HTTP Header Fields

Content types that are acceptable for the response

Accept: text/plain

Status: Permanent

Character sets that are acceptable

Accept-Charset: utf-8

Status: Permanent

List of acceptable encodings

Accept-Encoding: gzip, deflate

Status: Permanent

List of acceptable human languages for response

Accept-Language: en-US

Status: Permanent

Authentication credentials for HTTP authentication

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Status: Permanent

Used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain

Cache-Control: no-cache

Status: Permanent

What type of connection the user-agent would prefer

Connection: keep-alive

Status: Permanent

The length of the request body in octets (8-bit bytes)

Content-Length: 348

Status: Permanent

A Base64-encoded binary MD5 sum of the content of the request body

Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==

Status: Permanent

The MIME type of the body of the request (used with POST and PUT requests)

Content-Type: application/json

Status: Permanent

The date and time that the message was sent (in HTTP-date format as defined by RFC 2616)

Date: Tue, 15 Nov 1994 08:12:31 GMT

Status: Permanent

Indicates that particular server behaviors are required by the client

Expect: 100-continue

Status: Permanent

The email address of the user making the request

From: user@example.com

Status: Permanent

The domain name of the server (for virtual hosting), and the TCP port number on which the server is listening. The port number may be omitted if the port is the standard port for the service requested. Mandatory since HTTP/1.1. Although domain name are specified as case-insensitive, it is not specified whether the contents of the Host field should be interpreted in a case-insensitive manner and in practice some implementations of virtual hosting interpret the contents of the Host field in a case-sensitive manner

Host: en.wikipedia.org

Status: Permanent

Only perform the action if the client supplied entity matches the same entity on the server. This is mainly for methods like PUT to only update a resource if it has not been modified since the user last updated it

If-Match: "737060cd8c284d8af7ad3082f209582d"

Status: Permanent

Allows a 304 Not Modified to be returned if content is unchanged

If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT

Status: Permanent

Allows a 304 Not Modified to be returned if content is unchanged

If-None-Match: "737060cd8c284d8af7ad3082f209582d"

Status: Permanent

If the entity is unchanged, send me the part(s) that I am missing; otherwise, send me the entire new entity

If-Range: "737060cd8c284d8af7ad3082f209582d"

Status: Permanent

Only send the response if the entity has not been modified since a specific time

If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT

Status: Permanent

Limit the number of times the message can be forwarded through proxies or gateways

Max-Forwards: 10

Status: Permanent

Implementation-specific headers that may have various effects anywhere along the request-response chain

Pragma: no-cache

Status: Permanent

Authorization credentials for connecting to a proxy

Proxy-Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Status: Permanent

Request only part of an entity. Bytes are numbered from 0

Range: bytes=500-999

Status: Permanent

This is the address of the previous web page from which a link to the currently requested page was followed. The word “referrer” is misspelled in the RFC as well as in most implementations

Referer: http://en.wikipedia.org/wiki/Main_Page

Status: Permanent

The transfer encodings the user agent is willing to accept: the same values as for the response header Transfer-Encoding can be used, plus the trailers value (related to the chunked transfer method) to notify the server it expects to receive additional headers (the trailers) after the last, zero-sized, chunk

TE: trailers, deflate

Status: Permanent

The user agent string of the user agent

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36

Status: Permanent

Informs the server of proxies through which the request was sent

Via: 1.0 fred, 1.1 example.com (Apache/1.1)

Status: Permanent

A general warning about possible problems with the entity body

Warning: 199 Miscellaneous warning

Status: Permanent

An HTTP cookie previously sent by the server with Set-Cookie

Cookie: $Version=1; Skin=new;

Status: Permanent - Standard

Initiates a request for cross-origin resource sharing (asks server for an Access-Control-Allow-Origin response header)

Origin: http://www.example-social-network.com

Status: Permanent - Standard

Acceptable version in time

Accept-Datetime: Thu, 31 May 2007 20:35:00 GMT

Status: Provisional

Mainly used to identify Ajax requests. Some JavaScript frameworks send this field with value of XMLHttpRequest, such as jQuery.

