Industry Observations-Technical Insight-Tools and Applications

List of Common HTTP Headers

Every few months I find myself looking up up the syntax of a relatively obscure, common HTTP headers. Regularly I find myself wondering why there isn’t a good definitive list of common HTTP headers anywhere. Usually the lists on the Internet are missing half a dozen HTTP response headers. So I’ve taken care to gather a list all of the common HTTP headers I could find. Hopefully this is useful to you, and removes some of the mystique behind how HTTP works if you’ve never seen headers before.

Note: this does not include things like IncapIP or other proxy/service specific headers that aren’t standard, and nor does it include HTTP request headers.

Header Example Value Notes
Access-Control-Allow-Credentials true  
Access-Control-Allow-Headers X-PINGOTHER  
Access-Control-Allow-Methods PUT, DELETE, XMODIFY  
Access-Control-Allow-Origin http://example.org  
Access-Control-Expose-Headers X-My-Custom-Header, X-Another-Custom-Header  
Access-Control-Max-Age 2520  
Accept-Ranges bytes  
Age 12  
Allow GET, HEAD, POST, OPTIONS Commonly includes other things, like PROPFIND etc…
Alternate-Protocol 443:npn-spdy/2,443:npn-spdy/2  
Cache-Control private, no-cache, must-revalidate  
Client-Date Tue, 27 Jan 2009 18:17:30 GMT  
Client-Peer 123.123.123.123:80  
Client-Response-Num 1  
Connection Keep-Alive  
Content-Disposition attachment; filename=”example.exe”  
Content-Encoding gzip  
Content-Language en  
Content-Length 1329  
Content-Location /index.htm  
Content-MD5 Q2hlY2sgSW50ZWdyaXR5IQ==  
Content-Range bytes 21010-47021/47022  
Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP default-src ‘self’ Different header needed to control different browsers
Content-Security-Policy-Report-Only default-src ‘self’; …; report-uri /csp_report_parser;  
Content-Type text/html Can also include charset information (E.g.: text/html;charset=ISO-8859-1)
Date Fri, 22 Jan 2010 04:00:00 GMT  
ETag “737060cd8c284d8af7ad3082f209582d”  
Expires Mon, 26 Jul 1997 05:00:00 GMT  
HTTP /1.1 401 Unauthorized Special header, no colon space delimiter
Keep-Alive timeout=3, max=87  
Last-Modified Tue, 15 Nov 1994 12:45:26 +0000  
Link <http://www.example.com/>; rel=”cononical” rel=”alternate”
Location http://www.example.com/  
P3P policyref=”http://www.example.com/w3c/p3p.xml”, CP=”NOI DSP COR ADMa OUR NOR STA”  
Pragma no-cache  
Proxy-Authenticate Basic  
Proxy-Connection Keep-Alive  
Refresh 5; url=http://www.example.com/  
Retry-After 120  
Server Apache  
Set-Cookie test=1; domain=example.com; path=/; expires=Tue, 01-Oct-2013 19:16:48 GMT Can also include the secure and HTTPOnly flag
Status 200 OK  
Strict-Transport-Security max-age=16070400; includeSubDomains  
Timing-Allow-Origin www.example.com  
Trailer Max-Forwards  
Transfer-Encoding chunked compress, deflate, gzip, identity
Upgrade HTTP/2.0, SHTTP/1.3, IRC/6.9, RTA/x11  
Vary *  
Via 1.0 fred, 1.1 example.com (Apache/1.1)  
Warning Warning: 199 Miscellaneous warning  
WWW-Authenticate Basic  
X-Aspnet-Version 2.0.50727  
X-Content-Type-Options nosniff  
X-Frame-Options deny  
X-Permitted-Cross-Domain-Policies master-only Used by Adobe Flash
X-Pingback http://www.example.com/pingback/xmlrpc  
X-Powered-By PHP/5.4.0  
X-Robots-Tag noindex,nofollow  
X-UA-Compatible Chome=1  
X-XSS-Protection 1; mode=block  

If I’ve missed any response headers, please let us know by leaving a comment and I’ll add it into the list. Perhaps at some point I’ll create a similar list for Request headers, if people find this helpful enough.

  • https://grepular.com/ Mike

    There’s the “Alternate-Protocol” response header too.

  • http://intern0t.org MaXe

    You forgot “X-Pingback:” from WordPress and other applications. It displays the pingback URL for XMLRPC, which in some cases can be abused to perform certain types of enumeration and bruteforce attacks.

    • Maurina Venturelli

      Hi Maxe,

      We added X-Pingback! Thanks for the comment.

  • Dave V

    X-Forwarded-For ?

    • Maurina Venturelli

      Hi Dave,

      I passed along your comment to Robert. He had this to say, “X-Forwarded-For is a request header, not a response
      header (at least that’s how it’s commonly used – who knows what edge cases
      there are on the vast weirdness of the Internet).”

      Thank you for your interest.

  • http://www.computec.ch Marc Ruef

    Hello,

    Nice list! You might be interested in my two fingerprinting projects which provide a database of header fields:

    * http://www.computec.ch/projekte/httprecon/?s=database

    * http://www.computec.ch/projekte/browserrecon/?s=database

    Regards,

    Marc

    • Maurina Venturelli

      Hi Marc,

      Interesting links, unfortunately this isn’t a scanning project – but I could see how
      someone might use that to create a similar or even superior list, using
      real-world examples.

      Robert Hansen, CISSP
      Director of Product Management, WhiteHat Security

  • http://ethernet.org/~super Derek Callaway

    Third-party headers from Oracle/BEA WebLogic Server: WL-Proxy-Client-IP and WL-Proxy-Client-Cert

  • Hari

    This is very helpful compilation of headers. While more literature is available on popular headers like X-Frame-Options, its more difficult to get information on less known (from security perspective) headers like: Age, client-date, client-peer, timing-allow-origin, etc. It will be very helpful if a brief description of the security angle of these headers (if any) is also compiled. Not sure if it is too much a ask though. Thanks for the compilation.

    Regards,