mdn · bsmth · Dec 9, 2024 · Oct 31, 2024 · Oct 31, 2024 · Oct 31, 2024
@@ -0,0 +1,20 @@
+---
+title: Source map
+slug: Glossary/Source_map
+page-type: glossary-definition
+---
+
+{{GlossarySidebar}}
+
+A **source map** is a file that maps transformed code back to a source, enabling the browser to reconstruct the original source code and show that reconstructed code in the debugger.
+
+The JavaScript sources executed by the browser are often transformed in some way from the sources created by a developer.
+For example, sources are often combined and minified to make delivering them from the server more efficient.
+Additionally, JavaScript running on a page is often machine-generated, such as compiled from a language like TypeScript.
+
+In these situations, debugging the original source is much easier than the source in the transformed state that the browser has downloaded.
+
+## See also
+
+- HTTP {{HTTPHeader("SourceMap")}} response header
+- [Firefox Developer Tools: using a source map](https://firefox-source-docs.mozilla.org/devtools-user/debugger/how_to/use_a_source_map/index.html)
@@ -70,3 +70,8 @@ Connection: close
 ## Browser compatibility
 
 {{Compat}}
+
+## See also
+
+- [Connection management in HTTP/1.x](/en-US/docs/Web/HTTP/Connection_management_in_HTTP_1.x)
+- [Protocol upgrade mechanism](/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism)
@@ -18,6 +18,10 @@ Therefore, the user's privacy must be kept in mind when deploying this header.
 
 The alternative and de-facto standard versions of this header are the {{HTTPHeader("X-Forwarded-For")}}, {{HTTPHeader("X-Forwarded-Host")}} and {{HTTPHeader("X-Forwarded-Proto")}} headers.
 
+> [!NOTE]
+> If upstream services rely on `X-Forwarded-*` headers, replacing them outright with `Forwarded` could lead to compatibility issues.
+> Verify that frameworks, middleware, and any third-party tools support the standardized version before deploying this header as a replacement.
+
 <table class="properties">
   <tbody>
     <tr>

@@ -316,7 +316,7 @@ Headers used by the [WebSockets API](/en-US/docs/Web/API/WebSockets_API) in the
 - `Service-Worker-Allowed`
   - : Used to remove the [path restriction](/en-US/docs/Web/API/Service_Worker_API/Using_Service_Workers#why_is_my_service_worker_failing_to_register) by including this header [in the response of the Service Worker script](https://w3c.github.io/ServiceWorker/#service-worker-script-response).
 - {{HTTPHeader("SourceMap")}}
-  - : Links generated code to a [source map](https://firefox-source-docs.mozilla.org/devtools-user/debugger/how_to/use_a_source_map/index.html).
+  - : Links to a {{Glossary("source map")}} so that debuggers can step through original source code instead of generated or transformed code.
 - {{HTTPHeader("Upgrade")}}
   - : This HTTP/1.1 (only) header can be used to upgrade an already established client/server connection to a different protocol (over the same transport protocol). For example, it can be used by a client to upgrade a connection from HTTP 1.1 to HTTP 2.0, or an HTTP or HTTPS connection into a WebSocket.
 - {{HTTPHeader("Priority")}}

@@ -132,3 +132,8 @@ No-Vary-Search: params, except=("id")
 ## Browser compatibility
 
 {{Compat}}
+
+## See also
+
+- [Speculation Rules API](/en-US/docs/Web/API/Speculation_Rules_API)
+- [HTTP Caching: Vary](/en-US/docs/Web/HTTP/Caching#vary) and {{HTTPHeader("Vary")}} header
@@ -7,7 +7,8 @@ browser-compat: http.headers.Server-Timing
 
 {{HTTPSidebar}}
 
-The **`Server-Timing`** header communicates one or more metrics and descriptions for a given request-response cycle. It is used to surface any backend server timing metrics (e.g. database read/write, CPU time, file system access, etc.) in the developer tools in the user's browser or in the {{domxref("PerformanceServerTiming")}} interface.
+The HTTP **`Server-Timing`** {{Glossary("response header")}} communicates one or more performance metrics about the request-response cycle to the user agent.
+It is used to surface backend server timing metrics (for example, database read/write, CPU time, file system access, etc.) in the developer tools in the user's browser or in the {{domxref("PerformanceServerTiming")}} interface.
 
