List of HTTP header fields: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 01:52, 24 March 2011 edit Pleasancoder (talk \| contribs) 76 edits m →Common non-standard headers ← Previous edit		Latest revision as of 16:41, 25 August 2025 edit undo Mindmatrix (talk \| contribs) Autopatrolled, Administrators 188,534 edits revert - rm promotional link Tag: Manual revert
(905 intermediate revisions by more than 100 users not shown)
Line 1: {{Short description\|None}} ~~{{No footnotes\|date=September 2010}}~~ {{~~Refimprove~~Use mdy dates\|date=~~September~~June ~~2010~~2019}} {{Use American English\|date=June 2019}} {{HTTP}} '''HTTP header fields''' are a list of [[string (computer science)\|string]]s sent and received by both the client program and server on every HTTP request and response. These [[Header (computing)\|headers]] are usually invisible to the [[end-user]] and are only processed or [[computer data logging\|logged]] by the server and client applications. They define how information sent/received through the connection are encoded (as in [[HTTP compression#Content-Encoding tokens\|Content-Encoding]]), the session verification and identification of the client (as in [[browser cookies]], IP address, [[user-agent]]) or their anonymity thereof (VPN or proxy masking, user-agent spoofing), how the server should handle data (as in [[Do-Not-Track]] or [[Global Privacy Control]]), the age (the time it has resided in a shared [[web cache\|cache]]) of the document being downloaded, amongst others. In the [[Hypertext Transfer Protocol]] (HTTP), '''HTTP header fields''' contain the operating parameters of an HTTP request or response. With the request or response line (first line of message), they form the message header. ==General format== The header fields define various characteristics of the data transfer that is requested or the data that is provided in the message body. Header fields start with the field name, terminated with a colon character, followed by the field value. Field names and values may be any application-specific [[String (computer science)\|strings]], but a core set of fields is standardized by the [[Internet Engineering Task Force]] (IETF) in RFC 2616 and other updates and extension documents (e.g., RFC 4229), and are commonly understood by all compliant protocol implementations. In HTTP version 1.x, header fields are transmitted after the request line (in case of a request HTTP message) or the response line (in case of a response HTTP message), which is the first line of a message. Header fields are colon-separated key-value pairs in clear-text [[String (computer science)\|string]] format, terminated by a [[carriage return]] (CR) and [[line feed]] (LF) character sequence. The end of the header section is indicated by an empty field line, resulting in the transmission of two consecutive CR-LF pairs. In the past, long lines could be folded into multiple lines; continuation lines are indicated by the presence of a space (SP) or horizontal tab (HT) as the first character on the next line. This folding was deprecated in RFC 7230.<ref>{{Cite ietf \|date=June 2014 \|rfc=7230 \|title=Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing \|section=3.2.4 \|sectionname=Field Parsing}}</ref> Many parameters may be followed by a quality or 'q' value, giving a weight to use in content negotiation.<ref>[http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.9 RFC 2616 §3.9]</ref> The HTTP message header is separated from the message body by a [[Newline\|blank line]]. [[HTTP/2]]<ref name="rfc9113">{{cite ietf \|rfc=9113 \|title=HTTP/2 \|date=June 2022}}</ref> and [[HTTP/3]] instead use a [[Communication protocol#Binary\|binary protocol]], where headers are encoded in a single <code>HEADERS</code> and zero or more <code>CONTINUATION</code> frames using HPACK<ref name="rfc7541">{{cite journal\|url=https://tools.ietf.org/html/rfc7541\|title=HPACK: Header Compression for HTTP/2\|publisher=[[IETF]]\|date=May 2015\|doi=10.17487/RFC7541 \|access-date=2021-12-13\|last1=Peon \|first1=R. \|last2=Ruellan \|first2=H. \|url-access=subscription}}</ref> (HTTP/2) or QPACK (HTTP/3), which both provide efficient header compression. The request or response line from HTTP/1 has also been replaced by several pseudo-header fields, each beginning with a colon (<code>:</code>). ~~==Requests==~~ ~~{\| class="wikitable sortable" style="width: 100%; clear:right;"~~ ! ==Field ~~name~~names== A core set of fields is standardized by the [[Internet Engineering Task Force]] (IETF) in {{IETF RFC\|9110\|9111\|leadout=and}}. The [https://www.iana.org/assignments/http-fields/http-fields.xhtml#field-names Field Names], [https://www.iana.org/assignments/message-headers/message-headers.xml#perm-headers Header Fields] and [https://www.iana.org/assignments/message-headers/message-headers.xml#prov-headers Repository of Provisional Registrations] are maintained by the [[Internet Assigned Numbers Authority\|IANA]]. Additional field names and permissible values may be defined by each application. Header field names are case-insensitive.<ref>{{Cite ietf \|date=June 2022 \|rfc=9110 \|title=HTTP Semantics \|section=5.1 \|sectionname=Field Names}}</ref> This is in contrast to HTTP method names (GET, POST, etc.), which are case-sensitive.<ref>{{Cite ietf \|date=June 2022 \|rfc=9110 \|title=HTTP Semantics \|section=9.1 \|sectionname=Methods: Overview}}</ref> [[HTTP/2]] makes some restrictions on specific header fields (see below). Non-standard header fields were conventionally marked by prefixing the field name with <code>X-</code> but this convention was deprecated in June 2012 because of the inconveniences it caused when non-standard fields became standard.<ref>{{cite journal\|url=http://tools.ietf.org/html/rfc6648\|title=RFC 6648\|author=Internet Engineering Task Force\|date=2012-06-01\|doi=10.17487/RFC6648 \|access-date=2012-11-12\|url-access=subscription}}</ref> An earlier restriction on use of <code>Downgraded-</code> was lifted in March 2013.<ref>{{cite web\|url=https://www.iana.org/assignments/message-headers/message-headers.xml \|title=Message Headers \|publisher=Iana.org \|date=2014-06-11 \|access-date=2014-06-12}}</ref> ==Field values== A few fields can contain comments (i.e. in User-Agent, Server, Via fields), which can be ignored by software.<ref>{{cite ietf \|date=June 2022 \|rfc=9110 \|title=HTTP Semantics \|section=5.6.5 \|sectionname=Comments}}</ref> Many field values may contain a quality (''q'') key-value pair separated by [[equals sign]], specifying a weight to use in [[content negotiation]].<ref>{{cite ietf \|date=June 2022 \|rfc=9110 \|title=HTTP Semantics \|section=12.4.2 \|sectionname=Quality Values}}</ref> For example, a browser may indicate that it accepts information in German or English, with German as preferred by setting the ''q'' value for <code>de</code> higher than that of <code>en</code>, as follows: <code>Accept-Language: de; q=1.0, en; q=0.5</code> ==Size limits== The standard imposes no limits to the size of each header field name or value, or to the number of fields. However, most servers, clients, and proxy software impose some limits for practical and security reasons. For example, the Apache 2.3 server by default limits the size of each field to 8,190 bytes, and there can be at most 100 header fields in a single request.<ref>{{cite web\|url=http://httpd.apache.org/docs/2.3/mod/core.html#limitrequestfieldsize\|archive-url=https://web.archive.org/web/20120509104709/https://httpd.apache.org/docs/2.3/mod/core.html#limitrequestfieldsize\|archive-date=2012-05-09 \|title=core - Apache HTTP Server \|publisher=Httpd.apache.org \|access-date=2012-03-13}}</ref> ==Request fields== ===Standard request fields=== {\| class="wikitable sortable" \|+ \|- ! Name ! class="unsortable" \| Description ! class="unsortable" \| Example ! Status !Standard \|- \| A-IM \|\| Acceptable instance-manipulations for the request.