From f9e79432440db4b9befe29be58ad3745d93e710c Mon Sep 17 00:00:00 2001 From: Jean-Yves Perrier Date: Thu, 12 Aug 2021 12:27:43 +0200 Subject: [PATCH 1/9] Rename HTTP docs from html to md --- files/en-us/web/http/authentication/{index.html => index.md} | 0 .../{index.html => index.md} | 0 .../web/http/basics_of_http/data_uris/{index.html => index.md} | 0 .../basics_of_http/evolution_of_http/{index.html => index.md} | 0 .../identifying_resources_on_the_web/{index.html => index.md} | 0 files/en-us/web/http/basics_of_http/{index.html => index.md} | 0 .../mime_types/common_types/{index.html => index.md} | 0 .../web/http/basics_of_http/mime_types/{index.html => index.md} | 0 .../http/basics_of_http/resource_urls/{index.html => index.md} | 0 .../{index.html => index.md} | 0 files/en-us/web/http/caching/{index.html => index.md} | 0 files/en-us/web/http/compression/{index.html => index.md} | 0 .../en-us/web/http/conditional_requests/{index.html => index.md} | 0 .../configuring_servers_for_ogg_media/{index.html => index.md} | 0 .../connection_management_in_http_1.x/{index.html => index.md} | 0 files/en-us/web/http/content_negotiation/{index.html => index.md} | 0 .../list_of_default_accept_values/{index.html => index.md} | 0 files/en-us/web/http/cookies/{index.html => index.md} | 0 .../corsalloworiginnotmatchingorigin/{index.html => index.md} | 0 .../http/cors/errors/corsdidnotsucceed/{index.html => index.md} | 0 .../web/http/cors/errors/corsdisabled/{index.html => index.md} | 0 .../corsexternalredirectnotallowed/{index.html => index.md} | 0 .../cors/errors/corsinvalidallowheader/{index.html => index.md} | 0 .../cors/errors/corsinvalidallowmethod/{index.html => index.md} | 0 .../http/cors/errors/corsmethodnotfound/{index.html => index.md} | 0 .../errors/corsmissingallowcredentials/{index.html => index.md} | 0 .../corsmissingallowheaderfrompreflight/{index.html => index.md} | 0 .../cors/errors/corsmissingalloworigin/{index.html => index.md} | 0 .../corsmultiplealloworiginnotallowed/{index.html => index.md} | 0 .../errors/corsnotsupportingcredentials/{index.html => index.md} | 0 .../cors/errors/corsoriginheadernotadded/{index.html => index.md} | 0 .../errors/corspreflightdidnotsucceed/{index.html => index.md} | 0 .../http/cors/errors/corsrequestnothttp/{index.html => index.md} | 0 files/en-us/web/http/cors/errors/{index.html => index.md} | 0 files/en-us/web/http/cors/{index.html => index.md} | 0 .../cross-origin_resource_policy_(corp)/{index.html => index.md} | 0 .../web/http/csp/errors/cspviolation/{index.html => index.md} | 0 files/en-us/web/http/csp/errors/{index.html => index.md} | 0 files/en-us/web/http/csp/{index.html => index.md} | 0 files/en-us/web/http/feature_policy/{index.html => index.md} | 0 .../feature_policy/using_feature_policy/{index.html => index.md} | 0 .../web/http/headers/accept-ch-lifetime/{index.html => index.md} | 0 files/en-us/web/http/headers/accept-ch/{index.html => index.md} | 0 .../web/http/headers/accept-charset/{index.html => index.md} | 0 .../web/http/headers/accept-encoding/{index.html => index.md} | 0 .../web/http/headers/accept-language/{index.html => index.md} | 0 .../en-us/web/http/headers/accept-patch/{index.html => index.md} | 0 files/en-us/web/http/headers/accept-post/{index.html => index.md} | 0 .../en-us/web/http/headers/accept-ranges/{index.html => index.md} | 0 files/en-us/web/http/headers/accept/{index.html => index.md} | 0 .../access-control-allow-credentials/{index.html => index.md} | 0 .../headers/access-control-allow-headers/{index.html => index.md} | 0 .../headers/access-control-allow-methods/{index.html => index.md} | 0 .../headers/access-control-allow-origin/{index.html => index.md} | 0 .../access-control-expose-headers/{index.html => index.md} | 0 .../http/headers/access-control-max-age/{index.html => index.md} | 0 .../access-control-request-headers/{index.html => index.md} | 0 .../access-control-request-method/{index.html => index.md} | 0 files/en-us/web/http/headers/age/{index.html => index.md} | 0 files/en-us/web/http/headers/allow/{index.html => index.md} | 0 files/en-us/web/http/headers/alt-svc/{index.html => index.md} | 0 .../en-us/web/http/headers/authorization/{index.html => index.md} | 0 .../en-us/web/http/headers/cache-control/{index.html => index.md} | 0 .../web/http/headers/clear-site-data/{index.html => index.md} | 0 files/en-us/web/http/headers/connection/{index.html => index.md} | 0 .../web/http/headers/content-disposition/{index.html => index.md} | 0 files/en-us/web/http/headers/content-dpr/{index.html => index.md} | 0 .../web/http/headers/content-encoding/{index.html => index.md} | 0 .../web/http/headers/content-language/{index.html => index.md} | 0 .../web/http/headers/content-length/{index.html => index.md} | 0 .../web/http/headers/content-location/{index.html => index.md} | 0 .../en-us/web/http/headers/content-range/{index.html => index.md} | 0 .../content-security-policy-report-only/{index.html => index.md} | 0 .../content-security-policy/base-uri/{index.html => index.md} | 0 .../block-all-mixed-content/{index.html => index.md} | 0 .../content-security-policy/child-src/{index.html => index.md} | 0 .../content-security-policy/connect-src/{index.html => index.md} | 0 .../content-security-policy/default-src/{index.html => index.md} | 0 .../content-security-policy/font-src/{index.html => index.md} | 0 .../content-security-policy/form-action/{index.html => index.md} | 0 .../frame-ancestors/{index.html => index.md} | 0 .../content-security-policy/frame-src/{index.html => index.md} | 0 .../content-security-policy/img-src/{index.html => index.md} | 0 .../http/headers/content-security-policy/{index.html => index.md} | 0 .../content-security-policy/manifest-src/{index.html => index.md} | 0 .../content-security-policy/media-src/{index.html => index.md} | 0 .../content-security-policy/navigate-to/{index.html => index.md} | 0 .../content-security-policy/object-src/{index.html => index.md} | 0 .../content-security-policy/plugin-types/{index.html => index.md} | 0 .../content-security-policy/prefetch-src/{index.html => index.md} | 0 .../content-security-policy/referrer/{index.html => index.md} | 0 .../content-security-policy/report-to/{index.html => index.md} | 0 .../content-security-policy/report-uri/{index.html => index.md} | 0 .../require-sri-for/{index.html => index.md} | 0 .../require-trusted-types-for/{index.html => index.md} | 0 .../content-security-policy/sandbox/{index.html => index.md} | 0 .../script-src-attr/{index.html => index.md} | 0 .../script-src-elem/{index.html => index.md} | 0 .../content-security-policy/script-src/{index.html => index.md} | 0 .../style-src-attr/{index.html => index.md} | 0 .../style-src-elem/{index.html => index.md} | 0 .../content-security-policy/style-src/{index.html => index.md} | 0 .../trusted-types/{index.html => index.md} | 0 .../upgrade-insecure-requests/{index.html => index.md} | 0 .../content-security-policy/worker-src/{index.html => index.md} | 0 .../en-us/web/http/headers/content-type/{index.html => index.md} | 0 files/en-us/web/http/headers/cookie/{index.html => index.md} | 0 files/en-us/web/http/headers/cookie2/{index.html => index.md} | 0 .../headers/cross-origin-embedder-policy/{index.html => index.md} | 0 .../headers/cross-origin-opener-policy/{index.html => index.md} | 0 .../headers/cross-origin-resource-policy/{index.html => index.md} | 0 files/en-us/web/http/headers/date/{index.html => index.md} | 0 .../en-us/web/http/headers/device-memory/{index.html => index.md} | 0 files/en-us/web/http/headers/digest/{index.html => index.md} | 0 files/en-us/web/http/headers/dnt/{index.html => index.md} | 0 files/en-us/web/http/headers/downlink/{index.html => index.md} | 0 files/en-us/web/http/headers/dpr/{index.html => index.md} | 0 files/en-us/web/http/headers/early-data/{index.html => index.md} | 0 files/en-us/web/http/headers/ect/{index.html => index.md} | 0 files/en-us/web/http/headers/etag/{index.html => index.md} | 0 files/en-us/web/http/headers/expect-ct/{index.html => index.md} | 0 files/en-us/web/http/headers/expect/{index.html => index.md} | 0 files/en-us/web/http/headers/expires/{index.html => index.md} | 0 .../headers/feature-policy/accelerometer/{index.html => index.md} | 0 .../feature-policy/ambient-light-sensor/{index.html => index.md} | 0 .../http/headers/feature-policy/autoplay/{index.html => index.md} | 0 .../http/headers/feature-policy/battery/{index.html => index.md} | 0 .../http/headers/feature-policy/camera/{index.html => index.md} | 0 .../feature-policy/display-capture/{index.html => index.md} | 0 .../feature-policy/document-domain/{index.html => index.md} | 0 .../feature-policy/encrypted-media/{index.html => index.md} | 0 .../headers/feature-policy/fullscreen/{index.html => index.md} | 0 .../http/headers/feature-policy/gamepad/{index.html => index.md} | 0 .../headers/feature-policy/geolocation/{index.html => index.md} | 0 .../headers/feature-policy/gyroscope/{index.html => index.md} | 0 .../web/http/headers/feature-policy/{index.html => index.md} | 0 .../feature-policy/layout-animations/{index.html => index.md} | 0 .../feature-policy/legacy-image-formats/{index.html => index.md} | 0 .../headers/feature-policy/magnetometer/{index.html => index.md} | 0 .../headers/feature-policy/microphone/{index.html => index.md} | 0 .../web/http/headers/feature-policy/midi/{index.html => index.md} | 0 .../feature-policy/oversized-images/{index.html => index.md} | 0 .../http/headers/feature-policy/payment/{index.html => index.md} | 0 .../feature-policy/picture-in-picture/{index.html => index.md} | 0 .../publickey-credentials-get/{index.html => index.md} | 0 .../feature-policy/screen-wake-lock/{index.html => index.md} | 0 .../http/headers/feature-policy/sync-xhr/{index.html => index.md} | 0 .../feature-policy/unoptimized-images/{index.html => index.md} | 0 .../headers/feature-policy/unsized-media/{index.html => index.md} | 0 .../web/http/headers/feature-policy/usb/{index.html => index.md} | 0 .../http/headers/feature-policy/vibrate/{index.html => index.md} | 0 .../web/http/headers/feature-policy/vr/{index.html => index.md} | 0 .../headers/feature-policy/web-share/{index.html => index.md} | 0 .../feature-policy/xr-spatial-tracking/{index.html => index.md} | 0 .../web/http/headers/feature-policy/xr/{index.html => index.md} | 0 files/en-us/web/http/headers/forwarded/{index.html => index.md} | 0 files/en-us/web/http/headers/from/{index.html => index.md} | 0 files/en-us/web/http/headers/host/{index.html => index.md} | 0 files/en-us/web/http/headers/if-match/{index.html => index.md} | 0 .../web/http/headers/if-modified-since/{index.html => index.md} | 0 .../en-us/web/http/headers/if-none-match/{index.html => index.md} | 0 files/en-us/web/http/headers/if-range/{index.html => index.md} | 0 .../web/http/headers/if-unmodified-since/{index.html => index.md} | 0 files/en-us/web/http/headers/{index.html => index.md} | 0 files/en-us/web/http/headers/keep-alive/{index.html => index.md} | 0 .../web/http/headers/large-allocation/{index.html => index.md} | 0 .../en-us/web/http/headers/last-modified/{index.html => index.md} | 0 files/en-us/web/http/headers/link/{index.html => index.md} | 0 files/en-us/web/http/headers/location/{index.html => index.md} | 0 files/en-us/web/http/headers/nel/{index.html => index.md} | 0 files/en-us/web/http/headers/origin/{index.html => index.md} | 0 files/en-us/web/http/headers/pragma/{index.html => index.md} | 0 .../web/http/headers/proxy-authenticate/{index.html => index.md} | 0 .../web/http/headers/proxy-authorization/{index.html => index.md} | 0 .../headers/public-key-pins-report-only/{index.html => index.md} | 0 .../web/http/headers/public-key-pins/{index.html => index.md} | 0 files/en-us/web/http/headers/range/{index.html => index.md} | 0 files/en-us/web/http/headers/referer/{index.html => index.md} | 0 .../web/http/headers/referrer-policy/{index.html => index.md} | 0 files/en-us/web/http/headers/retry-after/{index.html => index.md} | 0 files/en-us/web/http/headers/rtt/{index.html => index.md} | 0 files/en-us/web/http/headers/save-data/{index.html => index.md} | 0 .../web/http/headers/sec-fetch-dest/{index.html => index.md} | 0 .../web/http/headers/sec-fetch-mode/{index.html => index.md} | 0 .../web/http/headers/sec-fetch-site/{index.html => index.md} | 0 .../web/http/headers/sec-fetch-user/{index.html => index.md} | 0 .../http/headers/sec-websocket-accept/{index.html => index.md} | 0 .../en-us/web/http/headers/server-timing/{index.html => index.md} | 0 files/en-us/web/http/headers/server/{index.html => index.md} | 0 files/en-us/web/http/headers/set-cookie/{index.html => index.md} | 0 .../web/http/headers/set-cookie/samesite/{index.html => index.md} | 0 files/en-us/web/http/headers/set-cookie2/{index.html => index.md} | 0 files/en-us/web/http/headers/sourcemap/{index.html => index.md} | 0 .../headers/strict-transport-security/{index.html => index.md} | 0 files/en-us/web/http/headers/te/{index.html => index.md} | 0 .../web/http/headers/timing-allow-origin/{index.html => index.md} | 0 files/en-us/web/http/headers/tk/{index.html => index.md} | 0 files/en-us/web/http/headers/trailer/{index.html => index.md} | 0 .../web/http/headers/transfer-encoding/{index.html => index.md} | 0 .../headers/upgrade-insecure-requests/{index.html => index.md} | 0 files/en-us/web/http/headers/upgrade/{index.html => index.md} | 0 .../web/http/headers/user-agent/firefox/{index.html => index.md} | 0 files/en-us/web/http/headers/user-agent/{index.html => index.md} | 0 files/en-us/web/http/headers/vary/{index.html => index.md} | 0 files/en-us/web/http/headers/via/{index.html => index.md} | 0 .../web/http/headers/viewport-width/{index.html => index.md} | 0 files/en-us/web/http/headers/want-digest/{index.html => index.md} | 0 files/en-us/web/http/headers/warning/{index.html => index.md} | 0 files/en-us/web/http/headers/width/{index.html => index.md} | 0 .../web/http/headers/www-authenticate/{index.html => index.md} | 0 .../http/headers/x-content-type-options/{index.html => index.md} | 0 .../http/headers/x-dns-prefetch-control/{index.html => index.md} | 0 .../web/http/headers/x-forwarded-for/{index.html => index.md} | 0 .../web/http/headers/x-forwarded-host/{index.html => index.md} | 0 .../web/http/headers/x-forwarded-proto/{index.html => index.md} | 0 .../web/http/headers/x-frame-options/{index.html => index.md} | 0 .../web/http/headers/x-xss-protection/{index.html => index.md} | 0 files/en-us/web/http/{index.html => index.md} | 0 files/en-us/web/http/index/{index.html => index.md} | 0 .../en-us/web/http/link_prefetching_faq/{index.html => index.md} | 0 files/en-us/web/http/messages/{index.html => index.md} | 0 files/en-us/web/http/methods/connect/{index.html => index.md} | 0 files/en-us/web/http/methods/delete/{index.html => index.md} | 0 files/en-us/web/http/methods/get/{index.html => index.md} | 0 files/en-us/web/http/methods/head/{index.html => index.md} | 0 files/en-us/web/http/methods/{index.html => index.md} | 0 files/en-us/web/http/methods/options/{index.html => index.md} | 0 files/en-us/web/http/methods/patch/{index.html => index.md} | 0 files/en-us/web/http/methods/post/{index.html => index.md} | 0 files/en-us/web/http/methods/put/{index.html => index.md} | 0 files/en-us/web/http/methods/trace/{index.html => index.md} | 0 .../en-us/web/http/network_error_logging/{index.html => index.md} | 0 files/en-us/web/http/overview/{index.html => index.md} | 0 .../web/http/protocol_upgrade_mechanism/{index.html => index.md} | 0 .../web/http/proxy_servers_and_tunneling/{index.html => index.md} | 0 .../proxy_auto-configuration_pac_file/{index.html => index.md} | 0 files/en-us/web/http/public_key_pinning/{index.html => index.md} | 0 files/en-us/web/http/range_requests/{index.html => index.md} | 0 files/en-us/web/http/redirections/{index.html => index.md} | 0 .../http/resources_and_specifications/{index.html => index.md} | 0 files/en-us/web/http/resources_and_uris/{index.html => index.md} | 0 files/en-us/web/http/session/{index.html => index.md} | 0 files/en-us/web/http/status/100/{index.html => index.md} | 0 files/en-us/web/http/status/101/{index.html => index.md} | 0 files/en-us/web/http/status/103/{index.html => index.md} | 0 files/en-us/web/http/status/200/{index.html => index.md} | 0 files/en-us/web/http/status/201/{index.html => index.md} | 0 files/en-us/web/http/status/202/{index.html => index.md} | 0 files/en-us/web/http/status/203/{index.html => index.md} | 0 files/en-us/web/http/status/204/{index.html => index.md} | 0 files/en-us/web/http/status/205/{index.html => index.md} | 0 files/en-us/web/http/status/206/{index.html => index.md} | 0 files/en-us/web/http/status/300/{index.html => index.md} | 0 files/en-us/web/http/status/301/{index.html => index.md} | 0 files/en-us/web/http/status/302/{index.html => index.md} | 0 files/en-us/web/http/status/303/{index.html => index.md} | 0 files/en-us/web/http/status/304/{index.html => index.md} | 0 files/en-us/web/http/status/307/{index.html => index.md} | 0 files/en-us/web/http/status/308/{index.html => index.md} | 0 files/en-us/web/http/status/400/{index.html => index.md} | 0 files/en-us/web/http/status/401/{index.html => index.md} | 0 files/en-us/web/http/status/402/{index.html => index.md} | 0 files/en-us/web/http/status/403/{index.html => index.md} | 0 files/en-us/web/http/status/404/{index.html => index.md} | 0 files/en-us/web/http/status/405/{index.html => index.md} | 0 files/en-us/web/http/status/406/{index.html => index.md} | 0 files/en-us/web/http/status/407/{index.html => index.md} | 0 files/en-us/web/http/status/408/{index.html => index.md} | 0 files/en-us/web/http/status/409/{index.html => index.md} | 0 files/en-us/web/http/status/410/{index.html => index.md} | 0 files/en-us/web/http/status/411/{index.html => index.md} | 0 files/en-us/web/http/status/412/{index.html => index.md} | 0 files/en-us/web/http/status/413/{index.html => index.md} | 0 files/en-us/web/http/status/414/{index.html => index.md} | 0 files/en-us/web/http/status/415/{index.html => index.md} | 0 files/en-us/web/http/status/416/{index.html => index.md} | 0 files/en-us/web/http/status/417/{index.html => index.md} | 0 files/en-us/web/http/status/418/{index.html => index.md} | 0 files/en-us/web/http/status/422/{index.html => index.md} | 0 files/en-us/web/http/status/425/{index.html => index.md} | 0 files/en-us/web/http/status/426/{index.html => index.md} | 0 files/en-us/web/http/status/428/{index.html => index.md} | 0 files/en-us/web/http/status/429/{index.html => index.md} | 0 files/en-us/web/http/status/431/{index.html => index.md} | 0 files/en-us/web/http/status/451/{index.html => index.md} | 0 files/en-us/web/http/status/500/{index.html => index.md} | 0 files/en-us/web/http/status/501/{index.html => index.md} | 0 files/en-us/web/http/status/502/{index.html => index.md} | 0 files/en-us/web/http/status/503/{index.html => index.md} | 0 files/en-us/web/http/status/504/{index.html => index.md} | 0 files/en-us/web/http/status/505/{index.html => index.md} | 0 files/en-us/web/http/status/506/{index.html => index.md} | 0 files/en-us/web/http/status/507/{index.html => index.md} | 0 files/en-us/web/http/status/508/{index.html => index.md} | 0 files/en-us/web/http/status/510/{index.html => index.md} | 0 files/en-us/web/http/status/511/{index.html => index.md} | 0 files/en-us/web/http/status/{index.html => index.md} | 0 297 files changed, 0 insertions(+), 0 deletions(-) rename files/en-us/web/http/authentication/{index.html => index.md} (100%) rename files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/{index.html => index.md} (100%) rename files/en-us/web/http/basics_of_http/data_uris/{index.html => index.md} (100%) rename files/en-us/web/http/basics_of_http/evolution_of_http/{index.html => index.md} (100%) rename files/en-us/web/http/basics_of_http/identifying_resources_on_the_web/{index.html => index.md} (100%) rename files/en-us/web/http/basics_of_http/{index.html => index.md} (100%) rename files/en-us/web/http/basics_of_http/mime_types/common_types/{index.html => index.md} (100%) rename files/en-us/web/http/basics_of_http/mime_types/{index.html => index.md} (100%) rename files/en-us/web/http/basics_of_http/resource_urls/{index.html => index.md} (100%) rename files/en-us/web/http/browser_detection_using_the_user_agent/{index.html => index.md} (100%) rename files/en-us/web/http/caching/{index.html => index.md} (100%) rename files/en-us/web/http/compression/{index.html => index.md} (100%) rename files/en-us/web/http/conditional_requests/{index.html => index.md} (100%) rename files/en-us/web/http/configuring_servers_for_ogg_media/{index.html => index.md} (100%) rename files/en-us/web/http/connection_management_in_http_1.x/{index.html => index.md} (100%) rename files/en-us/web/http/content_negotiation/{index.html => index.md} (100%) rename files/en-us/web/http/content_negotiation/list_of_default_accept_values/{index.html => index.md} (100%) rename files/en-us/web/http/cookies/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corsalloworiginnotmatchingorigin/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corsdidnotsucceed/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corsdisabled/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corsexternalredirectnotallowed/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corsinvalidallowheader/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corsinvalidallowmethod/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corsmethodnotfound/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corsmissingallowcredentials/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corsmissingallowheaderfrompreflight/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corsmissingalloworigin/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corsmultiplealloworiginnotallowed/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corsnotsupportingcredentials/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corsoriginheadernotadded/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corspreflightdidnotsucceed/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/corsrequestnothttp/{index.html => index.md} (100%) rename files/en-us/web/http/cors/errors/{index.html => index.md} (100%) rename files/en-us/web/http/cors/{index.html => index.md} (100%) rename files/en-us/web/http/cross-origin_resource_policy_(corp)/{index.html => index.md} (100%) rename files/en-us/web/http/csp/errors/cspviolation/{index.html => index.md} (100%) rename files/en-us/web/http/csp/errors/{index.html => index.md} (100%) rename files/en-us/web/http/csp/{index.html => index.md} (100%) rename files/en-us/web/http/feature_policy/{index.html => index.md} (100%) rename files/en-us/web/http/feature_policy/using_feature_policy/{index.html => index.md} (100%) rename files/en-us/web/http/headers/accept-ch-lifetime/{index.html => index.md} (100%) rename files/en-us/web/http/headers/accept-ch/{index.html => index.md} (100%) rename files/en-us/web/http/headers/accept-charset/{index.html => index.md} (100%) rename files/en-us/web/http/headers/accept-encoding/{index.html => index.md} (100%) rename files/en-us/web/http/headers/accept-language/{index.html => index.md} (100%) rename files/en-us/web/http/headers/accept-patch/{index.html => index.md} (100%) rename files/en-us/web/http/headers/accept-post/{index.html => index.md} (100%) rename files/en-us/web/http/headers/accept-ranges/{index.html => index.md} (100%) rename files/en-us/web/http/headers/accept/{index.html => index.md} (100%) rename files/en-us/web/http/headers/access-control-allow-credentials/{index.html => index.md} (100%) rename files/en-us/web/http/headers/access-control-allow-headers/{index.html => index.md} (100%) rename files/en-us/web/http/headers/access-control-allow-methods/{index.html => index.md} (100%) rename files/en-us/web/http/headers/access-control-allow-origin/{index.html => index.md} (100%) rename files/en-us/web/http/headers/access-control-expose-headers/{index.html => index.md} (100%) rename files/en-us/web/http/headers/access-control-max-age/{index.html => index.md} (100%) rename files/en-us/web/http/headers/access-control-request-headers/{index.html => index.md} (100%) rename files/en-us/web/http/headers/access-control-request-method/{index.html => index.md} (100%) rename files/en-us/web/http/headers/age/{index.html => index.md} (100%) rename files/en-us/web/http/headers/allow/{index.html => index.md} (100%) rename files/en-us/web/http/headers/alt-svc/{index.html => index.md} (100%) rename files/en-us/web/http/headers/authorization/{index.html => index.md} (100%) rename files/en-us/web/http/headers/cache-control/{index.html => index.md} (100%) rename files/en-us/web/http/headers/clear-site-data/{index.html => index.md} (100%) rename files/en-us/web/http/headers/connection/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-disposition/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-dpr/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-encoding/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-language/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-length/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-location/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-range/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy-report-only/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/base-uri/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/block-all-mixed-content/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/child-src/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/connect-src/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/default-src/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/font-src/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/form-action/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/frame-ancestors/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/frame-src/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/img-src/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/manifest-src/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/media-src/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/navigate-to/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/object-src/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/plugin-types/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/prefetch-src/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/referrer/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/report-to/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/report-uri/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/require-sri-for/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/require-trusted-types-for/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/sandbox/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/script-src-attr/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/script-src-elem/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/script-src/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/style-src-attr/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/style-src-elem/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/style-src/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/trusted-types/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/upgrade-insecure-requests/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-security-policy/worker-src/{index.html => index.md} (100%) rename files/en-us/web/http/headers/content-type/{index.html => index.md} (100%) rename files/en-us/web/http/headers/cookie/{index.html => index.md} (100%) rename files/en-us/web/http/headers/cookie2/{index.html => index.md} (100%) rename files/en-us/web/http/headers/cross-origin-embedder-policy/{index.html => index.md} (100%) rename files/en-us/web/http/headers/cross-origin-opener-policy/{index.html => index.md} (100%) rename files/en-us/web/http/headers/cross-origin-resource-policy/{index.html => index.md} (100%) rename files/en-us/web/http/headers/date/{index.html => index.md} (100%) rename files/en-us/web/http/headers/device-memory/{index.html => index.md} (100%) rename files/en-us/web/http/headers/digest/{index.html => index.md} (100%) rename files/en-us/web/http/headers/dnt/{index.html => index.md} (100%) rename files/en-us/web/http/headers/downlink/{index.html => index.md} (100%) rename files/en-us/web/http/headers/dpr/{index.html => index.md} (100%) rename files/en-us/web/http/headers/early-data/{index.html => index.md} (100%) rename files/en-us/web/http/headers/ect/{index.html => index.md} (100%) rename files/en-us/web/http/headers/etag/{index.html => index.md} (100%) rename files/en-us/web/http/headers/expect-ct/{index.html => index.md} (100%) rename files/en-us/web/http/headers/expect/{index.html => index.md} (100%) rename files/en-us/web/http/headers/expires/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/accelerometer/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/ambient-light-sensor/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/autoplay/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/battery/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/camera/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/display-capture/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/document-domain/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/encrypted-media/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/fullscreen/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/gamepad/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/geolocation/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/gyroscope/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/layout-animations/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/legacy-image-formats/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/magnetometer/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/microphone/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/midi/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/oversized-images/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/payment/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/picture-in-picture/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/publickey-credentials-get/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/screen-wake-lock/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/sync-xhr/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/unoptimized-images/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/unsized-media/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/usb/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/vibrate/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/vr/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/web-share/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/xr-spatial-tracking/{index.html => index.md} (100%) rename files/en-us/web/http/headers/feature-policy/xr/{index.html => index.md} (100%) rename files/en-us/web/http/headers/forwarded/{index.html => index.md} (100%) rename files/en-us/web/http/headers/from/{index.html => index.md} (100%) rename files/en-us/web/http/headers/host/{index.html => index.md} (100%) rename files/en-us/web/http/headers/if-match/{index.html => index.md} (100%) rename files/en-us/web/http/headers/if-modified-since/{index.html => index.md} (100%) rename files/en-us/web/http/headers/if-none-match/{index.html => index.md} (100%) rename files/en-us/web/http/headers/if-range/{index.html => index.md} (100%) rename files/en-us/web/http/headers/if-unmodified-since/{index.html => index.md} (100%) rename files/en-us/web/http/headers/{index.html => index.md} (100%) rename files/en-us/web/http/headers/keep-alive/{index.html => index.md} (100%) rename files/en-us/web/http/headers/large-allocation/{index.html => index.md} (100%) rename files/en-us/web/http/headers/last-modified/{index.html => index.md} (100%) rename files/en-us/web/http/headers/link/{index.html => index.md} (100%) rename files/en-us/web/http/headers/location/{index.html => index.md} (100%) rename files/en-us/web/http/headers/nel/{index.html => index.md} (100%) rename files/en-us/web/http/headers/origin/{index.html => index.md} (100%) rename files/en-us/web/http/headers/pragma/{index.html => index.md} (100%) rename files/en-us/web/http/headers/proxy-authenticate/{index.html => index.md} (100%) rename files/en-us/web/http/headers/proxy-authorization/{index.html => index.md} (100%) rename files/en-us/web/http/headers/public-key-pins-report-only/{index.html => index.md} (100%) rename files/en-us/web/http/headers/public-key-pins/{index.html => index.md} (100%) rename files/en-us/web/http/headers/range/{index.html => index.md} (100%) rename files/en-us/web/http/headers/referer/{index.html => index.md} (100%) rename files/en-us/web/http/headers/referrer-policy/{index.html => index.md} (100%) rename files/en-us/web/http/headers/retry-after/{index.html => index.md} (100%) rename files/en-us/web/http/headers/rtt/{index.html => index.md} (100%) rename files/en-us/web/http/headers/save-data/{index.html => index.md} (100%) rename files/en-us/web/http/headers/sec-fetch-dest/{index.html => index.md} (100%) rename files/en-us/web/http/headers/sec-fetch-mode/{index.html => index.md} (100%) rename files/en-us/web/http/headers/sec-fetch-site/{index.html => index.md} (100%) rename files/en-us/web/http/headers/sec-fetch-user/{index.html => index.md} (100%) rename files/en-us/web/http/headers/sec-websocket-accept/{index.html => index.md} (100%) rename files/en-us/web/http/headers/server-timing/{index.html => index.md} (100%) rename files/en-us/web/http/headers/server/{index.html => index.md} (100%) rename files/en-us/web/http/headers/set-cookie/{index.html => index.md} (100%) rename files/en-us/web/http/headers/set-cookie/samesite/{index.html => index.md} (100%) rename files/en-us/web/http/headers/set-cookie2/{index.html => index.md} (100%) rename files/en-us/web/http/headers/sourcemap/{index.html => index.md} (100%) rename files/en-us/web/http/headers/strict-transport-security/{index.html => index.md} (100%) rename files/en-us/web/http/headers/te/{index.html => index.md} (100%) rename files/en-us/web/http/headers/timing-allow-origin/{index.html => index.md} (100%) rename files/en-us/web/http/headers/tk/{index.html => index.md} (100%) rename files/en-us/web/http/headers/trailer/{index.html => index.md} (100%) rename files/en-us/web/http/headers/transfer-encoding/{index.html => index.md} (100%) rename files/en-us/web/http/headers/upgrade-insecure-requests/{index.html => index.md} (100%) rename files/en-us/web/http/headers/upgrade/{index.html => index.md} (100%) rename files/en-us/web/http/headers/user-agent/firefox/{index.html => index.md} (100%) rename files/en-us/web/http/headers/user-agent/{index.html => index.md} (100%) rename files/en-us/web/http/headers/vary/{index.html => index.md} (100%) rename files/en-us/web/http/headers/via/{index.html => index.md} (100%) rename files/en-us/web/http/headers/viewport-width/{index.html => index.md} (100%) rename files/en-us/web/http/headers/want-digest/{index.html => index.md} (100%) rename files/en-us/web/http/headers/warning/{index.html => index.md} (100%) rename files/en-us/web/http/headers/width/{index.html => index.md} (100%) rename files/en-us/web/http/headers/www-authenticate/{index.html => index.md} (100%) rename files/en-us/web/http/headers/x-content-type-options/{index.html => index.md} (100%) rename files/en-us/web/http/headers/x-dns-prefetch-control/{index.html => index.md} (100%) rename files/en-us/web/http/headers/x-forwarded-for/{index.html => index.md} (100%) rename files/en-us/web/http/headers/x-forwarded-host/{index.html => index.md} (100%) rename files/en-us/web/http/headers/x-forwarded-proto/{index.html => index.md} (100%) rename files/en-us/web/http/headers/x-frame-options/{index.html => index.md} (100%) rename files/en-us/web/http/headers/x-xss-protection/{index.html => index.md} (100%) rename files/en-us/web/http/{index.html => index.md} (100%) rename files/en-us/web/http/index/{index.html => index.md} (100%) rename files/en-us/web/http/link_prefetching_faq/{index.html => index.md} (100%) rename files/en-us/web/http/messages/{index.html => index.md} (100%) rename files/en-us/web/http/methods/connect/{index.html => index.md} (100%) rename files/en-us/web/http/methods/delete/{index.html => index.md} (100%) rename files/en-us/web/http/methods/get/{index.html => index.md} (100%) rename files/en-us/web/http/methods/head/{index.html => index.md} (100%) rename files/en-us/web/http/methods/{index.html => index.md} (100%) rename files/en-us/web/http/methods/options/{index.html => index.md} (100%) rename files/en-us/web/http/methods/patch/{index.html => index.md} (100%) rename files/en-us/web/http/methods/post/{index.html => index.md} (100%) rename files/en-us/web/http/methods/put/{index.html => index.md} (100%) rename files/en-us/web/http/methods/trace/{index.html => index.md} (100%) rename files/en-us/web/http/network_error_logging/{index.html => index.md} (100%) rename files/en-us/web/http/overview/{index.html => index.md} (100%) rename files/en-us/web/http/protocol_upgrade_mechanism/{index.html => index.md} (100%) rename files/en-us/web/http/proxy_servers_and_tunneling/{index.html => index.md} (100%) rename files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/{index.html => index.md} (100%) rename files/en-us/web/http/public_key_pinning/{index.html => index.md} (100%) rename files/en-us/web/http/range_requests/{index.html => index.md} (100%) rename files/en-us/web/http/redirections/{index.html => index.md} (100%) rename files/en-us/web/http/resources_and_specifications/{index.html => index.md} (100%) rename files/en-us/web/http/resources_and_uris/{index.html => index.md} (100%) rename files/en-us/web/http/session/{index.html => index.md} (100%) rename files/en-us/web/http/status/100/{index.html => index.md} (100%) rename files/en-us/web/http/status/101/{index.html => index.md} (100%) rename files/en-us/web/http/status/103/{index.html => index.md} (100%) rename files/en-us/web/http/status/200/{index.html => index.md} (100%) rename files/en-us/web/http/status/201/{index.html => index.md} (100%) rename files/en-us/web/http/status/202/{index.html => index.md} (100%) rename files/en-us/web/http/status/203/{index.html => index.md} (100%) rename files/en-us/web/http/status/204/{index.html => index.md} (100%) rename files/en-us/web/http/status/205/{index.html => index.md} (100%) rename files/en-us/web/http/status/206/{index.html => index.md} (100%) rename files/en-us/web/http/status/300/{index.html => index.md} (100%) rename files/en-us/web/http/status/301/{index.html => index.md} (100%) rename files/en-us/web/http/status/302/{index.html => index.md} (100%) rename files/en-us/web/http/status/303/{index.html => index.md} (100%) rename files/en-us/web/http/status/304/{index.html => index.md} (100%) rename files/en-us/web/http/status/307/{index.html => index.md} (100%) rename files/en-us/web/http/status/308/{index.html => index.md} (100%) rename files/en-us/web/http/status/400/{index.html => index.md} (100%) rename files/en-us/web/http/status/401/{index.html => index.md} (100%) rename files/en-us/web/http/status/402/{index.html => index.md} (100%) rename files/en-us/web/http/status/403/{index.html => index.md} (100%) rename files/en-us/web/http/status/404/{index.html => index.md} (100%) rename files/en-us/web/http/status/405/{index.html => index.md} (100%) rename files/en-us/web/http/status/406/{index.html => index.md} (100%) rename files/en-us/web/http/status/407/{index.html => index.md} (100%) rename files/en-us/web/http/status/408/{index.html => index.md} (100%) rename files/en-us/web/http/status/409/{index.html => index.md} (100%) rename files/en-us/web/http/status/410/{index.html => index.md} (100%) rename files/en-us/web/http/status/411/{index.html => index.md} (100%) rename files/en-us/web/http/status/412/{index.html => index.md} (100%) rename files/en-us/web/http/status/413/{index.html => index.md} (100%) rename files/en-us/web/http/status/414/{index.html => index.md} (100%) rename files/en-us/web/http/status/415/{index.html => index.md} (100%) rename files/en-us/web/http/status/416/{index.html => index.md} (100%) rename files/en-us/web/http/status/417/{index.html => index.md} (100%) rename files/en-us/web/http/status/418/{index.html => index.md} (100%) rename files/en-us/web/http/status/422/{index.html => index.md} (100%) rename files/en-us/web/http/status/425/{index.html => index.md} (100%) rename files/en-us/web/http/status/426/{index.html => index.md} (100%) rename files/en-us/web/http/status/428/{index.html => index.md} (100%) rename files/en-us/web/http/status/429/{index.html => index.md} (100%) rename files/en-us/web/http/status/431/{index.html => index.md} (100%) rename files/en-us/web/http/status/451/{index.html => index.md} (100%) rename files/en-us/web/http/status/500/{index.html => index.md} (100%) rename files/en-us/web/http/status/501/{index.html => index.md} (100%) rename files/en-us/web/http/status/502/{index.html => index.md} (100%) rename files/en-us/web/http/status/503/{index.html => index.md} (100%) rename files/en-us/web/http/status/504/{index.html => index.md} (100%) rename files/en-us/web/http/status/505/{index.html => index.md} (100%) rename files/en-us/web/http/status/506/{index.html => index.md} (100%) rename files/en-us/web/http/status/507/{index.html => index.md} (100%) rename files/en-us/web/http/status/508/{index.html => index.md} (100%) rename files/en-us/web/http/status/510/{index.html => index.md} (100%) rename files/en-us/web/http/status/511/{index.html => index.md} (100%) rename files/en-us/web/http/status/{index.html => index.md} (100%) diff --git a/files/en-us/web/http/authentication/index.html b/files/en-us/web/http/authentication/index.md similarity index 100% rename from files/en-us/web/http/authentication/index.html rename to files/en-us/web/http/authentication/index.md diff --git a/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.html b/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md similarity index 100% rename from files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.html rename to files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md diff --git a/files/en-us/web/http/basics_of_http/data_uris/index.html b/files/en-us/web/http/basics_of_http/data_uris/index.md similarity index 100% rename from files/en-us/web/http/basics_of_http/data_uris/index.html rename to files/en-us/web/http/basics_of_http/data_uris/index.md diff --git a/files/en-us/web/http/basics_of_http/evolution_of_http/index.html b/files/en-us/web/http/basics_of_http/evolution_of_http/index.md similarity index 100% rename from files/en-us/web/http/basics_of_http/evolution_of_http/index.html rename to files/en-us/web/http/basics_of_http/evolution_of_http/index.md diff --git a/files/en-us/web/http/basics_of_http/identifying_resources_on_the_web/index.html b/files/en-us/web/http/basics_of_http/identifying_resources_on_the_web/index.md similarity index 100% rename from files/en-us/web/http/basics_of_http/identifying_resources_on_the_web/index.html rename to files/en-us/web/http/basics_of_http/identifying_resources_on_the_web/index.md diff --git a/files/en-us/web/http/basics_of_http/index.html b/files/en-us/web/http/basics_of_http/index.md similarity index 100% rename from files/en-us/web/http/basics_of_http/index.html rename to files/en-us/web/http/basics_of_http/index.md diff --git a/files/en-us/web/http/basics_of_http/mime_types/common_types/index.html b/files/en-us/web/http/basics_of_http/mime_types/common_types/index.md similarity index 100% rename from files/en-us/web/http/basics_of_http/mime_types/common_types/index.html rename to files/en-us/web/http/basics_of_http/mime_types/common_types/index.md diff --git a/files/en-us/web/http/basics_of_http/mime_types/index.html b/files/en-us/web/http/basics_of_http/mime_types/index.md similarity index 100% rename from files/en-us/web/http/basics_of_http/mime_types/index.html rename to files/en-us/web/http/basics_of_http/mime_types/index.md diff --git a/files/en-us/web/http/basics_of_http/resource_urls/index.html b/files/en-us/web/http/basics_of_http/resource_urls/index.md similarity index 100% rename from files/en-us/web/http/basics_of_http/resource_urls/index.html rename to files/en-us/web/http/basics_of_http/resource_urls/index.md diff --git a/files/en-us/web/http/browser_detection_using_the_user_agent/index.html b/files/en-us/web/http/browser_detection_using_the_user_agent/index.md similarity index 100% rename from files/en-us/web/http/browser_detection_using_the_user_agent/index.html rename to files/en-us/web/http/browser_detection_using_the_user_agent/index.md diff --git a/files/en-us/web/http/caching/index.html b/files/en-us/web/http/caching/index.md similarity index 100% rename from files/en-us/web/http/caching/index.html rename to files/en-us/web/http/caching/index.md diff --git a/files/en-us/web/http/compression/index.html b/files/en-us/web/http/compression/index.md similarity index 100% rename from files/en-us/web/http/compression/index.html rename to files/en-us/web/http/compression/index.md diff --git a/files/en-us/web/http/conditional_requests/index.html b/files/en-us/web/http/conditional_requests/index.md similarity index 100% rename from files/en-us/web/http/conditional_requests/index.html rename to files/en-us/web/http/conditional_requests/index.md diff --git a/files/en-us/web/http/configuring_servers_for_ogg_media/index.html b/files/en-us/web/http/configuring_servers_for_ogg_media/index.md similarity index 100% rename from files/en-us/web/http/configuring_servers_for_ogg_media/index.html rename to files/en-us/web/http/configuring_servers_for_ogg_media/index.md diff --git a/files/en-us/web/http/connection_management_in_http_1.x/index.html b/files/en-us/web/http/connection_management_in_http_1.x/index.md similarity index 100% rename from files/en-us/web/http/connection_management_in_http_1.x/index.html rename to files/en-us/web/http/connection_management_in_http_1.x/index.md diff --git a/files/en-us/web/http/content_negotiation/index.html b/files/en-us/web/http/content_negotiation/index.md similarity index 100% rename from files/en-us/web/http/content_negotiation/index.html rename to files/en-us/web/http/content_negotiation/index.md diff --git a/files/en-us/web/http/content_negotiation/list_of_default_accept_values/index.html b/files/en-us/web/http/content_negotiation/list_of_default_accept_values/index.md similarity index 100% rename from files/en-us/web/http/content_negotiation/list_of_default_accept_values/index.html rename to files/en-us/web/http/content_negotiation/list_of_default_accept_values/index.md diff --git a/files/en-us/web/http/cookies/index.html b/files/en-us/web/http/cookies/index.md similarity index 100% rename from files/en-us/web/http/cookies/index.html rename to files/en-us/web/http/cookies/index.md diff --git a/files/en-us/web/http/cors/errors/corsalloworiginnotmatchingorigin/index.html b/files/en-us/web/http/cors/errors/corsalloworiginnotmatchingorigin/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corsalloworiginnotmatchingorigin/index.html rename to files/en-us/web/http/cors/errors/corsalloworiginnotmatchingorigin/index.md diff --git a/files/en-us/web/http/cors/errors/corsdidnotsucceed/index.html b/files/en-us/web/http/cors/errors/corsdidnotsucceed/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corsdidnotsucceed/index.html rename to files/en-us/web/http/cors/errors/corsdidnotsucceed/index.md diff --git a/files/en-us/web/http/cors/errors/corsdisabled/index.html b/files/en-us/web/http/cors/errors/corsdisabled/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corsdisabled/index.html rename to files/en-us/web/http/cors/errors/corsdisabled/index.md diff --git a/files/en-us/web/http/cors/errors/corsexternalredirectnotallowed/index.html b/files/en-us/web/http/cors/errors/corsexternalredirectnotallowed/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corsexternalredirectnotallowed/index.html rename to files/en-us/web/http/cors/errors/corsexternalredirectnotallowed/index.md diff --git a/files/en-us/web/http/cors/errors/corsinvalidallowheader/index.html b/files/en-us/web/http/cors/errors/corsinvalidallowheader/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corsinvalidallowheader/index.html rename to files/en-us/web/http/cors/errors/corsinvalidallowheader/index.md diff --git a/files/en-us/web/http/cors/errors/corsinvalidallowmethod/index.html b/files/en-us/web/http/cors/errors/corsinvalidallowmethod/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corsinvalidallowmethod/index.html rename to files/en-us/web/http/cors/errors/corsinvalidallowmethod/index.md diff --git a/files/en-us/web/http/cors/errors/corsmethodnotfound/index.html b/files/en-us/web/http/cors/errors/corsmethodnotfound/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corsmethodnotfound/index.html rename to files/en-us/web/http/cors/errors/corsmethodnotfound/index.md diff --git a/files/en-us/web/http/cors/errors/corsmissingallowcredentials/index.html b/files/en-us/web/http/cors/errors/corsmissingallowcredentials/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corsmissingallowcredentials/index.html rename to files/en-us/web/http/cors/errors/corsmissingallowcredentials/index.md diff --git a/files/en-us/web/http/cors/errors/corsmissingallowheaderfrompreflight/index.html b/files/en-us/web/http/cors/errors/corsmissingallowheaderfrompreflight/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corsmissingallowheaderfrompreflight/index.html rename to files/en-us/web/http/cors/errors/corsmissingallowheaderfrompreflight/index.md diff --git a/files/en-us/web/http/cors/errors/corsmissingalloworigin/index.html b/files/en-us/web/http/cors/errors/corsmissingalloworigin/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corsmissingalloworigin/index.html rename to files/en-us/web/http/cors/errors/corsmissingalloworigin/index.md diff --git a/files/en-us/web/http/cors/errors/corsmultiplealloworiginnotallowed/index.html b/files/en-us/web/http/cors/errors/corsmultiplealloworiginnotallowed/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corsmultiplealloworiginnotallowed/index.html rename to files/en-us/web/http/cors/errors/corsmultiplealloworiginnotallowed/index.md diff --git a/files/en-us/web/http/cors/errors/corsnotsupportingcredentials/index.html b/files/en-us/web/http/cors/errors/corsnotsupportingcredentials/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corsnotsupportingcredentials/index.html rename to files/en-us/web/http/cors/errors/corsnotsupportingcredentials/index.md diff --git a/files/en-us/web/http/cors/errors/corsoriginheadernotadded/index.html b/files/en-us/web/http/cors/errors/corsoriginheadernotadded/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corsoriginheadernotadded/index.html rename to files/en-us/web/http/cors/errors/corsoriginheadernotadded/index.md diff --git a/files/en-us/web/http/cors/errors/corspreflightdidnotsucceed/index.html b/files/en-us/web/http/cors/errors/corspreflightdidnotsucceed/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corspreflightdidnotsucceed/index.html rename to files/en-us/web/http/cors/errors/corspreflightdidnotsucceed/index.md diff --git a/files/en-us/web/http/cors/errors/corsrequestnothttp/index.html b/files/en-us/web/http/cors/errors/corsrequestnothttp/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/corsrequestnothttp/index.html rename to files/en-us/web/http/cors/errors/corsrequestnothttp/index.md diff --git a/files/en-us/web/http/cors/errors/index.html b/files/en-us/web/http/cors/errors/index.md similarity index 100% rename from files/en-us/web/http/cors/errors/index.html rename to files/en-us/web/http/cors/errors/index.md diff --git a/files/en-us/web/http/cors/index.html b/files/en-us/web/http/cors/index.md similarity index 100% rename from files/en-us/web/http/cors/index.html rename to files/en-us/web/http/cors/index.md diff --git a/files/en-us/web/http/cross-origin_resource_policy_(corp)/index.html b/files/en-us/web/http/cross-origin_resource_policy_(corp)/index.md similarity index 100% rename from files/en-us/web/http/cross-origin_resource_policy_(corp)/index.html rename to files/en-us/web/http/cross-origin_resource_policy_(corp)/index.md diff --git a/files/en-us/web/http/csp/errors/cspviolation/index.html b/files/en-us/web/http/csp/errors/cspviolation/index.md similarity index 100% rename from files/en-us/web/http/csp/errors/cspviolation/index.html rename to files/en-us/web/http/csp/errors/cspviolation/index.md diff --git a/files/en-us/web/http/csp/errors/index.html b/files/en-us/web/http/csp/errors/index.md similarity index 100% rename from files/en-us/web/http/csp/errors/index.html rename to files/en-us/web/http/csp/errors/index.md diff --git a/files/en-us/web/http/csp/index.html b/files/en-us/web/http/csp/index.md similarity index 100% rename from files/en-us/web/http/csp/index.html rename to files/en-us/web/http/csp/index.md diff --git a/files/en-us/web/http/feature_policy/index.html b/files/en-us/web/http/feature_policy/index.md similarity index 100% rename from files/en-us/web/http/feature_policy/index.html rename to files/en-us/web/http/feature_policy/index.md diff --git a/files/en-us/web/http/feature_policy/using_feature_policy/index.html b/files/en-us/web/http/feature_policy/using_feature_policy/index.md similarity index 100% rename from files/en-us/web/http/feature_policy/using_feature_policy/index.html rename to files/en-us/web/http/feature_policy/using_feature_policy/index.md diff --git a/files/en-us/web/http/headers/accept-ch-lifetime/index.html b/files/en-us/web/http/headers/accept-ch-lifetime/index.md similarity index 100% rename from files/en-us/web/http/headers/accept-ch-lifetime/index.html rename to files/en-us/web/http/headers/accept-ch-lifetime/index.md diff --git a/files/en-us/web/http/headers/accept-ch/index.html b/files/en-us/web/http/headers/accept-ch/index.md similarity index 100% rename from files/en-us/web/http/headers/accept-ch/index.html rename to files/en-us/web/http/headers/accept-ch/index.md diff --git a/files/en-us/web/http/headers/accept-charset/index.html b/files/en-us/web/http/headers/accept-charset/index.md similarity index 100% rename from files/en-us/web/http/headers/accept-charset/index.html rename to files/en-us/web/http/headers/accept-charset/index.md diff --git a/files/en-us/web/http/headers/accept-encoding/index.html b/files/en-us/web/http/headers/accept-encoding/index.md similarity index 100% rename from files/en-us/web/http/headers/accept-encoding/index.html rename to files/en-us/web/http/headers/accept-encoding/index.md diff --git a/files/en-us/web/http/headers/accept-language/index.html b/files/en-us/web/http/headers/accept-language/index.md similarity index 100% rename from files/en-us/web/http/headers/accept-language/index.html rename to files/en-us/web/http/headers/accept-language/index.md diff --git a/files/en-us/web/http/headers/accept-patch/index.html b/files/en-us/web/http/headers/accept-patch/index.md similarity index 100% rename from files/en-us/web/http/headers/accept-patch/index.html rename to files/en-us/web/http/headers/accept-patch/index.md diff --git a/files/en-us/web/http/headers/accept-post/index.html b/files/en-us/web/http/headers/accept-post/index.md similarity index 100% rename from files/en-us/web/http/headers/accept-post/index.html rename to files/en-us/web/http/headers/accept-post/index.md diff --git a/files/en-us/web/http/headers/accept-ranges/index.html b/files/en-us/web/http/headers/accept-ranges/index.md similarity index 100% rename from files/en-us/web/http/headers/accept-ranges/index.html rename to files/en-us/web/http/headers/accept-ranges/index.md diff --git a/files/en-us/web/http/headers/accept/index.html b/files/en-us/web/http/headers/accept/index.md similarity index 100% rename from files/en-us/web/http/headers/accept/index.html rename to files/en-us/web/http/headers/accept/index.md diff --git a/files/en-us/web/http/headers/access-control-allow-credentials/index.html b/files/en-us/web/http/headers/access-control-allow-credentials/index.md similarity index 100% rename from files/en-us/web/http/headers/access-control-allow-credentials/index.html rename to files/en-us/web/http/headers/access-control-allow-credentials/index.md diff --git a/files/en-us/web/http/headers/access-control-allow-headers/index.html b/files/en-us/web/http/headers/access-control-allow-headers/index.md similarity index 100% rename from files/en-us/web/http/headers/access-control-allow-headers/index.html rename to files/en-us/web/http/headers/access-control-allow-headers/index.md diff --git a/files/en-us/web/http/headers/access-control-allow-methods/index.html b/files/en-us/web/http/headers/access-control-allow-methods/index.md similarity index 100% rename from files/en-us/web/http/headers/access-control-allow-methods/index.html rename to files/en-us/web/http/headers/access-control-allow-methods/index.md diff --git a/files/en-us/web/http/headers/access-control-allow-origin/index.html b/files/en-us/web/http/headers/access-control-allow-origin/index.md similarity index 100% rename from files/en-us/web/http/headers/access-control-allow-origin/index.html rename to files/en-us/web/http/headers/access-control-allow-origin/index.md diff --git a/files/en-us/web/http/headers/access-control-expose-headers/index.html b/files/en-us/web/http/headers/access-control-expose-headers/index.md similarity index 100% rename from files/en-us/web/http/headers/access-control-expose-headers/index.html rename to files/en-us/web/http/headers/access-control-expose-headers/index.md diff --git a/files/en-us/web/http/headers/access-control-max-age/index.html b/files/en-us/web/http/headers/access-control-max-age/index.md similarity index 100% rename from files/en-us/web/http/headers/access-control-max-age/index.html rename to files/en-us/web/http/headers/access-control-max-age/index.md diff --git a/files/en-us/web/http/headers/access-control-request-headers/index.html b/files/en-us/web/http/headers/access-control-request-headers/index.md similarity index 100% rename from files/en-us/web/http/headers/access-control-request-headers/index.html rename to files/en-us/web/http/headers/access-control-request-headers/index.md diff --git a/files/en-us/web/http/headers/access-control-request-method/index.html b/files/en-us/web/http/headers/access-control-request-method/index.md similarity index 100% rename from files/en-us/web/http/headers/access-control-request-method/index.html rename to files/en-us/web/http/headers/access-control-request-method/index.md diff --git a/files/en-us/web/http/headers/age/index.html b/files/en-us/web/http/headers/age/index.md similarity index 100% rename from files/en-us/web/http/headers/age/index.html rename to files/en-us/web/http/headers/age/index.md diff --git a/files/en-us/web/http/headers/allow/index.html b/files/en-us/web/http/headers/allow/index.md similarity index 100% rename from files/en-us/web/http/headers/allow/index.html rename to files/en-us/web/http/headers/allow/index.md diff --git a/files/en-us/web/http/headers/alt-svc/index.html b/files/en-us/web/http/headers/alt-svc/index.md similarity index 100% rename from files/en-us/web/http/headers/alt-svc/index.html rename to files/en-us/web/http/headers/alt-svc/index.md diff --git a/files/en-us/web/http/headers/authorization/index.html b/files/en-us/web/http/headers/authorization/index.md similarity index 100% rename from files/en-us/web/http/headers/authorization/index.html rename to files/en-us/web/http/headers/authorization/index.md diff --git a/files/en-us/web/http/headers/cache-control/index.html b/files/en-us/web/http/headers/cache-control/index.md similarity index 100% rename from files/en-us/web/http/headers/cache-control/index.html rename to files/en-us/web/http/headers/cache-control/index.md diff --git a/files/en-us/web/http/headers/clear-site-data/index.html b/files/en-us/web/http/headers/clear-site-data/index.md similarity index 100% rename from files/en-us/web/http/headers/clear-site-data/index.html rename to files/en-us/web/http/headers/clear-site-data/index.md diff --git a/files/en-us/web/http/headers/connection/index.html b/files/en-us/web/http/headers/connection/index.md similarity index 100% rename from files/en-us/web/http/headers/connection/index.html rename to files/en-us/web/http/headers/connection/index.md diff --git a/files/en-us/web/http/headers/content-disposition/index.html b/files/en-us/web/http/headers/content-disposition/index.md similarity index 100% rename from files/en-us/web/http/headers/content-disposition/index.html rename to files/en-us/web/http/headers/content-disposition/index.md diff --git a/files/en-us/web/http/headers/content-dpr/index.html b/files/en-us/web/http/headers/content-dpr/index.md similarity index 100% rename from files/en-us/web/http/headers/content-dpr/index.html rename to files/en-us/web/http/headers/content-dpr/index.md diff --git a/files/en-us/web/http/headers/content-encoding/index.html b/files/en-us/web/http/headers/content-encoding/index.md similarity index 100% rename from files/en-us/web/http/headers/content-encoding/index.html rename to files/en-us/web/http/headers/content-encoding/index.md diff --git a/files/en-us/web/http/headers/content-language/index.html b/files/en-us/web/http/headers/content-language/index.md similarity index 100% rename from files/en-us/web/http/headers/content-language/index.html rename to files/en-us/web/http/headers/content-language/index.md diff --git a/files/en-us/web/http/headers/content-length/index.html b/files/en-us/web/http/headers/content-length/index.md similarity index 100% rename from files/en-us/web/http/headers/content-length/index.html rename to files/en-us/web/http/headers/content-length/index.md diff --git a/files/en-us/web/http/headers/content-location/index.html b/files/en-us/web/http/headers/content-location/index.md similarity index 100% rename from files/en-us/web/http/headers/content-location/index.html rename to files/en-us/web/http/headers/content-location/index.md diff --git a/files/en-us/web/http/headers/content-range/index.html b/files/en-us/web/http/headers/content-range/index.md similarity index 100% rename from files/en-us/web/http/headers/content-range/index.html rename to files/en-us/web/http/headers/content-range/index.md diff --git a/files/en-us/web/http/headers/content-security-policy-report-only/index.html b/files/en-us/web/http/headers/content-security-policy-report-only/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy-report-only/index.html rename to files/en-us/web/http/headers/content-security-policy-report-only/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/base-uri/index.html b/files/en-us/web/http/headers/content-security-policy/base-uri/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/base-uri/index.html rename to files/en-us/web/http/headers/content-security-policy/base-uri/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/block-all-mixed-content/index.html b/files/en-us/web/http/headers/content-security-policy/block-all-mixed-content/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/block-all-mixed-content/index.html rename to files/en-us/web/http/headers/content-security-policy/block-all-mixed-content/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/child-src/index.html b/files/en-us/web/http/headers/content-security-policy/child-src/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/child-src/index.html rename to files/en-us/web/http/headers/content-security-policy/child-src/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/connect-src/index.html b/files/en-us/web/http/headers/content-security-policy/connect-src/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/connect-src/index.html rename to files/en-us/web/http/headers/content-security-policy/connect-src/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/default-src/index.html b/files/en-us/web/http/headers/content-security-policy/default-src/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/default-src/index.html rename to files/en-us/web/http/headers/content-security-policy/default-src/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/font-src/index.html b/files/en-us/web/http/headers/content-security-policy/font-src/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/font-src/index.html rename to files/en-us/web/http/headers/content-security-policy/font-src/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/form-action/index.html b/files/en-us/web/http/headers/content-security-policy/form-action/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/form-action/index.html rename to files/en-us/web/http/headers/content-security-policy/form-action/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/frame-ancestors/index.html b/files/en-us/web/http/headers/content-security-policy/frame-ancestors/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/frame-ancestors/index.html rename to files/en-us/web/http/headers/content-security-policy/frame-ancestors/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/frame-src/index.html b/files/en-us/web/http/headers/content-security-policy/frame-src/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/frame-src/index.html rename to files/en-us/web/http/headers/content-security-policy/frame-src/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/img-src/index.html b/files/en-us/web/http/headers/content-security-policy/img-src/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/img-src/index.html rename to files/en-us/web/http/headers/content-security-policy/img-src/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/index.html b/files/en-us/web/http/headers/content-security-policy/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/index.html rename to files/en-us/web/http/headers/content-security-policy/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/manifest-src/index.html b/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/manifest-src/index.html rename to files/en-us/web/http/headers/content-security-policy/manifest-src/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/media-src/index.html b/files/en-us/web/http/headers/content-security-policy/media-src/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/media-src/index.html rename to files/en-us/web/http/headers/content-security-policy/media-src/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/navigate-to/index.html b/files/en-us/web/http/headers/content-security-policy/navigate-to/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/navigate-to/index.html rename to files/en-us/web/http/headers/content-security-policy/navigate-to/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/object-src/index.html b/files/en-us/web/http/headers/content-security-policy/object-src/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/object-src/index.html rename to files/en-us/web/http/headers/content-security-policy/object-src/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/plugin-types/index.html b/files/en-us/web/http/headers/content-security-policy/plugin-types/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/plugin-types/index.html rename to files/en-us/web/http/headers/content-security-policy/plugin-types/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.html b/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/prefetch-src/index.html rename to files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/referrer/index.html b/files/en-us/web/http/headers/content-security-policy/referrer/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/referrer/index.html rename to files/en-us/web/http/headers/content-security-policy/referrer/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/report-to/index.html b/files/en-us/web/http/headers/content-security-policy/report-to/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/report-to/index.html rename to files/en-us/web/http/headers/content-security-policy/report-to/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/report-uri/index.html b/files/en-us/web/http/headers/content-security-policy/report-uri/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/report-uri/index.html rename to files/en-us/web/http/headers/content-security-policy/report-uri/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/require-sri-for/index.html b/files/en-us/web/http/headers/content-security-policy/require-sri-for/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/require-sri-for/index.html rename to files/en-us/web/http/headers/content-security-policy/require-sri-for/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/require-trusted-types-for/index.html b/files/en-us/web/http/headers/content-security-policy/require-trusted-types-for/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/require-trusted-types-for/index.html rename to files/en-us/web/http/headers/content-security-policy/require-trusted-types-for/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/sandbox/index.html b/files/en-us/web/http/headers/content-security-policy/sandbox/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/sandbox/index.html rename to files/en-us/web/http/headers/content-security-policy/sandbox/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.html b/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/script-src-attr/index.html rename to files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.html b/files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/script-src-elem/index.html rename to files/en-us/web/http/headers/content-security-policy/script-src-elem/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/script-src/index.html b/files/en-us/web/http/headers/content-security-policy/script-src/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/script-src/index.html rename to files/en-us/web/http/headers/content-security-policy/script-src/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.html b/files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/style-src-attr/index.html rename to files/en-us/web/http/headers/content-security-policy/style-src-attr/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.html b/files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/style-src-elem/index.html rename to files/en-us/web/http/headers/content-security-policy/style-src-elem/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/style-src/index.html b/files/en-us/web/http/headers/content-security-policy/style-src/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/style-src/index.html rename to files/en-us/web/http/headers/content-security-policy/style-src/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/trusted-types/index.html b/files/en-us/web/http/headers/content-security-policy/trusted-types/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/trusted-types/index.html rename to files/en-us/web/http/headers/content-security-policy/trusted-types/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/upgrade-insecure-requests/index.html b/files/en-us/web/http/headers/content-security-policy/upgrade-insecure-requests/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/upgrade-insecure-requests/index.html rename to files/en-us/web/http/headers/content-security-policy/upgrade-insecure-requests/index.md diff --git a/files/en-us/web/http/headers/content-security-policy/worker-src/index.html b/files/en-us/web/http/headers/content-security-policy/worker-src/index.md similarity index 100% rename from files/en-us/web/http/headers/content-security-policy/worker-src/index.html rename to files/en-us/web/http/headers/content-security-policy/worker-src/index.md diff --git a/files/en-us/web/http/headers/content-type/index.html b/files/en-us/web/http/headers/content-type/index.md similarity index 100% rename from files/en-us/web/http/headers/content-type/index.html rename to files/en-us/web/http/headers/content-type/index.md diff --git a/files/en-us/web/http/headers/cookie/index.html b/files/en-us/web/http/headers/cookie/index.md similarity index 100% rename from files/en-us/web/http/headers/cookie/index.html rename to files/en-us/web/http/headers/cookie/index.md diff --git a/files/en-us/web/http/headers/cookie2/index.html b/files/en-us/web/http/headers/cookie2/index.md similarity index 100% rename from files/en-us/web/http/headers/cookie2/index.html rename to files/en-us/web/http/headers/cookie2/index.md diff --git a/files/en-us/web/http/headers/cross-origin-embedder-policy/index.html b/files/en-us/web/http/headers/cross-origin-embedder-policy/index.md similarity index 100% rename from files/en-us/web/http/headers/cross-origin-embedder-policy/index.html rename to files/en-us/web/http/headers/cross-origin-embedder-policy/index.md diff --git a/files/en-us/web/http/headers/cross-origin-opener-policy/index.html b/files/en-us/web/http/headers/cross-origin-opener-policy/index.md similarity index 100% rename from files/en-us/web/http/headers/cross-origin-opener-policy/index.html rename to files/en-us/web/http/headers/cross-origin-opener-policy/index.md diff --git a/files/en-us/web/http/headers/cross-origin-resource-policy/index.html b/files/en-us/web/http/headers/cross-origin-resource-policy/index.md similarity index 100% rename from files/en-us/web/http/headers/cross-origin-resource-policy/index.html rename to files/en-us/web/http/headers/cross-origin-resource-policy/index.md diff --git a/files/en-us/web/http/headers/date/index.html b/files/en-us/web/http/headers/date/index.md similarity index 100% rename from files/en-us/web/http/headers/date/index.html rename to files/en-us/web/http/headers/date/index.md diff --git a/files/en-us/web/http/headers/device-memory/index.html b/files/en-us/web/http/headers/device-memory/index.md similarity index 100% rename from files/en-us/web/http/headers/device-memory/index.html rename to files/en-us/web/http/headers/device-memory/index.md diff --git a/files/en-us/web/http/headers/digest/index.html b/files/en-us/web/http/headers/digest/index.md similarity index 100% rename from files/en-us/web/http/headers/digest/index.html rename to files/en-us/web/http/headers/digest/index.md diff --git a/files/en-us/web/http/headers/dnt/index.html b/files/en-us/web/http/headers/dnt/index.md similarity index 100% rename from files/en-us/web/http/headers/dnt/index.html rename to files/en-us/web/http/headers/dnt/index.md diff --git a/files/en-us/web/http/headers/downlink/index.html b/files/en-us/web/http/headers/downlink/index.md similarity index 100% rename from files/en-us/web/http/headers/downlink/index.html rename to files/en-us/web/http/headers/downlink/index.md diff --git a/files/en-us/web/http/headers/dpr/index.html b/files/en-us/web/http/headers/dpr/index.md similarity index 100% rename from files/en-us/web/http/headers/dpr/index.html rename to files/en-us/web/http/headers/dpr/index.md diff --git a/files/en-us/web/http/headers/early-data/index.html b/files/en-us/web/http/headers/early-data/index.md similarity index 100% rename from files/en-us/web/http/headers/early-data/index.html rename to files/en-us/web/http/headers/early-data/index.md diff --git a/files/en-us/web/http/headers/ect/index.html b/files/en-us/web/http/headers/ect/index.md similarity index 100% rename from files/en-us/web/http/headers/ect/index.html rename to files/en-us/web/http/headers/ect/index.md diff --git a/files/en-us/web/http/headers/etag/index.html b/files/en-us/web/http/headers/etag/index.md similarity index 100% rename from files/en-us/web/http/headers/etag/index.html rename to files/en-us/web/http/headers/etag/index.md diff --git a/files/en-us/web/http/headers/expect-ct/index.html b/files/en-us/web/http/headers/expect-ct/index.md similarity index 100% rename from files/en-us/web/http/headers/expect-ct/index.html rename to files/en-us/web/http/headers/expect-ct/index.md diff --git a/files/en-us/web/http/headers/expect/index.html b/files/en-us/web/http/headers/expect/index.md similarity index 100% rename from files/en-us/web/http/headers/expect/index.html rename to files/en-us/web/http/headers/expect/index.md diff --git a/files/en-us/web/http/headers/expires/index.html b/files/en-us/web/http/headers/expires/index.md similarity index 100% rename from files/en-us/web/http/headers/expires/index.html rename to files/en-us/web/http/headers/expires/index.md diff --git a/files/en-us/web/http/headers/feature-policy/accelerometer/index.html b/files/en-us/web/http/headers/feature-policy/accelerometer/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/accelerometer/index.html rename to files/en-us/web/http/headers/feature-policy/accelerometer/index.md diff --git a/files/en-us/web/http/headers/feature-policy/ambient-light-sensor/index.html b/files/en-us/web/http/headers/feature-policy/ambient-light-sensor/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/ambient-light-sensor/index.html rename to files/en-us/web/http/headers/feature-policy/ambient-light-sensor/index.md diff --git a/files/en-us/web/http/headers/feature-policy/autoplay/index.html b/files/en-us/web/http/headers/feature-policy/autoplay/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/autoplay/index.html rename to files/en-us/web/http/headers/feature-policy/autoplay/index.md diff --git a/files/en-us/web/http/headers/feature-policy/battery/index.html b/files/en-us/web/http/headers/feature-policy/battery/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/battery/index.html rename to files/en-us/web/http/headers/feature-policy/battery/index.md diff --git a/files/en-us/web/http/headers/feature-policy/camera/index.html b/files/en-us/web/http/headers/feature-policy/camera/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/camera/index.html rename to files/en-us/web/http/headers/feature-policy/camera/index.md diff --git a/files/en-us/web/http/headers/feature-policy/display-capture/index.html b/files/en-us/web/http/headers/feature-policy/display-capture/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/display-capture/index.html rename to files/en-us/web/http/headers/feature-policy/display-capture/index.md diff --git a/files/en-us/web/http/headers/feature-policy/document-domain/index.html b/files/en-us/web/http/headers/feature-policy/document-domain/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/document-domain/index.html rename to files/en-us/web/http/headers/feature-policy/document-domain/index.md diff --git a/files/en-us/web/http/headers/feature-policy/encrypted-media/index.html b/files/en-us/web/http/headers/feature-policy/encrypted-media/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/encrypted-media/index.html rename to files/en-us/web/http/headers/feature-policy/encrypted-media/index.md diff --git a/files/en-us/web/http/headers/feature-policy/fullscreen/index.html b/files/en-us/web/http/headers/feature-policy/fullscreen/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/fullscreen/index.html rename to files/en-us/web/http/headers/feature-policy/fullscreen/index.md diff --git a/files/en-us/web/http/headers/feature-policy/gamepad/index.html b/files/en-us/web/http/headers/feature-policy/gamepad/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/gamepad/index.html rename to files/en-us/web/http/headers/feature-policy/gamepad/index.md diff --git a/files/en-us/web/http/headers/feature-policy/geolocation/index.html b/files/en-us/web/http/headers/feature-policy/geolocation/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/geolocation/index.html rename to files/en-us/web/http/headers/feature-policy/geolocation/index.md diff --git a/files/en-us/web/http/headers/feature-policy/gyroscope/index.html b/files/en-us/web/http/headers/feature-policy/gyroscope/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/gyroscope/index.html rename to files/en-us/web/http/headers/feature-policy/gyroscope/index.md diff --git a/files/en-us/web/http/headers/feature-policy/index.html b/files/en-us/web/http/headers/feature-policy/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/index.html rename to files/en-us/web/http/headers/feature-policy/index.md diff --git a/files/en-us/web/http/headers/feature-policy/layout-animations/index.html b/files/en-us/web/http/headers/feature-policy/layout-animations/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/layout-animations/index.html rename to files/en-us/web/http/headers/feature-policy/layout-animations/index.md diff --git a/files/en-us/web/http/headers/feature-policy/legacy-image-formats/index.html b/files/en-us/web/http/headers/feature-policy/legacy-image-formats/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/legacy-image-formats/index.html rename to files/en-us/web/http/headers/feature-policy/legacy-image-formats/index.md diff --git a/files/en-us/web/http/headers/feature-policy/magnetometer/index.html b/files/en-us/web/http/headers/feature-policy/magnetometer/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/magnetometer/index.html rename to files/en-us/web/http/headers/feature-policy/magnetometer/index.md diff --git a/files/en-us/web/http/headers/feature-policy/microphone/index.html b/files/en-us/web/http/headers/feature-policy/microphone/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/microphone/index.html rename to files/en-us/web/http/headers/feature-policy/microphone/index.md diff --git a/files/en-us/web/http/headers/feature-policy/midi/index.html b/files/en-us/web/http/headers/feature-policy/midi/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/midi/index.html rename to files/en-us/web/http/headers/feature-policy/midi/index.md diff --git a/files/en-us/web/http/headers/feature-policy/oversized-images/index.html b/files/en-us/web/http/headers/feature-policy/oversized-images/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/oversized-images/index.html rename to files/en-us/web/http/headers/feature-policy/oversized-images/index.md diff --git a/files/en-us/web/http/headers/feature-policy/payment/index.html b/files/en-us/web/http/headers/feature-policy/payment/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/payment/index.html rename to files/en-us/web/http/headers/feature-policy/payment/index.md diff --git a/files/en-us/web/http/headers/feature-policy/picture-in-picture/index.html b/files/en-us/web/http/headers/feature-policy/picture-in-picture/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/picture-in-picture/index.html rename to files/en-us/web/http/headers/feature-policy/picture-in-picture/index.md diff --git a/files/en-us/web/http/headers/feature-policy/publickey-credentials-get/index.html b/files/en-us/web/http/headers/feature-policy/publickey-credentials-get/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/publickey-credentials-get/index.html rename to files/en-us/web/http/headers/feature-policy/publickey-credentials-get/index.md diff --git a/files/en-us/web/http/headers/feature-policy/screen-wake-lock/index.html b/files/en-us/web/http/headers/feature-policy/screen-wake-lock/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/screen-wake-lock/index.html rename to files/en-us/web/http/headers/feature-policy/screen-wake-lock/index.md diff --git a/files/en-us/web/http/headers/feature-policy/sync-xhr/index.html b/files/en-us/web/http/headers/feature-policy/sync-xhr/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/sync-xhr/index.html rename to files/en-us/web/http/headers/feature-policy/sync-xhr/index.md diff --git a/files/en-us/web/http/headers/feature-policy/unoptimized-images/index.html b/files/en-us/web/http/headers/feature-policy/unoptimized-images/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/unoptimized-images/index.html rename to files/en-us/web/http/headers/feature-policy/unoptimized-images/index.md diff --git a/files/en-us/web/http/headers/feature-policy/unsized-media/index.html b/files/en-us/web/http/headers/feature-policy/unsized-media/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/unsized-media/index.html rename to files/en-us/web/http/headers/feature-policy/unsized-media/index.md diff --git a/files/en-us/web/http/headers/feature-policy/usb/index.html b/files/en-us/web/http/headers/feature-policy/usb/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/usb/index.html rename to files/en-us/web/http/headers/feature-policy/usb/index.md diff --git a/files/en-us/web/http/headers/feature-policy/vibrate/index.html b/files/en-us/web/http/headers/feature-policy/vibrate/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/vibrate/index.html rename to files/en-us/web/http/headers/feature-policy/vibrate/index.md diff --git a/files/en-us/web/http/headers/feature-policy/vr/index.html b/files/en-us/web/http/headers/feature-policy/vr/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/vr/index.html rename to files/en-us/web/http/headers/feature-policy/vr/index.md diff --git a/files/en-us/web/http/headers/feature-policy/web-share/index.html b/files/en-us/web/http/headers/feature-policy/web-share/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/web-share/index.html rename to files/en-us/web/http/headers/feature-policy/web-share/index.md diff --git a/files/en-us/web/http/headers/feature-policy/xr-spatial-tracking/index.html b/files/en-us/web/http/headers/feature-policy/xr-spatial-tracking/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/xr-spatial-tracking/index.html rename to files/en-us/web/http/headers/feature-policy/xr-spatial-tracking/index.md diff --git a/files/en-us/web/http/headers/feature-policy/xr/index.html b/files/en-us/web/http/headers/feature-policy/xr/index.md similarity index 100% rename from files/en-us/web/http/headers/feature-policy/xr/index.html rename to files/en-us/web/http/headers/feature-policy/xr/index.md diff --git a/files/en-us/web/http/headers/forwarded/index.html b/files/en-us/web/http/headers/forwarded/index.md similarity index 100% rename from files/en-us/web/http/headers/forwarded/index.html rename to files/en-us/web/http/headers/forwarded/index.md diff --git a/files/en-us/web/http/headers/from/index.html b/files/en-us/web/http/headers/from/index.md similarity index 100% rename from files/en-us/web/http/headers/from/index.html rename to files/en-us/web/http/headers/from/index.md diff --git a/files/en-us/web/http/headers/host/index.html b/files/en-us/web/http/headers/host/index.md similarity index 100% rename from files/en-us/web/http/headers/host/index.html rename to files/en-us/web/http/headers/host/index.md diff --git a/files/en-us/web/http/headers/if-match/index.html b/files/en-us/web/http/headers/if-match/index.md similarity index 100% rename from files/en-us/web/http/headers/if-match/index.html rename to files/en-us/web/http/headers/if-match/index.md diff --git a/files/en-us/web/http/headers/if-modified-since/index.html b/files/en-us/web/http/headers/if-modified-since/index.md similarity index 100% rename from files/en-us/web/http/headers/if-modified-since/index.html rename to files/en-us/web/http/headers/if-modified-since/index.md diff --git a/files/en-us/web/http/headers/if-none-match/index.html b/files/en-us/web/http/headers/if-none-match/index.md similarity index 100% rename from files/en-us/web/http/headers/if-none-match/index.html rename to files/en-us/web/http/headers/if-none-match/index.md diff --git a/files/en-us/web/http/headers/if-range/index.html b/files/en-us/web/http/headers/if-range/index.md similarity index 100% rename from files/en-us/web/http/headers/if-range/index.html rename to files/en-us/web/http/headers/if-range/index.md diff --git a/files/en-us/web/http/headers/if-unmodified-since/index.html b/files/en-us/web/http/headers/if-unmodified-since/index.md similarity index 100% rename from files/en-us/web/http/headers/if-unmodified-since/index.html rename to files/en-us/web/http/headers/if-unmodified-since/index.md diff --git a/files/en-us/web/http/headers/index.html b/files/en-us/web/http/headers/index.md similarity index 100% rename from files/en-us/web/http/headers/index.html rename to files/en-us/web/http/headers/index.md diff --git a/files/en-us/web/http/headers/keep-alive/index.html b/files/en-us/web/http/headers/keep-alive/index.md similarity index 100% rename from files/en-us/web/http/headers/keep-alive/index.html rename to files/en-us/web/http/headers/keep-alive/index.md diff --git a/files/en-us/web/http/headers/large-allocation/index.html b/files/en-us/web/http/headers/large-allocation/index.md similarity index 100% rename from files/en-us/web/http/headers/large-allocation/index.html rename to files/en-us/web/http/headers/large-allocation/index.md diff --git a/files/en-us/web/http/headers/last-modified/index.html b/files/en-us/web/http/headers/last-modified/index.md similarity index 100% rename from files/en-us/web/http/headers/last-modified/index.html rename to files/en-us/web/http/headers/last-modified/index.md diff --git a/files/en-us/web/http/headers/link/index.html b/files/en-us/web/http/headers/link/index.md similarity index 100% rename from files/en-us/web/http/headers/link/index.html rename to files/en-us/web/http/headers/link/index.md diff --git a/files/en-us/web/http/headers/location/index.html b/files/en-us/web/http/headers/location/index.md similarity index 100% rename from files/en-us/web/http/headers/location/index.html rename to files/en-us/web/http/headers/location/index.md diff --git a/files/en-us/web/http/headers/nel/index.html b/files/en-us/web/http/headers/nel/index.md similarity index 100% rename from files/en-us/web/http/headers/nel/index.html rename to files/en-us/web/http/headers/nel/index.md diff --git a/files/en-us/web/http/headers/origin/index.html b/files/en-us/web/http/headers/origin/index.md similarity index 100% rename from files/en-us/web/http/headers/origin/index.html rename to files/en-us/web/http/headers/origin/index.md diff --git a/files/en-us/web/http/headers/pragma/index.html b/files/en-us/web/http/headers/pragma/index.md similarity index 100% rename from files/en-us/web/http/headers/pragma/index.html rename to files/en-us/web/http/headers/pragma/index.md diff --git a/files/en-us/web/http/headers/proxy-authenticate/index.html b/files/en-us/web/http/headers/proxy-authenticate/index.md similarity index 100% rename from files/en-us/web/http/headers/proxy-authenticate/index.html rename to files/en-us/web/http/headers/proxy-authenticate/index.md diff --git a/files/en-us/web/http/headers/proxy-authorization/index.html b/files/en-us/web/http/headers/proxy-authorization/index.md similarity index 100% rename from files/en-us/web/http/headers/proxy-authorization/index.html rename to files/en-us/web/http/headers/proxy-authorization/index.md diff --git a/files/en-us/web/http/headers/public-key-pins-report-only/index.html b/files/en-us/web/http/headers/public-key-pins-report-only/index.md similarity index 100% rename from files/en-us/web/http/headers/public-key-pins-report-only/index.html rename to files/en-us/web/http/headers/public-key-pins-report-only/index.md diff --git a/files/en-us/web/http/headers/public-key-pins/index.html b/files/en-us/web/http/headers/public-key-pins/index.md similarity index 100% rename from files/en-us/web/http/headers/public-key-pins/index.html rename to files/en-us/web/http/headers/public-key-pins/index.md diff --git a/files/en-us/web/http/headers/range/index.html b/files/en-us/web/http/headers/range/index.md similarity index 100% rename from files/en-us/web/http/headers/range/index.html rename to files/en-us/web/http/headers/range/index.md diff --git a/files/en-us/web/http/headers/referer/index.html b/files/en-us/web/http/headers/referer/index.md similarity index 100% rename from files/en-us/web/http/headers/referer/index.html rename to files/en-us/web/http/headers/referer/index.md diff --git a/files/en-us/web/http/headers/referrer-policy/index.html b/files/en-us/web/http/headers/referrer-policy/index.md similarity index 100% rename from files/en-us/web/http/headers/referrer-policy/index.html rename to files/en-us/web/http/headers/referrer-policy/index.md diff --git a/files/en-us/web/http/headers/retry-after/index.html b/files/en-us/web/http/headers/retry-after/index.md similarity index 100% rename from files/en-us/web/http/headers/retry-after/index.html rename to files/en-us/web/http/headers/retry-after/index.md diff --git a/files/en-us/web/http/headers/rtt/index.html b/files/en-us/web/http/headers/rtt/index.md similarity index 100% rename from files/en-us/web/http/headers/rtt/index.html rename to files/en-us/web/http/headers/rtt/index.md diff --git a/files/en-us/web/http/headers/save-data/index.html b/files/en-us/web/http/headers/save-data/index.md similarity index 100% rename from files/en-us/web/http/headers/save-data/index.html rename to files/en-us/web/http/headers/save-data/index.md diff --git a/files/en-us/web/http/headers/sec-fetch-dest/index.html b/files/en-us/web/http/headers/sec-fetch-dest/index.md similarity index 100% rename from files/en-us/web/http/headers/sec-fetch-dest/index.html rename to files/en-us/web/http/headers/sec-fetch-dest/index.md diff --git a/files/en-us/web/http/headers/sec-fetch-mode/index.html b/files/en-us/web/http/headers/sec-fetch-mode/index.md similarity index 100% rename from files/en-us/web/http/headers/sec-fetch-mode/index.html rename to files/en-us/web/http/headers/sec-fetch-mode/index.md diff --git a/files/en-us/web/http/headers/sec-fetch-site/index.html b/files/en-us/web/http/headers/sec-fetch-site/index.md similarity index 100% rename from files/en-us/web/http/headers/sec-fetch-site/index.html rename to files/en-us/web/http/headers/sec-fetch-site/index.md diff --git a/files/en-us/web/http/headers/sec-fetch-user/index.html b/files/en-us/web/http/headers/sec-fetch-user/index.md similarity index 100% rename from files/en-us/web/http/headers/sec-fetch-user/index.html rename to files/en-us/web/http/headers/sec-fetch-user/index.md diff --git a/files/en-us/web/http/headers/sec-websocket-accept/index.html b/files/en-us/web/http/headers/sec-websocket-accept/index.md similarity index 100% rename from files/en-us/web/http/headers/sec-websocket-accept/index.html rename to files/en-us/web/http/headers/sec-websocket-accept/index.md diff --git a/files/en-us/web/http/headers/server-timing/index.html b/files/en-us/web/http/headers/server-timing/index.md similarity index 100% rename from files/en-us/web/http/headers/server-timing/index.html rename to files/en-us/web/http/headers/server-timing/index.md diff --git a/files/en-us/web/http/headers/server/index.html b/files/en-us/web/http/headers/server/index.md similarity index 100% rename from files/en-us/web/http/headers/server/index.html rename to files/en-us/web/http/headers/server/index.md diff --git a/files/en-us/web/http/headers/set-cookie/index.html b/files/en-us/web/http/headers/set-cookie/index.md similarity index 100% rename from files/en-us/web/http/headers/set-cookie/index.html rename to files/en-us/web/http/headers/set-cookie/index.md diff --git a/files/en-us/web/http/headers/set-cookie/samesite/index.html b/files/en-us/web/http/headers/set-cookie/samesite/index.md similarity index 100% rename from files/en-us/web/http/headers/set-cookie/samesite/index.html rename to files/en-us/web/http/headers/set-cookie/samesite/index.md diff --git a/files/en-us/web/http/headers/set-cookie2/index.html b/files/en-us/web/http/headers/set-cookie2/index.md similarity index 100% rename from files/en-us/web/http/headers/set-cookie2/index.html rename to files/en-us/web/http/headers/set-cookie2/index.md diff --git a/files/en-us/web/http/headers/sourcemap/index.html b/files/en-us/web/http/headers/sourcemap/index.md similarity index 100% rename from files/en-us/web/http/headers/sourcemap/index.html rename to files/en-us/web/http/headers/sourcemap/index.md diff --git a/files/en-us/web/http/headers/strict-transport-security/index.html b/files/en-us/web/http/headers/strict-transport-security/index.md similarity index 100% rename from files/en-us/web/http/headers/strict-transport-security/index.html rename to files/en-us/web/http/headers/strict-transport-security/index.md diff --git a/files/en-us/web/http/headers/te/index.html b/files/en-us/web/http/headers/te/index.md similarity index 100% rename from files/en-us/web/http/headers/te/index.html rename to files/en-us/web/http/headers/te/index.md diff --git a/files/en-us/web/http/headers/timing-allow-origin/index.html b/files/en-us/web/http/headers/timing-allow-origin/index.md similarity index 100% rename from files/en-us/web/http/headers/timing-allow-origin/index.html rename to files/en-us/web/http/headers/timing-allow-origin/index.md diff --git a/files/en-us/web/http/headers/tk/index.html b/files/en-us/web/http/headers/tk/index.md similarity index 100% rename from files/en-us/web/http/headers/tk/index.html rename to files/en-us/web/http/headers/tk/index.md diff --git a/files/en-us/web/http/headers/trailer/index.html b/files/en-us/web/http/headers/trailer/index.md similarity index 100% rename from files/en-us/web/http/headers/trailer/index.html rename to files/en-us/web/http/headers/trailer/index.md diff --git a/files/en-us/web/http/headers/transfer-encoding/index.html b/files/en-us/web/http/headers/transfer-encoding/index.md similarity index 100% rename from files/en-us/web/http/headers/transfer-encoding/index.html rename to files/en-us/web/http/headers/transfer-encoding/index.md diff --git a/files/en-us/web/http/headers/upgrade-insecure-requests/index.html b/files/en-us/web/http/headers/upgrade-insecure-requests/index.md similarity index 100% rename from files/en-us/web/http/headers/upgrade-insecure-requests/index.html rename to files/en-us/web/http/headers/upgrade-insecure-requests/index.md diff --git a/files/en-us/web/http/headers/upgrade/index.html b/files/en-us/web/http/headers/upgrade/index.md similarity index 100% rename from files/en-us/web/http/headers/upgrade/index.html rename to files/en-us/web/http/headers/upgrade/index.md diff --git a/files/en-us/web/http/headers/user-agent/firefox/index.html b/files/en-us/web/http/headers/user-agent/firefox/index.md similarity index 100% rename from files/en-us/web/http/headers/user-agent/firefox/index.html rename to files/en-us/web/http/headers/user-agent/firefox/index.md diff --git a/files/en-us/web/http/headers/user-agent/index.html b/files/en-us/web/http/headers/user-agent/index.md similarity index 100% rename from files/en-us/web/http/headers/user-agent/index.html rename to files/en-us/web/http/headers/user-agent/index.md diff --git a/files/en-us/web/http/headers/vary/index.html b/files/en-us/web/http/headers/vary/index.md similarity index 100% rename from files/en-us/web/http/headers/vary/index.html rename to files/en-us/web/http/headers/vary/index.md diff --git a/files/en-us/web/http/headers/via/index.html b/files/en-us/web/http/headers/via/index.md similarity index 100% rename from files/en-us/web/http/headers/via/index.html rename to files/en-us/web/http/headers/via/index.md diff --git a/files/en-us/web/http/headers/viewport-width/index.html b/files/en-us/web/http/headers/viewport-width/index.md similarity index 100% rename from files/en-us/web/http/headers/viewport-width/index.html rename to files/en-us/web/http/headers/viewport-width/index.md diff --git a/files/en-us/web/http/headers/want-digest/index.html b/files/en-us/web/http/headers/want-digest/index.md similarity index 100% rename from files/en-us/web/http/headers/want-digest/index.html rename to files/en-us/web/http/headers/want-digest/index.md diff --git a/files/en-us/web/http/headers/warning/index.html b/files/en-us/web/http/headers/warning/index.md similarity index 100% rename from files/en-us/web/http/headers/warning/index.html rename to files/en-us/web/http/headers/warning/index.md diff --git a/files/en-us/web/http/headers/width/index.html b/files/en-us/web/http/headers/width/index.md similarity index 100% rename from files/en-us/web/http/headers/width/index.html rename to files/en-us/web/http/headers/width/index.md diff --git a/files/en-us/web/http/headers/www-authenticate/index.html b/files/en-us/web/http/headers/www-authenticate/index.md similarity index 100% rename from files/en-us/web/http/headers/www-authenticate/index.html rename to files/en-us/web/http/headers/www-authenticate/index.md diff --git a/files/en-us/web/http/headers/x-content-type-options/index.html b/files/en-us/web/http/headers/x-content-type-options/index.md similarity index 100% rename from files/en-us/web/http/headers/x-content-type-options/index.html rename to files/en-us/web/http/headers/x-content-type-options/index.md diff --git a/files/en-us/web/http/headers/x-dns-prefetch-control/index.html b/files/en-us/web/http/headers/x-dns-prefetch-control/index.md similarity index 100% rename from files/en-us/web/http/headers/x-dns-prefetch-control/index.html rename to files/en-us/web/http/headers/x-dns-prefetch-control/index.md diff --git a/files/en-us/web/http/headers/x-forwarded-for/index.html b/files/en-us/web/http/headers/x-forwarded-for/index.md similarity index 100% rename from files/en-us/web/http/headers/x-forwarded-for/index.html rename to files/en-us/web/http/headers/x-forwarded-for/index.md diff --git a/files/en-us/web/http/headers/x-forwarded-host/index.html b/files/en-us/web/http/headers/x-forwarded-host/index.md similarity index 100% rename from files/en-us/web/http/headers/x-forwarded-host/index.html rename to files/en-us/web/http/headers/x-forwarded-host/index.md diff --git a/files/en-us/web/http/headers/x-forwarded-proto/index.html b/files/en-us/web/http/headers/x-forwarded-proto/index.md similarity index 100% rename from files/en-us/web/http/headers/x-forwarded-proto/index.html rename to files/en-us/web/http/headers/x-forwarded-proto/index.md diff --git a/files/en-us/web/http/headers/x-frame-options/index.html b/files/en-us/web/http/headers/x-frame-options/index.md similarity index 100% rename from files/en-us/web/http/headers/x-frame-options/index.html rename to files/en-us/web/http/headers/x-frame-options/index.md diff --git a/files/en-us/web/http/headers/x-xss-protection/index.html b/files/en-us/web/http/headers/x-xss-protection/index.md similarity index 100% rename from files/en-us/web/http/headers/x-xss-protection/index.html rename to files/en-us/web/http/headers/x-xss-protection/index.md diff --git a/files/en-us/web/http/index.html b/files/en-us/web/http/index.md similarity index 100% rename from files/en-us/web/http/index.html rename to files/en-us/web/http/index.md diff --git a/files/en-us/web/http/index/index.html b/files/en-us/web/http/index/index.md similarity index 100% rename from files/en-us/web/http/index/index.html rename to files/en-us/web/http/index/index.md diff --git a/files/en-us/web/http/link_prefetching_faq/index.html b/files/en-us/web/http/link_prefetching_faq/index.md similarity index 100% rename from files/en-us/web/http/link_prefetching_faq/index.html rename to files/en-us/web/http/link_prefetching_faq/index.md diff --git a/files/en-us/web/http/messages/index.html b/files/en-us/web/http/messages/index.md similarity index 100% rename from files/en-us/web/http/messages/index.html rename to files/en-us/web/http/messages/index.md diff --git a/files/en-us/web/http/methods/connect/index.html b/files/en-us/web/http/methods/connect/index.md similarity index 100% rename from files/en-us/web/http/methods/connect/index.html rename to files/en-us/web/http/methods/connect/index.md diff --git a/files/en-us/web/http/methods/delete/index.html b/files/en-us/web/http/methods/delete/index.md similarity index 100% rename from files/en-us/web/http/methods/delete/index.html rename to files/en-us/web/http/methods/delete/index.md diff --git a/files/en-us/web/http/methods/get/index.html b/files/en-us/web/http/methods/get/index.md similarity index 100% rename from files/en-us/web/http/methods/get/index.html rename to files/en-us/web/http/methods/get/index.md diff --git a/files/en-us/web/http/methods/head/index.html b/files/en-us/web/http/methods/head/index.md similarity index 100% rename from files/en-us/web/http/methods/head/index.html rename to files/en-us/web/http/methods/head/index.md diff --git a/files/en-us/web/http/methods/index.html b/files/en-us/web/http/methods/index.md similarity index 100% rename from files/en-us/web/http/methods/index.html rename to files/en-us/web/http/methods/index.md diff --git a/files/en-us/web/http/methods/options/index.html b/files/en-us/web/http/methods/options/index.md similarity index 100% rename from files/en-us/web/http/methods/options/index.html rename to files/en-us/web/http/methods/options/index.md diff --git a/files/en-us/web/http/methods/patch/index.html b/files/en-us/web/http/methods/patch/index.md similarity index 100% rename from files/en-us/web/http/methods/patch/index.html rename to files/en-us/web/http/methods/patch/index.md diff --git a/files/en-us/web/http/methods/post/index.html b/files/en-us/web/http/methods/post/index.md similarity index 100% rename from files/en-us/web/http/methods/post/index.html rename to files/en-us/web/http/methods/post/index.md diff --git a/files/en-us/web/http/methods/put/index.html b/files/en-us/web/http/methods/put/index.md similarity index 100% rename from files/en-us/web/http/methods/put/index.html rename to files/en-us/web/http/methods/put/index.md diff --git a/files/en-us/web/http/methods/trace/index.html b/files/en-us/web/http/methods/trace/index.md similarity index 100% rename from files/en-us/web/http/methods/trace/index.html rename to files/en-us/web/http/methods/trace/index.md diff --git a/files/en-us/web/http/network_error_logging/index.html b/files/en-us/web/http/network_error_logging/index.md similarity index 100% rename from files/en-us/web/http/network_error_logging/index.html rename to files/en-us/web/http/network_error_logging/index.md diff --git a/files/en-us/web/http/overview/index.html b/files/en-us/web/http/overview/index.md similarity index 100% rename from files/en-us/web/http/overview/index.html rename to files/en-us/web/http/overview/index.md diff --git a/files/en-us/web/http/protocol_upgrade_mechanism/index.html b/files/en-us/web/http/protocol_upgrade_mechanism/index.md similarity index 100% rename from files/en-us/web/http/protocol_upgrade_mechanism/index.html rename to files/en-us/web/http/protocol_upgrade_mechanism/index.md diff --git a/files/en-us/web/http/proxy_servers_and_tunneling/index.html b/files/en-us/web/http/proxy_servers_and_tunneling/index.md similarity index 100% rename from files/en-us/web/http/proxy_servers_and_tunneling/index.html rename to files/en-us/web/http/proxy_servers_and_tunneling/index.md diff --git a/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.html b/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md similarity index 100% rename from files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.html rename to files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md diff --git a/files/en-us/web/http/public_key_pinning/index.html b/files/en-us/web/http/public_key_pinning/index.md similarity index 100% rename from files/en-us/web/http/public_key_pinning/index.html rename to files/en-us/web/http/public_key_pinning/index.md diff --git a/files/en-us/web/http/range_requests/index.html b/files/en-us/web/http/range_requests/index.md similarity index 100% rename from files/en-us/web/http/range_requests/index.html rename to files/en-us/web/http/range_requests/index.md diff --git a/files/en-us/web/http/redirections/index.html b/files/en-us/web/http/redirections/index.md similarity index 100% rename from files/en-us/web/http/redirections/index.html rename to files/en-us/web/http/redirections/index.md diff --git a/files/en-us/web/http/resources_and_specifications/index.html b/files/en-us/web/http/resources_and_specifications/index.md similarity index 100% rename from files/en-us/web/http/resources_and_specifications/index.html rename to files/en-us/web/http/resources_and_specifications/index.md diff --git a/files/en-us/web/http/resources_and_uris/index.html b/files/en-us/web/http/resources_and_uris/index.md similarity index 100% rename from files/en-us/web/http/resources_and_uris/index.html rename to files/en-us/web/http/resources_and_uris/index.md diff --git a/files/en-us/web/http/session/index.html b/files/en-us/web/http/session/index.md similarity index 100% rename from files/en-us/web/http/session/index.html rename to files/en-us/web/http/session/index.md diff --git a/files/en-us/web/http/status/100/index.html b/files/en-us/web/http/status/100/index.md similarity index 100% rename from files/en-us/web/http/status/100/index.html rename to files/en-us/web/http/status/100/index.md diff --git a/files/en-us/web/http/status/101/index.html b/files/en-us/web/http/status/101/index.md similarity index 100% rename from files/en-us/web/http/status/101/index.html rename to files/en-us/web/http/status/101/index.md diff --git a/files/en-us/web/http/status/103/index.html b/files/en-us/web/http/status/103/index.md similarity index 100% rename from files/en-us/web/http/status/103/index.html rename to files/en-us/web/http/status/103/index.md diff --git a/files/en-us/web/http/status/200/index.html b/files/en-us/web/http/status/200/index.md similarity index 100% rename from files/en-us/web/http/status/200/index.html rename to files/en-us/web/http/status/200/index.md diff --git a/files/en-us/web/http/status/201/index.html b/files/en-us/web/http/status/201/index.md similarity index 100% rename from files/en-us/web/http/status/201/index.html rename to files/en-us/web/http/status/201/index.md diff --git a/files/en-us/web/http/status/202/index.html b/files/en-us/web/http/status/202/index.md similarity index 100% rename from files/en-us/web/http/status/202/index.html rename to files/en-us/web/http/status/202/index.md diff --git a/files/en-us/web/http/status/203/index.html b/files/en-us/web/http/status/203/index.md similarity index 100% rename from files/en-us/web/http/status/203/index.html rename to files/en-us/web/http/status/203/index.md diff --git a/files/en-us/web/http/status/204/index.html b/files/en-us/web/http/status/204/index.md similarity index 100% rename from files/en-us/web/http/status/204/index.html rename to files/en-us/web/http/status/204/index.md diff --git a/files/en-us/web/http/status/205/index.html b/files/en-us/web/http/status/205/index.md similarity index 100% rename from files/en-us/web/http/status/205/index.html rename to files/en-us/web/http/status/205/index.md diff --git a/files/en-us/web/http/status/206/index.html b/files/en-us/web/http/status/206/index.md similarity index 100% rename from files/en-us/web/http/status/206/index.html rename to files/en-us/web/http/status/206/index.md diff --git a/files/en-us/web/http/status/300/index.html b/files/en-us/web/http/status/300/index.md similarity index 100% rename from files/en-us/web/http/status/300/index.html rename to files/en-us/web/http/status/300/index.md diff --git a/files/en-us/web/http/status/301/index.html b/files/en-us/web/http/status/301/index.md similarity index 100% rename from files/en-us/web/http/status/301/index.html rename to files/en-us/web/http/status/301/index.md diff --git a/files/en-us/web/http/status/302/index.html b/files/en-us/web/http/status/302/index.md similarity index 100% rename from files/en-us/web/http/status/302/index.html rename to files/en-us/web/http/status/302/index.md diff --git a/files/en-us/web/http/status/303/index.html b/files/en-us/web/http/status/303/index.md similarity index 100% rename from files/en-us/web/http/status/303/index.html rename to files/en-us/web/http/status/303/index.md diff --git a/files/en-us/web/http/status/304/index.html b/files/en-us/web/http/status/304/index.md similarity index 100% rename from files/en-us/web/http/status/304/index.html rename to files/en-us/web/http/status/304/index.md diff --git a/files/en-us/web/http/status/307/index.html b/files/en-us/web/http/status/307/index.md similarity index 100% rename from files/en-us/web/http/status/307/index.html rename to files/en-us/web/http/status/307/index.md diff --git a/files/en-us/web/http/status/308/index.html b/files/en-us/web/http/status/308/index.md similarity index 100% rename from files/en-us/web/http/status/308/index.html rename to files/en-us/web/http/status/308/index.md diff --git a/files/en-us/web/http/status/400/index.html b/files/en-us/web/http/status/400/index.md similarity index 100% rename from files/en-us/web/http/status/400/index.html rename to files/en-us/web/http/status/400/index.md diff --git a/files/en-us/web/http/status/401/index.html b/files/en-us/web/http/status/401/index.md similarity index 100% rename from files/en-us/web/http/status/401/index.html rename to files/en-us/web/http/status/401/index.md diff --git a/files/en-us/web/http/status/402/index.html b/files/en-us/web/http/status/402/index.md similarity index 100% rename from files/en-us/web/http/status/402/index.html rename to files/en-us/web/http/status/402/index.md diff --git a/files/en-us/web/http/status/403/index.html b/files/en-us/web/http/status/403/index.md similarity index 100% rename from files/en-us/web/http/status/403/index.html rename to files/en-us/web/http/status/403/index.md diff --git a/files/en-us/web/http/status/404/index.html b/files/en-us/web/http/status/404/index.md similarity index 100% rename from files/en-us/web/http/status/404/index.html rename to files/en-us/web/http/status/404/index.md diff --git a/files/en-us/web/http/status/405/index.html b/files/en-us/web/http/status/405/index.md similarity index 100% rename from files/en-us/web/http/status/405/index.html rename to files/en-us/web/http/status/405/index.md diff --git a/files/en-us/web/http/status/406/index.html b/files/en-us/web/http/status/406/index.md similarity index 100% rename from files/en-us/web/http/status/406/index.html rename to files/en-us/web/http/status/406/index.md diff --git a/files/en-us/web/http/status/407/index.html b/files/en-us/web/http/status/407/index.md similarity index 100% rename from files/en-us/web/http/status/407/index.html rename to files/en-us/web/http/status/407/index.md diff --git a/files/en-us/web/http/status/408/index.html b/files/en-us/web/http/status/408/index.md similarity index 100% rename from files/en-us/web/http/status/408/index.html rename to files/en-us/web/http/status/408/index.md diff --git a/files/en-us/web/http/status/409/index.html b/files/en-us/web/http/status/409/index.md similarity index 100% rename from files/en-us/web/http/status/409/index.html rename to files/en-us/web/http/status/409/index.md diff --git a/files/en-us/web/http/status/410/index.html b/files/en-us/web/http/status/410/index.md similarity index 100% rename from files/en-us/web/http/status/410/index.html rename to files/en-us/web/http/status/410/index.md diff --git a/files/en-us/web/http/status/411/index.html b/files/en-us/web/http/status/411/index.md similarity index 100% rename from files/en-us/web/http/status/411/index.html rename to files/en-us/web/http/status/411/index.md diff --git a/files/en-us/web/http/status/412/index.html b/files/en-us/web/http/status/412/index.md similarity index 100% rename from files/en-us/web/http/status/412/index.html rename to files/en-us/web/http/status/412/index.md diff --git a/files/en-us/web/http/status/413/index.html b/files/en-us/web/http/status/413/index.md similarity index 100% rename from files/en-us/web/http/status/413/index.html rename to files/en-us/web/http/status/413/index.md diff --git a/files/en-us/web/http/status/414/index.html b/files/en-us/web/http/status/414/index.md similarity index 100% rename from files/en-us/web/http/status/414/index.html rename to files/en-us/web/http/status/414/index.md diff --git a/files/en-us/web/http/status/415/index.html b/files/en-us/web/http/status/415/index.md similarity index 100% rename from files/en-us/web/http/status/415/index.html rename to files/en-us/web/http/status/415/index.md diff --git a/files/en-us/web/http/status/416/index.html b/files/en-us/web/http/status/416/index.md similarity index 100% rename from files/en-us/web/http/status/416/index.html rename to files/en-us/web/http/status/416/index.md diff --git a/files/en-us/web/http/status/417/index.html b/files/en-us/web/http/status/417/index.md similarity index 100% rename from files/en-us/web/http/status/417/index.html rename to files/en-us/web/http/status/417/index.md diff --git a/files/en-us/web/http/status/418/index.html b/files/en-us/web/http/status/418/index.md similarity index 100% rename from files/en-us/web/http/status/418/index.html rename to files/en-us/web/http/status/418/index.md diff --git a/files/en-us/web/http/status/422/index.html b/files/en-us/web/http/status/422/index.md similarity index 100% rename from files/en-us/web/http/status/422/index.html rename to files/en-us/web/http/status/422/index.md diff --git a/files/en-us/web/http/status/425/index.html b/files/en-us/web/http/status/425/index.md similarity index 100% rename from files/en-us/web/http/status/425/index.html rename to files/en-us/web/http/status/425/index.md diff --git a/files/en-us/web/http/status/426/index.html b/files/en-us/web/http/status/426/index.md similarity index 100% rename from files/en-us/web/http/status/426/index.html rename to files/en-us/web/http/status/426/index.md diff --git a/files/en-us/web/http/status/428/index.html b/files/en-us/web/http/status/428/index.md similarity index 100% rename from files/en-us/web/http/status/428/index.html rename to files/en-us/web/http/status/428/index.md diff --git a/files/en-us/web/http/status/429/index.html b/files/en-us/web/http/status/429/index.md similarity index 100% rename from files/en-us/web/http/status/429/index.html rename to files/en-us/web/http/status/429/index.md diff --git a/files/en-us/web/http/status/431/index.html b/files/en-us/web/http/status/431/index.md similarity index 100% rename from files/en-us/web/http/status/431/index.html rename to files/en-us/web/http/status/431/index.md diff --git a/files/en-us/web/http/status/451/index.html b/files/en-us/web/http/status/451/index.md similarity index 100% rename from files/en-us/web/http/status/451/index.html rename to files/en-us/web/http/status/451/index.md diff --git a/files/en-us/web/http/status/500/index.html b/files/en-us/web/http/status/500/index.md similarity index 100% rename from files/en-us/web/http/status/500/index.html rename to files/en-us/web/http/status/500/index.md diff --git a/files/en-us/web/http/status/501/index.html b/files/en-us/web/http/status/501/index.md similarity index 100% rename from files/en-us/web/http/status/501/index.html rename to files/en-us/web/http/status/501/index.md diff --git a/files/en-us/web/http/status/502/index.html b/files/en-us/web/http/status/502/index.md similarity index 100% rename from files/en-us/web/http/status/502/index.html rename to files/en-us/web/http/status/502/index.md diff --git a/files/en-us/web/http/status/503/index.html b/files/en-us/web/http/status/503/index.md similarity index 100% rename from files/en-us/web/http/status/503/index.html rename to files/en-us/web/http/status/503/index.md diff --git a/files/en-us/web/http/status/504/index.html b/files/en-us/web/http/status/504/index.md similarity index 100% rename from files/en-us/web/http/status/504/index.html rename to files/en-us/web/http/status/504/index.md diff --git a/files/en-us/web/http/status/505/index.html b/files/en-us/web/http/status/505/index.md similarity index 100% rename from files/en-us/web/http/status/505/index.html rename to files/en-us/web/http/status/505/index.md diff --git a/files/en-us/web/http/status/506/index.html b/files/en-us/web/http/status/506/index.md similarity index 100% rename from files/en-us/web/http/status/506/index.html rename to files/en-us/web/http/status/506/index.md diff --git a/files/en-us/web/http/status/507/index.html b/files/en-us/web/http/status/507/index.md similarity index 100% rename from files/en-us/web/http/status/507/index.html rename to files/en-us/web/http/status/507/index.md diff --git a/files/en-us/web/http/status/508/index.html b/files/en-us/web/http/status/508/index.md similarity index 100% rename from files/en-us/web/http/status/508/index.html rename to files/en-us/web/http/status/508/index.md diff --git a/files/en-us/web/http/status/510/index.html b/files/en-us/web/http/status/510/index.md similarity index 100% rename from files/en-us/web/http/status/510/index.html rename to files/en-us/web/http/status/510/index.md diff --git a/files/en-us/web/http/status/511/index.html b/files/en-us/web/http/status/511/index.md similarity index 100% rename from files/en-us/web/http/status/511/index.html rename to files/en-us/web/http/status/511/index.md diff --git a/files/en-us/web/http/status/index.html b/files/en-us/web/http/status/index.md similarity index 100% rename from files/en-us/web/http/status/index.html rename to files/en-us/web/http/status/index.md From d18574b42a37a2cc6066e89036ccab58b142cdfb Mon Sep 17 00:00:00 2001 From: Jean-Yves Perrier Date: Thu, 12 Aug 2021 12:28:36 +0200 Subject: [PATCH 2/9] Convert HTTP docs to markdown --- files/en-us/web/http/authentication/index.md | 169 ++-- .../index.md | 64 +- .../http/basics_of_http/data_uris/index.md | 181 ++-- .../basics_of_http/evolution_of_http/index.md | 262 +++-- .../identifying_resources_on_the_web/index.md | 274 ++--- files/en-us/web/http/basics_of_http/index.md | 64 +- .../mime_types/common_types/index.md | 468 ++------- .../http/basics_of_http/mime_types/index.md | 913 ++++++++--------- .../basics_of_http/resource_urls/index.md | 133 ++- .../index.md | 535 ++++------ files/en-us/web/http/caching/index.md | 198 ++-- files/en-us/web/http/compression/index.md | 66 +- .../web/http/conditional_requests/index.md | 152 ++- .../index.md | 129 ++- .../index.md | 86 +- .../web/http/content_negotiation/index.md | 139 +-- .../list_of_default_accept_values/index.md | 328 ++---- files/en-us/web/http/cookies/index.md | 273 +++-- .../corsalloworiginnotmatchingorigin/index.md | 77 +- .../cors/errors/corsdidnotsucceed/index.md | 75 +- .../http/cors/errors/corsdisabled/index.md | 66 +- .../corsexternalredirectnotallowed/index.md | 63 +- .../errors/corsinvalidallowheader/index.md | 68 +- .../errors/corsinvalidallowmethod/index.md | 71 +- .../cors/errors/corsmethodnotfound/index.md | 73 +- .../corsmissingallowcredentials/index.md | 77 +- .../index.md | 26 +- .../errors/corsmissingalloworigin/index.md | 112 +-- .../index.md | 59 +- .../corsnotsupportingcredentials/index.md | 34 +- .../errors/corsoriginheadernotadded/index.md | 52 +- .../corspreflightdidnotsucceed/index.md | 58 +- .../cors/errors/corsrequestnothttp/index.md | 80 +- files/en-us/web/http/cors/errors/index.md | 82 +- files/en-us/web/http/cors/index.md | 621 ++++++------ .../index.md | 85 +- .../web/http/csp/errors/cspviolation/index.md | 92 +- files/en-us/web/http/csp/errors/index.md | 80 +- files/en-us/web/http/csp/index.md | 477 ++++----- files/en-us/web/http/feature_policy/index.md | 201 ++-- .../using_feature_policy/index.md | 180 ++-- .../http/headers/accept-ch-lifetime/index.md | 75 +- .../en-us/web/http/headers/accept-ch/index.md | 53 +- .../web/http/headers/accept-charset/index.md | 42 +- .../web/http/headers/accept-encoding/index.md | 110 +-- .../web/http/headers/accept-language/index.md | 134 +-- .../web/http/headers/accept-patch/index.md | 92 +- .../web/http/headers/accept-post/index.md | 90 +- .../web/http/headers/accept-ranges/index.md | 98 +- files/en-us/web/http/headers/accept/index.md | 98 +- .../access-control-allow-credentials/index.md | 118 +-- .../access-control-allow-headers/index.md | 125 ++- .../access-control-allow-methods/index.md | 68 +- .../access-control-allow-origin/index.md | 94 +- .../access-control-expose-headers/index.md | 79 +- .../headers/access-control-max-age/index.md | 69 +- .../access-control-request-headers/index.md | 55 +- .../access-control-request-method/index.md | 52 +- files/en-us/web/http/headers/age/index.md | 59 +- files/en-us/web/http/headers/allow/index.md | 70 +- files/en-us/web/http/headers/alt-svc/index.md | 91 +- .../web/http/headers/authorization/index.md | 118 +-- .../web/http/headers/cache-control/index.md | 254 +++-- .../web/http/headers/clear-site-data/index.md | 117 ++- .../web/http/headers/connection/index.md | 80 +- .../http/headers/content-disposition/index.md | 164 ++- .../web/http/headers/content-dpr/index.md | 97 +- .../http/headers/content-encoding/index.md | 91 +- .../http/headers/content-language/index.md | 111 ++- .../web/http/headers/content-length/index.md | 41 +- .../http/headers/content-location/index.md | 205 ++-- .../web/http/headers/content-range/index.md | 84 +- .../index.md | 152 +-- .../content-security-policy/base-uri/index.md | 99 +- .../block-all-mixed-content/index.md | 45 +- .../child-src/index.md | 89 +- .../connect-src/index.md | 109 +- .../default-src/index.md | 209 ++-- .../content-security-policy/font-src/index.md | 77 +- .../form-action/index.md | 105 +- .../frame-ancestors/index.md | 133 ++- .../frame-src/index.md | 82 +- .../content-security-policy/img-src/index.md | 78 +- .../headers/content-security-policy/index.md | 546 +++++----- .../manifest-src/index.md | 82 +- .../media-src/index.md | 85 +- .../navigate-to/index.md | 109 +- .../object-src/index.md | 104 +- .../plugin-types/index.md | 109 +- .../prefetch-src/index.md | 73 +- .../content-security-policy/referrer/index.md | 99 +- .../report-to/index.md | 100 +- .../report-uri/index.md | 166 ++-- .../require-sri-for/index.md | 81 +- .../require-trusted-types-for/index.md | 52 +- .../content-security-policy/sandbox/index.md | 133 +-- .../script-src-attr/index.md | 146 ++- .../script-src-elem/index.md | 158 ++- .../script-src/index.md | 252 +++-- .../style-src-attr/index.md | 97 +- .../style-src-elem/index.md | 99 +- .../style-src/index.md | 200 ++-- .../trusted-types/index.md | 60 +- .../upgrade-insecure-requests/index.md | 152 +-- .../worker-src/index.md | 76 +- .../web/http/headers/content-type/index.md | 141 +-- files/en-us/web/http/headers/cookie/index.md | 58 +- files/en-us/web/http/headers/cookie2/index.md | 57 +- .../cross-origin-embedder-policy/index.md | 86 +- .../cross-origin-opener-policy/index.md | 84 +- .../cross-origin-resource-policy/index.md | 77 +- files/en-us/web/http/headers/date/index.md | 149 ++- .../web/http/headers/device-memory/index.md | 100 +- files/en-us/web/http/headers/digest/index.md | 108 +- files/en-us/web/http/headers/dnt/index.md | 92 +- .../en-us/web/http/headers/downlink/index.md | 88 +- files/en-us/web/http/headers/dpr/index.md | 102 +- .../web/http/headers/early-data/index.md | 36 +- files/en-us/web/http/headers/ect/index.md | 87 +- files/en-us/web/http/headers/etag/index.md | 135 ++- .../en-us/web/http/headers/expect-ct/index.md | 124 +-- files/en-us/web/http/headers/expect/index.md | 96 +- files/en-us/web/http/headers/expires/index.md | 65 +- .../feature-policy/accelerometer/index.md | 37 +- .../ambient-light-sensor/index.md | 37 +- .../headers/feature-policy/autoplay/index.md | 58 +- .../headers/feature-policy/battery/index.md | 43 +- .../headers/feature-policy/camera/index.md | 44 +- .../feature-policy/display-capture/index.md | 43 +- .../feature-policy/document-domain/index.md | 60 +- .../feature-policy/encrypted-media/index.md | 36 +- .../feature-policy/fullscreen/index.md | 69 +- .../headers/feature-policy/gamepad/index.md | 71 +- .../feature-policy/geolocation/index.md | 94 +- .../headers/feature-policy/gyroscope/index.md | 36 +- .../web/http/headers/feature-policy/index.md | 288 +++--- .../feature-policy/layout-animations/index.md | 32 +- .../legacy-image-formats/index.md | 32 +- .../feature-policy/magnetometer/index.md | 37 +- .../feature-policy/microphone/index.md | 59 +- .../http/headers/feature-policy/midi/index.md | 36 +- .../feature-policy/oversized-images/index.md | 32 +- .../headers/feature-policy/payment/index.md | 59 +- .../picture-in-picture/index.md | 53 +- .../publickey-credentials-get/index.md | 42 +- .../feature-policy/screen-wake-lock/index.md | 67 +- .../headers/feature-policy/sync-xhr/index.md | 30 +- .../unoptimized-images/index.md | 32 +- .../feature-policy/unsized-media/index.md | 36 +- .../http/headers/feature-policy/usb/index.md | 34 +- .../headers/feature-policy/vibrate/index.md | 57 +- .../http/headers/feature-policy/vr/index.md | 69 +- .../headers/feature-policy/web-share/index.md | 38 +- .../xr-spatial-tracking/index.md | 40 +- .../http/headers/feature-policy/xr/index.md | 5 +- .../en-us/web/http/headers/forwarded/index.md | 123 ++- files/en-us/web/http/headers/from/index.md | 55 +- files/en-us/web/http/headers/host/index.md | 59 +- .../en-us/web/http/headers/if-match/index.md | 121 ++- .../http/headers/if-modified-since/index.md | 121 ++- .../web/http/headers/if-none-match/index.md | 91 +- .../en-us/web/http/headers/if-range/index.md | 135 ++- .../http/headers/if-unmodified-since/index.md | 133 ++- files/en-us/web/http/headers/index.md | 831 ++++++++-------- .../web/http/headers/keep-alive/index.md | 96 +- .../http/headers/large-allocation/index.md | 157 ++- .../web/http/headers/last-modified/index.md | 95 +- files/en-us/web/http/headers/link/index.md | 50 +- .../en-us/web/http/headers/location/index.md | 106 +- files/en-us/web/http/headers/nel/index.md | 41 +- files/en-us/web/http/headers/origin/index.md | 85 +- files/en-us/web/http/headers/pragma/index.md | 71 +- .../http/headers/proxy-authenticate/index.md | 70 +- .../http/headers/proxy-authorization/index.md | 82 +- .../public-key-pins-report-only/index.md | 135 ++- .../web/http/headers/public-key-pins/index.md | 151 ++- files/en-us/web/http/headers/range/index.md | 90 +- files/en-us/web/http/headers/referer/index.md | 78 +- .../web/http/headers/referrer-policy/index.md | 408 +++----- .../web/http/headers/retry-after/index.md | 101 +- files/en-us/web/http/headers/rtt/index.md | 87 +- .../en-us/web/http/headers/save-data/index.md | 163 ++- .../web/http/headers/sec-fetch-dest/index.md | 244 +++-- .../web/http/headers/sec-fetch-mode/index.md | 128 ++- .../web/http/headers/sec-fetch-site/index.md | 122 ++- .../web/http/headers/sec-fetch-user/index.md | 87 +- .../headers/sec-websocket-accept/index.md | 48 +- .../web/http/headers/server-timing/index.md | 75 +- files/en-us/web/http/headers/server/index.md | 65 +- .../web/http/headers/set-cookie/index.md | 436 ++++---- .../http/headers/set-cookie/samesite/index.md | 162 ++- .../web/http/headers/set-cookie2/index.md | 77 +- .../en-us/web/http/headers/sourcemap/index.md | 72 +- .../strict-transport-security/index.md | 262 +++-- files/en-us/web/http/headers/te/index.md | 97 +- .../http/headers/timing-allow-origin/index.md | 71 +- files/en-us/web/http/headers/tk/index.md | 100 +- files/en-us/web/http/headers/trailer/index.md | 135 ++- .../http/headers/transfer-encoding/index.md | 158 ++- .../upgrade-insecure-requests/index.md | 60 +- files/en-us/web/http/headers/upgrade/index.md | 133 ++- .../http/headers/user-agent/firefox/index.md | 680 +++++-------- .../web/http/headers/user-agent/index.md | 163 ++- files/en-us/web/http/headers/vary/index.md | 95 +- files/en-us/web/http/headers/via/index.md | 67 +- .../web/http/headers/viewport-width/index.md | 95 +- .../web/http/headers/want-digest/index.md | 172 ++-- files/en-us/web/http/headers/warning/index.md | 178 ++-- files/en-us/web/http/headers/width/index.md | 96 +- .../http/headers/www-authenticate/index.md | 78 +- .../headers/x-content-type-options/index.md | 130 ++- .../headers/x-dns-prefetch-control/index.md | 153 ++- .../web/http/headers/x-forwarded-for/index.md | 98 +- .../http/headers/x-forwarded-host/index.md | 79 +- .../http/headers/x-forwarded-proto/index.md | 81 +- .../web/http/headers/x-frame-options/index.md | 153 ++- .../http/headers/x-xss-protection/index.md | 115 ++- files/en-us/web/http/index.md | 92 +- files/en-us/web/http/index/index.md | 6 +- .../web/http/link_prefetching_faq/index.md | 114 +-- files/en-us/web/http/messages/index.md | 162 ++- files/en-us/web/http/methods/connect/index.md | 60 +- files/en-us/web/http/methods/delete/index.md | 74 +- files/en-us/web/http/methods/get/index.md | 31 +- files/en-us/web/http/methods/head/index.md | 33 +- files/en-us/web/http/methods/index.md | 95 +- files/en-us/web/http/methods/options/index.md | 148 +-- files/en-us/web/http/methods/patch/index.md | 84 +- files/en-us/web/http/methods/post/index.md | 94 +- files/en-us/web/http/methods/put/index.md | 60 +- files/en-us/web/http/methods/trace/index.md | 25 +- .../web/http/network_error_logging/index.md | 179 ++-- files/en-us/web/http/overview/index.md | 208 ++-- .../http/protocol_upgrade_mechanism/index.md | 172 ++-- .../http/proxy_servers_and_tunneling/index.md | 102 +- .../index.md | 934 +++++++++--------- .../web/http/public_key_pinning/index.md | 182 ++-- files/en-us/web/http/range_requests/index.md | 137 ++- files/en-us/web/http/redirections/index.md | 355 +++---- .../resources_and_specifications/index.md | 303 +----- .../web/http/resources_and_uris/index.md | 26 +- files/en-us/web/http/session/index.md | 294 +++--- files/en-us/web/http/status/100/index.md | 41 +- files/en-us/web/http/status/101/index.md | 96 +- files/en-us/web/http/status/103/index.md | 58 +- files/en-us/web/http/status/200/index.md | 36 +- files/en-us/web/http/status/201/index.md | 42 +- files/en-us/web/http/status/202/index.md | 72 +- files/en-us/web/http/status/203/index.md | 71 +- files/en-us/web/http/status/204/index.md | 69 +- files/en-us/web/http/status/205/index.md | 55 +- files/en-us/web/http/status/206/index.md | 98 +- files/en-us/web/http/status/300/index.md | 72 +- files/en-us/web/http/status/301/index.md | 40 +- files/en-us/web/http/status/302/index.md | 66 +- files/en-us/web/http/status/303/index.md | 44 +- files/en-us/web/http/status/304/index.md | 68 +- files/en-us/web/http/status/307/index.md | 68 +- files/en-us/web/http/status/308/index.md | 58 +- files/en-us/web/http/status/400/index.md | 39 +- files/en-us/web/http/status/401/index.md | 60 +- files/en-us/web/http/status/402/index.md | 60 +- files/en-us/web/http/status/403/index.md | 33 +- files/en-us/web/http/status/404/index.md | 42 +- files/en-us/web/http/status/405/index.md | 43 +- files/en-us/web/http/status/406/index.md | 65 +- files/en-us/web/http/status/407/index.md | 58 +- files/en-us/web/http/status/408/index.md | 87 +- files/en-us/web/http/status/409/index.md | 24 +- files/en-us/web/http/status/410/index.md | 30 +- files/en-us/web/http/status/411/index.md | 77 +- files/en-us/web/http/status/412/index.md | 84 +- files/en-us/web/http/status/413/index.md | 37 +- files/en-us/web/http/status/414/index.md | 78 +- files/en-us/web/http/status/415/index.md | 73 +- files/en-us/web/http/status/416/index.md | 30 +- files/en-us/web/http/status/417/index.md | 49 +- files/en-us/web/http/status/418/index.md | 46 +- files/en-us/web/http/status/422/index.md | 52 +- files/en-us/web/http/status/425/index.md | 28 +- files/en-us/web/http/status/426/index.md | 69 +- files/en-us/web/http/status/428/index.md | 59 +- files/en-us/web/http/status/429/index.md | 49 +- files/en-us/web/http/status/431/index.md | 95 +- files/en-us/web/http/status/451/index.md | 60 +- files/en-us/web/http/status/500/index.md | 24 +- files/en-us/web/http/status/501/index.md | 33 +- files/en-us/web/http/status/502/index.md | 29 +- files/en-us/web/http/status/503/index.md | 32 +- files/en-us/web/http/status/504/index.md | 28 +- files/en-us/web/http/status/505/index.md | 45 +- files/en-us/web/http/status/506/index.md | 31 +- files/en-us/web/http/status/507/index.md | 31 +- files/en-us/web/http/status/508/index.md | 47 +- files/en-us/web/http/status/510/index.md | 45 +- files/en-us/web/http/status/511/index.md | 57 +- files/en-us/web/http/status/index.md | 356 ++++--- 297 files changed, 15269 insertions(+), 18465 deletions(-) diff --git a/files/en-us/web/http/authentication/index.md b/files/en-us/web/http/authentication/index.md index 4b55c032e4f18d3..6eb3adb27cad06c 100644 --- a/files/en-us/web/http/authentication/index.md +++ b/files/en-us/web/http/authentication/index.md @@ -8,135 +8,134 @@ tags: - HTTP - Security --- -
{{HTTPSidebar}}
+{{HTTPSidebar}} -

