MDN HTTP pages
This page lists all MDN HTTP pages along with their summary and tags.
Found 191 pages:
# | Page | Tags and summary |
---|---|---|
1 | HTTP | HTTP, Reference, Web, l10n:priority |
Hypertext Transfer Protocol (HTTP) is an application-layer protocol for transmitting hypermedia documents, such as HTML. | ||
2 | A typical HTTP session | HTTP |
In client-server protocols, like HTTP, sessions consist of three phases: | ||
3 | An overview of HTTP | HTML, Overview, WebMechanics, l10n:priority |
HTTP is a protocol which allows the fetching of resources, such as HTML documents. It is the foundation of any data exchange on the Web and a client-server protocol, which means requests are initiated by the recipient, usually the Web browser. A complete document is reconstructed from the different sub-documents fetched, for instance text, layout description, images, videos, scripts, and more. | ||
4 | Basics of HTTP | HTTP, Overview |
HTTP is a pretty extensible protocol. It relies on a few basic concepts like the notion of resources and URIs, a simple structure of messages, and a client-server structure for the communication flow. On top of these basic concepts, numerous extensions have appeared over the years, adding new functionality and new semantics by creating new HTTP methods or headers. | ||
5 | Choosing between www and non-www URLs | Guide, HTTP, URL |
A recurring question among website owners is whether to choose non-www or www URLs. This page provides some advice on what's best. | ||
6 | Data URLs | Base64, Guide, Intermediate, URL |
Data URLs, URLs prefixed with the data: scheme, allow content creators to embed small files inline in documents. |
||
7 | Evolution of HTTP | Guide, HTTP |
HTTP is the underlying protocol of the World Wide Web. Invented by Tim Berners-Lee in the years 1989-1991, HTTP has seen many changes, keeping most of the simplicity and further shaping its flexibility. HTTP has evolved, from an early protocol to exchange files in a semi-trusted laboratory environment, to the modern maze of the Internet, now carrying images, videos in high resolution and 3D. | ||
8 | Identifying resources on the Web | HTTP |
The target of an HTTP request is called a "resource", whose nature isn't defined further; it can be a document, a photo, or anything else. Each resource is identified by a Uniform Resource Identifier (URI) used throughout HTTP for identifying resources. | ||
9 | MIME types | Guide, HTTP |
The MIME type is the mechanism to tell the client the variety of document transmitted: the extension of a file name has no meaning on the web. It is, therefore, important that the server is correctly set up, so that the correct MIME type is transmitted with each document. Browsers often use the MIME-type to determine what default action to do when a resource is fetched. | ||
10 | Complete list of MIME types | HTTP, MIME Types, Reference |
Here is a comprehensive list of MIME types, associated by type of documents, ordered by their common extensions. | ||
11 | Browser detection using the user agent | Compatibility, Web Development |
Serving different Web pages or services to different browsers is usually a bad idea. The Web is meant to be accessible to everyone, regardless of which browser or device they're using. There are ways to develop your web site to progressively enhance itself based on the availability of features rather than by targeting specific browsers. | ||
12 | Compression in HTTP | Content Negotiation, Guide, HTTP |
Compression is an important way to increase the performance of a Web site. For some documents, size reduction of up to 70% lowers the bandwidth capacity needs. Over the years, algorithms also got more efficient, and new ones are supported by clients and servers. | ||
13 | Configuring servers for Ogg media | Audio, Media, Ogg, Video |
HTML <audio> and <video> elements allow media presentation without the need for the user to install any plug-ins or other software to do so. In order for a server to serve Ogg media correctly, there are a few configuration tweaks that might be useful. |
||
14 | Connection management in HTTP/1.x | Guide, HTTP, Performance, WebMechanics |
Connection management is a key topic in HTTP: opening and maintaining connections largely impacts the performance of Web sites and Web applications. In HTTP/1.x, there are several models: short-lived connections, persistent connections, and HTTP pipelining. | ||
15 | Content Security Policy (CSP) | CSP, Content Security Policy, Reference, Security |
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. | ||
16 | Content negotiation | Content Negotiation, HTTP, Reference |
In HTTP, content negotiation is the mechanism that is used for serving different representations of a resource at the same URI, so that the user agent can specify which is best suited for the user (for example, which language of a document, which image format, or which content encoding). | ||
17 | List of default Accept values | Accept, Content Negotiation, HTTP, Reference |
These are the values sent when the context doesn't give better information. Note that all browsers add the */* MIME Type to cover all cases. This is typically used for requests initiated via the address bar of a browser, or via an HTML <a> element. |
||
18 | HTTP Messages | Guide, HTTP, WebMechanics |
HTTP messages are how data is exchanged between a server and a client. There are two types of messages: requests sent by the client to trigger an action on the server, and responses, the answer from the server. | ||
19 | HTTP Public Key Pinning (HPKP) | Guide, HPKP, HTTP, Security |
The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. | ||
20 | HTTP access control (CORS) | AJAX, HTTP, Same-origin policy, Security, XMLHttpRequest |
A resource makes a cross-origin HTTP request when it requests a resource from a different domain, protocol, or port to its own. For example, an HTML page served from http://domain-a.com makes an <img> src request for http://domain-b.com/image.jpg. Many pages on the web today load resources like CSS stylesheets, images, and scripts from separate domains. |
||
21 | HTTP authentication | Access Control, Authentication, Guide, HTTP |
HTTP provides a general framework for access control and authentication. The most common HTTP authentication scheme is the "Basic" authentication. This page introduces the general HTTP auth framework and shows how to restrict access to your server with HTTP Basic authentication. | ||
22 | HTTP caching | Caching, Guide, HTTP |
The performance of web sites and applications can be significantly improved by reusing previously fetched resources. Web caches reduce latency and network traffic and thus lessen the time needed to display a representation of a resource. By making use of HTTP caching, Web sites become more responsive. | ||
