HTTP ヘッダーリファレンス
HTTPリクエストおよびレスポンスヘッダーの検索可能なリファレンス表。
| ヘッダー | 種類 | カテゴリ | 説明 |
|---|---|---|---|
| Accept | Request | Content Negotiation | Media types acceptable for the response (e.g. text/html, application/json). |
| Accept-Charset | Request | Content Negotiation | Character sets acceptable for the response. |
| Accept-Encoding | Request | Content Negotiation | Encoding algorithms the client supports (e.g. gzip, deflate, br). |
| Accept-Language | Request | Content Negotiation | Natural languages preferred for the response (e.g. en-US, fr). |
| Authorization | Request | Authentication | Credentials for authenticating the client with the server (e.g. Bearer token). |
| Cookie | Request | State | HTTP cookies previously set by the server, sent back with each request. |
| Expect | Request | Request Control | Indicates that particular server behaviors are required by the client (e.g. 100-continue). |
| Host | Request | Request Target | Domain name and port number of the server being addressed. Required in HTTP/1.1. |
| If-Match | Request | Conditional | Makes the request conditional based on matching ETag values. |
| If-Modified-Since | Request | Conditional | Makes the request conditional based on modification date. |
| If-None-Match | Request | Conditional | Makes the request conditional based on non-matching ETag values. |
| If-Unmodified-Since | Request | Conditional | Makes the request conditional on the resource not being modified since the given date. |
| Origin | Request | CORS | Indicates the origin from which the cross-site request is initiated. |
| Proxy-Authorization | Request | Authentication | Credentials for authenticating with a proxy server. |
| Range | Request | Partial Requests | Requests only part of a resource (e.g. bytes=0-1023 for the first 1 KB). |
| Referer | Request | Request Context | URL of the page from which the request originated. |
| TE | Request | Transfer Encoding | Specifies transfer encodings the client is willing to accept. |
| User-Agent | Request | Request Context | Contains information about the client software making the request. |
| X-Forwarded-For | Request | Proxies | Identifies the originating IP address when the request passes through proxies. |
| X-Requested-With | Request | Custom | Commonly used to identify Ajax requests (value: XMLHttpRequest). |
| Accept-Ranges | Response | Partial Requests | Indicates if the server supports range requests (bytes or none). |
| Age | Response | Caching | Time in seconds the object has been stored in a proxy cache. |
| Allow | Response | Request Methods | HTTP methods allowed for the requested resource (used in 405 responses). |
| Content-Disposition | Response | Response Body | Indicates whether content should be displayed inline or as a file download. |
| Content-Encoding | Response | Response Body | Encoding applied to the response body (e.g. gzip, br). |
| Content-Language | Response | Content Negotiation | Natural language(s) of the response body. |
| Content-Length | Response | Response Body | Size of the response body in bytes. |
| Content-Range | Response | Partial Requests | Indicates the range of bytes sent in a partial content response (206). |
| ETag | Response | Caching | Unique identifier for the specific version of a resource; used for cache validation. |
| Expires | Response | Caching | Date/time after which the response is considered stale. |
| Last-Modified | Response | Caching | Date and time the resource was last modified on the server. |
| Location | Response | Redirects | URL to redirect the client to in 3xx or 201 responses. |
| Proxy-Authenticate | Response | Authentication | Defines the authentication method to use for a proxy (407 response). |
| Retry-After | Response | Request Control | How long to wait before making a new request after a 429 or 503 response. |
| Server | Response | Server Info | Software information about the origin server. |
| Set-Cookie | Response | State | Sends a cookie from the server to the client for storage. |
| Strict-Transport-Security | Response | Security | HSTS: forces browsers to use HTTPS for subsequent requests. |
| Vary | Response | Caching | Tells caches which request headers to use as cache keys. |
| WWW-Authenticate | Response | Authentication | Defines the authentication method for accessing the resource (401 response). |
| X-Content-Type-Options | Response | Security | Prevents MIME sniffing. Use value: nosniff. |
| X-Frame-Options | Response | Security | Controls whether the page can be embedded in an iframe (DENY, SAMEORIGIN). |
| X-XSS-Protection | Response | Security | Enables XSS filtering in older browsers (legacy, mostly deprecated). |
| Cache-Control | Both | Caching | Directives for caching in requests and responses (e.g. no-cache, max-age=3600). |
| Connection | Both | Connection Management | Controls whether the network connection stays open (keep-alive or close). |
| Content-Type | Both | Response Body | Media type of the request or response body (e.g. application/json). |
| Date | Both | Timestamps | Date and time the message was sent. |
| Pragma | Both | Caching | Legacy cache control directive (no-cache). Superseded by Cache-Control. |
| Trailer | Both | Transfer Encoding | Indicates which headers will be present in the trailer of a chunked response. |
| Transfer-Encoding | Both | Transfer Encoding | Encoding applied to the message body for transfer (e.g. chunked). |
| Via | Both | Proxies | Added by proxies to indicate intermediate protocols and recipients. |
| Warning | Both | Request Control | General warnings about possible problems with the message (deprecated in RFC 9110). |
| Access-Control-Allow-Origin | Response | CORS | Specifies which origins are allowed for CORS requests. |
| Access-Control-Allow-Methods | Response | CORS | HTTP methods allowed for CORS preflight responses. |
| Access-Control-Allow-Headers | Response | CORS | HTTP headers allowed in CORS preflight responses. |
| Access-Control-Allow-Credentials | Response | CORS | Indicates if the response can be shared when credentials are included. |
| Access-Control-Max-Age | Response | CORS | How long the preflight response can be cached (in seconds). |
| Cross-Origin-Opener-Policy | Response | Security | Controls the browsing context group for cross-origin documents. |
| Cross-Origin-Resource-Policy | Response | Security | Prevents cross-origin reads of the response in certain contexts. |
| Content-Security-Policy | Response | Security | Specifies allowed sources for content types to prevent XSS and injection attacks. |
| Referrer-Policy | Response | Security | Controls how much referrer information is sent with requests. |
| Permissions-Policy | Response | Security | Controls browser features and APIs that are allowed to be used (formerly Feature-Policy). |
Comments & Feedback
Comments are powered by Giscus. Sign in with GitHub to leave a comment.