HTTP Headers#

Reference of HTTP request and response headers, with notes on operator-relevant security headers, caching, content negotiation, and the modern set introduced in HTTP/2 / HTTP/3.

For HTTP status codes, see HTTP Status Codes. For protocols broadly, see Network Protocols.

Request headers#

Header

Notes

Host

Host: api.example.com; mandatory in HTTP/1.1. In HTTP/2+ becomes the :authority pseudo-header.

User-Agent

client identification; routinely spoofed.

Accept

MIME types client accepts (text/html, application/xml).

Accept-Encoding

gzip, br, zstd, deflate; declares supported compressions.

Accept-Language

locale preferences (BCP 47).

Authorization

Bearer ..., Basic ..., Digest ....

Cookie

client-side state; server-set via Set-Cookie.

Referer

[sic] page-of-origin; controlled by Referrer-Policy.

Origin

cross-origin request origin (CORS).

If-Match

conditional; require matching ETag.

If-None-Match

conditional; do not return matching ETag.

If-Modified-Since

conditional; modification-time check.

Range

byte-range requests (Range: bytes=0-1023).

Content-Length

body bytes.

Content-Type

MIME type of body.

DNT

deprecated “do not track”; widely ignored.

Sec-Fetch-{Site,Mod

e,Dest,User} modern fetch metadata; CORS-style anti-CSRF in browser-originated requests.

Sec-CH-UA / -Mobile

/ -Platform User-Agent Client Hints; Chrome’s replacement for legacy User-Agent string.

Forwarded /

proxy chain identification (RFC 7239 vs older

X-Forwarded-For X-Forwarded-Host X-Forwarded-Proto

X-Forwarded-* family).

True-Client-IP

Cloudflare-style.

CF-Connecting-IP

Cloudflare original client IP.

X-Real-IP

nginx convention.

X-Request-ID

per-request correlation.

Trace headers

traceparent, tracestate (W3C TraceContext).

Cache-Control

per-direction; client also sends no-cache / no-store etc. (most often a response header).

Upgrade

protocol switch (Upgrade: websocket).

Connection

per-hop hop-by-hop.

TE / Trailer

transfer-encoding negotiation.

Expect

100-continue.

Response headers#

Header

Notes

Server

server identification; routinely scrubbed.

Date

response time (RFC 7231).

Content-Type

text/html; charset=utf-8 etc.

Content-Length

body bytes.

Content-Encoding

gzip / br / zstd; matches client Accept-Encoding.

Content-Disposition

attachment; filename=....

Content-Range

partial response.

Content-Language

locale of body.

Vary

cache-key axis (Vary: Accept-Encoding, Accept-Language).

ETag

opaque resource version; pair with conditional request.

Last-Modified

resource modification time.

Cache-Control

caching policy.

Expires

legacy absolute-time expiration.

Pragma

legacy no-cache.

Set-Cookie

set client cookie; attributes: HttpOnly, Secure, SameSite=Strict|Lax|None, Path, Domain, Max-Age, Expires, Partitioned.

Location

redirect target (3xx).

Allow

permitted methods (405).

Retry-After

seconds or HTTP-date for retries (429 / 503).

WWW-Authenticate

challenge for 401.

Proxy-Authenticate

proxy challenge.

Strict-Transport- Security

max-age=63072000; includeSubDomains; preload (HSTS).

Content-Security- Policy

modern XSS / injection mitigation.

Content-Security- Policy-Report-Only

report-only variant.

X-Content-Type- Options

nosniff; prevent MIME sniffing.

X-Frame-Options

legacy clickjacking protection (DENY / SAMEORIGIN); superseded by CSP frame-ancestors.

X-XSS-Protection

legacy / deprecated; CSP supersedes.

Referrer-Policy

control Referer header (no-referrer, strict-origin-when-cross-origin, …).

Permissions-Policy

control browser features (geolocation=()).

Cross-Origin-Embedd

er-Policy require-corp; pair with COOP for isolation needed for high-resolution timers.

Cross-Origin-Opener

-Policy

same-origin; isolate browsing context.

Cross-Origin-Resour

ce-Policy per-resource isolation.

Reporting-Endpoints

destination for CSP violation / NEL reports.

NEL (Network Error Logging)

network-error logging.

Expect-CT

deprecated; CT enforcement.

Public-Key-Pins

deprecated; use CT instead.

Server-Timing

per-request timing for client analysis.

Alt-Svc

advertise HTTP/3 endpoints.

Link

</style.css>; rel=preload; as=style.

CORS headers#

Header (response)

Notes

Access-Control- Allow-Origin

allowlist origin (or * or echo).

Access-Control- Allow-Methods

allowed methods.

Access-Control- Allow-Headers

allowed request headers.

Access-Control- Allow-Credentials

true or absent; gates credentialed requests.

Access-Control- Max-Age

preflight cache lifetime.

Access-Control- Expose-Headers

headers exposed to JS.

Compression / encodings#

Encoding

Notes

gzip

near-universal.

deflate

rarely-used; ambiguous spec.

br

Brotli; widely supported.

zstd

Zstandard; rising browser + CDN support 2024+.

identity

no encoding.

HTTP/2 + HTTP/3 specifics#

Concept

Notes

Pseudo-headers

:method, :scheme, :authority, :path (req); :status (resp). Lowercase in HTTP/2+.

HPACK / QPACK

header compression (HTTP/2 / HTTP/3).

Header normalisatio

n lowercase only; host -> :authority.

Settings frame

per-connection limits.

Push

server-push; deprecated in Chrome 2022.

Alt-Svc

advertise HTTP/3.

Trailers

rare; gRPC primary use.

Frame types

DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS, PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE, CONTINUATION.

Quick security baseline#

A modern web app should ship at least:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-...'; ...
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site

Cookies should always be Secure; HttpOnly; SameSite=Lax (or Strict) at minimum; __Host- / __Secure- prefixes for cookies that require strict scoping.

References#