 <table class="properties">
   <tbody>
@@ -17,55 +18,98 @@ The **`Server-Timing`** header communicates one or more metrics and descriptions
     </tr>
     <tr>
       <th scope="row">{{Glossary("Forbidden header name")}}</th>
-      <td>no</td>
+      <td>No</td>
     </tr>
   </tbody>
 </table>
 
 ## Syntax
 
-The syntax of the `Server-Timing` header allows you to communicate metrics in different ways: server metric name only, metric with value, metric with value and description, and metric with description.
-
-This header can contain one or more metrics, separated by commas. Each metric has a name, an optional duration, and an optional description. These components are separated by semi-colons.
+```http
+// A single metric
+Server-Timing: <timing-metric>
 
-The duration component consists of the string `"dur"`, followed by `"="`, followed by the value, like `"dur=23.2"`.
-The description component consists of the string `"desc"`, followed by `"="`, followed by the value, like `"desc=DB lookup"`.
+// Multiple metrics as a comma-separated list
+Server-Timing: <timing-metric>, <timing-metric>
+```
 
-The specification advises that names and descriptions should be kept as short as possible (use abbreviations and omit optional values where possible) to minimize the HTTP overhead.
+A `<timing-metric>` has a name, and may include an optional duration and an optional description.
+For example:
 
 ```http
-// Single metric without value
+// A metric with a name only
 Server-Timing: missedCache
 
-// Single metric with value
+// A metric with a duration
 Server-Timing: cpu;dur=2.4
 
-// Single metric with description and value
+// A metric with a description and duration
 Server-Timing: cache;desc="Cache Read";dur=23.2
 
-// Two metrics with value
+// Two metrics with duration values
 Server-Timing: db;dur=53, app;dur=47.2
-
-// Server-Timing as trailer
-Trailer: Server-Timing
---- response body ---
-Server-Timing: total;dur=123.4
 ```
 
-## Privacy and security
+## Directives
 
-The `Server-Timing` header may expose potentially sensitive application and infrastructure information. Consider to control which metrics are returned when and to whom on the server side. For example, you could only show metrics to authenticated users and nothing to the public.
+- `<timing-metric>`
+  - : A comma-separated list of one or more metrics with the following components separated by semi-colons:
+    - `<name>`
+      - : A name component as a token (cannot contain spaces or special characters).
+    - `<duration>` {{optional_inline}}
+      - : A duration component consisting of the string `dur`, followed by `=`, followed by a value, like `dur=23.2`.
+    - `<description>` {{optional_inline}}
+      - : A description component consisting of the string `desc`, followed by `=`, followed by a value as a token or a quoted string, like `desc=prod` or `desc="DB lookup"`.
 
-## PerformanceServerTiming interface
+The specification advises that names and descriptions should be kept as short as possible (use abbreviations and omit optional values where possible) to minimize the HTTP overhead.
+
+## Description
+
+### Privacy and security
+
+The `Server-Timing` header may expose potentially sensitive application and infrastructure information.
+Consider to control which metrics are returned when and to whom on the server side.
+For example, you could only show metrics to authenticated users and nothing to the public.
+
+### PerformanceServerTiming interface
 
 In addition to having `Server-Timing` header metrics appear in the developer tools of the browser, the {{domxref("PerformanceServerTiming")}} interface enables tools to automatically collect and process metrics from JavaScript. This interface is restricted to the same origin, but you can use the {{HTTPHeader("Timing-Allow-Origin")}} header to specify the domains that are allowed to access the server metrics. The interface is only available in secure contexts (HTTPS) in some browsers.
 
-The components of the `Server-Timing` header map to the {{domxref("PerformanceServerTiming")}} properties like this:
+The components of the `Server-Timing` header map to the {{domxref("PerformanceServerTiming")}} properties as follows:
 
 - `"name"` -> {{domxref("PerformanceServerTiming.name")}}
 - `"dur"` -> {{domxref("PerformanceServerTiming.duration")}}
 - `"desc"` -> {{domxref("PerformanceServerTiming.description")}}
 
+## Examples
+
+### Sending a metric using the Server-Timing header
+
+The following response includes a metric `custom-metric` with a duration of `123.45` milliseconds, and a description of "My custom metric":
+
+```http
+Server-Timing: custom-metric;dur=123.45;desc="My custom metric"
+```
+
+### Server-Timing as HTTP trailer
+
+In the following response, the {{HTTPHeader("Trailer")}} header is used to indicate that a `Server-Timing` header will follow the response body.
+A metric `custom-metric` with a duration of `123.4` milliseconds is sent.
+
+```http
+HTTP/1.1 200 OK
+Transfer-Encoding: chunked
+Trailer: Server-Timing
+
+--- response body ---
+Server-Timing: custom-metric;dur=123.4
+```
+
+> [!WARNING]
+> Only the browser's DevTools can use the Server-Timing header as a HTTP trailer to display information in the Network -> Timings tab.
+> The Fetch API cannot access HTTP trailers.
+> See [Browser compatibility](#browser_compatibility) for more information.
+
 ## Specifications
 
