HTTP message headers are used to precisely describe the resource being fetched or the behavior of the server or the client. Custom proprietary headers can be added using the 'X-' prefix; others are listed in an IANA registry, whose original content was defined in RFC 4229. IANA also maintains a registry of proposed new HTTP message headers.

The following table summarizes the headers and their usage:

| Header | Description | More information | Standard |
|---|---|---|---|
| Accept | lists the MIME types expected by the user agent | HTTP Content Negotiation | HTTP/1.1 |
| Accept-Charset | lists the character sets supported by the user agent | HTTP Content Negotiation | HTTP/1.1 |
| Accept-Features | | HTTP Content Negotiation | RFC 2295, §8.2 |
| Accept-Encoding | lists the compression methods supported by the user agent | HTTP Content Negotiation | HTTP/1.1 |
| Accept-Language | lists the languages the user agent expects the page in | HTTP Content Negotiation | HTTP/1.1 |
| Accept-Ranges | | | |
| Access-Control-Allow-Credentials | | HTTP Access Control and Server Side Access Control | W3C Cross-Origin Resource Sharing |
| Access-Control-Allow-Origin | | HTTP Access Control and Server Side Access Control | W3C Cross-Origin Resource Sharing |
| Access-Control-Allow-Methods | | HTTP Access Control and Server Side Access Control | W3C Cross-Origin Resource Sharing |
| Access-Control-Allow-Headers | | HTTP Access Control and Server Side Access Control | W3C Cross-Origin Resource Sharing |
| Access-Control-Max-Age | | HTTP Access Control and Server Side Access Control | W3C Cross-Origin Resource Sharing |
| Access-Control-Expose-Headers | | HTTP Access Control and Server Side Access Control | W3C Cross-Origin Resource Sharing |
| Access-Control-Request-Method | | HTTP Access Control and Server Side Access Control | W3C Cross-Origin Resource Sharing |
| Access-Control-Request-Headers | | HTTP Access Control and Server Side Access Control | W3C Cross-Origin Resource Sharing |
| Age | | | |
| Allow | | | |
| Alternates | | HTTP Content Negotiation | RFC 2295, §8.3 |
| Authorization | | | |
| Cache-Control | | HTTP Caching FAQ | |
| Connection | | | |
| Content-Encoding | | | |
| Content-Language | | | |
| Content-Length | | | |
| Content-Location | | | |
| Content-MD5 | | Unimplemented (see bug 232030) | |
| Content-Range | | | |
| Content-Security-Policy | Controls the resources a user agent is allowed to load for use on a given page. | CSP (Content Security Policy) | W3C Content Security Policy |
| Content-Type | Indicates the MIME type of the served document. This helps the user agent (browser) to understand what to do with the received data. | | |
| Cookie | | | RFC 2109 |
| DNT | With a value of 1, indicates that the user explicitly opts out of any form of online tracking. | Supported by Firefox 4, Firefox 5 for mobile, IE9, and a few major companies. | Tracking Preference Expression (DNT) |
| Date | | | |
| ETag | | HTTP Caching FAQ | |
| Expect | | | |
| Expires | | HTTP Caching FAQ | |
| From | | | |
| Host | | | |
| If-Match | | | |
| If-Modified-Since | | HTTP Caching FAQ | |
| If-None-Match | | HTTP Caching FAQ | |
| If-Range | | | |
| If-Unmodified-Since | | | |
| Last-Event-ID | gives the id of the last events received by the server on a previous HTTP connection. Used to synchronize a stream of text/event-stream. | Server-Sent Events | Server-Sent Events spec |
| Last-Modified | | HTTP Caching FAQ | |
| Link | equivalent to the HTML <link> element, but on the HTTP layer; gives a URL related to the fetched resource, and the kind of relation. | For the rel=prefetch case, see Link Prefetching FAQ | Introduced in HTTP 1.1's RFC 2068, section 19.6.2.4, it was removed in the final HTTP 1.1 spec, then reintroduced, with some extensions, in RFC 5988 |
| Location | | | |
| Max-Forwards | | | |
| Negotiate | | HTTP Content Negotiation | RFC 2295, §8.4 |
| Origin | | HTTP Access Control and Server Side Access Control | More recently defined in the Fetch spec (see Fetch API). Originally defined in W3C Cross-Origin Resource Sharing |
| Pragma | | for the pragma: nocache value see HTTP Caching FAQ | |
| Proxy-Authenticate | | | |
| Proxy-Authorization | | | |
| Range | | | |
| Referer | (note that the orthographical error introduced in the HTTP/0.9 spec had to be conserved in subsequent versions of the protocol) | | |
| Retry-After | | | |
| Sec-Websocket-Extensions | | | Websockets |
| Sec-Websocket-Key | | | Websockets |
| Sec-Websocket-Origin | | | Websockets |
| Sec-Websocket-Protocol | | | Websockets |
| Sec-Websocket-Version | | | Websockets |
| Server | | | |
| Set-Cookie | | | RFC 2109 |
| Set-Cookie2 | | | RFC 2965 |
| Strict-Transport-Security | | HTTP Strict Transport Security | IETF reference |
| TCN | | HTTP Content Negotiation | RFC 2295, §8.5 |
| TE | | | |
| Trailer | lists the headers that will be transmitted after the message body, in a trailer block. This allows servers to compute some values, like Content-MD5:, while transmitting the data. Note that the Trailer: header must not list the Content-Length:, Trailer: or Transfer-Encoding: headers. | | RFC 2616, §14.40 |
| Transfer-Encoding | | | |
| Upgrade | | | |
| User-Agent | | for Gecko's user agents see the User Agents Reference | |
| Variant-Vary | | HTTP Content Negotiation | RFC 2295, §8.6 |
| Vary | lists the headers used as criteria for choosing a specific content by the web server. This header is important for efficient and correct caching of the resource sent. | HTTP Content Negotiation & HTTP Caching FAQ | |
| Via | | | |
| Warning | | | |
| WWW-Authenticate | | | |
| X-Content-Duration | | Configuring servers for Ogg media | |
| X-Content-Security-Policy | | Using Content Security Policy | |
| X-DNSPrefetch-Control | | Controlling DNS prefetching | |
| X-Frame-Options | | The X-Frame-Options Response Header | |
| X-Requested-With | Often sent with the value "XMLHttpRequest" when the request is made through XMLHttpRequest | | Not standard |

Notes

Note: The Keep-Alive request header is not sent by Gecko 5.0; previous versions did send it but it was not formatted correctly, so the decision was made to remove it for the time being. The Connection: or Proxy-Connection: header is still sent, however, with the value "keep-alive".

See also

Wikipedia page on List of HTTP headers

Last updated by: Sheppy,