ORY

HTTP Headers Reference

Common HTTP headers — request, response, CORS, and security.

| Header | Type | Description | Example |
|---|---|---|---|
| Accept | Request | Media types the client accepts. | `application/json` |
| Accept-Encoding | Request | Acceptable content encodings. | `gzip, br` |
| Accept-Language | Request | Preferred response languages. | `en-US,en;q=0.9` |
| Authorization | Request | Credentials for authentication. | `Bearer eyJhbGciOiJIUzI1NiIsInR...` |
| Cookie | Request | Cookies stored for the host. | `session=abc; theme=dark` |
| Host | Request | Target host (required in HTTP/1.1). | `api.example.com` |
| If-Modified-Since | Request | Conditional GET: return the body only if the resource changed after this date. | `Tue, 01 Jan 2024 00:00:00 GMT` |
| If-None-Match | Request | Conditional GET keyed on the ETag. | `"33a64df5"` |
| Origin | Request | Origin of the request (CORS). | `https://example.com` |
| Range | Request | Request a byte range. | `bytes=0-1023` |
| Referer | Request | URL the request was made from. | `https://example.com/page` |
| User-Agent | Request | Identifies the client software. | `Mozilla/5.0 ...` |
| X-Forwarded-For | Request | Client IP as seen through a proxy chain. | `203.0.113.1, 198.51.100.2` |
| X-Requested-With | Request | Distinguishes XHR / fetch requests. | `XMLHttpRequest` |
| Cache-Control | Both | Caching directives. | `public, max-age=3600, immutable` |
| Content-Encoding | Both | Compression applied to the body. | `gzip` |
| Content-Length | Both | Body size in bytes. | `256` |
| Content-Type | Both | Media type of the body. | `application/json; charset=utf-8` |
| Access-Control-Allow-Origin | Response | Origin allowed to read the response (CORS). | `*` |
| Access-Control-Allow-Methods | Response | HTTP methods allowed for the cross-origin request. | `GET, POST, PUT` |
| Access-Control-Allow-Headers | Response | Request headers allowed for the cross-origin request. | `Content-Type, Authorization` |
| Access-Control-Allow-Credentials | Response | Allow credentials (cookies, auth headers) over CORS. | `true` |
| Access-Control-Max-Age | Response | How long the preflight result may be cached, in seconds. | `86400` |
| ETag | Response | Identifier for a specific version of the resource. | `"686897696a7c876b7e"` |
| Expires | Response | Date/time after which the response is stale. | `Wed, 01 Jan 2025 00:00:00 GMT` |
| Last-Modified | Response | Last modification date of the resource. | `Tue, 15 Nov 2024 12:45:26 GMT` |
| Location | Response | Redirect target or URL of a newly created resource. | `/login` |
| Retry-After | Response | Seconds (or a date) to wait before retrying. | `120` |
| Server | Response | Origin server software. | `nginx/1.25.1` |
| Set-Cookie | Response | Sets a cookie on the client. | `session=abc; HttpOnly; Secure; SameSite=Strict` |
| Vary | Response | Request headers that form part of the cache key. | `Accept-Encoding, User-Agent` |
| WWW-Authenticate | Response | Authentication scheme the server requires. | `Basic realm="example"` |
| Content-Security-Policy | Security | CSP directives restricting where content may be loaded from. | `default-src 'self'` |
| Strict-Transport-Security | Security | Enforce HTTPS (HSTS). | `max-age=63072000; includeSubDomains; preload` |
| X-Content-Type-Options | Security | Disable MIME sniffing. | `nosniff` |
| X-Frame-Options | Security | Whether the page may be embedded in a frame. | `DENY` |
| Referrer-Policy | Security | Controls what the Referer header discloses. | `strict-origin-when-cross-origin` |
| Permissions-Policy | Security | Which browser features the page (and its frames) may use. | `geolocation=(), camera=()` |
| Cross-Origin-Opener-Policy | Security | Isolates the window from cross-origin openers and popups. | `same-origin` |
| Cross-Origin-Embedder-Policy | Security | Requires embedded cross-origin resources to opt in (via CORS or CORP). | `require-corp` |
| Cross-Origin-Resource-Policy | Security | Restricts which origins may load this resource. | `same-origin` |