HTTP Response Headers

Overview

There are numerous HTTP response headers that can be included in the server’s response to provide additional information, control caching behavior, enforce security policies, and facilitate communication between the client and server. Here are some commonly seen HTTP response headers:

A

• Accept-Ch:
  • Sec-CH-UA
  • Sec-CH-UA-Arch
  • Sec-CH-UA-Bitness
  • Sec-CH-UA-Full-Version-List
  • Sec-CH-UA-Mobile
  • Sec-CH-UA-Model
  • Sec-CH-UA-Platform
  • Sec-CH-UA-Platform-Version
  • Sec-CH-UA-WoW64
• Accept-Ranges: bytes
• Access-Control-Allow-Credentials: true
• Access-Control-Allow-Origin:
  • https://www.syb.com
  • https://www.youtube.com
• Access-Control-Allow-Headers:
  • Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization, X-WL-CONF,X-Requested-With
• Access-Control-Allow-Methods:
  • GET, POST, OPTIONS
  • POST, GET, OPTIONS, PUT, DELETE
• Access-Control-Expose-Headers: Client-Protocol, Content-Length, Content-Type, X-Bandwidth-Est, X-Bandwidth-Est2, X-Bandwidth-Est3, X-Bandwidth-App-Limited, X-Bandwidth-Est-App-Limited, X-Bandwidth-Est-Comp, X-Bandwidth-Avg, X-Head-Time-Millis, X-Head-Time-Sec, X-Head-Seqnum, X-Response-Itag, X-Restrict-Formats-Hint, X-Sequence-Num, X-Segment-Lmt, X-Walltime-Ms
• Alt-Svc: h3=”:443″; ma=2592000,h3-29=”:443″; ma=2592000

C

• Cache-Control:
  • no-cache, must-revalidate
  • no-cache,no-store,must-revalidate,max-age=0,proxy-revalidate,no-transform,private
  • public, max-age=86400
• Cf-Ray:
  • 7e59627769246332-ORD
  • 7e597c7db891104e-ORD
• Cf-Cache-Status: HIT
• Connection:
  • Close
  • keep-alive
• Content-Length: 13
• Content-Security-Policy: frame-ancestors ‘none’
• Content-Security-Policy-Report-Only: require-trusted-types-for ‘script’; report-uri https://csp.withgoogle.com/csp/apps-themes
• Content-Type:
  • application/x-javascript
  • application/json
  • text/html; charset=UTF-8
• Cross-Origin-Opener-Policy:
  • same-origin
  • same-origin; report-to=”apps-themes”
• Cross-Origin-Embedder-Policy: require-corp
• Cross-Origin-Resource-Policy: cross-origin

D

• Date: Tue, 11 Jul 2023 21:23:27 GMT

E

• Etag: W/”8228-5fea824eb3567-gzip”
• Expires: Fri, 01 Jan 1990 00:00:00 GMT

H

• HTTP/1.0 301
• HTTP/1.1 200 OK
• HTTP/1.1 302 Found
• HTTP/2 200 OK
• HTTP/2 204 No Content
• HTTP/2 429 Too Many Requests

L

• Last-Modified: Sun, 17 May 1998 03:00:00 GMT
• Location:
  • https://x.bidswitch.net/sync dsp_id=393&user_id=0&ssp=triplelift&bsw_param=997cfff6-21c8-49c1-b7a8-92b277de917a
  • https://rtb.openx.net/sync/prebid?gdpr=0&gdpr_consent=&r=https%3A%2F%2Fprebid.a-mo.net%2Fcchain%2F2%2F1302%3Fgdpr%3D0%26gdpr_consent%3D%26us_privacy%3D%26A%3D417ecbd9-1829-4a39-844d-280300d697bf%26bidder%3Dopenx%26cbx%3DaHR0cHM6Ly9jcy5taW51dGVtZWRpYS1wcmViaWQuY29tL2NzP2FpZD0yMTQ5MiZ1aWQ9%26uid%3D%24%7BUID%7D
  • https://match.sharethrough.com/sync/v1?source_id=m3k4T1aBLLPMpeMdFP9tJTiB&source_user_id=2e357199-8d5a-4f6c-99b5-93f63d78effff
  • https://bh.contextweb.com/bh/rtset?pid=562894&ev=1&us_privacy=&rurl=https%3A%2F%2Fssp.disqus.com%2Fmatch%3Fbidder%3D29%26buyeruid%3D%25%25VGUID%25%25%26r%3DCid1YS0yYjk0NTg1My01YjlkLTNmNzgtOTY1YS0xM2FlNzVkN2M0ZDUQ____________ASpZaHR0cHM6Ly9jcy5taW51dGVtZWRpYS1wcmViaWQuY29tL2NzP2FpZD0yMTQ5NSZpZD11YS0yYjk0NTg1My01YjlkLTNmNzgtOTY1YS0xM2FlNzVkN2M0ZDUyAh0fOAE=%26gdpr%3D%26gdpr_consent%3D

