# http.dev > Comprehensive HTTP protocol reference: methods, status codes, headers, and general concepts. Written by Fili, Technical SEO Consultant and former Google Search Engineer. ## HTTP Concepts - [HTTP/0.9](https://http.dev/0.9): The original HTTP protocol from 1991: single-line requests, no headers, no status codes. How HTTP/0.9 worked and why HTTP/0.9 was replaced. - [HTTP/1.0](https://http.dev/1.0): HTTP/1.0 added headers, status codes, and content types to the web. Protocol details, limitations, and the upgrade path to HTTP/1.1. - [HTTP/1.1](https://http.dev/1.1): HTTP/1.1 explained: persistent connections, chunked encoding, host headers, and caching. The protocol powering most of the web today. - [HTTP/2](https://http.dev/2): HTTP/2 explained: multiplexing, header compression, server push, and stream prioritization. Understand the binary protocol upgrade from HTTP/1.1. - [HTTP/3](https://http.dev/3): HTTP/3 runs on QUIC instead of TCP. Zero-RTT connections, no head-of-line blocking, and built-in TLS 1.3. Full protocol reference with examples. - [Application-Layer Protocol Negotiation (ALPN)](https://http.dev/alpn): Learn how ALPN negotiates HTTP/2 and HTTP/3 inside the TLS handshake. Protocol IDs, the ClientHello and ServerHello flow, and examples. - [HTTP Authentication](https://http.dev/authentication): HTTP authentication framework: Basic, Bearer, and Digest schemes, challenge- response flow, WWW-Authenticate and Authorization headers explained. - [Binary HTTP](https://http.dev/bhttp): Learn how Binary HTTP encodes a request or response as a self-contained binary message for encryption and Oblivious HTTP. - [HTTP Caching](https://http.dev/caching): How HTTP caching works: Cache-Control directives, ETag validation, conditional requests, and CDN behavior. Implement effective caching strategies. - [Canonical URLs](https://http.dev/canonical): Canonical URLs consolidate duplicate content for search engines. HTTP Link header syntax, HTML implementation, and SEO signal consolidation explained. - [Client Hints](https://http.dev/client-hints): HTTP Client Hints enable privacy-respecting device and network detection. Implement adaptive content delivery with Accept-CH, Sec-CH-UA, and related headers. - [HTTP Compression](https://http.dev/compression): HTTP compression with gzip, Brotli, Zstandard, and dictionary compression: content encoding negotiation, delta compression, and transfer optimization. - [HTTP Conditional Requests](https://http.dev/conditional-requests): HTTP conditional requests with If-Match, If-None-Match, and If-Modified-Since. Implement cache validation, concurrency control, and resumable downloads. - [CONNECT-TCP](https://http.dev/connect-tcp): Learn how CONNECT-TCP tunnels TCP through a proxy with a templated well-known URI and extended CONNECT across HTTP/2 and HTTP/3. - [HTTP Content Negotiation](https://http.dev/content-negotiation): How HTTP content negotiation works: Accept headers, server-driven and agent-driven selection, weight values, and variant matching explained. - [HTTP Cookies](https://http.dev/cookies): HTTP cookies explained: Set-Cookie attributes, SameSite policy, Secure and HttpOnly flags, and session management. Complete cookie reference. - [Cross-Origin Resource Sharing (CORS)](https://http.dev/cors): CORS explained: preflight requests, Access-Control headers, credentials, and same-origin policy. Fix cross-origin errors in browsers and APIs. - [Data URLs](https://http.dev/data-url): Data URLs embed resources inline using the data: scheme. Syntax, base64 encoding, size limits, security restrictions, and performance trade-offs. - [HTTP Explained](https://http.dev/explained): How HTTP works: request-response model, methods, status codes, headers, and versions. Understand the protocol behind every web interaction. - [Hreflang](https://http.dev/hreflang): Hreflang for international SEO: HTTP Link header syntax, HTML and XML sitemap formats, x-default usage, and search engine implementation rules. - [HTTP Strict Transport Security](https://http.dev/hsts): HSTS forces HTTPS-only connections in browsers. Implement Strict-Transport- Security headers, preload lists, and prevent protocol downgrade attacks. - [HTTP Connection Management](https://http.dev/http-connection): HTTP connection management across protocol versions: persistent connections, keep- alive, pipelining, multiplexing, and QUIC transport explained. - [HyperText Transfer Protocol Secure (HTTPS)](https://http.dev/https): HTTPS encrypts HTTP with TLS for secure communication. TLS handshake, Encrypted Client Hello (ECH), certificates, mixed content, and HSTS explained. - [MASQUE](https://http.dev/masque): Learn how MASQUE tunnels UDP and IP traffic through HTTP using extended CONNECT, HTTP Datagrams, and the Capsule Protocol. - [HTTP Media Types](https://http.dev/media-types): HTTP media types (MIME types) reference: Content-Type syntax, type/subtype format, parameters, IANA registry, and common types for web development. - [Oblivious HTTP](https://http.dev/ohttp): Understand Oblivious HTTP (OHTTP): the privacy protocol separating client identity from request content through relay-based encryption. - [Origins](https://http.dev/origins): Web origins explained: scheme + host + port as the browser security boundary. Same-origin policy, cross-origin access, and opaque origin rules. - [Percent-Encoding](https://http.dev/percent-encoding): Percent-encoding (URL encoding) converts reserved and non-ASCII characters for safe use in URIs. Encoding rules, common characters, and decoding explained. - [Problem Details for HTTP APIs](https://http.dev/problem-details): Understand problem details: the standard format for machine-readable HTTP API error responses with type, status, title, detail, and extension members. - [HTTP Protocol Upgrade Mechanism](https://http.dev/protocol-upgrade): HTTP protocol upgrade mechanism switches connections from HTTP/1.1 to WebSocket or other protocols. Upgrade header flow, 101 response, and negotiation rules. - [Punycode](https://http.dev/punycode): Punycode encodes international domain names into ASCII for DNS. The xn-- prefix, encoding algorithm, IDN handling, and homograph attack prevention. - [QUIC](https://http.dev/quic): Learn how QUIC powers HTTP/3: UDP-based streams, built-in TLS 1.3, 0-RTT setup, and connection migration explained with examples. - [HTTP Range Requests](https://http.dev/range-request): HTTP range requests fetch partial content using byte ranges. Implement resumable downloads, video seeking, and 206 Partial Content responses. - [HTTP Redirections](https://http.dev/redirects): HTTP redirects explained: 301, 302, 307, 308 status codes compared. Permanent vs temporary redirects, redirect chains, and SEO impact of each type. - [HTTP Request](https://http.dev/request): Anatomy of an HTTP request: method, request target, headers, and body. Understand request structure, formatting rules, and practical examples. - [Resource Hints](https://http.dev/resource-hints): Resource hints speed up page loads: preconnect, prefetch, preload, and modulepreload via HTTP Link headers. Implement early resource loading. - [HTTP Response](https://http.dev/response): Anatomy of an HTTP response: status line, headers, and body. Understand response structure, informational responses, and trailer fields. - [A Typical HTTP Session](https://http.dev/session): How HTTP sessions work: connection setup, request-response cycles, state management with cookies, and session persistence across a stateless protocol. - [Soft 404s](https://http.dev/soft404): Soft 404s return 200 status for missing pages, wasting crawl budget and hurting SEO. Detect, diagnose, and fix soft 404 errors. - [HTTP Streaming](https://http.dev/streaming): HTTP streaming delivers data incrementally: chunked encoding, Server-Sent Events, and the Streams API. Implement real-time data delivery over HTTP. - [HTTP Structured Fields](https://http.dev/structured-fields): HTTP structured fields provide typed data formats for header values: integers, strings, tokens, lists, and dictionaries with strict parsing rules. - [Uniform Resource Identifier (URI)](https://http.dev/uri): URIs identify resources by location, name, or both. Generic syntax, URL and URN subtypes, resolution rules, and the relationship between URI, URL, and URN. - [Uniform Resource Locator (URL)](https://http.dev/url): URL structure explained: scheme, host, port, path, query, and fragment. Parsing rules, encoding, relative resolution, and the WHATWG URL Standard. - [Uniform Resource Name (URN)](https://http.dev/urn): URNs provide persistent, location- independent resource identifiers. Syntax, namespace IDs, IANA registration, and URN resolution. - [WebDAV](https://http.dev/webdav): WebDAV extends HTTP for remote file management: PROPFIND, LOCK, MKCOL, and more. Implement file authoring, locking, and collection management over HTTP. - [Well-Known URIs](https://http.dev/well-known-uris): Understand the /.well-known/ path prefix for standardized site metadata discovery. Common URIs, registration, security, and implementation guidance. - [WHEP (WebRTC-HTTP Egress Protocol)](https://http.dev/whep): Learn how WHEP plays WebRTC streams over standard HTTP. POST an SDP offer, get a session URL, DELETE to stop. Full flow. - [WHIP (WebRTC-HTTP Ingestion Protocol)](https://http.dev/whip): WHIP replaces custom WebRTC signaling with standard HTTP methods. POST, PATCH, DELETE flow for live media ingestion. - [WebSocket](https://http.dev/ws): WebSocket protocol enables full-duplex communication over a single TCP connection. Handshake, framing, subprotocols, and HTTP upgrade process explained. - [WebSocket Secure (wss://)](https://http.dev/wss): WebSocket Secure (wss://) encrypts bidirectional communication with TLS. Configuration, certificate requirements, and differences from plain ws://. ## HTTP Methods - [CONNECT](https://http.dev/connect): HTTP CONNECT establishes a TCP tunnel through a proxy for HTTPS and other protocols. Tunneling flow, proxy behavior, and security considerations. - [DELETE](https://http.dev/delete): Learn how HTTP DELETE removes resources at the target URI. Covers idempotency rules, expected status codes, CORS preflight behavior, and REST API patterns. - [GET](https://http.dev/get): The HTTP GET method retrieves resources without side effects. Caching behavior, conditional requests, partial requests, and request examples for web and APIs. - [HEAD](https://http.dev/head): HTTP HEAD retrieves response headers without the body. Check resource size, existence, and freshness. Identical to GET except the server omits the body. - [OPTIONS](https://http.dev/options): HTTP OPTIONS queries allowed methods and server capabilities. Primary role in CORS preflight requests, Access-Control headers, and wildcard request targets. - [PATCH](https://http.dev/patch): HTTP PATCH applies partial modifications to a resource. JSON Patch, JSON Merge Patch formats, idempotency concerns, and differences from PUT explained. - [POST](https://http.dev/post): HTTP POST submits data to create resources or trigger processing. Form encodings, file uploads, API usage, and differences from