23 | HTTP conditional requests | Conditional Requests, Guide, HTTP |
HTTP has a concept of conditional requests, where the result, and even the success of a request, can be changed by comparing the affected resources with the value of a validator. Such requests can be useful to validate the content of a cache, sparing a useless control; to verify the integrity of a document, like when resuming a download; or to prevent lost updates when uploading or modifying a document on the server. | ||
24 | HTTP cookies | Cookies, Guide, HTTP |
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser, which may store it and send it back together with the next request to the same server. Typically, it's used to know if two requests came from the same browser, allowing a user to stay logged in, for example. It remembers stateful information for the stateless HTTP protocol. | ||
25 | HTTP headers | HTTP, Headers, Networking, Reference |
HTTP headers allow the client and the server to pass additional information with the request or the response. A request header consists of its case-insensitive name followed by a colon ': ', then by its value (without line breaks). Leading white space before the value is ignored. |
||
26 | Accept | HTTP, HTTP Header, Reference, Request header |
The Accept request HTTP header advertises which content types, expressed as MIME types, the client is able to understand. Using content negotiation, the server then selects one of the proposals, uses it and informs the client of its choice with the Content-Type response header. Browsers set adequate values for this header depending on the context in which the request is made: when fetching a CSS stylesheet a different value is set for the request than when fetching an image, video or a script. |
||
27 | Accept-Charset | Content Negotiation, HTTP, HTTP Header, Reference, Request header |
The Accept-Charset request HTTP header advertises which character set the client is able to understand. Using content negotiation, the server then selects one of the proposals, uses it and informs the client of its choice within the Content-Type response header. Browsers usually don't set this header as the default value for each content type is usually correct and transmitting it would allow easier fingerprinting. |
||
28 | Accept-Encoding | Content Negotiation, HTTP, HTTP Header, Reference, Request header |
The Accept-Encoding request HTTP header advertises which content encoding, usually a compression algorithm, the client is able to understand. Using content negotiation, the server selects one of the proposals, uses it and informs the client of its choice with the Content-Encoding response header. |
||
29 | Accept-Language | Content Negotiation, HTTP, HTTP Header, Reference, Request header |
The Accept-Language request HTTP header advertises which languages the client is able to understand, and which locale variant is preferred. Using content negotiation, the server then selects one of the proposals, uses it and informs the client of its choice with the Content-Language response header. Browsers set adequate values for this header according to their user interface language, and even if a user can change it, this happens rarely (and is frowned upon as it leads to fingerprinting). |
||
30 | Accept-Ranges | HTTP, HTTP Headers, Range Requests, Reference, Response Header |
The Accept-Ranges response HTTP header is a marker used by the server to advertise its support of partial requests. The value of this field indicates the unit that can be used to define a range. |
||
31 | Access-Control-Allow-Credentials | CORS, HTTP, Reference, header |
The Access-Control-Allow-Credentials response header indicates whether or not the response to the request can be exposed to the page. It can be exposed when the true value is returned; it can't in other cases. |
||
32 | Access-Control-Allow-Headers | CORS, HTTP, Reference, header |
The Access-Control-Allow-Headers response header is used in response to a preflight request to indicate which HTTP headers will be available via Access-Control-Expose-Headers when making the actual request. |
||
33 | Access-Control-Allow-Methods | CORS, HTTP, Reference, header |
The Access-Control-Allow-Methods response header specifies the method or methods allowed when accessing the resource in response to a preflight request. |
||
34 | Access-Control-Allow-Origin | CORS, HTTP, Reference, header |
The Access-Control-Allow-Origin response header indicates whether the response can be shared with resources with the given origin. |
||
35 | Access-Control-Expose-Headers | CORS, HTTP, Reference, header |
The Access-Control-Expose-Headers response header indicates which headers can be exposed as part of the response by listing their names. |
||
36 | Access-Control-Max-Age | CORS, HTTP, Reference, header |
The Access-Control-Max-Age response header indicates how long the results of a preflight request (that is the information contained in the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers) can be cached. |
||
37 | Access-Control-Request-Headers | CORS, HTTP, Reference, header |
The Access-Control-Request-Headers request header is used when issuing a preflight request to let the server know which HTTP headers will be used when the actual request is made. |
||
38 | Access-Control-Request-Method | CORS, HTTP, Reference, header |
The Access-Control-Request-Method request header is used when issuing a preflight request to let the server know which HTTP method will be used when the actual request is made. This header is necessary as the preflight request is always an OPTIONS and doesn't use the same method as the actual request. |
||
39 | Age | Caching, HTTP, Response, header |
The Age header contains the time in seconds the object has been in a proxy cache. |
||
40 | Allow | Entity header, HTTP, HTTP Header, Reference, header |
The Allow header lists the set of methods supported by a resource. |
||
41 | Authorization | HTTP, HTTP Header, Reference, Request header, header |
The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header. |
||
42 | Cache-Control | General Header, HTTP, HTTP Headers, Reference |
The Cache-Control general-header field is used to specify directives for caching mechanisms in both requests and responses. Caching directives are unidirectional, meaning that a given directive in a request does not imply that the same directive is to be given in the response. |
||
43 | Connection | HTTP, Headers, Reference, Web |
The Connection general header controls whether or not the network connection stays open after the current transaction finishes. If the value sent is keep-alive, the connection is persistent and not closed, allowing for subsequent requests to the same server to be done. |
||
44 | Content-Disposition | HTTP, Reference, header |
