HTTP headers

HTTP header requests.
Header	Description	Example
Accept	Content-Types that are acceptable.	Accept: text/plain
Accept-Charset	Character sets that are acceptable.	Accept-Charset: utf-8
Accept-Encoding	Acceptable encodings. See HTTP compression.	Accept-Encoding:
Accept-Language	Acceptable languages for response.	Accept-Language: en-US
Authorization	Authentication credentials for HTTP authentication.	Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Cache-Control	Used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain.	Cache-Control: no-cache
Connection	What type of connection the user-agent would prefer.	Connection: close
Content-Length	The length of the request body in octets (8-bit bytes).	Content-Length: 348
Content-MD5	A Base64-encoded binary MD5 sum of the content of the request body.	Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==
Content-Type	The mime type of the body of the request (used with POST and PUT requests).	Content-Type: application/x-www-form-urlencoded
Cookie	An HTTP cookie previously sent by the server with Set-Cookie.	Cookie: $Version=1; Skin=new;
Date	The date and time that the message was sent.	Date: Tue, 15 Nov 1994 08:12:31 GMT
DNT	Non standard. Requests a web application to disable their tracking of a user. This is Mozilla's version of the X-Do-Not-Track header (since Firefox 4.0 Beta 11). Safari and IE9 also have support for this header. On March 7, 2011, a draft proposal was submitted to IETF.	DNT: 1
Expect	Indicates that particular server behaviors are required by the client.	Expect: 100-continue
From	The email address of the user making the request.	From: user@example.com
Host	The domain name of the server (for virtual hosting), mandatory since HTTP/1.1.	Host: en.wikipedia.org
If-Match	Only perform the action if the client supplied entity matches the same entity on the server. This is mainly for methods like PUT to only update a resource if it has not been modified since the user last updated it.	If-Match: "737060cd8c284d8af7ad3082f209582d"
If-Modified-Since	Allows a 304 Not Modified to be returned if content is unchanged.	If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT
If-None-Match	Allows a 304 Not Modified to be returned if content is unchanged, see HTTP ETag.	If-None-Match: "737060cd8c284d8af7ad3082f209582d"
If-Range	If the entity is unchanged, send me the part(s) that I am missing; otherwise, send me the entire new entity.	If-Range: "737060cd8c284d8af7ad3082f209582d"
If-Unmodified-Since	Only send the response if the entity has not been modified since a specific time.	If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT
Max-Forwards	Limit the number of times the message can be forwarded through proxies or gateways.	Max-Forwards: 10
Pragma	Implementation-specific headers that may have various effects anywhere along the request-response chain.	Pragma: no-cache
Proxy-Authorization	Authorization credentials for connecting to a proxy.	Proxy-Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Range	Request only part of an entity. Bytes are numbered from 0.	Range: bytes=500-999
Referer	This is the address of the previous web page from which a link to the currently requested page was followed. (The word “referrer” is misspelled in the RFC as well as in most implementations.).	Referer: http://en.wikipedia.org/wiki/Main_Page
TE	The transfer encodings the user agent is willing to accept: the same values as for the response header Transfer-Encoding can be used, plus the "trailers" value (related to the "chunked" transfer method) to notify the server it accepts to receive additional headers (the trailers) after the last, zero-sized, chunk.	TE: trailers, deflate
Upgrade	Ask the server to upgrade to another protocol.	Upgrade: HTTP/2.0, SHTTP/1.3, IRC/6.9, RTA/x11
User-Agent	The user agent string of the user agent.	User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Via	Informs the server of proxies through which the request was sent.	Via: 1.0 fred, 1.1 nowhere.com (Apache/1.1)
Warning	A general warning about possible problems with the entity body.	Warning: 199 Miscellaneous warning
X-Do-Not-Track	Non standard. Requests a web application to disable their tracking of a user. Note that, as of yet, this is largely ignored by web applications. It does however open the door to future legislation requiring web applications to comply with a user's request to not be tracked. Mozilla implements the DNT header with a similar purpose.	X-Do-Not-Track: 1
X-Requested-With	Non standard. Mainly used to identify Ajax requests. Most JavaScript frameworks send this header with value of XMLHttpRequest	X-Requested-With: XMLHttpRequest
HTTP header responses.