<ref name="rfc3229">{{cite IETF\|rfc=3229}}</ref>\|\|<code>A-IM: feed</code> \|\| Permanent ~~\| Accept \|\| Content-Types that are acceptable \|\| <code>Accept: text/plain</code>~~ \|{{IETF RFC\|3229}} \|- \|- id="accept-request-header" ~~\| Accept-Charset \|\| Character sets that are acceptable \|\| <code>Accept-Charset: utf-8</code>~~ \| Accept \|\| [[Media type\|Media type(s)]] that is/are acceptable for the response. See [[Content negotiation]]. \|\| <code>Accept: text/html</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| ~~[[HTTP compression\|~~Accept-~~Encoding]]~~Charset \|\| ~~Acceptable~~Character ~~encodings~~sets that are acceptable. \|\| <code>Accept-~~Encoding~~Charset: utf-8<~~[[compress]]~~/code> \| ~~[[gzip]]~~ \| ~~[[deflate]] \| identity></code>~~Permanent \|{{IETF RFC\|9110}} \|- id="Accept-Datetime" \| Accept-Datetime \|\| Acceptable version in time. \|\|<code>Accept-Datetime: Thu, 31 May 2007 20:35:00 GMT</code>\|\| Provisional \|{{IETF RFC\|7089\|}} \|- id="Accept-Encoding" \| Accept-Encoding \|\| List of acceptable encodings. See [[HTTP compression]]. \|\|<code>Accept-Encoding: gzip, deflate</code>\|\| Permanent \|{{IETF RFC\|9110}} \|- id="Accept-Language" \| Accept-Language \|\| List of acceptable human languages for response. See [[Content negotiation]]. \|\|<code>Accept-Language: en-US</code>\|\| Permanent \|{{IETF RFC\|9110}} \|- id="access-control-request-header" \| {{nowrap\|Access-Control-Request-Method,<br />Access-Control-Request-Headers}}<ref name="CORS">{{cite web\|url=https://www.w3.org/TR/cors/ \|title=Cross-Origin Resource Sharing \|access-date=2017-07-24}}</ref>\|\| Initiates a request for [[cross-origin resource sharing]] with [[#origin-request-header\|Origin]] (below). \|\| <code>Access-Control-Request-Method: GET</code> \|\| {{nowrap\|Permanent: standard}} \| \|- \| Authorization \|\| Authentication credentials for [[Basic access authentication\|HTTP authentication]]. \|\| <code>Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</code> \|\| Permanent ~~\| Accept-Language \|\| Acceptable languages for response \|\| <code>Accept-Language: en-US</code>~~ \|{{IETF RFC\|9110}} \|- \| [[Cache-Control]] \|\| Used to specify directives that ''must'' be obeyed by all caching mechanisms along the request-response chain. \|\| <code>Cache-Control: no-cache</code> \|\| Permanent ~~\| Authorization \|\| Authentication credentials for HTTP authentication \|\| <code>Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</code>~~ \|{{IETF RFC\|9111}} \|- \|- id="connection-request-header" ~~\| Cache-Control \|\| Used to specify directives that MUST be obeyed by all caching mechanisms along the request/response chain \|\| <code>Cache-Control: no-cache</code>~~ \| Connection \|\| Control options for the current connection and list of hop-by-hop request fields.<ref name="rfc9110_connection">{{cite ietf \|rfc=9110 \|title=HTTP Semantics \|section=7.6.1 \|sectionname=Connection header \|date=June 2022 }}</ref> Must not be used with HTTP/2.<ref name="rfc9113_connection">{{cite ietf \|rfc=9113 \|title=HTTP/2 \|section=8.2.2 \|sectionname=Connection-Specific Header Fields \|date=June 2022 }}</ref> \|\| <code>Connection: keep-alive</code> <code>[[HTTP/1.1 Upgrade header\|Connection: Upgrade]]</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \|- id="content-encoding-request-header" ~~\| Connection \|\| What type of connection the user-agent would prefer \|\| <code>Connection: close</code>~~ \| Content-Encoding \|\| The type of encoding used on the data. See [[HTTP compression]]. \|\| <code>Content-Encoding: gzip</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- id="content-length-request-header" \| Content-Length \|\| The length of the request body in [[Octet (computing)\|octets]] (8-bit bytes). \|\| <code>Content-Length: 348</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Content-MD5 \|\| A [[Base64]]-encoded binary [[MD5]] sum of the content of the request body. \|\| <code>Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==</code> \|\| Obsolete<ref name="7231_appendixB">{{cite ietf \|rfc=7231 \|title=Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content \|appendix=B \|sectionname=Changes from RFC 2616 \|date=June 2014}}</ref> ~~\| [[HTTP Cookie\|Cookie]] \|\| an HTTP cookie previously sent by the server with <tt>Set-Cookie</tt> (below) \|\| <code>Cookie: $Version=1; Skin=new;</code>~~ \|{{IETF RFC\|1544\|1864\|4021}} \|- id="content-type-request-header" \| Content-Type \|\| The [[Media type]] of the body of the request (used with POST and PUT requests). \|\| <code>Content-Type: application/x-www-form-urlencoded</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Cookie \|\| An [[HTTP cookie]] previously sent by the server with <code>[[#innerlink set-cookie\|Set-Cookie]]</code> (below). \|\| <code>Cookie: $Version=1; Skin=new;</code> \|\| Permanent: standard ~~\| Content-Length \|\| The length of the request body in [[Octet (computing)\|octets]] (8-bit bytes) \|\| <code>Content-Length: 348</code>~~ \|{{IETF RFC\|2965\|6265}} \|- id="Content-Length" \|- \| Date \|\| The date and time at which the message was originated (in "HTTP-date" format as defined by [[rfc:9110#section-5.6.7\|RFC 9110: HTTP Semantics, section 5.6.7 "Date/Time Formats"]]). \|\| <code>Date: Tue, 15 Nov 1994 08:12:31 GMT</code> \|\| Permanent ~~\| Content-Type \|\| The [[mime type]] of the body of the request (used with POST and PUT requests) \|\| <code>Content-Type: application/x-www-form-urlencoded</code>~~ \|{{IETF RFC\|9110}} \|- \| ~~Date~~Expect \|\| ~~The~~Indicates ~~date~~that ~~and~~particular ~~time~~server ~~that~~behaviors ~~the~~are ~~message~~required ~~was~~by ~~sent~~the client. \|\| <code>~~Date~~Expect: ~~Tue, 15 Nov 1994 08:12:31 GMT~~100-continue</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Forwarded \|\| Disclose original information of a client connecting to a web server through an HTTP proxy.<ref>{{cite journal ~~\| Expect \|\| Indicates that particular server behaviors are required by the client \|\| <code>Expect: 100-continue</code>~~ \|url=http://tools.ietf.org/html/rfc7239#section-1 \|title=Forwarded HTTP Extension: Introduction \|publisher=[[IETF]] \|date=June 2014 \|doi=10.17487/RFC7239 \|access-date=2016-01-07 \|last1=Petersson \|first1=A. \|last2=Nilsson \|first2=M. \|url-access=subscription }} </ref> \|\| <code>Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43</code> <code>Forwarded: for=192.0.2.43, for=198.51.100.17</code> \|\| Permanent \|{{IETF RFC\|7239\|}} \|- \| From \|\| The email address of the user making the request. \|\| <code>From: user@example.com</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \|- id="host-request-header" ~~\| Host \|\| The ___domain name of the server (for [[virtual hosting]]), mandatory since HTTP/1.1 \|\| <code>Host: en.wikipedia.org</code>~~ \| Host \|\| The ___domain name of the server (for [[virtual hosting]]), and the [[List of TCP and UDP port numbers\|TCP port]] number on which the server is listening. The [[Port (computer networking)\|port]] number may be omitted if the port is the standard port for the service requested. Mandatory since HTTP/1.1.<ref>{{cite ietf \|rfc=9110 \|title=HTTP Semantics \|section=7.2 \|sectionname=Host and :authority \|date=June 2022 }}</ref> If the request is generated directly in HTTP/2, it should not be used.<ref name="rfc9113_Request_Pseudo_Header_Fields">{{cite ietf \|rfc=9113 \|title=HTTP/2 \|section=8.3.1 \|sectionname=Request Pseudo-Header Fields \|date=June 2022 }}</ref> \| colspan="1"\| <code>Host: en.wikipedia.org:8080</code> <code>Host: en.wikipedia.org</code> \|Permanent \|{{IETF RFC\|9110\|9113}} \|- \|HTTP2-Settings \| If-Match \|\| Only perform the action if the client supplied entity matches the same entity on the server. This is mainly for methods like PUT to only update a resource if it has not been modified since the user last updated it. \|\| <code>If-Match: "737060cd8c284d8af7ad3082f209582d"</code> \|A request that upgrades from HTTP/1.1 to HTTP/2 MUST include exactly one <code>HTTP2-Settings</code> header field. The <code>HTTP2-Settings</code> header field is a connection-specific header field that includes parameters that govern the HTTP/2 connection, provided in anticipation of the server accepting the request to upgrade.<ref>{{Cite web\|url=https://www.iana.org/assignments/message-headers/message-headers.xml\|title=Message Headers\|website=www.iana.org\|access-date=2018-11-26}}</ref><ref>{{Cite ietf \|rfc=7540 \|title=Hypertext Transfer Protocol Version 2 (HTTP/2) \|section=3.2.1 \|sectionname=HTTP2-Settings Header Field}}</ref> \|<code>HTTP2-Settings: token64</code> \|Obsolete \|{{IETF RFC\|7540\|9113}} \|- \| If-Match \|\| Only perform the action if the client supplied entity matches the same entity on the server. This is mainly for methods like PUT to only update a resource if it has not been modified since the user last updated it. \|\| <code>If-Match: "737060cd8c284d8af7ad3082f209582d"</code> \|\| Permanent ~~\| If-Modified-Since \|\| Allows a ''304 Not Modified'' to be returned if content is unchanged \|\| <code>If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT</code>~~ \|{{IETF RFC\|9110}} \|- \| If-~~None~~Modified-~~Match~~Since \|\| Allows a ''304 Not Modified'' to be returned if content is unchanged~~, see [[HTTP ETag]]~~. \|\| <code>If-~~None~~Modified-~~Match~~Since: ~~"737060cd8c284d8af7ad3082f209582d"~~Sat, 29 Oct 1994 19:43:31 GMT</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| If-~~Range~~None-Match \|\| IfAllows ~~the~~a ~~entity~~''304 isNot ~~unchanged,~~Modified'' ~~send~~to mebe ~~the~~returned ~~part(s)~~if ~~that~~content Iis ~~am missing; otherwise~~unchanged, ~~send~~see me[[HTTP ~~the entire new entity~~ETag]]. \|\| <code>If-~~Range~~None-Match: "737060cd8c284d8af7ad3082f209582d"</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| If-~~Unmodified-Since~~Range \|\| ~~Only~~If the entity is unchanged, send me the ~~response~~part(s) ifthat ~~the~~I ~~entity~~am ~~has~~missing; ~~not~~otherwise, ~~been~~send ~~modified~~me ~~since~~the aentire ~~specific~~new ~~time~~entity. \|\| <code>If-~~Unmodified-Since~~Range: ~~Sat, 29 Oct 1994 19:43:31 GMT~~"737060cd8c284d8af7ad3082f209582d"</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| ~~Max~~style=white-~~Forwards~~space:nowrap \| If-Unmodified-Since \|\| ~~Limit~~Only send the ~~number~~response ~~of times~~if the ~~message~~entity ~~can~~has benot ~~forwarded~~been ~~through~~modified ~~proxies~~since ora ~~gateways~~specific time. \|\| <code>~~Max~~If-~~Forwards~~Unmodified-Since: 10Sat, 29 Oct 1994 19:43:31 GMT</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Max-Forwards \|\| Limit the number of times the message can be forwarded through proxies or gateways. \|\| <code>Max-Forwards: 10</code> \|\| Permanent ~~\| Pragma \|\| Implementation-specific headers that may have various effects anywhere along the request-response chain. \|\| <code>Pragma: no-cache</code>~~ \|{{IETF RFC\|9110}} \|- id="origin-request-header" \| Origin<ref name="CORS" /> \|\| Initiates a request for [[cross-origin resource sharing]] (asks server for [[#access-control-response-headers\|Access-Control-]] response fields). \|\| <code>Origin: <nowiki>http://www.example-social-network.com</nowiki></code> \|\| Permanent: standard \|{{IETF RFC\|6454}} \|- \| Pragma \|\| Implementation-specific fields that may have various effects anywhere along the request-response chain. \|\| <code>[[#Avoiding caching\|Pragma: no-cache]]</code> \|\| Outdated ~~\| Proxy-Authorization \|\| Authorization credentials for connecting to a proxy. \|\| <code>Proxy-Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</code>~~ \|{{IETF RFC\|9111}} \|- \|Prefer ~~\| Range \|\| Request only part of an entity. Bytes are numbered from 0.\|\| <code>Range: bytes=500-999</code>~~ \|Allows client to request that certain behaviors be employed by a server while processing a request. \|<code>Prefer: return=representation</code> \|Permanent \|{{IETF RFC\| 7240}} \|- \| Proxy-Authorization \|\| Authorization credentials for connecting to a proxy. \|\| <code>Proxy-Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==</code> \|\| Permanent \| [[HTTP referrer\|Referrer]] \|\| This is the address of the previous web page from which a link to the currently requested page was followed. \|\| <code><nowiki>Referer: http://en.wikipedia.org/wiki/Main_Page</nowiki></code> \|{{IETF RFC\|9110}} \|- id="range-request-header" \| {{anchor\|Range}} Range \|\| Request only part of an entity. Bytes are numbered from 0. See [[Byte serving]]. \|\| <code>Range: bytes=500-999</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| [[HTTP referer\|Referer]]{{sic}} \|\| This is the address of the previous web page from which a link to the currently requested page was followed. (The word "referrer" has been misspelled in the RFC as well as in most implementations to the point that it has become standard usage and is considered correct terminology.) \|\| <code><nowiki>Referer: http://en.wikipedia.org/wiki/Main_Page</nowiki></code> \|\| Permanent \| <span id='te-request-header'>TE</span> \|\| The transfer encodings the user agent is willing to accept: the same values as for the response header Transfer-Encoding can be used, plus the "trailers" value (related to the "[[chunked transfer encoding\|chunked]]" transfer method) to notify the server it accepts to receive additional headers (the trailers) after the last, zero-sized, chunk. \|\| <code>TE: trailers, [[deflate]]</code> \|{{IETF RFC\|9110}} \|- id="te-request-header" \| TE \|\| The transfer encodings the user agent is willing to accept: the same values as for the response header field Transfer-Encoding can be used, plus the "trailers" value (related to the "[[chunked transfer encoding\|chunked]]" transfer method) to notify the server it expects to receive additional fields in the trailer after the last, zero-sized, chunk. Only <code>trailers</code> is supported in HTTP/2.<ref name="rfc9113_connection"/> \|\| <code>TE: trailers, [[deflate]]</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \|Trailer ~~\| Upgrade \|\| Ask the server to upgrade to another protocol. \|\| <code>Upgrade: HTTP/2.0, SHTTP/1.3, IRC/6.9, RTA/x11</code>~~ \|The Trailer general field value indicates that the given set of header fields is present in the trailer of a message encoded with [[chunked transfer coding]]. \|<code>Trailer: Max-Forwards</code> \|Permanent \|{{IETF RFC\|9110}} \|- \|Transfer-Encoding ~~\| User-Agent \|\| The [[user agent]] string of the user agent \|\| <code>User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)</code>~~ \|The form of encoding used to safely transfer the entity to the user. [https://www.iana.org/assignments/http-parameters Currently defined methods] are: [[chunked transfer encoding\|chunked]], compress, deflate, gzip, identity. Must not be used with HTTP/2.<ref name="rfc9113_connection" /> \|<code>Transfer-Encoding: chunked</code> \|Permanent \|{{IETF RFC\|9110}} \|- \|- id="user-agent-request-header" ~~\| Via \|\| Informs the server of proxies through which the request was sent. \|\| <code>Via: 1.0 fred, 1.1 nowhere.com (Apache/1.1)</code>~~ \| [[User-Agent]] \|\| The [[user agent string]] of the user agent. \|\| <code>User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| [[Upgrade header\|Upgrade]] \|\| Ask the server to upgrade to another protocol. ~~\| Warning \|\| A general warning about possible problems with the entity body. \|\| <code>Warning: 199 Miscellaneous warning</code>~~ Must not be used in HTTP/2.<ref name="rfc9113_connection"/> \|\| <code>Upgrade: h2c, HTTPS/1.3, IRC/6.9, RTA/x11, websocket</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Via \|\| Informs the server of proxies through which the request was sent. \|\| <code>Via: 1.0 fred, 1.1 example.com (Apache/1.1)</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Warning \|\| A general warning about possible problems with the entity body. \|\| <code>Warning: 199 Miscellaneous warning</code> \|\| Obsolete<ref name="rfc9111_5.5">{{cite ietf \|rfc=9111 \|title=HTTP Caching \|section=5.5 \|sectionname=Warning header \|date=June 2022}}</ref> \|{{IETF RFC\|7234\|9111}} \|} {{anchor\|Common non-standard request headers}} ~~==Responses==~~ ===Common non-standard request fields=== {\| class="wikitable sortable" style="width: 100%; clear:right;" \|- ! Field name ! class="unsortable" \| Description ! class="unsortable" \| Example \|- \|{{nowrap\|Upgrade-Insecure-Requests}}<ref>{{cite web\|title=Upgrade Insecure Requests - W3C Candidate Recommendation\|url=https://www.w3.org/TR/upgrade-insecure-requests/#preference\|website=W3C\|access-date=14 January 2016\|date=8 October 2015}}</ref> \|\| Tells a server which (presumably in the middle of a HTTP -> HTTPS migration) hosts mixed content that the client would prefer redirection to HTTPS and can handle <code>Content-Security-Policy: upgrade-insecure-requests</code> \|\| <code class="nowrap">Upgrade-Insecure-Requests: 1</code> \|- id="Requested-With" \| style=white-space:nowrap \| X-Requested-With \|\| Mainly used to identify [[Ajax (programming)\|Ajax]] requests (most [[JavaScript framework]]s send this field with value of <code>XMLHttpRequest</code>); also identifies Android apps using WebView<ref>{{cite web \| url=https://www.stoutner.com/the-x-requested-with-header/ \| title=The "X-Requested-With" Header – Stoutner \| date=October 31, 2022 }}</ref> \|\| <code> X-Requested-With: XMLHttpRequest</code> \|- \| [[Do Not Track\|DNT]]<ref>{{cite web\|url=http://blog.sidstamm.com/2011/01/try-out-do-not-track-http-header.html \|title=Try out the "Do Not Track" HTTP header \|access-date=2011-01-31}}</ref> \|\| Requests a web application to disable their tracking of a user. This is Mozilla's version of the X-Do-Not-Track header field (since [[Mozilla Firefox 4\|Firefox 4.0]] Beta 11). [[Safari (web browser)\|Safari]] and [[Internet Explorer 9\|IE9]] also have support for this field.<ref>{{cite web\|url=http://blogs.msdn.com/b/ie/archive/2011/03/14/web-tracking-protection-minimum-standards-and-opportunities-to-innovate.aspx \|title=Web Tracking Protection: Minimum Standards and Opportunities to Innovate \|access-date=2011-03-24}}</ref> On March 7, 2011, a draft proposal was submitted to IETF.<ref>IETF [http://tools.ietf.org/html/draft-mayer-do-not-track-00 Do Not Track: A Universal Third-Party Web Tracking Opt Out] March 7, 2011</ref> The [[World Wide Web Consortium\|W3C]] Tracking Protection Working Group is producing a specification.