The HTTP Reference

This article contains all the reference for my HTTP series. This reference could be helpful if you need to quickly find what some HTTP status code means. It is also some kind of cheat sheet for myself because there is a lot of information to remember by heart. So I hope it is helpful to you too.

You can find the reference to the HTTP:

Request Methods

List of HTTP Request methods (verbs).

Request methods

MethodDescriptionHas body?
CONNECTThis specification reserves the method name CONNECT for use with a proxy that can dynamically switch to being a tunnel (e.g. SSL tunneling).No
DELETEThe DELETE method requests that the origin server delete the resource identified by the Request-URI.No
GETThe GET method retrieves whatever information (in the form of an entity) is identified by the Request-URI.No
HEADThe HEAD method is identical to GET except that the server MUST NOT return a message-body in the response.No
OPTIONSThe OPTIONS method represents a request for information about the communication options available on the request/response chain identified by the Request-URI.No
POSTThe POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line.Yes
PUTThe PUT method requests that the enclosed entity be stored under the supplied Request-URI.Yes
TRACEThe TRACE method is used to invoke a remote, application-layer loop-back of the request message.No

Status Codes

These two tables define status code ranges (classification) and describe all the status codes.

Status Code Classification

Overall rangeDefined rangeCategory
400–499400–415Client error
500–599500–505Server error

Status Codes

Status codeReason phraseMeaning
100 Continue An initial part of the request was received, and the client should continue.
101Switching Protocols The server is changing protocols, as specified by the client, to one listed in the Upgrade header.
200OK The request is okay.
201Created The resource was created (for requests that create server objects).
202AcceptedThe request was accepted, but the server has not yet performed any action with it.
203Non-Authoritative InformationThe transaction was okay, except the information contained in the entity headers was not from the origin server, but from a copy of the resource.
204No ContentThe response message contains headers and a status line, but no entity body.
205Reset ContentAnother code primarily for browsers; basically means that the browser should clear any HTML form elements on the current page.
206Partial Content A partial request was successful.
300Multiple ChoicesA client has requested a URL that actually refers to multiple resources. This code is returned along with a list of options; the user can then select which one he wants.
301Moved PermanentlyThe requested URL has been moved. The response should contain a Location URL indicating where the resource now resides.
302Found Like the 301 status code, but the move is temporary. The client should use the URL given in the Location header to locate the resource temporarily.
303See OtherTells the client that the resource should be fetched using a different URL. This new URL is in the Location header of the response message.
304Not ModifiedClients can make their requests conditional by the request headers they include. This code indicates that the resource has not changed.
305Use ProxyThe resource must be accessed through a proxy, the location of the proxy is given in the Location header.
306(Unused)This status code currently is not used.
307Temporary RedirectLike the 301 status code; however, the client should use the URL given in the Location header to locate the resource temporarily.
400Bad RequestTells the client that it sent a malformed request.
401Unauthorized Returned along with appropriate headers that ask the client to authenticate itself before it can gain access to the resource.
402Payment RequiredCurrently this status code is not used, but it has been set aside for future use.
403Forbidden The request was refused by the server.
404Not FoundThe server cannot find the requested URL.
405Method Not AllowedA request was made with a method that is not supported for the requested URL. The Allow header should be included in the response to tell the client what methods are allowed on the requested resource.
406Not AcceptableClients can specify parameters about what types of entities they are willing to accept. This code is used when the server has no resource matching the URL that is acceptable for the client.
407Proxy Authentication RequiredLike the 401 status code, but used for proxy servers that require authentication for a resource.
408Request TimeoutIf a client takes too long to complete its request, a server can send back this status code and close down the connection.
409Conflict The request is causing some conflict on a resource.
410Gone Like the 404 status code, except that the server once held the resource.
411Length RequiredServers use this code when they require a Content-Length header in the request message. The server will not accept requests for the resource without the Content-Length header.
412Precondition Failed If a client makes a conditional request and one of the conditions fails, this response code is returned.
413Request Entity Too LargeThe client sent an entity body that is larger than the server can or wants to process.
414Request URI Too LongThe client sent a request with a request URL that is larger than what the server can or wants to process.
415Unsupported Media TypeThe client sent an entity of a content type that the server does not understand or support.
416Requested Range Not SatisfiableThe request message requested a range of a given resource, and that range either was invalid or could not be met.
417Expectation FailedThe request contained an expectation in the Expect request header that could not be satisfied by the server.

Internal Server ErrorThe server encountered an error that prevented it from servicing the request.
501Not ImplementedThe client made a request that is beyond the server’s capabilities.
502Bad GatewayA server acting as a proxy or gateway encountered a bogus response from the next link in the request response chain.
503Service UnavailableThe server cannot currently service the request but will be able to in the future.
504 Gateway TimeoutSimilar to the 408 status code, except that the response is coming from a gateway or proxy that has timed out waiting for a response to its request from another server.
505HTTP Version Not SupportedThe server received a request in a version of the protocol that it can’t or won’t support.



