Index

Found 153 pages:

# Page Tags and summary
1 HTTP headers HTTP, HTTP Header, Headers, Networking, Overview, Reference
HTTP headers let the client and the server pass additional information with an HTTP request or response. An HTTP header consists of its case-insensitive name followed by a colon (:), then by its value.
2 Accept HTTP, HTTP Header, Reference, Request header
The Accept request HTTP header advertises which content types, expressed as MIME types, the client is able to understand. Using content negotiation, the server then selects one of the proposals, uses it and informs the client of its choice with the Content-Type response header. Browsers set adequate values for this header depending on the context where the request is done: when fetching a CSS stylesheet a different value is set for the request than when fetching an image, video or a script.
3 Accept-Charset Content Negotiation, HTTP, HTTP Header, Reference, Request header
The Accept-Charset request HTTP header advertises which character encodings the client understands.
4 Accept-Encoding Content Negotiation, HTTP, HTTP Header, Reference, Request header
The Accept-Encoding request HTTP header advertises which content encoding, usually a compression algorithm, the client is able to understand. Using content negotiation, the server selects one of the proposals, uses it and informs the client of its choice with the Content-Encoding response header.
5 Accept-Language Accept-Language, Content Negotiation, HTTP, HTTP Header, Reference, Request header
The Accept-Language request HTTP header advertises which languages the client is able to understand, and which locale variant is preferred. (By languages, we mean natural languages, such as English, and not programming languages.) Using content negotiation, the server then selects one of the proposals, uses it and informs the client of its choice with the Content-Language response header. Browsers set adequate values for this header according to their user interface language and even if a user can change it, this happens rarely (and is frowned upon as it leads to fingerprinting).
6 Accept-Patch HTTP, Reference
The Accept-Patch response HTTP header advertises which media-type the server is able to understand.
7 Accept-Ranges HTTP, HTTP Header, Range Requests, Reference, Response Header
The Accept-Ranges response HTTP header is a marker used by the server to advertise its support of partial requests. The value of this field indicates the unit that can be used to define a range.
8 Access-Control-Allow-Credentials CORS, HTTP, Reference, header
The Access-Control-Allow-Credentials response header tells browsers whether to expose the response to frontend JavaScript code when the request's credentials mode (Request.credentials) is "include".
9 Access-Control-Allow-Headers CORS, HTTP, Reference, Response Header, header
The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request.
10 Access-Control-Allow-Methods CORS, HTTP, Reference, header
The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request.
11 Access-Control-Allow-Origin Access Control, Access-Control-Allow-Origin, CORS, Dealing with CORS, HTTP, HTTP Header, How to Fix CORS, Reference, Security, cross-origin issue, header, origin
The Access-Control-Allow-Origin response header indicates whether the response can be shared with requesting code from the given origin.
12 Access-Control-Expose-Headers CORS, HTTP, Reference, header
The Access-Control-Expose-Headers response header indicates which headers can be exposed as part of the response by listing their names.
13 Access-Control-Max-Age CORS, HTTP, Reference, header
The Access-Control-Max-Age response header indicates how long the results of a preflight request (that is the information contained in the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers) can be cached.
14 Access-Control-Request-Headers CORS, HTTP, Reference, header
The Access-Control-Request-Headers request header is used by browsers when issuing a preflight request, to let the server know which HTTP headers the client might send when the actual request is made.
15 Access-Control-Request-Method CORS, HTTP, Reference, header
The Access-Control-Request-Method request header is used by browsers when issuing a preflight request, to let the server know which HTTP method will be used when the actual request is made. This header is necessary as the preflight request is always an OPTIONS and doesn't use the same method as the actual request.
16 Age Caching, HTTP, Response, header
The Age header contains the time in seconds the object has been in a proxy cache.
17 Allow Entity header, HTTP, HTTP Header, Reference, header
The Allow header lists the set of methods supported by a resource.
18 Alt-Svc Draft, HTTP, HTTP Header, NeedsCompatTable, NeedsContent, NeedsExample, Reference
The Alt-Svc header is used to list alternate ways to reach this website.
19 Authorization HTTP, HTTP Header, Reference, Request header, header
The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header.
20 Cache-Control Cache-Control, General Header, HTTP, HTTP Header, Reference
The Cache-Control general-header field is used to specify directives for caching mechanisms in both requests and responses. Caching directives are unidirectional, meaning that a given directive in a request does not imply that the same directive is to be given in the response.
