Common request headers and Response headers in HTTP message headers

Source: Internet
Author: User
Tags: base64, http, authentication, ranges

As a web developer it is necessary to be familiar with the common HTTP request and response headers. For example, the request header Content-Type specifies the type of the request body: if the type is application/x-www-form-urlencoded, you can call the request object's getParameter method to fetch the parameters; for any other type you need to read the request body as a stream. Another example is the response header X-Frame-Options, which directly determines whether your page can be embedded in an iframe on a page from a different origin; this setting can be made in the HTML page, in the framework or application code that writes the response header, or in the HTTP server configuration (Nginx, Tomcat, and so on).

Common Standard Request Header fields

Accept Sets the content types the client is willing to accept

Accept-Charset Sets the character encodings the client is willing to accept

Accept-Encoding Sets the content encodings the client is willing to accept

Accept-Encoding: gzip, deflate

Accept-Datetime Sets the point in time whose version of the resource the client wants

Accept-Datetime: Thu, 20:35:00 GMT

Accept-Language Sets the languages the client is willing to accept

Authorization Carries the credentials for HTTP authentication

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Cache-Control Sets directives that all caching mechanisms along the request/response chain must obey

Connection Sets control options for the current connection and lists the hop-by-hop request header fields

Content-Length Sets the byte length of the request body

Content-MD5 Sets the Base64-encoded MD5 digest of the request body

Content-Type Sets the MIME type of the request body (for POST and PUT requests)

Cookie Sends back the HTTP cookies that the server previously set with Set-Cookie

Cookie: $Version=1; Skin=new;

Date Sets the date and time at which the message was sent

Date: Tue, 1994 08:12:31 GMT

Expect Indicates particular server behaviours that the client requires

Forwarded Discloses information about the original client when the request reaches the web service through an HTTP proxy

Forwarded: for=, for=

From Sets the email address of the user making the request

From: [Email protected]

Host Sets the server's domain name and TCP port number; the port number can be omitted when the service uses its standard port

If-Match Sets the client's ETag; the request is executed only when the client's ETag matches the ETag generated by the server. Useful for updating a resource only if it has not changed since it was last fetched

If-Match: "737060cd8c284d8af7ad3082f209582d"

If-Modified-Since Sets an update time; if the resource has not changed between that time and the moment the server receives the request, the server may return 304 Not Modified

If-Modified-Since: Sat, Oct 1994 19:43:31 GMT

If-None-Match Sets the client's ETag; if it matches the ETag the server generates when it receives the request, the server may return 304 Not Modified

If-None-Match: "737060cd8c284d8af7ad3082f209582d"

If-Range Sets the client's ETag; if it matches the server's ETag, the server returns only the missing part of the entity, otherwise it returns the entire new entity

If-Range: "737060cd8c284d8af7ad3082f209582d"

If-Unmodified-Since Sets an update time; the server sends a response only if the entity has not been modified between that time and the moment it receives the request

If-Unmodified-Since: Sat, Oct 1994 19:43:31 GMT
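The conditional headers above are evaluated by the server in a fixed order. The following is an added example (not code from the original article) of that evaluation for a single stored resource; the resource record, the modification time and all request header dicts are constructed for the example, and the ETag is the one used throughout the article.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed resource state: the article's ETag plus a fixed modification
# time (the article's own date examples have the day elided).
RESOURCE = {
    "etag": '"737060cd8c284d8af7ad3082f209582d"',
    "last_modified": datetime(1994, 10, 29, 19, 43, 31, tzinfo=timezone.utc),
}

def _etag_matches(header_value, current_etag):
    """True if the header lists '*' or the resource's current ETag."""
    tags = [t.strip() for t in header_value.split(",")]
    return "*" in tags or current_etag in tags

def _parse_http_date(value):
    """Parse 'Sat, 29 Oct 1994 19:43:31 GMT' style dates; None if absent/invalid."""
    if value is None:
        return None
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def evaluate_conditions(method, headers, resource=RESOURCE):
    """Return 200 (proceed), 304 Not Modified or 412 Precondition Failed.
    Evaluation order follows RFC 7232: If-Match, then If-Unmodified-Since
    (only when If-Match is absent), then If-None-Match, then
    If-Modified-Since (only when If-None-Match is absent, GET/HEAD only).
    """
    h = {k.lower(): v for k, v in headers.items()}
    etag, mtime = resource["etag"], resource["last_modified"]
    safe = method in ("GET", "HEAD")
    if "if-match" in h:
        if not _etag_matches(h["if-match"], etag):
            return 412  # someone else changed the resource: lost-update guard
    else:
        ius = _parse_http_date(h.get("if-unmodified-since"))
        if ius is not None and mtime > ius:
            return 412
    if "if-none-match" in h:
        if _etag_matches(h["if-none-match"], etag):
            return 304 if safe else 412  # cached copy is still current
        return 200
    ims = _parse_http_date(h.get("if-modified-since"))
    if safe and ims is not None and mtime <= ims:
        return 304
    return 200
```

A malformed date header is ignored rather than rejected, which is what RFC 7232 asks for.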

Max-Forwards Limits the number of times the message can be forwarded by proxies or gateways

Origin Initiates a request for cross-origin resource sharing (the server answers with the Access-Control-Allow-Origin response field)

Pragma An implementation-specific field that may have various effects anywhere along the request/response chain

Proxy-Authorization Carries authorization credentials for connecting to a proxy

Proxy-Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Range Requests only part of an entity by giving the byte range wanted, as described in HTTP/1.1 byte serving

Referer Sets the address of the previous web page from which a link to the currently requested page was followed: if the current request is sent from page A, Referer is the URL of page A. (Aside: the correct spelling of the word is "referrer", but it was misspelled "Referer" in the specifications, so the misspelling has become the standard usage.)

TE Sets the transfer encodings the user agent is willing to accept; corresponds to the Transfer-Encoding field in the response

TE: trailers, deflate

Upgrade Asks the server to upgrade to another protocol

Upgrade: HTTP/2.0, HTTPS/1.3, IRC/6.9, RTA/x11, websocket

User-Agent The user agent string of the client

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/21.0

Via Informs the server of the proxies through which the request was sent

Via: 1.0 fred, 1.1 (Apache/1.1)

Warning A general warning about possible problems with the entity body

Warning: 199 Miscellaneous warning

Common non-standard request header fields

X-Requested-With Identifies Ajax requests; most JavaScript frameworks set it to XMLHttpRequest when sending requests

DNT Requests that a web application disable tracking of the user

DNT: 1 (Do Not Track enabled)
DNT: 0 (Do Not Track disabled)

X-Forwarded-For A de facto standard for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer

X-Forwarded-For: client1, proxy1, proxy2

X-Forwarded-Host A de facto standard for identifying the original host requested by the client in the Host request header, since the host name or port of the reverse proxy may differ from the origin server handling the request

X-Forwarded-Proto A de facto standard for identifying the originating protocol of an HTTP request, since a reverse proxy or load balancer may talk to the web server over HTTP even though the request to the reverse proxy used HTTPS
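Because every proxy appends to X-Forwarded-For and the client can seed the list with anything it likes, a server behind proxies must read the header from the right and only discard hops it knows to be its own. The following is an added example (not from the original article) of that resolution next to the naive leftmost-entry version; the trusted proxy network and all addresses are constructed for the example.

```python
import ipaddress

# Constructed trusted-proxy ranges: the networks our own load balancers and
# reverse proxies connect from. Anything outside them is an untrusted hop.
TRUSTED_PROXIES = ["10.0.0.0/8"]

def parse_xff(header_value):
    """Split 'client1, proxy1, proxy2' into a list of address strings."""
    if not header_value:
        return []
    return [p.strip() for p in header_value.split(",") if p.strip()]

def _is_trusted(addr, trusted_networks):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed entry: not one of ours, stop the walk here
    return any(ip in net for net in trusted_networks)

def client_ip(remote_addr, xff_header, trusted_proxies=TRUSTED_PROXIES):
    """Return the originating client address as far as it can be trusted.

    remote_addr is the TCP peer and cannot be forged by the client. Each
    X-Forwarded-For entry was appended by the proxy that received the
    request, so the list is trustworthy only from the right, and only as
    far as the chain of proxies we control; everything further left was
    written by a party we do not control and may be spoofed.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    if not _is_trusted(remote_addr, nets):
        return remote_addr  # direct connection: ignore the header entirely
    for hop in reversed(parse_xff(xff_header)):
        if not _is_trusted(hop, nets):
            return hop
    # Every hop is one of our proxies, so the request started inside them.
    return remote_addr

def naive_client_ip(remote_addr, xff_header):
    """The common mistake: trust the leftmost entry, which the client chooses."""
    hops = parse_xff(xff_header)
    return hops[0] if hops else remote_addr
```

The same right-to-left rule applies to X-Forwarded-Proto and X-Forwarded-Host: honour them only when the peer is one of your own proxies.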


Front-End-Https A non-standard header field used by Microsoft applications and load balancers

Front-End-Https: on

X-HTTP-Method-Override Asks a web application to override the method specified in the request (usually POST) with the method given in this header field (usually PUT or DELETE). This can be used when a user agent or firewall cannot send requests with the PUT or DELETE method directly

X-ATT-DeviceId Allows easier parsing of the make/model/firmware of the user agent on AT&T devices

X-Wap-Profile Sets the location of an XML file on the network that describes the details of the currently connecting device

Proxy-Connection A misnomer from early HTTP versions, arising from mistaken implementations; the standard Connection field is used now

X-UIDH A unique ID inserted by server-side deep packet inspection to identify Verizon Wireless customers

X-UIDH: ...

X-CSRF-Token, X-CSRFToken, X-XSRF-TOKEN Used to prevent cross-site request forgery

X-Request-ID, X-Correlation-ID Identify an HTTP request between client and server


Common standard response header fields

Access-Control-Allow-Origin Specifies which sites may participate in cross-origin resource sharing

Access-Control-Allow-Origin: *

Accept-Patch Specifies the patch document formats supported by the server, for the HTTP PATCH method

Accept-Ranges The partial content range types the server supports through byte serving

Age The number of seconds the object has been held in a proxy cache

Allow Sets the valid methods for a specific resource; used with the HTTP 405 Method Not Allowed error

Allow: GET, HEAD

Alt-Svc The server uses the "Alt-Svc" (alternative services) header to indicate that its resources can also be reached at a different network location or through a different network protocol

Alt-Svc: h2=""; ma=7200

Cache-Control Tells all caching mechanisms from server to client whether they may cache this object and for how many seconds

Connection Sets control options for the current connection and lists the hop-by-hop response header fields

Content-Disposition Tells the client to show a file download dialog, and can specify the file name to download

Content-Disposition: attachment; filename="fname.ext"

Content-Encoding Sets the encoding used on the data

Content-Language Sets the natural language or intended audience language of the enclosed content

Content-Length The byte length of the response body

Content-Location Sets an alternate location for the returned data

Content-MD5 Sets the Base64-encoded MD5 digest of the response body

Content-Range Indicates where this partial response body belongs in the complete message body

Content-Range: bytes 21010-47021/47022

Content-Type Sets the MIME type of the response body

Content-Type: text/html; charset=utf-8

Date Sets the date and time at which the message was sent

Date: Tue, 1994 08:12:31 GMT

ETag An identifier for a specific version of a resource, usually a message digest

ETag: "737060cd8c284d8af7ad3082f209582d"

Expires Sets the time after which the response body is considered stale

Expires: Thu, Dec 1994 16:00:00 GMT

Last-Modified Sets the last modified date of the requested object

Last-Modified: Tue, 1994 12:45:26 GMT

Link Sets typed relationships with other resources

Link: </feed>; rel="alternate"

Location Used in redirection, or when a new resource has been created

P3P Sets a P3P (Platform for Privacy Preferences Project) policy in the form P3P: CP="your_compact_policy". Most browsers do not fully support P3P; many sites set fake policy content to trick browsers that honour P3P policies into accepting their third-party cookies

P3P: CP="This is not a P3P policy! See for more info."

Pragma An implementation-specific field that may have various effects anywhere along the request/response chain

Proxy-Authenticate Sets the authentication required to access the proxy

Public-Key-Pins Sets the TLS public-key pins that are authorized for the site

Public-Key-Pins: max-age=2592000; pin-sha256="e9cz9indbd+2erqozyqqbq2yxlvkb9+xcprmf+44u1g=";

Refresh Used in redirection or when a new resource has been created; the same effect can be achieved with a meta tag in the page head, which most browsers support
<meta http-equiv="refresh" content="5; url=">

Refresh: 5; url=

Retry-After If the entity is temporarily unavailable, this tells the client when to retry, either as a period in seconds or as an HTTP date

Example 1: Retry-After: 120
Example 2: Retry-After: Fri, 23:59:59 GMT

Server The name of the server software

Server: Apache/2.4.1 (Unix)

Set-Cookie Sets an HTTP cookie

Set-Cookie: UserID=JohnDoe; Max-Age=3600; Version=1

Status Sets the HTTP response status

Status: 200 OK

Strict-Transport-Security An HSTS policy that tells the HTTP client how long to cache the HTTPS-only policy and whether it applies to subdomains

Strict-Transport-Security: max-age=16070400; includeSubDomains

Trailer Identifies the header fields that will appear in the trailer of a message sent with chunked transfer coding

Transfer-Encoding Sets the encoding used to transfer the entity; currently supported values: chunked, compress, deflate, gzip, identity

TSV Tracking Status Value, sent in response to a DNT (Do Not Track) request; possible values:
"!" - under construction
"G" - gateway to multiple parties
"N" - not tracking
"C" - tracking with consent
"P" - tracking only if consented
"D" - disregarding DNT

Upgrade Asks the client to upgrade to another protocol

Upgrade: HTTP/2.0, HTTPS/1.3, IRC/6.9, RTA/x11, websocket

Vary Tells downstream proxies how to match future request headers to decide whether the cached response can be used instead of requesting a fresh one from the origin server

Example 1: Vary: *
Example 2: Vary: Accept-Language

Via Informs the client of the proxies through which the response was sent

Via: 1.0 fred, 1.1 (Apache/1.1)

Warning A general warning about possible problems with the entity body

Warning: 199 Miscellaneous warning

WWW-Authenticate Indicates the authentication scheme that should be used to access the requested entity

X-Frame-Options Clickjacking protection:
deny: do not render in any frame
sameorigin: do not render if the origin does not match
allow-from: allow rendering only from the specified location
allowall: non-standard, allows rendering from any location

Common non-standard response header fields

X-XSS-Protection Cross-site scripting filter

X-XSS-Protection: 1; mode=block

Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP Define the content security policy

X-WebKit-CSP: default-src 'self'

X-Content-Type-Options The only value is ""; it prevents Internet Explorer from sniffing the response as a MIME type other than the declared content type
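The protective response headers listed above (X-Frame-Options, Strict-Transport-Security, Content-Security-Policy and X-Content-Type-Options) are easy to set weakly, for example with the non-standard ALLOWALL value or with only a legacy X-WebKit-CSP header. The following is an added example (not from the original article) of a small audit function over a response's header set; both sample header sets and the one-year HSTS threshold are this example's own choices.

```python
# Constructed sample responses: one set weakly, one hardened. HTTP header
# names are case-insensitive, so the audit lower-cases them first.
WEAK_HEADERS = {
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=16070400",
    "X-WebKit-CSP": "default-src 'self'",
}
HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
}

def _hsts_params(value):
    """Parse 'max-age=N; includeSubDomains' into (max_age, include_subdomains)."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            max_age = int(val)
        elif name.lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def audit_security_headers(headers, min_hsts_age=31536000):
    """Return a list of findings; an empty list means nothing to report."""
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    findings = []
    xfo = h.get("x-frame-options", "").lower()
    if xfo.startswith("allow-from") or xfo == "allowall":
        findings.append("X-Frame-Options %s: ALLOW-FROM is obsolete and ALLOWALL is non-standard; use DENY or SAMEORIGIN" % xfo.upper())
    elif xfo not in ("deny", "sameorigin"):
        findings.append("X-Frame-Options missing: page can be framed by other origins (clickjacking)")
    if "strict-transport-security" not in h:
        findings.append("Strict-Transport-Security missing: no HSTS policy")
    else:
        max_age, subdomains = _hsts_params(h["strict-transport-security"])
        if max_age is None or max_age < min_hsts_age:
            findings.append("HSTS max-age below %d seconds" % min_hsts_age)
        if not subdomains:
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: MIME sniffing possible")
    if "content-security-policy" not in h:
        legacy = [n for n in ("x-content-security-policy", "x-webkit-csp") if n in h]
        findings.append("Content-Security-Policy missing" + (" (only legacy %s set)" % ", ".join(legacy) if legacy else ""))
    return findings
```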


X-Powered-By Specifies the technology supporting the web application

X-UA-Compatible Recommends the preferred rendering engine to present the content, often for backward compatibility, and is also used to activate the Chrome Frame plugin embedded in Internet Explorer
<meta http-equiv="X-UA-Compatible" content="chrome=1" />

X-Content-Duration Provides the duration of audio or video content in seconds; supported only by Gecko-based browsers

Upgrade-Insecure-Requests Indicates whether the server can handle the HTTPS protocol

X-Request-ID, X-Correlation-ID Identify a request between client and server

