Index
Found 170 pages:
| # | Page | Tags and summary |
|---|---|---|
| 1 | HTTP headers | HTTP, HTTP Header, Headers, Networking, Overview, Reference |
HTTP headers let the client and the server pass additional information with an HTTP request or response. An HTTP header consists of its case-insensitive name followed by a colon (:), then by its value. |
||
| 2 | Accept-CH-Lifetime | Client hints, HTTP, header |
The Accept-CH-Lifetime header is set by the server to
specify the persistence of Accept-CH header value that specifies for
which Client Hints headers client should
include in subsequent requests. |
||
| 3 | Accept-CH | Client hints, HTTP, HTTP Header |
The Accept-CH header is set by the server to specify
which Client Hints headers a client
should include in subsequent requests. |
||
| 4 | Accept-Charset | Content Negotiation, HTTP, HTTP Header, Reference, Request header |
The Accept-Charset request HTTP header advertises which character encoding the client understands. |
||
| 5 | Accept-Encoding | Content Negotiation, HTTP, HTTP Header, Reference, Request header |
The Accept-Encoding request HTTP header advertises which content encoding, usually a compression algorithm, the client is able to understand. Using content negotiation, the server selects one of the proposals, uses it and informs the client of its choice with the Content-Encoding response header. |
||
| 6 | Accept-Language | Accept-Language, Content Negotiation, HTTP, HTTP Header, Reference, Request header |
The Accept-Language request HTTP header advertises which
languages the client is able to understand, and which locale variant is preferred. (By
languages, we mean natural languages, such as English, and not programming languages.)
Using content negotiation, the
server then selects one of the proposals, uses it and informs the client of its choice
with the Content-Language response header. Browsers set adequate
values for this header according to their user interface language and even if a user can
change it, this happens rarely (and is frowned upon as it leads to fingerprinting). |
||
| 7 | Accept-Patch | HTTP, Reference |
The Accept-Patch response HTTP header advertises which media-type the server is able to understand in a PATCH request. |
||
| 8 | Accept-Post | Accept-Post, HTTP, HTTP Header, Response Header |
The Accept-Post response HTTP header advertises which media types are accepted by the server for HTTP post requests. |
||
| 9 | Accept-Ranges | HTTP, HTTP Header, Range Requests, Reference, Response Header |
The Accept-Ranges response HTTP header is a marker used
by the server to advertise its support of partial requests. The value of this field
indicates the unit that can be used to define a range. |
||
| 10 | Accept | HTTP, HTTP Header, Reference, Request header |
The Accept request HTTP header advertises which content types, expressed as MIME types, the client is able to understand. Using content negotiation, the server then selects one of the proposals, uses it and informs the client of its choice with the Content-Type response header. Browsers set adequate values for this header depending on the context where the request is done: when fetching a CSS stylesheet a different value is set for the request than when fetching an image, video or a script. |
||
| 11 | Access-Control-Allow-Credentials | Access-Control-Allow-Credentials, CORS, HTTP, Reference, credentials, header |
The Access-Control-Allow-Credentials response header
tells browsers whether to expose the response to frontend JavaScript code when the
request's credentials mode (Request.credentials) is include. |
||
| 12 | Access-Control-Allow-Headers | CORS, HTTP, Reference, Response Header, header |
The Access-Control-Allow-Headers response header is used in response to a preflight request which includes the Access-Control-Request-Headers to indicate which HTTP headers can be used during the actual request. |
||
| 13 | Access-Control-Allow-Methods | CORS, HTTP, Reference, header |
The Access-Control-Allow-Methods response header
specifies the method or methods allowed when accessing the resource in response to a
preflight request. |
||
| 14 | Access-Control-Allow-Origin | Access Control, Access-Control-Allow-Origin, CORS, Dealing with CORS, HTTP, HTTP Header, How to Fix CORS, Reference, Security, cross-origin issue, header, origin |
The Access-Control-Allow-Origin response header indicates whether the response can be shared with requesting code from the given origin. |
||
| 15 | Access-Control-Expose-Headers | CORS, HTTP, Reference, header |
The Access-Control-Expose-Headers response header allows a server to indicate which response headers should be made available to scripts running in the browser, in response to a cross-origin request. |
||
| 16 | Access-Control-Max-Age | CORS, HTTP, Reference, header |
The Access-Control-Max-Age response header indicates how long the results of a preflight request (that is the information contained in the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers) can be cached. |
||
| 17 | Access-Control-Request-Headers | CORS, HTTP, Reference, header |
The Access-Control-Request-Headers request header is used by browsers when issuing a preflight request, to let the server know which HTTP headers the client might send when the actual request is made (such as with XMLHttpRequest.setRequestHeader()). This browser side header will be answered by the complementary server side header of Access-Control-Allow-Headers. |
||
| 18 | Access-Control-Request-Method | CORS, HTTP, Reference, header |
The Access-Control-Request-Method request header is used
by browsers when issuing a preflight request, to let the server know
which HTTP method will be used when the
actual request is made. This header is necessary as the preflight request is always an
OPTIONS and doesn't use the same method as the actual request. |
||
| 19 | Age | Caching, HTTP, Response, header |
The Age header contains the time in seconds the object
has been in a proxy cache. |
||
| 20 | Allow | Entity header, HTTP, HTTP Header, Reference, header |
The Allow header lists the set of methods supported by a resource. |
||
| 21 | Alt-Svc | HTTP, HTTP Header, NeedsCompatTable, Reference |
The Alt-Svc HTTP header allows a server to indicate that a particular resource should be loaded from a different server โ while still appearing to the user as if were loaded from the same server. |
||
| 22 | Authorization | HTTP, HTTP Header, Reference, Request header, header |
The HTTP Authorization request header contains the
credentials to authenticate a user agent with a server, usually, but not
necessarily, after the server has responded with a 401