In a multipart/form-data body, the HTTP Content-Disposition general header is a header that can be used on the subpart of a multipart body to give information about the field it applies to. The subpart is delimited by the boundary defined in the Content-Type header. Used on the body itself, Content-Disposition has no effect. |
||
45 | Content-Encoding | HTTP, Headers, Reference |
The Content-Encoding entity header is used to compress the media-type. When present, its value indicates what additional content encoding has been applied to the entity-body. It lets the client know how to decode in order to obtain the media-type referenced by the Content-Type header. |
||
46 | Content-Language | HTTP, Headers, Reference |
The Content-Language entity header is used to describe the language(s) intended for the audience, so that it allows a user to differentiate according to the users' own preferred language. |
||
47 | Content-Length | HTTP, Headers, Reference |
The Content-Length entity header indicates the size of the entity-body, in decimal number of octets, sent to the recipient. |
||
48 | Content-Location | HTTP, Reference, header |
The Content-Location header indicates an alternate location for the returned data. The principal use case is to indicate the URL of the resource transmitted as the result of content negotiation. |
||
49 | Content-Range | HTTP, HTTP Header, Reference, Response Header, header |
The Content-Range response HTTP header indicates where in a full body message a partial message belongs. |
||
50 | Content-Security-Policy | CSP, HTTP, Reference, Security, header |
The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS). |
||
51 | CSP: base-uri | CSP, Directive, Document directive, HTTP, Security |
The HTTP Content-Security-Policy base-uri directive restricts the URLs which can be used in a document's <base> element. If this value is absent, then any URI is allowed. If this directive is absent, the user agent will use the value in the <base> element. |
||
52 | CSP: block-all-mixed-content | CSP, Directive, HTTP, Mixed Content, Reference, Security |
The HTTP Content-Security-Policy (CSP) block-all-mixed-content directive prevents loading any assets using HTTP when the page is loaded using HTTPS. |
||
53 | CSP: child-src | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy (CSP) child-src directive defines the valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>. For workers, non-compliant requests are treated as fatal network errors by the user agent. |
||
54 | CSP: connect-src | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy (CSP) connect-src directive restricts the URLs which can be loaded using script interfaces. The APIs that are restricted are: |
||
55 | CSP: default-src | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy (CSP) default-src directive serves as a fallback for the other CSP fetch directives. For each of the following directives that are absent, the user agent will look for the default-src directive and will use this value for it: |
||
56 | CSP: font-src | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy (CSP) font-src directive specifies valid sources for fonts loaded using @font-face. |
||
57 | CSP: form-action | CSP, Directive, HTTP, Security |
The HTTP Content-Security-Policy (CSP) form-action directive restricts the URLs which can be used as the target of form submissions from a given context. |
||
58 | CSP: frame-ancestors | CSP, Directive, HTTP, Security |
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>. |
||
59 | CSP: frame-src | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy (CSP) frame-src directive specifies valid sources for nested browsing contexts loaded using elements such as <frame> and <iframe>. |
||
60 | CSP: img-src | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy: img-src directive specifies valid sources of images and favicons. |
||
61 | CSP: manifest-src | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy: manifest-src directive specifies which manifest can be applied to the resource. |
||
62 | CSP: media-src | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy (CSP) media-src directive specifies valid sources for loading media using the <audio> and <video> elements. |
||
63 | CSP: object-src | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy object-src directive specifies valid sources for the <object>, <embed>, and <applet> elements. |
||
64 | CSP: plugin-types | CSP, Directive, Flash, HTTP, Java, Plugins, Security |
The HTTP Content-Security-Policy (CSP) plugin-types directive restricts the set of plugins that can be embedded into a document by limiting the types of resources which can be loaded. |
||
65 | CSP: referrer | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy (CSP) referrer directive used to specify information in the Referer header (with a single r as this was a typo in the original spec) for links away from a page. This API is deprecated and removed from browsers. |
||
66 | CSP: report-uri | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy (CSP) report-uri directive instructs the user agent to report attempts to violate the Content Security Policy. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI. |
||
67 | CSP: require-sri-for | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy require-sri-for directive instructs the client to require the use of Subresource Integrity for scripts or styles on the page. |
||
68 | CSP: sandbox | CSP, Directive, HTTP, Security |
The HTTP Content-Security-Policy (CSP) sandbox directive enables a sandbox for the requested resource similar to the <iframe> sandbox attribute. It applies restrictions to a page's actions including preventing popups, preventing the execution of plugins and scripts, and enforcing a same-origin policy. |
||
69 | CSP: script-src | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy (CSP) script-src directive specifies valid sources for JavaScript. This includes not only URLs loaded directly into <script> elements, but also things like inline script event handlers (onclick) and XSLT stylesheets which can trigger script execution. |
||
70 | CSP: style-src | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy (CSP) style-src directive specifies valid sources for stylesheets. |
||
71 | CSP: upgrade-insecure-requests | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy (CSP) upgrade-insecure-requests directive instructs user agents to treat all of a site's insecure URLs (those served over HTTP) as though they have been replaced with secure URLs (those served over HTTPS). This directive is intended for web sites with large numbers of insecure legacy URLs that need to be rewritten. |
||
72 | CSP: worker-src | CSP, Directive, HTTP, Reference, Security |
The HTTP Content-Security-Policy (CSP) worker-src directive specifies valid sources for Worker, SharedWorker, or ServiceWorker scripts. |