PUT and PATCH. - [PRI](https://http.dev/pri): The HTTP PRI method is the HTTP/2 connection preface. Its role in protocol detection, why HTTP/1.1 servers reject PRI, and the 24-byte handshake format. - [PUT](https://http.dev/put): HTTP PUT creates or replaces a resource at the target URI. Idempotent full-state replacement, Content-Type handling, and differences from POST and PATCH. - [QUERY](https://http.dev/query): HTTP QUERY sends safe, idempotent queries with a request body. Overcome URI length limits for complex searches, GraphQL, and structured filter operations. - [TRACE](https://http.dev/trace): HTTP TRACE performs a loopback diagnostic test along the request path. Reveals proxy modifications, security risks, and why servers disable TRACE in production. ## 1xx Informational Status Codes - [100 Continue](https://http.dev/100): Learn how the 100 Continue status code works with the Expect header to validate requests before sending large message bodies. - [101 Switching Protocols](https://http.dev/101): Learn how the 101 Switching Protocols response upgrades HTTP connections to WebSocket or other protocols using the Upgrade header. - [102 Processing](https://http.dev/102): Understand the 102 Processing status code, how the response prevents client timeouts during long-running requests, and its WebDAV origins. - [103 Early Hints](https://http.dev/103): Understand 103 Early Hints and how the status code speeds up page loads by preloading resources before the final response arrives. - [110 Response is Stale](https://http.dev/110): The 110 Response is Stale warning code was used in HTTP caching. Learn its history and why the Warning header was obsoleted. - [111 Revalidation Failed](https://http.dev/111): The 111 Revalidation Failed warning code signaled a stale cached response when the origin server was unreachable. Now obsolete. - [112 Disconnected Operation](https://http.dev/112): The 112 Disconnected Operation warning code indicated a cache intentionally disconnected from the network. Now obsolete. - [113 Heuristic Expiration](https://http.dev/113): The 113 Heuristic Expiration warning code flagged cached responses using heuristic freshness over 24 hours. Now obsolete. - [199 Miscellaneous Warning](https://http.dev/199): The 199 Miscellaneous Warning code carried arbitrary cache warnings for display or logging. Now obsolete. ## 2xx Success Status Codes - [200 OK](https://http.dev/200): Learn what a 200 OK response means, when servers send this status code, and how browsers and search engines process successful responses. - [201 Created](https://http.dev/201): Understand the 201 Created status code, when servers send 201 for POST and PUT requests, and how search engines treat new resources. - [202 Accepted](https://http.dev/202): Learn what a 202 Accepted response means, how the status code signals asynchronous processing, and how to poll for the eventual result. - [203 Non-Authoritative Information](https://http.dev/203): Learn what a 203 Non-Authoritative Information response means, when proxies return 203, and how the status code differs from 200 OK. - [204 No Content](https://http.dev/204): Understand the 204 No Content status code, when servers return 204, and how the response works with form submissions, APIs, and caching. - [205 Reset Content](https://http.dev/205): Learn what a 205 Reset Content response means, how the status code instructs clients to clear form data, and how 205 differs from 204. - [206 Partial Content](https://http.dev/206): Understand the 206 Partial Content response, how Range requests work for resumable downloads, and multipart range responses. - [207 Multi-Status](https://http.dev/207): Learn what a 207 Multi-Status response means, how WebDAV uses 207 to report per-resource results, and how to parse the XML body. - [208 Already Reported](https://http.dev/208): Understand the 208 Already Reported status code, how WebDAV uses 208 inside 207 responses to avoid duplicate resource listings. - [214 Transformation Applied](https://http.dev/214): The 214 Transformation Applied warning code flagged proxy modifications like compression or format conversion. Now obsolete. - [218 This is fine](https://http.dev/218): Learn about 218 This is fine, an unofficial HTTP status code inspired by the internet meme and its disputed Apache origins. - [226 IM Used](https://http.dev/226): Learn what a 226 IM Used response means, how delta encoding and instance manipulations conserve bandwidth in HTTP responses. - [299 Miscellaneous Persistent Warning](https://http.dev/299): The 299 Miscellaneous Persistent Warning code carried persistent cache warnings for display or logging. Now obsolete. ## 3xx Redirection Status Codes - [300 Multiple Choices](https://http.dev/300): Understand the 300 Multiple Choices response, when servers send 300, and how clients select from multiple available representations. - [301 Moved Permanently](https://http.dev/301): Understand the 301 redirect: when to use 301, how search engines handle the redirect, and how 301 differs from 302 and 308. - [302 Found](https://http.dev/302): Learn how the 302 Found redirect works, when to use 302 for temporary redirections, and how 302 differs from 301, 303, and 307. - [303 See Other](https://http.dev/303): Learn how the 303 See Other redirect works, why 303 always switches to GET, and when to use 303 after POST, PUT, or DELETE requests. - [304 Not Modified](https://http.dev/304): Understand the 304 Not Modified response, how conditional requests save bandwidth, and how ETags and Last-Modified drive cache validation. - [305 Use Proxy](https://http.dev/305): Learn about the deprecated 305 Use Proxy status code, why 305 was removed over security concerns, and what replaced the status code. - [306 Switch Proxy](https://http.dev/306): Learn about the reserved 306 Switch Proxy status code, the origin in an expired Internet-Draft, and why 306 was never adopted. - [307 Temporary Redirect](https://http.dev/307): Understand the 307 Temporary Redirect, why 307 preserves the request method unlike 302, and when to use 307 over 302 or 303. - [308 Permanent Redirect](https://http.dev/308): Understand the 308 Permanent Redirect, how 308 preserves the request method unlike 301, and how search engines transfer link equity. ## 4xx Client Error Status Codes - [400 Bad Request](https://http.dev/400): Fix 400 Bad Request errors. Learn common causes like malformed URLs and invalid cookies, with troubleshooting steps. - [401 Unauthorized](https://http.dev/401): Fix 401 Unauthorized errors. Learn authentication schemes, WWW-Authenticate headers, and credential troubleshooting. - [402 Payment Required](https://http.dev/402): Understand 402 Payment Required: a reserved status code, its non-standard usage by Shopify and Stripe, and SEO impact. - [403 Forbidden](https://http.dev/403): Fix 403 Forbidden errors. Understand access control causes, 403 vs 404 security decisions, and SEO impact. - [404 Not Found](https://http.dev/404): Fix 404 Not Found errors. Learn causes, custom error pages, soft 404 pitfalls, and SEO impact on search indexing. - [405 Method Not Allowed](https://http.dev/405): Fix 405 Method Not Allowed errors. Learn what triggers this status, the Allow header response, and troubleshooting. - [406 Not Acceptable](https://http.dev/406): Fix 406 Not Acceptable errors. Understand content negotiation, Accept headers, and how servers handle unsatisfiable requests. - [407 Proxy Authentication Required](https://http.dev/407): Fix 407 Proxy Authentication Required errors. Learn proxy authentication schemes and Proxy-Authenticate headers. - [408 Request Timeout](https://http.dev/408): Fix 408 Request Timeout errors. Understand why servers close slow connections and how to resolve transmission issues. - [409 Conflict](https://http.dev/409): Fix 409 Conflict errors. Understand resource state conflicts, resolution strategies, and common API use cases. - [410 Gone](https://http.dev/410): Understand 410 Gone: permanent resource removal, differences from 404, caching behavior, and SEO indexing impact. - [411 Length Required](https://http.dev/411): Fix 411 Length Required errors. Learn when the Content-Length header is needed and how to resolve this client error. - [412 Precondition Failed](https://http.dev/412): Fix 412 Precondition Failed errors. Learn conditional request headers, If-Match failures, and lost update prevention. - [413 Content Too Large](https://http.dev/413): Fix 413 Content Too Large errors. Learn server size limits, Expect header usage, and how to handle oversized uploads. - [414 URI Too Long](https://http.dev/414): Fix 414 URI Too Long errors. Understand URL length limits, browser restrictions, and how to shorten request URIs. - [415 Unsupported Media Type](https://http.dev/415): Fix 415 Unsupported Media Type errors. Learn Content-Type and Content-Encoding validation, with troubleshooting steps. - [416 Range Not Satisfiable](https://http.dev/416): Fix 416 Range Not Satisfiable errors. Understand byte range requests, the Content-Range header, and resolution. - [417 Expectation Failed](https://http.dev/417): Fix 417 Expectation Failed errors. Learn how the Expect header and 100-continue mechanism work and when 417 is returned. - [418 I'm a teapot](https://http.dev/418): Understand 418 I'm a teapot: the IETF April Fools' joke, HTCPCP protocol, and the Save 418 initiative. - [419 Page Expired](https://http.dev/419): Fix 419 Page Expired errors in Laravel. Understand CSRF token validation, common causes, and troubleshooting steps. - [420 Method Failure or Enhance your calm](https://http.dev/420): Understand 420 Method Failure and Enhance Your Calm: Spring Framework and Twitter API usage, and migration to 429. - [421 Misdirected Request](https://http.dev/421): Fix 421 Misdirected Request errors. Understand connection reuse, HTTP/2 routing, and Alt-Svc troubleshooting. - [422 Unprocessable Content](https://http.dev/422): Fix 422 Unprocessable Content errors. Learn differences from 400 and 415, and how to resolve semantic validation failures. - [423 Locked](https://http.dev/423): Fix 423 Locked errors. Learn WebDAV file locking mechanisms, Lock-Token headers, precondition codes, and how to unlock resources. - [424 Failed Dependency](https://http.dev/424): Fix 424 Failed Dependency errors. Learn WebDAV multi-status responses, PROPPATCH operations, and dependency resolution. - [425 Too Early](https://http.dev/425): Understand 425 Too Early: TLS early data replay risks, the Early-Data header, and server-side protection strategies. - [426 Upgrade Required](https://http.dev/426): Fix 426 Upgrade Required errors. Learn protocol upgrade requirements, the Upgrade header, and resolution steps. - [428 Precondition Required](https://http.dev/428): Fix 428 Precondition Required errors. Learn conditional headers like If-Match and how to prevent lost updates. - [429 Too Many Requests](https://http.dev/429): Fix 429 Too Many Requests errors. Learn rate limiting, Retry-After headers, and how to handle API throttling. - [430 Security Rejection](https://http.dev/430): Diagnose Shopify 430 Security Rejection errors. Learn IP-based filtering, common triggers, and