Unauthorized status and the WWW-Authenticate header. |
||
| 23 | Cache-Control | Cache-Control, General Header, HTTP, HTTP Header, Reference |
The Cache-Control HTTP header holds directives (instructions) for caching in both requests and responses. A given directive in a request does not mean the same directive should be in the response. |
||
| 24 | Clear-Site-Data | HTTP, HTTP Header, Reference, Response Header, header |
The Clear-Site-Data header clears browsing data (cookies, storage, cache) associated with the requesting website. It allows web developers to have more control over the data stored locally by a browser for their origins. |
||
| 25 | Connection | HTTP, Headers, Reference, Web |
The Connection general header controls whether or not the
network connection stays open after the current transaction finishes. If the value sent
is keep-alive, the connection is persistent and not closed, allowing for
subsequent requests to the same server to be done. |
||
| 26 | Content-Disposition | HTTP, Reference, header |
In a regular HTTP response, the Content-Disposition response header is a header indicating if the content is expected to be displayed inline in the browser, that is, as a Web page or as part of a Web page, or as an attachment, that is downloaded and saved locally. |
||
| 27 | Content-Encoding | HTTP, Headers, Reference |
The Content-Encoding entity header is used to compress
the media-type. When present, its value indicates which encodings were applied to the
entity-body. It lets the client know how to decode in order to obtain the media-type
referenced by the Content-Type header. |
||
| 28 | Content-Language | HTTP, Headers, Reference |
The Content-Language entity header is used to describe the language(s) intended for the audience, so that it allows a user to differentiate according to the users' own preferred language. |
||
| 29 | Content-Length | HTTP, Headers, Reference |
The Content-Length entity header indicates the size of
the entity-body, in bytes, sent to the recipient. |
||
| 30 | Content-Location | HTTP, Reference, header |
The Content-Location header indicates an alternate
location for the returned data. The principal use is to indicate the URL of a resource
transmitted as the result of content
negotiation. |
||
| 31 | Content-Range | HTTP, HTTP Header, Reference, Response Header, header |
The Content-Range response HTTP header indicates where in
a full body message a partial message belongs. |
||
| 32 | Content-Security-Policy-Report-Only | CSP, HTTP, HTTPS, Reference, Security, header |
The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI. |
||
| 33 | Content-Security-Policy | CSP, Content Security Policy, HTTP, Reference, Security, header |
The HTTP Content-Security-Policy response header allows
web site administrators to control resources the user agent is allowed to load for a
given page. With a few exceptions, policies mostly involve specifying server origins and
script endpoints. This helps guard against cross-site scripting attacks
(XSS). |
||
| 34 | CSP: base-uri | CSP, Directive, Document directive, HTTP, Security |
The HTTP Content-Security-Policy base-uri directive restricts the URLs which can be used in a document's base element. If this value is absent, then any URI is allowed. If this directive is absent, the user agent will use the value in the base element. |
||
| 35 | CSP: block-all-mixed-content | CSP, Content-Security-Policy, Directive, HTTP, Mixed Content, Reference, Security, block-all-mixed-content |
The HTTP Content-Security-Policy (CSP) block-all-mixed-content directive prevents loading any assets over HTTP when the page uses HTTPS. |
||
| 36 | CSP: child-src | CSP, Child, Content-Security-Policy, Directive, HTTP, Reference, Security, child-src, source |
The HTTP Content-Security-Policy (CSP)
child-src directive defines the valid sources for web workers and nested browsing
contexts loaded using elements such as frame and
iframe. For workers, non-compliant requests are treated as fatal
network errors by the user agent. |
||
| 37 | CSP: connect-src | CSP, Content-Security-Policy, Directive, HTTP, Reference, Security, connect-src, source |
The HTTP Content-Security-Policy (CSP)
connect-src directive restricts the URLs which can be
loaded using script interfaces. The APIs that are restricted are: |
||
| 38 | CSP: default-src | CSP, Content-Security-Policy, Directive, HTTP, Reference, Security, default, default-src, source |
The HTTP Content-Security-Policy (CSP) default-src directive serves as a fallback for the other CSP fetch directive. |
||
| 39 | CSP: font-src | CSP, Content-Security-Policy, Directive, HTTP, Reference, Security, font, source |
The HTTP Content-Security-Policy (CSP)
font-src directive specifies
valid sources for fonts loaded using @font-face. |
||
| 40 | CSP: form-action | CSP, Content-Security-Policy, Directive, HTTP, Security, action, form, form-action |
The HTTP Content-Security-Policy (CSP) form-action directive restricts the URLs which can be used as the target of a form submissions from a given context. |
||
| 41 | CSP: frame-ancestors | Ancestors, CSP, Content-Security-Policy, Directive, Frame, HTTP, Security, frame-ancestors |
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using frame, iframe, object, embed, or applet. |
||
| 42 | CSP: frame-src | CSP, Content-Security-Policy, Directive, Frame, HTTP, Reference, Security, frame-src, source |
The HTTP Content-Security-Policy (CSP)
frame-src directive specifies valid sources for nested
browsing contexts loading using elements such as frame and
iframe. |
||
| 43 | CSP: img-src | CSP, Content-Security-Policy, Directive, HTTP, Image, Reference, Security, img-src, source |
The HTTP Content-Security-Policy
img-src directive specifies valid sources of images and
favicons. |
||
| 44 | CSP: manifest-src | CSP, Content-Security-Policy, Directive, HTTP, Manifest, Reference, Security, manifest-src, source |
The HTTP
Content-Security-Policy: manifest-src
directive specifies which manifest can be applied
to the resource. |
||
| 45 | CSP: media-src | CSP, Content-Security-Policy, Directive, HTTP, Media, Reference, Security, media-src, source |
The HTTP Content-Security-Policy (CSP)
media-src directive specifies valid sources for loading
media using the audio and video elements. |
||
| 46 | CSP: navigate-to | CSP, Content-Security-Policy, Directive, HTTP, Navigation, Reference, Security |
The HTTP Content-Security-Policy (CSP)
navigate-to directive
restricts the URLs to which a document can initiate navigations by any means including
form (if form-action is not specified),
a, window.location, window.open, etc.