21 Clear-Site-Data HTTP, HTTP Header, Reference, header
The Clear-Site-Data header clears browsing data (cookies, storage, cache) associated with the requesting website. It allows web developers to have more control over the data stored locally by a browser for their origins.
22 Connection HTTP, Headers, Reference, Web
The Connection general header controls whether or not the network connection stays open after the current transaction finishes. If the value sent is keep-alive, the connection is persistent and not closed, allowing for subsequent requests to the same server to be done.
23 Content-Disposition HTTP, Reference, header
In a multipart/form-data body, the HTTP Content-Disposition general header is a header that can be used on the subpart of a multipart body to give information about the field it applies to. The subpart is delimited by the boundary defined in the Content-Type header. Used on the body itself, Content-Disposition has no effect.
24 Content-Encoding HTTP, Headers, Reference
The Content-Encoding entity header is used to compress the media-type. When present, its value indicates which encodings were applied to the entity-body. It lets the client know how to decode in order to obtain the media-type referenced by the Content-Type header.
25 Content-Language HTTP, Headers, Reference
The Content-Language entity header is used to describe the language(s) intended for the audience, so that it allows a user to differentiate according to the users' own preferred language.
26 Content-Length HTTP, Headers, Reference
The Content-Length entity header indicates the size of the entity-body, in bytes, sent to the recipient.
27 Content-Location HTTP, Reference, header
The Content-Location header indicates an alternate location for the returned data. The principal use is to indicate the URL of a resource transmitted as the result of content negotiation.
28 Content-Range HTTP, HTTP Header, Reference, Response Header, header
The Content-Range response HTTP header indicates where in a full body message a partial message belongs.
29 Content-Security-Policy CSP, HTTP, Reference, Security, header
The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS).
30 CSP: base-uri CSP, Directive, Document directive, HTTP, Security
The HTTP Content-Security-Policy base-uri directive restricts the URLs which can be used in a document's <base> element. If this value is absent, then any URI is allowed. If this directive is absent, the user agent will use the value in the <base> element.
31 CSP: block-all-mixed-content CSP, Content-Security-Policy, Directive, HTTP, Mixed Content, Reference, Security, block-all-mixed-content
The HTTP Content-Security-Policy (CSP) block-all-mixed-content directive prevents loading any assets using HTTP when the page is loaded using HTTPS.
32 CSP: child-src CSP, Child, Content-Security-Policy, Directive, HTTP, Reference, Security, child-src, source
The HTTP Content-Security-Policy (CSP) child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. For workers, non-compliant requests are treated as fatal network errors by the user agent.
33 CSP: connect-src CSP, Content-Security-Policy, Directive, HTTP, Reference, Security, connect-src, source
The HTTP Content-Security-Policy (CSP) connect-src directive restricts the URLs which can be loaded using script interfaces. The APIs that are restricted are:
34 CSP: default-src CSP, Content-Security-Policy, Directive, HTTP, Reference, Security, default, default-src, source
The HTTP Content-Security-Policy (CSP) default-src directive serves as a fallback for the other CSP fetch directives. For each of the following directives that are absent, the user agent will look for the default-src directive and will use this value for it:
35 CSP: font-src CSP, Content-Security-Policy, Directive, HTTP, Reference, Security, font, source
The HTTP Content-Security-Policy (CSP) font-src directive specifies valid sources for fonts loaded using @font-face.
36 CSP: form-action CSP, Content-Security-Policy, Directive, HTTP, Security, action, form, form-action
The HTTP Content-Security-Policy (CSP) form-action directive restricts the URLs which can be used as the target of form submissions from a given context.
37 CSP: frame-ancestors Ancestors, CSP, Content-Security-Policy, Directive, Frame, HTTP, Security, frame-ancestors
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.
38 CSP: frame-src CSP, Content-Security-Policy, Directive, Frame, HTTP, Reference, Security, frame-src, source
The HTTP Content-Security-Policy (CSP) frame-src directive specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>.
39 CSP: img-src CSP, Content-Security-Policy, Directive, HTTP, Image, Reference, Security, img-src, source
The HTTP Content-Security-Policy img-src directive specifies valid sources of images and favicons.
