HTTP Headers

HTTP headers are name-value pairs exchanged between clients, servers, and intermediaries during the HTTP request-response cycle. Headers carry metadata controlling Caching, Authentication, Compression, content negotiation, session state, security policy, and connection behavior.

Usage

Headers appear in both requests and responses. Request headers describe client preferences and context. Response headers convey server decisions and instructions. Representation headers describe the message body (encoding, language, and length). Transfer-related headers like Transfer-Encoding and Content-Length describe the message content framing.

End-to-end headers travel the full path from client to server (or server to client) and are preserved by intermediaries. Hop-by-hop headers apply only to the connection between adjacent nodes and are not forwarded.

Modern headers use structured fields, a common type system of integers, strings, tokens, lists, dictionaries, and parameters with strict parsing rules.

HTTP header categories and names

Authentication

• WWW-Authenticate
• Authorization
• Proxy-Authenticate
• Proxy-Authorization
• Authentication-Info
• Proxy-Authentication-Info

Caching

• Age
• Cache-Control
• CDN-Cache-Control
• Cache-Status
• Cache-Groups
• Cache-Group-Invalidation
• CDN-Loop
• Clear-Site-Data
• Expires
• No-Vary-Search
• Pragma
• Warning

Client hints

• Accept-CH
• Accept-CH-Lifetime
• Critical-CH
• Device-Memory
• Downlink
• ECT
• RTT
• Save-Data

User-Agent client hints

• Sec-CH-UA
• Sec-CH-UA-Arch
• Sec-CH-UA-Bitness
• Sec-CH-UA-Full-Version-List
• Sec-CH-UA-Mobile
• Sec-CH-UA-Model
• Sec-CH-UA-Platform
• Sec-CH-UA-Platform-Version

Preference client hints

• Sec-CH-Prefers-Color-Scheme
• Sec-CH-Prefers-Reduced-Motion

Conditionals

• Last-Modified
• ETag
• If-Match
• If-None-Match
• If-Modified-Since
• If-Unmodified-Since
• Vary
• Delta-Base

Connection management

• Connection
• Keep-Alive
• HTTP2-Settings

Content negotiation

• Accept
• Accept-Charset
• Accept-Encoding
• Accept-Language
• Accept-Datetime
• Accept-Patch
• Accept-Post
• A-IM
• IM

Controls

• Expect
• Max-Forwards

Cookies

• Cookie
• Set-Cookie

CORS

• Access-Control-Allow-Origin
• Access-Control-Allow-Credentials
• Access-Control-Allow-Headers
• Access-Control-Allow-Methods
• Access-Control-Expose-Headers
• Access-Control-Max-Age
• Access-Control-Request-Headers
• Access-Control-Request-Method
• Origin
• Timing-Allow-Origin

Content information

• Content-Disposition
• Content-Encoding
• Content-Language
• Content-Length
• Content-Location
• Content-Range
• Content-Type
• MIME-Version

Content digests

• Content-Digest
• Content-MD5
• Digest
• Repr-Digest
• Want-Content-Digest
• Want-Digest
• Want-Repr-Digest

Dictionary compression

• Available-Dictionary
• Dictionary-ID
• Use-As-Dictionary

Fetch metadata

• Sec-Fetch-Dest
• Sec-Fetch-Mode
• Sec-Fetch-Site
• Sec-Fetch-User

HTTP signatures

• Accept-Signature
• Signature
• Signature-Agent
• Signature-Input

Navigation and ping

• Ping-From
• Ping-To
• Purpose
• Sec-Purpose

Preferences

• Prefer
• Preference-Applied

Priority

• Priority
• Early-Data

Proxies

• Forwarded
• X-Forwarded-For
• X-Forwarded-Host
• X-Forwarded-Proto
• Via
• X-Real-IP
• Proxy-Status

Range requests

• Accept-Ranges
• Range
• If-Range
• Content-Range

Rate limiting

• Ratelimit-Limit
• Ratelimit-Remaining
• Ratelimit-Reset
• Retry-After
• X-Ratelimit-Limit
• X-Ratelimit-Remaining
• X-Ratelimit-Reset
• X-WS-Ratelimit-Limit
• X-WS-Ratelimit-Remaining