This is an enforcement on what navigations this document initiates not
on what this document is allowed to navigate to. |
||
| 47 | CSP: object-src | CSP, Content-Security-Policy, Directive, HTTP, Object, Reference, Security, object-src, source |
The HTTP Content-Security-Policy
object-src directive specifies valid sources for the
object, embed, and applet
elements. |
||
| 48 | CSP: plugin-types | CSP, Content-Security-Policy, Directive, Flash, HTTP, Java, Plugin, Plugins, Security |
The HTTP Content-Security-Policy (CSP)
plugin-types directive restricts the set of plugins that
can be embedded into a document by limiting the types of resources which can be loaded. |
||
| 49 | CSP: prefetch-src | CSP, Content Security Policy, Directive, HTTP, Reference, prefetch-src |
The HTTP Content-Security-Policy (CSP)
prefetch-src directive specifies valid resources that may
be prefetched or prerendered. |
||
| 50 | CSP: referrer | CSP, Content-Security-Policy, Directive, HTTP, Obsolete, Reference, Security, referrer |
The HTTP Content-Security-Policy (CSP)
referrer directive used to specify information in the
Referer header (with a single r as this was a typo in the
original spec) for links away from a page. This API is deprecated and removed from
browsers. |
||
| 51 | CSP: report-to | CSP, Content Security Policy, Content-Security-Policy, HTTP, Reporting, Security, report-to |
The Content-Security-Policy
Report-To HTTP response header field
instructs the user agent to store reporting endpoints for an origin. |
||
| 52 | CSP: report-uri | CSP, Directive, HTTP, Reference, Security |
The deprecated HTTP Content-Security-Policy (CSP)
report-uri directive instructs the user agent to report
attempts to violate the Content Security Policy. These violation reports consist of JSON
documents sent via an HTTP POST request to the specified URI. |
||
| 53 | CSP: require-sri-for | CSP, Directive, HTTP, Reference, Security, Subresource Integrity, require-sri-for |
The HTTP Content-Security-Policy
require-sri-for directive instructs the client to require
the use of Subresource
Integrity for scripts or styles on the page. |
||
| 54 | CSP: require-trusted-types-for | CSP, Directive, HTTP, Security |
The HTTP Content-Security-Policy (CSP) require-trusted-types-for directive instructs user agents to control the data passed to DOM XSS sink functions, like Element.innerHTML setter. |
||
| 55 | CSP: sandbox | CSP, Content-Security-Policy, Directive, HTTP, Sandbox, Security |
The HTTP Content-Security-Policy (CSP)
sandbox directive enables a sandbox for the requested
resource similar to the iframe sandbox
attribute. It applies restrictions to a page's actions including preventing popups,
preventing the execution of plugins and scripts, and enforcing a same-origin policy. |
||
| 56 | CSP: script-src-attr | CSP, Content, Content-Security-Policy, Directive, HTTP, Reference, Script, Security, script-src, source |
The HTTP Content-Security-Policy (CSP)
script-src-attr directive specifies valid sources for
JavaScript inline event handlers. This includes only inline script event handlers like
onclick, but not URLs loaded directly into script
elements. |
||
| 57 | CSP: script-src-elem | CSP, Content, Content-Security-Policy, Directive, HTTP, Reference, Script, Security, script-src, source |
The HTTP Content-Security-Policy (CSP) script-src-elem directive specifies valid sources for JavaScript script elements, but not inline script event handlers like onclick. |
||
| 58 | CSP: script-src | CSP, Content, Content-Security-Policy, Directive, HTTP, Reference, Script, Security, script-src, source |
The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly into script elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution. |
||
| 59 | CSP: style-src-attr | CSP, Content, Content-Security-Policy, Directive, HTTP, Reference, Security, Style, source, style-src, style-src-attr |
The HTTP Content-Security-Policy (CSP)
style-src-attr directive
specifies valid sources for inline styles applied to individual DOM elements. |
||
| 60 | CSP: style-src-elem | CSP, Content, Content-Security-Policy, Directive, HTTP, Reference, Security, Style, source, style-src, style-src-elem |
The HTTP Content-Security-Policy (CSP)
style-src-elem directive
specifies valid sources for stylesheets style elements and
link elements with rel="stylesheet". |
||
| 61 | CSP: style-src | CSP, Content, Content-Security-Policy, Directive, HTTP, Reference, Security, Style, source, style-src |
The HTTP Content-Security-Policy (CSP) style-src directive specifies valid sources for stylesheets. |
||
| 62 | CSP: trusted-types | CSP, Directive, HTTP, Security |
The HTTP Content-Security-Policy (CSP) trusted-types directive instructs user agents to restrict the creation of Trusted Types policies - functions that build non-spoofable, typed values intended to be passed to DOM XSS sinks in place of strings. |
||
| 63 | CSP: upgrade-insecure-requests | CSP, Content-Security-Policy, Directive, HTTP, Reference, Requests, Security, Upgrade, upgrade-insecure-requests |
The HTTP Content-Security-Policy (CSP)
upgrade-insecure-requests directive instructs user
agents to treat all of a site's insecure URLs (those served over HTTP) as though they
have been replaced with secure URLs (those served over HTTPS). This directive is
intended for web sites with large numbers of insecure legacy URLs that need to be
rewritten. |
||
