List of HTTP Headers: Definitions, Types, Usage, Syntax, and Directives

List of HTTP Headers contain the security, server, client hint, redirect, and other types of HTTP Headers based on their types, syntaxes, and uses. HTTP Headers are to let web servers serve additional information as a response to an HTTP request or response. The format of the HTTP Headers contains an HTTP Header with case-insensitive form, a “:” and white space for its value. HTTP Headers contain prefixes such as “X-” for the custom proprietary headers. The RFC 6648, RFC 4229, RFC 3229, RFC 2616, and more define the uses and syntax of the HTTP Headers. Every HTTP Header can be seen via a curl command, or from a web browser. The Ianıa Registry Permanent Message Headers contain all of the permanent HTTP Headers.

Contents of the Article show

What is the format of HTTP Headers?

The header fields are transmitted after the request line (in case of a request HTTP message) or the response line (in case of a response HTTP message), which is the first line of a message. Header fields are colon-separated key-value pairs in clear-text string format, terminated by a carriage return (CR) and line feed (LF) character sequence. The end of the header section is indicated by an empty field line, resulting in the transmission of two consecutive CR-LF pairs. In the past, long lines could be folded into multiple lines; continuation lines are indicated by the presence of a space (SP) or horizontal tab (HT) as the first character on the next line. This folding is now deprecated. Below, an example of HTTP Header format can be found.

HTTP-Header: Directive
Second-HTTP-Header: Directive

What are the Field Names for HTTP Headers?

Internet Engineering Task Force (IETF) standardized the field names of the HTTP Headers in RFCs 7235, 7234, 7231, 7233, and 7230. Header field names are case-insensitive, and HTTP 2 made some restrictions for the non-standard field names. The X- prefix was traditionally used to mark non-standard header fields, but this convention was deprecated in June 2012 due to inconveniences it caused when non-standard fields became standard. March 2013 marked the end of an earlier restriction on the use of Downgraded-.

What are the Field Values for HTTP Headers?

Field Values can be used within the Content Negotiations. HTTP Header Field Values can contain an equal sign or a semi-colon. The “q” can be used with an equal sign as a key-value pair. Below, you can see an example of the field value used for HTTP Headers.

Accept-Language: en; q=2.0, en; q=1 

What is the size limit for HTTP Headers?

There is no size limit for HTTP Headers. The HTTP Headers can be many as possible, and they can belong as much as they can. But, because of the page loading performance issues, and security reasons, the proxy servers, and the web servers limit the size of HTTP Headers. For instance, Apache Servers limits the HTTP Header size is 8,190 bytes and 100 HTTP Headers.

What are the types of HTTP Headers?

There are six types of HTTP Headers. The types of HTTP Headers are listed below.

  • Response HTTP Headers
  • Representation HTTP Headers
  • Payload HTTP Headers
  • Request HTTP Headers
  • End-to-end HTTP Headers
  • Hop-by-hop HTTP Headers

1. HTTP Request Headers and Fields

The Request HTTP Headers can be seen with their descriptions, examples, status, and RFC Document references in the HTTP Request Headers Table below.

Request HTTP HeadersDescriptionExampleStatusStandard
A-IMInstance manipulations are acceptable for the request.A-IM: feedPermanentRFC 3229
AcceptAcceptable media types for responses.Accept: text/htmlPermanentRFC 2616, 7231
Accept-CharsetAcceptable character sets.Accept-Charset: utf-8PermanentRFC 2616
Accept-DatetimeAcceptable times.Accept-Datetime: Thu, 31 May 2007 20:35:00 GMTProvisionalRFC 7089
Accept-EncodingAcceptable encodings.Accept-Encoding: gzip, deflatePermanentRFC 2616, 7231
Accept-LanguageAcceptable human languages.Accept-Language: en-USPermanentRFC 2616, 7231
Access-Control-Request-Method,Access-Control-Request-HeadersRequests can be performed across origins while sharing the origin.Access-Control-Request-Method: GETPermanent: standard
AuthorizationCredentials used for HTTP authentication.Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==Permanent
Cache-ControlAll caching mechanisms along the request-response chain must follow these directives.Cache-Control: no-cachePermanent
ConnectionOptions for controlling the current connection, including the hop-by-hop request fields. Must not be used with HTTP/2.Connection: keep-aliveConnection: UpgradePermanent
Content-Encoding The type of encoding used on the data. Content-Encoding: gzipPermanent
Content-LengthThere are eight bits in each octet of the body of the request.Content-Length: 348Permanent
Content-MD5Contains a Base64-encoded binary MD5 sum of the request body.Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==Obsolete
Content-TypePOST and PUT requests use this type of body.Content-Type: application/x-www-form-urlencodedPermanent
CookieThe server previously sent an HTTP cookie with Set-Cookie..Cookie: $Version=1; Skin=new;Permanent: standard
DateIn “HTTP-date” format according to RFC 7231 Date/Time Formats, this is the date and time at which the message was originated.Date: Tue, 15 Nov 1994 08:12:31 GMTPermanent
ExpectClients require particular server behaviors in this case.Expect: 100-continuePermanent
ForwardedProvide original information about a client connecting to a web server through an HTTP proxy.Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43 Forwarded: for=192.0.2.43, for=198.51.100.17Permanent
FromThe email address of the person making the request.From: [email protected]Permanent
HostFor virtual hosting, the domain name and TCP port number of the server are to be used. If the requested service is provided over the standard port, the port number may be omitted.Host: en.wikipedia.org:8080Host: en.wikipedia.orgPermanent
HTTP2-SettingsUpgraded requests from HTTP/1.1 to HTTP/2 MUST include exactly one HTTP2-Setting header field. An HTTP2-Settings header field contains parameters governing the HTTP/2 connection. It is included in anticipation of the upgrade request being accepted by the server.HTTP2-Settings: token64Permanent: standard
If-MatchOnly execute the action if the client-supplied entity matches the server-supplied entity. It’s primarily used by methods like PUT to only update resources if they haven’t been modified since the last update.If-Match: “734062cd8c284d8af7ad3082f2w9582d”Permanent
If-Modified-SinceProvides a 304 Not Modified response if the content has not changed.If-Modified-Since: Sun, 24 Oct 1294 13:41:32 GMTPermanent
If-None-MatchIf the content has not been modified, it will return a 304 Not Modified response code.If-None-Match: “737060cd8c284d8af7ad3082f209582d”Permanent
If-RangeSend me the missing part(s) of the entity, or send me the entire new entity if it’s unchanged.If-Range: “737060cd8c284d8af7ad3082f209582d”Permanent
If-Unmodified-SinceSend the response only if the entity hasn’t been modified since a certain time.If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMTPermanent
Max-ForwardsThe message can only be forwarded through proxy servers or gateways a certain number of times.Max-Forwards: 10Permanent
OriginSends a request for cross-origin resource sharing (asks the server for Access-Control-* response fields).Origin: http://www.example-social-network.comPermanent: standard
PragmaFields that are specific to an implementation and may have effects anywhere along the request-response chain.Pragma: no-cachePermanent
PreferAllows the client to request the server to employ certain behaviors during the processing of a request.Prefer: return=representationPermanentRFC 7240
Proxy-AuthorizationConnecting to a proxy requires authorization credentials.Proxy-Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==Permanent
RangePartially request an entity. Bytes start at 0.Range: bytes=500-999Permanent
RefererLinks to the currently requested page were followed from the previous web page. It has become standard usage to spell “referrer” correctly, as well as incorrectly spelled in virtually all implementations.Referer: http://en.wikipedia.org/wiki/Main_PagePermanent
TEThe encoding the user agent is willing to accept: the same values as for the response header field Transfer-Encoding, plus the “trailers” value (related to chunked transfers) indicating it expects to receive further fields in the trailer after the last chunk.TE: trailers, deflatePermanent
TrailerA trailer with chunked transfer coding contains the specified set of header fields. This value indicates that the trailer contains the given set of header fields.Trailer: Max-ForwardsPermanent
Transfer-EncodingBy encoding, the entity can be sent safely to the user. Methods currently defined are chunked, compress, deflate, gzip, and identity. Cannot be used with HTTP/2.Transfer-Encoding: chunkedPermanent
User-AgentThe user agent string of the user agent (client).User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0Permanent
UpgradeUpgrade the server to another protocol. Not compatible with HTTP/2.Upgrade: h2c, HTTPS/1.3, IRC/6.9, RTA/x11, websocketPermanent
ViaProvides the server with information about the proxy through which the request was sent.Via: 1.0 fred, 1.1 example.com (Apache/1.1)Permanent
WarningThe entity-body may have problems.Warning: 199 Miscellaneous warningPermanent

The common non-standard Request HTTP Headers can be seen with their descriptions and examples in the Non-standard HTTP Request Headers Table below.

