HTTP Header Fields

Requests

Accept	Content types that are acceptable for the response Accept: text/plain Status: Permanent
Accept-Charset	Character sets that are acceptable Accept-Charset: utf-8 Status: Permanent
Accept-Encoding	List of acceptable encodings Accept-Encoding: gzip, deflate Status: Permanent
Accept-Language	List of acceptable human languages for response Accept-Language: en-US Status: Permanent
Authorization	Authentication credentials for HTTP authentication Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Status: Permanent
Cache-Control	Used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain Cache-Control: no-cache Status: Permanent
Connection	What type of connection the user-agent would prefer Connection: keep-alive Status: Permanent
Content-Length	The length of the request body in octets (8-bit bytes) Content-Length: 348 Status: Permanent
Content-MD5	A Base64-encoded binary MD5 sum of the content of the request body Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ== Status: Permanent
Content-Type	The MIME type of the body of the request (used with `POST` and `PUT` requests) Content-Type: application/json Status: Permanent
Date	The date and time that the message was sent (in `HTTP-date` format as defined by RFC 2616) Date: Tue, 15 Nov 1994 08:12:31 GMT Status: Permanent
Expect	Indicates that particular server behaviors are required by the client Expect: 100-continue Status: Permanent
From	The email address of the user making the request From: user@example.com Status: Permanent
Host	The domain name of the server (for virtual hosting), and the TCP port number on which the server is listening. The port number may be omitted if the port is the standard port for the service requested. Mandatory since HTTP/1.1. Although domain name are specified as case-insensitive, it is not specified whether the contents of the Host field should be interpreted in a case-insensitive manner and in practice some implementations of virtual hosting interpret the contents of the Host field in a case-sensitive manner Host: en.wikipedia.org Status: Permanent
If-Match	Only perform the action if the client supplied entity matches the same entity on the server. This is mainly for methods like `PUT` to only update a resource if it has not been modified since the user last updated it If-Match: "737060cd8c284d8af7ad3082f209582d" Status: Permanent
If-Modified-Since	Allows a `304 Not Modified` to be returned if content is unchanged If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT Status: Permanent
If-None-Match	Allows a `304 Not Modified` to be returned if content is unchanged If-None-Match: "737060cd8c284d8af7ad3082f209582d" Status: Permanent
If-Range	If the entity is unchanged, send me the part(s) that I am missing; otherwise, send me the entire new entity If-Range: "737060cd8c284d8af7ad3082f209582d" Status: Permanent
If-Unmodified-Since	Only send the response if the entity has not been modified since a specific time If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT Status: Permanent
Max-Forwards	Limit the number of times the message can be forwarded through proxies or gateways Max-Forwards: 10 Status: Permanent
Pragma	Implementation-specific headers that may have various effects anywhere along the request-response chain Pragma: no-cache Status: Permanent
Proxy-Authorization	Authorization credentials for connecting to a proxy Proxy-Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Status: Permanent
Range	Request only part of an entity. Bytes are numbered from 0 Range: bytes=500-999 Status: Permanent
Referer	This is the address of the previous web page from which a link to the currently requested page was followed. The word “referrer” is misspelled in the RFC as well as in most implementations Referer: http://en.wikipedia.org/wiki/Main_Page Status: Permanent
TE	The transfer encodings the user agent is willing to accept: the same values as for the response header `Transfer-Encoding` can be used, plus the `trailers` value (related to the `chunked` transfer method) to notify the server it expects to receive additional headers (the trailers) after the last, zero-sized, chunk TE: trailers, deflate Status: Permanent
User-Agent	The user agent string of the user agent User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36 Status: Permanent
Via	Informs the server of proxies through which the request was sent Via: 1.0 fred, 1.1 example.com (Apache/1.1) Status: Permanent
Warning	A general warning about possible problems with the entity body Warning: 199 Miscellaneous warning Status: Permanent
Cookie	An HTTP cookie previously sent by the server with Set-Cookie Cookie: $Version=1; Skin=new; Status: Permanent - Standard
Origin	Initiates a request for cross-origin resource sharing (asks server for an `Access-Control-Allow-Origin` response header) Origin: http://www.example-social-network.com Status: Permanent - Standard
Accept-Datetime	Acceptable version in time Accept-Datetime: Thu, 31 May 2007 20:35:00 GMT Status: Provisional

Common Non-Standard Request Headers

X-Requested-With

Mainly used to identify Ajax requests. Some JavaScript frameworks send this field with value of XMLHttpRequest, such as jQuery.