Header	Description	Example
Accept-Ranges	What partial content range types this server supports.	Accept-Ranges: bytes
Age	The age the object has been in a proxy cache in seconds.	Age: 12
Allow	Valid actions for a specified resource. To be used for a 405 Method not allowed.	Allow: GET, HEAD
Cache-Control	Tells all caching mechanisms from server to client whether they may cache this object. It is measured in seconds.	Cache-Control: max-age=3600
Connection	Options that are desired for the connection.	Connection: close
Content-Disposition	An opportunity to raise a "File Download" dialogue box for a known MIME type	Content-Disposition: attachment; filename=fname.ext
Content-Encoding	The type of encoding used on the data.	Content-Encoding: gzip
Content-Language	The language the content is in.	Content-Language: da
Content-Length	The length of the response body in octets (8-bit bytes).	Content-Length: 348
Content-Location	An alternate location for the returned data.	Content-Location: /index.htm
Content-MD5	A Base64-encoded binary MD5 sum of the content of the response.	Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==
Content-Range	Where in a full body message this partial message belongs.	Content-Range: bytes 21010-47021/47022
Content-Type	The mime type of this content.	Content-Type: text/html; charset=utf-8
Date	The date and time that the message was sent.	Date: Tue, 15 Nov 1994 08:12:31 GMT
ETag	An identifier for a specific version of a resource, often a message digest.	ETag: "737060cd8c284d8af7ad3082f209582d"
Expires	Gives the date/time after which the response is considered stale.	Expires: Thu, 01 Dec 1994 16:00:00 GMT
Last-Modified	The last modified date for the requested object, in RFC 2822 format.	Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT
Link	Used to express a typed relationship with another resource, where the relation type is defined by RFC 5988.	Link: ; rel="alternate"
Location	Used in redirection, or when a new resource has been created.	Location: http://www.w3.org/pub/WWW/People.html
P3P	This header is supposed to set P3P policy, in the form of P3P:CP="your_compact_policy". However, P3P did not take off, most browsers have never fully implemented it, a lot of websites set this header with fake policy text, that was enough to fool browsers the existence of P3P policy and grant permissions for third party cookies.	P3P: CP="This is not a P3P policy! See http://www.google.com/support/accounts/bin/answer.py?hl=en&an
Pragma	Implementation-specific headers that may have various effects anywhere along the request-response chain.	Pragma: no-cache
Proxy-Authenticate	Request authentication to access the proxy.	Proxy-Authenticate: Basic
Refresh	Used in redirection, or when a new resource has been created. This refresh redirects after 5 seconds. This is a proprietary, non-standard header extension introduced by Netscape and supported by most web browsers.	Refresh: 5; url=http://www.w3.org/pub/WWW/People.html
Retry-After	If an entity is temporarily unavailable, this instructs the client to try again after a specified period of time.	Retry-After: 120
Server	A name for the server.	Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)
Set-Cookie	An HTTP cookie.	Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=1
Strict-Transport-Security	A HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains.	Strict-Transport-Security: max-age=16070400; includeSubDomains
Trailer	The Trailer general field value indicates that the given set of header fields is present in the trailer of a message encoded with chunked transfer-coding.	Trailer: Max-Forwards
Transfer-Encoding	The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity.	Transfer-Encoding: chunked
Vary	Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server.	Vary: *
Via	Informs the client of proxies through which the response was sent.	Via: 1.0 fred, 1.1 nowhere.com (Apache/1.1)
Warning	A general warning about possible problems with the entity body.	Warning: 199 Miscellaneous warning
WWW-Authenticate	Indicates the authentication scheme that should be used to access the requested entity.	WWW-Authenticate: Basic
X-Content-Type-Options	Non standard. The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type.	X-Content-Type-Options: nosniff
X-Forwarded-For	Non standard. A de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.	X-Forwarded-For: client1, proxy1, proxy2
X-Forwarded-Proto	Non standard. A de facto standard for identifying the originating protocol of an HTTP request, since a reverse proxy (load balancer) communicates with a web server using HTTP.	X-Forwarded-Proto: https
X-Frame-Options	Non standard. Clickjacking protection: "deny" - no rendering within a frame, "sameorigin" - no rendering if origin mismatch.	X-Frame-Options: deny
X-Powered-By	Non standard. Specifies the technology (ASP.NET, PHP, JBoss, e.g.) supporting the web application (version details are often in X-Runtime, X-Version, or X-AspNet-Version).	X-Powered-By: PHP/5.2.1
X-XSS-Protection	Non standard. Cross-site scripting (XSS) filter.	X-XSS-Protection: 1; mode=block