<ref>W3C [http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html Tracking Preference Expression (DNT)], January 26, 2012</ref>\|\| <code>DNT: 1</code> (Do Not Track Enabled) <code>DNT: 0</code> (Do Not Track Disabled) \|- \| style=white-space:nowrap \| [[X-Forwarded-For]]<ref>{{cite web\|url=http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-3518b69c63e221cc3cd7885415e365ffaf3dd27f \|title=SquidFaq/ConfiguringSquid - Squid Web Proxy Wiki \|author=Amos Jeffries \|date=2010-07-02 \|access-date=2009-09-10}}</ref> \|\| A [[de facto standard\|''de facto'' standard]] for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. Superseded by ''Forwarded'' header. \|\| <code>X-Forwarded-For: client1, proxy1, proxy2</code> <code>X-Forwarded-For: 129.78.138.66, 129.78.64.103</code> \|- \| X-Forwarded-Host<ref>{{cite web\|url=http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#x-headers \|title=mod_proxy - Apache HTTP Server Version 2.2\|author=The Apache Software Foundation\|access-date=2014-11-12}}</ref> \|\| A [[de facto standard\|''de facto'' standard]] for identifying the original host requested by the client in the <code>Host</code> HTTP request header, since the host name and/or port of the reverse proxy (load balancer) may differ from the origin server handling the request. Superseded by ''Forwarded'' header. \|\| <code>X-Forwarded-Host: en.wikipedia.org:8080</code> <code>X-Forwarded-Host: en.wikipedia.org</code> \|- \| X-Forwarded-Proto<ref>{{cite web\|url=http://www.geekisp.com/faq/6_65_en.html \|title=How do I adjust my SSL site to work with GeekISP's loadbalancer? \|author=Dave Steinberg \|date=2007-04-10 \|access-date=2010-09-30}}</ref> \|\| A [[de facto standard\|''de facto'' standard]] for identifying the originating protocol of an HTTP request, since a reverse proxy (or a load balancer) may communicate with a web server using HTTP even if the request to the reverse proxy is HTTPS. An alternative form of the header (X-ProxyUser-Ip) is used by Google clients talking to Google servers. Superseded by ''Forwarded'' header. \|\| <code>X-Forwarded-Proto: https</code> \|- \| Front-End-Https<ref>{{cite web\|url=https://technet.microsoft.com/en-us/library/aa997519(v=exchg.65).aspx \|title=Helping to Secure Communication: Client to Front-End Server \|date=2006-07-27 \|access-date=2012-04-23}}</ref> \|\| Non-standard header field used by Microsoft applications and load-balancers \|\| <code>Front-End-Https: on</code> \|- \| X-Http-Method-Override<ref>{{cite web\|url=https://opensocial.github.io/spec/2.5.1/Core-API-Server.xml#rfc.section.2.1.1.1 \|title=OpenSocial Core API Server Specification 2.5.1 \|access-date=2014-10-08}}</ref> \|\| Requests a web application to override the method specified in the request (typically POST) with the method given in the header field (typically PUT or DELETE). This can be used when a user agent or firewall prevents PUT or DELETE methods from being sent directly (this is either a bug in the software component, which ought to be fixed, or an intentional configuration, in which case bypassing it may be the wrong thing to do). \|\| <code>X-HTTP-Method-Override: DELETE</code> \|- \| X-ATT-DeviceId<ref>{{cite web\|url=http://developer.att.com/developer/forward.jsp?passedItemId=5300270 \|title=ATT Device ID \|access-date=2012-01-14 \|archive-url=https://web.archive.org/web/20120216021736/http://developer.att.com/developer/forward.jsp?passedItemId=5300270 \|archive-date=2012-02-16}}</ref> \|\| Allows easier parsing of the MakeModel/Firmware that is usually found in the User-Agent String of AT&T Devices\|\| <code>X-Att-Deviceid: GT-P7320/P7320XXLPG</code> \|- \| X-Wap-Profile<ref>{{cite web\|url=http://www.developershome.com/wap/detection/detection.asp?page=profileHeader \|title=WAP Profile \|access-date=2012-01-14}}</ref> \|\| Links to an XML file on the Internet with a full description and details about the device currently connecting. In the example to the right is an XML file for an AT&T Samsung Galaxy S2.\|\| <code>x-wap-profile: http://wap.samsungmobile.com/uaprof/SGH-I777.xml</code> \|- \| Proxy-Connection<ref>{{cite web \|url=https://jdebp.eu/FGA/web-proxy-connection-header.html \|title=The Proxy-Connection: header is a mistake in how some web browsers use HTTP. \|access-date=2018-01-16\| last=de Boyne Pollard\| first=Jonathan\|year=2007 \| archive-url=https://web.archive.org/web/20161023162007/https://jdebp.eu/FGA/web-proxy-connection-header.html \| archive-date=2016-10-23 \| url-status=dead}}</ref> \|\| Implemented as a misunderstanding of the HTTP specifications. Common because of mistakes in implementations of early HTTP versions. Has exactly the same functionality as standard Connection field. Must not be used with HTTP/2.<ref name="rfc9113_connection" /> \|\| <code>Proxy-Connection: keep-alive</code> \|- \| X-UIDH<ref>{{cite web\|url=https://www.eff.org/deeplinks/2014/11/verizon-x-uidh\|title=Verizon Injecting Perma-Cookies to Track Mobile Customers, Bypassing Privacy Controls\|publisher=[[Electronic Frontier Foundation]]\|access-date=2014-01-19}}</ref><ref>{{cite web\|url=http://lessonslearned.org/sniff\|title=Checking known AT&T, Verizon, Sprint, Bell Canada & Vodacom Unique Identifier beacons\|access-date=2014-01-19}}</ref><ref>{{cite news\|url=https://www.washingtonpost.com/business/technology/verizon-atandt-tracking-their-users-with-super-cookies/2014/11/03/7bbbf382-6395-11e4-bb14-4cfea1e742d5_story.html\|title=Verizon, AT&T tracking their users with 'supercookies'\|author=Craig Timberg\|newspaper=The Washington Post\|access-date=2014-01-19}}</ref> \|\| Server-side [[deep packet inspection]] of a unique ID identifying customers of [[Verizon Wireless]]; also known as "perma-cookie" or "supercookie" \|\| <code>X-UIDH: ...</code> \|- \| X-Csrf-Token<ref>{{cite web\|url=https://help.sap.com/saphelp_nw74/helpdata/en/b3/5c22518bc72214e10000000a44176d/content.htm\|title=SAP Cross-Site Request Forgery Protection\|publisher=[[SAP SE]]\|access-date=2015-01-20}}</ref> \|\| Used to prevent [[cross-site request forgery]]. Alternative header names are: <code>X-CSRFToken</code><ref>{{cite web\|url=https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/\|title=Django Cross Site Request Forgery protection\|publisher=[[Django (web framework)]]\|access-date=2015-01-20\|archive-url=https://web.archive.org/web/20150120134602/https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/\|archive-date=January 20, 2015\|url-status=dead}}</ref> and <code>X-XSRF-TOKEN</code><ref>{{cite web\|url=https://docs.angularjs.org/api/ng/service/$http#cross-site-request-forgery-xsrf-protection\|title=Angular Cross Site Request Forgery (XSRF) Protection\|publisher=[[AngularJS]]\|access-date=2015-01-20}}</ref> \|\| <code>X-Csrf-Token: i8XNjC4b8KVok4uw5RftR38Wgp2BFwql</code> \|- \|X-Request-ID,<ref name="stackoverflow2" group="stackoverflow2" /><ref>{{cite web\|url=https://devcenter.heroku.com/articles/http-request-id\|title=HTTP Request IDs\|website=devcenter.heroku.com\|access-date=2022-03-22}}</ref> X-Correlation-ID,<ref>{{Cite news\|url=https://blog.rapid7.com/2016/12/23/the-value-of-correlation-ids/\|title=The Value of Correlation IDs\|date=2016-12-23\|work=Rapid7 Blog\|access-date=2018-04-13\|language=en}}</ref> Correlation-ID<ref>{{Cite web\|url=http://hilton.org.uk/blog/microservices-correlation-id\|title=Correlation IDs for microservices architectures - Peter Hilton\|last=Hilton\|first=Peter\|website=hilton.org.uk\|date=July 12, 2017 \|language=en\|access-date=2018-04-13}}</ref> \|Correlates HTTP requests between a client and server. Superseded by the traceparent header <ref>{{cite web\|url=https://www.w3.org/TR/trace-context/\|title=W3C Trace Context\|website=w3c.org\|access-date=2024-06-19}}</ref> \|<code class="nowrap">X-Request-ID: f058ebd6-02f7-4d3f-942e-904344e8cde5</code> \|- \|Save-Data<ref>{{cite web \|url=https://wicg.github.io/savedata/#save-data-request-header-field \|title=Save Data API Living Document Draft Community Group Report 2.1.1. Save-Data Request Header Field \|author=<!--Not stated--> \|date=30 June 2020 \|website=Web Platform Incubator Community Group \|access-date=2021-03-05}}</ref> \|The Save-Data client hint request header available in Chrome, Opera, and Yandex browsers lets developers deliver lighter, faster applications to users who opt-in to data saving mode in their browser. \|<code class="nowrap">Save-Data: on</code> \|- \|Sec-GPC<ref>{{cite web \|url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Sec-GPC \|title=Sec-GPC \|author=((MDN contributors)) \|date=3 Mar 2023 \|website=MDN Web Docs \|access-date=2023-03-12}}</ref> \|The Sec-GPC ([[Do Not Track#Global Privacy Controls\|Global Privacy Control]]{{Broken anchor\|date=2025-05-23\|bot=User:Cewbot/log/20201008/configuration\|target_link=Do Not Track#Global Privacy Controls\|reason= The anchor (Global Privacy Controls) [[Special:Diff/1232726086\|has been deleted]].