resolution strategies. - [431 Request Header Fields Too Large](https://http.dev/431): Fix 431 Request Header Fields Too Large errors. Learn header size limits, cookie reduction, and troubleshooting steps. - [440 Login Time-out](https://http.dev/440): Fix IIS 440 Login Time-out errors. Understand session expiration on Microsoft IIS and Exchange servers. - [444 No Response](https://http.dev/444): Understand nginx 444 No Response: how nginx silently drops connections, common configurations, and troubleshooting. - [449 Retry With](https://http.dev/449): Fix IIS 449 Retry With errors. Learn how Microsoft IIS signals missing request data and how to resubmit. - [450 Blocked by Windows Parental Controls](https://http.dev/450): Understand 450 Blocked by Windows Parental Controls: when 450 occurs, what triggers the error, and how to resolve the block. - [451 Unavailable For Legal Reasons](https://http.dev/451): Understand 451 Unavailable For Legal Reasons: censorship responses, legal demands, and Exchange ActiveSync usage. - [460 Client closed connection prematurely](https://http.dev/460): Diagnose AWS ELB 460 errors. Understand why clients close connections before the idle timeout and how to fix the problem. - [463 Too many forwarded IP addresses](https://http.dev/463): Fix AWS ELB 463 Too Many Forwarded IP Addresses. Understand X-Forwarded-For limits and proxy chain resolution. - [464 Incompatible protocol](https://http.dev/464): Fix AWS ELB 464 Incompatible Protocol errors. Learn protocol version mismatches between load balancer and target groups. - [470 Request Denied](https://http.dev/470): Fix Azure Firewall 470 Request Denied errors. Learn application rule configuration and firewall diagnostics. - [492 User Access Forbidden](https://http.dev/492): Fix Akamai EAA 492 User Access Forbidden errors. Learn access policy checks and EAA Client configuration sync. - [493 Unsupported Browser](https://http.dev/493): Fix Akamai EAA 493 Unsupported Browser errors. Understand SNI requirements in TLS handshakes and client compatibility. - [494 Request header too large](https://http.dev/494): Fix nginx 494 Request Header Too Large errors. Learn buffer size configuration and differences from the official 431. - [495 SSL Certificate Error](https://http.dev/495): Fix nginx 495 SSL Certificate Error. Troubleshoot expired, untrusted, or mismatched client certificates. - [496 SSL Certificate Required](https://http.dev/496): Fix nginx 496 SSL Certificate Required errors. Learn client certificate requirements and mutual TLS setup. - [497 HTTP Request Sent to HTTPS Port](https://http.dev/497): Fix nginx 497 HTTP Request Sent to HTTPS Port errors. Understand plain HTTP to HTTPS port mismatches and resolution. - [498 Invalid Token](https://http.dev/498): Fix ArcGIS 498 Invalid Token errors. Troubleshoot expired, revoked, or mismatched authentication tokens. - [499 Token Required or Client Closed Request](https://http.dev/499): Fix 499 errors: ArcGIS Token Required and nginx Client Closed Request. Learn causes and troubleshooting for both. ## 5xx Server Error Status Codes - [500 Internal Server Error](https://http.dev/500): Fix 500 Internal Server Error: common causes, server log analysis, debugging steps, and SEO impact of 5xx responses. - [501 Not Implemented](https://http.dev/501): Fix 501 Not Implemented errors. Understand unsupported HTTP methods, differences from 405, and server configuration. - [502 Bad Gateway](https://http.dev/502): Fix 502 Bad Gateway errors. Understand causes, upstream server configuration, and step-by-step troubleshooting. - [503 Service Unavailable](https://http.dev/503): Fix 503 Service Unavailable errors. Learn maintenance mode setup, Retry-After headers, and SEO-safe downtime handling. - [504 Gateway Timeout](https://http.dev/504): Fix 504 Gateway Timeout errors. Learn upstream timeout causes, proxy configuration, and troubleshooting. - [505 HTTP Version Not Supported](https://http.dev/505): Fix 505 HTTP Version Not Supported errors. Learn protocol version mismatches and server compatibility. - [506 Variant Also Negotiates](https://http.dev/506): Understand 506 Variant Also Negotiates: transparent content negotiation circular references and server misconfiguration. - [507 Insufficient Storage](https://http.dev/507): Fix 507 Insufficient Storage errors. Understand WebDAV storage limits, differences from 413, and resolution. - [508 Loop Detected](https://http.dev/508): Fix 508 Loop Detected errors. Understand WebDAV infinite loops and cPanel resource limit troubleshooting. - [509 Bandwidth Limit Exceeded](https://http.dev/509): Fix 509 Bandwidth Limit Exceeded errors. Understand hosting bandwidth allotments, cPanel limits, and resolution steps. - [510 Not Extended](https://http.dev/510): Understand 510 Not Extended: the obsolete HTTP Extension Framework, its historic status, and usage. - [511 Network Authentication Required](https://http.dev/511): Fix 511 Network Authentication Required errors. Understand captive portals, Wi-Fi login pages, and client handling. - [520 Web Server Is Returning an Unknown Error](https://http.dev/520): Fix Cloudflare 520 Web Server Unknown Error. Diagnose empty responses, header overflows, and origin server issues. - [521 Web Server Is Down](https://http.dev/521): Fix Cloudflare 521 Web Server Is Down. Diagnose origin connection refusals, firewall blocks, and server crashes. - [522 Connection Timed Out](https://http.dev/522): Fix Cloudflare 522 Connection Timed Out. Diagnose TCP handshake failures, origin overload, and firewall packet drops. - [523 Origin Is Unreachable](https://http.dev/523): Fix Cloudflare 523 Origin Is Unreachable. Diagnose DNS resolution failures and incorrect origin IP configurations. - [524 A Timeout Occurred](https://http.dev/524): Fix Cloudflare 524 A Timeout Occurred. Diagnose slow origin responses, timeout limits, and long-running processes. - [525 SSL Handshake Failed](https://http.dev/525): Fix Cloudflare 525 SSL Handshake Failed. Diagnose TLS negotiation failures, cipher mismatches, and certificate setup. - [526 Invalid SSL Certificate](https://http.dev/526): Fix Cloudflare 526 Invalid SSL Certificate. Diagnose expired, untrusted, or mismatched origin certificates. - [527 Railgun Listener to Origin](https://http.dev/527): Understand Cloudflare 527 Railgun Listener to Origin errors. Learn the deprecated Railgun technology and its replacement. - [529 The Service Is Overloaded](https://http.dev/529): Fix 529 The Service Is Overloaded errors. Understand server-wide overload vs rate limiting, with backoff strategies. - [530 Site Frozen](https://http.dev/530): Fix 530 errors from Cloudflare, Pantheon, and Shopify. Diagnose 1XXX sub-errors, frozen sites, and DNS resolution issues. - [531 Upstream Connection Error](https://http.dev/531): Fix Edgio 531 Upstream Connection Error. Diagnose TCP failures, origin server crashes, and firewall blocking. - [532 Response Too Large](https://http.dev/532): Fix Edgio 532 Response Too Large errors. Understand the 6 MB serverless response limit and how to reduce payload size. - [533 Upstream TLS Error](https://http.dev/533): Fix Edgio 533 Upstream TLS Error. Diagnose TLS handshake failures between Edgio edge servers and the origin. - [534 Application Error](https://http.dev/534): Fix Edgio 534 Application Error. Diagnose serverless function crashes, unhandled exceptions, and malformed responses. - [535 Unknown Application](https://http.dev/535): Fix Edgio 535 Unknown Application errors. Diagnose Host header mismatches and missing project hostname registration. - [536 HTTP Response Timeout](https://http.dev/536): Fix Edgio 536 HTTP Response Timeout. Diagnose origin servers failing to respond within the timeout window. - [537 DNS Resolution Error](https://http.dev/537): Fix Edgio 537 DNS Resolution Error. Diagnose origin hostname typos, expired DNS records, and provider outages. - [538 Request Loop](https://http.dev/538): Fix Edgio 538 Request Loop errors. Diagnose routing loops, circular CNAME records, and origin misconfiguration. - [539 Serverless Timeout](https://http.dev/539): Fix Edgio 539 Serverless Timeout errors. Diagnose functions exceeding the 20-second runtime limit and optimize. - [540 Temporarily Disabled](https://http.dev/540): Fix 540 errors from Shopify, Akamai EAA, and Edgio. Diagnose disabled endpoints, connectivity issues, and resource limits. - [541 Out of Workers](https://http.dev/541): Fix Edgio 541 Out of Workers errors. Diagnose serverless capacity limits and traffic scaling strategies. - [542 Database Error / Header Overflow](https://http.dev/542): Fix 542 errors: Akamai EAA Internal Database Error and Edgio Header Overflow. Diagnose causes and resolution steps. - [543 Communication Error / Upstream Timeout](https://http.dev/543): Fix 543 errors: Akamai EAA IdP Communication Error and Edgio Global Upstream Timeout. Causes and resolution. - [544 Management Error / Invalid Host Header](https://http.dev/544): Fix 544 errors: Akamai EAA Management Communication Error and Edgio Invalid Host Header. Causes and resolution. - [545 Authentication Error / Component Not Ready](https://http.dev/545): Fix 545 errors: Akamai EAA Authentication Internal Error and Edgio Component Not Ready. Causes and troubleshooting. - [546 Unknown Application / TLS Error](https://http.dev/546): Fix 546 errors: Akamai EAA Unknown Application and Edgio TLS Error. Diagnose causes and resolution steps. - [547 No HTTP Response](https://http.dev/547): Fix Edgio 547 No HTTP Response errors. Diagnose global POP failures and edge-to-global communication issues. - [548 Invalid Response / DNS Resolution Error](https://http.dev/548): Fix 548 errors: Akamai EAA Invalid Response and Edgio DNS Resolution Error. Diagnose causes and resolution steps. - [549 Authentication Gateway Error / Application Crash](https://http.dev/549): Fix 549 errors: Akamai EAA Authentication Gateway Error and Edgio Application Crash. Causes and troubleshooting. - [552 Application Unreachable](https://http.dev/552): Fix Akamai EAA 552 Application Unreachable. Diagnose connector-to-origin connection failures and configuration. - [553 Directory Service Error](https://http.dev/553): Fix Akamai EAA 553 Directory Service Error. Diagnose Kerberos authentication failures and SPN configuration issues. - [554 Authentication Token Error](https://http.dev/554): Fix Akamai EAA 554 Authentication Token Error. Diagnose rejected Kerberos service tickets and SPNEGO token issues. - [555 Application Does Not Support Kerberos](https://http.dev/555): Fix Akamai EAA 555 Application Does Not Support Kerberos. Diagnose missing Negotiate headers and SSO configuration. - [556 Unexpected Authentication Challenge](https://http.dev/556): Fix Akamai EAA 556 Unexpected Authentication Challenge. Diagnose login URI misconfigurations and 401 handling. - [557 KDC Unreachable](https://http.dev/557): Fix Akamai EAA 557 KDC Unreachable errors. Diagnose Kerberos Key Distribution Center connectivity issues. - [558 Connection Limit Stop](https://http.dev/558): Fix Akamai EAA 558 Connection Limit Stop errors. Understand WebSocket connection limits, IP-based rate limiting, and resolution