HTTP Headers
Browse common HTTP headers with explanations, syntax examples, use cases, and related headers used in web APIs and browsers.
Accept
Indicates which media types the client can understand in the response.
Accept-Encoding
Indicates which content encodings the client can understand.
Accept-Language
Indicates which natural languages the client prefers in the response.
Accept-Ranges
Indicates that the server supports range requests for the resource.
Access-Control-Allow-Credentials
Indicates whether credentials such as cookies or authorization headers can be included in cross-origin requests.
Access-Control-Allow-Headers
Specifies which request headers can be used in a cross-origin request.
Access-Control-Allow-Methods
Specifies which HTTP methods are allowed when accessing the resource cross-origin.
Access-Control-Allow-Origin
Specifies which origin is allowed to access the resource in cross-origin requests.
Access-Control-Expose-Headers
Specifies which response headers are safe to expose to frontend JavaScript in cross-origin responses.
Access-Control-Max-Age
Specifies how long the result of a CORS preflight request can be cached.
Access-Control-Request-Headers
Lists which request headers will be used in the actual cross-origin request during a preflight request.
Access-Control-Request-Method
Indicates which HTTP method will be used in the actual cross-origin request during a preflight request.
Age
Indicates the number of seconds a cached response has been stored in a proxy cache.
Alt-Svc
Advertises alternative services that can serve the same resource, typically over a different protocol or port.
Authorization
Carries authentication credentials for accessing a protected resource.
Cache-Control
Defines caching rules for browsers, CDNs, and other intermediaries.
Clear-Site-Data
Instructs the browser to clear stored data associated with a website.
Connection
Controls whether the network connection stays open after the current transaction.
Content-Disposition
Specifies whether content should be displayed inline or downloaded as an attachment.
Content-Encoding
Indicates what additional encoding has been applied to the response body.
Content-Length
Specifies the size of the message body in bytes.
Content-Range
Describes which part of the resource is included in the response body.
Content-Security-Policy
Controls which sources of content are allowed to load in the browser.
Content-Type
Specifies the media type of the resource being sent to the client or server.
Cookie
Sends previously stored cookies from the client to the server.
Cross-Origin-Embedder-Policy
Controls whether a document is allowed to load cross-origin resources that are not explicitly permitted.
Cross-Origin-Opener-Policy
Controls whether a top-level document can share its browsing context group with cross-origin documents.
Cross-Origin-Resource-Policy
Tells browsers which origins are allowed to load a given resource.
Date
Contains the date and time at which the message was originated.
DNT
Expresses the user's tracking preference.
ETag
Provides a unique identifier for a specific version of a resource.
Expect
Indicates that the client expects the server to acknowledge a condition before sending the request body.
Expires
Specifies a date/time after which the response is considered stale.
Forwarded
Exposes original client connection information that is altered or lost when a proxy is involved.
Host
Specifies the domain name of the server and optional port number.
If-Match
Makes the request conditional on the resource matching the given ETag value.
If-Modified-Since
Makes the request conditional on the resource being modified after the given date.
If-None-Match
Makes the request conditional based on an ETag value.
Last-Modified
Indicates the date and time at which the origin server believes the resource was last modified.
Link
Associates the current resource with related resources or metadata.
Location
Indicates the URL to redirect to or the URL of a newly created resource.
Max-Forwards
Limits the number of times a request can be forwarded by proxies or gateways.
Network Error Logging
Defines a policy for reporting network errors observed by the browser.
Origin
Indicates the origin that initiated the request, mainly used in CORS and security contexts.
Permissions-Policy
Controls which browser features can be used in the current document or its embedded frames.
Priority
Allows clients to signal the relative priority of an HTTP request.
Range
Requests only part of a resource rather than the entire body.
Referer
Indicates the address of the previous web page from which the current request originated.
Referrer-Policy
Controls how much referrer information should be sent with requests.
Retry-After
Tells the client how long to wait before making a follow-up request.
Server
Identifies the software handling the request on the server side.
Set-Cookie
Instructs the client to store a cookie.
Strict-Transport-Security
Instructs browsers to only access the site over HTTPS for a specified period.
TE
Specifies the transfer encodings the client is willing to accept in the response.
Trailer
Lists the header fields that will be present in the trailer of a chunked transfer-encoded message.
Transfer-Encoding
Specifies the form of encoding used to safely transfer the message body.
Upgrade-Insecure-Requests
Signals that the client prefers an encrypted and authenticated response.
User-Agent
Identifies the client software making the request.
Vary
Indicates which request headers influence the selected response representation.
Via
Tracks the intermediate proxies and gateways that forwarded a request or response.
WWW-Authenticate
Defines the authentication method that should be used to access a protected resource.
X-Content-Type-Options
Tells browsers not to MIME-sniff a response away from the declared Content-Type.
X-Forwarded-For
Carries the original client IP address when requests pass through proxies or load balancers.
X-Forwarded-Host
Indicates the original Host requested by the client before proxy forwarding.
X-Forwarded-Proto
Indicates the original protocol used by the client before the request passed through a proxy.
X-Frame-Options
Controls whether the page can be embedded inside a frame, iframe, embed, or object.
X-Powered-By
Indicates the server-side technology or framework powering the application.
X-Request-Id
Carries a unique identifier for a request so it can be traced across systems.