HTTP responses include a set of headers that provide additional information about the response. This blog post aims to provide a comprehensive list of these headers and their descriptions.
Standard Headers
Accept-Patch
Specifies the patch document formats supported by the server.
Accept-Ranges
Indicates the range types (e.g., bytes) supported for partial content retrieval.
Age
Shows the age of the object in a cache, in seconds.
Allow
Specifies the valid methods for a resource, used in 405 Method Not Allowed responses.
Alt-Svc
Used in HTTP/2 to indicate alternative network locations or protocols for accessing resources.
Cache-Control
Defines caching directives, such as max-age and no-cache, to control how responses are cached.
Connection
Controls options for the current connection and lists hop-by-hop response fields. Deprecated in HTTP/2.
Content-Disposition
Suggests a filename or triggers a file download dialogue for the resource.
Content-Encoding
Indicates the encoding used for the response data, such as gzip for HTTP compression.
Content-Language
Specifies the natural language of the content intended for the audience.
Content-Length
The size of the response body in bytes.
Content-Location
Provides an alternate location for the response data.
Content-Range
Indicates the range of the partial content within a full body message.
Content-Type
Specifies the MIME type of the response content.
Date
The date and time that the response was sent.
Delta-Base
Specifies the delta-encoding entity tag of the response.
ETag
Provides a unique identifier for a specific version of a resource.
Expires
Indicates the date/time after which the response is considered stale.
IM
Defines instance-manipulations applied to the response.
Last-Modified
Specifies the last modified date of the requested object.
Link
Expresses a typed relationship with another resource.
Location
Used in redirection or to indicate the location of a newly created resource.
Pragma
Contains implementation-specific fields that can affect the request-response chain.
Proxy-Authenticate
Requests authentication to access a proxy.
Public-Key-Pins
Announces the hash of the website’s authentic TLS certificate for HTTP Public Key Pinning.
Retry-After
Instructs the client to retry after a specified period of time or date.
Server
Identifies the name of the server.
Set-Cookie
Sets an HTTP cookie with the specified attributes.
Strict-Transport-Security
Specifies a HSTS Policy to cache the HTTPS-only policy and apply it to subdomains.
Trailer
Indicates that a set of header fields is present in the trailer of a chunked transfer-coded message.
Transfer-Encoding
Specifies the form of encoding used to safely transfer the entity to the user.
Tk
Provides a tracking status header in response to a Do Not Track (DNT) request.
Upgrade
Requests the client to upgrade to another protocol. Deprecated in HTTP/2.
Vary
Informs downstream proxies how to match future request headers with a cached response.
Via
Includes information about the proxies used in the response.
Warning
Provides a general warning about possible problems with the entity body.
WWW-Authenticate
Indicates the authentication scheme needed to access the requested entity.
CORS Headers
Access-Control-Allow-Origin
Access-Control-Allow-Credentials
Access-Control-Expose-Headers
Access-Control-Max-Age
Access-Control-Allow-Methods
Access-Control-Allow-Headers
Non-standard Headers
Content-Security-Policy
Helps protect against XSS attacks.
Refresh
Redirects to a URL after a specified delay.
X-Powered-By
Used by servers to send their name and version information.
X-Request-ID
Passes a request ID from the server to the client.
X-UA-Compatible
Specifies the version of Internet Explorer compatibility to use.
X-XSS-Protection
Used in older browsers to prevent page loading when an XSS attack is detected.