Accept (request): Media types the client can process. Tells the server what content types are acceptable in the response.
Accept-Charset (request): Character sets the client accepts.
Accept-Encoding (request): Content encoding (compression) algorithms the client supports.
Accept-Language (request): Natural languages the client prefers.
Authorization (request): Credentials for authenticating the client with the server.
Cookie (request): Previously stored cookies sent back to the server.
Host (request): Domain name and port of the server being requested. Required in HTTP/1.1.
If-Modified-Since (request): Makes request conditional: only return resource if modified since given date.
If-None-Match (request): Makes request conditional based on ETag. Returns 304 if ETag matches.
Origin (request): Origin of the request (scheme, hostname, port). Used in CORS preflight.
Range (request): Request only part of a resource (byte ranges).
Referer (request): URL of the page that linked to the current request.
User-Agent (request): String identifying the client software (browser, bot, etc.).
Access-Control-Allow-Origin (response): Specifies which origins can access the resource (CORS).
Access-Control-Allow-Methods (response): HTTP methods allowed when accessing the resource (CORS).
Access-Control-Allow-Headers (response): Headers allowed in the actual request (CORS).
Allow (response): Lists the HTTP methods supported by the resource.
Location (response): URL to redirect the client to. Used with 3xx status codes.
Retry-After (response): How long the client should wait before making a follow-up request (with 503 or 429).
Server (response): Information about the server software.
Set-Cookie (response): Send a cookie from the server to the client.
WWW-Authenticate (response): Defines the authentication method to access a resource (sent with 401).
Connection (general): Controls whether the network connection stays open after the transaction.
Date (general): Date and time the message was sent.
Transfer-Encoding (general): Encoding used to safely transfer the payload body.
Upgrade (general): Ask the server to switch to a different protocol.
Via (general): Indicates intermediate proxies or gateways the message passed through.
Content-Encoding (entity): Compression algorithm applied to the message body.
Content-Language (entity): Natural language(s) of the content.
Content-Length (entity): Size of the message body in bytes.
Content-Type (entity): Media type of the resource or data being sent.
Content-Disposition (entity): Indicates if content should be displayed inline or downloaded as attachment.
Content-Range (entity): Indicates where in the full message body a partial message belongs.
ETag (entity): Unique identifier for a specific version of a resource.
Last-Modified (entity): Date and time the resource was last changed.
Content-Security-Policy (security): Controls which resources the browser is allowed to load for a page. Prevents XSS attacks.
Strict-Transport-Security (security): Forces browsers to use HTTPS for future requests to the domain (HSTS).
X-Content-Type-Options (security): Prevents MIME type sniffing. Forces browser to use declared Content-Type.
X-Frame-Options (security): Controls whether the page can be loaded in an iframe. Prevents clickjacking.
X-XSS-Protection (security): Enables cross-site scripting filter in older browsers (deprecated in favor of CSP).
Referrer-Policy (security): Controls how much referrer information is sent with requests.
Permissions-Policy (security): Controls which browser features can be used (camera, mic, geolocation, etc.).
Cache-Control (caching): Directives for caching in both requests and responses.
Expires (caching): Date/time after which the response is considered stale (superseded by Cache-Control).
Pragma (caching): Implementation-specific caching directive (HTTP/1.0 backward compatibility).
Age (caching): Time in seconds the object has been in a proxy cache.
Vary (caching): Determines how to match request headers to decide if a cached response can be used.