Every HTTP request consists of a set of mandatory and optional headers. In this blog post, we will provide a comprehensive list of these headers along with their descriptions.

Standard Headers

A-IM

A-IM: feed

This header specifies the acceptable instance manipulations in the response. It is defined in RFC 3229.

Accept

Accept: application/json

The Accept header indicates the acceptable media type or types.

Accept-Charset

Accept-Charset: utf-8

The Accept-Charset header specifies the acceptable character set.

Accept-Encoding

Accept-Encoding: gzip, deflate

This header lists the acceptable encodings for the response.

Accept-Language

Accept-Language: en-US

The Accept-Language header indicates the acceptable languages.

Accept-Datetime

Accept-Datetime: Thu, 31 May 2007 20:35:00 GMT

By using this header, you can request a past version of a resource prior to the provided datetime.

Access-Control-Request-Method

Access-Control-Request-Method: GET

This header is used in a CORS request to specify the requested method.

Access-Control-Request-Headers

Access-Control-Request-Headers: origin, x-requested-with, accept

In a CORS preflight request, the Access-Control-Request-Headers header lists the request headers that the actual request will use.

Authorization

Authorization: Basic 34i3j4iom2323==

The Authorization header contains the HTTP basic authentication credentials.

Cache-Control

Cache-Control: no-cache

This header sets the caching rules for the response.

Connection

Connection: keep-alive

The Connection header allows controlling the options for the current connection. It accepts keep-alive and close. Note that it is deprecated in HTTP/2.

Content-Length

Content-Length: 348

The Content-Length header specifies the length of the request body in bytes.

Content-Type

Content-Type: application/x-www-form-urlencoded

In a POST or PUT request, the Content-Type header indicates the content type of the request body.

Cookie

Cookie: name=value

The Cookie header is used to send cookies along with the request.

Date

Date: Tue, 15 Nov 1994 08:12:31 GMT

The Date header indicates the date and time when the request was sent.

Expect

Expect: 100-continue

This header is typically used when sending a large request body. It expects the server to respond with a 100 Continue status if it can handle the request, or a 417 Expectation Failed status if it cannot.

Forwarded

Forwarded: for=192.0.2.60; proto=http; by=203.0.113.43

The Forwarded header discloses original information about a client connecting through an HTTP proxy. It is only used for testing purposes, as it may reveal sensitive information.
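Any client can put a Forwarded header on its own request, so a server should believe a for= value only when the hop that reported it is a proxy it trusts. The following is an added example, not code from the original post; the trusted network 203.0.113.0/24 and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: this deployment's reverse proxies live in this network.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def _parse_node(value):
    """Return an ip_address for a for= value, or None for unknown/_obfuscated."""
    value = value.strip().strip('"')
    try:
        if value.startswith("["):            # quoted IPv6: "[2001:db8::1]:4711"
            value = value[1:value.index("]")]
        elif value.count(":") == 1:          # IPv4 with port: 192.0.2.60:8080
            value = value.split(":")[0]
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def forwarded_for(header):
    """List the for= nodes, leftmost (original client) first.
    Simplification: assumes no ',' or ';' inside quoted values."""
    nodes = []
    for element in header.split(","):
        for pair in element.split(";"):
            name, _, value = pair.partition("=")
            if name.strip().lower() == "for":
                nodes.append(_parse_node(value))
    return nodes


def client_address(peer, header):
    """Choose the address to log or rate-limit on."""
    current = ipaddress.ip_address(peer)
    # Walk right to left: a hop is believed only if the hop that
    # reported it is itself a trusted proxy.
    for node in reversed(forwarded_for(header or "")):
        if node is None or not _is_trusted(current):
            break
        current = node
    return str(current)


# The header value shown in the post, for trying the functions.
SAMPLE = "for=192.0.2.60; proto=http; by=203.0.113.43"
```

With the sample header, a connection arriving from 203.0.113.43 resolves to 192.0.2.60, while the same header sent directly from an untrusted address is ignored and the peer address is used.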

From

From: user@example.com

The From header contains the email address of the user making the request. It can be used to indicate a contact email for bots, for example.

Host

Host: flaviocopes.com

The Host header specifies the domain name of the server and the TCP port number on which the server is listening. If the port is omitted, it is assumed to be 80. This header is mandatory in an HTTP request.

If-Match

If-Match: "737060cd8c284d8582d"

When the request provides one or more ETags, the server will only send the response if the current resource matches one of those ETags. This header is mainly used in PUT methods to update a resource only if it has not been modified since the user last updated it.

If-Modified-Since

If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT

If the content remains unchanged since the specified date, this header allows for a 304 Not Modified response to be returned.

If-None-Match

If-None-Match: "737060cd882f209582d"

The If-None-Match header allows for a 304 Not Modified response to be returned if the content has not changed. It is the opposite of If-Match.
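How a server can evaluate If-Match and If-None-Match before touching the resource, as an added example that is not part of the original post. The function names are assumptions; the status codes are 412 Precondition Failed and 304 Not Modified.

```python
def _etags(value):
    """Split a comma-separated list of entity tags."""
    return [t.strip() for t in value.split(",") if t.strip()]


def _opaque(tag):
    """Drop the W/ weak-validator prefix."""
    return tag[2:] if tag.startswith("W/") else tag


def _matches(tags, current, strong):
    if current is None:                  # resource does not exist
        return False
    if "*" in tags:                      # "*" matches any existing resource
        return True
    for tag in tags:
        if strong and (tag.startswith("W/") or current.startswith("W/")):
            continue                     # weak tags never match strongly
        if _opaque(tag) == _opaque(current):
            return True
    return False


def precondition_status(method, headers, current_etag):
    """Status to send instead of processing the request, or None to proceed."""
    h = {k.lower(): v for k, v in headers.items()}
    if "if-match" in h and not _matches(_etags(h["if-match"]), current_etag, True):
        return 412                       # Precondition Failed: refuse the write
    if "if-none-match" in h and _matches(_etags(h["if-none-match"]), current_etag, False):
        return 304 if method in ("GET", "HEAD") else 412
    return None


# ETag value taken from the If-Match example above.
STORED = '"737060cd8c284d8582d"'
```

A PUT carrying `If-Match` with the stored tag proceeds; once the stored tag has changed, the same PUT gets 412, so a stale client cannot overwrite a newer version.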

If-Range

If-Range: "737060cd8c9582d"

This header is used for resuming downloads. If the condition specified in the header (ETag or date) is matched, a partial response is returned; otherwise, the full resource is returned.

If-Unmodified-Since

If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT

The response will be sent only if the entity has not been modified since the specified time.

Max-Forwards

Max-Forwards: 10

The Max-Forwards header limits the number of times the message can be forwarded through proxies or gateways.

Origin

Origin: http://mydomain.com

In an OPTIONS HTTP request that asks the server for its Access-Control response headers, the Origin header carries the current domain so that a CORS request can be performed.
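The three CORS request headers described above (Origin, Access-Control-Request-Method, Access-Control-Request-Headers) are checked together when a server answers a preflight. This is an added example, not code from the original post; the allowlists are a hypothetical policy built from the sample values shown in this post.

```python
# Hypothetical server policy, using the sample values from this post.
ALLOWED_ORIGINS = {"http://mydomain.com"}
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"origin", "x-requested-with", "accept", "content-type"}


def preflight_response(request_headers):
    """Return (status, response_headers) for an OPTIONS preflight request."""
    # Header names are case-insensitive, so normalise them once.
    h = {k.lower(): v.strip() for k, v in request_headers.items()}
    origin = h.get("origin", "")
    method = h.get("access-control-request-method", "")
    wanted = {name.strip().lower()
              for name in h.get("access-control-request-headers", "").split(",")
              if name.strip()}

    # Exact match only: prefix, suffix or substring tests let look-alike
    # origins through, and echoing Origin back unchecked allows every site.
    if origin not in ALLOWED_ORIGINS:
        return 403, {}
    if method not in ALLOWED_METHODS:
        return 403, {}
    if not wanted <= ALLOWED_HEADERS:
        return 403, {}

    return 204, {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(wanted)),
        # Caches must not reuse this answer for a different Origin.
        "Vary": "Origin",
    }


# Constructed preflight using the header values shown in this post.
SAMPLE_PREFLIGHT = {
    "Origin": "http://mydomain.com",
    "Access-Control-Request-Method": "GET",
    "Access-Control-Request-Headers": "origin, x-requested-with, accept",
}
```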

Pragma

Pragma: no-cache

This header is used for backwards compatibility with HTTP/1.0 caches.

Proxy-Authorization

Proxy-Authorization: Basic 2323jiojioIJOIOJIJ==

The Proxy-Authorization header contains authorization credentials for connecting to a proxy.

Range

Range: bytes=500-999

By using the Range header, you can request only a specific part of a resource.

Referer

Referer: https://flaviocopes.com

The Referer header specifies the address of the previous web page from which the link to the currently requested page was followed.

TE

TE: trailers, deflate

The TE header allows specifying the encodings that the client can accept. The accepted values are compress, deflate, gzip, and trailers. In HTTP/2, only trailers is supported.

User-Agent

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

The User-Agent header contains a string that identifies the user agent.

Upgrade

Upgrade: h2c, HTTPS/1.3, IRC/6.9, RTA/x11, websocket

The Upgrade header requests the server to upgrade to another protocol. Note that this header is deprecated in HTTP/2.

Via

Via: 1.0 fred, 1.1 example.com (Apache/1.1)

The Via header informs the server of proxies through which the request was sent.

Warning

Warning: 199 Miscellaneous warning

The Warning header provides a general warning about possible problems with the message’s status. It accepts a special range of values.

Non-standard Headers

There are also some widely used non-standard headers, including:

DNT

DNT: 1

If enabled, the DNT header asks servers not to track the user.

X-Requested-With

X-Requested-With: XMLHttpRequest

The X-Requested-With header identifies XHR (XMLHttpRequest) requests.

X-CSRF-Token

X-CSRF-Token: <TOKEN>

The X-CSRF-Token header is used to prevent CSRF (Cross-Site Request Forgery) attacks.
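One way a server can issue and verify the value carried in X-CSRF-Token, as an added example that is not part of the original post. The HMAC-bound token format, SERVER_KEY and the function names are assumptions; frameworks ship their own schemes.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)       # assumption: per-deployment secret
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # these must never change state
NONCE_HEX_LEN = 32


def _mac(session_id, nonce):
    # Fixed-length nonce first, so the nonce/session boundary is unambiguous.
    msg = f"{nonce}:{session_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Token the page embeds and the client echoes back in X-CSRF-Token."""
    nonce = secrets.token_hex(NONCE_HEX_LEN // 2)
    return f"{nonce}.{_mac(session_id, nonce)}"


def csrf_ok(method, headers, session_id):
    """True when the request may proceed for this session."""
    if method in SAFE_METHODS:
        return True
    lowered = {k.lower(): v for k, v in headers.items()}
    nonce, sep, sent_mac = lowered.get("x-csrf-token", "").partition(".")
    if not sep or len(nonce) != NONCE_HEX_LEN:
        return False
    # Constant-time comparison: no timing hint about how much matched.
    return hmac.compare_digest(sent_mac.encode(),
                               _mac(session_id, nonce).encode())
```

A state-changing request is accepted only when the header carries a token issued for the same session; a missing header, a token from another session or a modified token is rejected.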