HTTP Header Dictionary

Request and response headers by category — syntax, directives, security notes, and related headers/codes.

Auth2
CORS5
Caching4
Conditional6
Connection2
Content7
Cookies2
General2
Ranges3
Routing3
Security6
Content-Security-PolicyContent-Security-Policy (CSP) is a security header that finely controls, via directives, which sources of scripts, styles, images, frames, and more the browser may load or execute on a page. By blocking untrusted resources it strongly mitigates XSS, data exfiltration, and clickjacking.RefererReferer is the request header that names the URL of the previous page — the page whose link or resource led the user to this request. It is used for traffic-source analytics, referral stats, and basic access control.Referrer-PolicyReferrer-Policy is a security/privacy header controlling how much origin information the browser includes in the Referer header when navigating to another page or requesting a resource. You can choose between the full URL, origin only, or nothing.Strict-Transport-SecurityStrict-Transport-Security (HSTS) is a security header telling the browser to only ever connect to this site over HTTPS. Once received, for the duration of max-age the browser auto-upgrades any http:// attempt to https:// and won't let the user click through certificate errors.X-Content-Type-OptionsX-Content-Type-Options: nosniff is a security header that turns off the browser's habit of inspecting a response's actual bytes and guessing its Content-Type (MIME sniffing). It makes the browser trust the server-declared Content-Type verbatim.X-Frame-OptionsX-Frame-Options is a security header that controls whether this page may be embedded inside another page's <iframe>, <frame>, or <object>. Its main purpose is clickjacking defense — stopping an attacker from overlaying your page as a transparent frame to hijack the user's clicks.