| 64 | CSP: worker-src | CSP, Content-Security-Policy, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy (CSP)
worker-src directive specifies valid sources for
Worker, SharedWorker, or ServiceWorker
scripts. |
||
| 65 | Content-Type | Content-Type, Entity header, HTTP, Reference, header |
The Content-Type entity header is used to indicate the MIME type of the resource. |
||
| 66 | Cookie | Cookies, HTTP, Reference, header, request |
The Cookie HTTP request header contains stored HTTP cookies associated with the server (i.e. previously sent by the server with the Set-Cookie header or set in Javascript using Document.cookie). |
||
| 67 | Cookie2 | HTTP, Obsolete, Reference, header, request |
The obsolete Cookie2 HTTP request header used to advise the server that the user agent understands "new-style" cookies, but nowadays user agents will use the Cookie header instead, not this one. |
||
| 68 | Cross-Origin-Embedder-Policy | HTTP, HTTP Header, Reference, Response Header, header |
The HTTP Cross-Origin-Embedder-Policy (COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS). |
||
| 69 | Cross-Origin-Opener-Policy | HTTP, HTTP Header, Reference, Response Header, header |
The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents. |
||
| 70 | Cross-Origin-Resource-Policy | HTTP, HTTP Header, Reference, Response Header, header |
The HTTP Cross-Origin-Resource-Policy response header
conveys a desire that the browser blocks no-cors cross-origin/cross-site requests to the
given resource. |
||
| 71 | Date | General Header, HTTP, Reference, header |
The Date general HTTP header contains the date and time
at which the message was originated. |
||
| 72 | Device-Memory | Client hints, Device Memory API, HTTP, HTTP Header |
The Device-Memory header is a Device Memory API header that works like Client Hints header which represents the approximate amount of RAM client device has. |
||
| 73 | Digest | HTTP, HTTP Header |
The Digest response HTTP header provides a
digest of the requested resource. |
||
| 74 | DNT | DNT, HTTP, Reference, header |
The DNT (Do Not
Track) request header indicates the user's tracking preference. It lets
users indicate whether they would prefer privacy rather than personalized content. |
||
| 75 | DPR | Client hints, HTTP, HTTP Header, Non-standard, Obsolete |
The DPR header is a Client Hints header which represents the client device pixel ratio (DPR), which is the number of physical device pixels corresponding to every CSS pixel. |
||
| 76 | Early-Data | Client hints, HTTP, header, request |
The Early-Data header is set by
an intermediary to indicate that the request has been conveyed in TLS early data,
and also indicates that the intermediary understands the 425 status code. |
||
| 77 | ETag | HTTP, Reference, Response, header |
The ETag HTTP response header is an identifier for a
specific version of a resource. It lets caches be more efficient and save bandwidth, as
a web server does not need to resend a full response if the content has not changed.
Additionally, etags help prevent simultaneous updates of a resource from overwriting
each other ("mid-air collisions"). |
||
| 78 | Expect-CT | HTTP, Reference, header |
The Expect-CT header lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements, to prevent the use of misissued certificates for that site from going unnoticed. |
||
| 79 | Expect | HTTP, HTTP Header, Reference, Request header |
The Expect HTTP request header indicates expectations
that need to be fulfilled by the server in order to properly handle the request. |
||
| 80 | Expires | Caching, HTTP, Response, header |
The Expires header contains the date/time after which the
response is considered stale. |
||
| 81 | Feature-Policy | Authorization, Experimental, Feature Policy, Feature-Policy, HTTP, Permissions, Reference, Security, Web, header |
The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any iframe elements in the document. |
||
| 82 | Feature-Policy: accelerometer | Accelerometer, Directive, Feature Policy, HTTP, Reference |
The HTTP Feature-Policy header accelerometer directive controls whether the current document is allowed to gather information about the acceleration of the device through the Accelerometer interface. |
||
| 83 | Feature-Policy: ambient-light-sensor | Ambient Light Sensor, Feature Policy, HTTP |
The HTTP Feature-Policy header ambient-light-sensor directive controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the AmbientLightSensor interface. |
||
| 84 | Feature-Policy: autoplay | Directive, Feature Policy, Feature-Policy, HTTP, Reference, autoplay |
The HTTP Feature-Policy header
autoplay directive controls whether the current document is allowed to
autoplay media requested through the HTMLMediaElement interface. |
||
| 85 | Feature-Policy: battery | |
The HTTP Feature-Policy header battery directive controls whether the current document is allowed to gather information about the battery of the device through the BatteryManager interface obtained via Navigator.getBattery. |
||
| 86 | Feature-Policy: camera | Directive, Feature Policy, Feature-Policy, HTTP, Reference, camera |
The HTTP Feature-Policy header
camera directive controls whether the current document is allowed to use
video input devices. When this policy is enabled, the Promise returned
by MediaDevices.getUserMedia() will reject with
a NotAllowedError. |
||
| 87 | Feature-Policy: display-capture | |