• XMLHttpRequest - Ajax request

X-Requested-With: XMLHttpRequest

Content-Types that are acceptable for the response

Accept: text/plain

Status: Permanent

Specifying which web sites can participate in cross-origin resource sharing

Access-Control-Allow-Origin: *

Status: Provisional

Used in redirection, or when a new resource has been created. This refresh redirects after 5 seconds:

Refresh: 5; url=http://www.w3.org/pub/WWW/People.html

Status: Proprietary/non-standard: a header extension introduced by Netscape and supported by most web browsers

Gives the date/time after which the response is considered stale

Expires: Thu, 01 Dec 1994 16:00:00 GMT

Status: Permanent - Standard

An HTTP cookie

Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=

Status: Permanent - Standard

A HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains

Strict-Transport-Security: max-age=16070400; includeSubDomains

Status: Permanent - Standard

Specifies which patch document formats this server supports

Accept-Patch: text/example;charset=utf-8

Status: Permanent

What partial content range types this server supports

Accept-Ranges: bytes

Status: Permanent

The age the object has been in a proxy cache in seconds

Age: 12

Status: Permanent

Valid actions for a specified resource. To be used for a 405 Method not allowed

Allow: GET, HEAD

Status: Permanent

Tells all caching mechanisms from server to client whether they may cache this object. It is measured in seconds

Cache-Control: max-age=3600

Status: Permanent

Options that are desired for the connection

Connection: close

Status: Permanent

The type of encoding used on the data

Content-Encoding: gzip

Status: Permanent

The language the content is in

Content-Language: da

Status: Permanent

The length of the response body in octets (8-bit bytes)

Content-Length: 348

Status: Permanent

An alternate location for the returned data

Content-Location: /index.htm

Status: Permanent

A Base64-encoded binary MD5 sum of the content of the response

Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==

Status: Permanent

An opportunity to raise a "File Download" dialogue box for a known MIME type with binary format or suggest a filename for dynamic content. Quotes are necessary with special characters

Content-Disposition: attachment; filename="fname.ext"

Status: Permanent

Where in a full body message this partial message belongs

Content-Range: bytes 21010-47021/47022

Status: Permanent

The MIME type of this content

Content-Type: text/html; charset=utf-8

Status: Permanent

The date and time that the message was sent (in HTTP-date format as defined by RFC 2616)

Date: Tue, 15 Nov 1994 08:12:31 GMT

Status: Permanent

An identifier for a specific version of a resource, often a message digest

ETag: "737060cd8c284d8af7ad3082f209582d"

Status: Permanent

The last modified date for the requested object (in HTTP-date format as defined by RFC 2616)

Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT

Status: Permanent

Used to express a typed relationship with another resource, where the relation type is defined by RFC 5988

Link: </feed>; rel="alternate"

Status: Permanent

Used in redirection, or when a new resource has been created

Location: http://www.w3.org/pub/WWW/People.html

Status: Permanent

This header is supposed to set P3P policy, in the form of P3P:CP="your_compact_policy". However, P3P did not take off, most browsers have never fully implemented it, a lot of websites set this header with fake policy text, that was enough to fool browsers the existence of P3P policy and grant permissions for third party cookies

P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Status: Permanent

Implementation-specific headers that may have various effects anywhere along the request-response chain

Pragma: no-cache

Status: Permanent

Request authentication to access the proxy

Proxy-Authenticate: Basic

Status: Permanent

If an entity is temporarily unavailable, this instructs the client to try again later. Value could be a specified period of time (in seconds) or a HTTP-date

Retry-After: 120; Retry-After: Fri, 07 Nov 2014 23:59:59 GMT

Status: Permanent

A name for the server

Server: Apache/2.4.1 (Unix)

Status: Permanent

The Trailer general field value indicates that the given set of header fields is present in the trailer of a message encoded with chunked transfer-coding

Trailer: Max-Forwards

Status: Permanent

The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity

Transfer-Encoding: chunked

Status: Permanent

Ask the server to upgrade to another protocol

Upgrade: HTTP/2.0, SHTTP/1.3, IRC/6.9, RTA/x11

Status: Permanent

Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server

Vary: *

Status: Permanent

A general warning about possible problems with the entity body

Warning: 199 Miscellaneous warning

Status: Permanent

Indicates the authentication scheme that should be used to access the requested entity

WWW-Authenticate: Basic

Status: Permanent

The HTTP status of the response

Status: 200 OK

Clickjacking protection:

• deny - no rendering within a frame
• sameorigin - no rendering if origin mismatch

X-Frame-Options: deny

Cross-site scripting (XSS) filter

X-XSS-Protection: 1; mode=block

Content Security Policy definition

X-WebKit-CSP: default-src "self"

The only defined value, nosniff, prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions

X-Content-Type-Options: nosniff

Specifies the technology (e.g. ASP.NET, PHP, JBoss) supporting the web application (version details are often in X-Runtime, X-Version, or X-AspNet-Version)

X-Powered-By: PHP/5.4.0

Recommends the preferred rendering engine (often a backward-compatibility mode) to use to display the content. Also used to activate Chrome Frame in Internet Explorer

X-UA-Compatible: IE=EmulateIE7; X-UA-Compatible: IE=edge; X-UA-Compatible: Chrome=1