HTTP Headers Reference
A complete reference for HTTP request and response headers — what they do, how to use them, and when they matter.
Lists the compression algorithms the client supports — so the server knows which encoding to use on the response body.
Lists the client's preferred natural languages for the response — the client's half of HTTP language negotiation.
Tells the client whether the server supports range requests for this resource.
Tells the server which content types the client can handle — the client's half of HTTP content negotiation.
The number of seconds a cached response has been held in caches since it was obtained from the origin; subtracting it from max-age tells you how much freshness remains.
Lists the HTTP methods the server supports for the requested resource — always sent with 405 Method Not Allowed.
Advertises alternative services for the origin — the mechanism servers use to announce HTTP/3 (QUIC) support and tell clients to upgrade.
Identifies which alternative service the client is currently using — sent by clients after connecting via an Alt-Svc advertisement.
Sent by the server after successful authentication to provide mutual auth confirmation and updated credentials — primarily used with Digest auth.
Carries the client's credentials to authenticate with the server — the most fundamental header in HTTP authentication.
The primary mechanism for controlling how and for how long responses are cached by browsers, CDNs, and proxies.
Tells the client exactly what each cache in the chain did with the request — hit, miss, stale, expired, or bypassed.
Like Cache-Control but targets only CDN caches — lets you set different TTLs for CDNs vs browsers from a single response.
Detects infinite request loops between CDN nodes — each CDN appends its identifier so loops are caught before they spiral.
Headers that make HTTP requests conditional — only proceed if the resource has (or hasn't) changed since you last saw it.
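The validators behind these headers are ETag (matched by If-None-Match) and Last-Modified (matched by If-Modified-Since). The following added example, which is not code from this reference, shows a server-side evaluation of a conditional GET: the weak entity-tag comparison that If-None-Match requires, the `*` wildcard, the rule that If-Modified-Since is ignored when If-None-Match is present, and the defensive handling of an unparseable date. The resource state (`SAMPLE_ETAG`, `SAMPLE_LAST_MODIFIED`) is constructed for illustration.

```python
from __future__ import annotations

from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed resource state for the example.
SAMPLE_ETAG = '"v2"'
SAMPLE_LAST_MODIFIED = datetime(2024, 1, 1, tzinfo=timezone.utc)


def _parse_etag(value: str) -> tuple[bool, str]:
    """Split an entity-tag into (is_weak, opaque_tag): 'W/"abc"' -> (True, 'abc')."""
    value = value.strip()
    weak = value.startswith("W/")
    if weak:
        value = value[2:]
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return weak, value


def etag_matches(if_none_match: str, current_etag: str) -> bool:
    """Weak comparison, as If-None-Match requires: the W/ prefix is ignored on
    both sides, and '*' matches any current representation."""
    if if_none_match.strip() == "*":
        return True
    _, current = _parse_etag(current_etag)
    return any(
        _parse_etag(candidate)[1] == current
        for candidate in if_none_match.split(",")
        if candidate.strip()
    )


def evaluate_conditional_get(request_headers: dict, etag: str, last_modified: datetime) -> int:
    """Return 304 when the client's cached copy is still current, else 200.
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in request_headers.items()}
    if "if-none-match" in h:
        # RFC 9110: when If-None-Match is present, If-Modified-Since is ignored.
        return 304 if etag_matches(h["if-none-match"], etag) else 200
    if "if-modified-since" in h:
        try:
            since = parsedate_to_datetime(h["if-modified-since"])
        except (TypeError, ValueError):
            return 200  # unparseable date: treat the precondition as absent
        if since.tzinfo is None:
            since = since.replace(tzinfo=timezone.utc)
        if last_modified <= since:
            return 304
    return 200
```

A 304 must carry the same ETag, Cache-Control and Vary the full response would have, so the cache can refresh its stored copy's metadata; the status code alone is not enough.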
Controls whether the TCP connection stays open after the current request — and lists hop-by-hop headers to strip before forwarding.
Controls whether the browser displays the response inline or downloads it as a file, and sets the suggested filename.
Describes the compression or transformation applied to the message body, so the recipient knows how to decode it.
Describes the natural language(s) of the intended audience for the message body.
The size of the message body in bytes, so the recipient knows exactly how much data to read. If Transfer-Encoding is also present, Content-Length must be ignored or the message rejected; front ends and back ends that disagree on which header wins are the root of HTTP request smuggling.
Indicates the specific URL for the content being returned — useful when the request URL and the canonical content URL differ.
Indicates where a partial response body fits within the full content — sent alongside 206 Partial Content responses.
Tests a Content Security Policy without enforcing it — violations are reported but resources are still loaded.
Tells the browser exactly which sources are allowed to load scripts, styles, images, and other resources. A strong defence-in-depth layer against XSS, though it complements rather than replaces output encoding.
Tells the recipient what media type the message body is, and how it's encoded — so it knows how to parse it.
Sends stored cookies back to the server — the client's half of the cookie mechanism, paired with Set-Cookie.
The 9 headers that make Cross-Origin Resource Sharing work — controlling which origins, methods, and headers are allowed across origins.
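Three of the nine are sent by the browser (Origin, Access-Control-Request-Method, Access-Control-Request-Headers) and six are the server's answer. The following added example, which is not code from this reference, shows a server-side CORS policy that answers both a preflight and an actual request; the origin allowlist, method list and header list are constructed for illustration. The point it makes is the one that gets reflected-Origin implementations into trouble: once Access-Control-Allow-Credentials is true, the allowed origin must be an exact allowlist match, never `*` and never an echo of whatever Origin arrived.

```python
from __future__ import annotations

# Constructed policy for the example: the only origins allowed to call this API.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "DELETE"}
ALLOWED_REQUEST_HEADERS = {"content-type", "authorization", "x-request-id"}
EXPOSED_RESPONSE_HEADERS = "X-Request-Id"
PREFLIGHT_MAX_AGE = "600"  # seconds a browser may cache the preflight verdict


def _csv(value: str) -> set[str]:
    """Split a comma-separated header value into a lower-cased set of tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def handle_cors(method: str, request_headers: dict) -> tuple[int, dict]:
    """Decide the CORS response for one request.

    Returns (status, headers to add). 204 with Access-Control-* headers answers
    a preflight; 200 with allow headers accompanies the real response; 403 means
    the request is refused at the CORS layer.
    """
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    if origin is None:
        # Same-origin navigations and non-browser clients carry no Origin;
        # there is nothing to negotiate.
        return 200, {}
    if origin not in ALLOWED_ORIGINS:
        # Never reflect an unknown Origin (including the literal "null"):
        # reflection plus Allow-Credentials: true hands any site the
        # victim's authenticated responses.
        return 403, {"Vary": "Origin"}

    out = {
        "Access-Control-Allow-Origin": origin,   # exact match, never "*" alongside credentials
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                        # shared caches must key on Origin
    }

    if method.upper() == "OPTIONS" and "access-control-request-method" in h:
        # Preflight: the browser asks permission before a non-simple request.
        wanted_method = h["access-control-request-method"].strip().upper()
        wanted_headers = _csv(h.get("access-control-request-headers", ""))
        if wanted_method not in ALLOWED_METHODS or not wanted_headers <= ALLOWED_REQUEST_HEADERS:
            return 403, {"Vary": "Origin"}
        out.update({
            "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
            "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_REQUEST_HEADERS)),
            "Access-Control-Max-Age": PREFLIGHT_MAX_AGE,
        })
        return 204, out

    # Actual request: name the non-safelisted response headers scripts may read.
    out["Access-Control-Expose-Headers"] = EXPOSED_RESPONSE_HEADERS
    return 200, out
```

Vary: Origin matters as much as the allowlist: without it a shared cache can serve a response stamped with one origin's Access-Control-Allow-Origin to a request from another, and the browser will reject it.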
Requires all cross-origin resources loaded by this page to explicitly opt in — needed alongside COOP to enable SharedArrayBuffer.
Isolates your browsing context from cross-origin popups and windows — required to enable SharedArrayBuffer and high-resolution timers.
Restricts which origins can load this resource — a defence against cross-origin information leaks and Spectre-style attacks.
The date and time the message was generated — used for caching calculations and request timing.
A unique identifier for a specific version of a resource — used for cache validation and optimistic concurrency control.
Lets a client ask the server to check conditions before the client sends a large request body — avoiding wasted bandwidth on rejected requests.
An HTTP/1.0 header that sets an absolute expiry date for a cached response. Superseded by Cache-Control but still widely sent.
The standardised header for passing client IP and protocol info through proxies — the RFC 7239 replacement for X-Forwarded-For.
Contains the email address of the human user controlling the requesting agent — intended for automated bots to identify themselves.
Specifies which host and port the client wants to reach — the only mandatory HTTP/1.1 request header.
The date and time the server last changed the resource — used for cache validation and conditional requests.
The HTTP equivalent of the HTML <link> element — declares relationships between resources, powers preload/prefetch hints, and enables API pagination.
Points the client to a different URL — used for redirects and to identify newly created resources.
Limits how many times a request can be forwarded through proxies. Defined only for TRACE and OPTIONS; intermediaries may ignore it on other methods.
Network Error Logging — instructs browsers to report network-level failures like DNS errors, TCP failures, and TLS issues to a reporting endpoint.
Signals the relative priority of a request to servers and intermediaries — part of the Extensible Prioritization Scheme for HTTP.
Tells the client what authentication is needed to access a resource through a proxy — the proxy equivalent of WWW-Authenticate.
Sent by a proxy after successful authentication to provide mutual auth confirmation — the proxy equivalent of Authentication-Info.
Carries credentials to authenticate with an intermediate proxy — the client's response to a 407 Proxy Authentication Required challenge.
Provides structured information about what an intermediary proxy did with a request — errors, forwarding decisions, and why things failed.
Requests a specific portion of a resource by byte range — enabling resumable downloads and video seeking.
The URL of the page that linked to the current request. Useful for analytics and logging, but it is client-supplied and trivially spoofed or suppressed, so it is not a sound basis for access control.
Controls how much URL information is sent in the Referer header on navigations and subresource requests (images, scripts, fetches) that originate from your pages, not only when users leave your site.
Tells the client how long to wait before making another request — used with 429, 503, and 3xx responses.
Four browser-set headers that tell servers exactly where a request is coming from and why — enabling server-side isolation policies.
Communicates server-side timing metrics for a request — how long the database took, cache lookup, rendering, and more.
Identifies the software the origin server used to handle the request — and a common target for security hardening.
Creates or updates a cookie in the browser — the server's mechanism for persisting state across HTTP requests.
Tells browsers to only ever connect to this site over HTTPS, and to remember that for a specified duration. Browsers ignore the header when it arrives over plain HTTP, so the first visit must already be secure (or the host preloaded).
Carries distributed tracing context across service boundaries — the W3C standard for propagating trace IDs in microservices.
Carries vendor-specific distributed tracing metadata alongside Traceparent — allows multiple tracing systems to coexist on the same request.
Declares which header fields will appear in the trailer section at the end of a chunked message.
Specifies how the message body is encoded for transfer. The most important value is chunked, which allows streaming responses without a known Content-Length; a message carrying both Transfer-Encoding and Content-Length is malformed and should be rejected rather than disambiguated by guesswork.
Asks the server to switch to a different protocol on the same connection. The mechanism behind WebSocket connections in HTTP/1.1; HTTP/2 and HTTP/3 drop the Upgrade header and bootstrap WebSockets with the extended CONNECT method instead.
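The framing rules for Content-Length and Transfer-Encoding are where request smuggling lives: two parsers in a chain that disagree about where one request ends and the next begins. The following added example, which is not code from this reference, is a deliberately strict HTTP/1.1 framing parser: it decodes chunked bodies (with extensions and trailers), reports the leftover bytes that belong to the next pipelined request, and refuses every ambiguous message (both headers present, duplicate or non-numeric Content-Length, whitespace before the colon, obsolete line folding, a non-hex chunk size, any transfer coding other than a lone chunked). The sample requests are constructed for illustration; accepting only `chunked` on its own is a simplification of this example, not a requirement of the protocol.

```python
from __future__ import annotations

import re

_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 9110 token characters
_CHUNK_SIZE = re.compile(rb"[0-9A-Fa-f]{1,8}")          # hex digits only: no sign, space or underscore
_DIGITS = re.compile(r"[0-9]+")

# Constructed messages for the example.
CHUNKED_REQUEST = (
    b"POST /upload HTTP/1.1\r\nHost: api.example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\nX-Checksum: abc\r\n\r\n"
)
PIPELINED_REQUESTS = (
    b"POST /a HTTP/1.1\r\nHost: api.example.test\r\nContent-Length: 5\r\n\r\n"
    b"helloGET /b HTTP/1.1\r\nHost: api.example.test\r\n\r\n"
)
CL_TE_PROBE = (
    b"POST / HTTP/1.1\r\nHost: api.example.test\r\nContent-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG"
)
SPACE_BEFORE_COLON = b"GET / HTTP/1.1\r\nHost: api.example.test\r\nTransfer-Encoding : chunked\r\n\r\n"
DUPLICATE_CL = b"POST / HTTP/1.1\r\nHost: api.example.test\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello!"


def decode_chunked(data: bytes) -> tuple[bytes, int]:
    """Decode a chunked body; return (body, bytes consumed including trailers)."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = data[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not _CHUNK_SIZE.fullmatch(size_field):
            raise ValueError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # Trailer section: header lines until an empty line ends the message.
            while True:
                eol = data.find(b"\r\n", pos)
                if eol < 0:
                    raise ValueError("truncated trailer section")
                empty = eol == pos
                pos = eol + 2
                if empty:
                    return bytes(out), pos
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        out += data[pos:pos + size]
        pos += size + 2


def parse_http1_message(raw: bytes) -> dict:
    """Parse one HTTP/1.1 request with strict framing; any ambiguity raises ValueError."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header section")
    lines = head.split(b"\r\n")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding rejected")
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.fullmatch(name):
            # Catches 'Transfer-Encoding : chunked', which a lax front end may
            # honour as TE while a strict back end treats it as an unknown header.
            raise ValueError(f"malformed header line {line!r}")
        headers.append((name.decode("ascii").lower(), value.strip().decode("latin-1")))

    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        raise ValueError("Transfer-Encoding and Content-Length both present")
    if te:
        codings = [c.strip().lower() for c in ",".join(te).split(",") if c.strip()]
        if codings != ["chunked"]:  # simplification: only a lone 'chunked' is accepted here
            raise ValueError(f"unsupported transfer coding list {codings}")
        body, used = decode_chunked(rest)
    elif cl:
        if len(set(cl)) != 1 or not _DIGITS.fullmatch(cl[0]):
            raise ValueError("conflicting or non-numeric Content-Length")
        used = int(cl[0])
        if len(rest) < used:
            raise ValueError("body shorter than Content-Length")
        body = rest[:used]
    else:
        body, used = b"", 0
    return {"start_line": lines[0].decode("ascii"), "headers": headers,
            "body": body, "remaining": rest[used:]}


def is_rejected(raw: bytes) -> bool:
    """True when the strict parser refuses the message."""
    try:
        parse_http1_message(raw)
    except ValueError:
        return True
    return False
```

`CL_TE_PROBE` is the classic shape of a smuggling probe: a front end that trusts Content-Length forwards six bytes (`0\r\n\r\nG`), while a back end that trusts Transfer-Encoding ends the request at the zero chunk and leaves the `G` as the start of the next request. A parser that refuses the message outright leaves nothing for the two interpretations to disagree about.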
Identifies the client software making the request — browser, bot, or API client.
Tells caches which request headers affect the response — so they store separate cached versions per unique combination.
Tracks the intermediate proxies and gateways a message passed through — a breadcrumb trail of the request's journey.
The 5 headers that negotiate a WebSocket connection — turning an HTTP/1.1 connection into a persistent full-duplex WebSocket channel.
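The handshake's one computed value is Sec-WebSocket-Accept: base64 of the SHA-1 of the client's Sec-WebSocket-Key concatenated with a fixed GUID. The following added example, which is not code from this reference, implements both halves of the opening handshake and the server-side checks that go with it: the Upgrade/Connection pair, the version, a well-formed 16-byte key, and the Origin check. The allowed-origin set is constructed for illustration. The accept value only proves the peer speaks WebSocket; it does nothing to bind the socket to a site, which is why the Origin check is what stands between you and cross-site WebSocket hijacking.

```python
from __future__ import annotations

import base64
import hashlib
import os

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed GUID from RFC 6455
# Constructed policy for the example: origins allowed to open sockets to this server.
ALLOWED_WS_ORIGINS = {"https://app.example.com"}


def make_client_key() -> str:
    """Client side: 16 random bytes, base64-encoded, sent as Sec-WebSocket-Key."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def accept_value(client_key: str) -> str:
    """Server side: base64(SHA-1(key + GUID)), returned as Sec-WebSocket-Accept.
    This proves the peer understood the WebSocket handshake rather than echoing
    an arbitrary HTTP response; it is not authentication."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def _tokens(value: str) -> set[str]:
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def validate_upgrade_request(request_headers: dict, allowed_origins: set[str] | None = None) -> tuple[int, dict]:
    """Check a client's opening handshake; return (status, response headers)."""
    allowed = ALLOWED_WS_ORIGINS if allowed_origins is None else allowed_origins
    h = {k.lower(): v.strip() for k, v in request_headers.items()}

    if h.get("upgrade", "").lower() != "websocket" or "upgrade" not in _tokens(h.get("connection", "")):
        return 400, {}
    if h.get("sec-websocket-version") != "13":
        # Wrong or missing version: tell the client which one this server speaks.
        return 426, {"Sec-WebSocket-Version": "13"}
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            return 400, {}
    except ValueError:  # binascii.Error is a ValueError subclass
        return 400, {}
    # Browsers always send Origin on the handshake and attach the site's cookies.
    # Rejecting foreign origins is what stops cross-site WebSocket hijacking;
    # a missing Origin means a non-browser client and is allowed through here.
    if "origin" in h and h["origin"] not in allowed:
        return 403, {}
    return 101, {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": accept_value(key),
    }


def client_checks_accept(client_key: str, response_headers: dict) -> bool:
    """Client side: refuse the connection unless the accept value matches the key sent."""
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    return h.get("sec-websocket-accept") == accept_value(client_key)
```

The key and accept pair are the RFC 6455 worked example (`dGhlIHNhbXBsZSBub25jZQ==` yields `s3pPLMBiTxaQ9kYGzzhZRbK+xOo=`), which makes a convenient regression check for any handshake implementation.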
Tells the client what authentication scheme is required to access the resource — sent on 401 responses.
Stops browsers from guessing the content type and forces them to use what the server declared — preventing MIME sniffing attacks.
Controls whether the browser can render this page inside an iframe, preventing clickjacking attacks. Superseded by the CSP frame-ancestors directive, which browsers honour in preference to X-Frame-Options when both are present.