||
73 | Content-Security-Policy-Report-Only | CSP, HTTP, HTTPS, Reference, Security, header |
The HTTP Content-Security-Policy-Report-Only response header allows web developers to experiment with policies by monitoring (but not enforcing) their effects. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI. |
||
74 | Content-Type | HTTP, Reference, header |
The Content-Type entity header is used to indicate the media type of the resource. |
||
75 | Cookie | Cookies, HTTP, Reference, header, request |
The Cookie HTTP request header contains stored HTTP cookies previously sent by the server with the Set-Cookie header. |
||
76 | Cookie2 | HTTP, Obsolete, Reference, header, request |
The obsolete Cookie2 HTTP request header used to advise the server that the user agent understands "new-style" cookies, but nowadays user agents will use the Cookie header instead, not this one. |
||
77 | DNT | DNT, HTTP, Reference, header |
The DNT (Do Not Track) request header indicates the user's tracking preference. It lets users indicate whether they would prefer privacy rather than personalized content. |
||
78 | Date | General Header, HTTP, Reference, header |
The Date general HTTP header contains the date and time at which the message was originated. |
||
79 | ETag | HTTP, Reference, Response, header |
The ETag HTTP response header is an identifier for a specific version of a resource. It allows caches to be more efficient, and saves bandwidth, as a web server does not need to send a full response if the content has not changed. On the other side, if the content has changed, etags are useful to help prevent simultaneous updates of a resource from overwriting each other ("mid-air collisions"). |
||
80 | Expect | HTTP, HTTP Headers, Reference, Request header |
The Expect HTTP request header indicates expectations that need to be fulfilled by the server in order to properly handle the request. |
||
81 | Expires | Caching, HTTP, Response, header |
The Expires header contains the date/time after which the response is considered stale. |
||
82 | Forwarded | HTTP, HTTP Header, Reference, Request header, header |
The Forwarded header contains information from the client-facing side of proxy servers that is altered or lost when a proxy is involved in the path of the request. |
||
83 | From | HTTP, Reference, header |
The From request header contains an Internet email address for a human user who controls the requesting user agent. |
||
84 | Host | HTTP, Reference, header |
The Host request header specifies the domain name of the server (for virtual hosting), and (optionally) the TCP port number on which the server is listening. |
||
85 | If-Match | Conditional Requests, HTTP, HTTP Headers, Reference, Request Headers |
The If-Match HTTP request header makes the request conditional. For GET and HEAD methods, the server will send back the requested resource only if it matches one of the listed ETags. For PUT and other non-safe methods, it will only upload the resource in this case. |
||
86 | If-Modified-Since | Conditional Requests, HTTP, HTTP Headers, Reference, Request header |
The If-Modified-Since request HTTP header makes the request conditional: the server will send back the requested resource, with a 200 status, only if it has been last modified after the given date. If the request has not been modified since, the response will be a 304 without any body; the Last-Modified header will contain the date of last modification. Unlike If-Unmodified-Since, If-Modified-Since can only be used with a GET or HEAD. |
||
87 | If-None-Match | Conditional Requests, HTTP, HTTP Header, Reference, Request header |
The If-None-Match HTTP request header makes the request conditional. For GET and HEAD methods, the server will send back the requested resource, with a 200 status, only if it doesn't have an ETag matching the given ones. For other methods, the request will be processed only if the eventually existing resource's ETag doesn't match any of the values listed. |
||
88 | If-Range | Condtional Requests, HTTP, HTTP Header, Range Requests, Reference, Request header |
The If-Range HTTP request header makes a range request conditional: if the condition is fulfilled, the range request will be issued and the server sends back a 206 Partial Content answer with the appropriate body. If the condition is not fulfilled, the full resource is sent back, with a 200 OK status. |
||
89 | If-Unmodified-Since | HTTP, HTTP Headers, Reference, Request header |
The If-Unmodified-Since request HTTP header makes the request conditional: the server will send back the requested resource, or accept it in the case of a POST or another non-safe method, only if it has not been last modified after the given date. If the request has been modified after the given date, the response will be a 412 (Precondition Failed) error. |
||
90 | Keep-Alive | General Header, HTTP, HTTP Headers, Reference |
The Keep-Alive general header allows the sender to hint about how the connection may be used; it may be used to set a timeout and a maximum amount of requests. |
||
91 | Large-Allocation | HTTP, HTTP Header, Non-standard, Reference, Response Header, header |
The non-standard Large-Allocation response header tells the browser that the page being loaded is going to want to perform a large allocation. It is currently only implemented in Firefox, but is harmless to send to every browser. |
||
92 | Last-Modified | HTTP, HTTP Headers, Reference, Response Header |
The Last-Modified response HTTP header contains the date and time at which the origin server believes the resource was last modified. It is used as a validator to determine if a resource received or stored is the same. Less accurate than an ETag header, it is a fallback mechanism. Conditional requests containing If-Modified-Since or If-Unmodified-Since headers make use of this field. |
||
93 | Location | HTTP, HTTP Header, Reference, Response Header |
The Location response header indicates the URL to redirect a page to. It only provides a meaning when served with a 3xx status response. |
||
94 | Origin | HTTP, Reference, header |
The Origin request header indicates where a fetch originates from. It doesn't include any path information, but only the server name. It is sent with CORS requests, as well as with POST requests. It is similar to the Referer header, but, unlike this header, it doesn't disclose the whole path. |
||
95 | Pragma | Caching, Deprecated, HTTP, header, request |
The Pragma HTTP/1.0 general header is an implementation-specific header that may have various effects along the request-response chain. It is used for backwards compatibility with HTTP/1.0 caches where the Cache-Control HTTP/1.1 header is not yet present. |
||
96 | Proxy-Authenticate | HTTP, HTTP Header, Proxy, Reference, Response Header |
