HTTP Header Reference

Complete reference of 33 HTTP request and response headers

Accept
request

Informs the server about the media types the client can process in the response. The server uses content negotiation to select one of the proposed formats.

Accept-Encoding
request

Indicates which content encoding (compression algorithm) the client supports. The server may compress the response body using one of these methods.

Accept-Language
request

Indicates which natural languages the client prefers. The server uses this for content negotiation to return the appropriate language version.

Authorization
request

Contains credentials to authenticate the client with the server. Commonly used for Bearer tokens, Basic auth, and API keys.

Cache-Control
both

Specifies caching directives for both requests and responses. Controls how and for how long content is cached by browsers and intermediate caches.

Connection
both

Controls whether the network connection stays open after the current transaction. HTTP/2 and HTTP/3 prohibit using this header for connection management.

Content-Disposition
response

Indicates how the response content should be displayed. Can suggest a filename for download or indicate inline display.

Content-Encoding
response

Indicates which compression algorithm was applied to the response body. The client must use the same algorithm to decompress the data.

Content-Length
both

Indicates the size of the message body in bytes, in either a request or a response. Lets the recipient know how much data to expect and where the message ends.

Content-Type
both

Indicates the media type (MIME type) of the body being sent, in either a request or a response. Tells the recipient how to interpret the body.

Cookie
request

Sends stored HTTP cookies from the client to the server. Contains name-value pairs that maintain session state across requests.

Access-Control-Allow-Origin
response

Part of the CORS (Cross-Origin Resource Sharing) system. Indicates whether the response can be shared with requesting code from a different origin.

Date
response

Contains the date and time when the message was originated. Every HTTP response should include this header.

ETag
response

An identifier for a specific version of a resource. Used for cache validation and conditional requests to avoid re-downloading unchanged content.

Host
request

Specifies the domain name of the server and optionally the TCP port number. Mandatory in HTTP/1.1 requests.

If-None-Match
request

Makes the request conditional. The server responds with 304 Not Modified if the resource's ETag matches the provided value. Otherwise returns the full resource with 200.

If-Modified-Since
request

Makes the request conditional. The server responds with 304 Not Modified if the resource has not been modified since the specified date.

Last-Modified
response

Indicates the date and time when the resource was last modified. Used for cache validation with If-Modified-Since.

Location
response

Indicates the URL to redirect a client to. Used in 3xx redirect responses and 201 Created responses.

Origin
request

Indicates the origin (scheme, host, and port) from which the request was initiated. Used in CORS to determine whether the server allows cross-origin requests.

Pragma
both

HTTP/1.0 header for implementation-specific directives. Mostly replaced by Cache-Control in HTTP/1.1. The most common usage is Pragma: no-cache.

Referer
request

Contains the address of the previous page from which the current page was requested. Used for analytics, logging, and cache optimization.

Retry-After
response

Indicates how long the client should wait before making a follow-up request. Commonly used with 429 Too Many Requests and 503 Service Unavailable.

Server
response

Contains information about the software used by the origin server to handle the request. May include version numbers, which is why many deployments minimize or omit it.

Set-Cookie
response

Sends cookies from the server to the client. The client stores them and sends them back with subsequent requests via the Cookie header.

Strict-Transport-Security (HSTS)
response

Tells the browser to only communicate with the server over HTTPS, never HTTP. Protects against protocol downgrade attacks.

Transfer-Encoding
response

Specifies the transfer encoding applied to the message body. Chunked encoding is used when the response size is not known in advance.

User-Agent
request

Identifies the client software making the request. Contains information about the application, operating system, and version.

Vary
response

Lists the request headers the server used to select this response, so caches key stored responses on those header values as well as the URL. Ensures caches serve the correct version to clients with different request criteria.

X-Forwarded-For
request

Identifies the originating IP address of a client connecting through a proxy or load balancer. Since any client can set it, its value should only be trusted when appended by a proxy the application controls. The standard Forwarded header is preferred in modern applications.

WWW-Authenticate
response

Indicates the authentication scheme that should be used to access the requested resource. Sent alongside 401 Unauthorized responses.

X-Requested-With
request

Non-standard header, conventionally set to XMLHttpRequest by JavaScript libraries when making requests. Commonly used to distinguish AJAX requests from normal browser navigation.

Content-Security-Policy (CSP)
response

Controls which sources the browser is allowed to load resources from. A critical security header that mitigates XSS and data injection attacks.