40 CSP: manifest-src CSP, Content-Security-Policy, Directive, HTTP, Manifest, Reference, Security, manifest-src, source
The HTTP Content-Security-Policy: manifest-src directive specifies which manifest can be applied to the resource.
41 CSP: media-src CSP, Content-Security-Policy, Directive, HTTP, Media, Reference, Security, media-src, source
The HTTP Content-Security-Policy (CSP) media-src directive specifies valid sources for loading media using the <audio> and <video> elements.
42 CSP: navigate-to CSP, Content-Security-Policy, Directive, HTTP, Navigation, Reference, Security
The HTTP Content-Security-Policy (CSP) navigate-to directive restricts the URLs to which a document can initiate navigations by any means including <form> (if form-action is not specified), <a>, window.location, window.open, etc. This is an enforcement on what navigations this document initiates not on what this document is allowed to navigate to.
43 CSP: object-src CSP, Content-Security-Policy, Directive, HTTP, Object, Reference, Security, object-src, source
The HTTP Content-Security-Policy object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements.
44 CSP: plugin-types CSP, Content-Security-Policy, Directive, Flash, HTTP, Java, Plugin, Plugins, Security
The HTTP Content-Security-Policy (CSP) plugin-types directive restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded.
45 CSP: prefetch-src CSP, Content Security Policy, Directive, HTTP, Reference, prefetch-src
The HTTP Content-Security-Policy (CSP) prefetch-src directive specifies valid resources that may be prefetched or prerendered.
46 CSP: referrer CSP, Content-Security-Policy, Directive, HTTP, Obsolete, Reference, Security, referrer
The HTTP Content-Security-Policy (CSP) referrer directive used to specify information in the Referer header (with a single r as this was a typo in the original spec) for links away from a page. This API is deprecated and removed from browsers.
47 CSP: report-to CSP, Content Security Policy, Content-Security-Policy, HTTP, Reporting, Security, report-to
The Content-Security-Policy Report-To HTTP response header field instructs the user agent to store reporting endpoints for an origin.
48 CSP: report-uri CSP, Directive, HTTP, Reference, Security
The deprecated HTTP Content-Security-Policy (CSP) report-uri directive instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.
49 CSP: require-sri-for CSP, Directive, HTTP, Obsolete, Reference, Security
The obsolete HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page.
50 CSP: sandbox CSP, Content-Security-Policy, Directive, HTTP, Sandbox, Security
The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy.
51 CSP: script-src CSP, Content, Content-Security-Policy, Directive, HTTP, Reference, Script, Security, script-src, source
The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution.
52 CSP: script-src-attr CSP, Content, Content-Security-Policy, Directive, HTTP, Reference, Script, Security, script-src, source
The HTTP Content-Security-Policy (CSP) script-src-attr directive specifies valid sources for JavaScript inline event handlers. This includes only inline script event handlers like onclick, but not URLs loaded directly into <script> elements.
53 CSP: script-src-elem CSP, Content, Content-Security-Policy, Directive, HTTP, Reference, Script, Security, script-src, source
The HTTP Content-Security-Policy (CSP) script-src-elem directive specifies valid sources for JavaScript <script> elements, but not inline script event handlers like onclick.
54 CSP: style-src CSP, Content, Content-Security-Policy, Directive, HTTP, Reference, Security, Style, source, style-src
The HTTP Content-Security-Policy (CSP) style-src directive specifies valid sources for stylesheets.
55 CSP: style-src-attr CSP, Content, Content-Security-Policy, Directive, HTTP, Reference, Security, Style, source, style-src, style-src-attr
The HTTP Content-Security-Policy (CSP) style-src-attr directive specifies valid sources for inline styles applied to individual DOM elements.
56 CSP: style-src-elem CSP, Content, Content-Security-Policy, Directive, HTTP, Reference, Security, Style, source, style-src, style-src-elem
The HTTP Content-Security-Policy (CSP) style-src-elem directive specifies valid sources for stylesheet <style> elements and <link> elements with rel="stylesheet".
57 CSP: trusted-types
The HTTP Content-Security-Policy (CSP) trusted-types directive instructs user agents to restrict usage of known DOM XSS sinks to a predefined set of functions that only accept non-spoofable, typed values in place of strings. This allows authors to define rules guarding writing values to the DOM and thus reducing the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review. This directive declares a white-list of trusted type policy names created with TrustedTypes.createPolicy from the Trusted Types API.