Common non-standard request fieldsDescriptionExample
Upgrade-Insecure-RequestsAn HTTP -> HTTPS server (possibly in the middle of migration) is informed that the client prefers a redirect to HTTPS and is able to handle Content-Security-Policy: upgrade-insecure-requests cannot be used with HTTP/2Upgrade-Insecure-Requests: 1
X-Requested-WithIdentifies Ajax requests (most JavaScript frameworks send the value XMLHttpRequest); also identifies Android apps that use the WebViewX-Requested-With: XMLHttpRequest
DNTDisables the tracking of a user in a web application. (since Firefox 4.0 Beta 11) This is Mozilla’s version of the X-Do-Not-Track header field. It is also supported by Safari and Internet Explorer 9. An IETF draft proposal was submitted on March 7, 2011. A specification is being written by the W3C Tracking Protection Working Group.DNT: 1 (Do Not Track Enabled)DNT: 0 (Do Not Track Disabled)
X-Forwarded-ForThe de-facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. Replaced by Forwarded header.X-Forwarded-For: client1, proxy1, proxy2X-Forwarded-For: 129.78.138.66, 129.78.64.103
X-Forwarded-HostThe de-facto standard for identifying the original host requested by the client in the Host HTTP request header, since the reverse proxy (load balancer) may differ from the original server handling the request. Replaced by the Forwarded header.X-Forwarded-Host: en.wikipedia.org:8080X-Forwarded-Host: en.wikipedia.org
X-Forwarded-ProtoAn HTTP request’s originating protocol can easily be determined by a reverse proxy (or a load balancer) by communicating with the webserver via HTTP even if the web server’s response is HTTPS. Google clients communicating with Google servers use a different header (X-ProxyUser-Ip). This is no longer used.X-Forwarded-Proto: https
Front-End-HttpsMicrosoft applications and load balancers use this non-standard header fieldFront-End-Https: on
X-Http-Method-OverrideA request that overrides the method specified in the request (typically POST) with the method specified in the header field (typically PUT or DELETE). Sometimes, user agents and firewalls prevent PUT or DELETE methods from being sent directly (note that this is either the result of a software issue, which should be fixed or an intentional configuration, in which case bypassing it may be the right thing to do).X-HTTP-Method-Override: DELETE
X-ATT-DeviceIdEasy parsing of the MakeModel/Firmware that is usually found in AT&T devices’ User-Agent stringsX-Att-Deviceid: GT-P7320/P7320XXLPG
X-Wap-ProfileProvides a link to an XML file on the Internet containing a full description and details about the device currently connected. An example of an XML file for an AT&T Samsung Galaxy S2 can be found to the right.x-wap-profile: http://wap.example.com/uaprof/SGH-I777.xml
Proxy-ConnectionA misunderstanding of the HTTP specifications led to this implementation. It was common in early implementations of HTTP. Identical to the standard Connection field. Not compatible with HTTP/2.Proxy-Connection: keep-alive
X-UIDHA unique ID inserted into a server-side packet to identify Verizon Wireless customers; also known as a “permacookie” or “supercookie”X-UIDH: …
X-Csrf-TokenThis prevents cross-site request forgery. X-CSRFToken and X-XSRF-TOKEN are alternative header namesX-Csrf-Token: i8XNjC4b8KVok4uw5RftR38Wgp2BFwql
X-Request-ID, X-Correlation-IDCoordinates HTTP requests between a client and a server.X-Request-ID: f058ebd6-02f7-4d3f-942e-904344e8cde5
Save-DataDevelopers can deliver lighter, faster applications to users by using the Save-Data client hint request header available in Chrome, Opera, and Yandex browsers.Save-Data: on

2. HTTP Response Headers and Fields

The standard common HTTP Response Headers can be seen with their descriptions, examples, status, and RFC Document references in the standard HTTP Response Headers Table below.

Field nameDescriptionExampleStatusStandard
Accept-CHRequests HTTP Client HintsAccept-CH: UA, PlatformExperimentalRFC 8942
Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Access-Control-Expose-Headers,Access-Control-Max-Age,Access-Control-Allow-Methods,Access-Control-Allow-HeadersSpecifying which websites are eligible to participate in cross-origin resource sharingAccess-Control-Allow-Origin: *Permanent: standard
Accept-PatchProvides information about the patch document formats supported by this serverAccept-Patch: text/example;charset=utf-8Permanent
Accept-RangesWhat types of partial content ranges this server supportsAccept-Ranges: bytesPermanent
AgeThe time the object has been in a proxy cache in secondsAge: 12Permanent
AllowMethods that are valid for a given resource. To be used for an error 405Allow: GET, HEADPermanent
Alt-SvcUsing the “Alt-Svc” header (meaning Alternative Services), a server can indicate that its resources are also available over a different network location (host or port). When using HTTP/2, servers should instead send an ALTSVC frame.Alt-Svc: http/1.1=”http2.example.com:8001″; ma=7200Permanent
Cache-ControlAllows caching mechanisms from the server to the client to cache this object. A second represents the duration.Cache-Control: max-age=3600Permanent
ConnectionOptional controls for the current connection and a list of hop-by-hop response fields. Not compatible with HTTP/2.Connection: closePermanent
Content-DispositionProviding a “File Download” dialogue box for a known MIME type with binary format or suggesting a filename for dynamic content. Special characters require quotes.Content-Disposition: attachment; filename=”fname.ext”Permanent
Content-EncodingThe encoding method is used on the data. For more information, see HTTP compression.Content-Encoding: gzipPermanent
Content-LanguageNatural language or languages of the intended audience for the enclosed contentContent-Language: daPermanent
Content-LengthOctets are the length of the response body (8-bit bytes)Content-Length: 348Permanent
Content-LocationA different location where the data will be returnedContent-Location: /index.htmPermanent
Content-MD5Base64-encoded binary MD5 sum of the response contentContent-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==Obsolete[14]
Content-RangeThis partial message belongs in a full body massageContent-Range: bytes 21010-47021/47022Permanent
Content-TypeThis content’s MIME type isContent-Type: text/html; charset=utf-8Permanent
DateDate and time of the message’s transmission (in “HTTP-date” format as defined by RFC 7231)Date: Tue, 15 Nov 1994 08:12:31 GMTPermanent
Delta-BaseThis entity-tag specifies the delta-encoding of the response.Delta-Base: “abc”Permanent
ETagVersion identifier, often a message digest, for a specific resourceETag: “737060cd8c284d8af7ad3082f209582d”Permanent
ExpiresSpecifies the date/time following which a response is considered stale (in HTML-date format as defined by RFC 7231).Expires: Thu, 01 Dec 1994 16:00:00 GMTPermanent: standard
IMResponses are subjected to instance manipulations.IM: feedPermanent
Last-ModifiedThe last modified date (in “HTTP-date” format, as defined in RFC 7231) for the requested objectLast-Modified: Tue, 15 Nov 1994 12:45:26 GMTPermanent
LinkA typed relationship between two resources, where the relation type is defined by RFC 5988Link: </feed>; rel=”alternate”Permanent
LocationWhen redirecting or creating a new resource, this parameter is used.Example 1: Location: http://www.w3.org/pub/WWW/People.htmlExample 2: Location: /pub/WWW/People.htmlPermanent
P3PP3P:CP=”your_compact_policy” is supposed to be the P3P policy. While most browsers have not fully implemented P3P, a lot of websites set this field with fake policy text, enough to convince browsers of the existence of the P3P policy and grant permission for third-party cookies.P3P: CP=”This is not a P3P policy! See https://en.wikipedia.org/wiki/Special:CentralAutoLogin/P3P for more info.”Permanent
PragmaFields that are specific to an implementation and may have effects anywhere along the request-response chain.Pragma: no-cachePermanent
Preference-AppliedThis value indicates which Prefer tokens were honored by the server and used in the processing of the request.Preference-Applied: return=representationPermanentRFC 7240
Proxy-AuthenticateFor access to the proxy, you must request authentication.Proxy-Authenticate: BasicPermanent
Public-Key-PinsAn authentic TLS certificate’s hash is announced by HTTP Public Key PinningPublic-Key-Pins: max-age=2592000; pin-sha256=”E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=”;Permanent
Retry-AfterThe client is instructed to try again later if an entity is temporarily unavailable. A specified period of time (in seconds) or an HTTP date could be used as the value.Example 1: Retry-After: 122Example 3: Retry-After: Fri, 02 Nov 2016 13:59:59 GMTPermanentRFC 2616, 7231
ServerName of the webserverServer: Apache/2.4.1 (Unix)Permanent
Set-CookieSpecify a cookie for the web serverSet-Cookie: UserID=KTG; Max-Age=3100; Version=1Permanent: standard
Strict-Transport-SecurityHSTS Policies tell HTTP clients how long to cache HTTPS only policies and whether they apply to subdomains.Strict-Transport-Security: max-age=16320300; includeSubDomainsPermanent: standard
TrailerTrailer general field values indicate which header fields are included in the trailer of a chunked-transfer-coded message.Trailer: Max-ForwardsPermanent
Transfer-EncodingEncoding is used to safely transfer entities between users. The following methods are currently defined: chunked, compress, deflate, gzip, and identity. HTTP/2 implementation is not allowed.Transfer-Encoding: chunkedPermanent
Tk“!” – under construction “?” – dynamic “T” – tracking with consent “C” – tracking if consented to “P” – tracking only with consent “D” – disregarding DNT “U” – updated “N” – not trackingTk: ?Permanent
UpgradeUpgrade the client’s protocol. Not compatible with HTTP/2Upgrade: h2c, HTTPS/1.3, IRC/6.9, RTA/x11, websocketPermanent
VaryProvides instructions to downstream proxies on how to match future request headers to determine whether a cached response can be used instead of requesting a fresh one from the origin server.Example 1: Vary: *Example 2: Vary: Accept-LanguagePermanent
ViaProvides the client with a list of proxy servers through which the response was sent.Via: 1.0 fred, 1.1 example.com (Apache/1.1)Permanent
WarningThe entity-body may have problems.Warning: 199 Miscellaneous warningPermanent
WWW-AuthenticateEstablishes the authentication scheme that should be used to access the requested entity.WWW-Authenticate: BasicPermanent
X-Frame-OptionsClickjacking protection: deny – no rendering within a frame, same-origin – no rendering if origin mismatches, allow-from – allow from a specified location, allow all – non-standard, allow from any locationX-Frame-Options: denyObsolete

