HTTP Header Fields

Requests

Accept

Content types that are acceptable for the response

Accept: text/plain

Status: Permanent

Accept-Charset

Character sets that are acceptable

Accept-Charset: utf-8

Status: Permanent

Accept-Encoding

List of acceptable encodings

Accept-Encoding: gzip, deflate

Status: Permanent

Accept-Language

List of acceptable human languages for response

Accept-Language: en-US

Status: Permanent

Authorization

Authentication credentials for HTTP authentication

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Status: Permanent

Cache-Control

Used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain

Cache-Control: no-cache

Status: Permanent

Connection

What type of connection the user-agent would prefer

Connection: keep-alive

Status: Permanent

Content-Length

The length of the request body in octets (8-bit bytes)

Content-Length: 348

Status: Permanent

Content-MD5

A Base64-encoded binary MD5 sum of the content of the request body

Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==

Status: Permanent

Content-Type

The MIME type of the body of the request (used with POST and PUT requests)

Content-Type: application/json

Status: Permanent

Date

The date and time that the message was sent (in HTTP-date format as defined by RFC 2616)

Date: Tue, 15 Nov 1994 08:12:31 GMT

Status: Permanent

Expect

Indicates that particular server behaviors are required by the client

Expect: 100-continue

Status: Permanent

From

The email address of the user making the request

From: user@example.com

Status: Permanent

Host

The domain name of the server (for virtual hosting), and the TCP port number on which the server is listening. The port number may be omitted if the port is the standard port for the service requested. Mandatory since HTTP/1.1. Although domain names are specified as case-insensitive, it is not specified whether the contents of the Host field should be interpreted in a case-insensitive manner, and in practice some implementations of virtual hosting interpret the contents of the Host field in a case-sensitive manner

Host: en.wikipedia.org

Status: Permanent

If-Match

Only perform the action if the client-supplied entity matches the same entity on the server. This is mainly for methods like PUT, to update a resource only if it has not been modified since the user last updated it

If-Match: "737060cd8c284d8af7ad3082f209582d"

Status: Permanent

If-Modified-Since

Allows a 304 Not Modified to be returned if content is unchanged

If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT

Status: Permanent

If-None-Match

Allows a 304 Not Modified to be returned if content is unchanged

If-None-Match: "737060cd8c284d8af7ad3082f209582d"

Status: Permanent

If-Range

If the entity is unchanged, send me the part(s) that I am missing; otherwise, send me the entire new entity

If-Range: "737060cd8c284d8af7ad3082f209582d"

Status: Permanent

If-Unmodified-Since

Only send the response if the entity has not been modified since a specific time

If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT

Status: Permanent

Max-Forwards

Limit the number of times the message can be forwarded through proxies or gateways

Max-Forwards: 10

Status: Permanent

Pragma

Implementation-specific headers that may have various effects anywhere along the request-response chain

Pragma: no-cache

Status: Permanent

Proxy-Authorization

Authorization credentials for connecting to a proxy

Proxy-Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Status: Permanent

Range

Request only part of an entity. Bytes are numbered from 0

Range: bytes=500-999

Status: Permanent

Referer

This is the address of the previous web page from which a link to the currently requested page was followed. The word “referrer” is misspelled in the RFC as well as in most implementations

Referer: http://en.wikipedia.org/wiki/Main_Page

Status: Permanent

TE

The transfer encodings the user agent is willing to accept: the same values as for the response header Transfer-Encoding can be used, plus the trailers value (related to the chunked transfer method) to notify the server it expects to receive additional headers (the trailers) after the last, zero-sized, chunk

TE: trailers, deflate

Status: Permanent

User-Agent

The user agent string of the user agent

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36

Status: Permanent

Via

Informs the server of proxies through which the request was sent

Via: 1.0 fred, 1.1 example.com (Apache/1.1)

Status: Permanent

Warning

A general warning about possible problems with the entity body

Warning: 199 Miscellaneous warning

Status: Permanent

Cookie

An HTTP cookie previously sent by the server with Set-Cookie

Cookie: $Version=1; Skin=new;

Status: Permanent - Standard

Origin

Initiates a request for cross-origin resource sharing (asks server for an Access-Control-Allow-Origin response header)

Origin: http://www.example-social-network.com

Status: Permanent - Standard

Accept-Datetime

Acceptable version in time

Accept-Datetime: Thu, 31 May 2007 20:35:00 GMT

Status: Provisional

Common Non-Standard Request Headers

X-Requested-With

Mainly used to identify Ajax requests. Some JavaScript frameworks send this field with value of XMLHttpRequest, such as jQuery.