Both HTTP request and HTTP response can contain header fields. These two tables describe those fields and provide simple examples.

Request headers

AcceptCan be used to specify certain media types which are acceptable for the responseAccept: text/plain
Accept-CharsetIndicates what character sets are acceptable for the responseAccept-Charset: utf-8
Accept-EncodingSimilar to Accept, but restricts the content-codings that are acceptable in the response.Accept-Encoding: gzip, deflate
Accept-LanguageSimilar to Accept, but restricts the set of natural languages that are preferred as a response.Accept-Language: en-US
AuthorizationAuthentication credentials for HTTP authentication.Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Cache-ControlUsed to specify directives that must be obeyed by all caching mechanisms along the request-response chain.Cache-Control: no-cache
ConnectionAllows the sender to specify options that are desired for that particular connection and MUST NOT be communicated by proxies over further connections.Connection: keep-alive
Content-EncodingContent-Encoding is primarily used to allow a document to be compressed without losing the identity of its underlying media type.Content-Encoding: gzip
CookieAn HTTP cookie previously sent by the server with Set-Cookie (below).Cookie: $Version=1;
Content-LengthThe length of the request body in octets (8-bit bytes).Content-Length: 1024
Content-MD5A Base64-encoded binary MD5 sum of the content of the request body.Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==
Content-TypeThe MIME type of the body of the request (used with POST and PUT requests).Content-Type: application/ x-www-form-urlencoded
DateThe date and time that the message was sent.Date: Tue, 19 Jun 2012 10:10:10 GMT
ExpectIndicates that particular server behaviors are required by the client.Expect: 100-continue
FromThe email address of the user making the request.From:
HostThe domain name of the server (for virtual hosting), and the TCP port number on which the server is listening. The port number may be omitted if the port is the standard port for the service requested. Mandatory since HTTP/1.1.Host:
If-MatchOnly perform the action if the client supplied entity matches the same entity on the server. This is mainly for methods like PUT to only update a resource if it has not been modified since the user last updated it.If-Match: "737060cd8c284d8af7ad3082f209582d"
If-Modified- SinceAllows a 304 Not Modified to be returned if content is unchanged.If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT
If-None-MatchAllows a 304 Not Modified to be returned if content is unchanged.If-None-Match: "737060cd8c284d8af7ad3082f209582d"
If-RangeIf the entity is unchanged, send me the part(s) that I am missing; otherwise, send me the entire new entity.If-Range: "737060cd8c284d8af7ad3082f209582d"
If-Unmodified- SinceOnly send the response if the entity has not been modified since a specific time.If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT
Max-ForwardsLimit the number of times the message can be forwarded through proxies or gateways.Max-Forwards: 10
OriginInitiates a request for cross-origin resource sharing (asks server for an 'Access-Control-Allow-Origin' response field).Origin:
PragmaImplementation-specific headers that may have various effects anywhere along the request-response chain.Pragma: no-cache
Proxy- AuthorizationAuthorization credentials for connecting to a proxy.Proxy-Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
RangeRequest only part of an entity. Bytes are numbered from 0.Range: bytes=500-999
RefererThis is the address of the previous web page from which a link to the currently requested page was followed. (The word "referrer" is misspelled in the RFC as well as in most implementations.)Referer:
TEThe transfer encodings the user agent is willing to accept: the same values as for the response header TE can be used, plus the "trailers" value (related to the "chunked" transfer method) to notify the server it expects to receive additional headers (the trailers) after the last, zero-sized, chunk.TE: trailers, deflate
UpgradeAsk the server to upgrade to another protocol.Upgrade: HTTPS/1.3, IRC/6.9, RTA/x11, websocket
User-AgentThe user agent string of the user agentUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
ViaInforms the server of proxies through which the request was sent.Via: 1.0 fred, 1.1 (Apache/1.1)
WarningA general warning about possible problems with the entity body.Warning: 199 Miscellaneous warning