The HTTP Proxy-Authenticate response header defines the authentication method that should be used to gain access to a resource behind a proxy server. It authenticates the request to the proxy server, allowing it to transmit the request further. |
||
97 | Proxy-Authorization | HTTP, HTTP Header, Reference, Request header, header |
The HTTP Proxy-Authorization request header contains the credentials to authenticate a user agent to a proxy server, usually after the server has responded with a 407 Proxy Authentication Required status and the Proxy-Authenticate header. |
||
98 | Public-Key-Pins | HPKP, HTTP, Reference, Security, header |
The HTTP Public-Key-Pins response header associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates. If one or several keys are pinned and none of them are used by the server, the browser will not accept the response as legitimate, and will not display it. |
||
99 | Public-Key-Pins-Report-Only | HPKP, HTTP, Security, header |
The HTTP Public-Key-Pins-Report-Only response header sends reports of pinning violations to the report-uri specified in the header but, unlike Public-Key-Pins, still allows browsers to connect to the server if the pinning is violated. |
||
100 | Range | HTTP, HTTP Header, Range Requests, Reference, Request header |
The Range HTTP request header indicates the part of a document that the server should return. Several parts can be requested with one Range header at once, and the server may send back these ranges in a multipart document. If the server sends back ranges, it uses the 206 Partial Content for the response. If the ranges are invalid, the server returns the 416 Range Not Satisfiable error. The server can also ignore the Range header and return the whole document with a 200 status code. |
||
101 | Referer | HTTP, Reference, header |
The Referer request header contains the address of the previous web page from which a link to the currently requested page was followed. The Referer header allows servers to identify where people are visiting them from and may use that data for analytics, logging, or optimized caching, for example. |
||
102 | Referrer-Policy | HTTP, Privacy, Response, header |
The Referrer-Policy HTTP header governs which referrer information, sent in the Referer header, should be included with requests made. |
||
103 | Retry-After | HTTP, Reference, Response, Response Header, header |
The Retry-After response HTTP header indicates how long the user agent should wait before making a follow-up request. There are two main cases in which this header is used: |
||
104 | Server | HTTP, Reference, header |
The Server header contains information about the software used by the origin server to handle the request. |
||
105 | Set-Cookie | Cookies, HTTP, Reference, Response, header |
The Set-Cookie HTTP response header is used to send cookies from the server to the user agent. |
||
106 | Set-Cookie2 | Cookies, HTTP, Obsolete, Reference, header |
The obsolete Set-Cookie2 HTTP response header used to send cookies from the server to the user agent, but has been deprecated by the specification. Use Set-Cookie instead. |
||
107 | SourceMap | HTTP, HTTP Header, Reference, Response Header, header |
The SourceMap HTTP response header links generated code to a source map, enabling the browser to reconstruct the original source and present the reconstructed original in the debugger. |
||
108 | Strict-Transport-Security | HSTS, HTTP, HTTPS, Security, header |
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. |
||
109 | TE | HTTP, Reference, header |
The TE request header specifies the transfer encodings the user agent is willing to accept. (You could informally call it Accept-Transfer-Encoding, which would be more intuitive.) |
||
110 | Tk | DNT, HTTP, Reference, Response, header, tracking |
The Tk response header indicates the tracking status that applied to the corresponding request. |
||
111 | Trailer | HTTP, Reference, header |
The Trailer response header allows the sender to include additional fields at the end of chunked messages in order to supply metadata that might be dynamically generated while the message body is sent, such as a message integrity check, digital signature, or post-processing status. | ||
112 | Transfer-Encoding | HTTP, Reference, header |
The Transfer-Encoding header specifies the form of encoding used to safely transfer the entity to the user. |
||
113 | Upgrade-Insecure-Requests | HTTP, HTTPS, Security, header |
The HTTP Upgrade-Insecure-Requests request header sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests CSP directive. |
||
114 | User-Agent | HTTP, Reference, header |
The User-Agent request header contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor or software version of the requesting software user agent. | ||
115 | Firefox user agent string reference | Compatibility, Firefox, Firefox 4, Gecko, Gecko 2.0, Guide |
This document describes the user agent string used in Firefox 4 and later and applications based on Gecko 2.0 and later. For a breakdown of changes to the string in Gecko 2.0, see Final User Agent string for Firefox 4 (blog post). See also this document on user agent sniffing and this Hacks blog post. | ||
116 | Vary | HTTP, Reference, Response, Response Header, header |
The Vary HTTP response header determines how to match future request headers to decide whether a cached response can be used rather than requesting a fresh one from the origin server. It is used by the server to indicate which headers it used when selecting a representation of a resource in a content negotiation algorithm. |
||
117 | Via | HTTP, Reference, header |
The Via general header is added by proxies, both forward and reverse proxies, and can appear in the request headers and the response headers. It is used for tracking message forwards, avoiding request loops, and identifying the protocol capabilities of senders along the request/response chain. |
||
118 | WWW-Authenticate | HTTP, HTTP Header, Reference, Response Header, header |
The HTTP WWW-Authenticate response header defines the authentication method that should be used to gain access to a resource. |
||
119 | Warning | General Header, HTTP, Reference, header |
The Warning general HTTP header contains information about possible problems with the status of the message. More than one Warning header may appear in a response. |
||
120 | X-Content-Type-Options | HTTP, HTTP Headers, Reference, Response Header |
The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should be followed and not changed. This allows sites to opt out of MIME type sniffing, or, in other words, it is a way to say that the webmasters knew what they were doing. |
||
121 | X-DNS-Prefetch-Control | DNS, HTTP, header |
