HTTP Headers
Searchable reference for common HTTP request, response, general, and entity headers — with example values and links to MDN. Free, private, browser-only.
Request
38 entries

| Header | Description | Example |
|---|---|---|
| Accept | Media types that are acceptable for the response. | text/html, application/json;q=0.9 |
| Accept-Charset | Character sets that are acceptable. | utf-8 |
| Accept-Encoding | List of acceptable encodings (gzip, br, deflate). | gzip, deflate, br |
| Accept-Language | List of acceptable human languages for response. | en-US,en;q=0.5 |
| Authorization | Authentication credentials for HTTP authentication. | Bearer eyJhbGciOi... |
| Cookie | An HTTP cookie previously sent by the server with Set-Cookie. | sessionid=abc123; theme=dark |
| DNT | Do Not Track. Indicates the user's tracking preference. | 1 |
| Expect | Expected behaviors that must be supported by the server in order to properly handle this request. | 100-continue |
| Forwarded | Discloses original information of a client connecting to a web server through an HTTP proxy. | for=192.0.2.60;proto=http;by=203.0.113.43 |
| From | The email address of the user making the request. | webmaster@example.com |
| Host | The domain name of the server (and optionally the TCP port number). | developer.mozilla.org |
| If-Match | Make request methods conditional on entity tags. | "bfc13a64729c4290ef5b2c2730249af3" |
| If-Modified-Since | Used to make a method conditional on the resource having been modified since a date. | Wed, 21 Oct 2015 07:28:00 GMT |
| If-None-Match | Performs the request only if no entity tags match. | "bfc13a64729c4290ef5b2c2730249af3" |
| If-Range | If unchanged, send the missing range; otherwise send the entire entity. | "abc123" |
| If-Unmodified-Since | Sends the response only if the resource has not been modified since the specified date. | Wed, 21 Oct 2015 07:28:00 GMT |
| Max-Forwards | Limit the number of times the message can be forwarded by proxies/gateways. | 10 |
| Origin | Indicates the origin (scheme, hostname, port) that caused the request. | https://example.com |
| Proxy-Authorization | Authentication credentials for connecting to a proxy. | Basic YWxhZGRpbjpvcGVuc2VzYW1l |
| Range | Request only part of an entity. Bytes are numbered from 0. | bytes=200-1000, 2000-6576 |
| Referer | The address of the previous web page from which a link to the currently requested page was followed. | https://example.com/page |
| TE | Specifies the transfer encodings the user agent is willing to accept. | trailers, deflate |
| User-Agent | Identifies the user agent (typically a browser) originating the request. | Mozilla/5.0 (Windows NT 10.0; Win64; x64) ... |
| Sec-Fetch-Site | Indicates the relationship between a request initiator's origin and its target's origin. | same-origin |
| Sec-Fetch-Mode | Indicates the request's mode (e.g., navigate, cors, no-cors). | navigate |
| Sec-Fetch-User | Indicates whether a navigation was initiated by user activation. | ?1 |
| Sec-Fetch-Dest | Indicates the request's destination (e.g., document, image, script). | document |
| Sec-CH-UA | User-Agent client hint giving the user agent's brand. | "Chromium";v="120", "Not(A:Brand";v="24" |
| Sec-CH-UA-Mobile | User-Agent client hint indicating whether the user agent is on a mobile device. | ?0 |
| Sec-CH-UA-Platform | User-Agent client hint indicating the platform/OS. | "Windows" |
| Save-Data | Indicates the user prefers reduced data usage. | on |
| Upgrade-Insecure-Requests | Sends a signal to the server expressing the client's preference for an encrypted and authenticated response. | 1 |
| Access-Control-Request-Method | Used in CORS preflight to indicate which HTTP method will be used. | POST |
| Access-Control-Request-Headers | Used in CORS preflight to indicate which headers will be used. | Content-Type, X-Custom-Header |
| X-Requested-With | Non-standard header used to identify Ajax requests. | XMLHttpRequest |
| X-Forwarded-For | De-facto standard for identifying the originating IP through a proxy. | 203.0.113.195, 70.41.3.18 |
| X-Forwarded-Host | De-facto standard for identifying the original host requested by the client. | example.com |
| X-Forwarded-Proto | De-facto standard for identifying the protocol the client used to connect. | https |
Response
40 entries