The HTTP Feature-Policy header display-capture directive controls whether or not the document is permitted to use Screen Capture API, i.e.,MediaDevices.getDisplayMedia to capture the screen's contents. |
||
| 88 | Feature-Policy: document-domain | Directive, Experimental, Feature Policy, Feature-Policy, HTTP, Reference, document-domain, header |
The HTTP Feature-Policy header
document-domain directive controls whether the current document is
allowed to set document.domain. When this policy is disabled, attempting
to set document.domain will fail and cause a SecurityError
DOMException to be thrown. |
||
| 89 | Feature-Policy: encrypted-media | Directive, EME, Feature Policy, Feature-Policy, HTTP, Reference |
The HTTP Feature-Policy header encrypted-media directive controls whether the current document is allowed to use the Encrypted Media Extensions API (EME). When this policy is enabled, the Promise returned by Navigator.requestMediaKeySystemAccess will reject with a DOMException. |
||
| 90 | Feature-Policy: fullscreen | Feature Policy, Feature-Policy, HTTP, fullscreen, header |
The HTTP Feature-Policy header fullscreen directive controls whether the current document is allowed to use Element.requestFullScreen(). When this policy is enabled, the returned Promise rejects with a TypeError. |
||
| 91 | Feature-Policy: geolocation | Feature Policy, Feature-Policy, Geolocation, HTTP, header |
The HTTP Feature-Policy header
geolocation directive controls whether the current document is allowed to
use the Geolocation Interface. When this policy is enabled, calls to
Geolocation.getCurrentPosition and
Geolocation.watchPosition will cause those functions'
callbacks to be invoked with a GeolocationPositionError code of
PERMISSION_DENIED. |
||
| 92 | Feature-Policy: gyroscope | |
The HTTP Feature-Policy header gyroscope directive controls whether the current document is allowed to gather information about the orientation of the device through the Gyroscope interface. |
||
| 93 | Feature-Policy: layout-animations | Directive, Feature-Policy, HTTP, Reference, layout-animations |
The HTTP Feature-Policy header layout-animations directive controls whether the current document is allowed to show layout animations. |
||
| 94 | Feature-Policy: legacy-image-formats | Direcive, Feature-Policy, HTTP, Reference, legacy-image-formats |
The HTTP Feature-Policy header legacy-image-formats directive controls whether the current document is allowed to display images in legacy formats. |
||
| 95 | Feature-Policy: magnetometer | Directive, Feature-Policy, HTTP, Magnetometer, Reference |
The HTTP Feature-Policy header magnetometer directive controls whether the current document is allowed to gather information about the orientation of the device through the Magnetometer interface. |
||
| 96 | Feature-Policy: microphone | Feature Policy, Feature-Policy, HTTP, header, microphone |
The HTTP Feature-Policy header
microphone directive controls whether the current document is allowed to
use audio input devices. When this policy is enabled, the Promise
returned by MediaDevices.getUserMedia() will reject with a
NotAllowedError. |
||
| 97 | Feature-Policy: midi | Directive, Feature Policy, Feature-Policy, HTTP, MIDI, Reference |
The HTTP Feature-Policy header midi directive controls whether the current document is allowed to use the Web MIDI API. When this policy is enabled, the Promise returned by Navigator.requestMIDIAccess() will reject with a DOMException. |
||
| 98 | Feature-Policy: oversized-images | Directive, Feature-Policy, HTTP, Reference |
The HTTP Feature-Policy header oversized-images directive controls whether the current document is allowed to download and display large images. |
||
| 99 | Feature-Policy: payment | Directive, Feature Policy, Feature-Policy, HTTP, Payment Request API, Payments API, Reference |
The HTTP Feature-Policy header field's payment directive controls whether the current document is allowed to use the Payment Request API. When this policy is disabled, the PaymentRequest() constructor will throw a SyntaxError. |
||
| 100 | Feature-Policy: picture-in-picture | Directive, Feature-Policy, HTTP, Picture in picture, Reference |
The HTTP Feature-Policy header picture-in-picture directive controls whether the current document is allowed to play a video in a Picture-in-Picture mode via the corresponding API. |
||
| 101 | Feature-Policy: publickey-credentials-get | |
The HTTP Feature-Policy header publickey-credentials-get directive controls whether the current document is allowed to access the Web Authentication API to retrieve public-key credentials; i.e, via CredentialsContainer.get. |
||
| 102 | Feature-Policy: screen-wake-lock | |
The HTTP Feature-Policy header screen-wake-lock directive controls whether the current document is allowed to use Screen Wake Lock API to indicate that device should not dim or turn off the screen. |
||
| 103 | Feature-Policy: sync-xhr | Directive, Feature Policy, Feature-Policy, HTTP, Reference, XMLHttpRequest |
The HTTP Feature-Policy header sync-xhr directive controls whether the current document is allowed to make synchronous XMLHttpRequest requests. |
||
| 104 | Feature-Policy: unoptimized-images | Directive, Feature-Policy, HTTP, Image, Reference |
The HTTP Feature-Policy header unoptimized-images directive controls whether the current document is allowed to download and display unoptimized images. |
||
| 105 | Feature-Policy: unsized-media | Directive, Feature-Policy, HTTP, Reference |
