HTTP Headers

HTTP headers are a means for a client, server, and any intermediaries to exchange information during the HTTP request-response process.

Usage

HTTP headers are a pillar of HTTP messages. Servers and clients alike rely on the information exchanged in HTTP headers regardless of whether they are in the HTTP request or HTTP response. There are HTTP request-specific headers that might contain information about the client, HTTP response-specific headers that may contain details about the host, and HTTP headers that are common on both sides of the conversation. A representational HTTP header, for example, contains information about the body of the resource such as how it is encoded. There are also payload headers, which hold representation-independent information such as the size of the message body.

HTTP headers can be further characterized by their scope within the message chain. An end-to-end header that is sent by the client must be transmitted to the server, unmodified by intermediaries, and stored by caches as appropriate. Conversely, a hop-by-hop header is only relevant between nodes, and as such, not forwarded or stored by caches.

There are many different types of HTTP headers that describe or govern processes such as authentication, caching, message body information, and proxies. For example, Cookies are transmitted via HTTP headers, and they are responsible for maintaining the current client’s state in a stateless system.

HTTP header categories and names

Authentication

• WWW-Authenticate
• Authorization
• Proxy-Authenticate
• Proxy-Authorization

Caching

• Age
• Cache-Control
• Clear-Site-Data
• Expires
• Pragma
• Warning

Client Hints

• Accept-CH

Network client hints

• Save-Data

Conditionals

• Last-Modified
• ETag
• If-Match
• If-None-Match
• If-Modified-Since
• If-Unmodified-Since
• Vary
• Delta-Base

Connection Management

• Connection
• Keep-Alive

Content negotiation

• Accept
• Accept-Encoding
• Accept-Language
• A-IM
• IM

Controls

• Expect
• Max-Forwards

Cookies

• Cookie
• Set-Cookie

CORS

• Access-Control-Allow-Origin
• Access-Control-Allow-Credentials
• Access-Control-Allow-Headers
• Access-Control-Expose-Headers
• Access-Control-Max-Age
• Access-Control-Request-Headers
• Access-Control-Request-Method
• Timing-Allow-Origin

Downloads

• Content-Disposition

Message body information

• Content-Length
• Content-Type
• Content-Encoding
• Content-Language
• Content-Location

Proxies

• Forwarded
• X-Forwarded-For
• X-Forwarded-Host
• X-Forwarded-Proto
• Via

Redirects

• Location

Request context

• From
• Host
• Referer (sic)
• Referrer-Policy
• User-Agent

Response context

• Allow
• Server

Range requests

• Accept-Ranges
• Range
• If-Range
• Content-Range

Security

• Cross-Origin-Embedder-Policy (COEP)
• Cross-Origin-Opener-Policy (COOP)
• Cross-Origin-Resource-Policy (CORP)
• Content-Security-Policy (CSP)
• Content-Security-Policy-Report-Only
• Expect-CT
• Strict-Transport-Security (HSTS)
• Upgrade-Insecure-Requests
• X-Content-Type-Options
• X-Frame-Options
• X-Powered-By
• X-XSS-Protection

Fetch metadata request headers

• Sec-Fetch-Site
• Sec-Fetch-Mode
• Sec-Fetch-User
• Sec-Fetch-Dest

Server-Sent events

• NEL

Transfer coding

• Transfer-Encoding
• TE
• Trailer

WebSockets

• Sec-Websocket-Accept

Other

• Alt-Svc
• Date
• Link
• Retry-After
• Server-Timing
• Sourcemap
• Upgrade
• X-DNS-Prefetch-Control
• X-Request-ID
• X-Robots-Tag
• X-UA-Compatible

Takeaway

HTTP headers are part of the HTTP messaging architecture, with both client and server relying on them for information, direction, and general assistance.