HTTP Headers Reference
Searchable reference table of HTTP request and response headers.
| Header | Type | Category | Description |
|---|---|---|---|
| Accept | Request | Content Negotiation | Media types acceptable for the response (e.g. text/html, application/json). |
| Accept-Charset | Request | Content Negotiation | Character sets acceptable for the response. |
| Accept-Encoding | Request | Content Negotiation | Encoding algorithms the client supports (e.g. gzip, deflate, br). |
| Accept-Language | Request | Content Negotiation | Natural languages preferred for the response (e.g. en-US, fr). |
| Authorization | Request | Authentication | Credentials for authenticating the client with the server (e.g. Bearer token). |
| Cookie | Request | State | HTTP cookies previously set by the server, sent back with each request. |
| Expect | Request | Request Control | Indicates that particular server behaviors are required by the client (e.g. 100-continue). |
| Host | Request | Request Target | Domain name and port number of the server being addressed. Required in HTTP/1.1. |
| If-Match | Request | Conditional | Makes the request conditional based on matching ETag values. |
| If-Modified-Since | Request | Conditional | Makes the request conditional based on modification date. |
| If-None-Match | Request | Conditional | Makes the request conditional based on non-matching ETag values. |
| If-Unmodified-Since | Request | Conditional | Makes the request conditional on the resource not being modified since the given date. |
| Origin | Request | CORS | Indicates the origin from which the cross-site request is initiated. |
| Proxy-Authorization | Request | Authentication | Credentials for authenticating with a proxy server. |
| Range | Request | Partial Requests | Requests only part of a resource (e.g. bytes=0-1023 for the first 1 KB). |
| Referer | Request | Request Context | URL of the page from which the request originated. |
| TE | Request | Transfer Encoding | Specifies transfer encodings the client is willing to accept. |
| User-Agent | Request | Request Context | Contains information about the client software making the request. |
| X-Forwarded-For | Request | Proxies | Identifies the originating IP address when the request passes through proxies. |
| X-Requested-With | Request | Custom | Commonly used to identify Ajax requests (value: XMLHttpRequest). |
| Accept-Ranges | Response | Partial Requests | Indicates if the server supports range requests (bytes or none). |
| Age | Response | Caching | Time in seconds the object has been stored in a proxy cache. |
| Allow | Response | Request Methods | HTTP methods allowed for the requested resource (used in 405 responses). |
| Content-Disposition | Response | Response Body | Indicates whether content should be displayed inline or as a file download. |
| Content-Encoding | Response | Response Body | Encoding applied to the response body (e.g. gzip, br). |
| Content-Language | Response | Content Negotiation | Natural language(s) of the response body. |
| Content-Length | Response | Response Body | Size of the response body in bytes. |
| Content-Range | Response | Partial Requests | Indicates the range of bytes sent in a partial content response (206). |
| ETag | Response | Caching | Unique identifier for the specific version of a resource; used for cache validation. |
| Expires | Response | Caching | Date/time after which the response is considered stale. |
| Last-Modified | Response | Caching | Date and time the resource was last modified on the server. |
| Location | Response | Redirects | URL to redirect the client to in 3xx or 201 responses. |
| Proxy-Authenticate | Response | Authentication | Defines the authentication method to use for a proxy (407 response). |
| Retry-After | Response | Request Control | How long to wait before making a new request after a 429 or 503 response. |
| Server | Response | Server Info | Software information about the origin server. |
| Set-Cookie | Response | State | Sends a cookie from the server to the client for storage. |
| Strict-Transport-Security | Response | Security | HSTS: forces browsers to use HTTPS for subsequent requests. |
| Vary | Response | Caching | Tells caches which request headers to use as cache keys. |
| WWW-Authenticate | Response | Authentication | Defines the authentication method for accessing the resource (401 response). |
| X-Content-Type-Options | Response | Security | Prevents MIME sniffing. Use value: nosniff. |
| X-Frame-Options | Response | Security | Controls whether the page can be embedded in an iframe (DENY, SAMEORIGIN). |
| X-XSS-Protection | Response | Security | Enables XSS filtering in older browsers (legacy, mostly deprecated). |
| Cache-Control | Both | Caching | Directives for caching in requests and responses (e.g. no-cache, max-age=3600). |
| Connection | Both | Connection Management | Controls whether the network connection stays open (keep-alive or close). |
| Content-Type | Both | Response Body | Media type of the request or response body (e.g. application/json). |
| Date | Both | Timestamps | Date and time the message was sent. |
| Pragma | Both | Caching | Legacy cache control directive (no-cache). Superseded by Cache-Control. |
| Trailer | Both | Transfer Encoding | Indicates which headers will be present in the trailer of a chunked response. |
| Transfer-Encoding | Both | Transfer Encoding | Encoding applied to the message body for transfer (e.g. chunked). |
| Via | Both | Proxies | Added by proxies to indicate intermediate protocols and recipients. |
| Warning | Both | Request Control | General warnings about possible problems with the message (deprecated in RFC 9110). |
| Access-Control-Allow-Origin | Response | CORS | Specifies which origins are allowed for CORS requests. |
| Access-Control-Allow-Methods | Response | CORS | HTTP methods allowed for cross-origin requests; sent in CORS preflight responses. |
| Access-Control-Allow-Headers | Response | CORS | HTTP request headers allowed for cross-origin requests; sent in CORS preflight responses. |
| Access-Control-Allow-Credentials | Response | CORS | Indicates if the response can be shared when credentials are included. |
| Access-Control-Max-Age | Response | CORS | How long the preflight response can be cached (in seconds). |
| Cross-Origin-Opener-Policy | Response | Security | Controls the browsing context group for cross-origin documents. |
| Cross-Origin-Resource-Policy | Response | Security | Prevents cross-origin reads of the response in certain contexts. |
| Content-Security-Policy | Response | Security | Specifies allowed sources for content types to prevent XSS and injection attacks. |
| Referrer-Policy | Response | Security | Controls how much referrer information is sent with requests. |
| Permissions-Policy | Response | Security | Controls browser features and APIs that are allowed to be used (formerly Feature-Policy). |
About this tool
HTTP headers are metadata fields that accompany every web request and response, controlling everything from cache behavior to authentication and content negotiation. The HTTP Headers Reference is a searchable guide to the most common and most important headers used in modern web development, helping developers quickly understand what each header does, which values it accepts, and when to use it.
Simply search for a header name or browse the categorized list to find detailed information on its purpose, syntax, and typical use cases. Whether you are debugging a CORS error, configuring cache control, defining security policies, or working out redirect behavior, this reference gives you the exact information you need without leaving the page.
This tool is essential for backend developers, frontend engineers, DevOps professionals, and anyone managing HTTP infrastructure. It runs entirely in your browser with no server calls, which makes it fast and private as an offline reference when building APIs, configuring web servers, or troubleshooting request headers in production.