P

• P3P: policyref=”/w3c/p3p.xml”, CP=”NOI NID CURa ADMa DEVa PSAa PSDa OUR SAMa BUS PUR COM NAV INT”
• Pragma: no-cache

R

• Referrer-Policy: origin-when-cross-origin
• Report-To:
  • {“group”:”apps-themes”,”max_age”:2592000,”endpoints”:[{“url”:”https://csp.withgoogle.com/csp/report-to/apps-themes”}]}
  • {“endpoints”:[{“url”:”https:\/\/a.nel.cloudflare.com\/report\/v3?s=o9D%2Bnf1yoifJsyd*****O84r3n1RQ0pcfA5Sa9H4O0zbPNfCmGEytlHFNAfBouaS0US0mjKb8hdtTb2***************9f%2Fkh6jAJhovxtBKd5SB58Y5iP8i76%2Bdn”}],”group”:”cf-nel”,”max_age”:604800}

S

• Server:
  • Akamai Resource Optimizer
  • AmazonS3
  • cafe
  • cloudflare
  • Golfe2
  • nginx
  • Playlog
  • scaffolding on HTTPServer2
  • sffe
• Server-Timing: ak_p; desc=”469197_399137570_1009706770_44_7814_16_0_-“;dur=1
• Server-Timing: cdn-cache; desc=HIT
• Server-Timing: edge; dur=1
• Set-Cookie: SMSESSION=ZJ4bMPgUuRpdAdjtWK7+tC6bpsbyCuUEYrO4r+; path=/; domain=.chase.com; secure; HTTPOnly
• Set-Cookie: WmuiProvided_CustomPositions_AuthCache_Entry_Token=””; Domain=.chase.com; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/; Secure; HttpOnly
• Strict-Transport-Security:
  • max-age=0
  • max-age=10886400; includeSubDomains; preload

T

• Timing-Allow-Origin: *

V

• Vary:
  • Accept-Encoding
  • Origin, Accept-Encoding
  • Referer
  • X-Origin

X

• x-amz-id-2: npwK2XjjLmz+CaPqiPSyEDZPZVwatTCTeYlH+MN+9lgeykemLatWN8S3t9raWXvbR/LglR7JmI0=
• x-amz-request-id: Q1KFRNPGM4F9NSA0
• x-amz-server-side-encryption: AES256
• X-Amzn-Trace-Id: [0.1eb74d68.1687439769.1fa23927 | 0.225bca17.1689110484.3c2ee712]
• X-App-Cdndc-Id: us-east-2
• X-App-Info: bv=DPS/dps-banking-accounts/release%2F2023.06.11-477; pd=02ea
• X-B3-Traceid: f3ede37efc7b60efdcd589f7d3a61cc0
• X-Content-Security-Policy: frame-ancestors ‘none’
• X-Content-Type-Options: nosniff
• X-Download-Options: noopen
• X-Envoy-Upstream-Service-Time: 0
• X-Frame-Options:
  • DENY
  • SAMEORIGIN
• X-Ms-Blob-Type: BlockBlob
• X-Ms-Lease-Status: unlocked
• X-Ms-Request-Id: 4a03d358-701e-007b-67f3-b3b356000000
• X-Ms-Version: 2009-09-19
• X-Oneagent-Js-Injection: true
• X-TID: IcvsnPohRjw=
• X-Trace-Id: ZK3IQwvOtRUE8TXC91cjtQAAACg
• X-Xss-Protection:
  • 0
  • 1; mode=block

Cache-Control

Some words about the Cache-Control header

Cache-Control Directives

• max-age
• must-revalidate – TODO
• no-cache – TODO
• no-store – TODO
• no-transform
• public
• private
• proxy-revalidate
• s-maxage

How to set Cache-Control

• Apache
  • TODO: how do I set in Apache?
• IIS
  • TODO: how do i set in Microsoft IIS

Content Security Profile(CSP)

Set to a narrow scope. Never set it to wildcard (e.g. *)

SOP