steps. - [559 Connection Limit Stop](https://http.dev/559): Fix Akamai EAA 559 Connection Limit Stop errors. Understand WebSocket connection limits, IP-based rate limiting, and resolution steps. - [561 Unauthorized](https://http.dev/561): Fix 561 errors from AWS ALB, Pantheon, and Akamai EAA. Diagnose authentication failures and site configuration issues. - [562 Credential Error](https://http.dev/562): Fix 562 errors: Akamai EAA Credential Error and AWS ALB JWKS Request Failed. Diagnose NTLM and JWT validation issues. - [598 Network Read Timeout Error](https://http.dev/598): Understand 598 Network Read Timeout Error: an informal proxy status for read timeouts behind upstream servers. - [599 Network Connect Timeout Error](https://http.dev/599): Understand 599 Network Connect Timeout Error: an informal proxy status for TCP connection timeouts to upstream servers. ## HTTP Testing Tools - [HTTP Status Tester](https://http.app/): Live test HTTP responses, redirect chains and status codes for one or multiple URLs - [HTTP Compression Check](https://httpcompression.com/): Check if HTTP compression is enabled for any URL - [HTTP Caching Check](https://httpcaching.com/): Check if HTTP caching is properly configured for any URL - [HTTP/2 Check](https://http2test.com/): Check if HTTP/2 is enabled for any URL - [HTTP/3 Check](https://http3test.com/): Check if HTTP/3 is enabled for any URL - [HTTP Response API](https://http.codes/): Test how your code reacts to varying HTTP responses with different status codes, methods, headers, JSON and delayed responses - [URL Parse API](https://urlparse.com/): Parse any URL into its components - [Content-Type Check](https://contenttype.net/): Validate HTTP Content-Type headers and MIME types for any URL ## HTTP Headers - [A-IM](https://http.dev/a-im): Request delta-encoded responses with the A-IM header. Instance manipulations, bandwidth savings, and implementation details. - [Accept](https://http.dev/accept): Negotiate response media types with the Accept header. Quality values, wildcards, content negotiation flow, and examples. - [Accept-CH](https://http.dev/accept-ch): Opt in to Client Hints with Accept-CH. Request device, network, and preference data from browsers. Syntax and examples. - [Accept-CH-Lifetime](https://http.dev/accept-ch-lifetime): Understand the legacy Accept-CH-Lifetime header, removed before Client Hints was finalized. History and modern alternatives. - [Accept-Charset](https://http.dev/accept-charset): Understand why Accept-Charset is deprecated and why UTF-8 replaced charset negotiation. History, syntax, and migration guidance. - [Accept-Datetime](https://http.dev/accept-datetime): Request archived web snapshots with Accept-Datetime and the Memento protocol. Syntax, TimeGate flow, and examples. - [Accept-Encoding](https://http.dev/accept-encoding): Negotiate compression with Accept-Encoding. Supported algorithms, quality values, syntax, and server-side implementation. - [Accept-Language](https://http.dev/accept-language): Negotiate content language with Accept-Language. BCP 47 tags, quality values, server handling, and examples. - [Accept-Patch](https://http.dev/accept-patch): Advertise supported PATCH formats with Accept-Patch. Media types, API discovery, error handling, and usage examples. - [Accept-Post](https://http.dev/accept-post): Advertise accepted POST media types with Accept-Post. API discovery, supported formats, and implementation examples. - [Accept-Ranges](https://http.dev/accept-ranges): Enable resumable downloads with Accept-Ranges. Partial requests, byte serving, streaming, and server setup. - [Accept-Signature](https://http.dev/accept-signature): Negotiate HTTP Message Signatures with Accept-Signature. Algorithm preferences, covered components, and usage examples. - [Access-Control-Allow-Credentials](https://http.dev/access-control-allow-credentials): Send cookies and credentials in CORS requests with Access-Control-Allow- Credentials. Setup, pitfalls, and fixes. - [Access-Control-Allow-Headers](https://http.dev/access-control-allow-headers): Permit custom headers in CORS requests with Access-Control-Allow-Headers. Preflight setup, wildcards, and examples. - [Access-Control-Allow-Methods](https://http.dev/access-control-allow-methods): Allow HTTP methods in CORS preflight with Access-Control-Allow-Methods. Syntax, wildcard rules, and server configuration. - [Access-Control-Allow-Origin](https://http.dev/access-control-allow-origin): Control cross-origin access with Access-Control-Allow-Origin. Wildcards, dynamic origins, CORS errors, and fixes. - [Access-Control-Expose-Headers](https://http.dev/access-control-expose-headers): Expose custom response headers to JavaScript in CORS with Access-Control- Expose-Headers. Syntax and examples. - [Access-Control-Max-Age](https://http.dev/access-control-max-age): Cache CORS preflight results with Access-Control-Max-Age. Reduce latency, set TTL, and understand browser limits. - [Access-Control-Request-Headers](https://http.dev/access-control-request-headers): Understand Access-Control-Request-Headers in CORS preflight. How browsers list non-safelisted headers and server handling. - [Access-Control-Request-Method](https://http.dev/access-control-request-method): Understand Access-Control-Request-Method in CORS preflight. How browsers declare the intended HTTP method to the server. - [Age](https://http.dev/age): Measure cache freshness with the Age header. How CDNs and proxies report elapsed time since the origin response. - [Akamai-GRN](https://http.dev/akamai-grn): Trace Akamai CDN requests with the Akamai-GRN header. Global Request Number format, log correlation, and debugging. - [Allow](https://http.dev/allow): Advertise supported HTTP methods with the Allow header. Required in 405 responses, OPTIONS handling, and syntax. - [Alt-Svc](https://http.dev/alt-svc): Upgrade connections to HTTP/2 and HTTP/3 with Alt-Svc. Protocol discovery, syntax, QUIC negotiation, and server examples. - [Alt-Used](https://http.dev/alt-used): Identify alternative service connections with Alt-Used. How browsers report Alt-Svc selection back to the server. - [Authentication-Info](https://http.dev/authentication-info): Handle post-authentication data with Authentication-Info. Nonce rotation, mutual auth, and digest scheme details. - [Authorization](https://http.dev/authorization): Send credentials with the Authorization header. Basic, Bearer, and Digest schemes, syntax, and security guidance. - [Available-Dictionary](https://http.dev/available-dictionary): Signal compression dictionary support with Available-Dictionary. Dictionary hashing, encoding flow, and examples. - [Cache-Control](https://http.dev/cache-control): Control browser and CDN caching with Cache-Control directives. Syntax, real-world examples, and best practices. - [Cache-Group-Invalidation](https://http.dev/cache-group-invalidation): Invalidate related cache entries with Cache-Group-Invalidation. Group-based purging, syntax, and flow. - [Cache-Groups](https://http.dev/cache-groups): Group cached responses for coordinated invalidation with Cache-Groups. Named groups, syntax, and examples. - [Cache-Status](https://http.dev/cache-status): Debug cache behavior with Cache-Status. Standardized hit/miss reporting across CDN layers, parameters, and examples. - [Capsule-Protocol](https://http.dev/capsule-protocol): Enable HTTP Datagrams on CONNECT tunnels with Capsule-Protocol. Tunnel negotiation and WebTransport support. - [CDN-Cache-Control](https://http.dev/cdn-cache-control): Set CDN-specific cache rules with CDN-Cache-Control. Separate edge and browser TTLs, and examples. - [CDN-Loop](https://http.dev/cdn-loop): Prevent CDN forwarding loops with CDN-Loop. Detection mechanism, identifier format, and multi-CDN configuration. - [Cf-Cache-Status](https://http.dev/cf-cache-status): Diagnose Cloudflare caching with Cf-Cache-Status. HIT, MISS, DYNAMIC, BYPASS values explained with examples. - [Cf-Edge-Cache](https://http.dev/cf-edge-cache): Cache HTML at Cloudflare's edge with Cf-Edge-Cache. APO integration, WordPress setup, and directive values. - [Cf-Mitigated](https://http.dev/cf-mitigated): Detect Cloudflare challenge pages with Cf-Mitigated. Identify mitigated requests in client-side code and handle Turnstile. - [Cf-Ray](https://http.dev/cf-ray): Trace Cloudflare requests with Cf-Ray. Unique request IDs, data center codes, log correlation, and debugging tips. - [Clear-Site-Data](https://http.dev/clear-site-data): Wipe browser caches, cookies, and storage with Clear-Site-Data. Logout flows, directives, and deployment patterns. - [Client-Cert](https://http.dev/client-cert): Forward mTLS client certificates with Client-Cert. Proxy TLS termination, format, and configuration. - [Client-Cert-Chain](https://http.dev/client-cert-chain): Forward mTLS certificate chains with Client-Cert-Chain. Proxy-to-origin validation, and setup guide. - [Connection](https://http.dev/connection): Manage TCP connection lifecycle with the Connection header. Keep-alive, close, hop-by-hop behavior, and HTTP/2 changes. - [Content-Digest](https://http.dev/content-digest): Verify message integrity with Content-Digest. SHA-256/SHA-512 hashes, Structured Fields format, and examples. - [Content-Disposition](https://http.dev/content-disposition): Trigger file downloads or inline display with Content-Disposition. Attachment, filename encoding, and form data usage. - [Content-Encoding](https://http.dev/content-encoding): Identify response compression with Content-Encoding. gzip, br, zstd algorithms, server setup, and decoding. - [Content-Language](https://http.dev/content-language): Declare content audience language with Content-Language. Language tags, content negotiation, and multilingual setup. - [Content-Length](https://http.dev/content-length): Declare message body size with Content-Length. Byte counting, connection reuse, progress indicators, and gotchas. - [Content-Location](https://http.dev/content-location): Point to the negotiated representation with Content-Location. Difference from Location, caching impact, and examples. - [Content-MD5](https://http.dev/content-md5): Understand the obsolete Content-MD5 integrity header. Removal reasons, security issues, and modern alternatives. - [Content-Range](https://http.dev/content-range): Serve partial content with Content-Range. Byte range syntax, resumable downloads, media streaming, and 206 response flow. - [Content-Security-Policy](https://http.dev/content-security-policy): Prevent XSS and injection attacks with Content-Security-Policy. Directives, source lists, nonces, and deployment. - [Content-Security-Policy-Report-Only](https://http.dev/content-security-policy-report-only): Test CSP policies without blocking with Content-Security-Policy-Report-Only. Violation reports, rollout strategy. - [Content-Type](https://http.dev/content-type): Declare media types with Content-Type. MIME types, charset parameter, content negotiation, and MIME sniffing risks. - [Cookie](https://http.dev/cookie): Send stored cookies to the server with the Cookie header. Name-value pairs, session management, and security rules. - [Critical-CH](https://http.dev/critical-ch): Force