HTTP Headers#
Reference of HTTP request and response headers, with notes on operator-relevant security headers, caching, content negotiation, and the modern set introduced in HTTP/2 / HTTP/3.
For HTTP status codes, see HTTP Status Codes. For protocols broadly, see Network Protocols.
Request headers#
Header |
Notes |
|---|---|
Host |
|
User-Agent |
client identification; routinely spoofed. |
Accept |
MIME types client accepts ( |
Accept-Encoding |
|
Accept-Language |
locale preferences (BCP 47). |
Authorization |
|
Cookie |
client-side state; server-set via |
Referer |
[sic] page-of-origin; controlled by |
Origin |
cross-origin request origin (CORS). |
If-Match |
conditional; require matching ETag. |
If-None-Match |
conditional; do not return matching ETag. |
If-Modified-Since |
conditional; modification-time check. |
Range |
byte-range requests ( |
Content-Length |
body bytes. |
Content-Type |
MIME type of body. |
DNT |
deprecated “do not track”; widely ignored. |
Sec-Fetch-{Site,Mod |
e,Dest,User} modern fetch metadata; CORS-style anti-CSRF in browser-originated requests. |
Sec-CH-UA / -Mobile |
/ -Platform User-Agent Client Hints; Chrome’s replacement for legacy User-Agent string. |
Forwarded / |
proxy chain identification (RFC 7239 vs older |
X-Forwarded-For X-Forwarded-Host X-Forwarded-Proto |
X-Forwarded-* family). |
True-Client-IP |
Cloudflare-style. |
CF-Connecting-IP |
Cloudflare original client IP. |
X-Real-IP |
nginx convention. |
X-Request-ID |
per-request correlation. |
Trace headers |
|
Cache-Control |
per-direction; client also sends |
Upgrade |
protocol switch ( |
Connection |
per-hop hop-by-hop. |
TE / Trailer |
transfer-encoding negotiation. |
Expect |
|
Response headers#
Header |
Notes |
|---|---|
Server |
server identification; routinely scrubbed. |
Date |
response time (RFC 7231). |
Content-Type |
|
Content-Length |
body bytes. |
Content-Encoding |
|
Content-Disposition |
|
Content-Range |
partial response. |
Content-Language |
locale of body. |
Vary |
cache-key axis ( |
ETag |
opaque resource version; pair with conditional request. |
Last-Modified |
resource modification time. |
Cache-Control |
caching policy. |
Expires |
legacy absolute-time expiration. |
Pragma |
legacy |
Set-Cookie |
set client cookie; attributes: HttpOnly, Secure, SameSite=Strict|Lax|None, Path, Domain, Max-Age, Expires, Partitioned. |
Location |
redirect target (3xx). |
Allow |
permitted methods (405). |
Retry-After |
seconds or HTTP-date for retries (429 / 503). |
WWW-Authenticate |
challenge for 401. |
Proxy-Authenticate |
proxy challenge. |
Strict-Transport- Security |
|
Content-Security- Policy |
modern XSS / injection mitigation. |
Content-Security- Policy-Report-Only |
report-only variant. |
X-Content-Type- Options |
|
X-Frame-Options |
legacy clickjacking protection ( |
X-XSS-Protection |
legacy / deprecated; CSP supersedes. |
Referrer-Policy |
control Referer header ( |
Permissions-Policy |
control browser features ( |
Cross-Origin-Embedd |
er-Policy |
Cross-Origin-Opener |
|
Cross-Origin-Resour |
ce-Policy per-resource isolation. |
Reporting-Endpoints |
destination for CSP violation / NEL reports. |
NEL (Network Error Logging) |
network-error logging. |
Expect-CT |
deprecated; CT enforcement. |
Public-Key-Pins |
deprecated; use CT instead. |
Server-Timing |
per-request timing for client analysis. |
Alt-Svc |
advertise HTTP/3 endpoints. |
Link |
|
CORS headers#
Header (response) |
Notes |
|---|---|
Access-Control- Allow-Origin |
allowlist origin (or * or echo). |
Access-Control- Allow-Methods |
allowed methods. |
Access-Control- Allow-Headers |
allowed request headers. |
Access-Control- Allow-Credentials |
|
Access-Control- Max-Age |
preflight cache lifetime. |
Access-Control- Expose-Headers |
headers exposed to JS. |
Compression / encodings#
Encoding |
Notes |
|---|---|
gzip |
near-universal. |
deflate |
rarely-used; ambiguous spec. |
br |
Brotli; widely supported. |
zstd |
Zstandard; rising browser + CDN support 2024+. |
identity |
no encoding. |
HTTP/2 + HTTP/3 specifics#
Concept |
Notes |
|---|---|
Pseudo-headers |
|
HPACK / QPACK |
header compression (HTTP/2 / HTTP/3). |
Header normalisatio |
n lowercase only; host -> |
Settings frame |
per-connection limits. |
Push |
server-push; deprecated in Chrome 2022. |
Alt-Svc |
advertise HTTP/3. |
Trailers |
rare; gRPC primary use. |
Frame types |
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS, PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE, CONTINUATION. |
Quick security baseline#
A modern web app should ship at least:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-...'; ...
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: same-site
Cookies should always be Secure; HttpOnly; SameSite=Lax
(or Strict) at minimum; __Host- / __Secure- prefixes
for cookies that require strict scoping.