The X-DNS-Prefetch-Control HTTP response header controls DNS prefetching, a feature by which browsers proactively perform domain name resolution on both links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth. |
||
122 | X-Forwarded-For | HTTP, HTTP Header, Non-standard, Reference, Request header, header |
The X-Forwarded-For (XFF) header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer. When traffic is intercepted between clients and servers, server access logs contain the IP address of the proxy or load balancer only. To see the original IP address of the client, the X-Forwarded-For request header is used. |
||
123 | X-Forwarded-Host | HTTP, HTTP Header, Non-standard, Reference, Request header, header |
The X-Forwarded-Host (XFH) header is a de-facto standard header for identifying the original host requested by the client in the Host HTTP request header. |
||
124 | X-Forwarded-Proto | HTTP, HTTP Header, Non-standard, Reference, Request header, header |
The X-Forwarded-Proto (XFP) header is a de-facto standard header for identifying the protocol (HTTP or HTTPS) that a client used to connect to your proxy or load balancer. Your server access logs contain the protocol used between the server and the load balancer, but not the protocol used between the client and the load balancer. To determine the protocol used between the client and the load balancer, the X-Forwarded-Proto request header can be used. |
||
125 | X-Frame-Options | Gecko, HAProxy, HTTP, Response Header, Security, nginx |
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. |
||
126 | X-XSS-Protection | HTTP, Reference, Security, XSS, header |
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP. |
||
127 | HTTP range requests | Guide, HTTP, HTTP range requests |
HTTP range requests allow only a portion of an HTTP message to be sent from a server to a client. Partial requests are useful for large media or downloading files with pause and resume functions, for example. | ||
128 | HTTP request methods | HTTP, Methods, Reference |
HTTP defines a set of request methods to indicate the desired action to be performed for a given resource. Although they can also be nouns, these request methods are sometimes referred to as HTTP verbs. Each of them implements a different semantic, but some common features are shared by a group of them: e.g. a request method can be safe, idempotent, or cacheable. | ||
129 | CONNECT | HTTP, Reference, Request method |
The HTTP CONNECT method starts two-way communications with the requested resource. It can be used to open a tunnel. |
||
130 | DELETE | HTTP, HTTP method, Reference, Request method |
The HTTP DELETE request method deletes the specified resource. | ||
131 | GET | HTTP, Reference, Request method |
The HTTP GET method requests a representation of the specified resource. Requests using GET should only retrieve data. |
||
132 | HEAD | HTTP, Reference, Request method |
The HTTP HEAD method requests the headers that would be returned if the specified resource were requested with an HTTP GET method. Such a request can be done before deciding to download a large resource to save bandwidth, for example. |
||
133 | OPTIONS | HTTP, Reference, Request method |
The HTTP OPTIONS method is used to describe the communication options for the target resource. The client can specify a specific URL for the OPTIONS method, or an asterisk (*) to refer to the entire server. |
||
134 | PATCH | HTTP, HTTP method, Reference, Request method |
The HTTP PATCH request method applies partial modifications to a resource. | ||
135 | POST | HTTP, Reference, Request method |
The HTTP POST method sends data to the server. The type of the body of the request is indicated by the Content-Type header. |
||
136 | PUT | HTTP, HTTP method, Reference, Request method |
The HTTP PUT request method creates a new resource or replaces a representation of the target resource with the request payload. | ||
137 | HTTP resources and specifications | Guide, HTTP |
HTTP was first specified in the early 1990s. Designed with extensibility in mind, it has seen numerous additions over the years; this led to its specification being scattered through numerous specification documents (in the midst of experimental abandoned extensions). This page lists relevant resources about HTTP. | ||
138 | HTTP response status codes | HTTP, Status codes |
HTTP response status codes indicate whether a specific HTTP request has been successfully completed. Responses are grouped in five classes: informational responses, successful responses, redirects, client errors, and server errors. | ||
139 | 100 Continue | HTTP, Informational, Status code |
The HTTP 100 Continue informational status response code indicates that everything so far is OK and that the client should continue with the request or ignore it if it is already finished. |
||
140 | 101 Switching Protocol | HTTP, HTTP Status Code, Informational, Reference, WebSockets |
The HTTP 101 Switching Protocol response code indicates the protocol the server is switching to, as requested by the client using an Upgrade request header. |
||
141 | 200 OK | HTTP, Status code, Success |
The HTTP 200 OK success status response code indicates that the request has succeeded. A 200 response is cacheable by default. |
||
142 | 201 Created | HTTP, Reference, Status code, Success |
The HTTP 201 Created success status response code indicates that the request has succeeded and has led to the creation of a resource. The new resource is effectively created before this response is sent back, and the new resource is returned in the body of the message, its location being either the URL of the request, or the content of the Location header. |
||
143 | 202 Accepted | HTTP, Reference, Status code, Success response |
The HTTP 202 Accepted response status code indicates that the request has been received but not yet acted upon. It is non-committal, meaning that there is no way in HTTP to later send an asynchronous response indicating the outcome of processing the request. It is intended for cases where another process or server handles the request, or for batch processing. |
||
144 | 203 Non-Authoritative Information | HTTP, HTTP Status Code, Reference, Status code, Successful response |
The HTTP 203 Non-Authoritative Information response status indicates that the request was successful but the enclosed payload has been modified from that of the origin server's 200 (OK) response by a transforming proxy. |
||
145 | 204 No Content | HTTP, Reference, Status code, Success |
The HTTP 204 No Content success status response code indicates that the request has succeeded, but that the client doesn't need to go away from its current page. A 204 response is cacheable by default. An ETag header is included in such a response. |
||
146 | 205 Reset Content | HTTP, HTTP Status Code, Reference, Status code |
