Detailed HTTP request and response headers


What is Referrer Policy?

We know that when a page loads images, JS and other resources, or navigates from one page to another, a new HTTP request is made,

and browsers usually add a Referrer header field to these requests to indicate where the request came from. Referrer is useful for analysing where users come from and has a wide range of uses.

Description:

The new Referrer Policy specifies five policies: No Referrer, No Referrer When Downgrade, Origin Only, Origin When Cross-origin, and Unsafe URL.

Three policies existed before: never, default and always; the new standard renamed them. Their correspondence is as follows:

Policy name                  Attribute value (new)         Attribute value (old)
No Referrer                  no-referrer                   never
No Referrer When Downgrade   no-referrer-when-downgrade    default
Origin Only                  origin                        -
Origin When Cross-origin     origin-when-crossorigin       -
Unsafe URL                   unsafe-url                    always
  • No Referrer: never send Referrer information under any circumstances;
  • No Referrer When Downgrade: Referrer information is withheld only when the protocol is downgraded (e.g. an HTTPS page loading an HTTP resource, or navigating from an HTTPS page to an HTTP page). This is the rule most browsers currently apply by default;
  • Origin Only: send only the host part of the Referrer. With this rule, regardless of whether a protocol downgrade occurs and whether the link is internal or external, Referrer information is always sent, but it contains only the protocol + host (no path, query parameters, etc.);
  • Origin When Cross-origin: send a Referrer containing only the host when the access is cross-origin; within the same origin the full Referrer is sent. It differs from Origin Only by the additional check for whether the request is cross-origin. Note that only when the protocol, domain name and port are all the same does the browser treat two pages as the same origin;
  • Unsafe URL: regardless of protocol downgrade, and whether the link is internal or external, the full Referrer information is always sent. As the name suggests, this is the most permissive and least secure policy;


Knowing which policies are available, you also need to know how to use them. There are three ways to specify the Referrer Policy:

1. CSP response header

CSP (Content Security Policy) is a specification for page content security.

The server uses the Content-Security-Policy field in the HTTP response header to tell the browser which CSP policy the current page uses. I have written an introduction to Content Security Policy before,

which you can take a look at. CSP now also has a referrer directive whose value can be one of five options, specifying the Referrer policy in a very simple format:

Content-Security-Policy: referrer no-referrer|no-referrer-when-downgrade|origin|origin-when-cross-origin|unsafe-url;


Note: according to the documentation, when setting the Origin When Cross-origin policy through the CSP header, the directive value should be origin-when-cross-origin,

which differs from the origin-when-crossorigin in the table above. In fact, in my tests, Chrome 42 only supports origin-when-crossorigin;

whether this will change later is unknown, so it is recommended that you test it first before using it.

In CSP, a directive and its value are separated by spaces, and multiple directives are separated by semicolons.

2. <meta> tag

The <meta> tag can also specify the Referrer policy, and it is equally simple:

<meta name="referrer" content="no-referrer|no-referrer-when-downgrade|origin|origin-when-crossorigin|unsafe-url">

Note that <meta> only takes effect when placed between <head> ... </head>; anywhere else it is ignored. Likewise, if no content attribute is defined for it, or the content attribute is empty, it is ignored. If the value of the content attribute is not a legal one, the browser automatically selects the strictest policy, no-referrer.

3. referrer attribute on the tag

You can also specify the Referrer policy for a single link by adding the referrer attribute to the <a> tag, in the following format:

<a href="" referrer="no-referrer|origin|unsafe-url">xxx</a>


This approach only affects that one link. Moreover, only three Referrer policies are available on the <a> tag: do not send, send only the host, and send everything.

In addition, the policy set on a single link in this way takes priority over CSP and <meta>.

To repeat, at this stage browsers still support never, default and always, but their use is no longer recommended.

As can be seen, with the new Referrer policies, site owners can choose a higher security level to ensure that users' privacy is not compromised;

or they can choose a lower security level to gain some convenience. Compared with the single browser-wide default policy of before, this is much more flexible.
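The five policies and the fallback rules described above (legacy names still honoured, an invalid value becoming no-referrer, same origin meaning same protocol, host and port), as an added Python example that is not part of the original post: it computes the Referer value a browser would send for a navigation or resource request under each policy. The URLs are constructed samples. Browsers today read the same policy names from the Referrer-Policy response header, which replaced the CSP referrer directive; the decision logic is unchanged.

```python
from urllib.parse import urlsplit

# Policy names from the table above; legacy values are still honoured by browsers
POLICIES = {"no-referrer", "no-referrer-when-downgrade", "origin",
            "origin-when-cross-origin", "unsafe-url"}
LEGACY = {"never": "no-referrer", "default": "no-referrer-when-downgrade",
          "always": "unsafe-url", "origin-when-crossorigin": "origin-when-cross-origin"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def resolve_policy(value):
    """Normalise a policy token; an unknown or empty value falls back to the
    strictest policy, no-referrer, as the <meta> rule above describes."""
    token = (value or "").strip().lower()
    token = LEGACY.get(token, token)
    return token if token in POLICIES else "no-referrer"


def origin_of(url):
    """scheme://host[:port]; scheme, host and port together form the origin."""
    p = urlsplit(url)
    scheme, host = p.scheme.lower(), (p.hostname or "").lower()
    port = p.port if p.port and p.port != DEFAULT_PORTS.get(scheme) else None
    return f"{scheme}://{host}:{port}" if port else f"{scheme}://{host}"


def full_referrer(url):
    """The complete form: userinfo and the #fragment are never sent in Referer."""
    p = urlsplit(url)
    out = origin_of(url) + (p.path or "/")
    return f"{out}?{p.query}" if p.query else out


def referer_for(policy, source_url, target_url):
    """Referer value a browser sends for a request from source_url to
    target_url under `policy`, or None when no Referer is sent at all."""
    policy = resolve_policy(policy)
    downgrade = (urlsplit(source_url).scheme.lower() == "https"
                 and urlsplit(target_url).scheme.lower() == "http")
    same_origin = origin_of(source_url) == origin_of(target_url)
    origin_only = origin_of(source_url) + "/"   # origin-only Referer carries a trailing slash

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_referrer(source_url)
    if policy == "origin":
        return origin_only
    if policy == "origin-when-cross-origin":
        return full_referrer(source_url) if same_origin else origin_only
    return full_referrer(source_url)            # unsafe-url: always the full URL


if __name__ == "__main__":
    # Constructed sample: an HTTPS shop page requesting an image from a plain-HTTP CDN
    page = "https://shop.example.com:8443/cart/checkout?id=42#step2"
    for name in ("no-referrer", "default", "origin", "origin-when-crossorigin", "always"):
        print(f"{name:28} -> {referer_for(name, page, 'http://cdn.example.net/a.png')}")
```

Running the module prints one line per policy for the sample page; the downgrade case shows why the default policy already hides the query string from a plain-HTTP third party, while unsafe-url leaks it.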


What is Accept?

Accept indicates the data types the sending side (the client) wishes to receive.

1. Accept belongs to the request headers; Content-Type belongs to the entity headers.
HTTP headers are divided into general headers, request headers, response headers and entity headers. Structure of the request side: general headers | request headers | entity headers. Structure of the response side: general headers | response headers | entity headers.

For example: Accept: text/xml (application/json);
means the client is willing to accept data of type XML (JSON).

Content-Type indicates the data type of the entity body sent by the sender (client | server).

For example: Content-Type: text/html (application/json);

means the format of the data sent by the sender is HTML (JSON).
Taken together, the two mean:

the client wants to receive data in XML format, while the data sent in this request is in HTML format.

If the type specified in Accept is inconsistent with the type returned in the response, a 406 Not Acceptable error occurs. The corresponding code in a Java Spring project is:

HttpHeaders headers = new HttpHeaders();
// MediaType.APPLICATION_JSON_UTF8_VALUE is already a String constant, so no toString() is needed
headers.add("Accept", MediaType.APPLICATION_JSON_UTF8_VALUE);

If an Accept header is added to the request, then in @RequestMapping, produces = "*/*" or produces = "application/json"





Accept-Encoding is sent by the browser to the server to declare the content encodings (compression) the browser supports:

       Accept-Encoding: compress, gzip                      // supports compress and gzip (compression)
       Accept-Encoding:                                     // default is identity
       Accept-Encoding: *                                   // supports all types
       Accept-Encoding: compress;q=0.5, gzip;q=1.0          // preference order: gzip, compress
       Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0  // preference order: gzip, identity
       The corresponding response header in which the server declares the encoding it used is Content-Encoding.


  1. If the server can return any one of the encodings defined in Accept-Encoding, the request is handled successfully (unless the q value is 0; q=0 means not acceptable).
  2. * stands for any encoding (other than the ones explicitly listed in Accept-Encoding).
  3. If several encodings match at the same time, they are ranked by q value.
  4. identity is always an acceptable encoding (unless it is explicitly marked q=0).

If the Accept-Encoding value is empty, only identity is acceptable.
If the server cannot return any of the types listed in Accept-Encoding, it should return a 406 error to the client.
If the request has no Accept-Encoding, the server assumes every encoding is acceptable.
If identity is listed in Accept-Encoding, identity should be returned preferentially (unless q values say otherwise, or you consider another type more meaningful).
If the server does not support identity and the browser did not send Accept-Encoding, the server should prefer the HTTP/1.0 "gzip" and "compress" encodings.
The server may send a more suitable encoding depending on the client type.
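Both the Accept discussion (406 when nothing the handler can produce matches) and the Accept-Encoding rules just listed, as an added Python example that is not from the original page: parse_q_list handles the q-weighted list syntax, choose_encoding applies rules 1 to 4 above together with the empty and absent header cases, and choose_media_type does the same for Accept against a handler's list of producible types (the role of Spring's produces), returning None wherever the server should answer 406. One point goes beyond the list above and is taken from RFC 7231: *;q=0 also excludes an identity that is not listed explicitly. All header values in the tests are constructed samples.

```python
def parse_q_list(header):
    """Parse 'gzip;q=1.0, identity; q=0.5, *;q=0' into [(token, q), ...] in the
    order written. Parameters other than q (e.g. charset) are ignored."""
    items = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        pieces = [p.strip() for p in part.split(";")]
        token, q = pieces[0].lower(), 1.0
        for param in pieces[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value.strip())
                except ValueError:
                    q = 0.0                     # malformed weight: treat as not acceptable
        items.append((token, min(max(q, 0.0), 1.0)))
    return items


def choose_encoding(accept_encoding, available):
    """Pick the content-coding to use from `available` (server preference order).
    Returns None when nothing is acceptable, i.e. the server should answer 406."""
    if accept_encoding is None:
        return available[0]                     # header absent: every encoding is acceptable
    prefs = parse_q_list(accept_encoding)
    if not prefs:
        return "identity"                       # empty value: only identity is acceptable
    explicit = dict(prefs)

    def weight(enc):
        if enc in explicit:
            return explicit[enc]                # rule 1: listed explicitly; q=0 excludes it
        if "*" in explicit:
            return explicit["*"]                # rule 2: * covers encodings not listed (RFC 7231: *;q=0 excludes identity too)
        return 1.0 if enc == "identity" else 0.0  # rule 4: identity is implicitly acceptable

    ranked = sorted(((weight(e), e) for e in available if weight(e) > 0),
                    key=lambda pair: -pair[0])  # rule 3: highest q first; stable, so server order breaks ties
    return ranked[0][1] if ranked else None


def _specificity(pattern, offered):
    """3 = exact match, 2 = type/* match, 1 = */* match, 0 = no match."""
    ptype, _, psub = pattern.partition("/")
    otype, _, osub = offered.partition("/")
    if pattern == offered:
        return 3
    if ptype == otype and psub == "*":
        return 2
    if ptype == "*" and psub == "*":
        return 1
    return 0


def choose_media_type(accept, produces):
    """Pick the representation to send from `produces` (the media types the
    handler can generate). None means 406 Not Acceptable."""
    if accept is None:
        return produces[0]
    prefs = parse_q_list(accept)
    best = None
    for offered in produces:
        offered_l = offered.lower()
        # the most specific Accept entry that matches decides the weight
        matches = [(_specificity(tok, offered_l), q) for tok, q in prefs]
        matches = [m for m in matches if m[0] > 0]
        if not matches:
            continue
        _, q = max(matches)
        if q > 0 and (best is None or q > best[0]):
            best = (q, offered)
    return best[1] if best else None


if __name__ == "__main__":
    # Constructed samples mirroring the header lines listed above
    print(choose_encoding("gzip;q=1.0, identity; q=0.5, *;q=0", ["br", "identity"]))
    print(choose_media_type("text/xml", ["text/html"]))   # None -> 406
```

Note the asymmetry a server must get right: a missing Accept-Encoding means "anything", an empty one means "identity only", and a client that excludes identity with q=0 and lists nothing the server supports leaves no legal answer but 406.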






(1) Request:

[1] no-cache ---- do not read the file from the cache; require a fresh request to the web server

[2] no-store ---- both the request and the response are forbidden from being cached
[3] max-age ---- within max-age seconds after visiting this page, visiting it again does not send a request to the server; similar in function to Expires

[4] max-stale ---- allow reading cached objects whose time past expiry is less than the max-stale value
[5] min-fresh ---- accept cached objects whose max-age lifetime exceeds their current age plus the min-fresh value

[6] only-if-cached ---- tells the cache: I want the content to come from the cache, and I do not care whether the cached response is fresh

[7] no-transform ---- tells proxies not to change the media type, e.g. turning a jpg into a png


(2) Response:

[1] public ---- all content is stored, even password-protected pages; very low security
[2] private ---- content may only be stored in a private cache, valid for a single user only and not shareable
[3] no-cache ---- may be cached, but may only be returned to the client after validating with the web server that it is still valid

[4] no-store ---- both the request and the response are forbidden from being cached

[5] max-age ---- expiry time of the objects contained in this response
[6] must-revalidate ---- if the cached copy has expired, confirm with the origin server (not an intermediate proxy) whether the data is the latest

[7] max-stale ---- allow reading cached objects whose time past expiry is less than the max-stale value

[8] proxy-revalidate ---- similar to must-revalidate, with the difference that proxy-revalidate excludes the user agent's cache, i.e. its rule does not apply to the user agent's local cache

[9] s-maxage ---- the only difference from max-age is that s-maxage applies only to shared caches, not to single-user caches such as the user agent's local cache; in addition, s-maxage takes priority over max-age

[10] no-transform ---- tells proxies not to change the media type, e.g. turning a jpg into a png
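The request and response directives above, as an added Python example that is not from the original page: parse_cache_control splits a header into directives, and cache_decision combines them (no-store, private, no-cache, max-age and s-maxage, min-fresh, max-stale, must-revalidate, proxy-revalidate) into the action a cache of the given kind should take for a stored copy that is age seconds old. only-if-cached is modelled as described above (serve the cached copy regardless of freshness); the header values in the tests are constructed samples.

```python
def parse_cache_control(value):
    """'max-age=60, no-cache' -> {'max-age': 60, 'no-cache': True}."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if arg == "":
            directives[name] = True
        elif arg.isdigit():
            directives[name] = int(arg)
        else:
            directives[name] = arg
    return directives


def _seconds(directives, name):
    """Integer argument of a directive, or None if absent or bare (bool is an int in Python)."""
    v = directives.get(name)
    return v if isinstance(v, int) and not isinstance(v, bool) else None


def cache_decision(request_cc, response_cc, age, shared_cache=False):
    """Decide what a cache holding a copy `age` seconds old should do.

    Returns one of:
      'do-not-store'  the response must not be kept in this cache at all
      'serve-fresh'   serve from cache, the copy is still fresh
      'serve-stale'   serve the expired copy (the client allowed it via max-stale)
      'serve-cached'  serve whatever is cached (the client sent only-if-cached)
      'revalidate'    ask the origin server before reusing the copy
    """
    req = parse_cache_control(request_cc)
    resp = parse_cache_control(response_cc)

    if "no-store" in req or "no-store" in resp:
        return "do-not-store"
    if shared_cache and "private" in resp:
        return "do-not-store"             # private: single-user caches only
    if "no-cache" in req:
        return "revalidate"               # client refuses any cached copy without a check
    if "only-if-cached" in req:
        return "serve-cached"             # client does not care about freshness (as described above)
    if "no-cache" in resp:
        return "revalidate"               # storable, but must be validated before every use

    # s-maxage takes priority over max-age, but only in shared caches
    lifetime = _seconds(resp, "s-maxage") if shared_cache else None
    if lifetime is None:
        lifetime = _seconds(resp, "max-age")
    if lifetime is None:
        return "revalidate"               # no explicit freshness lifetime in this model

    remaining = lifetime - age
    min_fresh = _seconds(req, "min-fresh") or 0
    if remaining > min_fresh:             # lifetime must exceed age (+ min-fresh) to count as fresh
        return "serve-fresh"

    # stale: must-revalidate (and proxy-revalidate in shared caches) forbid serving it
    if "must-revalidate" in resp or (shared_cache and "proxy-revalidate" in resp):
        return "revalidate"
    if req.get("max-stale") is True:      # bare max-stale: any amount of staleness accepted
        return "serve-stale"
    max_stale = _seconds(req, "max-stale")
    if max_stale is not None and -remaining <= max_stale:
        return "serve-stale"
    return "revalidate"


if __name__ == "__main__":
    # Constructed sample: a CDN (shared cache) versus a browser (private cache) holding the same 2-minute-old copy
    for shared in (True, False):
        print("shared" if shared else "private", cache_decision(None, "max-age=600, s-maxage=60", 120, shared))
```

The s-maxage case is the one that surprises people: the same response is still fresh in the browser for eight more minutes but must already be revalidated by the CDN, which is exactly the split the directive exists for.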






  • Connection: keep-alive, enables HTTP persistent connections; the default in HTTP 1.1
  • Connection: close, disables HTTP persistent connections; the default in HTTP 1.0
Difference between HTTP keep-alive and TCP keep-alive
  • The HTTP keep-alive parameter is a solution proposed to reduce TCP connection setup and teardown; an HTTP persistent connection is a long-lived TCP connection.
  • The TCP keep-alive parameter mainly probes whether a long-lived connection is still alive, i.e. the TCP keepalive function.

This article puts the HTTP Connection header into practice, comparing how the two values keep-alive/close behave at the HTTP and TCP levels. The back end uses Spring Boot + Java, the front end HTML + CSS.

HTTP request header Connection

If the client wants HTTP to use a persistent connection, it specifies Connection: keep-alive in the request header; otherwise it specifies Connection: close.







The Origin header of the HTTP protocol appears in requests and indicates which site the current request comes from.







HTTP Referer is part of the header; when the browser sends a request to a web server, it usually includes the Referer,





The User-Agent header contains a characteristic string that lets the peer of the network protocol identify the application type, operating system, software vendor and version of the user agent software that issued the request.









Content-Type (content type) generally refers to the Content-Type present in a web page; it defines the type of a network file and the encoding of the page, and decides in what form and with what encoding the browser will read the file.


text/html : HTML format
text/plain : plain text format
text/xml : XML format
image/gif : GIF image format
image/jpeg : JPEG image format

application/xhtml+xml : XHTML format
application/xml : XML data format
application/atom+xml : Atom XML feed format
application/json : JSON data format
application/msword : Word document format
application/octet-stream : binary stream data (e.g. a typical file download)
application/x-www-form-urlencoded : the default encType of <form encType="">;
form data is encoded as key/value pairs and sent to the server (the default format for submitting form data). Another common media type is the one used when uploading files:
multipart/form-data : required when a file upload is performed from a form
File extension    Content-Type (MIME type)    File extension    Content-Type (MIME type)
.* (binary stream, unknown download file type)    application/octet-stream    .tif    image/tiff
.001    application/x-001    .301    application/x-301
.323    text/h323    .906    application/x-906
.907    drawing/907    .a11    application/x-a11
.acp    audio/x-mei-aac    .ai    application/postscript
.aif    audio/aiff    .aifc    audio/aiff
.aiff    audio/aiff    .anv    application/x-anv
.asa    text/asa    .asf    video/x-ms-asf
.asp    text/asp    .asx    video/x-ms-asf
.au    audio/basic    .avi    video/avi
.awf    application/vnd.adobe.workflow    .biz    text/xml
.bmp    application/x-bmp    .bot    application/x-bot
.c4t    application/x-c4t    .c90    application/x-c90
.cal    application/x-cals    .cat    application/
.cdf    application/x-netcdf    .cdr    application/x-cdr
.cel    application/x-cel    .cer    application/x-x509-ca-cert
.cg4    application/x-g4    .cgm    application/x-cgm
.cit    application/x-cit    .class    java/*
.cml    text/xml    .cmp    application/x-cmp
.cmx    application/x-cmx    .cot    application/x-cot
.crl    application/pkix-crl    .crt    application/x-x509-ca-cert
.csi    application/x-csi    .css    text/css
.cut    application/x-cut    .dbf    application/x-dbf
.dbm    application/x-dbm    .dbx    application/x-dbx
.dcd    text/xml    .dcx    application/x-dcx
.der    application/x-x509-ca-cert    .dgn    application/x-dgn
.dib    application/x-dib    .dll    application/x-msdownload
.doc    application/msword    .dot    application/msword
.drw    application/x-drw    .dtd    text/xml
.dwf    Model/vnd.dwf    .dwf    application/x-dwf
.dwg    application/x-dwg    .dxb    application/x-dxb
.dxf    application/x-dxf    .edn    application/vnd.adobe.edn
.emf    application/x-emf    .eml    message/rfc822
.ent    text/xml    .epi    application/x-epi
.eps    application/x-ps    .eps    application/postscript
.etd    application/x-ebx    .exe    application/x-msdownload
.fax    image/fax    .fdf    application/vnd.fdf
.fif    application/fractals    .fo    text/xml
.frm    application/x-frm    .g4    application/x-g4
.gbr    application/x-gbr    .    application/x-
.gif    image/gif    .gl2    application/x-gl2
.gp4    application/x-gp4    .hgl    application/x-hgl
.hmr    application/x-hmr    .hpg    application/x-hpgl
.hpl    application/x-hpl    .hqx    application/mac-binhex40
.hrf    application/x-hrf    .hta    application/hta
.htc    text/x-component    .htm    text/html
.html    text/html    .htt    text/webviewhtml
.htx    text/html    .icb    application/x-icb
.ico    image/x-icon    .ico    application/x-ico
.iff    application/x-iff    .ig4    application/x-g4
.igs    application/x-igs    .iii    application/x-iphone
.img    application/x-img    .ins    application/x-internet-signup
.isp    application/x-internet-signup    .IVF    video/x-ivf
.java    java/*    .jfif    image/jpeg
.jpe    image/jpeg    .jpe    application/x-jpe
.jpeg    image/jpeg    .jpg    image/jpeg
.jpg    application/x-jpg    .js    application/x-javascript
.jsp    text/html    .la1    audio/x-liquid-file
.lar    application/x-laplayer-reg    .latex    application/x-latex
.lavs    audio/x-liquid-secure    .lbm    application/x-lbm
.lmsff    audio/x-la-lms    .ls    application/x-javascript
.ltr    application/x-ltr    .m1v    video/x-mpeg
.m2v    video/x-mpeg    .m3u    audio/mpegurl
.m4e    video/mpeg4    .mac    application/x-mac
.man    application/x-troff-man    .math    text/xml
.mdb    application/msaccess    .mdb    application/x-mdb
.mfp    application/x-shockwave-flash    .mht    message/rfc822
.mhtml    message/rfc822    .mi    application/x-mi
.mid    audio/mid    .midi    audio/mid
.mil    application/x-mil    .mml    text/xml
.mnd    audio/x-musicnet-download    .mns    audio/x-musicnet-stream
.mocha    application/x-javascript    .movie    video/x-sgi-movie
.mp1    audio/mp1    .mp2    audio/mp2
.mp2v    video/mpeg    .mp3    audio/mp3
.mp4    video/mpeg4    .mpa    video/x-mpg
.mpd    application/    .mpe    video/x-mpeg
.mpeg    video/mpg    .mpg    video/mpg
.mpga    audio/rn-mpeg    .mpp    application/
.mps    video/x-mpeg    .mpt    application/
.mpv    video/mpg    .mpv2    video/mpeg
.mpw    application/    .mpx    application/
.mtx    text/xml    .mxp    application/x-mmxp
.net    image/pnetvue    .nrf    application/x-nrf
.nws    message/rfc822    .odc    text/x-ms-odc
.out    application/x-out    .p10    application/pkcs10
.p12    application/x-pkcs12    .p7b    application/x-pkcs7-certificates
.p7c    application/pkcs7-mime    .p7m    application/pkcs7-mime
.p7r    application/x-pkcs7-certreqresp    .p7s    application/pkcs7-signature
.pc5    application/x-pc5    .pci    application/x-pci
.pcl    application/x-pcl    .pcx    application/x-pcx
.pdf    application/pdf    .pdf    application/pdf
.pdx    application/vnd.adobe.pdx    .pfx    application/x-pkcs12
.pgl    application/x-pgl    .pic    application/x-pic
.pko    application/    .pl    application/x-perl
.plg    text/html    .pls    audio/scpls
.plt    application/x-plt    .png    image/png
.png    application/x-png    .pot    application/
.ppa    application/    .ppm    application/x-ppm
.pps    application/    .ppt    application/
.ppt    application/x-ppt    .pr    application/x-pr
.prf    application/pics-rules    .prn    application/x-prn
.prt    application/x-prt    .ps    application/x-ps
.ps    application/postscript    .ptn    application/x-ptn
.pwz    application/    .r3t    text/vnd.rn-realtext3d
.ra    audio/vnd.rn-realaudio    .ram    audio/x-pn-realaudio
.ras    application/x-ras    .rat    application/rat-file
.rdf    text/xml    .rec    application/vnd.rn-recording
.red    application/x-red    .rgb    application/x-rgb
.rjs    application/vnd.rn-realsystem-rjs    .rjt    application/vnd.rn-realsystem-rjt
.rlc    application/x-rlc    .rle    application/x-rle
.rm    application/vnd.rn-realmedia    .rmf    application/vnd.adobe.rmf
.rmi    audio/mid    .rmj    application/vnd.rn-realsystem-rmj
.rmm    audio/x-pn-realaudio    .rmp    application/vnd.rn-rn_music_package
.rms    application/vnd.rn-realmedia-secure    .rmvb    application/vnd.rn-realmedia-vbr
.rmx    application/vnd.rn-realsystem-rmx    .rnx    application/vnd.rn-realplayer
.rp    image/vnd.rn-realpix    .rpm    audio/x-pn-realaudio-plugin
.rsml    application/vnd.rn-rsml    .rt    text/vnd.rn-realtext
.rtf    application/msword    .rtf    application/x-rtf
.rv    video/vnd.rn-realvideo    .sam    application/x-sam
.sat    application/x-sat    .sdp    application/sdp
.sdw    application/x-sdw    .sit    application/x-stuffit
.slb    application/x-slb    .sld    application/x-sld
.slk    drawing/x-slk    .smi    application/smil
.smil    application/smil    .smk    application/x-smk
.snd    audio/basic    .sol    text/plain
.sor    text/plain    .spc    application/x-pkcs7-certificates
.spl    application/futuresplash    .spp    text/xml
.ssm    application/streamingmedia    .sst    application/
.stl    application/    .stm    text/html
.sty    application/x-sty    .svg    text/xml
.swf    application/x-shockwave-flash    .tdf    application/x-tdf
.tg4    application/x-tg4    .tga    application/x-tga
.tif    image/tiff    .tif    application/x-tif
.tiff    image/tiff    .tld    text/xml
.top    drawing/x-top    .torrent    application/x-bittorrent
.tsd    text/xml    .txt    text/plain
.uin    application/x-icq    .uls    text/iuls
.vcf    text/x-vcard    .vda    application/x-vda
.vdx    application/vnd.visio    .vml    text/xml
.vpg    application/x-vpeg005    .vsd    application/vnd.visio
.vsd    application/x-vsd    .vss    application/vnd.visio
.vst    application/vnd.visio    .vst    application/x-vst
.vsw    application/vnd.visio    .vsx    application/vnd.visio
.vtx    application/vnd.visio    .vxml    text/xml
.wav    audio/wav    .wax    audio/x-ms-wax
.wb1    application/x-wb1    .wb2    application/x-wb2
.wb3    application/x-wb3    .wbmp    image/vnd.wap.wbmp
.wiz    application/msword    .wk3    application/x-wk3
.wk4    application/x-wk4    .wkq    application/x-wkq
.wks    application/x-wks    .wm    video/x-ms-wm
.wma    audio/x-ms-wma    .wmd    application/x-ms-wmd
.wmf    application/x-wmf    .wml    text/vnd.wap.wml
.wmv    video/x-ms-wmv    .wmx    video/x-ms-wmx
.wmz    application/x-ms-wmz    .wp6    application/x-wp6
.wpd    application/x-wpd    .wpg    application/x-wpg
.wpl    application/    .wq1    application/x-wq1
.wr1    application/x-wr1    .wri    application/x-wri
.wrk    application/x-wrk    .ws    application/x-ws
.ws2    application/x-ws    .wsc    text/scriptlet
.wsdl    text/xml    .wvx    video/x-ms-wvx
.xdp    application/vnd.adobe.xdp    .xdr    text/xml
.xfd    application/vnd.adobe.xfd    .xfdf    application/vnd.adobe.xfdf
.xhtml    text/html    .xls    application/
.xls    application/x-xls    .xlw    application/x-xlw
.xml    text/xml    .xpl    audio/scpls
.xq    text/xml    .xql    text/xml
.xquery    text/xml    .xsd    text/xml
.xsl    text/xml    .xslt    text/xml
.xwd    application/x-xwd    .x_b    application/x-x_b
.sis    application/vnd.symbian.install    .sisx    application/vnd.symbian.install
.x_t    application/x-x_t    .ipa    application/vnd.iphone
.apk    application/    .xap    application/x-silverlight-app




A Server header value such as WSGIServer/0.2 CPython/3.7.2 indicates the language and server software used on the server side.






Vary is an HTTP response header; it determines, for a future request header,


It is used by the server to indicate which request headers should be used in the content negotiation algorithm when selecting a representation of a resource.



The X-Frame-Options HTTP response header is used to tell the browser whether a page is allowed

to be displayed in a <frame>, <iframe>, <embed> or <object>.

A site can use it to ensure that its pages are not embedded in someone else's site, thereby avoiding clickjacking attacks.



Using X-Frame-Options


X-Frame-Options has three values:


DENY: the page may not be displayed in a frame, not even when nested in a page of the same domain.
SAMEORIGIN: the page may be displayed in a frame of a page from the same domain.
ALLOW-FROM uri: the page may be displayed in a frame from the specified origin.


In other words, with DENY the page fails to load not only when framed by someone else's site,

but also when framed by a page of the same domain. With SAMEORIGIN, on the other hand, the page may be nested in a frame of a same-domain page.
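Both sides of the header, as an added Python example that is not from the original page: frame_allowed models the browser's decision for each of the three values (same origin meaning same scheme, host and port), and frame_protection is a small WSGI middleware (a deployment style assumed here, not something the page describes) that stamps the header onto every response so the application cannot be framed by another site. The hello_app and the URLs in the tests are constructed samples.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_key(url):
    """(scheme, host, port) with the default port filled in: the same-origin tuple."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def frame_allowed(xfo_value, framed_url, top_url):
    """Would a browser honouring X-Frame-Options render framed_url inside a
    frame on the page top_url?  xfo_value is the header the framed page sent."""
    if xfo_value is None:
        return True                                  # header absent: framing allowed anywhere
    value = xfo_value.strip()
    upper = value.upper()
    if upper == "DENY":
        return False
    if upper == "SAMEORIGIN":
        return _origin_key(framed_url) == _origin_key(top_url)
    if upper.startswith("ALLOW-FROM"):
        allowed = value[len("ALLOW-FROM"):].strip()
        return _origin_key(allowed) == _origin_key(top_url)
    return True   # assumption of this checker: an unrecognised value gives no protection


def frame_protection(app, value="DENY"):
    """WSGI middleware (assumed deployment style) that sets X-Frame-Options on
    every response, replacing any value the wrapped app may have set."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", value))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped


def hello_app(environ, start_response):
    """Constructed sample app that sets a weaker value the middleware overrides."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("X-Frame-Options", "ALLOW-FROM https://partner.example")])
    return [b"<p>hello</p>"]


def response_headers(app, environ=None):
    """Run a WSGI app once and return the header list it emitted."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = app(environ or {}, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured["headers"]


if __name__ == "__main__":
    print(response_headers(frame_protection(hello_app, "SAMEORIGIN")))
    print(frame_allowed("SAMEORIGIN", "https://bank.example/account", "https://evil.example/"))
```

The middleware deliberately replaces rather than appends: two X-Frame-Options values in one response leave the browser's interpretation up to the browser, so a wrapper that claims to enforce DENY must make sure only its own value reaches the client.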





6. Headers

6.1 General header fields

Header field name     Description
Cache-Control         Controls caching behaviour
Connection            Connection management
Date                  Date of the message
Pragma                Message directives
Trailer               Headers placed at the end of the message
Transfer-Encoding     Transfer encoding of the message body
Upgrade               Upgrade to another protocol
Via                   Proxy server information
Warning               Error notification

6.2 Request header fields

Header field name     Description
Accept                Media types the user agent can handle
Accept-Charset        Preferred character sets
Accept-Encoding       Preferred encodings
Accept-Language       Preferred languages
Authorization         Web authentication information
Expect                Expects specific behaviour from the server
From                  E-mail address of the user
Host                  Server on which the requested resource resides
If-Match              Compares entity tags
If-Modified-Since     Compares the resource's update time
If-None-Match         Compares entity tags
If-Range              Sends a byte-range request for the entity when the resource is unchanged
If-Unmodified-Since   Compares the resource's update time (the opposite of If-Modified-Since)
Max-Forwards          Maximum number of hops
Proxy-Authorization   Proxy server requires client authentication
Range                 Byte-range request for the entity
Referer               Where the URI in the request was originally obtained
TE                    Priority of transfer encodings
User-Agent            Information about the HTTP client program

6.3 Response header fields

Header field name     Description
Accept-Ranges         Whether byte ranges are accepted
Age                   Elapsed time since the resource was created
ETag                  Matching information for the resource
Location              Redirects the client to the specified URI
Proxy-Authenticate    Proxy server's authentication information for the client
Retry-After           When to send the request again
Server                Server information
Vary                  Cache management information for proxy servers
WWW-Authenticate      Server's authentication of the client

6.4 Entity header fields

Header field name     Description
Allow                 HTTP methods supported by the resource
Content-Encoding      Encoding of the entity
Content-Language      Natural language of the entity
Content-Length        Size of the entity body (in bytes)
Content-Location      URI of an alternative for the resource
Content-MD5           Message digest of the entity
Content-Range         Position range of the entity
Content-Type          Media type of the entity body
Expires               Expiry time of the entity
Last-Modified         Last modification time of the resource



Request header field    Description                                      Response header field
Accept                  Tells the server which media type to send        Content-Type
Accept-Language         Tells the server which language to send          Content-Language
Accept-Charset          Tells the server which character set to send     Content-Type
Accept-Encoding         Tells the server which compression to use        Content-Encoding