\|diff_id=1232726086}}) request header indicates whether the user consents to a website or service selling or sharing their personal information with third parties. \|<code class="nowrap">Sec-GPC: 1</code> \|} ==Response fields== ===Standard response fields=== {\| class="wikitable sortable" style="width: 100%" \|- ! Field name ! class="unsortable" \| Description ! class="unsortable" \| Example ! Status !Standard \|- \| Accept-~~Ranges~~CH \|\| ~~What~~Requests ~~partial~~[[HTTP ~~content~~Client ~~range types this server supports~~Hints]] \|\| <code>Accept-~~Ranges~~CH: ~~bytes~~UA, Platform</code> \|\| Experimental \|{{IETF RFC\|8942}} \|- id="access-Control-response-headers" \| {{nowrap\|Access-Control-Allow-Origin,<br/>Access-Control-Allow-Credentials,<br />Access-Control-Expose-Headers,<br />Access-Control-Max-Age,<br />Access-Control-Allow-Methods,<br />Access-Control-Allow-Headers}}<ref name="CORS" /> \|\| Specifying which web sites can participate in [[cross-origin resource sharing]] \|\| <code>Access-Control-Allow-Origin: </code> \|\| {{nowrap\|Permanent: standard}} \|{{IETF RFC\|7480}} \|- id="accept-patch-response-header" \| Accept-Patch<ref>{{cite journal\|url=http://tools.ietf.org/html/rfc5789#section-3.1 \|title=RFC 5789 \|year=2010 \|doi=10.17487/RFC5789 \|access-date=2014-12-24\|last1=Dusseault \|first1=L. \|last2=Snell \|first2=J. \|s2cid=42062521 \|url-access=subscription }}</ref> \|\| Specifies which patch document formats this server supports \|\| <code>Accept-Patch: text/example;charset=utf-8</code> \|\| Permanent \|{{IETF RFC\|5789}} \|- id="accept-ranges-response-header" \| Accept-Ranges \|\| What partial content range types this server supports via [[byte serving]]\|\| <code>Accept-Ranges: bytes</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Age \|\| The age the object has been in a [[proxy ~~server\|proxy~~cache]] ~~cache~~ in seconds \|\| <code>Age: 12</code> \|\| Permanent \|{{IETF RFC\|9111}} \|- \| Allow \|\| Valid ~~actions~~methods for a specified resource. To be used for a ''405 Method not allowed'' \|\| <code>Allow: GET, HEAD</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Alt-Svc<ref>{{cite journal\|url=https://tools.ietf.org/html/rfc7838\|title=HTTP Alternative Services ~~\| Cache-Control \|\| Tells all caching mechanisms from server to client whether they may cache this object \|\| <code>Cache-Control: max-age=3600</code>~~ \|publisher=IETF\|date=April 2016\|doi=10.17487/RFC7838 \|access-date=2016-04-19\|last1=Nottingham \|first1=M. \|last2=McManus \|first2=P. \|last3=Reschke \|first3=J. \|doi-access=free \|url-access=subscription }}</ref> \|\| A server uses "Alt-Svc" header (meaning Alternative Services) to indicate that its resources can also be accessed at a different network ___location (host or port) or using a different protocol When using HTTP/2, servers should instead send an ALTSVC frame.<ref>{{cite journal\|url=https://tools.ietf.org/html/rfc7838#section-3\|title=HTTP Alternative Services, section 3 \|publisher=IETF\|date=April 2016\|doi=10.17487/RFC7838 \|access-date=2017-06-08\|last1=Nottingham \|first1=M. \|last2=McManus \|first2=P. \|last3=Reschke \|first3=J. \|doi-access=free \|url-access=subscription }}</ref> \|\| <code>Alt-Svc: http/1.1="http2.example.com:8001"; ma=7200</code> \|\| Permanent \| \|- \| [[Cache-Control]] \|\| Tells all caching mechanisms from server to client whether they may cache this object. It is measured in seconds\|\| <code>Cache-Control: max-age=3600</code> \|\| Permanent ~~\| [[HTTP compression\|Content-Encoding]] \|\| The type of encoding used on the data \|\| <code>Content-Encoding: gzip</code>~~ \|{{IETF RFC\|9111}} \|- \| Connection \|\| Control options for the current connection and list of hop-by-hop response fields.<ref name=rfc9110_connection /> ~~\| Content-Language \|\| The language the content is in \|\| <code>Content-Language: da</code>~~ Must not be used with HTTP/2.<ref name="rfc9113_connection" /> \|\| <code>Connection: close</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Content-Disposition<ref>{{cite journal\|url=http://tools.ietf.org/html/rfc6266 \|title=RFC 6266 \|year=2011 \|doi=10.17487/RFC6266 \|access-date=2015-03-13\|last1=Reschke \|first1=J. \|doi-access=free \|url-access=subscription }}</ref> \|\| An opportunity to raise a "File Download" dialogue box for a known MIME type with binary format or suggest a filename for dynamic content. Quotes are necessary with special characters. \|\| <code>Content-Disposition: attachment; filename="fname.ext"</code> \|\| Permanent ~~\| <span id='content-length-response-header'>Content-Length</span> \|\| The length of the response body in [[Octet (computing)\|octets]] (8-bit bytes)\|\| <code>Content-Length: 348</code>~~ \|{{IETF RFC\|2616\|4021\|6266}} \|- \|- id="content-encoding-response-header" ~~\| Content-Location \|\| An alternate ___location for the returned data \|\| <code>Content-Location: /index.htm</code>~~ \| Content-Encoding \|\| The type of encoding used on the data. See [[HTTP compression]]. \|\| <code>Content-Encoding: gzip</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Content-Language \|\| The natural language or languages of the intended audience for the enclosed content<ref>{{cite ietf \|date=June 2022 \|rfc=9110 \|title=HTTP Semantics \|section=8.5 \|sectionname=Content-Language}}</ref> \|\| <code>Content-Language: da</code> \|\| Permanent ~~\| Content-Disposition \|\| An opportunity to raise a "File Download" dialogue box for a known MIME type \|\| <code>Content-Disposition: attachment; filename=fname.ext</code>~~ \|{{IETF RFC\|9110}} \|- id="content-length-response-header" \| Content-Length \|\| The length of the response body in [[Octet (computing)\|octets]] (8-bit bytes)\|\| <code>Content-Length: 348</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Content-~~MD5~~Location \|\| AAn ~~[[Base64]]-encoded binary [[MD5]]~~alternate ~~sum~~___location offor the ~~content~~returned ~~of the response~~data \|\| <code>Content-~~MD5~~Location: ~~Q2hlY2sgSW50ZWdyaXR5IQ==~~/index.htm</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Content-~~Range~~MD5 \|\| ~~Where~~A in[[Base64]]-encoded abinary ~~full~~[[MD5]] ~~body~~sum ~~message~~of ~~this~~the ~~partial~~content ~~message~~of ~~belongs~~the response \|\| <code>Content-~~Range~~MD5: ~~bytes 21010-47021/47022~~Q2hlY2sgSW50ZWdyaXR5IQ==</code> \|\| Obsolete<ref name="7231_appendixB"/> \|{{IETF RFC\|1544\|1864\|4021}} \|- id="content-range-response-header" \| Content-Range \|\| Where in a full body message this partial message belongs \|\| <code>Content-Range: bytes 21010-47021/47022</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- id="content-type-response-header" \| Content-Type \|\| The [[MIME type]] of this content \|\| <code>Content-Type: text/html; charset=utf-8</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Date \|\| The date and time that the message was sent (in "HTTP-date" format as defined by RFC 9110) \|\| <code>Date: Tue, 15 Nov 1994 08:12:31 GMT</code> \|\| Permanent ~~\| Content-Type \|\| The [[mime type]] of this content \|\| <code>Content-Type: text/html; charset=utf-8</code>~~ \|{{IETF RFC\|9110}} \|- \| ~~Date~~Delta-Base \|\| ~~The~~Specifies ~~date~~the ~~and~~delta-encoding ~~time~~entity ~~that~~tag of the ~~message~~response.<ref ~~was sent~~name="rfc3229"/> \|\| <code>~~Date~~Delta-Base: ~~Tue, 15 Nov 1994 08:12:31 GMT~~"abc"</code> \|\| Permanent \|{{IETF RFC\|3229}} \|- \| [[HTTP ETag\|ETag]] \|\| An identifier for a specific version of a resource, often a [[~~Hash~~message ~~function\|Message Digest]], see [[HTTP ETag\|ETag~~digest]] \|\| <code>ETag: "737060cd8c284d8af7ad3082f209582d"</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- id="Expires" \| Expires \|\| Gives the date/time after which the response is considered stale (in "HTTP-date" format as defined by RFC 9110) \|\| <code>Expires: Thu, 01 Dec 1994 16:00:00 GMT</code> \|\| Permanent: standard \|{{IETF RFC\|9111}} \|- \| ~~Expires~~IM \|\| ~~Gives~~Instance-manipulations ~~the date/time after~~applied ~~which~~to the response.<ref ~~is considered stale~~name="rfc3229"/> \|\| <code>~~Expires~~IM: ~~Thu, 01 Dec 1994 16:00:00 GMT~~feed</code> \|\| Permanent \|{{IETF RFC\|3229}} \|- \| Last-Modified \|\| The last modified date for the requested object, (in ~~[http://www.ietf.org/rfc/rfc2822.txt~~"HTTP-date" ~~RFC~~format ~~2822~~as ~~format]~~defined by RFC 9110) \|\| <code>Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Link \|\| Used to express a typed relationship with another resource, where the relation type is defined by ~~[http://www.ietf.org/rfc/rfc5988.txt~~ RFC ~~5988]~~ 8288\|\| <code>Link: </feed>; rel="alternate"</code><ref name="google_canonical">[https://support.google.com/webmasters/bin/answer.py?hl=en&answer=139394 Indicate the canonical version of a URL by responding with the Link rel="canonical" HTTP header] Retrieved: 2012-02-09</ref> \|\| Permanent \|{{IETF RFC\|8288}} \|- \| [[HTTP ___location\|Location]] \|\| Used in [[URL redirection\|redirection]], or when a new resource has been created. \|\| * Example 1: <code>Location: <nowiki>http://www.w3.org/pub/WWW/People.html</nowiki></code> * Example 2: <code>Location: <nowiki>/pub/WWW/People.html</nowiki></code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| [[P3P]] \|\| This ~~header~~field is supposed to set [[P3P]] policy, in the form of <code>P3P:CP="your_compact_policy"</code>. However, P3P did not take off,<ref>W3C [http://www.w3.org/P3P P3P Work Suspended]</ref>, most browsers have never fully implemented it, a lot of websites set this ~~header~~field with fake policy text, that was enough to fool browsers the existence of P3P policy and grant permissions for [[~~HTTP_cookie#Third-party_cookie\|~~third party ~~cookies~~cookie]]s. \|\| <code>P3P: CP="This is not a P3P policy! See <nowiki>~~http~~https://~~www~~en.~~google~~wikipedia.~~com~~org/~~support~~wiki/~~accounts/bin~~Special:CentralAutoLogin/~~answer.py?hl=en&answer=151657~~P3P</nowiki> for more info."