 {{Specifications}}
@@ -77,3 +121,4 @@ The components of the `Server-Timing` header map to the {{domxref("PerformanceSe
 ## See also
 
 - {{domxref("PerformanceServerTiming")}}
+- {{HTTPHeader("Trailer")}} header
@@ -7,7 +7,7 @@ browser-compat: http.headers.Server
 
 {{HTTPSidebar}}
 
-The **`Server`** header describes the software used by the origin server that handled the request and generated a response.
+The HTTP **`Server`** {{Glossary("response header")}} describes the software used by the origin server that handled the request and generated a response.
 
 The benefits of advertising the server type and version via this header are that it helps with analytics and identifying how widespread specific interoperability issues are.
 Historically, clients have used the server version information to avoid known limitations, such as inconsistent support for [range requests](/en-US/docs/Web/HTTP/Range_requests) in specific software versions.
@@ -27,7 +27,7 @@ In general, a more robust approach to server security is to ensure software is r
     </tr>
     <tr>
       <th scope="row">{{Glossary("Forbidden header name")}}</th>
-      <td>no</td>
+      <td>No</td>
     </tr>
   </tbody>
 </table>

@@ -7,10 +7,10 @@ browser-compat: http.headers.Service-Worker-Navigation-Preload
 
 {{HTTPSidebar}}
 
-The **`Service-Worker-Navigation-Preload`** request header indicates that the request was the result of a {{domxref("Window/fetch", "fetch()")}} operation made during service worker navigation preloading.
+The HTTP **`Service-Worker-Navigation-Preload`** {{Glossary("request header")}} indicates that the request was the result of a {{domxref("Window/fetch", "fetch()")}} operation made during service worker navigation preloading.
 It allows a server to respond with a different resource than for a normal `fetch()`.
 
-If a different response may result from setting this header, the server must set `Vary: Service-Worker-Navigation-Preload` to ensure that the different responses are cached.
+If a different response may result from setting this header, the server must include a {{HTTPHeader("Vary", "Vary: Service-Worker-Navigation-Preload")}} header in responses to ensure that different responses are cached.
 
 For more information see {{domxref("NavigationPreloadManager.setHeaderValue()")}} (and {{domxref("NavigationPreloadManager")}}).
 
@@ -22,7 +22,7 @@ For more information see {{domxref("NavigationPreloadManager.setHeaderValue()")}
     </tr>
     <tr>
       <th scope="row">{{Glossary("Forbidden header name")}}</th>
-      <td>no</td>
+      <td>No</td>
     </tr>
   </tbody>
 </table>
@@ -42,7 +42,9 @@ Service-Worker-Navigation-Preload: <value>
 