  • XMLHttpRequest - Ajax request

X-Requested-With: XMLHttpRequest

Responses

Accept

Content-Types that are acceptable for the response

Accept: text/plain

Status: Permanent

Access-Control-Allow-Origin

Specifying which web sites can participate in cross-origin resource sharing

Access-Control-Allow-Origin: *

Status: Provisional

Refresh

Used in redirection, or when a new resource has been created. This refresh redirects after 5 seconds:

Refresh: 5; url=http://www.w3.org/pub/WWW/People.html

Status: Proprietary/non-standard: a header extension introduced by Netscape and supported by most web browsers

Expires

Gives the date/time after which the response is considered stale

Expires: Thu, 01 Dec 1994 16:00:00 GMT

Status: Permanent - Standard

Set-Cookie

An HTTP cookie

Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=

Status: Permanent - Standard

Strict-Transport-Security

An HSTS policy informing the HTTP client how long to cache the HTTPS-only policy and whether this applies to subdomains

Strict-Transport-Security: max-age=16070400; includeSubDomains

Status: Permanent - Standard

Accept-Patch

Specifies which patch document formats this server supports

Accept-Patch: text/example;charset=utf-8

Status: Permanent

Accept-Ranges

What partial content range types this server supports

Accept-Ranges: bytes

Status: Permanent

Age

The age the object has been in a proxy cache in seconds

Age: 12

Status: Permanent

Allow

Valid actions for a specified resource. To be used for a 405 Method not allowed

Allow: GET, HEAD

Status: Permanent

Cache-Control

Tells all caching mechanisms from server to client whether they may cache this object. The max-age value is measured in seconds

Cache-Control: max-age=3600

Status: Permanent

Connection

Options that are desired for the connection

Connection: close

Status: Permanent

Content-Encoding

The type of encoding used on the data

Content-Encoding: gzip

Status: Permanent

Content-Language

The language the content is in

Content-Language: da

Status: Permanent

Content-Length

The length of the response body in octets (8-bit bytes)

Content-Length: 348

Status: Permanent

Content-Location

An alternate location for the returned data

Content-Location: /index.htm

Status: Permanent

Content-MD5

A Base64-encoded binary MD5 sum of the content of the response

Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==

Status: Permanent

Content-Disposition

An opportunity to raise a "File Download" dialogue box for a known MIME type with binary format or suggest a filename for dynamic content. Quotes are necessary with special characters

Content-Disposition: attachment; filename="fname.ext"

Status: Permanent

Content-Range

Where in a full body message this partial message belongs

Content-Range: bytes 21010-47021/47022

Status: Permanent

Content-Type

The MIME type of this content

Content-Type: text/html; charset=utf-8

Status: Permanent

Date

The date and time that the message was sent (in HTTP-date format as defined by RFC 2616)

Date: Tue, 15 Nov 1994 08:12:31 GMT

Status: Permanent

ETag

An identifier for a specific version of a resource, often a message digest

ETag: "737060cd8c284d8af7ad3082f209582d"

Status: Permanent

Last-Modified

The last modified date for the requested object (in HTTP-date format as defined by RFC 2616)

Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT

Status: Permanent

Link

Used to express a typed relationship with another resource, where the relation type is defined by RFC 5988

Link: </feed>; rel="alternate"

Status: Permanent

Location

Used in redirection, or when a new resource has been created

Location: http://www.w3.org/pub/WWW/People.html

Status: Permanent

P3P

This header is supposed to set a P3P policy, in the form of P3P:CP="your_compact_policy". However, P3P did not take off and most browsers have never fully implemented it. A lot of websites set this header with fake policy text, which was enough to make browsers believe a P3P policy existed and grant permissions for third-party cookies

P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info."

Status: Permanent

Pragma

Implementation-specific headers that may have various effects anywhere along the request-response chain

Pragma: no-cache

Status: Permanent

Proxy-Authenticate

Request authentication to access the proxy

Proxy-Authenticate: Basic

Status: Permanent

Retry-After

If an entity is temporarily unavailable, this instructs the client to try again later. The value can be a specified period of time (in seconds) or an HTTP-date

Retry-After: 120
Retry-After: Fri, 07 Nov 2014 23:59:59 GMT

Status: Permanent

Server

A name for the server

Server: Apache/2.4.1 (Unix)

Status: Permanent

Trailer

The Trailer general field value indicates that the given set of header fields is present in the trailer of a message encoded with chunked transfer-coding

Trailer: Max-Forwards

Status: Permanent

Transfer-Encoding

The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity

Transfer-Encoding: chunked

Status: Permanent

Upgrade

Ask the server to upgrade to another protocol

Upgrade: HTTP/2.0, SHTTP/1.3, IRC/6.9, RTA/x11

Status: Permanent

Vary

Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server

Vary: *

Status: Permanent

Warning

A general warning about possible problems with the entity body

Warning: 199 Miscellaneous warning

Status: Permanent

WWW-Authenticate

Indicates the authentication scheme that should be used to access the requested entity

WWW-Authenticate: Basic

Status: Permanent

Status

The HTTP status of the response

Status: 200 OK

Common Non-Standard Response Headers

X-Frame-Options

Clickjacking protection:

  • deny - no rendering within a frame
  • sameorigin - no rendering if origin mismatch

X-Frame-Options: deny

X-XSS-Protection

Cross-site scripting (XSS) filter

X-XSS-Protection: 1; mode=block

Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP

Content Security Policy definition

X-WebKit-CSP: default-src 'self'

X-Content-Type-Options

The only defined value, nosniff, prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions

X-Content-Type-Options: nosniff

X-Powered-By

Specifies the technology (e.g. ASP.NET, PHP, JBoss) supporting the web application (version details are often in X-Runtime, X-Version, or X-AspNet-Version)

X-Powered-By: PHP/5.4.0

X-UA-Compatible

Recommends the preferred rendering engine (often a backward-compatibility mode) to use to display the content. Also used to activate Chrome Frame in Internet Explorer

X-UA-Compatible: IE=EmulateIE7
X-UA-Compatible: IE=edge
X-UA-Compatible: Chrome=1