The non-standard common HTTP Response Headers can be seen with their descriptions, examples, status, and RFC Document references in the non-standard HTTP Response Headers Table below.

HTTP Non-standard Common Field NamesDescriptionExampleStatusStandard
Accept-CHRequests HTTP Client HintsAccept-CH: UA, PlatformExperimentalRFC 8942
Access-Control-Allow-Origin,
Access-Control-Allow-Credentials,
Access-Control-Expose-Headers,
Access-Control-Max-Age,
Access-Control-Allow-Methods,
Access-Control-Allow-HeadersSpecifying which websites are eligible to participate in cross-origin resource sharingAccess-Control-Allow-Origin: *Permanent: standard
Accept-PatchProvides information about the patch document formats supported by this serverAccept-Patch: text/example;charset=utf-8Permanent
Accept-RangesWhat types of partial content ranges this server supportsAccept-Ranges: bytesPermanent
AgeIn seconds, the age of the object in a proxy cacheAge: 12Permanent
AllowThere is a list of valid methods for a resource. To be used for a 405 Method not allowedAllow: GET, HEADPermanent
Alt-SvcServers use the “Alt-Svc” header (meaning Alternative Services) to indicate that their resources can also be accessed at other networks (hosts or ports) or with different protocolsAlt-Svc: http/1.1=”http2.example.com:8001″; ma=3200
Cache-ControlCaches this object for all caching mechanisms, from the server to the client. It takes a certain amount of time.Cache-Control: max-age=3600Permanent
ConnectionOptions for controlling the current connection and a list of hop-by-hop response fields. HTTP/2 is not supported.Connection: close
Content-DispositionProviding a “File Download” dialogue box for a known MIME type with binary format or suggesting a filename for dynamic content. Special characters require quotes.Content-Disposition: attachment; filename=”fname.ext”Permanent
Content-EncodingData encoding type.Content-Encoding: brotliPermanent
Content-LanguageLanguage(s) used by the intended audience for the enclosed contentContent-Language: daPermanent
Content-LengthThe response body length in octets (8-bit bytes)Content-Length: 348Permanent
Content-LocationAn alternative location for the returned dataContent-Location: /index.htmPermanent
Content-MD5Content of the response encoded in Base64 and MD5Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==Obsolete[14]
Content-RangeWhat part of a full body massage this partial message belongs toContent-Range: bytes 21110-42021/45022Permanent
Content-TypeThis content uses the MIME typeContent-Type: text/html; charset=utf-8Permanent
DateSender’s date and time (in “HTTP-date” format, as defined by RFC 7231)Date: Tue, 16 Nov 1974 09:12:32 GMTPermanent
Delta-BaseThis entity-tag specifies the delta-encoding of the response.Delta-Base: “azc”Permanent
ETagVersion identifier, often a message digest, for a specific resourceETag: “737060cd8c284d8af7ad3082f209582d”Permanent
ExpiresThe date/time after which the response is considered stale (in the “HTTP-date” format defined by RFC 7231).Expires: Thu, 01 Dec 1994 16:00:00 GMTPermanent: standard
IMResponses are subjected to instance manipulations.IM: feedPermanent
Last-ModifiedThe last modified date (in “HTTP-date” format, as defined in RFC 7231) for the requested objectLast-Modified: Tue, 15 Nov 1994 12:45:26 GMTPermanent
LinkRFC 5988 defines a typed relationship type with another resourceLink: </feed>; rel=”alternate”Permanent
LocationWhen redirecting or creating a new resource, this parameter is used.Example 1: Location: https://www.holisticseo.digital/homepage
Example 2: Location: https://www.holisticseo.digital/
Permanent
P3PP3P:CP=”your_compact_policy” is supposed to indicate P3P policy. Most browsers have never fully implemented P3P, and a lot of websites set this field with fake policy text, which was enough to fool browsers into thinking P3P existed, and thus grant permission for third-party cookies.P3P: CP=”This is not a P3P policy page! See https://example.org/info/Special:CentralAutoLogin/P3P for more info.”Permanent
PragmaFields that are specific to an implementation and may have effects anywhere along the request-response chain.Pragma: no-cachePermanent
Preference-AppliedThis value indicates which Prefer tokens were honored by the server and used in the processing of the request.Preference-Applied: return=representationPermanentRFC 7240
Proxy-AuthenticateRequest authentication to access the proxy.Proxy-Authenticate: BasicPermanent
Public-Key-PinsAn authentic TLS certificate’s hash is announced by HTTP Public Key PinningPublic-Key-Pins: max-age=2692000; pin-sha256=”E9CA9INDbd+2eWQozYqqbQ2yXLVKB9+xcprMF+44U1g=”;Permanent
Retry-AfterThe client is instructed to try again later if the entity is temporarily unavailable. You could specify a certain period of time (in seconds) or a specific value
Content-Security-PolicyProvides protection against the CORS and Man-in-the-middle attacks. CSP can be used for specifying which resource will be loaded from where.
X-Content-Security-PolicyA specific CSP HTTP Header for a single web page
X-WebKit-CSPDefinition of the CSPX-WebKit-CSP: default-src ‘self’
Expect-CTForce for Certificate TransparencyExpect-CT: max-age=604800, enforce, report-uri=”https://example.example/report”
NELLogging of network requests is configured here.NEL: { “report_to”: “name_of_reporting_group”, “max_age”: 12345, “include_subdomains”: false, “success_fraction”: 0.0, “failure_fraction”: 1.0 }
Permissions-PolicyTo enable or disable different browser features or APIs.Permissions-Policy: fullscreen=(), camera=(), microphone=(), geolocation=(), interest-cohort=()
RefreshRedirects to another resource or creates a new resource. After 5 seconds, this refresh redirects. Netscape header extension is supported by most web browsers. Part of HTML standard.Refresh: 5; url=http://www.w3.org/pub/WWW/People.html
Report-ToAn origin’s reporting endpoints are stored by the user agent.Report-To: { “group”: “csp-endpoint”, “max_age”: 10886400, “endpoints”: [ { “url”: “https-url-of-site-which-collects-reports” } ] }
StatusThe HTTP response status is specified in the CGI header. In RFC 7230, “Status-Line” is defined as a separate element in an HTTP response.Status: 200 OK
Timing-Allow-OriginIn Timing-Allow-Origin response headers, origins are permitted to see the values of attributes retrieved by the Resource Timing API that would otherwise be zero due to cross-origin restrictions.Timing-Allow-Origin: *
Timing-Allow-Origin: <origin>[, <origin>]*
X-Content-DurationOnly supported by Gecko browsers; provide the duration of the audio or video in secondsX-Content-Duration: 42.666
X-Content-Type-OptionsIE cannot MIME-sniff a response that is not declared as a content type if its only defined value is “nosniff”. Likewise, Google Chrome cannot MIME-sniff an extension that is not declared as a content type.X-Content-Type-Options: nosni
X-Powered-By(X-Runtime, X-Version, or X-AspNet-Version) identifies the technology (e.g. ASP.NET, PHP, JBoss) supporting the web application.X-Powered-By: PHP/5.4.0
X-Redirect-ByProvides the component responsible for a particular redirect.X-Redirect-By: WordPress
X-Redirect-By: Polylang
X-Request-ID,
X-Correlation-IDCoordinates HTTP requests between a client and a server.X-Request-ID: f253ebd6-02f7-4w3f-142e-902344e3cde4
X-UA-CompatibleRecommends which rendering engine should be used to display the content (often a backward-compatibility option). This also allows internet explorer to use Chrome Frame. IE=edge is the only value defined in HTML Standard.X-UA-Compatible: IE=edge
X-UA-Compatible: IE=EmulateIE7
X-UA-Compatible: Chrome=1
X-XSS-ProtectionXSS (cross-site scripting) filterX-XSS-Protection: 1; mode=block

