Searchable reference of common HTTP request and response headers and what they do.
Caching directives for clients and intermediaries
Media type (MIME type) of the request or response body
Controls whether the network connection stays open after the transaction
Date and time at which the message was originated
Legacy header for backwards-compatible cache control directives
Lists protocols the sender wishes to switch to — e.g. websocket
Tracks intermediate proxies and gateways the message passed through
Media types the client can process — e.g. application/json
Compression algorithms the client supports — e.g. gzip, br
Preferred natural languages for the response
Credentials for authenticating the client — e.g. Bearer token
Stored cookies sent back to the server
Domain name and port of the server being requested
Conditional request — only return body if changed since date
Conditional request — compares ETag to skip unchanged resources
Origin of the request, used for CORS checks
Address of the previous page that linked to the requested resource
Identifies the client application, OS and version
Identifies AJAX requests — commonly XMLHttpRequest
Originating IP address of a client through a proxy/load balancer
CORS — which origins may access the resource
CORS — which HTTP methods are permitted
CORS — which request headers are permitted
Time in seconds the response has been cached
Indicates if content should be displayed inline or downloaded as a file
Compression algorithm applied to the response body
Size of the response body in bytes
Restricts sources for scripts, styles, images etc. to prevent XSS
Unique identifier for a specific version of a resource
Date/time after which the response is considered stale
Date/time the resource was last changed
URL to redirect to — used with 3xx status codes
Controls how much referrer information is sent with requests
How long to wait before making a follow-up request
Sends a cookie from the server to be stored by the client
Forces browsers to use HTTPS for future requests (HSTS)
Encoding used to safely transfer the body — e.g. chunked
Indicates which request headers affect the cached response
Indicates the authentication scheme required to access the resource
Prevents MIME-type sniffing — typically set to nosniff
Controls whether the page can be embedded in a frame/iframe
Reveals the technology powering the server (often removed for security)
Legacy header that enabled browsers' built-in XSS filters