a particular resource request on a particular connection.

Experimental Headers

Attribution Reporting Headers

The Attribution Reporting API measures conversions without third-party tracking cookies, relying on these headers to register sources and triggers.

• Attribution-Reporting-Eligible: Indicates that the response is eligible for attribution reporting.
• Attribution-Reporting-Register-Source: Used to register an attribution source.
• Attribution-Reporting-Register-Trigger: Used to register an attribution trigger.

Client Hints

HTTP Client Hints are request headers that provide useful information about the client, allowing servers to optimize what is served. Servers proactively request client hint headers using Accept-CH.

• Accept-CH: Servers advertise support for Client Hints.
• Critical-CH (Experimental): Servers use this with Accept-CH to specify critical client hints.

User Agent Client Hints

These headers provide information about the user agent, its platform, and user preferences.

• Sec-CH-UA (Experimental): User agent’s branding and version.
• Sec-CH-UA-Arch (Experimental): User agent’s underlying platform architecture.
• Sec-CH-UA-Bitness (Experimental): User agent’s underlying CPU architecture bitness.
• Sec-CH-UA-Form-Factors (Experimental): User agent’s form-factors, describing user interaction.
• Sec-CH-UA-Full-Version (Deprecated): User agent’s full version string.
• Sec-CH-UA-Full-Version-List (Experimental): Full version for each brand in the user agent’s brand list.
• Sec-CH-UA-Mobile (Experimental): User agent is running on a mobile device or prefers a “mobile” experience.
• Sec-CH-UA-Model (Experimental): User agent’s device model.
• Sec-CH-UA-Platform (Experimental): User agent’s underlying operating system/platform.
• Sec-CH-UA-Platform-Version (Experimental): User agent’s underlying operating system version.
• Sec-CH-UA-WoW64 (Experimental): Whether the user agent binary is running in 32-bit mode on 64-bit Windows.
• Sec-CH-Prefers-Color-Scheme (Experimental): User’s preference of dark or light color scheme.
• Sec-CH-Prefers-Reduced-Motion (Experimental): User’s preference to see fewer animations and content layout shifts.
• Sec-CH-Prefers-Reduced-Transparency (Experimental): Indicates the user agent’s preference for reduced transparency.

Device Client Hints

• Content-DPR (Deprecated, Non-standard): Response header used to confirm the image device to pixel ratio (DPR).
• Device-Memory: Approximate amount of available client RAM memory.
• DPR (Deprecated, Non-standard): Request header that provides the client device pixel ratio.
• Viewport-Width (Deprecated, Non-standard): Request header provides the client’s layout viewport width in CSS pixels.
• Width (Deprecated, Non-standard): Request header indicates the desired resource width in physical pixels.

Network Client Hints

These allow a server to choose what information is sent based on user choice, network bandwidth, and latency.

• Downlink (Experimental): Approximate bandwidth of the client’s connection to the server, in Mbps.
• ECT (Experimental): The effective connection type that best matches the connection’s latency and bandwidth.
• RTT (Experimental): Application layer round trip time (RTT) in milliseconds.
• Save-Data (Experimental): Indicates the user agent’s preference for reduced data usage.

Compression Dictionary Transport

This method uses a shared compression dictionary to reduce HTTP response transport size.

• Available-Dictionary (Experimental): A browser can use this to indicate the best dictionary it has available for compression.
• Dictionary-ID (Experimental): Used when a browser has a dictionary for a resource and the server provided an ID in Use-As-Dictionary.
• Use-As-Dictionary (Experimental): Lists matching criteria for dictionary use in future requests.

Privacy

• DNT (Deprecated, Non-standard): Request header indicating the user’s tracking preference (Do Not Track).
• Tk (Deprecated, Non-standard): Response header indicating the tracking status for the corresponding request. Used with DNT.
• Sec-GPC (Non-standard, Experimental): Indicates whether the user consents to a website or service selling or sharing their personal information.

Security (Experimental)

• Origin-Agent-Cluster (Experimental): Response header used to indicate that the associated Document should be placed in an origin-keyed agent cluster.

Server-Sent Events (Experimental)

• NEL (Experimental): Defines a mechanism that enables developers to declare a network error reporting policy.

Topics API

The Topics API enables use cases like interest-based advertising.

• Observe-Browse-Topics (Experimental, Non-standard): Response header used to mark topics of interest inferred from a calling site’s URL as observed.
• Sec-Browse-Topics (Experimental, Non-standard): Request header that sends selected topics for the current user, used by ad tech platforms for personalized ads.

Other Experimental Headers

• Accept-Signature (Experimental): A client can send this to indicate intention to take advantage of available signatures and supported signature kinds.
• Early-Data (Experimental): Indicates that the request has been conveyed in TLS early data.
• Set-Login (Experimental): Response header sent by a federated identity provider (IdP) to set its login status.
• Signature (Experimental): Conveys a list of signatures for an exchange.
• Signed-Headers (Experimental): Identifies an ordered list of response header fields to include in a signature.
• Speculation-Rules (Experimental): Provides a list of URLs pointing to text resources containing speculation rule JSON definitions.
• Sec-Speculation-Tags (Experimental): Contains one or more tag values from speculation rules that resulted in the speculation.
• Supports-Loading-Mode (Experimental): Set by a navigation target to opt-in to various higher-risk loading modes.

Non-Standard Headers

• X-Forwarded-For (Non-standard): Identifies the originating IP addresses of a client connecting through an HTTP proxy or load balancer.
• X-Forwarded-Host (Non-standard): Identifies the original host requested by a client connecting to a proxy or load balancer.
• X-Forwarded-Proto (Non-standard): Identifies the protocol (HTTP or HTTPS) a client used to connect to a proxy or load balancer.
• X-DNS-Prefetch-Control (Non-standard): Controls DNS prefetching.
• X-Robots-Tag (Non-standard): Indicates how a web page is to be indexed within public search engine results.