3. Representation Headers

A representation HTTP Header represents a resource that is sent within an HTTP message body. A representation of a source can vary based on the resource type. Representations can be in different forms, and formatted as XML, or JSON. Some of the representation headers are below.

  • Content-type
  • Content-Encoding
  • Content-Language
  • Content-Location

4. Payload Headers

A Payload HTTP Header contains the payload data for constructing the representation of the resource. The length of the resource, encoding, and integrity information can be passed with payload headers. Some of the Payload HTTP Headers are listed below.

  • Content-length
  • Content-Range
  • Trailer
  • Transfer-Encoding

What are the Lists of HTTP Headers?

The lists of the HTTP Headers involve the HTTP Header Types with their purposes and contexts. The lists of the HTTP Headers are below.

  • Authentication HTTP Headers
  • Caching HTTP Headers
  • Device Client Hints
  • Network Client Hint HTTP Headers
  • Conditional HTTP Headers
  • Connection Management HTTP Headers
  • Content Negotiation HTTP Headers
  • Controls HTTP Headers
  • Cookies HTTP Head
  • CORS HTTP Headers
  • Downloads HTTP Headers
  • Message Body Information HTTP Head
  • Proxies HTTP Headers
  • Redirect HTTP Headers
  • Request Context HTTP Headers
  • Response Context HTTP Headers
  • Range Requests HTTP Headers
  • 16. Security HTTP Headers
  • 17. HTTP Public Key Pinning (HPKP) HTTP Headers
  • 18. Fetch Metadata Request HTTP Headers
  • Server-sent Events HTTP Headers
  • Transfer Coding HTTP Headers
  • WebSockets HTTP Headers
  • Other HTTP Headers

All of the HTTP Headers, their directives, syntaxes, and rules can be read with their purposes and usage from the next sections.

1. Authentication HTTP Headers

Authentication HTTP Headers are used for proxy and webserver authentication. They help with using a proxy server with only certain authentication information. Web servers are able to communicate with the user-agent and requester based on this information. The authentication response headers are listed below.

  • WWW-Authenticate: Determines the authentication method for a resource.
  • Authorization: contains the password, username, and other authentication user-agent information within the web server.
  • Proxy-Authenticate: Defines the authentication for a proxy server for a resource.
  • Proxy-Authorization: Defines the authentication for the entire proxy web server.

Authentication HTTP Headers should be used if a web server or proxy server is used by a developer for private web development or data storage purposes.

2. Caching HTTP Headers

Caching HTTP Headers are useful for caching resources that are necessary for a web page. Caching HTTP Headers can be used for images, javascript files, CSS files, font files, and other related resources such as manifest files. The caching HTTP Headers are listed belowç

Using the caching HTTP HEders is important for especially providing a better page loading experience and timing.

2. Client Hint HTTP Headers

Client Hint HTTP Headers are to provide information related to the network and device conditions of the client. It is important to sweb servers to optimize them based on the clients’ conditions. There are two types of Client Hint HTTP Headers, these are Device Client HTTP Headers and Network client HTTP Headers.

The most important and fundamental client HTTP Headers are listed below.

  • Accept-CH: only can be used within a TLS Connection. It can request the viewport width and device-width of the user.
  • Accept-CH-Lifetime: it requests the client hints for a lifetime for the further requests.

3. Device Client Hints

Device Client Hints are for providing information related to the client’s device.

  • Content-DPR: it is to provides an image device pixel ratio for choosing an image resource based on the DPR hint.
  • Device-Memory: It is part of Device Memory API. It is for learning the RAM memory of the user’s device.
  • DPR: It is for learning the client’s devices’ pixel ratio. It will affect the CSS Pixel position-related commands.
  • Viewport-Width: Layout with CSS Pixels can be provided with Viewport-Width.
  • Width: It represents the intrinsic size of an image directly.

4. Network Client Hint HTTP Headers

Network Client Hint HTTP Headers are for providing information related to the client’s network conditions. Below, you can see the Network Client Hint HTTP Headers as listed.

  • Downlink: it is for learning the range of bandwidth of the client’s internet connection in the Mbps unit. Downlink HTTP Header is a part of the Network Information API.
  • ECT: it stands for effective connection type or network profile. It is part of the Network Information API. It learns the latency of the connection for the webserver.
  • RTT: It is related to the Round Trip Time. It is part of the Network Information API.
  • Save-Data: It shows whether the user wants to save the size and cost while surfing the web or not.

5. Conditional HTTP Headers

Conditional HTTP Headers change the resource’s HTTP Status Code based on the conditions. Conditional HTTP Headers are useful for adaptive serving and the caching HTTP Headers’ implementation. Conditional HTTP Headers are listed below.

  • Last-Modified: It is to compare the several different versions of the resource that is requested. It helps a web server to make a change for the resource, based on the last modification date. It is similar to E-tag but less accurate. If-Modified-Since and If-Unmodified-Since can be used with Last-Modified.
  • ETag: E-tag is a unique identification string that defines a resource. If-match and If-None-Match can be used with E-tag Conditional HTTP Headers.
  • If-Match: it is for ETag value. If the Etag value of the client and the webserver matches, the resource will be served as it is.
  • If-None-Match: it is for Etag value. If the Etag HTTP Header value doesn’t match between the web server and the client, the cache will be updated.
  • If-Modified-Since: It is used with Last-Modified. If a resource is updated after a certain date, it can be refreshed within the cache.
  • If-Unmodified-Since: It is used with a Last-Modified HTTP Header value. If a resource is unmodified since a certain date, the resource won’t be updated within the browser cache.
  • Vary: It is used for matching the cached version with the requested version.

The conditional HTTP Headers are important to learn for web browsers’ working principle, and HTTP Caching Strategies.

4. Connection Management HTTP Headers

Connection Management HTTP Headers control the connection of the request. Whether to keep a connection alive or how long it should stay life can be determined with Connection Management HTTP Headers. The Connection Management HTTP Headers are listed below.

  • Connection: it is to determine whether the connection should stay alive or not after transferring a resource.
  • Keep-Alive: it is to control how long a connection should stay valid and open after the transaction of a resource from a web server to the web browser.

Connection Management HTTP Headers are important for adjusting the server overload, and the response time quality. Using the wrong connection management from a web server configuration can affect the Time to First Byte (TTFB).

5. Content Negotiation HTTP Headers

Content Negotiation HTTP Headers are to provide information for the encoding of the document, the language of the document, and what information will be accepted in terms of its type by the webserver. The Content Negotiation HTTP Headers are listed below.

  • Accept: It determines what types of data and resources can be sent back to the webserver.
  • Accept-Encoding: It represents the compression algorithm that has been used by the webserver for sending information to the web browser.
  • Accept-Language: It is to provide human language information the webserver is expected to send back, and it is an optional hint, not a command that can overwrite the preference of the web browser user.

