| Field name | Description | Example | Status | Standard |
| Accept-CH | Requests HTTP Client Hints | Accept-CH: UA, Platform | Experimental | RFC 8942 |
| Access-Control-Allow-Origin,Access-Control-Allow-Credentials,Access-Control-Expose-Headers,Access-Control-Max-Age,Access-Control-Allow-Methods,Access-Control-Allow-Headers | Specifying which web sites can participate in cross-origin resource sharing | Access-Control-Allow-Origin: * | Permanent: standard | RFC 7480 |
| Accept-Patch | Specifies which patch document formats this server supports | Accept-Patch: text/example;charset=utf-8 | Permanent | RFC 5789 |
| Accept-Ranges | What partial content range types this server supports via byte serving | Accept-Ranges: bytes | Permanent | RFC 9110 |
| Age | The age the object has been in a proxy cache in seconds | Age: 12 | Permanent | RFC 9111 |
| Allow | Valid methods for a specified resource. To be used for a 405 Method not allowed | Allow: GET, HEAD | Permanent | RFC 9110 |
| Alt-Svc | A server uses "Alt-Svc" header (meaning Alternative Services) to indicate that its resources can also be accessed at a different network location (host or port) or using a different protocol When using HTTP/2, servers should instead send an ALTSVC frame. | Alt-Svc: http/1.1="http2.example.com:8001"; ma=7200 | Permanent | |
| Cache-Control | Tells all caching mechanisms from server to client whether they may cache this object. It is measured in seconds | Cache-Control: max-age=3600 | Permanent | RFC 9111 |
| Connection | Control options for the current connection and list of hop-by-hop response fields. Must not be used with HTTP/2. | Connection: close | Permanent | RFC 9110 |
| Content-Disposition | An opportunity to raise a "File Download" dialogue box for a known MIME type with binary format or suggest a filename for dynamic content. Quotes are necessary with special characters. | Content-Disposition: attachment; filename="fname.ext" | Permanent | RFC 2616, 4021, 6266 |
| Content-Encoding | The type of encoding used on the data. See HTTP compression. | Content-Encoding: gzip | Permanent | RFC 9110 |
| Content-Language | The natural language or languages of the intended audience for the enclosed content | Content-Language: da | Permanent | RFC 9110 |
| Content-Length | The length of the response body in octets (8-bit bytes) | Content-Length: 348 | Permanent | RFC 9110 |
| Content-Location | An alternate location for the returned data | Content-Location: /index.htm | Permanent | RFC 9110 |
| Content-MD5 | A Base64-encoded binary MD5 sum of the content of the response | Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ== | Obsolete | RFC 1544, 1864, 4021 |
| Content-Range | Where in a full body message this partial message belongs | Content-Range: bytes 21010-47021/47022 | Permanent | RFC 9110 |
| Content-Type | The MIME type of this content | Content-Type: text/html; charset=utf-8 | Permanent | RFC 9110 |
| Date | The date and time that the message was sent (in "HTTP-date" format as defined by RFC 9110) | Date: Tue, 15 Nov 1994 08:12:31 GMT | Permanent | RFC 9110 |
| Delta-Base | Specifies the delta-encoding entity tag of the response. | Delta-Base: "abc" | Permanent | RFC 3229 |
| ETag | An identifier for a specific version of a resource, often a message digest | ETag: "737060cd8c284d8af7ad3082f209582d" | Permanent | RFC 9110 |
| Expires | Gives the date/time after which the response is considered stale (in "HTTP-date" format as defined by RFC 9110) | Expires: Thu, 01 Dec 1994 16:00:00 GMT | Permanent: standard | RFC 9111 |
| IM | Instance-manipulations applied to the response. | IM: feed | Permanent | RFC 3229 |
| Last-Modified | The last modified date for the requested object (in "HTTP-date" format as defined by RFC 9110) | Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT | Permanent | RFC 9110 |
