HTTP Headers Reference

Startups Reporter

A comprehensive guide to HTTP headers and their directives, detailing how they control web communication, security, caching, and performance.

HTTP headers are fundamental components of web communication, enabling clients and servers to exchange metadata about requests and responses. This reference covers essential headers, their functions, and directive options.

Age

Indicates the time in seconds that the object has spent in a proxy cache. A value of 0 typically means the response came directly from the origin server.

Alt-Svc

Specifies alternative services available for the requested resource.

Directives

  • clear: Remove cached alternative service information
  • host: Authority (host:port) of the alternative service
  • h2/h3: Application-Layer Protocol Negotiation (ALPN) identifiers
  • ma: Maximum validity duration in seconds

Cache-Control

Controls caching mechanisms for requests and responses.

Directives

  • max-age: Response freshness duration (seconds)
  • public: Allows caching by any cache
  • private: Restricts caching to user's local cache
  • no-cache: Requires revalidation before use
  • no-store: Prevents caching entirely
  • s-maxage: Shared cache freshness duration
  • no-transform: Prohibits modification of content
  • must-revalidate: Requires cache validation
  • proxy-revalidate: Requires shared cache validation
  • immutable: Indicates unchanging content
  • stale-while-revalidate: Allows stale responses during revalidation
  • stale-if-error: Serves stale content on origin errors

Content-Encoding

Specifies compression format for message bodies.

Directives

  • gzip: GNU zip compression
  • deflate: DEFLATE compression
  • br: Brotli compression

Content-Security-Policy

Mitigates cross-site scripting risks by controlling which sources the browser is allowed to load resources from.

Directives

  • base-uri: Restricts base URL usage
  • block-all-mixed-content: Blocks HTTP resources on HTTPS pages
  • child-src: Controls workers and frames
  • connect-src: Limits fetch/XHR/WebSocket sources
  • default-src: Fallback for unspecified directives
  • font-src: Governs font loading
  • form-action: Restricts form submission URLs
  • frame-ancestors: Controls embedding origins

Set-Cookie

Transmits cookies from server to client.

Directives

  • name=value: Cookie name and value (the first, mandatory pair)
  • domain: Valid domain scope
  • path: URL path scope
  • expires: Absolute expiration time
  • max-age: Relative expiration (seconds)
  • secure: HTTPS-only transmission
  • HttpOnly: Prevents JavaScript access
  • SameSite: Controls cross-site sending

Strict-Transport-Security

Enforces HTTPS connections.

Directives

  • max-age: Policy duration (seconds)
  • includeSubDomains: Applies to all subdomains
  • preload: Eligibility for browser preload lists

Additional Headers

ETag

Resource version identifier

Vary

Indicates which request headers affect the response, so caches can key on them

X-Content-Type-Options

Prevents MIME sniffing

X-Frame-Options

Controls frame embedding

Connection

Manages TCP connection persistence

Referrer-Policy

Governs Referer header inclusion

Cross-Origin Headers

Handles cross-origin resource policies
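As an added example (not part of the original reference), the Python script below parses a constructed response header block and reports the issues the sections above describe: cookies without Secure, HttpOnly or SameSite, a short Strict-Transport-Security max-age, a public Cache-Control on a response that sets cookies, and a missing Content-Security-Policy or X-Content-Type-Options. The one-year HSTS threshold is an assumption, not a value from this page.

```python
"""Audit a raw HTTP response header block against the header guidance above (added example)."""

# Constructed sample response for the demo; not captured from any real server.
SAMPLE_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Cache-Control: public, max-age=3600",
    "Set-Cookie: session=abc123; Path=/; Secure",
    "Set-Cookie: prefs=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; HttpOnly; SameSite=Lax",
    "Strict-Transport-Security: max-age=300",
    "X-Content-Type-Options: nosniff",
]) + "\r\n\r\n"
ONE_YEAR = 31536000  # assumed minimum HSTS max-age (commonly recommended, not from this page)

def parse_headers(raw):
    """Return (name, value) pairs with lower-cased names; repeated headers (Set-Cookie) are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def directives(value, sep):
    """Split 'a, b=1' (sep=',') or 'a; b=1' (sep=';') into {'a': None, 'b': '1'} with lower-cased keys.
    Set-Cookie must be split on ';' because an Expires date itself contains a comma."""
    out = {}
    for part in value.split(sep):
        if part.strip():
            key, _, val = part.strip().partition("=")
            out[key.strip().lower()] = val.strip() or None
    return out

def audit_headers(raw):
    """Findings for cookie flags, HSTS lifetime, cacheable cookie responses and missing headers."""
    pairs = parse_headers(raw)
    names = {n for n, _ in pairs}
    findings = []
    for name, value in pairs:
        if name == "set-cookie":
            attrs = directives(value, ";")
            cookie = next(iter(attrs))  # first token is the cookie's own name=value
            findings += [f"cookie {cookie}: missing {f}" for f in ("secure", "httponly", "samesite") if f not in attrs]
        elif name == "strict-transport-security":
            max_age = int(directives(value, ";").get("max-age") or 0)
            if max_age < ONE_YEAR:
                findings.append(f"hsts: max-age {max_age} shorter than one year")
        elif name == "cache-control" and "set-cookie" in names:
            d = directives(value, ",")
            if "public" in d and not (d.keys() & {"private", "no-store"}):
                findings.append("cache-control: public response that sets cookies")
    findings += [f"missing header: {h}" for h in ("content-security-policy", "x-content-type-options") if h not in names]
    return findings
```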

This reference covers core HTTP headers essential for optimizing web security, performance, and functionality. For implementation details, consult official HTTP documentation.