The content negotiation HTTP Headers are especially important for using a proper server-side compression algorithm such as Brotli for better page speed.

6. Controls HTTP Headers

Control HTTP Headers are to determine how the expectations will be performed by the server while handling a request.

  • Expect: It is to provide conditions for certain types of situations. If the Content-Length is too much, and Expect HTTP Header can change the HTTP Status Code based on this.
  • Max-Forwards: it is to be used within the TRACE method to limit the number of requests from an IP Address. It helps a web server to protect itself from an excessive amount of requests from a proxy.

The Controls HTTP Headers are important to create different conditional webserver behavior variations.

7. Cookies HTTP Headers

Cookies HTTP Headers are to use the cookies within the HTTP Headers. It can be used for sending cookies or receiving cookies from the web servers. The list of the Cookies HTTP Headers is below.

  • Cookie: It contains all of the cookies that are determined with the Set-Cookie HTTP Header previously.
  • Set-Cookie: Set-Cookie is to provide cookies from the web server to the user agent.
  • Cookie2: it is to provide the obsolete cookies to the user-agent.
  • Set-Cookie2: it is to send the obsolete cookies from the web server to the web browser.

The Cookies HTTP Headers are important to use for protecting the users’ privacy, and security while providing a better user experience.

8. CORS HTTP Headers

CORS HTTP Headers are related to Web Security. CORS HTTP Headers are a part of the Security-related HTTP Headers. Cross-Origin Resource Sharing (CORS) is HTTP-header based system to provide a request and response policy between the different origins. The list of the CORS HTTP Headers is below.

  • Access-Control-Allow-Origin: Access-Control-Allow-Origin is to determine whether the response will be shared with third-party origins or not.
  • Access-Control-Allow-Credentials: Access-Control-Allow-Credentials is to determine whether the response to the request will be exposed if the credentials flag is used with True value.
  • Access-Control-Allow-Headers: Access-Control-Allow-Headers is to determine which HTTP Headers can be used for the actual request.
  • Access-Control-Allow-Methods: Access-Control-Allow-Methods is to determine which methods can be used for the response.
  • Access-Control-Expose-Headers: Access-Control-Expose-Headers is to determine whether the HTTP Response headers will be exposed or not.
  • Access-Control-Max-Age: The Access-Control-Max-Age is to determine how long the results for a preflight request will be cached.
  • Access-Control-Request-Headers: The Access-Control-Request-Headers is to let a web server which request headers will be used for an actual request.
  • Access-Control-Request-Method: Access-Control-Request-Method is to provide the information of which HTTP Method will be used for the actual request.
  • Origin: The Origin is let a web server know where a fetch request is originated from.
  • Timing-Allow-Origin: The Timing Allow-Origin is to specify origins that are able to see the time attributes via Resource Timing API. If it is not set, the values will be zero.

The CORS HTTP Headers are important for determining a communication between the web browser and the web server for preflight requests.

9. Downloads HTTP Headers

The downloads HTTP Header is only the “Content-Disposition”. The Content-Disposition is to provide a “Save As” dialog within the browser. It determines whether the content should be displayed inline, or it should be handled normally such as a download action.

10. Message Body Information HTTP Headers

The Message Body Information HTTP Headers are to determine the length, type, encoding, location, and language of the response body. It includes the information for the web page in terms of its characteristics. The list of Message-Body HTTP Headers is below.

  • Content-Length: Content-Length is to provide the length of the resource in decimal numbers of bytes.
  • Content-Type: Content-Type is to provide the media type of the resource that will be sent.
  • Content-Encoding: Content-Encoding is to provide the compression algorithm of the resource.
  • Content-Language: Content-Language is to provide the information of human language for the audience.
  • Content-Location: Content-Location is to provide an alternate location for the returned data.

The Message Body Information HTTP Headers are important to give the features of a resource within a web page.

11. Proxies HTTP Headers

The Proxies HTTP Headers are to provide information for the proxy servers and their behaviors. The list of Proxies HTTP Headers is below.

  • Forwarded: Forwarded Proxies HTTP Header is to provide information client-facing side of the proxy server when a proxy server information is lost and changed if the proxy is in the path of the request.
  • X-Forwarded-For: X-Forwarded-For Proxies HTTP Header is to identify the originating IP Address.
  • X-Forwarded-Host: X-Forwarded-Host HTTP Header is to provide information of the host requested for a client used to connect to a proxy or a load balancer.
  • X-Forwarded-Proto: The X-Forwarded-Proto Proxies HTTP Header is to specify the protocol between HTTP and HTTPS to connect a proxy or load balancer.
  • Via: The Via Proxies HTTP Header is to provide information for the forward and reverse proxies that can appear in the request and response headers.

The Proxies HTTP Headers are important to manage a Proxy Server.

12. Redirect HTTP Headers

There is only one Redirect HTTP Header which is “Location”. Location Redirect HTTP Header refers to the URL that a web page will be redirected.

13. Request Context HTTP Headers

The Request Content HTTP Headers are to provide context around the request for the webserver. The list of request context HTTP Headers can be seen below.

  • Form: The From Request Context HTTP Header is to provide an internet email address to a web user who controls the user-agent.
  • Host: Host Request Context HTTP Header is to specify the domain name of the webserver, and TCP Port Number.
  • Referer: The Referrer Request Context HTTP Header is to provide which web page URL is a referrer for the next web page URL that is navigated.
  • Referrer-Policy: Referrer-Policy Request Context HTTP Header is to determine what referrer information will be sent.
  • User-Agent: User-Agent Request Context HTTP Header is to provide a string that reflects the web browser, device, internet connection, application type, the operation system of the web browser user.

The Request Context HTTP Headers are important to perform a healthy log analysis for the web servers and protect the web browser user privacy.

14. Response Context HTTP Headers

The Response Context HTTP Headers is to provide the information related to the Response of the webserver. The list of the response context HTTP Headers is below.

  • Allow: Allow Response Context Header is to provide lists of the HTTP Request Methods that can be used for a resource from the webserver.
  • Server: Server Response Context HTTP Header is to server the information related to the webserver.

15. Range Requests HTTP Headers

Range Requests HTTP Headers can be used for providing information related to the range requests. The list of the range HTTP Headers is below.

  • Accept-Ranges: Accept-Ranges HTTP Header is to provide information related to the range request’s acceptance situation. It specifies the unit of the range request.
  • Range: Range Range Request HTTP Header is to provide information for the document that the server will return.
  • If-Range: If-Range Range Request HTTP Header is to provide information for conditional range requests. It will be performed based on the given Etag, or the date.
  • Content-Range: The Content-Range Range HTTP Request is to provide information for the related range request’s size.

The Range HTTP Requests Headers are useful to manage range requests properly.

16. Security HTTP Headers

Security HTTP Headers are to provide information related to the security needs of a response or the request. Security-related HTTP Headers are to protect the privacy of web users while protecting them from cybersecurity issues and vulnerabilities. The list of Security HTTP Headers can be seen below.

  • X-Frame-Options: X-Frame-Options Security HTTP Header is to provide protection against the clickjacking
  • X-Permitted-Cross-Domain-Policies: X-Permitted-Cross-Domain-Policies Security HTTP Header is to specify if a cross-domain policy file is allowed or not. The file can define the rules for the specific resources’ types share conditions and policy. X-Permitedd-Cross-Domain-Policies is related to the Cross-Domain Policy File Specification.
  • X-Powered-By: X-Powered-By Security HTTP Header is to provide information related to the hosting environments, and the frameworks that are used for the website.
  • X-XSS-Protection: X-XSS-Protection Security HTTP Header is to provide protection against the XSS Attacks.
  • Cross-Origin-Embedder-Policy: Cross-Origin-Embedder Security HTTP Header is to declare an embedded policy for the resources.
  • Cross-Origin-Opener-Policy: Cross-Origin-Opener-Policy is to prevent third-party origins from opening, and controlling a window for the previous window.
  • Content-Security-Policy: Content Security Policy Security HTTP Header is to control which resource type will be requested from which server.
  • Content-Security-Policy-Report-Only: Content-Security-Policy-Report-Only: Security HTTP Header is to provide a JSON HTTP Post for reporting the violations.
  • Expect-CT: Expect-CT Security HTTP Header is to provide information for the timestamp of the TLS Certificate. Certificate Transparency and CT Logs are related to the Expect-CT.
  • Feature-Policy: Feature-Policy SEcurity HTTP Header is to provide information for the mechanism of allowing, or denying a web browser feature.
  • Origin-Isolation: Origin-Isolation Security HTTP Header is to provide a mechanism for a web application for isolating their origins.
  • Strict-Transport-Security (HSTS): Strict-Transport-Security HTTP Header is to provide a forceful 307 Redirection to the HTTPS version of a website.
  • Upgrade-Insecure-Requests: Upgrade-Insecure-Requests Security HTTP Header is to force a web browser to use always HTTPS if the request is made to the HTTP.
  • X-Content-Type-Options: X-Content-Type-Options are to prevent MIME Snıffing cybersecurity vulnerability.
  • X-Download-Options: X-Download-Options are to prevent phishing attacks.