 ## Examples
 
-The header below is sent by default.
+### Service worker navigation preloading headers
+
+The following request header is sent by default in navigation preload requests:
 
 ```http
 Service-Worker-Navigation-Preload: true
@@ -62,3 +64,8 @@ Service-Worker-Navigation-Preload: json_fragment1
 ## Browser compatibility
 
 {{Compat}}
+
+## See also
+
+- [HTTP Caching: Vary](/en-US/docs/Web/HTTP/Caching#vary) and {{HTTPHeader("Vary")}} header
+- [Service Worker API](/en-US/docs/Web/API/Service_Worker_API)
@@ -7,11 +7,11 @@ browser-compat: http.headers.Set-Cookie
 
 {{HTTPSidebar}}
 
-The **`Set-Cookie`** HTTP response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later.
-To send multiple cookies, multiple **`Set-Cookie`** headers should be sent in the same response.
+The HTTP **`Set-Cookie`** {{Glossary("response header")}} is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later.
+To send multiple cookies, multiple `Set-Cookie` headers should be sent in the same response.
 
 > [!WARNING]
-> Browsers block frontend JavaScript code from accessing the `Set-Cookie` header, as required by the Fetch spec, which defines `Set-Cookie` as a [forbidden response-header name](https://fetch.spec.whatwg.org/#forbidden-response-header-name) that [must be filtered out](https://fetch.spec.whatwg.org/#ref-for-forbidden-response-header-name%E2%91%A0) from any response exposed to frontend code.
+> Browsers block frontend JavaScript code from accessing the `Set-Cookie` header, as required by the Fetch spec, which defines `Set-Cookie` as a [forbidden response header name](https://fetch.spec.whatwg.org/#forbidden-response-header-name) that [must be filtered out](https://fetch.spec.whatwg.org/#ref-for-forbidden-response-header-name%E2%91%A0) from any response exposed to frontend code.
 >
 > When a [Fetch API](/en-US/docs/Web/API/Fetch_API/Using_Fetch) or [XMLHttpRequest API](/en-US/docs/Web/API/XMLHttpRequest_API) request [uses CORS](/en-US/docs/Web/HTTP/CORS#what_requests_use_cors), browsers will ignore `Set-Cookie` headers present in the server's response unless the request includes credentials. Visit [Using the Fetch API - Including credentials](/en-US/docs/Web/API/Fetch_API/Using_Fetch#including_credentials) and the [XMLHttpRequest article](/en-US/docs/Web/API/XMLHttpRequest_API) to learn how to include credentials.
 
@@ -25,11 +25,11 @@ For more information, see the guide on [Using HTTP cookies](/en-US/docs/Web/HTTP
     </tr>
     <tr>
       <th scope="row">{{Glossary("Forbidden header name")}}</th>
-      <td>no</td>
+      <td>No</td>
     </tr>
     <tr>
       <th scope="row">{{Glossary("Forbidden response header name")}}</th>
-      <td>yes</td>
+      <td>Yes</td>
     </tr>
   </tbody>
 </table>
@@ -145,6 +145,10 @@ Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnl
       - : Means that the cookie is not sent on cross-site requests, such as on requests to load images or frames, but is sent when a user is navigating to the origin site from an external site (for example, when following a link).
         This is the default behavior if the `SameSite` attribute is not specified.
 
+        > [!WARNING]
+        > Browser implementations vary when `SameSite` is omitted.
+        > See [Browser compatibility](#browser_compatibility) for details.
+
     - `None`
 
       - : Means that the browser sends the cookie with both cross-site and same-site requests.
@@ -167,23 +171,24 @@ Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnl
   - : Indicates that the cookie is sent to the server only when a request is made with the `https:` scheme (except on localhost), and therefore, is more resistant to [man-in-the-middle](/en-US/docs/Glossary/MitM) attacks.
 
     > [!NOTE]
-    > Do not assume that `Secure` prevents all access to sensitive information in cookies (session keys, login details, etc.). Cookies with this attribute can still be read/modified either with access to the client's hard disk or from JavaScript if the `HttpOnly` cookie attribute is not set.
+    > Do not assume that `Secure` prevents all access to sensitive information in cookies (session keys, login details, etc.).
+    > Cookies with this attribute can still be read/modified either with access to the client's hard disk or from JavaScript if the `HttpOnly` cookie attribute is not set.
     >
-    > Insecure sites (`http:`) cannot set cookies with the `Secure` attribute (since Chrome 52 and Firefox 52). The `https:` requirements are ignored when the `Secure` attribute is set by localhost (since Chrome 89 and Firefox 75).
+    > Insecure sites (`http:`) cannot set cookies with the `Secure` attribute. The `https:` requirements are ignored when the `Secure` attribute is set by localhost.
 
 ## Examples
 
 ### Session cookie
 
-**Session cookies** are removed when the client shuts down. Cookies are session cookies if they do not specify the `Expires` or `Max-Age` attribute.
+Session cookies are removed when the client shuts down. Cookies are session cookies if they do not specify the `Expires` or `Max-Age` attribute.
 
 ```http
 Set-Cookie: sessionId=38afes7a8
 ```
 
 ### Permanent cookie
 
-**Permanent cookies** are removed at a specific date (`Expires`) or after a specific length of time (`Max-Age`) and not when the client is closed.
+Permanent cookies are removed at a specific date (`Expires`) or after a specific length of time (`Max-Age`) and not when the client is closed.
 
 ```http
 Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT
@@ -252,10 +257,6 @@ Set-Cookie: __Host-example=34d8g; SameSite=None; Secure; Path=/; Partitioned;
 
 {{Compat}}
 
-### Compatibility notes
-
-- Starting with Chrome 52 and Firefox 52, insecure sites (`http:`) can't set cookies with the `Secure` attribute anymore.
-
 ## See also
 
 - [HTTP cookies](/en-US/docs/Web/HTTP/Cookies)