The HTTP 205 Reset Content response status tells the client to reset the document view, for example to clear the content of a form, reset a canvas state, or refresh the UI. |
||
147 | 206 Partial Content | HTTP, HTTP Status, Range Requests, Success |
The HTTP 206 Partial Content success status response code indicates that the request has succeeded and the body contains the requested ranges of data, as described in the Range header of the request. |
||
148 | 300 Multiple Choices | HTTP, HTTP Status Code, Reference, Status code |
The HTTP 300 Multiple Choices redirect status response code indicates that the request has more than one possible response. The user-agent or the user should choose one of them. As there is no standardized way of choosing one of the responses, this response code is very rarely used. |
||
149 | 301 Moved Permanently | HTTP, Redirect, Reference, Status code |
The HTTP 301 Moved Permanently redirect status response code indicates that the resource requested has been definitively moved to the URL given by the Location header. A browser redirects to this page, and search engines update their links to the resource (in SEO-speak, it is said that the link-juice is sent to the new URL). |
||
150 | 302 Found | HTTP, HTTP Status Code, Reference, redirects |
The HTTP 302 Found redirect status response code indicates that the resource requested has been temporarily moved to the URL given by the Location header. A browser redirects to this page, but search engines don't update their links to the resource (in SEO-speak, it is said that the link-juice is not sent to the new URL). |
||
151 | 303 See Other | HTTP, HTTP Status Code, Reference, redirects |
The HTTP 303 See Other redirect status response code, usually sent back as a result of a PUT or POST operation, indicates that the redirects don't link to the newly uploaded resources but to another page, like a confirmation page or an upload progress page. The method used to display this redirected page is always GET. |
||
152 | 304 Not Modified | HTTP, Redirection, Reference, Status code |
The HTTP 304 Not Modified client redirection response code indicates that there is no need to retransmit the requested resources. It is an implicit redirection to a cached resource. This happens when the request method is safe, like a GET or a HEAD request, or when the request is conditional and uses an If-None-Match or an If-Modified-Since header. |
||
153 | 307 Temporary Redirect | HTTP, HTTP Status Code, Reference, redirects |
The method and the body of the original request are reused to perform the redirected request. In the cases where you want the method used to be changed to GET, use 303 See Other instead. This is useful when you want to give an answer to a PUT method that is not the uploaded resources, but a confirmation message (like "You successfully uploaded XYZ"). |
||
154 | 308 Permanent Redirect | HTTP, HTTP Status Code, Reference, redirects |
The request method and the body will not be altered, whereas with 301 the method may sometimes incorrectly be changed to GET. |
||
155 | 400 Bad Request | Client error, HTTP, HTTP Status Code, Reference, Status code |
The HTTP 400 Bad Request response status code indicates that the server could not understand the request due to invalid syntax. The client should not repeat this request without modification. |
||
156 | 401 Unauthorized | Client error, HTTP, Reference, Status code |
The HTTP 401 Unauthorized client error status response code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. |
||
157 | 403 Forbidden | Client error, HTTP, Reference, Status code |
The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it. |
||
158 | 404 Not Found | Client error, HTTP, Status code |
The HTTP 404 Not Found client error response code indicates that a server cannot find the requested resource. This response code is probably the most famous one due to how frequently it occurs on the web. Links that lead to a 404 page are often called broken or dead links and lead to link rot. |
||
159 | 405 Method Not Allowed | Client error, HTTP, HTTP Status Code, Reference, Status code |
The HTTP 405 Method Not Allowed response status code indicates that the request method is known by the server but has been disabled and cannot be used. The two mandatory methods, GET and HEAD, must never be disabled and should not return this error code. |
||
160 | 406 Not Acceptable | HTTP, Reference, Status code |
The HTTP 406 Not Acceptable client error response code indicates that a response matching the list of acceptable values defined in Accept-Charset and Accept-Language cannot be served. |
||
161 | 407 Proxy Authentication Required | Client error, HTTP, Reference, Status code |
The HTTP 407 Proxy Authentication Required client error status response code indicates that the request has not been applied because it lacks valid authentication credentials for a proxy server that is between the browser and the server that can access the requested resource. |
||
162 | 408 Request Timeout | Client error, HTTP, HTTP Status Code, Reference, Status code |
The HTTP 408 Request Timeout response status code means that the server would like to shut down this unused connection. It is sent on an idle connection by some servers, even without any previous request by the client. |
||
163 | 409 Conflict | Client error, HTTP, HTTP Status Code, Reference |
The HTTP 409 Conflict response status code indicates a request conflict with the current state of the server. |
||
164 | 410 Gone | Client error, HTTP, Reference, Status code |
The HTTP 410 Gone client error response code indicates that access to the target resource is no longer available at the origin server and that this condition is likely to be permanent. |
||
165 | 411 Length Required | Client error, HTTP, HTTP Status Code, Reference, Status code |
The HTTP 411 Length Required client error response code indicates that the server refuses to accept the request without a defined Content-Length header. |
||
166 | 412 Precondition Failed | Error, HTTP, Reference, Status code |
The HTTP 412 Precondition Failed client error response code indicates that access to the target resource has been denied. This happens with conditional requests on methods other than GET or HEAD when the condition defined by the If-Unmodified-Since or If-None-Match headers is not fulfilled. In that case, the request, usually an upload or a modification of a resource, cannot be made and this error response is sent back. |
||
167 | 413 Payload Too Large | Client error, HTTP, HTTP Status Code, Reference, Status code |
The HTTP 413 Payload Too Large response status code indicates that the request entity is larger than the limits defined by the server; the server might close the connection or return a Retry-After header field. |
||
168 | 414 URI Too Long | Client error, HTTP, Reference, Status code |