The HTTP Security Response Headers are critical for search engine optimization, user security, and web server security. To learn more about the HTTP Security Response Headers, read the related guide.

17. HTTP Public Key Pinning (HPKP) HTTP Headers

The HTTP Pubic Key Pinning (HPKP) HTTP Headers are important to provide information related to the

  • Public-Key-Pins
  • Public-Key-Pins-Report-Only

18. Fetch Metadata Request HTTP Headers

The Fetch Metadata Request Headers are to provide information for the context of the request. A web server can give different decisions based on the fetch metadata request headers.

  • Sec-Fetch-Sites: Sec-Fetch-Sites Fetch Metadata Request HTTP Header is to determine the relationship between a request’s origin, and its target. Since, it is a structured Header, it can have values with “cross-site”, “same-origin”, “same-site”, and “none”.
  • Sec-Fetch-Mode: Sec-Fetch-Mode Fetch Metadata Request HTTP Header is to provide information related to the mode of the request such as “cors”, “navigate,” “no-cors”, “same-origin”, “websocket”.
  • Sec-Fetch-User: Sec-Fetch-user Fetch Metadata Request HTTP Header is to provide information related to the navigation event’s request. If the navigation is triggered by the user the value of the Sec-Fetch-user will be “?1”, if it is not triggered by the user, it will be “?1”.
  • Sec-Fetch-Dest: Sec-Fetch-Dest Fetch Metadata Request HTTP Headers is a header that indicates the request’s destination to a server. It is a structured HTTP Header that contains tokens with the values “audio”, “audioworklet”, “empty”, “sharedworker”, “style”, “video”, “xlst”, “report”, “serviceworker”, “embed.

The Fetch Metadata Request HTTP Headers are prominent to see the characteristics of the Fetch Requests.

19. Server-sent Events HTTP Headers

Server-sent Events HTTP Headers are prominent to provide information related to the server events. There are 5 different Server-sent Events HTTP Headers. The list of Server-sent Events HTTP Headers is below.

  • Last-Event-ID: The Last-Event-ID Server-sent HTTP Haeder is to provide information for automatically reconnect requets if the network is interrupted.
  • NEL: NEL Server-sent Events HTTP Headers is to configure loggings for the network requests.
  • Ping-From: Ping-From Server-sent Events HTTP Header is to provide a ping information source.
  • Ping-To: Ping-To Server-sent Events HTTP Headers it o provide a ping information target.
  • Report-To: Report-To Server-sent Events HTTP Header is to provide a reporting endpoint.

Server-Sent Events HTTP Headers are rarely used, and they are useful for controlling server-sent events.

20. Transfer Coding HTTP Headers

Transfer-Encoding HTTP Headers is to determine the encoding of a resource transfer to a web user. There are three Transfer Coding HTTP Headers. The Transfer Coding HTTP Header list is below.

  • Transfer-Encoding: Transfer-Encoding Transfer Coding HTTP Header is to specify the encoding of the safely transferred resource.
  • TE: TE Transfer-Encoding HTTP Header is to make transfer encoding clear to the user-agent.
  • Trailer: Trailer Transfer-Encoding HTTP Header is to determine the additional fields for the sender’s message.

Transfer Coding HTTP Headers are related to the hop-by-hop headers.

21. WebSockets HTTP Headers

WebSockets HTTP Headers are used for the WebSockets. WebSockets are used for sending data and receiving data. A WebSocket can create two-way interactive communication between a web browser user and a web server. Thus, WebSocket HTTP Headers are prominent to improve the communication between users and the web server in an interactive and event-based way.

  • Sec-WebSocket-Key: Sec-WebSocket-Key is to prove that the client has taken the web server’s key for creating the WebSockets connection.
  • Sec-WebSocket-Extensions: Sec-WebSocket-Extensions WebSockets HTTP Header is to open handshake.
  • Sec-WebSocket-Accept: Sec-WebSocket-Accept WebSockets HTTP Header is to initiate a WebSocket connection.
  • Sec-WebSocket-Protocol: Sec-WebSocket-Protocol WebSocket HTTP Header is to choose a protocol between HTTP and HTTPS.
  • Sec-WebSocket-Version: Sec-WebSocket-Version WebSocket HTTP Header is to specify the version of the web socket.

WebSockets HTTP Headers are relevant to the WebSocket API.

22. Other HTTP Headers

Other HTTP Headers are HTTP Headers that are not classified under a contextual group. They can be related to the server push methods, or alternate methods to reach out to a server. In this context, there are 22 different HTTP Headers. The other HTTP Headers are listed below.

  • Accept-Push-Policy: Accept-Push-Policy refers to a specific server push policy.
  • Accept-Signatures: Accept-Signatures is to provide a signature that can be accepted.
  • Alt-Svc: Alt-SVC is to provide a list of alternate access methods to a server.
  • Date: Date HTTP Header is to provide a date for the message that is created.
  • Early-Data: Early-Data HTTP Header is to provides information on the data that is conveyed in TLS.
  • Large-Allocation: Large-Allocation HTTP Header is to provide signals that the webserver will perform a large load for the web browser.
  • Link: The link entity-header field provides a link declaration that is equal to the Link HTML Element.
  • Push-Policy: Push Policy HTTP Header provides a patterned behavior for performing a push request.
  • Retry-After: Retry-After HTTP Header Specifies how long a user-agent should wait to make a new request.
  • Signature: Signature Header field caries a signal for exhchange of information.
  • Signed-Headers: Signed Headers HTTP Header contains fileds to include within a signature. Signed-Headers is important for the Signed HTTP Exchanges.
  • Server-Timing: Server-Timing HTTP Header identifies a communication metric, and description for the request-response cycle.
  • Service-Worker-Allowed: Service-Worked-Allowed is used to specify the restricted paths for the Service Workers. Now, it can be contained within the service worker’s itself.
  • SourceMap: SourceMap HTTP Header is to provide a source URL for the compiled JS code during the debug process.
  • Upgrade: The Upgrade HTTP Header is to provide an increment for the HTTP Protocol. It is specified in the RFC 7230, section 6.7.
  • X-DNS-Prefetch-Control: X-DNS-Prefetch-Control is HTTP Header to control whether the web browser will be able to perform DNS Resolution or not.
  • X-Firefox-Spdy: X-Firefox-Spdy HTTP Header is obsolete, and it had been used for SPDY check within Firefox.
  • X-Pingback: X-Pingback HTTP Header is to provide a linkback possibility.
  • X-Requested-With: X-Requested-With is a HTTP Header for making clear that Ajax Libraries, or some other JQuery and Dojo Libraries are requested with XMLHttpRequest not by clicking a standard hyperlink.
  • X-Robots-Tag: X-Robots-Tag is prominent to SEO, and controlling other crawlers. X-Robots-Tag is to provide information for crawlers to whether the URL should be crawled or not.
  • X-UA-Compatible: X-UA-Compatible HTTP Header is prominent to determine which document mode will be used by the Internet Explorer.

What are the other classification methods of HTTP Headers?

The HTTP Headers can be grouped as below.

  • Response HTTP Headers
  • Representation HTTP Headers
  • Payload HTTP Headers
  • Request HTTP Headers
  • End-to-end HTTP Headers
  • Hop-by-hop HTTP Headers

Until now, the Response HTTP Headers, Payload HTTP Headers, Representation HTTP Headers, Request HTTP Headers are processed. The next section will explain the End-to-end HTTP Headers and the Hop-by-hop HTTP Headers.

1. End-to-end HTTP Headers

If you are sending a request, these headers must be sent to the server, and if you are sending a response, they must be sent to the client. Caches must store these headers and intermediate proxies must retransmit them without modification.

