HTTP Headers Reference

Media types the client can process (e.g. application/json, text/html).

Content encodings the client supports (gzip, deflate, br).

Preferred natural languages for the response.

Credentials for HTTP authentication.

Directives for caching mechanisms in both requests and responses.

Control options for the current connection.

Size of the request/response body in bytes.

Media type of the request/response body.

HTTP cookies previously sent by the server.

Domain name and port of the server. Required in HTTP/1.1.

Makes the request conditional; returns 304 if not modified.

Makes request conditional using ETags.

The origin that initiated the request (for CORS).

Address of the previous web page that linked to the current page.

Application, OS, vendor, and version of the requesting client.

Indicates whether the response can be shared with code from the given origin.

HTTP methods allowed when accessing the resource for CORS.

Headers that can be used during the actual CORS request.

Encoding applied to the response body (gzip, br, etc.).

Controls resources the user agent is allowed to load.

Identifier for a specific version of a resource (for caching).

Date/time after which the response is considered stale.

Date/time when the resource was last modified.

URL to redirect to for 3xx responses or the URL of the newly created resource.

How long to wait before making another request (rate limiting/503).

Send a cookie from the server to the user agent.

Force HTTPS for all future connections (HSTS).

Form of encoding used to safely transfer the payload body.

Determines which request headers to use for cache key.

Authentication method to access the resource (sent with 401).

Prevent MIME type sniffing.

Indicate whether the response can be framed (clickjacking protection).

Enable XSS filtering in older browsers (deprecated, use CSP instead).