Each HTTP response can have a set of headers.
This article aims to list all these headers and describe them.
- Standard header
Accept-Patch
Accept-Ranges
Age
Allow
Alt-Svc
Cache-Control
Connection
Content-Disposition
Content-Encoding
Content-Language
Content-Length
Content-Location
Content-Range
Content-Type
Date
Delta-Base
ETag
Expires
IM
Last-Modified
Link
Location
Pragma
Proxy-Authenticate
Public-Key-Pins
Retry-After
Server
Set-Cookie
Strict-Transport-Security
Trailer
Transfer-Encoding
Tk
Upgrade
Vary
Via
Warning
WWW-Authenticate
- CORS header
- Non-standard header:
Standard header
Accept-Patch
Accept-Patch: text/example;charset=utf-8
Specifies which patch document formats this server supports.
Accept-Ranges
Accept-Ranges: bytes
Which partial content range types this server supports via byte serving.
Age
Age: 12
How long the object has been in a proxy cache, in seconds.
Allow
Allow: GET, HEAD
The valid methods for the specified resource. Sent with a 405 Method Not Allowed response.
Alt-Svc
Alt-Svc: http/1.1="http2.example.com:8001"; ma=7200
A server uses "Alt-Svc" (alternative services) to indicate that its resources can also be accessed at a different network location (host or port) or over a different protocol. When using HTTP/2, servers should instead send an ALTSVC frame.
Cache-Control
Cache-Control: max-age=3600
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
With no-cache, the Cache-Control header tells the browser never to use a cached version of the resource without first checking its ETag value.
max-age is expressed in seconds.
The stricter no-store option tells the browser (and every intermediate network device) not even to store the resource in its cache:
Cache-Control: no-store
Connection
Connection: close
Control options for the current connection and list of hop-by-hop response fields. Deprecated in HTTP/2
Content-Disposition
Content-Disposition: attachment; filename="file.txt"
An opportunity to raise a "File Download" dialog box for a known MIME type with binary format, or to suggest a filename for dynamic content. Quotes are necessary when the filename contains special characters.
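When the filename comes from user input, quoting is not the only concern: a CR/LF in the value would end the header line, and a path in it leaks into the client's save dialog. Here is an added example (not code from the original article) of a builder that handles both, with an ASCII `filename` for old clients and an RFC 8187 `filename*` for non-ASCII names. The function name and the assumption that `filename` originates from an upload are this example's own.

```javascript
// RFC 8187 ext-value: percent-encode everything outside attr-char.
// encodeURIComponent leaves ! ' ( ) * unescaped, but only "!" is an attr-char.
function encodeRFC8187(s) {
  return encodeURIComponent(s).replace(/['()*]/g, (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// filename: untrusted, e.g. the name a user gave an upload (assumed origin).
function contentDisposition(filename, type = "attachment") {
  if (type !== "attachment" && type !== "inline") {
    throw new Error("disposition type must be attachment or inline");
  }
  // Keep only the last path segment and drop control characters: a CR/LF in the value
  // would terminate the header line and let the caller inject further headers.
  const base = filename.split(/[\\/]/).pop().replace(/[\x00-\x1f\x7f]/g, "");
  if (base === "" || base === "." || base === "..") throw new Error("unusable filename");
  // Legacy parameter: ASCII only, with '"' and '\' escaped inside the quoted-string.
  const ascii = base.replace(/[^\x20-\x7e]/g, "_").replace(/["\\]/g, "\\$&");
  let value = `${type}; filename="${ascii}"`;
  // Non-ASCII names additionally get filename* so modern clients see the real name.
  if (/[^\x20-\x7e]/.test(base)) {
    value += `; filename*=UTF-8''${encodeRFC8187(base)}`;
  }
  return value;
}
```

Usage: `res.setHeader("Content-Disposition", contentDisposition(uploadedName))`. Clients that understand `filename*` prefer it over `filename`, so the underscore-substituted ASCII form is only seen by clients that cannot display the real name anyway.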
Content-Encoding
Content-Encoding: gzip
The type of encoding used on the data. See HTTP compression
Content-Language
Content-Language: en
One or more natural languages of the intended audience of the accompanying content
Content-Length
Content-Length: 348
The length of the response body, expressed in 8-bit bytes
Content-Location
Content-Location: /index.htm
An alternate location for the returned data.
Content-Range
Content-Range: bytes 21010-47021/47022
Where in a full body message this partial message belongs.
Content-Type
Content-Type: text/html; charset=utf-8
MIME type of this content
Date
Date: Tue, 15 Nov 1994 08:12:31 GMT
The date and time at which the message was sent (in the "HTTP-date" format defined by RFC 7231).
Delta-Base
Delta-Base: "abc"
Specifies the delta-encoding entity tag of the response.
ETag
ETag: "737060cd8c284d8a[...]"
Identifier for the specific version of the resource, usually a message digest
Expires
Expires: Sat, 01 Dec 2018 16:00:00 GMT
Gives the date/time after which the response is considered stale (in the "HTTP-date" format defined by RFC 7231).
IM
IM: feed
Instance-manipulations applied to the response.
Last-Modified
Last-Modified: Mon, 15 Nov 2017 12:00:00 GMT
The last modified date for the requested object (in the "HTTP-date" format defined by RFC 7231).
Link
Link: </feed>; rel="alternate"
Used to express a typed relationship with another resource, where the relation type is defined by RFC 5988
Location
Location: /pub/WWW/People.html
Used in redirection, or when a new resource has been created.
Pragma
Pragma: no-cache
Implementation-specific fields may have various effects anywhere in the request-response chain.
Proxy-Authenticate
Proxy-Authenticate: Basic
Request authentication to access the proxy
Public-Key-Pins
HTTP Public Key Pinning: announces the hash of the website's authentic TLS certificate. Deprecated, and current browsers no longer enforce it.
Retry-After
Retry-After: 120
Retry-After: Fri, 07 Nov 2014 23:59:59 GMT
If the entity is temporarily unavailable, this will instruct the client to try again later. The value can be a specified time period (in seconds) or HTTP date
Server
Server: Apache/2.4.1 (Unix)
A name for the server.
Set-Cookie
Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=1
HTTP cookie
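The example above shows only the cookie and its lifetime; in practice the attributes around it (Secure, HttpOnly, SameSite, the __Host- prefix) are what a security review looks at. The following is an added example (not code from the original article) of a Set-Cookie serializer that emits those attributes, rejects combinations browsers will refuse, and keeps injected CR/LF out of the header. The function names and option names are this example's own; the cookie values are constructed.

```javascript
const SAME_SITE = { strict: "Strict", lax: "Lax", none: "None" };

// attrs: { maxAge, expires, domain, path, secure, httpOnly, sameSite } (assumed option names).
function serializeCookie(name, value, attrs = {}) {
  // RFC 6265 cookie-name is a token: no separators, whitespace or control characters.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error("invalid cookie name");
  // cookie-value may not contain control chars, whitespace, '"', ',', ';' or '\'.
  // Percent-encoding keeps arbitrary data (and any injected CR/LF) inside the value.
  const parts = [`${name}=${encodeURIComponent(value)}`];

  if (attrs.maxAge !== undefined) {
    if (!Number.isInteger(attrs.maxAge)) throw new Error("Max-Age must be an integer");
    parts.push(`Max-Age=${attrs.maxAge}`);
  }
  if (attrs.expires instanceof Date) parts.push(`Expires=${attrs.expires.toUTCString()}`);
  if (attrs.domain !== undefined) {
    if (!/^[A-Za-z0-9.-]+$/.test(attrs.domain)) throw new Error("invalid Domain");
    parts.push(`Domain=${attrs.domain}`);
  }
  if (attrs.path !== undefined) {
    if (/[;\x00-\x1f\x7f]/.test(attrs.path)) throw new Error("invalid Path");
    parts.push(`Path=${attrs.path}`);
  }
  if (attrs.secure) parts.push("Secure");
  if (attrs.httpOnly) parts.push("HttpOnly");
  if (attrs.sameSite !== undefined) {
    const mode = SAME_SITE[String(attrs.sameSite).toLowerCase()];
    if (!mode) throw new Error("SameSite must be Strict, Lax or None");
    // Browsers reject SameSite=None cookies that are not also Secure.
    if (mode === "None" && !attrs.secure) throw new Error("SameSite=None requires Secure");
    parts.push(`SameSite=${mode}`);
  }
  // Cookie prefixes (draft RFC 6265bis): browsers enforce these, so fail early on the server.
  if (name.startsWith("__Secure-") && !attrs.secure) {
    throw new Error("__Secure- cookies must be Secure");
  }
  if (name.startsWith("__Host-") && (!attrs.secure || attrs.domain !== undefined || attrs.path !== "/")) {
    throw new Error("__Host- cookies must be Secure, have Path=/ and no Domain");
  }
  return parts.join("; ");
}

// A session cookie with the attributes a reviewer looks for.
function sessionCookie(sessionId) {
  return serializeCookie("__Host-session", sessionId, {
    path: "/", secure: true, httpOnly: true, sameSite: "strict", maxAge: 3600,
  });
}
```

Usage: `res.setHeader("Set-Cookie", sessionCookie(id))`. The __Host- prefix is what stops a cookie set by another host or subdomain from shadowing the session cookie, which is why the serializer refuses to emit it without Secure and Path=/.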
Strict-Transport-Security
Strict-Transport-Security: max-age=16070400; includeSubDomains
An HSTS policy, informing the HTTP client how long to cache the HTTPS-only policy and whether it also applies to subdomains.
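The useful part of HSTS is what the client does with the header: it must only believe it when received over TLS, remember the host for max-age seconds, and rewrite later http:// URLs to https://. The following is an added example (not code from the original article, and not any browser's implementation) of that logic: a parser that rejects malformed headers and a small policy store with injectable time so expiry can be exercised. Class and method names are this example's own; the hosts are constructed.

```javascript
// Parse the header value; returns null when it is invalid and must be ignored.
function parseHSTS(headerValue) {
  const directives = new Map();
  for (const piece of headerValue.split(";")) {
    const eq = piece.indexOf("=");
    const key = (eq === -1 ? piece : piece.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : piece.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (key === "") continue;
    // RFC 6797 section 6.1: a directive may appear only once; otherwise the header is invalid.
    if (directives.has(key)) return null;
    directives.set(key, val);
  }
  const maxAge = directives.get("max-age");
  // max-age is required and must be a non-negative integer.
  if (typeof maxAge !== "string" || !/^\d+$/.test(maxAge)) return null;
  return {
    maxAge: Number(maxAge),
    includeSubDomains: directives.has("includesubdomains"),
    preload: directives.has("preload"),
  };
}

// Minimal client-side policy store; `now` is injectable so expiry can be tested.
class HSTSStore {
  constructor(now = () => Date.now()) {
    this.entries = new Map();
    this.now = now;
  }

  // RFC 6797 section 8.1: only a header received over an error-free TLS connection counts.
  // Otherwise a network attacker on plain HTTP could set or clear the policy.
  observe(host, headerValue, overTLS) {
    if (!overTLS) return false;
    const policy = parseHSTS(headerValue);
    if (policy === null) return false;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) {
      this.entries.delete(key); // max-age=0 tells the client to forget the host
    } else {
      this.entries.set(key, {
        expires: this.now() + policy.maxAge * 1000,
        includeSubDomains: policy.includeSubDomains,
      });
    }
    return true;
  }

  // True when an http:// URL for this host must be rewritten to https:// before being sent.
  mustUpgrade(host) {
    const labels = host.toLowerCase().split(".");
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      const entry = this.entries.get(candidate);
      if (entry === undefined) continue;
      if (entry.expires <= this.now()) {
        this.entries.delete(candidate);
        continue;
      }
      // An exact match always applies; a superdomain match applies only with includeSubDomains.
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }
}
```

The first visit is still unprotected (nothing is in the store yet), which is the gap the `preload` directive and browser preload lists exist to close.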
Trailer
Trailer: Max-Forwards
The Trailer general field value indicates that the given set of header fields is present in the trailer of a message encoded with chunked transfer coding.
Transfer-Encoding
Transfer-Encoding: chunked
The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity. Deprecated in HTTP/2
Tk
Tk: ?
Tracking status header, proposed as a response to DNT (Do Not Track). Possible values: "!" - under construction, "?" - dynamic, "G" - gateway to multiple parties, "N" - not tracking, "T" - tracking, "C" - tracking with consent, "P" - tracking only if consented, "D" - disregarding DNT, "U" - updated.
Upgrade
Upgrade: h2c, HTTPS/1.3, IRC/6.9, RTA/x11, websocket
Ask the client to upgrade to another protocol. Deprecated in HTTP/2
Vary
Vary: Accept-Language
Vary: *
Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server.
Via
Via: 1.0 fred, 1.1 example.com (Apache/1.1)
Informs the client of the proxies through which the response was sent.
Warning
Warning: 199 Miscellaneous warning
General warning about possible problems with the entity
WWW-Authenticate
WWW-Authenticate: Basic
Indicates the authentication scheme that should be used to access the requested entity.
CORS header
Access-Control-Allow-Origin
Access-Control-Allow-Credentials
Access-Control-Expose-Headers
Access-Control-Max-Age
Access-Control-Allow-Methods
Access-Control-Allow-Headers
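The list above is just the names; the mistakes happen in how they are combined. Here is an added example (not code from the original article) of the server side: an exact-match origin allow-list, the preflight branch that checks the requested method and headers, and the rules that matter for security: never reflect an arbitrary Origin, never pair a wildcard with credentials, and always send Vary: Origin so a shared cache does not serve one origin's answer to another. The allow-lists, the request shape (`{ method, headers }` with lower-case header names) and the function names are this example's own.

```javascript
// Constructed allow-lists for the example.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "DELETE"];
const ALLOWED_REQUEST_HEADERS = ["content-type", "authorization"];

// A CORS preflight is an OPTIONS request announcing the method the real request will use.
function isPreflight(req) {
  return req.method === "OPTIONS" && req.headers["access-control-request-method"] !== undefined;
}

// Returns { allowed, preflight, headers }; the caller sets the headers and, for a
// rejected preflight, answers without them so the browser blocks the real request.
function corsHeaders(req, opts = {}) {
  const { allowCredentials = true, exposeHeaders = ["X-Request-ID"], maxAge = 600 } = opts;
  const origin = req.headers["origin"];
  // Vary: Origin goes on every response: the answer depends on the requesting origin.
  const headers = { "vary": "Origin" };

  // No Origin header: same-origin or a non-browser client, nothing to add.
  if (origin === undefined) return { allowed: true, preflight: false, headers };

  // Exact-match allow-list. Never echo the Origin blindly; the literal "null" origin
  // (sandboxed iframes, file://) is not in the list and so is rejected like any other.
  if (!ALLOWED_ORIGINS.has(origin)) return { allowed: false, preflight: isPreflight(req), headers };

  headers["access-control-allow-origin"] = origin;
  // Browsers refuse credentials with "*", so a credentialed API must echo a specific origin.
  if (allowCredentials) headers["access-control-allow-credentials"] = "true";

  if (isPreflight(req)) {
    const method = req.headers["access-control-request-method"].toUpperCase();
    const wanted = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(method) &&
      wanted.every((h) => ALLOWED_REQUEST_HEADERS.includes(h));
    if (!ok) return { allowed: false, preflight: true, headers };
    headers["access-control-allow-methods"] = ALLOWED_METHODS.join(", ");
    headers["access-control-allow-headers"] = ALLOWED_REQUEST_HEADERS.join(", ");
    // How long the browser may cache this preflight result, in seconds.
    headers["access-control-max-age"] = String(maxAge);
    return { allowed: true, preflight: true, headers };
  }

  // Actual request: name the non-safelisted response headers scripts may read.
  if (exposeHeaders.length > 0) headers["access-control-expose-headers"] = exposeHeaders.join(", ");
  return { allowed: true, preflight: false, headers };
}
```

Because the allow-list is checked with `Set.has`, an origin such as `https://app.example.com.attacker.net` or `https://evil-app.example.com` does not match; prefix and suffix string checks are the usual way this goes wrong.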
Non-standard header:
Content-Security-Policy
Helps prevent XSS attacks. For more details, see MDN.
Refresh
Refresh: 10;http://www.example.org/
Redirect to URL after arbitrary delay in seconds
X-Powered-By
X-Powered-By: Brain/0.6b
The server can use it to send its name and version
X-Request-ID
Allows the server to pass a request ID that the client can send back, so the server can correlate requests.
X-UA-Compatible
Sets which version of the Internet Explorer compatibility layer should be used. Only needed when you must support IE8 or IE9. See StackOverflow.
X-XSS-Protection
Now superseded by the Content-Security-Policy header; used in older browsers to stop page loading when an XSS attack is detected.
More web tutorials:
- Introduction to WebSockets
- How HTTP requests work
- List of HTTP request headers
- List of HTTP response headers
- HTTP and HTTPS
- What is RFC?
- HTTP protocol
- HTTPS protocol
- The curl guide for HTTP requests
- HTTP cache
- List of HTTP status codes
- What is CDN?
- HTTP/2 protocol
- What is the port
- DNS, Domain Name System
- TCP protocol
- UDP protocol
- Introduction to REST API
- How to install a local SSL certificate in macOS
- How to generate a local SSL certificate
- How to configure Nginx for HTTPS
- A simple Nginx reverse proxy for serving multiple Node.js applications from subfolders
- What is a reverse proxy?