| Link | Used to express a typed relationship with another resource, where the relation type is defined by RFC 8288 | Link: ; rel="alternate" | Permanent | RFC 8288 |
| Location | Used in redirection, or when a new resource has been created. | Example 1: Location: http://www.w3.org/pub/WWW/People.html Example 2: Location: /pub/WWW/People.html | Permanent | RFC 9110 |
| P3P | This field is supposed to set P3P policy, in the form of P3P:CP="your_compact_policy". However, P3P did not take off, most browsers have never fully implemented it, a lot of websites set this field with fake policy text, that was enough to fool browsers the existence of P3P policy and grant permissions for third party cookies. | P3P: CP="This is not a P3P policy! See https://en.wikipedia.org/wiki/Special:CentralAutoLogin/P3P for more info." | Permanent | |
| Pragma | Implementation-specific fields that may have various effects anywhere along the request-response chain. | Pragma: no-cache | Permanent | RFC 9111 |
| Preference-Applied | Indicates which Prefer tokens were honored by the server and applied to the processing of the request. | Preference-Applied: return=representation | Permanent | RFC 7240 |
| Proxy-Authenticate | Request authentication to access the proxy. | Proxy-Authenticate: Basic | Permanent | RFC 9110 |
| Public-Key-Pins | HTTP Public Key Pinning, announces hash of website's authentic TLS certificate | Public-Key-Pins: max-age=2592000; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; | Permanent | RFC 7469 |
| Retry-After | If an entity is temporarily unavailable, this instructs the client to try again later. Value could be a specified period of time (in seconds) or a HTTP-date. | Example 1: Retry-After: 120 Example 2: Retry-After: Fri, 07 Nov 2014 23:59:59 GMT | Permanent | RFC 9110 |
| Server | A name for the server | Server: Apache/2.4.1 (Unix) | Permanent | RFC 9110 |
| Set-Cookie | An HTTP cookie | Set-Cookie: CookieName=CookieValue; Max-Age=3600; Version=1 | Permanent: standard | RFC 6265 |
| Strict-Transport-Security | A HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains. | Strict-Transport-Security: max-age=16070400; includeSubDomains | Permanent: standard | |
| Trailer | The Trailer general field value indicates that the given set of header fields is present in the trailer of a message encoded with chunked transfer coding. | Trailer: Max-Forwards | Permanent | RFC 9110 |
| Transfer-Encoding | The form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity. Must not be used with HTTP/2. | Transfer-Encoding: chunked | Permanent | RFC 9110 |
| Tk | Tracking Status header, value suggested to be sent in response to a DNT(do-not-track), possible values: "!" — under construction "?" — dynamic "G" — gateway to multiple parties "N" — not tracking "T" — tracking "C" — tracking with consent "P" — tracking only if consented "D" — disregarding DNT "U" — updated | Tk: ? | Permanent | |
| Upgrade | Ask the client to upgrade to another protocol. Must not be used in HTTP/2 | Upgrade: h2c, HTTPS/1.3, IRC/6.9, RTA/x11, websocket | Permanent | RFC 9110 |
| Vary | Tells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server. | Example 1: Vary: * Example 2: Vary: Accept-Language | Permanent | RFC 9110 |
| Via | Informs the client of proxies through which the response was sent. | Via: 1.0 fred, 1.1 example.com (Apache/1.1) | Permanent | RFC 9110 |
| Warning | A general warning about possible problems with the entity body. | Warning: 199 Miscellaneous warning | Obsolete | RFC 7234, 9111 |
| WWW-Authenticate | Indicates the authentication scheme that should be used to access the requested entity. | WWW-Authenticate: Basic | Permanent | RFC 9110 |
| X-Frame-Options | Clickjacking protection: deny - no rendering within a frame, sameorigin - no rendering if origin mismatch, allow-from - allow from specified location, allowall - non-standard, allow from any location | X-Frame-Options: deny | Obsolete | |