The HTTP 414 URI Too Long response status code indicates that the URI requested by the client is longer than the server is willing to interpret. |
||
169 | 415 Unsupported Media Type | Client error, HTTP, HTTP Status Code, Reference, Status code |
The HTTP 415 Unsupported Media Type client error response code indicates that the server refuses to accept the request because the payload is in an unsupported format. |
||
170 | 416 Range Not Satisfiable | Client error, HTTP, Status code |
The HTTP 416 Range Not Satisfiable error response code indicates that a server cannot serve the requested ranges. The most likely reason is that the document doesn't contain such ranges, or that the Range header value, though syntactically correct, doesn't make sense. |
||
171 | 417 Expectation Failed | Client error, HTTP, HTTP Status Code, Reference, Status code |
The HTTP 417 Expectation Failed client error response code indicates that the expectation given in the request's Expect header could not be met. |
||
172 | 426 Upgrade Required | Client error, HTTP, HTTP Status Code, Reference, Status code |
The HTTP 426 Upgrade Required client error response code indicates that the server refuses to perform the request using the current protocol but might be willing to do so after the client upgrades to a different protocol. |
||
173 | 428 Precondition Required | Client error, HTTP, HTTP Status Code, Reference, Status code |
The HTTP 428 Precondition Required response status code indicates that the server requires the request to be conditional. |
||
174 | 429 Too Many Requests | Client error, HTTP, HTTP Status Code, Reference, Status code |
The HTTP 429 Too Many Requests response status code indicates the user has sent too many requests in a given amount of time ("rate limiting"). |
||
175 | 431 Request Header Fields Too Large | Client error, HTTP, HTTP Status Code, Reference, Status code |
The HTTP 431 Request Header Fields Too Large response status code indicates that the server is unwilling to process the request because its header fields are too large. The request may be resubmitted after reducing the size of the request header fields. |
||
176 | 451 Unavailable For Legal Reasons | Client error, HTTP, Reference, Status code |
The HTTP 451 Unavailable For Legal Reasons client error response code indicates that the user requested a resource which is not available due to legal reasons, such as a web page for which a legal action has been issued. |
||
177 | 500 Internal Server Error | HTTP, Server error, Status code |
The HTTP 500 Internal Server Error server error response code indicates that the server encountered an unexpected condition that prevented it from fulfilling the request. |
||
178 | 501 Not Implemented | HTTP, Server error, Status code |
The HTTP 501 Not Implemented server error response code indicates that the request method is not supported by the server and cannot be handled. The only methods that servers are required to support (and therefore that must not return this code) are GET and HEAD. |
||
179 | 502 Bad Gateway | HTTP, Server error, Status code |
The HTTP 502 Bad Gateway server error response code indicates that the server, while acting as a gateway or proxy, received an invalid response from the upstream server. |
||
180 | 503 Service Unavailable | HTTP, Server error, Status code |
The HTTP 503 Service Unavailable server error response code indicates that the server is not ready to handle the request. |
||
181 | 504 Gateway Timeout | HTTP, Server error, Status code |
The HTTP 504 Gateway Timeout server error response code indicates that the server, while acting as a gateway or proxy, cannot get a response in time. |
||
182 | 505 HTTP Version Not Supported | HTTP, Reference, Server error, Status code |
The HTTP 505 HTTP Version Not Supported response status code indicates that the HTTP version used in the request is not supported by the server. |
||
183 | 511 Network Authentication Required | HTTP, HTTP Status Code, Reference, Server error, Status code |
The HTTP 511 Network Authentication Required response status code indicates that the client needs to authenticate to gain network access. |
||
184 | Index | HTTP, Index, index |
This page lists all MDN HTTP pages along with their summary and tags. | ||
185 | Link prefetching FAQ | Gecko, HTML, HTTP, Link, Necko, Performance, Prefetch, Web Development |
Link prefetching is a browser mechanism, which utilizes browser idle time to download or prefetch documents that the user might visit in the near future. A web page provides a set of prefetching hints to the browser, and after the browser is finished loading the page, it begins silently prefetching specified documents and stores them in its cache. When the user visits one of the prefetched documents, it can be served up quickly out of the browser's cache. | ||
186 | Protocol upgrade mechanism | |
The HTTP protocol provides a special mechanism allowing an already established connection to upgrade to a new, incompatible, protocol. This mechanism is always client initiated, and the server may accept or refuse the switch to the new protocol. | ||
187 | Proxy servers and tunneling | HTTP, HTTP Tunneling, Proxies, Proxy |
When navigating through different networks of the Internet, proxy servers and HTTP tunnels facilitate access to content on the World Wide Web. A proxy can be on the user's local computer, or anywhere between the user's computer and a destination server on the Internet. This page outlines some basics about proxies and introduces a few configuration options. | ||
188 | Proxy Auto-Configuration (PAC) file | Necko, Networking, PAC, Proxy |
A Proxy Auto-Configuration (PAC) file is a JavaScript function that determines whether web browser requests (HTTP, HTTPS, and FTP) go directly to the destination or are forwarded to a web proxy server. The JavaScript function contained in the PAC file defines the function: | ||
189 | Redirections in HTTP | Guide, HTTP, redirects |
URL redirection, or URL forwarding, is a technique to keep links alive while the actual resource, being a page, a form or a whole Web application, is located at a different URL. HTTP provides a special kind of response, HTTP redirects, to perform this operation, which is used for numerous goals: temporary redirection while site maintenance is ongoing, permanent redirection to keep external links working after a change of the site's architecture, progress pages when uploading a file, and many more … | ||
190 | Resources and URIs | HTTP, Overview, Reference |
HTTP allows a browser, or another user-agent, to communicate with different resources on the Internet. To do this, the browser needs both the identity and the location of the resources. These two bits of information are described by a URI. | ||
191 | Server-Side Access Control (CORS) | CORS, HTTP, PHP |
No summary! | ||