HTML

Structure of content on the web

  • Web APIs

    Interfaces for building web applications

  • Learn
  • HTTP Observatory

    Scan a website for free

  • HTTP
  • An overview of HTTP
  • Compression in HTTP
  • Redirections in HTTP
  • Connection management in HTTP/1.x
  • HTTP Client hints
  • Security and privacy
    1. Permissions Policy
    2. Headers
  • References
  • HTTP headers
    1. Accept-Language
    2. Access-Control-Allow-Credentials
    3. Access-Control-Expose-Headers
    4. Age
    5. Attribution-Reporting-Eligible
    6. Attribution-Reporting-Register-Source
    7. Attribution-Reporting-Register-Trigger
    8. Connection
    9. Content-DPR
    10. Content-Location
    11. Content-Type
    12. Critical-CH
    13. Date
    14. DNT
    15. Downlink
    16. DPR
    17. Early-Data
    18. ECT
    19. Expect-CT
    20. Host
    21. If-Range
    22. Link
    23. NEL
    24. No-Vary-Search
    25. Observe-Browsing-Topics
    26. Origin-Agent-Cluster
    27. Permissions-Policy
    28. Pragma
    29. Range
    30. Report-To
    31. Reporting-Endpoints
    32. RTT
    33. Save-Data
    34. Sec-Browsing-Topics
    35. Sec-CH-Prefers-Color-Scheme
    36. Sec-CH-Prefers-Reduced-Motion
    37. Sec-CH-Prefers-Reduced-Transparency
    38. Sec-CH-UA
    39. Sec-CH-UA-Arch
    40. Sec-CH-UA-Bitness
    41. Sec-CH-UA-Form-Factors
    42. Sec-CH-UA-Full-Version
    43. Sec-CH-UA-Full-Version-List
    44. Sec-CH-UA-Mobile
    45. Sec-CH-UA-Model
    46. Sec-CH-UA-Platform
    47. Sec-CH-UA-Platform-Version
    48. Sec-CH-UA-WoW64
    49. Sec-Fetch-User
    50. Sec-GPC
    51. Sec-WebSocket-Key
    52. Server-Timing
    53. Set-Cookie
    54. Set-Login
    55. Speculation-Rules
    56. Supports-Loading-Mode
    57. Tk
    58. Upgrade-Insecure-Requests
    59. Viewport-Width
    60. Warning
    61. Width
    62. X-DNS-Prefetch-Control
    63. X-Forwarded-For
    64. X-Forwarded-Host
    65. X-Forwarded-Proto
    66. X-Permitted-Cross-Domain-Policies
    67. X-Powered-By
    68. X-Robots-Tag
    69. X-XSS-Protection
  • HTTP request methods
    1. HEAD
    2. PUT
    3. 102 Processing
    4. 202 Accepted
    5. 206 Partial Content
    6. 300 Multiple Choices
    7. 304 Not Modified
    8. 401 Unauthorized
    9. 405 Method Not Allowed
    10. 409 Conflict
    11. 413 Content Too Large
    12. 417 Expectation Failed
    13. 423 Locked
    14. 428 Precondition Required
    15. 500 Internal Server Error
    16. 504 Gateway Timeout
    17. 508 Loop Detected
    18. CSP: block-all-mixed-content
    19. CSP: fenced-frame-src
    20. CSP: frame-src
    21. CSP: object-src
    22. CSP: prefetch-src
    23. CSP: report-uri
    24. CSP: require-trusted-types-for
    25. CSP: script-src-elem
    26. CSP: trusted-types
    27. Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'
    28. Reason: CORS request did not succeed
    29. Reason: Did not find method in CORS header 'Access-Control-Allow-Methods'
    30. Reason: missing token 'xyz' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel
    31. Permissions-Policy: accelerometer
    32. Permissions-Policy: ambient-light-sensor
    33. Permissions-Policy: attribution-reporting
    34. Permissions-Policy: autoplay
    35. Permissions-Policy: bluetooth
    36. Permissions-Policy: browsing-topics
    37. Permissions-Policy: camera
    38. Permissions-Policy: compute-pressure
    39. Permissions-Policy: cross-origin-isolated
    40. Permissions-Policy: display-capture
    41. Permissions-Policy: document-domain
    42. Permissions-Policy: encrypted-media
    43. Permissions-Policy: fullscreen
    44. Permissions-Policy: gamepad
    45. Permissions-Policy: geolocation
    46. Permissions-Policy: gyroscope
    47. Permissions-Policy: hid
    48. Permissions-Policy: identity-credentials-get
    49. Permissions-Policy: idle-detection
    50. Permissions-Policy: local-fonts
    51. Permissions-Policy: magnetometer
    52. Permissions-Policy: microphone
    53. Permissions-Policy: midi
    54. Permissions-Policy: otp-credentials
    55. Permissions-Policy: payment
    56. Permissions-Policy: picture-in-picture
    57. Permissions-Policy: publickey-credentials-create
    58. Permissions-Policy: publickey-credentials-get
    59. Permissions-Policy: screen-wake-lock
    60. Permissions-Policy: serial
    61. Permissions-Policy: speaker-selection
    62. Permissions-Policy: storage-access
    63. Permissions-Policy: usb
    64. Permissions-Policy: web-share
    65. Permissions-Policy: window-management
    66. Permissions-Policy: xr-spatial-tracking
  • informational response may be sent by a server while it is still preparing a response, with hints about the sites and resources that the server expects the final response will link to. This allows a browser to preloading resources even before the server has prepared and sent a final response. Preloaded resources indicated by early hints are fetched by the client as soon as the hints are received.

