Every HTTP request consists of a set of mandatory and optional headers. In this blog post, we will provide a comprehensive list of these headers along with their descriptions.
Standard Headers
A-IM
A-IM: feed
This header specifies the acceptable instance manipulations in the response. It is defined in RFC 3229.
Accept
Accept: application/json
The Accept header indicates the acceptable media type or types.
Accept-Charset
Accept-Charset: utf-8
The Accept-Charset header specifies the acceptable character set.
Accept-Encoding
Accept-Encoding: gzip, deflate
This header lists the acceptable encodings for the response.
Accept-Language
Accept-Language: en-US
The Accept-Language header indicates the acceptable languages.
Accept-Datetime
Accept-Datetime: Thu, 31 May 2007 20:35:00 GMT
By using this header, you can request a past version of a resource prior to the provided datetime.
Access-Control-Request-Method
Access-Control-Request-Method: GET
This header is used in a CORS request to specify the requested method.
Access-Control-Request-Headers
Access-Control-Request-Headers: origin, x-requested-with, accept
In a CORS request, the Access-Control-Request-Headers header lists the acceptable request headers.
Authorization
Authorization: Basic 34i3j4iom2323==
The Authorization header contains the HTTP basic authentication credentials.
Cache-Control
Cache-Control: no-cache
This header sets the caching rules for the response.
Connection
Connection: keep-alive
The Connection header allows controlling the options for the current connection. It accepts keep-alive and close. Note that it is deprecated in HTTP/2.
Content-Length
Content-Length: 348
The Content-Length header specifies the length of the request body in bytes.
Content-Type
Content-Type: application/x-www-form-urlencoded
In a POST or PUT request, the Content-Type header indicates the content type of the request body.
Cookie
Cookie: name=value
The Cookie header is used to send cookies along with the request. To learn more about cookies, visit this link.
Date
Date: Tue, 15 Nov 1994 08:12:31 GMT
The Date header indicates the date and time when the request was sent.
Expect
Expect: 100-continue
This header is typically used when sending a large request body. It expects the server to respond with a 100 Continue status if it can handle the request, or a 417 Expectation Failed status if it cannot.
Forwarded
Forwarded: for=192.0.2.60; proto=http; by=203.0.113.43
The Forwarded header discloses original information about a client connecting through an HTTP proxy. It is only used for testing purposes, as it may reveal sensitive information.
From
From: [email protected]
The From header contains the email address of the user making the request. It can be used to indicate a contact email for bots, for example.
Host
Host: flaviocopes.com
The Host header specifies the domain name of the server and the TCP port number on which the server is listening. If the port is omitted, it is assumed to be 80. This header is mandatory in an HTTP request.
If-Match
If-Match: "737060cd8c284d8582d"
By providing one or more ETags, the server will only send the response if the current resource matches one of those ETags. This header is mainly used in PUT methods to update a resource only if it has not been modified since the user last updated it.
If-Modified-Since
If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT
If the content remains unchanged since the specified date, this header allows for a 304 Not Modified response to be returned.
If-None-Match
If-None-Match: "737060cd882f209582d"
The If-None-Match header allows for a 304 Not Modified response to be returned if the content has not changed. It is the opposite of If-Match.
If-Range
If-Range: "737060cd8c9582d"
This header is used for resuming downloads. If the condition specified in the header (ETag or date) is matched, a partial response is returned; otherwise, the full resource is returned. For more information, refer to this link.
If-Unmodified-Since
If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT
The response will be sent only if the entity has not been modified since the specified time.
Max-Forwards
Max-Forwards: 10
The Max-Forwards header limits the number of times the message can be forwarded through proxies or gateways.
Origin
Origin: http://mydomain.com
In an OPTIONS HTTP request to ask the server for Access-Control response headers, the Origin header sends the current domain to perform a CORS request.
Pragma
Pragma: no-cache
This header is used for backwards compatibility with HTTP/1.0 caches.
Proxy-Authorization
Proxy-Authorization: Basic 2323jiojioIJOIOJIJ==
The Proxy-Authorization header contains authorization credentials for connecting to a proxy.
Range
Range: bytes=500-999
By using the Range header, you can request only a specific part of a resource.
Referer
Referer: https://flaviocopes.com
The Referer header specifies the address of the previous web page from which the link to the currently requested page was followed.
TE
TE: trailers, deflate
The TE header allows specifying the encodings that the client can accept. The accepted values are compress, deflate, gzip, and trailers. In HTTP/2, only trailers is supported.
User-Agent
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
The User-Agent header contains a string that identifies the user agent.
Upgrade
Upgrade: h2c, HTTPS/1.3, IRC/6.9, RTA/x11, websocket
The Upgrade header requests the server to upgrade to another protocol. Note that this header is deprecated in HTTP/2.
Via
Via: 1.0 fred, 1.1 example.com (Apache/1.1)
The Via header informs the server of proxies through which the request was sent.
Warning
Warning: 199 Miscellaneous warning
The Warning header provides a general warning about possible problems with the message’s status. It accepts a special range of values (see more).
Non-standard Headers
There are also some widely used non-standard headers, including:
Dnt
DNT: 1
If enabled, the Dnt header asks servers not to track the user.
X-Requested-With
X-Requested-With: XMLHttpRequest
The X-Requested-With header identifies XHR (XMLHttpRequest) requests.
X-CSRF-Token
X-CSRF-Token: <TOKEN>
The X-CSRF-Token header is used to prevent CSRF (Cross-Site Request Forgery) attacks.