HTTP 头字段
常用的标准请求头与响应头,按功能分类。展开任意头字段查看其语法、指令与实际示例。
Authentication
WWW-AuthenticateChallenge clients for credentials with WWW-Authenticate. Configure Basic, Bearer, Digest, and other authentication schemes on 401 responses.
AuthorizationSend credentials with the Authorization header. Basic, Bearer, and Digest schemes, syntax, and security guidance.
Proxy-AuthenticateUnderstand how Proxy-Authenticate challenges clients to provide proxy credentials with a 407 response. Authentication schemes, syntax, and proxy chain examples.
Proxy-AuthorizationUse the Proxy-Authorization header to send credentials to a proxy server after a 407 challenge. Authentication schemes, syntax, and chain behavior.
Caching
AgeMeasure cache freshness with the Age header. How CDNs and proxies report elapsed time since the origin response.
Cache-ControlControl browser and CDN caching with Cache-Control directives. Syntax, real-world examples, and best practices.
ExpiresUnderstand the Expires header and timestamp-based cache freshness. Learn how Expires interacts with Cache-Control and when to use each approach.
Clear-Site-DataWipe browser caches, cookies, and storage with Clear-Site-Data. Logout flows, directives, and deployment patterns.
Conditionals
Last-ModifiedUnderstand the Last-Modified header and date-based cache validation. Learn how servers report modification timestamps for conditional request workflows.
ETagLearn how ETag identifiers enable cache revalidation and concurrency control. Strong vs. weak ETags, syntax, and conditional request patterns.
If-MatchUnderstand the If-Match header and ETag- based conditional requests. Prevent lost updates with optimistic concurrency control in PUT and DELETE operations.
If-None-MatchLearn how If-None-Match validates cached resources using ETags. Implement cache revalidation and prevent overwrites with conditional requests.
If-Modified-SinceLearn how If-Modified-Since enables date- based cache revalidation for GET and HEAD requests. Reduce bandwidth with conditional responses and 304 status.
If-Unmodified-SinceUnderstand If-Unmodified-Since and how date-based preconditions prevent lost updates. Guard PUT and DELETE operations against concurrent modifications.
VaryControl cache variants with the Vary header. Tell caches which request headers affect the response to store and serve correct representations.
Content Negotiation
AcceptNegotiate response media types with the Accept header. Quality values, wildcards, content negotiation flow, and examples.
Accept-EncodingNegotiate compression with Accept-Encoding. Supported algorithms, quality values, syntax, and server-side implementation.
Accept-LanguageNegotiate content language with Accept-Language. BCP 47 tags, quality values, server handling, and examples.
Accept-CharsetUnderstand why Accept-Charset is deprecated and why UTF-8 replaced charset negotiation. History, syntax, and migration guidance.
Content Information
Content-TypeDeclare media types with Content-Type. MIME types, charset parameter, content negotiation, and MIME sniffing risks.
Content-LengthDeclare message body size with Content-Length. Byte counting, connection reuse, progress indicators, and gotchas.
Content-EncodingIdentify response compression with Content-Encoding. gzip, br, zstd algorithms, server setup, and decoding.
Content-LanguageDeclare content audience language with Content-Language. Language tags, content negotiation, and multilingual setup.
Content-LocationPoint to the negotiated representation with Content-Location. Difference from Location, caching impact, and examples.
Content-DispositionTrigger file downloads or inline display with Content-Disposition. Attachment, filename encoding, and form data usage.
Content-RangeServe partial content with Content-Range. Byte range syntax, resumable downloads, media streaming, and 206 response flow.
Cookies
CORS
Access-Control-Allow-OriginControl cross-origin access with Access-Control-Allow-Origin. Wildcards, dynamic origins, CORS errors, and fixes.
Access-Control-Allow-MethodsAllow HTTP methods in CORS preflight with Access-Control-Allow-Methods. Syntax, wildcard rules, and server configuration.
Access-Control-Allow-HeadersPermit custom headers in CORS requests with Access-Control-Allow-Headers. Preflight setup, wildcards, and examples.
Access-Control-Allow-CredentialsSend cookies and credentials in CORS requests with Access-Control-Allow- Credentials. Setup, pitfalls, and fixes.
OriginUnderstand how the Origin request header identifies where a request came from for CORS. Syntax, browser behavior, and server-side validation.
Range Requests
Accept-RangesEnable resumable downloads with Accept-Ranges. Partial requests, byte serving, streaming, and server setup.
RangeUse the Range header to request partial content from a server. Byte-range syntax, multipart responses, resume downloads, and streaming examples.
If-RangeLearn how If-Range makes range requests conditional for safe download resumption. Get partial content or the full resource without 412 errors.
Redirects
Request Context
HostUnderstand the required Host header in HTTP/1.1 requests. Learn how virtual hosting works, syntax rules, and how servers resolve target domains.
User-AgentIdentify client software with User-Agent. Parse product tokens, understand UA reduction, and implement bot detection strategies.
RefererUnderstand how the Referer header identifies the linking page in HTTP requests. Analytics, access control, privacy risks, and Referrer-Policy interaction.
Referrer-PolicyImplement Referrer-Policy to control what referrer information browsers send. Directive options, privacy implications, and deployment examples.
Response Context
AllowAdvertise supported HTTP methods with the Allow header. Required in 405 responses, OPTIONS handling, and syntax.
DateUnderstand the HTTP Date header and how origin servers timestamp responses. Role in cache freshness calculations and proxy behavior.
ServerIdentify server software with the Server header. Understand product token syntax, security risks of version exposure, and best practices.
Security
Strict-Transport-SecurityForce HTTPS connections with Strict-Transport-Security. Configure HSTS max-age, includeSubDomains, preload, and prevent downgrade attacks.
Content-Security-PolicyPrevent XSS and injection attacks with Content-Security-Policy. Directives, source lists, nonces, and deployment.
X-Content-Type-OptionsPrevent MIME sniffing attacks with X-Content-Type-Options: nosniff. Force browsers to respect the declared Content-Type on every response.
X-Frame-OptionsPrevent clickjacking with X-Frame-Options. Control frame embedding with DENY, SAMEORIGIN, and the CSP frame-ancestors alternative.
Permissions-PolicyImplement Permissions-Policy to control which browser features a site and embedded iframes access. Directives, allowlists, and examples.
Transfer Coding
Transfer-EncodingEncode message bodies for safe transfer with Transfer-Encoding. Understand chunked encoding, hop-by- hop semantics, and streaming responses.
TEDeclare transfer encoding preferences with the TE header. Negotiate chunked trailers and compression between client and server.
ConnectionManage TCP connection lifecycle with the Connection header. Keep-alive, close, hop-by-hop behavior, and HTTP/2 changes.
UpgradeSwitch protocols on an existing connection with the Upgrade header. Negotiate WebSocket, HTTP/2, and TLS upgrades over HTTP/1.1.