HTTP - MDN Web Docs

HTTP: Hypertext Transfer Protocol

HTTP is an application-layer protocol for transmitting hypermedia documents, such as HTML. It was designed for communication between web browsers and web servers, but it can also be used for other purposes, such as machine-to-machine communication, programmatic access to APIs, and more.

HTTP follows a classical client-server model, with a client opening a connection to make a request, then waiting until it receives a response from the server. HTTP is a stateless protocol, meaning that the server does not keep any session data between two requests, although the later addition of cookies adds state to some client-server interactions.

Guides

HTTP is an extensible protocol that relies on concepts like resources and Uniform Resource Identifiers (URIs), a basic message structure, and a client-server communication model. On top of these concepts, numerous extensions have been developed over the years that add functionality and updated semantics, including additional HTTP methods and headers.

The HTTP guides are listed in order from general overviews to specialized, use-case-driven topics. Beginners are encouraged to start with the foundational guides before exploring more focused articles.

Overview of HTTP

The basic features of HTTP, what it can do, its intended use in web architecture, and its position in the protocol stack.

Evolution of HTTP

HTTP was created in the early 1990s and has been extended several times. This article goes through its history and describes HTTP/0.9, HTTP/1.0, HTTP/1.1, through HTTP/2 and HTTP/3, as well as novelties introduced over the years.

A typical HTTP session

Describes the flow of an HTTP session, from establishing a connection, sending a request, to receiving a response.

HTTP messages

HTTP messages transmitted as requests and responses have a defined structure. This article describes this general structure, its purpose, and the different types of messages.

MIME types

Since HTTP/1.0, different types of content can be transmitted. This article explains how this is accomplished using the Content-Type header and the MIME standard. A shortlist of common types used by web developers can be found in Common MIME types.

Compression in HTTP

Browsers and servers compress their messages before sending them over the network to reduce the amount of data that needs to be transmitted, improving transfer speed and bandwidth utilization.

HTTP caching

Caching is a highly important mechanism for delivering fast experiences on the Web and for efficient use of resources. This article describes different methods of caching and how to use HTTP headers to control them.

HTTP authentication

Authentication is a way to verify the identity of a client when making requests to a server. It ensures that only authorized users or systems can access certain resources.

Using HTTP cookies

Although HTTP is a stateless protocol, a server can send a Set-Cookie header with the response. The client then returns the cookie's value with every subsequent request to the server in the form of a Cookie request header. This adds the ability to store and exchange a small amount of data which effectively adds state to some client-server interactions.

Redirections in HTTP

URL redirection, also known as URL forwarding, is a technique to give more than one URL address to a page, a form, a whole website, or a web application. HTTP has a special kind of response, called an HTTP redirect, for this operation.

HTTP conditional requests

In conditional requests, the outcome of a request depends on the value of a validator in the request. This method is used heavily in caching and use cases such as resuming a download, preventing lost updates when modifying a document on the server, and more.

HTTP range requests

A range request asks the server to send a specific part (or parts) of a resource back to a client instead of the full resource. Range requests are useful for cases when a client knows they need only part of a large file, or for cases where an application allows the user to pause and resume a download.

Content negotiation

HTTP defines a set of message headers, starting with Accept as a way for a browser to announce the format, language, or encoding it prefers. This article explains how this advertisement happens, how the server is expected to react, and how it chooses the most adequate response to a request.

Connection management in HTTP/1.x

HTTP/1.1 was the first version of HTTP to support persistent connections and pipelining. This article explains both concepts, including the pros and cons of each.

Protocol upgrade mechanism

HTTP/1.1 provides a mechanism to upgrade an already-established connection to a different protocol using the Upgrade header. A client can upgrade a connection from HTTP/1.1 to HTTP/2, or an HTTP(S) connection to a WebSocket (ws / wss).

Proxy servers and tunneling

A proxy can be on the user's local computer, or anywhere between the user's computer and a destination server on the Internet. This page outlines some basics about proxies and introduces a few configuration options.