</code> \|\| Permanent \| \|- \| Pragma \|\| Implementation-specific ~~headers~~fields that may have various effects anywhere along the request-response chain. \|\| <code>Pragma: no-cache</code> \|\| Permanent \|{{IETF RFC\|9111}} \|- \|Preference-Applied ~~\| Proxy-Authenticate \|\| Request authentication to access the proxy. \|\| <code>Proxy-Authenticate: Basic</code>~~ \|Indicates which Prefer tokens were honored by the server and applied to the processing of the request. \|<code>Preference-Applied: return=representation</code> \|Permanent \|RFC 7240 \|- \| Proxy-Authenticate \|\| Request authentication to access the proxy. \|\| <code>Proxy-Authenticate: Basic</code> \|\| Permanent \| [[HTTP refresh\|Refresh]] \|\| Used in redirection, or when a new resource has been created. This refresh redirects after 5 seconds.<br/>(This is a proprietary/non-standard header extension introduced by Netscape and supported by most web browsers.) \|\| <code>Refresh: 5; url=<nowiki>http://www.w3.org/pub/WWW/People.html</nowiki></code> \|{{IETF RFC\|9110}} \|- id="PKP" \| Public-Key-Pins<ref>{{cite web \| url=http://www.rfc-editor.org/rfc/rfc7469.txt \| title=Public Key Pinning Extension for HTTP \| publisher=IETF \| access-date=17 April 2015}}</ref> \|\| [[HTTP Public Key Pinning]], announces hash of website's authentic [[Transport Layer Security\|TLS]] certificate \|\| <code>Public-Key-Pins: max-age=2592000; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=";</code> \|\| Permanent \|{{IETF RFC\|7469}} \|- \| Retry-After \|\| If an entity is temporarily unavailable, this instructs the client to try again ~~after~~later. Value could be a specified period of time (in seconds) or a HTTP-date.<ref>{{cite ietf \|date=June 2022 \|rfc=9110 ~~<code>~~\|title=HTTP Semantics \|section=10.2.3 \|sectionname=Retry-After~~: 120~~}}</~~code~~ref> \| * Example 1: <code>Retry-After: 120</code> * Example 2: <code>Retry-After: Fri, 07 Nov 2014 23:59:59 GMT</code> \| Permanent \|{{IETF RFC\|9110}} \|- \| Server \|\| A name for the server \|\| <code>Server: Apache/12.34.271 (Unix~~) (Red-Hat/Linux~~)</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| id="innerlink_set-cookie" \| Set-Cookie \|\| anAn [[HTTP cookie]] \|\| <code>Set-Cookie: ~~UserID~~CookieName=~~JohnDoe~~CookieValue; Max-Age=3600; Version=1</code> \|\| Permanent: standard \|{{IETF RFC\|6265}} \|- \| [[HTTP Strict Transport Security\|Strict-Transport-Security]] \|\| A HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains. \|\| <code>Strict-Transport-Security: max-age=16070400; includeSubDomains</code> \|\| Permanent: standard \| <span id='trailer-response-header'>Trailer</span> \|\| The Trailer general field value indicates that the given set of header fields is present in the trailer of a message encoded with [[chunked transfer encoding\|chunked transfer-coding]]. \|\| <code>Trailer: Max-Forwards</code> \| \|- id="trailer-response-header" \| Trailer \|\| The Trailer general field value indicates that the given set of header fields is present in the trailer of a message encoded with [[chunked transfer coding]]. \|\| <code>Trailer: Max-Forwards</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- id="transfer-encoding-response-header" \| Transfer-Encoding \|\| The form of encoding used to safely transfer the entity to the user. [https://www.iana.org/assignments/http-parameters Currently defined methods] are: [[chunked transfer encoding\|chunked]], compress, deflate, gzip, identity. Must not be used with HTTP/2.<ref name="rfc9113_connection" /> \|\| <code>Transfer-Encoding: chunked</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \|Tk \| <span id='transfer-encoding-response-header'>Transfer-Encoding</span> \|\| The form of encoding used to safely transfer the entity to the user. [http://www.iana.org/assignments/http-parameters Currently defined methods] are: [[chunked transfer encoding\|chunked]], compress, deflate, gzip, identity. \|\| <code>Transfer-Encoding: [[chunked transfer encoding\|chunked]]</code> \|Tracking Status header, value suggested to be sent in response to a DNT(do-not-track), possible values: "!" — under construction "?" — dynamic "G" — gateway to multiple parties "N" — not tracking "T" — tracking "C" — tracking with consent "P" — tracking only if consented "D" — disregarding DNT "U" — updated \|<code>Tk: ?</code> \|Permanent \| \|- \| [[Upgrade header\|Upgrade]] \|\| Ask the client to upgrade to another protocol. \| Vary \|\| Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server. \|\| <code>Vary: </code> Must not be used in HTTP/2<ref name="rfc9113_connection" /> \|\| <code>Upgrade: h2c, HTTPS/1.3, IRC/6.9, RTA/x11, websocket</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Vary \|\| Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server. \|\| ~~\| Via \|\| Informs the client of proxies through which the response was sent. \|\| <code>Via: 1.0 fred, 1.1 nowhere.com (Apache/1.1)</code>~~ Example 1: <code>Vary: </code> Example 2: <code>Vary: Accept-Language</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| ~~Warning~~Via \|\| AInforms ~~general~~the ~~warning~~client ~~about~~of ~~possible~~proxies ~~problems~~through ~~with~~which the ~~entity~~response ~~body~~was sent. \|\| <code>~~Warning~~Via: ~~199~~1.0 ~~Miscellaneous~~fred, ~~warning~~1.1 example.com (Apache/1.1)</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- \| Warning \|\| A general warning about possible problems with the entity body. \|\| <code>Warning: 199 Miscellaneous warning</code> \|\| Obsolete<ref name="rfc9111_5.5" /> ~~\| WWW-Authenticate \|\| Indicates the authentication scheme that should be used to access the requested entity. \|\| <code>WWW-Authenticate: Basic</code>~~ \|{{IETF RFC\|7234\|9111}} \|- id="www-authenticate-response-header" \| WWW-Authenticate \|\| Indicates the authentication scheme that should be used to access the requested entity. \|\| <code>WWW-Authenticate: Basic</code> \|\| Permanent \|{{IETF RFC\|9110}} \|- id="Frame-Options" \| X-Frame-Options<ref>{{cite journal\|url=https://tools.ietf.org/html/rfc7034\|title=HTTP Header Field X-Frame-Options \|year=2013 \|publisher=IETF \|doi=10.17487/RFC7034 \|access-date=2014-06-12\|last1=Ross \|first1=D. \|last2=Gondrom \|first2=T. \|doi-access=free }}</ref> \|\| [[Clickjacking]] protection: <code>deny</code> - no rendering within a frame, <code>sameorigin</code> - no rendering if origin mismatch, <code>allow-from</code> - allow from specified ___location, <code>allowall</code> - non-standard, allow from any ___location \|\| <code> X-Frame-Options: deny</code> \|\| Obsolete<ref>{{cite web\|url=http://www.w3.org/TR/CSP11/#frame-ancestors-and-frame-options \|title=Content Security Policy Level 2 \|access-date=2014-08-02}}</ref> \| \|} ===Common non-standard ~~headers~~response fields=== Non-standard headers can be used, with the convention of prefixing the header name with <code>X-</code> .<ref>{{Cite web\|url=http://www.httpwatch.com/httpgallery/headers/ \|title=2. HTTP Headers \|author=Simtec Limited \|date= \|accessdate=2010-09-10}}</ref> {\| class="wikitable sortable" style="width: 100%; clear:right;" \|- ! Field name ! class="unsortable" \| Description ! class="unsortable" \| Example \|- \| Content-Security-Policy,<br />X-Content-Security-Policy,<br />X-WebKit-CSP<ref>{{cite web\|url=http://www.w3.org/TR/CSP/\|title=Content Security Policy \|publisher=W3C \|year=2012\|access-date=28 April 2017}}</ref> \| X-Frame-Options<ref>{{Cite web\|url=http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx \|title=IE8 Security Part VII: ClickJacking Defenses \|author=Eric Lawrence \|date=2009-01-27 \|accessdate=2009-06-10}}</ref> \|\| [[Clickjacking]] protection: "deny" - no rendering within a frame, "sameorigin" - no rendering if origin mismatch \|\| <code> X-Frame-Options: deny</code> \|[[Content Security Policy]] definition. \|<code class="nowrap">X-WebKit-CSP: default-src 'self'</code> \|- \| Expect-CT<ref>{{cite web\|url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expect-CT\|title=Expect-CT\|website=Mozilla Developer Network\|language=en-US\|access-date=2021-07-23}}</ref> \| X-XSS-Protection<ref>{{Cite web\|url=http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx \|title=IE8 Security Part IV: The XSS Filter \|author=Eric Lawrence \|date=2008-07-02 \|accessdate=2010-09-30}}</ref> \|\| [[Cross-site scripting]] (XSS) filter \|\| <code>X-XSS-Protection: 1; mode=block</code> \| Notify to prefer to enforce [[Certificate Transparency]]. \|<code>Expect-CT: max-age=604800, enforce, report-uri="https://example.example/report"</code> \|- \| NEL<ref>{{cite web\|url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/NEL/\|title=NEL\|website=Mozilla Developer Network\|language=en-US\|year=2021\|access-date=2021-05-18}}</ref> \|\| Used to configure network request logging. \|\| {{code\|2=yaml\|1=NEL: { "report_to": "name_of_reporting_group", "max_age": 12345, "include_subdomains": false, "success_fraction": 0.0, "failure_fraction": 1.0 } }} \| X-Content-Type-Options<ref>{{Cite web\|url=http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx \|title=IE8 Security Part VI: Beta 2 Update \|author=Eric Lawrence \|date=2008-09-03 \|accessdate=2010-09-28}}</ref> \|\| the only defined value, "nosniff", prevents [[Internet Explorer]] from MIME-sniffing a response away from the declared content-type \|\| <code> X-Content-Type-Options: nosniff </code> \|- \| Permissions-Policy<ref>{{cite web\|url=https://www.w3.org/TR/permissions-policy/\|title=Permissions Policy \| publisher=W3C\|year=2020\|access-date=2021-05-01}}</ref> \|\| To allow or disable different features or APIs of the browser. \|\| <code>Permissions-Policy: fullscreen=(), camera=(), microphone=(), geolocation=(), interest-cohort=()<ref>{{cite web\|url=https://amifloced.org/\|title=Am I FLoCed?