The HTTP Feature-Policy header unsized-media directive controls whether the current document is allowed to change the size of media elements after the initial layout is complete. |
||
| 106 | Feature-Policy: usb | Directive, Feature-Policy, HTTP, Reference, Vibration API, Web USB |
The HTTP Feature-Policy header usb directive controls whether the current document is allowed to use the WebUSB API. |
||
| 107 | Feature-Policy: vibrate | Directive, Feature-Policy, HTTP, Reference, Vibration API |
The HTTP Feature-Policy header vibrate directive controls whether the current document is allowed to trigger device vibrations via Navigator.vibrate method of Vibration API. |
||
| 108 | Feature-Policy: vr | Directive, Feature Policy, Feature-Policy, HTTP, Reference, WebVR |
The HTTP Feature-Policy header vr directive controls whether the current document is allowed to use the WebVR API. When this policy is enabled, the Promise returned by Navigator.getVRDisplays will reject with a DOMException. |
||
| 109 | Feature-Policy: wake-lock | Directive, Feature-Policy, HTTP, Reference, Wake Lock API |
| Note: This API is still actively being developed and available only behind a flag on select browsers and platforms. | ||
| 110 | web-share | Feature-Policy, HTTP, Web Share |
The HTTP Feature-Policy header web-share directive controls whether the current document is allowed to use the Navigator.share method of the Web Share API to share text, links, images, and other content to arbitrary destinations of the user's choice. |
||
| 111 | Feature-Policy: xr-spatial-tracking | |
The HTTP Feature-Policy header xr-spatial-tracking directive controls whether the current document is allowed to use the WebXR Device API. This policy controls whether XRSystem/requestSession can return XRSession that requires spatial tracking and whether user agent can indicate support for sessions supporting spatial tracking via XRSystem/isSessionSupported and devicechange event on Navigator.xr object. |
||
| 112 | Feature-Policy: xr | |
This Feature Policy directive was at one point defined as xr (but implemented in Chrome as Feature-Policy/vr), use Feature-Policy/xr-spatial-tracking instead. |
||
| 113 | Forwarded | HTTP, HTTP Header, Reference, Request header, header |
The Forwarded header contains information from the reverse proxy servers that is altered or lost when a proxy is involved in the path of the request. |
||
| 114 | From | HTTP, Reference, header |
The From request header contains an Internet email
address for a human user who controls the requesting user agent. |
||
| 115 | Host | HTTP, Reference, header |
The Host request header specifies the host and port
number of the server to which the request is being sent. |
||
| 116 | If-Match | Conditional Requests, HTTP, HTTP Header, Reference, Request header |
The If-Match HTTP request header makes the request
conditional. For GET and HEAD methods, the server
will send back the requested resource only if it matches one of the listed
ETags. For PUT and other non-safe methods, it will only
upload the resource in this case. |
||
| 117 | If-Modified-Since | Conditional Requests, HTTP, HTTP Header, Reference, Request header |
The If-Modified-Since request HTTP header makes the
request conditional: the server will send back the requested resource, with a
200 status, only if it has been last modified after the given date. If
the resource has not been modified since, the response will be a 304
without any body; the Last-Modified response header of a previous
request will contain the date of last modification. Unlike
If-Unmodified-Since, If-Modified-Since can only be used
with a GET or HEAD. |
||
| 118 | If-None-Match | Conditional Requests, HTTP, HTTP Header, Reference, Request header |
The If-None-Match HTTP request header makes the request conditional. For GET and HEAD methods, the server will send back the requested resource, with a 200 status, only if it doesn't have an ETag matching the given ones. For other methods, the request will be processed only if the eventually existing resource's ETag doesn't match any of the values listed. |
||
| 119 | If-Range | Condtional Requests, HTTP, HTTP Header, Range Requests, Reference, Request header |
The If-Range HTTP request header makes a range request
conditional: if the condition is fulfilled, the range request will be issued and the
server sends back a 206 Partial Content answer with the
appropriate body. If the condition is not fulfilled, the full resource is sent back,
with a 200 OK status. |
||
| 120 | If-Unmodified-Since | HTTP, HTTP Header, Reference, Request header |
The If-Unmodified-Since request HTTP header makes the
request conditional: the server will send back the requested resource, or accept it in
the case of a POST or another non-safe method, only if
it has not been last modified after the given date. If the resource has been modified
after the given date, the response will be a 412 (Precondition Failed)
error. |
||
| 121 | Keep-Alive | General Header, HTTP, HTTP Header, Reference |
The Keep-Alive general header allows the sender to hint about how the connection may be used to set a timeout and a maximum amount of requests. |
||
| 122 | Large-Allocation | HTTP, HTTP Header, Non-standard, Reference, Response Header, header |
The non-standard Large-Allocation response header tells
the browser that the page being loaded is going to want to perform a large allocation.