58 CSP: upgrade-insecure-requests CSP, Content-Security-Policy, Directive, HTTP, Reference, Requests, Security, Upgrade, upgrade-insecure-requests
The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten.
59 CSP: worker-src CSP, Content-Security-Policy, Directive, HTTP, Reference, Security
The HTTP Content-Security-Policy (CSP) worker-src directive specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts.
60 Content-Security-Policy-Report-Only CSP, HTTP, HTTPS, Reference, Security, header
The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.
61 Content-Type Content-Type, Entity header, HTTP, Reference, header
The Content-Type entity header is used to indicate the media type of the resource.
62 Cookie Cookies, HTTP, Reference, header, request
The Cookie HTTP request header contains stored HTTP cookies previously sent by the server with the Set-Cookie header.
63 Cookie2 HTTP, Obsolete, Reference, header, request
The obsolete Cookie2 HTTP request header used to advise the server that the user agent understands "new-style" cookies, but nowadays user agents will use the Cookie header instead, not this one.
64 Cross-Origin-Resource-Policy HTTP, HTTP Header, Reference, Response Header, header
The HTTP Cross-Origin-Resource-Policy response header conveys a desire that the browser blocks no-cors cross-origin/cross-site requests to the given resource.
65 DNT DNT, HTTP, Reference, header
The DNT (Do Not Track) request header indicates the user's tracking preference. It lets users indicate whether they would prefer privacy rather than personalized content.
66 Date General Header, HTTP, Reference, header
The Date general HTTP header contains the date and time at which the message was originated.
67 Digest HTTP, HTTP Header
The Digest response HTTP header provides a digest of the requested resource.
68 ETag HTTP, Reference, Response, header
The ETag HTTP response header is an identifier for a specific version of a resource. It lets caches be more efficient and save bandwidth, as a web server does not need to resend a full response if the content has not changed. Additionally, etags help prevent simultaneous updates of a resource from overwriting each other ("mid-air collisions").
69 Early-Data Client hints, HTTP, header, request
The Early-Data header is set by an intermediary to indicate that the request has been conveyed in TLS early data, and additionally indicates that an intermediary understands the 425 (Too Early) status code. The Early-Data header is not set by the originator of the request (i.e., a browser).
70 Expect HTTP, HTTP Header, Reference, Request header
The Expect HTTP request header indicates expectations that need to be fulfilled by the server in order to properly handle the request.
71 Expect-CT HTTP, Reference, header
The Expect-CT header allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed.
72 Expires Caching, HTTP, Response, header
The Expires header contains the date/time after which the response is considered stale.
73 Feature-Policy Experimental, Feature Policy, Feature-Policy, HTTP, Reference, header
The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.
74 Feature-Policy: accelerometer Accelerometer, Directive, Feature Policy, HTTP, Reference
The HTTP Feature-Policy header accelerometer directive controls whether the current document is allowed to gather information about the acceleration of the device through the Accelerometer interface.
75 Feature-Policy: ambient-light-sensor
The HTTP Feature-Policy header ambient-light-sensor directive controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the AmbientLightSensor interface.
76 Feature-Policy: autoplay Directive, Feature Policy, Feature-Policy, HTTP, Reference, autoplay
The HTTP Feature-Policy header autoplay directive controls whether the current document is allowed to autoplay media requested through the HTMLMediaElement interface.
77 Feature-Policy: camera Directive, Feature Policy, Feature-Policy, HTTP, Reference, camera
The HTTP Feature-Policy header camera directive controls whether the current document is allowed to use video input devices. When this policy is enabled, the Promise returned by MediaDevices.getUserMedia() will reject with a NotAllowedError.
78 Feature-Policy: display-capture
The HTTP Feature-Policy header display-capture directive controls whether or not the document is permitted to use the Screen Capture API, i.e., getDisplayMedia(), to capture the screen's contents.
79 Feature-Policy: document-domain Directive, Experimental, Feature Policy, Feature-Policy, HTTP, Reference, document-domain, header
The HTTP Feature-Policy header document-domain directive controls whether the current document is allowed to set document.domain. When this policy is enabled, attempting to set document.domain will fail and cause a SecurityError DOMException to be thrown.