    The early hint response is primarily intended for use with the Link header, which indicates the resources to be loaded. It may also contain a Content-Security-Policy header that is enforced while processing the early hint.

    A server might send multiple 103 responses, for example, following a redirect. Browsers only process the first early hints response, and this response must be discarded if the request results in a cross-origin redirect.

    Note: For compatibility and security reasons, it is recommended to only send HTTP 103 Early Hints responses over HTTP/2 or later unless the client is known to handle informational responses correctly.

    Most browsers limit support to HTTP/2 or later for this reason. See browser compatibility below. Despite this, the examples below use HTTP/1.1-style notation as per usual convention.

    • Syntax

    http
    103 Early Hints

    Examples

    Preconnect example

    The following 103 early hint response shows an early hint response where the server indicates that the client might want to preconnect to a particular origin (https://cdn.example.com). Just like the HTML rel=preconnect attribute, this is a hint that the page is likely to need resources from the target resource's origin, and that the browser may improve the user experience by preemptively initiating a connection to that origin.

    http
    103 Early Hint
Link: <https://cdn.example.com>; rel=preconnect, <https://cdn.example.com>; rel=preconnect; crossorigin

    This example preconnects to https://cdn.example.com twice:

    • The first connection would be used for loading resources that can be fetched without CORS, such as images.
    • The second connection includes the CORS-protected resources, such as fonts.

    CORS-protected resources must be fetched over a completely separate connection. If you only need one type of resource from an origin then you only need to preconnect once.

    Subsequently the server sends the final response. This includes a crossorigin font preload and an <img> loaded from the additional origin.

    http
    200 OK
Content-Type: text/html

<!doctype html>
...
<link rel="preload" href="/cats-d8c4vu/cdn.example.com/fonts/my-font.woff2" as="font" type="font/woff2" crossorigin>
...
<img src="/cats-d8c4vu/cdn.example.com/images/image.jpg" alt="">
...

    Preload example

    The following 103 early hint response indicates a stylesheet style.css might be needed by the final response.

    http
    103 Early Hint
Link: </style.css>; rel=preload; as=style

    Subsequently the server sends the final response. This includes a link to the stylesheet, which may already have been preloaded from the early hint.

    http
    200 OK
Content-Type: text/html

<!doctype html>
...
<link rel="stylesheet" rel="preload" href="style.css" />
...

    Early hint response with CSP

    The following example shows the same early hint response but with a Content-Security-Policy header included.

    http
    103 Early Hint
Content-Security-Policy: style-src: self;
Link: </style.css>; rel=preload; as=style

    The early response restricts preloading to the same origin as the request. The stylesheet will be preloaded if the origin matches.

    The final response might set the CSP to none, as shown below. The stylesheet has already been preloaded, but will not be used when rendering the page.

    http
    200 OK
Content-Security-Policy: style-src: none;
Content-Type: text/html

<!doctype html>
...
<link rel="stylesheet" rel="preload" href="style.css" />
...

    Specifications

    Specification
    HTML
    # early-hints

    Browser compatibility

    BCD tables only load in the browser

    See also