client hint retries with Critical-CH. Ensure essential hints arrive on first load. Syntax and flow. - [Cross-Origin-Embedder-Policy](https://http.dev/cross-origin-embedder-policy): Enable cross-origin isolation with COEP. Require-corp, credentialless modes, SharedArrayBuffer access, and setup. - [Cross-Origin-Embedder-Policy-Report-Only](https://http.dev/cross-origin-embedder-policy-report-only): Test COEP policies without breaking resources. Collect violation reports before enforcing cross-origin isolation. - [Cross-Origin-Opener-Policy](https://http.dev/cross-origin-opener-policy): Isolate browsing contexts with COOP. Prevent cross-origin window access, enable SharedArrayBuffer, and Spectre protection. - [Cross-Origin-Opener-Policy-Report-Only](https://http.dev/cross-origin-opener-policy-report-only): Test COOP policies without breaking popups. Collect violation reports before enforcing opener isolation. - [Cross-Origin-Resource-Policy](https://http.dev/cross-origin-resource-policy): Protect resources from cross-origin embedding with CORP. Block no-cors requests, Spectre defense, and setup. - [Date](https://http.dev/date): Understand the HTTP Date header and how origin servers timestamp responses. Role in cache freshness calculations and proxy behavior. - [Delta-Base](https://http.dev/delta-base): Understand the Delta-Base header and how delta encoding identifies the base ETag for computing response differences. A-IM integration. - [Deprecation](https://http.dev/deprecation): Learn how the Deprecation header signals API resource phase-out dates. Syntax, format, and migration strategies for API versioning transitions. - [Device-Memory](https://http.dev/device-memory): Learn how the Device-Memory client hint reports approximate device RAM. Adapt content delivery based on memory constraints with examples. - [Dictionary-ID](https://http.dev/dictionary-id): Understand the Dictionary-ID header and how compression dictionaries reference cached data for smaller payloads. Syntax and examples. - [Digest](https://http.dev/digest): Learn about the deprecated Digest header and its Content-Digest and Repr-Digest successors. Integrity verification syntax and migration guidance. - [DNT](https://http.dev/dnt): Understand the deprecated DNT (Do Not Track) request header. History, syntax, browser removal, and the GPC replacement. - [Document-Isolation-Policy](https://http.dev/document-isolation-policy): Learn how Document-Isolation-Policy enables crossOriginIsolation without COOP and COEP. Access SharedArrayBuffer on a per-document basis. - [Document-Isolation-Policy-Report-Only](https://http.dev/document-isolation-policy-report-only): Test Document-Isolation-Policy without enforcement. Detect cross-origin subresource violations and collect reports before deploying isolation. - [Document-Policy](https://http.dev/document-policy): Learn how Document-Policy controls rendering behavior, resource limits, and performance within pages. Syntax and iframe enforcement. - [Downlink](https://http.dev/downlink): Understand the Downlink client hint reporting connection bandwidth in Mbps. Adapt server responses to network speed with examples. - [DPoP](https://http.dev/dpop): Learn how DPoP binds OAuth access tokens to client key pairs, preventing token theft and replay attacks. Syntax and examples. - [DPoP-Nonce](https://http.dev/dpop-nonce): Understand how DPoP-Nonce adds server-side replay protection to DPoP proof JWTs. Nonce lifecycle, error handling, and implementation examples. - [Early-Data](https://http.dev/early-data): Understand the Early-Data header and TLS 1.3 zero round-trip requests. Learn how to handle 0-RTT replay risks for safe and unsafe HTTP methods. - [ECT](https://http.dev/ect): Learn how the ECT client hint classifies network connections into effective types. Adapt content delivery based on real connection performance. - [Edge-Control](https://http.dev/edge-control): Learn how Edge-Control configures caching on Akamai CDN edge servers independently of browser Cache-Control. Directives, syntax, and real-world patterns. - [ETag](https://http.dev/etag): Learn how ETag identifiers enable cache revalidation and concurrency control. Strong vs. weak ETags, syntax, and conditional request patterns. - [Expect](https://http.dev/expect): Understand the Expect header and the 100 Continue mechanism for large uploads. Save bandwidth by validating request headers before sending the body. - [Expect-CT](https://http.dev/expect-ct): Learn about the legacy Expect-CT header and Certificate Transparency enforcement. Why browsers no longer need Expect-CT and when to remove the header. - [Expires](https://http.dev/expires): Understand the Expires header and timestamp-based cache freshness. Learn how Expires interacts with Cache-Control and when to use each approach. - [Feature-Policy](https://http.dev/feature-policy): Learn about the deprecated Feature-Policy header and its Permissions-Policy replacement. Migration guide, syntax differences, and browser API controls. - [Forwarded](https://http.dev/forwarded): Learn how the Forwarded header preserves client IP and proxy details through intermediaries. The standardized replacement for X-Forwarded-For. - [From](https://http.dev/from): Understand the From header and how bots and crawlers identify their operators. Best practices for automated agents and server-side handling. - [GLB-X-Seen-By](https://http.dev/glb-x-seen-by): Understand the GLB-X-Seen-By header from WordPress.com and how Automattic's global load balancer layer traces request routing through its infrastructure. - [Host](https://http.dev/host): Understand the required Host header in HTTP/1.1 requests. Learn how virtual hosting works, syntax rules, and how servers resolve target domains. - [Host-Header](https://http.dev/host-header): Learn about the Host-Header response from shared hosting providers. How CDN backends expose hosting account identifiers and security implications. - [HTTP2-Settings](https://http.dev/http2-settings): The deprecated HTTP2-Settings header carried HTTP/2 connection parameters during h2c cleartext upgrades. Now obsoleted in favor of modern HTTP/2 negotiation. - [If-Match](https://http.dev/if-match): Understand the If-Match header and ETag- based conditional requests. Prevent lost updates with optimistic concurrency control in PUT and DELETE operations. - [If-Modified-Since](https://http.dev/if-modified-since): Learn how If-Modified-Since enables date- based cache revalidation for GET and HEAD requests. Reduce bandwidth with conditional responses and 304 status. - [If-None-Match](https://http.dev/if-none-match): Learn how If-None-Match validates cached resources using ETags. Implement cache revalidation and prevent overwrites with conditional requests. - [If-Range](https://http.dev/if-range): Learn how If-Range makes range requests conditional for safe download resumption. Get partial content or the full resource without 412 errors. - [If-Unmodified-Since](https://http.dev/if-unmodified-since): Understand If-Unmodified-Since and how date-based preconditions prevent lost updates. Guard PUT and DELETE operations against concurrent modifications. - [IM](https://http.dev/im): Understand the IM response header and instance-manipulations in delta encoding. Learn how servers report applied transformations in 226 IM Used responses. - [Incremental](https://http.dev/incremental): Control how proxies and CDNs forward streaming HTTP responses with the Incremental header. Syntax, intermediary behavior, and real-world examples. - [Keep-Alive](https://http.dev/keep-alive): Learn how the Keep-Alive header controls persistent connection parameters in HTTP/1.1. Configure timeout and max request limits to reduce latency. - [Last-Event-ID](https://http.dev/last-event-id): Learn how Last-Event-ID enables automatic Server-Sent Events stream resumption after disconnects. Implement reliable SSE reconnection without data loss. - [Last-Modified](https://http.dev/last-modified): Understand the Last-Modified header and date-based cache validation. Learn how servers report modification timestamps for conditional request workflows. - [Link](https://http.dev/link): Learn how the Link header provides early resource hints, preloading, and relation metadata in HTTP responses. Syntax, rel types, and performance patterns. - [Link-Template](https://http.dev/link-template): Learn how Link-Template describes parameterized URIs using URI templates. Build dynamic API navigation and collection links with variables. - [Location](https://http.dev/location): Understand how the Location header drives HTTP redirects and signals newly created resources. Syntax, redirect types, and examples. - [Max-Forwards](https://http.dev/max-forwards): Understand how Max-Forwards limits proxy hops for TRACE and OPTIONS requests. Diagnose routing issues and map intermediary chains. - [Memento-Datetime](https://http.dev/memento-datetime): Understand how the Memento-Datetime header identifies when a web archive captured a snapshot. Syntax and Wayback Machine usage. - [MIME-Version](https://http.dev/mime-version): Understand why the MIME-Version header still appears in HTTP responses despite being unnecessary. Email origins, current usage, and removal guidance. - [NEL](https://http.dev/nel): Configure Network Error Logging with the NEL header to detect DNS, TLS, and TCP failures affecting real users. Syntax, report format, and examples. - [No-Vary-Search](https://http.dev/no-vary-search): Use No-Vary-Search to tell caches which URL query parameters to ignore during matching. Improve prefetch hits and cache efficiency with examples. - [Onion-Location](https://http.dev/onion-location): The Onion-Location header advertises a site's Tor hidden service address. Setup, Tor Browser integration, and deployment examples. - [Origin](https://http.dev/origin): Understand how the Origin request header identifies where a request came from for CORS. Syntax, browser behavior, and server-side validation. - [Origin-Agent-Cluster](https://http.dev/origin-agent-cluster): Origin-Agent-Cluster isolates an origin into its own browser process. Performance benefits, security implications, and syntax. - [Origin-Trial](https://http.dev/origin-trial): Use the Origin-Trial header to enable experimental browser features in production. Token format, registration process, and implementation guide. - [P3P](https://http.dev/p3p): Understand the legacy P3P header and its role in Internet Explorer's third-party cookie decisions. History, policy tokens, and why it persists. - [Panel](https://http.dev/panel): Understand the Panel response header used by hosts like Hostinger to identify the control panel managing a server. Values and security notes. - [Permissions-Policy](https://http.dev/permissions-policy): Implement Permissions-Policy to control which browser features a site and embedded iframes access. Directives, allowlists, and examples. - [Ping-From](https://http.dev/ping-from): Understand the Ping-From request header sent during hyperlink auditing to identify the clicking page. Syntax, browser support, and privacy implications. - [Ping-To](https://http.dev/ping-to): Understand