80 Feature-Policy: encrypted-media Directive, EME, Feature Policy, Feature-Policy, HTTP, Reference
The HTTP Feature-Policy header encrypted-media directive controls whether the current document is allowed to use the Encrypted Media Extensions API (EME). When this policy is enabled, the Promise returned by Navigator.requestMediaKeySystemAccess() will reject with a DOMException.
81 Feature-Policy: fullscreen Feature Policy, Feature-Policy, HTTP, fullscreen, header
The HTTP Feature-Policy header fullscreen directive controls whether the current document is allowed to use Element.requestFullScreen(). When this policy is enabled, the returned Promise rejects with a TypeError.
82 Feature-Policy: geolocation Feature Policy, Feature-Policy, Geolocation, HTTP, header
The HTTP Feature-Policy header geolocation directive controls whether the current document is allowed to use the Geolocation Interface. When this policy is enabled, calls to getCurrentPosition() and watchPosition() will cause those functions' callbacks to be invoked with a PositionError code of PERMISSION_DENIED.
83 Feature-Policy: gyroscope
The HTTP Feature-Policy header gyroscope directive controls whether the current document is allowed to gather information about the orientation of the device through the Gyroscope interface.
84 Feature-Policy: layout-animations Directive, Feature-Policy, HTTP, Reference, layout-animations
The HTTP Feature-Policy header layout-animations directive controls whether the current document is allowed to show layout animations.
85 Feature-Policy: legacy-image-formats Directive, Feature-Policy, HTTP, Reference, legacy-image-formats
The HTTP Feature-Policy header legacy-image-formats directive controls whether the current document is allowed to display images in legacy formats.
86 Feature-Policy: magnetometer Directive, Feature-Policy, HTTP, Magnetometer, Reference
The HTTP Feature-Policy header magnetometer directive controls whether the current document is allowed to gather information about the orientation of the device through the Magnetometer interface.
87 Feature-Policy: microphone Feature Policy, Feature-Policy, HTTP, header, microphone
The HTTP Feature-Policy header microphone directive controls whether the current document is allowed to use audio input devices. When this policy is enabled, the Promise returned by MediaDevices.getUserMedia() will reject with a NotAllowedError.
88 Feature-Policy: midi Directive, Feature Policy, Feature-Policy, HTTP, MIDI, Reference
The HTTP Feature-Policy header midi directive controls whether the current document is allowed to use the Web MIDI API. When this policy is enabled, the Promise returned by Navigator.requestMIDIAccess() will reject with a DOMException.
89 Feature-Policy: oversized-images Directive, Feature-Policy, HTTP, Reference
The HTTP Feature-Policy header oversized-images directive controls whether the current document is allowed to download and display large images.
90 Feature-Policy: payment Directive, Feature Policy, Feature-Policy, HTTP, Payment Request API, Payments API, Reference
The HTTP Feature-Policy header field's payment directive controls whether the current document is allowed to use the Payment Request API. When this policy is disabled, the PaymentRequest() constructor will throw a SecurityError.
91 Feature-Policy: picture-in-picture Directive, Feature-Policy, HTTP, Picture in picture, Reference
The HTTP Feature-Policy header picture-in-picture directive controls whether the current document is allowed to play a video in a Picture-in-Picture mode via the corresponding API.
92 Feature-Policy: speaker Audio, Directive, Feature-Policy, HTTP, Reference, speaker
The HTTP Feature-Policy header speaker directive controls whether the current document is allowed to play audio via any methods.
93 Feature-Policy: sync-xhr Directive, Feature Policy, Feature-Policy, HTTP, Reference, XMLHttpRequest
The HTTP Feature-Policy header sync-xhr directive controls whether the current document is allowed to make synchronous XMLHttpRequest requests.
94 Feature-Policy: unoptimized-images Directive, Feature-Policy, HTTP, Image, Reference
The HTTP Feature-Policy header unoptimized-images directive controls whether the current document is allowed to download and display unoptimized images.
95 Feature-Policy: unsized-media Directive, Feature-Policy, HTTP, Reference
The HTTP Feature-Policy header unsized-media directive controls whether the current document is allowed to change the size of media elements after the initial layout is complete.
96 Feature-Policy: usb Directive, Feature-Policy, HTTP, Reference, Vibration API, Web USB
The HTTP Feature-Policy header usb directive controls whether the current document is allowed to use the WebUSB API.
