1   Request methods

Allowed

• GET;
• HEAD;

Forbidden

• CONNECT;
• DELETE;
• PATCH;
• POST;
• PUT;
• TRACE;

???

• OPTIONS;

2   Request headers

Required

• Host;

Allowed

• Accept;
• Accept-Encoding;
• Accept-Language;
• Connection;
• If-Modified-Since;
• If-None-Match;

Ignored

• Accept-Charset;
• Accept-Datetime;
• Authorization;
• Cache-Control;
• Cookie;
• Date;
• DNT;
• From;
• Max-Forwards;
• Referer;
• User-Agent;
• Via;
• Warning;
• X-*; [RFC-6648]

Forbidden

• Content-Length;
• Content-MD5;
• Content-Type;
• If-Match;
• If-Range;
• If-Unmodified-Since;
• Proxy-Authorization;
• Range;
• TE;
• Upgrade;

???

• Expect;
• Proxy-Connection;

3   Response statuses

Implicit

• 200;
• 304;
• 400;
• 404;
• 405;
• 406;
• 408;
• 415;
• 429; [RFC-6585]
• 431; [RFC-6585]
• 500;
• 503;
• 505;

Customizable

• 300;
• 301;
• 302;
• 307;
• 308;
• 410;

Not supported

• 100;
• 201, 202, 203, 204, 205, 206;
• 303, 305, 306;
• 401, 402, 403, 407, 409, 411, 412, 413, 414, 416;
• 501, 502, 504, 506;
• *;

???

• 426; [RFC-2817]

4   Response headers

Implicit

• Age;
• Allow;
• Cache-Control;
• Connection;
• Content-Length;
• Content-MD5;
• Date;
• ETag;
• Expires;
• Retry-After;
• Server;

Customizable

• Access-Control-Allow-Origin;
• Content-Encoding;
• Content-Language;
• Content-Location;
• Content-Disposition; [RFC-6266] [RFC-2183]
• Content-Type;
• Last-Modified;
• Link;
• Location;
• Warning;
• X-*; [RFC-6648]

Not supported

• Accept-Ranges;
• Content-Range;
• P3P;
• Pragma;
• Proxy-Authenticate;
• Refresh;
• Set-Cookie;
• Status;
• Trailer;
• Transfer-Encoding;
• Via;
• WWW-Authenticate;

???

• Strict-Transport-Security;
• Vary

5   References