HTTP provides a general framework for access control and authentication. This page is an introduction to the HTTP framework for authentication, and shows how to restrict access to your server using the HTTP "Basic" schema.

+HTTP provides a general framework for access control and authentication. This page is an introduction to the HTTP framework for authentication, and shows how to restrict access to your server using the HTTP "Basic" schema. -

The general HTTP authentication framework

+## The general HTTP authentication framework -

{{RFC("7235")}} defines the HTTP authentication framework, which can be used by a server to {{glossary("challenge")}} a client request, and by a client to provide authentication information.

+{{RFC("7235")}} defines the HTTP authentication framework, which can be used by a server to {{glossary("challenge")}} a client request, and by a client to provide authentication information. -

The challenge and response flow works like this:

+The challenge and response flow works like this: -
    -
  1. The server responds to a client with a {{HTTPStatus("401")}} (Unauthorized) response status and provides information on how to authorize with a {{HTTPHeader("WWW-Authenticate")}} response header containing at least one challenge.
    2. -
  2. A client that wants to authenticate itself with the server can then do so by including an {{HTTPHeader("Authorization")}} request header with the credentials.
    3. -
  3. Usually a client will present a password prompt to the user and will then issue the request including the correct Authorization header.
    4. -
+1. The server responds to a client with a {{HTTPStatus("401")}} (Unauthorized) response status and provides information on how to authorize with a {{HTTPHeader("WWW-Authenticate")}} response header containing at least one challenge. +2. A client that wants to authenticate itself with the server can then do so by including an {{HTTPHeader("Authorization")}} request header with the credentials. +3. Usually a client will present a password prompt to the user and will then issue the request including the correct `Authorization` header. -

A sequence diagram illustrating HTTP messages between a client and a server lifeline.

+![A sequence diagram illustrating HTTP messages between a client and a server lifeline.](httpauth.png "Sequence Diagram of Client-server HTTP Authentication") -

In the case of a "Basic" authentication like shown in the figure, the exchange must happen over an HTTPS (TLS) connection to be secure.

+In the case of a "Basic" authentication like shown in the figure, the exchange **must** happen over an HTTPS (TLS) connection to be secure. -

Proxy authentication

+### Proxy authentication -

The same challenge and response mechanism can be used for proxy authentication. As both resource authentication and proxy authentication can coexist, a different set of headers and status codes is needed. In the case of proxies, the challenging status code is {{HTTPStatus("407")}} (Proxy Authentication Required), the {{HTTPHeader("Proxy-Authenticate")}} response header contains at least one challenge applicable to the proxy, and the {{HTTPHeader("Proxy-Authorization")}} request header is used for providing the credentials to the proxy server.

+The same challenge and response mechanism can be used for _proxy authentication_. As both resource authentication and proxy authentication can coexist, a different set of headers and status codes is needed. In the case of proxies, the challenging status code is {{HTTPStatus("407")}} (Proxy Authentication Required), the {{HTTPHeader("Proxy-Authenticate")}} response header contains at least one challenge applicable to the proxy, and the {{HTTPHeader("Proxy-Authorization")}} request header is used for providing the credentials to the proxy server. -

Access forbidden

+### Access forbidden -

If a (proxy) server receives invalid credentials, it should respond with a {{HTTPStatus("401")}} Unauthorized or with a {{HTTPStatus("407")}} Proxy Authentication Required, and the user may send a new request or replace the {{HTTPHeader("Authorization")}} header field.

-

If a (proxy) server receives valid credentials that are inadequate to access a given resource, the server should respond with the {{HTTPStatus("403")}} Forbidden status code. Unlike {{HTTPStatus("401")}} Unauthorized or {{HTTPStatus("407")}} Proxy Authentication Required, authentication is impossible for this user and browsers will not propose a new attempt.

-

In all cases, the server may prefer returning a {{HTTPStatus("404")}} Not Found status code, to hide the existence of the page to a user without adequate privileges or not correctly authenticated.

+If a (proxy) server receives _invalid_ credentials, it should respond with a {{HTTPStatus("401")}} `Unauthorized` or with a {{HTTPStatus("407")}} `Proxy Authentication Required`, and the user may send a new request or replace the {{HTTPHeader("Authorization")}} header field. -

Authentication of cross-origin images

+If a (proxy) server receives valid credentials that are _inadequate_ to access a given resource, the server should respond with the {{HTTPStatus("403")}} `Forbidden` status code. Unlike {{HTTPStatus("401")}} `Unauthorized` or {{HTTPStatus("407")}} `Proxy Authentication Required`, authentication is impossible for this user and browsers will not propose a new attempt. -

A potential security hole recently been fixed by browsers is authentication of cross-site images. From Firefox 59 onwards, image resources loaded from different origins to the current document are no longer able to trigger HTTP authentication dialogs ({{bug(1423146)}}), preventing user credentials being stolen if attackers were able to embed an arbitrary image into a third-party page.

+In all cases, the server may prefer returning a {{HTTPStatus("404")}} `Not Found` status code, to hide the existence of the page to a user without adequate privileges or not correctly authenticated. -

Character encoding of HTTP authentication

+### Authentication of cross-origin images -

Browsers use utf-8 encoding for usernames and passwords.

+A potential security hole recently been fixed by browsers is authentication of cross-site images. From [Firefox 59](/en-US/docs/Mozilla/Firefox/Releases/59) onwards, image resources loaded from different origins to the current document are no longer able to trigger HTTP authentication dialogs ({{bug(1423146)}}), preventing user credentials being stolen if attackers were able to embed an arbitrary image into a third-party page. -

Firefox once used ISO-8859-1, but changed to utf-8 for parity with other browsers and to avoid potential problems as described in {{bug(1419658)}}.

+### Character encoding of HTTP authentication -

WWW-Authenticate and Proxy-Authenticate headers

+Browsers use `utf-8` encoding for usernames and passwords. -

The {{HTTPHeader("WWW-Authenticate")}} and {{HTTPHeader("Proxy-Authenticate")}} response headers define the authentication method that should be used to gain access to a resource. They must specify which authentication scheme is used, so that the client that wishes to authorize knows how to provide the credentials.

+Firefox once used `ISO-8859-1`, but changed to `utf-8` for parity with other browsers and to avoid potential problems as described in {{bug(1419658)}}. -

The syntax for these headers is the following:

+### WWW-Authenticate and Proxy-Authenticate headers -
WWW-Authenticate: <type> realm=<realm>
-Proxy-Authenticate: <type> realm=<realm>
-
+The {{HTTPHeader("WWW-Authenticate")}} and {{HTTPHeader("Proxy-Authenticate")}} response headers define the authentication method that should be used to gain access to a resource. They must specify which authentication scheme is used, so that the client that wishes to authorize knows how to provide the credentials. -

Here, <type> is the authentication scheme ("Basic" is the most common scheme and introduced below). The realm is used to describe the protected area or to indicate the scope of protection. This could be a message like "Access to the staging site" or similar, so that the user knows to which space they are trying to get access to.

+The syntax for these headers is the following: -

Authorization and Proxy-Authorization headers

+```html +WWW-Authenticate: realm= +Proxy-Authenticate: realm= +``` -

The {{HTTPHeader("Authorization")}} and {{HTTPHeader("Proxy-Authorization")}} request headers contain the credentials to authenticate a user agent with a (proxy) server. Here, the <type> is needed again followed by the credentials, which can be encoded or encrypted depending on which authentication scheme is used.

+Here, `` is the authentication scheme ("Basic" is the most common scheme and [introduced below](#basic_authentication_scheme)). The _realm_ is used to describe the protected area or to indicate the scope of protection. This could be a message like "Access to the staging site" or similar, so that the user knows to which space they are trying to get access to. -
Authorization: <type> <credentials>
-Proxy-Authorization: <type> <credentials>
-
+### Authorization and Proxy-Authorization headers -

Authentication schemes

+The {{HTTPHeader("Authorization")}} and {{HTTPHeader("Proxy-Authorization")}} request headers contain the credentials to authenticate a user agent with a (proxy) server. Here, the `` is needed again followed by the credentials, which can be encoded or encrypted depending on which authentication scheme is used. -

The general HTTP authentication framework is used by several authentication schemes. Schemes can differ in security strength and in their availability in client or server software.

+```html +Authorization: +Proxy-Authorization: +``` -

The most common authentication scheme is the "Basic" authentication scheme, which is introduced in more detail below. IANA maintains a list of authentication schemes, but there are other schemes offered by host services, such as Amazon AWS. Common authentication schemes include:

+### Authentication schemes -
-
Basic
-
See {{rfc(7617)}}, base64-encoded credentials. More information below.
-
Bearer
-
See {{rfc(6750)}}, bearer tokens to access OAuth 2.0-protected resources
-
Digest
-
See {{rfc(7616)}}, only md5 hashing is supported in Firefox, see {{bug(472823)}} for SHA encryption support
-
HOBA
-
See {{rfc(7486)}}, Section 3, HTTP Origin-Bound Authentication, digital-signature-based
-
Mutual
-
See {{rfc(8120)}}
-
AWS4-HMAC-SHA256
-
See AWS docs
-
+The general HTTP authentication framework is used by several authentication schemes. Schemes can differ in security strength and in their availability in client or server software. -

Basic authentication scheme

+The most common authentication scheme is the "Basic" authentication scheme, which is introduced in more detail below. IANA maintains a [list of authentication schemes](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml), but there are other schemes offered by host services, such as Amazon AWS. Common authentication schemes include: -

The "Basic" HTTP authentication scheme is defined in {{rfc(7617)}}, which transmits credentials as user ID/password pairs, encoded using base64.

+- **Basic** + - : See {{rfc(7617)}}, base64-encoded credentials. More information below. +- **Bearer** + - : See {{rfc(6750)}}, bearer tokens to access OAuth 2.0-protected resources +- **Digest** + - : See {{rfc(7616)}}, only md5 hashing is supported in Firefox, see {{bug(472823)}} for SHA encryption support +- **HOBA** + - : See {{rfc(7486)}}, Section 3, **H**TTP **O**rigin-**B**ound **A**uthentication, digital-signature-based +- **Mutual** + - : See {{rfc(8120)}} +- **AWS4-HMAC-SHA256** + - : See [AWS docs](https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html) -

Security of basic authentication

+## Basic authentication scheme -

As the user ID and password are passed over the network as clear text (it is base64 encoded, but base64 is a reversible encoding), the basic authentication scheme is not secure. HTTPS/TLS should be used with basic authentication. Without these additional security enhancements, basic authentication should not be used to protect sensitive or valuable information.

+The "Basic" HTTP authentication scheme is defined in {{rfc(7617)}}, which transmits credentials as user ID/password pairs, encoded using base64. -

Restricting access with Apache and basic authentication

+### Security of basic authentication -

To password-protect a directory on an Apache server, you will need a .htaccess and a .htpasswd file.

+As the user ID and password are passed over the network as clear text (it is base64 encoded, but base64 is a reversible encoding), the basic authentication scheme **is not secure**. HTTPS/TLS should be used with basic authentication. Without these additional security enhancements, basic authentication should not be used to protect sensitive or valuable information. -

The .htaccess file typically looks like this:

+### Restricting access with Apache and basic authentication -
AuthType Basic
-AuthName "Access to the staging site"
-AuthUserFile /path/to/.htpasswd
-Require valid-user
+To password-protect a directory on an Apache server, you will need a `.htaccess` and a `.htpasswd` file. -

The .htaccess file references a .htpasswd file in which each line consists of a username and a password separated by a colon (:). You cannot see the actual passwords as they are hashed (using MD5-based hashing, in this case). Note that you can name your .htpasswd file differently if you like, but keep in mind this file shouldn't be accessible to anyone. (Apache is usually configured to prevent access to .ht* files).

+The `.htaccess` file typically looks like this: -
aladdin:$apr1$ZjTqBB3f$IF9gdYAGlMrs2fuINjHsz.
-user2:$apr1$O04r.y2H$/vEkesPhVInBByJUkXitA/
-
+ AuthType Basic + AuthName "Access to the staging site" + AuthUserFile /path/to/.htpasswd + Require valid-user -

Restricting access with nginx and basic authentication

+The `.htaccess` file references a `.htpasswd` file in which each line consists of a username and a password separated by a colon (`:`). You cannot see the actual passwords as they are [hashed](https://httpd.apache.org/docs/2.4/misc/password_encryptions.html) (using MD5-based hashing, in this case). Note that you can name your `.htpasswd` file differently if you like, but keep in mind this file shouldn't be accessible to anyone. (Apache is usually configured to prevent access to `.ht*` files). -

For nginx, you will need to specify a location that you are going to protect and the auth_basic directive that provides the name to the password-protected area. The auth_basic_user_file directive then points to a .htpasswd file containing the encrypted user credentials, just like in the Apache example above.

+ aladdin:$apr1$ZjTqBB3f$IF9gdYAGlMrs2fuINjHsz. + user2:$apr1$O04r.y2H$/vEkesPhVInBByJUkXitA/ -
location /status {
-    auth_basic           "Access to the staging site";
-    auth_basic_user_file /etc/apache2/.htpasswd;
-}
+### Restricting access with nginx and basic authentication -

Access using credentials in the URL

+For nginx, you will need to specify a location that you are going to protect and the `auth_basic` directive that provides the name to the password-protected area. The `auth_basic_user_file` directive then points to a `.htpasswd` file containing the encrypted user credentials, just like in the Apache example above. -

Many clients also let you avoid the login prompt by using an encoded URL containing the username and the password like this:

+ location /status { + auth_basic "Access to the staging site"; + auth_basic_user_file /etc/apache2/.htpasswd; + } -
https://username:password@www.example.com/
+### Access using credentials in the URL -

The use of these URLs is deprecated. In Chrome, the username:password@ part in URLs is even stripped out for security reasons. In Firefox, it is checked if the site actually requires authentication and if not, Firefox will warn the user with a prompt "You are about to log in to the site “www.example.com” with the username “username”, but the website does not require authentication. This may be an attempt to trick you."

+Many clients also let you avoid the login prompt by using an encoded URL containing the username and the password like this: -

See also

+```plain example-bad +https://username:password@www.example.com/ +``` -
    -
  • {{HTTPHeader("WWW-Authenticate")}}
    • -
  • {{HTTPHeader("Authorization")}}
    • -
  • {{HTTPHeader("Proxy-Authorization")}}
    • -
  • {{HTTPHeader("Proxy-Authenticate")}}
    • -
  • {{HTTPStatus("401")}}, {{HTTPStatus("403")}}, {{HTTPStatus("407")}}
    • -
+**The use of these URLs is deprecated**. In Chrome, the `username:password@` part in URLs is even [stripped out](https://bugs.chromium.org/p/chromium/issues/detail?id=82250#c7) for security reasons. In Firefox, it is checked if the site actually requires authentication and if not, Firefox will warn the user with a prompt "You are about to log in to the site “www\.example.com” with the username “username”, but the website does not require authentication. This may be an attempt to trick you." + +## See also + +- {{HTTPHeader("WWW-Authenticate")}} +- {{HTTPHeader("Authorization")}} +- {{HTTPHeader("Proxy-Authorization")}} +- {{HTTPHeader("Proxy-Authenticate")}} +- {{HTTPStatus("401")}}, {{HTTPStatus("403")}}, {{HTTPStatus("407")}} diff --git a/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md b/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md index 8c61a1f13218d02..8291ad6272a2891 100644 --- a/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md +++ b/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md @@ -6,63 +6,57 @@ tags: - HTTP - URL --- -
{{HTTPSidebar}}
+{{HTTPSidebar}} -

A recurring question among website owners is whether to choose non-www or www URLs. This page provides some advice on what's best.

+A recurring question among website owners is whether to choose non-www or www URLs. This page provides some advice on what's best. -

What are domain names?

+## What are domain names? -

In an HTTP URL, the first substring that follows the initial http:// or https:// is called the domain name. This domain name is hosted on a server where the document resides.

+In an HTTP URL, the first substring that follows the initial `http://` or `https://` is called the domain name. This domain name is hosted on a server where the document resides. -

A server isn't necessarily a physical machine: several servers can reside on the same physical machine. Or, one server can be handled by several machines, cooperating to produce the answer or balancing the load of the requests between them. The key point is that semantically one domain name represents one single server.

+A server isn't necessarily a physical machine: several servers can reside on the same physical machine. Or, one server can be handled by several machines, cooperating to produce the answer or balancing the load of the requests between them. The key point is that semantically _one domain name represents one single server_. -

So, do I have to choose one or the other for my web site?

+## So, do I have to choose one or the other for my web site? -
    -
  • Yes, you need to choose one and stick with it. The choice of which one to have as your canonical location is yours, but if you choose one, stick with it. It will make your website appear more consistent to your users and to search engines. This includes always linking to the chosen domain (which shouldn't be hard if you're using relative URLs in your website) and always sharing links (by email/social networks, etc.) to the same domain.
    • -
  • No, you can have two. What is important is that you are coherent and consistent with which one is the official domain. This official domain is called the canonical name. All your absolute links should use it. But even so, you can still have the other domain working: HTTP allows two techniques so that it is clear for your users, or search engines, which domain is the canonical one, while still allowing the non-canonical domain to work and provide the expected pages.
    • -
+- **Yes**, you need to choose one and stick with it. The choice of which one to have as your canonical location is yours, but if you choose one, stick with it. It will make your website appear more consistent to your users and to search engines. This includes always linking to the chosen domain (which shouldn't be hard if you're using relative URLs in your website) and always sharing links (by email/social networks, etc.) to the same domain. +- **No**, you can have two. What is important is that you are coherent and consistent with which one is the official domain. **This official domain is called the _canonical_ name.** All your absolute links should use it. But even so, you can still have the other domain working: HTTP allows two techniques so that it is clear for your users, or search engines, which domain is the canonical one, while still allowing the non-canonical domain to work and provide the expected pages. -

So, choose one of your domains as your canonical one! There are two techniques below to allow the non-canonical domain to work still.

+So, choose one of your domains as your canonical one! There are two techniques below to allow the non-canonical domain to work still. -

Techniques for canonical URLs

+## Techniques for canonical URLs -

There are different ways to choose which website is canonical.

+There are different ways to choose which website is _canonical_. -

Using HTTP 301 redirects

+### Using HTTP 301 redirects -

In this case, you need to configure the server receiving the HTTP requests (which is most likely the same for www and non-www URLs) to respond with an adequate HTTP {{HTTPStatus(301)}} response to any request to the non-canonical domain. This will redirect the browser trying to access the non-canonical URLs to their canonical equivalent. For example, if you've chosen to use non-www URLs as the canonical type, you should redirect all www URLs to their equivalent URL without the www.

+In this case, you need to configure the server receiving the HTTP requests (which is most likely the same for www and non-www URLs) to respond with an adequate HTTP {{HTTPStatus(301)}} response to any request to the non-canonical domain. This will redirect the browser trying to access the non-canonical URLs to their canonical equivalent. For example, if you've chosen to use non-www URLs as the canonical type, you should redirect all www URLs to their equivalent URL without the www. -

Example:

+Example: -
    -
  1. A server receives a request for http://www.example.org/whaddup (when the canonical domain is example.org)
    2. -
  2. The server answers with a code {{HTTPStatus(301)}} with the header {{HTTPHeader("Location")}}: http://example.org/whaddup.
    3. -
  3. The client issues a request to the canonical domain: http://example.org/whatddup
    4. -
+1. A server receives a request for `http://www.example.org/whaddup` (when the canonical domain is example.org) +2. The server answers with a code {{HTTPStatus(301)}} with the header `{{HTTPHeader("Location")}}: http://example.org/whaddup`. +3. The client issues a request to the canonical domain: `http://example.org/whatddup` -

The HTML5 boilerplate project has an example on how to configure an Apache server to redirect one domain to the other.

+The[ HTML5 boilerplate project](https://github.com/h5bp/html5-boilerplate) has an example on [how to configure an Apache server to redirect one domain to the other](https://github.com/h5bp/html5-boilerplate/blob/7a22a33d4041c479d0962499e853501073811887/.htaccess#L219-L258). - +### Using _``_ -

It is possible to add a special HTML {{HTMLElement("link")}} element to a page to indicate what the canonical address of a page is. This has no impact on the human reader of the page, but tells search engine crawlers where the page actually lives. This way, search engines don't index the same page several times, potentially leading to it being considered as duplicate content or spam, and even removing or lowering your page from the search engine result pages.

+It is possible to add a special HTML {{HTMLElement("link")}} element to a page to indicate what the canonical address of a page is. This has no impact on the human reader of the page, but tells search engine crawlers where the page actually lives. This way, search engines don't index the same page several times, potentially leading to it being considered as duplicate content or spam, and even removing or lowering your page from the search engine result pages. -

When adding such a tag, you serve the same content for both domains, telling search engines which URL is canonical. In the previous example, http://www.example.org/whaddup would serve the same content as http://example.org/whaddup, but with an additional {{htmlelement("link")}} element in the head:

+When adding such a tag, you serve the same content for both domains, telling search engines which URL is canonical. In the previous example, `http://www.example.org/whaddup` would serve the same content as `http://example.org/whaddup`, but with an additional {{htmlelement("link")}} element in the head: -

<link href="http://example.org/whaddup" rel="canonical">

+`` -

Unlike the previous case, browser history will consider non-www and www URLs as independent entries.

+Unlike the previous case, browser history will consider non-www and www URLs as independent entries. -

Make your page work for both

+## Make your page work for both -

With these techniques, you can configure your server to respond correctly for both, the www-prefixed and the non-www-prefixed domains. It is good advice to do this since you can't predict which URL users will type in their browser's URL bar. It is a matter of choosing which type you want to use as your canonical location, then redirecting the other type to it.

+With these techniques, you can configure your server to respond correctly for both, the www-prefixed and the non-www-prefixed domains. It is good advice to do this since you can't predict which URL users will type in their browser's URL bar. It is a matter of choosing which type you want to use as your canonical location, then redirecting the other type to it. -

Deciding the case

+## Deciding the case -

This is a very subjective topic it could be considered a bikeshedding issue. If you wish to read deeper, please see some of the many articles on the subject.

+This is a very subjective topic it could be considered a [bikeshedding](https://bikeshed.com/) issue. If you wish to read deeper, please see some of the [many](https://www.netlify.com/blog/2017/02/28/to-www-or-not-www/) [articles](https://www.wpbeginner.com/beginners-guide/www-vs-non-www-which-is-better-for-wordpress-seo/) on the subject. -

See also

+## See also - +- [Stats on what people type in the URL bar](https://www.chrisfinke.com/2011/07/25/what-do-people-type-in-the-address-bar/) (2011) diff --git a/files/en-us/web/http/basics_of_http/data_uris/index.md b/files/en-us/web/http/basics_of_http/data_uris/index.md index c04f21cb54b1f2b..73557779563b11e 100644 --- a/files/en-us/web/http/basics_of_http/data_uris/index.md +++ b/files/en-us/web/http/basics_of_http/data_uris/index.md @@ -9,132 +9,115 @@ tags: - URL browser-compat: http.data-url --- -
{{HTTPSidebar}}
+{{HTTPSidebar}} -

Data URLs, URLs prefixed with the data: scheme, allow content creators to embed small files inline in documents. They were formerly known as "data URIs" until that name was retired by the WHATWG.

+**Data URLs**, URLs prefixed with the `data:` scheme, allow content creators to embed small files inline in documents. They were formerly known as "data URIs" until that name was retired by the WHATWG. -
-

Note: Data URLs are treated as unique opaque origins by modern browsers, rather than inheriting the origin of the settings object responsible for the navigation.

-
+> **Note:** Data URLs are treated as unique opaque origins by modern browsers, rather than inheriting the origin of the settings object responsible for the navigation. -

Syntax

+## Syntax -

Data URLs are composed of four parts: a prefix (data:), a MIME type indicating the type of data, an optional base64 token if non-textual, and the data itself:

+Data URLs are composed of four parts: a prefix (`data:`), a [MIME type](/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types) indicating the type of data, an optional `base64` token if non-textual, and the data itself: -
data:[<mediatype>][;base64],<data>
-
+```html +data:[][;base64], +``` -

The mediatype is a MIME type string, such as 'image/jpeg' for a JPEG image file. If omitted, defaults to text/plain;charset=US-ASCII

+The `mediatype` is a [MIME type](/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types) string, such as `'image/jpeg'` for a JPEG image file. If omitted, defaults to `text/plain;charset=US-ASCII` -

If the data contains characters defined in RFC 3986 as reserved characters, or contains space characters, newline characters, or other non-printing characters, those characters must be percent-encoded (aka “URL-encoded”).

+If the data contains [characters defined in RFC 3986 as reserved characters](https://datatracker.ietf.org/doc/html/rfc3986#section-2.2), or contains space characters, newline characters, or other non-printing characters, those characters must be [percent-encoded](/en-US/docs/Glossary/percent-encoding) (_aka_ “URL-encoded”). -

If the data is textual, you can embed the text (using the appropriate entities or escapes based on the enclosing document's type). Otherwise, you can specify base64 to embed base64-encoded binary data. You can find more info on MIME types here and here.

+If the data is textual, you can embed the text (using the appropriate entities or escapes based on the enclosing document's type). Otherwise, you can specify `base64` to embed base64-encoded binary data. You can find more info on MIME types [here](/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types) and [here](/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types). -

A few examples:

+A few examples: -
-
data:,Hello%2C%20World%21
-
The text/plain data Hello, World!. Note how the comma is percent-encoded as %2C, and the space character as %20.
-
data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==
-
base64-encoded version of the above
-
data:text/html,%3Ch1%3EHello%2C%20World%21%3C%2Fh1%3E
-
An HTML document with <h1>Hello, World!</h1>
-
data:text/html,<script>alert('hi');</script>
-
An HTML document that executes a JavaScript alert. Note that the closing script tag is required.
-
+- `data:,Hello%2C%20World%21` + - : The text/plain data `Hello, World!`. Note how the comma is [percent-encoded](/en-US/docs/Glossary/percent-encoding) as `%2C`, and the space character as `%20`. +- `data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==` + - : base64-encoded version of the above +- `data:text/html,%3Ch1%3EHello%2C%20World%21%3C%2Fh1%3E` + - : An HTML document with `

Hello, World!

` +- `data:text/html,` + - : An HTML document that executes a JavaScript alert. Note that the closing script tag is required. -

Encoding data into base64 format

+## Encoding data into base64 format -

Base64 is a group of binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. By consisting only in ASCII characters, base64 strings are generally url-safe, and that's why they can be used to encode data in Data URLs.

+Base64 is a group of binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation. By consisting only in ASCII characters, base64 strings are generally url-safe, and that's why they can be used to encode data in Data URLs. -

Encoding in Javascript

+### Encoding in Javascript -

The Web APIs have native methods to encode or decode to base64: Base64 encoding and decoding.

+The Web APIs have native methods to encode or decode to base64: [Base64 encoding and decoding](/en-US/docs/Glossary/Base64). -

Encoding on a Unix system

+### Encoding on a Unix system -

Base64 encoding of a file or string on Linux and Mac OS X systems can be achieved using the command-line base64 (or, as an alternative, the uuencode utility with -m argument).

+Base64 encoding of a file or string on Linux and Mac OS X systems can be achieved using the command-line `base64` (or, as an alternative, the `uuencode` utility with `-m` argument). -
echo -n hello|base64
+```bash
+echo -n hello|base64
 # outputs to console: aGVsbG8=
 
-echo -n hello>a.txt
+echo -n hello>a.txt
 base64 a.txt
 # outputs to console: aGVsbG8=
 
-base64 a.txt>b.txt
+base64 a.txt>b.txt
 # outputs to file b.txt: aGVsbG8=
-
+``` -

Encoding on Microsoft Windows

+### Encoding on Microsoft Windows -

On Windows, Convert.ToBase64String from PowerShell can be used to perform the Base64 encoding:

+On Windows, [Convert.ToBase64String](https://docs.microsoft.com/en-us/dotnet/api/system.convert.tobase64string?view=net-5.0) from PowerShell can be used to perform the Base64 encoding: -
[convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("hello"))
+```html
+[convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("hello"))
 # outputs to console: aGVsbG8=
-
+``` -

Alternatively, a GNU/Linux shell (such as WSL) provides the utility base64:

+Alternatively, a GNU/Linux shell (such as [WSL](https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux)) provides the utility `base64`: -
bash$ echo -n hello | base64
+```html
+bash$ echo -n hello | base64
 # outputs to console: aGVsbG8=
-
- -

Common problems

- -

This section describes problems that commonly occur when creating and using data URLs.

- -
data:text/html,lots of text...<p><a name%3D"bottom">bottom</a>?arg=val
-
- -

This represents an HTML resource whose contents are:

- -
lots of text...<p><a name="bottom">bottom</a>?arg=val
-
- -
-
Syntax
-
The format for data URLs is very simple, but it's easy to forget to put a comma before the "data" segment, or to incorrectly encode the data into base64 format.
-
Formatting in HTML
-
A data URL provides a file within a file, which can potentially be very wide relative to the width of the enclosing document. As a URL, the data should be formatable with whitespace (linefeed, tab, or spaces), but there are practical issues that arise when using base64 encoding.
-
Length limitations
-
Although Firefox supports data URLs of essentially unlimited length, browsers are not required to support any particular maximum length of data. For example, the Opera 11 browser limited URLs to 65535 characters long which limits data URLs to 65529 characters (65529 characters being the length of the encoded data, not the source, if you use the plain data:, without specifying a MIME type).
-
Lack of error handling
-
Invalid parameters in media, or typos when specifying 'base64', are ignored, but no error is provided.
-
No support for query strings, etc.
-
-

The data portion of a data URL is opaque, so an attempt to use a query string (page-specific parameters, with the syntax <url>?parameter-data) with a data URL will just include the query string in the data the URL represents.

-
-
Security issues
-
A number of security issues (e.g. phishing) have been associated with data URLs, and navigating to them in the browser's top level. To mitigate such issues, top-level navigation to data:// URLs has been blocked in Firefox 59+ (release version, Nightly/Beta from 58), and we hope to see other browsers follow suit soon. See Blocking Top-Level Navigations to data URLs for Firefox 58 for more details.
-
- -

Specifications

- - - - - - - - - - - - -
SpecificationTitle
{{RFC("2397")}}The "data" URL scheme
- -

Browser compatibility

- -

{{compat}}

- -

See also

- - +``` + +## Common problems + +This section describes problems that commonly occur when creating and using `data` URLs. + + data:text/html,lots of text...

bottom?arg=val + +This represents an HTML resource whose contents are: + + lots of text...

bottom?arg=val + +- Syntax + - : The format for `data` URLs is very simple, but it's easy to forget to put a comma before the "data" segment, or to incorrectly encode the data into base64 format. +- Formatting in HTML + - : A `data` URL provides a file within a file, which can potentially be very wide relative to the width of the enclosing document. As a URL, the `data` should be formatable with whitespace (linefeed, tab, or spaces), but there are practical issues that arise [when using base64 encoding](https://bugzilla.mozilla.org/show_bug.cgi?id=73026#c12). +- Length limitations + - : Although Firefox supports `data` URLs of essentially unlimited length, browsers are not required to support any particular maximum length of data. For example, the Opera 11 browser limited URLs to 65535 characters long which limits `data` URLs to 65529 characters (65529 characters being the length of the encoded data, not the source, if you use the plain `data:`, without specifying a MIME type). +- Lack of error handling + - : Invalid parameters in media, or typos when specifying `'base64'`, are ignored, but no error is provided. +- No support for query strings, etc. + - : The data portion of a data URL is opaque, so an attempt to use a query string (page-specific parameters, with the syntax `?parameter-data`) with a data URL will just include the query string in the data the URL represents. +- Security issues + - : A number of security issues (e.g. phishing) have been associated with data URLs, and navigating to them in the browser's top level. To mitigate such issues, top-level navigation to `data://` URLs has been blocked in Firefox 59+ (release version, Nightly/Beta from 58), and we hope to see other browsers follow suit soon. [See Blocking Top-Level Navigations to data URLs for Firefox 58](https://blog.mozilla.org/security/2017/11/27/blocking-top-level-navigations-data-urls-firefox-58/) for more details. + +## Specifications + +| Specification | Title | +| -------------------- | --------------------- | +| {{RFC("2397")}} | The "data" URL scheme | + +## Browser compatibility + +{{compat}} + +## See also + +- [Base64 encoding and decoding](/en-US/docs/Glossary/Base64) +- [Percent encoding](/en-US/docs/Glossary/percent-encoding) +- {{domxref("WindowOrWorkerGlobalScope/atob","atob()")}} +- {{domxref("WindowOrWorkerGlobalScope/btoa","btoa()")}} +- [CSS `url()`]() +- [URI](/en-US/docs/Glossary/URI) diff --git a/files/en-us/web/http/basics_of_http/evolution_of_http/index.md b/files/en-us/web/http/basics_of_http/evolution_of_http/index.md index 394a56aebd7d4b2..761dd79b290937d 100644 --- a/files/en-us/web/http/basics_of_http/evolution_of_http/index.md +++ b/files/en-us/web/http/basics_of_http/evolution_of_http/index.md @@ -7,202 +7,190 @@ tags: - NeedsUpdate - NeedsUpdate(HTTP/3) --- -

{{HTTPSidebar}}
+{{HTTPSidebar}} -

HTTP (HyperText Transfer Protocol) is the underlying protocol of the World Wide Web. Developed by Tim Berners-Lee and his team between 1989-1991, HTTP has seen many changes, keeping most of the simplicity and further shaping its flexibility. HTTP has evolved from an early protocol to exchange files in a semi-trusted laboratory environment, to the modern maze of the Internet, now carrying images, videos in high resolution and 3D.

+**HTTP** (HyperText Transfer Protocol) is the underlying protocol of the World Wide Web. Developed by Tim Berners-Lee and his team between 1989-1991, HTTP has seen many changes, keeping most of the simplicity and further shaping its flexibility. HTTP has evolved from an early protocol to exchange files in a semi-trusted laboratory environment, to the modern maze of the Internet, now carrying images, videos in high resolution and 3D. -

Invention of the World Wide Web

+## Invention of the World Wide Web -

In 1989, while he was working at CERN, Tim Berners-Lee wrote a proposal to build a hypertext system over the Internet. Initially calling it the Mesh, it was later renamed to World Wide Web during its implementation in 1990. Built over the existing TCP and IP protocols, it consisted of 4 building blocks:

+In 1989, while he was working at CERN, Tim Berners-Lee wrote a proposal to build a hypertext system over the Internet. Initially calling it the _Mesh_, it was later renamed to _World Wide Web_ during its implementation in 1990. Built over the existing TCP and IP protocols, it consisted of 4 building blocks: -
    -
  • A textual format to represent hypertext documents, the HyperText Markup Language (HTML).
    • -
  • A simple protocol to exchange these documents, the HypertText Transfer Protocol (HTTP).
    • -
  • A client to display (and accidentally edit) these documents, the first Web browser called WorldWideWeb.
    • -
  • A server to give access to the document, an early version of httpd.
    • -
+- A textual format to represent hypertext documents, the _[HyperText Markup Language](/en-US/docs/Web/HTML)_ (HTML). +- A simple protocol to exchange these documents, the _HypertText Transfer Protocol_ (HTTP). +- A client to display (and accidentally edit) these documents, the first Web browser called _WorldWideWeb_. +- A server to give access to the document, an early version of _httpd_. -

These four building blocks were completed by the end of 1990, and the first servers were already running outside of CERN by early 1991. On August 6th 1991, Tim Berners-Lee's post on the public alt.hypertext newsgroup is now considered as the official start of the World Wide Web as a public project.

+These four building blocks were completed by the end of 1990, and the first servers were already running outside of CERN by early 1991. On August 6th 1991, Tim Berners-Lee's [post](https://www.w3.org/People/Berners-Lee/1991/08/art-6484.txt) on the public _alt.hypertext_ newsgroup is now considered as the official start of the World Wide Web as a public project. -

The HTTP protocol used in those early phases was very simple, later dubbed HTTP/0.9, and sometimes as the one-line protocol.

+The HTTP protocol used in those early phases was very simple, later dubbed HTTP/0.9, and sometimes as the one-line protocol. -

HTTP/0.9 – The one-line protocol

+## HTTP/0.9 – The one-line protocol -

The initial version of HTTP had no version number; it has been later called 0.9 to differentiate it from the later versions. HTTP/0.9 is extremely simple: requests consist of a single line and start with the only possible method {{HTTPMethod("GET")}} followed by the path to the resource (not the URL as both the protocol, server, and port are unnecessary once connected to the server).

+The initial version of HTTP had no version number; it has been later called 0.9 to differentiate it from the later versions. HTTP/0.9 is extremely simple: requests consist of a single line and start with the only possible method {{HTTPMethod("GET")}} followed by the path to the resource (not the URL as both the protocol, server, and port are unnecessary once connected to the server). -
GET /mypage.html
+ GET /mypage.html -

The response is extremely simple too: it only consisted of the file itself.

+The response is extremely simple too: it only consisted of the file itself. -
<HTML>
-A very simple HTML page
-</HTML>
+ + A very simple HTML page + -

Unlike subsequent evolutions, there were no HTTP headers, meaning that only HTML files could be transmitted, but no other type of documents. There were no status or error codes: in case of a problem, a specific HTML file was sent back with the description of the problem contained in it, for human consumption.

+Unlike subsequent evolutions, there were no HTTP headers, meaning that only HTML files could be transmitted, but no other type of documents. There were no status or error codes: in case of a problem, a specific HTML file was sent back with the description of the problem contained in it, for human consumption. -

HTTP/1.0 – Building extensibility

+## HTTP/1.0 – Building extensibility -

HTTP/0.9 was very limited and both browsers and servers quickly extended it to be more versatile:

+HTTP/0.9 was very limited and both browsers and servers quickly extended it to be more versatile: -
    -
  • Versioning information is now sent within each request (HTTP/1.0 is appended to the GET line)
    • -
  • A status code line is also sent at the beginning of the response, allowing the browser itself to understand the success or failure of the request and to adapt its behavior in consequence (like in updating or using its local cache in a specific way)
    • -
  • The notion of HTTP headers has been introduced, both for the requests and the responses, allowing metadata to be transmitted and making the protocol extremely flexible and extensible.
    • -
  • With the help of the new HTTP headers, the ability to transmit other documents than plain HTML files has been added (thanks to the {{HTTPHeader("Content-Type")}} header).
    • -
+- Versioning information is now sent within each request (`HTTP/1.0` is appended to the `GET` line) +- A status code line is also sent at the beginning of the response, allowing the browser itself to understand the success or failure of the request and to adapt its behavior in consequence (like in updating or using its local cache in a specific way) +- The notion of HTTP headers has been introduced, both for the requests and the responses, allowing metadata to be transmitted and making the protocol extremely flexible and extensible. +- With the help of the new HTTP headers, the ability to transmit other documents than plain HTML files has been added (thanks to the {{HTTPHeader("Content-Type")}} header). -

At this point, a typical request and response looked like this:

+At this point, a typical request and response looked like this: -
GET /mypage.html HTTP/1.0
-User-Agent: NCSA_Mosaic/2.0 (Windows 3.1)
+    GET /mypage.html HTTP/1.0
+    User-Agent: NCSA_Mosaic/2.0 (Windows 3.1)
 
-200 OK
-Date: Tue, 15 Nov 1994 08:12:31 GMT
-Server: CERN/3.0 libwww/2.17
-Content-Type: text/html
-<HTML>
-A page with an image
-  <IMG SRC="/myimage.gif">
-</HTML>
+ 200 OK + Date: Tue, 15 Nov 1994 08:12:31 GMT + Server: CERN/3.0 libwww/2.17 + Content-Type: text/html + + A page with an image + + -

Followed by a second connection and request to fetch the image (followed by a response to that request):

+Followed by a second connection and request to fetch the image (followed by a response to that request): -
GET /myimage.gif HTTP/1.0
-User-Agent: NCSA_Mosaic/2.0 (Windows 3.1)
+    GET /myimage.gif HTTP/1.0
+    User-Agent: NCSA_Mosaic/2.0 (Windows 3.1)
 
-200 OK
-Date: Tue, 15 Nov 1994 08:12:32 GMT
-Server: CERN/3.0 libwww/2.17
-Content-Type: text/gif
-(image content)
+ 200 OK + Date: Tue, 15 Nov 1994 08:12:32 GMT + Server: CERN/3.0 libwww/2.17 + Content-Type: text/gif + (image content) -

These novelties have not been introduced as concerted effort, but as a try-and-see approach over the 1991-1995 period: a server and a browser added one feature and it saw if it got traction. A lot of interoperability problems were common. In November 1996, in order to solve these annoyances, an informational document describing the common practices has been published, {{RFC(1945)}}. This is the definition of HTTP/1.0 and it is notable that, in the narrow sense of the term, it isn't an official standard.

+These novelties have not been introduced as concerted effort, but as a try-and-see approach over the 1991-1995 period: a server and a browser added one feature and it saw if it got traction. A lot of interoperability problems were common. In November 1996, in order to solve these annoyances, an informational document describing the common practices has been published, {{RFC(1945)}}. This is the definition of HTTP/1.0 and it is notable that, in the narrow sense of the term, it isn't an official standard. -

HTTP/1.1 – The standardized protocol

+## HTTP/1.1 – The standardized protocol -

In parallel to the somewhat chaotic use of the diverse implementations of HTTP/1.0, and since 1995, well before the publication of HTTP/1.0 document the next year, proper standardization was in progress. The first standardized version of HTTP, HTTP/1.1 was published in early 1997, only a few months after HTTP/1.0.

+In parallel to the somewhat chaotic use of the diverse implementations of HTTP/1.0, and since 1995, well before the publication of HTTP/1.0 document the next year, proper standardization was in progress. The first standardized version of HTTP, HTTP/1.1 was published in early 1997, only a few months after HTTP/1.0. -

HTTP/1.1 clarified ambiguities and introduced numerous improvements:

+HTTP/1.1 clarified ambiguities and introduced numerous improvements: -
    -
  • A connection can be reused, saving the time to reopen it numerous times to display the resources embedded into the single original document retrieved.
    • -
  • Pipelining has been added, allowing to send a second request before the answer for the first one is fully transmitted, lowering the latency of the communication.
    • -
  • Chunked responses are now also supported.
    • -
  • Additional cache control mechanisms have been introduced.
    • -
  • Content negotiation, including language, encoding, or type, has been introduced, and allows a client and a server to agree on the most adequate content to exchange.
    • -
  • Thanks to the {{HTTPHeader("Host")}} header, the ability to host different domains at the same IP address now allows server colocation.
    • -
+- A connection can be reused, saving the time to reopen it numerous times to display the resources embedded into the single original document retrieved. +- Pipelining has been added, allowing to send a second request before the answer for the first one is fully transmitted, lowering the latency of the communication. +- Chunked responses are now also supported. +- Additional cache control mechanisms have been introduced. +- Content negotiation, including language, encoding, or type, has been introduced, and allows a client and a server to agree on the most adequate content to exchange. +- Thanks to the {{HTTPHeader("Host")}} header, the ability to host different domains at the same IP address now allows server colocation. -

A typical flow of requests, all through one single connection is now looking like this:

+A typical flow of requests, all through one single connection is now looking like this: -
GET /en-US/docs/Glossary/Simple_header HTTP/1.1
-Host: developer.mozilla.org
-User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-Accept-Language: en-US,en;q=0.5
-Accept-Encoding: gzip, deflate, br
-Referer: https://developer.mozilla.org/en-US/docs/Glossary/Simple_header
+    GET /en-US/docs/Glossary/Simple_header HTTP/1.1
+    Host: developer.mozilla.org
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
+    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+    Accept-Language: en-US,en;q=0.5
+    Accept-Encoding: gzip, deflate, br
+    Referer: https://developer.mozilla.org/en-US/docs/Glossary/Simple_header
 
-200 OK
-Connection: Keep-Alive
-Content-Encoding: gzip
-Content-Type: text/html; charset=utf-8
-Date: Wed, 20 Jul 2016 10:55:30 GMT
-Etag: "547fa7e369ef56031dd3bff2ace9fc0832eb251a"
-Keep-Alive: timeout=5, max=1000
-Last-Modified: Tue, 19 Jul 2016 00:59:33 GMT
-Server: Apache
-Transfer-Encoding: chunked
-Vary: Cookie, Accept-Encoding
+    200 OK
+    Connection: Keep-Alive
+    Content-Encoding: gzip
+    Content-Type: text/html; charset=utf-8
+    Date: Wed, 20 Jul 2016 10:55:30 GMT
+    Etag: "547fa7e369ef56031dd3bff2ace9fc0832eb251a"
+    Keep-Alive: timeout=5, max=1000
+    Last-Modified: Tue, 19 Jul 2016 00:59:33 GMT
+    Server: Apache
+    Transfer-Encoding: chunked
+    Vary: Cookie, Accept-Encoding
 
-(content)
+    (content)
 
-GET /static/img/header-background.png HTTP/1.1
-Host: developer.mozilla.org
-User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
-Accept: */*
-Accept-Language: en-US,en;q=0.5
-Accept-Encoding: gzip, deflate, br
-Referer: https://developer.mozilla.org/en-US/docs/Glossary/Simple_header
+    GET /static/img/header-background.png HTTP/1.1
+    Host: developer.mozilla.org
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
+    Accept: */*
+    Accept-Language: en-US,en;q=0.5
+    Accept-Encoding: gzip, deflate, br
+    Referer: https://developer.mozilla.org/en-US/docs/Glossary/Simple_header
 
-200 OK
-Age: 9578461
-Cache-Control: public, max-age=315360000
-Connection: keep-alive
-Content-Length: 3077
-Content-Type: image/png
-Date: Thu, 31 Mar 2016 13:34:46 GMT
-Last-Modified: Wed, 21 Oct 2015 18:27:50 GMT
-Server: Apache
+    200 OK
+    Age: 9578461
+    Cache-Control: public, max-age=315360000
+    Connection: keep-alive
+    Content-Length: 3077
+    Content-Type: image/png
+    Date: Thu, 31 Mar 2016 13:34:46 GMT
+    Last-Modified: Wed, 21 Oct 2015 18:27:50 GMT
+    Server: Apache
 
-(image content of 3077 bytes)
+ (image content of 3077 bytes) -

HTTP/1.1 was first published as {{rfc(2068)}} in January 1997.

+HTTP/1.1 was first published as {{rfc(2068)}} in January 1997. -

More than 15 years of extensions

+## More than 15 years of extensions -

Thanks to its extensibility – creating new headers or methods is easy – and even if the HTTP/1.1 protocol was refined over two revisions, {{RFC("2616")}} published in June 1999 and the series of {{RFC("7230")}}-{{RFC("7235")}} published in June 2014 in prevision of the release of HTTP/2, this protocol has been extremely stable over more than 15 years.

+Thanks to its extensibility – creating new headers or methods is easy – and even if the HTTP/1.1 protocol was refined over two revisions, {{RFC("2616")}} published in June 1999 and the series of {{RFC("7230")}}-{{RFC("7235")}} published in June 2014 in prevision of the release of HTTP/2, this protocol has been extremely stable over more than 15 years. -

Using HTTP for secure transmissions

+### Using HTTP for secure transmissions -

The largest change that happened to HTTP was done as early as end of 1994. Instead of sending HTTP over a basic TCP/IP stack, Netscape Communications created an additional encrypted transmission layer on top of it: SSL. SSL 1.0 was never released outside the company, but SSL 2.0 and its successor SSL 3.0 allowed for the creation of e-commerce Web sites by encrypting and guaranteeing the authenticity of the messages exchanged between the server and client. SSL was put on the standards track and eventually became TLS, with versions 1.0, 1.1, 1.2, and 1.3 appearing successfully to close vulnerabilities.

+The largest change that happened to HTTP was done as early as end of 1994. Instead of sending HTTP over a basic TCP/IP stack, Netscape Communications created an additional encrypted transmission layer on top of it: SSL. SSL 1.0 was never released outside the company, but SSL 2.0 and its successor SSL 3.0 allowed for the creation of e-commerce Web sites by encrypting and guaranteeing the authenticity of the messages exchanged between the server and client. SSL was put on the standards track and eventually became TLS, with versions 1.0, 1.1, 1.2, and 1.3 appearing successfully to close vulnerabilities. -

During the same time, the need for an encrypted transport layer raised: the Web left the relative trustiness of a mostly academic network, to a jungle where advertisers, random individuals or criminals compete to get as much private information about people, try to impersonate them or even to replace data transmitted by altered ones. As the applications built over HTTP became more and more powerful, having access to more and more private information like address books, e-mail, or the geographic position of the user, the need to have TLS became ubiquitous even outside the e-commerce use case.

+During the same time, the need for an encrypted transport layer raised: the Web left the relative trustiness of a mostly academic network, to a jungle where advertisers, random individuals or criminals compete to get as much private information about people, try to impersonate them or even to replace data transmitted by altered ones. As the applications built over HTTP became more and more powerful, having access to more and more private information like address books, e-mail, or the geographic position of the user, the need to have TLS became ubiquitous even outside the e-commerce use case. -

Using HTTP for complex applications

+### Using HTTP for complex applications -

The original vision of Tim Berners-Lee for the Web wasn't a read-only medium. He envisioned a Web where people can add and move documents remotely, a kind of distributed file system. Around 1996, HTTP has been extended to allow authoring, and a standard called WebDAV was created. It has been further extended for specific applications like CardDAV to handle address book entries and CalDAV to deal with calendars. But all these *DAV extensions had a flaw: they had to be implemented by the servers to be used, which was quite complex. Their use on Web realms stayed confidential.

+The original vision of Tim Berners-Lee for the Web wasn't a read-only medium. He envisioned a Web where people can add and move documents remotely, a kind of distributed file system. Around 1996, HTTP has been extended to allow authoring, and a standard called WebDAV was created. It has been further extended for specific applications like CardDAV to handle address book entries and CalDAV to deal with calendars. But all these \*DAV extensions had a flaw: they had to be implemented by the servers to be used, which was quite complex. Their use on Web realms stayed confidential. -

In 2000, a new pattern for using HTTP was designed: {{glossary("REST", "representational state transfer")}} (or REST). The actions induced by the API were no more conveyed by new HTTP methods, but only by accessing specific URIs with basic HTTP/1.1 methods. This allowed any Web application to provide an API to allow retrieval and modification of its data without having to update the browsers or the servers: all what is needed was embedded in the files served by the Web sites through standard HTTP/1.1. The drawback of the REST model resides in the fact that each website defines its own non-standard RESTful API and has total control on it; unlike the *DAV extensions where clients and servers are interoperable. RESTful APIs became very common in the 2010s.

+In 2000, a new pattern for using HTTP was designed: {{glossary("REST", "representational state transfer")}} (or REST). The actions induced by the API were no more conveyed by new HTTP methods, but only by accessing specific URIs with basic HTTP/1.1 methods. This allowed any Web application to provide an API to allow retrieval and modification of its data without having to update the browsers or the servers: all what is needed was embedded in the files served by the Web sites through standard HTTP/1.1. The drawback of the REST model resides in the fact that each website defines its own non-standard RESTful API and has total control on it; unlike the \*DAV extensions where clients and servers are interoperable. RESTful APIs became very common in the 2010s. -

Since 2005, the set of APIs available to Web pages greatly increased and several of these APIs created extensions, mostly new specific HTTP headers, to the HTTP protocol for specific purposes:

+Since 2005, the set of APIs available to Web pages greatly increased and several of these APIs created extensions, mostly new specific HTTP headers, to the HTTP protocol for specific purposes: -
    -
  • Server-sent events, where the server can push occasional messages to the browser.
    • -
  • WebSocket, a new protocol that can be set up by upgrading an existing HTTP connection.
    • -
+- [Server-sent events](/en-US/docs/Web/API/Server-sent_events), where the server can push occasional messages to the browser. +- [WebSocket](/en-US/docs/Web/API/WebSockets_API), a new protocol that can be set up by upgrading an existing HTTP connection. -

Relaxing the security-model of the Web

+### Relaxing the security-model of the Web -

HTTP is independent of the security model of the Web, the same-origin policy. In fact, the current Web security model has been developed after the creation of HTTP! Over the years, it has proved useful to be able to be more lenient, by allowing under certain constraints to lift some of the restriction of this policy. How much and when such restrictions are lifted is transmitted by the server to the client using a new bunch of HTTP headers. These are defined in specifications like Cross-Origin Resource Sharing (CORS) or the Content Security Policy (CSP).

+HTTP is independent of the security model of the Web, the [same-origin policy](/en-US/docs/Web/Security/Same-origin_policy). In fact, the current Web security model has been developed after the creation of HTTP! Over the years, it has proved useful to be able to be more lenient, by allowing under certain constraints to lift some of the restriction of this policy. How much and when such restrictions are lifted is transmitted by the server to the client using a new bunch of HTTP headers. These are defined in specifications like [Cross-Origin Resource Sharing](/en-US/docs/Glossary/CORS) (CORS) or the [Content Security Policy](/en-US/docs/Web/HTTP/CSP) (CSP). -

In addition to these large extensions, numerous other headers have been added, sometimes experimentally only. Notable headers are Do Not Track ({{HTTPHeader("DNT")}}) header to control privacy, {{HTTPHeader("X-Frame-Options")}}, or {{HTTPHeader('Upgrade-Insecure-Requests')}} but many more exist.

+In addition to these large extensions, numerous other headers have been added, sometimes experimentally only. Notable headers are Do Not Track ({{HTTPHeader("DNT")}}) header to control privacy, {{HTTPHeader("X-Frame-Options")}}, or {{HTTPHeader('Upgrade-Insecure-Requests')}} but many more exist. -

HTTP/2 – A protocol for greater performance

+## HTTP/2 – A protocol for greater performance -

Over the years, Web pages have become much more complex, even becoming applications in their own right. The amount of visual media displayed, the volume and size of scripts adding interactivity, has also increased: much more data is transmitted over significantly more HTTP requests. HTTP/1.1 connections need requests sent in the correct order. Theoretically, several parallel connections could be used (typically between 5 and 8), bringing considerable overhead and complexity. For example, HTTP pipelining has emerged as a resource burden in Web development.

+Over the years, Web pages have become much more complex, even becoming applications in their own right. The amount of visual media displayed, the volume and size of scripts adding interactivity, has also increased: much more data is transmitted over significantly more HTTP requests. HTTP/1.1 connections need requests sent in the correct order. Theoretically, several parallel connections could be used (typically between 5 and 8), bringing considerable overhead and complexity. For example, HTTP pipelining has emerged as a resource burden in Web development. -

In the first half of the 2010s, Google demonstrated an alternative way of exchanging data between client and server, by implementing an experimental protocol SPDY. This amassed interest from developers working on both browsers and servers. Defining an increase in responsiveness, and solving the problem of duplication of data transmitted, SPDY served as the foundations of the HTTP/2 protocol.

+In the first half of the 2010s, Google demonstrated an alternative way of exchanging data between client and server, by implementing an experimental protocol SPDY. This amassed interest from developers working on both browsers and servers. Defining an increase in responsiveness, and solving the problem of duplication of data transmitted, SPDY served as the foundations of the HTTP/2 protocol. -

The HTTP/2 protocol has several prime differences from the HTTP/1.1 version:

+The HTTP/2 protocol has several prime differences from the HTTP/1.1 version: -
    -
  • It is a binary protocol rather than text. It can no longer be read and created manually. Despite this hurdle, improved optimization techniques can now be implemented.
    • -
  • It is a multiplexed protocol. Parallel requests can be handled over the same connection, removing the order and blocking constraints of the HTTP/1.x protocol.
    • -
  • It compresses headers. As these are often similar among a set of requests, this removes duplication and overhead of data transmitted.
    • -
  • It allows a server to populate data in a client cache, in advance of it being required, through a mechanism called the server push.
    • -
+- It is a binary protocol rather than text. It can no longer be read and created manually. Despite this hurdle, improved optimization techniques can now be implemented. +- It is a multiplexed protocol. Parallel requests can be handled over the same connection, removing the order and blocking constraints of the HTTP/1.x protocol. +- It compresses headers. As these are often similar among a set of requests, this removes duplication and overhead of data transmitted. +- It allows a server to populate data in a client cache, in advance of it being required, through a mechanism called the server push. -

Officially standardized, in May 2015, HTTP/2 has had much success. By July 2016, 8.7% of all Web sites were already using it (see these stats), representing more than 68% of all requests (see these statistics). High-traffic Web sites showed the most rapid adoption, saving considerably on data transfer overheads and subsequent budgets.

+Officially standardized, in May 2015, HTTP/2 has had much success. By July 2016, 8.7% of all Web sites were already using it (see [these stats](https://w3techs.com/technologies/details/ce-http2/all/all)), representing more than 68% of all requests (see [these statistics](https://www.keycdn.com/blog/http2-statistics/)). High-traffic Web sites showed the most rapid adoption, saving considerably on data transfer overheads and subsequent budgets. -

This rapid adoption rate was likely as HTTP/2 does not require adaptation of Web sites and applications: using HTTP/1.1 or HTTP/2 is transparent for them. Having an up-to-date server communicating with a recent browser is enough to enable its use: only a limited set of groups were needed to trigger adoption, and as legacy browser and server versions are renewed, usage has naturally increased, without further Web developer efforts.

+This rapid adoption rate was likely as HTTP/2 does not require adaptation of Web sites and applications: using HTTP/1.1 or HTTP/2 is transparent for them. Having an up-to-date server communicating with a recent browser is enough to enable its use: only a limited set of groups were needed to trigger adoption, and as legacy browser and server versions are renewed, usage has naturally increased, without further Web developer efforts. -

Post-HTTP/2 evolution

+## Post-HTTP/2 evolution -

HTTP didn't stop evolving upon the release of HTTP/2. Like with HTTP/1.x previously, HTTP's extensibility is still being used to add new features. Notably, we can cite new extensions of the HTTP protocol appearing in 2016:

+HTTP didn't stop evolving upon the release of HTTP/2. Like with HTTP/1.x previously, HTTP's extensibility is still being used to add new features. Notably, we can cite new extensions of the HTTP protocol appearing in 2016: -
    -
  • Support of {{HTTPHeader("Alt-Svc")}} allows the dissociation of the identification and the location of a given resource, allowing for a smarter {{Glossary("CDN")}} caching mechanism.
    • -
  • The introduction of {{HTTPHeader("Client-Hints")}} allows the browser, or client, to proactively communicate information about its requirements, or hardware constraints, to the server.
    • -
  • The introduction of security-related prefixes in the {{HTTPHeader("Cookie")}} header, now helps guarantee a secure cookie has not been altered.
    • -
+- Support of {{HTTPHeader("Alt-Svc")}} allows the dissociation of the identification and the location of a given resource, allowing for a smarter {{Glossary("CDN")}} caching mechanism. +- The introduction of {{HTTPHeader("Client-Hints")}} allows the browser, or client, to proactively communicate information about its requirements, or hardware constraints, to the server. +- The introduction of security-related prefixes in the {{HTTPHeader("Cookie")}} header, now helps guarantee a secure cookie has not been altered. -

This evolution of HTTP proves its extensibility and simplicity, liberating creation of many applications and compelling the adoption of the protocol. The environment in which HTTP is used today is quite different from that seen in the early 1990s. HTTP's original design proved to be a masterpiece, allowing the Web to evolve over a quarter of a century, without the need of a mutiny. By healing flaws, yet retaining the flexibility and extensibility which made HTTP such a success, the adoption of HTTP/2 hints at a bright future for the protocol.

+This evolution of HTTP proves its extensibility and simplicity, liberating creation of many applications and compelling the adoption of the protocol. The environment in which HTTP is used today is quite different from that seen in the early 1990s. HTTP's original design proved to be a masterpiece, allowing the Web to evolve over a quarter of a century, without the need of a mutiny. By healing flaws, yet retaining the flexibility and extensibility which made HTTP such a success, the adoption of HTTP/2 hints at a bright future for the protocol. -

HTTP/3 - HTTP over QUIC

+## HTTP/3 - HTTP over QUIC -

{{Draft}}{{SeeCompatTable}}

+{{Draft}}{{SeeCompatTable}} -

The next major version of HTTP, HTTP/3, will use {{Glossary("QUIC")}} instead {{Glossary("TCP")}}/{{Glossary("TLS")}} for the transport layer portion.

+The next major version of HTTP, HTTP/3, will use {{Glossary("QUIC")}} instead {{Glossary("TCP")}}/{{Glossary("TLS")}} for the transport layer portion. -

See {{bug(1158011)}} for implementation status in Firefox.

+See {{bug(1158011)}} for implementation status in Firefox. diff --git a/files/en-us/web/http/basics_of_http/identifying_resources_on_the_web/index.md b/files/en-us/web/http/basics_of_http/identifying_resources_on_the_web/index.md index 3384afd42c6e010..4f08d9c99833995 100644 --- a/files/en-us/web/http/basics_of_http/identifying_resources_on_the_web/index.md +++ b/files/en-us/web/http/basics_of_http/identifying_resources_on_the_web/index.md @@ -16,174 +16,106 @@ tags: - query - resources --- -
{{HTTPSidebar}}
- -

The target of an HTTP request is called a "resource", whose nature isn't defined further; it can be a document, a photo, or anything else. Each resource is identified by a Uniform Resource Identifier ({{Glossary("URI")}}) used throughout HTTP for identifying resources.

- -

URLs and URNs

- -

URLs

- -

The most common form of URI is the Uniform Resource Locator ({{Glossary("URL")}}), which is known as the web address.

- -
https://developer.mozilla.org
-https://developer.mozilla.org/en-US/docs/Learn/
-https://developer.mozilla.org/en-US/search?q=URL
- -

Any of those URLs can be typed into your browser's address bar to tell it to load the associated page (resource).

- -

A URL is composed of different parts, some mandatory and others are optional. A more complex example might look like this:

- -
http://www.example.com:80/path/to/myfile.html?key1=value1&key2=value2#SomewhereInTheDocument
- -

URNs

- -

A Uniform Resource Name (URN) is a URI that identifies a resource by name in a particular namespace.

- -
urn:isbn:9780141036144
-urn:ietf:rfc:7230
-
- -

The two URNs correspond to

- -
    -
  • the book Nineteen Eighty-Four by George Orwell,
    • -
  • the IETF specification 7230, Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing.
    • -
- -

Syntax of Uniform Resource Identifiers (URIs)

- -

Scheme or protocol

- -
-
Protocol
-
http:// is the protocol. It indicates which protocol the browser must use. Usually it is the HTTP protocol or its secured version, HTTPS. The Web requires one of these two, but browsers also know how to handle other protocols such as mailto: (to open a mail client) or ftp: to handle file transfer, so don't be surprised if you see such protocols. Common schemes are:
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
SchemeDescription
dataData URIs
fileHost-specific file names
ftp{{Glossary("FTP","File Transfer Protocol")}}
http/httpsHyper text transfer protocol (Secure)
javascriptURL-embedded JavaScript code
mailtoElectronic mail address
sshSecure shell
teltelephone
urnUniform Resource Names
view-sourceSource code of the resource
ws/wssWebSocket connections (Secure)
- -

Authority

- -
-
Domaine Name
-
www.example.com is the domain name or authority that governs the namespace. It indicates which Web server is being requested. Alternatively, it is possible to directly use an {{Glossary("IP address")}}, but because it is less convenient, it is not often used on the Web.
-
- -

Port

- -
-
Port
-
:80 is the port in this instance. It indicates the technical "gate" used to access the resources on the web server. It is usually omitted if the web server uses the standard ports of the HTTP protocol (80 for HTTP and 443 for HTTPS) to grant access to its resources. Otherwise it is mandatory.
-
- -

Path

- -
-
Path to the file
-
/path/to/myfile.html is the path to the resource on the Web server. In the early days of the Web, a path like this represented a physical file location on the Web server. Nowadays, it is mostly an abstraction handled by Web servers without any physical reality.
-
- -

Query

- -
-
Parameters
-
?key1=value1&key2=value2 are extra parameters provided to the Web server. Those parameters are a list of key/value pairs separated with the & symbol. The Web server can use those parameters to do extra stuff before returning the resource to the user. Each Web server has its own rules regarding parameters, and the only reliable way to know how a specific Web server is handling parameters is by asking the Web server owner.
-
- -

Fragment

- -
-
Anchor
-
#SomewhereInTheDocument is an anchor to another part of the resource itself. An anchor represents a sort of "bookmark" inside the resource, giving the browser the directions to show the content located at that "bookmarked" spot. On an HTML document, for example, the browser will scroll to the point where the anchor is defined; on a video or audio document, the browser will try to go to the time the anchor represents. It is worth noting that the part after the #, also known as fragment identifier, is never sent to the server with the request.
-
- -

Usage notes

- -

When using URLs in {{Glossary("HTML")}} content, you should generally only use a few of these URL schemes. When referring to subresources — that is, files that are being loaded as part of a larger document — you should only use the HTTP and HTTPS schemes. Increasingly, browsers are removing support for using FTP to load subresources, for security reasons.

- -

FTP is still acceptable at the top level (such as typed directly into the browser's URL bar, or the target of a link), although some browsers may delegate loading FTP content to another application.

- -

Examples

- -
https://developer.mozilla.org/en-US/docs/Learn
-tel:+1-816-555-1212
-git@github.com:mdn/browser-compat-data.git
-ftp://example.org/resource.txt
-urn:isbn:9780141036144
-mailto:help@supercyberhelpdesk.info
-
- -

Specifications

- - - - - - - - - - - - -
SpecificationTitle
{{RFC("7230", "Uniform Resource Identifiers", "2.7")}}Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
- -

See also

- - +{{HTTPSidebar}} + +The target of an HTTP request is called a "resource", whose nature isn't defined further; it can be a document, a photo, or anything else. Each resource is identified by a Uniform Resource Identifier ({{Glossary("URI")}}) used throughout HTTP for identifying resources. + +## URLs and URNs + +### URLs + +The most common form of URI is the Uniform Resource Locator ({{Glossary("URL")}}), which is known as the _web address_. + + https://developer.mozilla.org + https://developer.mozilla.org/en-US/docs/Learn/ + https://developer.mozilla.org/en-US/search?q=URL + +Any of those URLs can be typed into your browser's address bar to tell it to load the associated page (resource). + +A URL is composed of different parts, some mandatory and others are optional. A more complex example might look like this: + + http://www.example.com:80/path/to/myfile.html?key1=value1&key2=value2#SomewhereInTheDocument + +### URNs + +A Uniform Resource Name (URN) is a URI that identifies a resource by name in a particular namespace. + + urn:isbn:9780141036144 + urn:ietf:rfc:7230 + +The two URNs correspond to + +- the book Nineteen Eighty-Four by George Orwell, +- the IETF specification 7230, Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. + +## Syntax of Uniform Resource Identifiers (URIs) + +### Scheme or protocol + +- ![Protocol](mdn-url-protocol@x2.png) + - : `http://` is the protocol. It indicates which protocol the browser must use. Usually it is the HTTP protocol or its secured version, HTTPS. The Web requires one of these two, but browsers also know how to handle other protocols such as `mailto:` (to open a mail client) or `ftp:` to handle file transfer, so don't be surprised if you see such protocols. Common schemes are: + +| Scheme | Description | +| ----------- | -------------------------------------------------------------------- | +| data | [Data URIs](/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs) | +| file | Host-specific file names | +| ftp | {{Glossary("FTP","File Transfer Protocol")}} | +| http/https | [Hyper text transfer protocol (Secure)](/en-US/docs/Glossary/HTTP) | +| javascript | URL-embedded JavaScript code | +| mailto | Electronic mail address | +| ssh | Secure shell | +| tel | telephone | +| urn | Uniform Resource Names | +| view-source | Source code of the resource | +| ws/wss | [WebSocket connections (Secure)](/en-US/docs/Web/API/WebSockets_API) | + +### Authority + +- ![Domaine Name](mdn-url-domain@x2.png) + - : `www.example.com` is the domain name or authority that governs the namespace. It indicates which Web server is being requested. Alternatively, it is possible to directly use an {{Glossary("IP address")}}, but because it is less convenient, it is not often used on the Web. + +### Port + +- ![Port](mdn-url-port@x2.png) + - : `:80` is the port in this instance. It indicates the technical "gate" used to access the resources on the web server. It is usually omitted if the web server uses the standard ports of the HTTP protocol (80 for HTTP and 443 for HTTPS) to grant access to its resources. Otherwise it is mandatory. + +### Path + +- ![Path to the file](mdn-url-path@x2.png) + - : `/path/to/myfile.html` is the path to the resource on the Web server. In the early days of the Web, a path like this represented a physical file location on the Web server. Nowadays, it is mostly an abstraction handled by Web servers without any physical reality. + +### Query + +- ![Parameters](mdn-url-parameters@x2.png) + - : `?key1=value1&key2=value2` are extra parameters provided to the Web server. Those parameters are a list of key/value pairs separated with the `&` symbol. The Web server can use those parameters to do extra stuff before returning the resource to the user. Each Web server has its own rules regarding parameters, and the only reliable way to know how a specific Web server is handling parameters is by asking the Web server owner. + +### Fragment + +- ![Anchor](mdn-url-anchor@x2.png) + - : `#SomewhereInTheDocument` is an anchor to another part of the resource itself. An anchor represents a sort of "bookmark" inside the resource, giving the browser the directions to show the content located at that "bookmarked" spot. On an HTML document, for example, the browser will scroll to the point where the anchor is defined; on a video or audio document, the browser will try to go to the time the anchor represents. It is worth noting that the part after the #, also known as fragment identifier, is never sent to the server with the request. + +## Usage notes + +When using URLs in {{Glossary("HTML")}} content, you should generally only use a few of these URL schemes. When referring to subresources — that is, files that are being loaded as part of a larger document — you should only use the HTTP and HTTPS schemes. Increasingly, browsers are removing support for using FTP to load subresources, for security reasons. + +FTP is still acceptable at the top level (such as typed directly into the browser's URL bar, or the target of a link), although some browsers may delegate loading FTP content to another application. + +## Examples + + https://developer.mozilla.org/en-US/docs/Learn + tel:+1-816-555-1212 + git@github.com:mdn/browser-compat-data.git + ftp://example.org/resource.txt + urn:isbn:9780141036144 + mailto:help@supercyberhelpdesk.info + +## Specifications + +| Specification | Title | +| ------------------------------------------------------------------------ | ------------------------------------------------------------------ | +| {{RFC("7230", "Uniform Resource Identifiers", "2.7")}} | Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing | + +## See also + +- [What is a URL?](/en-US/docs/Learn/Common_questions/What_is_a_URL) +- [IANA list of URI schemes](https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml) diff --git a/files/en-us/web/http/basics_of_http/index.md b/files/en-us/web/http/basics_of_http/index.md index 5df8ff46f459c12..1ce0f80f264603f 100644 --- a/files/en-us/web/http/basics_of_http/index.md +++ b/files/en-us/web/http/basics_of_http/index.md @@ -6,39 +6,37 @@ tags: - HTTP - Overview --- -
{{HTTPSidebar}}
+{{HTTPSidebar}} -

HTTP is an extensible protocol that relies on concepts like resources and Uniform Resource Identifiers (URIs), simple message structure, and client-server communication flow. On top of these basic concepts, numerous extensions have been developed over the years that add updated functionality and semantics with new HTTP methods or headers.