\|publisher=EFF\|year=2021\|access-date=2021-05-01}}</ref></code> \| X-Requested-With<ref>{{Cite web\|url=http://docs.djangoproject.com/en/1.2/ref/contrib/csrf/ \|title=Cross Site Request Forgery protection \|author=Django Software Foundation \|date= \|accessdate=2009-09-10}}</ref> \|\| mainly used to identify [[Ajax (programming)\|Ajax]] requests. Most [[JavaScript]] [[Software framework\|frameworks]] send this header with value of <code>XMLHttpRequest</code> \|\| <code> X-Requested-With: XMLHttpRequest</code> \|- id="Refresh" \| Refresh \|\| Tells the browser to [[Meta refresh\|refresh]] the page or [[URL_redirection#Refresh_Meta_tag_and_HTTP_refresh_header\|redirect]] to a different URL, after a given number of seconds (<code>0</code> meaning immediately); {{clarify \|text=or when a new resource has been created\|date=August 2024}}. Header introduced by Netscape in 1995 and became a de facto standard supported by most web browsers. Eventually standardized in the HTML Living Standard in 2017.<ref>{{cite web \|url=https://github.com/whatwg/html/pull/2892 \|title=Define the HTTP Refresh header by annevk · Pull Request #2892 · whatwg/html \|date=2017-08-09 \|website=GitHub \|access-date=2021-04-17 \|quote=}}</ref> \|\| <code>Refresh: 5; url=<span class="plainlinks">http://www.w3.org/pub/WWW/People.html</span></code> \|- \| Report-To<ref>{{cite web\|url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to\|title=CSP: report-to \|website=Mozilla Developer Network\|language=en-US\|year=2021\|access-date=2021-05-18}}</ref> \|\| Instructs the user agent to store reporting endpoints for an origin. \|\| {{code\|2=yaml\|1=Report-To: { "group": "csp-endpoint", "max_age": 10886400, "endpoints": [ { "url": "https-url-of-site-which-collects-reports" } ] } }} \| [[X-Forwarded-For]]<ref>{{Cite web\|url=http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-3518b69c63e221cc3cd7885415e365ffaf3dd27f \|title=SquidFaq/ConfiguringSquid - Squid Web Proxy Wiki \|author=Amos Jeffries \|date=2010-07-02 \|accessdate=2009-09-10}}</ref> \|\| a de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer \|\| <code> X-Forwarded-For: client1, proxy1, proxy2</code> \|- \| Status \|\| [[Common Gateway Interface\|CGI]] header field specifying the [[HTTP status\|status]] of the HTTP response. Normal HTTP responses use a separate "Status-Line" instead, defined by RFC 9110.<ref> \| X-Forwarded-Proto<ref>{{Cite web\|url=http://www.geekisp.com/faq/6_65_en.html \|title=How do I adjust my SSL site to work with GeekISP's loadbalancer? \|author=Dave Steinberg \|date=2007-04-10 \|accessdate=2010-09-30}}</ref> \|\| a de facto standard for identifying the originating protocol of an HTTP request, since a reverse proxy (load balancer) communicates with a web server using HTTP \|\| <code>X-Forwarded-Proto: https</code> {{IETF RFC\|9110\|link=no}}: HTTP Semantics</ref> \| <code>Status: 200 OK </code> \|- \|Timing-Allow-Origin \| X-Powered-By<ref>{{Cite web\|url=http://stackoverflow.com/questions/1288338/why-does-asp-net-framework-add-the-x-powered-byasp-net-http-header-in-response \|title=Why does ASP.NET framework add the 'X-Powered-By:ASP.NET' HTTP Header in responses? - Stack Overflow \|accessdate=2010-09-30}}</ref> \|\| specifies the technology (ASP.NET, PHP, JBoss, e.g.) supporting the web application (version details are often in <code>X-Runtime</code>, <code>X-Version</code>, or <code>X-AspNet-Version</code>) \|\| <code>X-Powered-By: PHP/5.2.1</code> \|The <code>Timing-Allow-Origin</code> response header specifies origins that are allowed to see values of attributes retrieved via features of the [https://developer.mozilla.org/en-US/docs/Web/API/Resource_Timing_API Resource Timing API], which would otherwise be reported as zero due to cross-origin restrictions.<ref>{{Cite web\|url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin\|title=Timing-Allow-Origin\|website=Mozilla Developer Network\|language=en-US\|access-date=2018-01-25}}</ref> \|<code>Timing-Allow-Origin: </code> <code>Timing-Allow-Origin: <origin>[, <origin>]</code> \|- \|X-Content-Duration<ref>{{cite web\|url=https://developer.mozilla.org/en-US/docs/Web/HTTP/Configuring_servers_for_Ogg_media#Serve_X-Content-Duration_headers \|title=Configuring servers for Ogg media \|date=2014-05-26 \|access-date=2015-01-03}}</ref> \|\| Provide the duration of the audio or video in seconds. Not supported by current browsers – the header was only supported by Gecko browsers, from which support was removed in 2015.<ref>{{cite web\|url=https://bugzilla.mozilla.org/show_bug.cgi?id=1160695\|title=Clean up duration tracking and use mirroring for cross-thread access\|website=Bugzilla@Mozilla\|access-date=2024-02-09}}</ref> \|\| <code class="nowrap">X-Content-Duration: 42.666</code> \| X-Do-Not-Track<ref>{{Cite web\|url=http://hackademix.net/2010/12/28/x-do-not-track-support-in-noscript/ \|title=X-Do-Not-Track support in NoScript \|accessdate=2010-12-28}}</ref> \|\| Requests a web application to disable their tracking of a user. Note that, as of yet, this is largely ignored by web applications. It does however open the door to future legislation requiring web applications to comply with a user's request to not be tracked. Mozilla implements the DNT header with a similar purpose. \|\| <code>X-Do-Not-Track: 1</code> \|- \| X-Content-Type-Options<ref>{{cite web\|url=http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx \|title=IE8 Security Part VI: Beta 2 Update \|author=Eric Lawrence \|date=2008-09-03 \|access-date=2010-09-28}}</ref> \|\| The only defined value, "nosniff", prevents [[Internet Explorer]] from MIME-sniffing a response away from the declared content-type. This also applies to [[Google Chrome]], when downloading extensions.<ref>{{cite web\|url=https://code.google.com/chrome/extensions/hosting.html \|title=Hosting - Google Chrome Extensions - Google Code \|access-date=2012-06-14}}</ref> \|\| <code class="nowrap">X-Content-Type-Options: nosniff</code><ref name="whatwg-fetch-xcto">{{cite web \|url=https://fetch.spec.whatwg.org/#x-content-type-options-header \|title=Fetch standard \|last1=van Kesteren \|first1=Anne \|date=2016-08-26 \|website=WHATWG \|access-date=2016-08-26 \|url-status=live \|archive-url=https://web.archive.org/web/20160826132911/https://fetch.spec.whatwg.org/#x-content-type-options-header \|archive-date=2016-08-26}}</ref> \| DNT<ref>{{Cite web\|url=http://blog.sidstamm.com/2011/01/try-out-do-not-track-http-header.html \|title=Try out the "Do Not Track" HTTP header \|accessdate=2011-01-31}}</ref> \|\| Requests a web application to disable their tracking of a user. This is Mozilla's version of the X-Do-Not-Track header (since [[Mozilla Firefox 4\|Firefox 4.0]] Beta 11). IE9 also has support for this header.<ref>[http://www.informationweek.com/news/internet/browsers/showArticle.jhtml?articleID=229301209] </ref>. On March 7, 2011, a draft proposal was submitted to IETF<ref>IETF [http://tools.ietf.org/html/draft-mayer-do-not-track-00 Do Not Track: A Universal Third-Party Web Tracking Opt Out] March 7, 2011</ref>. \|\| <code>DNT: 1</code> \|- id="Powered-By" \| X-Powered-By<ref name="stackoverflow1" group="stackoverflow1">{{cite web\|url=https://stackoverflow.com/questions/1288338/why-does-asp-net-framework-add-the-x-powered-byasp-net-http-header-in-response \|title=Why does ASP.NET framework add the 'X-Powered-By:ASP.NET' HTTP Header in responses? - Stack Overflow \|access-date=2022-03-20 \|ref=stackoverflow1}}</ref> \|\| Specifies the technology (e.g. ASP.NET, PHP, JBoss) supporting the web application (version details are often in <code class="nowrap">X-Runtime</code>, <code class="nowrap">X-Version</code>, or <code class="nowrap">X-AspNet-Version</code>) \|\| <code class="nowrap">X-Powered-By: PHP/5.4.0</code> \|- \|X-Redirect-By<ref>{{cite web\|url=https://webtechsurvey.com/response-header/x-redirect-by \|title=X-Redirect-By HTTP response header \|access-date=2021-05-29}}</ref> \|Specifies the component that is responsible for a particular redirect. \|<code class="nowrap">X-Redirect-By: WordPress</code><br><code class="nowrap">X-Redirect-By: Polylang</code> \|- \|X-Request-ID, X-Correlation-ID<ref name="stackoverflow2" group="stackoverflow2">{{Cite web \|date= \|title=What is the X-REQUEST-ID http header? \|url=https://stackoverflow.com/questions/25433258/what-is-the-x-request-id-http-header \|access-date=2022-03-20 \|ref=stackoverflow2}}</ref> \|Correlates HTTP requests between a client and server. \|<code class="nowrap">X-Request-ID: f058ebd6-02f7-4d3f-942e-904344e8cde5</code> \|- \| X-UA-Compatible<ref>{{cite web\|url=http://msdn.microsoft.com/en-us/library/ie/cc288325%28v=vs.85%29.aspx#SetMode \|title=Defining Document Compatibility: Specifying Document Compatibility Modes \|date=2011-04-01 \|access-date=2012-01-24 }}</ref> \|\| Recommends the preferred rendering engine (often a backward-compatibility mode) to use to display the content. Also used to activate [[Chrome Frame]] in Internet Explorer. In HTML Standard, only the <code>IE=edge</code> value is defined.