the Ping-To request header sent during hyperlink auditing to identify the navigation destination. Browser support, syntax, and privacy implications. - [Platform](https://http.dev/platform): Understand the Platform response header used by hosts like Hostinger to identify the infrastructure serving a site. Values and security notes. - [Powered-By](https://http.dev/powered-by): Understand the Powered-By response header identifying the technology stack serving a site. Common values, security risks, and removal steps. - [Pragma](https://http.dev/pragma): Understand the legacy Pragma header and its relationship to Cache-Control. HTTP/1.0 backward compatibility, when to send, and when to drop. - [Prefer](https://http.dev/prefer): Use the Prefer request header to communicate optional processing preferences to servers. Tokens, return preferences, and real-world API examples. - [Preference-Applied](https://http.dev/preference-applied): Understand how the Preference-Applied header confirms which Prefer request preferences the server honored. Syntax and usage examples. - [Priority](https://http.dev/priority): Use the Priority header to control HTTP/2 and HTTP/3 resource loading order. Urgency, incremental delivery, and Fetch Priority integration. - [Proxy-Authenticate](https://http.dev/proxy-authenticate): Understand how Proxy-Authenticate challenges clients to provide proxy credentials with a 407 response. Authentication schemes, syntax, and proxy chain examples. - [Proxy-Authentication-Info](https://http.dev/proxy-authentication-info): Understand how Proxy-Authentication-Info returns auth parameters after successful proxy authentication. Nonce rotation, mutual auth, and scheme details. - [Proxy-Authorization](https://http.dev/proxy-authorization): Use the Proxy-Authorization header to send credentials to a proxy server after a 407 challenge. Authentication schemes, syntax, and chain behavior. - [Proxy-Status](https://http.dev/proxy-status): Use Proxy-Status to understand how each intermediary handled a request. Syntax, error types, CDN debugging, and real-world examples. - [Public-Key-Pins](https://http.dev/public-key-pins): Understand the deprecated Public-Key- Pins (HPKP) header for pinning TLS certificate keys. Why browsers removed HPKP and what replaced the mechanism. - [Public-Key-Pins-Report-Only](https://http.dev/public-key-pins-report-only): Understand the deprecated Public-Key- Pins-Report-Only header for reporting HPKP violations without blocking connections. History and alternatives. - [Purpose](https://http.dev/purpose): Understand how the Purpose header flags prefetch and prerender requests from browser speculative loading. Server handling and Sec-Purpose link. - [Range](https://http.dev/range): Use the Range header to request partial content from a server. Byte-range syntax, multipart responses, resume downloads, and streaming examples. - [RateLimit](https://http.dev/ratelimit): Understand the RateLimit response header reporting available quota and reset time per policy. Structured Fields syntax, parameters, and examples. - [RateLimit-Limit](https://http.dev/ratelimit-limit): Understand the RateLimit-Limit header reporting the maximum request quota in a rate limit window. Structured Fields syntax, policies, and examples. - [RateLimit-Policy](https://http.dev/ratelimit-policy): Understand the RateLimit-Policy header advertising server quota policies. Quota, window, unit, and partition parameters with Structured Fields examples. - [RateLimit-Remaining](https://http.dev/ratelimit-remaining): Understand the RateLimit-Remaining header reporting how many requests are left in the current window. Syntax and client pacing strategies. - [RateLimit-Reset](https://http.dev/ratelimit-reset): Understand the RateLimit-Reset header reporting seconds until the rate limit window resets. Delta-seconds format and retry strategy examples. - [Referer](https://http.dev/referer): Understand how the Referer header identifies the linking page in HTTP requests. Analytics, access control, privacy risks, and Referrer-Policy interaction. - [Referrer-Policy](https://http.dev/referrer-policy): Implement Referrer-Policy to control what referrer information browsers send. Directive options, privacy implications, and deployment examples. - [Refresh](https://http.dev/refresh): Understand the Refresh header for timed page reloads and client-side redirects. Syntax, meta-equiv equivalent, SEO impact, and accessibility considerations. - [Replay-Nonce](https://http.dev/replay-nonce): Understand how the Replay-Nonce header prevents replay attacks in the ACME certificate protocol. Nonce lifecycle, JWS integration, and error handling. - [Report-To](https://http.dev/report-to): Configure Report-To endpoint groups for browser reporting of CSP violations and network errors. JSON syntax, NEL integration, and Reporting-Endpoints migration. - [Reporting-Endpoints](https://http.dev/reporting-endpoints): Configure Reporting-Endpoints to receive CSP violations, deprecation warnings, and crash reports from browsers. Syntax, setup, and migration from Report-To. - [Repr-Digest](https://http.dev/repr-digest): Use the Repr-Digest header to verify representation integrity independent of content encoding. Algorithms, Content-Digest comparison, and usage examples. - [Request-Context](https://http.dev/request-context): Understand the Request-Context header used by Azure Application Insights for distributed tracing across services. Key-value syntax and correlation. - [Retry-After](https://http.dev/retry-after): Use the Retry-After header to tell clients when to retry after 429 or 503 responses. Delta-seconds, HTTP- date formats, and bot handling tips. - [RTT](https://http.dev/rtt): Understand the RTT client hint header reporting network round-trip time. Adaptive content delivery, privacy rounding, and server-side usage. - [Save-Data](https://http.dev/save-data): Signal reduced data usage preferences with Save-Data. Implement adaptive content delivery for images, fonts, and scripts on bandwidth-constrained connections. - [Sec-CH-Prefers-Color-Scheme](https://http.dev/sec-ch-prefers-color-scheme): Detect light or dark mode preferences server-side with Sec-CH-Prefers-Color-Scheme. Eliminate theme flashes by delivering pre-themed responses. - [Sec-CH-Prefers-Reduced-Motion](https://http.dev/sec-ch-prefers-reduced-motion): Respect motion sensitivity preferences server-side with Sec-CH-Prefers-Reduced-Motion. Deliver animation-free stylesheets to users who need them. - [Sec-CH-UA](https://http.dev/sec-ch-ua): Identify browsers reliably with Sec-CH-UA. Understand brand lists, GREASE values, and the structured replacement for User-Agent parsing. - [Sec-CH-UA-Arch](https://http.dev/sec-ch-ua-arch): Identify CPU architecture with Sec-CH-UA-Arch. Serve correct binaries and platform-specific downloads for x86, ARM, and other architectures. - [Sec-CH-UA-Bitness](https://http.dev/sec-ch-ua-bitness): Detect 32-bit or 64-bit platforms with Sec-CH-UA-Bitness. Offer the right installer and binary format for each user's system. - [Sec-CH-UA-Full-Version-List](https://http.dev/sec-ch-ua-full-version-list): Get full browser version strings with Sec-CH-UA-Full-Version-List. Access complete version data for analytics, compatibility checks, and debugging. - [Sec-CH-UA-Mobile](https://http.dev/sec-ch-ua-mobile): Detect mobile devices server-side with Sec-CH-UA-Mobile. The reliable mobile signal after User-Agent reduction froze device tokens. - [Sec-CH-UA-Model](https://http.dev/sec-ch-ua-model): Get the device model name with Sec-CH-UA-Model. Retrieve hardware identifiers for analytics and device-specific content delivery. - [Sec-CH-UA-Platform](https://http.dev/sec-ch-ua-platform): Identify the operating system with Sec-CH-UA-Platform. A low-entropy client hint sent automatically for platform-aware content delivery. - [Sec-CH-UA-Platform-Version](https://http.dev/sec-ch-ua-platform-version): Get the OS version number with Sec-CH-UA-Platform-Version. Detect Windows, macOS, and Android versions for compatibility-aware responses. - [Sec-Fetch-Dest](https://http.dev/sec-fetch-dest): Identify request destinations with Sec-Fetch-Dest. Enforce resource isolation policies by verifying how fetched resources will be used. - [Sec-Fetch-Mode](https://http.dev/sec-fetch-mode): Distinguish navigation from API requests with Sec-Fetch-Mode. Build server-side security policies based on how the browser initiated each fetch. - [Sec-Fetch-Site](https://http.dev/sec-fetch-site): Enforce origin-based access policies with Sec-Fetch-Site. Determine if requests are same-origin, same-site, cross-site, or user-initiated. - [Sec-Fetch-User](https://http.dev/sec-fetch-user): Verify user-initiated navigations with Sec-Fetch-User. Detect whether a navigation was triggered by a click, form submission, or keyboard action. - [Sec-GPC](https://http.dev/sec-gpc): Implement Global Privacy Control with Sec-GPC. Handle opt-out signals for data sale and sharing under CCPA and other privacy regulations. - [Sec-Purpose](https://http.dev/sec-purpose): Identify prefetch and prerender requests with Sec-Purpose. Handle speculative loading on the server by deferring side effects and analytics. - [Sec-Speculation-Tags](https://http.dev/sec-speculation-tags): Track speculation rule sources with Sec-Speculation-Tags. Distinguish CDN-injected from site-owned prefetch and prerender requests on the server. - [Sec-WebSocket-Accept](https://http.dev/sec-websocket-accept): Complete the WebSocket handshake with Sec-WebSocket-Accept. Understand the SHA-1 hash computation confirming server-side protocol support. - [Sec-WebSocket-Extensions](https://http.dev/sec-websocket-extensions): Negotiate WebSocket extensions with Sec-WebSocket-Extensions. Configure permessage-deflate compression and other frame-level capabilities. - [Sec-WebSocket-Key](https://http.dev/sec-websocket-key): Initiate WebSocket connections with Sec-WebSocket-Key. Understand the base64 nonce preventing accidental HTTP-to-WebSocket upgrades. - [Sec-WebSocket-Protocol](https://http.dev/sec-websocket-protocol): Negotiate WebSocket subprotocols with Sec-WebSocket-Protocol. Select application-level protocols like GraphQL, MQTT, or custom formats. - [Sec-WebSocket-Version](https://http.dev/sec-websocket-version): Specify the WebSocket protocol version with Sec-WebSocket-Version. Handle version negotiation and 426 responses during the upgrade handshake. - [Server](https://http.dev/server): Identify server software with the Server header. Understand product token syntax, security risks of version exposure, and best practices. - [Server-Timing](https://http.dev/server-timing): Expose backend performance metrics with Server-Timing. Surface database, cache, and rendering durations in browser DevTools and JavaScript. - [Set-Cookie](https://http.dev/set-cookie): Manage HTTP cookies with Set-Cookie. Configure attributes for security, scope, expiration, SameSite policy, and cross-site behavior. - [Shopify-Complexity-Score](https://http.dev/shopify-complexity-score): Monitor Shopify GraphQL query costs with Shopify-Complexity-Score. Identify expensive queries before