XMLHttpRequest - Ajax request

X-Requested-With: XMLHttpRequest

Responses

Accept	Content-Types that are acceptable for the response Accept: text/plain Status: Permanent
Access-Control-Allow-Origin	Specifying which web sites can participate in cross-origin resource sharing Access-Control-Allow-Origin: * Status: Provisional
Refresh	Used in redirection, or when a new resource has been created. This refresh redirects after 5 seconds: Refresh: 5; url=http://www.w3.org/pub/WWW/People.html Status: Proprietary/non-standard: a header extension introduced by Netscape and supported by most web browsers
Expires	Gives the date/time after which the response is considered stale Expires: Thu, 01 Dec 1994 16:00:00 GMT Status: Permanent - Standard
Set-Cookie	An HTTP cookie Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version= Status: Permanent - Standard
Strict-Transport-Security	A HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains Strict-Transport-Security: max-age=16070400; includeSubDomains Status: Permanent - Standard
Accept-Patch	Specifies which patch document formats this server supports Accept-Patch: text/example;charset=utf-8 Status: Permanent
Accept-Ranges	What partial content range types this server supports Accept-Ranges: bytes Status: Permanent
Age	The age the object has been in a proxy cache in seconds Age: 12 Status: Permanent
Allow	Valid actions for a specified resource. To be used for a 405 Method not allowed Allow: GET, HEAD Status: Permanent
Cache-Control	Tells all caching mechanisms from server to client whether they may cache this object. It is measured in seconds Cache-Control: max-age=3600 Status: Permanent
Connection	Options that are desired for the connection Connection: close Status: Permanent
Content-Encoding	The type of encoding used on the data Content-Encoding: gzip Status: Permanent
Content-Language	The language the content is in Content-Language: da Status: Permanent
Content-Length	The length of the response body in octets (8-bit bytes) Content-Length: 348 Status: Permanent
Content-Location	An alternate location for the returned data Content-Location: /index.htm Status: Permanent
Content-MD5	A Base64-encoded binary MD5 sum of the content of the response Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ== Status: Permanent
Content-Disposition	An opportunity to raise a "File Download" dialogue box for a known MIME type with binary format or suggest a filename for dynamic content. Quotes are necessary with special characters Content-Disposition: attachment; filename="fname.ext" Status: Permanent
Content-Range	Where in a full body message this partial message belongs Content-Range: bytes 21010-47021/47022 Status: Permanent
Content-Type	The MIME type of this content Content-Type: text/html; charset=utf-8 Status: Permanent
Date	The date and time that the message was sent (in `HTTP-date` format as defined by RFC 2616) Date: Tue, 15 Nov 1994 08:12:31 GMT Status: Permanent
ETag	An identifier for a specific version of a resource, often a message digest ETag: "737060cd8c284d8af7ad3082f209582d" Status: Permanent
Last-Modified	The last modified date for the requested object (in `HTTP-date` format as defined by RFC 2616) Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT Status: Permanent
Link	Used to express a typed relationship with another resource, where the relation type is defined by RFC 5988 Link: </feed>; rel="alternate" Status: Permanent
Location	Used in redirection, or when a new resource has been created Location: http://www.w3.org/pub/WWW/People.html Status: Permanent
P3P	This header is supposed to set P3P policy, in the form of `P3P:CP="your_compact_policy"`. However, P3P did not take off, most browsers have never fully implemented it, a lot of websites set this header with fake policy text, that was enough to fool browsers the existence of P3P policy and grant permissions for third party cookies P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657 for more info." Status: Permanent
Pragma	Implementation-specific headers that may have various effects anywhere along the request-response chain Pragma: no-cache Status: Permanent
Proxy-Authenticate	Request authentication to access the proxy Proxy-Authenticate: Basic Status: Permanent
Retry-After	If an entity is temporarily unavailable, this instructs the client to try again later. Value could be a specified period of time (in seconds) or a HTTP-date Retry-After: 120; Retry-After: Fri, 07 Nov 2014 23:59:59 GMT Status: Permanent
Server	A name for the server Server: Apache/2.4.1 (Unix) Status: Permanent
Trailer	The Trailer general field value indicates that the given set of header fields is present in the trailer of a message encoded with chunked transfer-coding Trailer: Max-Forwards Status: Permanent
Transfer-Encoding	The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity Transfer-Encoding: chunked Status: Permanent
Upgrade	Ask the server to upgrade to another protocol Upgrade: HTTP/2.0, SHTTP/1.3, IRC/6.9, RTA/x11 Status: Permanent
Vary	Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server Vary: * Status: Permanent
Warning	A general warning about possible problems with the entity body Warning: 199 Miscellaneous warning Status: Permanent
WWW-Authenticate	Indicates the authentication scheme that should be used to access the requested entity WWW-Authenticate: Basic Status: Permanent
Status	The HTTP status of the response Status: 200 OK

Common Non-Standard Response Headers

X-Frame-Options	Clickjacking protection: `deny` - no rendering within a frame `sameorigin` - no rendering if origin mismatch X-Frame-Options: deny
X-XSS-Protection	Cross-site scripting (XSS) filter X-XSS-Protection: 1; mode=block
Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP	Content Security Policy definition X-WebKit-CSP: default-src "self"
X-Content-Type-Options	The only defined value, `nosniff`, prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions X-Content-Type-Options: nosniff
X-Powered-By	Specifies the technology (e.g. ASP.NET, PHP, JBoss) supporting the web application (version details are often in X-Runtime, X-Version, or X-AspNet-Version) X-Powered-By: PHP/5.4.0
X-UA-Compatible	Recommends the preferred rendering engine (often a backward-compatibility mode) to use to display the content. Also used to activate Chrome Frame in Internet Explorer X-UA-Compatible: IE=EmulateIE7; X-UA-Compatible: IE=edge; X-UA-Compatible: Chrome=1