Redirects

• Location
• Refresh
• X-Redirect
• X-Redirect-By

Reporting

• NEL
• Report-To
• Reporting-Endpoints

Request context

• From
• Host
• Referer (sic)
• Referrer-Policy
• User-Agent

Response context

• Allow
• Date
• Server
• Server-Timing

Security

• Content-Security-Policy (CSP)
• Content-Security-Policy-Report-Only
• Cross-Origin-Embedder-Policy (COEP)
• Cross-Origin-Embedder-Policy-Report-Only
• Cross-Origin-Opener-Policy (COOP)
• Cross-Origin-Opener-Policy-Report-Only
• Cross-Origin-Resource-Policy (CORP)
• Document-Isolation-Policy
• Document-Isolation-Policy-Report-Only
• Document-Policy
• Expect-CT
• Feature-Policy
• Origin-Agent-Cluster
• Permissions-Policy
• Public-Key-Pins
• Public-Key-Pins-Report-Only
• Strict-Transport-Security (HSTS)
• Upgrade-Insecure-Requests
• X-Content-Security-Policy
• X-Content-Type-Options
• X-DNS-Prefetch-Control
• X-Download-Options
• X-Frame-Options
• X-Permitted-Cross-Domain-Policies
• X-Webkit-CSP
• X-XSS-Protection

Privacy

• Sec-GPC

DPoP

• DPoP
• DPoP-Nonce

Speculation

• Speculation-Rules
• Sec-Speculation-Tags
• Supports-Loading-Mode

Transfer coding

• Transfer-Encoding
• TE
• Trailer

Tracing

• Traceparent
• Tracestate
• Traceresponse
• X-B3-Traceid
• X-Cloud-Trace-Context
• X-Correlation-ID
• X-Request-ID
• Request-Context

WebSocket

• Sec-Websocket-Accept
• Sec-Websocket-Extensions
• Sec-Websocket-Key
• Sec-Websocket-Protocol
• Sec-Websocket-Version

Web linking

• Link
• Link-Template

ACME

• Replay-Nonce

Deprecated or experimental

• Deprecation
• Last-Event-ID
• Memento-Datetime
• Origin-Trial
• P3P
• Sunset

Other

• Alt-Svc
• Alt-Used
• Capsule-Protocol
• Edge-Control
• Host-Header
• HTTPS
• Onion-Location
• Panel
• Platform
• Powered-By
• Sourcemap
• Surrogate-Control
• Surrogate-Key
• Upgrade
• X-Adblock-Key
• X-Clacks-Overhead
• X-Generator
• X-Hacker
• X-Pingback
• X-Powered-By
• X-Robots-Tag
• X-Runtime
• X-UA-Compatible
• X-Version

AWS

• X-Amz-Cf-Id
• X-Amz-Cf-Pop
• X-Amz-Id-2
• X-Amz-Request-Id
• X-Amz-Server-Side-Encryption
• X-Amz-Version-Id
• X-Amzn-Requestid
• X-Amzn-Trace-Id

Akamai

• Akamai-GRN
• X-Akamai-Transformed

Cloudflare

• CF-Cache-Status
• CF-Edge-Cache
• CF-Mitigated
• CF-Ray

Caching (vendor)

• X-Cache
• X-Cacheable
• X-Cache-Group
• X-Cache-Hits
• X-Cache-Miss-From
• X-Cache-Status
• X-CDN
• X-Proxy-Cache
• X-Served-By
• X-Timer
• X-Varnish

Load balancer and infrastructure

• GLB-X-Seen-By
• X-AC
• X-Azure-Ref
• X-Contextid
• X-DC
• X-Domain
• X-Envoy-Upstream-Service-Time
• X-Host
• X-Iinfo
• X-IPLB-Instance
• X-IPLB-Request-ID
• X-Seen-By

Microsoft / ASP.NET

• X-Aspnet-Version
• X-Aspnetmvc-Version
• X-MS-Request-ID

Next.js / Vercel

• X-Matched-Path
• X-Middleware-Rewrite
• X-Nextjs-Cache
• X-Nextjs-Prerender
• X-Nextjs-Stale-Time
• X-Vercel-Cache
• X-Vercel-Id

Netlify

• X-NF-Request-ID

LiteSpeed

• X-Litespeed-Cache
• X-Litespeed-Cache-Control
• X-Litespeed-Tag
• X-Turbo-Charged-By

Drupal

• X-Drupal-Cache
• X-Drupal-Dynamic-Cache

Shopify

• Shopify-Complexity-Score
• X-Shardid
• X-Shopid
• X-Sorting-Hat-Podid
• X-Sorting-Hat-Shopid
• X-Storefront-Renderer-Rendered

Wix

• X-Meta-Site-Id
• X-Siteid
• X-Wix-Cache-Control
• X-Wix-Request-Id

GitHub

• X-Github-Request-Id

Facebook

• X-FB-Debug

Fastly

• X-Fastly-Request-ID

Security (vendor)

• Client-Cert
• Client-Cert-Chain
• X-PCREW-Blocked-Reason
• X-PCREW-IP-Organization
• X-Sucuri-ID

Takeaway

HTTP headers carry the metadata driving every aspect of the HTTP exchange, from Caching and Authentication to content negotiation and security policy. Each header category addresses a specific part of the request-response lifecycle.

See also

• HTTP request
• HTTP response
• Structured Fields
• Content negotiation