<ref>{{cite web \|url=https://html.spec.whatwg.org/multipage/semantics.html#attr-meta-http-equiv-x-ua-compatible \|title=HTML Living Standard 4.2.5.3 Pragma directives, X-UA-Compatible state \|date=2021-03-12 \|website=WHATWG \|access-date=2021-03-14 \|quote=For meta elements with an http-equiv attribute in the X-UA-Compatible state, the content attribute must have a value that is an ASCII case-insensitive match for the string<code>"IE=edge"</code>.}}</ref> \|\| <code class="nowrap">X-UA-Compatible: IE=edge</code><br><code class="nowrap">X-UA-Compatible: IE=EmulateIE7</code><br><code class="nowrap">X-UA-Compatible: Chrome=1</code> \|- \| X-XSS-Protection<ref>{{cite web\|url=http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx \|title=IE8 Security Part IV: The XSS Filter \|author=Eric Lawrence \|date=2008-07-02 \|access-date=2010-09-30}}</ref> \|\| [[Cross-site scripting]] (XSS) filter \|\| <code class="nowrap">X-XSS-Protection: 1; mode=block</code> \|} ==Effects of selected ~~HTTP header~~ fields== ===Avoiding caching=== If ~~the~~a web server responds with <code>Cache-Control: no-cache</code> then a web browser or other [[HTTP cache\|caching system]] (intermediate proxies) must not use the response to satisfy subsequent ~~responses~~requests without first checking with the originating server (this process is called validation). This header field is part of HTTP/ version 1.1, and is ignored by some caches and browsers. ToIt ~~make~~may ~~sure~~be ~~that~~simulated ~~an object is not cached, it is therefore~~by ~~sensible to also set~~setting the <code>Expires</code> HTTP version 1.0 header field value to a ~~value~~time earlier than the response ~~date~~time. ~~(e.g~~Notice that no-cache is not instructing the browser or proxies about whether or not to cache the content. It just tells the browser and proxies to validate the cache content with the server before using it (this is done by using If-1Modified-Since, If-Unmodified-Since, If-Match, If-None-Match attributes mentioned above). Sending ~~This~~a isno-cache ~~interpreted~~value asthus aninstructs ~~instruction~~a ~~not~~browser or proxy to not use the cache bycontents ~~HTTP/1~~merely based on "freshness criteria" of the cache content. Another common way to prevent old content from being shown to the user without validation is <code>Cache-Control: max-age=0</code>. ~~caches~~This instructs the user agent that the content is stale and ~~browsers~~should be validated before use. The header field <code>Cache-Control: no-store</code> is intended to instruct a browser application to make a best effort not to write it to disk (i.e not to cache it). The fact that a resource is not to be cached is no guarantee that it will not be written to disk. In particular, the HTTP/1.1 definition draws a distinction between history stores and caches. If you use navigation buttons to go back to a previous page a browser may still show you a page that has been stored on disk in the history store, even if it has been instructed not to cache that page. This is correct behaviour according to the specification. Many user agents (including both Firefox and IE) will show different behaviour with regards to loading something from history store and loading something from its cache depending on whether the protocol is http or https. The request that a resource should not be cached is no guarantee that it will not be written to disk. In particular, the HTTP/1.1 definition draws a distinction between history stores and caches. If the user navigates back to a previous page a browser may still show you a page that has been stored on disk in the history store. This is correct behavior according to the specification. Many user agents show different behavior in loading pages from the history store or cache depending on whether the protocol is HTTP or HTTPS. In the rare event that you specifically do not want a resource to be stored to disk anywhere - perhaps the resource is highly sensitive and you don't want it to appear in backups or to be written to insecure permanent storage - you can use the header <code>Cache-Control: no-store</code>. This does not guarantee that the resource will not be written, but instructs the browser to make a best effort not to write it, or in the worst case, that it does not remain on disk. The <code>~~Pragma~~Cache-Control: no-cache</code> ~~header is an~~ HTTP/1.01 header field is also intended for use in requests. made by the client. It is a means for the browser to tell the server and any intermediate caches that it wants a fresh version of the resource. The <code>Pragma: no-cache</code> header field, ~~not~~defined ~~for~~in the ~~server~~HTTP/1.0 tospec, ~~tell~~has the ~~browser~~same purpose. It, however, is only defined for the request header. Its meaning in a response header is not tospecified.<ref>{{cite ietf \|date=June 2022 \|rfc=9111 \|title=HTTP Caching \|section=5.4 \|sectionname=Pragme}}</ref> The behavior of <code>Pragma: no-cache</code> ~~the~~in ~~resource~~a response is implementation specific. While ~~Some~~some user agents do pay attention to this ~~header~~field in responses,<ref (ename="Q234067">{{cite web\|url= https://support.gmicrosoft.com/en-us/kb/234067/ ~~some~~\|title=How ~~versions~~to ofprevent ~~IE,~~caching ~~but~~in ~~only~~Internet ~~when~~Explorer ~~using~~\|publisher=[[Microsoft]] ~~https),~~\|date=2011-09-22 ~~but~~\|access-date=2015-04-15}}</ref> the HTTP/1.1 RFC specifically warns against relying on this ~~behaviour~~behavior. ==~~=Compression=~~See also== * [[HTTP header injection]] * [[HTTP ETag]] If Internet Explorer (tested up to version 8) is set to use HTTP/1.0 rather than HTTP/1.1, it will not send an <code>Accept-Encoding:</code> header. It will, as a result, ignore any <code>Content-Encoding</code> headers that it sees, and will not decompress compressed content. Enabling HTTP/1.1 in Internet Explorer sends the <code>Accept-Encoding:</code> header, and decompresses the response correctly. * [[List of HTTP status codes]] ==References== {{~~Reflist~~reflist}} {{CCBYSASource * RFC 4229: HTTP Header Field Registrations. December 2005 (contains a more complete list of HTTP headers) \|sourcepath = https://stackoverflow.com/q/25433258 \|sourcearticle = What is the X-REQUEST-ID http header? \|revision = 27174552 \|author(s) = [https://stackoverflow.com/users/693140/stefan-k%c3%b6gl Stefan Kögl] at Stack Exchange }} {{reflist\|group=stackoverflow2}} {{CCBYSASource \|sourcepath = https://stackoverflow.com/q/1288338 \|sourcearticle = Why does ASP.NET framework add the 'X-Powered-By:ASP.NET' HTTP Header in responses? \|revision = 1288385 \|author(s) = [https://stackoverflow.com/users/59301/adrian-grigore Adrian Grigore] at Stack Exchange }} {{reflist\|group=stackoverflow1}} ==External links== * [https://www.iana.org/assignments/message-headers/message-headers.xml#perm-headers\|Message Headers: Permanent Message Header Field Names] * [http://tools.ietf.org/html/rfc2616 IETF HTTP/1.1 RFC] * ~~[http~~{{IETF RFC\|6265\|link=no}}:~~//tools.ietf.org/html/rfc2965~~ IETF HTTP State Management Mechanism ~~RFC]~~ * {{IETF RFC\|9110\|link=no}}: HTTP Semantics * [http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html HTTP/1.1: Header Field Definitions] * {{IETF RFC\|9111\|link=no}}: HTTP Caching * {{IETF RFC\|9112\|link=no}}: HTTP/1.1 * {{IETF RFC\|9113\|link=no}}: HTTP/2 * {{IETF RFC\|9114\|link=no}}: HTTP/3 * {{IETF RFC\|7239\|link=no}}: Forwarded HTTP Extension * {{IETF RFC\|7240\|link=no}}: Prefer Header for HTTP * [http://www.and.org/texts/server-http HTTP/1.1 headers from a web server point of view] * [http://www.MyHTTP.info/ HTTP Request Header Viewer] * [http://viewdns.info/httpheaders/ HTTP Response Header Viewer] - Retrieves the HTTP response headers of any ___domain. * [http://url-info.appspot.com/ HTTP Header Viewer with Google App Engine] * [http://blogs.msdn.com/b/ieinternals/archive/2009/06/30/internet-explorer-custom-http-headers.aspx Internet Explorer and Custom HTTP Headers - EricLaw's IEInternals - Site Home - MSDN Blogs] <references group="stackoverflow1" /> ~~{{DEFAULTSORT:List Of Http Header Fields}}~~ ~~[[Category:HTTP]]~~ ~~[[Category:HTTP headers\|*]]~~ ~~[[Category:Internet-related lists\|HTTP headers]]~~ {{DEFAULTSORT:List Of Http Header Fields}} ~~[[pl:Lista nagłówków HTTP]]~~ [[Category:Hypertext Transfer Protocol headers\| ]] ~~[[ru:Список заголовков HTTP]]~~ [[Category:Internet-related lists\|HTTP header fields]] ~~[[th:รายชื่อส่วนหัวของเอชทีทีพี]]~~