List of HTTP response headers

Every HTTP response has a set of headers. This article aims to list all these headers and describe them.


Standard headers


Accept-Patch: text/example;charset=utf-8

Specifies which patch document formats this server supports


Accept-Ranges: bytes

Which partial content range types this server supports via byte serving


Age: 12

The age of the object in the proxy cache (in seconds)


Allow: GET, HEAD

Valid methods for the specified resource. To be used with a 405 Method Not Allowed response


Alt-Svc: http/1.1= ""; ma=7200

The server uses the "Alt-Svc" header (meaning Alternative Services) to indicate that its resources can also be accessed at a different network location (host or port) or using a different protocol. When using HTTP/2, the server should send an ALTSVC frame instead


Cache-Control: max-age=3600
Cache-Control: no-cache, no-store, max-age=0, must-revalidate

When no-cache is used, the Cache-Control header tells the browser never to use the cached version of the resource without first checking the ETag value.

max-age is expressed in seconds.

The stricter no-store option tells the browser (and all intermediate network devices) not to even store the resource in its cache:

Cache-Control: no-store


Connection: close

Control options for the current connection and list of hop-by-hop response fields. Deprecated in HTTP/2


Content-Disposition: attachment; filename="file.txt"

Can be used to trigger a "file download" dialog box for a known MIME type in binary format, or to suggest a file name for dynamic content. Quotation marks are required when the value contains special characters


Content-Encoding: gzip

The type of encoding used on the data. See HTTP compression


Content-Language: en

One or more natural languages of the intended audience of the accompanying content


Content-Length: 348

The length of the response body, expressed in 8-bit bytes


Content-Location: /index.htm

An alternate location for the returned data


Content-Range: bytes 21010-47021/47022

Where in the full body message this partial message belongs


Content-Type: text/html; charset=utf-8

MIME type of this content


Date: Tue, 15 Nov 1994 08:12:31 GMT

The date and time the message was sent (using the "HTTP Date" format defined by RFC 7231)


Delta-Base: "abc"

Specifies the delta-encoding entity tag of the response


ETag: "737060cd8c284d8a[...]"

Identifier for the specific version of the resource, usually a message digest


Expires: Sat, 01 Dec 2018 16:00:00 GMT

Give the date/time when the response is considered obsolete (using the "HTTP-Date" format defined by RFC 7231)


IM: feed

Instance manipulations applied to the response


Last-Modified: Mon, 15 Nov 2017 12:00:00 GMT

The last modification date of the requested object (using the "HTTP Date" format defined by RFC 7231)

Link: </feed>; rel="alternate"

Used to express a typed relationship with another resource, where the relation type is defined by RFC 5988


Location: /pub/WWW/People.html

Used for redirection, or when creating new resources


Pragma: no-cache

Implementation-specific fields may have various effects anywhere in the request-response chain.


Proxy-Authenticate: Basic

Request authentication to access the proxy


HTTP Public Key Pinning: announces the hash of the website's authentic TLS certificate


Retry-After: 120
Retry-After: Fri, 07 Nov 2014 23:59:59 GMT

If the entity is temporarily unavailable, this instructs the client to try again later. The value can be a specified period of time (in seconds) or an HTTP date


Server: Apache/2.4.1 (Unix)

A name for the server

Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=1

HTTP cookie


Strict-Transport-Security: max-age=16070400; includeSubDomains

HSTS policy, informing the HTTP client how long to cache the HTTPS-only policy and whether the policy also applies to subdomains


Trailer: Max-Forwards

The Trailer general field value indicates that the given set of header fields is present in the trailer of a message encoded with chunked transfer coding


Transfer-Encoding: chunked

The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity. Deprecated in HTTP/2


Tk: ?

Tracking status header; the value is suggested to be sent in response to DNT (do not track). Possible values:

  • "!" - 🚧 under construction 🚧
  • "?" - dynamic
  • "G" - gateway to multiple parties
  • "N" - not tracking
  • "T" - tracking
  • "C" - tracking with consent
  • "P" - tracking only with consent
  • "D" - ignoring DNT
  • "U" - updated


Upgrade: h2c, HTTPS/1.3, IRC/6.9, RTA/x11, websocket

Ask the client to upgrade to another protocol. Deprecated in HTTP/2


Vary: Accept-Language
Vary: *

Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server


Via: 1.0 fred, 1.1 (Apache/1.1)

Informs the client of the proxies through which the response was sent


Warning: 199 Miscellaneous warning

General warning about possible problems with the entity


WWW-Authenticate: Basic

Indicates the authentication scheme that should be used to access the requested entity


  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Expose-Headers
  • Access-Control-Max-Age
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers

Non-standard headers:


Helps prevent XSS attacks. For more details, see MDN


Refresh: 10;

Redirect to URL after arbitrary delay in seconds


X-Powered-By: Brain/0.6b

The server can use it to send its name and version


Allow the server to pass the request ID that the client can send back, so that the server can associate the request


Sets which version of the Internet Explorer compatibility layer should be used. Use it only when you need to support IE8 or IE9. See StackOverflow


Now replaced by the Content-Security-Policy header; used in older browsers to stop page loading when an XSS attack is detected
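
Several of the headers listed above (Strict-Transport-Security, Cache-Control, Server, X-Powered-By, Content-Security-Policy) can be checked mechanically on a response. The following audit is an added example, not part of the original article; the finding names, the sample response and the rule that a response setting a cookie should carry no-store are assumptions of this example.

```python
import re

# Constructed sample response head built from the example values in this list.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.1 (Unix)\r\n"
    "X-Powered-By: Brain/0.6b\r\n"
    "Cache-Control: max-age=3600\r\n"
    "Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=1\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
)

def parse_head(raw):
    """Return {lowercased-name: [values]}; header names are case-insensitive."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                        # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def directives(values, sep):
    """Split a directive list into {lowercased-directive: argument-or-None}."""
    out = {}
    for part in sep.join(values).split(sep):
        key, eq, arg = part.strip().partition("=")
        if key:
            out[key.lower()] = arg.strip('"') if eq else None
    return out

def audit(raw):
    """Return a sorted list of finding names (hypothetical labels)."""
    h, findings = parse_head(raw), []
    hsts = directives(h.get("strict-transport-security", []), ";")
    if not (hsts.get("max-age") or "").isdigit() or int(hsts["max-age"]) == 0:
        findings.append("hsts-missing-or-disabled")    # max-age=0 clears the policy
    cc = directives(h.get("cache-control", []), ",")
    # Assumption: a response that sets a cookie is per-user and should not be stored.
    if "set-cookie" in h and "no-store" not in cc:
        findings.append("cookie-response-storable")
    for name in ("server", "x-powered-by"):
        if any(re.search(r"/\d", v) for v in h.get(name, [])):
            findings.append(name + "-discloses-version")
    if "content-security-policy" not in h:
        findings.append("no-content-security-policy")
    return sorted(findings)
```

Calling audit(SAMPLE) reports all five findings; a response with a bare Server name, no-store, a non-zero HSTS max-age and a Content-Security-Policy header returns an empty list.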