Response headers

Access-Control-Allow-OriginSpecifying which web sites can participate in cross-origin resource sharingAccess-Control-Allow- Origin: *
Accept-RangesAllows the server to indicate its acceptance of range requests for a resource.Accept-Ranges: bytes
AgeConveys the sender's estimate of the amount of time since the response (or its revalidation) was generated at the origin server.Age: 24
AllowLists the set of methods supported by the resource identified by the Request-URI. The purpose of this field is strictly to inform the recipient of valid methods associated with the resource.Allow: GET, HEAD, PUT
Cache-ControlTells all caching mechanisms from server to client whether they may cache this object. It is measured in secondsCache-Control: max-age=3600
ConnectionOptions that are desired for the connectionConnection: close
Content-EncodingThe type of encoding used on the data. See HTTP compression.Content-Encoding: gzip
Content-LanguageThe language the content is in.Content-Language: en
Content-LengthThe length of the response body in octets (8-bit bytes)Content-Length: 1024
Content-LocationAn alternate location for the returned dataContent-Location: /index.htm
Content-MD5A Base64-encoded binary MD5 sum of the content of the responseContent-MD5: Q2hlY2sgSW50ZWdyaXR5IQ==
Content-DispositionAn opportunity to raise a "File Download" dialogue box for a known MIME type with binary format or suggest a filename for dynamic content. Quotes are necessary with special characters.Content-Disposition: attachment; filename="fname.ext"
Content-RangeWhere in a full body message this partial message belongsContent-Range: bytes 21010-47021/47022
Content-TypeThe MIME type of this contentContent-Type: text/html; charset=utf-8
DateThe date and time that the message was sentDate: Sun, 17 Jun 2017 10:11:12 GMT
ETagAn identifier for a specific version of a resource, often a message digestETag: "737060cd8c284d8af7ad3082f209582d"
ExpiresGives the date/time after which the response is considered staleExpires: Date: Sun, 17 Jun 2017 10:11:12 GMT
Last-ModifiedThe last modified date for the requested object, in RFC 2822 formaLast-Modified: Date: Sun, 17 Jun 2017 10:11:12 GMT
LinkUsed to express a typed relationship with another resource, where the relation type is defined by RFC 5988Link: ; rel="alternate"
LocationUsed in redirection, or when a new resource has been created.Location:
P3PThis header is supposed to set Platform for Privacy Preferences Project (P3P) policy, in the form of P3P:CP="your_compact_policy". However, P3P did not take off, most browsers have never fully implemented it, a lot of websites set this header with fake policy text, that was enough to fool browsers the existence of P3P policy and grant permissions for third party cookies.P3P: CP="This is not a P3P policy! See accounts/bin/ for more info."
PragmaImplementation-specific headers that may have various effects anywhere along the request-response chain.Pragma: no-cache
Proxy-AuthenticateRequest authentication to access the proxy.Proxy-Authenticate: Basic
RefreshUsed in redirection, or when a new resource has been created. This refresh redirects after 5 seconds. This is a proprietary, non-standard header extension introduced by Netscape and supported by most web browsers.Refresh: 5; url=
Retry-AfterIf an entity is temporarily unavailable, this instructs the client to try again after a specified period of time (seconds).Retry-After: 240
ServerA name for the serverServer: Apache/2.4 (Unix)
Set-CookieSets an HTTP CookieSet-Cookie: UserID=1; Max-Age=3600; Version=1
Strict-transfer-SecurityA HSTS Policy informing the HTTP client how long to cache the HTTPS only policy and whether this applies to subdomains.Strict-transfer-Security: max-age=16070400; includeSubDomains
TrailerStrict-transfer-Security: max-age=16070400; includeSubDomainsTrailer: Max-Forwards
Transfer-EncodingThe form of encoding used to safely transfer the entity to the user. Currently defined methods are: chunked, compress, deflate, gzip, identity.Transfer-Encoding: chunked
VaryTells downstream proxies how to match future request headers to decide whether the cached response can be used rather than requesting a fresh one from the origin server.Vary: *
ViaInforms the client of proxies through which the response was sent.Via: 1.0 mick, 1.1 (Apache/2.4)
WarningA general warning about possible problems with the entity body.A general warning about possible problems with the entity body.
WWW-AuthenticateIndicates the authentication scheme that should be used to access the requested entity.WWW-Authenticate: Basic


MIME types

Because of the sheer quantity of Internet Media Types, just the most commonly used ones are listed here.

Common primary MIME types

application Application-specific content format (discrete type)
audio Audio format (discrete type)
chemical Chemical data set (discrete IETF extension type)
image Image format (discrete type)
message Message format (composite type)
model 3-D model format (discrete IETF extension type)
multipart Collection of multiple objects (composite type)
text Text format (discrete type)
video Video movie format (discrete type)

Common application MIME types

application/atom+xmlAtom Feeds
application/ecmascriptECMAScript/JavaScript (equivalent to application/javascript but with stricter processing rules)
application/jsonJavaScript Object Notation JSON
application/javascriptECMAScript/JavaScript (equivalent to application/ecmascript but with looser processing rules) It is not accepted in IE 8 or earlier
application/octet-streamUnclassified binary data.
application/pdfPortable Document Format
application/rss+xmlRSS feeds
application/font-woffWeb Open Font Format
application/xml-dtdDocument Type Definition (DTD) files
application/xop+xmlXML-binary Optimized Packaging (XOP)
application/zipZIP archive files

Common multipart MIME types

multipart/mixedMIME Email
multipart/form-dataMIME Webform

Common text MIME types

text/cssCascading Style Sheets.
text/csvComma-separated values
text/htmlHTML file
text/plainTextual data
text/xmlExtensible Markup Language


Everything mentioned in this reference article can be found in more detail in the HTTP1.1 spec document:

Bookmark the permalink.