+HTTP is an extensible protocol that relies on concepts like resources and Uniform Resource Identifiers (URIs), simple message structure, and client-server communication flow. On top of these basic concepts, numerous extensions have been developed over the years that add updated functionality and semantics with new HTTP methods or headers. -

Articles

+## Articles -
-
Overview of HTTP
-
Describes what HTTP is and its role in web architecture, including its position in the protocol stack.
-
Evolution of HTTP
-
HTTP was created in the early 1990s and has been extended several times. This article goes through its history and describes HTTP/0.9, HTTP/1.0, HTTP/1.1, and the modern HTTP/2, as well as novelties introduced over the years.
-
Resources and URIs
-
A brief introduction to the concept of resources, identifiers, and locations on the web.
-
Identifying resources on the Web
-
Describes how web resources are referenced and how to locate them.
-
Data URIs
-
A specific kind of URI that directly embeds the resource it represents. Data URIs are very convenient, but have some caveats.
-
Resource URLs {{Non-standard_Inline}}
-
Resource URLs, those prefixed with the resource scheme are used by Firefox and Firefox browser extensions to load resources internally, but is also available to some sites the browser connects to as well.
-
MIME types
-
Since HTTP/1.0, different types of content can be transmitted. This article explains how this is accomplished using the {{HTTPHeader("Content-Type")}} header and the MIME standard.
-
Choosing between www and non-www URLs
-
This article provides guidance on how to choose whether to use a www-prefixed domain or not, along with the consequences of that choice.
-
Flow of an HTTP session
-
This article describes a typical HTTP session; i.e. what happens when you follow a link or load an image into a web page.
-
HTTP Messages
-
HTTP Messages transmitted during requests or responses have a very clear structure. This introductory article describes this structure, its purpose, and its possibilities.
-
Frame and message structure in HTTP/2
-
HTTP/2 encapsulates and represents HTTP/1.x messages in a binary frame. This article explains the frame structure, its purpose, and the way it's encoded.
-
Connection management in HTTP/1.x
-
HTTP/1.1 was the first version of HTTP to support persistent connection and pipelining. This article explains both concepts.
-
Connection management in HTTP/2
-
HTTP/2 completely revisited how connections are created and maintained. This article explains how HTTP frames allow multiplexing and solve the 'head-of-line' blocking problem of former HTTP versions.
-
Content Negotiation
-
HTTP introduces a set of headers, starting with Accept as a way for a browser to announce the format, language, or encoding it prefers. This article explains how this advertisement happens, how the server is expected to react, and how it chooses the most adequate response.
-
+- [Overview of HTTP](/en-US/docs/Web/HTTP/Overview) + - : Describes what HTTP is and its role in web architecture, including its position in the protocol stack. +- [Evolution of HTTP](/en-US/docs/Web/HTTP/Basics_of_HTTP/Evolution_of_HTTP) + - : HTTP was created in the early 1990s and has been extended several times. This article goes through its history and describes HTTP/0.9, HTTP/1.0, HTTP/1.1, and the modern HTTP/2, as well as novelties introduced over the years. +- [Resources and URIs](/en-US/docs/Web/HTTP/Resources_and_URIs) + - : A brief introduction to the concept of resources, identifiers, and locations on the web. +- [Identifying resources on the Web](/en-US/docs/Web/HTTP/Basics_of_HTTP/Identifying_resources_on_the_Web) + - : Describes how web resources are referenced and how to locate them. +- [Data URIs](/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs) + - : A specific kind of URI that directly embeds the resource it represents. Data URIs are very convenient, but have some caveats. +- [Resource URLs](/en-US/docs/Web/HTTP/Basics_of_HTTP/Resource_URLs) {{Non-standard_Inline}} + - : Resource URLs, those prefixed with the `resource` scheme are used by Firefox and Firefox browser extensions to load resources internally, but is also available to some sites the browser connects to as well. +- [MIME types](/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types) + - : Since HTTP/1.0, different types of content can be transmitted. This article explains how this is accomplished using the {{HTTPHeader("Content-Type")}} header and the MIME standard. +- [Choosing between www and non-www URLs](/en-US/docs/Web/HTTP/Basics_of_HTTP/Choosing_between_www_and_non-www_URLs) + - : This article provides guidance on how to choose whether to use a www-prefixed domain or not, along with the consequences of that choice. +- [Flow of an HTTP session](/en-US/docs/Web/HTTP/Session) + - : This article describes a typical HTTP session; i.e. what happens when you follow a link or load an image into a web page. +- [HTTP Messages](/en-US/docs/Web/HTTP/Messages) + - : HTTP Messages transmitted during requests or responses have a very clear structure. This introductory article describes this structure, its purpose, and its possibilities. +- [Frame and message structure in HTTP/2](/en-US/docs/Web/HTTP/Frame_and_message_structure_in_HTTP_2) + - : HTTP/2 encapsulates and represents HTTP/1.x messages in a binary frame. This article explains the frame structure, its purpose, and the way it's encoded. +- [Connection management in HTTP/1.x](/en-US/docs/Web/HTTP/Connection_management_in_HTTP_1.x) + - : HTTP/1.1 was the first version of HTTP to support persistent connection and pipelining. This article explains both concepts. +- [Connection management in HTTP/2](/en-US/docs/Web/HTTP/Connection_management_in_HTTP_2) + - : HTTP/2 completely revisited how connections are created and maintained. This article explains how HTTP frames allow multiplexing and solve the 'head-of-line' blocking problem of former HTTP versions. +- [Content Negotiation](/en-US/docs/Web/HTTP/Content_negotiation) + - : HTTP introduces a set of headers, starting with [`Accept`](/en-US/docs/Web/HTTP/Headers/Accept) as a way for a browser to announce the format, language, or encoding it prefers. This article explains how this advertisement happens, how the server is expected to react, and how it chooses the most adequate response. diff --git a/files/en-us/web/http/basics_of_http/mime_types/common_types/index.md b/files/en-us/web/http/basics_of_http/mime_types/common_types/index.md index 7d0a1c41d7de71e..6c7ec40b477f93d 100644 --- a/files/en-us/web/http/basics_of_http/mime_types/common_types/index.md +++ b/files/en-us/web/http/basics_of_http/mime_types/common_types/index.md @@ -14,396 +14,88 @@ tags: - Types - Video --- -
{{HTTPSidebar}}
+{{HTTPSidebar}} -

Here is a list of MIME types, associated by type of documents, ordered by their common extensions.

+Here is a list of MIME types, associated by type of documents, ordered by their common extensions. -

Two primary MIME types are important for the role of default types:

+Two primary MIME types are important for the role of default types: -
    -
  • text/plain is the default value for textual files. A textual file should be human-readable and must not contain binary data.
    • -
  • application/octet-stream is the default value for all other cases. An unknown file type should use this type. Browsers pay a particular care when manipulating these files, attempting to safeguard the user to prevent dangerous behaviors.
    • -
+- `text/plain` is the default value for textual files. A textual file should be human-readable and must not contain binary data. +- `application/octet-stream` is the default value for all other cases. An unknown file type should use this type. Browsers pay a particular care when manipulating these files, attempting to safeguard the user to prevent dangerous behaviors. -

IANA is the official registry of MIME media types and maintains a list of all the official MIME types. This table lists some important MIME types for the Web:

+IANA is the official registry of MIME media types and maintains a [list of all the official MIME types](https://www.iana.org/assignments/media-types/media-types.xhtml). This table lists some important MIME types for the Web: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ExtensionKind of documentMIME Type
.aacAAC audioaudio/aac
.abwAbiWord documentapplication/x-abiword
.arcArchive document (multiple files embedded)application/x-freearc
.aviAVI: Audio Video Interleavevideo/x-msvideo
.azwAmazon Kindle eBook formatapplication/vnd.amazon.ebook
.binAny kind of binary dataapplication/octet-stream
.bmpWindows OS/2 Bitmap Graphicsimage/bmp
.bzBZip archiveapplication/x-bzip
.bz2BZip2 archiveapplication/x-bzip2
.cdaCD audioapplication/x-cdf
.cshC-Shell scriptapplication/x-csh
.cssCascading Style Sheets (CSS)text/css
.csvComma-separated values (CSV)text/csv
.docMicrosoft Wordapplication/msword
.docxMicrosoft Word (OpenXML)application/vnd.openxmlformats-officedocument.wordprocessingml.document
.eotMS Embedded OpenType fontsapplication/vnd.ms-fontobject
.epubElectronic publication (EPUB)application/epub+zip
.gzGZip Compressed Archiveapplication/gzip
.gifGraphics Interchange Format (GIF)image/gif
.htm
- .html		HyperText Markup Language (HTML)text/html
.icoIcon formatimage/vnd.microsoft.icon
.icsiCalendar formattext/calendar
.jarJava Archive (JAR)application/java-archive
.jpeg
- .jpg		JPEG imagesimage/jpeg
.jsJavaScript - text/javascript (Specifications: HTML and its reasoning, and IETF) -
.jsonJSON formatapplication/json
.jsonldJSON-LD formatapplication/ld+json
.mid
- .midi		Musical Instrument Digital Interface (MIDI)audio/midi audio/x-midi
.mjsJavaScript moduletext/javascript
.mp3MP3 audioaudio/mpeg
.mp4MP4 audiovideo/mp4
.mpegMPEG Videovideo/mpeg
.mpkgApple Installer Packageapplication/vnd.apple.installer+xml
.odpOpenDocument presentation documentapplication/vnd.oasis.opendocument.presentation
.odsOpenDocument spreadsheet documentapplication/vnd.oasis.opendocument.spreadsheet
.odtOpenDocument text documentapplication/vnd.oasis.opendocument.text
.ogaOGG audioaudio/ogg
.ogvOGG videovideo/ogg
.ogxOGGapplication/ogg
.opusOpus audioaudio/opus
.otfOpenType fontfont/otf
.pngPortable Network Graphicsimage/png
.pdfAdobe Portable Document Format (PDF)application/pdf
.phpHypertext Preprocessor (Personal Home Page)application/x-httpd-php
.pptMicrosoft PowerPointapplication/vnd.ms-powerpoint
.pptxMicrosoft PowerPoint (OpenXML)application/vnd.openxmlformats-officedocument.presentationml.presentation
.rarRAR archiveapplication/vnd.rar
.rtfRich Text Format (RTF)application/rtf
.shBourne shell scriptapplication/x-sh
.svgScalable Vector Graphics (SVG)image/svg+xml
.swfSmall web format (SWF) or Adobe Flash documentapplication/x-shockwave-flash
.tarTape Archive (TAR)application/x-tar
.tif
- .tiff		Tagged Image File Format (TIFF)image/tiff
.tsMPEG transport streamvideo/mp2t
.ttfTrueType Fontfont/ttf
.txtText, (generally ASCII or ISO 8859-n)text/plain
.vsdMicrosoft Visioapplication/vnd.visio
.wavWaveform Audio Formataudio/wav
.webaWEBM audioaudio/webm
.webmWEBM videovideo/webm
.webpWEBP imageimage/webp
.woffWeb Open Font Format (WOFF)font/woff
.woff2Web Open Font Format (WOFF)font/woff2
.xhtmlXHTMLapplication/xhtml+xml
.xlsMicrosoft Excelapplication/vnd.ms-excel
.xlsxMicrosoft Excel (OpenXML)application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
.xmlXMLapplication/xml if not readable from casual users (RFC 3023, section 3)
- text/xml if readable from casual users (RFC 3023, section 3)
.xulXULapplication/vnd.mozilla.xul+xml
.zipZIP archiveapplication/zip
.3gp3GPP audio/video containervideo/3gpp
- audio/3gpp if it doesn't contain video
.3g23GPP2 audio/video containervideo/3gpp2
- audio/3gpp2 if it doesn't contain video
.7z7-zip archiveapplication/x-7z-compressed
+| Extension | Kind of document | MIME Type | +| -------------- | ------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| `.aac` | AAC audio | `audio/aac` | +| `.abw` | [AbiWord](https://en.wikipedia.org/wiki/AbiWord) document | `application/x-abiword` | +| `.arc` | Archive document (multiple files embedded) | `application/x-freearc` | +| `.avi` | AVI: Audio Video Interleave | `video/x-msvideo` | +| `.azw` | Amazon Kindle eBook format | `application/vnd.amazon.ebook` | +| `.bin` | Any kind of binary data | `application/octet-stream` | +| `.bmp` | Windows OS/2 Bitmap Graphics | `image/bmp` | +| `.bz` | BZip archive | `application/x-bzip` | +| `.bz2` | BZip2 archive | `application/x-bzip2` | +| `.cda` | CD audio | `application/x-cdf` | +| `.csh` | C-Shell script | `application/x-csh` | +| `.css` | Cascading Style Sheets (CSS) | `text/css` | +| `.csv` | Comma-separated values (CSV) | `text/csv` | +| `.doc` | Microsoft Word | `application/msword` | +| `.docx` | Microsoft Word (OpenXML) | `application/vnd.openxmlformats-officedocument.wordprocessingml.document` | +| `.eot` | MS Embedded OpenType fonts | `application/vnd.ms-fontobject` | +| `.epub` | Electronic publication (EPUB) | `application/epub+zip` | +| `.gz` | GZip Compressed Archive | `application/gzip` | +| `.gif` | Graphics Interchange Format (GIF) | `image/gif` | +| `.htm .html` | HyperText Markup Language (HTML) | `text/html` | +| `.ico` | Icon format | `image/vnd.microsoft.icon` | +| `.ics` | iCalendar format | `text/calendar` | +| `.jar` | Java Archive (JAR) | `application/java-archive` | +| `.jpeg` `.jpg` | JPEG images | `image/jpeg` | +| `.js` | JavaScript | `text/javascript` (Specifications: [HTML](https://html.spec.whatwg.org/multipage/#scriptingLanguages) and its [reasoning](https://html.spec.whatwg.org/multipage/#dependencies:willful-violation), and [IETF](https://datatracker.ietf.org/doc/draft-ietf-dispatch-javascript-mjs/)) | +| `.json` | JSON format | `application/json` | +| `.jsonld` | JSON-LD format | `application/ld+json` | +| `.mid` `.midi` | Musical Instrument Digital Interface (MIDI) | `audio/midi` `audio/x-midi` | +| `.mjs` | JavaScript module | `text/javascript` | +| `.mp3` | MP3 audio | `audio/mpeg` | +| `.mp4` | MP4 audio | `video/mp4` | +| `.mpeg` | MPEG Video | `video/mpeg` | +| `.mpkg` | Apple Installer Package | `application/vnd.apple.installer+xml` | +| `.odp` | OpenDocument presentation document | `application/vnd.oasis.opendocument.presentation` | +| `.ods` | OpenDocument spreadsheet document | `application/vnd.oasis.opendocument.spreadsheet` | +| `.odt` | OpenDocument text document | `application/vnd.oasis.opendocument.text` | +| `.oga` | OGG audio | `audio/ogg` | +| `.ogv` | OGG video | `video/ogg` | +| `.ogx` | OGG | `application/ogg` | +| `.opus` | Opus audio | `audio/opus` | +| `.otf` | OpenType font | `font/otf` | +| `.png` | Portable Network Graphics | `image/png` | +| `.pdf` | Adobe [Portable Document Format](https://acrobat.adobe.com/us/en/why-adobe/about-adobe-pdf.html) (PDF) | `application/pdf` | +| `.php` | Hypertext Preprocessor (**Personal Home Page**) | `application/x-httpd-php` | +| `.ppt` | Microsoft PowerPoint | `application/vnd.ms-powerpoint` | +| `.pptx` | Microsoft PowerPoint (OpenXML) | `application/vnd.openxmlformats-officedocument.presentationml.presentation` | +| `.rar` | RAR archive | `application/vnd.rar` | +| `.rtf` | Rich Text Format (RTF) | `application/rtf` | +| `.sh` | Bourne shell script | `application/x-sh` | +| `.svg` | Scalable Vector Graphics (SVG) | `image/svg+xml` | +| `.swf` | [Small web format](https://en.wikipedia.org/wiki/SWF) (SWF) or Adobe Flash document | `application/x-shockwave-flash` | +| `.tar` | Tape Archive (TAR) | `application/x-tar` | +| `.tif .tiff` | Tagged Image File Format (TIFF) | `image/tiff` | +| `.ts` | MPEG transport stream | `video/mp2t` | +| `.ttf` | TrueType Font | `font/ttf` | +| `.txt` | Text, (generally ASCII or ISO 8859-_n_) | `text/plain` | +| `.vsd` | Microsoft Visio | `application/vnd.visio` | +| `.wav` | Waveform Audio Format | `audio/wav` | +| `.weba` | WEBM audio | `audio/webm` | +| `.webm` | WEBM video | `video/webm` | +| `.webp` | WEBP image | `image/webp` | +| `.woff` | Web Open Font Format (WOFF) | `font/woff` | +| `.woff2` | Web Open Font Format (WOFF) | `font/woff2` | +| `.xhtml` | XHTML | `application/xhtml+xml` | +| `.xls` | Microsoft Excel | `application/vnd.ms-excel` | +| `.xlsx` | Microsoft Excel (OpenXML) | `application/vnd.openxmlformats-officedocument.spreadsheetml.sheet` | +| `.xml` | `XML` | `application/xml `if _not_ readable from casual users ([RFC 3023](https://datatracker.ietf.org/doc/html/rfc3023#section-3), section 3) `text/xml` if readable from casual users ([RFC 3023](https://datatracker.ietf.org/doc/html/rfc3023#section-3), section 3) | +| `.xul` | XUL | `application/vnd.mozilla.xul+xml` | +| `.zip` | ZIP archive | `application/zip` | +| `.3gp` | [3GPP](https://en.wikipedia.org/wiki/3GP_and_3G2) audio/video container | `video/3gpp` `audio/3gpp` if it doesn't contain video | +| `.3g2` | [3GPP2](https://en.wikipedia.org/wiki/3GP_and_3G2) audio/video container | `video/3gpp2` `audio/3gpp2` if it doesn't contain video | +| `.7z` | [7-zip](https://en.wikipedia.org/wiki/7-Zip) archive | `application/x-7z-compressed` | diff --git a/files/en-us/web/http/basics_of_http/mime_types/index.md b/files/en-us/web/http/basics_of_http/mime_types/index.md index 601c249097e353d..089f930113c2c69 100644 --- a/files/en-us/web/http/basics_of_http/mime_types/index.md +++ b/files/en-us/web/http/basics_of_http/mime_types/index.md @@ -13,398 +13,294 @@ tags: - application/json - application/xml --- -
{{HTTPSidebar}}
- -

- A media type (also known as a - Multipurpose Internet Mail Extensions or MIME type) is a standard - that indicates the nature and format of a document, file, or assortment of - bytes. It is defined and standardized in IETF's {{RFC(6838)}}. -

- -

The Internet Assigned Numbers Authority (IANA) is - responsible for all official MIME types, and you can find the most up-to-date and - complete list at their Media Types - page.

- -
-

- Warning: Browsers use the MIME type, - not the file extension, - to determine how to process a URL, - so it's important - that web servers send the correct MIME type in the response's {{HTTPHeader("Content-Type")}} header. - If this is not correctly configured, - browsers are likely to misinterpret the contents of files, - sites will not work correctly, - and downloaded files may be mishandled. -

-
- -

Structure of a MIME type

- -

The simplest MIME type consists of a type and a subtype; these - are each strings which, when concatenated with a slash (/) between them, - comprise a MIME type. No whitespace is allowed in a MIME type:

- -
type/subtype
- -

The type represents the general category into which the - data type falls, such as video or text. The - subtype identifies the exact kind of data of the specified - type the MIME type represents. For example, for the MIME type text, the - subtype might be plain (plain text), html - ({{Glossary("HTML")}} source code), or calendar (for - iCalendar/.ics) files.

- -

Each type has its own set of possible subtypes, and a MIME type always has both a type - and a subtype, never just one or the other.

- -

An optional parameter can be added to provide additional details:

- -
type/subtype;parameter=value
- -

For example, for any MIME type whose main type is text, the optional - charset parameter can be used to specify the character set used for the - characters in the data. If no charset is specified, the default is - {{Glossary("ASCII")}} (US-ASCII) unless overridden by the {{Glossary("user +{{HTTPSidebar}} + +A **media type** (also known as a +**Multipurpose Internet Mail Extensions or MIME type**) is a standard +that indicates the nature and format of a document, file, or assortment of +bytes. It is defined and standardized in IETF's {{RFC(6838)}}. + +The [Internet Assigned Numbers Authority (IANA)](https://www.iana.org/) is +responsible for all official MIME types, and you can find the most up-to-date and +complete list at their [Media Types](https://www.iana.org/assignments/media-types/media-types.xhtml) +page. + +> **Warning:** Browsers use the MIME type, +> _not the file extension_, +> to determine how to process a URL, +> so it's important +> that web servers send the correct MIME type in the response's {{HTTPHeader("Content-Type")}} header. +> If this is not correctly configured, +> browsers are likely to misinterpret the contents of files, +> sites will not work correctly, +> and downloaded files may be mishandled. + +## Structure of a MIME type + +The simplest MIME type consists of a _type_ and a _subtype_; these +are each strings which, when concatenated with a slash (`/`) between them, +comprise a MIME type. No whitespace is allowed in a MIME type: + +```html +type/subtype +``` + +The **_type_** represents the general category into which the +data type falls, such as `video` or `text`. The +**_subtype_** identifies the exact kind of data of the specified +type the MIME type represents. For example, for the MIME type `text`, the +subtype might be `plain` (plain text), `html` +({{Glossary("HTML")}} source code), or `calendar` (for +iCalendar/`.ics`) files. + +Each type has its own set of possible subtypes, and a MIME type always has both a type +and a subtype, never just one or the other. + +An optional **parameter** can be added to provide additional details: + +```html +type/subtype;parameter=value +``` + +For example, for any MIME type whose main type is `text`, the optional +`charset` parameter can be used to specify the character set used for the +characters in the data. If no `charset` is specified, the default is +{{Glossary("ASCII")}} (`US-ASCII`) unless overridden by the {{Glossary("user agent", "user agent's")}} settings. To specify a UTF-8 text file, the MIME type - text/plain;charset=UTF-8 is used.

+`text/plain;charset=UTF-8` is used. -

MIME types are case-insensitive but are traditionally written in lowercase, with the - exception of parameter values, whose case may or may not have specific meaning.

+MIME types are case-insensitive but are traditionally written in lowercase, with the +exception of parameter values, whose case may or may not have specific meaning. -

Types

+### Types -

There are two classes of type: discrete and - multipart. Discrete types are types which represent a single file or - medium, such as a single text or music file, or a single video. A multipart type is one - which represents a document that's comprised of multiple component parts, each of which - may have its own individual MIME type; or, a multipart type may encapsulate multiple - files being sent together in one transaction. For example, multipart MIME types are used - when attaching multiple files to an email.

+There are two classes of type: **discrete** and +**multipart**. Discrete types are types which represent a single file or +medium, such as a single text or music file, or a single video. A multipart type is one +which represents a document that's comprised of multiple component parts, each of which +may have its own individual MIME type; or, a multipart type may encapsulate multiple +files being sent together in one transaction. For example, multipart MIME types are used +when attaching multiple files to an email. -

Discrete types

+#### Discrete types -

The discrete types currently registered with the IANA are:

+The discrete types currently registered with the IANA are: -
-
- application -
-
- Any kind of binary data that doesn't fall explicitly into one of the other types; +- `application` + - : Any kind of binary data that doesn't fall explicitly into one of the other types; either data that will be executed or interpreted in some way or binary data that requires a specific application or category of application to use. Generic binary data - (or binary data whose true type is unknown) is application/octet-stream. - Other common examples include application/pdf, - application/pkcs8, and application/zip. - (Registration at IANA) -
- -
- audio -
-
- Audio or music data. Examples include audio/mpeg, - audio/vorbis. - (Registration at IANA) -
- -
- example -
-
- Reserved for use as a placeholder in examples showing how to use MIME types. These + (or binary data whose true type is unknown) is `application/octet-stream`. + Other common examples include `application/pdf`, + `application/pkcs8`, and `application/zip`. + [(Registration at IANA)](https://www.iana.org/assignments/media-types/media-types.xhtml#application) +- `audio` + - : Audio or music data. Examples include `audio/mpeg`, + `audio/vorbis`. + [(Registration at IANA)](https://www.iana.org/assignments/media-types/media-types.xhtml#audio) +- `example` + - : Reserved for use as a placeholder in examples showing how to use MIME types. These should never be used outside of sample code listings and documentation. - example can also be used as a subtype; for instance, in an example - related to working with audio on the web, the MIME type audio/example can + `example` can also be used as a subtype; for instance, in an example + related to working with audio on the web, the MIME type `audio/example` can be used to indicate that the type is a placeholder and should be replaced with an appropriate one when using the code in the real world. -
- -
- font -
-
- Font/typeface data. Common examples include font/woff, - font/ttf, and font/otf. - (Registration at IANA) -
- -
- image -
-
- Image or graphical data including both bitmap and vector still images as well as +- `font` + - : Font/typeface data. Common examples include `font/woff`, + `font/ttf`, and `font/otf`. + [(Registration at IANA)](https://www.iana.org/assignments/media-types/media-types.xhtml#font) +- `image` + - : Image or graphical data including both bitmap and vector still images as well as animated versions of still image formats such as animated {{Glossary("GIF")}} or APNG. - Common examples are image/jpeg, image/png, and - image/svg+xml. - (Registration at IANA) -
-
- model -
-
- Model data for a 3D object or scene. Examples include model/3mf and - model/vrml. - (Registration at IANA) -
- -
- text -
-
- Text-only data including any human-readable content, source code, or textual data + Common examples are `image/jpeg`, `image/png`, and + `image/svg+xml`. + [(Registration at IANA)](https://www.iana.org/assignments/media-types/media-types.xhtml#image) +- `model` + - : Model data for a 3D object or scene. Examples include `model/3mf` and + `model/vrml`. + [(Registration at IANA)](https://www.iana.org/assignments/media-types/media-types.xhtml#model) +- `text` + - : Text-only data including any human-readable content, source code, or textual data such as comma-separated value (CSV) formatted data. Examples include - text/plain, text/csv, and text/html. - (Registration at IANA) -
- -
- video -
-
- Video data or files, such as MP4 movies (video/mp4). - (Registration at IANA) -
-
- -

For text documents without a specific subtype, text/plain should be used. - Similarly, for binary documents without a specific or known subtype, - application/octet-stream should be used.

- -

Multipart types

- -

Multipart types indicate a category of document broken into - pieces, often with different MIME types; they can also be used — especially in email - scenarios — to represent multiple, separate files which are all part of the same - transaction. They represent a composite document.

- -

With the exception of multipart/form-data, used in - the {{HTTPMethod("POST")}} method of HTML - Forms, and multipart/byteranges, used with {{HTTPStatus("206")}} - Partial Content to send part of a document, HTTP doesn't handle multipart - documents in a special way: the message is transmitted to the browser (which will likely - show a "Save As" window if it doesn't know how to display the document).

- -

There are two multipart types:

- -
-
- message -
-
- A message that encapsulates other messages. This can be used, for instance, to + `text/plain`, `text/csv`, and `text/html`. + [(Registration at IANA)](https://www.iana.org/assignments/media-types/media-types.xhtml#text) +- `video` + - : Video data or files, such as MP4 movies (`video/mp4`). + [(Registration at IANA)](https://www.iana.org/assignments/media-types/media-types.xhtml#video) + +For text documents without a specific subtype, `text/plain` should be used. +Similarly, for binary documents without a specific or known subtype, +`application/octet-stream` should be used. + +#### Multipart types + +**Multipart** types indicate a category of document broken into +pieces, often with different MIME types; they can also be used — especially in email +scenarios — to represent multiple, separate files which are all part of the same +transaction. They represent a **composite document**. + +With the exception of `multipart/form-data`, used in +the {{HTTPMethod("POST")}} method of [HTML +Forms](/en-US/docs/Learn/Forms), and `multipart/byteranges`, used with {{HTTPStatus("206")}} +`Partial Content` to send part of a document, HTTP doesn't handle multipart +documents in a special way: the message is transmitted to the browser (which will likely +show a "Save As" window if it doesn't know how to display the document). + +There are two multipart types: + +- `message` + - : A message that encapsulates other messages. This can be used, for instance, to represent an email that includes a forwarded message as part of its data, or to allow sending very large messages in chunks as if it were multiple messages. Examples - include message/rfc822 (for forwarded or replied-to message quoting) and - message/partial to allow breaking a large message into smaller ones + include `message/rfc822` (for forwarded or replied-to message quoting) and + `message/partial` to allow breaking a large message into smaller ones automatically to be reassembled by the recipient. - (Registration at IANA) -
- -
- multipart -
-
- Data that is comprised of multiple components which may individually have different - MIME types. Examples include multipart/form-data (for data produced using - the {{domxref("FormData")}} API) and multipart/byteranges (defined in + [(Registration at IANA)](https://www.iana.org/assignments/media-types/media-types.xhtml#message) +- `multipart` + - : Data that is comprised of multiple components which may individually have different + MIME types. Examples include `multipart/form-data` (for data produced using + the {{domxref("FormData")}} API) and `multipart/byteranges` (defined in {{RFC(7233, "5.4.1")}} and used with {{Glossary("HTTP")}}'s {{HTTPStatus(206)}} "Partial Content" response returned when the fetched data is only part of the content, such as is delivered using the {{HTTPHeader("Range")}} header). - (Registration at IANA) -
-
- -

Important MIME types for Web developers -

- -

application/octet-stream

- -

This is the default for binary files. As it means unknown binary file, - browsers usually don't execute it, or even ask if it should be executed. They treat it - as if the {{HTTPHeader("Content-Disposition")}} header was set to - attachment, and propose a "Save As" dialog.

- -

text/plain

- -

This is the default for textual files. Even if it really means "unknown textual file," - browsers assume they can display it.

- -
-

Note: text/plain does not mean "any kind of textual data." If they - expect a specific kind of textual data, they will likely not consider it a match. - Specifically if they download a text/plain file from a - {{HTMLElement("link")}} element declaring a CSS file, they will not recognize it as a - valid CSS file if presented with text/plain. The CSS mime type - text/css must be used.

-
- -

text/css

- -

CSS files used to style a Web page must be sent with - text/css. If a server doesn't recognize the .css suffix for - CSS files, it may send them with text/plain or - application/octet-stream MIME types. If so, they won't be recognized as CSS - by most browsers and will be ignored.

- -

text/html

- -

All HTML content should be served with this type. Alternative MIME types for XHTML - (like application/xhtml+xml) are mostly useless nowadays.

- -
-

Note: Use application/xml or - application/xhtml+xml if you want XML's strict parsing rules, - <![CDATA[…]]> - sections, or elements that aren't from HTML/SVG/MathML namespaces.

-
- -

text/javascript

- -

Per the HTML specification, JavaScript files should always be served using the MIME - type text/javascript. No other values are considered valid, and using any - of those may result in scripts that do not load or run.

- -

For historical reasons, the MIME Sniffing - Standard (the definition of how browsers should interpret media types and figure - out what to do with content that doesn't have a valid one) allows JavaScript to be - served using any MIME type that essentially matches any of the following:

- -
    -
  • application/javascript
    • -
  • application/ecmascript
    • -
  • application/x-ecmascript {{Non-standard_Inline}}
    • -
  • application/x-javascript {{Non-standard_Inline}}
    • -
  • text/javascript
    • -
  • text/ecmascript
    • -
  • text/javascript1.0 {{Non-standard_Inline}}
    • -
  • text/javascript1.1 {{Non-standard_Inline}}
    • -
  • text/javascript1.2 {{Non-standard_Inline}}
    • -
  • text/javascript1.3 {{Non-standard_Inline}}
    • -
  • text/javascript1.4 {{Non-standard_Inline}}
    • -
  • text/javascript1.5 {{Non-standard_Inline}}
    • -
  • text/jscript {{Non-standard_Inline}}
    • -
  • text/livescript {{Non-standard_Inline}}
    • -
  • text/x-ecmascript {{Non-standard_Inline}}
    • -
  • text/x-javascript {{Non-standard_Inline}}
    • -
- -
-

Note: Even though any given {{Glossary("user agent")}} may support - any or all of these, you should only use text/javascript. It's the only - MIME type guaranteed to work now and into the future.

-
- -

Some content you find may have a charset parameter at the end of the - text/javascript media type, to specify the character set used to represent - the code's content. This is not valid, and in most cases will result in a script not - being loaded.

- -

Image types

- -

Files whose MIME type is image contain image data. The subtype specifies - which specific image file format the data represents. Only a few image types are used - commonly enough to be considered safe for use on web pages:

- -

{{page("en-US/docs/Web/Media/Formats/Image_types", "table-of-image-file-types")}}

- -

Audio and video types

- -

As is the case for images, HTML doesn't mandate that web browsers support any specific - file and codec types for the {{HTMLElement("audio")}} and {{HTMLElement("video")}} - elements, so it's important to consider your target audience and the range of browsers - (and versions of those browsers) they may be using when choosing the file type and - codecs to use for media.

- -

Our media container formats - guide provides a list of the file types that are commonly supported by web - browsers, including information about what their special use cases may be, any drawbacks - they have, and compatibility information, along with other details.

- -

The audio codec and video codec guides list the - various codecs that web browsers often support, providing compatibility details along - with technical information such as how many audio channels they support, what sort of - compression is used, and what bit rates and so forth they're useful at. The codecs used by WebRTC guide - expands upon this by specifically covering the codecs supported by the major web - browsers, so you can choose the codecs that best cover the range of browsers you wish to - support.

- -

As for MIME types of audio or video files, they typically specify the container format - (file type). The optional codecs parameter can be - added to the MIME type to further specify which codecs to use and what options were used - to encode the media, such as codec profile, level, or other such information.

- -

The most commonly used MIME types used for web content are listed below. This isn't a - complete list of all the types that may be available, however. See the media container formats guide for - that.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MIME typeAudio or video type
audio/wave
- audio/wav
- audio/x-wav
- audio/x-pn-wav - 		An audio file in the WAVE container format. The PCM audio codec (WAVE codec "1") - is often supported, but other codecs have limited support (if any).
audio/webmAn audio file in the WebM container format. Vorbis and Opus are the codecs - officially supported by the WebM specification.
video/webmA video file, possibly with audio, in the WebM container format. VP8 and VP9 are - the most common video codecs; Vorbis and Opus the most common audio codecs.
audio/oggAn audio file in the Ogg container format. Vorbis is the most common audio codec - used in such a container; however, Opus is now supported by Ogg as well.
video/oggA video file, possibly with audio, in the Ogg container format. Theora is the - usual video codec used within it; Vorbis is the usual audio codec, although Opus - is becoming more common.
application/oggAn audio or video file using the Ogg container format. Theora is the usual video - codec used within it; Vorbis is the usual audio codec.
- -

multipart/form-data

- -

The multipart/form-data type can be used when sending the values of a - completed HTML Form from browser to - server.

- -

As a multipart document format, it consists of different parts, delimited by a boundary - (a string starting with a double dash --). Each part is its own entity with - its own HTTP headers, {{HTTPHeader("Content-Disposition")}}, and - {{HTTPHeader("Content-Type")}} for file uploading fields.

- -
Content-Type: multipart/form-data; boundary=aBoundaryString
+    [(Registration at IANA)](https://www.iana.org/assignments/media-types/media-types.xhtml#multipart)
+
+## Important MIME types for Web developers
+
+### application/octet-stream
+
+This is the default for binary files. As it means _unknown binary_ file,
+browsers usually don't execute it, or even ask if it should be executed. They treat it
+as if the {{HTTPHeader("Content-Disposition")}} header was set to
+`attachment`, and propose a "Save As" dialog.
+
+### text/plain
+
+This is the default for textual files. Even if it really means "unknown textual file,"
+browsers assume they can display it.
+
+> **Note:** `text/plain` does not mean "any kind of textual data." If they
+> expect a specific kind of textual data, they will likely not consider it a match.
+> Specifically if they download a `text/plain` file from a
+> {{HTMLElement("link")}} element declaring a CSS file, they will not recognize it as a
+> valid CSS file if presented with `text/plain`. The CSS mime type
+> `text/css` must be used.
+
+### text/css
+
+CSS files used to style a Web page **must** be sent with
+`text/css`. If a server doesn't recognize the `.css` suffix for
+CSS files, it may send them with `text/plain` or
+`application/octet-stream` MIME types. If so, they won't be recognized as CSS
+by most browsers and will be ignored.
+
+### text/html
+
+All HTML content should be served with this type. Alternative MIME types for XHTML
+(like `application/xhtml+xml`) are mostly useless nowadays.
+
+> **Note:** Use `application/xml` or
+> `application/xhtml+xml` if you want XML's strict parsing rules,
+> [``](/en-US/docs/Web/API/CDATASection)
+> sections, or elements that aren't from HTML/SVG/MathML namespaces.
+
+### text/javascript
+
+Per the HTML specification, JavaScript files should always be served using the MIME
+type `text/javascript`. No other values are considered valid, and using any
+of those may result in scripts that do not load or run.
+
+For historical reasons, the [MIME Sniffing
+Standard](https://mimesniff.spec.whatwg.org/) (the definition of how browsers should interpret media types and figure
+out what to do with content that doesn't have a valid one) allows JavaScript to be
+served using any MIME type that essentially matches any of the following:
+
+- `application/javascript`
+- `application/ecmascript`
+- `application/x-ecmascript` {{Non-standard_Inline}}
+- `application/x-javascript` {{Non-standard_Inline}}
+- `text/javascript`
+- `text/ecmascript`
+- `text/javascript1.0` {{Non-standard_Inline}}
+- `text/javascript1.1` {{Non-standard_Inline}}
+- `text/javascript1.2` {{Non-standard_Inline}}
+- `text/javascript1.3` {{Non-standard_Inline}}
+- `text/javascript1.4` {{Non-standard_Inline}}
+- `text/javascript1.5` {{Non-standard_Inline}}
+- `text/jscript` {{Non-standard_Inline}}
+- `text/livescript` {{Non-standard_Inline}}
+- `text/x-ecmascript` {{Non-standard_Inline}}
+- `text/x-javascript` {{Non-standard_Inline}}
+
+> **Note:** Even though any given {{Glossary("user agent")}} may support
+> any or all of these, you should only use `text/javascript`. It's the only
+> MIME type guaranteed to work now and into the future.
+
+Some content you find may have a `charset` parameter at the end of the
+`text/javascript` media type, to specify the character set used to represent
+the code's content. This is not valid, and in most cases will result in a script not
+being loaded.
+
+### Image types
+
+Files whose MIME type is `image` contain image data. The subtype specifies
+which specific image file format the data represents. Only a few image types are used
+commonly enough to be considered safe for use on web pages:
+
+{{page("en-US/docs/Web/Media/Formats/Image_types", "table-of-image-file-types")}}
+
+### Audio and video types
+
+As is the case for images, HTML doesn't mandate that web browsers support any specific
+file and codec types for the {{HTMLElement("audio")}} and {{HTMLElement("video")}}
+elements, so it's important to consider your target audience and the range of browsers
+(and versions of those browsers) they may be using when choosing the file type and
+codecs to use for media.
+
+Our [media container formats
+guide](/en-US/docs/Web/Media/Formats/Containers) provides a list of the file types that are commonly supported by web
+browsers, including information about what their special use cases may be, any drawbacks
+they have, and compatibility information, along with other details.
+
+The [audio codec](/en-US/docs/Web/Media/Formats/Audio_codecs) and [video codec](/en-US/docs/Web/Media/Formats/Video_codecs) guides list the
+various codecs that web browsers often support, providing compatibility details along
+with technical information such as how many audio channels they support, what sort of
+compression is used, and what bit rates and so forth they're useful at. The [codecs used by WebRTC](/en-US/docs/Web/Media/Formats/WebRTC_codecs) guide
+expands upon this by specifically covering the codecs supported by the major web
+browsers, so you can choose the codecs that best cover the range of browsers you wish to
+support.
+
+As for MIME types of audio or video files, they typically specify the container format
+(file type). The optional [codecs parameter](/en-US/docs/Web/Media/Formats/codecs_parameter) can be
+added to the MIME type to further specify which codecs to use and what options were used
+to encode the media, such as codec profile, level, or other such information.
+
+The most commonly used MIME types used for web content are listed below. This isn't a
+complete list of all the types that may be available, however. See the [media container formats](/en-US/docs/Web/Media/Formats/Containers) guide for
+that.
+
+| MIME type                                               | Audio or video type                                                                                                                                                                     |
+| ------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `audio/wave` `audio/wav` `audio/x-wav` `audio/x-pn-wav` | An audio file in the WAVE container format. The PCM audio codec (WAVE codec "1") is often supported, but other codecs have limited support (if any).                                    |
+| `audio/webm`                                            | An audio file in the WebM container format. Vorbis and Opus are the codecs officially supported by the WebM specification.                                                              |
+| `video/webm`                                            | A video file, possibly with audio, in the WebM container format. VP8 and VP9 are the most common video codecs; Vorbis and Opus the most common audio codecs.                            |
+| `audio/ogg`                                             | An audio file in the Ogg container format. Vorbis is the most common audio codec used in such a container; however, Opus is now supported by Ogg as well.                               |
+| `video/ogg`                                             | A video file, possibly with audio, in the Ogg container format. Theora is the usual video codec used within it; Vorbis is the usual audio codec, although Opus is becoming more common. |
+| `application/ogg`                                       | An audio or video file using the Ogg container format. Theora is the usual video codec used within it; Vorbis is the usual audio codec.                                                 |
+
+### multipart/form-data
+
+The `multipart/form-data` type can be used when sending the values of a
+completed [HTML Form](/en-US/docs/Learn/Forms) from browser to
+server.
+
+As a multipart document format, it consists of different parts, delimited by a boundary
+(a string starting with a double dash `--`). Each part is its own entity with
+its own HTTP headers, {{HTTPHeader("Content-Disposition")}}, and
+{{HTTPHeader("Content-Type")}} for file uploading fields.
+
+```html
+Content-Type: multipart/form-data; boundary=aBoundaryString
 (other headers associated with the multipart document as a whole)
 
 --aBoundaryString
@@ -419,148 +315,131 @@ Content-Disposition: form-data; name="myField"
 --aBoundaryString
 (more subparts)
 --aBoundaryString--
-
-
- -

The following <form>:

- -
<form action="http://localhost:8000/" method="post" enctype="multipart/form-data">
-  <label>Name: <input name="myTextField" value="Test"></label>
-  <label><input type="checkbox" name="myCheckBox"> Check</label>
-  <label>Upload file: <input type="file" name="myFile" value="test.txt"></label>
-  <button>Send the file</button>
-</form>
- -

will send this message:

- -
POST / HTTP/1.1
-Host: localhost:8000
-User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-Accept-Language: en-US,en;q=0.5
-Accept-Encoding: gzip, deflate
-Connection: keep-alive
-Upgrade-Insecure-Requests: 1
-Content-Type: multipart/form-data; boundary=---------------------------8721656041911415653955004498
-Content-Length: 465
-
------------------------------8721656041911415653955004498
-Content-Disposition: form-data; name="myTextField"
-
-Test
------------------------------8721656041911415653955004498
-Content-Disposition: form-data; name="myCheckBox"
-
-on
------------------------------8721656041911415653955004498
-Content-Disposition: form-data; name="myFile"; filename="test.txt"
-Content-Type: text/plain
-
-Simple file.
------------------------------8721656041911415653955004498--
-
-
- -

multipart/byteranges

- -

The multipart/byteranges MIME type is used to send partial responses to - the browser.

- -

When the {{HTTPStatus("206")}} Partial Content status code is sent, this - MIME type indicates that the document is composed of several parts, one for each of the - requested ranges. Like other multipart types, the {{HTTPHeader("Content-Type")}} uses a - boundary to separate the pieces. Each piece has a - {{HTTPHeader("Content-Type")}} header with its actual type and a - {{HTTPHeader("Content-Range")}} of the range it represents.

- -
HTTP/1.1 206 Partial Content
-Accept-Ranges: bytes
-Content-Type: multipart/byteranges; boundary=3d6b6a416f9b5
-Content-Length: 385
-
---3d6b6a416f9b5
-Content-Type: text/html
-Content-Range: bytes 100-200/1270
-
-eta http-equiv="Content-type" content="text/html; charset=utf-8" />
-    <meta name="vieport" content
---3d6b6a416f9b5
-Content-Type: text/html
-Content-Range: bytes 300-400/1270
-
--color: #f0f0f2;
-        margin: 0;
-        padding: 0;
-        font-family: "Open Sans", "Helvetica
---3d6b6a416f9b5--
- -

Importance of setting the correct - MIME type

- -

Most web servers send unrecognized resources as the - application/octet-stream MIME type. For security reasons, most browsers do - not allow setting a custom default action for such resources, forcing the user to save - it to disk to use it.

- -

Some common incorrect server configurations:

- -
    -
  • -

    RAR-compressed files. In this case, the ideal would be the true type of the - original files; this is often impossible as .RAR files can hold several resources of - different types. In this case, configure the server to send - application/x-rar-compressed.

    -
    • -
  • -

    Audio and video. Only resources with the correct MIME Type will be played in - {{HTMLElement("video")}} or {{HTMLElement("audio")}} elements. Be sure to specify - the correct media type for audio and - video.

    -
    • -
  • -

    Proprietary file types. Avoid using application/octet-stream as most - browsers do not allow defining a default behavior (like "Open in Word") for this - generic MIME type. A specific type like application/vnd.mspowerpoint - lets users open such files automatically in the presentation software of their - choice.

    -
    • -
- -

MIME sniffing

- -

In the absence of a MIME type, or in certain cases where browsers believe they are - incorrect, browsers may perform MIME sniffing — guessing the correct MIME type - by looking at the bytes of the resource.

- -

Each browser performs MIME sniffing differently and under different circumstances. (For - example, Safari will look at the file extension in the URL if the sent MIME type is - unsuitable.) There are security concerns as some MIME types represent executable - content. Servers can prevent MIME sniffing by sending the - {{HTTPHeader("X-Content-Type-Options")}} header.

- -

Other methods of conveying document type -

- -

MIME types are not the only way to convey document type information:

- -
    -
  • Filename suffixes are sometimes used, especially on Microsoft Windows. Not all - operating systems consider these suffixes meaningful (such as Linux and MacOS), and - there is no guarantee they are correct.
    • -
  • Magic numbers. The syntax of different formats allows file-type inference by looking - at their byte structure. For example, GIF files start with the - 47 49 46 38 39 hexadecimal value (GIF89), and PNG files with - 89 50 4E 47 (.PNG). Not all file types have magic numbers, - so this is not 100% reliable either.
    • -
- -

See also

- - +``` + +The following `
`: + +```html + + + + + +
+``` + +will send this message: + + POST / HTTP/1.1 + Host: localhost:8000 + User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0 + Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + Accept-Language: en-US,en;q=0.5 + Accept-Encoding: gzip, deflate + Connection: keep-alive + Upgrade-Insecure-Requests: 1 + Content-Type: multipart/form-data; boundary=---------------------------8721656041911415653955004498 + Content-Length: 465 + + -----------------------------8721656041911415653955004498 + Content-Disposition: form-data; name="myTextField" + + Test + -----------------------------8721656041911415653955004498 + Content-Disposition: form-data; name="myCheckBox" + + on + -----------------------------8721656041911415653955004498 + Content-Disposition: form-data; name="myFile"; filename="test.txt" + Content-Type: text/plain + + Simple file. + -----------------------------8721656041911415653955004498-- + +### multipart/byteranges + +The `multipart/byteranges` MIME type is used to send partial responses to +the browser. + +When the {{HTTPStatus("206")}}` Partial Content` status code is sent, this +MIME type indicates that the document is composed of several parts, one for each of the +requested ranges. Like other multipart types, the {{HTTPHeader("Content-Type")}} uses a +`boundary` to separate the pieces. Each piece has a +{{HTTPHeader("Content-Type")}} header with its actual type and a +{{HTTPHeader("Content-Range")}} of the range it represents. + + HTTP/1.1 206 Partial Content + Accept-Ranges: bytes + Content-Type: multipart/byteranges; boundary=3d6b6a416f9b5 + Content-Length: 385 + + --3d6b6a416f9b5 + Content-Type: text/html + Content-Range: bytes 100-200/1270 + + eta http-equiv="Content-type" content="text/html; charset=utf-8" /> + {{HTTPSidebar}}{{non-standard_header}}

+{{HTTPSidebar}}{{non-standard_header}} -

Resource URLs, URLs prefixed with the resource: scheme, are used by - Firefox and Firefox browser extensions to load resources internally, but some of the - information is available to sites the browser connects to as well.

+Resource URLs, URLs prefixed with the `resource:` scheme, are used by +Firefox and Firefox browser extensions to load resources internally, but some of the +information is available to sites the browser connects to as well. -

Syntax

+## Syntax -

Resource URLs are composed of two parts: a prefix (resource:), and a URL - pointing to the resource you want to load:

+Resource URLs are composed of two parts: a prefix (`resource:`), and a URL +pointing to the resource you want to load: -
resource://<url>
+```html +resource:// +``` -

An example:

+An example: -
resource://gre/res/svg.css
+ resource://gre/res/svg.css -

When arrows are found in the resource URL's ('->'), it means that the first file - loaded the next one:

+When arrows are found in the resource URL's ('->'), it means that the first file +loaded the next one: -
resource://<File-loader> -> <File-loaded>
+ resource:// -> -

Please refer to Identifying - resources on the web for more general details.

+Please refer to [Identifying +resources on the web](/en-US/docs/Web/HTTP/Basics_of_HTTP/Identifying_resources_on_the_Web) for more general details. -

In this article, we focus on resource URIs, which are used internally by Firefox to - point to built-in resources.

+In this article, we focus on resource URIs, which are used internally by Firefox to +point to built-in resources. -

Threats

+## Threats -

Because some of the information shared by resource: URLs is available to - websites, a web page could run internal scripts and inspect internal resources of - Firefox, including the default preferences, which could be a serious security and - privacy issue.

+Because some of the information shared by `resource:` URLs is available to +websites, a web page could run internal scripts and inspect internal resources of +Firefox, including the default preferences, which could be a serious security and +privacy issue. -

For example, a script on - Browserleaks highlights what Firefox reveals when queried by a simple script - running on the site (you can find the code in https://browserleaks.com/firefox#more). -

+For example, [a script on +Browserleaks](https://www.browserleaks.com/firefox) highlights what Firefox reveals when queried by a simple script +running on the site (you can find the code in ). -

The file firefox.js passes preference names and values to the pref() function. For - example:

+The file firefox.js passes preference names and values to the pref() function. For +example: -
http://searchfox.org/mozilla-central/rev/48ea452803907f2575d81021e8678634e8067fc2/browser/app/profile/firefox.js#575
+ http://searchfox.org/mozilla-central/rev/48ea452803907f2575d81021e8678634e8067fc2/browser/app/profile/firefox.js#575 -

Web sites can easily collect Firefox default preferences by overriding this - pref() function and using the script - resource:///defaults/preferences/firefox.js.

+Web sites can easily collect Firefox default preferences by overriding this +`pref()` function and using the script +`resource:///defaults/preferences/firefox.js`. -

Furthermore, some default values of preferences differ between build configurations, - such as platform and locale, which means web sites could identify individual users using - this information.

+Furthermore, some default values of preferences differ between build configurations, +such as platform and locale, which means web sites could identify individual users using +this information. -

Solution

+## Solution -

In order to fix this problem, Mozilla changed the behavior of loading resource: URIs in - {{bug(863246)}}, which landed in Firefox 57 (Quantum).

+In order to fix this problem, Mozilla changed the behavior of loading resource: URIs in +{{bug(863246)}}, which landed in [Firefox 57 (Quantum)](/en-US/docs/Mozilla/Firefox/Releases/57). -

In the past, web content was able to access whatever resource: URIs were - desired — not only Firefox’s internal resources, but also extensions’ assets.  Now this - behavior is prohibited by default.

+In the past, web content was able to access whatever `resource:` URIs were +desired — not only Firefox’s internal resources, but also extensions’ assets.  Now this +behavior is prohibited by default. -

It is however still necessary for Firefox to load resources in web content under - certain circumstances.  For example, if you open the view source page (View Page Source - or View Selection Source), you will find it requires viewsource.css through - a resource: URI.  Resources that have to be exposed to web content have - been moved to a new location named resource://content-accessible/, which is - isolated and only contains non-sensitive resources.  In this way we can keep essential - resources exposed and have most threats eliminated.

+It is however still necessary for Firefox to load resources in web content under +certain circumstances.  For example, if you open the view source page (View Page Source +or View Selection Source), you will find it requires `viewsource.css` through +a `resource:` URI.  Resources that have to be exposed to web content have +been moved to a new location named `resource://content-accessible/`, which is +isolated and only contains non-sensitive resources.  In this way we can keep essential +resources exposed and have most threats eliminated. -
-

Note: It is recommended that web and extension developers don't try - to use resource URLs anymore. Their usage was hacky at best, and most usage won't work - any more.

-
+> **Note:** It is recommended that web and extension developers don't try +> to use resource URLs anymore. Their usage was hacky at best, and most usage won't work +> any more. -

Specifications

+## Specifications -

resource: is not defined in any specification.

+resource: is not defined in any specification. -

Browser compatibility

+## Browser compatibility -

resource: is Firefox only.

+resource: is Firefox only. -

See also

+## See also - +- [Identifying + resources on the Web](/en-US/docs/Web/HTTP/Basics_of_HTTP/Identifying_resources_on_the_Web) +- [What is a URL?](/en-US/docs/Learn/Common_questions/What_is_a_URL) +- [IANA list + of URI schemes](https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml) (`resource:` is [covered here](https://www.iana.org/assignments/uri-schemes/prov/resource)) diff --git a/files/en-us/web/http/browser_detection_using_the_user_agent/index.md b/files/en-us/web/http/browser_detection_using_the_user_agent/index.md index 9854d8bcbbf42e3..3448408ecc12d59 100644 --- a/files/en-us/web/http/browser_detection_using_the_user_agent/index.md +++ b/files/en-us/web/http/browser_detection_using_the_user_agent/index.md @@ -6,132 +6,137 @@ tags: - HTTP - Web Development --- -
{{HTTPSidebar}}
- -

Serving different Web pages or services to different browsers is usually a bad idea. The Web is meant to be accessible to everyone, regardless of which browser or device they're using. There are ways to develop your website to progressively enhance itself based on the availability of features rather than by targeting specific browsers.

- -

But browsers and standards are not perfect, and there are still some edge cases where detecting the browser is needed. Using the user agent to detect the browser looks simple, but doing it well is, in fact, a very hard problem. This document will guide you in doing this as correctly as possible.

- -
-

Note: It's worth re-iterating: it's very rarely a good idea to use user agent sniffing. You can almost always find a better, more broadly compatible way to solve your problem!

-
- -

Considerations before using browser detection

- -

When considering using the user agent string to detect which browser is being used, your first step is to try to avoid it if possible. Start by trying to identify why you want to do it.

- -
-
Are you trying to work around a specific bug in some version of a browser?
-
Look, or ask, in specialized forums: you're unlikely to be the first to hit this problem. Also, experts, or people with another point of view, can give you ideas for working around the bug. If the problem seems uncommon, it's worth checking if this bug has been reported to the browser vendor via their bug tracking system (Mozilla; WebKit; Blink; Opera). Browser makers do pay attention to bug reports, and the analysis may hint about other workarounds for the bug.
-
Are you trying to check for the existence of a specific feature?
-
Your site needs to use a specific Web feature that some browsers don't yet support, and you want to send those users to an older Web site with fewer features but that you know will work. This is the worst reason to use user agent detection because odds are eventually all the other browsers will catch up. In addition, it is not practical to test every one of the less popular browsers and test for those Web features. You should never do user agent sniffing. There is always the alternative of doing feature detection instead.
-
Do you want to provide different HTML depending on which browser is being used?
-
This is usually a bad practice, but there are some cases in which this is necessary. In these cases, you should first analyze your situation to be sure it's really necessary. Can you prevent it by adding some non-semantic {{ HTMLElement("div") }} or {{ HTMLElement("span") }} elements? The difficulty of successfully using user agent detection is worth a few disruptions to the purity of your HTML. Also, rethink your design: can you use progressive enhancement or fluid layouts to help remove the need to do this?
-
- -

Avoiding user agent detection

- -

If you want to avoid using user agent detection, you have options!

- -
-
Feature detection
-
Feature detection is where you don't try to figure out which browser is rendering your page, but instead, you check to see if the specific feature you need is available. If it's not, you use a fallback. In those rare cases where behavior differs between browsers, instead of checking the user agent string, you should instead implement a test to detect how the browser implements the API and determine how to use it from that. An example of feature detection is as follows. In 2017, Chrome unflagged experimental lookbehind support in regular expressions, but no other browser supported it. So, you might have thought to do this: - 
// this code snippet splits a string in a special notation
-
-if (navigator.userAgent.indexOf("Chrome") !== -1){
-    // YES! The user is suspected to support look-behind regexps
-    // DO NOT USE /(?<=[A-Z])/. It will cause a syntax error in
-    //  browsers that do not support look-behind expressions
-    //  because all browsers parse the entire script, including
-    //  sections of the code that are never executed.
-    var camelCaseExpression = new RegExp("(?<=[A-Z])");
-    var splitUpString = function(str) {
-        return (""+str).split(camelCaseExpression);
-    };
-} else {
-    /*This fallback code is much less performant, but works*/
-    var splitUpString = function(str){
-        return str.replace(/[A-Z]/g,"z$1").split(/z(?=[A-Z])/g);
-    };
-}
-console.log(splitUpString("fooBare")); // ["fooB", "are"]
-console.log(splitUpString("jQWhy")); // ["jQ", "W", "hy"]
- -

+{{HTTPSidebar}} + +Serving different Web pages or services to different browsers is usually a bad idea. The Web is meant to be accessible to everyone, regardless of which browser or device they're using. There are ways to develop your website to progressively enhance itself based on the availability of features rather than by targeting specific browsers. + +But browsers and standards are not perfect, and there are still some edge cases where detecting the browser is needed. Using the user agent to detect the browser looks simple, but doing it well is, in fact, a very hard problem. This document will guide you in doing this as correctly as possible. + +> **Note:** It's worth re-iterating: it's very rarely a good idea to use user agent sniffing. You can almost always find a better, more broadly compatible way to solve your problem! + +## Considerations before using browser detection + +When considering using the user agent string to detect which browser is being used, your first step is to try to avoid it if possible. Start by trying to identify **why** you want to do it. + +- Are you trying to work around a specific bug in some version of a browser? + - : Look, or ask, in specialized forums: you're unlikely to be the first to hit this problem. Also, experts, or people with another point of view, can give you ideas for working around the bug. If the problem seems uncommon, it's worth checking if this bug has been reported to the browser vendor via their bug tracking system ([Mozilla](https://bugzilla.mozilla.org); [WebKit](https://bugs.webkit.org); [Blink](https://www.chromium.org/issue-tracking); [Opera](https://bugs.opera.com/)). Browser makers do pay attention to bug reports, and the analysis may hint about other workarounds for the bug. +- Are you trying to check for the existence of a specific feature? + - : Your site needs to use a specific Web feature that some browsers don't yet support, and you want to send those users to an older Web site with fewer features but that you know will work. This is the worst reason to use user agent detection because odds are eventually all the other browsers will catch up. In addition, it is not practical to test every one of the less popular browsers and test for those Web features. You should **never** do user agent sniffing. There is **always** the alternative of doing feature detection instead. +- Do you want to provide different HTML depending on which browser is being used? + - : This is usually a bad practice, but there are some cases in which this is necessary. In these cases, you should first analyze your situation to be sure it's really necessary. Can you prevent it by adding some non-semantic {{ HTMLElement("div") }} or {{ HTMLElement("span") }} elements? The difficulty of successfully using user agent detection is worth a few disruptions to the purity of your HTML. Also, rethink your design: can you use progressive enhancement or fluid layouts to help remove the need to do this? + +## Avoiding user agent detection + +If you want to avoid using user agent detection, you have options! + +- Feature detection + + - : Feature detection is where you don't try to figure out which browser is rendering your page, but instead, you check to see if the specific feature you need is available. If it's not, you use a fallback. In those rare cases where behavior differs between browsers, instead of checking the user agent string, you should instead implement a test to detect how the browser implements the API and determine how to use it from that. An example of feature detection is as follows. In 2017, Chrome [unflagged experimental lookbehind support in regular expressions](https://www.chromestatus.com/feature/5668726032564224), but no other browser supported it. So, you might have thought to do this: + + ```js + // this code snippet splits a string in a special notation + + if (navigator.userAgent.indexOf("Chrome") !== -1){ + // YES! The user is suspected to support look-behind regexps + // DO NOT USE /(?<=[A-Z])/. It will cause a syntax error in + // browsers that do not support look-behind expressions + // because all browsers parse the entire script, including + // sections of the code that are never executed. + var camelCaseExpression = new RegExp("(?<=[A-Z])"); + var splitUpString = function(str) { + return (""+str).split(camelCaseExpression); + }; + } else { + /*This fallback code is much less performant, but works*/ + var splitUpString = function(str){ + return str.replace(/[A-Z]/g,"z$1").split(/z(?=[A-Z])/g); + }; + } + console.log(splitUpString("fooBare")); // ["fooB", "are"] + console.log(splitUpString("jQWhy")); // ["jQ", "W", "hy"] + ``` + The above code would have made several incorrect assumptions: First, it assumed that all user agent strings that include the substring "Chrome" are Chrome. UA strings are notoriously misleading. Then, it assumed that the lookbehind feature would always be available if the browser was Chrome. The agent might be an older version of Chrome, from before support was added, or (because the feature was experimental at the time) it could be a later version of Chrome that removed it. Most importantly, it assumed no other browsers would support the feature. Support could have been added to other browsers at any time, but this code would have continued choosing the inferior path. -

- -

Problems like these can be avoided by testing for support of the feature itself instead:

- - 
var isLookBehindSupported = false;
-
-try {
-    new RegExp("(?<=)");
-    isLookBehindSupported = true;
-} catch (err) {
-    // If the agent doesn't support lookbehinds, the attempted
-    // creation of a RegExp object using that syntax throws and
-    // isLookBehindSupported remains false.
-}
-
-var splitUpString = isLookBehindSupported ? function(str) {
-    return (""+str).split(new RegExp("(?<=[A-Z])"));
-} : function(str) {
-    return str.replace(/[A-Z]/g,"z$1").split(/z(?=[A-Z])/g);
-};
-
- -

As the above code demonstrates, there is always a way to test browser support without user agent sniffing. There is never any reason to check the user agent string for this.

- -

Lastly, the above code snippets bring about a critical issue with cross-browser coding that must always be taken into account. Don't unintentionally use the API you are testing for in unsupported browsers. This may sound obvious and simple, but sometimes it is not. For example, in the above code snippets, using lookbehind in short-regexp notation (e.g. /reg/igm) will cause a parser error in unsupported browsers. Thus, in the above example, you would use new RegExp("(?<=look_behind_stuff)"); instead of /(?<=look_behind_stuff)/, even in the lookbehind supported section of your code.

-
-
Progressive enhancement
-
This design technique involves developing your Web site in 'layers', using a bottom-up approach, starting with a simpler layer and improving the capabilities of the site in successive layers, each using more features.
-
Graceful degradation
-
This is a top-down approach in which you build the best possible site using all the features you want, then tweak it to make it work on older browsers. This can be harder to do, and less effective, than progressive enhancement, but may be useful in some cases.
-
Mobile device detection
-
Arguably the most common use and misuse of user agent sniffing is to detect if the device is a mobile device. However, people too often overlook what they are really after. People use user agent sniffing to detect if the users' device is touch-friendly and has a small screen so they can optimize their website accordingly. While user agent sniffing can sometimes detect these, not all devices are the same: some mobile devices have big screen sizes, some desktops have a small touchscreen, some people use smart TV's which are an entirely different ballgame altogether, and some people can dynamically change the width and height of their screen by flipping their tablet on its side! So, user agent sniffing is definitely not the way to go. Thankfully, there are much better alternatives. Use Navigator.maxTouchPoints to detect if the user's device has a touchscreen. Then, default back to checking the user agent screen only if (!("maxTouchPoints" in navigator)) { /*Code here*/}. Using this information of whether the device has a touchscreen, do not change the entire layout of the website just for touch devices: you will only create more work and maintenance for yourself. Rather, add in touch conveniences such as bigger, more easily clickable buttons (you can do this using CSS by increasing the font size). Here is an example of code that increases the padding of #exampleButton to 1em on mobile devices. - 
var hasTouchScreen = false;
-if ("maxTouchPoints" in navigator) {
-    hasTouchScreen = navigator.maxTouchPoints > 0;
-} else if ("msMaxTouchPoints" in navigator) {
-    hasTouchScreen = navigator.msMaxTouchPoints > 0;
-} else {
-    var mQ = window.matchMedia && matchMedia("(pointer:coarse)");
-    if (mQ && mQ.media === "(pointer:coarse)") {
-        hasTouchScreen = !!mQ.matches;
-    } else if ('orientation' in window) {
-        hasTouchScreen = true; // deprecated, but good fallback
-    } else {
-        // Only as a last resort, fall back to user agent sniffing
-        var UA = navigator.userAgent;
-        hasTouchScreen = (
-            /\b(BlackBerry|webOS|iPhone|IEMobile)\b/i.test(UA) ||
-            /\b(Android|Windows Phone|iPad|iPod)\b/i.test(UA)
-        );
-    }
-}
-if (hasTouchScreen)
-    document.getElementById("exampleButton").style.padding="1em";
-

As for the screen size, use window.innerWidth and window.addEventListener("resize", function(){ /*refresh screen size dependent things*/ }). What you want to do for screen size is not slash off information on smaller screens. That will only annoy people because it will force them to use the desktop version. Rather, try to have fewer columns of information in a longer page on smaller screens while having more columns with a shorter page on larger screen sizes. This effect can be easily achieved using CSS flexboxes, sometimes with floats as a partial fallback.

-

Also try to move less relevant/important information down to the bottom and group the page's content together meaningfully. Although it is off-topic, perhaps the following detailed example might give you insights and ideas that persuade you to forgo user agent sniffing. Let us imagine a page composed of boxes of information; each box is about a different feline breed or canine breed. Each box has an image, an overview, and a historical funfact. The pictures are kept to a maximum reasonable size even on large screens. For the purposes of grouping the content meaningfully, all the cat boxes are separated from all the dog boxes such that the cat and dog boxes are not intermixed together. On a large screen, it saves space to have multiple columns to reduce the space wasted to the left and to the right of the pictures. The boxes can be separated into multiple columns via two equally fair method. From this point on, we shall assume that all the dog boxes are at the top of the source code, that all the cat boxes are at the bottom of the source code, and that all these boxes have the same parent element. There a single instance of a dog box immediately above a cat box, of course. The first method uses horizontal Flexboxes to group the content such that when the page is displayed to the end user, all the dogs boxes are at the top of the page and all the cat boxes are lower on the page. The second method uses a Column layout and resents all the dogs to the left and all the cats to the right. Only in this particular scenario, it is appropriate to provide no fallback for the flexboxes/multicolumns, resulting in a single column of very wide boxes on old browsers. Also consider the following. If more people visit the webpage to see the cats, then it might be a good idea to put all the cats higher in the source code than the dogs so that more people can find what they are looking for faster on smaller screens where the content collapses down to one column.

-

Next, always make your code dynamic. The user can flip their mobile device on its side, changing the width and height of the page. Or, there might be some weird flip-phone-like device thing in the future where flipping it out extends the screen. Do not be the developer having a headache over how to deal with the flip-phone-like device thing. Never be satisfied with your webpage until you can open up the dev tools side panel and resize the screen while the webpage looks smooth, fluid, and dynamically resized. The simplest way to do this is to separate all the code that moves content around based on screen size to a single function that is called when the page is loaded and at each resize event thereafter. If there is a lot calculated by this layout function before it determines the new layout of the page, then consider debouncing the event listener such that it is not called as often. Also note that there is a huge difference between the media queries (max-width: 25em), not all and (min-width: 25em), and (max-width: 24.99em): (max-width: 25em) excludes (max-width: 25em), whereas not all and (min-width: 25em) includes (max-width: 25em). (max-width: 24.99em) is a poor man's version of not all and (min-width: 25em): do not use (max-width: 24.99em) because the layout might break on very high font sizes on very high definition devices in the future. Always be very deliberate about choosing the right media query and choosing the right >=, <=, >, or < in any corresponding JavaScript because it is very easy to get these mixed up, resulting in the website looking wonking right at the screen size where the layout changes. Thus, thoroughly test the website at the exact widths/heights where layout changes occur to ensure that the layout changes occur properly.

-
-
- -

Making the best of user agent sniffing

- -

After reviewing all of the above better alternatives to user agent sniffing, there are still some potential cases where user agent sniffing is appropriate and justified.

- -

One such case is using user agent sniffing as a fallback when detecting if the device has a touch screen. See the Mobile Device Detection section for more information.

- -

Another such case is for fixing bugs in browsers that do not automatically update. Internet Explorer (on Windows) and Webkit (on iOS) are two perfect examples. Prior to version 9, Internet Explorer had issues with rendering bugs, CSS bugs, API bugs, and so forth. However, prior to version 9, Internet Explorer was was very easy to detect based upon the browser-specific features available. Webkit is a bit worse because Apple forces all of the browsers on IOS to use Webkit internally, thus the user has no way to get a better more updated browser on older devices. Most bugs can be detected, but some bugs take more effort to detect than others. In such cases, it might be beneficial to use user agent sniffing to save on performance. For example, Webkit 6 has a bug whereby when the device orientation changes, the browser might not fire MediaQueryList listeners when it should. To overcome this bug, observe the code below.

- -
var UA=navigator.userAgent, isWebkit=/\b(iPad|iPhone|iPod)\b/.test(UA) &&
-               /WebKit/.test(UA) && !/Edge/.test(UA) && !window.MSStream;
+
+    Problems like these can be avoided by testing for support of the feature itself instead:
+
+    
+    ```js
+        var isLookBehindSupported = false;
+
+        try {
+            new RegExp("(?<=)");
+            isLookBehindSupported = true;
+        } catch (err) {
+            // If the agent doesn't support lookbehinds, the attempted
+            // creation of a RegExp object using that syntax throws and
+            // isLookBehindSupported remains false.
+        }
+
+        var splitUpString = isLookBehindSupported ? function(str) {
+            return (""+str).split(new RegExp("(?<=[A-Z])"));
+        } : function(str) {
+            return str.replace(/[A-Z]/g,"z$1").split(/z(?=[A-Z])/g);
+        };
+        ```
+
+    As the above code demonstrates, there is **always** a way to test browser support without user agent sniffing. There is **never** any reason to check the user agent string for this.
+
+    Lastly, the above code snippets bring about a critical issue with cross-browser coding that must always be taken into account. Don't unintentionally use the API you are testing for in unsupported browsers. This may sound obvious and simple, but sometimes it is not. For example, in the above code snippets, using lookbehind in short-regexp notation (e.g. /reg/igm) will cause a parser error in unsupported browsers. Thus, in the above example, you would use _new RegExp("(?<=look_behind_stuff)");_ instead of _/(?<=look_behind_stuff)/_, even in the lookbehind supported section of your code.
+
+- Progressive enhancement
+  - : This design technique involves developing your Web site in 'layers', using a bottom-up approach, starting with a simpler layer and improving the capabilities of the site in successive layers, each using more features.
+- Graceful degradation
+  - : This is a top-down approach in which you build the best possible site using all the features you want, then tweak it to make it work on older browsers. This can be harder to do, and less effective, than progressive enhancement, but may be useful in some cases.
+- Mobile device detection
+
+  - : Arguably the most common use and misuse of user agent sniffing is to detect if the device is a mobile device. However, people too often overlook what they are really after. People use user agent sniffing to detect if the users' device is touch-friendly and has a small screen so they can optimize their website accordingly. While user agent sniffing can sometimes detect these, not all devices are the same: some mobile devices have big screen sizes, some desktops have a small touchscreen, some people use smart TV's which are an entirely different ballgame altogether, and some people can dynamically change the width and height of their screen by flipping their tablet on its side! So, user agent sniffing is definitely not the way to go. Thankfully, there are much better alternatives. Use [Navigator.maxTouchPoints](/en-US/docs/Web/API/Navigator/maxTouchPoints) to detect if the user's device has a touchscreen. Then, default back to checking the user agent screen only _if (!("maxTouchPoints" in navigator)) { /\*Code here\*/}_. Using this information of whether the device has a touchscreen, do not change the entire layout of the website just for touch devices: you will only create more work and maintenance for yourself. Rather, add in touch conveniences such as bigger, more easily clickable buttons (you can do this using CSS by increasing the font size). Here is an example of code that increases the padding of #exampleButton to 1em on mobile devices.
+
+    ```js
+        var hasTouchScreen = false;
+        if ("maxTouchPoints" in navigator) {
+            hasTouchScreen = navigator.maxTouchPoints > 0;
+        } else if ("msMaxTouchPoints" in navigator) {
+            hasTouchScreen = navigator.msMaxTouchPoints > 0;
+        } else {
+            var mQ = window.matchMedia && matchMedia("(pointer:coarse)");
+            if (mQ && mQ.media === "(pointer:coarse)") {
+                hasTouchScreen = !!mQ.matches;
+            } else if ('orientation' in window) {
+                hasTouchScreen = true; // deprecated, but good fallback
+            } else {
+                // Only as a last resort, fall back to user agent sniffing
+                var UA = navigator.userAgent;
+                hasTouchScreen = (
+                    /\b(BlackBerry|webOS|iPhone|IEMobile)\b/i.test(UA) ||
+                    /\b(Android|Windows Phone|iPad|iPod)\b/i.test(UA)
+                );
+            }
+        }
+        if (hasTouchScreen)
+            document.getElementById("exampleButton").style.padding="1em";
+        ```
+
+    As for the screen size, use _window\.innerWidth_ and window\.addEventListener("resize", function(){ /\*refresh screen size dependent things\*/ }). What you want to do for screen size is not slash off information on smaller screens. That will only annoy people because it will force them to use the desktop version. Rather, try to have fewer columns of information in a longer page on smaller screens while having more columns with a shorter page on larger screen sizes. This effect can be easily achieved using CSS [flexboxes](/en-US/docs/Learn/CSS/CSS_layout/Flexbox), sometimes with [floats](/en-US/docs/Learn/CSS/CSS_layout/Floats) as a partial fallback.
+
+    Also try to move less relevant/important information down to the bottom and group the page's content together meaningfully. Although it is off-topic, perhaps the following detailed example might give you insights and ideas that persuade you to forgo user agent sniffing. Let us imagine a page composed of boxes of information; each box is about a different feline breed or canine breed. Each box has an image, an overview, and a historical funfact. The pictures are kept to a maximum reasonable size even on large screens. For the purposes of grouping the content meaningfully, all the cat boxes are separated from all the dog boxes such that the cat and dog boxes are not intermixed together. On a large screen, it saves space to have multiple columns to reduce the space wasted to the left and to the right of the pictures. The boxes can be separated into multiple columns via two equally fair method. From this point on, we shall assume that all the dog boxes are at the top of the source code, that all the cat boxes are at the bottom of the source code, and that all these boxes have the same parent element. There a single instance of a dog box immediately above a cat box, of course. The first method uses horizontal [Flexboxes](/en-US/docs/Learn/CSS/CSS_layout/Flexbox) to group the content such that when the page is displayed to the end user, all the dogs boxes are at the top of the page and all the cat boxes are lower on the page. The second method uses a [Column](/en-US/docs/Web/CSS/Layout_cookbook/Column_layouts) layout and resents all the dogs to the left and all the cats to the right. Only in this particular scenario, it is appropriate to provide no fallback for the flexboxes/multicolumns, resulting in a single column of very wide boxes on old browsers. Also consider the following. If more people visit the webpage to see the cats, then it might be a good idea to put all the cats higher in the source code than the dogs so that more people can find what they are looking for faster on smaller screens where the content collapses down to one column.
+
+    Next, always make your code dynamic. The user can flip their mobile device on its side, changing the width and height of the page. Or, there might be some weird flip-phone-like device thing in the future where flipping it out extends the screen. Do not be the developer having a headache over how to deal with the flip-phone-like device thing. Never be satisfied with your webpage until you can open up the dev tools side panel and resize the screen while the webpage looks smooth, fluid, and dynamically resized. The simplest way to do this is to separate all the code that moves content around based on screen size to a single function that is called when the page is loaded and at each [resize](/en-US/docs/Web/API/Window/resize_event) event thereafter. If there is a lot calculated by this layout function before it determines the new layout of the page, then consider debouncing the event listener such that it is not called as often. Also note that there is a huge difference between the media queries `(max-width: 25em)`, `not all and (min-width: 25em)`, and `(max-width: 24.99em)`: `(max-width: 25em)` excludes `(max-width: 25em)`, whereas `not all and (min-width: 25em)` includes `(max-width: 25em)`. `(max-width: 24.99em)` is a poor man's version of `not all and (min-width: 25em)`: do not use `(max-width: 24.99em)` because the layout _might_ break on very high font sizes on very high definition devices in the future. Always be very deliberate about choosing the right media query and choosing the right >=, <=, >, or < in any corresponding JavaScript because it is very easy to get these mixed up, resulting in the website looking wonking right at the screen size where the layout changes. Thus, thoroughly test the website at the exact widths/heights where layout changes occur to ensure that the layout changes occur properly.
+
+## Making the best of user agent sniffing
+
+After reviewing all of the above better alternatives to user agent sniffing, there are still some potential cases where user agent sniffing is appropriate and justified.
+
+One such case is using user agent sniffing as a fallback when detecting if the device has a touch screen. See the [Mobile Device Detection](#mobile_device_detection) section for more information.
+
+Another such case is for fixing bugs in browsers that do not automatically update. Internet Explorer (on Windows) and Webkit (on iOS) are two perfect examples. Prior to version 9, Internet Explorer had issues with rendering bugs, CSS bugs, API bugs, and so forth. However, prior to version 9, Internet Explorer was was very easy to detect based upon the browser-specific features available. Webkit is a bit worse because Apple forces all of the browsers on IOS to use Webkit internally, thus the user has no way to get a better more updated browser on older devices. Most bugs can be detected, but some bugs take more effort to detect than others. In such cases, it might be beneficial to use user agent sniffing to save on performance. For example, Webkit 6 has a bug whereby when the device orientation changes, the browser might not fire [MediaQueryList](/en-US/docs/Web/API/MediaQueryList) listeners when it should. To overcome this bug, observe the code below.
+
+```js
+var UA=navigator.userAgent, isWebkit=/\b(iPad|iPhone|iPod)\b/.test(UA) &&
+               /WebKit/.test(UA) && !/Edge/.test(UA) && !window.MSStream;
 
 var mediaQueryUpdated = true, mqL = [];
 function whenMediaChanges(){mediaQueryUpdated = true}
@@ -141,7 +146,7 @@ var listenToMediaQuery = isWebkit ? function(mQ, f) {
     mQ.addListener(f), mQ.addListener(whenMediaChanges);
 } : function(){};
 var destroyMediaQuery = isWebkit ? function(mQ) {
-    for (var i=0,len=mqL.length|0; i<len; i=i+1|0)
+    for (var i=0,len=mqL.length|0; i
-
-
Which part of the user agent contains the information you are looking for?

-
-
As there is no uniformity of the different part of the user agent string, this is the tricky part.

-
-
Browser Name

-
-
When people say they want "browser detection", often they actually want "rendering engine detection". Do you actually want to detect Firefox, as opposed to SeaMonkey, or Chrome as opposed to Chromium? Or do you actually want to see if the browser is using the Gecko or the WebKit rendering engine? If this is what you need, see further down the page.

-
-
Most browsers set the name and version in the format BrowserName/VersionNumber, with the notable exception of Internet Explorer. But as the name is not the only information in a user agent string that is in that format, you can not discover the name of the browser, you can only check if the name you are looking for. But note that some browsers are lying: Chrome for example reports both as Chrome and Safari. So to detect Safari you have to check for the Safari string and the absence of the Chrome string, Chromium often reports itself as Chrome too or Seamonkey sometimes reports itself as Firefox.

-
-
Also, pay attention not to use a simple regular expression on the BrowserName, user agents also contain strings outside the Keyword/Value syntax. Safari & Chrome contain the string 'like Gecko', for instance.

-
-
-	
-		
-			
-			
-			
-		
-	
-	
-		
-			
-			
-			
-		
-		
-			
-			
-      
-		
-		
-			
-			
-			
-		
-		
-			
-			
-			
-		
-		
-			
-			
-			
-		
-		
-			
-      
-      
-    
-    
-      
-      
-      
-		
-		
-			
-			
-      
-    
-      
-      
-      
-		
-	
-
EngineMust containMust not contain
FirefoxFirefox/xyzSeamonkey/xyz
SeamonkeySeamonkey/xyz
ChromeChrome/xyzChromium/xyz
ChromiumChromium/xyz
SafariSafari/xyzChrome/xyz or Chromium/xyz
Opera 15+ (Blink-based engine)OPR/xyz
Opera 12- (Presto-based engine)Opera/xyz
Internet Explorer 10-; MSIE xyz;
Internet Explorer 11Trident/7.0; .*rv:xyz

-
-
[1] Safari gives two version numbers: one technical in the Safari/xyz token, and one user-friendly in a Version/xyz token.

-
-
Of course, there is absolutely no guarantee that another browser will not hijack some of these things (like Chrome hijacked the Safari string in the past). That's why browser detection using the user agent string is unreliable and should be done only with the check of the version number (hijacking of past versions is less likely).

-
-
Browser version

-
-
The browser version is often, but not always, put in the value part of the BrowserName/VersionNumber token in the User Agent String. This is of course not the case for Internet Explorer (which puts the version number right after the MSIE token), and for Opera after version 10, which has added a Version/VersionNumber token.

-
-
Here again, be sure to take the right token for the browser you are looking for, as there is no guarantee that others will contain a valid number.

-
-
Rendering engine

-
-
As seen earlier, in most cases, looking for the rendering engine is a better way to go. This will help to not exclude lesser known browsers. Browsers sharing a common rendering engine will display a page in the same way: it is often a fair assumption that what will work in one will work in the other.

-
-
There are five major rendering engines: Trident, Gecko, Presto, Blink, and WebKit. As sniffing the rendering engines names is common, a lot of user agents added other rendering names to trigger detection. It is therefore important to pay attention not to trigger false-positives when detecting the rendering engine.

-
-
-	
-		
-			
-			
-			
-		
-	
-	
-		
-			
-			
-			
-		
-		
-			
-			
-			
-		
-		
-			
-			
-			
-		
-		
-			
-			
-			
-		
-		
-			
-			
-			
-		
-		
-			
-			
-			
-		
-	
-
EngineMust containComment
GeckoGecko/xyz
WebKitAppleWebKit/xyzPay attention, WebKit browsers add a 'like Gecko' string that may trigger false positive for Gecko if the detection is not careful.
PrestoOpera/xyzNote: Presto is no longer used in Opera browser builds >= version 15 (see 'Blink')
TridentTrident/xyzInternet Explorer put this token in the comment part of the User Agent String
EdgeHTMLEdge/xyzThe non-Chromium Edge puts its engine version after the Edge/ token, not the application version.

-			Note: EdgeHTML is no longer used in Edge browser builds >= version 79 (see 'Blink').
BlinkChrome/xyz

-
-
Rendering engine version

-
-
Most rendering engines put the version number in the RenderingEngine/VersionNumber token, with the notable exception of Gecko. Gecko puts the Gecko version number in the comment part of the User Agent after the rv: string. From Gecko 14 for the mobile version and Gecko 17 for the desktop version, it also puts this value in the Gecko/version token (previous version put there the build date, then a fixed date called the GeckoTrail).

-
-
OS

-
-
The Operating System is given in most User Agent strings (although not web-focused platforms like Firefox OS), but the format varies a lot. It is a fixed string between two semi-colons, in the comment part of the User Agent. These strings are specific for each browser. They indicate the OS, but also often its version and information on the relying hardware (32 or 64 bits, or Intel/PPC for Mac).

-
-
Like in all cases, these strings may change in the future, one should use them only in conjunction with the detection of already released browsers. A technological survey must be in place to adapt the script when new browser versions are coming out.

-
-
Mobile, Tablet or Desktop

-
-
The most common reason to perform user agent sniffing is to determine which type of device the browser runs on. The goal is to serve different HTML to different device types.

-
-
    
-	
  • Never assume that a browser or a rendering engine only runs on one type of device. Especially don't make different defaults for different browsers or rendering engines.
    • 
-	
  • Never use the OS token to define if a browser is on mobile, tablet or desktop. The OS may run on more than one type of (for example, Android runs on tablets as well as phones).
    • 
-

-
-
The following table summarizes the way common browser vendors indicate that their browsers are running on a mobile device:

-
-
-	
-		
-			
-			
-			
-		
-	
-	
-		
-			
-			
-			
-		
-		
-			
-			
-			
-		
-		
-			
-			
-			
-		
-		
-			
-			
-			
-		
-		
-			
-			
-			
-		
-		
-			
-			
-			
-		
-	
-
BrowserRuleExample
Mozilla (Gecko, Firefox)Mobile or Tablet inside the comment.Mozilla/5.0 (Android; Mobile; rv:13.0) Gecko/13.0 Firefox/13.0
WebKit-based (Android, Safari)Mobile Safari token outside the comment.Mozilla/5.0 (Linux; U; Android 4.0.3; de-ch; HTC Sensation Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30
Blink-based (Chromium, Google Chrome, Opera 15+, Edge on Android)Mobile Safari token outside the comment.Mozilla/5.0 (Linux; Android 4.4.2); Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Mobile Safari/537.36 OPR/20.0.1396.72047
Presto-based (Opera 12-)Opera Mobi/xyz token inside the comment.Opera/9.80 (Android 2.3.3; Linux; Opera Mobi/ADR-1111101157; U; es-ES) Presto/2.9.201 Version/11.50
Internet ExplorerIEMobile/xyz token in the comment.Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0)
Edge on Windows 10 MobileMobile/xyz and Edge/ tokens outside the comment.Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Mobile Safari/537.36 Edge/16.16299

-
-
In summary, we recommend looking for the string Mobi anywhere in the User Agent to detect a mobile device.

-
-

-  
Note: If the device is large enough that it's not marked with Mobi, you should serve your desktop site (which, as a best practice, should support touch input anyway, as more desktop machines are appearing with touchscreens).

-

+},0));
+```
+
+## Which part of the user agent contains the information you are looking for?
+
+As there is no uniformity of the different part of the user agent string, this is the tricky part.
+
+### Browser Name
+
+When people say they want "browser detection", often they actually want "rendering engine detection". Do you actually want to detect Firefox, as opposed to SeaMonkey, or Chrome as opposed to Chromium? Or do you actually want to see if the browser is using the Gecko or the WebKit rendering engine? If this is what you need, see further down the page.
+
+Most browsers set the name and version in the format _BrowserName/VersionNumber_, with the notable exception of Internet Explorer. But as the name is not the only information in a user agent string that is in that format, you can not discover the name of the browser, you can only check if the name you are looking for. But note that some browsers are lying: Chrome for example reports both as Chrome and Safari. So to detect Safari you have to check for the Safari string and the absence of the Chrome string, Chromium often reports itself as Chrome too or Seamonkey sometimes reports itself as Firefox.
+
+Also, pay attention not to use a simple regular expression on the BrowserName, user agents also contain strings outside the Keyword/Value syntax. Safari & Chrome contain the string 'like Gecko', for instance.
+
+| Engine                          | Must contain            | Must not contain               |
+| ------------------------------- | ----------------------- | ------------------------------ |
+| Firefox                         | `Firefox/xyz`           | `Seamonkey/xyz`                |
+| Seamonkey                       | `Seamonkey/xyz`         |                                |
+| Chrome                          | `Chrome/xyz`            | `Chromium/xyz`                 |
+| Chromium                        | `Chromium/xyz`          |                                |
+| Safari                          | `Safari/xyz`            | `Chrome/xyz` or `Chromium/xyz` |
+| Opera 15+ (Blink-based engine)  | `OPR/xyz`               |                                |
+| Opera 12- (Presto-based engine) | `Opera/xyz`             |                                |
+| Internet Explorer 10-           | `; MSIE xyz;`           |                                |
+| Internet Explorer 11            | `Trident/7.0; .*rv:xyz` |                                |
+
+\[1] Safari gives two version numbers: one technical in the `Safari/xyz` token, and one user-friendly in a `Version/xyz` token.
+
+Of course, there is absolutely no guarantee that another browser will not hijack some of these things (like Chrome hijacked the Safari string in the past). That's why browser detection using the user agent string is unreliable and should be done only with the check of the version number (hijacking of past versions is less likely).
+
+### Browser version
+
+The browser version is often, but not always, put in the value part of the _BrowserName/VersionNumber_ token in the User Agent String. This is of course not the case for Internet Explorer (which puts the version number right after the MSIE token), and for Opera after version 10, which has added a Version/_VersionNumber_ token.
+
+Here again, be sure to take the right token for the browser you are looking for, as there is no guarantee that others will contain a valid number.
+
+### Rendering engine
+
+As seen earlier, in most cases, looking for the rendering engine is a better way to go. This will help to not exclude lesser known browsers. Browsers sharing a common rendering engine will display a page in the same way: it is often a fair assumption that what will work in one will work in the other.
+
+There are five major rendering engines: Trident, Gecko, Presto, Blink, and WebKit. As sniffing the rendering engines names is common, a lot of user agents added other rendering names to trigger detection. It is therefore important to pay attention not to trigger false-positives when detecting the rendering engine.
+
+| Engine   | Must contain      | Comment                                                                                                                                                                                      |
+| -------- | ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Gecko    | `Gecko/xyz`       |                                                                                                                                                                                              |
+| WebKit   | `AppleWebKit/xyz` | Pay attention, WebKit browsers add a 'like Gecko' string that may trigger false positive for Gecko if the detection is not careful.                                                          |
+| Presto   | `Opera/xyz`       | **Note:** Presto is no longer used in Opera browser builds >= version 15 (see 'Blink')                                                                                                       |
+| Trident  | `Trident/xyz`     | Internet Explorer put this token in the _comment_ part of the User Agent String                                                                                                              |
+| EdgeHTML | `Edge/xyz`        | The non-Chromium Edge puts its engine version after the _Edge/_ token, not the application version. **Note:** EdgeHTML is no longer used in Edge browser builds >= version 79 (see 'Blink'). |
+| Blink    | `Chrome/xyz`      |                                                                                                                                                                                              |
+
+## Rendering engine version
+
+Most rendering engines put the version number in the _RenderingEngine/VersionNumber_ token, with the notable exception of Gecko. Gecko puts the Gecko version number in the comment part of the User Agent after the `rv:` string. From Gecko 14 for the mobile version and Gecko 17 for the desktop version, it also puts this value in the `Gecko/version` token (previous version put there the build date, then a fixed date called the GeckoTrail).
+
+## OS
+
+The Operating System is given in most User Agent strings (although not web-focused platforms like Firefox OS), but the format varies a lot. It is a fixed string between two semi-colons, in the comment part of the User Agent. These strings are specific for each browser. They indicate the OS, but also often its version and information on the relying hardware (32 or 64 bits, or Intel/PPC for Mac).
+
+Like in all cases, these strings may change in the future, one should use them only in conjunction with the detection of already released browsers. A technological survey must be in place to adapt the script when new browser versions are coming out.
+
+### Mobile, Tablet or Desktop
+
+The most common reason to perform user agent sniffing is to determine which type of device the browser runs on. The goal is to serve different HTML to different device types.
+
+- Never assume that a browser or a rendering engine only runs on one type of device. Especially don't make different defaults for different browsers or rendering engines.
+- Never use the OS token to define if a browser is on mobile, tablet or desktop. The OS may run on more than one type of (for example, Android runs on tablets as well as phones).
+
+The following table summarizes the way common browser vendors indicate that their browsers are running on a mobile device:
+
+| Browser                                                           | Rule                                                                                                                                                                                                                                                | Example                                                                                                                                                          |
+| ----------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Mozilla (Gecko, Firefox)                                          | `Mobile` or `Tablet` inside the comment.                                                                                                                                                                                                            | `Mozilla/5.0 (Android; Mobile; rv:13.0) Gecko/13.0 Firefox/13.0`                                                                                                 |
+| WebKit-based (Android, Safari)                                    | `Mobile Safari` token [outside](https://developer.apple.com/library/safari/documentation/AppleApplications/Reference/SafariWebContent/OptimizingforSafarioniPhone/OptimizingforSafarioniPhone.html#//apple_ref/doc/uid/TP40006517-SW3) the comment. | `Mozilla/5.0 (Linux; U; Android 4.0.3; de-ch; HTC Sensation Build/IML74K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30`               |
+| Blink-based (Chromium, Google Chrome, Opera 15+, Edge on Android) | `Mobile Safari` token [outside](https://developers.google.com/chrome/mobile/docs/user-agent) the comment.                                                                                                                                           | `Mozilla/5.0 (Linux; Android 4.4.2); Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Mobile Safari/537.36 OPR/20.0.1396.72047` |
+| Presto-based (Opera 12-)                                          | `Opera Mobi/xyz` token [inside](https://my.opera.com/community/openweb/idopera/) the comment.                                                                                                                                                       | `Opera/9.80 (Android 2.3.3; Linux; Opera Mobi/ADR-1111101157; U; es-ES) Presto/2.9.201 Version/11.50`                                                            |
+| Internet Explorer                                                 | `IEMobile/xyz` token in the comment.                                                                                                                                                                                                                | `Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0)`                                                                            |
+| Edge on Windows 10 Mobile                                         | `Mobile/xyz` and `Edge/` tokens outside the comment.                                                                                                                                                                                                | `Mozilla/5.0 (Windows Phone 10.0; Android 6.0.1; Xbox; Xbox One) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Mobile Safari/537.36 Edge/16.16299` |
+
+In summary, we recommend looking for the string `Mobi` anywhere in the User Agent to detect a mobile device.
+
+> **Note:** If the device is large enough that it's not marked with `Mobi`, you should serve your desktop site (which, as a best practice, should support touch input anyway, as more desktop machines are appearing with touchscreens).
diff --git a/files/en-us/web/http/caching/index.md b/files/en-us/web/http/caching/index.md
index 50ec956ff7e29cb..2dc9d3da2a1dfe0 100644
--- a/files/en-us/web/http/caching/index.md
+++ b/files/en-us/web/http/caching/index.md
@@ -6,183 +6,175 @@ tags:
   - Guide
   - HTTP
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The performance of web sites and applications can be significantly improved by reusing previously fetched resources. Web caches reduce latency and network traffic and thus lessen the time needed to display a representation of a resource. By making use of HTTP caching, Web sites become more responsive.

+The performance of web sites and applications can be significantly improved by reusing previously fetched resources. Web caches reduce latency and network traffic and thus lessen the time needed to display a representation of a resource. By making use of HTTP caching, Web sites become more responsive.
 
-
Different kinds of caches

+## Different kinds of caches
 
-
Caching is a technique that stores a copy of a given resource and serves it back when requested. When a web cache has a requested resource in its store, it intercepts the request and returns its copy instead of re-downloading from the originating server. This achieves several goals: it eases the load of the server that doesn’t need to serve all clients itself, and it improves performance by being closer to the client, i.e., it takes less time to transmit the resource back. For a web site, it is a major component in achieving high performance. On the other side, it has to be configured properly as not all resources stay identical forever: it is important to cache a resource only until it changes, not longer.

+Caching is a technique that stores a copy of a given resource and serves it back when requested. When a web cache has a requested resource in its store, it intercepts the request and returns its copy instead of re-downloading from the originating server. This achieves several goals: it eases the load of the server that doesn’t need to serve all clients itself, and it improves performance by being closer to the client, i.e., it takes less time to transmit the resource back. For a web site, it is a major component in achieving high performance. On the other side, it has to be configured properly as not all resources stay identical forever: it is important to cache a resource only until it changes, not longer.
 
-
There are several kinds of caches: these can be grouped into two main categories: private or shared caches. A shared cache is a cache that stores responses for reuse by more than one user. A private cache is dedicated to a single user. This page will mostly talk about browser and proxy caches, but there are also gateway caches, CDN, reverse proxy caches and load balancers that are deployed on web servers for better reliability, performance and scaling of web sites and web applications.

+There are several kinds of caches: these can be grouped into two main categories: private or shared caches. A _shared cache_ is a cache that stores responses for reuse by more than one user. A _private cache_ is dedicated to a single user. This page will mostly talk about browser and proxy caches, but there are also gateway caches, CDN, reverse proxy caches and load balancers that are deployed on web servers for better reliability, performance and scaling of web sites and web applications.
 
-
What a cache provide, advantages/disadvantages of shared/private caches.

+![What a cache provide, advantages/disadvantages of shared/private caches.](http_cache_type.png)
 
-
Private browser caches

+### Private browser caches
 
-
A private cache is dedicated to a single user. You might have seen "caching" in your browser's settings already. A browser cache holds all documents downloaded via HTTP by the user. This cache is used to make visited documents available for back/forward navigation, saving, viewing-as-source, etc. without requiring an additional trip to the server. It likewise improves offline browsing of cached content.

+A private cache is dedicated to a single user. You might have seen "caching" in your browser's settings already. A browser cache holds all documents downloaded via [HTTP](/en-US/docs/Web/HTTP) by the user. This cache is used to make visited documents available for back/forward navigation, saving, viewing-as-source, etc. without requiring an additional trip to the server. It likewise improves offline browsing of cached content.
 
-
Shared proxy caches

+### Shared proxy caches
 
-
A shared cache is a cache that stores responses to be reused by more than one user. For example, an ISP or your company might have set up a web proxy as part of its local network infrastructure to serve many users so that popular resources are reused a number of times, reducing network traffic and latency.

+A shared cache is a cache that stores responses to be reused by more than one user. For example, an ISP or your company might have set up a web proxy as part of its local network infrastructure to serve many users so that popular resources are reused a number of times, reducing network traffic and latency.
 
-
Targets of caching operations

+## Targets of caching operations
 
-
HTTP caching is optional but usually desirable. HTTP caches are typically limited to caching responses to {{HTTPMethod("GET")}}; they may decline other methods. The primary cache key consists of the request method and target URI (often only the URI is used — this is because only GET requests are caching targets).

+HTTP caching is optional but usually desirable. HTTP caches are typically limited to caching responses to {{HTTPMethod("GET")}}; they may decline other methods. The primary cache key consists of the request method and target URI (often only the URI is used — this is because only `GET` requests are caching targets).
 
-
Common forms of caching entries are:

+Common forms of caching entries are:
 
-
    
- 
  • Successful results of a retrieval request: a {{HTTPStatus(200)}} (OK) response to a {{HTTPMethod("GET")}} request containing a resource like HTML documents, images or files.
    • 
- 
  • Permanent redirects: a {{HTTPStatus(301)}} (Moved Permanently) response.
    • 
- 
  • Error responses: a {{HTTPStatus(404)}} (Not Found) result page.
    • 
- 
  • Incomplete results: a {{HTTPStatus(206)}} (Partial Content) response.
    • 
- 
  • Responses other than {{HTTPMethod("GET")}} if something suitable for use as a cache key is defined.
    • 
-

+- Successful results of a retrieval request: a {{HTTPStatus(200)}} (OK) response to a {{HTTPMethod("GET")}} request containing a resource like HTML documents, images or files.
+- Permanent redirects: a {{HTTPStatus(301)}} (Moved Permanently) response.
+- Error responses: a {{HTTPStatus(404)}} (Not Found) result page.
+- Incomplete results: a {{HTTPStatus(206)}} (Partial Content) response.
+- Responses other than {{HTTPMethod("GET")}} if something suitable for use as a cache key is defined.
 
