  • The HTTP Server-Timing response header communicates one or more performance metrics about the request-response cycle to the user agent. It is used to surface backend server timing metrics (for example, database read/write, CPU time, file system access, etc.) in the developer tools in the user's browser or in the PerformanceServerTiming interface.

    Header type: Response header
    Forbidden request header: No
  • Syntax

    http
    // A single metric
    Server-Timing: <timing-metric>
    
    // Multiple metrics as a comma-separated list
    Server-Timing: <timing-metric>, …, <timing-metricN>
    

    A <timing-metric> has a name, and may include an optional duration and an optional description. For example:

    http
    // A metric with a name only
    Server-Timing: missedCache
    
    // A metric with a duration
    Server-Timing: cpu;dur=2.4
    
    // A metric with a description and duration
    Server-Timing: cache;desc="Cache Read";dur=23.2
    
    // Two metrics with duration values
    Server-Timing: db;dur=53, app;dur=47.2
    

    Directives

    <timing-metric>

    A comma-separated list of one or more metrics with the following components separated by semi-colons:

    <name>

    A name token (no spaces or special characters) for the metric that is implementation-specific or defined by the server, like cacheHit.

    <duration> Optional

    A duration as the string dur, followed by =, followed by a value, like dur=23.2.

    <description> Optional

    A description as the string desc, followed by =, followed by a value as a token or a quoted string, like desc=prod or desc="DB lookup".

    Names and descriptions should be kept as short as possible (for example, use abbreviations and omit optional values) to minimize HTTP data overhead.

    Description

    Privacy and security

    The Server-Timing header may expose potentially sensitive application and infrastructure information. Decide which metrics to send, when to send them, and who should see them based on the use case. For example, you may decide to only show metrics to authenticated users and nothing on public responses.

    PerformanceServerTiming interface

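    In addition to having Server-Timing header metrics appear in the developer tools of the browser, the PerformanceServerTiming interface enables tools to automatically collect and process metrics from JavaScript. The interface is restricted to the same origin, but you can use the Timing-Allow-Origin header to specify the domains that are allowed to access the server metrics. The interface is only available in secure contexts (HTTPS) in some browsers.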

    The components of the Server-Timing header map to the PerformanceServerTiming properties as follows:
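As an added example (not part of the original page), the JavaScript below parses a Server-Timing value into entries with the name, duration and description properties that PerformanceServerTiming exposes, then applies the advice under "Privacy and security" by keeping only allowlisted metric names, without descriptions, on responses to unauthenticated clients. The function names and the allowlist parameter are assumptions made for illustration.

```javascript
// Added example; function names and the allowlist are illustrative assumptions.
// Split `text` on `sep`, ignoring separators inside double-quoted strings.
function splitOutsideQuotes(text, sep) {
  const parts = [];
  let current = "", inQuotes = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inQuotes && ch === "\\" && i + 1 < text.length) {
      current += ch + text[++i]; // keep an escaped character with its backslash
    } else if (ch === sep && !inQuotes) {
      parts.push(current);
      current = "";
    } else {
      if (ch === '"') inQuotes = !inQuotes;
      current += ch;
    }
  }
  parts.push(current);
  return parts.map((p) => p.trim()).filter((p) => p !== "");
}

// Returns [{ name, duration, description }]; a missing dur maps to 0 and a missing desc to "".
function parseServerTiming(value) {
  return splitOutsideQuotes(value, ",").map((metric) => {
    const [name, ...params] = splitOutsideQuotes(metric, ";");
    const entry = { name, duration: 0, description: "" };
    for (const param of params) {
      const eq = param.indexOf("=");
      const key = (eq === -1 ? param : param.slice(0, eq)).trim().toLowerCase();
      let val = eq === -1 ? "" : param.slice(eq + 1).trim();
      if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) {
        val = val.slice(1, -1).replace(/\\(.)/g, "$1"); // unquote and unescape
      }
      if (key === "dur") entry.duration = Number.parseFloat(val) || 0;
      if (key === "desc") entry.description = val;
    }
    return entry;
  });
}

// For unauthenticated clients keep only allowlisted metric names and drop
// descriptions; an empty result means the header should be omitted entirely.
function redactServerTiming(value, { authenticated, publicAllowlist }) {
  if (authenticated) return value;
  return parseServerTiming(value)
    .filter((m) => publicAllowlist.has(m.name))
    .map((m) => (m.duration ? `${m.name};dur=${m.duration}` : m.name))
    .join(", ");
}
```

Run the redaction at the edge (reverse proxy or response middleware) so that metrics added by upstream services are filtered as well.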

    Examples

    Sending a metric using the Server-Timing header

    The following response includes a metric custom-metric with a duration of 123.45 milliseconds, and a description of "My custom metric":

    http
    Server-Timing: custom-metric;dur=123.45;desc="My custom metric"
    

    Server-Timing as HTTP trailer

    In the following response, the Trailer header is used to indicate that a Server-Timing header will follow the response body. A metric custom-metric with a duration of 123.4 milliseconds is sent.

    http
    HTTP/1.1 200 OK
    Transfer-Encoding: chunked
    Trailer: Server-Timing
    
    --- response body ---
    Server-Timing: custom-metric;dur=123.4
    

    Warning: Only the browser's DevTools can use the Server-Timing header as an HTTP trailer to display information in the Network -> Timings tab. The Fetch API cannot access HTTP trailers. See Browser compatibility for more information.

    Specifications

    Specification
    Server Timing
    # the-server-timing-header-field

    Browser compatibility