| Header | Description | Example |
|---|---|---|
| Accept-Ranges | Indicates if the server supports range requests, and what unit can be used. | bytes |
| Age | The time in seconds the object has been in a proxy cache. | 12 |
| Allow | Lists the set of methods supported by a resource. | GET, POST, HEAD |
| Alt-Svc | Used to indicate that an alternative service is available for the resource. | h3=":443"; ma=2592000 |
| Clear-Site-Data | Clears browsing data (cookies, storage, cache) associated with the requesting site. | "cache", "cookies" |
| Content-Disposition | Indicates whether the response should be displayed inline or downloaded. | attachment; filename="report.pdf" |
| Content-Security-Policy | Controls resources the user agent is allowed to load. Helps mitigate XSS. | default-src 'self'; img-src https: |
| Content-Security-Policy-Report-Only | Same as CSP but reports violations without blocking. | default-src 'self'; report-uri /csp |
| Cross-Origin-Embedder-Policy | Prevents a document from loading any cross-origin resources that don't explicitly grant permission. | require-corp |
| Cross-Origin-Opener-Policy | Allows you to ensure a top-level document doesn't share a browsing context group with cross-origin documents. | same-origin |
| Cross-Origin-Resource-Policy | Conveys a desire that the response only be loaded by same-origin/site/cross-origin requests. | same-origin |
| ETag | A version identifier for a specific representation of the resource. | "33a64df551425fcc55e4d42a148795d9f25f89d4" |
| Expires | Date/time after which the response is considered stale. | Wed, 21 Oct 2025 07:28:00 GMT |
| Last-Modified | The last modification date of the resource, used to compare with If-Modified-Since. | Tue, 15 Nov 2024 12:45:26 GMT |
| Link | Provides relationships between the response and other resources, like preloads. | </style.css>; rel=preload; as=style |
| Location | Used in redirection or when a new resource has been created. | /index.html |
| Permissions-Policy | Allows or denies the use of browser features in a document or its frames. | geolocation=(), camera=(self) |
| Proxy-Authenticate | Defines the authentication method that should be used to gain access to a resource behind a proxy. | Basic realm="Access to internal site" |
| Referrer-Policy | Controls how much referrer information should be included with requests. | no-referrer-when-downgrade |
| Retry-After | Indicates how long to wait before making a follow-up request. | 120 |
| Server | Information about the software used by the origin server. | nginx/1.27.1 |
| Server-Timing | Communicates one or more metrics and descriptions for the given request-response cycle. | db;dur=53, app;dur=47.2 |
| Set-Cookie | Sends cookies from the server to the user agent. | sessionid=abc123; HttpOnly; Secure; SameSite=Lax |
| SourceMap | Links generated code to a source map. | /scripts/app.js.map |
| Strict-Transport-Security | Forces communication over HTTPS instead of HTTP (HSTS). | max-age=63072000; includeSubDomains; preload |
| Timing-Allow-Origin | Specifies origins that are allowed to see values of attributes retrieved via the Resource Timing API. | * |
| Vary | Determines how to match request headers to decide whether a cached response can be reused. | Accept-Encoding, User-Agent |
| WWW-Authenticate | Defines the authentication method that should be used to gain access to a resource. | Basic realm="Access to the staging site" |
| X-Content-Type-Options | Disables MIME-sniffing and forces the browser to use the type given in Content-Type. | nosniff |
| X-DNS-Prefetch-Control | Controls DNS prefetching, allowing browsers to proactively perform domain name resolution. | on |
| X-Frame-Options | Indicates whether a browser should be allowed to render a page in a `<frame>`, `<iframe>`, etc. | DENY |
| X-XSS-Protection | Legacy header that enabled cross-site scripting filtering. Deprecated. | 0 |
| X-Powered-By | Specifies the technology supporting the web application. Often removed for security. | PHP/8.3.0 |
| X-Robots-Tag | Controls how search engines crawl and index the page or asset. | noindex, nofollow |
| Access-Control-Allow-Origin | Indicates whether the response can be shared with requesting code from the given origin. | * |
| Access-Control-Allow-Credentials | Tells browsers whether to expose the response when the credentials flag is true. | true |
| Access-Control-Allow-Headers | Sent in response to a preflight request to list the headers that can be used in the actual request. | Content-Type, Authorization |
| Access-Control-Allow-Methods | Specifies the methods allowed when accessing the resource in CORS. | GET, POST, OPTIONS |
| Access-Control-Expose-Headers | Lists headers that browsers are allowed to expose to scripts. | Content-Length, X-Custom-Header |
| Access-Control-Max-Age | Indicates how long the results of a preflight request can be cached. | 86400 |
General
10 entries

| Header | Description | Example |
|---|---|---|
| Cache-Control | Directives for caching mechanisms in both requests and responses. | no-cache, max-age=3600 |
| Connection | Controls whether the network connection stays open after the current transaction finishes. | keep-alive |
| Date | The date and time at which the message was originated. | Tue, 15 Nov 2024 08:12:31 GMT |
| Keep-Alive | Allows the sender to hint about how the connection may be used. | timeout=5, max=1000 |
| Pragma | Implementation-specific header that may have various effects along the request-response chain. Mostly superseded by Cache-Control. | no-cache |
| Trailer | Lists the set of header fields present in the trailer of a message encoded with chunked transfer coding. | Expires |
| Transfer-Encoding | The form of encoding used to safely transfer the entity to the user. | chunked |
| Upgrade | Allows the client to specify additional protocols that it supports and would like to use. | websocket |
| Via | Added by proxies, both forward and reverse, to track message forwards. | 1.1 vegur |
| Warning | General warning information about possible problems. | 199 Miscellaneous warning |
Entity
9 entries

| Header | Description | Example |
|---|---|---|
| Content-Encoding | Indicates the encoding (typically compression) applied to the body. The encodings the client accepts are listed in Accept-Encoding. | gzip |
| Content-Language | Describes the human language(s) intended for the audience. | en-US |
| Content-Length | The size of the resource, in decimal number of bytes. | 3495 |
| Content-Location | Indicates an alternate location for the returned data. | /documents/foo.html |
| Content-MD5 | A Base64-encoded binary MD5 sum of the content of the response (legacy). | Q2hlY2sgSW50ZWdyaXR5IQ== |
| Content-Range | Indicates where in a full body message a partial message belongs. | bytes 200-1000/67589 |
| Content-Type | Indicates the media type of the resource. | application/json; charset=utf-8 |
| Digest | Provides a digest of the requested resource. | sha-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE= |
| Want-Digest | Used by clients to indicate the digest algorithms they support. | sha-256;q=1, sha-512;q=0.5 |
Header types
- Request. Sent by the client to indicate request context (auth, caching, content negotiation).
- Response. Sent by the server with information about the response or the server itself.
- General. Apply to both request and response messages, but not to the message body.
- Entity. Describe the body (representation) of a request or response (length, type, encoding).