It is currently only implemented in Firefox, but is harmless to send to every browser. |
||
| 123 | Last-Modified | HTTP, HTTP Header, Reference, Response Header |
The Last-Modified response HTTP header contains the date
and time at which the origin server believes the resource was last modified. It is used
as a validator to determine if a resource received or stored is the same. Less accurate
than an ETag header, it is a fallback mechanism. Conditional requests
containing If-Modified-Since or If-Unmodified-Since
headers make use of this field. |
||
| 124 | Link | Draft, HTTP, HTTP Header, Link, NeedsCompatTable, NeedsContent, NeedsSyntax, Reference |
The HTTP Link entity-header field provides a means for serialising one or more links in HTTP headers. It is semantically equivalent to the HTML link element. |
||
| 125 | Location | HTTP, HTTP Header, Reference, Response Header |
The Location response header indicates the URL to
redirect a page to. It only provides a meaning when served with a
3xx (redirection) or 201 (created) status response. |
||
| 126 | NEL | HTTP, HTTP Header, Network Error Logging, Reference, Response Header, header |
The HTTP NEL response header is used to configure network request logging. |
||
| 127 | Origin | HTTP, Reference, Request header, header, origin |
The Origin request header indicates where a request originates from. It doesn't include any path information. It is similar to the Referer header, but, unlike that header, it doesn't disclose the whole path. |
||
| 128 | Pragma | Caching, Deprecated, HTTP, header, request |
The Pragma HTTP/1.0 general header is an
implementation-specific header that may have various effects along the request-response
chain. It is used for backwards compatibility with HTTP/1.0 caches where the
Cache-Control HTTP/1.1 header is not yet present. |
||
| 129 | Proxy-Authenticate | HTTP, HTTP Header, Proxy, Reference, Response Header |
The HTTP Proxy-Authenticate response header defines the
authentication method that should be used to gain access to a resource behind a
proxy server. It authenticates the request to the proxy server, allowing
it to transmit the request further. |
||
| 130 | Proxy-Authorization | HTTP, HTTP Header, Reference, Request header, header |
The HTTP Proxy-Authorization request header contains the
credentials to authenticate a user agent to a proxy server, usually after the server has
responded with a 407 Proxy Authentication Required status
and the Proxy-Authenticate header. |
||
| 131 | Public-Key-Pins-Report-Only | Deprecated, HPKP, HTTP, Obsolete, Security, header |
The HTTP Public-Key-Pins-Report-Only response header was
used to send reports of pinning violation to the report-uri specified in
the header but, unlike Public-Key-Pins still allows browsers to
connect to the server if the pinning is violated. The header is silently ignored in
modern browsers as support for HPKP has been removed. Use Certificate Transparency
and the Expect-CT header instead. |
||
| 132 | Public-Key-Pins | Deprecated, HPKP, HTTP, Obsolete, Reference, Security, header |
The HTTP Public-Key-Pins response header used to
associate a specific cryptographic public key with a certain web server
to decrease the risk of MITM attacks with forged certificates, however,
it has been removed from modern browsers and is no longer supported. Use Certificate
Transparency and Expect-CT header instead. |
||
| 133 | Range | HTTP, HTTP Header, Range Requests, Reference, Request header |
The Range HTTP request header indicates the part of a document that the server should return. Several parts can be requested with one Range header at once, and the server may send back these ranges in a multipart document. If the server sends back ranges, it uses the 206 Partial Content for the response. If the ranges are invalid, the server returns the 416 Range Not Satisfiable error. The server can also ignore the Range header and return the whole document with a 200 status code. |
||
| 134 | Referer | HTTP, Reference, header, referer, referrer |
The Referer HTTP request header contains an absolute or partial address of the page making the request. When following a link, this would be the address of the page containing the link. When making resource requests to another domain, this would be the address of the page using the resource. The Referer header allows servers to identify where people are visiting them from, which can then be used for analytics, logging, optimized caching, and more. |
||
| 135 | Referrer-Policy | HTTP, HTTP Header, Privacy, Reference, Referrer-Policy, Response, Response Header, referrer |
The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML. |
||
| 136 | Retry-After | HTTP, Reference, Response, Response Header, header |
The Retry-After response HTTP header indicates how long
the user agent should wait before making a follow-up request. There are three main cases
this header is used: |
||
| 137 | Save-Data | HTTP, HTTP Header, Reference, Request header, Save-Data, header |
The Save-Data header field is a boolean which, in
requests, indicates the client's preference for reduced data usage. This could be for
reasons such as high transfer costs, slow connection speeds, etc. |
||
| 138 | Sec-Fetch-Dest | Fetch Metadata Request Headers, HTTP, HTTP Headers |
The Sec-Fetch-Dest fetch metadata header indicates the request's destination, that is how the fetched data will be used. |
||
| 139 | Sec-Fetch-Mode | Fetch Metadata Request Headers, HTTP, HTTP Header |
The Sec-Fetch-Mode fetch metadata header indicates the request's mode. |
||
| 140 | Sec-Fetch-Site | Fetch Metadata Request Headers, HTTP, HTTP Header |
The Sec-Fetch-Site fetch metadata header indicates the relationship between a request initiator's origin and the origin of the resource. |
||
| 141 | Sec-Fetch-User | Fetch metadate request headers, HTTP, HTTP Headers |
The Sec-Fetch-User fetch metadata header is only sent for requests initiated by user activation, and its value will always be ?1. |
||
| 142 | Sec-WebSocket-Accept | Draft, HTTP, NeedsCompatTable, NeedsContent, Reference, Sec-WebSocket-Accept, WebSockets, header |
| The Sec-WebSocket-Accept header is used in the websocket opening handshake. It would appear in the response headers. That is, this is header is sent from server to client to inform that server is willing to initiate a websocket connection. | ||
| 143 | Server-Timing | HTTP, Performance, Reference, header |
The Server-Timing header communicates one or more metrics and descriptions for a given request-response cycle. It is used to surface any backend server timing metrics (e.g. database read/write, CPU time, file system access, etc.) in the developer tools in the user's browser or in the PerformanceServerTiming interface. |
||
| 144 | Server | HTTP, Reference, header |
The Server header describes the
software used by the origin server that handled the request โ that is, the server that
generated the response. |
||
| 145 | Set-Cookie | Cookies, HTTP, Reference, Response, header, samesite |
The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie |
||
| 146 | SameSite cookies | Cookies, HTTP, Reference, samesite |