97 Feature-Policy: vibrate Directive, Feature-Policy, HTTP, Reference, Vibration API
The HTTP Feature-Policy header vibrate directive controls whether the current document is allowed to trigger device vibrations via the Vibration API.
98 Feature-Policy: vr Directive, Feature Policy, Feature-Policy, HTTP, Reference, WebVR
The HTTP Feature-Policy header vr directive controls whether the current document is allowed to use the WebVR API. When this policy is enabled, the Promise returned by Navigator.getVRDisplays() will reject with a DOMException.
99 Feature-Policy: wake-lock Directive, Feature-Policy, HTTP, Reference, Wake Lock API
The HTTP Feature-Policy header wake-lock directive controls whether the current document is allowed to use the Wake Lock API to indicate that the device should not enter power-saving mode.
100 Feature-Policy: webauthn
The HTTP Feature-Policy header webauthn directive controls whether the current document is allowed to access the Web Authentication API, i.e., via navigator.credentials.create({publicKey: ...,...}) and navigator.credentials.get({publicKey: ...,...}).
101 Feature-Policy: xr
This Feature Policy directive is defined as xr, but currently implemented only in Chrome as vr.
102 Forwarded HTTP, HTTP Header, Reference, Request header, header
The Forwarded header contains information from the client-facing side of proxy servers that is altered or lost when a proxy is involved in the path of the request.
103 From HTTP, Reference, header
The From request header contains an Internet email address for a human user who controls the requesting user agent.
104 Host HTTP, Reference, header
The Host request header specifies the domain name of the server (for virtual hosting), and (optionally) the TCP port number on which the server is listening.
105 If-Match Conditional Requests, HTTP, HTTP Header, Reference, Request header
The If-Match HTTP request header makes the request conditional. For GET and HEAD methods, the server will send back the requested resource only if it matches one of the listed ETags. For PUT and other non-safe methods, it will only upload the resource in this case.
106 If-Modified-Since Conditional Requests, HTTP, HTTP Header, Reference, Request header
The If-Modified-Since request HTTP header makes the request conditional: the server will send back the requested resource, with a 200 status, only if it has been last modified after the given date. If the request has not been modified since, the response will be a 304 without any body; the Last-Modified response header of a previous request will contain the date of last modification. Unlike If-Unmodified-Since, If-Modified-Since can only be used with a GET or HEAD.
107 If-None-Match Conditional Requests, HTTP, HTTP Header, Reference, Request header
The If-None-Match HTTP request header makes the request conditional. For GET and HEAD methods, the server will send back the requested resource, with a 200 status, only if it doesn't have an ETag matching the given ones. For other methods, the request will be processed only if the eventually existing resource's ETag doesn't match any of the values listed.
108 If-Range Conditional Requests, HTTP, HTTP Header, Range Requests, Reference, Request header
The If-Range HTTP request header makes a range request conditional: if the condition is fulfilled, the range request will be issued and the server sends back a 206 Partial Content answer with the appropriate body. If the condition is not fulfilled, the full resource is sent back, with a 200 OK status.
109 If-Unmodified-Since HTTP, HTTP Header, Reference, Request header
The If-Unmodified-Since request HTTP header makes the request conditional: the server will send back the requested resource, or accept it in the case of a POST or another non-safe method, only if it has not been last modified after the given date. If the resource has been modified after the given date, the response will be a 412 (Precondition Failed) error.
110 Index HTTP, HTTP Header, Index
Found 122 pages:
111 Keep-Alive General Header, HTTP, HTTP Header, Reference
The Keep-Alive general header allows the sender to hint about how the connection may be used to set a timeout and a maximum amount of requests.
112 Large-Allocation HTTP, HTTP Header, Non-standard, Reference, Response Header, header
The non-standard Large-Allocation response header tells the browser that the page being loaded is going to want to perform a large allocation. It is currently only implemented in Firefox, but is harmless to send to every browser.
113 Last-Modified HTTP, HTTP Header, Reference, Response Header
The Last-Modified response HTTP header contains the date and time at which the origin server believes the resource was last modified. It is used as a validator to determine if a resource received or stored is the same. Less accurate than an ETag header, it is a fallback mechanism. Conditional requests containing If-Modified-Since or If-Unmodified-Since headers make use of this field.
114 Link Draft, HTTP, HTTP Header, Link, NeedsCompatTable, NeedsContent, NeedsSyntax, Reference
The HTTP Link entity-header field provides a means for serialising one or more links in HTTP headers. It is semantically equivalent to the HTML <link> element.