-
A cache entry might also consist of multiple stored responses differentiated by a secondary key, if the request is target of content negotiation. For more details see the information about the {{HTTPHeader("Vary")}} header below.

+A cache entry might also consist of multiple stored responses differentiated by a secondary key, if the request is target of content negotiation. For more details see the information about the {{HTTPHeader("Vary")}} header [below](#varying_responses).
 
-
Controlling caching

+## Controlling caching
 
-
The Cache-Control header

+### The `Cache-Control` header
 
-
The {{HTTPHeader("Cache-Control")}} HTTP/1.1 general-header field is used to specify directives for caching mechanisms in both requests and responses. Use this header to define your caching policies with the variety of directives it provides.

+The {{HTTPHeader("Cache-Control")}} HTTP/1.1 general-header field is used to specify directives for caching mechanisms in both requests and responses. Use this header to define your caching policies with the variety of directives it provides.
 
-
No caching

+#### No caching
 
-
The cache should not store anything about the client request or server response. A request is sent to the server and a full response is downloaded each and every time.

+The cache should not store anything about the client request or server response. A request is sent to the server and a full response is downloaded each and every time.
 
-
Cache-Control: no-store

+    Cache-Control: no-store
 
-
Cache but revalidate

+#### Cache but revalidate
 
-
A cache will send the request to the origin server for validation before releasing a cached copy.

+A cache will send the request to the origin server for validation before releasing a cached copy.
 
-
Cache-Control: no-cache

+    Cache-Control: no-cache
 
-
Private and public caches

+#### Private and public caches
 
-
The "public" directive indicates that the response may be cached by any cache. This can be useful if pages with HTTP authentication, or response status codes that aren't normally cacheable, should now be cached.

+The "public" directive indicates that the response may be cached by any cache. This can be useful if pages with HTTP authentication, or response status codes that aren't normally cacheable, should now be cached.
 
-
On the other hand, "private" indicates that the response is intended for a single user only and must not be stored by a shared cache. A private browser cache may store the response in this case.

+On the other hand, "private" indicates that the response is intended for a single user only and must not be stored by a shared cache. A private browser cache may store the response in this case.
 
-
Cache-Control: private
-Cache-Control: public
-

+    Cache-Control: private
+    Cache-Control: public
 
-
Expiration

+#### Expiration
 
-
The most important directive here is max-age=<seconds>, which is the maximum amount of time in which a resource will be considered fresh. This directive is relative to the time of the request, and overrides the {{HTTPHeader("Expires")}} header (if set). For the files in the application that will not change, you can normally use aggressive caching. This includes static files such as images, CSS files, and JavaScript files, for example.

+The most important directive here is `max-age=`, which is the maximum amount of time in which a resource will be considered fresh. This directive is relative to the time of the request, and overrides the {{HTTPHeader("Expires")}} header (if set). For the files in the application that will not change, you can normally use aggressive caching. This includes static files such as images, CSS files, and JavaScript files, for example.
 
-
For more details, see also the Freshness section below.

+For more details, see also the [Freshness](#freshness) section below.
 
-
Cache-Control: max-age=31536000

+    Cache-Control: max-age=31536000
 
-
Validation

+#### Validation
 
-
When using the "must-revalidate" directive, the cache must verify the status of the stale resources before using it and expired ones should not be used. For more details, see the Validation section below.

+When using the "`must-revalidate`" directive, the cache must verify the status of the stale resources before using it and expired ones should not be used. For more details, see the [Validation](#cache_validation) section below.
 
-
Cache-Control: must-revalidate

+    Cache-Control: must-revalidate
 
-
The Pragma header

+### The `Pragma` header
 
-
{{HTTPHeader("Pragma")}} is an HTTP/1.0 header. Pragma: no-cache is like Cache-Control: no-cache in that it forces caches to submit the request to the origin server for validation, before releasing a cached copy. However, Pragma is not specified for HTTP responses and is therefore not a reliable replacement for the general HTTP/1.1 Cache-Control header.

+{{HTTPHeader("Pragma")}} is an HTTP/1.0 header. `Pragma: no-cache` is like `Cache-Control: no-cache` in that it forces caches to submit the request to the origin server for validation, before releasing a cached copy. However, `Pragma` is not specified for HTTP responses and is therefore not a reliable replacement for the general HTTP/1.1 `Cache-Control` header.
 
-
Pragma should only be used for backwards compatibility with HTTP/1.0 caches where the Cache-Control HTTP/1.1 header is not yet present.

+`Pragma` should only be used for backwards compatibility with HTTP/1.0 caches where the `Cache-Control` HTTP/1.1 header is not yet present.
 
-
Freshness

+## Freshness
 
-
Once a resource is stored in a cache, it could theoretically be served by the cache forever. Caches have finite storage so items are periodically removed from storage. This process is called cache eviction. On the other side, some resources may change on the server so the cache should be updated. As HTTP is a client-server protocol, servers can't contact caches and clients when a resource changes; they have to communicate an expiration time for the resource. Before this expiration time, the resource is fresh; after the expiration time, the resource is stale. Eviction algorithms often privilege fresh resources over stale resources. Note that a stale resource is not evicted or ignored; when the cache receives a request for a stale resource, it forwards this request with a {{HTTPHeader("If-None-Match")}} to check if it is in fact still fresh. If so, the server returns a {{HTTPStatus("304")}} (Not Modified) header without sending the body of the requested resource, saving some bandwidth.

+Once a resource is stored in a cache, it could theoretically be served by the cache forever. Caches have finite storage so items are periodically removed from storage. This process is called _cache eviction_. On the other side, some resources may change on the server so the cache should be updated. As HTTP is a client-server protocol, servers can't contact caches and clients when a resource changes; they have to communicate an expiration time for the resource. Before this expiration time, the resource is _fresh_; after the expiration time, the resource is *stale*. Eviction algorithms often privilege fresh resources over stale resources. Note that a stale resource is not evicted or ignored; when the cache receives a request for a stale resource, it forwards this request with a {{HTTPHeader("If-None-Match")}} to check if it is in fact still fresh. If so, the server returns a {{HTTPStatus("304")}} (Not Modified) header without sending the body of the requested resource, saving some bandwidth.
 
-
Here is an example of this process with a shared cache proxy:

+Here is an example of this process with a shared cache proxy:
 
-
Show how a proxy cache acts when a doc is not cache, in the cache and fresh, in the cache and stale.

+![Show how a proxy cache acts when a doc is not cache, in the cache and fresh, in the cache and stale.](http_staleness.png)
 
-
The freshness lifetime is calculated based on several headers. If a "Cache-Control: max-age=N" header is specified, then the freshness lifetime is equal to N. If this header is not present, which is very often the case, it is checked if an {{HTTPHeader("Expires")}} header is present. If an Expires header exists, then its value minus the value of the {{HTTPHeader("Date")}} header determines the freshness lifetime.

+The freshness lifetime is calculated based on several headers. If a "`Cache-Control: max-age=N`" header is specified, then the freshness lifetime is equal to N. If this header is not present, which is very often the case, it is checked if an {{HTTPHeader("Expires")}} header is present. If an `Expires` header exists, then its value minus the value of the {{HTTPHeader("Date")}} header determines the freshness lifetime.
 
-
Heuristic freshness checking

+### Heuristic freshness checking
 
-
If an origin server does not explicitly specify freshness (e.g. using {{HTTPHeader("Cache-Control")}} or {{HTTPHeader("Expires")}} header) then a heuristic approach may be used.

+If an origin server does not explicitly specify freshness (e.g. using {{HTTPHeader("Cache-Control")}} or {{HTTPHeader("Expires")}} header) then a heuristic approach may be used.
 
-
In this case look for a {{HTTPHeader("Last-Modified")}} header. If this header is present, then the cache's freshness lifetime is equal to the value of the Date header minus the value of the Last-modified header divided by 10. The expiration time is computed as follows:

+In this case look for a {{HTTPHeader("Last-Modified")}} header. If this header is present, then the cache's freshness lifetime is equal to the value of the `Date` header minus the value of the `Last-modified` header divided by 10. The expiration time is computed as follows:
 
-
expirationTime = responseTime + freshnessLifetime - currentAge

+    expirationTime = responseTime + freshnessLifetime - currentAge
 
-
where responseTime is the time at which the response was received according to the browser. For more information see RFC 7234: Hypertext Transfer Protocol (HTTP/1.1): 4.2.2.  Calculating Heuristic Freshness.

+where `responseTime` is the time at which the response was received according to the browser. For more information see [RFC 7234: Hypertext Transfer Protocol (HTTP/1.1): 4.2.2.  Calculating Heuristic Freshness](https://datatracker.ietf.org/doc/html/rfc7234#section-4.2.2).
 
-
Revved resources

+### Revved resources
 
-
The more we use cached resources, the better the responsiveness and the performance of a Web site will be. To optimize this, good practices recommend to set expiration times as far in the future as possible. This is possible on resources that are regularly updated, or often, but is problematic for resources that are rarely and infrequently updated. They are the resources that would benefit the most from caching resources, yet this makes them very difficult to update. This is typical of the technical resources included and linked from each Web pages: JavaScript and CSS files change infrequently, but when they change you want them to be updated quickly.

+The more we use cached resources, the better the responsiveness and the performance of a Web site will be. To optimize this, good practices recommend to set expiration times as far in the future as possible. This is possible on resources that are regularly updated, or often, but is problematic for resources that are rarely and infrequently updated. They are the resources that would benefit the most from caching resources, yet this makes them very difficult to update. This is typical of the technical resources included and linked from each Web pages: JavaScript and CSS files change infrequently, but when they change you want them to be updated quickly.
 
-
Web developers invented a technique that Steve Souders called revving. Infrequently updated files are named in a specific way: in their URL, usually in the filename, a revision (or version) number is added. That way each new revision of this resource is considered as a resource on its own that never changes and that can have an expiration time very far in the future, usually one year or even more. In order to have the new versions, all the links to them must be changed, that is the drawback of this method: additional complexity that is usually taken care of by the tool chain used by Web developers. When the infrequently variable resources change they induce an additional change to often variable resources. When these are read, the new versions of the others are also read.

+Web developers invented a technique that Steve Souders called [revving](https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/). Infrequently updated files are named in a specific way: in their URL, usually in the filename, a revision (or version) number is added. That way each new revision of this resource is considered as a resource on its own that _never_ changes and that can have an expiration time very far in the future, usually one year or even more. In order to have the new versions, all the links to them must be changed, that is the drawback of this method: additional complexity that is usually taken care of by the tool chain used by Web developers. When the infrequently variable resources change they induce an additional change to often variable resources. When these are read, the new versions of the others are also read.
 
-
This technique has an additional benefit: updating two cached resources at the same time will not lead to the situation where the out-dated version of one resource is used in combination with the new version of the other one. This is very important when web sites have CSS stylesheets or JS scripts that have mutual dependencies, i.e., they depend on each other because they refer to the same HTML elements.

+This technique has an additional benefit: updating two cached resources at the same time will not lead to the situation where the out-dated version of one resource is used in combination with the new version of the other one. This is very important when web sites have CSS stylesheets or JS scripts that have mutual dependencies, i.e., they depend on each other because they refer to the same HTML elements.
 
-
How the revved cache mechanism works. With minor typo fix to grammar issue: https://github.com/mdn/sprints/issues/2618

+![How the revved cache mechanism works. With minor typo fix to grammar issue: https://github.com/mdn/sprints/issues/2618](http_revved_fix_typo.png)
 
-
The revision version added to revved resources doesn't need to be a classical revision string like 1.1.3, or even a monotonously growing suite of number. It can be anything that prevent collisions, like a hash or a date.

+The revision version added to revved resources doesn't need to be a classical revision string like 1.1.3, or even a monotonously growing suite of number. It can be anything that prevent collisions, like a hash or a date.
 
-
Cache validation

+## Cache validation
 
-
When a cached document's expiration time has been reached, it is either validated or fetched again. Validation can only occur if the server provided either a strong validator or a weak validator.

+When a cached document's expiration time has been reached, it is either validated or fetched again. Validation can only occur if the server provided either a _strong validator_ or a _weak validator_.
 
-
Revalidation is triggered when the user presses the reload button. It is also triggered under normal browsing if the cached response includes the "Cache-Control: must-revalidate" header. Another factor is the cache validation preferences in the Advanced->Cache preferences panel. There is an option to force a validation each time a document is loaded.

+Revalidation is triggered when the user presses the reload button. It is also triggered under normal browsing if the cached response includes the "`Cache-Control: must-revalidate`" header. Another factor is the cache validation preferences in the `Advanced->Cache` preferences panel. There is an option to force a validation each time a document is loaded.
 
-
ETags

+### ETags
 
-
The {{HTTPHeader("ETag")}} response header is an opaque-to-the-useragent value that can be used as a strong validator. That means that a HTTP user-agent, such as the browser, does not know what this string represents and can't predict what its value would be. If the ETag header was part of the response for a resource, the client can issue an {{HTTPHeader("If-None-Match")}} in the header of future requests – in order to validate the cached resource.

+The {{HTTPHeader("ETag")}} response header is an _opaque-to-the-useragent_ value that can be used as a strong validator. That means that a HTTP user-agent, such as the browser, does not know what this string represents and can't predict what its value would be. If the `ETag` header was part of the response for a resource, the client can issue an {{HTTPHeader("If-None-Match")}} in the header of future requests – in order to validate the cached resource.
 
-
Last-Modified

+### Last-Modified
 
-
The {{HTTPHeader("Last-Modified")}} response header can be used as a weak validator. It is considered weak because it only has 1-second resolution. If the Last-Modified header is present in a response, then the client can issue an {{HTTPHeader("If-Modified-Since")}} request header to validate the cached document.

+The {{HTTPHeader("Last-Modified")}} response header can be used as a weak validator. It is considered weak because it only has 1-second resolution. If the `Last-Modified` header is present in a response, then the client can issue an {{HTTPHeader("If-Modified-Since")}} request header to validate the cached document.
 
-
When a validation request is made, the server can either ignore the validation request and respond with a normal {{HTTPStatus(200)}} OK, or it can return {{HTTPStatus(304)}} Not Modified (with an empty body) to instruct the browser to use its cached copy. The latter response can also include headers that update the expiration time of the cached document.

+When a validation request is made, the server can either ignore the validation request and respond with a normal {{HTTPStatus(200)}} `OK`, or it can return {{HTTPStatus(304)}} `Not Modified` (with an empty body) to instruct the browser to use its cached copy. The latter response can also include headers that update the expiration time of the cached document.
 
-
Varying responses

+## Varying responses
 
-
The {{HTTPHeader("Vary")}} HTTP response header determines how to match future request headers to decide whether a cached response can be used, or if a fresh one must be requested from the origin server.

+The {{HTTPHeader("Vary")}} HTTP response header determines how to match future request headers to decide whether a cached response can be used, or if a fresh one must be requested from the origin server.
 
-
When a cache receives a request that has a Vary header field, it must not use a cached response by default unless all header fields specified in the Vary header match in both the original (cached) request and the new request.

+When a cache receives a request that has a `Vary` header field, it must not use a cached response by default unless all header fields specified in the `Vary` header match in both the original (cached) request and the new request.
 
-
The Vary header leads cache to use more HTTP headers as key for the cache.This feature is commonly used to allow a resource to be cached in uncompressed and (various) compressed forms, and served appropriately to user agents based on the encodings that they support. For example, a server can set Vary: Accept-Encoding to ensure that a separate version of a resource is cached for all requests that specify support for a particular set of encodings, e.g. Accept-Encoding: gzip,deflate,sdch.

+![The Vary header leads cache to use more HTTP headers as key for the cache.](http_vary.png)This feature is commonly used to allow a resource to be cached in uncompressed and (various) compressed forms, and served appropriately to user agents based on the encodings that they support. For example, a server can set `Vary: Accept-Encoding` to ensure that a separate version of a resource is cached for all requests that specify support for a particular set of encodings, e.g. `Accept-Encoding: gzip,deflate,sdch`.
 
-
Vary: Accept-Encoding

+    Vary: Accept-Encoding
 
-

-  
Note: Use Vary with care—it can easily reduce the effectiveness of caching! A caching server should use normalization to reduce duplicated cache entries and unnecessary requests to the origin server. This is particularly true when using Vary with headers and header values that can have many values.

-

+> **Note:** Use `Vary` with care—it can easily reduce the effectiveness of caching! A caching server should use [normalization](#normalization) to reduce duplicated cache entries and unnecessary requests to the origin server. This is particularly true when using `Vary` with headers and header values that can have many values.
 
-
The Vary header can also be useful for serving different content to desktop and mobile users, or to allow search engines to discover the mobile version of a page (and perhaps also tell them that no Cloaking is intended). This is usually achieved with the Vary: User-Agent header, and works because the {{HTTPHeader("User-Agent")}} header value is different for mobile and desktop clients.

+The `Vary` header can also be useful for serving different content to desktop and mobile users, or to allow search engines to discover the mobile version of a page (and perhaps also tell them that no [Cloaking](https://en.wikipedia.org/wiki/Cloaking) is intended). This is usually achieved with the `Vary: User-Agent` header, and works because the {{HTTPHeader("User-Agent")}} header value is different for mobile and desktop clients.
 
-
Vary: User-Agent

+    Vary: User-Agent
 
-
Normalization

+### Normalization
 
-
As discussed above, caching servers will by default match future requests only to requests with exactly the same headers and header values. That means a request will be made to the origin and a new cache will be created for every slight variant that might be specified by different user-agents.

+As discussed above, caching servers will by default match future requests _only_ to requests with _exactly_ the same headers and header values. That means a request will be made to the origin and a new cache will be created for every slight variant that might be specified by different user-agents.
 
-
For example, by default all of the following result in a separate request to the origin and a separate cache entry: Accept-Encoding: gzip,deflate,sdch, Accept-Encoding: gzip,deflateAccept-Encoding: gzip. This is true even though the origin server will probably respond with — and store — the same resource for all requests (a gzip)!

+For example, by default all of the following result in a separate request to the origin and a separate cache entry: `Accept-Encoding: gzip,deflate,sdch`, `Accept-Encoding: gzip,deflate`, `Accept-Encoding: gzip`. This is true even though the origin server will probably respond with — and store — the same resource for all requests (a gzip)!
 
-
To avoid unnecessary requests and duplicated cache entries, caching servers should use normalization to pre-process the request and cache only files that are needed. For example, in the case of Accept-Encoding you could check for gzip and other compression types in the header before doing further processing, and otherwise unset the header. In "pseudo code" this might look like:

+To avoid unnecessary requests and duplicated cache entries, caching servers should use **normalization** to pre-process the request and cache only files that are needed. For example, in the case of `Accept-Encoding` you could check for `gzip` and other compression types in the header before doing further processing, and otherwise unset the header. In "pseudo code" this might look like:
 
-
// Normalize Accept-Encoding
-if (req.http.Accept-Encoding) {
-  if (req.http.Accept-Encoding ~ "gzip") {
-    set req.http.Accept-Encoding = "gzip";
-  }
-  // elsif other encoding types to check
-  else {
-    unset req.http.Accept-Encoding;
-  }
-}
-

+    // Normalize Accept-Encoding
+    if (req.http.Accept-Encoding) {
+      if (req.http.Accept-Encoding ~ "gzip") {
+        set req.http.Accept-Encoding = "gzip";
+      }
+      // elsif other encoding types to check
+      else {
+        unset req.http.Accept-Encoding;
+      }
+    }
 
-
User-Agent has even more variation than Accept-Encoding. So if using Vary: User-Agent for caching mobile/desktop variants of files you'd similarly check for the presence of "mobile" and "desktop" in the request User-Agent header, and then clear it.

+`User-Agent` has even more variation than `Accept-Encoding`. So if using `Vary: User-Agent` for caching mobile/desktop variants of files you'd similarly check for the presence of `"mobile"` and `"desktop"` in the request `User-Agent` header, and then clear it.
 
-
See also

+## See also
 
-
+- [RFC 7234: Hypertext Transfer Protocol (HTTP/1.1): Caching](https://datatracker.ietf.org/doc/html/rfc7234)
+- [Caching Tutorial – Mark Nottingham](https://www.mnot.net/cache_docs)
+- [HTTP caching – Ilya Grigorik](https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching)
+- [RedBot](https://redbot.org/), a tool to check your cache-related HTTP headers.
diff --git a/files/en-us/web/http/compression/index.md b/files/en-us/web/http/compression/index.md
index b8f20b0212ace77..d435db09ebedb1f 100644
--- a/files/en-us/web/http/compression/index.md
+++ b/files/en-us/web/http/compression/index.md
@@ -6,63 +6,57 @@ tags:
   - HTTP
   - compression
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Compression is an important way to increase the performance of a Web site. For some documents, size reduction of up to 70% lowers the bandwidth capacity needs. Over the years, algorithms also got more efficient, and new ones are supported by clients and servers.

+**Compression** is an important way to increase the performance of a Web site. For some documents, size reduction of up to 70% lowers the bandwidth capacity needs. Over the years, algorithms also got more efficient, and new ones are supported by clients and servers.
 
-
In practice, web developers don't need to implement compression mechanisms, both browsers and servers have it implemented already, but they have to be sure that the server is configured adequately. Compression happens at three different levels:

+In practice, web developers don't need to implement compression mechanisms, both browsers and servers have it implemented already, but they have to be sure that the server is configured adequately. Compression happens at three different levels:
 
-
    
- 
  • first some file formats are compressed with specific optimized methods,
    • 
- 
  • then general encryption can happen at the HTTP level (the resource is transmitted compressed from end to end),
    • 
- 
  • and finally compression can be defined at the connection level, between two nodes of an HTTP connection.
    • 
-

+- first some file formats are compressed with specific optimized methods,
+- then general encryption can happen at the HTTP level (the resource is transmitted compressed from end to end),
+- and finally compression can be defined at the connection level, between two nodes of an HTTP connection.
 
-
File format compression

+## File format compression
 
-
Each data type has some redundancy, that is wasted space, in it. If text can typically have as much as 60% redundancy, this rate can be much higher for some other media like audio and video. Unlike text, these other media types use lot of space to store their data and the need to optimize storage and regain space was apparent very early. Engineers designed the optimized compression algorithm used by file formats designed for this specific purpose. Compression algorithms used for files can be grouped into two broad categories:

+Each data type has some redundancy, that is _wasted space_, in it. If text can typically have as much as 60% redundancy, this rate can be much higher for some other media like audio and video. Unlike text, these other media types use lot of space to store their data and the need to optimize storage and regain space was apparent very early. Engineers designed the optimized compression algorithm used by file formats designed for this specific purpose. Compression algorithms used for files can be grouped into two broad categories:
 
-
    
- 
  • Loss-less compression, where the compression-uncompression cycle doesn't alter the data that is recovered. It matches (byte to byte) with the original.
    
-  For images, gif or png are using loss-less compression.
    • 
- 
  • Lossy compression, where the cycle alters the original data in a (hopefully) imperceptible way for the user.
    
-  Video formats on the Web are lossy; the jpeg image format is also lossy.
    • 
-

+- _Loss-less compression_, where the compression-uncompression cycle doesn't alter the data that is recovered. It matches (byte to byte) with the original.
+  For images, `gif` or `png` are using loss-less compression.
+- _Lossy compression_, where the cycle alters the original data in a (hopefully) imperceptible way for the user.
+  Video formats on the Web are lossy; the `jpeg` image format is also lossy.
 
-
Some formats can be used for both loss-less or lossy compression, like webp, and usually lossy algorithm can be configured to compress more or less, which then of course leads to less or more quality. For better performance of a Web site, it is ideal to compress as much as possible, while keeping an acceptable level of quality. For images, an image generated by a tool could be not optimized enough for the Web; it is recommended to use tools that will compress as much as possible with the required quality. There are numerous tools that are specialized for this.

+Some formats can be used for both loss-less or lossy compression, like `webp`, and usually lossy algorithm can be configured to compress more or less, which then of course leads to less or more quality. For better performance of a Web site, it is ideal to compress as much as possible, while keeping an acceptable level of quality. For images, an image generated by a tool could be not optimized enough for the Web; it is recommended to use tools that will compress as much as possible with the required quality. There are [numerous tools](https://www.creativebloq.com/design/image-compression-tools-1132865) that are specialized for this.
 
-
Lossy compression algorithms are usually more efficient than loss-less ones.

+Lossy compression algorithms are usually more efficient than loss-less ones.
 
-

-  
Note: As compression works better on a specific kind of files, it usually provides nothing to compress them a second time. In fact, this is often counter productive as the cost of the overhead (algorithms usually need a dictionary that add to the initial size) can be higher than the extra gain in compression resulting in a larger file. Do not use the two following techniques for files in a compressed format.

-

+> **Note:** As compression works better on a specific kind of files, it usually provides nothing to compress them a second time. In fact, this is often counter productive as the cost of the overhead (algorithms usually need a dictionary that add to the initial size) can be higher than the extra gain in compression resulting in a larger file. Do not use the two following techniques for files in a compressed format.
 
-
End-to-end compression

+## End-to-end compression
 
-
For compression, end-to-end compression is where the largest performance improvements of Web sites reside. End-to-end compression refers to a compression of the body of a message that is done by the server and will last unchanged until it reaches the client. Whatever the intermediate nodes are, they leave the body untouched.

+For compression, end-to-end compression is where the largest performance improvements of Web sites reside. End-to-end compression refers to a compression of the body of a message that is done by the server and will last unchanged until it reaches the client. Whatever the intermediate nodes are, they leave the body untouched.
 
-

+![](httpenco1.png)
 
-
All modern browsers and servers do support it and the only thing to negotiate is the compression algorithm to use. These algorithm are optimized for text. In the 1990s, compression technology was advancing at a rapid pace and numerous successive algorithms have been added to the set of possible choices. Nowadays, only two are relevant: gzip, the most common one, and br the new challenger.

+All modern browsers and servers do support it and the only thing to negotiate is the compression algorithm to use. These algorithm are optimized for text. In the 1990s, compression technology was advancing at a rapid pace and numerous successive algorithms have been added to the set of possible choices. Nowadays, only two are relevant: `gzip`, the most common one, and `br` the new challenger.
 
-
To select the algorithm to use, browsers and servers use proactive content negotiation. The browser sends an {{HTTPHeader("Accept-Encoding")}} header with the algorithm it supports and its order of precedence, the server picks one, uses it to compress the body of the response and uses the {{HTTPHeader("Content-Encoding")}} header to tell the browser the algorithm it has chosen. As content negotiation has been used to choose a representation based on its encoding, the server must send a {{HTTPHeader("Vary")}} header containing at least {{HTTPHeader("Accept-Encoding")}} alongside this header in the response; that way, caches will be able to cache the different representations of the resource.

+To select the algorithm to use, browsers and servers use [proactive content negotiation](/en-US/docs/Web/HTTP/Content_negotiation). The browser sends an {{HTTPHeader("Accept-Encoding")}} header with the algorithm it supports and its order of precedence, the server picks one, uses it to compress the body of the response and uses the {{HTTPHeader("Content-Encoding")}} header to tell the browser the algorithm it has chosen. As content negotiation has been used to choose a representation based on its encoding, the server must send a {{HTTPHeader("Vary")}} header containing at least {{HTTPHeader("Accept-Encoding")}} alongside this header in the response; that way, caches will be able to cache the different representations of the resource.
 
-

+![](httpcompression1.png)
 
-
As compression brings significant performance improvements, it is recommended to activate it for all files, but already compressed ones like images, audio files and videos.

+As compression brings significant performance improvements, it is recommended to activate it for all files, but already compressed ones like images, audio files and videos.
 
-
Apache supports compression and uses mod_deflate; for nginx there is ngx_http_gzip_module; for IIS, the <httpCompression> element.

+Apache supports compression and uses [mod_deflate](https://httpd.apache.org/docs/current/mod/mod_deflate.html); for nginx there is [ngx_http_gzip_module](https://nginx.org/en/docs/http/ngx_http_gzip_module.html); for IIS, the [``](https://www.iis.net/configreference/system.webserver/httpcompression) element.
 
-
Hop-by-hop compression

+## Hop-by-hop compression
 
-
Hop-by-hop compression, though similar to end-to-end compression, differs by one fundamental element: the compression doesn't happen on the resource in the server, creating a specific representation that is then transmitted, but on the body of the message between any two nodes on the path between the client and the server. Connections between successive intermediate nodes may apply a different compression.

+Hop-by-hop compression, though similar to end-to-end compression, differs by one fundamental element: the compression doesn't happen on the resource in the server, creating a specific representation that is then transmitted, but on the body of the message between any two nodes on the path between the client and the server. Connections between successive intermediate nodes may apply a _different_ compression.
 
-

+![](httpte1.png)
 
-
To do this, HTTP uses a mechanism similar to the content negotiation for end-to-end compression: the node transmitting the request advertizes its will using the {{HTTPHeader("TE")}} header and the other node chooses the adequate method, applies it, and indicates its choice with the {{HTTPHeader("Transfer-Encoding")}} header.

+To do this, HTTP uses a mechanism similar to the content negotiation for end-to-end compression: the node transmitting the request advertizes its will using the {{HTTPHeader("TE")}} header and the other node chooses the adequate method, applies it, and indicates its choice with the {{HTTPHeader("Transfer-Encoding")}} header.
 
-

+![](httpcomp2.png)
 
-
In practice, hop-by-hop compression is transparent for the server and the client, and is rarely used. {{HTTPHeader("TE")}} and {{HTTPHeader("Transfer-Encoding")}} are mostly used to send a response by chunks, allowing to start transmitting a resource without knowing its length.

+In practice, hop-by-hop compression is transparent for the server and the client, and is rarely used. {{HTTPHeader("TE")}} and {{HTTPHeader("Transfer-Encoding")}} are mostly used to send a response by chunks, allowing to start transmitting a resource without knowing its length.
 
-
Note that using {{HTTPHeader("Transfer-Encoding")}} and compression at the hop level is so rare that most servers, like Apache, nginx, or IIS, have no easy way to configure it. Such configuration usually happens at the proxy level.

+Note that using {{HTTPHeader("Transfer-Encoding")}} and compression at the hop level is so rare that most servers, like Apache, nginx, or IIS, have no easy way to configure it. Such configuration usually happens at the proxy level.
diff --git a/files/en-us/web/http/conditional_requests/index.md b/files/en-us/web/http/conditional_requests/index.md
index ad2f66980c0c7dc..e02423768c11579 100644
--- a/files/en-us/web/http/conditional_requests/index.md
+++ b/files/en-us/web/http/conditional_requests/index.md
@@ -6,142 +6,134 @@ tags:
   - Guide
   - HTTP
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
HTTP has a concept of conditional requests, where the result, and even the success of a request, can be changed by comparing the affected resources with the value of a validator. Such requests can be useful to validate the content of a cache, and sparing a useless control, to verify the integrity of a document, like when resuming a download, or when preventing to lose updates when uploading or modifying a document on the server.

+HTTP has a concept of _conditional requests_, where the result, and even the success of a request, can be changed by comparing the affected resources with the value of a _validator_. Such requests can be useful to validate the content of a cache, and sparing a useless control, to verify the integrity of a document, like when resuming a download, or when preventing to lose updates when uploading or modifying a document on the server.
 
-
Principles

+## Principles
 
-
HTTP conditional requests are requests that are executed differently, depending on the value of specific headers. These headers define a precondition, and the result of the request will be different if the precondition is matched or not.

+HTTP conditional requests are requests that are executed differently, depending on the value of specific headers. These headers define a precondition, and the result of the request will be different if the precondition is matched or not.
 
-
The different behaviors are defined by the method of the request used, and by the set of headers used for a precondition:

+The different behaviors are defined by the method of the request used, and by the set of headers used for a precondition:
 
-
    
- 
  • for {{glossary("Safe/HTTP", "safe")}} methods, like {{HTTPMethod("GET")}}, which usually tries to fetch a document, the conditional request can be used to send back the document, if relevant only. Therefore, this spares bandwidth.
    • 
- 
  • for {{glossary("Safe/HTTP", "unsafe")}} methods, like {{HTTPMethod("PUT")}}, which usually uploads a document, the conditional request can be used to upload the document, only if the original it is based on is the same as that stored on the server.
    • 
-

+- for {{glossary("Safe/HTTP", "safe")}} methods, like {{HTTPMethod("GET")}}, which usually tries to fetch a document, the conditional request can be used to send back the document, if relevant only. Therefore, this spares bandwidth.
+- for {{glossary("Safe/HTTP", "unsafe")}} methods, like {{HTTPMethod("PUT")}}, which usually uploads a document, the conditional request can be used to upload the document, only if the original it is based on is the same as that stored on the server.
 
-
Validators

+## Validators
 
-
All conditional headers try to check if the resource stored on the server matches a specific version. To achieve this, the conditional requests need to indicate the version of the resource. As comparing the whole resource byte to byte is impracticable, and not always what is wanted, the request transmits a value describing the version. Such values are called validators, and are of two kinds:

+All conditional headers try to check if the resource stored on the server matches a specific version. To achieve this, the conditional requests need to indicate the version of the resource. As comparing the whole resource byte to byte is impracticable, and not always what is wanted, the request transmits a value describing the version. Such values are called _validators_, and are of two kinds:
 
-
    
- 
  • the date of last modification of the document, the last-modified date.
    • 
- 
  • an opaque string, uniquely identifying each version, called the entity tag, or the etag.
    • 
-

+- the date of last modification of the document, the _last-modified_ date.
+- an opaque string, uniquely identifying each version, called the _entity tag_, or the _etag_.
 
-
Comparing versions of the same resource is a bit tricky: depending on the context, there are two kinds of equality checks:

+Comparing versions of the same resource is a bit tricky: depending on the context, there are two kinds of _equality checks_:
 
-
    
- 
  • Strong validation is used when byte to byte identity is expected, for example when resuming a download.
    • 
- 
  • Weak validation is used when the user-agent only needs to determine if the two resources have the same content. This is even if they are minor differences; like different ads, or a footer with a different date.
    • 
-

+- _Strong validation_ is used when byte to byte identity is expected, for example when resuming a download.
+- _Weak validation_ is used when the user-agent only needs to determine if the two resources have the same content. This is even if they are minor differences; like different ads, or a footer with a different date.
 
-
The kind of validation is independent of the validator used. Both {{HTTPHeader("Last-Modified")}} and {{HTTPHeader("ETag")}} allow both types of validation, though the complexity to implement it on the server side may vary. HTTP uses strong validation by default, and it specifies when weak validation can be used.

+The kind of validation is independent of the validator used. Both {{HTTPHeader("Last-Modified")}} and {{HTTPHeader("ETag")}} allow both types of validation, though the complexity to implement it on the server side may vary. HTTP uses strong validation by default, and it specifies when weak validation can be used.
 
-
Strong validation

+### Strong validation
 
-
Strong validation consists of guaranteeing that the resource is, byte to byte, identical to the one it is compared too. This is mandatory for some conditional headers, and the default for the others. Strong validation is very strict and may be difficult to guarantee at the server level, but it does guarantee no data loss at any time, sometimes at the expense of performance.

+Strong validation consists of guaranteeing that the resource is, byte to byte, identical to the one it is compared too. This is mandatory for some conditional headers, and the default for the others. Strong validation is very strict and may be difficult to guarantee at the server level, but it does guarantee no data loss at any time, sometimes at the expense of performance.
 
-
It is quite difficult to have a unique identifier for strong validation with {{HTTPHeader("Last-Modified")}}. Often this is done using an {{HTTPHeader("ETag")}} with the MD5 hash of the resource (or a derivative).

+It is quite difficult to have a unique identifier for strong validation with {{HTTPHeader("Last-Modified")}}. Often this is done using an {{HTTPHeader("ETag")}} with the MD5 hash of the resource (or a derivative).
 
-
Weak validation

+### Weak validation
 
-
Weak validation differs from strong validation, as it considers two versions of the document as identical if the content is equivalent. For example, a page that would differ from another only by a different date in its footer, or different advertising, would be considered identical to the other with weak validation. These same two versions are considered different when using strong validation. Building a system of etags that creates weak validation may be complex, as it involves knowing the importance of the different elements of a page, but is very useful towards optimizing cache performance.

+Weak validation differs from strong validation, as it considers two versions of the document as identical if the content is equivalent. For example, a page that would differ from another only by a different date in its footer, or different advertising, would be considered _identical_ to the other with weak validation. These same two versions are considered _different_ when using strong validation. Building a system of etags that creates weak validation may be complex, as it involves knowing the importance of the different elements of a page, but is very useful towards optimizing cache performance.
 
-
Conditional headers

+## Conditional headers
 
-
Several HTTP headers, called conditional headers, lead to conditional requests. These are:

+Several HTTP headers, called conditional headers, lead to conditional requests. These are:
 
-

- 
{{HTTPHeader("If-Match")}}

- 
Succeeds if the {{HTTPHeader("ETag")}} of the distant resource is equal to one listed in this header. By default, unless the etag is prefixed with 'W/', it performs a strong validation.

- 
{{HTTPHeader("If-None-Match")}}

- 
Succeeds if the {{HTTPHeader("ETag")}} of the distant resource is different to each listed in this header. By default, unless the etag is prefixed with 'W/', it performs a strong validation.

- 
{{HTTPHeader("If-Modified-Since")}}

- 
Succeeds if the {{HTTPHeader("Last-Modified")}} date of the distant resource is more recent than the one given in this header.

- 
{{HTTPHeader("If-Unmodified-Since")}}

- 
Succeeds if the {{HTTPHeader("Last-Modified")}} date of the distant resource is older or the same than the one given in this header.

- 
{{HTTPHeader("If-Range")}}

- 
Similar to {{HTTPHeader("If-Match")}}, or {{HTTPHeader("If-Unmodified-Since")}}, but can have only one single etag, or one date. If it fails, the range request fails, and instead of a {{HTTPStatus("206")}} Partial Content response, a {{HTTPStatus("200")}} OK is sent with the complete resource.

-

+- {{HTTPHeader("If-Match")}}
+  - : Succeeds if the {{HTTPHeader("ETag")}} of the distant resource is equal to one listed in this header. By default, unless the etag is prefixed with `'W/'`, it performs a strong validation.
+- {{HTTPHeader("If-None-Match")}}
+  - : Succeeds if the {{HTTPHeader("ETag")}} of the distant resource is different to each listed in this header. By default, unless the etag is prefixed with `'W/'`, it performs a strong validation.
+- {{HTTPHeader("If-Modified-Since")}}
+  - : Succeeds if the {{HTTPHeader("Last-Modified")}} date of the distant resource is more recent than the one given in this header.
+- {{HTTPHeader("If-Unmodified-Since")}}
+  - : Succeeds if the {{HTTPHeader("Last-Modified")}} date of the distant resource is older or the same than the one given in this header.
+- {{HTTPHeader("If-Range")}}
+  - : Similar to {{HTTPHeader("If-Match")}}, or {{HTTPHeader("If-Unmodified-Since")}}, but can have only one single etag, or one date. If it fails, the range request fails, and instead of a {{HTTPStatus("206")}} `Partial Content` response, a {{HTTPStatus("200")}} `OK` is sent with the complete resource.
 
-
Use cases

+## Use cases
 
-
Cache update

+### Cache update
 
-
The most common use case for conditional requests is updating a cache. With an empty cache, or without a cache, the requested resource is sent back with a status of {{HTTPStatus("200")}} OK.

+The most common use case for conditional requests is updating a cache. With an empty cache, or without a cache, the requested resource is sent back with a status of {{HTTPStatus("200")}} `OK`.
 
-
The request issued when the cache is empty triggers the resource to be downloaded, with both validator value sent as headers. The cache is then filled.

+![The request issued when the cache is empty triggers the resource to be downloaded, with both validator value sent as headers. The cache is then filled.](cache1.png)
 
-
Together with the resource, the validators are sent in the headers. In this example, both {{HTTPHeader("Last-Modified")}} and {{HTTPHeader("ETag")}} are sent, but it could equally have been only one of them. These validators are cached with the resource (like all headers) and will be used to craft conditional requests, once the cache becomes stale.

+Together with the resource, the validators are sent in the headers. In this example, both {{HTTPHeader("Last-Modified")}} and {{HTTPHeader("ETag")}} are sent, but it could equally have been only one of them. These validators are cached with the resource (like all headers) and will be used to craft conditional requests, once the cache becomes stale.
 
-
As long as the cache is not stale, no requests are issued at all. But once it has become stale, this is mostly controlled by the {{HTTPHeader("Cache-Control")}} header, the client doesn't use the cached value directly but issues a conditional request. The value of the validator is used as a parameter of the {{HTTPHeader("If-Modified-Since")}} and {{HTTPHeader("If-Match")}} headers.

+As long as the cache is not stale, no requests are issued at all. But once it has become stale, this is mostly controlled by the {{HTTPHeader("Cache-Control")}} header, the client doesn't use the cached value directly but issues a _conditional request_. The value of the validator is used as a parameter of the {{HTTPHeader("If-Modified-Since")}} and {{HTTPHeader("If-Match")}} headers.
 
-
If the resource has not changed, the server sends back a {{HTTPStatus("304")}} Not Modified response. This makes the cache fresh again, and the client uses the cached resource. Although there is a response/request round-trip that consumes some resources, this is more efficient than to transmit the whole resource over the wire again.

+If the resource has not changed, the server sends back a {{HTTPStatus("304")}} `Not Modified` response. This makes the cache fresh again, and the client uses the cached resource. Although there is a response/request round-trip that consumes some resources, this is more efficient than to transmit the whole resource over the wire again.
 
-
With a stale cache, the conditional request is sent. The server can determine if the resource changed, and, as in this case, decide not to send it again as it is the same.

+![With a stale cache, the conditional request is sent. The server can determine if the resource changed, and, as in this case, decide not to send it again as it is the same.](httpcache2.png)
 
-
If the resource has changed, the server just sends back a {{HTTPStatus("200")}} OK response, with the new version of the resource, like if the request wasn't conditional and the client uses this new resource (and caches it).

+If the resource has changed, the server just sends back a {{HTTPStatus("200")}}` OK` response, with the new version of the resource, like if the request wasn't conditional and the client uses this new resource (and caches it).
 
-
In the case where the resource was changed, it is sent back as if the request wasn't conditional.

+![In the case where the resource was changed, it is sent back as if the request wasn't conditional.](httpcache3.png)
 
-
Besides the setting of the validators on the server side, this mechanism is transparent: all browsers manage a cache and send such conditional requests without any special work to be done by Web developers.

+Besides the setting of the validators on the server side, this mechanism is transparent: all browsers manage a cache and send such conditional requests without any special work to be done by Web developers.
 
-
Integrity of a partial download

+### Integrity of a partial download
 
-
Partial downloading of files is a functionality of HTTP that allows to resume previous operations, saving bandwidth and time, by keeping the already obtained information:

+Partial downloading of files is a functionality of HTTP that allows to resume previous operations, saving bandwidth and time, by keeping the already obtained information:
 
-
A download has been stopped and only partial content has been retrieved.

+![A download has been stopped and only partial content has been retrieved.](httpresume1.png)
 
-
A server supporting partial downloads broadcasts this by sending the {{HTTPHeader("Accept-Ranges")}} header. Once this happens, the client can resume a download by sending a {{HTTPHeader("Ranges")}} header with the missing ranges:

+A server supporting partial downloads broadcasts this by sending the {{HTTPHeader("Accept-Ranges")}} header. Once this happens, the client can resume a download by sending a {{HTTPHeader("Ranges")}} header with the missing ranges:
 
-
The client resumes the requests by indicating the range he needs and preconditions checking the validators of the partially obtained request.

+![The client resumes the requests by indicating the range he needs and preconditions checking the validators of the partially obtained request.](httpresume2.png)
 
-
The principle is simple, but there is one potential problem: if the downloaded resource has been modified between both downloads, the obtained ranges will correspond to two different versions of the resource, and the final document will be corrupted.

+The principle is simple, but there is one potential problem: if the downloaded resource has been modified between both downloads, the obtained ranges will correspond to two different versions of the resource, and the final document will be corrupted.
 
-
To prevent this, conditional requests are used. For ranges, there are two ways of doing this. The more flexible one makes use of {{HTTPHeader("If-Unmodified-Since")}} and {{HTTPHeader("If-Match")}} and the server returns an error if the precondition fails; the client then restarts the download from the beginning:

+To prevent this, conditional requests are used. For ranges, there are two ways of doing this. The more flexible one makes use of {{HTTPHeader("If-Unmodified-Since")}} and {{HTTPHeader("If-Match")}} and the server returns an error if the precondition fails; the client then restarts the download from the beginning:
 
-
When the partially downloaded resource has been modified, the preconditions will fail and the resource will have to be downloaded again completely.

+![When the partially downloaded resource has been modified, the preconditions will fail and the resource will have to be downloaded again completely.](httpresume3.png)
 
-
Even if this method works, it adds an extra response/request exchange when the document has been changed. This impairs performance, and HTTP has a specific header to avoid this scenario: {{HTTPHeader("If-Range")}}:

+Even if this method works, it adds an extra response/request exchange when the document has been changed. This impairs performance, and HTTP has a specific header to avoid this scenario: {{HTTPHeader("If-Range")}}:
 
-
The If-Range headers allows the server to directly send back the complete resource if it has been modified, no need to send a 412 error and wait for the client to re-initiate the download.

+![The If-Range headers allows the server to directly send back the complete resource if it has been modified, no need to send a 412 error and wait for the client to re-initiate the download.](httpresume4.png)
 
-
This solution is more efficient, but slightly less flexible, as only one etag can be used in the condition. Rarely is such additional flexibility needed.

+This solution is more efficient, but slightly less flexible, as only one etag can be used in the condition. Rarely is such additional flexibility needed.
 
-
Avoiding the lost update problem with optimistic locking

+### Avoiding the lost update problem with optimistic locking
 
-
A common operation in Web applications is to update a remote document. This is very common in any file system or source control applications, but any application that allows to store remote resources needs such a mechanism. Common Web sites, like wikis and other CMS, have such a need.

+A common operation in Web applications is to _update_ a remote document. This is very common in any file system or source control applications, but any application that allows to store remote resources needs such a mechanism. Common Web sites, like wikis and other CMS, have such a need.
 
-
With the {{HTTPMethod("PUT")}} method you are able to implement this. The client first reads the original files, modifies them, and finally pushes them to the server:

+With the {{HTTPMethod("PUT")}} method you are able to implement this. The client first reads the original files, modifies them, and finally pushes them to the server:
 
-
Updating a file with a PUT is very simple when concurrency is not involved.

+![Updating a file with a PUT is very simple when concurrency is not involved.](httplock1.png)
 
-
Unfortunately, things get a little inaccurate as soon as we take into account concurrency. While a client is locally modifying its new copy of the resource, a second client can fetch the same resource and do the same on its copy. What happens next is very unfortunate: when they commit back to the server, the modifications from the first client are discarded by the next client push, as this second client is unaware of the first client's changes to the resource. The decision on who wins, is not communicated to the other party. Which client's changes are to be kept, will vary with the speed they commit; this depends on the performance of the clients, of the server, and even of the human editing the document at the client. The winner will change from one time to the next. This is a {{glossary("race condition")}} and leads to problematic behaviors, which are difficult to detect and to debug:

+Unfortunately, things get a little inaccurate as soon as we take into account concurrency. While a client is locally modifying its new copy of the resource, a second client can fetch the same resource and do the same on its copy. What happens next is very unfortunate: when they commit back to the server, the modifications from the first client are discarded by the next client push, as this second client is unaware of the first client's changes to the resource. The decision on who wins, is not communicated to the other party. Which client's changes are to be kept, will vary with the speed they commit; this depends on the performance of the clients, of the server, and even of the human editing the document at the client. The winner will change from one time to the next. This is a {{glossary("race condition")}} and leads to problematic behaviors, which are difficult to detect and to debug:
 
-
When several clients update the same resource in parallel, we are facing a race condition: the slowest win, and the others don't even know they lost. Problematic!

+![When several clients update the same resource in parallel, we are facing a race condition: the slowest win, and the others don't even know they lost. Problematic!](httplock2.png)
 
-
There is no way to deal with this problem without annoying one of the two clients. However, lost updates and race conditions are to be avoided. We want predictable results, and expect that the clients are notified when their changes are rejected.

+There is no way to deal with this problem without annoying one of the two clients. However, lost updates and race conditions are to be avoided. We want predictable results, and expect that the clients are notified when their changes are rejected.
 
-
Conditional requests allow implementing the optimistic locking algorithm (used by most wikis or source control systems). The concept is to allow all clients to get copies of the resource, then let them modify it locally, controlling concurrency by successfully allowing the first client submitting an update. All subsequent updates, based on the now obsolete version of the resource, are rejected:

+Conditional requests allow implementing the _optimistic locking algorithm_ (used by most wikis or source control systems). The concept is to allow all clients to get copies of the resource, then let them modify it locally, controlling concurrency by successfully allowing the first client submitting an update. All subsequent updates, based on the now obsolete version of the resource, are rejected:
 
-
Conditional requests allow to implement optimistic locking: now the quickest wins, and the others get an error.

+![Conditional requests allow to implement optimistic locking: now the quickest wins, and the others get an error.](httplock3.png)
 
-
This is implemented using the {{HTTPHeader("If-Match")}} or {{HTTPHeader("If-Unmodified-Since")}} headers. If the etag doesn't match the original file, or if the file has been modified since it has been obtained, the change is rejected with a {{HTTPStatus("412")}} Precondition Failed error. It is then up to the client to deal with the error: either by notifying the user to start again (this time on the newest version), or by showing the user a diff of both versions, helping them decide which changes they wish to keep.

+This is implemented using the {{HTTPHeader("If-Match")}} or {{HTTPHeader("If-Unmodified-Since")}} headers. If the etag doesn't match the original file, or if the file has been modified since it has been obtained, the change is rejected with a {{HTTPStatus("412")}} `Precondition Failed` error. It is then up to the client to deal with the error: either by notifying the user to start again (this time on the newest version), or by showing the user a _diff_ of both versions, helping them decide which changes they wish to keep.
 
-
Dealing with the first upload of a resource

+### Dealing with the first upload of a resource
 
-
The first upload of a resource is an edge case of the previous. Like any update of a resource, it is subject to a race condition if two clients try to perform at the similar times. To prevent this, conditional requests can be used: by adding {{HTTPHeader("If-None-Match")}} with the special value of '*', representing any etag. The request will succeed, only if the resource didn't exist before:

+The first upload of a resource is an edge case of the previous. Like any update of a resource, it is subject to a race condition if two clients try to perform at the similar times. To prevent this, conditional requests can be used: by adding {{HTTPHeader("If-None-Match")}} with the special value of `'*'`, representing any etag. The request will succeed, only if the resource didn't exist before:
 
-
Like for a regular upload, the first upload of a resource is subject to a race condition: If-None-Match can prevent it.

+![Like for a regular upload, the first upload of a resource is subject to a race condition: If-None-Match can prevent it.](httpfirst.png)
 
-
If-None-Match will only work with HTTP/1.1 (and later) compliant servers. If unsure if the server will be compliant, you need first to issue a {{HTTPMethod("HEAD")}} request to the resource to check this.

+`If-None-Match` will only work with HTTP/1.1 (and later) compliant servers. If unsure if the server will be compliant, you need first to issue a {{HTTPMethod("HEAD")}} request to the resource to check this.
 
-
Conclusion

+## Conclusion
 
-
Conditional requests are a key feature of HTTP, and allow the building of efficient and complex applications. For caching or resuming downloads, the only work required for webmasters is to configure the server correctly; setting correct etags in some environments can be tricky. Once achieved, the browser will serve the expected conditional requests.

+Conditional requests are a key feature of HTTP, and allow the building of efficient and complex applications. For caching or resuming downloads, the only work required for webmasters is to configure the server correctly; setting correct etags in some environments can be tricky. Once achieved, the browser will serve the expected conditional requests.
 
-
For locking mechanisms, it is the opposite: Web developers need to issue a request with the proper headers, while webmasters can mostly rely on the application to carry out the checks for them.

+For locking mechanisms, it is the opposite: Web developers need to issue a request with the proper headers, while webmasters can mostly rely on the application to carry out the checks for them.
 
-
In both cases it's clear, conditional requests are a fundamental feature behind the Web.

+In both cases it's clear, conditional requests are a fundamental feature behind the Web.
diff --git a/files/en-us/web/http/configuring_servers_for_ogg_media/index.md b/files/en-us/web/http/configuring_servers_for_ogg_media/index.md
index ba76d6e2af3b321..ea9d1d65ad3bbc5 100644
--- a/files/en-us/web/http/configuring_servers_for_ogg_media/index.md
+++ b/files/en-us/web/http/configuring_servers_for_ogg_media/index.md
@@ -8,114 +8,105 @@ tags:
   - Ogg
   - Video
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
HTML {{HTMLElement("audio")}} and {{HTMLElement("video")}} elements allow media presentation without the need for the user to install any plug-ins or other software to do so.
-  This guide covers a few server configuration changes that may be necessary for your web server to correctly serve Ogg media files.
-  This information may also be useful if you encounter other media types your server isn't already configured to recognize.

+HTML {{HTMLElement("audio")}} and {{HTMLElement("video")}} elements allow media presentation without the need for the user to install any plug-ins or other software to do so.
+This guide covers a few server configuration changes that may be necessary for your web server to correctly serve Ogg media files.
+This information may also be useful if you encounter other media types your server isn't already configured to recognize.
 
-
Serve media with the correct MIME type

+## Serve media with the correct MIME type
 
-
*.ogg and *.ogv files containing video (possibly with an audio track as well, of course), should be served with the video/ogg MIME type. *.oga and *.ogg files containing only audio should be served with the audio/ogg MIME type.

+`*.ogg` and `*.ogv` files containing video (possibly with an audio track as well, of course), should be served with the `video/ogg` MIME type. `*.oga` and `*.ogg` files containing only audio should be served with the `audio/ogg` MIME type.
 
-
If you don't know whether the Ogg file contains audio or video, you can serve it with the MIME type application/ogg, and the browser will treat it as a video file.

+If you don't know whether the Ogg file contains audio or video, you can serve it with the MIME type `application/ogg`, and the browser will treat it as a video file.
 
-
Most servers don't by default serve Ogg media with the correct MIME types, so you'll likely need to add the appropriate configuration for this.

+Most servers don't by default serve Ogg media with the correct MIME types, so you'll likely need to add the appropriate configuration for this.
 
-
For Apache, you can add the following to your configuration:

+For Apache, you can add the following to your configuration:
 
-
AddType audio/ogg .oga
-AddType video/ogg .ogv
-AddType application/ogg .ogg
-

+    AddType audio/ogg .oga
+    AddType video/ogg .ogv
+    AddType application/ogg .ogg
 
-
You can find specific information about possible media file types and the codecs used within them in our comprehensive guide to media types and formats on the web. In particular, the article on media container formats will be especially helpful when configuring servers to host media properly.

+You can find specific information about possible media file types and the codecs used within them in our comprehensive [guide to media types and formats on the web](/en-US/docs/Web/Media/Formats). In particular, the article on [media container formats](/en-US/docs/Web/Media/Formats/Containers) will be especially helpful when configuring servers to host media properly.
 
-
Handle HTTP 1.1 byte range requests correctly

+## Handle HTTP 1.1 byte range requests correctly
 
-
In order to support seeking and playing back regions of the media that aren't yet downloaded, Gecko uses HTTP 1.1 byte-range requests to retrieve the media from the seek target position. In addition, Gecko uses byte-range requests to seek to the end of the media (assuming you serve the {{HTTPHeader("Content-Length")}} header) in order to determine the duration of the media.

+In order to support seeking and playing back regions of the media that aren't yet downloaded, Gecko uses HTTP 1.1 byte-range requests to retrieve the media from the seek target position. In addition, Gecko uses byte-range requests to seek to the end of the media (assuming you serve the {{HTTPHeader("Content-Length")}} header) in order to determine the duration of the media.
 
-
Your server should accept the {{HTTPHeader("Accept-Ranges")}}: bytes HTTP header if it can accept byte-range requests. It must return {{HTTPStatus("206")}}: Partial content to all byte range requests; otherwise, browsers can't be sure you actually support byte range requests.

+Your server should accept the {{HTTPHeader("Accept-Ranges")}}`: bytes` HTTP header if it can accept byte-range requests. It must return {{HTTPStatus("206")}}`: Partial content` to all byte range requests; otherwise, browsers can't be sure you actually support byte range requests.
 
-
Your server must also return 206: Partial Content for the request Range: bytes=0- as well.

+Your server must also return `206: Partial Content` for the request `Range: bytes=0-` as well.
 
-
Include regular key frames

+## Include regular key frames
 
-
When the browser seeks through Ogg media to a specified time, it has to seek to the nearest key frame before the seek target, then download and decode the video from there until the requested target time. The farther apart your key frames are, the longer this takes, so it's helpful to include key frames at regular intervals.

+When the browser seeks through Ogg media to a specified time, it has to seek to the nearest key frame before the seek target, then download and decode the video from there until the requested target time. The farther apart your key frames are, the longer this takes, so it's helpful to include key frames at regular intervals.
 
-
By default, ffmpeg2theora uses one key frame every 64 frames (or about every 2 seconds at 30 frames per second), which works pretty well.

+By default, [`ffmpeg2theora`](https://v2v.cc/~j/ffmpeg2theora/) uses one key frame every 64 frames (or about every 2 seconds at 30 frames per second), which works pretty well.
 
-

-  
Note: Of course, the more key frames you use, the larger your video file is, so you may need to experiment a bit to get the right balance between file size and seek performance.

-

+> **Note:** Of course, the more key frames you use, the larger your video file is, so you may need to experiment a bit to get the right balance between file size and seek performance.
 
-
Consider using the preload attribute

+## Consider using the preload attribute
 
-
The HTML {{HTMLElement("audio")}} and {{HTMLElement("video")}} elements provide the preload attribute, which tells the browser to attempt to download the entire media when the page loads. Without preload, the browser only downloads enough of the media to display the first video frame, and to determine the media's duration.

+The HTML {{HTMLElement("audio")}} and {{HTMLElement("video")}} elements provide the `preload` attribute, which tells the browser to attempt to download the entire media when the page loads. Without `preload`, the browser only downloads enough of the media to display the first video frame, and to determine the media's duration.
 
-
preload is off by default, so if getting to video is the point of your web page, your users may appreciate it if you include preload in your video elements. using preload="metadata" will preload the media file's metadata and possibly the first few frames of video. Setting payload to auto tells the browser to automatically begin downloading the media as soon as the page is loaded, under the assumption that the user will play it.

+`preload` is off by default, so if getting to video is the point of your web page, your users may appreciate it if you include `preload` in your video elements. using `preload="metadata"` will preload the media file's metadata and possibly the first few frames of video. Setting `payload` to `auto` tells the browser to automatically begin downloading the media as soon as the page is loaded, under the assumption that the user will play it.
 
-
Configuration for older Firefox versions

+## Configuration for older Firefox versions
 
-
Serve X-Content-Duration headers

+### Serve X-Content-Duration headers
 
-

-  
Note: As of Firefox 41, the X-Content-Duration header is no longer supported. See {{Bug(1160695)}} for more details.

-

+> **Note:** As of [Firefox 41](/en-US/docs/Mozilla/Firefox/Releases/41), the `X-Content-Duration` header is no longer supported. See {{Bug(1160695)}} for more details.
 
-
The Ogg format doesn't encapsulate the duration of media, so for the progress bar on the video controls to display the duration of the video, Gecko needs to determine the length of the media using other means.

+The Ogg format doesn't encapsulate the duration of media, so for the progress bar on the video controls to display the duration of the video, Gecko needs to determine the length of the media using other means.
 
-
There are two ways Gecko can do this. The best way is to offer an X-Content-Duration header when serving Ogg media files. This header provides the duration of the video in seconds (not in HH:MM:SS format) as a floating-point value.

+There are two ways Gecko can do this. The best way is to offer an `X-Content-Duration` header when serving Ogg media files. This header provides the duration of the video in seconds (**not** in HH:MM:SS format) as a floating-point value.
 
-
For example, if the video is 1 minute and 32.6 seconds long, this header would be:

+For example, if the video is 1 minute and 32.6 seconds long, this header would be:
 
-
X-Content-Duration: 92.6
-

+    X-Content-Duration: 92.6
 
-
If your server provides the X-Content-Duration header when serving Ogg media, Gecko doesn't have to do any extra HTTP requests to seek to the end of the file to calculate its duration. This makes the entire process much more efficient as well as more accurate.

+If your server provides the `X-Content-Duration` header when serving Ogg media, Gecko doesn't have to do any extra HTTP requests to seek to the end of the file to calculate its duration. This makes the entire process much more efficient as well as more accurate.
 
-
As an inferior alternative, Gecko can estimate the video length based on the Content-Length. See next point.

+As an inferior alternative, Gecko can estimate the video length based on the Content-Length. See next point.
 
-
Don't use HTTP compression for media files

+### Don't use HTTP compression for media files
 
-
One common way to reduce the load on a web server is to use gzip or deflate compression when serving to a supporting web browser.

+One common way to reduce the load on a web server is to use [gzip or deflate compression](https://betterexplained.com/articles/how-to-optimize-your-site-with-gzip-compression/) when serving to a supporting web browser.
 
-
Although it's unlikely, it's possible the browser may advertise that it supports HTTP compression (gzip/deflate) using the Accept-Encoding: gzip,deflate header when requesting media files. Your server should be configured to not do so. The data in media files is already compressed, so you won't get any real benefit from compression, and the use of compression makes it impossible for the browser to properly seek the video or determine its duration.

+Although it's unlikely, it's possible the browser may advertise that it supports HTTP compression (gzip/deflate) using the `Accept-Encoding: gzip,deflate` header when requesting media files. Your server should be configured to not do so. The data in media files is already compressed, so you won't get any real benefit from compression, and the use of compression makes it impossible for the browser to properly seek the video or determine its duration.
 
-
Another probelm with allowing HTTP compression for media streaming: Apache servers don't send the {{HTTPHeader("Content-Length")}} response header if gzip encoding is used.

+Another probelm with allowing HTTP compression for media streaming: Apache servers don't send the {{HTTPHeader("Content-Length")}} response header if gzip encoding is used.
 
-
Getting the duration of Ogg media

+### Getting the duration of Ogg media
 
-
You can use the oggz-info tool to get the media duration; this tool is included with the oggz-tools package. The output from oggz-info looks like this:

+You can use the `oggz-info` tool to get the media duration; this tool is included with the [`oggz-tools`](https://www.xiph.org/oggz/) package. The output from `oggz-info` looks like this:
 
-
 $ oggz-info /g/media/bruce_vs_ironman.ogv
- Content-Duration: 00:01:00.046
+     $ oggz-info /g/media/bruce_vs_ironman.ogv
+     Content-Duration: 00:01:00.046
 
- Skeleton: serialno 1976223438
-         4 packets in 3 pages, 1.3 packets/page, 27.508% Ogg overhead
-         Presentation-Time: 0.000
-         Basetime: 0.000
+     Skeleton: serialno 1976223438
+             4 packets in 3 pages, 1.3 packets/page, 27.508% Ogg overhead
+             Presentation-Time: 0.000
+             Basetime: 0.000
 
- Theora: serialno 0170995062
-         1790 packets in 1068 pages, 1.7 packets/page, 1.049% Ogg overhead
-         Video-Framerate: 29.983 fps
-         Video-Width: 640
-         Video-Height: 360
+     Theora: serialno 0170995062
+             1790 packets in 1068 pages, 1.7 packets/page, 1.049% Ogg overhead
+             Video-Framerate: 29.983 fps
+             Video-Width: 640
+             Video-Height: 360
 
- Vorbis: serialno 0708996688
-         4531 packets in 167 pages, 27.1 packets/page, 1.408% Ogg overhead
-         Audio-Samplerate: 44100 Hz
-         Audio-Channels: 2
-

+     Vorbis: serialno 0708996688
+             4531 packets in 167 pages, 27.1 packets/page, 1.408% Ogg overhead
+             Audio-Samplerate: 44100 Hz
+             Audio-Channels: 2
 
-
Note that you can't serve up the reported Content-Duration line reported by oggz-info, because it's reported in HH:MM:SS format. You'll need to convert it to seconds only, then serve that as your X-Content-Duration value. Just parse out the HH, MM, and SS into numbers, then do (HH*3600)+(MM*60)+SS to get the value you should report.

+Note that you can't serve up the reported Content-Duration line reported by `oggz-info`, because it's reported in HH:MM:SS format. You'll need to convert it to seconds only, then serve that as your `X-Content-Duration` value. Just parse out the HH, MM, and SS into numbers, then do (HH\*3600)+(MM\*60)+SS to get the value you should report.
 
-
It's important to note that it appears that oggz-info makes a read pass of the media in order to calculate its duration, so it's a good idea to store the duration value in order to avoid lengthy delays while the value is calculated for every HTTP request of your Ogg media.

+It's important to note that it appears that `oggz-info` makes a read pass of the media in order to calculate its duration, so it's a good idea to store the duration value in order to avoid lengthy delays while the value is calculated for every HTTP request of your Ogg media.
 
-
See also

+## See also
 
-
+- [Guide to media types and formats on the web](/en-US/docs/Web/Media/Formats)
+- [Video and audio content](/en-US/docs/Learn/HTML/Multimedia_and_embedding/Video_and_audio_content)
+- [The "codecs" parameter in common media types](/en-US/docs/Web/Media/Formats/codecs_parameter)
diff --git a/files/en-us/web/http/connection_management_in_http_1.x/index.md b/files/en-us/web/http/connection_management_in_http_1.x/index.md
index 5ad27d9fa4288b7..97dd861c7dcfcd0 100644
--- a/files/en-us/web/http/connection_management_in_http_1.x/index.md
+++ b/files/en-us/web/http/connection_management_in_http_1.x/index.md
@@ -9,82 +9,74 @@ tags:
   - Performance
   - WebMechanics
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Connection management is a key topic in HTTP: opening and maintaining connections largely impacts the performance of Web sites and Web applications. In HTTP/1.x, there are several models: short-lived connections, persistent connections, and HTTP pipelining. 

+Connection management is a key topic in HTTP: opening and maintaining connections largely impacts the performance of Web sites and Web applications. In HTTP/1.x, there are several models: _short-lived connections_, _persistent connections_, and _HTTP pipelining._
 
-
HTTP mostly relies on TCP for its transport protocol, providing a connection between the client and the server. In its infancy, HTTP used a single model to handle such connections. These connections were short-lived: a new one created each time a request needed sending, and closed once the answer had been received.

+HTTP mostly relies on TCP for its transport protocol, providing a connection between the client and the server. In its infancy, HTTP used a single model to handle such connections. These connections were short-lived: a new one created each time a request needed sending, and closed once the answer had been received.
 
-
This simple model held an innate limitation on performance: opening each TCP connection is a resource-consuming operation. Several messages must be exchanged between the client and the server. Network latency and bandwidth affect performance when a request needs sending. Modern Web pages require many requests (a dozen or more) to serve the amount of information needed, proving this earlier model inefficient.

+This simple model held an innate limitation on performance: opening each TCP connection is a resource-consuming operation. Several messages must be exchanged between the client and the server. Network latency and bandwidth affect performance when a request needs sending. Modern Web pages require many requests (a dozen or more) to serve the amount of information needed, proving this earlier model inefficient.
 
-
Two newer models were created in HTTP/1.1. The persistent-connection model keeps connections opened between successive requests, reducing the time needed to open new connections. The HTTP pipelining model goes one step further, by sending several successive requests without even waiting for an answer, reducing much of the latency in the network.

+Two newer models were created in HTTP/1.1. The persistent-connection model keeps connections opened between successive requests, reducing the time needed to open new connections. The HTTP pipelining model goes one step further, by sending several successive requests without even waiting for an answer, reducing much of the latency in the network.
 
-
Compares the performance of the three HTTP/1.x connection models: short-lived connections, persistent connections, and HTTP pipelining.

+![Compares the performance of the three HTTP/1.x connection models: short-lived connections, persistent connections, and HTTP pipelining.](http1_x_connections.png)
 
-

-  
Note: HTTP/2 adds additional models for connection management.

-

+> **Note:** HTTP/2 adds additional models for connection management.
 
-
It's important point to note that connection management in HTTP applies to the connection between two consecutive nodes, which is hop-by-hop and not end-to-end. The model used in connections between a client and its first proxy may differ from the model between a proxy and the destination server (or any intermediate proxies). The HTTP headers involved in defining the connection model, like {{HTTPHeader("Connection")}} and {{HTTPHeader("Keep-Alive")}}, are hop-by-hop headers with their values able to be changed by intermediary nodes.

+It's important point to note that connection management in HTTP applies to the connection between two consecutive nodes, which is [hop-by-hop](/en-US/docs/Web/HTTP/Headers#hbh) and not [end-to-end](/en-US/docs/Web/HTTP/Headers#e2e). The model used in connections between a client and its first proxy may differ from the model between a proxy and the destination server (or any intermediate proxies). The HTTP headers involved in defining the connection model, like {{HTTPHeader("Connection")}} and {{HTTPHeader("Keep-Alive")}}, are [hop-by-hop](/en-US/docs/Web/HTTP/Headers#hbh) headers with their values able to be changed by intermediary nodes.
 
-
A related topic is the concept of HTTP connection upgrades, wherein an HTTP/1.1 connection is upgraded to a different protocol, such as TLS/1.0, WebSocket, or even HTTP/2 in cleartext. This protocol upgrade mechanism is documented in more detail elsewhere.

+A related topic is the concept of HTTP connection upgrades, wherein an HTTP/1.1 connection is upgraded to a different protocol, such as TLS/1.0, WebSocket, or even HTTP/2 in cleartext. This [protocol upgrade mechanism](/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism) is documented in more detail elsewhere.
 
-
Short-lived connections

+## Short-lived connections
 
-
The original model of HTTP, and the default one in HTTP/1.0, is short-lived connections. Each HTTP request is completed on its own connection; this means a TCP handshake happens before each HTTP request, and these are serialized.

+The original model of HTTP, and the default one in HTTP/1.0, is _short-lived connections_. Each HTTP request is completed on its own connection; this means a TCP handshake happens before each HTTP request, and these are serialized.
 
-
The TCP handshake itself is time-consuming, but a TCP connection adapts to its load, becoming more efficient with more sustained (or warm) connections. Short-lived connections do not make use of this efficiency feature of TCP, and performance degrades from optimum by persisting to transmit over a new, cold connection.

+The TCP handshake itself is time-consuming, but a TCP connection adapts to its load, becoming more efficient with more sustained (or warm) connections. Short-lived connections do not make use of this efficiency feature of TCP, and performance degrades from optimum by persisting to transmit over a new, cold connection.
 
-
This model is the default model used in HTTP/1.0 (if there is no {{HTTPHeader("Connection")}} header, or if its value is set to close). In HTTP/1.1, this model is only used when the {{HTTPHeader("Connection")}} header is sent with a value of close.

+This model is the default model used in HTTP/1.0 (if there is no {{HTTPHeader("Connection")}} header, or if its value is set to `close`). In HTTP/1.1, this model is only used when the {{HTTPHeader("Connection")}} header is sent with a value of `close`.
 
-

-  
Note: Unless dealing with a very old system, which doesn't support a persistent connection, there is no compelling reason to use this model.

-

+> **Note:** Unless dealing with a very old system, which doesn't support a persistent connection, there is no compelling reason to use this model.
 
-
Persistent connections

+## Persistent connections
 
-
Short-lived connections have two major hitches: the time taken to establish a new connection is significant, and performance of the underlying TCP connection gets better only when this connection has been in use for some time (warm connection). To ease these problems, the concept of a persistent connection has been designed, even prior to HTTP/1.1. Alternatively this may be called a keep-alive connection.

+Short-lived connections have two major hitches: the time taken to establish a new connection is significant, and performance of the underlying TCP connection gets better only when this connection has been in use for some time (warm connection). To ease these problems, the concept of a _persistent connection_ has been designed, even prior to HTTP/1.1. Alternatively this may be called a _keep-alive connection_.
 
-
A persistent connection is one which remains open for a period of time, and can be reused for several requests, saving the need for a new TCP handshake, and utilizing TCP's performance enhancing capabilities. This connection will not stay open forever: idle connections are closed after some time (a server may use the {{HTTPHeader("Keep-Alive")}} header to specify a minimum time the connection should be kept open).

+A persistent connection is one which remains open for a period of time, and can be reused for several requests, saving the need for a new TCP handshake, and utilizing TCP's performance enhancing capabilities. This connection will not stay open forever: idle connections are closed after some time (a server may use the {{HTTPHeader("Keep-Alive")}} header to specify a minimum time the connection should be kept open).
 
-
Persistent connections also have drawbacks; even when idling they consume server resources, and under heavy load, {{glossary("DoS attack", "DoS attacks")}} can be conducted. In such cases, using non-persistent connections, which are closed as soon as they are idle, can provide better performance.

+Persistent connections also have drawbacks; even when idling they consume server resources, and under heavy load, {{glossary("DoS attack", "DoS attacks")}} can be conducted. In such cases, using non-persistent connections, which are closed as soon as they are idle, can provide better performance.
 
-
HTTP/1.0 connections are not persistent by default. Setting {{HTTPHeader("Connection")}} to anything other than close, usually retry-after, will make them persistent.

+HTTP/1.0 connections are not persistent by default. Setting {{HTTPHeader("Connection")}} to anything other than `close`, usually `retry-after`, will make them persistent.
 
-
In HTTP/1.1, persistence is the default, and the header is no longer needed (but it is often added as a defensive measure against cases requiring a fallback to HTTP/1.0).

+In HTTP/1.1, persistence is the default, and the header is no longer needed (but it is often added as a defensive measure against cases requiring a fallback to HTTP/1.0).
 
-
HTTP pipelining

+## HTTP pipelining
 
-

-  
Note: HTTP pipelining is not activated by default in modern browsers:

-  
    
-    
  • Buggy proxies are still common and these lead to strange and erratic behaviors that Web developers cannot foresee and diagnose easily.
    • 
-    
  • Pipelining is complex to implement correctly: the size of the resource being transferred, the effective RTT that will be used, as well as the effective bandwidth, have a direct incidence on the improvement provided by the pipeline. Without knowing these, important messages may be delayed behind unimportant ones. The notion of important even evolves during page layout! HTTP pipelining therefore brings a marginal improvement in most cases only.
    • 
-    
  • Pipelining is subject to the HOL problem.
    • 
-  

-  
For these reasons, pipelining has been superseded by a better algorithm, multiplexing, that is used by HTTP/2.

-

+> **Note:** HTTP pipelining is not activated by default in modern browsers:
+>
+> - Buggy [proxies](https://en.wikipedia.org/wiki/Proxy_server) are still common and these lead to strange and erratic behaviors that Web developers cannot foresee and diagnose easily.
+> - Pipelining is complex to implement correctly: the size of the resource being transferred, the effective [RTT](https://en.wikipedia.org/wiki/Round-trip_delay_time) that will be used, as well as the effective bandwidth, have a direct incidence on the improvement provided by the pipeline. Without knowing these, important messages may be delayed behind unimportant ones. The notion of important even evolves during page layout! HTTP pipelining therefore brings a marginal improvement in most cases only.
+> - Pipelining is subject to the [HOL](https://en.wikipedia.org/wiki/Head-of-line_blocking) problem.
+>
+> For these reasons, pipelining has been superseded by a better algorithm, _multiplexing_, that is used by HTTP/2.
 
-
By default, HTTP requests are issued sequentially. The next request is only issued once the response to the current request has been received. As they are affected by network latencies and bandwidth limitations, this can result in significant delay before the next request is seen by the server.

+By default, [HTTP](/en-US/docs/Web/HTTP) requests are issued sequentially. The next request is only issued once the response to the current request has been received. As they are affected by network latencies and bandwidth limitations, this can result in significant delay before the next request is _seen_ by the server.
 
-
Pipelining is the process to send successive requests, over the same persistent connection, without waiting for the answer. This avoids latency of the connection. Theoretically, performance could also be improved if two HTTP requests were to be packed into the same TCP message. The typical MSS (Maximum Segment Size), is big enough to contain several simple requests, although the demand in size of HTTP requests continues to grow.

+Pipelining is the process to send successive requests, over the same persistent connection, without waiting for the answer. This avoids latency of the connection. Theoretically, performance could also be improved if two HTTP requests were to be packed into the same TCP message. The typical [MSS](https://en.wikipedia.org/wiki/Maximum_segment_size) (Maximum Segment Size), is big enough to contain several simple requests, although the demand in size of HTTP requests continues to grow.
 
-
Not all types of HTTP requests can be pipelined: only {{glossary("idempotent")}} methods, that is {{HTTPMethod("GET")}}, {{HTTPMethod("HEAD")}}, {{HTTPMethod("PUT")}} and {{HTTPMethod("DELETE")}}, can be replayed safely: should a failure happen, the pipeline content can be repeated.

+Not all types of HTTP requests can be pipelined: only {{glossary("idempotent")}} methods, that is {{HTTPMethod("GET")}}, {{HTTPMethod("HEAD")}}, {{HTTPMethod("PUT")}} and {{HTTPMethod("DELETE")}}, can be replayed safely: should a failure happen, the pipeline content can be repeated.
 
-
Today, every HTTP/1.1-compliant proxy and server should support pipelining, though many have limitations in practice: a significant reason no modern browser activates this feature by default.

+Today, every HTTP/1.1-compliant proxy and server should support pipelining, though many have limitations in practice: a significant reason no modern browser activates this feature by default.
 
-
Domain sharding

+## Domain sharding
 
-

-  
Note: Unless you have a very specific immediate need, don't use this deprecated technique; switch to HTTP/2 instead. In HTTP/2, domain sharding is no longer useful: the HTTP/2 connection is able to handle parallel unprioritized requests very well. Domain sharding is even detrimental to performance. Most HTTP/2 implementations use a technique called connection coalescing to revert eventual domain sharding.

-

+> **Note:** Unless you have a very specific immediate need, don't use this deprecated technique; switch to HTTP/2 instead. In HTTP/2, domain sharding is no longer useful: the HTTP/2 connection is able to handle parallel unprioritized requests very well. Domain sharding is even detrimental to performance. Most HTTP/2 implementations use a technique called [connection coalescing](https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/) to revert eventual domain sharding.
 
-
As an HTTP/1.x connection is serializing requests, even without any ordering, it can't be optimal without large enough available bandwidth. As a solution, browsers open several connections to each domain, sending parallel requests. Default was once 2 to 3 connections, but this has now increased to a more common use of 6 parallel connections. There is a risk of triggering DoS protection on the server side if attempting more than this number.

+As an HTTP/1.x connection is serializing requests, even without any ordering, it can't be optimal without large enough available bandwidth. As a solution, browsers open several connections to each domain, sending parallel requests. Default was once 2 to 3 connections, but this has now increased to a more common use of 6 parallel connections. There is a risk of triggering [DoS](/en-US/docs/Glossary/DOS_attack) protection on the server side if attempting more than this number.
 
-
If the server wishes a faster Web site or application response, it is possible for the server to force the opening of more connections. For example, Instead of having all resources on the same domain, say www.example.com, it could split over several domains, www1.example.com, www2.example.com, www3.example.com. Each of these domains resolve to the same server, and the Web browser will open 6 connections to each (in our example, boosting the connections to 18). This technique is called domain sharding.

+If the server wishes a faster Web site or application response, it is possible for the server to force the opening of more connections. For example, Instead of having all resources on the same domain, say `www.example.com`, it could split over several domains, `www1.example.com`, `www2.example.com`, `www3.example.com`. Each of these domains resolve to the _same_ server, and the Web browser will open 6 connections to each (in our example, boosting the connections to 18). This technique is called _domain sharding_.
 
-

+![](httpsharding.png)
 
-
Conclusion

+## Conclusion
 
-
Improved connection management allows considerable boosting of performance in HTTP. With HTTP/1.1 or HTTP/1.0, using a persistent connection – at least until it becomes idle – leads to the best performance. However, the failure of pipelining has lead to designing superior connection management models, which have been incorporated into HTTP/2.

+Improved connection management allows considerable boosting of performance in HTTP. With HTTP/1.1 or HTTP/1.0, using a persistent connection – at least until it becomes idle – leads to the best performance. However, the failure of pipelining has lead to designing superior connection management models, which have been incorporated into HTTP/2.
diff --git a/files/en-us/web/http/content_negotiation/index.md b/files/en-us/web/http/content_negotiation/index.md
index 07ce32beca1b735..d6fb53a0d875d0b 100644
--- a/files/en-us/web/http/content_negotiation/index.md
+++ b/files/en-us/web/http/content_negotiation/index.md
@@ -7,133 +7,102 @@ tags:
   - HTTP
   - Reference
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
In HTTP, content negotiation is the mechanism that is used for serving different representations of a resource at the same URI, so that the user agent can specify which is best suited for the user (for example, which language of a document, which image format, or which content encoding).

+In [HTTP](/en-US/docs/Glossary/HTTP), **_content negotiation_** is the mechanism that is used for serving different representations of a resource at the same URI, so that the user agent can specify which is best suited for the user (for example, which language of a document, which image format, or which content encoding).
 
-

-  
Note: Some disadvantages of HTTP content negotiation are explained in a wiki page from WHATWG. HTML5 provides alternatives to content negotiation via, for example, the <source> element.

-

+> **Note:** Some disadvantages of HTTP content negotiation are explained in [a wiki page from WHATWG](https://wiki.whatwg.org/wiki/Why_not_conneg). HTML5 provides alternatives to content negotiation via, for example, the [`` element](/en-US/docs/Web/HTML/Element/source).
 
-
Principles of content negotiation

+## Principles of content negotiation
 
-
A specific document is called a resource. When a client wants to obtain a resource, the client requests it using its URL. The server uses this URL to choose one of the variants it provides – each variant being called a representation – and returns a specific representation to the client. The overall resource, as well as each of the representations, have a specific URL. How a specific representation is chosen when the resource is called is determined by content negotiation and there are several ways of negotiating between the client and the server.

+A specific document is called a _resource_. When a client wants to obtain a resource, the client requests it using its URL. The server uses this URL to choose one of the variants it provides – each variant being called a _representation_ – and returns a specific representation to the client. The overall resource, as well as each of the representations, have a specific URL. How a specific representation is chosen when the resource is called is determined by _content negotiation_ and there are several ways of negotiating between the client and the server.
 
-

+![](httpnego.png)
 
-
The determination of the best suited representation is made through one of two mechanisms:

+The determination of the best suited representation is made through one of two mechanisms:
 
-
    
- 
  • Specific HTTP headers by the client (server-driven negotiation or proactive negotiation), which is the standard way of negotiating a specific kind of resource.
    • 
- 
  • The {{HTTPStatus("300")}} (Multiple Choices) or {{HTTPStatus("406")}} (Not Acceptable), {{HTTPStatus("415")}} (Unsupported Media Type) HTTP response codes by the server (agent-driven negotiation or reactive negotiation), that are used as fallback mechanisms.
    • 
-

+- Specific [HTTP headers](/en-US/docs/Web/HTTP/Headers) by the client (_server-driven negotiation_ or _proactive negotiation_), which is the standard way of negotiating a specific kind of resource.
+- The {{HTTPStatus("300")}} (Multiple Choices) or {{HTTPStatus("406")}} (Not Acceptable), {{HTTPStatus("415")}} (Unsupported Media Type) [HTTP response codes](/en-US/docs/Web/HTTP/Status) by the server (_agent-driven negotiation_ or _reactive negotiation_), that are used as fallback mechanisms.
 
-
Over the years, other content negotiation proposals, like transparent content negotiation and the Alternates header, have been proposed. They failed to get traction and got abandoned.

+Over the years, other content negotiation proposals, like [transparent content negotiation](https://datatracker.ietf.org/doc/html/rfc2295) and the `Alternates` header, have been proposed. They failed to get traction and got abandoned.
 
-
Server-driven content negotiation

+## Server-driven content negotiation
 
-
In server-driven content negotiation, or proactive content negotiation, the browser (or any other kind of user-agent) sends several HTTP headers along with the URL. These headers describe the preferred choice of the user. The server uses them as hints and an internal algorithm chooses the best content to serve to the client. If it cannot provide a suitable resource, as a fallback it might respond with {{HTTPStatus("406")}} (Not Acceptable) or {{HTTPStatus("415")}} (Unsupported Media Type) and set headers for the types of media that it does support (e.g. using the {{HTTPHeader("Accept-Post")}} or {{HTTPHeader("Accept-Patch")}} for POST and PATCH requests, respectively). The algorithm is server-specific and not defined in the standard. See, for example, the Apache negotiation algorithm.

+In _server-driven content negotiation_, or proactive content negotiation, the browser (or any other kind of user-agent) sends several HTTP headers along with the URL. These headers describe the preferred choice of the user. The server uses them as hints and an internal algorithm chooses the best content to serve to the client. If it cannot provide a suitable resource, as a fallback it might respond with {{HTTPStatus("406")}} (Not Acceptable) or {{HTTPStatus("415")}} (Unsupported Media Type) and set headers for the types of media that it does support (e.g. using the {{HTTPHeader("Accept-Post")}} or {{HTTPHeader("Accept-Patch")}} for POST and PATCH requests, respectively). The algorithm is server-specific and not defined in the standard. See, for example, the [Apache negotiation algorithm](https://httpd.apache.org/docs/current/en/content-negotiation.html#algorithm).
 
-

+![](httpnegoserver.png)
 
-
The HTTP/1.1 standard defines list of the standard headers that start server-driven negotiation (such as {{HTTPHeader("Accept")}}, {{HTTPHeader("Accept-Encoding")}}, and {{HTTPHeader("Accept-Language")}}). Though strictly speaking {{HTTPHeader("User-Agent")}} is not in this list, it is sometimes also used to send a specific representation of the requested resource, though this is not considered as a good practice. The server uses the {{HTTPHeader("Vary")}} header to indicate which headers it actually used for content negotiation (or more precisely the associated response headers), so that caches can work optimally.

+The HTTP/1.1 standard defines list of the standard headers that start server-driven negotiation (such as {{HTTPHeader("Accept")}}, {{HTTPHeader("Accept-Encoding")}}, and {{HTTPHeader("Accept-Language")}}). Though strictly speaking {{HTTPHeader("User-Agent")}} is not in this list, it is sometimes also used to send a specific representation of the requested resource, though this is not considered as a good practice. The server uses the {{HTTPHeader("Vary")}} header to indicate which headers it actually used for content negotiation (or more precisely the associated response headers), so that [caches](/en-US/docs/Web/HTTP/Caching) can work optimally.
 
-
In addition to these, there is an experimental proposal to add more headers to the list of available headers, called client hints. Client hints advertise what kind of device the user agent runs on (for example, if it is a desktop computer or a mobile device).

+In addition to these, there is an experimental proposal to add more headers to the list of available headers, called _client hints_. Client hints advertise what kind of device the user agent runs on (for example, if it is a desktop computer or a mobile device).
 
-
Even if server-driven content negotiation is the most common way to agree on a specific representation of a resource, it has several drawbacks:

+Even if server-driven content negotiation is the most common way to agree on a specific representation of a resource, it has several drawbacks:
 
-
    
- 
  • The server doesn't have total knowledge of the browser. Even with the Client Hints extension, it has not a complete knowledge of the capabilities of the browser. Unlike reactive content negotiation where the client makes the choice, the server choice is always somewhat arbitrary.
    • 
- 
  • The information by the client is quite verbose (HTTP/2 header compression mitigates this problem) and a privacy risk (HTTP fingerprinting)
    • 
- 
  • As several representations of a given resource are sent, shared caches are less efficient and server implementations are more complex.
    • 
-

+- The server doesn't have total knowledge of the browser. Even with the Client Hints extension, it has not a complete knowledge of the capabilities of the browser. Unlike reactive content negotiation where the client makes the choice, the server choice is always somewhat arbitrary.
+- The information by the client is quite verbose (HTTP/2 header compression mitigates this problem) and a privacy risk (HTTP fingerprinting)
+- As several representations of a given resource are sent, shared caches are less efficient and server implementations are more complex.
 
-
The Accept header

+### The Accept header
 
-
The {{HTTPHeader("Accept")}} header lists the MIME types of media resources that the agent is willing to process. It is comma-separated lists of MIME types, each combined with a quality factor, a parameter indicating the relative degree of preference between the different MIME types.

+The {{HTTPHeader("Accept")}} header lists the MIME types of media resources that the agent is willing to process. It is comma-separated lists of MIME types, each combined with a quality factor, a parameter indicating the relative degree of preference between the different MIME types.
 
-
The {{HTTPHeader("Accept")}} header is defined by the browser, or any other user-agent, and can vary according to the context, like fetching an HTML page or an image, a video, or a script: It is different when fetching a document entered in the address bar or an element linked via an {{ HTMLElement("img") }}, {{ HTMLElement("video") }} or {{ HTMLElement("audio") }} element. Browsers are free to use the value of the header that they think is the most adequate; an exhaustive list of default values for common browsers is available.

+The {{HTTPHeader("Accept")}} header is defined by the browser, or any other user-agent, and can vary according to the context, like fetching an HTML page or an image, a video, or a script: It is different when fetching a document entered in the address bar or an element linked via an {{ HTMLElement("img") }}, {{ HTMLElement("video") }} or {{ HTMLElement("audio") }} element. Browsers are free to use the value of the header that they think is the most adequate; an exhaustive list of [default values for common browsers](/en-US/docs/Web/HTTP/Content_negotiation/List_of_default_Accept_values) is available.
 
-
The Accept-CH header {{experimental_inline}}

+### The Accept-CH header {{experimental_inline}}
 
-

-  
Note: This is part of an experimental technology called Client Hints. Initial support is in Chrome 46 or later. The Device-Memory value is in Chrome 61 or later.

-

+> **Note:** This is part of an **experimental** technology called _Client Hints_. Initial support is in Chrome 46 or later. The Device-Memory value is in Chrome 61 or later.
 
-
The experimental {{HTTPHeader("Accept-CH")}} lists configuration data that can be used by the server to select an appropriate response. Valid values are:

+The experimental {{HTTPHeader("Accept-CH")}} lists configuration data that can be used by the server to select an appropriate response. Valid values are:
 
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
ValueMeaning
Device-MemoryIndicates the approximate amount of device RAM. This value is an approximation given by rounding to the nearest power of 2 and dividing that number by 1024. For example, 512 megabytes will be reported as 0.5.
Viewport-WidthIndicates the layout viewport width in CSS pixels.
WidthIndicates the resource width in physical pixels (in other words the intrinsic size of an image).

+| Value            | Meaning                                                                                                                                                                                                            |
+| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `Device-Memory`  | Indicates the approximate amount of device RAM. This value is an approximation given by rounding to the nearest power of 2 and dividing that number by 1024. For example, 512 megabytes will be reported as `0.5`. |
+| `Viewport-Width` | Indicates the layout viewport width in CSS pixels.                                                                                                                                                                 |
+| `Width`          | Indicates the resource width in physical pixels (in other words the intrinsic size of an image).                                                                                                                   |
 
-
The Accept-CH-Lifetime header

+### The Accept-CH-Lifetime header
 
-

-  
Note: This is part of an experimental technology called Client Hints and is only available in Chrome 61 or later.

-

+> **Note:** This is part of an **experimental** technology called _Client Hints_ and is only available in Chrome 61 or later.
 
-
The {{HTTPHeader("Accept-CH-Lifetime")}} header is used with the Device-Memory value of the Accept-CH header and indicates the amount of time the device should opt-in to sharing the amount of device memory with the server. The value is given in milliseconds and it's use is optional.

+The {{HTTPHeader("Accept-CH-Lifetime")}} header is used with the `Device-Memory` value of the `Accept-CH` header and indicates the amount of time the device should opt-in to sharing the amount of device memory with the server. The value is given in milliseconds and it's use is optional.
 
-
The Accept-Encoding header

+### The Accept-Encoding header
 
-
The {{HTTPHeader("Accept-Encoding")}} header defines the acceptable content-encoding (supported compressions). The value is a q-factor list (e.g.: br, gzip;q=0.8) that indicates the priority of the encoding values. The default value identity is at the lowest priority (unless otherwise declared).

+The {{HTTPHeader("Accept-Encoding")}} header defines the acceptable content-encoding (supported compressions). The value is a q-factor list (e.g.: `br, gzip;q=0.8`) that indicates the priority of the encoding values. The default value `identity` is at the lowest priority (unless otherwise declared).
 
-
Compressing HTTP messages is one of the most important ways to improve the performance of a Web site, it shrinks the size of the data transmitted and makes better use of the available bandwidth; browsers always send this header and the server should be configured to abide to it and to use compression.

+Compressing HTTP messages is one of the most important ways to improve the performance of a Web site, it shrinks the size of the data transmitted and makes better use of the available bandwidth; browsers always send this header and the server should be configured to abide to it and to use compression.
 
-
The Accept-Language header

+### The Accept-Language header
 
-
The {{HTTPHeader("Accept-Language")}} header is used to indicate the language preference of the user. It is a list of values with quality factors (like: "de, en;q=0.7"). A default value is often set according the language of the graphical interface of the user agent, but most browsers allow to set different language preferences.

+The {{HTTPHeader("Accept-Language")}} header is used to indicate the language preference of the user. It is a list of values with quality factors (like: `"de, en;q=0.7`"). A default value is often set according the language of the graphical interface of the user agent, but most browsers allow to set different language preferences.
 
-
Due to the configuration-based entropy increase, a modified value can be used to fingerprint the user, it is not recommended to change it and a Web site cannot trust this value to reflect the actual wish of the user. Site designers must not be over-zealous by using language detection via this header as it can lead to a poor user experience:

+Due to the [configuration-based entropy](https://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy) increase, a modified value can be used to fingerprint the user, it is not recommended to change it and a Web site cannot trust this value to reflect the actual wish of the user. Site designers must not be over-zealous by using language detection via this header as it can lead to a poor user experience:
 
-
    
- 
  • They should always provide a way to overcome the server-chosen language, e.g., by providing a language menu on the site. Most user-agents provide a default value for the Accept-Language header, adapted to the user interface language and end users often do not modify it, either by not knowing how, or by not being able to do it, as in an Internet café for instance.
    • 
- 
  • Once a user has overridden the server-chosen language, a site should no longer use language detection and should stick with the explicitly-chosen language. In other words, only entry pages of a site should select the proper language using this header.
    • 
-

+- They should always provide a way to overcome the server-chosen language, e.g., by providing a language menu on the site. Most user-agents provide a default value for the `Accept-Language` header, adapted to the user interface language and end users often do not modify it, either by not knowing how, or by not being able to do it, as in an Internet café for instance.
+- Once a user has overridden the server-chosen language, a site should no longer use language detection and should stick with the explicitly-chosen language. In other words, only entry pages of a site should select the proper language using this header.
 
-
The User-Agent header

+### The User-Agent header
 
-

-  
Note: Though there are legitimate uses of this header for selecting content, it is considered bad practice to rely on it to define what features are supported by the user agent.

-

+> **Note:** Though there are legitimate uses of this header for selecting content, [it is considered bad practice](/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent) to rely on it to define what features are supported by the user agent.
 
-
The {{HTTPHeader("User-Agent")}} header identifies the browser sending the request. This string may contain a space-separated list of product tokens and comments.

+The {{HTTPHeader("User-Agent")}} header identifies the browser sending the request. This string may contain a space-separated list of _product tokens_ and _comments_.
 
-
A product token is a name followed by a '/' and a version number, like Firefox/4.0.1. There may be as many of them as the user-agent wants. A comment is a free string delimited by parentheses. Obviously parentheses cannot be used in that string. The inner format of a comment is not defined by the standard, though several browser put several tokens in it, separated by ';'.

+A _product token_ is a name followed by a '`/`' and a version number, like `Firefox/4.0.1`. There may be as many of them as the user-agent wants. A _comment_ is a free string delimited by parentheses. Obviously parentheses cannot be used in that string. The inner format of a comment is not defined by the standard, though several browser put several tokens in it, separated by '`;`'.
 
-
The Vary response header

+### The Vary response header
 
-
In contrast to the previous Accept-* headers, which are sent by the client, the {{HTTPHeader("Vary")}} HTTP header is sent by the web server in its response. It indicates the list of headers used by the server during the server-driven content negotiation phase. The header is needed in order to inform the cache of the decision criteria so that it can reproduce it, allowing the cache to be functional while preventing serving erroneous content to the user.

+In contrast to the previous `Accept-*` headers, which are sent by the client, the {{HTTPHeader("Vary")}} HTTP header is sent by the web server in its response. It indicates the list of headers used by the server during the server-driven content negotiation phase. The header is needed in order to inform the cache of the decision criteria so that it can reproduce it, allowing the cache to be functional while preventing serving erroneous content to the user.
 
-
The special value of '*' means that the server-driven content negotiation also uses information not conveyed in a header to choose the appropriate content.

+The special value of '`*`' means that the server-driven content negotiation also uses information not conveyed in a header to choose the appropriate content.
 
-
The Vary header was added in the version 1.1 of HTTP and is necessary in order to allow caches to work appropriately. A cache, in order to work with server-driven content negotiation, needs to know which criteria was used by the server to select the transmitted content. That way, the cache can replay the algorithm and will be able to serve acceptable content directly, without more request to the server. Obviously, the wildcard '*' prevents caching from occurring, as the cache cannot know what element is behind it. For more information HTTP caching > Varying responses.

+The `Vary` header was added in the version 1.1 of HTTP and is necessary in order to allow caches to work appropriately. A cache, in order to work with server-driven content negotiation, needs to know which criteria was used by the server to select the transmitted content. That way, the cache can replay the algorithm and will be able to serve acceptable content directly, without more request to the server. Obviously, the wildcard '`*`' prevents caching from occurring, as the cache cannot know what element is behind it. For more information [HTTP caching > Varying responses](/en-US/docs/Web/HTTP/Caching#varying_responses).
 
-
Agent-driven negotiation

+## Agent-driven negotiation
 
-
Server-driven negotiation suffers from a few downsides: it doesn't scale well. There is one header per feature used in the negotiation. If you want to use screen size, resolution or other dimensions, a new HTTP header must be created. Sending of the headers must be done on every request. This is not too problematic with few headers, but with the eventual multiplications of them, the message size would lead to a decrease in performance. The more precise headers are sent, the more entropy is sent, allowing for more HTTP fingerprinting and corresponding privacy concern.

+Server-driven negotiation suffers from a few downsides: it doesn't scale well. There is one header per feature used in the negotiation. If you want to use screen size, resolution or other dimensions, a new HTTP header must be created. Sending of the headers must be done on every request. This is not too problematic with few headers, but with the eventual multiplications of them, the message size would lead to a decrease in performance. The more precise headers are sent, the more entropy is sent, allowing for more HTTP fingerprinting and corresponding privacy concern.
 
-
From the beginnings of HTTP, the protocol allowed another negotiation type: agent-driven negotiation or reactive negotiation. In this negotiation, when facing an ambiguous request, the server sends back a page containing links to the available alternative resources. The user is presented the resources and choose the one to use.

+From the beginnings of HTTP, the protocol allowed another negotiation type: _agent-driven negotiation_ or _reactive negotiation_. In this negotiation, when facing an ambiguous request, the server sends back a page containing links to the available alternative resources. The user is presented the resources and choose the one to use.
 
