HTTP responses include a set of headers that provide additional information about the response. This blog post aims to provide a comprehensive list of these headers and their descriptions.

Standard Headers

Accept-Patch

Specifies the patch document formats supported by the server.

Accept-Ranges

Indicates the range types (e.g., bytes) supported for partial content retrieval.

Age

Shows the age of the object in a cache, in seconds.

Allow

Specifies the valid methods for a resource, used in 405 Method Not Allowed responses.

Alt-Svc

Used in HTTP/2 to indicate alternative network locations or protocols for accessing resources.

Cache-Control

Defines caching directives, such as max-age and no-cache, to control how responses are cached.

Connection

Controls options for the current connection and lists hop-by-hop response fields. Deprecated in HTTP/2.

Content-Disposition

Suggests a filename or triggers a file download dialogue for the resource.

Content-Encoding

Indicates the encoding used for the response data, such as gzip for HTTP compression.

Content-Language

Specifies the natural language of the content intended for the audience.

Content-Length

The size of the response body in bytes.

Content-Location

Provides an alternate location for the response data.

Content-Range

Indicates the range of the partial content within a full body message.

Content-Type

Specifies the MIME type of the response content.

Date

The date and time that the response was sent.

Delta-Base

Specifies the delta-encoding entity tag of the response.

ETag

Provides a unique identifier for a specific version of a resource.

Expires

Indicates the date/time after which the response is considered stale.

IM

Defines instance-manipulations applied to the response.

Last-Modified

Specifies the last modified date of the requested object.

Link

Expresses a typed relationship with another resource.

Location

Used in redirection or to indicate the location of a newly created resource.

Pragma

Contains implementation-specific fields that can affect the request-response chain.

Proxy-Authenticate

Requests authentication to access a proxy.

Public-Key-Pins

Announces the hash of the website's authentic TLS certificate for HTTP Public Key Pinning (HPKP). Now deprecated and no longer honoured by major browsers.

Retry-After

Instructs the client to retry after a specified period of time or date.

Server

Identifies the name of the server.

Set-Cookie

Sets an HTTP cookie with the specified attributes.

Strict-Transport-Security

Specifies an HSTS policy: the browser caches the HTTPS-only policy for the host and applies it to subdomains.

Trailer

Indicates that a set of header fields is present in the trailer of a chunked transfer-coded message.

Transfer-Encoding

Specifies the form of encoding used to safely transfer the entity to the user.

Tk

Provides a tracking status header in response to a Do Not Track (DNT) request.

Upgrade

Requests the client to upgrade to another protocol. Deprecated in HTTP/2.

Vary

Informs downstream proxies how to match future request headers with a cached response.

Via

Includes information about the proxies used in the response.

Warning

Provides a general warning about possible problems with the entity body.

WWW-Authenticate

Indicates the authentication scheme needed to access the requested entity.

CORS Headers

  • Access-Control-Allow-Origin
  • Access-Control-Allow-Credentials
  • Access-Control-Expose-Headers
  • Access-Control-Max-Age
  • Access-Control-Allow-Methods
  • Access-Control-Allow-Headers

Non-standard Headers

Content-Security-Policy

Declares which sources the browser may load scripts, styles and other content from, which helps protect against XSS attacks.

Refresh

Redirects to a URL after a specified delay.

X-Powered-By

Used by servers to send their name and version information.

X-Request-ID

Passes a request ID from the server to the client.

X-UA-Compatible

Specifies the version of Internet Explorer compatibility to use.

X-XSS-Protection

Used by older browsers to stop page loading when a reflected XSS attack is detected; modern browsers ignore it in favour of Content-Security-Policy.
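As an added example that is not part of the original post, the following Python audits a captured set of response headers for the security-relevant entries described above (Strict-Transport-Security, Content-Security-Policy, Set-Cookie, the CORS headers, Public-Key-Pins, Server and X-Powered-By). Both header sets are constructed samples; the pin value is a placeholder.

```python
# Added example (not from the original post): flag weak or missing security
# headers in an HTTP response. Header names are matched case-insensitively.
from typing import Dict, List

# Constructed sample: what a weakly configured server might return.
WEAK_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Public-Key-Pins": 'pin-sha256="<placeholder-pin>"; max-age=5184000',
    "Set-Cookie": "session=abc123; Path=/",
}

# Constructed sample: a hardened response to the same request.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Access-Control-Allow-Origin": "https://app.example",
}


def audit_response_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security (no HSTS policy)")
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    # Server / X-Powered-By values containing digits usually disclose a version.
    for leaky in ("server", "x-powered-by"):
        if leaky in h and any(ch.isdigit() for ch in h[leaky]):
            findings.append(f"{leaky} discloses version: {h[leaky]}")
    # A wildcard origin is only dangerous when credentials are also allowed
    # (browsers reject that combination, but it signals a misconfiguration).
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("CORS: wildcard origin combined with credentials")
    if "public-key-pins" in h:
        findings.append("Public-Key-Pins present (HPKP is deprecated; lock-out risk)")
    cookie = h.get("set-cookie")
    if cookie:
        # Attributes follow the first "name=value" pair, separated by ";".
        attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        for required in ("Secure", "HttpOnly"):
            if required.lower() not in attrs:
                findings.append(f"Set-Cookie lacks {required} attribute")
    return findings
```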