they trigger rate limits. - [Signature](https://http.dev/signature): Sign HTTP messages cryptographically with the Signature header. Verify request and response integrity using message signatures. - [Signature-Agent](https://http.dev/signature-agent): Authenticate crawlers with Signature-Agent. Identify signed bot requests by their key directory using the Web Bot Auth protocol. - [Signature-Input](https://http.dev/signature-input): Declare signed HTTP message components with Signature-Input. Specify covered fields, algorithms, and parameters for HTTP message signatures. - [SourceMap](https://http.dev/sourcemap): Link minified code to original sources with the SourceMap header. Debug transpiled JavaScript and CSS in browser DevTools. - [Speculation-Rules](https://http.dev/speculation-rules): Speed up navigations with the Speculation-Rules header. Deliver prefetch and prerender rules via external JSON for instant page loads. - [Strict-Transport-Security](https://http.dev/strict-transport-security): Force HTTPS connections with Strict-Transport-Security. Configure HSTS max-age, includeSubDomains, preload, and prevent downgrade attacks. - [Sunset](https://http.dev/sunset): Announce API deprecation dates with the Sunset header. Give clients advance notice before endpoints become unavailable. - [Supports-Loading-Mode](https://http.dev/supports-loading-mode): Opt into cross-origin prerendering and fenced frames with Supports-Loading-Mode. Enables advanced speculative loading contexts for pages. - [Surrogate-Control](https://http.dev/surrogate-control): Set CDN-specific caching rules with Surrogate-Control. Separate edge cache directives from browser Cache-Control policies. - [Surrogate-Key](https://http.dev/surrogate-key): Tag cached responses for bulk purging with Surrogate-Key. Invalidate thousands of CDN cache entries by tag instead of URL. - [TE](https://http.dev/te): Declare transfer encoding preferences with the TE header. Negotiate chunked trailers and compression between client and server. - [Timing-Allow-Origin](https://http.dev/timing-allow-origin): Share cross-origin performance data with Timing-Allow-Origin. Grant access to Resource Timing API metrics for third-party resources. - [Traceparent](https://http.dev/traceparent): Propagate distributed traces with Traceparent. Understand the W3C Trace Context format for trace IDs, span IDs, and sampling flags. - [Traceresponse](https://http.dev/traceresponse): Return server trace context to clients with Traceresponse. Close the observability loop in distributed tracing systems. - [Tracestate](https://http.dev/tracestate): Carry vendor-specific tracing data with Tracestate. Extend W3C Trace Context with system-specific metadata across service boundaries. - [Trailer](https://http.dev/trailer): Announce trailing header fields with the Trailer header. Send checksums, signatures, and status after the chunked message body. - [Transfer-Encoding](https://http.dev/transfer-encoding): Encode message bodies for safe transfer with Transfer-Encoding. Understand chunked encoding, hop-by- hop semantics, and streaming responses. - [Upgrade](https://http.dev/upgrade): Switch protocols on an existing connection with the Upgrade header. Negotiate WebSocket, HTTP/2, and TLS upgrades over HTTP/1.1. - [Upgrade-Insecure-Requests](https://http.dev/upgrade-insecure-requests): Upgrade HTTP resources to HTTPS with Upgrade-Insecure-Requests. Signal browser support for automatic insecure URL rewriting via CSP. - [Use-As-Dictionary](https://http.dev/use-as-dictionary): Enable shared dictionary compression with Use-As-Dictionary. Store responses as reusable compression dictionaries for smaller transfers. - [User-Agent](https://http.dev/user-agent): Identify client software with User-Agent. Parse product tokens, understand UA reduction, and implement bot detection strategies. - [Vary](https://http.dev/vary): Control cache variants with the Vary header. Tell caches which request headers affect the response to store and serve correct representations. - [Via](https://http.dev/via): Track proxy and gateway hops with the Via header. Detect routing loops and identify intermediate protocols in the request chain. - [Want-Content-Digest](https://http.dev/want-content-digest): Request content integrity hashes with Want-Content-Digest. Negotiate hash algorithms for verifying message body integrity. - [Want-Digest](https://http.dev/want-digest): Understand the deprecated Want-Digest header and its modern replacements: Want-Content-Digest and Want-Repr-Digest. - [Want-Repr-Digest](https://http.dev/want-repr-digest): Request representation integrity hashes with Want-Repr-Digest. Negotiate algorithms for verifying pre-encoding content integrity. - [Warning](https://http.dev/warning): Understand the removed Warning header and why HTTP/1.1 cache warnings were dropped from the standard. Migration guidance included. - [WWW-Authenticate](https://http.dev/www-authenticate): Challenge clients for credentials with WWW-Authenticate. Configure Basic, Bearer, Digest, and other authentication schemes on 401 responses. - [X-AC](https://http.dev/x-ac): Decode Automattic cache routing with X-AC. Understand server numbers, data center codes, and cache status tokens on WordPress.com. - [X-Adblock-Key](https://http.dev/x-adblock-key): Bypass ad blocking for compliant ads with X-Adblock-Key. Authenticate Acceptable Ads participation using cryptographic site keys. - [X-Akamai-Transformed](https://http.dev/x-akamai-transformed): Detect Akamai edge transformations with X-Akamai-Transformed. Identify image optimization, compression, and format changes applied at the CDN. - [X-Amz-Cf-Id](https://http.dev/x-amz-cf-id): Trace CloudFront requests with X-Amz-Cf-Id. Use the encrypted request identifier for AWS support troubleshooting and log correlation. - [X-Amz-Cf-Pop](https://http.dev/x-amz-cf-pop): Identify CloudFront edge locations with X-Amz-Cf-Pop. Verify CDN routing and geographic distribution using IATA-based PoP codes. - [X-Amz-Id-2](https://http.dev/x-amz-id-2): Identify S3 hosts with X-Amz-Id-2. Use the extended request ID for AWS support cases and S3 request tracing. - [X-Amz-Request-Id](https://http.dev/x-amz-request-id): Trace Amazon S3 requests with X-Amz-Request-Id. Reference the unique identifier in support cases and CloudWatch log correlation. - [X-Amz-Server-Side-Encryption](https://http.dev/x-amz-server-side-encryption): Verify S3 encryption with X-Amz-Server-Side-Encryption. Identify AES-256, AWS KMS, and DSSE-KMS algorithms on stored objects. - [X-Amz-Version-Id](https://http.dev/x-amz-version-id): Track S3 object versions with X-Amz-Version-Id. Retrieve, restore, and manage versioned objects in S3 buckets. - [X-Amzn-RequestId](https://http.dev/x-amzn-requestid): Trace AWS API calls with X-Amzn-RequestId. Correlate requests across API Gateway, Lambda, DynamoDB, and other AWS services. - [X-Amzn-Trace-Id](https://http.dev/x-amzn-trace-id): Trace requests across AWS with X-Amzn-Trace-Id. Propagate X-Ray trace identifiers through ALB, API Gateway, and backend services. - [X-AspNet-Version](https://http.dev/x-aspnet-version): Understand X-AspNet-Version and why exposing ASP.NET runtime versions aids attackers. Remove this header in production deployments. - [X-AspNetMvc-Version](https://http.dev/x-aspnetmvc-version): Understand X-AspNetMvc-Version and why exposing ASP.NET MVC versions is a security risk. Remove this header in production. - [X-Azure-Ref](https://http.dev/x-azure-ref): Trace Azure Front Door requests with X-Azure-Ref. Use the opaque identifier for Azure support cases and diagnostic log correlation. - [X-B3-TraceId](https://http.dev/x-b3-traceid): Propagate Zipkin traces with X-B3-TraceId. Understand B3 propagation format and migration to the W3C Traceparent standard. - [X-Cache](https://http.dev/x-cache): Check CDN cache status with X-Cache. Determine if a response was a HIT, MISS, or served from origin across different CDN providers. - [X-Cache-Group](https://http.dev/x-cache-group): Identify CDN cache tiers with X-Cache-Group. See which caching policy group was applied to a specific response. - [X-Cache-Hits](https://http.dev/x-cache-hits): Monitor cache popularity with X-Cache-Hits. See how many times a resource has been served from each CDN cache layer. - [X-Cache-Miss-From](https://http.dev/x-cache-miss-from): Identify cache miss locations with X-Cache-Miss-From. Pinpoint which CDN node or pod had to fetch from origin. - [X-Cache-Status](https://http.dev/x-cache-status): Debug cache behavior with X-Cache-Status. Understand HIT, MISS, STALE, BYPASS, and other granular cache state values. - [X-Cacheable](https://http.dev/x-cacheable): Check cache eligibility with X-Cacheable. Determine whether a CDN or reverse proxy considers the response eligible for caching. - [X-CDN](https://http.dev/x-cdn): Identify the serving CDN with X-CDN. Detect which edge network or WAF provider delivered the response. - [X-Clacks-Overhead](https://http.dev/x-clacks-overhead): The X-Clacks-Overhead header is a Terry Pratchett memorial Easter egg. Origin, syntax, and server setup. - [X-Cloud-Trace-Context](https://http.dev/x-cloud-trace-context): Trace requests on Google Cloud with X-Cloud-Trace-Context. Propagate trace and span IDs across GCP services and Cloud Trace. - [X-Content-Security-Policy](https://http.dev/x-content-security-policy): Understand the legacy X-Content-Security-Policy header and why to migrate to the standard Content-Security-Policy header. - [X-Content-Type-Options](https://http.dev/x-content-type-options): Prevent MIME sniffing attacks with X-Content-Type-Options: nosniff. Force browsers to respect the declared Content-Type on every response. - [X-ContextId](https://http.dev/x-contextid): Identify hosting contexts with X-ContextId. Understand the opaque account identifier exposed by multi-tenant hosting platforms. - [X-Correlation-Id](https://http.dev/x-correlation-id): Correlate distributed requests with X-Correlation-Id. Track transactions across microservices, proxies, and logging systems. - [X-DC](https://http.dev/x-dc): Trace data center routing with X-DC. Identify which cloud regions and infrastructure tiers handled a request. - [X-DNS-Prefetch-Control](https://http.dev/x-dns-prefetch-control): Control DNS prefetching with X-DNS-Prefetch-Control. Enable or disable speculative DNS resolution for links on the page. - [X-Domain](https://http.dev/x-domain): Identify the matched virtual host with X-Domain. Debug multi-tenant proxy configurations and domain routing in CDN environments. - [X-Download-Options](https://http.dev/x-download-options): Block direct file opening with X-Download-Options: noopen. Prevent downloaded files from executing in the hosting site's security context. - [X-Drupal-Cache](https://http.dev/x-drupal-cache): Debug Drupal page caching with X-Drupal-Cache. Verify Internal Page Cache HIT and MISS status on anonymous requests. - [X-Drupal-Dynamic-Cache](https://http.dev/x-drupal-dynamic-cache): Debug Drupal render caching with X-Drupal-Dynamic-Cache. Monitor HIT, MISS, and UNCACHEABLE states for personalized content. - [X-Envoy-Upstream-Service-Time](https://http.dev/x-envoy-upstream-service-time): Measure