-

+![](httpnego3.png)
 
-
Unfortunately, the HTTP standard does not specify the format of the page for choosing between the available resource, which prevents the process being automated. Besides falling back to the server-driven negotiation, this method is almost always used in conjunction with scripting, especially with JavaScript redirection: after having checked for the negotiation criteria, the script performs the redirection. A second problem is that one more request is needed in order to fetch the real resource, slowing the availability of the resource to the user.

+Unfortunately, the HTTP standard does not specify the format of the page for choosing between the available resource, which prevents the process being automated. Besides falling back to the _server-driven negotiation_, this method is almost always used in conjunction with scripting, especially with JavaScript redirection: after having checked for the negotiation criteria, the script performs the redirection. A second problem is that one more request is needed in order to fetch the real resource, slowing the availability of the resource to the user.
diff --git a/files/en-us/web/http/content_negotiation/list_of_default_accept_values/index.md b/files/en-us/web/http/content_negotiation/list_of_default_accept_values/index.md
index fee94e519109ff0..f627bdd9ab377f2 100644
--- a/files/en-us/web/http/content_negotiation/list_of_default_accept_values/index.md
+++ b/files/en-us/web/http/content_negotiation/list_of_default_accept_values/index.md
@@ -7,233 +7,101 @@ tags:
   - HTTP
   - Reference
 ---
-
{{HTTPSidebar}}

-
-
This article documents the default values for the HTTP Accept header for specific inputs and browser versions.

-
-
Default values

-
-
These are the values sent when the context doesn't give better information. Note that all browsers add the */* MIME Type to cover all cases. This is typically used for requests initiated via the address bar of a browser, or via an HTML {{HTMLElement("a")}} element.

-
-
-  
-    
-    
-  
-  
-    
-    
-  
-  
-    
-    
-  
-  
-    
-    
-  
-  
-    
-    
-  
-  
-    
-    
-  
-  
-    
-    
-  
-  
-    
-    
-  
-  
-    
-    
-  
-  
-    
-    
-  
-
User AgentValue
Firefox 72 and later [1]text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Firefox 66 to 71 [1]text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Firefox 65 [1]text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Firefox 64 and earlier [1]text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Safari, Chrometext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Safari 5 [2]text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Internet Explorer 8 [3]image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, */*
Edgetext/html, application/xhtml+xml, image/jxr, */*
Operatext/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1

-
-
[1] This value can be modified using the network.http.accept.default parameter.

-
[2] This is an improvement over earlier Accept headers as it no longer ranks image/png above text/html.

-
[3] See IE and the Accept Header (IEInternals' MSDN blog).

-
-
Values for an image

-
-
When requesting an image, like through an HTML {{HTMLElement("img")}} element, user-agent often sets a specific list of media types to be welcomed.

-
-
- 
-  
-   
-   
-  
-  
-   
-   
-  
-    
-    
-  
-  
-    
-    
-  
-  
-   
-   
-  
-  
-    
-    
-  
-  
-   
-   
-  
-  
-    
-    
-   
-  
-   
-   
-  
-
- 
-
User AgentValue
Firefox 65 and later [1]image/webp,*/*
Firefox 47 to 63 [1]*/*
Firefox prior to 47 [1]image/png,image/*;q=0.8,*/*;q=0.5
Safari (since Mac OS Big Sur)image/webp,image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5
Safari (before Mac OS Big Sur)image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5
Chromeimage/avif,image/webp,image/apng,image/*,*/*;q=0.8
Internet Explorer 9image/png,image/svg+xml,image/*;q=0.8, */*;q=0.5
Internet Explorer 8 or earlier source*/*

-
-
[1] This value can be modified using the image.http.accept parameter (source).

-
-
Values for a video

-
-
When a video is requested, via the {{HTMLElement("video")}} HTML element, most browsers use specific values.

-
-
- 
-  
-   
-   
-  
-  
-    
-    
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
User AgentValue
Firefox 3.6 and latervideo/webm,video/ogg,video/*;q=0.9,application/ogg;q=0.7,audio/*;q=0.6,*/*;q=0.5
Firefox earlier than 3.6no support for {{HTMLElement("video")}}
Chrome*/*
Internet Explorer 8 or earlierno support for {{HTMLElement("video")}}

-
-
Values for audio resources

-
-
When an audio file is requested, like via the {{HTMLElement("audio")}} HTML element, most browsers use specific values.

-
-
- 
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
User AgentValue
Firefox 3.6 and later [1]audio/webm,audio/ogg,audio/wav,audio/*;q=0.9,application/ogg;q=0.7,video/*;q=0.6,*/*;q=0.5
Safari, Chrome*/*
Internet Explorer 8 or earlierno support for {{HTMLElement("audio")}}
Internet Explorer 9?

-
-
[1] See bug 489071.

-
-
Values for scripts

-
-
When a script is requested, like via the {{HTMLElement("script")}} HTML element, some browsers use specific values.

-
-
- 
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
User AgentValue
Firefox [1]*/*
Safari, Chrome*/*
Internet Explorer 8 or earlier [2]*/*
Internet Explorer 9application/javascript, */*;q=0.8

-
[1] See bug 170789.

-
[2] See IE and the Accept Header (IEInternals' MSDN blog).

-
Values for a CSS stylesheet

-
-
When a CSS stylesheet is requested, via the <link rel="stylesheet"> HTML element, most browsers use specific values.

-
-
- 
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
User AgentValue
Firefox 4 [1]text/css,*/*;q=0.1
Internet Explorer 8 or earlier [2]*/*
Internet Explorer 9text/css
Safari, Chrometext/css,*/*;q=0.1
Opera 11.10text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 
Konqueror 4.6text/css,*/*;q=0.1

-
[1] See bug 170789.

-
[2] See IE and the Accept Header (IEInternals' MSDN blog).

+{{HTTPSidebar}}
+
+This article documents the default values for the HTTP [`Accept`](/en-US/docs/Web/HTTP/Headers/Accept) header for specific inputs and browser versions.
+
+## Default values
+
+These are the values sent when the context doesn't give better information. Note that all browsers add the `*/*` MIME Type to cover all cases. This is typically used for requests initiated via the address bar of a browser, or via an HTML {{HTMLElement("a")}} element.
+
+| User Agent                 | Value                                                                                                                                                                   |
+| -------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Firefox 72 and later [1]   | `text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8`                                                                                            |
+| Firefox 66 to 71 [1]       | `text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8`                                                                                                       |
+| Firefox 65 [1]             | `text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8`                                                                                            |
+| Firefox 64 and earlier [1] | `text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8`                                                                                                       |
+| Safari, Chrome             | `text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8`                                                                                 |
+| Safari 5 [2]               | `text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8`                                                                                                       |
+| Internet Explorer 8 [3]    | `image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/msword, */*` |
+| Edge                       | `text/html, application/xhtml+xml, image/jxr, */*`                                                                                                                      |
+| Opera                      | `text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1`                                     |
+
+\[1] This value can be modified using the [`network.http.accept.default`](http://kb.mozillazine.org/Network.http.accept.default) parameter.
+
+\[2] This is an improvement over earlier `Accept` headers as it no longer ranks `image/png` above `text/html`.
+
+\[3] See [IE and the Accept Header (IEInternals' MSDN blog)](https://docs.microsoft.com/en-us/archive/blogs/ieinternals/ie-and-the-accept-header).
+
+## Values for an image
+
+When requesting an image, like through an HTML {{HTMLElement("img")}} element, user-agent often sets a specific list of media types to be welcomed.
+
+| User Agent                                                                                                                     | Value                                                                      |
+| ------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------- |
+| Firefox 65 and later [1]                                                                                                       | `image/webp,*/*`                                                           |
+| Firefox 47 to 63 [1]                                                                                                           | `*/*`                                                                      |
+| Firefox prior to 47 [1]                                                                                                        | `image/png,image/*;q=0.8,*/*;q=0.5`                                        |
+| Safari (since Mac OS Big Sur)                                                                                                  | `image/webp,image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5` |
+| Safari (before Mac OS Big Sur)                                                                                                 | `image/png,image/svg+xml,image/*;q=0.8,video/*;q=0.8,*/*;q=0.5`            |
+| Chrome                                                                                                                         | `image/avif,image/webp,image/apng,image/*,*/*;q=0.8`                       |
+| Internet Explorer 9                                                                                                            | `image/png,image/svg+xml,image/*;q=0.8, */*;q=0.5`                         |
+| Internet Explorer 8 or earlier _[source](https://docs.microsoft.com/en-us/archive/blogs/ieinternals/ie-and-the-accept-header)_ | `*/*`                                                                      |
+
+\[1] This value can be modified using the `image.http.accept` parameter (_[source](https://searchfox.org/mozilla-central/search?q=image.http.accept)_).
+
+## Values for a video
+
+When a video is requested, via the {{HTMLElement("video")}} HTML element, most browsers use specific values.
+
+| User Agent                     | Value                                                                              |
+| ------------------------------ | ---------------------------------------------------------------------------------- |
+| Firefox 3.6 and later          | `video/webm,video/ogg,video/*;q=0.9,application/ogg;q=0.7,audio/*;q=0.6,*/*;q=0.5` |
+| Firefox earlier than 3.6       | _no support for {{HTMLElement("video")}}_                                  |
+| Chrome                         | `*/*`                                                                              |
+| Internet Explorer 8 or earlier | _no support for {{HTMLElement("video")}}_                                  |
+
+## Values for audio resources
+
+When an audio file is requested, like via the {{HTMLElement("audio")}} HTML element, most browsers use specific values.
+
+| User Agent                     | Value                                                                                        |
+| ------------------------------ | -------------------------------------------------------------------------------------------- |
+| Firefox 3.6 and later [1]      | `audio/webm,audio/ogg,audio/wav,audio/*;q=0.9,application/ogg;q=0.7,video/*;q=0.6,*/*;q=0.5` |
+| Safari, Chrome                 | `*/*`                                                                                        |
+| Internet Explorer 8 or earlier | _no support for {{HTMLElement("audio")}}_                                            |
+| Internet Explorer 9            | ?                                                                                            |
+
+\[1] See [bug 489071](https://bugzilla.mozilla.org/show_bug.cgi?id=489071).
+
+## Values for scripts
+
+When a script is requested, like via the {{HTMLElement("script")}} HTML element, some browsers use specific values.
+
+| User Agent                         | Value                               |
+| ---------------------------------- | ----------------------------------- |
+| Firefox [1]                        | `*/*`                               |
+| Safari, Chrome                     | `*/*`                               |
+| Internet Explorer 8 or earlier [2] | `*/*`                               |
+| Internet Explorer 9                | `application/javascript, */*;q=0.8` |
+
+\[1] See [bug 170789](https://bugzilla.mozilla.org/show_bug.cgi?id=170789).
+
+\[2] See [IE and the Accept Header (IEInternals' MSDN blog)](https://docs.microsoft.com/en-us/archive/blogs/ieinternals/ie-and-the-accept-header).
+
+## Values for a CSS stylesheet
+
+When a CSS stylesheet is requested, via the `` HTML element, most browsers use specific values.
+
+| User Agent                         | Value                                                                                                                               |
+| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| Firefox 4 [1]                      | `text/css,*/*;q=0.1`                                                                                                                |
+| Internet Explorer 8 or earlier [2] | `*/*`                                                                                                                               |
+| Internet Explorer 9                | `text/css`                                                                                                                          |
+| Safari, Chrome                     | `text/css,*/*;q=0.1`                                                                                                                |
+| Opera 11.10                        | `text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1` |
+| Konqueror 4.6                      | `text/css,*/*;q=0.1`                                                                                                                |
+
+\[1] See [bug 170789](https://bugzilla.mozilla.org/show_bug.cgi?id=170789).
+
+\[2] See [IE and the Accept Header (IEInternals' MSDN blog)](https://docs.microsoft.com/en-us/archive/blogs/ieinternals/ie-and-the-accept-header).
diff --git a/files/en-us/web/http/cookies/index.md b/files/en-us/web/http/cookies/index.md
index 5c3915f2a1a5843..d6b9da05dddbb94 100644
--- a/files/en-us/web/http/cookies/index.md
+++ b/files/en-us/web/http/cookies/index.md
@@ -19,234 +19,205 @@ tags:
   - request
   - tracking
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server.
-  Typically, it is used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.

+An **HTTP cookie** (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server.
+Typically, it is used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the [stateless](/en-US/docs/Web/HTTP/Overview#http_is_stateless_but_not_sessionless) HTTP protocol.
 
-
Cookies are mainly used for three purposes:

+Cookies are mainly used for three purposes:
 
-

- 
Session management

- 
Logins, shopping carts, game scores, or anything else the server should remember

- 
Personalization

- 
User preferences, themes, and other settings

- 
Tracking

- 
Recording and analyzing user behavior

-

+- Session management
+  - : Logins, shopping carts, game scores, or anything else the server should remember
+- Personalization
+  - : User preferences, themes, and other settings
+- Tracking
+  - : Recording and analyzing user behavior
 
-
Cookies were once used for general client-side storage. While this was legitimate when they were the only way to store data on the client, it is now recommended to use modern storage APIs. Cookies are sent with every request, so they can worsen performance (especially for mobile data connections). Modern APIs for client storage are the Web Storage API (localStorage and sessionStorage) and IndexedDB.

+Cookies were once used for general client-side storage. While this was legitimate when they were the only way to store data on the client, it is now recommended to use modern storage APIs. Cookies are sent with every request, so they can worsen performance (especially for mobile data connections). Modern APIs for client storage are the [Web Storage API](/en-US/docs/Web/API/Web_Storage_API "DOM Storage") (`localStorage` and `sessionStorage`) and [IndexedDB](/en-US/docs/Web/API/IndexedDB_API).
 
-

-  
Note: To see stored cookies (and other storage that a web page can use), you can enable the Storage Inspector in Developer Tools and select Cookies from the storage tree.

-

+> **Note:** To see stored cookies (and other storage that a web page can use), you can enable the [Storage Inspector](/en-US/docs/Tools/Storage_Inspector) in Developer Tools and select Cookies from the storage tree.
 
-
Creating cookies

+## Creating cookies
 
-
After receiving an HTTP request, a server can send one or more {{HTTPHeader("Set-Cookie")}} headers with the response. The cookie is usually stored by the browser, and then the cookie is sent with requests made to the same server inside a {{HTTPHeader("Cookie")}} HTTP header. An expiration date or duration can be specified, after which the cookie is no longer sent. Additional restrictions to a specific domain and path can be set, limiting where the cookie is sent. For details about the header attributes mentioned below, refer to the {{HTTPHeader("Set-Cookie")}} reference article.

+After receiving an HTTP request, a server can send one or more {{HTTPHeader("Set-Cookie")}} headers with the response. The cookie is usually stored by the browser, and then the cookie is sent with requests made to the same server inside a {{HTTPHeader("Cookie")}} HTTP header. An expiration date or duration can be specified, after which the cookie is no longer sent. Additional restrictions to a specific domain and path can be set, limiting where the cookie is sent. For details about the header attributes mentioned below, refer to the {{HTTPHeader("Set-Cookie")}} reference article.
 
-
+### The `Set-Cookie` and `Cookie` headers
 
-
The {{HTTPHeader("Set-Cookie")}} HTTP response header sends cookies from the server to the user agent. A simple cookie is set like this:

+The {{HTTPHeader("Set-Cookie")}} HTTP response header sends cookies from the server to the user agent. A simple cookie is set like this:
 
-
Set-Cookie: <cookie-name>=<cookie-value>

+```html
+Set-Cookie: =
+```
 
-
This shows the server sending headers to tell the client to store a pair of cookies:

+This shows the server sending headers to tell the client to store a pair of cookies:
 
-
HTTP/2.0 200 OK
-Content-Type: text/html
-Set-Cookie: yummy_cookie=choco
-Set-Cookie: tasty_cookie=strawberry
+    HTTP/2.0 200 OK
+    Content-Type: text/html
+    Set-Cookie: yummy_cookie=choco
+    Set-Cookie: tasty_cookie=strawberry
 
-[page content]

+    [page content]
 
-
Then, with every subsequent request to the server, the browser sends back all previously stored cookies to the server using the {{HTTPHeader("Cookie")}} header.

+Then, with every subsequent request to the server, the browser sends back all previously stored cookies to the server using the {{HTTPHeader("Cookie")}} header.
 
-
GET /sample_page.html HTTP/2.0
-Host: www.example.org
-Cookie: yummy_cookie=choco; tasty_cookie=strawberry

+    GET /sample_page.html HTTP/2.0
+    Host: www.example.org
+    Cookie: yummy_cookie=choco; tasty_cookie=strawberry
 
-

-  
Note: Here's how to use the Set-Cookie header in various server-side applications:

-  
-

+> **Note:** Here's how to use the `Set-Cookie` header in various server-side applications:
+>
+> - [PHP](https://secure.php.net/manual/en/function.setcookie.php)
+> - [Node.JS](https://nodejs.org/dist/latest-v14.x/docs/api/http.html#http_response_setheader_name_value)
+> - [Python](https://docs.python.org/3/library/http.cookies.html)
+> - [Ruby on Rails](https://api.rubyonrails.org/classes/ActionDispatch/Cookies.html)
 
-
+### Define the lifetime of a cookie
 
-
The lifetime of a cookie can be defined in two ways:

+The lifetime of a cookie can be defined in two ways:
 
-
    
- 
  • Session cookies are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers use session restoring when restarting, which can cause session cookies to last indefinitely long.
    • 
- 
  • Permanent cookies are deleted at a date specified by the Expires attribute, or after a period of time specified by the Max-Age attribute.
    • 
-

+- _Session_ cookies are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers use _session restoring_ when restarting, which can cause session cookies to last indefinitely long.
+- _Permanent_ cookies are deleted at a date specified by the `Expires` attribute, or after a period of time specified by the `Max-Age` attribute.
 
-
For example:

+For example:
 
-
Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2021 07:28:00 GMT;

+    Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2021 07:28:00 GMT;
 
-

-  
Note: When an Expires date is set, the time and date set is relative to the client the cookie is being set on, not the server.

-

+> **Note:** When an `Expires` date is set, the time and date set is relative to the client the cookie is being set on, not the server.
 
-
If your site authenticates users, it should regenerate and resend session cookies, even ones that already exist, whenever the user authenticates. This technique helps prevent session fixation attacks, where a third party can reuse a user's session.

+If your site authenticates users, it should regenerate and resend session cookies, even ones that already exist, whenever the user authenticates. This technique helps prevent [session fixation attacks](/en-US/docs/Web/Security/Types_of_attacks#session_fixation), where a third party can reuse a user's session.
 
-
Restrict access to cookies

+### Restrict access to cookies
 
-
There are a couple of ways to ensure that cookies are sent securely and are not accessed by unintended parties or scripts: the Secure attribute and the HttpOnly attribute.

+There are a couple of ways to ensure that cookies are sent securely and are not accessed by unintended parties or scripts: the `Secure` attribute and the `HttpOnly` attribute.
 
-
A cookie with the Secure attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP (except on localhost), and therefore can't easily be accessed by a {{Glossary("MitM", "man-in-the-middle")}} attacker. Insecure sites (with http: in the URL) can't set cookies with the Secure attribute. However, do not assume that Secure prevents all access to sensitive information in cookies; for example, it can be read and modified by someone with access to the client's hard disk (or JavaScript if the HttpOnly attribute is not set).

+A cookie with the `Secure` attribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP (except on localhost), and therefore can't easily be accessed by a {{Glossary("MitM", "man-in-the-middle")}} attacker. Insecure sites (with `http:` in the URL) can't set cookies with the `Secure` attribute. However, do not assume that `Secure` prevents all access to sensitive information in cookies; for example, it can be read and modified by someone with access to the client's hard disk (or JavaScript if the `HttpOnly` attribute is not set).
 
-
A cookie with the HttpOnly attribute is inaccessible to the JavaScript {{domxref("Document.cookie")}} API; it is sent only to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and should have the HttpOnly attribute. This precaution helps mitigate cross-site scripting (XSS) attacks.

+A cookie with the `HttpOnly` attribute is inaccessible to the JavaScript {{domxref("Document.cookie")}} API; it is sent only to the server. For example, cookies that persist server-side sessions don't need to be available to JavaScript, and should have the `HttpOnly` attribute. This precaution helps mitigate cross-site scripting ([XSS]()) attacks.
 
-
Here is an example:

+Here is an example:
 
-
Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly

+    Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly
 
-
Define where cookies are sent

+### Define where cookies are sent
 
-
The Domain and Path attributes define the scope of the cookie: what URLs the cookies should be sent to.

+The `Domain` and `Path` attributes define the _scope_ of the cookie: what URLs the cookies should be sent to.
 
-
Domain attribute

+#### Domain attribute
 
-
The Domain attribute specifies which hosts are allowed to receive the cookie. If unspecified, it defaults to the same {{Glossary("host")}} that set the cookie, excluding subdomains. If Domain is specified, then subdomains are always included. Therefore, specifying Domain is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.

+The `Domain` attribute specifies which hosts are allowed to receive the cookie. If unspecified, it defaults to the same {{Glossary("host")}} that set the cookie, _excluding subdomains_. If `Domain` _is_ specified, then subdomains are always included. Therefore, specifying `Domain` is less restrictive than omitting it. However, it can be helpful when subdomains need to share information about a user.
 
-
For example, if Domain=mozilla.org is set, then cookies are available on subdomains like developer.mozilla.org.

+For example, if `Domain=mozilla.org` is set, then cookies are available on subdomains like `developer.mozilla.org`.
 
-
Path attribute

+#### Path attribute
 
-
The Path attribute indicates a URL path that must exist in the requested URL in order to send the Cookie header. The %x2F ("/") character is considered a directory separator, and subdirectories match as well.

+The `Path` attribute indicates a URL path that must exist in the requested URL in order to send the `Cookie` header. The `%x2F` ("/") character is considered a directory separator, and subdirectories match as well.
 
-
For example, if Path=/docs is set, these paths match:

+For example, if `Path=/docs` is set, these paths match:
 
-
    
- 
  • /docs
    • 
- 
  • /docs/Web/
    • 
- 
  • /docs/Web/HTTP
    • 
-

+- `/docs`
+- `/docs/Web/`
+- `/docs/Web/HTTP`
 
-
SameSite attribute

+#### SameSite attribute
 
-
The SameSite attribute lets servers specify whether/when cookies are sent with cross-site requests (where {{Glossary("Site")}} is defined by the registrable domain), which provides some protection against cross-site request forgery attacks ({{Glossary("CSRF")}}).

+The [`SameSite` ](/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)attribute lets servers specify whether/when cookies are sent with cross-site requests (where {{Glossary("Site")}} is defined by the registrable domain), which provides some protection against cross-site request forgery attacks ({{Glossary("CSRF")}}).
 
-
It takes three possible values: Strict, Lax, and None. With Strict, the cookie is sent only to the same site as the one that originated it; Lax is similar, except that cookies are sent when the user navigates to the cookie's origin site, for example, by following a link from an external site; None specifies that cookies are sent on both originating and cross-site requests, but only in secure contexts (i.e. if SameSite=None then the Secure attribute must also be set). If no SameSite attribute is set then the cookie is treated as Lax.

+It takes three possible values: `Strict`, `Lax`, and `None`. With `Strict`, the cookie is sent only to the same site as the one that originated it; `Lax` is similar, except that cookies are sent when the user _navigates_ to the cookie's origin site, for example, by following a link from an external site; `None` specifies that cookies are sent on both originating and cross-site requests, but *only in secure contexts* (i.e. if `SameSite=None` then the `Secure` attribute must also be set). If no `SameSite` attribute is set then the cookie is treated as `Lax`.
 
-
Here is an example:

+Here is an example:
 
-
Set-Cookie: mykey=myvalue; SameSite=Strict

+    Set-Cookie: mykey=myvalue; SameSite=Strict
 
-

-
Note: Standard related to SameSite recently changed (MDN documents the new behavior above). See the cookies Browser compatibility table for information about how the attribute is handled in specific browser versions:

+> **Note:** Standard related to `SameSite` recently changed (MDN documents the new behavior above). See the cookies [Browser compatibility](/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#browser_compatibility) table for information about how the attribute is handled in specific browser versions:
+>
+> - `SameSite=Lax` is the new default if `SameSite` is not specified. Previously the default was that cookies were sent for all requests.
+> - Cookies with `SameSite=None` must now also specify the `Secure` attribute (they require a secure context).
 
-
    
- 
  • SameSite=Lax is the new default if SameSite is not specified. Previously the default was that cookies were sent for all requests.
    • 
- 
  • Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context).
    • 
-

-

+#### Cookie prefixes
 
-
+The design of the cookie mechanism is such that a server is unable to confirm that a cookie was set on a secure origin or even to tell _where_ a cookie was originally set.
 
-
The design of the cookie mechanism is such that a server is unable to confirm that a cookie was set on a secure origin or even to tell where a cookie was originally set.

+A vulnerable application on a sub-domain can set a cookie with the `Domain` attribute, which gives access to that cookie on all other subdomains. This mechanism can be abused in a _session fixation_ attack. See [session fixation](/en-US/docs/Web/Security/Types_of_attacks#session_fixation) for primary mitigation methods.
 
-
A vulnerable application on a sub-domain can set a cookie with the Domain attribute, which gives access to that cookie on all other subdomains. This mechanism can be abused in a session fixation attack. See session fixation for primary mitigation methods.

+As a [defense-in-depth measure](), however, it is possible to use _cookie prefixes_ to assert specific facts about the cookie. Two prefixes are available:
 
-
As a defense-in-depth measure, however, it is possible to use cookie prefixes to assert specific facts about the cookie. Two prefixes are available:

+- `__Host-`
+  - : If a cookie name has this prefix, it is accepted in a {{HTTPHeader("Set-Cookie")}} header only if it is also marked with the `Secure` attribute, was sent from a secure origin, does _not_ include a `Domain` attribute, and has the `Path` attribute set to `/`. In this way, these cookies can be seen as "domain-locked".
+- `__Secure-`
+  - : If a cookie name has this prefix, it is accepted in a {{HTTPHeader("Set-Cookie")}} header only if it is marked with the `Secure` attribute and was sent from a secure origin. This is weaker than the `__Host-` prefix.
 
-

- 
__Host-

- 
If a cookie name has this prefix, it is accepted in a {{HTTPHeader("Set-Cookie")}} header only if it is also marked with the Secure attribute, was sent from a secure origin, does not include a Domain attribute, and has the Path attribute set to /. In this way, these cookies can be seen as "domain-locked".

- 
__Secure-

- 
If a cookie name has this prefix, it is accepted in a {{HTTPHeader("Set-Cookie")}} header only if it is marked with the Secure attribute and was sent from a secure origin. This is weaker than the __Host- prefix.

-

+Cookies with these prefixes that are not compliant with their restrictions are rejected by the browser. Note that this ensures that if a subdomain were to create a cookie with a prefix, it would either be confined to the subdomain or be ignored completely. As the application server checks for a specific cookie name only when determining if the user is authenticated or a CSRF token is correct, this effectively acts as a defense measure against session fixation.
 
-
Cookies with these prefixes that are not compliant with their restrictions are rejected by the browser. Note that this ensures that if a subdomain were to create a cookie with a prefix, it would either be confined to the subdomain or be ignored completely. As the application server checks for a specific cookie name only when determining if the user is authenticated or a CSRF token is correct, this effectively acts as a defense measure against session fixation.

+> **Note:** On the application server, the web application _must_ check for the full cookie name including the prefix—user agents _do not_ strip the prefix from the cookie before sending it in a request's {{HTTPHeader("Cookie")}} header.
 
-

-  
Note: On the application server, the web application must check for the full cookie name including the prefix—user agents do not strip the prefix from the cookie before sending it in a request's {{HTTPHeader("Cookie")}} header.

-

+For more information about cookie prefixes and the current state of browser support, see the [Prefixes section of the Set-Cookie reference article](/en-US/docs/Web/HTTP/Headers/Set-Cookie#cookie_prefixes).
 
-
For more information about cookie prefixes and the current state of browser support, see the Prefixes section of the Set-Cookie reference article.

+#### JavaScript access using Document.cookie
 
-
JavaScript access using Document.cookie

+New cookies can be created via JavaScript using the {{domxref("Document.cookie")}} property, and existing cookies can be accessed from JavaScript as well, if the `HttpOnly` flag is not set.
 
-
New cookies can be created via JavaScript using the {{domxref("Document.cookie")}} property, and existing cookies can be accessed from JavaScript as well, if the HttpOnly flag is not set.

-
-
document.cookie = "yummy_cookie=choco";
+```js
+document.cookie = "yummy_cookie=choco";
 document.cookie = "tasty_cookie=strawberry";
 console.log(document.cookie);
-// logs "yummy_cookie=choco; tasty_cookie=strawberry"

+// logs "yummy_cookie=choco; tasty_cookie=strawberry"
+```
 
-
Cookies created via JavaScript cannot include the HttpOnly flag.

+Cookies created via JavaScript cannot include the `HttpOnly` flag.
 
-
Please note the security issues in the Security section below. Cookies available to JavaScript can be stolen through XSS.

+Please note the security issues in the [Security](#security) section below. Cookies available to JavaScript can be stolen through XSS.
 
-
Security

+## Security
 
-

-  
Note: Information should be stored in cookies with the understanding that all cookie values are visible to, and can be changed by, the end-user. Depending on the application, it may be desirable to use an opaque identifier which is looked-up by the server or to investigate alternative authentication/confidentiality mechanisms such as JSON Web Tokens.

-

+> **Note:** Information should be stored in cookies with the understanding that all cookie values are visible to, and can be changed by, the end-user. Depending on the application, it may be desirable to use an opaque identifier which is looked-up by the server or to investigate alternative authentication/confidentiality mechanisms such as JSON Web Tokens.
 
-
Ways to mitigate attacks involving cookies:

+Ways to mitigate attacks involving cookies:
 
-
    
- 
  • Use the HttpOnly attribute to prevent access to cookie values via JavaScript.
    • 
- 
  • Cookies that are used for sensitive information (such as indicating authentication) should have a short lifetime, with the SameSite attribute set to Strict or Lax. (See SameSite cookies, above.) In browsers that support SameSite, this has the effect of ensuring that the authentication cookie is not sent with cross-site requests, so such a request is effectively unauthenticated to the application server.
    • 
-

+- Use the `HttpOnly` attribute to prevent access to cookie values via JavaScript.
+- Cookies that are used for sensitive information (such as indicating authentication) should have a short lifetime, with the `SameSite` attribute set to `Strict` or `Lax`. (See [SameSite cookies](#), above.) In [browsers that support SameSite](/en-US/docs/Web/HTTP/Headers/Set-Cookie#browser_compatibility), this has the effect of ensuring that the authentication cookie is not sent with cross-site requests, so such a request is effectively unauthenticated to the application server.
 
-
Tracking and privacy

+## Tracking and privacy
 
-
Third-party cookies

+### Third-party cookies
 
-
A cookie is associated with a domain. If this domain is the same as the domain of the page you are on, the cookie is called a first-party cookie. If the domain is different, it is a third-party cookie. While the server hosting a web page sets first-party cookies, the page may contain images or other components stored on servers in other domains (for example, ad banners), which may set third-party cookies. These are mainly used for advertising and tracking across the web. See for example the types of cookies used by Google.

+A cookie is associated with a domain. If this domain is the same as the domain of the page you are on, the cookie is called a _first-party cookie_. If the domain is different, it is a _third-party cookie_. While the server hosting a web page sets first-party cookies, the page may contain images or other components stored on servers in other domains (for example, ad banners), which may set third-party cookies. These are mainly used for advertising and tracking across the web. See for example the [types of cookies used by Google](https://policies.google.com/technologies/types).
 
-
A third party server can build up a profile of a user's browsing history and habits based on cookies sent to it by the same browser when accessing multiple sites. Firefox, by default, blocks third-party cookies that are known to contain trackers. Third-party cookies (or just tracking cookies) may also be blocked by other browser settings or extensions. Cookie blocking can cause some third-party components (such as social media widgets) to not function as intended.

+A third party server can build up a profile of a user's browsing history and habits based on cookies sent to it by the same browser when accessing multiple sites. Firefox, by default, blocks third-party cookies that are known to contain trackers. Third-party cookies (or just tracking cookies) may also be blocked by other browser settings or extensions. Cookie blocking can cause some third-party components (such as social media widgets) to not function as intended.
 
-

-  
Note: Servers can (and should) set the cookie SameSite attribute to specify whether or not cookies may be sent to third party sites.

-

+> **Note:** Servers can (and should) set the cookie [SameSite attribute](/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) to specify whether or not cookies may be sent to third party sites.
 
-
+### Cookie-related regulations
 
-
Legislation or regulations that cover the use of cookies include:

+Legislation or regulations that cover the use of cookies include:
 
-
    
- 
  • The General Data Privacy Regulation (GDPR) in the European Union
    • 
- 
  • The ePrivacy Directive in the EU
    • 
- 
  • The California Consumer Privacy Act
    • 
-

+- The General Data Privacy Regulation (GDPR) in the European Union
+- The ePrivacy Directive in the EU
+- The California Consumer Privacy Act
 
-
These regulations have global reach, because they apply to any site on the World Wide Web that is accessed by users from these jurisdictions (the EU and California, with the caveat that California's law applies only to entities with gross revenue over 25 million USD, among other things.)

+These regulations have global reach, because they apply to any site on the _World Wide_ Web that is accessed by users from these jurisdictions (the EU and California, with the caveat that California's law applies only to entities with gross revenue over 25 million USD, among other things.)
 
-
These regulations include requirements such as:

+These regulations include requirements such as:
 
-
    
- 
  • Notifying users that your site uses cookies.
    • 
- 
  • Allowing users to opt out of receiving some or all cookies.
    • 
- 
  • Allowing users to use the bulk of your service without receiving cookies.
    • 
-

+- Notifying users that your site uses cookies.
+- Allowing users to opt out of receiving some or all cookies.
+- Allowing users to use the bulk of your service without receiving cookies.
 
-
There may be other regulations governing the use of cookies in your locality. The burden is on you to know and comply with these regulations. There are companies that offer "cookie banner" code that helps you comply with these regulations.

+There may be other regulations governing the use of cookies in your locality. The burden is on you to know and comply with these regulations. There are companies that offer "cookie banner" code that helps you comply with these regulations.
 
-
Other ways to store information in the browser

+## Other ways to store information in the browser
 
-
Another approach to storing data in the browser is the Web Storage API. The window.sessionStorage and window.localStorage properties correspond to session and permanent cookies in duration, but have larger storage limits than cookies, and are never sent to a server. More structured and larger amounts of data can be stored using the IndexedDB API, or a library built on it.

+Another approach to storing data in the browser is the [Web Storage API](/en-US/docs/Web/API/Web_Storage_API/Using_the_Web_Storage_API). The [window.sessionStorage](/en-US/docs/Web/API/Window/sessionStorage) and [window.localStorage](/en-US/docs/Web/API/Window/localStorage) properties correspond to session and permanent cookies in duration, but have larger storage limits than cookies, and are never sent to a server. More structured and larger amounts of data can be stored using the [IndexedDB API](/en-US/docs/Web/API/IndexedDB_API), or a library built on it.
 
-
Other techniques have been created to cause cookies to be recreated after they are deleted, known as "zombie" cookies. These techniques violate the principles of user privacy and user control, may violate data privacy regulations, and could expose a website using them to legal liability.

+Other techniques have been created to cause cookies to be recreated after they are deleted, known as "zombie" cookies. These techniques violate the principles of user privacy and user control, may violate data privacy regulations, and could expose a website using them to legal liability.
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Set-Cookie")}}
+- {{HTTPHeader("Cookie")}}
+- {{domxref("Document.cookie")}}
+- {{domxref("Navigator.cookieEnabled")}}
+- [SameSite cookies](/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)
+- [Inspecting cookies using the Storage Inspector](/en-US/docs/Tools/Storage_Inspector)
+- [Cookie specification: RFC 6265](https://datatracker.ietf.org/doc/html/rfc6265)
+- [HTTP cookie on Wikipedia](https://en.wikipedia.org/wiki/HTTP_cookie)
+- [Cookies, the GDPR, and the ePrivacy Directive](https://gdpr.eu/cookies/)
diff --git a/files/en-us/web/http/cors/errors/corsalloworiginnotmatchingorigin/index.md b/files/en-us/web/http/cors/errors/corsalloworiginnotmatchingorigin/index.md
index d1853a35707f766..ff21cb90ef6e559 100644
--- a/files/en-us/web/http/cors/errors/corsalloworiginnotmatchingorigin/index.md
+++ b/files/en-us/web/http/cors/errors/corsalloworiginnotmatchingorigin/index.md
@@ -2,54 +2,53 @@
 title: 'Reason: CORS header ''Access-Control-Allow-Origin'' does not match ''xyz'''
 slug: Web/HTTP/CORS/Errors/CORSAllowOriginNotMatchingOrigin
 tags:
-- CORS
-- CORSAllowOriginNotMatchingOrigin
-- Cross-Origin
-- Error
-- HTTP
-- HTTPS
-- Messages
-- Reasons
-- Security
-- console
-- troubleshooting
+  - CORS
+  - CORSAllowOriginNotMatchingOrigin
+  - Cross-Origin
+  - Error
+  - HTTP
+  - HTTPS
+  - Messages
+  - Reasons
+  - Security
+  - console
+  - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'

+```html
+Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'
+```
 
-
What went wrong?

+## What went wrong?
 
-
The origin making the request does not match the origin permitted by the {{HTTPHeader("Access-Control-Allow-Origin")}} header. This error can also occur if the response includes more than one
-  Access-Control-Allow-Origin header.

+The origin making the request does not match the origin permitted by the {{HTTPHeader("Access-Control-Allow-Origin")}} header. This error can also occur if the response includes more than one
+`Access-Control-Allow-Origin` header.
 
-
If the service your code is accessing uses a CORS request under your control, make
-  sure it is configured to include your origin in its
-  Access-Control-Allow-Origin header. In addition, confirm that only one such header is
-  included in responses, and that it includes only a single origin.

+If the service your code is accessing uses a CORS request under your control, make
+sure it is configured to include your origin in its
+`Access-Control-Allow-Origin` header. In addition, confirm that only one such header is
+included in responses, and that it includes only a single origin.
 
-
For example, in Apache, add a line such as the following to the server's configuration
-  (within the appropriate <Directory>, <Location>,
-  <Files>, or <VirtualHost> section). The
-  configuration is typically found in a .conf file (httpd.conf
-  and apache.conf are common names for these), or in an
-  .htaccess file.

+For example, in Apache, add a line such as the following to the server's configuration
+(within the appropriate ``, ``,
+``, or `` section). The
+configuration is typically found in a `.conf` file (`httpd.conf`
+and `apache.conf` are common names for these), or in an
+`.htaccess` file.
 
-
Header set Access-Control-Allow-Origin 'origin'

+    Header set Access-Control-Allow-Origin 'origin'
 
-
For Nginx, the command to set up this header is:

+For Nginx, the command to set up this header is:
 
-
add_header 'Access-Control-Allow-Origin' 'origin'

+    add_header 'Access-Control-Allow-Origin' 'origin'
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
+- [Enable CORS: I want to add CORS
+  support to my server](https://enable-cors.org/server.html)
diff --git a/files/en-us/web/http/cors/errors/corsdidnotsucceed/index.md b/files/en-us/web/http/cors/errors/corsdidnotsucceed/index.md
index 02e07ddc65d2529..dcd7936cb29e19a 100644
--- a/files/en-us/web/http/cors/errors/corsdidnotsucceed/index.md
+++ b/files/en-us/web/http/cors/errors/corsdidnotsucceed/index.md
@@ -2,52 +2,49 @@
 title: 'Reason: CORS request did not succeed'
 slug: Web/HTTP/CORS/Errors/CORSDidNotSucceed
 tags:
-- CORS
-- CORSDidNotSucceed
-- Cross-Origin
-- Error
-- HTTP
-- HTTPS
-- Messages
-- Reasons
-- Security
-- console
-- troubleshooting
+  - CORS
+  - CORSDidNotSucceed
+  - Cross-Origin
+  - Error
+  - HTTP
+  - HTTPS
+  - Messages
+  - Reasons
+  - Security
+  - console
+  - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: CORS request did not succeed

+```html
+Reason: CORS request did not succeed
+```
 
-
What went wrong?

+## What went wrong?
 
-
The {{Glossary("HTTP")}} request which makes use of CORS failed because the HTTP
-  connection failed at either the network or protocol level. The error is not directly
-  related to CORS, but is a fundamental network error of some kind.

+The {{Glossary("HTTP")}} request which makes use of CORS failed because the HTTP
+connection failed at either the network or protocol level. The error is not directly
+related to CORS, but is a fundamental network error of some kind.
 
-
In many cases, it is caused by a browser plugin (e.g. an ad blocker or privacy
-  protector) blocking the request.

+In many cases, it is caused by a browser plugin (e.g. an ad blocker or privacy
+protector) blocking the request.
 
-
Other possible causes include:

+Other possible causes include:
 
-
    
-  
  • Trying to access an https resource that has an invalid certificate will
-    cause this error.
    • 
-  
  • Trying to access an http resource from a page with an
-    https origin will also cause this error.
    • 
-  
  • As of Firefox 68, https pages are not permitted to access
-    http://localhost, although this may be changed by Bug 1488740.
    • 
-  
  • The server did not respond to the actual request (even if it responded to the
-    {{Glossary("Preflight request")}}). One scenario might be an HTTP service being
-    developed that panicked without returning any data.
    • 
-

+- Trying to access an `https` resource that has an invalid certificate will
+  cause this error.
+- Trying to access an `http` resource from a page with an
+  `https` origin will also cause this error.
+- As of Firefox 68, `https` pages are not permitted to access
+  `http://localhost`, although this may be changed by [Bug 1488740](https://bugzilla.mozilla.org/show_bug.cgi?id=1488740).
+- The server did not respond to the actual request (even if it responded to the
+  {{Glossary("Preflight request")}}). One scenario might be an HTTP service being
+  developed that panicked without returning any data.
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
diff --git a/files/en-us/web/http/cors/errors/corsdisabled/index.md b/files/en-us/web/http/cors/errors/corsdisabled/index.md
index cb9fdbc9a93011b..4dfb9f11608b7ad 100644
--- a/files/en-us/web/http/cors/errors/corsdisabled/index.md
+++ b/files/en-us/web/http/cors/errors/corsdisabled/index.md
@@ -2,44 +2,44 @@
 title: 'Reason: CORS disabled'
 slug: Web/HTTP/CORS/Errors/CORSDisabled
 tags:
-- Authentication
-- Authentication Article
-- CORS
-- Cross-Origin
-- Disabled
-- Errors
-- HTTP
-- HTTPS
-- Messages
-- Resource
-- Same Origin
-- Same-origin
-- Security
-- Sharing
-- Validation
-- secure
-- troubleshooting
+  - Authentication
+  - Authentication Article
+  - CORS
+  - Cross-Origin
+  - Disabled
+  - Errors
+  - HTTP
+  - HTTPS
+  - Messages
+  - Resource
+  - Same Origin
+  - Same-origin
+  - Security
+  - Sharing
+  - Validation
+  - secure
+  - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: CORS disabled

+```html
+Reason: CORS disabled
+```
 
-
What went wrong?

+## What went wrong?
 
-
A request that needs to use {{Glossary("CORS")}} was attempted, but CORS is disabled in
-  the user's browser. When this happens, the user needs to turn CORS back on in their
-  browser.

+A request that needs to use {{Glossary("CORS")}} was attempted, but CORS is disabled in
+the user's browser. When this happens, the user needs to turn CORS back on in their
+browser.
 
-
In Firefox, the preference that disables CORS is content.cors.disable.
-  Setting this to true disables CORS, so whenever that's the case, CORS
-  requests will always fail with this error.

+In Firefox, the preference that disables CORS is `content.cors.disable`.
+Setting this to `true` disables CORS, so whenever that's the case, CORS
+requests will always fail with this error.
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
diff --git a/files/en-us/web/http/cors/errors/corsexternalredirectnotallowed/index.md b/files/en-us/web/http/cors/errors/corsexternalredirectnotallowed/index.md
index 4d2c5b07ef21c9a..80d2d22daf8d6b5 100644
--- a/files/en-us/web/http/cors/errors/corsexternalredirectnotallowed/index.md
+++ b/files/en-us/web/http/cors/errors/corsexternalredirectnotallowed/index.md
@@ -2,44 +2,43 @@
 title: 'Reason: CORS request external redirect not allowed'
 slug: Web/HTTP/CORS/Errors/CORSExternalRedirectNotAllowed
 tags:
-- CORS
-- CORSOriginHeaderNotAdded
-- Cross-Origin
-- Error
-- HTTP
-- HTTPS
-- Messages
-- Reasons
-- Security
-- console
-- troubleshooting
+  - CORS
+  - CORSOriginHeaderNotAdded
+  - Cross-Origin
+  - Error
+  - HTTP
+  - HTTPS
+  - Messages
+  - Reasons
+  - Security
+  - console
+  - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: CORS request external redirect not allowed

+```html
+Reason: CORS request external redirect not allowed
+```
 
-
What went wrong?

+## What went wrong?
 
-
The {{Glossary("CORS")}} request was responded to by the server with an HTTP redirect
-  to a URL on a different origin than the original request, which is not permitted during
-  CORS requests.

+The {{Glossary("CORS")}} request was responded to by the server with an HTTP redirect
+to a URL on a different origin than the original request, which is not permitted during
+CORS requests.
 
-
For example, if the page https://service.tld/fetchdata were requested, and
-  the HTTP response is "301 Moved Permanently", "307 Temporary Redirect", or "308
-  Permanent Redirect" with a Location of
-  https://anotherservice.net/getdata, the CORS request will fail in this
-  manner.

+For example, if the page `https://service.tld/fetchdata` were requested, and
+the HTTP response is "301 Moved Permanently", "307 Temporary Redirect", or "308
+Permanent Redirect" with a `Location` of
+`https://anotherservice.net/getdata`, the CORS request will fail in this
+manner.
 
-
To fix the problem, update your code to use the new URL as reported by the redirect,
-  thereby avoiding the redirect.

+To fix the problem, update your code to use the new URL as reported by the redirect,
+thereby avoiding the redirect.
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
diff --git a/files/en-us/web/http/cors/errors/corsinvalidallowheader/index.md b/files/en-us/web/http/cors/errors/corsinvalidallowheader/index.md
index 07c2cdda84be5df..f18f17cc9988eb1 100644
--- a/files/en-us/web/http/cors/errors/corsinvalidallowheader/index.md
+++ b/files/en-us/web/http/cors/errors/corsinvalidallowheader/index.md
@@ -2,47 +2,45 @@
 title: 'Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’'
 slug: Web/HTTP/CORS/Errors/CORSInvalidAllowHeader
 tags:
-- CORS
-- CORSInvalidAllowHeader
-- Cross-Origin
-- Error
-- HTTP
-- HTTPS
-- Messages
-- Reasons
-- Security
-- console
-- troubleshooting
+  - CORS
+  - CORSInvalidAllowHeader
+  - Cross-Origin
+  - Error
+  - HTTP
+  - HTTPS
+  - Messages
+  - Reasons
+  - Security
+  - console
+  - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’

+```html
+Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’
+```
 
-
What went wrong?

+## What went wrong?
 
-
The response to the {{Glossary("CORS")}} request that was sent by the server includes
-  an {{HTTPHeader("Access-Control-Allow-Headers")}} header which includes at least one
-  invalid header name.

+The response to the {{Glossary("CORS")}} request that was sent by the server includes
+an {{HTTPHeader("Access-Control-Allow-Headers")}} header which includes at least one
+invalid header name.
 
-
The Access-Control-Allow-Headers header is sent by the server in response
-  to a {{Glossary("preflight request")}}; it lets the client know which HTTP headers are permitted in CORS requests.
-  If the client {{Glossary("user agent")}} finds among the comma-delineated values
-  provided by the header any header name it does not recognize, this error occurs.

+The `Access-Control-Allow-Headers` header is sent by the server in response
+to a {{Glossary("preflight request")}}; it lets the client know which [HTTP headers](/en-US/docs/Web/HTTP/Headers) are permitted in CORS requests.
+If the client {{Glossary("user agent")}} finds among the comma-delineated values
+provided by the header any header name it does not recognize, this error occurs.
 
-
This is a problem that most likely can only be fixed on the server side, by modifying
-  the server's configuration to no longer send the invalid or unknown header name with the
-  Access-Control-Allow-Headers header. It may also be worth checking to
-  ensure that the user agent or HTTP library you're using on the client is up-to-date.

+This is a problem that most likely can only be fixed on the server side, by modifying
+the server's configuration to no longer send the invalid or unknown header name with the
+`Access-Control-Allow-Headers` header. It may also be worth checking to
+ensure that the user agent or HTTP library you're using on the client is up-to-date.
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
+- [HTTP headers](/en-US/docs/Web/HTTP/Headers)
diff --git a/files/en-us/web/http/cors/errors/corsinvalidallowmethod/index.md b/files/en-us/web/http/cors/errors/corsinvalidallowmethod/index.md
index 5b8a9fe6ddb0c19..4e10d3b19dcad9f 100644
--- a/files/en-us/web/http/cors/errors/corsinvalidallowmethod/index.md
+++ b/files/en-us/web/http/cors/errors/corsinvalidallowmethod/index.md
@@ -2,48 +2,47 @@
 title: 'Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’'
 slug: Web/HTTP/CORS/Errors/CORSInvalidAllowMethod
 tags:
-- CORS
-- CORSInvalidAllowMethod
-- Cross-Origin
-- Error
-- HTTP
-- HTTPS
-- Messages
-- Reasons
-- Security
-- console
-- troubleshooting
+  - CORS
+  - CORSInvalidAllowMethod
+  - Cross-Origin
+  - Error
+  - HTTP
+  - HTTPS
+  - Messages
+  - Reasons
+  - Security
+  - console
+  - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’

+```html
+Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’
+```
 
-
What went wrong?

+## What went wrong?
 
-
The response to the {{Glossary("CORS")}} request that was sent by the server includes
-  an {{HTTPHeader("Access-Control-Allow-Methods")}} header which includes at least one
-  invalid method name.

+The response to the {{Glossary("CORS")}} request that was sent by the server includes
+an {{HTTPHeader("Access-Control-Allow-Methods")}} header which includes at least one
+invalid method name.
 
-
The Access-Control-Allow-Methods header is sent by the server to let the
-  client know what HTTP request methods it
-  supports for CORS requests. The header's value is a comma-delineated string of HTTP
-  method names, such as {{HTTPMethod("GET")}}, {{HTTPMethod("POST")}}, or
-  {{HTTPMethod("HEAD")}}. If any of the specified values are not recognized by the client
-  {{Glossary("user agent")}}, this error occurs.

+The `Access-Control-Allow-Methods` header is sent by the server to let the
+client know what [HTTP request methods](/en-US/docs/Web/HTTP/Methods) it
+supports for CORS requests. The header's value is a comma-delineated string of HTTP
+method names, such as {{HTTPMethod("GET")}}, {{HTTPMethod("POST")}}, or
+{{HTTPMethod("HEAD")}}. If any of the specified values are not recognized by the client
+{{Glossary("user agent")}}, this error occurs.
 
-
This is a problem that most likely can only be fixed on the server side, by modifying
-  the server's configuration to no longer send the invalid or unknown method name with the
-  Access-Control-Allow-Methods header. It may also be worth checking to
-  ensure that the user agent or HTTP library you're using on the client is up-to-date.

+This is a problem that most likely can only be fixed on the server side, by modifying
+the server's configuration to no longer send the invalid or unknown method name with the
+`Access-Control-Allow-Methods` header. It may also be worth checking to
+ensure that the user agent or HTTP library you're using on the client is up-to-date.
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
+- [HTTP request methods](/en-US/docs/Web/HTTP/Methods)
diff --git a/files/en-us/web/http/cors/errors/corsmethodnotfound/index.md b/files/en-us/web/http/cors/errors/corsmethodnotfound/index.md
index bb0d5f8eb50860c..1717761cdebfb44 100644
--- a/files/en-us/web/http/cors/errors/corsmethodnotfound/index.md
+++ b/files/en-us/web/http/cors/errors/corsmethodnotfound/index.md
@@ -2,53 +2,50 @@
 title: 'Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’'
 slug: Web/HTTP/CORS/Errors/CORSMethodNotFound
 tags:
-- CORS
-- CORSMethodNotFound
-- Cross-Origin
-- Error
-- HTTP
-- HTTPS
-- Messages
-- Reasons
-- Security
-- console
-- troubleshooting
+  - CORS
+  - CORSMethodNotFound
+  - Cross-Origin
+  - Error
+  - HTTP
+  - HTTPS
+  - Messages
+  - Reasons
+  - Security
+  - console
+  - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’

+```html
+Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’
+```
 
-
What went wrong?

+## What went wrong?
 
-
The HTTP method being used by the {{Glossary("CORS")}} request is not included in the
-  list of methods specified by the response's
-  {{HTTPHeader("Access-Control-Allow-Methods")}} header. This header specifies a
-  comma-delineated list of the HTTP methods which may be used when using CORS to access
-  the URL specified in the request; if the request is using any other method, this error
-  occurs.

+The HTTP method being used by the {{Glossary("CORS")}} request is not included in the
+list of methods specified by the response's
+{{HTTPHeader("Access-Control-Allow-Methods")}} header. This header specifies a
+comma-delineated list of the HTTP methods which may be used when using CORS to access
+the URL specified in the request; if the request is using any other method, this error
+occurs.
 
-
For example, if the response includes:

+For example, if the response includes:
 
-
Access-Control-Allow-Methods: GET,HEAD,POST

+    Access-Control-Allow-Methods: GET,HEAD,POST
 
-
Trying to use a {{HTTPMethod("PUT")}} request will fail with this error.

+Trying to use a {{HTTPMethod("PUT")}} request will fail with this error.
 
-
Make sure your code only uses the permitted HTTP methods when accessing the service.
-

+Make sure your code only uses the permitted HTTP methods when accessing the service.
 
-
Note: If the server includes any unrecognized or undefined method
-  names in its Access-Control-Allow-methods header, a different error occurs:
-  Reason: invalid token ‘xyz' in CORS header ‘Access-Control-Allow-Methods’.
-

+**Note:** If the server includes any unrecognized or undefined method
+names in its `Access-Control-Allow-methods` header, a different error occurs:
+[`Reason: invalid token ‘xyz' in CORS header ‘Access-Control-Allow-Methods’`](/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowMethod).
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
+- [HTTP request methods](/en-US/docs/Web/HTTP/Methods)
diff --git a/files/en-us/web/http/cors/errors/corsmissingallowcredentials/index.md b/files/en-us/web/http/cors/errors/corsmissingallowcredentials/index.md
index 00b9f0e9e23a250..6f89fe8c4984670 100644
--- a/files/en-us/web/http/cors/errors/corsmissingallowcredentials/index.md
+++ b/files/en-us/web/http/cors/errors/corsmissingallowcredentials/index.md
@@ -2,53 +2,50 @@
 title: 'Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’'
 slug: Web/HTTP/CORS/Errors/CORSMIssingAllowCredentials
 tags:
-- CORS
-- CORSMissingAllowCredentials
-- Cross-Origin
-- Error
-- HTTP
-- HTTPS
-- Messages
-- Reasons
-- Security
-- console
-- troubleshooting
+  - CORS
+  - CORSMissingAllowCredentials
+  - Cross-Origin
+  - Error
+  - HTTP
+  - HTTPS
+  - Messages
+  - Reasons
+  - Security
+  - console
+  - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’

+```html
+Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’
+```
 
-
What went wrong?

+## What went wrong?
 
-
The {{Glossary("CORS")}} request requires that the server permit the use of
-  credentials, but the server's {{HTTPHeader("Access-Control-Allow-Credentials")}}
-  header's value isn't set to true to enable their use.

+The {{Glossary("CORS")}} request requires that the server permit the use of
+credentials, but the server's {{HTTPHeader("Access-Control-Allow-Credentials")}}
+header's value isn't set to `true` to enable their use.
 
-
To fix this problem on the client side, revise the code to not request the use of
-  credentials.

+To fix this problem on the client side, revise the code to not request the use of
+credentials.
 
-
    
-  
  • If the request is being issued using {{domxref("XMLHttpRequest")}}, make sure you're
-    not setting {{domxref("XMLHttpRequest.withCredentials", "withCredentials")}} to
-    true.
    • 
-  
  • If using Server-sent events,
-    make sure {{domxref("EventSource.withCredentials")}} is false (it's the
-    default value).
    • 
-  
  • If using the Fetch API, make sure
-    {{domxref("Request.credentials")}} is "omit".
    • 
-

+- If the request is being issued using {{domxref("XMLHttpRequest")}}, make sure you're
+  not setting {{domxref("XMLHttpRequest.withCredentials", "withCredentials")}} to
+  `true`.
+- If using [Server-sent events](/en-US/docs/Web/API/Server-sent_events),
+  make sure {{domxref("EventSource.withCredentials")}} is `false` (it's the
+  default value).
+- If using the [Fetch API](/en-US/docs/Web/API/Fetch_API), make sure
+  {{domxref("Request.credentials")}} is `"omit"`.
 
-
To eliminate this error by changing the server's configuration, adjust the server's
-  configuration to set the Access-Control-Allow-Credentials header's value to
-  true.

+To eliminate this error by changing the server's configuration, adjust the server's
+configuration to set the `Access-Control-Allow-Credentials` header's value to
+`true`.
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
diff --git a/files/en-us/web/http/cors/errors/corsmissingallowheaderfrompreflight/index.md b/files/en-us/web/http/cors/errors/corsmissingallowheaderfrompreflight/index.md
index 6018e4939796ffd..35324bd84f68cbc 100644
--- a/files/en-us/web/http/cors/errors/corsmissingallowheaderfrompreflight/index.md
+++ b/files/en-us/web/http/cors/errors/corsmissingallowheaderfrompreflight/index.md
@@ -16,23 +16,23 @@ tags:
   - console
   - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: missing token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel

+```html
+Reason: missing token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel
+```
 
-
What went wrong?

+## What went wrong?
 
-
The Access-Control-Allow-Headers header is sent by the server to let the client know which headers it supports for {{Glossary("CORS")}} requests. The value of Access-Control-Allow-Headers should be a comma-delineated list of header names, such as "X-Custom-Information" or any of the standard but non-basic header names (which are always allowed).

+The `Access-Control-Allow-Headers` header is sent by the server to let the client know which headers it supports for {{Glossary("CORS")}} requests. The value of `Access-Control-Allow-Headers` should be a comma-delineated list of header names, such as "`X-Custom-Information`" or any of the standard but non-basic header names (which are always allowed).
 
-
This error occurs when attempting to preflight a header that is not expressly allowed (that is, it's not included in the list specified by the Access-Control-Allow-Headers header sent by the server). To fix this, the server needs to be updated so that it allows the indicated header, or you need to avoid using that header.

+This error occurs when attempting to preflight a header that is not expressly allowed (that is, it's not included in the list specified by the `Access-Control-Allow-Headers` header sent by the server). To fix this, the server needs to be updated so that it allows the indicated header, or you need to avoid using that header.
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
+- [HTTP headers](/en-US/docs/Web/HTTP/Headers)
diff --git a/files/en-us/web/http/cors/errors/corsmissingalloworigin/index.md b/files/en-us/web/http/cors/errors/corsmissingalloworigin/index.md
index 08cc9c4976e38ae..71c7911c33b401f 100644
--- a/files/en-us/web/http/cors/errors/corsmissingalloworigin/index.md
+++ b/files/en-us/web/http/cors/errors/corsmissingalloworigin/index.md
@@ -2,79 +2,75 @@
 title: 'Reason: CORS header ''Access-Control-Allow-Origin'' missing'
 slug: Web/HTTP/CORS/Errors/CORSMissingAllowOrigin
 tags:
-- CORS
-- CORSMissingAllowOrigin
-- Cross-Origin
-- Error
-- HTTP
-- HTTPS
-- Messages
-- Reasons
-- Security
-- console
-- troubleshooting
+  - CORS
+  - CORSMissingAllowOrigin
+  - Cross-Origin
+  - Error
+  - HTTP
+  - HTTPS
+  - Messages
+  - Reasons
+  - Security
+  - console
+  - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: CORS header 'Access-Control-Allow-Origin' missing

+```html
+Reason: CORS header 'Access-Control-Allow-Origin' missing
+```
 
-
What went wrong?

+## What went wrong?
 
-
The response to the {{Glossary("CORS")}} request is missing the required
-  {{HTTPHeader("Access-Control-Allow-Origin")}} header, which is used to determine whether
-  or not the resource can be accessed by content operating within the current origin.

+The response to the {{Glossary("CORS")}} request is missing the required
+{{HTTPHeader("Access-Control-Allow-Origin")}} header, which is used to determine whether
+or not the resource can be accessed by content operating within the current origin.
 
-
If the server is under your control, add the origin of the requesting site to the set
-  of domains permitted access by adding it to the Access-Control-Allow-Origin
-  header's value.

+If the server is under your control, add the origin of the requesting site to the set
+of domains permitted access by adding it to the `Access-Control-Allow-Origin`
+header's value.
 
-
For example, to allow a site at https://amazing.site to access the resource using CORS,
-  the header should be:

+For example, to allow a site at https\://amazing.site to access the resource using CORS,
+the header should be:
 
-
Access-Control-Allow-Origin: https://amazing.site

+    Access-Control-Allow-Origin: https://amazing.site
 
-
You can also configure a site to allow any site to access it by using the
-  * wildcard. You should only use this for public APIs. Private APIs should
-  never use *, and should instead have a specific domain or domains set. In
-  addition, the wildcard only works for requests made with the
-  {{htmlattrxref("crossorigin")}} attribute set to anonymous, and it prevents
-  sending credentials like cookies in requests.

+You can also configure a site to allow any site to access it by using the
+`*` wildcard. You should only use this for public APIs. Private APIs should
+never use `*`, and should instead have a specific domain or domains set. In
+addition, the wildcard only works for requests made with the
+{{htmlattrxref("crossorigin")}} attribute set to `anonymous`, and it prevents
+sending credentials like cookies in requests.
 
-
Access-Control-Allow-Origin: *

+    Access-Control-Allow-Origin: *
 
-

-  
Warning: Using the wildcard to allow all sites to access a private
-    API is a bad idea.

-

+> **Warning:** Using the wildcard to allow all sites to access a private
+> API is a bad idea.
 
-
To allow any site to make CORS requests without using the *
-  wildcard (for example, to enable credentials), your server must read the value of the
-  request's Origin header and use that value to set
-  Access-Control-Allow-Origin, and must also set a Vary: Origin
-  header to indicate that some headers are being set dynamically depending on the origin.
-

+To allow any site to make CORS requests _without_ using the `*`
+wildcard (for example, to enable credentials), your server must read the value of the
+request's `Origin` header and use that value to set
+`Access-Control-Allow-Origin`, and must also set a `Vary: Origin`
+header to indicate that some headers are being set dynamically depending on the origin.
 
-
The exact directive for setting headers depends on your web server. In Apache, add a
-  line such as the following to the server's configuration (within the appropriate
-  <Directory>, <Location>,
-  <Files>, or <VirtualHost> section). The
-  configuration is typically found in a .conf file (httpd.conf
-  and apache.conf are common names for these), or in an
-  .htaccess file.

+The exact directive for setting headers depends on your web server. In Apache, add a
+line such as the following to the server's configuration (within the appropriate
+``, ``,
+``, or `` section). The
+configuration is typically found in a `.conf` file (`httpd.conf`
+and `apache.conf` are common names for these), or in an
+`.htaccess` file.
 
-
Header set Access-Control-Allow-Origin 'origin-list'

+    Header set Access-Control-Allow-Origin 'origin-list'
 
-
For Nginx, the command to set up this header is:

+For Nginx, the command to set up this header is:
 
-
add_header 'Access-Control-Allow-Origin' 'origin-list';

+    add_header 'Access-Control-Allow-Origin' 'origin-list';
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
diff --git a/files/en-us/web/http/cors/errors/corsmultiplealloworiginnotallowed/index.md b/files/en-us/web/http/cors/errors/corsmultiplealloworiginnotallowed/index.md
index d67312ec27598c3..530d6b73e7b98ca 100644
--- a/files/en-us/web/http/cors/errors/corsmultiplealloworiginnotallowed/index.md
+++ b/files/en-us/web/http/cors/errors/corsmultiplealloworiginnotallowed/index.md
@@ -2,41 +2,40 @@
 title: 'Reason: Multiple CORS header ''Access-Control-Allow-Origin'' not allowed'
 slug: Web/HTTP/CORS/Errors/CORSMultipleAllowOriginNotAllowed
 tags:
-- CORS
-- CORSMultipleAllowOriginNotAllowed
-- Cross-Origin
-- Error
-- HTTP
-- HTTPS
-- Messages
-- Reasons
-- Security
-- console
-- troubleshooting
+  - CORS
+  - CORSMultipleAllowOriginNotAllowed
+  - Cross-Origin
+  - Error
+  - HTTP
+  - HTTPS
+  - Messages
+  - Reasons
+  - Security
+  - console
+  - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: Multiple CORS header ‘Access-Control-Allow-Origin’ not allowed

+```html
+Reason: Multiple CORS header ‘Access-Control-Allow-Origin’ not allowed
+```
 
-
What went wrong?

+## What went wrong?
 
-
More than one {{HTTPHeader("Access-Control-Allow-Origin")}} header was sent by the
-  server. This isn't allowed.

+More than one {{HTTPHeader("Access-Control-Allow-Origin")}} header was sent by the
+server. This isn't allowed.
 
-
If you have access to the server you can change your implementation to echo back an
-  origin in the Access-Control-Allow-Origin header. You cannot send back a
-  list of origins, because browsers only accept a value that is either a single origin or
-  null 

+If you have access to the server you can change your implementation to echo back an
+origin in the `Access-Control-Allow-Origin` header. You cannot send back a
+list of origins, because browsers only accept a value that is either a single origin or
+null
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
+- [Enable CORS: I want to add CORS
+  support to my server](https://enable-cors.org/server.html)
diff --git a/files/en-us/web/http/cors/errors/corsnotsupportingcredentials/index.md b/files/en-us/web/http/cors/errors/corsnotsupportingcredentials/index.md
index 9d0c542c5219a44..835a1fed02fd3fa 100644
--- a/files/en-us/web/http/cors/errors/corsnotsupportingcredentials/index.md
+++ b/files/en-us/web/http/cors/errors/corsnotsupportingcredentials/index.md
@@ -16,30 +16,28 @@ tags:
   - console
   - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’

+```html
+Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’
+```
 
-
What went wrong?

+## What went wrong?
 
-
The {{Glossary("CORS")}} request was attempted with the credentials flag set, but the server is configured using the wildcard ("*") as the value of {{HTTPHeader("Access-Control-Allow-Origin")}}, which doesn't allow the use of credentials.

+The {{Glossary("CORS")}} request was attempted with the credentials flag set, but the server is configured using the wildcard (`"*"`) as the value of {{HTTPHeader("Access-Control-Allow-Origin")}}, which doesn't allow the use of credentials.
 
-
To correct this problem on the client side, ensure that the credentials flag's value is false when issuing your CORS request.

+To correct this problem on the client side, ensure that the credentials flag's value is `false` when issuing your CORS request.
 
-
    
- 
  • If the request is being issued using {{domxref("XMLHttpRequest")}}, make sure you're not setting {{domxref("XMLHttpRequest.withCredentials", "withCredentials")}} to true.
    • 
- 
  • If using Server-sent events, make sure {{domxref("EventSource.withCredentials")}} is false (it's the default value).
    • 
- 
  • If using the Fetch API, make sure {{domxref("Request.credentials")}} is "omit".
    • 
-

+- If the request is being issued using {{domxref("XMLHttpRequest")}}, make sure you're not setting {{domxref("XMLHttpRequest.withCredentials", "withCredentials")}} to `true`.
+- If using [Server-sent events](/en-US/docs/Web/API/Server-sent_events), make sure {{domxref("EventSource.withCredentials")}} is `false` (it's the default value).
+- If using the [Fetch API](/en-US/docs/Web/API/Fetch_API), make sure {{domxref("Request.credentials")}} is `"omit"`.
 
-
If, instead, you need to adjust the server's behavior, you'll need to change the value of Access-Control-Allow-Origin to grant access to the origin from which the client is loaded.

+If, instead, you need to adjust the server's behavior, you'll need to change the value of `Access-Control-Allow-Origin` to grant access to the origin from which the client is loaded.
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
diff --git a/files/en-us/web/http/cors/errors/corsoriginheadernotadded/index.md b/files/en-us/web/http/cors/errors/corsoriginheadernotadded/index.md
index 6b6033274a7e738..f86ad85b15f6ae9 100644
--- a/files/en-us/web/http/cors/errors/corsoriginheadernotadded/index.md
+++ b/files/en-us/web/http/cors/errors/corsoriginheadernotadded/index.md
@@ -2,37 +2,37 @@
 title: 'Reason: CORS header ‘Origin’ cannot be added'
 slug: Web/HTTP/CORS/Errors/CORSOriginHeaderNotAdded
 tags:
-- CORS
-- CORSOriginHeaderNotAdded
-- Cross-Origin
-- Error
-- HTTP
-- HTTPS
-- Messages
-- Reasons
-- Security
-- console
-- troubleshooting
+  - CORS
+  - CORSOriginHeaderNotAdded
+  - Cross-Origin
+  - Error
+  - HTTP
+  - HTTPS
+  - Messages
+  - Reasons
+  - Security
+  - console
+  - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: CORS header ‘Origin’ cannot be added

+```html
+Reason: CORS header ‘Origin’ cannot be added
+```
 
-
What went wrong?

+## What went wrong?
 
-
The {{Glossary("user agent")}} was unable to add the required {{HTTPHeader("Origin")}}
-  header to the {{Glossary("HTTP")}} request. All CORS requests must have an
-  Origin header.

+The {{Glossary("user agent")}} was unable to add the required {{HTTPHeader("Origin")}}
+header to the {{Glossary("HTTP")}} request. All CORS requests must have an
+`Origin` header.
 
-
This can happen if the JavaScript code is running with enhanced privileges allowing it
-  access to multiple domains' content, for example.

+This can happen if the JavaScript code is running with enhanced privileges allowing it
+access to multiple domains' content, for example.
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
diff --git a/files/en-us/web/http/cors/errors/corspreflightdidnotsucceed/index.md b/files/en-us/web/http/cors/errors/corspreflightdidnotsucceed/index.md
index a10afe6e7260969..aa24b1187925652 100644
--- a/files/en-us/web/http/cors/errors/corspreflightdidnotsucceed/index.md
+++ b/files/en-us/web/http/cors/errors/corspreflightdidnotsucceed/index.md
@@ -2,41 +2,39 @@
 title: 'Reason: CORS preflight channel did not succeed'
 slug: Web/HTTP/CORS/Errors/CORSPreflightDidNotSucceed
 tags:
-- CORS
-- CORSPreflightDidNotSucceed
-- Cross-Origin
-- Error
-- HTTP
-- HTTPS
-- Messages
-- Reasons
-- Security
-- console
-- troubleshooting
+  - CORS
+  - CORSPreflightDidNotSucceed
+  - Cross-Origin
+  - Error
+  - HTTP
+  - HTTPS
+  - Messages
+  - Reasons
+  - Security
+  - console
+  - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: CORS preflight channel did not succeed

+```html
+Reason: CORS preflight channel did not succeed
+```
 
-
What went wrong?

+## What went wrong?
 
-
The {{Glossary("CORS")}} request requires  preflight, preflighting could not be
-  performed. There are a couple of reasons why preflighting might fail:

+The {{Glossary("CORS")}} request requires  preflight, preflighting could not be
+performed. There are a couple of reasons why preflighting might fail:
 
-
    
-  
  • A cross-site request has previously been performed that already did a preflight, and
-    doing the preflight again is not permitted. Make sure your code only preflights once
-    per connection.
    • 
-  
  • The preflight request suffered any kind of networking error that might ordinarily
-    occur.
    • 
-

+- A cross-site request has previously been performed that already did a preflight, and
+  doing the preflight again is not permitted. Make sure your code only preflights once
+  per connection.
+- The preflight request suffered any kind of networking error that might ordinarily
+  occur.
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
diff --git a/files/en-us/web/http/cors/errors/corsrequestnothttp/index.md b/files/en-us/web/http/cors/errors/corsrequestnothttp/index.md
index a532bb998e19895..3f608973724c1f4 100644
--- a/files/en-us/web/http/cors/errors/corsrequestnothttp/index.md
+++ b/files/en-us/web/http/cors/errors/corsrequestnothttp/index.md
@@ -2,55 +2,53 @@
 title: 'Reason: CORS request not HTTP'
 slug: Web/HTTP/CORS/Errors/CORSRequestNotHttp
 tags:
-- CORS
-- CORSRequestNotHttp
-- Cross-Origin
-- Error
-- HTTP
-- HTTPS
-- Messages
-- Reasons
-- Security
-- console
-- troubleshooting
+  - CORS
+  - CORSRequestNotHttp
+  - Cross-Origin
+  - Error
+  - HTTP
+  - HTTPS
+  - Messages
+  - Reasons
+  - Security
+  - console
+  - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Reason

+## Reason
 
-
Reason: CORS request not HTTP

+```html
+Reason: CORS request not HTTP
+```
 
-
What went wrong?

+## What went wrong?
 
-
{{Glossary("CORS")}} requests may only use the HTTPS URL scheme, but the URL specified
-  by the request is of a different type. This often occurs if the URL specifies a local
-  file, using a file:/// URL.

+{{Glossary("CORS")}} requests may only use the HTTPS URL scheme, but the URL specified
+by the request is of a different type. This often occurs if the URL specifies a local
+file, using a `file:///` URL.
 
-
To fix this problem, make sure you use HTTPS URLs when issuing requests involving CORS,
-  such as {{domxref("XMLHttpRequest")}}, Fetch
-  APIs, Web Fonts (@font-face), and WebGL
-    textures, and XSL stylesheets.

+To fix this problem, make sure you use HTTPS URLs when issuing requests involving CORS,
+such as {{domxref("XMLHttpRequest")}}, [Fetch](/en-US/docs/Web/API/Fetch_API)
+APIs, Web Fonts (`@font-face`), and [WebGL
+textures](/en-US/docs/Web/API/WebGL_API/Tutorial/Using_textures_in_WebGL), and XSL stylesheets.
 
-
Local File Security in Firefox 68

+### Local File Security in Firefox 68
 
-
When a user opened a page using a file:/// URI in Firefox 67 and earlier,
-  the origin of the page was defined as the directory from which the page was opened.
-  Resources in the same directory and its subdirectories were treated as having the same
-  origin for purposes of the CORS same-origin rule.

+When a user opened a page using a `file:///` URI in Firefox 67 and earlier,
+the origin of the page was defined as the directory from which the page was opened.
+Resources in the same directory and its subdirectories were treated as having the same
+origin for purposes of the CORS same-origin rule.
 
-
In response to CVE-2019-11730,
-  Firefox 68 and later define the origin of a page opened using a file:///
-  URI as unique. Therefore, other resources in the same directory or its subdirectories no
-  longer satisfy the CORS same-origin rule. This new behavior is enabled by default using
-  the privacy.file_unique_origin preference.

+In response to [CVE-2019-11730](https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11730),
+Firefox 68 and later define the origin of a page opened using a `file:///`
+URI as unique. Therefore, other resources in the same directory or its subdirectories no
+longer satisfy the CORS same-origin rule. This new behavior is enabled by default using
+the `privacy.file_unique_origin` preference.
 
-
See also

+## See also
 
-
+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
+- [What is a URL?](/en-US/docs/Learn/Common_questions/What_is_a_URL)
diff --git a/files/en-us/web/http/cors/errors/index.md b/files/en-us/web/http/cors/errors/index.md
index 2ee1ce61f32e089..b5cbf7342a21eba 100644
--- a/files/en-us/web/http/cors/errors/index.md
+++ b/files/en-us/web/http/cors/errors/index.md
@@ -12,62 +12,54 @@ tags:
   - console
   - troubleshooting
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Cross-Origin Resource Sharing ({{Glossary("CORS")}}) is a standard that allows a server to relax the same-origin policy. This is used to explicitly allow some cross-origin requests while rejecting others. For example, if a site offers an embeddable service, it may be necessary to relax certain restrictions. Setting up such a CORS configuration isn't necessarily easy and may present some challenges. In these pages, we'll look into some common CORS error messages and how to resolve them.

+[Cross-Origin Resource Sharing](/en-US/docs/Web/HTTP/CORS) ({{Glossary("CORS")}}) is a standard that allows a server to relax the [same-origin policy](/en-US/docs/Web/Security/Same-origin_policy). This is used to explicitly allow some cross-origin requests while rejecting others. For example, if a site offers an embeddable service, it may be necessary to relax certain restrictions. Setting up such a CORS configuration isn't necessarily easy and may present some challenges. In these pages, we'll look into some common CORS error messages and how to resolve them.
 
-
If the CORS configuration isn't setup correctly, the browser console will present an error like "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at $somesite" indicating that the request was blocked due to violating the CORS security rules. This might not necessarily be a set-up mistake, though. It's possible that the request is in fact intentionally being disallowed by the user's web application and remote external service. However, If the endpoint is meant to be available, some debugging is needed to succeed.

+If the CORS configuration isn't setup correctly, the browser console will present an error like `"Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at $somesite"` indicating that the request was blocked due to violating the CORS security rules. This might not necessarily be a set-up mistake, though. It's possible that the request is in fact intentionally being disallowed by the user's web application and remote external service. However, If the endpoint is meant to be available, some debugging is needed to succeed.
 
-
Identifying the issue

+## Identifying the issue
 
-
To understand the underlying issue with the CORS configuration, you need to find out which request is at fault and why. These steps may help you do so:

+To understand the underlying issue with the CORS configuration, you need to find out which request is at fault and why. These steps may help you do so:
 
-
    
- 
  1. Navigate to the web site or web app in question and open the Developer Tools.
    2. 
- 
  2. Now try to reproduce the failing transaction and check the console if you are seeing a CORS violation error message. It will probably look like this:
    3. 
-

+1.  Navigate to the web site or web app in question and open the [Developer Tools](/en-US/docs/Tools).
+2.  Now try to reproduce the failing transaction and check the [console](/en-US/docs/Tools/Web_Console) if you are seeing a CORS violation error message. It will probably look like this:
 
-
Firefox console showing CORS error

+![Firefox console showing CORS error](cors-error2.png)
 
-
The text of the error message will be something similar to the following:

+The text of the error message will be something similar to the following:
 
-
Cross-Origin Request Blocked: The Same Origin Policy disallows
-reading the remote resource at https://some-url-here. (Reason:
-additional information here).

+    Cross-Origin Request Blocked: The Same Origin Policy disallows
+    reading the remote resource at https://some-url-here. (Reason:
+    additional information here).
 
-

-  
Note: For security reasons, specifics about what went wrong with a CORS request are not available to JavaScript code. All the code knows is that an error occurred. The only way to determine what specifically went wrong is to look at the browser's console for details.

-

+> **Note:** For security reasons, specifics about what went wrong with a CORS request _are not available to JavaScript code_. All the code knows is that an error occurred. The only way to determine what specifically went wrong is to look at the browser's console for details.
 
-
CORS error messages

+## CORS error messages
 
-
Firefox's console displays messages in its console when requests fail due to CORS. Part of the error text is a "reason" message that provides added insight into what went wrong.  The reason messages are listed below; click the message to open an article explaining the error in more detail and offering possible solutions.

+Firefox's console displays messages in its console when requests fail due to CORS. Part of the error text is a "reason" message that provides added insight into what went wrong.  The reason messages are listed below; click the message to open an article explaining the error in more detail and offering possible solutions.
 
-
+- [Reason: CORS disabled](/en-US/docs/Web/HTTP/CORS/Errors/CORSDisabled)
+- [Reason: CORS request did not succeed](/en-US/docs/Web/HTTP/CORS/Errors/CORSDidNotSucceed)
+- [Reason: CORS header ‘Origin’ cannot be added](/en-US/docs/Web/HTTP/CORS/Errors/CORSOriginHeaderNotAdded)
+- [Reason: CORS request external redirect not allowed](/en-US/docs/Web/HTTP/CORS/Errors/CORSExternalRedirectNotAllowed)
+- [Reason: CORS request not http](/en-US/docs/Web/HTTP/CORS/Errors/CORSRequestNotHttp)
+- [Reason: CORS header ‘Access-Control-Allow-Origin’ missing](/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowOrigin)
+- [Reason: CORS header ‘Access-Control-Allow-Origin’ does not match ‘xyz’](/en-US/docs/Web/HTTP/CORS/Errors/CORSAllowOriginNotMatchingOrigin)
+- [Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘\*’](/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials)
+- [Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’](/en-US/docs/Web/HTTP/CORS/Errors/CORSMethodNotFound)
+- [Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’](/en-US/docs/Web/HTTP/CORS/Errors/CORSMIssingAllowCredentials)
+- [Reason: CORS preflight channel did not succeed](/en-US/docs/Web/HTTP/CORS/Errors/CORSPreflightDidNotSucceed)
+- [Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’](/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowMethod)
+- [Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’](/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowHeader)
+- [Reason: missing token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel](/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowHeaderFromPreflight)
+- [Reason: Multiple CORS header ‘Access-Control-Allow-Origin’ not allowed](/en-US/docs/Web/HTTP/CORS/Errors/CORSMultipleAllowOriginNotAllowed)
 
-
See also

+## See also
 
-
+- Glossary: {{Glossary("CORS")}}
+- [CORS introduction](/en-US/docs/Web/HTTP/CORS)
+- [Server-side CORS settings](/en-US/docs/Web/HTTP/CORS)
+- [CORS enabled image](/en-US/docs/Web/HTML/CORS_enabled_image)
+- [CORS settings attributes](/en-US/docs/Web/HTML/Attributes/crossorigin)
+-  – page to test CORS requests
diff --git a/files/en-us/web/http/cors/index.md b/files/en-us/web/http/cors/index.md
index cee68d75b751a90..1edccc762f88e34 100644
--- a/files/en-us/web/http/cors/index.md
+++ b/files/en-us/web/http/cors/index.md
@@ -14,285 +14,262 @@ tags:
   - XMLHttpRequest
   - l10n:priority
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Cross-Origin Resource Sharing ({{Glossary("CORS")}}) is an {{Glossary("HTTP")}}-header based mechanism that allows a server to indicate any {{glossary("origin")}}s (domain, scheme, or port) other than its own from which a browser should permit loading of resources. CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.

+**Cross-Origin Resource Sharing** ({{Glossary("CORS")}}) is an {{Glossary("HTTP")}}-header based mechanism that allows a server to indicate any {{glossary("origin")}}s (domain, scheme, or port) other than its own from which a browser should permit loading of resources. CORS also relies on a mechanism by which browsers make a "preflight" request to the server hosting the cross-origin resource, in order to check that the server will permit the actual request. In that preflight, the browser sends headers that indicate the HTTP method and headers that will be used in the actual request.
 
-
An example of a cross-origin request: the front-end JavaScript code served from https://domain-a.com uses {{domxref("XMLHttpRequest")}} to make a request for https://domain-b.com/data.json.

+An example of a cross-origin request: the front-end JavaScript code served from `https://domain-a.com` uses {{domxref("XMLHttpRequest")}} to make a request for `https://domain-b.com/data.json`.
 
-
For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. For example, XMLHttpRequest and the Fetch API follow the same-origin policy. This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers.

+For security reasons, browsers restrict cross-origin HTTP requests initiated from scripts. For example, `XMLHttpRequest` and the [Fetch API](/en-US/docs/Web/API/Fetch_API) follow the [same-origin policy](/en-US/docs/Web/Security/Same-origin_policy). This means that a web application using those APIs can only request resources from the same origin the application was loaded from unless the response from other origins includes the right CORS headers.
 
-

+![](cors_principle.png)
 
-
The CORS mechanism supports secure cross-origin requests and data transfers between browsers and servers. Modern browsers use CORS in APIs such as XMLHttpRequest or Fetch to mitigate the risks of cross-origin HTTP requests.

+The CORS mechanism supports secure cross-origin requests and data transfers between browsers and servers. Modern browsers use CORS in APIs such as `XMLHttpRequest` or [Fetch](/en-US/docs/Web/API/Fetch_API) to mitigate the risks of cross-origin HTTP requests.
 
-
Who should read this article?

+## Who should read this article?
 
-
Everyone, really.

+Everyone, really.
 
-
More specifically, this article is for web administrators, server developers, and front-end developers. Modern browsers handle the client side of cross-origin sharing, including headers and policy enforcement. But the CORS standard means servers have to handle new request and response headers.

+More specifically, this article is for **web administrators**, **server developers**, and **front-end developers**. Modern browsers handle the client side of cross-origin sharing, including headers and policy enforcement. But the CORS standard means servers have to handle new request and response headers.
 
-
What requests use CORS?

+## What requests use CORS?
 
-
This cross-origin sharing standard can enable cross-site HTTP requests for:

+This [cross-origin sharing standard](https://fetch.spec.whatwg.org/#http-cors-protocol) can enable cross-site HTTP requests for:
 
-
+- Invocations of the {{domxref("XMLHttpRequest")}} or [Fetch APIs](/en-US/docs/Web/API/Fetch_API), as discussed above.
+- Web Fonts (for cross-domain font usage in `@font-face` within CSS), [so that servers can deploy TrueType fonts that can only be cross-site loaded and used by web sites that are permitted to do so.](https://www.w3.org/TR/css-fonts-3/#font-fetching-requirements)
+- [WebGL textures](/en-US/docs/Web/API/WebGL_API/Tutorial/Using_textures_in_WebGL).
+- Images/video frames drawn to a canvas using {{domxref("CanvasRenderingContext2D.drawImage()", "drawImage()")}}.
+- [CSS Shapes from images.](/en-US/docs/Web/CSS/CSS_Shapes/Shapes_From_Images)
 
-
This article is a general discussion of Cross-Origin Resource Sharing and includes a discussion of the necessary HTTP headers.

+This article is a general discussion of Cross-Origin Resource Sharing and includes a discussion of the necessary HTTP headers.
 
-
Functional overview

+## Functional overview
 
-
The Cross-Origin Resource Sharing standard works by adding new HTTP headers that let servers describe which origins are permitted to read that information from a web browser. Additionally, for HTTP request methods that can cause side-effects on server data (in particular, HTTP methods other than {{HTTPMethod("GET")}}, or {{HTTPMethod("POST")}} with certain MIME types), the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with the HTTP {{HTTPMethod("OPTIONS")}} request method, and then, upon "approval" from the server, sending the actual request. Servers can also inform clients whether "credentials" (such as Cookies and HTTP Authentication) should be sent with requests.

+The Cross-Origin Resource Sharing standard works by adding new [HTTP headers](/en-US/docs/Web/HTTP/Headers) that let servers describe which origins are permitted to read that information from a web browser. Additionally, for HTTP request methods that can cause side-effects on server data (in particular, HTTP methods other than {{HTTPMethod("GET")}}, or {{HTTPMethod("POST")}} with certain [MIME types](/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types)), the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with the HTTP {{HTTPMethod("OPTIONS")}} request method, and then, upon "approval" from the server, sending the actual request. Servers can also inform clients whether "credentials" (such as [Cookies](/en-US/docs/Web/HTTP/Cookies) and [HTTP Authentication](/en-US/docs/Web/HTTP/Authentication)) should be sent with requests.
 
-
CORS failures result in errors, but for security reasons, specifics about the error are not available to JavaScript. All the code knows is that an error occurred. The only way to determine what specifically went wrong is to look at the browser's console for details.

+CORS failures result in errors, but for security reasons, specifics about the error _are not available to JavaScript_. All the code knows is that an error occurred. The only way to determine what specifically went wrong is to look at the browser's console for details.
 
-
Subsequent sections discuss scenarios, as well as provide a breakdown of the HTTP headers used.

+Subsequent sections discuss scenarios, as well as provide a breakdown of the HTTP headers used.
 
-
Examples of access control scenarios

+## Examples of access control scenarios
 
-
We present three scenarios that demonstrate how Cross-Origin Resource Sharing works. All these examples use {{domxref("XMLHttpRequest")}}, which can make cross-site requests in any supporting browser.

+We present three scenarios that demonstrate how Cross-Origin Resource Sharing works. All these examples use {{domxref("XMLHttpRequest")}}, which can make cross-site requests in any supporting browser.
 
-
Simple requests

+### Simple requests
 
-
Some requests don't trigger a {{Glossary("Preflight_request","CORS preflight")}}. Those are called simple requests, though the {{SpecName('Fetch')}} spec (which defines CORS) doesn't use that term. A simple request is one that meets all the following conditions:

+Some requests don't trigger a {{Glossary("Preflight_request","CORS preflight")}}. Those are called _simple requests_, though the {{SpecName('Fetch')}} spec (which defines CORS) doesn't use that term. A _simple request_ is one that **meets all the following conditions**:
 
-
    
- 
  • One of the allowed methods:
-  
      
-   
    • {{HTTPMethod("GET")}}
      • 
-   
    • {{HTTPMethod("HEAD")}}
      • 
-   
    • {{HTTPMethod("POST")}}
      • 
-  
    
- 
    • 
- 
  • Apart from the headers automatically set by the user agent (for example, {{HTTPHeader("Connection")}}, {{HTTPHeader("User-Agent")}}, or the other headers defined in the Fetch spec as a forbidden header name), the only headers which are allowed to be manually set are those which the Fetch spec defines as a CORS-safelisted request-header, which are:
-  
      
-   
    • {{HTTPHeader("Accept")}}
      • 
-   
    • {{HTTPHeader("Accept-Language")}}
      • 
-   
    • {{HTTPHeader("Content-Language")}}
      • 
-   
    • {{HTTPHeader("Content-Type")}} (but note the additional requirements below)
      • 
-  
    
- 
    • 
- 
  • The only allowed values for the {{HTTPHeader("Content-Type")}} header are:
-  
      
-   
    • application/x-www-form-urlencoded
      • 
-   
    • multipart/form-data
      • 
-   
    • text/plain
      • 
-  
    
- 
    • 
- 
  • If the request is made using an {{domxref("XMLHttpRequest")}} object, no event listeners are registered on the object returned by the {{domxref("XMLHttpRequest.upload")}} property used in the request; that is, given an {{domxref("XMLHttpRequest")}} instance xhr, no code has called xhr.upload.addEventListener() to add an event listener to monitor the upload.
    • 
- 
  • No {{domxref("ReadableStream")}} object is used in the request.
    • 
-

+- One of the allowed methods:
 
-

-  
Note: WebKit Nightly and Safari Technology Preview place additional restrictions on the values allowed in the {{HTTPHeader("Accept")}}, {{HTTPHeader("Accept-Language")}}, and {{HTTPHeader("Content-Language")}} headers. If any of those headers have "nonstandard" values, WebKit/Safari does not consider the request to be a "simple request". What values WebKit/Safari consider "nonstandard" is not documented, except in the following WebKit bugs:

-  
-  
No other browsers implement these extra restrictions, because they're not part of the spec.

-

+  - {{HTTPMethod("GET")}}
+  - {{HTTPMethod("HEAD")}}
+  - {{HTTPMethod("POST")}}
 
-
For example, suppose web content at https://foo.example wishes to invoke content on domain https://bar.other. Code of this sort might be used in JavaScript deployed on foo.example:

+- Apart from the headers automatically set by the user agent (for example, {{HTTPHeader("Connection")}}, {{HTTPHeader("User-Agent")}}, or [the other headers defined in the Fetch spec as a _forbidden header name_](https://fetch.spec.whatwg.org/#forbidden-header-name)), the only headers which are allowed to be manually set are [those which the Fetch spec defines as a CORS-safelisted request-header](https://fetch.spec.whatwg.org/#cors-safelisted-request-header), which are:
 
-
const xhr = new XMLHttpRequest();
+  - {{HTTPHeader("Accept")}}
+  - {{HTTPHeader("Accept-Language")}}
+  - {{HTTPHeader("Content-Language")}}
+  - {{HTTPHeader("Content-Type")}} (but note the additional requirements below)
+
+- The only allowed values for the {{HTTPHeader("Content-Type")}} header are:
+
+  - `application/x-www-form-urlencoded`
+  - `multipart/form-data`
+  - `text/plain`
+
+- If the request is made using an {{domxref("XMLHttpRequest")}} object, no event listeners are registered on the object returned by the {{domxref("XMLHttpRequest.upload")}} property used in the request; that is, given an {{domxref("XMLHttpRequest")}} instance `xhr`, no code has called `xhr.upload.addEventListener()` to add an event listener to monitor the upload.
+- No {{domxref("ReadableStream")}} object is used in the request.
+
+> **Note:** WebKit Nightly and Safari Technology Preview place additional restrictions on the values allowed in the {{HTTPHeader("Accept")}}, {{HTTPHeader("Accept-Language")}}, and {{HTTPHeader("Content-Language")}} headers. If any of those headers have "nonstandard" values, WebKit/Safari does not consider the request to be a "simple request". What values WebKit/Safari consider "nonstandard" is not documented, except in the following WebKit bugs:
+>
+> - [Require preflight for non-standard CORS-safelisted request headers Accept, Accept-Language, and Content-Language](https://bugs.webkit.org/show_bug.cgi?id=165178)
+> - [Allow commas in Accept, Accept-Language, and Content-Language request headers for simple CORS](https://bugs.webkit.org/show_bug.cgi?id=165566)
+> - [Switch to a blacklist model for restricted Accept headers in simple CORS requests](https://bugs.webkit.org/show_bug.cgi?id=166363)
+>
+> No other browsers implement these extra restrictions, because they're not part of the spec.
+
+For example, suppose web content at `https://foo.example` wishes to invoke content on domain `https://bar.other`. Code of this sort might be used in JavaScript deployed on `foo.example`:
+
+```js
+const xhr = new XMLHttpRequest();
 const url = 'https://bar.other/resources/public-data/';
 
 xhr.open('GET', url);
 xhr.onreadystatechange = someHandler;
 xhr.send();
-

+```
 
-
This performs a simple exchange between the client and the server, using CORS headers to handle the privileges:

+This performs a simple exchange between the client and the server, using CORS headers to handle the privileges:
 
-

+![](simple-req-updated.png)
 
-
Let's look at what the browser will send to the server in this case, and let's see how the server responds:

+Let's look at what the browser will send to the server in this case, and let's see how the server responds:
 
-
GET /resources/public-data/ HTTP/1.1
-Host: bar.other
-User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-Accept-Language: en-us,en;q=0.5
-Accept-Encoding: gzip,deflate
-Connection: keep-alive
-Origin: https://foo.example
-

+    GET /resources/public-data/ HTTP/1.1
+    Host: bar.other
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
+    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+    Accept-Language: en-us,en;q=0.5
+    Accept-Encoding: gzip,deflate
+    Connection: keep-alive
+    Origin: https://foo.example
 
-
The request header of note is {{HTTPHeader("Origin")}}, which shows that the invocation is coming from https://foo.example.

+The request header of note is {{HTTPHeader("Origin")}}, which shows that the invocation is coming from `https://foo.example`.
 
-
HTTP/1.1 200 OK
-Date: Mon, 01 Dec 2008 00:23:53 GMT
-Server: Apache/2
-Access-Control-Allow-Origin: *
-Keep-Alive: timeout=2, max=100
-Connection: Keep-Alive
-Transfer-Encoding: chunked
-Content-Type: application/xml
+    HTTP/1.1 200 OK
+    Date: Mon, 01 Dec 2008 00:23:53 GMT
+    Server: Apache/2
+    Access-Control-Allow-Origin: *
+    Keep-Alive: timeout=2, max=100
+    Connection: Keep-Alive
+    Transfer-Encoding: chunked
+    Content-Type: application/xml
 
-[…XML Data…]

+    […XML Data…]
 
-
In response, the server sends back an {{HTTPHeader("Access-Control-Allow-Origin")}} header with Access-Control-Allow-Origin: *, which means that the resource can be accessed by any origin.

+In response, the server sends back an {{HTTPHeader("Access-Control-Allow-Origin")}} header with `Access-Control-Allow-Origin: *`, which means that the resource can be accessed by **any** origin.
 
-
Access-Control-Allow-Origin: *

+```html
+Access-Control-Allow-Origin: *
+```
 
-
This pattern of the {{HTTPHeader("Origin")}} and {{HTTPHeader("Access-Control-Allow-Origin")}} headers is the simplest use of the access control protocol. If the resource owners at https://bar.other wished to restrict access to the resource to requests only from https://foo.example, (i.e no domain other than https://foo.example can access the resource in a cross-site manner) they would send:

+This pattern of the {{HTTPHeader("Origin")}} and {{HTTPHeader("Access-Control-Allow-Origin")}} headers is the simplest use of the access control protocol. If the resource owners at `https://bar.other` wished to restrict access to the resource to requests _only_ from `https://foo.example`, (i.e no domain other than `https://foo.example` can access the resource in a cross-site manner) they would send:
 
-
Access-Control-Allow-Origin: https://foo.example
-

+    Access-Control-Allow-Origin: https://foo.example
 
-

-  
Note: When responding to a credentialed requests request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the "*" wildcard.

-

+> **Note:** When responding to a [credentialed requests](#requests_with_credentials) request, the server **must** specify an origin in the value of the `Access-Control-Allow-Origin` header, instead of specifying the "`*`" wildcard.
 
-
Preflighted requests

+### Preflighted requests
 
-
Unlike simple requests , for "preflighted" requests the browser first sends an HTTP request using the {{HTTPMethod("OPTIONS")}} method to the resource on the other origin, in order to determine if the actual request is safe to send. Cross-site requests are preflighted like this since they may have implications to user data.

+Unlike [_simple requests_ ](#simple_requests), for "preflighted" requests the browser first sends an HTTP request using the {{HTTPMethod("OPTIONS")}} method to the resource on the other origin, in order to determine if the actual request is safe to send. Cross-site requests are preflighted like this since they may have implications to user data.
 
-
The following is an example of a request that will be preflighted:

+The following is an example of a request that will be preflighted:
 
-
const xhr = new XMLHttpRequest();
+```js
+const xhr = new XMLHttpRequest();
 xhr.open('POST', 'https://bar.other/resources/post-here/');
 xhr.setRequestHeader('X-PINGOTHER', 'pingpong');
 xhr.setRequestHeader('Content-Type', 'application/xml');
 xhr.onreadystatechange = handler;
-xhr.send('<person><name>Arun</name></person>');
-

-
-
The example above creates an XML body to send with the POST request. Also, a non-standard HTTP X-PINGOTHER request header is set. Such headers are not part of HTTP/1.1, but are generally useful to web applications. Since the request uses a Content-Type of application/xml, and since a custom header is set, this request is preflighted.

-
-

+xhr.send('Arun');
+```
+
+The example above creates an XML body to send with the `POST` request. Also, a non-standard HTTP `X-PINGOTHER` request header is set. Such headers are not part of HTTP/1.1, but are generally useful to web applications. Since the request uses a `Content-Type` of `application/xml`, and since a custom header is set, this request is preflighted.
 
-

-  
Note: As described below, the actual POST request does not include the Access-Control-Request-* headers; they are needed only for the OPTIONS request.

-

+![](preflight_correct.png)
 
-
Let's look at the full exchange between client and server. The first exchange is the preflight request/response:

+> **Note:** As described below, the actual `POST` request does not include the `Access-Control-Request-*` headers; they are needed only for the `OPTIONS` request.
 
