Oihana PHP Enums

HttpHeader uses ConstantsTrait, ApiHeaderTrait, AuthenticationHeaderTrait, CachingHeaderTrait, ClientHintHeaderTrait, ConditionalHeaderTrait, ContentHeaderTrait, ContentNegotiationHeaderTrait, CookieHeaderTrait, CorsHeaderTrait, FetchMetadataHeaderTrait, IntegrityHeaderTrait, MiscHeaderTrait, ObservabilityHeaderTrait, ProxyHeaderTrait, RangeHeaderTrait, RateLimitHeaderTrait, ReportingHeaderTrait, RequestContextHeaderTrait, RoutingHeaderTrait, SecurityHeaderTrait, WebSocketHeaderTrait

Enumeration of standard HTTP header names (request and response).

This class provides a centralized, type-safe list of common HTTP header names, preserving the exact wire-format casing defined by the relevant RFCs (notably RFC 9110–9112) and de-facto standards.

The constants are organised by domain into composable traits living in headers; this class simply uses them all and adds the helper methods. Use a single category trait directly when you only need part of the set.

Usage examples:

  • Access a header name: HttpHeader::CONTENT_TYPE
  • List/validate names with the ConstantsTrait utilities:
    • HttpHeader::enums() returns all header values
    • HttpHeader::includes('Content-Type') checks existence
    • HttpHeader::getConstant('Content-Type') returns the constant name

Notes:

  • Values are case-insensitive per RFC, but this list keeps canonical casing.

Tags

  • Author: Marc Alcaraz (ekameleon)

Table of Contents

Constants

ACCEPT  : string = 'Accept'
`Accept` — Media types acceptable for the response (RFC 9110 §12.5.1).
ACCEPT_CHARSET  : string = 'Accept-Charset'
`Accept-Charset` — Charsets acceptable for the response (RFC 9110 §12.5.2, deprecated).
ACCEPT_ENCODING  : string = 'Accept-Encoding'
`Accept-Encoding` — Content codings acceptable for the response (RFC 9110 §12.5.3).
ACCEPT_LANGUAGE  : string = 'Accept-Language'
`Accept-Language` — Natural languages preferred for the response (RFC 9110 §12.5.4).
ACCEPT_PATCH  : string = 'Accept-Patch'
`Accept-Patch` — Patch document media types supported by the resource (RFC 5789).
ACCEPT_POST  : string = 'Accept-Post'
`Accept-Post` — Media types accepted by the server in a POST request (W3C LDP).
ACCEPT_RANGES  : string = 'Accept-Ranges'
`Accept-Ranges` — Range units the server supports for a resource (RFC 9110 §14.3).
ACCESS_CONTROL_ALLOW_CREDENTIALS  : string = 'Access-Control-Allow-Credentials'
`Access-Control-Allow-Credentials` — Whether the response may be exposed when credentials are sent.
ACCESS_CONTROL_ALLOW_HEADERS  : string = 'Access-Control-Allow-Headers'
`Access-Control-Allow-Headers` — Request headers allowed during the actual cross-origin request.
ACCESS_CONTROL_ALLOW_METHODS  : string = 'Access-Control-Allow-Methods'
`Access-Control-Allow-Methods` — Methods allowed when accessing the resource cross-origin.
ACCESS_CONTROL_ALLOW_ORIGIN  : string = 'Access-Control-Allow-Origin'
`Access-Control-Allow-Origin` — Origin(s) allowed to access the resource.
ACCESS_CONTROL_ALLOW_PRIVATE_NETWORK  : string = 'Access-Control-Allow-Private-Network'
`Access-Control-Allow-Private-Network` — Grants access to a resource on a private network (Private Network Access).
ACCESS_CONTROL_EXPOSE_HEADERS  : string = 'Access-Control-Expose-Headers'
`Access-Control-Expose-Headers` — Response headers exposed to client-side script.
ACCESS_CONTROL_MAX_AGE  : string = 'Access-Control-Max-Age'
`Access-Control-Max-Age` — How long (seconds) the preflight result may be cached.
ACCESS_CONTROL_REQUEST_HEADERS  : string = 'Access-Control-Request-Headers'
`Access-Control-Request-Headers` — Preflight: headers the actual request will use.
ACCESS_CONTROL_REQUEST_METHOD  : string = 'Access-Control-Request-Method'
`Access-Control-Request-Method` — Preflight: method the actual request will use.
ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK  : string = 'Access-Control-Request-Private-Network'
`Access-Control-Request-Private-Network` — Preflight: actual request targets a private network (Private Network Access).
AGE  : string = 'Age'
`Age` — Estimated time in seconds since the response was generated (RFC 9111 §5.1).
ALLOW  : string = 'Allow'
`Allow` — Set of methods supported by the target resource (RFC 9110 §10.2.1).
ALT_SVC  : string = 'Alt-Svc'
`Alt-Svc` — Alternative services (e.g. HTTP/3) available for the origin (RFC 7838).
AUTHORIZATION  : string = 'Authorization'
`Authorization` — Credentials authenticating the user agent (RFC 9110 §11.6.2).
CACHE_CONTROL  : string = 'Cache-Control'
`Cache-Control` — Directives for caches along the request/response chain (RFC 9111 §5.2).
CF_CONNECTING_IP  : string = 'CF-Connecting-IP'
`CF-Connecting-IP` — Original client IP, added by Cloudflare.
CLEAR_SITE_DATA  : string = 'Clear-Site-Data'
`Clear-Site-Data` — Clears browsing data (cookies, storage, cache) for the origin (W3C).
CONNECTION  : string = 'Connection'
`Connection` — Control options for the current connection (RFC 9110 §7.6.1).
CONTENT_DIGEST  : string = 'Content-Digest'
`Content-Digest` — Digest of the actual message content (RFC 9530).
CONTENT_DISPOSITION  : string = 'Content-Disposition'
`Content-Disposition` — How the payload should be handled (inline, attachment) (RFC 6266).
CONTENT_ENCODING  : string = 'Content-Encoding'
`Content-Encoding` — Content codings applied to the representation (RFC 9110 §8.4).
CONTENT_LANGUAGE  : string = 'Content-Language'
`Content-Language` — Natural language(s) of the representation (RFC 9110 §8.5).
CONTENT_LENGTH  : string = 'Content-Length'
`Content-Length` — Size of the representation body in bytes (RFC 9110 §8.6).
CONTENT_LOCATION  : string = 'Content-Location'
`Content-Location` — URL where the representation can be found (RFC 9110 §8.7).
CONTENT_RANGE  : string = 'Content-Range'
`Content-Range` — Where a partial body belongs in the full representation (RFC 9110 §14.4).
CONTENT_SECURITY_POLICY  : string = 'Content-Security-Policy'
`Content-Security-Policy` — Controls resources the user agent may load (CSP Level 3).
CONTENT_SECURITY_POLICY_REPORT_ONLY  : string = 'Content-Security-Policy-Report-Only'
`Content-Security-Policy-Report-Only` — Monitors a CSP without enforcing it.
CONTENT_TYPE  : string = 'Content-Type'
`Content-Type` — Media type of the representation (RFC 9110 §8.3).
COOKIE  : string = 'Cookie'
`Cookie` — Cookies previously stored, sent by the user agent (RFC 6265 §5.4).
CROSS_ORIGIN_EMBEDDER_POLICY  : string = 'Cross-Origin-Embedder-Policy'
`Cross-Origin-Embedder-Policy` — Requires cross-origin resources to opt in to embedding.
CROSS_ORIGIN_OPENER_POLICY  : string = 'Cross-Origin-Opener-Policy'
`Cross-Origin-Opener-Policy` — Isolates the browsing context group from cross-origin documents.
CROSS_ORIGIN_RESOURCE_POLICY  : string = 'Cross-Origin-Resource-Policy'
`Cross-Origin-Resource-Policy` — Restricts which origins may embed the resource.
DATE  : string = 'Date'
`Date` — Date and time the message was originated (RFC 9110 §6.6.1).
DNT  : string = 'DNT'
`DNT` — Legacy "Do Not Track" preference (deprecated).
EARLY_HINTS  : string = '103 Early Hints'
`103 Early Hints` — Informational status hinting at resources to preload (RFC 8297).
ETAG  : string = 'ETag'
`ETag` — Entity tag uniquely identifying a representation (RFC 9110 §8.8.3).
EXPECT  : string = 'Expect'
`Expect` — Expectations the server must meet, e.g. `100-continue` (RFC 9110 §10.1.1).
EXPIRES  : string = 'Expires'
`Expires` — Date/time after which the response is considered stale (RFC 9111 §5.3).
FASTLY_CLIENT_IP  : string = 'Fastly-Client-IP'
`Fastly-Client-IP` — Original client IP, added by Fastly.
FORWARDED  : string = 'Forwarded'
`Forwarded` — Proxy disclosure of the originating client and chain (RFC 7239).
FROM  : string = 'From'
`From` — E-mail address of the human controlling the user agent (RFC 9110 §10.1.2).
HOST  : string = 'Host'
`Host` — Target host and port of the request (RFC 9110 §7.2).
IDEMPOTENCY_KEY  : string = 'Idempotency-Key'
`Idempotency-Key` — Client-generated key making an unsafe request idempotent (IETF draft, de-facto).
IF_MATCH  : string = 'If-Match'
`If-Match` — Apply the method only if the entity tag matches (RFC 9110 §13.1.1).
IF_MODIFIED_SINCE  : string = 'If-Modified-Since'
`If-Modified-Since` — Apply the method only if modified since the given date (RFC 9110 §13.1.3).
IF_NONE_MATCH  : string = 'If-None-Match'
`If-None-Match` — Apply the method only if no entity tag matches (RFC 9110 §13.1.2).
IF_RANGE  : string = 'If-Range'
`If-Range` — Conditional range request: send the range only if unchanged (RFC 9110 §13.1.5).
IF_UNMODIFIED_SINCE  : string = 'If-Unmodified-Since'
`If-Unmodified-Since` — Apply the method only if unmodified since the given date (RFC 9110 §13.1.4).
KEEP_ALIVE  : string = 'Keep-Alive'
`Keep-Alive` — Parameters for a persistent connection (RFC 9112).
LAST_MODIFIED  : string = 'Last-Modified'
`Last-Modified` — Date/time the representation was last modified (RFC 9110 §8.8.2).
LINK  : string = 'Link'
`Link` — Typed relationships to other resources (RFC 8288).
LOCATION  : string = 'Location'
`Location` — URL to redirect to, or of a newly created resource (RFC 9110 §10.2.2).
MAX_FORWARDS  : string = 'Max-Forwards'
`Max-Forwards` — Hop limit for TRACE and OPTIONS requests (RFC 9110 §7.6.2).
NEL  : string = 'NEL'
`NEL` — Network Error Logging policy for the origin (W3C).
ORIGIN  : string = 'Origin'
`Origin` — Origin that caused the request, sent for CORS and POST (RFC 9110 §7.8 / Fetch).
PERMISSIONS_POLICY  : string = 'Permissions-Policy'
`Permissions-Policy` — Enables or disables browser features for the document.
PRAGMA  : string = 'Pragma'
`Pragma` — Legacy HTTP/1.0 cache directive, superseded by `Cache-Control` (RFC 9111 §5.4).
PREFER  : string = 'Prefer'
`Prefer` — Preferences for how the server should handle the request (RFC 7240).
PREFERENCE_APPLIED  : string = 'Preference-Applied'
`Preference-Applied` — Indicates which `Prefer` preferences were applied (RFC 7240).
PROXY_AUTHENTICATE  : string = 'Proxy-Authenticate'
`Proxy-Authenticate` — Authentication challenge from a proxy (RFC 9110 §11.7.1).
PROXY_AUTHORIZATION  : string = 'Proxy-Authorization'
`Proxy-Authorization` — Credentials for a proxy (RFC 9110 §11.7.2).
RANGE  : string = 'Range'
`Range` — Requests one or more sub-ranges of the representation (RFC 9110 §14.2).
RATELIMIT_LIMIT  : string = 'RateLimit-Limit'
`RateLimit-Limit` — Request quota for the window (IETF draft).
RATELIMIT_REMAINING  : string = 'RateLimit-Remaining'
`RateLimit-Remaining` — Remaining quota in the current window (IETF draft).
RATELIMIT_RESET  : string = 'RateLimit-Reset'
`RateLimit-Reset` — Time until the quota resets (IETF draft).
REFERER  : string = 'Referer'
`Referer` — Address of the page from which the request was made (RFC 9110 §10.1.3).
REFERRER_POLICY  : string = 'Referrer-Policy'
`Referrer-Policy` — Controls how much referrer information is sent (W3C).
REPORT_TO  : string = 'Report-To'
`Report-To` — Named reporting endpoint groups (legacy Reporting API).
REPORTING_ENDPOINTS  : string = 'Reporting-Endpoints'
`Reporting-Endpoints` — Named reporting endpoints (Reporting API v1, replaces `Report-To`).
REPR_DIGEST  : string = 'Repr-Digest'
`Repr-Digest` — Digest of the selected representation, independent of encoding (RFC 9530).
RETRY_AFTER  : string = 'Retry-After'
`Retry-After` — How long to wait before making a follow-up request (RFC 9110 §10.2.3).
SEC_CH_UA  : string = 'Sec-CH-UA'
`Sec-CH-UA` — User agent's branding and significant version (low entropy).
SEC_CH_UA_ARCH  : string = 'Sec-CH-UA-Arch'
`Sec-CH-UA-Arch` — Underlying CPU architecture (e.g. `x86`, `arm`).
SEC_CH_UA_BITNESS  : string = 'Sec-CH-UA-Bitness'
`Sec-CH-UA-Bitness` — CPU bitness (e.g. `64`).
SEC_CH_UA_FULL_VERSION_LIST  : string = 'Sec-CH-UA-Full-Version-List'
`Sec-CH-UA-Full-Version-List` — Full version of each brand in the user agent.
SEC_CH_UA_MOBILE  : string = 'Sec-CH-UA-Mobile'
`Sec-CH-UA-Mobile` — Whether the user agent runs on a mobile device (`?0` / `?1`).
SEC_CH_UA_MODEL  : string = 'Sec-CH-UA-Model'
`Sec-CH-UA-Model` — Device model identifier.
SEC_CH_UA_PLATFORM  : string = 'Sec-CH-UA-Platform'
`Sec-CH-UA-Platform` — Operating system / platform (e.g. `Windows`, `Android`).
SEC_CH_UA_PLATFORM_VERSION  : string = 'Sec-CH-UA-Platform-Version'
`Sec-CH-UA-Platform-Version` — Version of the operating system / platform.
SEC_FETCH_DEST  : string = 'Sec-Fetch-Dest'
`Sec-Fetch-Dest` — Destination of the request (`document`, `image`, `script`, …).
SEC_FETCH_MODE  : string = 'Sec-Fetch-Mode'
`Sec-Fetch-Mode` — Request mode (`navigate`, `cors`, `no-cors`, `same-origin`, …).
SEC_FETCH_SITE  : string = 'Sec-Fetch-Site'
`Sec-Fetch-Site` — Relationship between origin and target (`same-origin`, `cross-site`, …).
SEC_FETCH_USER  : string = 'Sec-Fetch-User'
`Sec-Fetch-User` — Set to `?1` when the request was triggered by a user activation.
SEC_WEBSOCKET_ACCEPT  : string = 'Sec-WebSocket-Accept'
`Sec-WebSocket-Accept` — Server's hashed acknowledgement of the handshake key (RFC 6455 §11.3.3).
SEC_WEBSOCKET_EXTENSIONS  : string = 'Sec-WebSocket-Extensions'
`Sec-WebSocket-Extensions` — Extensions negotiated for the connection (RFC 6455 §11.3.2).
SEC_WEBSOCKET_KEY  : string = 'Sec-WebSocket-Key'
`Sec-WebSocket-Key` — Client's handshake key (RFC 6455 §11.3.1).
SEC_WEBSOCKET_PROTOCOL  : string = 'Sec-WebSocket-Protocol'
`Sec-WebSocket-Protocol` — Subprotocols requested / selected (RFC 6455 §11.3.4).
SEC_WEBSOCKET_VERSION  : string = 'Sec-WebSocket-Version'
`Sec-WebSocket-Version` — WebSocket protocol version (RFC 6455 §11.3.5).
SERVER  : string = 'Server'
`Server` — Software used by the origin server (RFC 9110 §10.2.4).
SERVER_TIMING  : string = 'Server-Timing'
`Server-Timing` — Server-side performance metrics for the response (W3C).
SET_COOKIE  : string = 'Set-Cookie'
`Set-Cookie` — Instructs the user agent to store a cookie (RFC 6265 §4.1).
STRICT_TRANSPORT_SECURITY  : string = 'Strict-Transport-Security'
`Strict-Transport-Security` — Enforces HTTPS for future requests (HSTS, RFC 6797).
SUNSET  : string = 'Sunset'
`Sunset` — Date/time at which the resource is expected to become unresponsive (RFC 8594).
TE  : string = 'TE'
`TE` — Transfer codings the client is willing to accept (RFC 9110 §10.1.4).
TIMING_ALLOW_ORIGIN  : string = 'Timing-Allow-Origin'
`Timing-Allow-Origin` — Origins allowed to read detailed Resource Timing data (W3C).
TRACEPARENT  : string = 'traceparent'
`traceparent` — W3C Trace Context: incoming trace and parent span identifiers.
TRACESTATE  : string = 'tracestate'
`tracestate` — W3C Trace Context: vendor-specific trace state.
TRAILER  : string = 'Trailer'
`Trailer` — Names of fields present in the trailer section (RFC 9110 §6.6.2).
TRANSFER_ENCODING  : string = 'Transfer-Encoding'
`Transfer-Encoding` — Transfer codings applied to the message body (RFC 9112 §6.1).
TRUE_CLIENT_IP  : string = 'True-Client-IP'
`True-Client-IP` — Original client IP, used by Akamai / Cloudflare Enterprise.
UPGRADE  : string = 'Upgrade'
`Upgrade` — Request to switch to a different protocol (RFC 9110 §7.8).
UPGRADE_INSECURE_REQUESTS  : string = 'Upgrade-Insecure-Requests'
`Upgrade-Insecure-Requests` — Signals the client's preference for an encrypted response.
USER_AGENT  : string = 'User-Agent'
`User-Agent` — Product tokens identifying the client software (RFC 9110 §10.1.5).
VARY  : string = 'Vary'
`Vary` — Request headers that influenced content negotiation (RFC 9110 §12.5.5).
VIA  : string = 'Via'
`Via` — Intermediaries (proxies, gateways) traversed by the message (RFC 9110 §7.6.3).
WANT_CONTENT_DIGEST  : string = 'Want-Content-Digest'
`Want-Content-Digest` — Requests a `Content-Digest` in the response (RFC 9530).
WANT_REPR_DIGEST  : string = 'Want-Repr-Digest'
`Want-Repr-Digest` — Requests a `Repr-Digest` in the response (RFC 9530).
WARNING  : string = 'Warning'
`Warning` — Additional information about the status of a response (obsoleted by RFC 9111).
WWW_AUTHENTICATE  : string = 'WWW-Authenticate'
`WWW-Authenticate` — Authentication challenge from the server (RFC 9110 §11.6.1).
X_CLUSTER_CLIENT_IP  : string = 'X-Cluster-Client-IP'
`X-Cluster-Client-IP` — Original client IP, added by some load balancers.
X_CONTENT_TYPE_OPTIONS  : string = 'X-Content-Type-Options'
`X-Content-Type-Options` — `nosniff` disables MIME-type sniffing.
X_CORRELATION_ID  : string = 'X-Correlation-Id'
`X-Correlation-Id` — Correlates requests across services (de-facto).
X_FORWARDED_FOR  : string = 'X-Forwarded-For'
`X-Forwarded-For` — Chain of client and proxy IP addresses (de-facto).
X_FORWARDED_HOST  : string = 'X-Forwarded-Host'
`X-Forwarded-Host` — Original `Host` requested by the client (de-facto).
X_FORWARDED_PROTO  : string = 'X-Forwarded-Proto'
`X-Forwarded-Proto` — Original protocol (`http` / `https`) used by the client (de-facto).
X_FRAME_OPTIONS  : string = 'X-Frame-Options'
`X-Frame-Options` — Legacy clickjacking protection, superseded by CSP `frame-ancestors`.
X_RATELIMIT_LIMIT  : string = 'X-RateLimit-Limit'
`X-RateLimit-Limit` — Request quota for the window (de-facto).
X_RATELIMIT_REMAINING  : string = 'X-RateLimit-Remaining'
`X-RateLimit-Remaining` — Remaining quota in the current window (de-facto).
X_RATELIMIT_RESET  : string = 'X-RateLimit-Reset'
`X-RateLimit-Reset` — Time until the quota resets (de-facto).
X_REAL_IP  : string = 'X-Real-IP'
`X-Real-IP` — Original client IP, added by nginx and others (de-facto).
X_REQUEST_ID  : string = 'X-Request-Id'
`X-Request-Id` — Unique identifier of the request (de-facto).
X_REQUESTED_WITH  : string = 'X-Requested-With'
`X-Requested-With` — De-facto AJAX marker, usually `XMLHttpRequest`.
X_RESPONSE_TIME  : string = 'X-Response-Time'
`X-Response-Time` — Time taken to produce the response (de-facto, Express/Koa).
X_XSS_PROTECTION  : string = 'X-XSS-Protection'
`X-XSS-Protection` — Legacy XSS filter control (deprecated; prefer CSP).

Methods

all()  : array<string|int, string>
Returns all currently sent headers.
has()  : bool
Checks if a specific header has already been sent.
remove()  : void
Removes a previously set header.
send()  : void
Sends an HTTP header with optional value.

Constants

ACCEPT_CHARSET

`Accept-Charset` — Charsets acceptable for the response (RFC 9110 §12.5.2, deprecated).

public string ACCEPT_CHARSET = 'Accept-Charset'

ACCEPT_ENCODING

`Accept-Encoding` — Content codings acceptable for the response (RFC 9110 §12.5.3).

public string ACCEPT_ENCODING = 'Accept-Encoding'

ACCEPT_LANGUAGE

`Accept-Language` — Natural languages preferred for the response (RFC 9110 §12.5.4).

public string ACCEPT_LANGUAGE = 'Accept-Language'

ACCEPT_PATCH

`Accept-Patch` — Patch document media types supported by the resource (RFC 5789).

public string ACCEPT_PATCH = 'Accept-Patch'

ACCEPT_POST

`Accept-Post` — Media types accepted by the server in a POST request (W3C LDP).

public string ACCEPT_POST = 'Accept-Post'

ACCEPT_RANGES

`Accept-Ranges` — Range units the server supports for a resource (RFC 9110 §14.3).

public string ACCEPT_RANGES = 'Accept-Ranges'

ACCESS_CONTROL_ALLOW_CREDENTIALS

`Access-Control-Allow-Credentials` — Whether the response may be exposed when credentials are sent.

public string ACCESS_CONTROL_ALLOW_CREDENTIALS = 'Access-Control-Allow-Credentials'

ACCESS_CONTROL_ALLOW_HEADERS

`Access-Control-Allow-Headers` — Request headers allowed during the actual cross-origin request.

public string ACCESS_CONTROL_ALLOW_HEADERS = 'Access-Control-Allow-Headers'

ACCESS_CONTROL_ALLOW_METHODS

`Access-Control-Allow-Methods` — Methods allowed when accessing the resource cross-origin.

public string ACCESS_CONTROL_ALLOW_METHODS = 'Access-Control-Allow-Methods'

ACCESS_CONTROL_ALLOW_ORIGIN

`Access-Control-Allow-Origin` — Origin(s) allowed to access the resource.

public string ACCESS_CONTROL_ALLOW_ORIGIN = 'Access-Control-Allow-Origin'

ACCESS_CONTROL_ALLOW_PRIVATE_NETWORK

`Access-Control-Allow-Private-Network` — Grants access to a resource on a private network (Private Network Access).

public string ACCESS_CONTROL_ALLOW_PRIVATE_NETWORK = 'Access-Control-Allow-Private-Network'

ACCESS_CONTROL_EXPOSE_HEADERS

`Access-Control-Expose-Headers` — Response headers exposed to client-side script.

public string ACCESS_CONTROL_EXPOSE_HEADERS = 'Access-Control-Expose-Headers'

ACCESS_CONTROL_MAX_AGE

`Access-Control-Max-Age` — How long (seconds) the preflight result may be cached.

public string ACCESS_CONTROL_MAX_AGE = 'Access-Control-Max-Age'

ACCESS_CONTROL_REQUEST_HEADERS

`Access-Control-Request-Headers` — Preflight: headers the actual request will use.

public string ACCESS_CONTROL_REQUEST_HEADERS = 'Access-Control-Request-Headers'

ACCESS_CONTROL_REQUEST_METHOD

`Access-Control-Request-Method` — Preflight: method the actual request will use.

public string ACCESS_CONTROL_REQUEST_METHOD = 'Access-Control-Request-Method'

ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK

`Access-Control-Request-Private-Network` — Preflight: actual request targets a private network (Private Network Access).

public string ACCESS_CONTROL_REQUEST_PRIVATE_NETWORK = 'Access-Control-Request-Private-Network'

AGE

`Age` — Estimated time in seconds since the response was generated (RFC 9111 §5.1).

public string AGE = 'Age'

ALLOW

`Allow` — Set of methods supported by the target resource (RFC 9110 §10.2.1).

public string ALLOW = 'Allow'

ALT_SVC

`Alt-Svc` — Alternative services (e.g. HTTP/3) available for the origin (RFC 7838).

public string ALT_SVC = 'Alt-Svc'

AUTHORIZATION

`Authorization` — Credentials authenticating the user agent (RFC 9110 §11.6.2).

public string AUTHORIZATION = 'Authorization'

CACHE_CONTROL

`Cache-Control` — Directives for caches along the request/response chain (RFC 9111 §5.2).

public string CACHE_CONTROL = 'Cache-Control'

CF_CONNECTING_IP

`CF-Connecting-IP` — Original client IP, added by Cloudflare.

public string CF_CONNECTING_IP = 'CF-Connecting-IP'

CLEAR_SITE_DATA

`Clear-Site-Data` — Clears browsing data (cookies, storage, cache) for the origin (W3C).

public string CLEAR_SITE_DATA = 'Clear-Site-Data'

CONNECTION

`Connection` — Control options for the current connection (RFC 9110 §7.6.1).

public string CONNECTION = 'Connection'

CONTENT_DIGEST

`Content-Digest` — Digest of the actual message content (RFC 9530).

public string CONTENT_DIGEST = 'Content-Digest'

CONTENT_DISPOSITION

`Content-Disposition` — How the payload should be handled (inline, attachment) (RFC 6266).

public string CONTENT_DISPOSITION = 'Content-Disposition'

CONTENT_ENCODING

`Content-Encoding` — Content codings applied to the representation (RFC 9110 §8.4).

public string CONTENT_ENCODING = 'Content-Encoding'

CONTENT_LANGUAGE

`Content-Language` — Natural language(s) of the representation (RFC 9110 §8.5).

public string CONTENT_LANGUAGE = 'Content-Language'

CONTENT_LENGTH

`Content-Length` — Size of the representation body in bytes (RFC 9110 §8.6).

public string CONTENT_LENGTH = 'Content-Length'

CONTENT_LOCATION

`Content-Location` — URL where the representation can be found (RFC 9110 §8.7).

public string CONTENT_LOCATION = 'Content-Location'

CONTENT_RANGE

`Content-Range` — Where a partial body belongs in the full representation (RFC 9110 §14.4).

public string CONTENT_RANGE = 'Content-Range'

CONTENT_SECURITY_POLICY

`Content-Security-Policy` — Controls resources the user agent may load (CSP Level 3).

public string CONTENT_SECURITY_POLICY = 'Content-Security-Policy'

CONTENT_SECURITY_POLICY_REPORT_ONLY

`Content-Security-Policy-Report-Only` — Monitors a CSP without enforcing it.

public string CONTENT_SECURITY_POLICY_REPORT_ONLY = 'Content-Security-Policy-Report-Only'

CONTENT_TYPE

`Content-Type` — Media type of the representation (RFC 9110 §8.3).

public string CONTENT_TYPE = 'Content-Type'

COOKIE

`Cookie` — Cookies previously stored, sent by the user agent (RFC 6265 §5.4).

public string COOKIE = 'Cookie'

CROSS_ORIGIN_EMBEDDER_POLICY

`Cross-Origin-Embedder-Policy` — Requires cross-origin resources to opt in to embedding.

public string CROSS_ORIGIN_EMBEDDER_POLICY = 'Cross-Origin-Embedder-Policy'

CROSS_ORIGIN_OPENER_POLICY

`Cross-Origin-Opener-Policy` — Isolates the browsing context group from cross-origin documents.

public string CROSS_ORIGIN_OPENER_POLICY = 'Cross-Origin-Opener-Policy'

CROSS_ORIGIN_RESOURCE_POLICY

`Cross-Origin-Resource-Policy` — Restricts which origins may embed the resource.

public string CROSS_ORIGIN_RESOURCE_POLICY = 'Cross-Origin-Resource-Policy'

DATE

`Date` — Date and time the message was originated (RFC 9110 §6.6.1).

public string DATE = 'Date'

EARLY_HINTS

`103 Early Hints` — Informational status hinting at resources to preload (RFC 8297).

public string EARLY_HINTS = '103 Early Hints'

ETAG

`ETag` — Entity tag uniquely identifying a representation (RFC 9110 §8.8.3).

public string ETAG = 'ETag'

EXPECT

`Expect` — Expectations the server must meet, e.g. `100-continue` (RFC 9110 §10.1.1).

public string EXPECT = 'Expect'

EXPIRES

`Expires` — Date/time after which the response is considered stale (RFC 9111 §5.3).

public string EXPIRES = 'Expires'

FASTLY_CLIENT_IP

`Fastly-Client-IP` — Original client IP, added by Fastly.

public string FASTLY_CLIENT_IP = 'Fastly-Client-IP'

FORWARDED

`Forwarded` — Proxy disclosure of the originating client and chain (RFC 7239).

public string FORWARDED = 'Forwarded'

FROM

`From` — E-mail address of the human controlling the user agent (RFC 9110 §10.1.2).

public string FROM = 'From'

HOST

`Host` — Target host and port of the request (RFC 9110 §7.2).

public string HOST = 'Host'

IDEMPOTENCY_KEY

`Idempotency-Key` — Client-generated key making an unsafe request idempotent (IETF draft, de-facto).

public string IDEMPOTENCY_KEY = 'Idempotency-Key'

IF_MATCH

`If-Match` — Apply the method only if the entity tag matches (RFC 9110 §13.1.1).

public string IF_MATCH = 'If-Match'

IF_MODIFIED_SINCE

`If-Modified-Since` — Apply the method only if modified since the given date (RFC 9110 §13.1.3).

public string IF_MODIFIED_SINCE = 'If-Modified-Since'

IF_NONE_MATCH

`If-None-Match` — Apply the method only if no entity tag matches (RFC 9110 §13.1.2).

public string IF_NONE_MATCH = 'If-None-Match'

IF_RANGE

`If-Range` — Conditional range request: send the range only if unchanged (RFC 9110 §13.1.5).

public string IF_RANGE = 'If-Range'

IF_UNMODIFIED_SINCE

`If-Unmodified-Since` — Apply the method only if unmodified since the given date (RFC 9110 §13.1.4).

public string IF_UNMODIFIED_SINCE = 'If-Unmodified-Since'

KEEP_ALIVE

`Keep-Alive` — Parameters for a persistent connection (RFC 9112).

public string KEEP_ALIVE = 'Keep-Alive'

LAST_MODIFIED

`Last-Modified` — Date/time the representation was last modified (RFC 9110 §8.8.2).

public string LAST_MODIFIED = 'Last-Modified'

LINK

`Link` — Typed relationships to other resources (RFC 8288).

public string LINK = 'Link'

LOCATION

`Location` — URL to redirect to, or of a newly created resource (RFC 9110 §10.2.2).

public string LOCATION = 'Location'

MAX_FORWARDS

`Max-Forwards` — Hop limit for TRACE and OPTIONS requests (RFC 9110 §7.6.2).

public string MAX_FORWARDS = 'Max-Forwards'

NEL

`NEL` — Network Error Logging policy for the origin (W3C).

public string NEL = 'NEL'

ORIGIN

`Origin` — Origin that caused the request, sent for CORS and POST (RFC 9110 §7.8 / Fetch).

public string ORIGIN = 'Origin'

PERMISSIONS_POLICY

`Permissions-Policy` — Enables or disables browser features for the document.

public string PERMISSIONS_POLICY = 'Permissions-Policy'

PRAGMA

`Pragma` — Legacy HTTP/1.0 cache directive, superseded by `Cache-Control` (RFC 9111 §5.4).

public string PRAGMA = 'Pragma'

PREFER

`Prefer` — Preferences for how the server should handle the request (RFC 7240).

public string PREFER = 'Prefer'

PREFERENCE_APPLIED

`Preference-Applied` — Indicates which `Prefer` preferences were applied (RFC 7240).

public string PREFERENCE_APPLIED = 'Preference-Applied'

PROXY_AUTHENTICATE

`Proxy-Authenticate` — Authentication challenge from a proxy (RFC 9110 §11.7.1).

public string PROXY_AUTHENTICATE = 'Proxy-Authenticate'

PROXY_AUTHORIZATION

`Proxy-Authorization` — Credentials for a proxy (RFC 9110 §11.7.2).

public string PROXY_AUTHORIZATION = 'Proxy-Authorization'

RANGE

`Range` — Requests one or more sub-ranges of the representation (RFC 9110 §14.2).

public string RANGE = 'Range'

RATELIMIT_LIMIT

`RateLimit-Limit` — Request quota for the window (IETF draft).

public string RATELIMIT_LIMIT = 'RateLimit-Limit'

RATELIMIT_REMAINING

`RateLimit-Remaining` — Remaining quota in the current window (IETF draft).

public string RATELIMIT_REMAINING = 'RateLimit-Remaining'

RATELIMIT_RESET

`RateLimit-Reset` — Time until the quota resets (IETF draft).

public string RATELIMIT_RESET = 'RateLimit-Reset'

REFERER

`Referer` — Address of the page from which the request was made (RFC 9110 §10.1.3).

public string REFERER = 'Referer'

REFERRER_POLICY

`Referrer-Policy` — Controls how much referrer information is sent (W3C).

public string REFERRER_POLICY = 'Referrer-Policy'

REPORT_TO

`Report-To` — Named reporting endpoint groups (legacy Reporting API).

public string REPORT_TO = 'Report-To'

REPORTING_ENDPOINTS

`Reporting-Endpoints` — Named reporting endpoints (Reporting API v1, replaces `Report-To`).

public string REPORTING_ENDPOINTS = 'Reporting-Endpoints'

REPR_DIGEST

`Repr-Digest` — Digest of the selected representation, independent of encoding (RFC 9530).

public string REPR_DIGEST = 'Repr-Digest'

RETRY_AFTER

`Retry-After` — How long to wait before making a follow-up request (RFC 9110 §10.2.3).

public string RETRY_AFTER = 'Retry-After'

SEC_CH_UA

`Sec-CH-UA` — User agent's branding and significant version (low entropy).

public string SEC_CH_UA = 'Sec-CH-UA'

SEC_CH_UA_ARCH

`Sec-CH-UA-Arch` — Underlying CPU architecture (e.g. `x86`, `arm`).

public string SEC_CH_UA_ARCH = 'Sec-CH-UA-Arch'

SEC_CH_UA_BITNESS

`Sec-CH-UA-Bitness` — CPU bitness (e.g. `64`).

public string SEC_CH_UA_BITNESS = 'Sec-CH-UA-Bitness'

SEC_CH_UA_FULL_VERSION_LIST

`Sec-CH-UA-Full-Version-List` — Full version of each brand in the user agent.

public string SEC_CH_UA_FULL_VERSION_LIST = 'Sec-CH-UA-Full-Version-List'

SEC_CH_UA_MOBILE

`Sec-CH-UA-Mobile` — Whether the user agent runs on a mobile device (`?0` / `?1`).

public string SEC_CH_UA_MOBILE = 'Sec-CH-UA-Mobile'

SEC_CH_UA_MODEL

`Sec-CH-UA-Model` — Device model identifier.

public string SEC_CH_UA_MODEL = 'Sec-CH-UA-Model'

SEC_CH_UA_PLATFORM

`Sec-CH-UA-Platform` — Operating system / platform (e.g. `Windows`, `Android`).

public string SEC_CH_UA_PLATFORM = 'Sec-CH-UA-Platform'

SEC_CH_UA_PLATFORM_VERSION

`Sec-CH-UA-Platform-Version` — Version of the operating system / platform.

public string SEC_CH_UA_PLATFORM_VERSION = 'Sec-CH-UA-Platform-Version'

SEC_FETCH_DEST

`Sec-Fetch-Dest` — Destination of the request (`document`, `image`, `script`, …).

public string SEC_FETCH_DEST = 'Sec-Fetch-Dest'

SEC_FETCH_MODE

`Sec-Fetch-Mode` — Request mode (`navigate`, `cors`, `no-cors`, `same-origin`, …).

public string SEC_FETCH_MODE = 'Sec-Fetch-Mode'

SEC_FETCH_SITE

`Sec-Fetch-Site` — Relationship between origin and target (`same-origin`, `cross-site`, …).

public string SEC_FETCH_SITE = 'Sec-Fetch-Site'

SEC_FETCH_USER

`Sec-Fetch-User` — Set to `?1` when the request was triggered by a user activation.

public string SEC_FETCH_USER = 'Sec-Fetch-User'

SEC_WEBSOCKET_ACCEPT

`Sec-WebSocket-Accept` — Server's hashed acknowledgement of the handshake key (RFC 6455 §11.3.3).

public string SEC_WEBSOCKET_ACCEPT = 'Sec-WebSocket-Accept'

SEC_WEBSOCKET_EXTENSIONS

`Sec-WebSocket-Extensions` — Extensions negotiated for the connection (RFC 6455 §11.3.2).

public string SEC_WEBSOCKET_EXTENSIONS = 'Sec-WebSocket-Extensions'

SEC_WEBSOCKET_KEY

`Sec-WebSocket-Key` — Client's handshake key (RFC 6455 §11.3.1).

public string SEC_WEBSOCKET_KEY = 'Sec-WebSocket-Key'

SEC_WEBSOCKET_PROTOCOL

`Sec-WebSocket-Protocol` — Subprotocols requested / selected (RFC 6455 §11.3.4).

public string SEC_WEBSOCKET_PROTOCOL = 'Sec-WebSocket-Protocol'

SEC_WEBSOCKET_VERSION

`Sec-WebSocket-Version` — WebSocket protocol version (RFC 6455 §11.3.5).

public string SEC_WEBSOCKET_VERSION = 'Sec-WebSocket-Version'

SERVER

`Server` — Software used by the origin server (RFC 9110 §10.2.4).

public string SERVER = 'Server'

SERVER_TIMING

`Server-Timing` — Server-side performance metrics for the response (W3C).

public string SERVER_TIMING = 'Server-Timing'

SET_COOKIE

`Set-Cookie` — Instructs the user agent to store a cookie (RFC 6265 §4.1).

public string SET_COOKIE = 'Set-Cookie'

STRICT_TRANSPORT_SECURITY

`Strict-Transport-Security` — Enforces HTTPS for future requests (HSTS, RFC 6797).

public string STRICT_TRANSPORT_SECURITY = 'Strict-Transport-Security'

SUNSET

`Sunset` — Date/time at which the resource is expected to become unresponsive (RFC 8594).

public string SUNSET = 'Sunset'

TE

`TE` — Transfer codings the client is willing to accept (RFC 9110 §10.1.4).

public string TE = 'TE'

TIMING_ALLOW_ORIGIN

`Timing-Allow-Origin` — Origins allowed to read detailed Resource Timing data (W3C).

public string TIMING_ALLOW_ORIGIN = 'Timing-Allow-Origin'

TRACEPARENT

`traceparent` — W3C Trace Context: incoming trace and parent span identifiers.

public string TRACEPARENT = 'traceparent'

TRACESTATE

`tracestate` — W3C Trace Context: vendor-specific trace state.

public string TRACESTATE = 'tracestate'

TRAILER

`Trailer` — Names of fields present in the trailer section (RFC 9110 §6.6.2).

public string TRAILER = 'Trailer'

TRANSFER_ENCODING

`Transfer-Encoding` — Transfer codings applied to the message body (RFC 9112 §6.1).

public string TRANSFER_ENCODING = 'Transfer-Encoding'

TRUE_CLIENT_IP

`True-Client-IP` — Original client IP, used by Akamai / Cloudflare Enterprise.

public string TRUE_CLIENT_IP = 'True-Client-IP'

UPGRADE

`Upgrade` — Request to switch to a different protocol (RFC 9110 §7.8).

public string UPGRADE = 'Upgrade'

UPGRADE_INSECURE_REQUESTS

`Upgrade-Insecure-Requests` — Signals the client's preference for an encrypted response.

public string UPGRADE_INSECURE_REQUESTS = 'Upgrade-Insecure-Requests'

USER_AGENT

`User-Agent` — Product tokens identifying the client software (RFC 9110 §10.1.5).

public string USER_AGENT = 'User-Agent'

VARY

`Vary` — Request headers that influenced content negotiation (RFC 9110 §12.5.5).

public string VARY = 'Vary'

VIA

`Via` — Intermediaries (proxies, gateways) traversed by the message (RFC 9110 §7.6.3).

public string VIA = 'Via'

WANT_CONTENT_DIGEST

`Want-Content-Digest` — Requests a `Content-Digest` in the response (RFC 9530).

public string WANT_CONTENT_DIGEST = 'Want-Content-Digest'

WANT_REPR_DIGEST

`Want-Repr-Digest` — Requests a `Repr-Digest` in the response (RFC 9530).

public string WANT_REPR_DIGEST = 'Want-Repr-Digest'

WARNING

`Warning` — Additional information about the status of a response (obsoleted by RFC 9111).

public string WARNING = 'Warning'

WWW_AUTHENTICATE

`WWW-Authenticate` — Authentication challenge from the server (RFC 9110 §11.6.1).

public string WWW_AUTHENTICATE = 'WWW-Authenticate'

X_CLUSTER_CLIENT_IP

`X-Cluster-Client-IP` — Original client IP, added by some load balancers.

public string X_CLUSTER_CLIENT_IP = 'X-Cluster-Client-IP'

X_CONTENT_TYPE_OPTIONS

`X-Content-Type-Options` — `nosniff` disables MIME-type sniffing.

public string X_CONTENT_TYPE_OPTIONS = 'X-Content-Type-Options'

X_CORRELATION_ID

`X-Correlation-Id` — Correlates requests across services (de-facto).

public string X_CORRELATION_ID = 'X-Correlation-Id'

X_FORWARDED_FOR

`X-Forwarded-For` — Chain of client and proxy IP addresses (de-facto).

public string X_FORWARDED_FOR = 'X-Forwarded-For'

X_FORWARDED_HOST

`X-Forwarded-Host` — Original `Host` requested by the client (de-facto).

public string X_FORWARDED_HOST = 'X-Forwarded-Host'

X_FORWARDED_PROTO

`X-Forwarded-Proto` — Original protocol (`http` / `https`) used by the client (de-facto).

public string X_FORWARDED_PROTO = 'X-Forwarded-Proto'

X_FRAME_OPTIONS

`X-Frame-Options` — Legacy clickjacking protection, superseded by CSP `frame-ancestors`.

public string X_FRAME_OPTIONS = 'X-Frame-Options'

X_RATELIMIT_LIMIT

`X-RateLimit-Limit` — Request quota for the window (de-facto).

public string X_RATELIMIT_LIMIT = 'X-RateLimit-Limit'

X_RATELIMIT_REMAINING

`X-RateLimit-Remaining` — Remaining quota in the current window (de-facto).

public string X_RATELIMIT_REMAINING = 'X-RateLimit-Remaining'

X_RATELIMIT_RESET

`X-RateLimit-Reset` — Time until the quota resets (de-facto).

public string X_RATELIMIT_RESET = 'X-RateLimit-Reset'

X_REAL_IP

`X-Real-IP` — Original client IP, added by nginx and others (de-facto).

public string X_REAL_IP = 'X-Real-IP'

X_REQUEST_ID

`X-Request-Id` — Unique identifier of the request (de-facto).

public string X_REQUEST_ID = 'X-Request-Id'

X_REQUESTED_WITH

`X-Requested-With` — De-facto AJAX marker, usually `XMLHttpRequest`.

public string X_REQUESTED_WITH = 'X-Requested-With'

X_RESPONSE_TIME

`X-Response-Time` — Time taken to produce the response (de-facto, Express/Koa).

public string X_RESPONSE_TIME = 'X-Response-Time'

X_XSS_PROTECTION

`X-XSS-Protection` — Legacy XSS filter control (deprecated; prefer CSP).

public string X_XSS_PROTECTION = 'X-XSS-Protection'

Methods

all()

Returns all currently sent headers.

public static all() : array<string|int, string>
Return values
array<string|int, string>

List of headers in "Name: Value" format.

has()

Checks if a specific header has already been sent.

public static has(string $name) : bool
Parameters
$name : string

The header name.

Return values
bool

True if the header was sent, false otherwise.

remove()

Removes a previously set header.

public static remove(string $name) : void
Parameters
$name : string

The header name.

send()

Sends an HTTP header with an optional value.

public static send(string $name[, string|null $value = null ][, bool $replace = true ][, int|null $responseCode = null ]) : void

This method wraps the native header() function and provides a safer, enum-based way to set headers.

Example:

HttpHeader::send( HttpHeader::CONTENT_TYPE  , 'application/json' ) ;
HttpHeader::send( HttpHeader::CACHE_CONTROL , 'no-cache' ) ;
HttpHeader::send( HttpHeader::ACCESS_CONTROL_ALLOW_ORIGIN , '*' ) ;
Parameters
$name : string

The header name (preferably one of the class constants).

$value : string|null = null

Optional header value. If null, only the name is sent.

$replace : bool = true

Whether to replace a previous header of the same name.

$responseCode : int|null = null

Optional HTTP response code to send.

Tags
throws
ConstantException

If the header name is invalid.
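
The following added example (not code from the library or its author) uses send() with the security-related constants listed above, sending HSTS only when the client connection is actually HTTPS. The `oihana\enums\http` namespace, the helper function names and the proxy address `10.0.0.5` are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed namespace: check this `use` line against the installed package.
use oihana\enums\http\HttpHeader;

/** Maps a header name to its $_SERVER key, e.g. 'X-Forwarded-Proto' => 'HTTP_X_FORWARDED_PROTO'. */
function serverKey(string $header): string
{
    return 'HTTP_' . strtoupper(str_replace('-', '_', $header));
}

/**
 * True when the client connection is HTTPS. X-Forwarded-Proto is honoured only
 * when the direct peer is one of our own proxies, since any client can send it.
 */
function isHttps(array $server, array $trustedProxies): bool
{
    if (!empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off') {
        return true;
    }
    $peer  = (string) ($server['REMOTE_ADDR'] ?? '');
    $proto = (string) ($server[serverKey(HttpHeader::X_FORWARDED_PROTO)] ?? '');
    return in_array($peer, $trustedProxies, true) && strtolower(trim($proto)) === 'https';
}

/** Header set to emit; HSTS only over HTTPS (user agents ignore it on plain HTTP, RFC 6797). */
function hardeningHeaders(bool $https): array
{
    $headers = [
        HttpHeader::X_CONTENT_TYPE_OPTIONS => 'nosniff',
        HttpHeader::X_FRAME_OPTIONS        => 'DENY',
    ];
    if ($https) {
        $headers[HttpHeader::STRICT_TRANSPORT_SECURITY] = 'max-age=31536000; includeSubDomains';
    }
    return $headers;
}

// Constructed sample value: 10.0.0.5 stands in for your own reverse proxy.
$https = isHttps($_SERVER, ['10.0.0.5']);

// header() cannot add fields once output has started, so check first.
if (!headers_sent()) {
    foreach (hardeningHeaders($https) as $name => $value) {
        HttpHeader::send($name, $value); // names are class constants, so no ConstantException is expected
    }
}
```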