2. Hop-by-hop HTTP Headers

Only a single transport-level connection can benefit from these headers, and they should not be cached or retransmitted. Connection headers may only be set for hop-by-hop headers.

What are the HTTP Headers that are listed in IANA Registry?

The HTTP Headers that are listed in the IANA Registry can be seen in the table below with their RFC Reference Document, Status, Protocol, and Header Field Name.

HTTP Header Field NameProtocolHTTP Header StatusReference
Accept-Languagemail[RFC4021]
Also-Controlnetnewsobsoleted[RFC1849][RFC5536]
Alternate-Recipientmail[RFC4021]
Approvednetnewsstandard[RFC5536]
ARC-Authentication-Resultsmailexperimental[RFC8617]
ARC-Message-Signaturemailexperimental[RFC8617]
ARC-Sealmailexperimental[RFC8617]
Archivenetnewsstandard[RFC5536]
Archived-Atmailstandard[RFC5064]
Archived-Atnetnewsstandard[RFC5064]
Article-Namesnetnewsobsoleted[RFC1849][RFC5536]
Article-Updatesnetnewsobsoleted[RFC1849][RFC5536]
Authentication-Resultsmailstandard[RFC8601]
Auto-Submittedmailstandard[RFC3834 section 5]
Autoforwardedmail[RFC4021]
Autosubmittedmail[RFC4021]
BaseMIMEobsoleted[RFC1808][RFC2068 Section 14.11]
Bccmailstandard[RFC5322]
Bodynonereserved[RFC6068]
Cancel-Keynetnewsstandard[RFC8315]
Cancel-Locknetnewsstandard[RFC8315]
Ccmailstandard[RFC5322]
Commentsmailstandard[RFC5322]
Commentsnetnewsstandard[RFC5536][RFC5322]
Content-AlternativeMIME[RFC4021]
Content-BaseMIMEobsoleted[RFC2110][RFC2557]
Content-DescriptionMIME[RFC4021]
Content-DispositionMIME[RFC4021]
Content-DurationMIME[RFC4021]
Content-featuresMIME[RFC4021]
Content-IDMIME[RFC4021]
Content-Identifiermail[RFC4021]
Content-LanguageMIME[RFC4021]
Content-LocationMIME[RFC4021]
Content-MD5MIME[RFC4021]
Content-Returnmail[RFC4021]
Content-Transfer-EncodingMIME[RFC4021]
Content-Translation-TypeMIMEstandard[RFC8255]
Content-TypeMIME[RFC4021]
Controlnetnewsstandard[RFC5536]
Conversionmail[RFC4021]
Conversion-With-Lossmail[RFC4021]
DL-Expansion-Historymail[RFC4021]
Datemailstandard[RFC5322]
Datenetnewsstandard[RFC5536][RFC5322]
Date-Receivednetnewsobsoleted[RFC0850][RFC5536]
Deferred-Deliverymail[RFC4021]
Delivery-Datemail[RFC4021]
Discarded-X400-IPMS-Extensionsmail[RFC4021]
Discarded-X400-MTS-Extensionsmail[RFC4021]
Disclose-Recipientsmail[RFC4021]
Disposition-Notification-Optionsmail[RFC4021]
Disposition-Notification-Tomail[RFC4021]
Distributionnetnewsstandard[RFC5536]
DKIM-Signaturemailstandard[RFC6376]
Downgraded-Bccmailobsoleted[RFC5504][RFC6857]
Downgraded-Ccmailobsoleted[RFC5504][RFC6857]
Downgraded-Disposition-Notification-Tomailobsoleted[RFC5504][RFC6857]
Downgraded-Final-Recipientmailstandard[RFC6857 Section 3.1.10]
Downgraded-Frommailobsoleted[RFC5504][RFC6857 Section 3.1.10]
Downgraded-In-Reply-Tomailstandard[RFC6857 Section 3.1.10]
Downgraded-Mail-Frommailobsoleted[RFC5504][RFC6857 Section 3.1.10]
Downgraded-Message-Idmailstandard[RFC6857 Section 3.1.10]
Downgraded-Original-Recipientmailstandard[RFC6857 Section 3.1.10]
Downgraded-Rcpt-Tomailobsoleted[RFC5504][RFC6857]
Downgraded-Referencesmailstandard[RFC6857 Section 3.1.10]
Downgraded-Reply-Tomailobsoleted[RFC5504][RFC6857]
Downgraded-Resent-Bccmailobsoleted[RFC5504][RFC6857]
Downgraded-Resent-Ccmailobsoleted[RFC5504][RFC6857]
Downgraded-Resent-Frommailobsoleted[RFC5504][RFC6857]
Downgraded-Resent-Reply-Tomailobsoleted[RFC5504][RFC6857]
Downgraded-Resent-Sendermailobsoleted[RFC5504][RFC6857]
Downgraded-Resent-Tomailobsoleted[RFC5504][RFC6857]
Downgraded-Return-Pathmailobsoleted[RFC5504][RFC6857]
Downgraded-Sendermailobsoleted[RFC5504][RFC6857]
Downgraded-Tomailobsoleted[RFC5504][RFC6857]
Encodingmail[RFC4021]
Encryptedmail[RFC4021]
Expiresmail[RFC4021]
Expiresnetnewsstandard[RFC5536]
Expiry-Datemail[RFC4021]
Followup-Tonetnewsstandard[RFC5536]
Frommailstandard[RFC5322][RFC6854]
Fromnetnewsstandard[RFC5536][RFC5322]
Generate-Delivery-Reportmail[RFC4021]
Importancemail[RFC4021]
In-Reply-Tomailstandard[RFC5322]
Incomplete-Copymail[RFC4021]
Injection-Datenetnewsstandard[RFC5536]
Injection-Infonetnewsstandard[RFC5536]
Keywordsmailstandard[RFC5322]
Keywordsnetnewsstandard[RFC5536][RFC5322]
Languagemail[RFC4021]
Latest-Delivery-Timemail[RFC4021]
Linesnetnewsdeprecated[RFC5536][RFC3977]
List-Archivemail[RFC4021]
List-Helpmail[RFC4021]
List-IDmail[RFC4021]
List-Ownermail[RFC4021]
List-Postmail[RFC4021]
List-Subscribemail[RFC4021]
List-Unsubscribemail[RFC4021]
List-Unsubscribe-Postmailstandard[RFC8058]
Message-Contextmail[RFC4021]
Message-IDmailstandard[RFC5322]
Message-IDnetnewsstandard[RFC5536][RFC5322]
Message-Typemail[RFC4021]
MIME-VersionMIME[RFC4021]
MMHS-Exempted-Addressmail[RFC6477][ACP123 Appendix A1.1 and Appendix B.105]
MMHS-Extended-Authorisation-Infomail[RFC6477][ACP123 Appendix A1.2 and Appendix B.106]
MMHS-Subject-Indicator-Codesmail[RFC6477][ACP123 Appendix A1.3 and Appendix B.107]
MMHS-Handling-Instructionsmail[RFC6477][ACP123 Appendix A1.4 and Appendix B.108]
MMHS-Message-Instructionsmail[RFC6477][ACP123 Appendix A1.
HTTP Headers that are registered within the IANA.

What are the IANA HTTP Headers that are proposed as New HTTP Headers?

The IANA HTTP Headers that are proposed as New HTTP Headers by IANA are in the table below with their status, reference RFC Document, and protocol.

