HTTP Headers
HTTP headers are name-value pairs exchanged between clients, servers, and intermediaries during every request-response cycle. They carry the metadata that controls caching, authentication, compression, content negotiation, session state, security policy, and connection behavior.
- Usage
- HTTP header categories and names
- Authentication
- Caching
- Client hints
- User-Agent client hints
- Preference client hints
- Conditionals
- Connection management
- Content negotiation
- Controls
- Cookies
- CORS
- Content information
- Content digests
- Dictionary compression
- Fetch metadata
- HTTP signatures
- Navigation and ping
- Preferences
- Priority
- Proxies
- Range requests
- Rate limiting
- Redirects
- Reporting
- Request context
- Response context
- Security
- Privacy
- DPoP
- Speculation
- Transfer coding
- Tracing
- WebSocket
- Web linking
- ACME
- Deprecated or experimental
- Other
- AWS
- Akamai
- Cloudflare
- Caching (vendor)
- Load balancer and infrastructure
- Microsoft / ASP.NET
- Next.js / Vercel
- Netlify
- LiteSpeed
- Drupal
- Shopify
- Wix
- GitHub
- Fastly
- Security (vendor)
- See also
Usage
Headers appear in both requests and responses. Request headers describe client preferences and context. Response headers convey server decisions and instructions. Representation headers describe the message body (encoding, language, and length). Transfer-related headers like Transfer-Encoding and Content-Length describe how the message content is framed.
End-to-end headers travel the full path from client to server (or server to client) and are preserved by intermediaries. Hop-by-hop headers apply only to the connection between adjacent nodes and are not forwarded.
Modern headers use structured fields, a common type system of integers, strings, tokens, lists, dictionaries, and parameters with strict parsing rules.
HTTP header categories and names
Authentication
- WWW-Authenticate
- Authorization
- Proxy-Authenticate
- Proxy-Authorization
- Authentication-Info
- Proxy-Authentication-Info
Caching
- Age
- Cache-Control
- CDN-Cache-Control
- Cache-Status
- Cache-Groups
- Cache-Group-Invalidation
- CDN-Loop
- Clear-Site-Data
- Expires
- No-Vary-Search
- Pragma
- Warning
Client hints
User-Agent client hints
- Sec-CH-UA
- Sec-CH-UA-Arch
- Sec-CH-UA-Bitness
- Sec-CH-UA-Full-Version-List
- Sec-CH-UA-Mobile
- Sec-CH-UA-Model
- Sec-CH-UA-Platform
- Sec-CH-UA-Platform-Version
Preference client hints
Conditionals
Connection management
Content negotiation
- Accept
- Accept-Charset
- Accept-Encoding
- Accept-Language
- Accept-Datetime
- Accept-Patch
- Accept-Post
- A-IM
- IM
Controls
Cookies
CORS
- Access-Control-Allow-Origin
- Access-Control-Allow-Credentials
- Access-Control-Allow-Headers
- Access-Control-Allow-Methods
- Access-Control-Expose-Headers
- Access-Control-Max-Age
- Access-Control-Request-Headers
- Access-Control-Request-Method
- Origin
- Timing-Allow-Origin
Content information
- Content-Disposition
- Content-Encoding
- Content-Language
- Content-Length
- Content-Location
- Content-Range
- Content-Type
- MIME-Version
Content digests
Dictionary compression
Fetch metadata
HTTP signatures
Navigation and ping
Preferences
Priority
Proxies
Range requests
Rate limiting
- Ratelimit-Limit
- Ratelimit-Remaining
- Ratelimit-Reset
- Retry-After
- X-Ratelimit-Limit
- X-Ratelimit-Remaining
- X-Ratelimit-Reset
- X-WS-Ratelimit-Limit
- X-WS-Ratelimit-Remaining
Redirects
Reporting
Request context
- From
- Host
- Referer (sic)
- Referrer-Policy
- User-Agent
Response context
Security
- Content-Security-Policy (CSP)
- Content-Security-Policy-Report-Only
- Cross-Origin-Embedder-Policy (COEP)
- Cross-Origin-Embedder-Policy-Report-Only
- Cross-Origin-Opener-Policy (COOP)
- Cross-Origin-Opener-Policy-Report-Only
- Cross-Origin-Resource-Policy (CORP)
- Document-Isolation-Policy
- Document-Isolation-Policy-Report-Only
- Document-Policy
- Expect-CT
- Feature-Policy
- Origin-Agent-Cluster
- Permissions-Policy
- Public-Key-Pins
- Public-Key-Pins-Report-Only
- Strict-Transport-Security (HSTS)
- Upgrade-Insecure-Requests
- X-Content-Security-Policy
- X-Content-Type-Options
- X-DNS-Prefetch-Control
- X-Download-Options
- X-Frame-Options
- X-Permitted-Cross-Domain-Policies
- X-Webkit-CSP
- X-XSS-Protection
Privacy
DPoP
Speculation
Transfer coding
Tracing
- Traceparent
- Tracestate
- Traceresponse
- X-B3-Traceid
- X-Cloud-Trace-Context
- X-Correlation-ID
- X-Request-ID
- Request-Context
WebSocket
- Sec-Websocket-Accept
- Sec-Websocket-Extensions
- Sec-Websocket-Key
- Sec-Websocket-Protocol
- Sec-Websocket-Version
Web linking
ACME
Deprecated or experimental
Other
- Alt-Svc
- Alt-Used
- Capsule-Protocol
- Edge-Control
- Host-Header
- HTTPS
- Onion-Location
- Panel
- Platform
- Powered-By
- Sourcemap
- Surrogate-Control
- Surrogate-Key
- Upgrade
- X-Adblock-Key
- X-Clacks-Overhead
- X-Generator
- X-Hacker
- X-Pingback
- X-Powered-By
- X-Robots-Tag
- X-Runtime
- X-UA-Compatible
- X-Version
AWS
- X-Amz-Cf-Id
- X-Amz-Cf-Pop
- X-Amz-Id-2
- X-Amz-Request-Id
- X-Amz-Server-Side-Encryption
- X-Amz-Version-Id
- X-Amzn-Requestid
- X-Amzn-Trace-Id
Akamai
Cloudflare
Caching (vendor)
- X-Cache
- X-Cacheable
- X-Cache-Group
- X-Cache-Hits
- X-Cache-Miss-From
- X-Cache-Status
- X-CDN
- X-Proxy-Cache
- X-Served-By
- X-Timer
- X-Varnish
Load balancer and infrastructure
- GLB-X-Seen-By
- X-AC
- X-Azure-Ref
- X-Contextid
- X-DC
- X-Domain
- X-Envoy-Upstream-Service-Time
- X-Host
- X-Iinfo
- X-IPLB-Instance
- X-IPLB-Request-ID
- X-Seen-By
Microsoft / ASP.NET
Next.js / Vercel
- X-Matched-Path
- X-Middleware-Rewrite
- X-Nextjs-Cache
- X-Nextjs-Prerender
- X-Nextjs-Stale-Time
- X-Vercel-Cache
- X-Vercel-Id
Netlify
LiteSpeed
Drupal
Shopify
- Shopify-Complexity-Score
- X-Shardid
- X-Shopid
- X-Sorting-Hat-Podid
- X-Sorting-Hat-Shopid
- X-Storefront-Renderer-Rendered