Accept | Request | Informs the server about the types of data the client can understand. | Accept: text/html, application/json |
Accept-Charset | Request | Advertises which character encodings the client understands. | Accept-Charset: utf-8, iso-8859-1;q=0.5 |
Accept-Encoding | Request | Advertises which content-encoding algorithms the client supports. | Accept-Encoding: gzip, deflate, br |
Accept-Language | Request | Advertises which languages the client is able to understand. | Accept-Language: en-US, en;q=0.9 |
Authorization | Request | Contains credentials to authenticate a user-agent with a server. | Authorization: Bearer eyJhbGciOiJIUzI1NiJ9... |
Cookie | Request | Contains stored HTTP cookies previously sent by the server. | Cookie: session_id=abc123; theme=dark |
Expect | Request | Indicates expectations the server must meet to handle the request. | Expect: 100-continue |
From | Request | Contains an Internet email address for a human user controlling the requesting agent. | From: user@example.com |
Host | Request | Specifies the host and port number of the server to which the request is being sent. | Host: www.example.com:443 |
If-Match | Request | Makes the request conditional; the server sends the resource only if it matches a given ETag. | If-Match: "737060cd8c284d8af7ad3082f209582d" |
If-Modified-Since | Request | Makes the request conditional; the server sends the resource only if it has been modified after the given date. | If-Modified-Since: Sat, 29 Oct 2023 19:43:31 GMT |
If-None-Match | Request | Makes the request conditional; returns 304 Not Modified if the ETag matches. | If-None-Match: "737060cd8c284d8af7ad3082f209582d" |
If-Range | Request | Makes a range request conditional; used to resume a download. | If-Range: "737060cd8c284d8af7ad3082f209582d" |
If-Unmodified-Since | Request | Makes the request conditional; the server processes it only if the resource is unchanged since the given date. | If-Unmodified-Since: Sat, 29 Oct 2023 19:43:31 GMT |
Max-Forwards | Request | Limits the number of times the request can be forwarded by proxies. | Max-Forwards: 10 |
Origin | Request | Indicates where a cross-origin fetch originates from. | Origin: https://www.example.com |
Proxy-Authorization | Request | Contains credentials to authenticate a user agent with a proxy server. | Proxy-Authorization: Basic dXNlcjpwYXNz |
Range | Request | Specifies the part of a document the server should return. | Range: bytes=0-1023 |
Referer | Request | Contains the absolute or partial address of the page making the request. | Referer: https://www.example.com/page.html |
TE | Request | Specifies the transfer encodings the user agent is willing to accept. | TE: trailers, deflate |
Upgrade-Insecure-Requests | Request | Signals the client's preference for an encrypted and authenticated response. | Upgrade-Insecure-Requests: 1 |
User-Agent | Request | Contains a characteristic string that allows network protocol peers to identify the application. | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
X-Forwarded-For | Request | Identifies the originating IP address of a client connecting through a proxy. | X-Forwarded-For: 203.0.113.195, 70.41.3.18 |
X-Requested-With | Request | Used to identify Ajax requests by JavaScript frameworks. | X-Requested-With: XMLHttpRequest |
Accept-Ranges | Response | Indicates whether the server supports range requests for a resource. | Accept-Ranges: bytes |
Age | Response | Time in seconds the object has been in a proxy cache. | Age: 24 |
Allow | Response | Lists the set of HTTP request methods supported by a resource. | Allow: GET, POST, HEAD |
Content-Disposition | Response | Indicates how the content should be displayed; often used to trigger a file download. | Content-Disposition: attachment; filename="file.pdf" |
Content-Encoding | Response | Specifies the encoding applied to the response body. | Content-Encoding: gzip |
Content-Language | Response | Describes the language(s) intended for the response audience. | Content-Language: en-US |
Content-Location | Response | Indicates an alternate location for the returned data. | Content-Location: /documents/foo.json |
Content-Range | Response | Indicates where in the full body a partial message belongs. | Content-Range: bytes 200-1000/67589 |
ETag | Response | Identifier for a specific version of a resource, used for caching. | ETag: "737060cd8c284d8af7ad3082f209582d" |
Expires | Response | Contains the date/time after which the response is considered stale. | Expires: Wed, 21 Oct 2025 07:28:00 GMT |
Last-Modified | Response | Contains the date and time the server believes the resource was last modified. | Last-Modified: Wed, 21 Oct 2023 07:28:00 GMT |
Location | Response | Indicates the URL to redirect a page to, used with 3xx status codes. | Location: https://www.example.com/new-page |
Proxy-Authenticate | Response | Defines the authentication method to gain access to a proxy. | Proxy-Authenticate: Basic realm="Access to internal site" |
Retry-After | Response | Indicates how long to wait before making a follow-up request. | Retry-After: 120 |
Server | Response | Contains information about the software used by the origin server. | Server: Apache/2.4.1 (Unix) |
Set-Cookie | Response | Sends cookies from the server to the user agent. | Set-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=Strict |
Strict-Transport-Security | Response | Informs browsers that the site should only be accessed using HTTPS (HSTS). | Strict-Transport-Security: max-age=31536000; includeSubDomains |
Trailer | Response | Specifies headers that will be present in the trailer of a message sent with chunked transfer encoding. | Trailer: Expires |
Transfer-Encoding | Response | Specifies the form of encoding used to transfer the payload body. | Transfer-Encoding: chunked |
Vary | Response | Determines how to match future request headers to decide whether a cached response can be used. | Vary: Accept-Encoding, User-Agent |
WWW-Authenticate | Response | Defines the authentication method that should be used to access the resource. | WWW-Authenticate: Basic realm="Access to the site" |
X-Content-Type-Options | Response | Prevents MIME-sniffing attacks by instructing browsers to follow the declared content type. | X-Content-Type-Options: nosniff |
X-Frame-Options | Response | Controls whether a browser can render a page in a frame, used to prevent clickjacking. | X-Frame-Options: DENY |
X-XSS-Protection | Response | Enables cross-site scripting filtering in browsers (legacy; superseded by CSP). | X-XSS-Protection: 1; mode=block |
Cache-Control | Both | Holds directives for caching in both requests and responses. | Cache-Control: no-cache, no-store, must-revalidate |
Connection | Both | Controls whether the network connection stays open after the current transaction. | Connection: keep-alive |
Content-Length | Both | Size of the message body in bytes. | Content-Length: 348 |
Content-Security-Policy | Both | Controls resources the browser is allowed to load, helps prevent XSS. | Content-Security-Policy: default-src 'self'; img-src * |
Content-Type | Both | Indicates the media type of the resource or data being sent. | Content-Type: application/json; charset=utf-8 |
Date | Both | Contains the date and time at which the message was originated. | Date: Tue, 15 Nov 2023 08:12:31 GMT |
Forwarded | Both | Contains information from the client-facing side of proxy servers that is altered or lost when proxies are involved in the request path. | Forwarded: for=192.0.2.60; proto=http; by=203.0.113.43 |
Keep-Alive | Both | Controls how long a persistent connection should stay open. | Keep-Alive: timeout=5, max=1000 |
Pragma | Both | Implementation-specific header that may have various effects along the request-response chain. | Pragma: no-cache |
Upgrade | Both | Specifies that the client wishes to switch to a different protocol. | Upgrade: websocket |
Via | Both | Added by proxies to track message forwards and avoid request loops. | Via: 1.0 fred, 1.1 example.com |
Warning | Both | Carries additional information about the status of a message. | Warning: 199 Miscellaneous warning |