Header Field NameProtocolStatusReference
Accept-Languagemail[RFC4021]
Also-Controlnetnewsobsoleted[RFC1849][RFC5536]
Alternate-Recipientmail[RFC4021]
Approvednetnewsstandard[RFC5536]
ARC-Authentication-Resultsmailexperimental[RFC8617]
ARC-Message-Signaturemailexperimental[RFC8617]
ARC-Sealmailexperimental[RFC8617]
Archivenetnewsstandard[RFC5536]
Archived-Atmailstandard[RFC5064]
Archived-Atnetnewsstandard[RFC5064]
Article-Namesnetnewsobsoleted[RFC1849][RFC5536]
Article-Updatesnetnewsobsoleted[RFC1849][RFC5536]
Authentication-Resultsmailstandard[RFC8601]
Auto-Submittedmailstandard[RFC3834 section 5]
Autoforwardedmail[RFC4021]
Autosubmittedmail[RFC4021]
BaseMIMEobsoleted[RFC1808][RFC2068 Section 14.11]
Bccmailstandard[RFC5322]
Bodynonereserved[RFC6068]
Cancel-Keynetnewsstandard[RFC8315]
Cancel-Locknetnewsstandard[RFC8315]
Ccmailstandard[RFC5322]
Commentsmailstandard[RFC5322]
Commentsnetnewsstandard[RFC5536][RFC5322]
Content-AlternativeMIME[RFC4021]
Content-BaseMIMEobsoleted[RFC2110][RFC2557]
Content-DescriptionMIME[RFC4021]
Content-DispositionMIME[RFC4021]
Content-DurationMIME[RFC4021]
Content-featuresMIME[RFC4021]
Content-IDMIME[RFC4021]
Content-Identifiermail[RFC4021]
Content-LanguageMIME[RFC4021]
Content-LocationMIME[RFC4021]
Content-MD5MIME[RFC4021]
Content-Returnmail[RFC4021]
Content-Transfer-EncodingMIME[RFC4021]
Content-Translation-TypeMIMEstandard[RFC8255]
Content-TypeMIME[RFC4021]
Controlnetnewsstandard[RFC5536]
Conversionmail[RFC4021]
Conversion-With-Lossmail[RFC4021]
DL-Expansion-Historymail[RFC4021]
Datemailstandard[RFC5322]
Datenetnewsstandard[RFC5536][RFC5322]
Date-Receivednetnewsobsoleted[RFC0850][RFC5536]
Deferred-Deliverymail[RFC4021]
Delivery-Datemail[RFC4021]
Discarded-X400-IPMS-Extensionsmail[RFC4021]
Discarded-X400-MTS-Extensionsmail[RFC4021]
Disclose-Recipientsmail[RFC4021]
Disposition-Notification-Optionsmail[RFC4021]
Disposition-Notification-Tomail[RFC4021]
Distributionnetnewsstandard[RFC5536]
DKIM-Signaturemailstandard[RFC6376]
Downgraded-Bccmailobsoleted[RFC5504][RFC6857]
Downgraded-Ccmailobsoleted[RFC5504][RFC6857]
Downgraded-Disposition-Notification-Tomailobsoleted[RFC5504][RFC6857]
Downgraded-Final-Recipientmailstandard[RFC6857 Section 3.1.10]
Downgraded-Frommailobsoleted[RFC5504][RFC6857 Section 3.1.10]
Downgraded-In-Reply-Tomailstandard[RFC6857 Section 3.1.10]
Downgraded-Mail-Frommailobsoleted[RFC5504][RFC6857 Section 3.1.10]
Downgraded-Message-Idmailstandard[RFC6857 Section 3.1.10]
Downgraded-Original-Recipientmailstandard[RFC6857 Section 3.1.10]
Downgraded-Rcpt-Tomailobsoleted[RFC5504][RFC6857]
Downgraded-Referencesmailstandard[RFC6857 Section 3.1.10]
Downgraded-Reply-Tomailobsoleted[RFC5504][RFC6857]
Downgraded-Resent-Bccmailobsoleted[RFC5504][RFC6857]
Downgraded-Resent-Ccmailobsoleted[RFC5504][RFC6857]
Downgraded-Resent-Frommailobsoleted[RFC5504][RFC6857]
Downgraded-Resent-Reply-Tomailobsoleted[RFC5504][RFC6857]
Downgraded-Resent-Sendermailobsoleted[RFC5504][RFC6857]
Downgraded-Resent-Tomailobsoleted[RFC5504][RFC6857]
Downgraded-Return-Pathmailobsoleted[RFC5504][RFC6857]
Downgraded-Sendermailobsoleted[RFC5504][RFC6857]
Downgraded-Tomailobsoleted[RFC5504][RFC6857]
Encodingmail[RFC4021]
Encryptedmail[RFC4021]
Expiresmail[RFC4021]
Expiresnetnewsstandard[RFC5536]
Expiry-Datemail[RFC4021]
Followup-Tonetnewsstandard[RFC5536]
Frommailstandard[RFC5322][RFC6854]
Fromnetnewsstandard[RFC5536][RFC5322]
Generate-Delivery-Reportmail[RFC4021]
Importancemail[RFC4021]
In-Reply-Tomailstandard[RFC5322]
Incomplete-Copymail[RFC4021]
Injection-Datenetnewsstandard[RFC5536]
Injection-Infonetnewsstandard[RFC5536]
Keywordsmailstandard[RFC5322]
Keywordsnetnewsstandard[RFC5536][RFC5322]
Languagemail[RFC4021]
Latest-Delivery-Timemail[RFC4021]
Linesnetnewsdeprecated[RFC5536][RFC3977]
List-Archivemail[RFC4021]
List-Helpmail[RFC4021]
List-IDmail[RFC4021]
List-Ownermail[RFC4021]
List-Postmail[RFC4021]
List-Subscribemail[RFC4021]
List-Unsubscribemail[RFC4021]
List-Unsubscribe-Postmailstandard[RFC8058]
Message-Contextmail[RFC4021]
Message-IDmailstandard[RFC5322]
Message-IDnetnewsstandard[RFC5536][RFC5322]
Message-Typemail[RFC4021]
MIME-VersionMIME[RFC4021]
MMHS-Exempted-Addressmail[RFC6477][ACP123 Appendix A1.1 and Appendix B.105]
MMHS-Extended-Authorisation-Infomail[RFC6477][ACP123 Appendix A1.2 and Appendix B.106]
MMHS-Subject-Indicator-Codesmail[RFC6477][ACP123 Appendix A1.3 and Appendix B.107]
MMHS-Handling-Instructionsmail[RFC6477][ACP123 Appendix A1.4 and Appendix B.108]
MMHS-Message-Instructionsmail[RFC6477][ACP123 Append
IANA HTTP Headers

Why is Web Browser important for HTTP Headers?

The main importance of a web browser for HTTP Headers is that a user agent uses a web browser for making a request to a web server. A web browser is an application for using websites with a graphical interface. Thus, a web browser will request resources, download, and render them for creating the web page for the web browser user. An HTTP Header can change how a web browser behaves, and the request HTTP Headers will be delivered from a web browser to the webserver. A web browser’s default request HTTP headers can be changed from its settings for different purposes. The importance of the relation between the HTTP Headers and the web browsers is prominent for understanding how the web works.

Why is Web Server is important for HTTP Headers?

A web server is important for HTTP Headers because a web server sends the HTTP Headers to the web browser user which is a user-agent. A web server can be configured for different HTTP Header usage based on its purpose. Web servers are prominent for web browsers since they send the resources that the browser will render and load. HTTP Headers control the communication between the web browsers and the web servers. A response HTTP Header from a web server will be created based on the request HTTP Header from a web browser. Thus, web servers are a prominent part of the HTTP Headers’ functionality.

Why is a Website important for HTTP Headers?

A website is stored within a web server and served to a web browser via HTTP Headers. A website and its web pages can be served differently based on the HTTP Headers. A website can have different website segments that contain different web pages. In this context, a website and its web pages will be served with certain HTTP Headers. For arranging the cache, security, and content negotiation between the web browser and the web server, the HTTP Headers will be used. HTTP Headers are prominent for websites in terms of conveying the websites to the specific web browser which represents a user agent for the requestor.

Last Thoughts on HTTP Headers and Holistic SEO

The HTTP Headers are prominent to determine which message will be passed from web user to web server, and from web server to the user-agent. The HTTP Headers involve different contexts and groups according to their purposes and usage methodologies. From different HTTP Status Codes to the redirection methods, an HTTP Header can signal multiple-meaning related to the software of the web server, or the encoding of the resource. HTTP Headers can be used for making the web page loading performance better or improving the web page security. Whether it is related to the web page security, or speed, and web server efficiency, HTTP Headers are prominent for SEO. Holistic SEO involves every vertical of SEO efforts. HTTP Headers are related to SEO, UX, and web development in the context of coding. In this context, knowing about HTTP Headers are prominent for an SEO to manage the web development teams for better HTTP Cache Strategies, web security precautions, and web server response efficiency.

The HTTP Header Guide will be updated over time.

Koray Tuğberk GÜBÜR
Latest posts by Koray Tuğberk GÜBÜR (see all)

1 thought on “List of HTTP Headers: Definitions, Types, Usage, Syntax, and Directives”

Leave a Comment

List of HTTP Headers: Definitions, Types, Usage, Syntax, and Directives

by Koray Tuğberk GÜBÜR time to read: 35 min
1