The SameSite attribute of the Set-Cookie HTTP response header allows you to declare if your cookie should be restricted to a first-party or same-site context. |
||
| 147 | Set-Cookie2 | Cookies, HTTP, Obsolete, Reference, header |
The obsolete Set-Cookie2 HTTP response header used to
send cookies from the server to the user agent, but has been deprecated by the
specification. Use Set-Cookie instead. |
||
| 148 | SourceMap | HTTP, HTTP Header, Reference, Response Header, header |
The SourceMap HTTP response header links generated code to a source map, enabling the browser to reconstruct the original source and present the reconstructed original in the debugger. |
||
| 149 | Strict-Transport-Security | HSTS, HTTP, HTTPS, Security, header |
The HTTP Strict-Transport-Security response header (often
abbreviated as HSTS) lets a web site tell browsers that it should only
be accessed using HTTPS, instead of using HTTP. |
||
| 150 | TE | HTTP, Reference, header |
The TE request header specifies the transfer encodings
the user agent is willing to accept. (you could informally call it
Accept-Transfer-Encoding, which would be more intuitive). |
||
| 151 | Timing-Allow-Origin | CORS, HTTP, Reference, Timing-Allow-Origin, header |
The Timing-Allow-Origin response header specifies origins that are allowed to see values of attributes retrieved via features of the Resource Timing API, which would otherwise be reported as zero due to cross-origin restrictions. |
||
| 152 | Tk | DNT, HTTP, Reference, Response, header, tracking |
The Tk response header indicates the tracking status that
applied to the corresponding request. |
||
| 153 | Trailer | HTTP, Reference, header |
| The Trailer response header allows the sender to include additional fields at the end of chunked messages in order to supply metadata that might be dynamically generated while the message body is sent, such as a message integrity check, digital signature, or post-processing status. | ||
| 154 | Transfer-Encoding | HTTP, Reference, header |
The Transfer-Encoding header specifies the form of
encoding used to safely transfer the Payload body to the
user. |
||
| 155 | Upgrade-Insecure-Requests | HTTP, HTTPS, Security, header |
The HTTP Upgrade-Insecure-Requests request header sends a signal to the server expressing the clientโs preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests CSP directive. |
||
| 156 | Upgrade | HTTP, HTTP Header, Upgrade |
The HTTP 1.1 (only) Upgrade header can be used to upgrade an already established client/server connection to a different protocol (over the same transport protocol). For example, it can be used by a client to upgrade a connection from HTTP 1.1 to HTTP 2.0, or an HTTP or HTTPS connection into a WebSocket. |
||
| 157 | User-Agent | HTTP, HTTP Header, Reference, User-agent |
| The User-Agent request header is a characteristic string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent. | ||
| 158 | Firefox user agent string reference | Compatibility, Firefox, Firefox 4, Gecko, Gecko 2.0, Guide |
| This document describes the user agent string used in Firefox 4 and later and applications based on Gecko 2.0 and later. For a breakdown of changes to the string in Gecko 2.0, see Final User Agent string for Firefox 4 (blog post). See also this document on user agent sniffing and this Hacks blog post. | ||
| 159 | Vary | HTTP, Reference, Response, Response Header, header |
The Vary HTTP response header determines how to match
future request headers to decide whether a cached response can be used rather than
requesting a fresh one from the origin server. It is used by the server to indicate
which headers it used when selecting a representation of a resource in a content negotiation algorithm. |
||
| 160 | Via | HTTP, Reference, header |
The Via general header is added by proxies, both forward
and reverse proxies, and can appear in the request headers and the response headers. It
is used for tracking message forwards, avoiding request loops, and identifying the
protocol capabilities of senders along the request/response chain. |
||
| 161 | Want-Digest | HTTP, HTTP Header |
The Want-Digest HTTP header is primarily used in a HTTP
request, to ask the responder to provide a digest of the requested
resource using the Digest
response header. |
||
| 162 | Warning | General Header, HTTP, Reference, header |
The Warning general HTTP header contains information
about possible problems with the status of the message. More than one
Warning header may appear in a response. |
||
| 163 | WWW-Authenticate | HTTP, HTTP Header, Reference, Response Header, header |
The HTTP WWW-Authenticate response header defines the authentication method that should be used to gain access to a resource. |
||
| 164 | X-Content-Type-Options | HTTP, HTTP Header, Reference, Response Header |
The X-Content-Type-Options response HTTP header is a
marker used by the server to indicate that the MIME types advertised in the
Content-Type headers should not be changed and be followed. This is a
way to opt out of MIME type
sniffing, or, in other words, to say that the MIME types are deliberately
configured. |
||
| 165 | X-DNS-Prefetch-Control | DNS, HTTP, X-DNS-Prefetch-Control, header |
The X-DNS-Prefetch-Control HTTP response header controls
DNS prefetching, a feature by which browsers proactively perform domain name resolution
on both links that the user may choose to follow as well as URLs for items referenced by
the document, including images, CSS, JavaScript, and so forth. |
||
| 166 | X-Forwarded-For | HTTP, HTTP Header, Non-standard, Reference, Request header, header |
The X-Forwarded-For (XFF) header is a de-facto standard
header for identifying the originating IP address of a client connecting to a web server
through an HTTP proxy or a load balancer. When traffic is intercepted between clients
and servers, server access logs contain the IP address of the proxy or load balancer
only. To see the original IP address of the client, the X-Forwarded-For
request header is used. |
||
| 167 | X-Forwarded-Host | HTTP, HTTP Header, Non-standard, Reference, Request header, header |
The X-Forwarded-Host (XFH) header is a de-facto standard
header for identifying the original host requested by the client in the
Host HTTP request header. |
||
| 168 | X-Forwarded-Proto | HTTP, HTTP Header, Non-standard, Reference, Request header, header |
The X-Forwarded-Proto (XFP) header is a de-facto standard
header for identifying the protocol (HTTP or HTTPS) that a client used to connect to
your proxy or load balancer. Your server access logs contain the protocol used between
the server and the load balancer, but not the protocol used between the client and the
load balancer. To determine the protocol used between the client and the load balancer,
the X-Forwarded-Proto request header can be used. |
||
| 169 | X-Frame-Options | Gecko, HAProxy, HTTP, Response Header, Security, nginx |
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame, iframe, embed or object. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites. |
||
| 170 | X-XSS-Protection | HTTP, Reference, Security, XSS, header |
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP. |
||