HTTP ヘッダリファレンス
開発
日常的に使う HTTP ヘッダのクイック検索 — 何をするか、リクエスト・レスポンス・両方向か、CORS・キャッシュ・セキュリティ・Cookie でどう組み合わさるか。カテゴリフィルタまたは名前・説明検索。
—
| ヘッダ | 説明 | ||
|---|---|---|---|
| Date | ↔ | Timestamp when the message was originated, in IMF-fixdate format. | |
| Connection | ↔ | Whether the network connection stays open after the current exchange (keep-alive / close). | |
| Transfer-Encoding | ↔ | How the message body is encoded for transfer — chunked, compress, deflate, gzip, identity. | |
| Content-Type | ↔ | Media type of the body (e.g. application/json; charset=utf-8). | |
| Content-Length | ↔ | Size of the body in bytes. | |
| Content-Encoding | ↔ | Compression applied to the body (gzip, br, zstd). | |
| Content-Language | ↔ | Natural language of the body (e.g. ko-KR). | |
| Content-Disposition | ↔ | Whether the body is displayed inline or treated as an attachment to be downloaded. | |
| Host | → | Domain name of the server (required for HTTP/1.1). | |
| User-Agent | → | Identifies the client software (browser, bot, library). | |
| Accept | → | Media types the client can handle (e.g. text/html, application/json). | |
| Accept-Encoding | → | Content encodings the client can decode (gzip, br). | |
| Accept-Language | → | Preferred languages of the client (e.g. ko, en;q=0.8). | |
| Referer | → | URL of the page that triggered the request — yes, misspelled in the spec. | |
| Authorization | → | Credentials — Basic, Bearer, Digest, etc. | |
| Range | → | Request only a portion of the resource (e.g. bytes=0-1023). Triggers a 206 response. | |
| If-None-Match | → | Conditional request — only return the resource if its ETag does not match. | |
| If-Modified-Since | → | Conditional request — only return the resource if changed since the given date. | |
| Origin | → | Scheme + host + port of the page that initiated a CORS or fetch request. | |
| Server | ← | Identifies the server software handling the request. | |
| Location | ← | Target URL for redirects (3xx) or location of a newly created resource (201). | |
| ETag | ← | Opaque identifier for a specific version of the resource — used with If-None-Match. | |
| Last-Modified | ← | When the resource was last changed — used with If-Modified-Since. | |
| Retry-After | ← | How long to wait before retrying — used with 429 and 503. | |
| WWW-Authenticate | ← | Challenges the client to authenticate — sent with 401 responses. | |
| Vary | ← | Lists request headers that affect this response — caches use it to key entries. | |
| Allow | ← | HTTP methods allowed on the resource — sent with 405 responses. | |
| Access-Control-Allow-Origin | ← | Which origin(s) may read the response — exact origin or `*`. Cannot be `*` with credentials. | |
| Access-Control-Allow-Methods | ← | Methods allowed on the resource for cross-origin requests — sent in the preflight response. | |
| Access-Control-Allow-Headers | ← | Custom request headers the client may include — sent in the preflight response. | |
| Access-Control-Allow-Credentials | ← | Whether the response can be shared when credentials (cookies, basic auth) are sent. | |
| Access-Control-Max-Age | ← | How long the browser may cache the preflight response, in seconds. | |
| Access-Control-Expose-Headers | ← | Response headers JavaScript may read (beyond the default safelist). | |
| Access-Control-Request-Method | → | In a preflight, the method the actual request will use. | |
| Access-Control-Request-Headers | → | In a preflight, the custom headers the actual request will include. | |
| Cache-Control | ↔ | Caching directives — max-age, no-store, public, private, immutable, etc. | |
| Expires | ← | Absolute date after which the response is stale — Cache-Control: max-age takes precedence. | |
| Pragma | → | Legacy caching control — `Pragma: no-cache` for HTTP/1.0 compatibility. | |
| Age | ← | How long ago (seconds) the response was generated by the origin, per the proxy. | |
| Strict-Transport-Security | ← | HSTS — forces future visits to use HTTPS, optionally including subdomains and preload. | |
| Content-Security-Policy | ← | CSP — restricts which sources of scripts, styles, frames, etc. the browser may load. | |
| X-Frame-Options | ← | Whether the page may be embedded in a frame — DENY, SAMEORIGIN. Superseded by CSP frame-ancestors. | |
| X-Content-Type-Options | ← | `nosniff` disables MIME sniffing — the browser must trust the declared Content-Type. | |
| Referrer-Policy | ← | Controls how much of the Referer URL is sent with outgoing requests. | |
| Permissions-Policy | ← | Opts in/out of browser features (camera, microphone, geolocation, etc.) for the page and its frames. | |
| Cross-Origin-Opener-Policy | ← | COOP — isolates the browsing context from cross-origin documents. Required for SharedArrayBuffer. | |
| Cross-Origin-Resource-Policy | ← | CORP — restricts which origins may load this resource. | |
| Cookie | → | Cookies the client sends back to the server. | |
| Set-Cookie | ← | Asks the client to store one or more cookies — attributes: Path, Domain, Max-Age, Secure, HttpOnly, SameSite. |
使い方
- 検索ボックスにヘッダ名 (`cache-control`) またはキーワード (`cors`、`redirect`) を入力。
- カテゴリチップで絞り込み — 例:Security で CSP・HSTS・COOP を比較。
- 各行のコピーボタンでヘッダ名をコピー。
よくある質問
- `Cache-Control` が両方向と表示される理由は?
- `Cache-Control`・`Content-Type`・`Date`・`Connection` などの一部ヘッダはリクエストとレスポンスの両方で有効。テーブルでは `↔` で表示。
- `Origin` と `Referer` の違いは?
- `Origin` は scheme + host + port のみ — CORS と POST リクエストで送信。`Referer` は前のページの完全な URL で主に分析用途 — `Referrer-Policy` でどこまで漏らすか制御。
- CORS preflight ヘッダはいつ使われる?
- fetch が non-simple メソッド (`PUT`・`DELETE`) やカスタムヘッダを使うとき、ブラウザは先に `OPTIONS` preflight を送信。`Access-Control-Request-*` は preflight に、`Access-Control-Allow-*` は応答に。許可されれば実際のリクエストが続く。
関連ツール
JWT デコーダー
JWT のヘッダー・クレーム・有効期限を即座に確認。
開発00
UUID ジェネレーター
ランダムなバージョン 4 UUID をまとめて生成し、コピー。
開発00
ハッシュ生成 (SHA)
テキストから SHA-1・SHA-256・SHA-384・SHA-512 ハッシュを生成。
開発00
URL エンコーダー / デコーダー
URL 用にテキストをパーセントエンコード、または URL をデコード。
開発00
Base64 エンコーダー / デコーダー
テキストを Base64 にエンコード、または Base64 をテキストにデコード。
開発00
JSON フォーマッター & バリデーター
ブラウザで JSON を整形・並べ替え・圧縮・検証できます。
開発00