HTTP Response Headers

Overview
There are numerous HTTP response headers that can be included in the server’s response to provide additional information, control caching behavior, enforce security policies, and facilitate communication between the client and server. Here are some commonly seen HTTP response headers:
A
Accept-Ch:
- Sec-CH-UA
- Sec-CH-UA-Arch
- Sec-CH-UA-Bitness
- Sec-CH-UA-Full-Version-List
- Sec-CH-UA-Mobile
- Sec-CH-UA-Model
- Sec-CH-UA-Platform
- Sec-CH-UA-Platform-Version
- Sec-CH-UA-WoW64
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin:
- https://www.syb.com
- https://www.youtube.com
Access-Control-Allow-Headers:
- Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, X-WL-CONF, X-Requested-With
Access-Control-Allow-Methods:
- GET, POST, OPTIONS
- POST, GET, OPTIONS, PUT, DELETE
Access-Control-Expose-Headers: Client-Protocol, Content-Length, Content-Type, X-Bandwidth-Est, X-Bandwidth-Est2, X-Bandwidth-Est3, X-Bandwidth-App-Limited, X-Bandwidth-Est-App-Limited, X-Bandwidth-Est-Comp, X-Bandwidth-Avg, X-Head-Time-Millis, X-Head-Time-Sec, X-Head-Seqnum, X-Response-Itag, X-Restrict-Formats-Hint, X-Sequence-Num, X-Segment-Lmt, X-Walltime-Ms
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
C
Cache-Control:
- no-cache, must-revalidate
- no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private
- public, max-age=86400
Cf-Ray:
- 7e59627769246332-ORD
- 7e597c7db891104e-ORD
Cf-Cache-Status: HIT
Connection:
- Close
- keep-alive
Content-Length: 13
Content-Security-Policy: frame-ancestors 'none'
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/apps-themes
Content-Type:
- application/x-javascript
- application/json
- text/html; charset=UTF-8
Cross-Origin-Opener-Policy:
- same-origin
- same-origin; report-to="apps-themes"
Cross-Origin-Embedder-Policy: require-corp
Cross-Origin-Resource-Policy: cross-origin
D
Date: Tue, 11 Jul 2023 21:23:27 GMT
E
Etag: W/"8228-5fea824eb3567-gzip"
Expires: Fri, 01 Jan 1990 00:00:00 GMT
H
HTTP/1.0 301
HTTP/1.1 200 OK
HTTP/1.1 302 Found
HTTP/2 200 OK
HTTP/2 204 No Content
HTTP/2 429 Too Many Requests
L
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
Location:
- https://x.bidswitch.net/sync dsp_id=393&user_id=0&ssp=triplelift&bsw_param=997cfff6-21c8-49c1-b7a8-92b277de917a
- https://rtb.openx.net/sync/prebid?gdpr=0&gdpr_consent=&r=https%3A%2F%2Fprebid.a-mo.net%2Fcchain%2F2%2F1302%3Fgdpr%3D0%26gdpr_consent%3D%26us_privacy%3D%26A%3D417ecbd9-1829-4a39-844d-280300d697bf%26bidder%3Dopenx%26cbx%3DaHR0cHM6Ly9jcy5taW51dGVtZWRpYS1wcmViaWQuY29tL2NzP2FpZD0yMTQ5MiZ1aWQ9%26uid%3D%24%7BUID%7D
- https://match.sharethrough.com/sync/v1?source_id=m3k4T1aBLLPMpeMdFP9tJTiB&source_user_id=2e357199-8d5a-4f6c-99b5-93f63d78effff
- https://bh.contextweb.com/bh/rtset?pid=562894&ev=1&us_privacy=&rurl=https%3A%2F%2Fssp.disqus.com%2Fmatch%3Fbidder%3D29%26buyeruid%3D%25%25VGUID%25%25%26r%3DCid1YS0yYjk0NTg1My01YjlkLTNmNzgtOTY1YS0xM2FlNzVkN2M0ZDUQ____________ASpZaHR0cHM6Ly9jcy5taW51dGVtZWRpYS1wcmViaWQuY29tL2NzP2FpZD0yMTQ5NSZpZD11YS0yYjk0NTg1My01YjlkLTNmNzgtOTY1YS0xM2FlNzVkN2M0ZDUyAh0fOAE=%26gdpr%3D%26gdpr_consent%3D
P
P3P: policyref="/w3c/p3p.xml", CP="NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT"
Pragma: no-cache
R
Referrer-Policy: origin-when-cross-origin
Report-To:
- {"group":"apps-themes","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/apps-themes"}]}
- {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=o9D%2Bnf1yoifJsyd*****O84r3n1RQ0pcfA5Sa9H4O0zbPNfCmGEytlHFNAfBouaS0US0mjKb8hdtTb2***************9f%2Fkh6jAJhovxtBKd5SB58Y5iP8i76%2Bdn"}],"group":"cf-nel","max_age":604800}
S
Server:
- Akamai Resource Optimizer
- AmazonS3
- cafe
- cloudflare
- Golfe2
- nginx
- Playlog
- scaffolding on HTTPServer2
- sffe
Server-Timing: ak_p; desc="469197_399137570_1009706770_44_7814_16_0_-";dur=1
Server-Timing: cdn-cache; desc=HIT
Server-Timing: edge; dur=1
Set-Cookie: SMSESSION=ZJ4bMPgUuRpdAdjtWK7+tC6bpsbyCuUEYrO4r+; path=/; domain=.chase.com; secure; HTTPOnly
Set-Cookie: WmuiProvided_CustomPositions_AuthCache_Entry_Token=""; Domain=.chase.com; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/; Secure; HttpOnly
Strict-Transport-Security:
- max-age=0
- max-age=10886400; includeSubDomains; preload
T
Timing-Allow-Origin: *
V
Vary:
- Accept-Encoding
- Origin, Accept-Encoding
- Referer
- X-Origin
X
x-amz-id-2: npwK2XjjLmz+CaPqiPSyEDZPZVwatTCTeYlH+MN+9lgeykemLatWN8S3t9raWXvbR/LglR7JmI0=
x-amz-request-id: Q1KFRNPGM4F9NSA0
x-amz-server-side-encryption: AES256
X-Amzn-Trace-Id:
- 0.1eb74d68.1687439769.1fa23927
- 0.225bca17.1689110484.3c2ee712
X-App-Cdndc-Id: us-east-2
X-App-Info: bv=DPS/dps-banking-accounts/release%2F2023.06.11-477; pd=02ea
X-B3-Traceid: f3ede37efc7b60efdcd589f7d3a61cc0
X-Content-Security-Policy: frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Envoy-Upstream-Service-Time: 0
X-Frame-Options:
- DENY
- SAMEORIGIN
X-Ms-Blob-Type: BlockBlob
X-Ms-Lease-Status: unlocked
X-Ms-Request-Id: 4a03d358-701e-007b-67f3-b3b356000000
X-Ms-Version: 2009-09-19
X-Oneagent-Js-Injection: true
X-TID: IcvsnPohRjw=
X-Trace-Id: ZK3IQwvOtRUE8TXC91cjtQAAACg
X-Xss-Protection:
- 0
- 1; mode=block
Cache-Control
Some words about the Cache-Control header
Cache-Control Directives
- max-age
- must-revalidate (TODO)
- no-cache (TODO)
- no-store (TODO)
- no-transform
- public
- private
- proxy-revalidate
- s-maxage
How to set Cache-Control
- Apache
  - TODO: how do I set this in Apache?
- IIS
  - TODO: how do I set this in Microsoft IIS?
| Threat | Name | Value | Notes |
|---|---|---|---|
| Information leak on client | Cache-Control | no-cache, no-store, must-revalidate | HTTP/1.1; some HTTP/1.0 caches might not implement Cache-Control |
| Information leak on client | Pragma | no-cache | HTTP/1.0 |
| Information leak on client | Expires | -1 or Fri, 01 Jan 1990 00:00:00 GMT | Any date in the past, or an invalid value such as -1, marks the response as already expired |
Content Security Policy (CSP)
Scope each directive as narrowly as possible. Never set a source to the wildcard (e.g. *).
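To make the anti-caching table and the CSP rule above checkable, here is an added example in Python (not code from the original page): it parses a captured block of response headers, checks for the Cache-Control trio plus Pragma and Expires from the table, and flags any CSP directive that lists a bare `*` source. The two header blocks are constructed samples, not captures from any real site; the finding strings and the `audit` function name are this example's own.

```python
"""Added example (not from the original page): audit a captured block of HTTP
response headers against the two recommendations above, the anti-caching
trio (Cache-Control / Pragma / Expires) and a CSP with no bare wildcard source.
All header blocks here are constructed samples, not captured from a real site."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Directives the table above requires for responses that must not be cached.
REQUIRED_CACHE_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}


def parse_header_block(raw):
    """Parse 'Name: value' lines into {lowercased name: [values]}.
    Lines without a colon (the status line) are skipped; repeated headers
    such as Set-Cookie keep every occurrence."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_cache_control(values):
    """Split one or more Cache-Control values into {directive: argument or None}."""
    directives = {}
    for value in values:
        for token in value.split(","):
            token = token.strip().lower()
            if not token:
                continue
            name, _, arg = token.partition("=")
            directives[name] = arg.strip().strip('"') or None
    return directives


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def expires_is_past(value, now=None):
    """True if Expires is in the past. Per RFC 7234 section 5.3 an unparseable
    value such as -1 must be treated as already expired."""
    now = now or datetime.now(timezone.utc)
    try:
        expires = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return expires <= now


def audit(headers):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    cache_control = parse_cache_control(headers.get("cache-control", []))
    missing = sorted(REQUIRED_CACHE_DIRECTIVES - set(cache_control))
    if missing:
        findings.append("Cache-Control missing " + ", ".join(missing))
    pragmas = [v.lower() for v in headers.get("pragma", [])]
    if "no-cache" not in pragmas:
        findings.append("Pragma: no-cache absent (needed for HTTP/1.0 caches)")
    expires = headers.get("expires")
    if not expires:
        findings.append("Expires absent")
    elif not expires_is_past(expires[0]):
        findings.append("Expires is in the future")
    csp = headers.get("content-security-policy")
    if not csp:
        findings.append("Content-Security-Policy absent")
    else:
        for directive, sources in parse_csp(csp[0]).items():
            if "*" in sources:
                findings.append(f"CSP {directive} uses wildcard source *")
    return findings


# Constructed sample: a response that caches freely and uses wildcard CSP sources.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: public, max-age=86400
Content-Security-Policy: default-src *; script-src 'self' *
"""

# Constructed sample: the same response with the table's values applied.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(parse_header_block(raw)) or ["no findings"])
```

The cache checks apply to responses that must not be retained on the client (the table's threat); a public, static asset served with `public, max-age=86400` would legitimately fail them, so run the audit only over the endpoints where the information-leak threat applies.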