115 Location HTTP, HTTP Header, Reference, Response Header
The Location response header indicates the URL to redirect a page to. It only provides a meaning when served with a 3xx (redirection) or 201 (created) status response.
116 Origin HTTP, Reference, Request header, header, origin
The Origin request header indicates where a fetch originates from. It doesn't include any path information, but only the server name. It is sent with CORS requests, as well as with POST requests. It is similar to the Referer header but, unlike Referer, it doesn't disclose the whole path.
117 Pragma Caching, Deprecated, HTTP, header, request
The Pragma HTTP/1.0 general header is an implementation-specific header that may have various effects along the request-response chain. It is used for backwards compatibility with HTTP/1.0 caches where the Cache-Control HTTP/1.1 header is not yet present.
118 Proxy-Authenticate HTTP, HTTP Header, Proxy, Reference, Response Header
The HTTP Proxy-Authenticate response header defines the authentication method that should be used to gain access to a resource behind a proxy server. It authenticates the request to the proxy server, allowing it to transmit the request further.
119 Proxy-Authorization HTTP, HTTP Header, Reference, Request header, header
The HTTP Proxy-Authorization request header contains the credentials to authenticate a user agent to a proxy server, usually after the server has responded with a 407 Proxy Authentication Required status and the Proxy-Authenticate header.
120 Public-Key-Pins HPKP, HTTP, Reference, Security, header
The HTTP Public-Key-Pins response header associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them are used by the server, the browser will not accept the response as legitimate, and will not display it.
121 Public-Key-Pins-Report-Only HPKP, HTTP, Security, header
The HTTP Public-Key-Pins-Report-Only response header sends reports of pinning violations to the report-uri specified in the header but, unlike Public-Key-Pins, still allows browsers to connect to the server if the pinning is violated.
122 Range HTTP, HTTP Header, Range Requests, Reference, Request header
The Range HTTP request header indicates the part of a document that the server should return. Several parts can be requested with one Range header at once, and the server may send back these ranges in a multipart document. If the server sends back ranges, it uses the 206 Partial Content status for the response. If the ranges are invalid, the server returns the 416 Range Not Satisfiable error. The server can also ignore the Range header and return the whole document with a 200 status code.
123 Referer HTTP, Reference, header, referer, referrer
The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed. The Referer header allows servers to identify where people are visiting them from and may use that data for analytics, logging, or optimized caching, for example.
124 Referrer-Policy HTTP, HTTP Header, Privacy, Reference, Referrer-Policy, Response, Response Header, referrer
The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.
125 Retry-After HTTP, Reference, Response, Response Header, header
The Retry-After response HTTP header indicates how long the user agent should wait before making a follow-up request. There are three main cases this header is used:
126 Save-Data HTTP, HTTP Header, Reference, Request header, Save-Data, header
The Save-Data header field is a boolean which, in requests, indicates the client's preference for reduced data usage. This could be for reasons such as high transfer costs, slow connection speeds, etc.
127 Sec-WebSocket-Accept Draft, HTTP, NeedsCompatTable, NeedsContent, Reference, Sec-WebSocket-Accept, WebSockets, header
The Sec-WebSocket-Accept header is used in the WebSocket opening handshake. It appears in the response headers. That is, this header is sent from the server to the client to inform it that the server is willing to initiate a WebSocket connection.
128 Server HTTP, Reference, header
The Server header contains information about the software used by the origin server to handle the request.
129 Server-Timing HTTP, Performance, Reference, header
The Server-Timing header communicates one or more metrics and descriptions for a given request-response cycle. It is used to surface any backend server timing metrics (e.g. database read/write, CPU time, file system access, etc.) in the developer tools in the user's browser or in the PerformanceServerTiming interface.
130 Set-Cookie Cookies, HTTP, Reference, Response, header
The Set-Cookie HTTP response header is used to send cookies from the server to the user agent.
131 Set-Cookie2 Cookies, HTTP, Obsolete, Reference, header
The obsolete Set-Cookie2 HTTP response header was used to send cookies from the server to the user agent, but has been deprecated by the specification. Use Set-Cookie instead.
132 SourceMap HTTP, HTTP Header, Reference, Response Header, header
The SourceMap HTTP response header links generated code to a source map, enabling the browser to reconstruct the original source and present the reconstructed original in the debugger.