-
OPTIONS /doc HTTP/1.1
-Host: bar.other
-User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-Accept-Language: en-us,en;q=0.5
-Accept-Encoding: gzip,deflate
-Connection: keep-alive
-Origin: https://foo.example
-Access-Control-Request-Method: POST
-Access-Control-Request-Headers: X-PINGOTHER, Content-Type
+Let's look at the full exchange between client and server. The first exchange is the _preflight request/response_:
 
-HTTP/1.1 204 No Content
-Date: Mon, 01 Dec 2008 01:15:39 GMT
-Server: Apache/2
-Access-Control-Allow-Origin: https://foo.example
-Access-Control-Allow-Methods: POST, GET, OPTIONS
-Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
-Access-Control-Max-Age: 86400
-Vary: Accept-Encoding, Origin
-Keep-Alive: timeout=2, max=100
-Connection: Keep-Alive
-

+    OPTIONS /doc HTTP/1.1
+    Host: bar.other
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
+    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+    Accept-Language: en-us,en;q=0.5
+    Accept-Encoding: gzip,deflate
+    Connection: keep-alive
+    Origin: https://foo.example
+    Access-Control-Request-Method: POST
+    Access-Control-Request-Headers: X-PINGOTHER, Content-Type
 
-
Lines 1 - 10 above represent the preflight request with the {{HTTPMethod("OPTIONS")}} method. The browser determines that it needs to send this based on the request parameters that the JavaScript code snippet above was using, so that the server can respond whether it is acceptable to send the request with the actual request parameters. OPTIONS is an HTTP/1.1 method that is used to determine further information from servers, and is a {{Glossary("Safe/HTTP", "safe")}} method, meaning that it can't be used to change the resource. Note that along with the OPTIONS request, two other request headers are sent (lines 9 and 10 respectively):

+    HTTP/1.1 204 No Content
+    Date: Mon, 01 Dec 2008 01:15:39 GMT
+    Server: Apache/2
+    Access-Control-Allow-Origin: https://foo.example
+    Access-Control-Allow-Methods: POST, GET, OPTIONS
+    Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
+    Access-Control-Max-Age: 86400
+    Vary: Accept-Encoding, Origin
+    Keep-Alive: timeout=2, max=100
+    Connection: Keep-Alive
 
-
Access-Control-Request-Method: POST
-Access-Control-Request-Headers: X-PINGOTHER, Content-Type
-

+Lines 1 - 10 above represent the preflight request with the {{HTTPMethod("OPTIONS")}} method. The browser determines that it needs to send this based on the request parameters that the JavaScript code snippet above was using, so that the server can respond whether it is acceptable to send the request with the actual request parameters. OPTIONS is an HTTP/1.1 method that is used to determine further information from servers, and is a {{Glossary("Safe/HTTP", "safe")}} method, meaning that it can't be used to change the resource. Note that along with the OPTIONS request, two other request headers are sent (lines 9 and 10 respectively):
 
-
The {{HTTPHeader("Access-Control-Request-Method")}} header notifies the server as part of a preflight request that when the actual request is sent, it will be sent with a POST request method. The {{HTTPHeader("Access-Control-Request-Headers")}} header notifies the server that when the actual request is sent, it will be sent with a X-PINGOTHER and Content-Type custom headers. The server now has an opportunity to determine whether it wishes to accept a request under these circumstances.

+    Access-Control-Request-Method: POST
+    Access-Control-Request-Headers: X-PINGOTHER, Content-Type
 
-
Lines 13 - 22 above are the response that the server sends back, which indicate that the request method (POST) and request headers (X-PINGOTHER) are acceptable. In particular, let's look at lines 16-19:

+The {{HTTPHeader("Access-Control-Request-Method")}} header notifies the server as part of a preflight request that when the actual request is sent, it will be sent with a `POST` request method. The {{HTTPHeader("Access-Control-Request-Headers")}} header notifies the server that when the actual request is sent, it will be sent with a `X-PINGOTHER` and `Content-Type` custom headers. The server now has an opportunity to determine whether it wishes to accept a request under these circumstances.
 
-
Access-Control-Allow-Origin: https://foo.example
-Access-Control-Allow-Methods: POST, GET, OPTIONS
-Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
-Access-Control-Max-Age: 86400

+Lines 13 - 22 above are the response that the server sends back, which indicate that the request method (`POST`) and request headers (`X-PINGOTHER`) are acceptable. In particular, let's look at lines 16-19:
 
-
The server responds with Access-Control-Allow-Origin: https://foo.example, restricting access to just the requesting origin domain. It also responds with Access-Control-Allow-Methods, which says that POST and GET are viable methods to query the resource in question (this header is similar to the {{HTTPHeader("Allow")}} response header, but used strictly within the context of access control).

+    Access-Control-Allow-Origin: https://foo.example
+    Access-Control-Allow-Methods: POST, GET, OPTIONS
+    Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
+    Access-Control-Max-Age: 86400
 
-
The server also sends Access-Control-Allow-Headers with a value of "X-PINGOTHER, Content-Type", confirming that these are permitted headers to be used with the actual request. Like Access-Control-Allow-Methods, Access-Control-Allow-Headers is a comma separated list of acceptable headers.

+The server responds with `Access-Control-Allow-Origin: https://foo.example`, restricting access to just the requesting origin domain. It also responds with `Access-Control-Allow-Methods`, which says that `POST` and `GET` are viable methods to query the resource in question (this header is similar to the {{HTTPHeader("Allow")}} response header, but used strictly within the context of access control).
 
-
Finally, {{HTTPHeader("Access-Control-Max-Age")}} gives the value in seconds for how long the response to the preflight request can be cached for without sending another preflight request. In this case, 86400 seconds is 24 hours. Note that each browser has a maximum internal value that takes precedence when the Access-Control-Max-Age is greater.

+The server also sends `Access-Control-Allow-Headers` with a value of "`X-PINGOTHER, Content-Type`", confirming that these are permitted headers to be used with the actual request. Like `Access-Control-Allow-Methods`, `Access-Control-Allow-Headers` is a comma separated list of acceptable headers.
 
-
Once the preflight request is complete, the real request is sent:

+Finally, {{HTTPHeader("Access-Control-Max-Age")}} gives the value in seconds for how long the response to the preflight request can be cached for without sending another preflight request. In this case, 86400 seconds is 24 hours. Note that each browser has a [maximum internal value](/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age) that takes precedence when the `Access-Control-Max-Age` is greater.
 
-
POST /doc HTTP/1.1
-Host: bar.other
-User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-Accept-Language: en-us,en;q=0.5
-Accept-Encoding: gzip,deflate
-Connection: keep-alive
-X-PINGOTHER: pingpong
-Content-Type: text/xml; charset=UTF-8
-Referer: https://foo.example/examples/preflightInvocation.html
-Content-Length: 55
-Origin: https://foo.example
-Pragma: no-cache
-Cache-Control: no-cache
+Once the preflight request is complete, the real request is sent:
 
-<person><name>Arun</name></person>
+    POST /doc HTTP/1.1
+    Host: bar.other
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
+    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+    Accept-Language: en-us,en;q=0.5
+    Accept-Encoding: gzip,deflate
+    Connection: keep-alive
+    X-PINGOTHER: pingpong
+    Content-Type: text/xml; charset=UTF-8
+    Referer: https://foo.example/examples/preflightInvocation.html
+    Content-Length: 55
+    Origin: https://foo.example
+    Pragma: no-cache
+    Cache-Control: no-cache
 
-HTTP/1.1 200 OK
-Date: Mon, 01 Dec 2008 01:15:40 GMT
-Server: Apache/2
-Access-Control-Allow-Origin: https://foo.example
-Vary: Accept-Encoding, Origin
-Content-Encoding: gzip
-Content-Length: 235
-Keep-Alive: timeout=2, max=99
-Connection: Keep-Alive
-Content-Type: text/plain
+    Arun
 
-[Some XML payload]
-

+    HTTP/1.1 200 OK
+    Date: Mon, 01 Dec 2008 01:15:40 GMT
+    Server: Apache/2
+    Access-Control-Allow-Origin: https://foo.example
+    Vary: Accept-Encoding, Origin
+    Content-Encoding: gzip
+    Content-Length: 235
+    Keep-Alive: timeout=2, max=99
+    Connection: Keep-Alive
+    Content-Type: text/plain
 
-
Preflighted requests and redirects

+    [Some XML payload]
 
-
Not all browsers currently support following redirects after a preflighted request. If a redirect occurs after a preflighted request, some browsers currently will report an error message such as the following.

+#### Preflighted requests and redirects
 
-

-
The request was redirected to 'https://example.com/foo', which is disallowed for cross-origin requests that require preflight

-

+Not all browsers currently support following redirects after a preflighted request. If a redirect occurs after a preflighted request, some browsers currently will report an error message such as the following.
 
-

-
Request requires preflight, which is disallowed to follow cross-origin redirect

-

+> The request was redirected to 'https\://example.com/foo', which is disallowed for cross-origin requests that require preflight
 
-
The CORS protocol originally required that behavior but was subsequently changed to no longer require it. However, not all browsers have implemented the change, and so still exhibit the behavior that was originally required.

+> Request requires preflight, which is disallowed to follow cross-origin redirect
 
-
Until browsers catch up with the spec, you may be able to work around this limitation by doing one or both of the following:

+The CORS protocol originally required that behavior but [was subsequently changed to no longer require it](https://github.com/whatwg/fetch/commit/0d9a4db8bc02251cc9e391543bb3c1322fb882f2). However, not all browsers have implemented the change, and so still exhibit the behavior that was originally required.
 
-
    
- 
  • Change the server-side behavior to avoid the preflight and/or to avoid the redirect
    • 
- 
  • Change the request such that it is a simple request that doesn’t cause a preflight
    • 
-

+Until browsers catch up with the spec, you may be able to work around this limitation by doing one or both of the following:
 
-
If that's not possible, then another way is to:

+- Change the server-side behavior to avoid the preflight and/or to avoid the redirect
+- Change the request such that it is a [simple request](#simple_requests) that doesn’t cause a preflight
 
-
    
- 
  1. Make a simple request (using {{domxref("Response.url")}} for the Fetch API, or {{domxref("XMLHttpRequest.responseURL")}}) to determine what URL the real preflighted request would end up at.
    2. 
- 
  2. Make another request (the real request) using the URL you obtained from Response.url or XMLHttpRequest.responseURL in the first step.
    3. 
-

+If that's not possible, then another way is to:
 
-
However, if the request is one that triggers a preflight due to the presence of the Authorization header in the request, you won't be able to work around the limitation using the steps above. And you won't be able to work around it at all unless you have control over the server the request is being made to.

+1.  Make a [simple request](#simple_requests) (using {{domxref("Response.url")}} for the Fetch API, or {{domxref("XMLHttpRequest.responseURL")}}) to determine what URL the real preflighted request would end up at.
+2.  Make another request (the _real_ request) using the URL you obtained from `Response.url` or `XMLHttpRequest.responseURL` in the first step.
 
-
Requests with credentials

+However, if the request is one that triggers a preflight due to the presence of the `Authorization` header in the request, you won't be able to work around the limitation using the steps above. And you won't be able to work around it at all unless you have control over the server the request is being made to.
 
-

-  
Note: When making credentialed requests to a different domain, third-party cookie policies will still apply. The policy is always enforced independent of any setup on the server and the client, as described in this chapter.

-

+### Requests with credentials
 
-
The most interesting capability exposed by both {{domxref("XMLHttpRequest")}} or Fetch and CORS is the ability to make "credentialed" requests that are aware of HTTP cookies and HTTP Authentication information. By default, in cross-site XMLHttpRequest or Fetch invocations, browsers will not send credentials. A specific flag has to be set on the XMLHttpRequest object or the {{domxref("Request")}} constructor when it is invoked.

+> **Note:** When making credentialed requests to a different domain, third-party cookie policies will still apply. The policy is always enforced independent of any setup on the server and the client, as described in this chapter.
 
-
In this example, content originally loaded from https://foo.example makes a simple GET request to a resource on https://bar.other which sets Cookies. Content on foo.example might contain JavaScript like this:

+The most interesting capability exposed by both {{domxref("XMLHttpRequest")}} or [Fetch](/en-US/docs/Web/API/Fetch_API) and CORS is the ability to make "credentialed" requests that are aware of [HTTP cookies](/en-US/docs/Web/HTTP/Cookies) and HTTP Authentication information. By default, in cross-site `XMLHttpRequest` or [Fetch](/en-US/docs/Web/API/Fetch_API) invocations, browsers will **not** send credentials. A specific flag has to be set on the `XMLHttpRequest` object or the {{domxref("Request")}} constructor when it is invoked.
 
-
const invocation = new XMLHttpRequest();
+In this example, content originally loaded from `https://foo.example` makes a simple GET request to a resource on `https://bar.other` which sets Cookies. Content on foo.example might contain JavaScript like this:
+
+```js
+const invocation = new XMLHttpRequest();
 const url = 'https://bar.other/resources/credentialed-content/';
 
 function callOtherDomain() {
@@ -302,211 +279,183 @@ function callOtherDomain() {
     invocation.onreadystatechange = handler;
     invocation.send();
   }
-}

+}
+```
+
+Line 7 shows the flag on {{domxref("XMLHttpRequest")}} that has to be set in order to make the invocation with Cookies, namely the `withCredentials` boolean value. By default, the invocation is made without Cookies. Since this is a simple `GET` request, it is not preflighted, but the browser will **reject** any response that does not have the {{HTTPHeader("Access-Control-Allow-Credentials")}}`: true` header, and **not** make the response available to the invoking web content.
 
-
Line 7 shows the flag on {{domxref("XMLHttpRequest")}} that has to be set in order to make the invocation with Cookies, namely the withCredentials boolean value. By default, the invocation is made without Cookies. Since this is a simple GET request, it is not preflighted, but the browser will reject any response that does not have the {{HTTPHeader("Access-Control-Allow-Credentials")}}: true header, and not make the response available to the invoking web content.

+![](cred-req-updated.png)
 
-

+Here is a sample exchange between client and server:
 
-
Here is a sample exchange between client and server:

+    GET /resources/credentialed-content/ HTTP/1.1
+    Host: bar.other
+    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
+    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+    Accept-Language: en-us,en;q=0.5
+    Accept-Encoding: gzip,deflate
+    Connection: keep-alive
+    Referer: https://foo.example/examples/credential.html
+    Origin: https://foo.example
+    Cookie: pageAccess=2
 
-
GET /resources/credentialed-content/ HTTP/1.1
-Host: bar.other
-User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-Accept-Language: en-us,en;q=0.5
-Accept-Encoding: gzip,deflate
-Connection: keep-alive
-Referer: https://foo.example/examples/credential.html
-Origin: https://foo.example
-Cookie: pageAccess=2
+    HTTP/1.1 200 OK
+    Date: Mon, 01 Dec 2008 01:34:52 GMT
+    Server: Apache/2
+    Access-Control-Allow-Origin: https://foo.example
+    Access-Control-Allow-Credentials: true
+    Cache-Control: no-cache
+    Pragma: no-cache
+    Set-Cookie: pageAccess=3; expires=Wed, 31-Dec-2008 01:34:53 GMT
+    Vary: Accept-Encoding, Origin
+    Content-Encoding: gzip
+    Content-Length: 106
+    Keep-Alive: timeout=2, max=100
+    Connection: Keep-Alive
+    Content-Type: text/plain
 
-HTTP/1.1 200 OK
-Date: Mon, 01 Dec 2008 01:34:52 GMT
-Server: Apache/2
-Access-Control-Allow-Origin: https://foo.example
-Access-Control-Allow-Credentials: true
-Cache-Control: no-cache
-Pragma: no-cache
-Set-Cookie: pageAccess=3; expires=Wed, 31-Dec-2008 01:34:53 GMT
-Vary: Accept-Encoding, Origin
-Content-Encoding: gzip
-Content-Length: 106
-Keep-Alive: timeout=2, max=100
-Connection: Keep-Alive
-Content-Type: text/plain
+    [text/plain payload]
 
-[text/plain payload]
-

+Although line 10 contains the Cookie destined for the content on `https://bar.other`, if bar.other did not respond with an {{HTTPHeader("Access-Control-Allow-Credentials")}}`: true` (line 17) the response would be ignored and not made available to web content.
 
-
Although line 10 contains the Cookie destined for the content on https://bar.other, if bar.other did not respond with an {{HTTPHeader("Access-Control-Allow-Credentials")}}: true (line 17) the response would be ignored and not made available to web content.

+#### Preflight requests and credentials
 
-
Preflight requests and credentials

+CORS-preflight requests must never include credentials. The _response_ to a preflight request must specify `Access-Control-Allow-Credentials: true` to indicate that the actual request can be made with credentials.
 
-
CORS-preflight requests must never include credentials. The response to a preflight request must specify Access-Control-Allow-Credentials: true to indicate that the actual request can be made with credentials.

+> **Note:** Some enterprise authentication services require TLS client certificates be sent in preflight requests, in contravention of the {{SpecName("Fetch","#cors-protocol-and-credentials")}} specification.
+>
+> Firefox 87 allows this non-compliant behavior to be enabled by setting the preference: `network.cors_preflight.allow_client_cert` to `true` ({{bug(1511151)}}). Chromium-based browsers currently always send TLS client certificates in CORS preflight requests ([Chrome bug 775438](https://bugs.chromium.org/p/chromium/issues/detail?id=775438)).
 
-

-  
Note: Some enterprise authentication services require TLS client certificates be sent in preflight requests, in contravention of the {{SpecName("Fetch","#cors-protocol-and-credentials")}} specification.

-  
Firefox 87 allows this non-compliant behavior to be enabled by setting the preference: network.cors_preflight.allow_client_cert to true ({{bug(1511151)}}). Chromium-based browsers currently always send TLS client certificates in CORS preflight requests (Chrome bug 775438).

-

+#### Credentialed requests and wildcards
 
-
Credentialed requests and wildcards

+When responding to a credentialed request, the server **must** specify an origin in the value of the `Access-Control-Allow-Origin` header, instead of specifying the "`*`" wildcard.
 
-
When responding to a credentialed request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the "*" wildcard.

+Because the request headers in the above example include a `Cookie` header, the request would fail if the value of the `Access-Control-Allow-Origin` header was "\*". But it does not fail: Because the value of the `Access-Control-Allow-Origin` header is "`https://foo.example`" (an actual origin) rather than the "`*`" wildcard, the credential-cognizant content is returned to the invoking web content.
 
-
Because the request headers in the above example include a Cookie header, the request would fail if the value of the Access-Control-Allow-Origin header was "*". But it does not fail: Because the value of the Access-Control-Allow-Origin header is "https://foo.example" (an actual origin) rather than the "*" wildcard, the credential-cognizant content is returned to the invoking web content.

+Note that the `Set-Cookie` response header in the example above also sets a further cookie. In case of failure, an exception—depending on the API used—is raised.
 
-
Note that the Set-Cookie response header in the example above also sets a further cookie. In case of failure, an exception—depending on the API used—is raised.

+#### Third-party cookies
 
-
Third-party cookies

+Note that cookies set in CORS responses are subject to normal third-party cookie policies. In the example above, the page is loaded from `foo.example`, but the cookie on line 20 is sent by `bar.other`, and would thus not be saved if the user has configured their browser to reject all third-party cookies.
 
-
Note that cookies set in CORS responses are subject to normal third-party cookie policies. In the example above, the page is loaded from foo.example, but the cookie on line 20 is sent by bar.other, and would thus not be saved if the user has configured their browser to reject all third-party cookies.

+Cookie in the request (line 10) may also be suppressed in normal third-party cookie policies. The enforced cookie policy may therefore nullify the capability described in this chapter, effectively prevents you from making credentialed requests whatsoever.
 
-
Cookie in the request (line 10) may also be suppressed in normal third-party cookie policies. The enforced cookie policy may therefore nullify the capability described in this chapter, effectively prevents you from making credentialed requests whatsoever.

+Cookie policy around the [SameSite](/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) attribute would apply.
 
-
Cookie policy around the SameSite attribute would apply.

+## The HTTP response headers
 
-
The HTTP response headers

+This section lists the HTTP response headers that servers send back for access control requests as defined by the Cross-Origin Resource Sharing specification. The previous section gives an overview of these in action.
 
-
This section lists the HTTP response headers that servers send back for access control requests as defined by the Cross-Origin Resource Sharing specification. The previous section gives an overview of these in action.

+### Access-Control-Allow-Origin
 
-
Access-Control-Allow-Origin

+A returned resource may have one {{HTTPHeader("Access-Control-Allow-Origin")}} header, with the following syntax:
 
-
A returned resource may have one {{HTTPHeader("Access-Control-Allow-Origin")}} header, with the following syntax:

+    Access-Control-Allow-Origin:  | *
 
-
Access-Control-Allow-Origin: <origin> | *
-

+`Access-Control-Allow-Origin` specifies either a single origin, which tells browsers to allow that origin to access the resource; or else — for requests **without** credentials — the "`*`" wildcard, to tell browsers to allow any origin to access the resource.
 
-
Access-Control-Allow-Origin specifies either a single origin, which tells browsers to allow that origin to access the resource; or else — for requests without credentials — the "*" wildcard, to tell browsers to allow any origin to access the resource.

+For example, to allow code from the origin `https://mozilla.org` to access the resource, you can specify:
 
-
For example, to allow code from the origin https://mozilla.org to access the resource, you can specify:

+    Access-Control-Allow-Origin: https://mozilla.org
+    Vary: Origin
 
-
Access-Control-Allow-Origin: https://mozilla.org
-Vary: Origin

+If the server specifies a single origin (that may dynamically change based on the requesting origin as part of a allowlist) rather than the "`*`" wildcard, then the server should also include `Origin` in the {{HTTPHeader("Vary")}} response header — to indicate to clients that server responses will differ based on the value of the {{HTTPHeader("Origin")}} request header.
 
-
If the server specifies a single origin (that may dynamically change based on the requesting origin as part of a allowlist) rather than the "*" wildcard, then the server should also include Origin in the {{HTTPHeader("Vary")}} response header — to indicate to clients that server responses will differ based on the value of the {{HTTPHeader("Origin")}} request header.

+### Access-Control-Expose-Headers
 
-
Access-Control-Expose-Headers

+The {{HTTPHeader("Access-Control-Expose-Headers")}} header adds the specified headers to the allowlist that JavaScript (such as {{domxref("XMLHttpRequest.getResponseHeader()","getResponseHeader()")}}) in browsers is allowed to access.
 
-
The {{HTTPHeader("Access-Control-Expose-Headers")}} header adds the specified headers to the allowlist that JavaScript (such as {{domxref("XMLHttpRequest.getResponseHeader()","getResponseHeader()")}}) in browsers is allowed to access.

+    Access-Control-Expose-Headers: [, ]*
 
-
Access-Control-Expose-Headers: <header-name>[, <header-name>]*
-

+For example, the following:
 
-
For example, the following:

+    Access-Control-Expose-Headers: X-My-Custom-Header, X-Another-Custom-Header
 
-
Access-Control-Expose-Headers: X-My-Custom-Header, X-Another-Custom-Header
-

+…would allow the `X-My-Custom-Header` and `X-Another-Custom-Header` headers to be exposed to the browser.
 
-
…would allow the X-My-Custom-Header and X-Another-Custom-Header headers to be exposed to the browser.

+### Access-Control-Max-Age
 
-
Access-Control-Max-Age

+The {{HTTPHeader("Access-Control-Max-Age")}} header indicates how long the results of a preflight request can be cached. For an example of a preflight request, see the above examples.
 
-
The {{HTTPHeader("Access-Control-Max-Age")}} header indicates how long the results of a preflight request can be cached. For an example of a preflight request, see the above examples.

+    Access-Control-Max-Age: 
 
-
Access-Control-Max-Age: <delta-seconds>
-

+The `delta-seconds` parameter indicates the number of seconds the results can be cached.
 
-
The delta-seconds parameter indicates the number of seconds the results can be cached.

+### Access-Control-Allow-Credentials
 
-
Access-Control-Allow-Credentials

+The {{HTTPHeader("Access-Control-Allow-Credentials")}} header indicates whether or not the response to the request can be exposed when the `credentials` flag is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note that simple `GET` requests are not preflighted, and so if a request is made for a resource with credentials, if this header is not returned with the resource, the response is ignored by the browser and not returned to web content.
 
-
The {{HTTPHeader("Access-Control-Allow-Credentials")}} header indicates whether or not the response to the request can be exposed when the credentials flag is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note that simple GET requests are not preflighted, and so if a request is made for a resource with credentials, if this header is not returned with the resource, the response is ignored by the browser and not returned to web content.

+    Access-Control-Allow-Credentials: true
 
-
Access-Control-Allow-Credentials: true
-

+[Credentialed requests](#requests_with_credentials) are discussed above.
 
-
Credentialed requests are discussed above.

+### Access-Control-Allow-Methods
 
-
Access-Control-Allow-Methods

+The {{HTTPHeader("Access-Control-Allow-Methods")}} header specifies the method or methods allowed when accessing the resource. This is used in response to a preflight request. The conditions under which a request is preflighted are discussed above.
 
-
The {{HTTPHeader("Access-Control-Allow-Methods")}} header specifies the method or methods allowed when accessing the resource. This is used in response to a preflight request. The conditions under which a request is preflighted are discussed above.

+    Access-Control-Allow-Methods: [, ]*
 
-
Access-Control-Allow-Methods: <method>[, <method>]*
-

+An example of a {{Glossary("preflight request")}} is given above, including an example which sends this header to the browser.
 
-
An example of a {{Glossary("preflight request")}} is given above, including an example which sends this header to the browser.

+### Access-Control-Allow-Headers
 
-
Access-Control-Allow-Headers

+The {{HTTPHeader("Access-Control-Allow-Headers")}} header is used in response to a {{Glossary("preflight request")}} to indicate which HTTP headers can be used when making the actual request. This header is the server side response to the browser's {{HTTPHeader("Access-Control-Request-Headers")}} header.
 
-
The {{HTTPHeader("Access-Control-Allow-Headers")}} header is used in response to a {{Glossary("preflight request")}} to indicate which HTTP headers can be used when making the actual request. This header is the server side response to the browser's {{HTTPHeader("Access-Control-Request-Headers")}} header.

+    Access-Control-Allow-Headers: [, ]*
 
-
Access-Control-Allow-Headers: <header-name>[, <header-name>]*
-

+## The HTTP request headers
 
-
The HTTP request headers

+This section lists headers that clients may use when issuing HTTP requests in order to make use of the cross-origin sharing feature. Note that these headers are set for you when making invocations to servers. Developers using cross-site {{domxref("XMLHttpRequest")}} capability do not have to set any cross-origin sharing request headers programmatically.
 
-
This section lists headers that clients may use when issuing HTTP requests in order to make use of the cross-origin sharing feature. Note that these headers are set for you when making invocations to servers. Developers using cross-site {{domxref("XMLHttpRequest")}} capability do not have to set any cross-origin sharing request headers programmatically.

+### Origin
 
-
Origin

+The {{HTTPHeader("Origin")}} header indicates the origin of the cross-site access request or preflight request.
 
-
The {{HTTPHeader("Origin")}} header indicates the origin of the cross-site access request or preflight request.

+    Origin: 
 
-
Origin: <origin>
-

+The origin is a URL indicating the server from which the request initiated. It does not include any path information, but only the server name.
 
-
The origin is a URL indicating the server from which the request initiated. It does not include any path information, but only the server name.

+> **Note:** The `origin` value can be `null`.
 
-

-  
Note: The origin value can be null.

-

+Note that in any access control request, the {{HTTPHeader("Origin")}} header is **always** sent.
 
-
Note that in any access control request, the {{HTTPHeader("Origin")}} header is always sent.

+### Access-Control-Request-Method
 
-
Access-Control-Request-Method

+The {{HTTPHeader("Access-Control-Request-Method")}} is used when issuing a preflight request to let the server know what HTTP method will be used when the actual request is made.
 
-
The {{HTTPHeader("Access-Control-Request-Method")}} is used when issuing a preflight request to let the server know what HTTP method will be used when the actual request is made.

+    Access-Control-Request-Method: 
 
-
Access-Control-Request-Method: <method>
-

+Examples of this usage can be [found above.](#preflighted_requests)
 
-
Examples of this usage can be found above.

+### Access-Control-Request-Headers
 
-
Access-Control-Request-Headers

+The {{HTTPHeader("Access-Control-Request-Headers")}} header is used when issuing a preflight request to let the server know what HTTP headers will be used when the actual request is made (such as with {{domxref("XMLHttpRequest.setRequestHeader()","setRequestHeader()")}}). This browser side header will be answered by the complementary server side header of {{HTTPHeader("Access-Control-Allow-Headers")}}.
 
-
The {{HTTPHeader("Access-Control-Request-Headers")}} header is used when issuing a preflight request to let the server know what HTTP headers will be used when the actual request is made (such as with {{domxref("XMLHttpRequest.setRequestHeader()","setRequestHeader()")}}). This browser side header will be answered by the complementary server side header of {{HTTPHeader("Access-Control-Allow-Headers")}}.

+    Access-Control-Request-Headers: [, ]*
 
-
Access-Control-Request-Headers: <field-name>[, <field-name>]*
-

+Examples of this usage can be [found above](#preflighted_requests).
 
-
Examples of this usage can be found above.

+## Specifications
 
-
Specifications

+| Specification                                                    | Status                   | Comment                                                                          |
+| ---------------------------------------------------------------- | ------------------------ | -------------------------------------------------------------------------------- |
+| {{SpecName('Fetch', '#cors-protocol', 'CORS')}} | {{Spec2('Fetch')}} | New definition; supplants [W3C CORS](https://www.w3.org/TR/cors/) specification. |
 
-
- 
-  
-   
-   
-   
-  
-  
-   
-   
-   
-  
- 
-
SpecificationStatusComment
{{SpecName('Fetch', '#cors-protocol', 'CORS')}}{{Spec2('Fetch')}}New definition; supplants W3C CORS specification.

+## Browser compatibility
 
-
Browser compatibility

+{{Compat("http.headers.Access-Control-Allow-Origin")}}
 
-
{{Compat("http.headers.Access-Control-Allow-Origin")}}

+## See also
 
-
See also

+- [CORS errors](/en-US/docs/Web/HTTP/CORS/Errors)
+- [Enable CORS: I want to add CORS support to my server](https://enable-cors.org/server.html)
+- {{domxref("XMLHttpRequest")}}
+- [Fetch API](/en-US/docs/Web/API/Fetch_API)
+- [Will it CORS?](https://httptoolkit.tech/will-it-cors) - an interactive CORS explainer & generator
+- [Using CORS with All (Modern) Browsers](https://www.telerik.com/blogs/using-cors-with-all-modern-browsers)
+- [How to run Chrome browser without CORS](https://alfilatov.com/posts/run-chrome-without-cors/)
+- [Stack Overflow answer with “how to” info for dealing with common problems](https://stackoverflow.com/questions/43871637/no-access-control-allow-origin-header-is-present-on-the-requested-resource-whe/43881141#43881141):
 
-
+  - How to avoid the CORS preflight
+  - How to use a CORS proxy to get around _“No Access-Control-Allow-Origin header”_
+  - How to fix _“Access-Control-Allow-Origin header must not be the wildcard”_
diff --git a/files/en-us/web/http/cross-origin_resource_policy_(corp)/index.md b/files/en-us/web/http/cross-origin_resource_policy_(corp)/index.md
index 6587ba8d1ba5c56..4cc3f1d8d0fcda7 100644
--- a/files/en-us/web/http/cross-origin_resource_policy_(corp)/index.md
+++ b/files/en-us/web/http/cross-origin_resource_policy_(corp)/index.md
@@ -6,80 +6,59 @@ tags:
   - Reference
   - Security
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Cross-Origin Resource Policy is a policy set by the Cross-Origin-Resource-Policy HTTP header that lets web sites and applications opt in to protection against certain requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks, like Spectre, as well as Cross-Site Script Inclusion attacks.

+**Cross-Origin Resource Policy** is a policy set by the [`Cross-Origin-Resource-Policy` HTTP header](/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy) that lets web sites and applications opt in to protection against certain requests from other origins (such as those issued with elements like `
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Content-Security-Policy")}}
    • 
-  
  • {{HTMLElement("frame")}} and {{HTMLElement("iframe")}}
    • 
-  
  • {{domxref("Worker")}}, {{domxref("SharedWorker")}}, {{domxref("ServiceWorker")}}
-  
    • 
-

+- {{HTTPHeader("Content-Security-Policy")}}
+- {{HTMLElement("frame")}} and {{HTMLElement("iframe")}}
+- {{domxref("Worker")}}, {{domxref("SharedWorker")}}, {{domxref("ServiceWorker")}}
diff --git a/files/en-us/web/http/headers/content-security-policy/connect-src/index.md b/files/en-us/web/http/headers/content-security-policy/connect-src/index.md
index 3c360e686e525a4..73d70aee977242d 100644
--- a/files/en-us/web/http/headers/content-security-policy/connect-src/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/connect-src/index.md
@@ -12,25 +12,21 @@ tags:
   - source
 browser-compat: http.headers.csp.Content-Security-Policy.connect-src
 ---
-
{{HTTPSidebar}}

-
-
The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP)
-  connect-src directive restricts the URLs which can be
-  loaded using script interfaces. The APIs that are restricted are:

-
-
    
-  
  • {{HTMLElement("a")}} {{htmlattrxref("ping", "a")}},
    • 
-  
  • {{domxref("WindowOrWorkerGlobalScope.fetch")}},
    • 
-  
  • {{domxref("XMLHttpRequest")}},
    • 
-  
  • {{domxref("WebSocket")}},
    • 
-  
  • {{domxref("EventSource")}}, and
    • 
-  
  • {{domxref("Navigator.sendBeacon()")}}.
    • 
-

-
-

-  
Note: connect-src 'self' does not resolve to websocket
-    schemas in all browsers, more info in this issue.

-

+{{HTTPSidebar}}
+
+The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP)
+**`connect-src`** directive restricts the URLs which can be
+loaded using script interfaces. The APIs that are restricted are:
+
+- {{HTMLElement("a")}} {{htmlattrxref("ping", "a")}},
+- {{domxref("WindowOrWorkerGlobalScope.fetch")}},
+- {{domxref("XMLHttpRequest")}},
+- {{domxref("WebSocket")}},
+- {{domxref("EventSource")}}, and
+- {{domxref("Navigator.sendBeacon()")}}.
+
+> **Note:** `connect-src 'self'` does not resolve to websocket
+> schemas in all browsers, more info in this [issue](https://github.com/w3c/webappsec-csp/issues/7).
 
 
@@ -44,38 +40,44 @@ browser-compat: http.headers.csp.Content-Security-Policy.connect-src
     
-      
+      

   
     

       {{CSP("default-src")}} fallbackYes. If this directive is absent, the user agent will look for the
-        default-src directive.
+        Yes. If this directive is absent, the user agent will look for the
+        default-src directive.
+      
     

   
 

 
-
Syntax

+## Syntax
 
-
One or more sources can be allowed for the connect-src policy:

+One or more sources can be allowed for the connect-src policy:
 
-
Content-Security-Policy: connect-src <source>;
-Content-Security-Policy: connect-src <source> <source>;
-

+```html
+Content-Security-Policy: connect-src ;
+Content-Security-Policy: connect-src  ;
+```
 
-
Sources

+### Sources
 
-
{{page("/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src",
-  "common_sources")}}

+{{page("/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src",
+  "common_sources")}}
 
-
Examples

+## Examples
 
-
Violation cases

+### Violation cases
 
-
Given this CSP header:

+Given this CSP header:
 
-
Content-Security-Policy: connect-src https://example.com/

+```bash
+Content-Security-Policy: connect-src https://example.com/
+```
 
-
The following connections are blocked and won't load:

+The following connections are blocked and won't load:
 
-
<a ping="https://not-example.com">
+```html
+
 
-<script>
+
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
Compatibility notes

+## Compatibility notes
 
-
    
-  
  • Prior to Firefox 23, xhr-src was used in place of the
-    connect-src directive and only restricted the use of
-    {{domxref("XMLHttpRequest")}}.
    • 
-

+- Prior to Firefox 23, `xhr-src` was used in place of the
+  `connect-src` directive and only restricted the use of
+  {{domxref("XMLHttpRequest")}}.
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Content-Security-Policy")}}
    • 
-  
  • {{HTMLElement("a")}} {{htmlattrxref("ping", "a")}}
    • 
-  
  • {{domxref("WindowOrWorkerGlobalScope.fetch")}}
    • 
-  
  • {{domxref("XMLHttpRequest")}}
    • 
-  
  • {{domxref("WebSocket")}}
    • 
-  
  • {{domxref("EventSource")}}
    • 
-

+- {{HTTPHeader("Content-Security-Policy")}}
+- {{HTMLElement("a")}} {{htmlattrxref("ping", "a")}}
+- {{domxref("WindowOrWorkerGlobalScope.fetch")}}
+- {{domxref("XMLHttpRequest")}}
+- {{domxref("WebSocket")}}
+- {{domxref("EventSource")}}
diff --git a/files/en-us/web/http/headers/content-security-policy/default-src/index.md b/files/en-us/web/http/headers/content-security-policy/default-src/index.md
index 3e55e196835ed25..5fe31de924def41 100644
--- a/files/en-us/web/http/headers/content-security-policy/default-src/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/default-src/index.md
@@ -13,119 +13,109 @@ tags:
   - source
 browser-compat: http.headers.csp.Content-Security-Policy.default-src
 ---
-
{{HTTPSidebar}}

-
-
The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) default-src directive serves as a fallback for the other CSP {{Glossary("fetch directive", "fetch directives")}}. For each of the following directives that are absent, the user agent looks for the default-src directive and uses this value for it:

-
-
    
- 
  • {{CSP("child-src")}}
    • 
- 
  • {{CSP("connect-src")}}
    • 
- 
  • {{CSP("font-src")}}
    • 
- 
  • {{CSP("frame-src")}}
    • 
- 
  • {{CSP("img-src")}}
    • 
- 
  • {{CSP("manifest-src")}}
    • 
- 
  • {{CSP("media-src")}}
    • 
- 
  • {{CSP("object-src")}}
    • 
- 
  • {{CSP("prefetch-src")}}
    • 
- 
  • {{CSP("script-src")}}
    • 
- 
  • {{CSP("script-src-elem")}}
    • 
- 
  • {{CSP("script-src-attr")}}
    • 
- 
  • {{CSP("style-src")}}
    • 
- 
  • {{CSP("style-src-elem")}}
    • 
- 
  • {{CSP("style-src-attr")}}
    • 
- 
  • {{CSP("worker-src")}}
    • 
-

+{{HTTPSidebar}}
+
+The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`default-src`** directive serves as a fallback for the other CSP {{Glossary("fetch directive", "fetch directives")}}. For each of the following directives that are absent, the user agent looks for the `default-src` directive and uses this value for it:
+
+- {{CSP("child-src")}}
+- {{CSP("connect-src")}}
+- {{CSP("font-src")}}
+- {{CSP("frame-src")}}
+- {{CSP("img-src")}}
+- {{CSP("manifest-src")}}
+- {{CSP("media-src")}}
+- {{CSP("object-src")}}
+- {{CSP("prefetch-src")}}
+- {{CSP("script-src")}}
+- {{CSP("script-src-elem")}}
+- {{CSP("script-src-attr")}}
+- {{CSP("style-src")}}
+- {{CSP("style-src-elem")}}
+- {{CSP("style-src-attr")}}
+- {{CSP("worker-src")}}
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
CSP version1
Directive type{{Glossary("Fetch directive")}}
CSP version1
Directive type{{Glossary("Fetch directive")}}

 

 
-
Syntax

+## Syntax
 
-
One or more sources can be allowed for the default-src policy:

+One or more sources can be allowed for the `default-src` policy:
 
-
Content-Security-Policy: default-src <source>;
-Content-Security-Policy: default-src <source> <source>;
-

+```html
+Content-Security-Policy: default-src ;
+Content-Security-Policy: default-src  ;
+```
 
-
Sources

+### Sources
 
-
<source> can be one of the following:

+\ can be one of the following:
 
-

-  
<host-source>

-  
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.

-    Examples:
-    
    
-      
  • http://*.example.com: Matches all attempts to load from any subdomain of example.com using the http: URL scheme.
    • 
-      
  • mail.example.com:443: Matches all attempts to access port 443 on mail.example.com.
    • 
-      
  • https://store.example.com: Matches all attempts to access store.example.com using https:.
    • 
-      
  • *.example.com: Matches all attempts to load from any subdomain of example.com using the current protocol.
    • 
-    

-  

-
-  
<scheme-source>

-  
A scheme such as http: or https:. The colon is required. Unlike other values below, single quotes shouldn't be used. You can also specify data schemes (not recommended).
-    
    
-      
  • data: Allows data: URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
    • 
-      
  • mediastream: Allows mediastream: URIs to be used as a content source.
    • 
-      
  • blob: Allows blob: URIs to be used as a content source.
    • 
-      
  • filesystem: Allows filesystem: URIs to be used as a content source.
    • 
-    

-  

+- ``
 
-  
'self'

-  
Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes. Some browsers specifically exclude blob and filesystem from source directives. Sites needing to allow these content types can specify them using the Data attribute.

+  - : Internet hosts by name or IP address, as well as an optional [URL scheme](/en-US/docs/Learn/Common_questions/What_is_a_URL) and/or port number. The site's address may include an optional leading wildcard (the asterisk character, `'*'`), and you may use a wildcard (again, `'*'`) as the port number, indicating that all legal ports are valid for the source.
+    Examples:
 
-  
'unsafe-eval'

-  
Allows the use of eval() and similar methods for creating code from strings. You must include the single quotes.

+    - `http://*.example.com`: Matches all attempts to load from any subdomain of example.com using the `http:` URL scheme.
+    - `mail.example.com:443`: Matches all attempts to access port 443 on mail.example.com.
+    - `https://store.example.com`: Matches all attempts to access store.example.com using `https:`.
+    - `*.example.com`: Matches all attempts to load from any subdomain of example.com using the current protocol.
 
-  
'unsafe-hashes'

-  
Allows enabling specific inline event handlers. If you only need to allow inline event handlers and not inline {{HTMLElement("script")}} elements or javascript: URLs, this is a safer method than using the unsafe-inline expression.

+- ``
 
-  
'unsafe-inline'

-  
Allows the use of inline resources, such as inline {{HTMLElement("script")}} elements, javascript: URLs, inline event handlers, and inline {{HTMLElement("style")}} elements. The single quotes are required.

+  - : A scheme such as `http:` or `https:`. The colon is required. Unlike other values below, single quotes shouldn't be used. You can also specify data schemes (not recommended).
 
-  
'none'

-  
Refers to the empty set; that is, no URLs match. The single quotes are required.

+    - `data:` Allows [`data:` URIs](/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs) to be used as a content source. _This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts._
+    - `mediastream:` Allows [`mediastream:` URIs](/en-US/docs/Web/API/Media_Streams_API) to be used as a content source.
+    - `blob:` Allows [`blob:` URIs](/en-US/docs/Web/API/Blob) to be used as a content source.
+    - `filesystem:` Allows [`filesystem:` URIs](/en-US/docs/Web/API/FileSystem) to be used as a content source.
 
-  
'nonce-<base64-value>'

-  
An allow-list for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial. See unsafe inline script for an example. Specifying nonce makes a modern browser ignore 'unsafe-inline' which could still be set for older browsers without nonce support.
-    

-      
Note: The CSP nonce source can only be applied to nonceable elements (e.g., as the {{HTMLElement("img")}} element has no nonce attribute, there is no way to associate it with this CSP source).

-    

-  

+- `'self'`
+  - : Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes. Some browsers specifically exclude `blob` and `filesystem` from source directives. Sites needing to allow these content types can specify them using the Data attribute.
+- `'unsafe-eval'`
+  - : Allows the use of `eval()` and similar methods for creating code from strings. You must include the single quotes.
+- `'unsafe-hashes'`
+  - : Allows enabling specific inline [event handlers](/en-US/docs/Web/Events/Event_handlers). If you only need to allow inline event handlers and not inline {{HTMLElement("script")}} elements or `javascript:` URLs, this is a safer method than using the `unsafe-inline` expression.
+- `'unsafe-inline'`
+  - : Allows the use of inline resources, such as inline {{HTMLElement("script")}} elements, `javascript:` URLs, inline event handlers, and inline {{HTMLElement("style")}} elements. The single quotes are required.
+- `'none'`
+  - : Refers to the empty set; that is, no URLs match. The single quotes are required.
+- `'nonce-'`
 
-  
'<hash-algorithm>-<base64-value>'

-  
A sha256, sha384 or sha512 hash of scripts or styles. The use of this source consists of two portions separated by a dash: the encryption algorithm used to create the hash and the base64-encoded hash of the script or style. When generating the hash, don't include the <script> or <style> tags and note that capitalization and whitespace matter, including leading or trailing whitespace. See unsafe inline script for an example. In CSP 2.0, this is applied only to inline scripts. CSP 3.0 allows it in the case of script-src for external scripts.

+  - : An allow-list for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource's policy is otherwise trivial. See [unsafe inline script](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) for an example. Specifying nonce makes a modern browser ignore `'unsafe-inline'` which could still be set for older browsers without nonce support.
 
-  
'strict-dynamic'

-  
The strict-dynamic source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any allow-list or source expressions such as 'self' or 'unsafe-inline' are ignored. See script-src for an example.

+    > **Note:** The CSP `nonce` source can only be applied to _nonceable_ elements (e.g., as the {{HTMLElement("img")}} element has no `nonce` attribute, there is no way to associate it with this CSP source).
 
-  
'report-sample'

-  
Requires a sample of the violating code to be included in the violation report.

-

+- `'-'`
+  - : A sha256, sha384 or sha512 hash of scripts or styles. The use of this source consists of two portions separated by a dash: the encryption algorithm used to create the hash and the base64-encoded hash of the script or style. When generating the hash, don't include the \
+```
 
-
However, scripts without integrity won't load anymore:

+However, scripts without integrity won't load anymore:
 
-
<script src="https://code.jquery.com/jquery-3.1.1.slim.js"></script>

+```html example-bad
+
+```
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Content-Security-Policy")}}
+- [Subresource Integrity](/en-US/docs/Web/Security/Subresource_Integrity)
diff --git a/files/en-us/web/http/headers/content-security-policy/require-trusted-types-for/index.md b/files/en-us/web/http/headers/content-security-policy/require-trusted-types-for/index.md
index 3e350a61448ddf8..e9cc53a5dfaa6a1 100644
--- a/files/en-us/web/http/headers/content-security-policy/require-trusted-types-for/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/require-trusted-types-for/index.md
@@ -8,59 +8,55 @@ tags:
   - Security
 browser-compat: http.headers.csp.Content-Security-Policy.require-trusted-types-for
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) require-trusted-types-for {{experimental_inline}} directive instructs user agents to control the data passed to DOM XSS sink functions, like {{DOMxRef("Element.innerHTML")}} setter.

+The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`require-trusted-types-for`** {{experimental_inline}} directive instructs user agents to control the data passed to DOM XSS sink functions, like {{DOMxRef("Element.innerHTML")}} setter.
 
-
When used, those functions only accept non-spoofable, typed values created by Trusted Type policies, and reject strings. Together with trusted-types directive, which guards creation of Trusted Type policies, this allows authors to define rules guarding writing values to the DOM and thus reducing the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review.

+When used, those functions only accept non-spoofable, typed values created by Trusted Type policies, and reject strings. Together with **[`trusted-types`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types)** directive, which guards creation of Trusted Type policies, this allows authors to define rules guarding writing values to the DOM and thus reducing the DOM XSS attack surface to small, isolated parts of the web application codebase, facilitating their monitoring and code review.
 
-
Syntax

+## Syntax
 
-
Content-Security-Policy: require-trusted-types-for 'script';
-

+    Content-Security-Policy: require-trusted-types-for 'script';
 
-

- 
'script'

- 
Disallows using strings with DOM XSS injection sink functions, and requires matching types created by Trusted Type policies.

-

+- `'script'`
+  - : Disallows using strings with DOM XSS injection sink functions, and requires matching types created by Trusted Type policies.
 
-
Examples

+## Examples
 
-
// Content-Security-Policy: require-trusted-types-for 'script'; trusted-types foo;
+```js
+// Content-Security-Policy: require-trusted-types-for 'script'; trusted-types foo;
 
-const attackerInput = '<svg onload="alert(/cross-site-scripting/)" />';
+const attackerInput = '';
 const el = document.createElement('div');
 
 if (typeof trustedTypes !== 'undefined') {
   // Create a policy that can create TrustedHTML values
   // after sanitizing the input strings with DOMPurify library.
   const sanitizer = trustedTypes.createPolicy('foo', {
-    createHTML: (input) => DOMPurify.sanitize(input)
+    createHTML: (input) => DOMPurify.sanitize(input)
   });
 
   el.innerHTML = sanitizer.createHTML(attackerInput);  // Puts the sanitized value into the DOM.
   el.innerHTML = attackerInput;                        // Rejects a string value; throws a TypeError.
 }
-

+```
 
-
Polyfill

+## Polyfill
 
-
A polyfill for Trusted Types is available on Github.

+A [polyfill for Trusted Types](https://github.com/w3c/webappsec-trusted-types#polyfill) is available on Github.
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Content-Security-Policy")}}
+- [Cross-Site Scripting (XSS)](/en-US/docs/Glossary/Cross-site_scripting)
+- [DOM XSS injection sinks covered by Trusted Types](https://w3c.github.io/webappsec-trusted-types/dist/spec/#injection-sinks)
+- [Prevent DOM-based cross-site scripting vulnerabilities with Trusted Types](https://web.dev/trusted-types)
+- Trusted Types with [DOMPurify](https://github.com/cure53/DOMPurify#what-about-dompurify-and-trusted-types) XSS sanitizer
diff --git a/files/en-us/web/http/headers/content-security-policy/sandbox/index.md b/files/en-us/web/http/headers/content-security-policy/sandbox/index.md
index 1b2555e75e35525..e7a303e80ccfc1c 100644
--- a/files/en-us/web/http/headers/content-security-policy/sandbox/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/sandbox/index.md
@@ -10,13 +10,13 @@ tags:
   - Security
 browser-compat: http.headers.csp.Content-Security-Policy.sandbox
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP)
-  sandbox directive enables a sandbox for the requested
-  resource similar to the {{HTMLElement("iframe")}} {{htmlattrxref("sandbox", "iframe")}}
-  attribute. It applies restrictions to a page's actions including preventing popups,
-  preventing the execution of plugins and scripts, and enforcing a same-origin policy.

+The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP)
+**`sandbox`** directive enables a sandbox for the requested
+resource similar to the {{HTMLElement("iframe")}} {{htmlattrxref("sandbox", "iframe")}}
+attribute. It applies restrictions to a page's actions including preventing popups,
+preventing the execution of plugins and scripts, and enforcing a same-origin policy.
 
 
@@ -29,80 +29,81 @@ browser-compat: http.headers.csp.Content-Security-Policy.sandbox
       
-      
+      

   
{{Glossary("Document directive")}}
     

     
This directive is not supported in the
-        {{HTMLElement("meta")}} element or by the
-        {{HTTPHeader("Content-Security-policy-Report-Only")}} header field.
+        This directive is not supported in the {{HTMLElement("meta")}}
+        element or by the
+        {{HTTPHeader("Content-Security-policy-Report-Only")}}
+        header field.
+      
     

   
 

 
-
Syntax

+## Syntax
 
-
Content-Security-Policy: sandbox;
-Content-Security-Policy: sandbox <value>;
-

+```html
+Content-Security-Policy: sandbox;
+Content-Security-Policy: sandbox ;
+```
 
-
where <value> can optionally be one of the following values:

+where `` can optionally be one of the following values:
 
-

-  
allow-downloads

-  
Allows for downloads after the user clicks a button or link.

-  
allow-downloads-without-user-activation {{experimental_inline}}

-  
Allows for downloads to occur without a gesture from the user.

-  
allow-forms

-  
Allows the page to submit forms. If this keyword is not used, this operation is not
-    allowed.

-  
allow-modals

-  
Allows the page to open modal windows.

-  
allow-orientation-lock

-  
Allows the page to disable the ability to lock the screen orientation.

-  
allow-pointer-lock

-  
Allows the page to use the Pointer Lock
-      API.

-  
allow-popups

-  
Allows popups (like from window.open, target="_blank",
-    showModalDialog). If this keyword is not used, that functionality will
-    silently fail.

-  
allow-popups-to-escape-sandbox

-  
Allows a sandboxed document to open new windows without forcing the sandboxing flags
+- `allow-downloads`
+  - : Allows for downloads after the user clicks a button or link.
+- `allow-downloads-without-user-activation` {{experimental_inline}}
+  - : Allows for downloads to occur without a gesture from the user.
+- `allow-forms`
+  - : Allows the page to submit forms. If this keyword is not used, this operation is not
+    allowed.
+- `allow-modals`
+  - : Allows the page to open modal windows.
+- `allow-orientation-lock`
+  - : Allows the page to disable the ability to lock the screen orientation.
+- `allow-pointer-lock`
+  - : Allows the page to use the [Pointer Lock
+    API](/en-US/docs/Web/API/Pointer_Lock_API).
+- `allow-popups`
+  - : Allows popups (like from `window.open`, `target="_blank"`,
+    `showModalDialog`). If this keyword is not used, that functionality will
+    silently fail.
+- `allow-popups-to-escape-sandbox`
+  - : Allows a sandboxed document to open new windows without forcing the sandboxing flags
     upon them. This will allow, for example, a third-party advertisement to be safely
-    sandboxed without forcing the same restrictions upon a landing page.

-  
allow-presentation

-  
Allows embedders to have control over whether an iframe can start a presentation
-    session.

-  
allow-same-origin

-  
Allows the content to be treated as being from its normal origin. If this keyword is
-    not used, the embedded content is treated as being from a unique origin.

-  
allow-scripts

-  
Allows the page to run scripts (but not create pop-up windows). If this keyword is
-    not used, this operation is not allowed.

-  
allow-storage-access-by-user-activation {{experimental_inline}}

-  
Lets the resource request access to the parent's storage capabilities with the Storage Access API.

-  
allow-top-navigation

-  
Allows the page to navigate (load) content to the top-level browsing context. If
-    this keyword is not used, this operation is not allowed.

-  
allow-top-navigation-by-user-activation

-  
Lets the resource navigate the top-level browsing context, but only if initiated by
-    a user gesture.

-

+    sandboxed without forcing the same restrictions upon a landing page.
+- `allow-presentation`
+  - : Allows embedders to have control over whether an iframe can start a presentation
+    session.
+- `allow-same-origin`
+  - : Allows the content to be treated as being from its normal origin. If this keyword is
+    not used, the embedded content is treated as being from a unique origin.
+- `allow-scripts`
+  - : Allows the page to run scripts (but not create pop-up windows). If this keyword is
+    not used, this operation is not allowed.
+- `allow-storage-access-by-user-activation` {{experimental_inline}}
+  - : Lets the resource request access to the parent's storage capabilities with the [Storage Access API](/en-US/docs/Web/API/Storage_Access_API).
+- `allow-top-navigation`
+  - : Allows the page to navigate (load) content to the top-level browsing context. If
+    this keyword is not used, this operation is not allowed.
+- `allow-top-navigation-by-user-activation`
+  - : Lets the resource navigate the top-level browsing context, but only if initiated by
+    a user gesture.
 
-
Examples

+## Examples
 
-
Content-Security-Policy: sandbox allow-scripts;

+```bash
+Content-Security-Policy: sandbox allow-scripts;
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Content-Security-Policy")}}
    • 
-  
  • {{htmlattrxref("sandbox", "iframe")}} attribute on {{HTMLElement("iframe")}}
-    elements
    • 
-

+- {{HTTPHeader("Content-Security-Policy")}}
+- {{htmlattrxref("sandbox", "iframe")}} attribute on {{HTMLElement("iframe")}}
+  elements
diff --git a/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md b/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md
index e42573072747e06..3ef35bcf560703a 100644
--- a/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md
@@ -14,13 +14,13 @@ tags:
   - source
 browser-compat: http.headers.csp.Content-Security-Policy.script-src-attr
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP)
-  script-src-attr directive specifies valid sources for
-  JavaScript inline event handlers. This includes only inline script event handlers like
-  onclick, but not URLs loaded directly into {{HTMLElement("script")}}
-  elements.

+The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP)
+**`script-src-attr`** directive specifies valid sources for
+JavaScript inline event handlers. This includes only inline script event handlers like
+`onclick`, but not URLs loaded directly into {{HTMLElement("script")}}
+elements.
 
 
@@ -34,104 +34,94 @@ browser-compat: http.headers.csp.Content-Security-Policy.script-src-attr
     
-      
+      

   
     

       {{CSP("default-src")}} fallbackYes. If this directive is absent, the user agent will look for
-        the {{CSP("script-src")}} directive, and if both of them are absent, fallback
-        to default-src directive.
+        Yes. If this directive is absent, the user agent will look for
+        the {{CSP("script-src")}} directive, and if both of them are
+        absent, fallback to default-src directive.
+      
     

   
 

 
-
Syntax

+## Syntax
 
-
One or more sources can be allowed for the script-src-attr policy:

+One or more sources can be allowed for the `script-src-attr` policy:
 
-
Content-Security-Policy: script-src-attr <source>;
-Content-Security-Policy: script-src-attr <source> <source>;
-

+```html
+Content-Security-Policy: script-src-attr ;
+Content-Security-Policy: script-src-attr  ;
+```
 
-
script-src-attr can be used in conjunction with {{CSP("script-src")}}:

+`script-src-attr` can be used in conjunction with {{CSP("script-src")}}:
 
-
Content-Security-Policy: script-src <source>;
-Content-Security-Policy: script-src-attr <source>;
-

+```html
+Content-Security-Policy: script-src ;
+Content-Security-Policy: script-src-attr ;
+```
 
-
Sources

+### Sources
 
-

-  
<host-source>

-  
Internet hosts by name or IP address, as well as an optional URL scheme and/or port number. The site's address may include an optional leading wildcard (the asterisk character, '*'), and you may use a wildcard (again, '*') as the port number, indicating that all legal ports are valid for the source.

-    Examples:
-    
    
-      
  • http://*.example.com: Matches all attempts to load from any subdomain of example.com using the http: URL scheme.
    • 
-      
  • mail.example.com:443: Matches all attempts to access port 443 on mail.example.com.
    • 
-      
  • https://store.example.com: Matches all attempts to access store.example.com using https:.
    • 
-      
  • *.example.com: Matches all attempts to load from any subdomain of example.com using the current protocol.
    • 
-    

-  

-
-  
<scheme-source>

-  
A scheme such as http: or https:. The colon is required. Unlike other values below, single quotes shouldn't be used. You can also specify data schemes (not recommended).
-    
    
-      
  • data: Allows data: URIs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts.
    • 
-      
  • mediastream: Allows mediastream: URIs to be used as a content source.
    • 
-      
  • blob: Allows blob: URIs to be used as a content source.
    • 
-      
  • filesystem: Allows filesystem: URIs to be used as a content source.
    • 
-    

-  

+- ``
 
-  
'self'

-  
Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes. Some browsers specifically exclude blob and filesystem from source directives. Sites needing to allow these content types can specify them using the Data attribute.

+  - : Internet hosts by name or IP address, as well as an optional [URL scheme](/en-US/docs/Learn/Common_questions/What_is_a_URL) and/or port number. The site's address may include an optional leading wildcard (the asterisk character, `'*'`), and you may use a wildcard (again, `'*'`) as the port number, indicating that all legal ports are valid for the source.
+    Examples:
 
-  
'unsafe-eval'

-  
Allows the use of eval() and similar methods for creating code from strings. You must include the single quotes.

+    - `http://*.example.com`: Matches all attempts to load from any subdomain of example.com using the `http:` URL scheme.
+    - `mail.example.com:443`: Matches all attempts to access port 443 on mail.example.com.
+    - `https://store.example.com`: Matches all attempts to access store.example.com using `https:`.
+    - `*.example.com`: Matches all attempts to load from any subdomain of example.com using the current protocol.
 
-  
'unsafe-hashes'

-  
Allows enabling specific inline event handlers. If you only need to allow inline event handlers and not inline {{HTMLElement("script")}} elements or javascript: URLs, this is a safer method than using the unsafe-inline expression.

+- ``
 
-  
'unsafe-inline'

-  
Allows the use of inline resources, such as inline {{HTMLElement("script")}} elements, javascript: URLs, and inline event handlers. The single quotes are required.

+  - : A scheme such as `http:` or `https:`. The colon is required. Unlike other values below, single quotes shouldn't be used. You can also specify data schemes (not recommended).
 
-  
'none'

-  
Refers to the empty set; that is, no URLs match. The single quotes are required.

+    - `data:` Allows [`data:` URIs](/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs) to be used as a content source. _This is insecure; an attacker can also inject arbitrary data: URIs. Use this sparingly and definitely not for scripts._
+    - `mediastream:` Allows [`mediastream:` URIs](/en-US/docs/Web/API/Media_Streams_API) to be used as a content source.
+    - `blob:` Allows [`blob:` URIs](/en-US/docs/Web/API/Blob) to be used as a content source.
+    - `filesystem:` Allows [`filesystem:` URIs](/en-US/docs/Web/API/FileSystem) to be used as a content source.
 
-  
'nonce-<base64-value>'

-  
An allow-list for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource^s policy is otherwise trivial. See unsafe inline script for an example. Specifying nonce makes a modern browser ignore 'unsafe-inline' which could still be set for older browsers without nonce support.
-    

-      
Note: The CSP nonce source can only be applied to nonceable elements (e.g., as the {{HTMLElement("img")}} element has no nonce attribute, there is no way to associate it with this CSP source).

-    

-  

+- `'self'`
+  - : Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes. Some browsers specifically exclude `blob` and `filesystem` from source directives. Sites needing to allow these content types can specify them using the Data attribute.
+- `'unsafe-eval'`
+  - : Allows the use of `eval()` and similar methods for creating code from strings. You must include the single quotes.
+- `'unsafe-hashes'`
+  - : Allows enabling specific inline [event handlers](/en-US/docs/Web/Events/Event_handlers). If you only need to allow inline event handlers and not inline {{HTMLElement("script")}} elements or `javascript:` URLs, this is a safer method than using the `unsafe-inline` expression.
+- `'unsafe-inline'`
+  - : Allows the use of inline resources, such as inline {{HTMLElement("script")}} elements, `javascript:` URLs, and inline event handlers. The single quotes are required.
+- `'none'`
+  - : Refers to the empty set; that is, no URLs match. The single quotes are required.
+- `'nonce-'`
 
-  
'<hash-algorithm>-<base64-value>'

-  
A sha256, sha384 or sha512 hash of scripts or styles. The use of this source consists of two portions separated by a dash: the encryption algorithm used to create the hash and the base64-encoded hash of the script or style. When generating the hash, don't include the <script> or <style> tags and note that capitalization and whitespace matter, including leading or trailing whitespace. See unsafe inline script for an example. In CSP 2.0, this is applied only to inline scripts. CSP 3.0 allows it in the case of script-src for external scripts.

+  - : An allow-list for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource^s policy is otherwise trivial. See [unsafe inline script](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script) for an example. Specifying nonce makes a modern browser ignore `'unsafe-inline'` which could still be set for older browsers without nonce support.
 
-  
'strict-dynamic'

-  
The strict-dynamic source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any allow-list or source expressions such as 'self' or 'unsafe-inline' are ignored. See script-src for an example.

+    > **Note:** The CSP `nonce` source can only be applied to _nonceable_ elements (e.g., as the {{HTMLElement("img")}} element has no `nonce` attribute, there is no way to associate it with this CSP source).
 
-  
'report-sample'

-  
Requires a sample of the violating code to be included in the violation report.

-

+- `'-'`
+  - : A sha256, sha384 or sha512 hash of scripts or styles. The use of this source consists of two portions separated by a dash: the encryption algorithm used to create the hash and the base64-encoded hash of the script or style. When generating the hash, don't include the \
+```
 
-
<script src="https://not-example.com/js/library.js"></script>

+Note that inline event handlers are blocked as well:
 
-
Note that inline event handlers are blocked as well:

+```html
+
+
+```
 
-
The request looks something like this (less interesting headers are omitted here):

+The request looks something like this (less interesting headers are omitted here):
 
-
POST /foo HTTP/1.1
-Content-Length: 68137
-Content-Type: multipart/form-data; boundary=---------------------------974767299852498929531610575
+    POST /foo HTTP/1.1
+    Content-Length: 68137
+    Content-Type: multipart/form-data; boundary=---------------------------974767299852498929531610575
 
------------------------------974767299852498929531610575
-Content-Disposition: form-data; name="description"
+    -----------------------------974767299852498929531610575
+    Content-Disposition: form-data; name="description"
 
-some text
------------------------------974767299852498929531610575
-Content-Disposition: form-data; name="myFile"; filename="foo.txt"
-Content-Type: text/plain
+    some text
+    -----------------------------974767299852498929531610575
+    Content-Disposition: form-data; name="myFile"; filename="foo.txt"
+    Content-Type: text/plain
 
-(content of the uploaded file foo.txt)
------------------------------974767299852498929531610575--
-

+    (content of the uploaded file foo.txt)
+    -----------------------------974767299852498929531610575--
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPHeader("Accept")}}
    • 
- 
  • {{HTTPHeader("Content-Disposition")}}
    • 
- 
  • {{HTTPStatus("206")}} Partial Content
    • 
- 
  • {{HTTPHeader("X-Content-Type-Options")}}
    • 
-

+- {{HTTPHeader("Accept")}}
+- {{HTTPHeader("Content-Disposition")}}
+- {{HTTPStatus("206")}} Partial Content
+- {{HTTPHeader("X-Content-Type-Options")}}
diff --git a/files/en-us/web/http/headers/cookie/index.md b/files/en-us/web/http/headers/cookie/index.md
index bedcc25e3282df7..9ead3f23b708f7f 100644
--- a/files/en-us/web/http/headers/cookie/index.md
+++ b/files/en-us/web/http/headers/cookie/index.md
@@ -9,51 +9,49 @@ tags:
   - request
 browser-compat: http.headers.Cookie
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Cookie HTTP request header contains stored HTTP cookies associated with the server (i.e. previously sent by the server with the {{HTTPHeader("Set-Cookie")}} header or set in Javascript using {{domxref("Document.cookie")}}).

+The **`Cookie`** HTTP request header contains stored [HTTP cookies](/en-US/docs/Web/HTTP/Cookies) associated with the server (i.e. previously sent by the server with the {{HTTPHeader("Set-Cookie")}} header or set in Javascript using {{domxref("Document.cookie")}}).
 
-
The Cookie header is optional and may be omitted if, for example, the browser's privacy settings block cookies.

+The `Cookie` header is optional and may be omitted if, for example, the browser's privacy settings block cookies.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}yes
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}yes

 

 
-
Syntax

+## Syntax
 
-
Cookie: <cookie-list>
+```html
+Cookie: 
 Cookie: name=value
-Cookie: name=value; name2=value2; name3=value3

+Cookie: name=value; name2=value2; name3=value3
+```
 
-

- 
<cookie-list>

- 
A list of name-value pairs in the form of <cookie-name>=<cookie-value>. Pairs in the list are separated by a semicolon and a space ('; ').

-

+- \
+  - : A list of name-value pairs in the form of `=`. Pairs in the list are separated by a semicolon and a space (`'; '`).
 
-
Examples

+## Examples
 
-
Cookie: PHPSESSID=298zf09hf012fh2; csrftoken=u32t4o3tb3gg43; _gat=1

+    Cookie: PHPSESSID=298zf09hf012fh2; csrftoken=u32t4o3tb3gg43; _gat=1
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPHeader("Set-Cookie")}}
    • 
- 
  • {{domxref("Document.cookie")}}
    • 
-

+- {{HTTPHeader("Set-Cookie")}}
+- {{domxref("Document.cookie")}}
diff --git a/files/en-us/web/http/headers/cookie2/index.md b/files/en-us/web/http/headers/cookie2/index.md
index 1cfaed7ccf079a8..1beaa08726f15ca 100644
--- a/files/en-us/web/http/headers/cookie2/index.md
+++ b/files/en-us/web/http/headers/cookie2/index.md
@@ -9,49 +9,38 @@ tags:
   - request
 browser-compat: http.headers.Cookie2
 ---
-
{{HTTPSidebar}} {{deprecated_header}}

+{{HTTPSidebar}} {{deprecated_header}}
 
-
The obsolete Cookie2 HTTP request header used to advise the server that the user agent understands "new-style" cookies, but nowadays user agents will use the {{HTTPHeader("Cookie")}} header instead, not this one.

+The obsolete **`Cookie2`** HTTP request header used to advise the server that the user agent understands "new-style" cookies, but nowadays user agents will use the {{HTTPHeader("Cookie")}} header instead, not this one.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}yes
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}yes

 

 
-
Examples

+## Examples
 
-
Cookie2: $Version="1"

+    Cookie2: $Version="1"
 
-
Specifications

+## Specifications
 
-
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
SpecificationTitle
{{RFC("2965", "Cookie2")}}Historic specification of HTTP State Management Mechanism, obsoleted by {{RFC("6265")}}

+| Specification                        | Title                                                                                        |
+| ------------------------------------ | -------------------------------------------------------------------------------------------- |
+| {{RFC("2965", "Cookie2")}} | Historic specification of HTTP State Management Mechanism, obsoleted by {{RFC("6265")}} |
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPHeader("Cookie")}}
    • 
- 
  • {{domxref("Document.cookie")}}
    • 
-

+- {{HTTPHeader("Cookie")}}
+- {{domxref("Document.cookie")}}
diff --git a/files/en-us/web/http/headers/cross-origin-embedder-policy/index.md b/files/en-us/web/http/headers/cross-origin-embedder-policy/index.md
index d6453568364406e..7c9511004889b16 100644
--- a/files/en-us/web/http/headers/cross-origin-embedder-policy/index.md
+++ b/files/en-us/web/http/headers/cross-origin-embedder-policy/index.md
@@ -9,74 +9,74 @@ tags:
   - header
 browser-compat: http.headers.Cross-Origin-Embedder-Policy
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP Cross-Origin-Embedder-Policy (COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using CORP or CORS).

+The HTTP **`Cross-Origin-Embedder-Policy`** (COEP) response header prevents a document from loading any cross-origin resources that don't explicitly grant the document permission (using [CORP]() or [CORS](/en-US/docs/Web/HTTP/CORS)).
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
Cross-Origin-Embedder-Policy: unsafe-none | require-corp
-

+```html
+Cross-Origin-Embedder-Policy: unsafe-none | require-corp
+```
 
-
Directives

+### Directives
 
-

- 
unsafe-none

- 
This is the default value. Allows the document to fetch cross-origin resources without giving explicit permission through the CORS protocol or the {{HTTPHeader("Cross-Origin-Resource-Policy")}} header.

- 
require-corp

- 
A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin.

- If a cross origin resource supports CORS, the crossorigin attribute or the {{HTTPHeader("Cross-Origin-Resource-Policy")}} header must be used to load it without being blocked by COEP.

-

+- `unsafe-none`
+  - : This is the default value. Allows the document to fetch cross-origin resources without giving explicit permission through the CORS protocol or the {{HTTPHeader("Cross-Origin-Resource-Policy")}} header.
+- `require-corp`
+  - : A document can only load resources from the same origin, or resources explicitly marked as loadable from another origin.
+    If a cross origin resource supports CORS, the [`crossorigin`](/en-US/docs/Web/HTML/Attributes/crossorigin) attribute or the {{HTTPHeader("Cross-Origin-Resource-Policy")}} header must be used to load it without being blocked by COEP.
 
-
Examples

+## Examples
 
-
Certain features depend on cross-origin isolation

+### Certain features depend on cross-origin isolation
 
-
You can only access certain features like {{jsxref("SharedArrayBuffer")}} objects or {{domxref("Performance.now()")}} with unthrottled timers, if your document has a COEP header with the value require-corp value set.

+You can only access certain features like {{jsxref("SharedArrayBuffer")}} objects or {{domxref("Performance.now()")}} with unthrottled timers, if your document has a COEP header with the value `require-corp` value set.
 
-
Cross-Origin-Embedder-Policy: require-corp
-Cross-Origin-Opener-Policy: same-origin
-

+    Cross-Origin-Embedder-Policy: require-corp
+    Cross-Origin-Opener-Policy: same-origin
 
-
See also the {{HTTPHeader("Cross-Origin-Opener-Policy")}} header which you'll need to set as well.

+See also the {{HTTPHeader("Cross-Origin-Opener-Policy")}} header which you'll need to set as well.
 
-
To check if cross origin isolation has been successful, you can test against the crossOriginIsolated property available to window and worker contexts:

+To check if cross origin isolation has been successful, you can test against the [`crossOriginIsolated`](/en-US/docs/Web/API/WindowOrWorkerGlobalScope/crossOriginIsolated) property available to window and worker contexts:
 
-
if (crossOriginIsolated) {
+```js
+if (crossOriginIsolated) {
   // Post SharedArrayBuffer
 } else {
   // Do something else
-}

+}
+```
 
-
Avoiding COEP blockage with CORS

+### Avoiding COEP blockage with CORS
 
-
If you enable COEP using require-corp and have a cross origin resource that needs to be loaded, it needs to support CORS and you need to explicitly mark the resource as loadable from another origin to avoid blockage from COEP. For example, you can use the crossorigin attribute for this image from a third-party site:

+If you enable COEP using `require-corp` and have a cross origin resource that needs to be loaded, it needs to support [CORS](/en-US/docs/Web/HTTP/CORS) and you need to explicitly mark the resource as loadable from another origin to avoid blockage from COEP. For example, you can use the [`crossorigin`](/en-US/docs/Web/HTML/Attributes/crossorigin) attribute for this image from a third-party site:
 
-
<img src="https://thirdparty.com/img.png" crossorigin>

+```html
+
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{httpheader("Cross-Origin-Opener-Policy")}}
    • 
-

+- {{httpheader("Cross-Origin-Opener-Policy")}}
diff --git a/files/en-us/web/http/headers/cross-origin-opener-policy/index.md b/files/en-us/web/http/headers/cross-origin-opener-policy/index.md
index 1d812e605b52f90..29146ecd5abd994 100644
--- a/files/en-us/web/http/headers/cross-origin-opener-policy/index.md
+++ b/files/en-us/web/http/headers/cross-origin-opener-policy/index.md
@@ -9,73 +9,71 @@ tags:
   - header
 browser-compat: http.headers.Cross-Origin-Opener-Policy
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP Cross-Origin-Opener-Policy (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.

+The HTTP **`Cross-Origin-Opener-Policy`** (COOP) response header allows you to ensure a top-level document does not share a browsing context group with cross-origin documents.
 
-
COOP will process-isolate your document and potential attackers can't access to your global object if they were opening it in a popup, preventing a set of cross-origin attacks dubbed XS-Leaks.

+COOP will process-isolate your document and potential attackers can't access to your global object if they were opening it in a popup, preventing a set of cross-origin attacks dubbed [XS-Leaks](https://github.com/xsleaks/xsleaks).
 
-
If a cross-origin document with COOP is opened in a new window, the opening document will not have a reference to it, and the window.opener property of the new window will be null. This allows you to have more control over references to a window than rel=noopener, which only affects outgoing navigations.

+If a cross-origin document with COOP is opened in a new window, the opening document will not have a reference to it, and the [`window.opener`](/en-US/docs/Web/API/Window/opener) property of the new window will be `null`. This allows you to have more control over references to a window than [`rel=noopener`](/en-US/docs/Web/HTML/Link_types/noopener), which only affects outgoing navigations.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
Cross-Origin-Opener-Policy: unsafe-none | same-origin-allow-popups | same-origin
-

+```html
+Cross-Origin-Opener-Policy: unsafe-none | same-origin-allow-popups | same-origin
+```
 
-
Directives

+### Directives
 
-

- 
unsafe-none

- 
This is the default value. Allows the document to be added to its opener's browsing context group unless the opener itself has a COOP of same-origin or same-origin-allow-popups.

- 
same-origin-allow-popups

- 
Retains references to newly opened windows or tabs which either don't set COOP or which opt out of isolation by setting a COOP of unsafe-none.

- 
same-origin

- 
Isolates the browsing context exclusively to same-origin documents. Cross-origin documents are not loaded in the same browsing context.

-

+- `unsafe-none`
+  - : This is the default value. Allows the document to be added to its opener's browsing context group unless the opener itself has a COOP of `same-origin` or `same-origin-allow-popups`.
+- `same-origin-allow-popups`
+  - : Retains references to newly opened windows or tabs which either don't set COOP or which opt out of isolation by setting a COOP of `unsafe-none`.
+- `same-origin`
+  - : Isolates the browsing context exclusively to same-origin documents. Cross-origin documents are not loaded in the same browsing context.
 
-
Examples

+## Examples
 
-
Certain features depend on cross-origin isolation

+### Certain features depend on cross-origin isolation
 
-
Certain features like {{jsxref("SharedArrayBuffer")}} objects or {{domxref("Performance.now()")}} with unthrottled timers are only available if your document has a COOP header with the value same-origin value set.

+Certain features like {{jsxref("SharedArrayBuffer")}} objects or {{domxref("Performance.now()")}} with unthrottled timers are only available if your document has a COOP header with the value `same-origin` value set.
 
-
Cross-Origin-Opener-Policy: same-origin
-Cross-Origin-Embedder-Policy: require-corp
-

+    Cross-Origin-Opener-Policy: same-origin
+    Cross-Origin-Embedder-Policy: require-corp
 
-
See also the {{HTTPHeader("Cross-Origin-Embedder-Policy")}} header which you'll need to set as well.

+See also the {{HTTPHeader("Cross-Origin-Embedder-Policy")}} header which you'll need to set as well.
 
-
To check if cross-origin isolation has been successful, you can test against the crossOriginIsolated property available to window and worker contexts:

+To check if cross-origin isolation has been successful, you can test against the [`crossOriginIsolated`](/en-US/docs/Web/API/WindowOrWorkerGlobalScope/crossOriginIsolated) property available to window and worker contexts:
 
-
if (crossOriginIsolated) {
+```js
+if (crossOriginIsolated) {
   // Post SharedArrayBuffer
 } else {
   // Do something else
-}

+}
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{httpheader("Cross-Origin-Embedder-Policy")}}
    • 
-

+- {{httpheader("Cross-Origin-Embedder-Policy")}}
diff --git a/files/en-us/web/http/headers/cross-origin-resource-policy/index.md b/files/en-us/web/http/headers/cross-origin-resource-policy/index.md
index 069f99c7ed422d7..3af21386a9120ec 100644
--- a/files/en-us/web/http/headers/cross-origin-resource-policy/index.md
+++ b/files/en-us/web/http/headers/cross-origin-resource-policy/index.md
@@ -2,31 +2,27 @@
 title: Cross-Origin-Resource-Policy
 slug: Web/HTTP/Headers/Cross-Origin-Resource-Policy
 tags:
-- HTTP
-- HTTP Header
-- Reference
-- Response Header
-- header
+  - HTTP
+  - HTTP Header
+  - Reference
+  - Response Header
+  - header
 browser-compat: http.headers.Cross-Origin-Resource-Policy
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-

-  

-    Note: Due to a bug in Chrome,
-    setting Cross-Origin-Resource-Policy can break PDF rendering,
-    preventing visitors from being able to read past the first page of some PDFs.
-    Due to a bug in Firefox,
-    setting Cross-Origin-Resource-Policy can prevent some resources
-    (such as PDFs)
-    from being downloaded in some circumstances.
-    Exercise caution using this header in a production environment.
-  

-

+> **Note:** Due to a [bug in Chrome](https://bugs.chromium.org/p/chromium/issues/detail?id=1074261),
+> setting Cross-Origin-Resource-Policy can break PDF rendering,
+> preventing visitors from being able to read past the first page of some PDFs.
+> Due to a [bug in Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=1638323),
+> setting Cross-Origin-Resource-Policy can prevent some resources
+> (such as PDFs)
+> from being downloaded in some circumstances.
+> Exercise caution using this header in a production environment.
 
-
The HTTP Cross-Origin-Resource-Policy response header
-  conveys a desire that the browser blocks no-cors cross-origin/cross-site requests to the
-  given resource.

+The HTTP **`Cross-Origin-Resource-Policy`** response header
+conveys a desire that the browser blocks no-cors cross-origin/cross-site requests to the
+given resource.
 
 
@@ -41,36 +37,33 @@ browser-compat: http.headers.Cross-Origin-Resource-Policy
   

   
 

 
-
Syntax

+## Syntax
 
-
Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin
-

+```html
+Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin
+```
 
-
Examples

+## Examples
 
-
The response header below will cause compatible user agents to disallow cross-origin
-  no-cors requests:

+The response header below will cause compatible user agents to disallow cross-origin
+no-cors requests:
 
-
Cross-Origin-Resource-Policy: same-origin
-

+    Cross-Origin-Resource-Policy: same-origin
 
-
For more examples, see https://resourcepolicy.fyi/.

+For more examples, see .
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [Cross-Origin
+  Resource Policy (CORP) explainer]()
+- [Consider deploying Cross-Origin Resource
+  Policy](https://resourcepolicy.fyi/)
+- {{httpheader("Access-Control-Allow-Origin")}}
diff --git a/files/en-us/web/http/headers/date/index.md b/files/en-us/web/http/headers/date/index.md
index 40ee4e9c0571453..4e04bec927bcd67 100644
--- a/files/en-us/web/http/headers/date/index.md
+++ b/files/en-us/web/http/headers/date/index.md
@@ -2,91 +2,90 @@
 title: Date
 slug: Web/HTTP/Headers/Date
 tags:
-- HTTP
-- HTTP Header
-- Request header
-- Response header
-- Reference
+  - HTTP
+  - HTTP Header
+  - Request header
+  - Response header
+  - Reference
 browser-compat: http.headers.Date
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
+
+The **`Date`** general HTTP header contains the date and time
+at which the message was originated.
+
+> **Warning:** `Date` is listed
+> in the [forbidden header names](https://fetch.spec.whatwg.org/#forbidden-header-name)
+> in the fetch spec, so this code will not send the `Date` header:
+>
+> ```js
+> fetch('https://httpbin.org/get', {
+>       'headers': {
+>         'Date': (new Date()).toUTCString()
+>       }
+>     })
+> ```
 
-
The Date general HTTP header contains the date and time
-	at which the message was originated.

+
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
+
Header type
+        {{Glossary("Request header")}},
+        {{Glossary("Response header")}}
+      
{{Glossary("Forbidden header name")}}yes

 
-

-	
Warning: Date is listed
-    in the forbidden header names
-    in the fetch spec, so this code will not send the Date header:

+## Syntax
 
-	  
fetch('https://httpbin.org/get', {
-      'headers': {
-        'Date': (new Date()).toUTCString()
-      }
-    })

-

+```html
+Date: ,    :: GMT
+```
 
-
-	
-		
-			
-			
-		
-		
-			
-			
-		
-	
-
Header type{{Glossary("Request header")}}, {{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}yes

+## Directives
+
+- \
+  - : One of "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", or "Sun" (case-sensitive).
+- \
+  - : 2 digit day number, e.g. "04" or "23".
+- \
+  - : One of "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct",
+    "Nov", "Dec" (case sensitive).
+- \
+  - : 4 digit year number, e.g. "1990" or "2016".
+- \
+  - : 2 digit hour number, e.g. "09" or "23".
+- \
+  - : 2 digit minute number, e.g. "04" or "59".
+- \
+  - : 2 digit second number, e.g. "04" or "59".
+- GMT
+  - : Greenwich Mean Time. HTTP dates are always expressed in GMT, never in local
+    time.
+
+## Examples
+
+    Date: Wed, 21 Oct 2015 07:28:00 GMT
+
+```js
+new Date().toUTCString()
+// "Mon, 09 Mar 2020 08:13:24 GMT"
+```
 
-
Syntax

-
-
Date: <day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT
-

-
-
Directives

-
-

-	
<day-name>

-	
One of "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", or "Sun" (case-sensitive).

-	
<day>

-	
2 digit day number, e.g. "04" or "23".

-	
<month>

-	
One of "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct",
-		"Nov", "Dec" (case sensitive).

-	
<year>

-	
4 digit year number, e.g. "1990" or "2016".

-	
<hour>

-	
2 digit hour number, e.g. "09" or "23".

-	
<minute>

-	
2 digit minute number, e.g. "04" or "59".

-	
<second>

-	
2 digit second number, e.g. "04" or "59".

-	
GMT

-	

-		
Greenwich Mean Time. HTTP dates are always expressed in GMT, never in local
-			time.

-	

-

-
-
Examples

-
-
Date: Wed, 21 Oct 2015 07:28:00 GMT
-

-
-
new Date().toUTCString()
-// "Mon, 09 Mar 2020 08:13:24 GMT"

-
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-	
  • {{HTTPHeader("Age")}}
    • 
-

+- {{HTTPHeader("Age")}}
diff --git a/files/en-us/web/http/headers/device-memory/index.md b/files/en-us/web/http/headers/device-memory/index.md
index e7c169247491661..af85ce9ebbc37fa 100644
--- a/files/en-us/web/http/headers/device-memory/index.md
+++ b/files/en-us/web/http/headers/device-memory/index.md
@@ -11,78 +11,72 @@ tags:
   - Experimental
 browser-compat: http.headers.Device-Memory
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}} {{securecontext_header}}

+{{HTTPSidebar}} {{SeeCompatTable}} {{securecontext_header}}
 
-
The Device-Memory {{Glossary("Client hints","device client hint")}} request header field indicates the approximate amount of available RAM on the client device. The header is part of the Device Memory API.

+The **`Device-Memory`** {{Glossary("Client hints","device client hint")}} request header field indicates the approximate amount of available RAM on the client device. The header is part of the [Device Memory API](/en-US/docs/Web/API/Device_Memory_API).
 
 
-   
-    
-    
-   
-   
-    
-    
-   
+    
+      
+      
+    
+    
+      
+      
+    
- 

   
Header type{{Glossary("Request header")}}, {{Glossary("Client hints","Client hint")}}
{{Glossary("Forbidden header name")}}no
Header type
+        {{Glossary("Request header")}},
+        {{Glossary("Client hints","Client hint")}}
+      
{{Glossary("Forbidden header name")}}no

   

+
 
-

-  
Note:

-    
    
-      
  • Client Hints are accessible only on secure origins (via TLS).
    • 
-      
  • A server has to opt in to receive the Device-Memory header from the client, by sending the {{HTTPHeader("Accept-CH")}} response header.
    • 
-      
  • Servers that opt in to the Device-Memory client hint will typically also specify it in the {{HTTPHeader("Vary")}} header. This informs caches that the server may send different responses based on the header value in a request.
    • 
-    

-

+> **Note:**
+>
+> - Client Hints are accessible only on secure origins (via TLS).
+> - A server has to opt in to receive the `Device-Memory` header from the client, by sending the {{HTTPHeader("Accept-CH")}} response header.
+> - Servers that opt in to the `Device-Memory` client hint will typically also specify it in the {{HTTPHeader("Vary")}} header. This informs caches that the server may send different responses based on the header value in a request.
 
-
Syntax

+## Syntax
 
-
Device-Memory: <number>

+    Device-Memory: 
 
-
Directives

+## Directives
 
-

- 
 <number>

- 
The approximate amount of device RAM. Possible values are: 0.25, 0.5, 1, 2, 4, 8.

-

+- ``
+  - : The approximate amount of device RAM. Possible values are: `0.25`, `0.5`, `1`, `2`, `4`, `8`.
 
-
The amount of device RAM can be used as a fingerprinting variable, so values for the header are intentionally coarse to reduce the potential for its misuse.

+The amount of device RAM can be used as a fingerprinting variable, so values for the header are intentionally coarse to reduce the potential for its misuse.
 
-
Examples

+## Examples
 
-
The server first needs to opt in to receive Device-Memory header by sending the response headers {{HTTPHeader("Accept-CH")}} containing Device-Memory.

+The server first needs to opt in to receive `Device-Memory` header by sending the response headers {{HTTPHeader("Accept-CH")}} containing `Device-Memory`.
 
-
Accept-CH: Device-Memory
-

+    Accept-CH: Device-Memory
 
-
Then on subsequent requests the client might send Device-Memory header back:

+Then on subsequent requests the client might send `Device-Memory` header back:
 
-
Device-Memory: 1

+    Device-Memory: 1
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [Adapting to Users with Client Hints](https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/client-hints) (developer.google.com)
+- [Device Memory API](/en-US/docs/Web/API/Device_Memory_API)
+- {{DOMxRef("Navigator.deviceMemory")}}
+- Device client hints
+
+  - {{HTTPHeader("Content-DPR")}}
+  - {{HTTPHeader("DPR")}}
+  - {{HTTPHeader("Viewport-Width")}}
+  - {{HTTPHeader("Width")}}
+
+- {{HTTPHeader("Accept-CH")}}
+- [HTTP Caching > Varying responses](/en-US/docs/Web/HTTP/Caching#varying_responses) and {{HTTPHeader("Vary")}}
diff --git a/files/en-us/web/http/headers/digest/index.md b/files/en-us/web/http/headers/digest/index.md
index 24466b4d0d5f057..97761b6d32774e3 100644
--- a/files/en-us/web/http/headers/digest/index.md
+++ b/files/en-us/web/http/headers/digest/index.md
@@ -2,31 +2,27 @@
 title: Digest
 slug: Web/HTTP/Headers/Digest
 tags:
-- HTTP
-- HTTP Header
+  - HTTP
+  - HTTP Header
 browser-compat: http.headers.Digest
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Digest response HTTP header provides a
-  {{Glossary("digest")}} of the requested resource.

+The **`Digest`** response HTTP header provides a
+{{Glossary("digest")}} of the requested resource.
 
-

-  In RFC 7231 terms,
-  this is the selected representation of a resource.
-  The selected representation depends
-  on the Content-Type
-  and Content-Encoding header values,
-  so a single resource may have multiple different digest values.
-

+In [RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231) terms,
+this is the _selected representation_ of a resource.
+The selected representation depends
+on the [`Content-Type`](/en-US/docs/Web/HTTP/Headers/Content-Type)
+and [`Content-Encoding`](/en-US/docs/Web/HTTP/Headers/Content-Encoding) header values,
+so a single resource may have multiple different digest values.
 
-
The digest is calculated over the entire representation. The representation itself may be:

+The digest is calculated over the entire representation. The representation itself may be:
 
-
    
-  
  • fully contained in the response message body,
    • 
-  
  • not at all contained in the message body (for example, in a response to a HEAD request),
    • 
-  
  • or partially contained in the message body (for example, in a response to a range request).
    • 
-

+- fully contained in the response message body,
+- not at all contained in the message body (for example, in a response to a [`HEAD`](/en-US/docs/Web/HTTP/Methods/HEAD) request),
+- or partially contained in the message body (for example, in a response to a [range request](/en-US/docs/Web/HTTP/Range_requests)).
 
 
@@ -41,61 +37,45 @@ browser-compat: http.headers.Digest
   

   
 

 
-
Syntax

+## Syntax
 
-
Digest: <digest-algorithm>=<digest-value>
-Digest: <digest-algorithm>=<digest-value>,<digest-algorithm>=<digest-value>
-

+    Digest: =
+    Digest: =,=
 
-
Directives

+## Directives
 
-

-  
<digest-algorithm>

-  
Supported digest algorithms are defined in RFC 3230 and RFC 5843, and include
-    SHA-256 and SHA-512. Some of the supported algorithms,
-    including unixsum and MD5 are subject to collisions and are
-    thus not suitable for applications in which collision-resistance is important.

-  
<digest-value>

-  
The result of applying the digest algorithm to the resource representation and
+- ``
+  - : Supported digest algorithms are defined in [RFC 3230](https://datatracker.ietf.org/doc/html/rfc3230) and [RFC 5843](https://datatracker.ietf.org/doc/html/rfc5843), and include
+    `SHA-256` and `SHA-512`. Some of the supported algorithms,
+    including `unixsum` and `MD5` are subject to collisions and are
+    thus not suitable for applications in which collision-resistance is important.
+- ``
+  - : The result of applying the digest algorithm to the resource representation and
     encoding the result. The choice of digest algorithm also determines the encoding to
-    use: for example SHA-256 uses base64 encoding.

-

+    use: for example `SHA-256` uses base64 encoding.
 
-
Examples

+## Examples
 
-
Digest: sha-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=
-Digest: sha-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=,unixsum=30637

+    Digest: sha-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=
+    Digest: sha-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=,unixsum=30637
 
-
Specifications

+## Specifications
 
-
-    
-      
-    
-    
-      
-    
-
Specification
draft-ietf-httpbis-digest-headers-latest

+| Specification                                                                                                  |
+| -------------------------------------------------------------------------------------------------------------- |
+| [draft-ietf-httpbis-digest-headers-latest](https://datatracker.ietf.org/doc/draft-ietf-httpbis-digest-headers) |
 
-

-  This header was originally defined in RFC 3230,
-  but the definition of "selected representation" in RFC 7231 made the original definition inconsistent with current HTTP specifications.
-  When released, The "Resource Digests for HTTP" draft therefore will obsolete RFC 3230
-  and will update the standard to be consistent.
-

+This header was originally defined in [RFC 3230](https://datatracker.ietf.org/doc/html/rfc3230),
+but the definition of "selected representation" in [RFC 7231](https://www.rfc-editor.org/info/rfc7231) made the original definition inconsistent with current HTTP specifications.
+When released, The "Resource Digests for HTTP" draft therefore will obsolete RFC 3230
+and will update the standard to be consistent.
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Want-Digest")}}
+- [HTTP range requests](/en-US/docs/Web/HTTP/Range_requests)
+- [`206 Partial Content`](/en-US/docs/Web/HTTP/Status/206 "The HTTP 206 Partial Content success status response code indicates that the request has succeeded and has the body contains the requested ranges of data, as described in the Range header of the request.")
diff --git a/files/en-us/web/http/headers/dnt/index.md b/files/en-us/web/http/headers/dnt/index.md
index cde38ebf855d8a2..f2934065bff5186 100644
--- a/files/en-us/web/http/headers/dnt/index.md
+++ b/files/en-us/web/http/headers/dnt/index.md
@@ -2,17 +2,17 @@
 title: DNT
 slug: Web/HTTP/Headers/DNT
 tags:
-- DNT
-- HTTP
-- Reference
-- header
+  - DNT
+  - HTTP
+  - Reference
+  - header
 browser-compat: http.headers.DNT
 ---
-
{{HTTPSidebar}}{{Deprecated_header}}

+{{HTTPSidebar}}{{Deprecated_header}}
 
-
The DNT (Do Not
-  Track) request header indicates the user's tracking preference. It lets
-  users indicate whether they would prefer privacy rather than personalized content.

+The **`DNT`** (**D**o **N**ot
+**T**rack) request header indicates the user's tracking preference. It lets
+users indicate whether they would prefer privacy rather than personalized content.
 
 
@@ -27,57 +27,51 @@ browser-compat: http.headers.DNT
   

   
 

 
-
Syntax

+## Syntax
 
-
DNT: 0
+```html
+DNT: 0
 DNT: 1
 DNT: null
-

+```
 
-
Directives

+## Directives
 
-

-  
0

-  
The user prefers to allow tracking on the target site.

-  
1

-  
The user prefers not to be tracked on the target site.

-  
null

-  
The user has not specified a preference about tracking.

-

+- 0
+  - : The user prefers to allow tracking on the target site.
+- 1
+  - : The user prefers not to be tracked on the target site.
+- null
+  - : The user has not specified a preference about tracking.
 
-
Examples

+## Examples
 
-
Reading Do Not Track status from
-  JavaScript

+### Reading Do Not Track status from JavaScript
 
-
The user's DNT preference can also be read from JavaScript using the
-  {{domxref("Navigator.doNotTrack")}} property:

+The user's DNT preference can also be read from JavaScript using the
+{{domxref("Navigator.doNotTrack")}} property:
 
-
navigator.doNotTrack; // "0" or "1"

+```js
+navigator.doNotTrack; // "0" or "1"
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

-
-
{{Compat}}

-
-
See also

-
-
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- {{domxref("Navigator.doNotTrack")}}
+- {{HTTPHeader("Tk")}} header
+- [Do Not Track on Wikipedia](https://en.wikipedia.org/wiki/Do_Not_Track)
+- [What
+  Does the "Track" in "Do Not Track" Mean? – EFF](https://www.eff.org/deeplinks/2011/02/what-does-track-do-not-track-mean)
+- [donottrack.us](https://donottrack.us/)
+- DNT browser settings help:
+
+  - [Firefox](https://www.mozilla.org/en-US/firefox/dnt/)
+  - [Chrome](https://support.google.com/chrome/answer/2790761)
diff --git a/files/en-us/web/http/headers/downlink/index.md b/files/en-us/web/http/headers/downlink/index.md
index d6db253ec7912c1..5fb4dbf2de6888c 100644
--- a/files/en-us/web/http/headers/downlink/index.md
+++ b/files/en-us/web/http/headers/downlink/index.md
@@ -11,72 +11,68 @@ tags:
   - Experimental
 browser-compat: http.headers.downlink
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The Downlink {{Glossary("Client hints","network client hint")}} request header field provides the approximate bandwidth of the client's connection to the server, in Mbps.

+The **`Downlink`** {{Glossary("Client hints","network client hint")}} request header field provides the approximate bandwidth of the client's connection to the server, in Mbps.
 
 
-   
-    
-    
-   
-   
-    
-    
-   
+    
+      
+      
+    
+    
+      
+      
+    
- 

   
Header type{{Glossary("Request header")}}, {{Glossary("Client hints","Client hint")}}
{{Glossary("Forbidden header name")}}no
Header type
+        {{Glossary("Request header")}},
+        {{Glossary("Client hints","Client hint")}}
+      
{{Glossary("Forbidden header name")}}no

   

+
 
-
The Downlink value is given in Mbps and rounded to the nearest 25 kilobits per second to prevent fingerprinting; There are many other mechanisms an attacker might use to obtain similar information.

+The `Downlink` value is given in Mbps and rounded to the nearest 25 kilobits per second to prevent fingerprinting; There are many other mechanisms an attacker might use to obtain similar information.
 
-
The hint allows a server to choose what information is sent based on the network bandwidth. For example, a server might choose to send smaller versions of images and other resources on low bandwidth networks.

+The hint allows a server to choose what information is sent based on the network bandwidth. For example, a server might choose to send smaller versions of images and other resources on low bandwidth networks.
 
-

-  
Note: The {{HTTPHeader("Vary")}} header is used in responses to indicate that a different resource is sent for every different value of the header (see HTTP Caching > Varying responses). Even if {{HTTPHeader("Downlink")}} is used to configure what resources are sent, consider omitting it in the {{HTTPHeader("Vary")}} header — it is likely to change often, which effectively makes the resource uncachable.

-

+> **Note:** The {{HTTPHeader("Vary")}} header is used in responses to indicate that a different resource is sent for every different value of the header (see [HTTP Caching > Varying responses](/en-US/docs/Web/HTTP/Caching#varying_responses)). Even if {{HTTPHeader("Downlink")}} is used to configure what resources are sent, consider omitting it in the {{HTTPHeader("Vary")}} header — it is likely to change often, which effectively makes the resource uncachable.
 
-
Syntax

+## Syntax
 
-
Downlink: <number>

+    Downlink: 
 
-
Directives

+## Directives
 
-

- 
<number>

- 
The downlink rate in Mbps, rounded to the nearest 25 kilobits.

-

+- \
+  - : The downlink rate in Mbps, rounded to the nearest 25 kilobits.
 
-
Examples

+## Examples
 
-
A server first needs to opt in to receive the Downlink header by sending the {{HTTPHeader("Accept-CH")}} response header containing Downlink.