HTTP Client hints

Client Hints are a set of response headers that a server can use to proactively request information from a client about the device, network, user, and user-agent-specific preferences. The server can then determine which resources to send, based on the information that the client chooses to provide.

Network Error Logging Experimental

Network Error Logging is a mechanism that can be configured via the NEL HTTP response header. This experimental header allows websites and applications to opt-in to receive reports about failed (or even successful) network fetches from supporting browsers.

Browser detection using the user agent

It's very rarely a good idea to use user agent sniffing to detect a browser, but there are edge cases that require it. This document will guide you in doing this as correctly as possible when this is necessary, with an emphasis on considerations to make before embarking on this route.

Security and privacy

Permissions Policy

Permissions Policy provides mechanisms for web developers to explicitly declare what functionality can and cannot be used on a website. You define a set of "policies" that restrict which APIs the site's code can access, or that modify the browser's default behavior for certain features.

Cross-Origin Resource Sharing (CORS)

Cross-site HTTP requests are requests for resources from a different domain than that of the resource making the request. Web pages today very commonly load cross-site resources, for example, a page 'Domain A' (http://domaina.example/) requests an image on 'Domain B' (http://domainb.foo/image.jpg) via the img element. CORS allows web developers to control how their site reacts to cross-site requests.

Content Security Policy (CSP)

CSP allows website administrators to use the Content-Security-Policy response header to control which resources the client is allowed to load for a given page. The CSP guide describes the overall Content Security Policy mechanism which helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.

Cross-Origin Resource Policy (CORP)

CORP lets websites and applications opt in to protection against specific requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks.

Mozilla web security guidelines

A collection of tips to help operational teams with creating secure web applications.

URIs

Uniform Resource Identifiers (URIs) are used to describe and locate resources on the web and are an essential component in HTTP requests.

Configuring servers for Ogg media

This guide covers a few server configuration changes that may be necessary for your web server to correctly serve Ogg media files. This information may also be useful if you encounter other media types your server isn't already configured to recognize.

Tools & resources

Helpful tools and resources for understanding and debugging HTTP.

Firefox Developer Tools

Network monitor

HTTP Observatory

A project designed to help developers, system administrators, and security professionals configure their sites safely and securely.

RedBot

A tool to check your cache-related headers.

nghttp2

An HTTP/2 client, server and proxy implementation written in C with load test and benchmarking tools and an HPACK encoder and decoder.

curl

A command-line tool for transferring data specified with URL syntax. Supports HTTP, HTTPS, WS, WSS, among many other protocols.

How Browsers Work (2011)

A very comprehensive article on browser internals and request flow through the HTTP protocol.

Reference

The HTTP reference documentation contains detailed information about headers, request methods, status responses, and lists relevant specifications and standards documents.

HTTP headers

Message headers are used to send metadata about a resource or an HTTP message, and to describe the behavior of the client or the server.

HTTP request methods

Request methods indicate the purpose of the request and what is expected if the request is successful. The most common methods are GET and POST for retrieving and sending data to servers, respectively, but there are other methods which serve different purposes.

HTTP response status codes

Response status codes indicate the outcome of a specific HTTP request. Responses are grouped in five classes: informational, successful, redirections, client errors, and server errors.

HTTP resources and specifications

This page lists relevant resources about HTTP since it was first specified in the early 1990s.

The following subsections are also notable:

CSP directives

The Content-Security-Policy (CSP) response header allows website administrators to specify which resources the user agent is allowed to load for a given page. This section lists directives that can be used in a CSP header, with individual documentation pages that describe how the directives work and how to use them.

Permissions-Policy directives

The Permissions-Policy response header provides a mechanism to allow or deny the use of browser features in a document or within any <iframe> element in the document. This section lists directives that can be used in a Permissions-Policy header, with individual documentation pages that describe how the directives work and how to use them.

This page was last modified on Dec 22, 2025 by MDN contributors.
