https://en.wikipedia.org/wiki/List_of_HTTP_header_fields#cite_note-52
Common non-standard response fields[edit]
| Field name | Description | Example |
|---|---|---|
| Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP[45] |
Content Security Policy definition. | X-WebKit-CSP: default-src 'self' |
| Refresh | Used in redirection, or when a new resource has been created. This refresh redirects after 5 seconds. Header extension introduced by Netscape and supported by most web browsers. | Refresh: 5; url=http://www.w3.org/pub/WWW/People.html |
| Status | CGI header field specifying the status of the HTTP response. Normal HTTP responses use a separate "Status-Line" instead, defined by RFC 7230.[46] | Status: 200 OK |
| Upgrade-Insecure-Requests[47] | Tells a server which (presumably in the middle of a HTTP -> HTTPS migration) hosts mixed content that the client would prefer redirection to HTTPS and can handle Content-Security-Policy: upgrade-insecure-requests
Must not be used with HTTP/2[9] |
Upgrade-Insecure-Requests: 1 |
| X-Content-Duration[48] | Provide the duration of the audio or video in seconds; only supported by Gecko browsers | X-Content-Duration: 42.666 |
| X-Content-Type-Options[49] | The only defined value, "nosniff", prevents Internet Explorer from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions.[50] | X-Content-Type-Options: nosniff[51] |
| X-Powered-By[52] | Specifies the technology (e.g. ASP.NET, PHP, JBoss) supporting the web application (version details are often in X-Runtime, X-Version, or X-AspNet-Version) |
X-Powered-By: PHP/5.4.0 |
| X-Request-ID, X-Correlation-ID[32] |
Correlates HTTP requests between a client and server. | X-Request-ID: f058ebd6-02f7-4d3f-942e-904344e8cde5 |
| X-UA-Compatible[53] | Recommends the preferred rendering engine (often a backward-compatibility mode) to use to display the content. Also used to activate Chrome Frame in Internet Explorer. | X-UA-Compatible: IE=EmulateIE7X-UA-Compatible: IE=edgeX-UA-Compatible: Chrome=1 |
| X-XSS-Protection[54] | Cross-site scripting (XSS) filter |
f