133 Strict-Transport-Security HSTS, HTTP, HTTPS, Security, header
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
134 TE HTTP, Reference, header
The TE request header specifies the transfer encodings the user agent is willing to accept. (You could informally call it Accept-Transfer-Encoding, which would be more intuitive.)
135 Timing-Allow-Origin CORS, HTTP, Reference, Timing-Allow-Origin, header
The Timing-Allow-Origin response header specifies origins that are allowed to see values of attributes retrieved via features of the Resource Timing API, which would otherwise be reported as zero due to cross-origin restrictions.
136 Tk DNT, HTTP, Reference, Response, header, tracking
The Tk response header indicates the tracking status that applied to the corresponding request.
137 Trailer HTTP, Reference, header
The Trailer response header allows the sender to include additional fields at the end of chunked messages in order to supply metadata that might be dynamically generated while the message body is sent, such as a message integrity check, digital signature, or post-processing status.
138 Transfer-Encoding HTTP, Reference, header
The Transfer-Encoding header specifies the form of encoding used to safely transfer the payload body to the user.
139 Upgrade-Insecure-Requests HTTP, HTTPS, Security, header
The HTTP Upgrade-Insecure-Requests request header sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests CSP directive.
140 User-Agent HTTP, HTTP Header, Reference, User-agent
The User-Agent request header contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor or software version of the requesting software user agent.
141 Firefox user agent string reference Compatibility, Firefox, Firefox 4, Gecko, Gecko 2.0, Guide
This document describes the user agent string used in Firefox 4 and later and applications based on Gecko 2.0 and later. For a breakdown of changes to the string in Gecko 2.0, see Final User Agent string for Firefox 4 (blog post). See also this document on user agent sniffing and this Hacks blog post.
142 Vary HTTP, Reference, Response, Response Header, header
The Vary HTTP response header determines how to match future request headers to decide whether a cached response can be used rather than requesting a fresh one from the origin server. It is used by the server to indicate which headers it used when selecting a representation of a resource in a content negotiation algorithm.
143 Via HTTP, Reference, header
The Via general header is added by proxies, both forward and reverse proxies, and can appear in the request headers and the response headers. It is used for tracking message forwards, avoiding request loops, and identifying the protocol capabilities of senders along the request/response chain.
144 WWW-Authenticate HTTP, HTTP Header, Reference, Response Header, header
The HTTP WWW-Authenticate response header defines the authentication method that should be used to gain access to a resource.
145 Want-Digest HTTP, HTTP Header
The Want-Digest HTTP header is primarily used in an HTTP request, to ask the responder to provide a digest of the requested resource using the Digest response header.
146 Warning General Header, HTTP, Reference, header
The Warning general HTTP header contains information about possible problems with the status of the message. More than one Warning header may appear in a response.
147 X-Content-Type-Options HTTP, HTTP Header, Reference, Response Header
The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not be changed. This allows opting out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing.
148 X-DNS-Prefetch-Control DNS, HTTP, header
The X-DNS-Prefetch-Control HTTP response header controls DNS prefetching, a feature by which browsers proactively perform domain name resolution on both links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth.
149 X-Forwarded-For HTTP, HTTP Header, Non-standard, Reference, Request header, header
The X-Forwarded-For (XFF) header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer. When traffic is intercepted between clients and servers, server access logs contain the IP address of the proxy or load balancer only. To see the original IP address of the client, the X-Forwarded-For request header is used.
150 X-Forwarded-Host HTTP, HTTP Header, Non-standard, Reference, Request header, header
The X-Forwarded-Host (XFH) header is a de-facto standard header for identifying the original host requested by the client in the Host HTTP request header.
151 X-Forwarded-Proto HTTP, HTTP Header, Non-standard, Reference, Request header, header
The X-Forwarded-Proto (XFP) header is a de-facto standard header for identifying the protocol (HTTP or HTTPS) that a client used to connect to your proxy or load balancer. Your server access logs contain the protocol used between the server and the load balancer, but not the protocol used between the client and the load balancer. To determine the protocol used between the client and the load balancer, the X-Forwarded-Proto request header can be used.
152 X-Frame-Options Gecko, HAProxy, HTTP, Response Header, Security, nginx
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
153 X-XSS-Protection HTTP, Reference, Security, XSS, header
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP.