List of HTTP response headers

Every HTTP response has a set of headers. This article aims to list all these headers and describe them.

Standard headers

Accept-Patch

Accept-Patch: text/example;charset=utf-8

Specifies the patch document formats supported by this server.

Accept-Ranges

Accept-Ranges: bytes

The partial-content range types this server supports via byte serving.

Age

Age: 12

The age of the object in the proxy cache (in seconds)

Allow

Allow: GET, HEAD

Valid methods for the specified resource. Used with a 405 Method Not Allowed response.

Alt-Svc

Alt-Svc: http/1.1="http2.example.com:8001"; ma=7200

The server uses the "Alt-Svc" header (short for "alternative services") to indicate that its resources can also be accessed at a different network location (host or port) or using a different protocol. When using HTTP/2, the server should send an ALTSVC frame instead.

Cache-Control

Cache-Control: max-age=3600
Cache-Control: no-cache, no-store, max-age=0, must-revalidate

When no-cache is used, the Cache-Control header tells the browser never to use the cached version of the resource without first checking the ETag value.

max-age is given in seconds.

The stricter no-store option tells the browser (and all intermediate network devices) not to even store the resource in its cache:

Cache-Control: no-store

Connection

Connection: close

Control options for the current connection and a list of hop-by-hop response fields. Deprecated in HTTP/2.

Content-Disposition

Content-Disposition: attachment; filename="file.txt"

An opportunity to trigger a "file download" dialog box for a known MIME type in binary format, or to suggest a file name for dynamic content. Quotation marks are required when the file name contains special characters.

Content-Encoding

Content-Encoding: gzip

The type of encoding used on the data. See HTTP compression.

Content-Language

Content-Language: en

One or more natural languages of the intended audience of the accompanying content

Content-Length

Content-Length: 348

The length of the response body, in octets (8-bit bytes).

Content-Location

Content-Location: /index.htm

An alternate location for the returned data.

Content-Range

Content-Range: bytes 21010-47021/47022

Where in the full body message this partial message belongs.

Content-Type

Content-Type: text/html; charset=utf-8

MIME type of this content

Date

Date: Tue, 15 Nov 1994 08:12:31 GMT

The date and time the message was sent (using the "HTTP Date" format defined by RFC 7231)

Delta-Base

Delta-Base: "abc"

Specifies the delta-encoding entity tag of the response.

ETag

ETag: "737060cd8c284d8a[...]"

Identifier for the specific version of the resource, usually a message digest

Expires

Expires: Sat, 01 Dec 2018 16:00:00 GMT

Gives the date/time after which the response is considered stale (using the "HTTP-Date" format defined by RFC 7231).

IM

IM: feed

Instance manipulations applied to the response.

Last-Modified

Last-Modified: Mon, 15 Nov 2017 12:00:00 GMT

The last modification date of the requested object (using the "HTTP Date" format defined by RFC 7231)

Link

Link: </feed>; rel="alternate"

Used to express a typed relationship with another resource, where the relation type is defined by RFC 5988

Location

Location: /pub/WWW/People.html

Used for redirection, or when creating new resources

Pragma

Pragma: no-cache

Implementation-specific fields may have various effects anywhere in the request-response chain.

Proxy-Authenticate

Proxy-Authenticate: Basic

Request authentication to access the proxy

Public-Key-Pins

HTTP Public Key Pinning: announces the hash value of the website's authentic TLS certificate.

Retry-After

Retry-After: 120
Retry-After: Fri, 07 Nov 2014 23:59:59 GMT

If the entity is temporarily unavailable, this instructs the client to try again later. The value can be a period of time (in seconds) or an HTTP date.

Server

Server: Apache/2.4.1 (Unix)

A name for the server.

Set-Cookie

Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=1

An HTTP cookie.

Strict-Transport-Security

Strict-Transport-Security: max-age=16070400; includeSubDomains

An HSTS policy informing the HTTP client how long to cache the HTTPS-only policy and whether the policy applies to subdomains.

Trailer

Trailer: Max-Forwards

The Trailer general field value indicates that the given set of header fields is present in the trailer of a message encoded with chunked transfer coding.

Transfer-Encoding

Transfer-Encoding: chunked

The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity. Deprecated in HTTP/2

Tk

Tk: ?

Tracking status header; it is recommended to send the value in response to DNT (do not track). Possible values:

  • "!": under construction
  • "?": dynamic
  • "G": gateway to multiple parties
  • "N": not tracking
  • "T": tracking
  • "C": tracking with consent
  • "P": tracking only with consent
  • "D": ignoring DNT
  • "U": updated

Upgrade

Upgrade: h2c, HTTPS/1.3, IRC/6.9, RTA/x11, websocket

Asks the client to upgrade to another protocol. Deprecated in HTTP/2.

Vary

Vary: Accept-Language
Vary: *

Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server.

Via

Via: 1.0 fred, 1.1 example.com (Apache/1.1)

Informs the client of the proxies through which the response was sent.

Warning

Warning: 199 Miscellaneous warning

A general warning about possible problems with the entity body.

WWW-Authenticate

WWW-Authenticate: Basic

Indicates the authentication scheme that should be used to access the requested entity.

CORS headers

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Expose-Headers
  • Access-Control-Max-Age
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers

Non-standard headers:

Content-Security-Policy

Helps prevent XSS attacks. For more details, see MDN.

Refresh

Refresh: 10;http://www.example.org/

Redirects to the given URL after the specified delay, in seconds.

X-Powered-By

X-Powered-By: Brain/0.6b

The server can use it to send its name and version

X-Request-ID

Allows the server to pass a request ID that the client can send back, so that the server can correlate requests.

X-UA-Compatible

Sets which version of the Internet Explorer compatibility layer should be used. Use it only when you need to support IE8 or IE9. See StackOverflow.

X-XSS-Protection

Now superseded by the Content-Security-Policy header; used in older browsers to stop page loading when an XSS attack is detected.
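
An added example (not part of the original article): a small Python audit that applies the behaviour described above for Cache-Control, Strict-Transport-Security, Server, X-Powered-By and X-XSS-Protection to one response's headers. The finding names, the 180-day HSTS floor and the sample input are assumptions made for this illustration.

```python
# Constructed sample response headers (values reuse the page's own examples).
SAMPLE = """\
Cache-Control: max-age=3600
Server: Apache/2.4.1 (Unix)
X-Powered-By: Brain/0.6b
Strict-Transport-Security: max-age=3600
X-XSS-Protection: 1; mode=block
"""
MIN_HSTS_AGE = 15552000  # assumed policy floor (180 days), not from the page

def parse_headers(raw):
    """Return {lowercased-name: [values]}; repeated headers keep every value."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip():
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def directives(value, sep):
    """Split 'a=1<sep> b' into {name: value-or-None}, names case-insensitive."""
    out = {}
    for part in value.split(sep):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip().lower()] = val.strip().strip('"') or None
    return out

def audit(raw, sensitive=True):
    """Return sorted finding codes for one response's headers."""
    h, findings = parse_headers(raw), set()
    cache = directives(",".join(h.get("cache-control", [])), ",")
    if sensitive and "no-store" not in cache:  # only no-store forbids storing
        findings.add("sensitive-response-storable")
    sts = h.get("strict-transport-security")
    if not sts:
        findings.add("hsts-missing")
    else:
        hsts = directives(sts[0], ";")  # clients process only the first one
        age = hsts.get("max-age") or ""
        if not age.isdigit() or int(age) < MIN_HSTS_AGE:
            findings.add("hsts-short-max-age")
        if "includesubdomains" not in hsts:
            findings.add("hsts-no-subdomains")
    # Heuristic: a digit in the value is treated as a disclosed version.
    findings.update("version-disclosure:" + n for n in ("server", "x-powered-by")
                    if any(c.isdigit() for v in h.get(n, []) for c in v))
    if "x-xss-protection" in h and "content-security-policy" not in h:
        findings.add("legacy-xss-header-without-csp")
    return sorted(findings)
```

Call audit(SAMPLE) to get the findings for the sample; pass sensitive=False for responses that are meant to be cached, such as static assets.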