+A server first needs to opt in to receive the `Downlink` header by sending the {{HTTPHeader("Accept-CH")}} response header containing `Downlink`.
 
-
Accept-CH: Downlink

+    Accept-CH: Downlink
 
-
Then on subsequent requests the client might send a Downlink header back:

+Then on subsequent requests the client might send a `Downlink` header back:
 
-
Downlink: 1.7

+    Downlink: 1.7
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [Adapting to Users with Client Hints](https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/client-hints) (developer.google.com)
+- Network client hints
+
+  - {{HTTPHeader("RTT")}}
+  - {{HTTPHeader("ECT")}}
+  - {{HTTPHeader("Save-Data")}}
+
+- {{HTTPHeader("Accept-CH")}}
+- [HTTP Caching > Varying responses](/en-US/docs/Web/HTTP/Caching#varying_responses) and {{HTTPHeader("Vary")}}
+- {{domxref("NetworkInformation.effectiveType")}}
diff --git a/files/en-us/web/http/headers/dpr/index.md b/files/en-us/web/http/headers/dpr/index.md
index 2f167c8d00cc71d..437453ea1a11021 100644
--- a/files/en-us/web/http/headers/dpr/index.md
+++ b/files/en-us/web/http/headers/dpr/index.md
@@ -12,85 +12,75 @@ tags:
   - Exerimental
 browser-compat: http.headers.DPR
 ---
-
{{HTTPSidebar}} {{deprecated_header}}{{securecontext_header}}

+{{HTTPSidebar}} {{deprecated_header}}{{securecontext_header}}
 
-
The DPR device client hint request header provides the client device pixel ratio. This ratio is the number of physical device pixels corresponding to every {{Glossary("CSS pixel")}}.

+The **`DPR`** [device client hint](/en-US/docs/Glossary/Client_hints) request header provides the client device pixel ratio. This ratio is the number of physical device pixels corresponding to every {{Glossary("CSS pixel")}}.
 
 
-   
-    
-    
-   
-   
-    
-    
-   
+    
+      
+      
+    
+    
+      
+      
+    
- 

   
Header type{{Glossary("Request header")}}, {{Glossary("Client hints","Client hint")}}
{{Glossary("Forbidden header name")}}no
Header type
+        {{Glossary("Request header")}},
+        {{Glossary("Client hints","Client hint")}}
+      
{{Glossary("Forbidden header name")}}no

   

+
 
-
The hint is useful when selecting image sources that best correspond to a screen's pixel density. This is similar to the role played by x descriptors in the <img> srcset attribute to allow user agents to select a preferred image.

+The hint is useful when selecting image sources that best correspond to a screen's pixel density. This is similar to the role played by `x` descriptors in the `` [`srcset`](/en-US/docs/Web/HTML/Element/img#attr-srcset) attribute to allow user agents to select a preferred image.
 
-
If a server uses the DPR hint to choose which resource is sent in a response, the response must include the {{HTTPHeader("Content-DPR")}} header. The client must use the value in Content-DPR for layout if it differs from the value in the request's DPR header.

+If a server uses the `DPR` hint to choose which resource is sent in a response, the response must include the {{HTTPHeader("Content-DPR")}} header. The client must use the value in `Content-DPR` for layout if it differs from the value in the request's `DPR` header.
 
-
If the DPR header appears more than once in a message the last occurrence is used.

+If the `DPR` header appears more than once in a message the last occurrence is used.
 
-

-  
Note:

-    
    
-      
  • Client Hints are accessible only on secure origins (via TLS).
    • 
-      
  • A server has to opt in to receive the DPR header from the client, by sending the {{HTTPHeader("Accept-CH")}} response header.
    • 
-      
  • Servers that opt in to the DPR client hint will typically also specify it in the {{HTTPHeader("Vary")}} header. This informs caches that the server may send different responses based on the header value in a request.
    • 
-      
  • DPR was removed from the client hints specification in draft-ietf-httpbis-client-hints-07. The proposed replacement is Sec-CH-DPR (Responsive Image Client Hints).
    • 
-    

-

+> **Note:**
+>
+> - Client Hints are accessible only on secure origins (via TLS).
+> - A server has to opt in to receive the `DPR` header from the client, by sending the {{HTTPHeader("Accept-CH")}} response header.
+> - Servers that opt in to the `DPR` client hint will typically also specify it in the {{HTTPHeader("Vary")}} header. This informs caches that the server may send different responses based on the header value in a request.
+> - `DPR` was removed from the client hints specification in [draft-ietf-httpbis-client-hints-07](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-client-hints-07). The proposed replacement is [`Sec-CH-DPR`](https://wicg.github.io/responsive-image-client-hints/#sec-ch-dpr) (Responsive Image Client Hints).
 
-
Syntax

+## Syntax
 
-
DPR: <number>

+    DPR: 
 
-
Directives

+## Directives
 
-

- 
 <number>

- 
The client device pixel ratio.

-

+- ``
+  - : The client device pixel ratio.
 
-
Examples

+## Examples
 
-
A server must first opt in to receive the DPR header by sending the response header {{HTTPHeader("Accept-CH")}} containing the directive DPR.

+A server must first opt in to receive the `DPR` header by sending the response header {{HTTPHeader("Accept-CH")}} containing the directive `DPR`.
 
-
Accept-CH: DPR

+    Accept-CH: DPR
 
-
Then on subsequent requests the client might send DPR header to the server:

+Then on subsequent requests the client might send `DPR` header to the server:
 
-
DPR: 2.0
-

+    DPR: 2.0
 
-
If a request with the DPR header (as shown above) is for an image resource, then the server response must include the {{HTTPHeader("Content-DPR")}} header:

+If a request with the `DPR` header (as shown above) is for an image resource, then the server response must include the {{HTTPHeader("Content-DPR")}} header:
 
-
Content-DPR: 2.0
-

+    Content-DPR: 2.0
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
+## See also
 
-
See also

-
-
+- [Adapting to Users with Client Hints](https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/client-hints) (developer.google.com)
+- Device client hints
 
+  - {{HTTPHeader("Content-DPR")}}
+  - {{HTTPHeader("Device-Memory")}}
+  - {{HTTPHeader("Viewport-Width")}}
+  - {{HTTPHeader("Width")}}
 
+- {{HTTPHeader("Accept-CH")}}
+- [HTTP Caching > Varying responses](/en-US/docs/Web/HTTP/Caching#varying_responses) and {{HTTPHeader("Vary")}}
diff --git a/files/en-us/web/http/headers/early-data/index.md b/files/en-us/web/http/headers/early-data/index.md
index bbed841965da952..e00fb03acd0dc2f 100644
--- a/files/en-us/web/http/headers/early-data/index.md
+++ b/files/en-us/web/http/headers/early-data/index.md
@@ -11,16 +11,15 @@ tags:
   - Experimental
 browser-compat: http.headers.Early-Data
 ---
-
{{SeeCompatTable}}{{HTTPSidebar}}

+{{SeeCompatTable}}{{HTTPSidebar}}
 
-
The Early-Data header is set by
-    an intermediary to indicate that the request has been conveyed in TLS early data,
-    and also indicates that the intermediary understands the {{HTTPStatus("425", "425 (Too
-    Early)")}} status code.

+The **`Early-Data`** header is set by
+an intermediary to indicate that the request has been conveyed in [TLS early data](/en-US/docs/Web/Security/Transport_Layer_Security#tls_1.3),
+and also indicates that the intermediary understands the {{HTTPStatus("425", "425 (Too
+    Early)")}} status code.
 
-
The Early-Data header is not set by the originator of the
-  request (i.e., a browser).

+The `Early-Data` header is **not** set by the originator of the
+request (i.e., a browser).
 
 
@@ -35,21 +34,22 @@ browser-compat: http.headers.Early-Data
   

   
 

 
-
Syntax

+## Syntax
 
-
Early-Data: 1
-

+```html
+Early-Data: 1
+```
 
-
Examples

+## Examples
 
-
GET /resource HTTP/1.0
-Host: example.com
-Early-Data: 1

+    GET /resource HTTP/1.0
+    Host: example.com
+    Early-Data: 1
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
diff --git a/files/en-us/web/http/headers/ect/index.md b/files/en-us/web/http/headers/ect/index.md
index 5475017515c7210..987564c5e69b170 100644
--- a/files/en-us/web/http/headers/ect/index.md
+++ b/files/en-us/web/http/headers/ect/index.md
@@ -11,73 +11,68 @@ tags:
   - Experimental
 browser-compat: http.headers.ect
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The ECT {{Glossary("Client hints","network client hint")}} request header field indicates the {{Glossary("effective connection type")}}: slow-2g, 2g, 3g, 4g.

+The **`ECT`** {{Glossary("Client hints","network client hint")}} request header field indicates the {{Glossary("effective connection type")}}: `slow-2g`, `2g`, `3g`, `4g`.
 
 
-   
-    
-    
-   
-   
-    
-    
-   
+    
+      
+      
+    
+    
+      
+      
+    
- 

   
Header type{{Glossary("Request header")}}, {{Glossary("Client hints","Client hint")}}
{{Glossary("Forbidden header name")}}no
Header type
+        {{Glossary("Request header")}},
+        {{Glossary("Client hints","Client hint")}}
+      
{{Glossary("Forbidden header name")}}no

   

+
 
- 
The value represents the "network profile" that best matches the connection's latency and bandwidth, rather than the actual mechanisms used for transferring the data. For example, 2g might be used to represent a slow wifi connection with high latency and low bandwidth, while 4g might be used to represent a fast fibre-based broadband network.

+The value represents the "network profile" that best matches the connection's latency and bandwidth, rather than the actual mechanisms used for transferring the data. For example, `2g` might be used to represent a slow wifi connection with high latency and low bandwidth, while `4g` might be used to represent a fast fibre-based broadband network.
 
-
The hint allows a server to choose what information is sent based on the broad characteristics of the network. For example, a server might choose to send smaller versions of images and other resources on less capable connections. The value might also be used as a starting point for determining what information is sent, which is further refined using information in {{HTTPHeader("RTT")}} and {{HTTPHeader("Downlink")}} hints.

+The hint allows a server to choose what information is sent based on the broad characteristics of the network. For example, a server might choose to send smaller versions of images and other resources on less capable connections. The value might also be used as a starting point for determining what information is sent, which is further refined using information in {{HTTPHeader("RTT")}} and {{HTTPHeader("Downlink")}} hints.
 
-

-  
Note: A server that specifies {{HTTPHeader("ECT")}} in {{HTTPHeader("Accept-CH")}} may also specify it in {{HTTPHeader("Vary")}} to indicate that responses should be cached for different ECT values.

-

+> **Note:** A server that specifies {{HTTPHeader("ECT")}} in {{HTTPHeader("Accept-CH")}} may also specify it in {{HTTPHeader("Vary")}} to indicate that responses should be cached for different ECT values.
 
-
Syntax

+## Syntax
 
-
ECT: <value>

+    ECT: 
 
-
Directives

+## Directives
 
-

- 
<value>

- 
A value indicating {{Glossary("effective connection type")}}. This is one of: slow-2g, 2g, 3g, or 4g.

-

+- \
+  - : A value indicating {{Glossary("effective connection type")}}. This is one of: `slow-2g`, `2g`, `3g`, or `4g`.
 
-
Examples

+## Examples
 
-
A server first needs to opt in to receive the ECT header by sending the {{HTTPHeader("Accept-CH")}} response header containing ECT.

+A server first needs to opt in to receive the `ECT` header by sending the {{HTTPHeader("Accept-CH")}} response header containing `ECT`.
 
-
Accept-CH: ECT

+    Accept-CH: ECT
 
-
Then on subsequent requests the client might send an ECT header back:

+Then on subsequent requests the client might send an `ECT` header back:
 
-
ECT: 2g

+    ECT: 2g
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
+## See also
 
-
See also

+- [Adapting to Users with Client Hints](https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/client-hints) (developer.google.com)
+- Network client hints
 
-
+  - {{HTTPHeader("Downlink")}}
+  - {{HTTPHeader("RTT")}}
+  - {{HTTPHeader("Save-Data")}}
+
+- {{HTTPHeader("Accept-CH")}}
+- [HTTP Caching > Varying responses](/en-US/docs/Web/HTTP/Caching#varying_responses) and {{HTTPHeader("Vary")}}
+- {{domxref("NetworkInformation.effectiveType")}}
diff --git a/files/en-us/web/http/headers/etag/index.md b/files/en-us/web/http/headers/etag/index.md
index 3b361ca1bccb754..6e9bdbd813bdf54 100644
--- a/files/en-us/web/http/headers/etag/index.md
+++ b/files/en-us/web/http/headers/etag/index.md
@@ -8,19 +8,19 @@ tags:
   - header
 browser-compat: http.headers.ETag
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The ETag HTTP response header is an identifier for a
-  specific version of a resource. It lets caches be more efficient and save bandwidth, as
-  a web server does not need to resend a full response if the content has not changed.
-  Additionally, etags help prevent simultaneous updates of a resource from overwriting
-  each other ("mid-air collisions").

+The **`ETag`** HTTP response header is an identifier for a
+specific version of a resource. It lets caches be more efficient and save bandwidth, as
+a web server does not need to resend a full response if the content has not changed.
+Additionally, etags help prevent simultaneous updates of a resource from overwriting
+each other (["mid-air collisions"](#avoiding_mid-air_collisions)).
 
-
If the resource at a given URL changes, a new Etag value must be
-  generated. A comparison of them can determine whether two representations of a resource
-  are the same. Etags are therefore similar to fingerprints, and might also be used for
-  tracking purposes by some servers. They might also be set to persist indefinitely by a
-  tracking server.

+If the resource at a given URL changes, a new `Etag` value _must_ be
+generated. A comparison of them can determine whether two representations of a resource
+are the same. Etags are therefore similar to fingerprints, and might also be used for
+tracking purposes by some servers. They might also be set to persist indefinitely by a
+tracking server.
 
 
@@ -35,90 +35,83 @@ browser-compat: http.headers.ETag
   

   
 

 
-
Syntax

+## Syntax
 
-
ETag: W/"<etag_value>"
-ETag: "<etag_value>"
-

+```html
+ETag: W/""
+ETag: ""
+```
 
-
Directives

+## Directives
 
-

-  
W/ {{optional_inline}}

-  
'W/' (case-sensitive) indicates that a weak validator
+- `W/` {{optional_inline}}
+  - : `'W/'` (case-sensitive) indicates that a [weak validator](/en-US/docs/Web/HTTP/Conditional_requests#weak_validation)
     is used. Weak etags are easy to generate, but are far less useful for comparisons.
     Strong validators are ideal for comparisons but can be very difficult to generate
-    efficiently. Weak ETag values of two representations of the same
+    efficiently. Weak `ETag` values of two representations of the same
     resources might be semantically equivalent, but not byte-for-byte identical. This
-    means weak etags prevent caching when byte range requests are used,
-    but strong etags mean range requests can still be cached.

-  
"<etag_value>"

-  
Entity tag uniquely representing the requested resource. They are a string of ASCII
-    characters placed between double quotes, like "675af34563dc-tr34". The
-    method by which ETag values are generated is not specified. Often, a hash
+    means weak etags prevent caching when [byte range requests](/en-US/docs/Web/HTTP/Headers/Accept-Ranges) are used,
+    but strong etags mean range requests can still be cached.
+- "\"
+  - : Entity tag uniquely representing the requested resource. They are a string of ASCII
+    characters placed between double quotes, like `"675af34563dc-tr34"`. The
+    method by which `ETag` values are generated is not specified. Often, a hash
     of the content, a hash of the last modification timestamp, or just a revision number
-    is used. For example, MDN uses a hexadecimal hash of the wiki article content.

-

+    is used. For example, MDN uses a hexadecimal hash of the wiki article content.
 
-
Examples

+## Examples
 
-
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
-ETag: W/"0815"

+    ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
+    ETag: W/"0815"
 
-
Avoiding mid-air collisions

+### Avoiding mid-air collisions
 
-
With the help of the ETag and the {{HTTPHeader("If-Match")}} headers, you
-  can detect mid-air edit collisions.

+With the help of the `ETag` and the {{HTTPHeader("If-Match")}} headers, you
+can detect mid-air edit collisions.
 
-
For example, when editing a wiki, the current wiki content may be hashed
-  and put into an Etag header in the response:

+For example, when editing a wiki, the current wiki content may be hashed
+and put into an `Etag` header in the response:
 
-
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"

+    ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
 
-
When saving changes to a wiki page (posting data), the {{HTTPMethod("POST")}} request
-  will contain the {{HTTPHeader("If-Match")}} header containing the ETag
-  values to check freshness against.

+When saving changes to a wiki page (posting data), the {{HTTPMethod("POST")}} request
+will contain the {{HTTPHeader("If-Match")}} header containing the `ETag`
+values to check freshness against.
 
-
If-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"

+    If-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"
 
-
If the hashes don't match, it means that the document has been edited in-between and a
-  {{HTTPStatus("412")}} Precondition Failed error is thrown.

+If the hashes don't match, it means that the document has been edited in-between and a
+{{HTTPStatus("412")}} `Precondition Failed` error is thrown.
 
-
Caching of unchanged resources

+### Caching of unchanged resources
 
-
Another typical use of the ETag header is to cache resources that are
-  unchanged. If a user visits a given URL again (that has an ETag set), and
-  it is stale (too old to be considered usable), the client will send the value
-  of its ETag along in an {{HTTPHeader("If-None-Match")}} header field:

+Another typical use of the `ETag` header is to cache resources that are
+unchanged. If a user visits a given URL again (that has an `ETag` set), and
+it is _stale_ (too old to be considered usable), the client will send the value
+of its `ETag` along in an {{HTTPHeader("If-None-Match")}} header field:
 
-
If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"

+    If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"
 
-
The server compares the client's ETag (sent with
-  If-None-Match) with the ETag for its current version of the
-  resource, and if both values match (that is, the resource has not changed), the server
-  sends back a {{HTTPStatus("304")}} Not Modified status, without a body,
-  which tells the client that the cached version of the response is still good to use
-  (fresh).

+The server compares the client's `ETag` (sent with
+`If-None-Match`) with the `ETag` for its current version of the
+resource, and if both values match (that is, the resource has not changed), the server
+sends back a {{HTTPStatus("304")}} `Not Modified` status, without a body,
+which tells the client that the cached version of the response is still good to use
+(_fresh_).
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("If-Match")}}
+- {{HTTPHeader("If-None-Match")}}
+- {{HTTPStatus("304")}}` Not Modified`
+- {{HTTPStatus("412")}}` Precondition Failed`
+- [W3C Note: Editing the Web – Detecting
+  the Lost Update Problem Using Unreserved Checkout](https://www.w3.org/1999/04/Editing/)
diff --git a/files/en-us/web/http/headers/expect-ct/index.md b/files/en-us/web/http/headers/expect-ct/index.md
index bddba55da11032d..d5cb81b278e644f 100644
--- a/files/en-us/web/http/headers/expect-ct/index.md
+++ b/files/en-us/web/http/headers/expect-ct/index.md
@@ -7,101 +7,81 @@ tags:
   - header
 browser-compat: http.headers.Expect-CT
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Expect-CT header lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements, to prevent the use of misissued certificates for that site from going unnoticed.

+The `Expect-CT` header lets sites opt in to reporting and/or enforcement of [Certificate Transparency](/en-US/docs/Web/Security/Certificate_Transparency) requirements, to prevent the use of misissued certificates for that site from going unnoticed.
 
-
CT requirements can be satisfied via any one of the following mechanisms:

+CT requirements can be satisfied via any one of the following mechanisms:
 
-
    
- 
  • X.509v3 certificate extension to allow embedding of signed certificate timestamps issued by individual logs
    • 
- 
  • A TLS extension of type signed_certificate_timestamp sent during the handshake
    • 
- 
  • Supporting OCSP stapling (that is, the status_request TLS extension) and providing a SignedCertificateTimestampList
    • 
-

+- X.509v3 certificate extension to allow embedding of signed certificate timestamps issued by individual logs
+- A TLS extension of type `signed_certificate_timestamp` sent during the handshake
+- Supporting OCSP stapling (that is, the `status_request` TLS extension) and providing a `SignedCertificateTimestampList`
 
-

-  
Note: When a site enables the Expect-CT header, they are requesting that the browser check that any certificate for that site appears in public CT logs.

-

+> **Note:** When a site enables the `Expect-CT` header, they are requesting that the browser check that any certificate for that site appears in **[public CT logs](https://www.certificate-transparency.org/known-logs)**.
 
-

-  
Note: Browsers ignore the Expect-CT header over HTTP; the header only has effect on HTTPS connections.

-

+> **Note:** Browsers **ignore** the `Expect-CT` header over HTTP; the header only has effect on HTTPS connections.
 
-

-
Note: The Expect-CT will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021.

-

+> **Note:** The `Expect-CT` will likely become obsolete in June 2021. Since May 2018 new certificates are expected to support SCTs by default. Certificates before March 2018 were allowed to have a lifetime of 39 months, those will all be expired in June 2021.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}yes
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}yes

 

 
-
Syntax

+## Syntax
 
-
Expect-CT: report-uri="<uri>",
-           enforce,
-           max-age=<age>

+    Expect-CT: report-uri="",
+               enforce,
+               max-age=
 
-
 Directives

+##  Directives
 
-

- 
max-age

- 

- 
The number of seconds after reception of the Expect-CT header field during which the user agent should regard the host of the received message as a known Expect-CT host.

+- `max-age`
 
- 
If a cache receives a value greater than it can represent, or if any of its subsequent calculations overflows, the cache will consider this value to be either 2,147,483,648 (2^31) or the greatest positive integer it can represent.

- 

- 
report-uri="<uri>" {{optional_inline}}

- 

- 
The URI where the user agent should report Expect-CT failures.

- When present with the enforce directive, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the Certificate Transparency policy should be enforced and that violations should be reported.

- 
enforce {{optional_inline}}

- 

- 
Signals to the user agent that compliance with the Certificate Transparency policy should be enforced (rather than only reporting compliance) and that the user agent should refuse future connections that violate its Certificate Transparency policy.

+  - : The number of seconds after reception of the `Expect-CT` header field during which the user agent should regard the host of the received message as a known `Expect-CT` host.
 
- 
When both the enforce directive and the report-uri directive are present, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the Certificate Transparency policy should be enforced and that violations should be reported.

- 

-

+    If a cache receives a value greater than it can represent, or if any of its subsequent calculations overflows, the cache will consider this value to be either 2,147,483,648 (2^31) or the greatest positive integer it can represent.
 
-
Example

+- `report-uri=""` {{optional_inline}}
 
-
The following example specifies enforcement of Certificate Transparency for 24 hours and reports violations to foo.example.

+  - : The URI where the user agent should report `Expect-CT` failures.
 
-
Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"

+    When present with the `enforce` directive, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the Certificate Transparency policy should be enforced _and_ that violations should be reported.
 
-
Notes

+- `enforce` {{optional_inline}}
 
-
Root CAs manually added to the trust store override and suppress Expect-CT reports/enforcement.

+  - : Signals to the user agent that compliance with the Certificate Transparency policy should be enforced (rather than only reporting compliance) and that the user agent should refuse future connections that violate its Certificate Transparency policy.
 
-
Browsers will not remember an Expect-CT policy, unless the site has 'proven' it can serve a certificate satisfying the certificate transparency requirements. Browsers implement their own trust model regarding which CT logs are considered trusted for the certificate to have been logged to.

+    When both the `enforce` directive and the `report-uri` directive are present, the configuration is referred to as an "enforce-and-report" configuration, signalling to the user agent both that compliance to the Certificate Transparency policy should be enforced and that violations should be reported.
 
-
Builds of Chrome are designed to stop enforcing the Expect-CT policy 10 weeks after the installation's build date.

+## Example
 
-
Specifications

+The following example specifies enforcement of Certificate Transparency for 24 hours and reports violations to `foo.example`.
 
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
- 
-
SpecificationTitle
Internet DraftExpect-CT Extension for HTTP

+    Expect-CT: max-age=86400, enforce, report-uri="https://foo.example/report"
+
+## Notes
+
+Root CAs manually added to the trust store override and suppress `Expect-CT` reports/enforcement.
+
+Browsers will not remember an `Expect-CT` policy, unless the site has 'proven' it can serve a certificate satisfying the certificate transparency requirements. Browsers implement their own trust model regarding which CT logs are considered trusted for the certificate to have been logged to.
+
+Builds of Chrome are designed to stop enforcing the `Expect-CT` policy 10 weeks after the installation's build date.
+
+## Specifications
+
+| Specification                                                                           | Title                        |
+| --------------------------------------------------------------------------------------- | ---------------------------- |
+| [Internet Draft](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-expect-ct-08) | Expect-CT Extension for HTTP |
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
diff --git a/files/en-us/web/http/headers/expect/index.md b/files/en-us/web/http/headers/expect/index.md
index a776dcf923e6355..b29c40331a6e3d1 100644
--- a/files/en-us/web/http/headers/expect/index.md
+++ b/files/en-us/web/http/headers/expect/index.md
@@ -2,32 +2,30 @@
 title: Expect
 slug: Web/HTTP/Headers/Expect
 tags:
-- HTTP
-- HTTP Header
-- Reference
-- Request header
+  - HTTP
+  - HTTP Header
+  - Reference
+  - Request header
 browser-compat: http.headers.Expect
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Expect HTTP request header indicates expectations
-  that need to be fulfilled by the server in order to properly handle the request.

+The **`Expect`** HTTP request header indicates expectations
+that need to be fulfilled by the server in order to properly handle the request.
 
-
The only expectation defined in the specification is Expect: 100-continue,
-  to which the server shall respond with:

+The only expectation defined in the specification is `Expect: 100-continue`,
+to which the server shall respond with:
 
-
    
-  
  • {{HTTPStatus("100")}} if the information contained in the header is sufficient to
-    cause an immediate success,
    • 
-  
  • {{HTTPStatus("417")}} (Expectation Failed) if it cannot meet the expectation; or any
-    other 4xx status otherwise.
    • 
-

+- {{HTTPStatus("100")}} if the information contained in the header is sufficient to
+  cause an immediate success,
+- {{HTTPStatus("417")}} (Expectation Failed) if it cannot meet the expectation; or any
+  other 4xx status otherwise.
 
-
For example, the server may reject a request if its {{HTTPHeader("Content-Length")}} is
-  too large.

+For example, the server may reject a request if its {{HTTPHeader("Content-Length")}} is
+too large.
 
-
No common browsers send the Expect header, but some other clients such as
-  cURL do so by default.

+No common browsers send the `Expect` header, but some other clients such as
+cURL do so by default.
 
 
@@ -42,52 +40,48 @@ browser-compat: http.headers.Expect
   

   
 

 
-
Syntax

+## Syntax
 
-
No other expectations except "100-continue" are specified currently.

+No other expectations except "100-continue" are specified currently.
 
-
Expect: 100-continue
-

+```html
+Expect: 100-continue
+```
 
-
Directives

+## Directives
 
-

-  
100-continue

-  
Informs recipients that the client is about to send a (presumably large) message
+- 100-continue
+  - : Informs recipients that the client is about to send a (presumably large) message
     body in this request and wishes to receive a {{HTTPStatus("100")}} (Continue) interim
-    response.

-

+    response.
 
-
Examples

+## Examples
 
-
Large message body

+### Large message body
 
-
A client sends a request with a Expect header and waits for the server to respond
-  before sending the message body.

+A client sends a request with a Expect header and waits for the server to respond
+before sending the message body.
 
-
PUT /somewhere/fun HTTP/1.1
-Host: origin.example.com
-Content-Type: video/h264
-Content-Length: 1234567890987
-Expect: 100-continue
-

+    PUT /somewhere/fun HTTP/1.1
+    Host: origin.example.com
+    Content-Type: video/h264
+    Content-Length: 1234567890987
+    Expect: 100-continue
 
-
The server now checks the request headers and may respond with a {{HTTPStatus("100")}}
-  (Continue) response to instruct the client to go ahead and send the message body, or it
-  will send a {{HTTPStatus("417")}} (Expectation Failed) status if any of the expectations
-  cannot be met.

+The server now checks the request headers and may respond with a {{HTTPStatus("100")}}
+(Continue) response to instruct the client to go ahead and send the message body, or it
+will send a {{HTTPStatus("417")}} (Expectation Failed) status if any of the expectations
+cannot be met.
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPStatus("417")}} Expectation Failed
    • 
-  
  • {{HTTPStatus("100")}} Continue
    • 
-

+- {{HTTPStatus("417")}}` Expectation Failed`
+- {{HTTPStatus("100")}}` Continue`
diff --git a/files/en-us/web/http/headers/expires/index.md b/files/en-us/web/http/headers/expires/index.md
index c2d991d762949f1..8be7c6b18c1ed25 100644
--- a/files/en-us/web/http/headers/expires/index.md
+++ b/files/en-us/web/http/headers/expires/index.md
@@ -2,25 +2,23 @@
 title: Expires
 slug: Web/HTTP/Headers/Expires
 tags:
-- Caching
-- HTTP
-- Response
-- header
+  - Caching
+  - HTTP
+  - Response
+  - header
 browser-compat: http.headers.Expires
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Expires header contains the date/time after which the
-  response is considered stale.

+The **`Expires`** header contains the date/time after which the
+response is considered stale.
 
-
Invalid dates, like the value 0, represent a date in the past and mean that the
-  resource is already expired.

+Invalid dates, like the value 0, represent a date in the past and mean that the
+resource is already expired.
 
-

-  
Note: If there is a {{HTTPHeader("Cache-Control")}} header
-    with the max-age or s-maxage directive in the response,
-    the Expires header is ignored.

-

+> **Note:** If there is a {{HTTPHeader("Cache-Control")}} header
+> with the `max-age` or `s-maxage` directive in the response,
+> the `Expires` header is ignored.
 
 
@@ -33,41 +31,38 @@ browser-compat: http.headers.Expires
       
-      
+      

   
no
     

     
{{Glossary("CORS-safelisted response header")}}
+        {{Glossary("CORS-safelisted response header")}}
+      
       yes
     

   
 

 
-
Syntax

+## Syntax
 
-
Expires: <http-date>
-

+```html
+Expires: 
+```
 
-
Directives

+## Directives
 
-

-  
<http-date>

-  

-    
An HTTP-date timestamp.

-  

-

+- \
+  - : An HTTP-date timestamp.
 
-
Examples

+## Examples
 
-
Expires: Wed, 21 Oct 2015 07:28:00 GMT

+    Expires: Wed, 21 Oct 2015 07:28:00 GMT
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Cache-Control")}}
    • 
-  
  • {{HTTPHeader("Age")}}
    • 
-

+- {{HTTPHeader("Cache-Control")}}
+- {{HTTPHeader("Age")}}
diff --git a/files/en-us/web/http/headers/feature-policy/accelerometer/index.md b/files/en-us/web/http/headers/feature-policy/accelerometer/index.md
index 7d3f4597e740ee4..66d3150a0df273b 100644
--- a/files/en-us/web/http/headers/feature-policy/accelerometer/index.md
+++ b/files/en-us/web/http/headers/feature-policy/accelerometer/index.md
@@ -10,36 +10,31 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.accelerometer
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader('Feature-Policy')}} header accelerometer directive controls whether the current document is allowed to gather information about the acceleration of the device through the {{domxref('Accelerometer')}} interface.

+The HTTP {{HTTPHeader('Feature-Policy')}} header `accelerometer` directive controls whether the current document is allowed to gather information about the acceleration of the device through the {{domxref('Accelerometer')}} interface.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: accelerometer <allowlist>;

+    Feature-Policy: accelerometer ;
 
-

- 
<allowlist>

- 
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
The default allowlist value for this feature is: 'self'.

+The default `allowlist` value for this feature is: `'self'`.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
+## Browser compatibility
 
-
Browser compatibility

+{{Compat}}
 
-
{{Compat}}

+## See also
 
-
See also

-
-
+- {{HTTPHeader('Feature-Policy')}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/ambient-light-sensor/index.md b/files/en-us/web/http/headers/feature-policy/ambient-light-sensor/index.md
index f76e582f3caa353..8d388222474ca26 100644
--- a/files/en-us/web/http/headers/feature-policy/ambient-light-sensor/index.md
+++ b/files/en-us/web/http/headers/feature-policy/ambient-light-sensor/index.md
@@ -8,36 +8,31 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.ambient-light-sensor
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader('Feature-Policy')}} header ambient-light-sensor directive controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the {{domxref('AmbientLightSensor')}} interface.

+The HTTP {{HTTPHeader('Feature-Policy')}} header `ambient-light-sensor` directive controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the {{domxref('AmbientLightSensor')}} interface.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: ambient-light-sensor <allowlist>;

+    Feature-Policy: ambient-light-sensor ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

- 

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for ambient-light-sensor is 'self'.

+Default allow list for `ambient-light-sensor` is `'self'`.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
+## Browser compatibility
 
-
Browser compatibility

+{{Compat}}
 
-
{{Compat}}

+## See also
 
-
See also

-
-
+- {{HTTPHeader('Feature-Policy')}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/autoplay/index.md b/files/en-us/web/http/headers/feature-policy/autoplay/index.md
index e9bc60cb5457737..dd0878a70b67895 100644
--- a/files/en-us/web/http/headers/feature-policy/autoplay/index.md
+++ b/files/en-us/web/http/headers/feature-policy/autoplay/index.md
@@ -11,48 +11,42 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.autoplay
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header
-    autoplay directive controls whether the current document is allowed to
-    autoplay media requested through the {{domxref("HTMLMediaElement")}} interface.
-  When this policy is enabled and there were no user gestures, the {{jsxref("Promise")}}
-  returned by {{domxref("HTMLMediaElement.play()")}} will reject with
-  a {{domxref("DOMException")}}. The {{htmlattrxref("autoplay", "audio")}} attribute on
-  {{HTMLElement("audio")}} and {{HTMLElement("video")}} elements will be ignored.

+The HTTP {{HTTPHeader("Feature-Policy")}} header
+`autoplay` directive controls whether the current document is allowed to
+autoplay media requested through the {{domxref("HTMLMediaElement")}} interface.
+When this policy is enabled and there were no user gestures, the {{jsxref("Promise")}}
+returned by {{domxref("HTMLMediaElement.play()")}} will reject with
+a {{domxref("DOMException")}}. The {{htmlattrxref("autoplay", "audio")}} attribute on
+{{HTMLElement("audio")}} and {{HTMLElement("video")}} elements will be ignored.
 
-
For more details on autoplay and autoplay blocking, see the article Autoplay guide for media and Web Audio
-    APIs.

+For more details on autoplay and autoplay blocking, see the article [Autoplay guide for media and Web Audio
+APIs](/en-US/docs/Web/Media/Autoplay_guide).
 
-
Syntax

+## Syntax
 
-
Feature-Policy: autoplay <allowlist>;

+    Feature-Policy: autoplay ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

- 

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
The default value in Google Chrome is
-  'self'.

+The default value in [Google Chrome](https://www.chromestatus.com/feature/5100524789563392) is
+`'self'`.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature
+  Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/battery/index.md b/files/en-us/web/http/headers/feature-policy/battery/index.md
index b5df7d9564e7140..47ab34157942260 100644
--- a/files/en-us/web/http/headers/feature-policy/battery/index.md
+++ b/files/en-us/web/http/headers/feature-policy/battery/index.md
@@ -7,40 +7,35 @@ tags:
   - HTTP
   - Experimental
 browser-compat: http.headers.Feature-Policy.battery
-
 ---
-
{{HTTPSidebar}}{{SeeCompatTable}}

+{{HTTPSidebar}}{{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header battery directive controls whether the current document is allowed to gather information about the battery of the device through the {{DOMxRef("BatteryManager")}} interface obtained via {{DOMxRef("Navigator.getBattery","Navigator.getBattery()")}}.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `battery` directive controls whether the current document is allowed to gather information about the battery of the device through the {{DOMxRef("BatteryManager")}} interface obtained via {{DOMxRef("Navigator.getBattery","Navigator.getBattery()")}}.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: battery <allowlist>;

+    Feature-Policy: battery ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

- 

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for battery is 'self'.

+Default allow list for `battery` is `'self'`.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
+- [Battery Status API](/en-US/docs/Web/API/Battery_Status_API)
+- {{DOMxRef("Navigator.getBattery","Navigator.getBattery()")}}
+- {{DOMxRef("BatteryManager")}}
diff --git a/files/en-us/web/http/headers/feature-policy/camera/index.md b/files/en-us/web/http/headers/feature-policy/camera/index.md
index c3293e1a5b48d4e..09eda44d03276bd 100644
--- a/files/en-us/web/http/headers/feature-policy/camera/index.md
+++ b/files/en-us/web/http/headers/feature-policy/camera/index.md
@@ -11,39 +11,35 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.camera
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}} 

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header
-    camera directive controls whether the current document is allowed to use
-    video input devices. When this policy is enabled, the {{jsxref("Promise")}} returned
-    by {{domxref("MediaDevices.getUserMedia()")}} will reject with
-    a NotAllowedError {{domxref("DOMException")}}.

+The HTTP {{HTTPHeader("Feature-Policy")}} header
+`camera` directive controls whether the current document is allowed to use
+video input devices. When this policy is enabled, the {{jsxref("Promise")}} returned
+by {{domxref("MediaDevices.getUserMedia()")}} will reject with
+a `NotAllowedError` {{domxref("DOMException")}}.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: camera <allowlist>;

+    Feature-Policy: camera ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

- 

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for camera is 'self'.

+Default allow list for `camera` is `'self'`.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/display-capture/index.md b/files/en-us/web/http/headers/feature-policy/display-capture/index.md
index 06bf052b4125ed6..1ae3384625ffc79 100644
--- a/files/en-us/web/http/headers/feature-policy/display-capture/index.md
+++ b/files/en-us/web/http/headers/feature-policy/display-capture/index.md
@@ -10,40 +10,35 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.display-capture
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}} 

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header display-capture directive controls whether or not the document is permitted to use Screen Capture API, that is, {{domxref("MediaDevices.getDisplayMedia", "getDisplayMedia()")}} to capture the screen's contents.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `display-capture` directive controls whether or not the document is permitted to use [Screen Capture API](/en-US/docs/Web/API/Screen_Capture_API), that is, {{domxref("MediaDevices.getDisplayMedia", "getDisplayMedia()")}} to capture the screen's contents.
 
-
If display-capture is disabled in a document, the document will not be able to initiate screen capture via {{domxref("MediaDevices.getDisplayMedia", "getDisplayMedia()")}}.

+If `display-capture` is disabled in a document, the document will not be able to initiate screen capture via {{domxref("MediaDevices.getDisplayMedia", "getDisplayMedia()")}}.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: display-capture <allowlist>;

+    Feature-Policy: display-capture ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for display-capture is 'self'.

+Default allow list for `display-capture` is `'self'`.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
+## Browser compatibility
 
-
Browser compatibility

+{{Compat}}
 
-
{{Compat}}

+## See also
 
-
See also

-
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
+- [Screen Capture API](/en-US/docs/Web/API/Screen_Capture_API)
+- [Using the Screen Capture API](/en-US/docs/Web/API/Screen_Capture_API/Using_Screen_Capture)
diff --git a/files/en-us/web/http/headers/feature-policy/document-domain/index.md b/files/en-us/web/http/headers/feature-policy/document-domain/index.md
index 140c40b9f803ff1..acceaeb6965b3ec 100644
--- a/files/en-us/web/http/headers/feature-policy/document-domain/index.md
+++ b/files/en-us/web/http/headers/feature-policy/document-domain/index.md
@@ -2,49 +2,45 @@
 title: 'Feature-Policy: document-domain'
 slug: Web/HTTP/Headers/Feature-Policy/document-domain
 tags:
-- Directive
-- Experimental
-- Feature Policy
-- Feature-Policy
-- HTTP
-- Reference
-- document-domain
-- Header
+  - Directive
+  - Experimental
+  - Feature Policy
+  - Feature-Policy
+  - HTTP
+  - Reference
+  - document-domain
+  - Header
 browser-compat: http.headers.Feature-Policy.document-domain
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header
-    document-domain directive controls whether the current document is
-    allowed to set {{domxref("document.domain")}}. When this policy is disabled, attempting
-    to set {{domxref("document.domain")}} will fail and cause a SecurityError
-    {{domxref("DOMException")}} to be thrown.

+The HTTP {{HTTPHeader("Feature-Policy")}} header
+`document-domain` directive controls whether the current document is
+allowed to set {{domxref("document.domain")}}. When this policy is disabled, attempting
+to set {{domxref("document.domain")}} will fail and cause a `SecurityError`
+{{domxref("DOMException")}} to be thrown.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: document-domain <allowlist>;

+    Feature-Policy: document-domain ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for document-domain is *.

+Default allow list for `document-domain` is `*`.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/encrypted-media/index.md b/files/en-us/web/http/headers/feature-policy/encrypted-media/index.md
index aff353eb7469ede..5d63eff902d1265 100644
--- a/files/en-us/web/http/headers/feature-policy/encrypted-media/index.md
+++ b/files/en-us/web/http/headers/feature-policy/encrypted-media/index.md
@@ -11,35 +11,31 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.encrypted-media
 ---
-
{{HTTPSidebar}}{{SeeCompatTable}}

+{{HTTPSidebar}}{{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header encrypted-media directive controls whether the current document is allowed to use the Encrypted Media Extensions API (EME). When this policy is enabled, the {{jsxref("Promise")}} returned by {{domxref("Navigator.requestMediaKeySystemAccess","Navigator.requestMediaKeySystemAccess()")}} will reject with a {{domxref("DOMException")}}.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `encrypted-media` directive controls whether the current document is allowed to use the [Encrypted Media Extensions](/en-US/docs/Web/API/Encrypted_Media_Extensions_API) API (EME). When this policy is enabled, the {{jsxref("Promise")}} returned by {{domxref("Navigator.requestMediaKeySystemAccess","Navigator.requestMediaKeySystemAccess()")}} will reject with a {{domxref("DOMException")}}.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: encrypted-media <allowlist>;

+    Feature-Policy: encrypted-media ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for encrypted-media is 'self'.

+Default allow list for `encrypted-media` is `'self'`.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/fullscreen/index.md b/files/en-us/web/http/headers/feature-policy/fullscreen/index.md
index 3937b9005d8bf36..094c7e011dd3cef 100644
--- a/files/en-us/web/http/headers/feature-policy/fullscreen/index.md
+++ b/files/en-us/web/http/headers/feature-policy/fullscreen/index.md
@@ -10,62 +10,61 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.fullscreen
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header fullscreen directive controls whether the current document is allowed to use {{domxref('Element.requestFullScreen()')}}. When this policy is enabled, the returned {{jsxref('Promise')}} rejects with a {{jsxref('TypeError')}}.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `fullscreen` directive controls whether the current document is allowed to use {{domxref('Element.requestFullScreen()')}}. When this policy is enabled, the returned {{jsxref('Promise')}} rejects with a {{jsxref('TypeError')}}.
 
-
By default, top-level documents and their same-origin child frames can request and enter fullscreen mode. This directive allows or prevents cross-origin frames from using fullscreen mode. This includes same-origin frames.

+By default, top-level documents and their same-origin child frames can request and enter fullscreen mode. This directive allows or prevents cross-origin frames from using fullscreen mode. This includes same-origin frames.
 
-

-  
Note: If both this directive (i.e. via the allow attribute) and the allowfullscreen attribute are present on an <iframe> element, this directive takes precedence. There was a bug whereby the fullscreen directive didn't work unless the allowfullscreen attribute was also present, but this has been fixed as of Firefox 80 ({{bug(1608358)}}).

-

+> **Note:** If both this directive (i.e. via the `allow` attribute) and the `allowfullscreen` attribute are present on an `
+```
 
-
<iframe src="https://other.com/videoplayer" allow="fullscreen"></iframe>

+iframe attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin.
 
-
iframe attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin.

+## Specifications
 
-
Specifications

+{{Specifications}}
 
-
{{Specifications}}

+## Browser compatibility
 
-
Browser compatibility

+{{Compat}}
 
-
{{Compat}}

+## See also
 
-
See also

-
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/gamepad/index.md b/files/en-us/web/http/headers/feature-policy/gamepad/index.md
index f45699693c272b0..a563193fa5991ee 100644
--- a/files/en-us/web/http/headers/feature-policy/gamepad/index.md
+++ b/files/en-us/web/http/headers/feature-policy/gamepad/index.md
@@ -7,63 +7,62 @@ tags:
   - HTTP
   - header
   - Experimental
-
 browser-compat: http.headers.Feature-Policy.gamepad
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header gamepad directive controls whether the current document is allowed to use the Gamepad API.
-  When this policy is disabled, calls to {{domxref('Navigator.getGamepads()')}} will throw a SecurityError {{domxref('DOMException')}}.
-  In addition, the {{event("gamepadconnected")}} and {{event("gamepaddisconnected")}} events will not fire.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `gamepad` directive controls whether the current document is allowed to use the [Gamepad API](/en-US/docs/Web/API/Gamepad_API).
+When this policy is disabled, calls to {{domxref('Navigator.getGamepads()')}} will throw a `SecurityError` {{domxref('DOMException')}}.
+In addition, the {{event("gamepadconnected")}} and {{event("gamepaddisconnected")}} events will not fire.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: gamepad <allowlist>;

+    Feature-Policy: gamepad ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for gamepad is 'self'.

+Default allow list for `gamepad` is `'self'`.
 
-
Examples

+## Examples
 
-
General example

+### General example
 
-
SecureCorp Inc. wants to disable the Gamepad API within all browsing contexts except for its own origin and those whose origin is https://example.com.
-  It can do so by delivering the following HTTP response header to define a feature policy:

+SecureCorp Inc. wants to disable the Gamepad API within all browsing contexts except for its own origin and those whose origin is `https://example.com`.
+It can do so by delivering the following HTTP response header to define a feature policy:
 
-
Feature-Policy: gamepad 'self' https://example.com

+```bash
+Feature-Policy: gamepad 'self' https://example.com
+```
 
-
With an <iframe> element

+### With an \
 
-
iframe attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin.

+iframe attributes can selectively enable features in certain frames, and not in others, even if those frames contain documents from the same origin.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature
+  Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/geolocation/index.md b/files/en-us/web/http/headers/feature-policy/geolocation/index.md
index 81751f568c738df..3df76c649f3c344 100644
--- a/files/en-us/web/http/headers/feature-policy/geolocation/index.md
+++ b/files/en-us/web/http/headers/feature-policy/geolocation/index.md
@@ -7,76 +7,74 @@ tags:
   - HTTP
   - header
   - Experimental
-
 browser-compat: http.headers.Feature-Policy.geolocation
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header
-    geolocation directive controls whether the current document is allowed to
-    use the {{domxref('Geolocation')}} Interface. When this policy is enabled, calls to
-    {{domxref('Geolocation.getCurrentPosition','getCurrentPosition()')}} and
-    {{domxref('Geolocation.watchPosition','watchPosition()')}} will cause those functions'
-    callbacks to be invoked with a {{domxref('GeolocationPositionError')}} code of
-    PERMISSION_DENIED.

+The HTTP {{HTTPHeader("Feature-Policy")}} header
+`geolocation` directive controls whether the current document is allowed to
+use the {{domxref('Geolocation')}} Interface. When this policy is enabled, calls to
+{{domxref('Geolocation.getCurrentPosition','getCurrentPosition()')}} and
+{{domxref('Geolocation.watchPosition','watchPosition()')}} will cause those functions'
+callbacks to be invoked with a {{domxref('GeolocationPositionError')}} code of
+`PERMISSION_DENIED`.
 
-
By default, the Geolocation API can be used within top-level documents and their
-  same-origin child frames. This directive allows or prevents cross-origin frames from
-  accessing geolocation. This includes same-origin frames.

+By default, the Geolocation API can be used within top-level documents and their
+same-origin child frames. This directive allows or prevents cross-origin frames from
+accessing geolocation. This includes same-origin frames.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: geolocation <allowlist>;

+    Feature-Policy: geolocation ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for geolocation is 'self'.

+Default allow list for `geolocation` is `'self'`.
 
-
Examples

+## Examples
 
-
General example

+### General example
 
-
SecureCorp Inc. wants to disable the Geolocation API within all browsing contexts
-  except for its own origin and those whose origin is https://example.com. It
-  can do so by delivering the following HTTP response header to define a feature policy:
-

+SecureCorp Inc. wants to disable the Geolocation API within all browsing contexts
+except for its own origin and those whose origin is `https://example.com`. It
+can do so by delivering the following HTTP response header to define a feature policy:
 
-
Feature-Policy: geolocation 'self' https://example.com

+```bash
+Feature-Policy: geolocation 'self' https://example.com
+```
 
-
With an <iframe> element

+### With an \
 
-
iframe attributes can selectively enable features in certain frames, and not in others,
-  even if those frames contain documents from the same origin.

+iframe attributes can selectively enable features in certain frames, and not in others,
+even if those frames contain documents from the same origin.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature
+  Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/gyroscope/index.md b/files/en-us/web/http/headers/feature-policy/gyroscope/index.md
index 08ddf40309fbc6c..51e008fb0dec106 100644
--- a/files/en-us/web/http/headers/feature-policy/gyroscope/index.md
+++ b/files/en-us/web/http/headers/feature-policy/gyroscope/index.md
@@ -9,35 +9,31 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.gyroscope
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header gyroscope directive controls whether the current document is allowed to gather information about the orientation of the device through the {{domxref("Gyroscope")}} interface.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `gyroscope` directive controls whether the current document is allowed to gather information about the orientation of the device through the {{domxref("Gyroscope")}} interface.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: gyroscope <allowlist>;

+    Feature-Policy: gyroscope ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for gyroscope is 'self'.

+Default allow list for `gyroscope` is `'self'`.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/index.md b/files/en-us/web/http/headers/feature-policy/index.md
index 02393c6729bd2f3..33037b7b7c20ccf 100644
--- a/files/en-us/web/http/headers/feature-policy/index.md
+++ b/files/en-us/web/http/headers/feature-policy/index.md
@@ -13,165 +13,143 @@ tags:
   - header
 browser-compat: http.headers.Feature-Policy
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-

-  
Warning: The header has now been renamed to Permissions-Policy in the spec, and this article will eventually be updated to reflect that change.

-

+> **Warning:** The header has now been renamed to `Permissions-Policy` in the spec, and this article will eventually be updated to reflect that change.
 
-
The HTTP Feature-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any {{HTMLElement("iframe")}} elements in the document.

+The HTTP **`Feature-Policy`** header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any {{HTMLElement("iframe")}} elements in the document.
 
-
For more information, see the main Feature Policy article.

+For more information, see the main [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy) article.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}yes
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}yes

 

 
-
Syntax

-
-
Feature-Policy: <directive> <allowlist>

-
-

- 
<directive>

- 
The Feature Policy directive to apply the allowlist to. See Directives below for a list of the permitted directive names.

- 
<allowlist>

- 
An allowlist is a list of origins that takes one or more of the following values, separated by spaces:

-
-  
    
-   
  • *: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
    • 
-   
  • 'self': The feature will be allowed in this document, and in all nested browsing contexts (iframes) in the same origin. The feature is not allowed in cross-origin documents in nested browsing contexts.
    • 
-   
  • 'src': (In an iframe allow attribute only) The feature will be allowed in this iframe, as long as the document loaded into it comes from the same origin as the URL in the iframe's {{HTMLElement('iframe','src','#Attributes')}} attribute.
-    
    
-      
    Note: The 'src' origin is used in the iframe allow attribute only, and is the default allowlist value.
    
-    
    
-   
    • 
-   
  • 'none': The feature is disabled in top-level and nested browsing contexts.
    • 
-   
  • <origin(s)>: The feature is allowed for specific origins (for example, https://example.com). Origins should be separated by a space.
    • 
-  

-
-  
The values * (enable for all origins) or 'none' (disable for all origins) may only be used alone, while 'self' and 'src' may be used with one or more origins.

-  
Features have a default allowlist, which is one of: *, 'self', or 'none'.

-

-

-
-
-
-
-
Directives

-
-

- 
{{httpheader('Feature-Policy/accelerometer','accelerometer')}}

- 
Controls whether the current document is allowed to gather information about the acceleration of the device through the {{DOMxRef("Accelerometer")}} interface.

- 
{{httpheader('Feature-Policy/ambient-light-sensor','ambient-light-sensor')}}

- 
Controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the {{DOMxRef("AmbientLightSensor")}} interface.

- 
{{httpheader('Feature-Policy/autoplay','autoplay')}}

- 
Controls whether the current document is allowed to autoplay media requested through the {{domxref("HTMLMediaElement")}} interface. When this policy is disabled and there were no user gestures, the {{jsxref("Promise")}} returned by {{domxref("HTMLMediaElement.play()")}} will reject with a {{domxref("DOMException")}}. The autoplay attribute on {{HTMLELement("audio")}} and {{HTMLElement("video")}} elements will be ignored.

- 
{{httpheader('Feature-Policy/battery','battery')}}

- 
Controls whether the use of the Battery Status API is allowed. When this policy is disabled, the {{JSxRef("Promise")}} returned by {{DOMxRef("Navigator.getBattery","Navigator.getBattery()")}} will reject with a {{Exception("NotAllowedError")}} {{DOMxRef("DOMException")}}.

- 
{{httpheader('Feature-Policy/camera', 'camera')}}

- 
Controls whether the current document is allowed to use video input devices. When this policy is disabled, the {{jsxref("Promise")}} returned by {{domxref("MediaDevices.getUserMedia", "getUserMedia()")}} will reject with a {{Exception("NotAllowedError")}} {{DOMxRef("DOMException")}}.

- 
{{HTTPHeader('Feature-Policy/display-capture', 'display-capture')}}

- 
Controls whether or not the current document is permitted to use the {{domxref("MediaDevices.getDisplayMedia", "getDisplayMedia()")}} method to capture screen contents. When this policy is disabled, the promise returned by getDisplayMedia() will reject with a {{Exception("NotAllowedError")}} if permission is not obtained to capture the display's contents.

- 
{{httpheader('Feature-Policy/document-domain','document-domain')}}

- 
Controls whether the current document is allowed to set {{domxref("document.domain")}}. When this policy is disabled, attempting to set {{domxref("document.domain")}} will fail and cause a {{Exception("SecurityError")}} {{domxref("DOMException")}} to be thrown.

- 
{{httpheader('Feature-Policy/encrypted-media', 'encrypted-media')}}

- 
Controls whether the current document is allowed to use the Encrypted Media Extensions API (EME). When this policy is disabled, the {{jsxref("Promise")}} returned by {{domxref("Navigator.requestMediaKeySystemAccess()")}} will reject with a {{domxref("DOMException")}}.

- 
{{httpheader('Feature-Policy/execution-while-not-rendered', 'execution-while-not-rendered')}}

- 
Controls whether tasks should execute in frames while they're not being rendered (e.g. if an iframe is hidden or display: none).

- 
{{httpheader('Feature-Policy/execution-while-out-of-viewport', 'execution-while-out-of-viewport')}}

- 
Controls whether tasks should execute in frames while they're outside of the visible viewport.

- 
{{httpheader('Feature-Policy/fullscreen','fullscreen')}}

- 
Controls whether the current document is allowed to use {{DOMxRef("Element.requestFullScreen()")}}. When this policy is disabled, the returned {{JSxRef("Promise")}} rejects with a {{JSxRef("TypeError")}}.

- 
{{httpheader('Feature-Policy/gamepad','gamepad')}}

- 
Controls whether the current document is allowed to use the Gamepad API.
-  When this policy is disabled, calls to {{domxref('Navigator.getGamepads()')}} will throw a SecurityError {{domxref('DOMException')}}, and the {{event("gamepadconnected")}} and {{event("gamepaddisconnected")}} events will not fire.

- 
{{httpheader('Feature-Policy/geolocation','geolocation')}}

- 
Controls whether the current document is allowed to use the {{domxref('Geolocation')}} Interface. When this policy is disabled, calls to {{domxref('Geolocation.getCurrentPosition','getCurrentPosition()')}} and {{domxref('Geolocation.watchPosition','watchPosition()')}} will cause those functions' callbacks to be invoked with a {{domxref('GeolocationPositionError')}} code of PERMISSION_DENIED.

- 
{{httpheader('Feature-Policy/gyroscope','gyroscope')}}

- 
Controls whether the current document is allowed to gather information about the orientation of the device through the {{DOMxRef("Gyroscope")}} interface.

- 
{{httpheader('Feature-Policy/layout-animations','layout-animations')}}

- 
Controls whether the current document is allowed to show layout animations.

- 
{{httpheader('Feature-Policy/legacy-image-formats','legacy-image-formats')}}

- 
Controls whether the current document is allowed to display images in legacy formats.

- 
{{httpheader('Feature-Policy/magnetometer','magnetometer')}}

- 
Controls whether the current document is allowed to gather information about the orientation of the device through the {{DOMxRef("Magnetometer")}} interface.

- 
{{httpheader('Feature-Policy/microphone','microphone')}}

- 
Controls whether the current document is allowed to use audio input devices. When this policy is disabled, the {{jsxref("Promise")}} returned by {{domxref("MediaDevices.getUserMedia()")}} will reject with a {{Exception("NotAllowedError")}}.

- 
{{httpheader('Feature-Policy/midi', 'midi')}}

- 
Controls whether the current document is allowed to use the Web MIDI API. When this policy is disabled, the {{jsxref("Promise")}} returned by {{domxref("Navigator.requestMIDIAccess()")}} will reject with a {{domxref("DOMException")}}.

- 
{{httpheader('Feature-Policy/navigation-override','navigation-override')}}

- 
Controls the availability of mechanisms that enables the page author to take control over the behavior of spatial navigation, or to cancel it outright.

- 
{{httpheader('Feature-Policy/oversized-images','oversized-images')}}

- 
Controls whether the current document is allowed to download and display large images.

- 
{{httpheader('Feature-Policy/payment', 'payment')}}

- 
Controls whether the current document is allowed to use the Payment Request API. When this policy is enabled, the {{domxref("PaymentRequest","PaymentRequest()")}} constructor will throw a {{Exception("SecurityError")}} {{domxref("DOMException")}}.

- 
{{httpheader('Feature-Policy/picture-in-picture', 'picture-in-picture')}}

- 
Controls whether the current document is allowed to play a video in a Picture-in-Picture mode via the corresponding API.

- 
{{httpheader("Feature-Policy/publickey-credentials-get", "publickey-credentials-get")}}

- 
Controls whether the current document is allowed to use the Web Authentication API to retrieve already stored public-key credentials, i.e. via {{domxref("CredentialsContainer.get","navigator.credentials.get({publicKey: ..., ...})")}}.

- 
{{httpheader('Feature-Policy/sync-xhr', 'sync-xhr')}}

- 
Controls whether the current document is allowed to make synchronous {{DOMxRef("XMLHttpRequest")}} requests.

- 
{{httpheader('Feature-Policy/unoptimized-images', 'unoptimized-images')}} {{experimental_inline}}{{Non-standard_Inline}}

- 
Controls whether the current document is allowed to download and display unoptimized images.

- 
{{httpheader('Feature-Policy/unsized-media', 'unsized-media')}} {{experimental_inline}}{{Non-standard_Inline}}

- 
Controls whether the current document is allowed to change the size of media elements after the initial layout is complete.

- 
{{httpheader('Feature-Policy/usb', 'usb')}}

- 
Controls whether the current document is allowed to use the WebUSB API.

- 
{{httpheader('Feature-Policy/vibrate', 'vibrate')}} {{deprecated_inline}}{{experimental_inline}}{{Non-standard_Inline}}

- 
Controls whether the current document is  allowed to trigger device vibrations via {{DOMxRef("Navigator.vibrate","Navigator.vibrate()")}} method of Vibration API.

- 
{{httpheader('Feature-Policy/vr', 'vr')}} {{deprecated_inline}}

- 
Controls whether the current document is allowed to use the WebVR API. When this policy is disabled, the {{jsxref("Promise")}} returned by {{domxref("Navigator.getVRDisplays","Navigator.getVRDisplays()")}} will reject with a {{domxref("DOMException")}}. Keep in mind that the WebVR standard is in the process of being replaced with WebXR.

- 
{{httpheader('Feature-Policy/screen-wake-lock', 'screen-wake-lock')}}

- 
Controls whether the current document is allowed to use Screen Wake Lock API to indicate that device should not turn off or dim the screen.

- 
{{httpheader("Feature-Policy/web-share", "web-share")}}

- 
Controls whether or not the current document is allowed to use the {{domxref("Navigator.share","Navigator.share()")}} of Web Share API to share text, links, images, and other content to arbitrary destinations of user's choice, e.g. mobile apps.

- 
{{httpheader("Feature-Policy/xr-spatial-tracking", "xr-spatial-tracking")}}

- 
Controls whether or not the current document is allowed to use the WebXR Device API to interact with a WebXR session.

-

-
-
Example

-
-
SecureCorp Inc. wants to disable Microphone and Geolocation APIs in its application. It can do so by delivering the following HTTP response header to define a feature policy:

-
-
Feature-Policy: microphone 'none'; geolocation 'none'

-
-
By specifying the 'none' keyword for the origin list, the specified features will be disabled for all browsing contexts (this includes all iframes), regardless of their origin.

-
-
Specifications

-
-
- 
-  
-   
-  
- 
- 
-  
-   
-  
- 
-
Specification
Permissions Policy

-
-
Browser compatibility

-
-
{{Compat}}

-
-
See also

-
-
+## Syntax
+
+    Feature-Policy:  
+
+- ``
+  - : The Feature Policy directive to apply the `allowlist` to. See [Directives](#directives) below for a list of the permitted directive names.
+- \
+
+  - : An `allowlist` is a list of origins that takes one or more of the following values, separated by spaces:
+
+    - `*`: The feature will be allowed in this document, and all nested browsing contexts (iframes) regardless of their origin.
+    - `'self'`: The feature will be allowed in this document, and in all nested browsing contexts (iframes) in the same origin. The feature is not allowed in cross-origin documents in nested browsing contexts.
+    - `'src'`: (In an iframe `allow` attribute only) The feature will be allowed in this iframe, as long as the document loaded into it comes from the same origin as the URL in the iframe's {{HTMLElement('iframe','src','#Attributes')}} attribute.
+
+      > **Note:** The `'src'` origin is used in the iframe `allow` attribute only, and is the _default_ `allowlist` value.
+
+    - `'none'`: The feature is disabled in top-level and nested browsing contexts.
+    - \: The feature is allowed for specific origins (for example, https\://example.com). Origins should be separated by a space.
+
+    The values `*` (enable for all origins) or `'none'` (disable for all origins) may only be used alone, while `'self'` and `'src'` may be used with one or more origins.
+
+    Features have a _default_ allowlist, which is one of: `*`, `'self'`, or `'none'`.
+
+## Directives
+
+- {{httpheader('Feature-Policy/accelerometer','accelerometer')}}
+  - : Controls whether the current document is allowed to gather information about the acceleration of the device through the {{DOMxRef("Accelerometer")}} interface.
+- {{httpheader('Feature-Policy/ambient-light-sensor','ambient-light-sensor')}}
+  - : Controls whether the current document is allowed to gather information about the amount of light in the environment around the device through the {{DOMxRef("AmbientLightSensor")}} interface.
+- {{httpheader('Feature-Policy/autoplay','autoplay')}}
+  - : Controls whether the current document is allowed to autoplay media requested through the {{domxref("HTMLMediaElement")}} interface. When this policy is disabled and there were no user gestures, the {{jsxref("Promise")}} returned by {{domxref("HTMLMediaElement.play()")}} will reject with a {{domxref("DOMException")}}. The autoplay attribute on {{HTMLELement("audio")}} and {{HTMLElement("video")}} elements will be ignored.
+- {{httpheader('Feature-Policy/battery','battery')}}
+  - : Controls whether the use of the [Battery Status API](/en-US/docs/Web/API/Battery_Status_API) is allowed. When this policy is disabled, the {{JSxRef("Promise")}} returned by {{DOMxRef("Navigator.getBattery","Navigator.getBattery()")}} will reject with a {{Exception("NotAllowedError")}} {{DOMxRef("DOMException")}}.
+- {{httpheader('Feature-Policy/camera', 'camera')}}
+  - : Controls whether the current document is allowed to use video input devices. When this policy is disabled, the {{jsxref("Promise")}} returned by {{domxref("MediaDevices.getUserMedia", "getUserMedia()")}} will reject with a {{Exception("NotAllowedError")}} {{DOMxRef("DOMException")}}.
+- {{HTTPHeader('Feature-Policy/display-capture', 'display-capture')}}
+  - : Controls whether or not the current document is permitted to use the {{domxref("MediaDevices.getDisplayMedia", "getDisplayMedia()")}} method to capture screen contents. When this policy is disabled, the promise returned by `getDisplayMedia()` will reject with a {{Exception("NotAllowedError")}} if permission is not obtained to capture the display's contents.
+- {{httpheader('Feature-Policy/document-domain','document-domain')}}
+  - : Controls whether the current document is allowed to set {{domxref("document.domain")}}. When this policy is disabled, attempting to set {{domxref("document.domain")}} will fail and cause a {{Exception("SecurityError")}} {{domxref("DOMException")}} to be thrown.
+- {{httpheader('Feature-Policy/encrypted-media', 'encrypted-media')}}
+  - : Controls whether the current document is allowed to use the [Encrypted Media Extensions](/en-US/docs/Web/API/Encrypted_Media_Extensions_API) API (EME). When this policy is disabled, the {{jsxref("Promise")}} returned by {{domxref("Navigator.requestMediaKeySystemAccess()")}} will reject with a {{domxref("DOMException")}}.
+- {{httpheader('Feature-Policy/execution-while-not-rendered', 'execution-while-not-rendered')}}
+  - : Controls whether tasks should execute in frames while they're not being rendered (e.g. if an iframe is [`hidden`](/en-US/docs/Web/HTML/Global_attributes/hidden) or `display: none`).
+- {{httpheader('Feature-Policy/execution-while-out-of-viewport', 'execution-while-out-of-viewport')}}
+  - : Controls whether tasks should execute in frames while they're outside of the visible viewport.
+- {{httpheader('Feature-Policy/fullscreen','fullscreen')}}
+  - : Controls whether the current document is allowed to use {{DOMxRef("Element.requestFullScreen()")}}. When this policy is disabled, the returned {{JSxRef("Promise")}} rejects with a {{JSxRef("TypeError")}}.
+- {{httpheader('Feature-Policy/gamepad','gamepad')}}
+  - : Controls whether the current document is allowed to use the [Gamepad API](/en-US/docs/Web/API/Gamepad_API).
+    When this policy is disabled, calls to {{domxref('Navigator.getGamepads()')}} will throw a `SecurityError` {{domxref('DOMException')}}, and the {{event("gamepadconnected")}} and {{event("gamepaddisconnected")}} events will not fire.
+- {{httpheader('Feature-Policy/geolocation','geolocation')}}
+  - : Controls whether the current document is allowed to use the {{domxref('Geolocation')}} Interface. When this policy is disabled, calls to {{domxref('Geolocation.getCurrentPosition','getCurrentPosition()')}} and {{domxref('Geolocation.watchPosition','watchPosition()')}} will cause those functions' callbacks to be invoked with a {{domxref('GeolocationPositionError')}} code of `PERMISSION_DENIED`.
+- {{httpheader('Feature-Policy/gyroscope','gyroscope')}}
+  - : Controls whether the current document is allowed to gather information about the orientation of the device through the {{DOMxRef("Gyroscope")}} interface.
+- {{httpheader('Feature-Policy/layout-animations','layout-animations')}}
+  - : Controls whether the current document is allowed to show layout animations.
+- {{httpheader('Feature-Policy/legacy-image-formats','legacy-image-formats')}}
+  - : Controls whether the current document is allowed to display images in legacy formats.
+- {{httpheader('Feature-Policy/magnetometer','magnetometer')}}
+  - : Controls whether the current document is allowed to gather information about the orientation of the device through the {{DOMxRef("Magnetometer")}} interface.
+- {{httpheader('Feature-Policy/microphone','microphone')}}
+  - : Controls whether the current document is allowed to use audio input devices. When this policy is disabled, the {{jsxref("Promise")}} returned by {{domxref("MediaDevices.getUserMedia()")}} will reject with a {{Exception("NotAllowedError")}}.
+- {{httpheader('Feature-Policy/midi', 'midi')}}
+  - : Controls whether the current document is allowed to use the [Web MIDI API](/en-US/docs/Web/API/Web_MIDI_API). When this policy is disabled, the {{jsxref("Promise")}} returned by {{domxref("Navigator.requestMIDIAccess()")}} will reject with a {{domxref("DOMException")}}.
+- {{httpheader('Feature-Policy/navigation-override','navigation-override')}}
+  - : Controls the availability of mechanisms that enables the page author to take control over the behavior of [spatial navigation](https://www.w3.org/TR/css-nav/), or to cancel it outright.
+- {{httpheader('Feature-Policy/oversized-images','oversized-images')}}
+  - : Controls whether the current document is allowed to download and display large images.
+- {{httpheader('Feature-Policy/payment', 'payment')}}
+  - : Controls whether the current document is allowed to use the [Payment Request API](/en-US/docs/Web/API/Payment_Request_API). When this policy is enabled, the {{domxref("PaymentRequest","PaymentRequest()")}} constructor will throw a {{Exception("SecurityError")}} {{domxref("DOMException")}}.
+- {{httpheader('Feature-Policy/picture-in-picture', 'picture-in-picture')}}
+  - : Controls whether the current document is allowed to play a video in a Picture-in-Picture mode via the corresponding API.
+- {{httpheader("Feature-Policy/publickey-credentials-get", "publickey-credentials-get")}}
+  - : Controls whether the current document is allowed to use the [Web Authentication API](/en-US/docs/Web/API/Web_Authentication_API) to retrieve already stored public-key credentials, i.e. via {{domxref("CredentialsContainer.get","navigator.credentials.get({publicKey: ..., ...})")}}.
+- {{httpheader('Feature-Policy/sync-xhr', 'sync-xhr')}}
+  - : Controls whether the current document is allowed to make synchronous {{DOMxRef("XMLHttpRequest")}} requests.
+- {{httpheader('Feature-Policy/unoptimized-images', 'unoptimized-images')}} {{experimental_inline}}{{Non-standard_Inline}}
+  - : Controls whether the current document is allowed to download and display unoptimized images.
+- {{httpheader('Feature-Policy/unsized-media', 'unsized-media')}} {{experimental_inline}}{{Non-standard_Inline}}
+  - : Controls whether the current document is allowed to change the size of media elements after the initial layout is complete.
+- {{httpheader('Feature-Policy/usb', 'usb')}}
+  - : Controls whether the current document is allowed to use the [WebUSB API](https://wicg.github.io/webusb/).
+- {{httpheader('Feature-Policy/vibrate', 'vibrate')}} {{deprecated_inline}}{{experimental_inline}}{{Non-standard_Inline}}
+  - : Controls whether the current document is allowed to trigger device vibrations via {{DOMxRef("Navigator.vibrate","Navigator.vibrate()")}} method of [Vibration API](/en-US/docs/Web/API/Vibration_API).
+- {{httpheader('Feature-Policy/vr', 'vr')}} {{deprecated_inline}}
+  - : Controls whether the current document is allowed to use the [WebVR API](/en-US/docs/Web/API/WebVR_API). When this policy is disabled, the {{jsxref("Promise")}} returned by {{domxref("Navigator.getVRDisplays","Navigator.getVRDisplays()")}} will reject with a {{domxref("DOMException")}}. Keep in mind that the WebVR standard is in the process of being replaced with [WebXR](/en-US/docs/Web/API/WebXR_Device_API).
+- {{httpheader('Feature-Policy/screen-wake-lock', 'screen-wake-lock')}}
+  - : Controls whether the current document is allowed to use [Screen Wake Lock API](/en-US/docs/Web/API/Screen_Wake_Lock_API) to indicate that device should not turn off or dim the screen.
+- {{httpheader("Feature-Policy/web-share", "web-share")}}
+  - : Controls whether or not the current document is allowed to use the {{domxref("Navigator.share","Navigator.share()")}} of Web Share API to share text, links, images, and other content to arbitrary destinations of user's choice, e.g. mobile apps.
+- {{httpheader("Feature-Policy/xr-spatial-tracking", "xr-spatial-tracking")}}
+  - : Controls whether or not the current document is allowed to use the [WebXR Device API](/en-US/docs/Web/API/WebXR_Device_API) to interact with a WebXR session.
+
+## Example
+
+SecureCorp Inc. wants to disable Microphone and Geolocation APIs in its application. It can do so by delivering the following HTTP response header to define a feature policy:
+
+    Feature-Policy: microphone 'none'; geolocation 'none'
+
+By specifying the `'none'` keyword for the origin list, the specified features will be disabled for all browsing contexts (this includes all iframes), regardless of their origin.
+
+## Specifications
+
+| Specification                                                                                                  |
+| -------------------------------------------------------------------------------------------------------------- |
+| [Permissions Policy](https://w3c.github.io/webappsec-permissions-policy/#permissions-policy-http-header-field) |
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
+- {{DOMxRef("Document.featurePolicy")}} and {{DOMxRef("FeaturePolicy")}}
+- [Feature-Policy Tester (Chrome Developer Tools extension)](https://chrome.google.com/webstore/detail/feature-policy-tester-dev/pchamnkhkeokbpahnocjaeednpbpacop)
+- {{HTTPHeader("Content-Security-Policy")}}
+- {{HTTPHeader("Referrer-Policy")}}
diff --git a/files/en-us/web/http/headers/feature-policy/layout-animations/index.md b/files/en-us/web/http/headers/feature-policy/layout-animations/index.md
index 4974d5eb546682b..f42b6add04512c3 100644
--- a/files/en-us/web/http/headers/feature-policy/layout-animations/index.md
+++ b/files/en-us/web/http/headers/feature-policy/layout-animations/index.md
@@ -11,31 +11,27 @@ tags:
   - Non-standard
 browser-compat: http.headers.Feature-Policy.layout-animations
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}{{Non-standard_header}}

+{{HTTPSidebar}} {{SeeCompatTable}}{{Non-standard_header}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header layout-animations directive controls whether the current document is allowed to show layout animations.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `layout-animations` directive controls whether the current document is allowed to show layout animations.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: layout-animations <allowlist>;

+    Feature-Policy: layout-animations ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for layout-animations is 'self'.

+Default allow list for `layout-animations` is `'self'`.
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/legacy-image-formats/index.md b/files/en-us/web/http/headers/feature-policy/legacy-image-formats/index.md
index 20c8297a97ac762..2d2eab69542bf9e 100644
--- a/files/en-us/web/http/headers/feature-policy/legacy-image-formats/index.md
+++ b/files/en-us/web/http/headers/feature-policy/legacy-image-formats/index.md
@@ -11,31 +11,27 @@ tags:
   - Non-standard
 browser-compat: http.headers.Feature-Policy.legacy-image-formats
 ---
-
{{HTTPSidebar}}{{SeeCompatTable}}{{Non-standard_header}}

+{{HTTPSidebar}}{{SeeCompatTable}}{{Non-standard_header}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header legacy-image-formats directive controls whether the current document is allowed to display images in legacy formats.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `legacy-image-formats` directive controls whether the current document is allowed to display images in legacy formats.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: legacy-image-formats <allowlist>;

+    Feature-Policy: legacy-image-formats ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for legacy-image-formats is 'self'.

+Default allow list for `legacy-image-formats` is `'self'`.
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/magnetometer/index.md b/files/en-us/web/http/headers/feature-policy/magnetometer/index.md
index 07700baa9488c74..3c747de4a1fde6b 100644
--- a/files/en-us/web/http/headers/feature-policy/magnetometer/index.md
+++ b/files/en-us/web/http/headers/feature-policy/magnetometer/index.md
@@ -10,36 +10,31 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.magnetometer
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header magnetometer directive controls whether the current document is allowed to gather information about the orientation of the device through the {{domxref("Magnetometer")}} interface.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `magnetometer` directive controls whether the current document is allowed to gather information about the orientation of the device through the {{domxref("Magnetometer")}} interface.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: magnetometer <allowlist>;

+    Feature-Policy: magnetometer ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for magnetometer is 'self'.

+Default allow list for `magnetometer` is `'self'`.
 
+## Specifications
 
-
Specifications

+{{Specifications}}
 
-
{{Specifications}}

+## Browser compatibility
 
-
Browser compatibility

+{{Compat}}
 
-
{{Compat}}

+## See also
 
-
See also

-
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/microphone/index.md b/files/en-us/web/http/headers/feature-policy/microphone/index.md
index e3fb1a3993b7541..f3dbfa8d1d3dc8b 100644
--- a/files/en-us/web/http/headers/feature-policy/microphone/index.md
+++ b/files/en-us/web/http/headers/feature-policy/microphone/index.md
@@ -2,49 +2,44 @@
 title: 'Feature-Policy: microphone'
 slug: Web/HTTP/Headers/Feature-Policy/microphone
 tags:
-- Feature Policy
-- Feature-Policy
-- HTTP
-- header
-- microphone
-- Experimental
+  - Feature Policy
+  - Feature-Policy
+  - HTTP
+  - header
+  - microphone
+  - Experimental
 browser-compat: http.headers.Feature-Policy.microphone
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header
-    microphone directive controls whether the current document is allowed to
-    use audio input devices. When this policy is enabled, the {{jsxref("Promise")}}
-    returned by {{domxref("MediaDevices.getUserMedia()")}} will reject with a
-    NotAllowedError.

+The HTTP {{HTTPHeader("Feature-Policy")}} header
+`microphone` directive controls whether the current document is allowed to
+use audio input devices. When this policy is enabled, the {{jsxref("Promise")}}
+returned by {{domxref("MediaDevices.getUserMedia()")}} will reject with a
+`NotAllowedError`.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: microphone <allowlist>;

+    Feature-Policy: microphone ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for microphone is 'self'.

+Default allow list for `microphone` is `'self'`.
 
+## Specifications
 
-
Specifications

+{{Specifications}}
 
-
{{Specifications}}

+## Browser compatibility
 
-
Browser compatibility

+{{Compat}}
 
-
{{Compat}}

+## See also
 
-
See also

-
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature
+  Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/midi/index.md b/files/en-us/web/http/headers/feature-policy/midi/index.md
index 605e2e10cffadfa..dcd1ab225abcfe8 100644
--- a/files/en-us/web/http/headers/feature-policy/midi/index.md
+++ b/files/en-us/web/http/headers/feature-policy/midi/index.md
@@ -11,35 +11,31 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.midi
 ---
-
{{HTTPSidebar}}{{SeeCompatTable}}

+{{HTTPSidebar}}{{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header midi directive controls whether the current document is allowed to use the Web MIDI API. When this policy is enabled, the {{jsxref("Promise")}} returned by {{domxref("Navigator.requestMIDIAccess()")}} will reject with a DOMException.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `midi` directive controls whether the current document is allowed to use the [Web MIDI API](/en-US/docs/Web/API/Web_MIDI_API). When this policy is enabled, the {{jsxref("Promise")}} returned by {{domxref("Navigator.requestMIDIAccess()")}} will reject with a `DOMException`.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: midi <allowlist>;

+    Feature-Policy: midi ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
The allow list is 'self'.

+The allow list is `'self'`.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/oversized-images/index.md b/files/en-us/web/http/headers/feature-policy/oversized-images/index.md
index 313104cc93bec2e..d79cf9e5142e5c0 100644
--- a/files/en-us/web/http/headers/feature-policy/oversized-images/index.md
+++ b/files/en-us/web/http/headers/feature-policy/oversized-images/index.md
@@ -10,31 +10,27 @@ tags:
   - Non-standard
 browser-compat: http.headers.Feature-Policy.oversized-images
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}{{Non-standard_header}}

+{{HTTPSidebar}} {{SeeCompatTable}}{{Non-standard_header}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header oversized-images directive controls whether the current document is allowed to download and display large images.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `oversized-images` directive controls whether the current document is allowed to download and display large images.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: oversized-images <allowlist>;

+    Feature-Policy: oversized-images ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default value

+## Default value
 
-
The default value is '*'.

+The default value is `'*'`.
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/payment/index.md b/files/en-us/web/http/headers/feature-policy/payment/index.md
index 3870b9f98a4250f..b89ce3d29a3c869 100644
--- a/files/en-us/web/http/headers/feature-policy/payment/index.md
+++ b/files/en-us/web/http/headers/feature-policy/payment/index.md
@@ -12,55 +12,34 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.payment
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header field's payment directive controls whether the current document is allowed to use the Payment Request API. When this policy is disabled, the {{DOMxRef("PaymentRequest()")}} constructor will throw a {{exception("SyntaxError")}}.

+The HTTP {{HTTPHeader("Feature-Policy")}} header field's `payment` directive controls whether the current document is allowed to use the [Payment Request API](/en-US/docs/Web/API/Payment_Request_API). When this policy is disabled, the {{DOMxRef("PaymentRequest()")}} constructor will throw a {{exception("SyntaxError")}}.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: payment <allowlist>;

+    Feature-Policy: payment ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
The payment feature's default allowlist value is 'self'.

+The `payment` feature's default allowlist value is `'self'`.
 
-
Specifications

+## Specifications
 
-
- 
-  
-   
-   
-   
-  
- 
- 
-  
-   
-   
-   
-  
-  
-   
-   
-   
-  
- 
-
SpecificationStatusComment
{{SpecName('Payment')}}{{Spec2('Payment')}}See Section 16. Feature Policy integration.
{{SpecName('Feature Policy')}}{{Spec2('Feature Policy')}}Initial definition.

+| Specification                            | Status                               | Comment                                                                                              |
+| ---------------------------------------- | ------------------------------------ | ---------------------------------------------------------------------------------------------------- |
+| {{SpecName('Payment')}}         | {{Spec2('Payment')}}         | See [Section 16. Feature Policy integration](https://w3c.github.io/payment-request/#feature-policy). |
+| {{SpecName('Feature Policy')}} | {{Spec2('Feature Policy')}} | Initial definition.                                                                                  |
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header field
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/picture-in-picture/index.md b/files/en-us/web/http/headers/feature-policy/picture-in-picture/index.md
index 54e62d4cae4876d..7d271064d683da4 100644
--- a/files/en-us/web/http/headers/feature-policy/picture-in-picture/index.md
+++ b/files/en-us/web/http/headers/feature-policy/picture-in-picture/index.md
@@ -10,50 +10,33 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.picture-in-picture
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header picture-in-picture directive controls whether the current document is allowed to play a video in a Picture-in-Picture mode via the corresponding API.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `picture-in-picture` directive controls whether the current document is allowed to play a video in a Picture-in-Picture mode via the corresponding API.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: picture-in-picture <allowlist>;

+    Feature-Policy: picture-in-picture ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
As of June 2019, the spec draft and Google Chrome set default allow list to *.

+As of June 2019, the [spec draft](https://wicg.github.io/picture-in-picture/#feature-policy) and [Google Chrome](https://bugs.chromium.org/p/chromium/issues/detail?id=806249#c17) set default allow list to `*`.
 
-
Specifications

+## Specifications
 
-
- 
-  
-   
-   
-   
-  
- 
- 
-  
-   
-   
-   
-  
- 
-
SpecificationStatusComment
{{SpecName('Feature Policy')}}{{Spec2('Feature Policy')}}Initial definition.

+| Specification                            | Status                               | Comment             |
+| ---------------------------------------- | ------------------------------------ | ------------------- |
+| {{SpecName('Feature Policy')}} | {{Spec2('Feature Policy')}} | Initial definition. |
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/publickey-credentials-get/index.md b/files/en-us/web/http/headers/feature-policy/publickey-credentials-get/index.md
index c084fb09860fa65..fc94b180e55feeb 100644
--- a/files/en-us/web/http/headers/feature-policy/publickey-credentials-get/index.md
+++ b/files/en-us/web/http/headers/feature-policy/publickey-credentials-get/index.md
@@ -10,39 +10,35 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.publickey-credentials-get
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header publickey-credentials-get directive controls whether the current document is allowed to access the Web Authentication API to retrieve public-key credentials; i.e, via {{DOMxRef("CredentialsContainer.get", "navigator.credentials.get({publicKey: ..., ...})")}}.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `publickey-credentials-get` directive controls whether the current document is allowed to access the [Web Authentication API](/en-US/docs/Web/API/Web_Authentication_API) to retrieve public-key credentials; i.e, via {{DOMxRef("CredentialsContainer.get", "navigator.credentials.get({publicKey: ..., ...})")}}.
 
-
When this policy is enabled, any attempt to query public key credentials will result in an error.

+When this policy is enabled, any attempt to query public key credentials will result in an error.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: publickey-credentials-get <allowlist>;

+    Feature-Policy: publickey-credentials-get ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
The default allowlist is 'self'.

+The default allowlist is `'self'`.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
+- [Web Authentication API](/en-US/docs/Web/API/Web_Authentication_API)
+- {{DOMxRef("PublicKeyCredential")}} interface
diff --git a/files/en-us/web/http/headers/feature-policy/screen-wake-lock/index.md b/files/en-us/web/http/headers/feature-policy/screen-wake-lock/index.md
index 8c1394d74700b56..cad64577b71c29f 100644
--- a/files/en-us/web/http/headers/feature-policy/screen-wake-lock/index.md
+++ b/files/en-us/web/http/headers/feature-policy/screen-wake-lock/index.md
@@ -11,61 +11,38 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.screen-wake-lock
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header screen-wake-lock directive controls whether the current document is allowed to use Screen Wake Lock API to indicate that device should not dim or turn off the screen.

+The HTTP {{HTTPHeader("Feature-Policy")}} header **`screen-wake-lock`** directive controls whether the current document is allowed to use [Screen Wake Lock API](/en-US/docs/Web/API/Screen_Wake_Lock_API) to indicate that device should not dim or turn off the screen.
 
-

-  
Note: In earlier specification drafts this directive was called wake-lock")}}.

-

+> **Note:** In earlier specification drafts this directive was called `wake-lock`")}}.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: screen-wake-lock <allowlist>;

+    Feature-Policy: screen-wake-lock ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for screen-wake-lock is 'self'.

+Default allow list for `screen-wake-lock` is `'self'`.
 
-
Specifications

+## Specifications
 
-
- 
-  
-   
-   
-   
-  
- 
- 
-  
-   
-   
-   
-  
-  
-   
-   
-   
-  
- 
-
SpecificationStatusComment
{{SpecName('Feature Policy')}}{{Spec2('Feature Policy')}}Initial definition.
Screen Wake Lock APIEditor's DraftInitial definition of screen-wake-lock feature directive.

+| Specification                                                                                         | Status                               | Comment                                                     |
+| ----------------------------------------------------------------------------------------------------- | ------------------------------------ | ----------------------------------------------------------- |
+| {{SpecName('Feature Policy')}}                                                              | {{Spec2('Feature Policy')}} | Initial definition.                                         |
+| [Screen Wake Lock API](https://w3c.github.io/screen-wake-lock/#the-screen-wake-lock-powerful-feature) | Editor's Draft                       | Initial definition of `screen-wake-lock` feature directive. |
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [Screen Wake Lock API](/en-US/docs/Web/API/Screen_Wake_Lock_API)
+- {{HTTPHeader('Feature-Policy')}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
+- [Default value of the allow list](https://www.w3.org/TR/wake-lock/#wake-locks)
diff --git a/files/en-us/web/http/headers/feature-policy/sync-xhr/index.md b/files/en-us/web/http/headers/feature-policy/sync-xhr/index.md
index 9bac4b62427a063..f7a57f80127b6e1 100644
--- a/files/en-us/web/http/headers/feature-policy/sync-xhr/index.md
+++ b/files/en-us/web/http/headers/feature-policy/sync-xhr/index.md
@@ -11,30 +11,26 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.sync-xhr
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header sync-xhr directive controls whether the current document is allowed to make synchronous {{domxref("XMLHttpRequest")}} requests.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `sync-xhr` directive controls whether the current document is allowed to make synchronous {{domxref("XMLHttpRequest")}} requests.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: sync-xhr <allowlist>;

+    Feature-Policy: sync-xhr ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
By default the policy is set to *, which means synchronous requests are allowed in all frames.

+By default the policy is set to `*`, which means synchronous requests are allowed in all frames.
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/unoptimized-images/index.md b/files/en-us/web/http/headers/feature-policy/unoptimized-images/index.md
index e78fd678ba5d938..b42cfccf6e229b4 100644
--- a/files/en-us/web/http/headers/feature-policy/unoptimized-images/index.md
+++ b/files/en-us/web/http/headers/feature-policy/unoptimized-images/index.md
@@ -11,31 +11,27 @@ tags:
   - Non-standard
 browser-compat: http.headers.Feature-Policy.unoptimized-images
 ---
-
{{HTTPSidebar}}{{SeeCompatTable}}{{Non-standard_header}}

+{{HTTPSidebar}}{{SeeCompatTable}}{{Non-standard_header}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header unoptimized-images directive controls whether the current document is allowed to download and display unoptimized images.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `unoptimized-images` directive controls whether the current document is allowed to download and display unoptimized images.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: unoptimized-images <allowlist>;

+    Feature-Policy: unoptimized-images ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for unoptimized-images is 'self'.

+Default allow list for `unoptimized-images` is `'self'`.
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/unsized-media/index.md b/files/en-us/web/http/headers/feature-policy/unsized-media/index.md
index 77413131c491964..70767872d4a25cb 100644
--- a/files/en-us/web/http/headers/feature-policy/unsized-media/index.md
+++ b/files/en-us/web/http/headers/feature-policy/unsized-media/index.md
@@ -10,34 +10,30 @@ tags:
   - Non-standard
 browser-compat: http.headers.Feature-Policy.unsized-media
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}{{Non-standard_header}}

+{{HTTPSidebar}} {{SeeCompatTable}}{{Non-standard_header}}
 
-
The HTTP {{HTTPHeader('Feature-Policy')}} header unsized-media directive controls whether the current document is allowed to change the size of media elements after the initial layout is complete.

+The HTTP {{HTTPHeader('Feature-Policy')}} header `unsized-media` directive controls whether the current document is allowed to change the size of media elements after the initial layout is complete.
 
-
This restriction solves "layout instability" problem caused by providing default dimensions for images whose size is not specified in advance so that image doesn't change size after loading.

+This restriction solves "layout instability" problem caused by providing default dimensions for images whose size is not specified in advance so that image doesn't change size after loading.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: unsized-media <allowlist>;

+    Feature-Policy: unsized-media ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default value

+## Default value
 
-
The default value for unsized-media is '*', that is unsized media elements are allowed for all origins by default. The page will re-flow every time an image with unknown dimensions is loaded.

+The default value for unsized-media is `'*'`, that is unsized media elements are allowed for all origins by default. The page will re-flow every time an image with unknown dimensions is loaded.
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader('Feature-Policy')}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
+- [Proposal](https://github.com/w3c/webappsec-feature-policy/blob/master/policies/unsized-media.md)
diff --git a/files/en-us/web/http/headers/feature-policy/usb/index.md b/files/en-us/web/http/headers/feature-policy/usb/index.md
index 8134e6d62b898d2..9c2db489f6e52c7 100644
--- a/files/en-us/web/http/headers/feature-policy/usb/index.md
+++ b/files/en-us/web/http/headers/feature-policy/usb/index.md
@@ -11,35 +11,31 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.usb
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header usb directive controls whether the current document is allowed to use the WebUSB API.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `usb` directive controls whether the current document is allowed to use the WebUSB API.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: usb <allowlist>;

+    Feature-Policy: usb ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
The default value is 'self'.

+The default value is `'self'`.
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader('Feature-Policy')}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/vibrate/index.md b/files/en-us/web/http/headers/feature-policy/vibrate/index.md
index 8c2200ca7f3bff9..35232f3e54e9f09 100644
--- a/files/en-us/web/http/headers/feature-policy/vibrate/index.md
+++ b/files/en-us/web/http/headers/feature-policy/vibrate/index.md
@@ -12,52 +12,35 @@ tags:
   - Non-standard
 browser-compat: http.headers.Feature-Policy.vibrate
 ---
-
{{HTTPSidebar}} {{Deprecated_Header}}

+{{HTTPSidebar}} {{Deprecated_Header}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header vibrate {{deprecated_inline}} directive controls whether the current document is allowed to trigger device vibrations via {{DOMxRef("Navigator.vibrate","Navigator.vibrate()")}} method of Vibration API.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `vibrate` {{deprecated_inline}} directive controls whether the current document is allowed to trigger device vibrations via {{DOMxRef("Navigator.vibrate","Navigator.vibrate()")}} method of [Vibration API](/en-US/docs/Web/API/Vibration_API).
 
-
Syntax

+## Syntax
 
-
Feature-Policy: vibrate <allowlist>;

+    Feature-Policy: vibrate ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
Default allow list for vibrate is 'self'.

+Default allow list for `vibrate` is `'self'`.
 
-
Specifications

+## Specifications
 
-
- 
-  
-   
-   
-   
-  
- 
- 
-  
-   
-   
-   
-  
- 
-
SpecificationStatusComment
{{SpecName('Feature Policy')}}{{Spec2('Feature Policy')}}Initial definition.

+| Specification                            | Status                               | Comment             |
+| ---------------------------------------- | ------------------------------------ | ------------------- |
+| {{SpecName('Feature Policy')}} | {{Spec2('Feature Policy')}} | Initial definition. |
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
+- [Vibration API](/en-US/docs/Web/API/Vibration_API)
+- {{DOMxRef("Navigator.vibrate","Navigator.vibrate()")}}
diff --git a/files/en-us/web/http/headers/feature-policy/vr/index.md b/files/en-us/web/http/headers/feature-policy/vr/index.md
index b977fc87e084392..cf725450e783e8f 100644
--- a/files/en-us/web/http/headers/feature-policy/vr/index.md
+++ b/files/en-us/web/http/headers/feature-policy/vr/index.md
@@ -11,62 +11,39 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.vr
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-

-  
Warning: The WebVR API has been replaced with the WebXR Device API
-  and is currently being removed from the web platform.
-  Use the feature identifier {{HTTPHeader("Feature-Policy/xr-spatial-tracking","xr-spatial-tracking")}} for WebXR Device API instead.

-

+> **Warning:** The [WebVR API](/en-US/docs/Web/API/WebVR_API) has been replaced with the [WebXR Device API](/en-US/docs/Web/API/WebXR_Device_API)
+> and is currently being removed from the web platform.
+> Use the feature identifier {{HTTPHeader("Feature-Policy/xr-spatial-tracking","xr-spatial-tracking")}} for WebXR Device API instead.
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header vr directive controls whether the current document is allowed to use the WebVR API. When this policy is enabled, the {{JSxRef("Promise")}} returned by {{DOMxRef("Navigator.getVRDisplays","Navigator.getVRDisplays()")}} will reject with a {{DOMxRef("DOMException")}}.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `vr` directive controls whether the current document is allowed to use the [WebVR API](/en-US/docs/Web/API/WebVR_API). When this policy is enabled, the {{JSxRef("Promise")}} returned by {{DOMxRef("Navigator.getVRDisplays","Navigator.getVRDisplays()")}} will reject with a {{DOMxRef("DOMException")}}.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: vr <allowlist>;

+    Feature-Policy: vr ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
The default allowlist is 'self'.

+The default allowlist is `'self'`.
 
-
Specifications

+## Specifications
 
-
- 
-  
-   
-   
-   
-  
- 
- 
-  
-   
-   
-   
-  
-  
-   
-   
-   
-  
- 
-
SpecificationStatusComment
{{SpecName("Feature Policy")}}{{Spec2("Feature Policy")}}Initial definition.
{{SpecName("WebVR 1.1")}}{{Spec2("WebVR 1.1")}}

+| Specification                            | Status                               | Comment             |
+| ---------------------------------------- | ------------------------------------ | ------------------- |
+| {{SpecName("Feature Policy")}} | {{Spec2("Feature Policy")}} | Initial definition. |
+| {{SpecName("WebVR 1.1")}}         | {{Spec2("WebVR 1.1")}}         |                     |
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPHeader("Feature-Policy/xr-spatial-tracking","Feature-Policy: xr-spatial-tracking")}}
    • 
- 
  • {{HTTPHeader("Feature-Policy")}} header
    • 
- 
  • Feature Policy
    • 
- 
  • Using Feature Policy
    • 
-

+- {{HTTPHeader("Feature-Policy/xr-spatial-tracking","Feature-Policy: xr-spatial-tracking")}}
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/web-share/index.md b/files/en-us/web/http/headers/feature-policy/web-share/index.md
index 7c3185bac79d9d4..e740ebe77ede035 100644
--- a/files/en-us/web/http/headers/feature-policy/web-share/index.md
+++ b/files/en-us/web/http/headers/feature-policy/web-share/index.md
@@ -8,37 +8,33 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.web-share
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader('Feature-Policy')}} header web-share directive controls whether the current document is allowed to use the {{domxref("Navigator.share","Navigator.share()")}} method of the Web Share API to share text, links, images, and other content to arbitrary destinations of the user's choice.

+The HTTP {{HTTPHeader('Feature-Policy')}} header `web-share` directive controls whether the current document is allowed to use the {{domxref("Navigator.share","Navigator.share()")}} method of the Web Share API to share text, links, images, and other content to arbitrary destinations of the user's choice.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: web-share <allowlist>;

+    Feature-Policy: web-share ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

-

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
The default value is 'self'.

+The default value is `'self'`.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
Browser implementation is being discussed in https://github.com/w3c/web-share/issues/169.

+Browser implementation is being discussed in .
 
-
See also

+## See also
 
-
+- {{HTTPHeader('Feature-Policy')}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/xr-spatial-tracking/index.md b/files/en-us/web/http/headers/feature-policy/xr-spatial-tracking/index.md
index 5a6f8b24533c5af..ef8589865de5a47 100644
--- a/files/en-us/web/http/headers/feature-policy/xr-spatial-tracking/index.md
+++ b/files/en-us/web/http/headers/feature-policy/xr-spatial-tracking/index.md
@@ -11,37 +11,33 @@ tags:
   - Experimental
 browser-compat: http.headers.Feature-Policy.xr-spatial-tracking
 ---
-
{{HTTPSidebar}}{{Draft}}{{SeeCompatTable}}

+{{HTTPSidebar}}{{Draft}}{{SeeCompatTable}}
 
-
The HTTP {{HTTPHeader("Feature-Policy")}} header xr-spatial-tracking directive controls whether the current document is allowed to use the WebXR Device API. This policy controls whether {{DOMxRef("XRSystem/requestSession","navigator.xr.requestSession()")}} can return {{DOMxRef("XRSession")}} that requires spatial tracking and whether user agent can indicate support for sessions supporting spatial tracking via {{DOMxRef("XRSystem/isSessionSupported","navigator.xr.isSessionSupported()")}} and {{Event("devicechange")}} event on {{DOMxRef("Navigator.xr","navigator.xr")}} object.

+The HTTP {{HTTPHeader("Feature-Policy")}} header `xr-spatial-tracking` directive controls whether the current document is allowed to use the [WebXR Device API](/en-US/docs/Web/API/WebXR_Device_API). This policy controls whether {{DOMxRef("XRSystem/requestSession","navigator.xr.requestSession()")}} can return {{DOMxRef("XRSession")}} that requires spatial tracking and whether user agent can indicate support for sessions supporting spatial tracking via {{DOMxRef("XRSystem/isSessionSupported","navigator.xr.isSessionSupported()")}} and {{Event("devicechange")}} event on {{DOMxRef("Navigator.xr","navigator.xr")}} object.
 
-
Syntax

+## Syntax
 
-
Feature-Policy: xr-spatial-tracking <allowlist>;

+    Feature-Policy: xr-spatial-tracking ;
 
-

-  
<allowlist>

-  
A list of origins for which the feature is allowed. See Feature-Policy.