upstream latency with X-Envoy-Upstream-Service-Time. Get Envoy proxy timing for backend service request processing. - [X-Fastly-Request-Id](https://http.dev/x-fastly-request-id): Trace Fastly CDN requests with X-Fastly-Request-Id. Correlate edge logs and debug delivery issues using unique request identifiers. - [X-FB-Debug](https://http.dev/x-fb-debug): Understand Meta's X-FB-Debug header. Decode the CDN debug token found on Facebook, Instagram, and WhatsApp responses. - [X-Forwarded-For](https://http.dev/x-forwarded-for): Preserve client IP addresses through proxies with X-Forwarded-For. Parse IP chains, handle spoofing risks, and migrate to the Forwarded header. - [X-Forwarded-Host](https://http.dev/x-forwarded-host): Preserve the original hostname with X-Forwarded-Host. Recover the client-facing Host value behind reverse proxies and load balancers. - [X-Forwarded-Proto](https://http.dev/x-forwarded-proto): Detect the original protocol with X-Forwarded-Proto. Identify HTTP vs HTTPS connections behind TLS- terminating proxies and load balancers. - [X-Frame-Options](https://http.dev/x-frame-options): Prevent clickjacking with X-Frame-Options. Control frame embedding with DENY, SAMEORIGIN, and the CSP frame-ancestors alternative. - [X-Generator](https://http.dev/x-generator): Identify the CMS or site generator with X-Generator. Understand the security implications and how to remove this header in production. - [X-GitHub-Request-Id](https://http.dev/x-github-request-id): Trace GitHub API and web requests with X-GitHub-Request-Id. Reference the unique identifier in support tickets and debugging. - [X-Hacker](https://http.dev/x-hacker): Understand the X-Hacker Easter egg header. A recruitment message from WordPress.com and Automattic hidden in HTTP responses. - [X-Host](https://http.dev/x-host): Preserve original hostnames with X-Host. Pass the client-facing hostname to backends when proxies rewrite the Host header. - [X-IInfo](https://http.dev/x-iinfo): Decode Imperva request metadata with X-IInfo. Understand the encoded session and request identifiers from Imperva's WAF and CDN. - [X-IPLB-Instance](https://http.dev/x-iplb-instance): Identify OVHcloud load balancer nodes with X-IPLB-Instance. Debug routing and failover in OVH IP Load Balancing infrastructure. - [X-IPLB-Request-Id](https://http.dev/x-iplb-request-id): Trace OVHcloud requests with X-IPLB-Request-Id. Correlate load balancer logs using the unique request identifier. - [X-LiteSpeed-Cache](https://http.dev/x-litespeed-cache): Verify LiteSpeed cache status with X-LiteSpeed-Cache. Debug hit, miss, and bypass states in the LSCache engine. - [X-LiteSpeed-Cache-Control](https://http.dev/x-litespeed-cache-control): Configure LiteSpeed-specific caching with X-LiteSpeed-Cache-Control. Set TTL, public/private scope, and ESI directives for LSCache. - [X-LiteSpeed-Tag](https://http.dev/x-litespeed-tag): Tag cached responses for purging with X-LiteSpeed-Tag. Manage LSCache invalidation using content-based cache tags. - [X-Matched-Path](https://http.dev/x-matched-path): Debug Next.js routing with X-Matched-Path. See which route pattern matched the incoming request on Vercel deployments. - [X-Meta-Site-Id](https://http.dev/x-meta-site-id): Identify Wix sites with X-Meta-Site-Id. Understand the permanent UUID assigned to each site on the Wix platform. - [X-Middleware-Rewrite](https://http.dev/x-middleware-rewrite): Debug Next.js middleware rewrites with X-Middleware-Rewrite. See the internal destination path after URL rewriting in middleware. - [X-MS-Request-Id](https://http.dev/x-ms-request-id): Trace Azure service requests with X-MS-Request-Id. Reference the unique identifier for Azure support and diagnostic log correlation. - [X-Nextjs-Cache](https://http.dev/x-nextjs-cache): Debug Next.js page caching with X-Nextjs-Cache. Monitor HIT, STALE, and MISS states for static and ISR pages. - [X-Nextjs-Prerender](https://http.dev/x-nextjs-prerender): Identify pre-rendered Next.js pages with X-Nextjs-Prerender. Confirm static generation and incremental static regeneration status. - [X-Nextjs-Stale-Time](https://http.dev/x-nextjs-stale-time): Control Next.js Router Cache freshness with X-Nextjs-Stale-Time. Set how long prefetched page data stays valid client-side. - [X-Nf-Request-Id](https://http.dev/x-nf-request-id): Trace Netlify requests with X-Nf-Request-Id. Correlate edge logs and debug deployment issues using unique request identifiers. - [X-Pcrew-Blocked-Reason](https://http.dev/x-pcrew-blocked-reason): Understand ParkingCrew blocking with X-Pcrew-Blocked-Reason. See why the domain monetization platform filtered a specific request. - [X-Pcrew-Ip-Organization](https://http.dev/x-pcrew-ip-organization): Identify visitor networks with X-Pcrew-Ip-Organization. See the organization name resolved from the client IP by ParkingCrew. - [X-Permitted-Cross-Domain-Policies](https://http.dev/x-permitted-cross-domain-policies): Control cross-domain policy files with X-Permitted-Cross-Domain-Policies. Restrict Adobe Acrobat data loading permissions across domain boundaries. - [X-Pingback](https://http.dev/x-pingback): Advertise the XML-RPC pingback endpoint with X-Pingback. Understand WordPress pingbacks, security risks, and how to disable the header. - [X-Powered-By](https://http.dev/x-powered-by): Understand X-Powered-By and why exposing server technology aids attackers. Remove this header across frameworks and platforms. - [X-Proxy-Cache](https://http.dev/x-proxy-cache): Check reverse proxy cache status with X-Proxy-Cache. Verify HIT, MISS, and BYPASS states from Nginx and other proxy servers. - [X-RateLimit-Limit](https://http.dev/x-ratelimit-limit): Check API rate limits with X-RateLimit-Limit. See the maximum requests allowed per window and implement client-side throttling. - [X-RateLimit-Remaining](https://http.dev/x-ratelimit-remaining): Track remaining API quota with X-RateLimit-Remaining. Monitor request allowance and throttle clients before hitting limits. - [X-RateLimit-Reset](https://http.dev/x-ratelimit-reset): Know when rate limits reset with X-RateLimit-Reset. Schedule retries using the window reset timestamp from API responses. - [X-Real-IP](https://http.dev/x-real-ip): Get the true client IP with X-Real-IP. Pass the original address through Nginx and other reverse proxies to backend servers. - [X-Redirect](https://http.dev/x-redirect): Debug redirect routing with X-Redirect. Identify internal redirect configurations and deployment phases in Azure and other platforms. - [X-Redirect-By](https://http.dev/x-redirect-by): Identify redirect sources with X-Redirect-By. Debug which WordPress plugin, application, or component initiated a redirect. - [X-Request-ID](https://http.dev/x-request-id): Trace distributed requests with X-Request-ID. Correlate logs across proxies, load balancers, and microservices with unique identifiers. - [X-Robots-Tag](https://http.dev/x-robots-tag): Control search engine indexing with X-Robots-Tag. Apply noindex, nofollow, and other directives to any response type via HTTP headers. - [X-Runtime](https://http.dev/x-runtime): Measure server processing time with X-Runtime. Monitor request duration in Ruby on Rails and other frameworks for performance analysis. - [X-Seen-By](https://http.dev/x-seen-by): Trace WordPress.com infrastructure hops with X-Seen-By. See which Automattic internal nodes handled a request. - [X-Served-By](https://http.dev/x-served-by): Identify serving cache nodes with X-Served-By. See which CDN edge servers or cache tiers delivered the response. - [X-ShardId](https://http.dev/x-shardid): Identify Shopify database shards with X-ShardId. Understand pod-based data distribution in Shopify's multi-tenant architecture. - [X-ShopId](https://http.dev/x-shopid): Identify Shopify stores with X-ShopId. Reference the numeric shop identifier for API debugging and support requests. - [X-SiteId](https://http.dev/x-siteid): Identify sites in multi-tenant platforms with X-SiteId. Map responses to specific site configurations for debugging. - [X-Sorting-Hat-PodId](https://http.dev/x-sorting-hat-podid): Identify Shopify pods with X-Sorting-Hat-PodId. Understand request routing in Shopify's podded multi-tenant infrastructure. - [X-Sorting-Hat-ShopId](https://http.dev/x-sorting-hat-shopid): Route Shopify requests with X-Sorting-Hat-ShopId. Understand how the Sorting Hat load balancer maps shops to pods. - [X-Storefront-Renderer-Rendered](https://http.dev/x-storefront-renderer-rendered): Confirm Shopify storefront rendering with X-Storefront-Renderer-Rendered. Verify pages were rendered by the storefront pipeline, not from cache. - [X-Sucuri-Id](https://http.dev/x-sucuri-id): Identify Sucuri edge nodes with X-Sucuri-Id. Determine which WAF and CDN point of presence handled the request. - [X-Timer](https://http.dev/x-timer): Analyze Fastly edge timing with X-Timer. Decode internal timestamps for cache lookup, origin fetch, and response delivery phases. - [X-Turbo-Charged-By](https://http.dev/x-turbo-charged-by): Identify LiteSpeed-cached responses with X-Turbo-Charged-By. Confirm the LiteSpeed web server and its built-in cache engine are active. - [X-UA-Compatible](https://http.dev/x-ua-compatible): Understand the legacy X-UA-Compatible header for Internet Explorer rendering modes. When to keep and when to remove this IE-era header. - [X-Varnish](https://http.dev/x-varnish): Debug Varnish Cache behavior with X-Varnish. Decode transaction IDs to identify cache hits, misses, and request processing paths. - [X-Vercel-Cache](https://http.dev/x-vercel-cache): Debug Vercel CDN caching with X-Vercel-Cache. Understand HIT, MISS, STALE, PRERENDER, and other cache status values. - [X-Vercel-Id](https://http.dev/x-vercel-id): Trace Vercel edge requests with X-Vercel-Id. Identify the region and edge node for debugging deployment and routing issues. - [X-Version](https://http.dev/x-version): Understand X-Version and why exposing application versions aids attackers. Security implications and removal guidance for production. - [X-WebKit-CSP](https://http.dev/x-webkit-csp): Understand the legacy X-WebKit-CSP header and why to migrate to the standard Content-Security-Policy header. - [X-Wix-Cache-Control](https://http.dev/x-wix-cache-control): Configure Wix CDN caching with X-Wix-Cache-Control. Set max-age, no-cache, and other cache directives for the Wix edge layer. - [X-Wix-Request-Id](https://http.dev/x-wix-request-id): Trace Wix platform requests with X-Wix-Request-Id. Reference the numeric identifier for Wix support and debugging. - [X-WS-RateLimit-Limit](https://http.dev/x-ws-ratelimit-limit): Check WordPress.com API rate limits with X-WS-RateLimit-Limit. See the maximum requests allowed per window on Automattic infrastructure. - [X-WS-RateLimit-Remaining](https://http.dev/x-ws-ratelimit-remaining): Track remaining WordPress.com API quota with X-WS-RateLimit-Remaining. Monitor request allowance before hitting rate limits. - [X-XSS-Protection](https://http.dev/x-xss-protection): Understand the deprecated X-XSS-Protection header. Why browser XSS auditors were removed and how CSP replaces them.