All references

HTTP reference

HTTP Headers Reference

Search common HTTP request, response, security, caching and authentication headers.

27 headers

Accept

Request

Specifies the media types that the client can understand in the response.

Syntax

Accept: <media-type>

Example

Accept: application/json

Common values

application/jsontext/htmlapplication/xml*/*

Accept-Encoding

Request

Indicates which content encodings the client can decode.

Syntax

Accept-Encoding: <encoding>

Example

Accept-Encoding: gzip, br

Common values

gzipbrdeflateidentity

Accept-Language

Request

Indicates the languages preferred by the client.

Syntax

Accept-Language: <language-tag>

Example

Accept-Language: en-US, en;q=0.9

Common values

en-USen-GBes-ES*

Authorization

Authentication

Carries credentials used to authenticate the client with a server.

Syntax

Authorization: <scheme> <credentials>

Example

Authorization: Bearer eyJhbGciOi...

Common values

Bearer <token>Basic <credentials>

Cache-Control

Caching

Defines caching rules for requests and responses.

Syntax

Cache-Control: <directive>

Example

Cache-Control: public, max-age=3600

Common values

no-storeno-cachepublicprivatemax-age=3600immutable

Connection

Request

Controls whether the network connection remains open after the current exchange.

Syntax

Connection: <option>

Example

Connection: keep-alive

Common values

keep-aliveclose

Content-Disposition

Response

Indicates whether content should be displayed inline or downloaded as an attachment.

Syntax

Content-Disposition: attachment; filename="<filename>"

Example

Content-Disposition: attachment; filename="report.csv"

Common values

inlineattachment

Content-Encoding

Representation

Specifies the encoding applied to the response body.

Syntax

Content-Encoding: <encoding>

Example

Content-Encoding: gzip

Common values

gzipbrdeflate

Content-Length

Representation

Reports the size of the message body in bytes.

Syntax

Content-Length: <number>

Example

Content-Length: 348

Content-Security-Policy

Security

Restricts which resources a browser may load and execute for a page.

Syntax

Content-Security-Policy: <policy-directives>

Example

Content-Security-Policy: default-src 'self'; img-src 'self' data:

Common values

default-srcscript-srcstyle-srcimg-srcconnect-srcframe-ancestors

Content-Type

Representation

Describes the media type and optional character encoding of the message body.

Syntax

Content-Type: <media-type>; charset=<encoding>

Example

Content-Type: application/json; charset=utf-8

Common values

application/jsontext/htmltext/plainmultipart/form-dataapplication/octet-stream

Cookie

Request

Sends cookies previously stored by the browser to the server.

Syntax

Cookie: <name>=<value>; <name>=<value>

Example

Cookie: session=abc123; theme=dark

ETag

Caching

Provides an identifier for a specific version of a resource.

Syntax

ETag: "<identifier>"

Example

ETag: "686897696a7c876b7e"

Host

Request

Identifies the domain and optional port of the target server.

Syntax

Host: <hostname>:<port>

Example

Host: api.example.com:443

If-Modified-Since

Caching

Requests the resource only when it has changed after the supplied date.

Syntax

If-Modified-Since: <http-date>

Example

If-Modified-Since: Wed, 15 Jul 2026 10:00:00 GMT

If-None-Match

Caching

Requests the resource only when its current ETag differs from the supplied value.

Syntax

If-None-Match: "<etag>"

Example

If-None-Match: "686897696a7c876b7e"

Location

Response

Provides the target URL for a redirect or the location of a newly created resource.

Syntax

Location: <url>

Example

Location: https://example.com/new-page

Origin

CORS

Identifies the origin that initiated a cross-origin request.

Syntax

Origin: <scheme>://<host>:<port>

Example

Origin: https://app.example.com

Referer

Request

Contains the address of the page that initiated the current request.

Syntax

Referer: <url>

Example

Referer: https://example.com/dashboard

Set-Cookie

Response

Creates or updates one cookie in the client.

Syntax

Set-Cookie: <name>=<value>; <attributes>

Example

Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax

Common values

SecureHttpOnlySameSite=LaxSameSite=StrictSameSite=NoneMax-AgeExpires

Strict-Transport-Security

Security

Instructs browsers to access the domain only through HTTPS for a defined period.

Syntax

Strict-Transport-Security: max-age=<seconds>

Example

Strict-Transport-Security: max-age=31536000; includeSubDomains

Common values

max-age=31536000includeSubDomainspreload

User-Agent

Request

Identifies the client software making the request.

Syntax

User-Agent: <product>

Example

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

Vary

Caching

Lists request headers that affect how a cached response was selected.

Syntax

Vary: <header-name>

Example

Vary: Accept-Encoding, Origin

Common values

Accept-EncodingOriginAccept-Language*

WWW-Authenticate

Authentication

Describes the authentication method required to access a protected resource.

Syntax

WWW-Authenticate: <scheme> realm="<realm>"

Example

WWW-Authenticate: Bearer realm="api"

X-Content-Type-Options

Security

Prevents browsers from guessing a response media type different from Content-Type.

Syntax

X-Content-Type-Options: nosniff

Example

X-Content-Type-Options: nosniff

Common values

nosniff

X-Forwarded-For

Request

Identifies the originating client IP address when requests pass through proxies.

Syntax

X-Forwarded-For: <client>, <proxy>

Example

X-Forwarded-For: 203.0.113.10, 198.51.100.7

X-Frame-Options

Security

Controls whether a browser may display the page inside a frame.

Syntax

X-Frame-Options: <directive>

Example

X-Frame-Options: DENY

Common values

DENYSAMEORIGIN