HTTP 头部参考
开发
日常 HTTP 头部的快速查询 — 它们做什么、是请求侧、响应侧还是双向,以及在 CORS、缓存、安全、Cookie 中如何配合。按分类筛选或按名称、描述搜索。
—
| 头部 | 描述 | ||
|---|---|---|---|
| Date | ↔ | Timestamp when the message was originated, in IMF-fixdate format. | |
| Connection | ↔ | Whether the network connection stays open after the current exchange (keep-alive / close). | |
| Transfer-Encoding | ↔ | How the message body is encoded for transfer — chunked, compress, deflate, gzip, identity. | |
| Content-Type | ↔ | Media type of the body (e.g. application/json; charset=utf-8). | |
| Content-Length | ↔ | Size of the body in bytes. | |
| Content-Encoding | ↔ | Compression applied to the body (gzip, br, zstd). | |
| Content-Language | ↔ | Natural language of the body (e.g. ko-KR). | |
| Content-Disposition | ↔ | Whether the body is displayed inline or treated as an attachment to be downloaded. | |
| Host | → | Domain name of the server (required for HTTP/1.1). | |
| User-Agent | → | Identifies the client software (browser, bot, library). | |
| Accept | → | Media types the client can handle (e.g. text/html, application/json). | |
| Accept-Encoding | → | Content encodings the client can decode (gzip, br). | |
| Accept-Language | → | Preferred languages of the client (e.g. ko, en;q=0.8). | |
| Referer | → | URL of the page that triggered the request — yes, misspelled in the spec. | |
| Authorization | → | Credentials — Basic, Bearer, Digest, etc. | |
| Range | → | Request only a portion of the resource (e.g. bytes=0-1023). Triggers a 206 response. | |
| If-None-Match | → | Conditional request — only return the resource if its ETag does not match. | |
| If-Modified-Since | → | Conditional request — only return the resource if changed since the given date. | |
| Origin | → | Scheme + host + port of the page that initiated a CORS or fetch request. | |
| Server | ← | Identifies the server software handling the request. | |
| Location | ← | Target URL for redirects (3xx) or location of a newly created resource (201). | |
| ETag | ← | Opaque identifier for a specific version of the resource — used with If-None-Match. | |
| Last-Modified | ← | When the resource was last changed — used with If-Modified-Since. | |
| Retry-After | ← | How long to wait before retrying — used with 429 and 503. | |
| WWW-Authenticate | ← | Challenges the client to authenticate — sent with 401 responses. | |
| Vary | ← | Lists request headers that affect this response — caches use it to key entries. | |
| Allow | ← | HTTP methods allowed on the resource — sent with 405 responses. | |
| Access-Control-Allow-Origin | ← | Which origin(s) may read the response — exact origin or `*`. Cannot be `*` with credentials. | |
| Access-Control-Allow-Methods | ← | Methods allowed on the resource for cross-origin requests — sent in the preflight response. | |
| Access-Control-Allow-Headers | ← | Custom request headers the client may include — sent in the preflight response. | |
| Access-Control-Allow-Credentials | ← | Whether the response can be shared when credentials (cookies, basic auth) are sent. | |
| Access-Control-Max-Age | ← | How long the browser may cache the preflight response, in seconds. | |
| Access-Control-Expose-Headers | ← | Response headers JavaScript may read (beyond the default safelist). | |
| Access-Control-Request-Method | → | In a preflight, the method the actual request will use. | |
| Access-Control-Request-Headers | → | In a preflight, the custom headers the actual request will include. | |
| Cache-Control | ↔ | Caching directives — max-age, no-store, public, private, immutable, etc. | |
| Expires | ← | Absolute date after which the response is stale — Cache-Control: max-age takes precedence. | |
| Pragma | → | Legacy caching control — `Pragma: no-cache` for HTTP/1.0 compatibility. | |
| Age | ← | How long ago (seconds) the response was generated by the origin, per the proxy. | |
| Strict-Transport-Security | ← | HSTS — forces future visits to use HTTPS, optionally including subdomains and preload. | |
| Content-Security-Policy | ← | CSP — restricts which sources of scripts, styles, frames, etc. the browser may load. | |
| X-Frame-Options | ← | Whether the page may be embedded in a frame — DENY, SAMEORIGIN. Superseded by CSP frame-ancestors. | |
| X-Content-Type-Options | ← | `nosniff` disables MIME sniffing — the browser must trust the declared Content-Type. | |
| Referrer-Policy | ← | Controls how much of the Referer URL is sent with outgoing requests. | |
| Permissions-Policy | ← | Opts in/out of browser features (camera, microphone, geolocation, etc.) for the page and its frames. | |
| Cross-Origin-Opener-Policy | ← | COOP — isolates the browsing context from cross-origin documents. Required for SharedArrayBuffer. | |
| Cross-Origin-Resource-Policy | ← | CORP — restricts which origins may load this resource. | |
| Cookie | → | Cookies the client sends back to the server. | |
| Set-Cookie | ← | Asks the client to store one or more cookies — attributes: Path, Domain, Max-Age, Secure, HttpOnly, SameSite. |
使用方法
- 在搜索框输入头部名 (`cache-control`) 或关键字 (`cors`、`redirect`)。
- 选择分类标签缩小范围 — 例如 Security 比较 CSP、HSTS、COOP。
- 点击任意行的复制按钮复制头部名称。
常见问题
- 为什么 `Cache-Control` 显示为双向?
- 一些头部 — `Cache-Control`、`Content-Type`、`Date`、`Connection` — 在请求和响应中都有效。表格用 `↔` 标记。
- `Origin` 和 `Referer` 的区别?
- `Origin` 只是 scheme + host + port;在 CORS 和 POST 请求中发送。`Referer` 是前一页面的完整 URL,主要用于分析 — `Referrer-Policy` 控制泄漏多少。
- CORS preflight 头部什么时候用?
- 当 fetch 使用非简单方法 (`PUT`、`DELETE`) 或自定义头部时,浏览器先发送 `OPTIONS` 预检请求。`Access-Control-Request-*` 在预检中;`Access-Control-Allow-*` 返回;预检允许后再发真正的请求。