- 

+- \
+  - : A list of origins for which the feature is allowed. See [`Feature-Policy`](/en-US/docs/Web/HTTP/Headers/Feature-Policy#syntax).
 
-
Default policy

+## Default policy
 
-
The default allowlist is 'self'.

+The default allowlist is `'self'`.
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • WebXR Device API
    • 
- 
  • {{DOMxRef("XRSystem/requestSession","navigator.xr.requestSession()")}}, and {{DOMxRef("XRSystem/isSessionSupported","navigator.xr.isSessionSupported()")}} and {{Event("devicechange")}} event on {{DOMxRef("Navigator.xr","navigator.xr")}}
    • 
- 
  • {{HTTPHeader("Feature-Policy")}} header
    • 
- 
  • Feature Policy
    • 
- 
  • Using Feature Policy
    • 
-

+- [WebXR Device API](/en-US/docs/Web/API/WebXR_Device_API)
+- {{DOMxRef("XRSystem/requestSession","navigator.xr.requestSession()")}}, and {{DOMxRef("XRSystem/isSessionSupported","navigator.xr.isSessionSupported()")}} and {{Event("devicechange")}} event on {{DOMxRef("Navigator.xr","navigator.xr")}}
+- {{HTTPHeader("Feature-Policy")}} header
+- [Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy)
+- [Using Feature Policy](/en-US/docs/Web/HTTP/Feature_Policy/Using_Feature_Policy)
diff --git a/files/en-us/web/http/headers/feature-policy/xr/index.md b/files/en-us/web/http/headers/feature-policy/xr/index.md
index 529d794a46d8291..cddf9e58c3f9154 100644
--- a/files/en-us/web/http/headers/feature-policy/xr/index.md
+++ b/files/en-us/web/http/headers/feature-policy/xr/index.md
@@ -4,8 +4,7 @@ slug: Web/HTTP/Headers/Feature-Policy/xr
 tags:
   - Deprecated
   - Experimental
-
 ---
-
{{HTTPSidebar}} {{Deprecated_Header}}

+{{HTTPSidebar}} {{Deprecated_Header}}
 
-
This Feature Policy directive was at one point defined as xr (but implemented in Chrome as {{httpheader("Feature-Policy/vr", "vr")}}), use {{httpheader("Feature-Policy/xr-spatial-tracking", "xr-spatial-tracking")}} instead.

+This Feature Policy directive was at one point defined as `xr` (but implemented in Chrome as {{httpheader("Feature-Policy/vr", "vr")}}), use {{httpheader("Feature-Policy/xr-spatial-tracking", "xr-spatial-tracking")}} instead.
diff --git a/files/en-us/web/http/headers/forwarded/index.md b/files/en-us/web/http/headers/forwarded/index.md
index c337c4febf52679..58e34072ef57662 100644
--- a/files/en-us/web/http/headers/forwarded/index.md
+++ b/files/en-us/web/http/headers/forwarded/index.md
@@ -9,95 +9,88 @@ tags:
   - header
 browser-compat: http.headers.Forwarded
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Forwarded header contains information from the reverse proxy servers that is altered or lost when a proxy is involved in the path of the request.

+The **`Forwarded`** header contains information from the [reverse proxy servers](/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling) that is altered or lost when a proxy is involved in the path of the request.
 
-
The alternative and de-facto standard versions of this header are the {{HTTPHeader("X-Forwarded-For")}}, {{HTTPHeader("X-Forwarded-Host")}} and {{HTTPHeader("X-Forwarded-Proto")}} headers.

+The alternative and de-facto standard versions of this header are the {{HTTPHeader("X-Forwarded-For")}}, {{HTTPHeader("X-Forwarded-Host")}} and {{HTTPHeader("X-Forwarded-Proto")}} headers.
 
-
This header is used for debugging, statistics, and generating location-dependent content and by design it exposes privacy sensitive information, such as the IP address of the client. Therefore the user's privacy must be kept in mind when deploying this header.

+This header is used for debugging, statistics, and generating location-dependent content and by design it exposes privacy sensitive information, such as the IP address of the client. Therefore the user's privacy must be kept in mind when deploying this header.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
Forwarded: by=<identifier>;for=<identifier>;host=<host>;proto=<http|https>
-

+```html
+Forwarded: by=;for=;host=;proto=
+```
 
-
Directives

+## Directives
 
-

- 
<identifier>

- 
An identifier disclosing the information that is altered or lost when using a proxy. This can be either:
- 
    
-  
  • an IP address (v4 or v6, optionally with a port, and ipv6 quoted and enclosed in square brackets),
    • 
-  
  • an obfuscated identifier (such as "_hidden" or "_secret"),
    • 
-  
  • or "unknown" when the preceding entity is not known (and you still want to indicate that forwarding of the request was made).
    • 
- 

- 

- 
by=<identifier>

- 
The interface where the request came in to the proxy server.

- 
for=<identifier>

- 
The client that initiated the request and subsequent proxies in a chain of proxies.

- 
host=<host>

- 
The {{HTTPHeader("Host")}} request header field as received by the proxy.

- 
proto=<http|https>

- 

- 
Indicates which protocol was used to make the request (typically "http" or "https").

- 

-

+- \
 
-
Examples

+  - : An identifier disclosing the information that is altered or lost when using a proxy. This can be either:
 
-
Using the Forwarded header

+    - an IP address (v4 or v6, optionally with a port, and ipv6 quoted and enclosed in square brackets),
+    - an obfuscated identifier (such as "\_hidden" or "\_secret"),
+    - or "unknown" when the preceding entity is not known (and you still want to indicate that forwarding of the request was made).
 
-
Forwarded: for="_mdn"
+- by=\
+  - : The interface where the request came in to the proxy server.
+- for=\
+  - : The client that initiated the request and subsequent proxies in a chain of proxies.
+- host=\
+  - : The {{HTTPHeader("Host")}} request header field as received by the proxy.
+- proto=\
+  - : Indicates which protocol was used to make the request (typically "http" or "https").
 
-# case insensitive
-Forwarded: For="[2001:db8:cafe::17]:4711"
+## Examples
 
-# separated by semicolon
-Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
+### Using the `Forwarded` header
 
-# multiple values can be appended using a comma
-Forwarded: for=192.0.2.43, for=198.51.100.17
-

+    Forwarded: for="_mdn"
 
-
Transitioning from X-Forwarded-For to Forwarded

+    # case insensitive
+    Forwarded: For="[2001:db8:cafe::17]:4711"
 
-
If your application, server, or proxy supports the standardized Forwarded header, the {{HTTPHeader("X-Forwarded-For")}} header can be replaced. Note that IPv6 address are quoted and enclosed in square brackets in Forwarded.

+    # separated by semicolon
+    Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43
 
-
X-Forwarded-For: 123.34.567.89
-Forwarded: for=123.34.567.89
+    # multiple values can be appended using a comma
+    Forwarded: for=192.0.2.43, for=198.51.100.17
 
-X-Forwarded-For: 192.0.2.43, "[2001:db8:cafe::17]"
-Forwarded: for=192.0.2.43, for="[2001:db8:cafe::17]"
-

+### Transitioning from `X-Forwarded-For` to `Forwarded`
 
-
Specifications

+If your application, server, or proxy supports the standardized `Forwarded` header, the {{HTTPHeader("X-Forwarded-For")}} header can be replaced. Note that IPv6 address are quoted and enclosed in square brackets in `Forwarded`.
+
+    X-Forwarded-For: 123.34.567.89
+    Forwarded: for=123.34.567.89
+
+    X-Forwarded-For: 192.0.2.43, "[2001:db8:cafe::17]"
+    Forwarded: for=192.0.2.43, for="[2001:db8:cafe::17]"
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPHeader("X-Forwarded-For")}}
    • 
- 
  • {{HTTPHeader("X-Forwarded-Host")}}
    • 
- 
  • {{HTTPHeader("X-Forwarded-Proto")}}
    • 
- 
  • {{HTTPHeader("Via")}} – provides information about the proxy itself, not about the client connecting to it.
    • 
-

+- {{HTTPHeader("X-Forwarded-For")}}
+- {{HTTPHeader("X-Forwarded-Host")}}
+- {{HTTPHeader("X-Forwarded-Proto")}}
+- {{HTTPHeader("Via")}} – provides information about the proxy itself, not about the client connecting to it.
diff --git a/files/en-us/web/http/headers/from/index.md b/files/en-us/web/http/headers/from/index.md
index df4f2d4d4b76eba..4628109ce3f65fb 100644
--- a/files/en-us/web/http/headers/from/index.md
+++ b/files/en-us/web/http/headers/from/index.md
@@ -2,25 +2,21 @@
 title: From
 slug: Web/HTTP/Headers/From
 tags:
-- HTTP
-- Reference
-- header
+  - HTTP
+  - Reference
+  - header
 browser-compat: http.headers.From
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The From request header contains an Internet email
-  address for a human user who controls the requesting user agent.

+The **`From`** request header contains an Internet email
+address for a human user who controls the requesting user agent.
 
-
If you are running a robotic user agent (e.g. a crawler), the From header
-  should be sent, so you can be contacted if problems occur on servers, such as if the
-  robot is sending excessive, unwanted, or invalid requests.

+If you are running a robotic user agent (e.g. a crawler), the `From` header
+should be sent, so you can be contacted if problems occur on servers, such as if the
+robot is sending excessive, unwanted, or invalid requests.
 
-

-  

-    Warning: You shouldn't use the From header for access control or authentication.
-  

-

+> **Warning:** You shouldn't use the `From` header for access control or authentication.
 
 
@@ -35,32 +31,29 @@ browser-compat: http.headers.From
   

   
 

 
-
Syntax

+## Syntax
 
-
From: <email>
-

+```html
+From: 
+```
 
-
Directives

+## Directives
 
-

-  
<email>

-  
A machine-usable email address.

-

+- \
+  - : A machine-usable email address.
 
-
Examples

+## Examples
 
-
From: webmaster@example.org

+    From: webmaster@example.org
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Host")}}
    • 
-

+- {{HTTPHeader("Host")}}
diff --git a/files/en-us/web/http/headers/host/index.md b/files/en-us/web/http/headers/host/index.md
index d03233c185c642f..299f62dbc7795b0 100644
--- a/files/en-us/web/http/headers/host/index.md
+++ b/files/en-us/web/http/headers/host/index.md
@@ -2,22 +2,22 @@
 title: Host
 slug: Web/HTTP/Headers/Host
 tags:
-- HTTP
-- Reference
-- header
+  - HTTP
+  - Reference
+  - header
 browser-compat: http.headers.Host
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Host request header specifies the host and port
-  number of the server to which the request is being sent.

+The **`Host`** request header specifies the host and port
+number of the server to which the request is being sent.
 
-
If no port is included, the default port for the service requested (e.g.,
-  443 for an HTTPS URL, and 80 for an HTTP URL) is implied.

+If no port is included, the default port for the service requested (e.g.,
+`443` for an HTTPS URL, and `80` for an HTTP URL) is implied.
 
-
A Host header field must be sent in all HTTP/1.1 request messages. A
-  {{HTTPStatus("400")}} (Bad Request) status code may be sent to any HTTP/1.1 request
-  message that lacks a Host header field or that contains more than one.

+A `Host` header field must be sent in all HTTP/1.1 request messages. A
+{{HTTPStatus("400")}} (Bad Request) status code may be sent to any HTTP/1.1 request
+message that lacks a `Host` header field or that contains more than one.
 
 
@@ -32,35 +32,32 @@ browser-compat: http.headers.Host
   

   
 

 
-
Syntax

+## Syntax
 
-
Host: <host>:<port>
-

+```html
+Host: :
+```
 
-
Directives

+## Directives
 
-

-  
<host>

-  
the domain name of the server (for virtual hosting).

-  
<port> {{optional_inline}}

-  
TCP port number on which the server is listening.

-

+- \
+  - : the domain name of the server (for virtual hosting).
+- \ {{optional_inline}}
+  - : TCP port number on which the server is listening.
 
-
Examples

+## Examples
 
-
Host: developer.mozilla.org

+    Host: developer.mozilla.org
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPStatus("400")}}
    • 
-  
  • {{HTMLElement("base")}}
    • 
-

+- {{HTTPStatus("400")}}
+- {{HTMLElement("base")}}
diff --git a/files/en-us/web/http/headers/if-match/index.md b/files/en-us/web/http/headers/if-match/index.md
index 09cac4823e3d97d..08774efe5a83580 100644
--- a/files/en-us/web/http/headers/if-match/index.md
+++ b/files/en-us/web/http/headers/if-match/index.md
@@ -2,41 +2,38 @@
 title: If-Match
 slug: Web/HTTP/Headers/If-Match
 tags:
-- Conditional Requests
-- HTTP
-- HTTP Header
-- Reference
-- Request header
+  - Conditional Requests
+  - HTTP
+  - HTTP Header
+  - Reference
+  - Request header
 browser-compat: http.headers.If-Match
 ---
-
{{HTTPSidebar}}

-
-
The If-Match HTTP request header makes the request
-  conditional. For {{HTTPMethod("GET")}} and {{HTTPMethod("HEAD")}} methods, the server
-  will send back the requested resource only if it matches one of the listed
-  ETags. For {{HTTPMethod("PUT")}} and other non-safe methods, it will only
-  upload the resource in this case.

-
-
The comparison with the stored {{HTTPHeader("ETag")}} uses the strong comparison
-    algorithm, meaning two files are considered identical byte to byte only. If a
-  listed ETag has the W/ prefix indicating a weak entity tag, it
-  will never match under this comparison algorithm.

-
-
There are two common use cases:

-
-
    
-  
  • For {{HTTPMethod("GET")}} and {{HTTPMethod("HEAD")}} methods, used in combination
-    with a {{HTTPHeader("Range")}} header, it can guarantee that the new ranges requested
-    comes from the same resource than the previous one. If it doesn't match, then a
-    {{HTTPStatus("416")}} (Range Not Satisfiable) response is returned.
    • 
-  
  • For other methods, and in particular for {{HTTPMethod("PUT")}},
-    If-Match can be used to prevent the lost update problem. It can check
-    if the modification of a resource that the user wants to upload will not override
-    another change that has been done since the original resource was fetched. If the
-    request cannot be fulfilled, the {{HTTPStatus("412")}} (Precondition Failed) response
-    is returned.
    • 
-

+{{HTTPSidebar}}
+
+The **`If-Match`** HTTP request header makes the request
+conditional. For {{HTTPMethod("GET")}} and {{HTTPMethod("HEAD")}} methods, the server
+will send back the requested resource only if it matches one of the listed
+`ETags`. For {{HTTPMethod("PUT")}} and other non-safe methods, it will only
+upload the resource in this case.
+
+The comparison with the stored {{HTTPHeader("ETag")}} uses the _strong comparison
+algorithm_, meaning two files are considered identical byte to byte only. If a
+listed `ETag` has the `W/` prefix indicating a weak entity tag, it
+will never match under this comparison algorithm.
+
+There are two common use cases:
+
+- For {{HTTPMethod("GET")}} and {{HTTPMethod("HEAD")}} methods, used in combination
+  with a {{HTTPHeader("Range")}} header, it can guarantee that the new ranges requested
+  comes from the same resource than the previous one. If it doesn't match, then a
+  {{HTTPStatus("416")}} (Range Not Satisfiable) response is returned.
+- For other methods, and in particular for {{HTTPMethod("PUT")}},
+  `If-Match` can be used to prevent the [lost update problem](https://www.w3.org/1999/04/Editing/#3.1). It can check
+  if the modification of a resource that the user wants to upload will not override
+  another change that has been done since the original resource was fetched. If the
+  request cannot be fulfilled, the {{HTTPStatus("412")}} (Precondition Failed) response
+  is returned.
 
 
@@ -51,49 +48,45 @@ browser-compat: http.headers.If-Match
   

   
 

 
-
Syntax

+## Syntax
 
-
If-Match: <etag_value>
-If-Match: <etag_value>, <etag_value>, …
-

+```html
+If-Match: 
+If-Match: , , …
+```
 
-
Directives

+## Directives
 
-

-  
<etag_value>

-  
Entity tags uniquely representing the requested resources. They are a string of
-    ASCII characters placed between double quotes (like "675af34563dc-tr34").
-    They may be prefixed by W/ to indicate that they are "weak", i.e. that
+- \
+  - : Entity tags uniquely representing the requested resources. They are a string of
+    ASCII characters placed between double quotes (like `"675af34563dc-tr34"`).
+    They may be prefixed by `W/` to indicate that they are "weak", i.e. that
     they represent the resource semantically, but not byte-for-byte. However, in an
-    If-Match header, weak entity tags will never match.

-  
*

-  
The asterisk is a special value representing any resource.

-

+    **`If-Match`** header, weak entity tags will never match.
+- `*`
+  - : The asterisk is a special value representing any resource.
 
-
Examples

+## Examples
 
-
If-Match: "bfc13a64729c4290ef5b2c2730249c88ca92d82d"
+    If-Match: "bfc13a64729c4290ef5b2c2730249c88ca92d82d"
 
-If-Match: "67ab43", "54ed21", "7892dd"
+    If-Match: "67ab43", "54ed21", "7892dd"
 
-If-Match: *
-

+    If-Match: *
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("ETag")}}
    • 
-  
  • {{HTTPHeader("If-Unmodified-Since")}}
    • 
-  
  • {{HTTPHeader("If-Modified-Since")}}
    • 
-  
  • {{HTTPHeader("If-None-Match")}}
    • 
-  
  • {{HTTPStatus("416")}} Range Not Satisfiable
    • 
-  
  • {{HTTPStatus("412")}} Precondition Failed
    • 
-

+- {{HTTPHeader("ETag")}}
+- {{HTTPHeader("If-Unmodified-Since")}}
+- {{HTTPHeader("If-Modified-Since")}}
+- {{HTTPHeader("If-None-Match")}}
+- {{HTTPStatus("416")}}` Range Not Satisfiable`
+- {{HTTPStatus("412")}}` Precondition Failed`
diff --git a/files/en-us/web/http/headers/if-modified-since/index.md b/files/en-us/web/http/headers/if-modified-since/index.md
index aa9afbfa9af3522..221489264ff5b24 100644
--- a/files/en-us/web/http/headers/if-modified-since/index.md
+++ b/files/en-us/web/http/headers/if-modified-since/index.md
@@ -2,29 +2,29 @@
 title: If-Modified-Since
 slug: Web/HTTP/Headers/If-Modified-Since
 tags:
-- Conditional Requests
-- HTTP
-- HTTP Header
-- Reference
-- Request header
+  - Conditional Requests
+  - HTTP
+  - HTTP Header
+  - Reference
+  - Request header
 browser-compat: http.headers.If-Modified-Since
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The If-Modified-Since request HTTP header makes the
-  request conditional: the server will send back the requested resource, with a
-  {{HTTPStatus("200")}} status, only if it has been last modified after the given date. If
-  the resource has not been modified since, the response will be a {{HTTPStatus("304")}}
-  without any body; the {{HTTPHeader("Last-Modified")}} response header of a previous
-  request will contain the date of last modification. Unlike
-  {{HTTPHeader("If-Unmodified-Since")}}, If-Modified-Since can only be used
-  with a {{HTTPMethod("GET")}} or {{HTTPMethod("HEAD")}}.

+The **`If-Modified-Since`** request HTTP header makes the
+request conditional: the server will send back the requested resource, with a
+{{HTTPStatus("200")}} status, only if it has been last modified after the given date. If
+the resource has not been modified since, the response will be a {{HTTPStatus("304")}}
+without any body; the {{HTTPHeader("Last-Modified")}} response header of a previous
+request will contain the date of last modification. Unlike
+{{HTTPHeader("If-Unmodified-Since")}}, `If-Modified-Since` can only be used
+with a {{HTTPMethod("GET")}} or {{HTTPMethod("HEAD")}}.
 
-
When used in combination with {{HTTPHeader("If-None-Match")}}, it is ignored, unless
-  the server doesn't support If-None-Match.

+When used in combination with {{HTTPHeader("If-None-Match")}}, it is ignored, unless
+the server doesn't support `If-None-Match`.
 
-
The most common use case is to update a cached entity that has no associated
-  {{HTTPHeader("ETag")}}.

+The most common use case is to update a cached entity that has no associated
+{{HTTPHeader("ETag")}}.
 
 
@@ -39,55 +39,48 @@ browser-compat: http.headers.If-Modified-Since
   

   
 

 
-
Syntax

-
-
If-Modified-Since: <day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT
-

-
-
Directives

-
-

-  
<day-name>

-  
One of "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", or "Sun" (case-sensitive).

-  
<day>

-  
2 digit day number, e.g. "04" or "23".

-  
<month>

-  
One of "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov",
-    "Dec" (case sensitive).

-  
<year>

-  
4 digit year number, e.g. "1990" or "2016".

-  
<hour>

-  
2 digit hour number, e.g. "09" or "23".

-  
<minute>

-  
2 digit minute number, e.g. "04" or "59".

-  
<second>

-  
2 digit second number, e.g. "04" or "59".

-  
GMT

-  

-    
Greenwich Mean Time. HTTP dates are always expressed in GMT, never in local time.
-    

-  

-

-
-
Examples

-
-
If-Modified-Since: Wed, 21 Oct 2015 07:28:00 GMT
-

-
-
Specifications

+## Syntax
+
+```html
+If-Modified-Since: ,    :: GMT
+```
+
+## Directives
+
+- \
+  - : One of "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", or "Sun" (case-sensitive).
+- \
+  - : 2 digit day number, e.g. "04" or "23".
+- \
+  - : One of "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov",
+    "Dec" (case sensitive).
+- \
+  - : 4 digit year number, e.g. "1990" or "2016".
+- \
+  - : 2 digit hour number, e.g. "09" or "23".
+- \
+  - : 2 digit minute number, e.g. "04" or "59".
+- \
+  - : 2 digit second number, e.g. "04" or "59".
+- `GMT`
+  - : Greenwich Mean Time. HTTP dates are always expressed in GMT, never in local time.
+
+## Examples
+
+    If-Modified-Since: Wed, 21 Oct 2015 07:28:00 GMT
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("ETag")}}
    • 
-  
  • {{HTTPHeader("If-Unmodified-since")}}
    • 
-  
  • {{HTTPHeader("If-Match")}}
    • 
-  
  • {{HTTPHeader("If-None-Match")}}
    • 
-  
  • {{HTTPStatus("304")}} Not Modified
    • 
-

+- {{HTTPHeader("ETag")}}
+- {{HTTPHeader("If-Unmodified-since")}}
+- {{HTTPHeader("If-Match")}}
+- {{HTTPHeader("If-None-Match")}}
+- {{HTTPStatus("304")}}` Not Modified`
diff --git a/files/en-us/web/http/headers/if-none-match/index.md b/files/en-us/web/http/headers/if-none-match/index.md
index d7266057cdc22c2..bdef9f56a31e8b1 100644
--- a/files/en-us/web/http/headers/if-none-match/index.md
+++ b/files/en-us/web/http/headers/if-none-match/index.md
@@ -9,75 +9,70 @@ tags:
   - Request header
 browser-compat: http.headers.If-None-Match
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The If-None-Match HTTP request header makes the request conditional. For {{HTTPMethod("GET")}} and {{HTTPMethod("HEAD")}} methods, the server will send back the requested resource, with a {{HTTPStatus("200")}} status, only if it doesn't have an {{HTTPHeader("ETag")}} matching the given ones. For other methods, the request will be processed only if the eventually existing resource's {{HTTPHeader("ETag")}} doesn't match any of the values listed.

+The **`If-None-Match`** HTTP request header makes the request conditional. For {{HTTPMethod("GET")}} and {{HTTPMethod("HEAD")}} methods, the server will send back the requested resource, with a {{HTTPStatus("200")}} status, only if it doesn't have an {{HTTPHeader("ETag")}} matching the given ones. For other methods, the request will be processed only if the eventually existing resource's {{HTTPHeader("ETag")}} doesn't match any of the values listed.
 
-
When the condition fails for {{HTTPMethod("GET")}} and {{HTTPMethod("HEAD")}} methods, then the server must return HTTP status code 304 (Not Modified). For methods that apply server-side changes, the status code 412 (Precondition Failed) is used. Note that the server generating a 304 response MUST generate any of the following header fields that would have been sent in a 200 (OK) response to the same request: Cache-Control, Content-Location, Date, ETag, Expires, and Vary.

+When the condition fails for {{HTTPMethod("GET")}} and {{HTTPMethod("HEAD")}} methods, then the server must return HTTP status code 304 (Not Modified). For methods that apply server-side changes, the status code 412 (Precondition Failed) is used. Note that the server generating a 304 response MUST generate any of the following header fields that would have been sent in a 200 (OK) response to the same request: Cache-Control, Content-Location, Date, ETag, Expires, and Vary.
 
-
The comparison with the stored {{HTTPHeader("ETag")}} uses the weak comparison algorithm, meaning two files are considered identical if the content is equivalent — they don't have to be identical byte for byte. For example, two pages that differ by the date of generation in the footer would still be considered as identical.

+The comparison with the stored {{HTTPHeader("ETag")}} uses the _weak comparison algorithm_, meaning two files are considered identical if the content is equivalent — they don't have to be identical byte for byte. For example, two pages that differ by the date of generation in the footer would still be considered as identical.
 
-
When used in combination with {{HTTPHeader("If-Modified-Since")}}, If-None-Match has precedence (if the server supports it).

+When used in combination with {{HTTPHeader("If-Modified-Since")}}, **`If-None-Match`** has precedence (if the server supports it).
 
-
There are two common use cases:

+There are two common use cases:
 
-
    
- 
  • For {{HTTPMethod("GET")}} and {{HTTPMethod("HEAD")}} methods, to update a cached entity that has an associated {{HTTPHeader("ETag")}}.
    • 
- 
  • For other methods, and in particular for {{HTTPMethod("PUT")}}, If-None-Match used with the * value can be used to save a file not known to exist, guaranteeing that another upload didn't happen before, losing the data of the previous put; this problem is a variation of the lost update problem.
    • 
-

+- For {{HTTPMethod("GET")}} and {{HTTPMethod("HEAD")}} methods, to update a cached entity that has an associated {{HTTPHeader("ETag")}}.
+- For other methods, and in particular for {{HTTPMethod("PUT")}}, `If-None-Match` used with the `*` value can be used to save a file not known to exist, guaranteeing that another upload didn't happen before, losing the data of the previous put; this problem is a variation of the [lost update problem](https://www.w3.org/1999/04/Editing/#3.1).
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
If-None-Match: "<etag_value>"
-If-None-Match: "<etag_value>", "<etag_value>", …
-If-None-Match: *

+```html
+If-None-Match: ""
+If-None-Match: "", "", …
+If-None-Match: *
+```
 
-
Directives

+## Directives
 
-

- 
<etag_value>

- 
Entity tags uniquely representing the requested resources. They are a string of ASCII characters placed between double quotes (Like "675af34563dc-tr34") and may be prefixed by W/ to indicate that the weak comparison algorithm should be used (This is useless with If-None-Match as it only uses that algorithm).

- 
*

- 
The asterisk is a special value representing any resource. They are only useful when uploading a resource, usually with {{HTTPMethod("PUT")}}, to check if another resource with the identity has already been uploaded before.

-

+- \
+  - : Entity tags uniquely representing the requested resources. They are a string of ASCII characters placed between double quotes (Like `"675af34563dc-tr34"`) and may be prefixed by `W/` to indicate that the weak comparison algorithm should be used (This is useless with `If-None-Match` as it only uses that algorithm).
+- `*`
+  - : The asterisk is a special value representing any resource. They are only useful when uploading a resource, usually with {{HTTPMethod("PUT")}}, to check if another resource with the identity has already been uploaded before.
 
-
Examples

+## Examples
 
-
If-None-Match: "bfc13a64729c4290ef5b2c2730249c88ca92d82d"
+    If-None-Match: "bfc13a64729c4290ef5b2c2730249c88ca92d82d"
 
-If-None-Match: W/"67ab43", "54ed21", "7892dd"
+    If-None-Match: W/"67ab43", "54ed21", "7892dd"
 
-If-None-Match: *
-

+    If-None-Match: *
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPHeader("ETag")}}
    • 
- 
  • {{HTTPHeader("If-Unmodified-Since")}}
    • 
- 
  • {{HTTPHeader("If-Modified-Since")}}
    • 
- 
  • {{HTTPHeader("If-Match")}}
    • 
- 
  • {{HTTPStatus("304")}} Not Modified
    • 
- 
  • {{HTTPStatus("412")}} Precondition Failed
    • 
-

+- {{HTTPHeader("ETag")}}
+- {{HTTPHeader("If-Unmodified-Since")}}
+- {{HTTPHeader("If-Modified-Since")}}
+- {{HTTPHeader("If-Match")}}
+- {{HTTPStatus("304")}}` Not Modified`
+- {{HTTPStatus("412")}}` Precondition Failed`
diff --git a/files/en-us/web/http/headers/if-range/index.md b/files/en-us/web/http/headers/if-range/index.md
index cde5ba791431f09..3405a39e1fd2350 100644
--- a/files/en-us/web/http/headers/if-range/index.md
+++ b/files/en-us/web/http/headers/if-range/index.md
@@ -2,27 +2,27 @@
 title: If-Range
 slug: Web/HTTP/Headers/If-Range
 tags:
-- Condtional Requests
-- HTTP
-- HTTP Header
-- Range Requests
-- Reference
-- Request header
+  - Condtional Requests
+  - HTTP
+  - HTTP Header
+  - Range Requests
+  - Reference
+  - Request header
 browser-compat: http.headers.If-Range
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The If-Range HTTP request header makes a range request
-  conditional: if the condition is fulfilled, the range request will be issued and the
-  server sends back a {{HTTPStatus("206")}} Partial Content answer with the
-  appropriate body. If the condition is not fulfilled, the full resource is sent back,
-  with a {{HTTPStatus("200")}} OK status.

+The **`If-Range`** HTTP request header makes a range request
+conditional: if the condition is fulfilled, the range request will be issued and the
+server sends back a {{HTTPStatus("206")}} `Partial Content` answer with the
+appropriate body. If the condition is not fulfilled, the full resource is sent back,
+with a {{HTTPStatus("200")}} `OK` status.
 
-
This header can be used either with a {{HTTPHeader("Last-Modified")}} validator, or
-  with an {{HTTPHeader("ETag")}}, but not with both.

+This header can be used either with a {{HTTPHeader("Last-Modified")}} validator, or
+with an {{HTTPHeader("ETag")}}, but not with both.
 
-
The most common use case is to resume a download, to guarantee that the stored resource
-  has not been modified since the last fragment has been received.

+The most common use case is to resume a download, to guarantee that the stored resource
+has not been modified since the last fragment has been received.
 
 
@@ -37,64 +37,57 @@ browser-compat: http.headers.If-Range
   

   
 

 
-
Syntax

-
-
If-Range: <day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT
-If-Range: <etag>

-
-
Directives

-
-

-  
<etag>

-  
An entity tag uniquely representing the requested resource. It is a string of ASCII
-    characters placed between double quotes (Like "675af34563dc-tr34") and
-    may be prefixed by W/ to indicate that the weak comparison algorithm
-    should be used.

-  
<day-name>

-  
One of "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", or "Sun" (case-sensitive).

-  
<day>

-  
2 digit day number, e.g. "04" or "23".

-  
<month>

-  
One of "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov",
-    "Dec" (case sensitive).

-  
<year>

-  
4 digit year number, e.g. "1990" or "2016".

-  
<hour>

-  
2 digit hour number, e.g. "09" or "23".

-  
<minute>

-  
2 digit minute number, e.g. "04" or "59".

-  
<second>

-  
2 digit second number, e.g. "04" or "59".

-  
GMT

-  

-    
Greenwich Mean Time. HTTP dates are always expressed in GMT, never in local time.
-    

-  

-

-
-
Examples

-
-
If-Range: Wed, 21 Oct 2015 07:28:00 GMT
-

-
-
Specifications

+## Syntax
+
+```html
+If-Range: ,    :: GMT
+If-Range: 
+```
+
+## Directives
+
+- \
+  - : An entity tag uniquely representing the requested resource. It is a string of ASCII
+    characters placed between double quotes (Like `"675af34563dc-tr34"`) and
+    may be prefixed by `W/` to indicate that the weak comparison algorithm
+    should be used.
+- \
+  - : One of "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", or "Sun" (case-sensitive).
+- \
+  - : 2 digit day number, e.g. "04" or "23".
+- \
+  - : One of "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov",
+    "Dec" (case sensitive).
+- \
+  - : 4 digit year number, e.g. "1990" or "2016".
+- \
+  - : 2 digit hour number, e.g. "09" or "23".
+- \
+  - : 2 digit minute number, e.g. "04" or "59".
+- \
+  - : 2 digit second number, e.g. "04" or "59".
+- `GMT`
+  - : Greenwich Mean Time. HTTP dates are always expressed in GMT, never in local time.
+
+## Examples
+
+    If-Range: Wed, 21 Oct 2015 07:28:00 GMT
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("ETag")}}
    • 
-  
  • {{HTTPHeader("Last-Modified")}}
    • 
-  
  • {{HTTPHeader("If-Modified-Since")}}
    • 
-  
  • {{HTTPHeader("If-Unmodified-Since")}}
    • 
-  
  • {{HTTPHeader("If-Match")}}
    • 
-  
  • {{HTTPHeader("If-None-Match")}}
    • 
-  
  • {{HTTPStatus("206")}} Partial Content
    • 
-  
  • HTTP Conditional Requests
-  
    • 
-

+- {{HTTPHeader("ETag")}}
+- {{HTTPHeader("Last-Modified")}}
+- {{HTTPHeader("If-Modified-Since")}}
+- {{HTTPHeader("If-Unmodified-Since")}}
+- {{HTTPHeader("If-Match")}}
+- {{HTTPHeader("If-None-Match")}}
+- {{HTTPStatus("206")}}` Partial Content`
+- [HTTP Conditional Requests](/en-US/docs/Web/HTTP/Conditional_requests)
diff --git a/files/en-us/web/http/headers/if-unmodified-since/index.md b/files/en-us/web/http/headers/if-unmodified-since/index.md
index 78415d9bb52577e..9fb66f9076cef6c 100644
--- a/files/en-us/web/http/headers/if-unmodified-since/index.md
+++ b/files/en-us/web/http/headers/if-unmodified-since/index.md
@@ -2,33 +2,29 @@
 title: If-Unmodified-Since
 slug: Web/HTTP/Headers/If-Unmodified-Since
 tags:
-- HTTP
-- HTTP Header
-- Reference
-- Request header
+  - HTTP
+  - HTTP Header
+  - Reference
+  - Request header
 browser-compat: http.headers.If-Unmodified-Since
 ---
-
{{HTTPSidebar}}

-
-
The If-Unmodified-Since request HTTP header makes the
-  request conditional: the server will send back the requested resource, or accept it in
-  the case of a {{HTTPMethod("POST")}} or another non-{{Glossary("Safe/HTTP", "safe")}} method, only if
-  it has not been last modified after the given date. If the resource has been modified
-  after the given date, the response will be a {{HTTPStatus("412")}} (Precondition Failed)
-  error.

-
-
There are two common use cases:

-
-
    
-  
  • In conjunction with non-{{Glossary("Safe/HTTP", "safe")}} methods, like {{HTTPMethod("POST")}},
-    it can be used to implement an optimistic
-      concurrency control, like done by some wikis: editions are rejected if the
-    stored document has been modified since the original has been retrieved.
    • 
-  
  • In conjunction with a range request with a {{HTTPHeader("If-Range")}} header, it can
-    be used to ensure that the new fragment requested comes from an unmodified document.
-  
    • 
-

+{{HTTPSidebar}}
+
+The **`If-Unmodified-Since`** request HTTP header makes the
+request conditional: the server will send back the requested resource, or accept it in
+the case of a {{HTTPMethod("POST")}} or another non-{{Glossary("Safe/HTTP", "safe")}} method, only if
+it has not been last modified after the given date. If the resource has been modified
+after the given date, the response will be a {{HTTPStatus("412")}} (Precondition Failed)
+error.
+
+There are two common use cases:
+
+- In conjunction with non-{{Glossary("Safe/HTTP", "safe")}} methods, like {{HTTPMethod("POST")}},
+  it can be used to implement an [optimistic
+  concurrency control](https://en.wikipedia.org/wiki/Optimistic_concurrency_control), like done by some wikis: editions are rejected if the
+  stored document has been modified since the original has been retrieved.
+- In conjunction with a range request with a {{HTTPHeader("If-Range")}} header, it can
+  be used to ensure that the new fragment requested comes from an unmodified document.
 
 
@@ -43,56 +39,49 @@ browser-compat: http.headers.If-Unmodified-Since
   

   
 

 
-
Syntax

-
-
If-Unmodified-Since: <day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT
-

-
-
Directives

-
-

-  
<day-name>

-  
One of "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", or "Sun" (case-sensitive).

-  
<day>

-  
2 digit day number, e.g. "04" or "23".

-  
<month>

-  
One of "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov",
-    "Dec" (case sensitive).

-  
<year>

-  
4 digit year number, e.g. "1990" or "2016".

-  
<hour>

-  
2 digit hour number, e.g. "09" or "23".

-  
<minute>

-  
2 digit minute number, e.g. "04" or "59".

-  
<second>

-  
2 digit second number, e.g. "04" or "59".

-  
GMT

-  

-    
Greenwich Mean Time. HTTP dates are always expressed in GMT, never in local time.
-    

-  

-

-
-
Examples

-
-
If-Unmodified-Since: Wed, 21 Oct 2015 07:28:00 GMT
-

-
-
Specifications

+## Syntax
+
+```html
+If-Unmodified-Since: ,    :: GMT
+```
+
+## Directives
+
+- \
+  - : One of "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", or "Sun" (case-sensitive).
+- \
+  - : 2 digit day number, e.g. "04" or "23".
+- \
+  - : One of "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov",
+    "Dec" (case sensitive).
+- \
+  - : 4 digit year number, e.g. "1990" or "2016".
+- \
+  - : 2 digit hour number, e.g. "09" or "23".
+- \
+  - : 2 digit minute number, e.g. "04" or "59".
+- \
+  - : 2 digit second number, e.g. "04" or "59".
+- `GMT`
+  - : Greenwich Mean Time. HTTP dates are always expressed in GMT, never in local time.
+
+## Examples
+
+    If-Unmodified-Since: Wed, 21 Oct 2015 07:28:00 GMT
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Last-Modified")}}
    • 
-  
  • {{HTTPHeader("If-Modified-Since")}}
    • 
-  
  • {{HTTPHeader("If-Match")}}
    • 
-  
  • {{HTTPHeader("If-None-Match")}}
    • 
-  
  • {{HTTPHeader("If-Range")}}
    • 
-  
  • {{HTTPStatus("412")}} Precondition Failed
    • 
-

+- {{HTTPHeader("Last-Modified")}}
+- {{HTTPHeader("If-Modified-Since")}}
+- {{HTTPHeader("If-Match")}}
+- {{HTTPHeader("If-None-Match")}}
+- {{HTTPHeader("If-Range")}}
+- {{HTTPStatus("412")}}` Precondition Failed`
diff --git a/files/en-us/web/http/headers/index.md b/files/en-us/web/http/headers/index.md
index 054a239b50b4126..3a2f5ea36733e6b 100644
--- a/files/en-us/web/http/headers/index.md
+++ b/files/en-us/web/http/headers/index.md
@@ -9,447 +9,390 @@ tags:
   - Overview
   - Reference
 ---
-
{{HTTPSidebar}}

-
-
HTTP headers let the client and the server pass additional information with an HTTP request or response. An HTTP header consists of its case-insensitive name followed by a colon (:), then by its value. {{Glossary("Whitespace")}} before the value is ignored.

-
-
Custom proprietary headers have historically been used with an X- prefix, but this convention was deprecated in June 2012 because of the inconveniences it caused when nonstandard fields became standard in RFC 6648; others are listed in an IANA registry, whose original content was defined in RFC 4229. IANA also maintains a registry of proposed new HTTP headers.

-
-
Headers can be grouped according to their contexts:

-
-
    
- 
  • {{Glossary("Request header", "Request headers")}} contain more information about the resource to be fetched, or about the client requesting the resource.
    • 
- 
  • {{Glossary("Response header", "Response headers")}} hold additional information about the response, like its location or about the server providing it.
    • 
- 
  • {{Glossary("Representation header", "Representation headers")}} contain information about the body of the resource, like its MIME type, or encoding/compression applied.
    • 
- 
  • {{Glossary("Payload header","Payload headers")}} contain representation-independent information about payload data, including content length and the encoding used for transport.
    • 
-

-
-
Headers can also be grouped according to how {{Glossary("Proxy_server", "proxies")}} handle them:

-
-
    
- 
  • {{ httpheader("Connection") }}
    • 
- 
  • {{ httpheader("Keep-Alive") }}
    • 
- 
  • {{ httpheader("Proxy-Authenticate") }}
    • 
- 
  • {{ httpheader("Proxy-Authorization") }}
    • 
- 
  • {{ httpheader("TE") }}
    • 
- 
  • {{ httpheader("Trailer") }}
    • 
- 
  • {{ httpheader("Transfer-Encoding") }}
    • 
- 
  • {{ httpheader("Upgrade") }} (see also Protocol upgrade mechanism).
    • 
-

-
-

- 
End-to-end headers

- 
These headers must be transmitted to the final recipient of the message: the server for a request, or the client for a response. Intermediate proxies must retransmit these headers unmodified and caches must store them.

- 
Hop-by-hop headers

- 
These headers are meaningful only for a single transport-level connection, and must not be retransmitted by proxies or cached. Note that only hop-by-hop headers may be set using the {{httpheader("Connection")}} header.

-

-
-
Authentication

-
-

- 
{{HTTPHeader("WWW-Authenticate")}}

- 
Defines the authentication method that should be used to access a resource.

- 
{{HTTPHeader("Authorization")}}

- 
Contains the credentials to authenticate a user-agent with a server.

- 
{{HTTPHeader("Proxy-Authenticate")}}

- 
Defines the authentication method that should be used to access a resource behind a proxy server.

- 
{{HTTPHeader("Proxy-Authorization")}}

- 
Contains the credentials to authenticate a user agent with a proxy server.

-

-
-
Caching

-
-

- 
{{HTTPHeader("Age")}}

- 
The time, in seconds, that the object has been in a proxy cache.

- 
{{HTTPHeader("Cache-Control")}}

- 
Directives for caching mechanisms in both requests and responses.

- 
{{HTTPHeader("Clear-Site-Data")}}

- 
Clears browsing data (e.g. cookies, storage, cache) associated with the requesting website.

- 
{{HTTPHeader("Expires")}}

- 
The date/time after which the response is considered stale.

- 
{{HTTPHeader("Pragma")}}

- 
Implementation-specific header that may have various effects anywhere along the request-response chain. Used for backwards compatibility with HTTP/1.0 caches where the Cache-Control header is not yet present.

- 
{{HTTPHeader("Warning")}}

- 
General warning information about possible problems.

-

-
-
Client hints

-
-
HTTP {{Glossary("Client_hints", "Client hints")}} are a set of request headers that provide useful information about the client such as device type and network conditions, and allow servers to optimize what is served for those conditions.

-
-
Servers proactively requests the client hint headers they are interested in from the client using {{HTTPHeader("Accept-CH")}}. The client may then choose to include the requested headers in subsequent requests.

-
-

- 
{{HTTPHeader("Accept-CH")}} {{experimental_inline}}

- 
Servers can advertise support for Client Hints using the Accept-CH header field or an equivalent HTML <meta> element with http-equiv attribute.

- 
{{HTTPHeader("Accept-CH-Lifetime")}} {{experimental_inline}} {{deprecated_inline}}

- 
Servers can ask the client to remember the set of Client Hints that the server supports for a specified period of time, to enable delivery of Client Hints on subsequent requests to the server’s origin.

-

-
-
The different categories of client hints are listed below.

-
-
Device client hints

-
-

-  
{{HTTPHeader("Content-DPR")}} {{deprecated_inline}}{{experimental_inline}}

-  
Response header used to confirm the image device to pixel ratio in requests where the {{HTTPHeader("DPR")}} client hint was used to select an image resource.

-  
{{HTTPHeader("Device-Memory")}} {{deprecated_inline}}{{experimental_inline}}

-  
Approximate amount of available client RAM memory. This is part of the Device Memory API.

-  
{{HTTPHeader("DPR")}} {{deprecated_inline}}{{experimental_inline}}

-  
Client device pixel ratio (DPR), which is the number of physical device pixels corresponding to every CSS pixel.

-  
{{HTTPHeader("Viewport-Width")}} {{deprecated_inline}}{{experimental_inline}}

-  
A number that indicates the layout viewport width in CSS pixels. The provided pixel value is a number rounded to the smallest following integer (i.e. ceiling value).

-  
{{HTTPHeader("Width")}} {{deprecated_inline}}{{experimental_inline}}

-  
The Width request header field is a number that indicates the desired resource width in physical pixels (i.e. intrinsic size of an image).

- 

-
-
-
Network client hints

-
-
Network client hints allow a server to choose what information is sent based on the user choice and network bandwidth and latency.

-
-

-  
{{HTTPHeader("Downlink")}}

-  
Approximate bandwidth of the client's connection to the server, in Mbps. This is part of the Network Information API.

-  
{{HTTPHeader("ECT")}}

-  
The {{Glossary("effective connection type")}} ("network profile") that best matches the connection's latency and bandwidth. This is part of the Network Information API.

-  
{{HTTPHeader("RTT")}}

-  
Application layer round trip time (RTT) in miliseconds, which includes the server processing time. This is part of the Network Information API.

-  
{{HTTPHeader("Save-Data")}} {{experimental_inline}}

-  
A boolean that indicates the user agent's preference for reduced data usage.

- 

-
-
Conditionals

-
-

- 
{{HTTPHeader("Last-Modified")}}

- 
The last modification date of the resource, used to compare several versions of the same resource. It is less accurate than {{HTTPHeader("ETag")}}, but easier to calculate in some environments. Conditional requests using {{HTTPHeader("If-Modified-Since")}} and {{HTTPHeader("If-Unmodified-Since")}} use this value to change the behavior of the request.

- 
{{HTTPHeader("ETag")}}

- 
A unique string identifying the version of the resource. Conditional requests using {{HTTPHeader("If-Match")}} and {{HTTPHeader("If-None-Match")}} use this value to change the behavior of the request.

- 
{{HTTPHeader("If-Match")}}

- 
Makes the request conditional, and applies the method only if the stored resource matches one of the given ETags.

- 
{{HTTPHeader("If-None-Match")}}

- 
Makes the request conditional, and applies the method only if the stored resource doesn't match any of the given ETags. This is used to update caches (for safe requests), or to prevent to upload a new resource when one already exists.

- 
{{HTTPHeader("If-Modified-Since")}}

- 
Makes the request conditional, and expects the resource to be transmitted only if it has been modified after the given date. This is used to transmit data only when the cache is out of date.

- 
{{HTTPHeader("If-Unmodified-Since")}}

- 
Makes the request conditional, and expects the resource to be transmitted only if it has not been modified after the given date. This ensures the coherence of a new fragment of a specific range with previous ones, or to implement an optimistic concurrency control system when modifying existing documents.

- 
{{HTTPHeader("Vary")}}

- 
Determines how to match request headers to decide whether a cached response can be used rather than requesting a fresh one from the origin server.

-

-
-
Connection management

-
-

- 
{{HTTPHeader("Connection")}}

- 
Controls whether the network connection stays open after the current transaction finishes.

- 
{{HTTPHeader("Keep-Alive")}}

- 
Controls how long a persistent connection should stay open.

-

-
-
-
Content negotiation

-
-
Content negotiation headers.

-

- 
{{HTTPHeader("Accept")}}

- 
Informs the server about the {{Glossary("MIME_type", "types")}} of data that can be sent back.

- 
{{HTTPHeader("Accept-Encoding")}}

- 
The encoding algorithm, usually a compression algorithm, that can be used on the resource sent back.

- 
{{HTTPHeader("Accept-Language")}}

- 
Informs the server about the human language the server is expected to send back. This is a hint and is not necessarily under the full control of the user: the server should always pay attention not to override an explicit user choice (like selecting a language from a dropdown).

-

-
-
Controls

-
-

- 
{{HTTPHeader("Expect")}}

- 
Indicates expectations that need to be fulfilled by the server to properly handle the request.

- 
{{HTTPHeader("Max-Forwards")}}

- 
TBD

-

-
-
Cookies

-
-

- 
{{HTTPHeader("Cookie")}}

- 
Contains stored HTTP cookies previously sent by the server with the {{HTTPHeader("Set-Cookie")}} header.

- 
{{HTTPHeader("Set-Cookie")}}

- 
Send cookies from the server to the user-agent.

- 
{{HTTPHeader("Cookie2")}} {{deprecated_inline}}

- 
Contains an HTTP cookie previously sent by the server with the {{HTTPHeader("Set-Cookie2")}} header, but has been obsoleted. Use {{HTTPHeader("Cookie")}} instead.

- 
{{HTTPHeader("Set-Cookie2")}} {{deprecated_inline}}

- 
Sends cookies from the server to the user-agent, but has been obsoleted. Use {{HTTPHeader("Set-Cookie")}} instead.

-

-
-
CORS

-
-
Learn more about CORS here.

-
-

- 
{{HTTPHeader("Access-Control-Allow-Origin")}}

- 
Indicates whether the response can be shared.

- 
{{HTTPHeader("Access-Control-Allow-Credentials")}}

- 
Indicates whether the response to the request can be exposed when the credentials flag is true.

- 
{{HTTPHeader("Access-Control-Allow-Headers")}}

- 
Used in response to a {{Glossary("Preflight_request", "preflight request")}} to indicate which HTTP headers can be used when making the actual request.

- 
{{HTTPHeader("Access-Control-Allow-Methods")}}

- 
Specifies the methods allowed when accessing the resource in response to a preflight request.

- 
{{HTTPHeader("Access-Control-Expose-Headers")}}

- 
Indicates which headers can be exposed as part of the response by listing their names.

- 
{{HTTPHeader("Access-Control-Max-Age")}}

- 
Indicates how long the results of a preflight request can be cached.

- 
{{HTTPHeader("Access-Control-Request-Headers")}}

- 
Used when issuing a preflight request to let the server know which HTTP headers will be used when the actual request is made.

- 
{{HTTPHeader("Access-Control-Request-Method")}}

- 
Used when issuing a preflight request to let the server know which HTTP method will be used when the actual request is made.

- 
{{HTTPHeader("Origin")}}

- 
Indicates where a fetch originates from.

- 
{{HTTPHeader("Timing-Allow-Origin")}}

- 
Specifies origins that are allowed to see values of attributes retrieved via features of the Resource Timing API, which would otherwise be reported as zero due to cross-origin restrictions.

-

-
-
Downloads

-
-

- 
{{HTTPHeader("Content-Disposition")}}

- 
Indicates if the resource transmitted should be displayed inline (default behavior without the header), or if it should be handled like a download and the browser should present a “Save As” dialog.

-

-
-
Message body information

-
-

- 
{{HTTPHeader("Content-Length")}}

- 
The size of the resource, in decimal number of bytes.

- 
{{HTTPHeader("Content-Type")}}

- 
Indicates the media type of the resource.

- 
{{HTTPHeader("Content-Encoding")}}

- 
Used to specify the compression algorithm.

- 
{{HTTPHeader("Content-Language")}}

- 
Describes the human language(s) intended for the audience, so that it allows a user to differentiate according to the users' own preferred language.

- 
{{HTTPHeader("Content-Location")}}

- 
Indicates an alternate location for the returned data.

-

-
-
Proxies

-
-

- 
{{HTTPHeader("Forwarded")}}

- 
Contains information from the client-facing side of proxy servers that is altered or lost when a proxy is involved in the path of the request.

- 
{{HTTPHeader("X-Forwarded-For")}} {{non-standard_inline}}

- 
Identifies the originating IP addresses of a client connecting to a web server through an HTTP proxy or a load balancer.

- 
{{HTTPHeader("X-Forwarded-Host")}} {{non-standard_inline}}

- 
Identifies the original host requested that a client used to connect to your proxy or load balancer.

- 
{{HTTPHeader("X-Forwarded-Proto")}} {{non-standard_inline}}

- 
Identifies the protocol (HTTP or HTTPS) that a client used to connect to your proxy or load balancer.

- 
{{HTTPHeader("Via")}}

- 
Added by proxies, both forward and reverse proxies, and can appear in the request headers and the response headers.

-

-
-
Redirects

-
-

- 
{{HTTPHeader("Location")}}

- 
Indicates the URL to redirect a page to.

-

-
-
Request context

-
-

- 
{{HTTPHeader("From")}}

- 
Contains an Internet email address for a human user who controls the requesting user agent.

- 
{{HTTPHeader("Host")}}

- 
Specifies the domain name of the server (for virtual hosting), and (optionally) the TCP port number on which the server is listening.

- 
{{HTTPHeader("Referer")}}

- 
The address of the previous web page from which a link to the currently requested page was followed.

- 
{{HTTPHeader("Referrer-Policy")}}

- 
Governs which referrer information sent in the {{HTTPHeader("Referer")}} header should be included with requests made.

- 
{{HTTPHeader("User-Agent")}}

- 
Contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor or software version of the requesting software user agent. See also the Firefox user agent string reference.

-

-
-
Response context

-
-

- 
{{HTTPHeader("Allow")}}

- 
Lists the set of HTTP request methods supported by a resource.

- 
{{HTTPHeader("Server")}}

- 
Contains information about the software used by the origin server to handle the request.

-

-
-
Range requests

-
-

- 
{{HTTPHeader("Accept-Ranges")}}

- 
Indicates if the server supports range requests, and if so in which unit the range can be expressed.

- 
{{HTTPHeader("Range")}}

- 
Indicates the part of a document that the server should return.

- 
{{HTTPHeader("If-Range")}}

- 
Creates a conditional range request that is only fulfilled if the given etag or date matches the remote resource. Used to prevent downloading two ranges from incompatible version of the resource.

- 
{{HTTPHeader("Content-Range")}}

- 
Indicates where in a full body message a partial message belongs.

-

-
-
Security

-
-

- 
{{HTTPHeader("Cross-Origin-Embedder-Policy")}} (COEP)

- 
Allows a server to declare an embedder policy for a given document.

- 
{{HTTPHeader("Cross-Origin-Opener-Policy")}} (COOP)

- 
Prevents other domains from opening/controlling a window.

- 
{{HTTPHeader("Cross-Origin-Resource-Policy")}} (CORP)

- 
Prevents other domains from reading the response of the resources to which this header is applied.

- 
{{HTTPHeader("Content-Security-Policy")}} ({{Glossary("CSP")}})

- 
Controls resources the user agent is allowed to load for a given page.

- 
{{HTTPHeader("Content-Security-Policy-Report-Only")}}

- 
Allows web developers to experiment with policies by monitoring, but not enforcing, their effects. These violation reports consist of {{Glossary("JSON")}} documents sent via an HTTP POST request to the specified URI.

- 
{{HTTPHeader("Expect-CT")}}

- 
Allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that Chrome check that any certificate for that site appears in public CT logs.

- 
{{HTTPHeader("Feature-Policy")}}

- 
Provides a mechanism to allow and deny the use of browser features in its own frame, and in iframes that it embeds.

- 
{{HTTPHeader("Origin-Isolation")}} {{experimental_inline}}

- 
Provides a mechanism to allow web applications to isolate their origins.

- 
{{HTTPHeader("Strict-Transport-Security")}} ({{Glossary("HSTS")}})

- 
Force communication using HTTPS instead of HTTP.

- 
{{HTTPHeader("Upgrade-Insecure-Requests")}}

- 
Sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the {{CSP("upgrade-insecure-requests")}} directive.

- 
{{HTTPHeader("X-Content-Type-Options")}}

- 
Disables MIME sniffing and forces browser to use the type given in {{HTTPHeader("Content-Type")}}.

- 
{{HTTPHeader("X-Download-Options")}}

- 
The X-Download-Options HTTP header indicates that the browser (Internet Explorer) should not display the option to "Open" a file that has been downloaded from an application, to prevent phishing attacks as the file otherwise would gain access to execute in the context of the application. (Note: related MS Edge bug).

- 
{{HTTPHeader("X-Frame-Options")}} (XFO)

- 
Indicates whether a browser should be allowed to render a page in a {{HTMLElement("frame")}}, {{HTMLElement("iframe")}}, {{HTMLElement("embed")}} or {{HTMLElement("object")}}.

- 
{{HTTPHeader("X-Permitted-Cross-Domain-Policies")}}

- 
Specifies if a cross-domain policy file (crossdomain.xml) is allowed. The file may define a policy to grant clients, such as Adobe's Flash Player (now obsolete), Adobe Acrobat, Microsoft Silverlight (now obsolete), or Apache Flex, permission to handle data across domains that would otherwise be restricted due to the Same-Origin Policy. See the Cross-domain Policy File Specification for more information.

- 
{{HTTPHeader("X-Powered-By")}}

- 
May be set by hosting environments or other frameworks and contains information about them while not providing any usefulness to the application or its visitors. Unset this header to avoid exposing potential vulnerabilities.

- 
{{HTTPHeader("X-XSS-Protection")}}

- 
Enables cross-site scripting filtering.

-

-
-
HTTP Public Key Pinning (HPKP)

-
-
{{Glossary("HPKP", "HTTP Public Key Pinning")}} has been deprecated and removed in favor of Certificate Transparency and {{HTTPHeader("Expect-CT")}}.

-
-

- 
{{HTTPHeader("Public-Key-Pins")}}

- 
Associates a specific cryptographic public key with a certain web server to decrease the risk of {{Glossary("MITM")}} attacks with forged certificates.

- 
{{HTTPHeader("Public-Key-Pins-Report-Only")}}

- 
Sends reports to the report-uri specified in the header and does still allow clients to connect to the server even if the pinning is violated.

-

-
-
Fetch metadata request headers

-
-
{{Glossary("Fetch metadata request header", "Fetch metadata request headers")}} provides information about the context from which the request originated. This allows a server to make decisions about whether a request should be allowed based on where the request came from and how the resource will be used.

-
-

- 
{{HTTPHeader("Sec-Fetch-Site")}}

- 
It is a request header that indicates the relationship between a request initiator's origin and its target's origin. It is a Structured Header whose value is a token with possible values cross-site, same-origin, same-site, and none.

- 
{{HTTPHeader("Sec-Fetch-Mode")}}

- 
It is a request header that indicates the request's mode to a server. It is a Structured Header whose value is a token with possible values cors, navigate, no-cors, same-origin, and websocket.

- 
{{HTTPHeader("Sec-Fetch-User")}}

- 
It is a request header that indicates whether or not a navigation request was triggered by user activation. It is a Structured Header whose value is a boolean so possible values are ?0 for false and ?1 for true.

- 
{{HTTPHeader("Sec-Fetch-Dest")}}

- 
It is a request header that indicates the request's destination to a server. It is a Structured Header whose value is a token with possible values audio, audioworklet, document, embed, empty, font, image, manifest, object, paintworklet, report, script, serviceworker, sharedworker, style, track, video, worker, and xslt.

-

-
-
Server-sent events

-
-

- 
{{HTTPHeader("Last-Event-ID")}}

- 
TBD

- 
{{HTTPHeader("NEL")}} {{experimental_inline}}

- 
Defines a mechanism that enables developers to declare a network error reporting policy.

- 
{{HTTPHeader("Ping-From")}}

- 
TBD

- 
{{HTTPHeader("Ping-To")}}

- 
TBD

- 
{{HTTPHeader("Report-To")}}

- 
Used to specify a server endpoint for the browser to send warning and error reports to.

-

-
-
Transfer coding

-
-

- 
{{HTTPHeader("Transfer-Encoding")}}

- 
Specifies the form of encoding used to safely transfer the resource to the user.

- 
{{HTTPHeader("TE")}}

- 
Specifies the transfer encodings the user agent is willing to accept.

- 
{{HTTPHeader("Trailer")}}

- 
Allows the sender to include additional fields at the end of chunked message.

-

-
-
WebSockets

-
-

- 
{{HTTPHeader("Sec-WebSocket-Key")}}

- 
TBD

- 
{{HTTPHeader("Sec-WebSocket-Extensions")}}

- 
TBD

- 
{{HTTPHeader("Sec-WebSocket-Accept")}}

- 
TBD

- 
{{HTTPHeader("Sec-WebSocket-Protocol")}}

- 
TBD

- 
{{HTTPHeader("Sec-WebSocket-Version")}}

- 
TBD

-

-
-
Other

-
-

- 
{{HTTPHeader("Accept-Push-Policy")}} {{experimental_inline}}

- 
A client can express the desired push policy for a request by sending an Accept-Push-Policy header field in the request.

- 
{{HTTPHeader("Accept-Signature")}} {{experimental_inline}}

- 
A client can send the Accept-Signature header field to indicate intention to take advantage of any available signatures and to indicate what kinds of signatures it supports.

- 
{{HTTPHeader("Alt-Svc")}}

- 
Used to list alternate ways to reach this service.

- 
{{HTTPHeader("Date")}}

- 
Contains the date and time at which the message was originated.

- 
{{HTTPHeader("Early-Data")}} {{experimental_inline}}

- 
Indicates that the request has been conveyed in TLS early data.

- 
{{HTTPHeader("Large-Allocation")}}

- 
Tells the browser that the page being loaded is going to want to perform a large allocation.

- 
{{HTTPHeader("Link")}}

- 
The Link entity-header field provides a means for serialising one or more links in HTTP headers. It is semantically equivalent to the HTML {{HTMLElement("link")}} element.

- 
{{HTTPHeader("Push-Policy")}} {{experimental_inline}}

- 
A Push-Policy defines the server behavior regarding push when processing a request.

- 
{{HTTPHeader("Retry-After")}}

- 
Indicates how long the user agent should wait before making a follow-up request.

- 
{{HTTPHeader("Signature")}} {{experimental_inline}}

- 
The Signature header field conveys a list of signatures for an exchange, each one accompanied by information about how to determine the authority of and refresh that signature.

- 
{{HTTPHeader("Signed-Headers")}} {{experimental_inline}}

- 
The Signed-Headers header field identifies an ordered list of response header fields to include in a signature.

- 
{{HTTPHeader("Server-Timing")}}

- 
Communicates one or more metrics and descriptions for the given request-response cycle.

- 
{{HTTPHeader("Service-Worker-Allowed")}}

- 
Used to remove the path restriction by including this header in the response of the Service Worker script.

- 
{{HTTPHeader("SourceMap")}}

- 
Links generated code to a source map.

- 
{{HTTPHeader("Upgrade")}}

- 
The relevant RFC document for the Upgrade header field is RFC 7230, section 6.7. The standard establishes rules for upgrading or changing to a different protocol on the current client, server, transport protocol connection. For example, this header standard allows a client to change from HTTP 1.1 to HTTP 2.0, assuming the server decides to acknowledge and implement the Upgrade header field. Neither party is required to accept the terms specified in the Upgrade header field. It can be used in both client and server headers. If the Upgrade header field is specified, then the sender MUST also send the Connection header field with the upgrade option specified. For details on the Connection header field please see section 6.1 of the aforementioned RFC.

- 
{{HTTPHeader("X-DNS-Prefetch-Control")}}

- 
Controls DNS prefetching, a feature by which browsers proactively perform domain name resolution on both links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth.

- 
{{HTTPHeader("X-Firefox-Spdy")}} {{deprecated_inline}} {{non-standard_inline}}

- 
TBD

- 
{{HTTPHeader("X-Pingback")}} {{non-standard_inline}}

- 
TBD

- 
{{HTTPHeader("X-Requested-With")}}

- 
TBD

- 
{{HTTPHeader("X-Robots-Tag")}}{{non-standard_inline}}

- 
The X-Robots-Tag HTTP header is used to indicate how a web page is to be indexed within public search engine results. The header is effectively equivalent to <meta name="robots" content="...">.

- 
{{HTTPHeader("X-UA-Compatible")}} {{non-standard_inline}}

- 
Used by Internet Explorer to signal which document mode to use.

-

-
-
Contributing

-
-
You can help by writing new entries or improving the existing ones.

-
-
See also

-
-
+{{HTTPSidebar}}
+
+**HTTP headers** let the client and the server pass additional information with an HTTP request or response. An HTTP header consists of its case-insensitive name followed by a colon (`:`), then by its value. {{Glossary("Whitespace")}} before the value is ignored.
+
+Custom proprietary headers have historically been used with an `X-` prefix, but this convention was deprecated in June 2012 because of the inconveniences it caused when nonstandard fields became standard in [RFC 6648](https://datatracker.ietf.org/doc/html/rfc6648); others are listed in an [IANA registry](https://www.iana.org/assignments/message-headers/perm-headers.html), whose original content was defined in [RFC 4229](https://datatracker.ietf.org/doc/html/rfc4229). IANA also maintains a [registry of proposed new HTTP headers](https://www.iana.org/assignments/message-headers/prov-headers.html).
+
+Headers can be grouped according to their contexts:
+
+- {{Glossary("Request header", "Request headers")}} contain more information about the resource to be fetched, or about the client requesting the resource.
+- {{Glossary("Response header", "Response headers")}} hold additional information about the response, like its location or about the server providing it.
+- {{Glossary("Representation header", "Representation headers")}} contain information about the body of the resource, like its [MIME type](/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types), or encoding/compression applied.
+- {{Glossary("Payload header","Payload headers")}} contain representation-independent information about payload data, including content length and the encoding used for transport.
+
+Headers can also be grouped according to how {{Glossary("Proxy_server", "proxies")}} handle them:
+
+- {{ httpheader("Connection") }}
+- {{ httpheader("Keep-Alive") }}
+- {{ httpheader("Proxy-Authenticate") }}
+- {{ httpheader("Proxy-Authorization") }}
+- {{ httpheader("TE") }}
+- {{ httpheader("Trailer") }}
+- {{ httpheader("Transfer-Encoding") }}
+- {{ httpheader("Upgrade") }} (see also [Protocol upgrade mechanism](/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism)).
+
+
+
+- End-to-end headers
+  - : These headers _must_ be transmitted to the final recipient of the message: the server for a request, or the client for a response. Intermediate proxies must retransmit these headers unmodified and caches must store them.
+- Hop-by-hop headers
+  - : These headers are meaningful only for a single transport-level connection, and _must not_ be retransmitted by proxies or cached. Note that only hop-by-hop headers may be set using the {{httpheader("Connection")}} header.
+
+## Authentication
+
+- {{HTTPHeader("WWW-Authenticate")}}
+  - : Defines the authentication method that should be used to access a resource.
+- {{HTTPHeader("Authorization")}}
+  - : Contains the credentials to authenticate a user-agent with a server.
+- {{HTTPHeader("Proxy-Authenticate")}}
+  - : Defines the authentication method that should be used to access a resource behind a proxy server.
+- {{HTTPHeader("Proxy-Authorization")}}
+  - : Contains the credentials to authenticate a user agent with a proxy server.
+
+## Caching
+
+- {{HTTPHeader("Age")}}
+  - : The time, in seconds, that the object has been in a proxy cache.
+- {{HTTPHeader("Cache-Control")}}
+  - : Directives for caching mechanisms in both requests and responses.
+- {{HTTPHeader("Clear-Site-Data")}}
+  - : Clears browsing data (e.g. cookies, storage, cache) associated with the requesting website.
+- {{HTTPHeader("Expires")}}
+  - : The date/time after which the response is considered stale.
+- {{HTTPHeader("Pragma")}}
+  - : Implementation-specific header that may have various effects anywhere along the request-response chain. Used for backwards compatibility with HTTP/1.0 caches where the `Cache-Control` header is not yet present.
+- {{HTTPHeader("Warning")}}
+  - : General warning information about possible problems.
+
+## Client hints
+
+HTTP {{Glossary("Client_hints", "Client hints")}} are a set of request headers that provide useful information about the client such as device type and network conditions, and allow servers to optimize what is served for those conditions.
+
+Servers proactively requests the client hint headers they are interested in from the client using {{HTTPHeader("Accept-CH")}}. The client may then choose to include the requested headers in subsequent requests.
+
+- {{HTTPHeader("Accept-CH")}} {{experimental_inline}}
+  - : Servers can advertise support for Client Hints using the `Accept-CH` header field or an equivalent HTML `` element with [`http-equi`v](/en-US/docs/Web/HTML/Element/meta#attr-http-equiv) attribute.
+- {{HTTPHeader("Accept-CH-Lifetime")}} {{experimental_inline}} {{deprecated_inline}}
+  - : Servers can ask the client to remember the set of Client Hints that the server supports for a specified period of time, to enable delivery of Client Hints on subsequent requests to the server’s origin.
+
+The different categories of client hints are listed below.
+
+### Device client hints
+
+- {{HTTPHeader("Content-DPR")}} {{deprecated_inline}}{{experimental_inline}}
+  - : Response header used to confirm the image device to pixel ratio in requests where the {{HTTPHeader("DPR")}} client hint was used to select an image resource.
+- {{HTTPHeader("Device-Memory")}} {{deprecated_inline}}{{experimental_inline}}
+  - : Approximate amount of available client RAM memory. This is part of the [Device Memory API](/en-US/docs/Web/API/Device_Memory_API).
+- {{HTTPHeader("DPR")}} {{deprecated_inline}}{{experimental_inline}}
+  - : Client device pixel ratio (DPR), which is the number of physical device pixels corresponding to every CSS pixel.
+- {{HTTPHeader("Viewport-Width")}} {{deprecated_inline}}{{experimental_inline}}
+  - : A number that indicates the layout viewport width in CSS pixels. The provided pixel value is a number rounded to the smallest following integer (i.e. ceiling value).
+- {{HTTPHeader("Width")}} {{deprecated_inline}}{{experimental_inline}}
+  - : The `Width` request header field is a number that indicates the desired resource width in physical pixels (i.e. intrinsic size of an image).
+
+### Network client hints
+
+Network client hints allow a server to choose what information is sent based on the user choice and network bandwidth and latency.
+
+- {{HTTPHeader("Downlink")}}
+  - : Approximate bandwidth of the client's connection to the server, in Mbps. This is part of the [Network Information API](/en-US/docs/Web/API/Network_Information_API).
+- {{HTTPHeader("ECT")}}
+  - : The {{Glossary("effective connection type")}} ("network profile") that best matches the connection's latency and bandwidth. This is part of the [Network Information API](/en-US/docs/Web/API/Network_Information_API).
+- {{HTTPHeader("RTT")}}
+  - : Application layer round trip time (RTT) in miliseconds, which includes the server processing time. This is part of the [Network Information API](/en-US/docs/Web/API/Network_Information_API).
+- {{HTTPHeader("Save-Data")}} {{experimental_inline}}
+  - : A boolean that indicates the user agent's preference for reduced data usage.
+
+## Conditionals
+
+- {{HTTPHeader("Last-Modified")}}
+  - : The last modification date of the resource, used to compare several versions of the same resource. It is less accurate than {{HTTPHeader("ETag")}}, but easier to calculate in some environments. Conditional requests using {{HTTPHeader("If-Modified-Since")}} and {{HTTPHeader("If-Unmodified-Since")}} use this value to change the behavior of the request.
+- {{HTTPHeader("ETag")}}
+  - : A unique string identifying the version of the resource. Conditional requests using {{HTTPHeader("If-Match")}} and {{HTTPHeader("If-None-Match")}} use this value to change the behavior of the request.
+- {{HTTPHeader("If-Match")}}
+  - : Makes the request conditional, and applies the method only if the stored resource matches one of the given ETags.
+- {{HTTPHeader("If-None-Match")}}
+  - : Makes the request conditional, and applies the method only if the stored resource _doesn't_ match any of the given ETags. This is used to update caches (for safe requests), or to prevent to upload a new resource when one already exists.
+- {{HTTPHeader("If-Modified-Since")}}
+  - : Makes the request conditional, and expects the resource to be transmitted only if it has been modified after the given date. This is used to transmit data only when the cache is out of date.
+- {{HTTPHeader("If-Unmodified-Since")}}
+  - : Makes the request conditional, and expects the resource to be transmitted only if it has not been modified after the given date. This ensures the coherence of a new fragment of a specific range with previous ones, or to implement an optimistic concurrency control system when modifying existing documents.
+- {{HTTPHeader("Vary")}}
+  - : Determines how to match request headers to decide whether a cached response can be used rather than requesting a fresh one from the origin server.
+
+## Connection management
+
+- {{HTTPHeader("Connection")}}
+  - : Controls whether the network connection stays open after the current transaction finishes.
+- {{HTTPHeader("Keep-Alive")}}
+  - : Controls how long a persistent connection should stay open.
+
+## Content negotiation
+
+[Content negotiation](/en-US/docs/Web/HTTP/Content_negotiation) headers.
+
+- {{HTTPHeader("Accept")}}
+  - : Informs the server about the {{Glossary("MIME_type", "types")}} of data that can be sent back.
+- {{HTTPHeader("Accept-Encoding")}}
+  - : The encoding algorithm, usually a [compression algorithm](/en-US/docs/Web/HTTP/Compression), that can be used on the resource sent back.
+- {{HTTPHeader("Accept-Language")}}
+  - : Informs the server about the human language the server is expected to send back. This is a hint and is not necessarily under the full control of the user: the server should always pay attention not to override an explicit user choice (like selecting a language from a dropdown).
+
+## Controls
+
+- {{HTTPHeader("Expect")}}
+  - : Indicates expectations that need to be fulfilled by the server to properly handle the request.
+- {{HTTPHeader("Max-Forwards")}}
+  - : TBD
+
+## Cookies
+
+- {{HTTPHeader("Cookie")}}
+  - : Contains stored [HTTP cookies](/en-US/docs/Web/HTTP/Cookies) previously sent by the server with the {{HTTPHeader("Set-Cookie")}} header.
+- {{HTTPHeader("Set-Cookie")}}
+  - : Send cookies from the server to the user-agent.
+- {{HTTPHeader("Cookie2")}} {{deprecated_inline}}
+  - : Contains an HTTP cookie previously sent by the server with the {{HTTPHeader("Set-Cookie2")}} header, but has been **obsoleted**. Use {{HTTPHeader("Cookie")}} instead.
+- {{HTTPHeader("Set-Cookie2")}} {{deprecated_inline}}
+  - : Sends cookies from the server to the user-agent, but has been **obsoleted**. Use {{HTTPHeader("Set-Cookie")}} instead.
+
+## CORS
+
+_Learn more about CORS [here](CORS)._
+
+- {{HTTPHeader("Access-Control-Allow-Origin")}}
+  - : Indicates whether the response can be shared.
+- {{HTTPHeader("Access-Control-Allow-Credentials")}}
+  - : Indicates whether the response to the request can be exposed when the credentials flag is true.
+- {{HTTPHeader("Access-Control-Allow-Headers")}}
+  - : Used in response to a {{Glossary("Preflight_request", "preflight request")}} to indicate which HTTP headers can be used when making the actual request.
+- {{HTTPHeader("Access-Control-Allow-Methods")}}
+  - : Specifies the methods allowed when accessing the resource in response to a preflight request.
+- {{HTTPHeader("Access-Control-Expose-Headers")}}
+  - : Indicates which headers can be exposed as part of the response by listing their names.
+- {{HTTPHeader("Access-Control-Max-Age")}}
+  - : Indicates how long the results of a preflight request can be cached.
+- {{HTTPHeader("Access-Control-Request-Headers")}}
+  - : Used when issuing a preflight request to let the server know which HTTP headers will be used when the actual request is made.
+- {{HTTPHeader("Access-Control-Request-Method")}}
+  - : Used when issuing a preflight request to let the server know which [HTTP method](/en-US/docs/Web/HTTP/Methods) will be used when the actual request is made.
+- {{HTTPHeader("Origin")}}
+  - : Indicates where a fetch originates from.
+- {{HTTPHeader("Timing-Allow-Origin")}}
+  - : Specifies origins that are allowed to see values of attributes retrieved via features of the [Resource Timing API](/en-US/docs/Web/API/Resource_Timing_API), which would otherwise be reported as zero due to cross-origin restrictions.
+
+## Downloads
+
+- {{HTTPHeader("Content-Disposition")}}
+  - : Indicates if the resource transmitted should be displayed inline (default behavior without the header), or if it should be handled like a download and the browser should present a “Save As” dialog.
+
+## Message body information
+
+- {{HTTPHeader("Content-Length")}}
+  - : The size of the resource, in decimal number of bytes.
+- {{HTTPHeader("Content-Type")}}
+  - : Indicates the media type of the resource.
+- {{HTTPHeader("Content-Encoding")}}
+  - : Used to specify the compression algorithm.
+- {{HTTPHeader("Content-Language")}}
+  - : Describes the human language(s) intended for the audience, so that it allows a user to differentiate according to the users' own preferred language.
+- {{HTTPHeader("Content-Location")}}
+  - : Indicates an alternate location for the returned data.
+
+## Proxies
+
+- {{HTTPHeader("Forwarded")}}
+  - : Contains information from the client-facing side of proxy servers that is altered or lost when a proxy is involved in the path of the request.
+- {{HTTPHeader("X-Forwarded-For")}} {{non-standard_inline}}
+  - : Identifies the originating IP addresses of a client connecting to a web server through an HTTP proxy or a load balancer.
+- {{HTTPHeader("X-Forwarded-Host")}} {{non-standard_inline}}
+  - : Identifies the original host requested that a client used to connect to your proxy or load balancer.
+- {{HTTPHeader("X-Forwarded-Proto")}} {{non-standard_inline}}
+  - : Identifies the protocol (HTTP or HTTPS) that a client used to connect to your proxy or load balancer.
+- {{HTTPHeader("Via")}}
+  - : Added by proxies, both forward and reverse proxies, and can appear in the request headers and the response headers.
+
+## Redirects
+
+- {{HTTPHeader("Location")}}
+  - : Indicates the URL to redirect a page to.
+
+## Request context
+
+- {{HTTPHeader("From")}}
+  - : Contains an Internet email address for a human user who controls the requesting user agent.
+- {{HTTPHeader("Host")}}
+  - : Specifies the domain name of the server (for virtual hosting), and (optionally) the TCP port number on which the server is listening.
+- {{HTTPHeader("Referer")}}
+  - : The address of the previous web page from which a link to the currently requested page was followed.
+- {{HTTPHeader("Referrer-Policy")}}
+  - : Governs which referrer information sent in the {{HTTPHeader("Referer")}} header should be included with requests made.
+- {{HTTPHeader("User-Agent")}}
+  - : Contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor or software version of the requesting software user agent. See also the [Firefox user agent string reference](/en-US/docs/Web/HTTP/Headers/User-Agent/Firefox).
+
+## Response context
+
+- {{HTTPHeader("Allow")}}
+  - : Lists the set of HTTP request methods supported by a resource.
+- {{HTTPHeader("Server")}}
+  - : Contains information about the software used by the origin server to handle the request.
+
+## Range requests
+
+- {{HTTPHeader("Accept-Ranges")}}
+  - : Indicates if the server supports range requests, and if so in which unit the range can be expressed.
+- {{HTTPHeader("Range")}}
+  - : Indicates the part of a document that the server should return.
+- {{HTTPHeader("If-Range")}}
+  - : Creates a conditional range request that is only fulfilled if the given etag or date matches the remote resource. Used to prevent downloading two ranges from incompatible version of the resource.
+- {{HTTPHeader("Content-Range")}}
+  - : Indicates where in a full body message a partial message belongs.
+
+## Security
+
+- {{HTTPHeader("Cross-Origin-Embedder-Policy")}} (COEP)
+  - : Allows a server to declare an embedder policy for a given document.
+- {{HTTPHeader("Cross-Origin-Opener-Policy")}} (COOP)
+  - : Prevents other domains from opening/controlling a window.
+- {{HTTPHeader("Cross-Origin-Resource-Policy")}} (CORP)
+  - : Prevents other domains from reading the response of the resources to which this header is applied.
+- {{HTTPHeader("Content-Security-Policy")}} ({{Glossary("CSP")}})
+  - : Controls resources the user agent is allowed to load for a given page.
+- {{HTTPHeader("Content-Security-Policy-Report-Only")}}
+  - : Allows web developers to experiment with policies by monitoring, but not enforcing, their effects. These violation reports consist of {{Glossary("JSON")}} documents sent via an HTTP `POST` request to the specified URI.
+- {{HTTPHeader("Expect-CT")}}
+  - : Allows sites to opt in to reporting and/or enforcement of Certificate Transparency requirements, which prevents the use of misissued certificates for that site from going unnoticed. When a site enables the Expect-CT header, they are requesting that Chrome check that any certificate for that site appears in public CT logs.
+- {{HTTPHeader("Feature-Policy")}}
+  - : Provides a mechanism to allow and deny the use of browser features in its own frame, and in iframes that it embeds.
+- {{HTTPHeader("Origin-Isolation")}} {{experimental_inline}}
+  - : Provides a mechanism to allow web applications to isolate their origins.
+- {{HTTPHeader("Strict-Transport-Security")}} ({{Glossary("HSTS")}})
+  - : Force communication using HTTPS instead of HTTP.
+- {{HTTPHeader("Upgrade-Insecure-Requests")}}
+  - : Sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the {{CSP("upgrade-insecure-requests")}} directive.
+- {{HTTPHeader("X-Content-Type-Options")}}
+  - : Disables MIME sniffing and forces browser to use the type given in {{HTTPHeader("Content-Type")}}.
+- {{HTTPHeader("X-Download-Options")}}
+  - : The [`X-Download-Options`]() HTTP header indicates that the browser (Internet Explorer) should not display the option to "Open" a file that has been downloaded from an application, to prevent phishing attacks as the file otherwise would gain access to execute in the context of the application. (Note: related [MS Edge bug](https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/18488178/)).
+- {{HTTPHeader("X-Frame-Options")}} (XFO)
+  - : Indicates whether a browser should be allowed to render a page in a {{HTMLElement("frame")}}, {{HTMLElement("iframe")}}, {{HTMLElement("embed")}} or {{HTMLElement("object")}}.
+- {{HTTPHeader("X-Permitted-Cross-Domain-Policies")}}
+  - : Specifies if a cross-domain policy file (`crossdomain.xml`) is allowed. The file may define a policy to grant clients, such as Adobe's Flash Player (now obsolete), Adobe Acrobat, Microsoft Silverlight (now obsolete), or Apache Flex, permission to handle data across domains that would otherwise be restricted due to the [Same-Origin Policy](/en-US/docs/Web/Security/Same-origin_policy). See the [Cross-domain Policy File Specification](https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html) for more information.
+- {{HTTPHeader("X-Powered-By")}}
+  - : May be set by hosting environments or other frameworks and contains information about them while not providing any usefulness to the application or its visitors. Unset this header to avoid exposing potential vulnerabilities.
+- {{HTTPHeader("X-XSS-Protection")}}
+  - : Enables cross-site scripting filtering.
+
+### HTTP Public Key Pinning (HPKP)
+
+{{Glossary("HPKP", "HTTP Public Key Pinning")}} has been deprecated and removed in favor of Certificate Transparency and {{HTTPHeader("Expect-CT")}}.
+
+- {{HTTPHeader("Public-Key-Pins")}}
+  - : Associates a specific cryptographic public key with a certain web server to decrease the risk of {{Glossary("MITM")}} attacks with forged certificates.
+- {{HTTPHeader("Public-Key-Pins-Report-Only")}}
+  - : Sends reports to the report-uri specified in the header and does still allow clients to connect to the server even if the pinning is violated.
+
+### Fetch metadata request headers
+
+{{Glossary("Fetch metadata request header", "Fetch metadata request headers")}} provides information about the context from which the request originated. This allows a server to make decisions about whether a request should be allowed based on where the request came from and how the resource will be used.
+
+- {{HTTPHeader("Sec-Fetch-Site")}}
+  - : It is a request header that indicates the relationship between a request initiator's origin and its target's origin. It is a Structured Header whose value is a token with possible values `cross-site`, `same-origin`, `same-site`, and `none`.
+- {{HTTPHeader("Sec-Fetch-Mode")}}
+  - : It is a request header that indicates the request's mode to a server. It is a Structured Header whose value is a token with possible values `cors`, `navigate`, `no-cors`, `same-origin`, and `websocket`.
+- {{HTTPHeader("Sec-Fetch-User")}}
+  - : It is a request header that indicates whether or not a navigation request was triggered by user activation. It is a Structured Header whose value is a boolean so possible values are `?0` for false and `?1` for true.
+- {{HTTPHeader("Sec-Fetch-Dest")}}
+  - : It is a request header that indicates the request's destination to a server. It is a Structured Header whose value is a token with possible values `audio`, `audioworklet`, `document`, `embed`, `empty`, `font`, `image`, `manifest`, `object`, `paintworklet`, `report`, `script`, `serviceworker`, `sharedworker`, `style`, `track`, `video`, `worker`, and `xslt`.
+
+## Server-sent events
+
+- {{HTTPHeader("Last-Event-ID")}}
+  - : TBD
+- {{HTTPHeader("NEL")}} {{experimental_inline}}
+  - : Defines a mechanism that enables developers to declare a network error reporting policy.
+- {{HTTPHeader("Ping-From")}}
+  - : TBD
+- {{HTTPHeader("Ping-To")}}
+  - : TBD
+- {{HTTPHeader("Report-To")}}
+  - : Used to specify a server endpoint for the browser to send warning and error reports to.
+
+## Transfer coding
+
+- {{HTTPHeader("Transfer-Encoding")}}
+  - : Specifies the form of encoding used to safely transfer the resource to the user.
+- {{HTTPHeader("TE")}}
+  - : Specifies the transfer encodings the user agent is willing to accept.
+- {{HTTPHeader("Trailer")}}
+  - : Allows the sender to include additional fields at the end of chunked message.
+
+## WebSockets
+
+- {{HTTPHeader("Sec-WebSocket-Key")}}
+  - : TBD
+- {{HTTPHeader("Sec-WebSocket-Extensions")}}
+  - : TBD
+- {{HTTPHeader("Sec-WebSocket-Accept")}}
+  - : TBD
+- {{HTTPHeader("Sec-WebSocket-Protocol")}}
+  - : TBD
+- {{HTTPHeader("Sec-WebSocket-Version")}}
+  - : TBD
+
+## Other
+
+- {{HTTPHeader("Accept-Push-Policy")}} {{experimental_inline}}
+  - : A client can express the desired push policy for a request by sending an [`Accept-Push-Policy`](https://datatracker.ietf.org/doc/html/draft-ruellan-http-accept-push-policy-00#section-3.1) header field in the request.
+- {{HTTPHeader("Accept-Signature")}} {{experimental_inline}}
+  - : A client can send the [`Accept-Signature`](https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#rfc.section.3.7) header field to indicate intention to take advantage of any available signatures and to indicate what kinds of signatures it supports.
+- {{HTTPHeader("Alt-Svc")}}
+  - : Used to list alternate ways to reach this service.
+- {{HTTPHeader("Date")}}
+  - : Contains the date and time at which the message was originated.
+- {{HTTPHeader("Early-Data")}} {{experimental_inline}}
+  - : Indicates that the request has been conveyed in TLS early data.
+- {{HTTPHeader("Large-Allocation")}}
+  - : Tells the browser that the page being loaded is going to want to perform a large allocation.
+- {{HTTPHeader("Link")}}
+  - : The [`Link`](https://datatracker.ietf.org/doc/html/rfc5988#section-5) entity-header field provides a means for serialising one or more links in HTTP headers. It is semantically equivalent to the HTML {{HTMLElement("link")}} element.
+- {{HTTPHeader("Push-Policy")}} {{experimental_inline}}
+  - : A [`Push-Policy`](https://datatracker.ietf.org/doc/html/draft-ruellan-http-accept-push-policy-00#section-3.2) defines the server behavior regarding push when processing a request.
+- {{HTTPHeader("Retry-After")}}
+  - : Indicates how long the user agent should wait before making a follow-up request.
+- {{HTTPHeader("Signature")}} {{experimental_inline}}
+  - : The [`Signature`](https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#rfc.section.3.1) header field conveys a list of signatures for an exchange, each one accompanied by information about how to determine the authority of and refresh that signature.
+- {{HTTPHeader("Signed-Headers")}} {{experimental_inline}}
+  - : The [`Signed-Headers`](https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#rfc.section.5.1.2) header field identifies an ordered list of response header fields to include in a signature.
+- {{HTTPHeader("Server-Timing")}}
+  - : Communicates one or more metrics and descriptions for the given request-response cycle.
+- {{HTTPHeader("Service-Worker-Allowed")}}
+  - : Used to remove the [path restriction](https://w3c.github.io/ServiceWorker/#path-restriction) by including this header [in the response of the Service Worker script](https://w3c.github.io/ServiceWorker/#service-worker-script-response).
+- {{HTTPHeader("SourceMap")}}
+  - : Links generated code to a [source map](/en-US/docs/Tools/Debugger/How_to/Use_a_source_map).
+- {{HTTPHeader("Upgrade")}}
+  - : The relevant RFC document for the [Upgrade header field is RFC 7230, section 6.7](https://datatracker.ietf.org/doc/html/rfc7230#section-6.7). The standard establishes rules for upgrading or changing to a different protocol on the current client, server, transport protocol connection. For example, this header standard allows a client to change from HTTP 1.1 to HTTP 2.0, assuming the server decides to acknowledge and implement the Upgrade header field. Neither party is required to accept the terms specified in the Upgrade header field. It can be used in both client and server headers. If the Upgrade header field is specified, then the sender MUST also send the Connection header field with the upgrade option specified. For details on the Connection header field [please see section 6.1 of the aforementioned RFC](https://datatracker.ietf.org/doc/html/rfc7230#section-6.1).
+- {{HTTPHeader("X-DNS-Prefetch-Control")}}
+  - : Controls DNS prefetching, a feature by which browsers proactively perform domain name resolution on both links that the user may choose to follow as well as URLs for items referenced by the document, including images, CSS, JavaScript, and so forth.
+- {{HTTPHeader("X-Firefox-Spdy")}} {{deprecated_inline}} {{non-standard_inline}}
+  - : TBD
+- {{HTTPHeader("X-Pingback")}} {{non-standard_inline}}
+  - : TBD
+- {{HTTPHeader("X-Requested-With")}}
+  - : TBD
+- {{HTTPHeader("X-Robots-Tag")}}{{non-standard_inline}}
+  - : The [`X-Robots-Tag`](https://developers.google.com/search/reference/robots_meta_tag#xrobotstag) HTTP header is used to indicate how a web page is to be indexed within public search engine results. The header is effectively equivalent to ``.
+- {{HTTPHeader("X-UA-Compatible")}} {{non-standard_inline}}
+  - : Used by Internet Explorer to signal which document mode to use.
+
+## Contributing
+
+You can help by [writing new entries](/en-US/docs/MDN/Contribute/Howto/Document_an_HTTP_header) or improving the existing ones.
+
+## See also
+
+- [Wikipedia page on List of HTTP headers](https://en.wikipedia.org/wiki/List_of_HTTP_header_fields)
+- [IANA registry](https://www.iana.org/assignments/message-headers/perm-headers.html)
+- [HTTP Working Group](https://httpwg.org/specs/)
diff --git a/files/en-us/web/http/headers/keep-alive/index.md b/files/en-us/web/http/headers/keep-alive/index.md
index a4087bf4466ec8a..7bed22ca0b9d491 100644
--- a/files/en-us/web/http/headers/keep-alive/index.md
+++ b/files/en-us/web/http/headers/keep-alive/index.md
@@ -9,74 +9,70 @@ tags:
   - Reference
 browser-compat: http.headers.Keep-Alive
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Keep-Alive general header allows the sender to hint about how the connection may be used to set a timeout and a maximum amount of requests.

+The **`Keep-Alive`** general header allows the sender to hint about how the connection may be used to set a timeout and a maximum amount of requests.
 
-

-  
Note: The {{HTTPHeader("Connection")}} header needs to be set to "keep-alive" for this header to have any meaning.

-

+> **Note:** The {{HTTPHeader("Connection")}} header needs to be set to "keep-alive" for this header to have any meaning.
 
-

-  
Warning: Connection-specific header fields such as {{HTTPHeader("Connection")}} and {{HTTPHeader("Keep-Alive")}} are prohibited in HTTP/2. Chrome and Firefox ignore them in HTTP/2 responses, but Safari conforms to the HTTP/2 spec requirements and won't load any response which contains them.

-

+> **Warning:** Connection-specific header fields such as {{HTTPHeader("Connection")}} and {{HTTPHeader("Keep-Alive")}} are [prohibited in HTTP/2](https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.2). Chrome and Firefox ignore them in HTTP/2 responses, but Safari conforms to the HTTP/2 spec requirements and won't load any response which contains them.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Request header")}}, {{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}yes
Header type
+        {{Glossary("Request header")}},
+        {{Glossary("Response header")}}
+      
{{Glossary("Forbidden header name")}}yes

 

 
-
Syntax

+## Syntax
 
-
Keep-Alive: parameters

+```html
+Keep-Alive: parameters
+```
 
-
Directives

+## Directives
 
-

- 
parameters

- 
A comma-separated list of parameters, each consisting of an identifier and a value separated by the equal sign ('='). The following identifiers are possible:
- 
    
-  
  • timeout: An integer representing the time in seconds that the host will allow an idle connection to remain open before it is closed. A connection is idle if no data is sent or received by a host. A host may keep an idle connection open for longer than timeout seconds, but the host should attempt to retain a connection for at least timeout seconds.
    • 
-  
  • max: indicating the maximum number of requests that can be sent on this connection before closing it. Unless 0, this value is ignored for non-pipelined connections as another request will be sent in the next response. An HTTP pipeline can use it to limit the pipelining.
    • 
- 

- 

-

+- `parameters`
 
-
Examples

+  - : A comma-separated list of parameters, each consisting of an identifier and a value separated by the equal sign (`'='`). The following identifiers are possible:
 
-
A response containing a Keep-Alive header:

+    - `timeout`: An integer representing the time in seconds that the host will allow an idle connection to remain open before it is closed. A connection is idle if no data is sent or received by a host. A host may keep an idle connection open for longer than `timeout` seconds, but the host should attempt to retain a connection for at least `timeout` seconds.
+    - `max`: indicating the maximum number of requests that can be sent on this connection before closing it. Unless `0`, this value is ignored for non-pipelined connections as another request will be sent in the next response. An HTTP pipeline can use it to limit the pipelining.
 
-
HTTP/1.1 200 OK
-Connection: Keep-Alive
-Content-Encoding: gzip
-Content-Type: text/html; charset=utf-8
-Date: Thu, 11 Aug 2016 15:23:13 GMT
-Keep-Alive: timeout=5, max=1000
-Last-Modified: Mon, 25 Jul 2016 04:32:39 GMT
-Server: Apache
+## Examples
 
-(body)

+A response containing a `Keep-Alive` header:
 
-
Specifications

+    HTTP/1.1 200 OK
+    Connection: Keep-Alive
+    Content-Encoding: gzip
+    Content-Type: text/html; charset=utf-8
+    Date: Thu, 11 Aug 2016 15:23:13 GMT
+    Keep-Alive: timeout=5, max=1000
+    Last-Modified: Mon, 25 Jul 2016 04:32:39 GMT
+    Server: Apache
+
+    (body)
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Connection")}}
+- [Connection management in HTTP/1.x](/en-US/docs/Web/HTTP/Connection_management_in_HTTP_1.x)
+- [Keep-Alive Header](https://datatracker.ietf.org/doc/html/draft-thomson-hybi-http-timeout-03#section-2) IETF Internet Draft
diff --git a/files/en-us/web/http/headers/large-allocation/index.md b/files/en-us/web/http/headers/large-allocation/index.md
index aad7e7d8b26abc0..5efd6ba83cca979 100644
--- a/files/en-us/web/http/headers/large-allocation/index.md
+++ b/files/en-us/web/http/headers/large-allocation/index.md
@@ -10,19 +10,18 @@ tags:
   - header
 browser-compat: http.headers.Large-Allocation
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The non-standard Large-Allocation response header tells
-  the browser that the page being loaded is going to want to perform a large allocation.
-  It is currently only implemented in Firefox, but is harmless to send to every browser.
-

+The non-standard **`Large-Allocation`** response header tells
+the browser that the page being loaded is going to want to perform a large allocation.
+It is currently only implemented in Firefox, but is harmless to send to every browser.
 
-
WebAssembly or asm.js applications can use large
-  contiguous blocks of allocated memory. For complex games, for example, these allocations
-  can be quite large, sometimes as large as 1GB. The Large-Allocation tells
-  the browser that the web content in the to-be-loaded page is going to want to perform a
-  large contiguous memory allocation and the browser can react to this header by starting
-  a dedicated process for the to-be-loaded document, for example.

+[WebAssembly](/en-US/docs/WebAssembly) or asm.js applications can use large
+contiguous blocks of allocated memory. For complex games, for example, these allocations
+can be quite large, sometimes as large as 1GB. The `Large-Allocation` tells
+the browser that the web content in the to-be-loaded page is going to want to perform a
+large contiguous memory allocation and the browser can react to this header by starting
+a dedicated process for the to-be-loaded document, for example.
 
 
@@ -37,96 +36,86 @@ browser-compat: http.headers.Large-Allocation
   

   
 

 
-
Syntax

+## Syntax
 
-
Large-Allocation: 0
-Large-Allocation: <megabytes>
-

+```html
+Large-Allocation: 0
+Large-Allocation: 
+```
 
-
Directives

+## Directives
 
-

-  
0

-  
0 is a special value which represents uncertainty as to what the size of the
-    allocation is.

-  
<megabytes>

-  
The expected size of the allocation to be performed, in megabytes.

-

+- `0`
+  - : 0 is a special value which represents uncertainty as to what the size of the
+    allocation is.
+- ``
+  - : The expected size of the allocation to be performed, in megabytes.
 
-
Examples

+## Examples
 
-
Large-Allocation: 0
-Large-Allocation: 500
-

+    Large-Allocation: 0
+    Large-Allocation: 500
 
-
Troubleshooting errors

+## Troubleshooting errors
 
-
The Large-Allocation header throws warnings or error messages when used
-  incorrectly. You'll encounter them in the web
-    console.

+The `Large-Allocation` header throws warnings or error messages when used
+incorrectly. You'll encounter them in the [web
+console](/en-US/docs/Tools/Web_Console).
 
-

-  
This page was loaded in a new process due to a Large-Allocation header.
-  

-  
This message means that the browser saw the Large-Allocation header,
+- This page was loaded in a new process due to a `Large-Allocation` header.
+  - : This message means that the browser saw the `Large-Allocation` header,
     and was able to reload the page into a new process which should have more available
-    contiguous memory.

-  
A Large-Allocation header was ignored due to the load being triggered
-    by a non-GET request.

-  
When a {{HTTPMethod("POST")}} request is used to load a document, that load cannot
+    contiguous memory.
+- A `Large-Allocation` header was ignored due to the load being triggered
+  by a non-GET request.
+  - : When a {{HTTPMethod("POST")}} request is used to load a document, that load cannot
     currently be redirected into a new process. This error is displayed when loading a
-    document with a Large-Allocation header with a non-GET HTTP method. This
+    document with a `Large-Allocation` header with a non-GET HTTP method. This
     could be caused due to the document being loaded by a form submission, for example.
-  

-  
A Large-Allocation header was ignored due to the presence of windows
-    which have a reference to this browsing context through the frame hierarchy or
-    {{domxref("window.opener")}}.

-  

-    
This error means that the document was not loaded at the top level of an
-      user-opened or noopener-opened tab or window. It can occur in these situations:

-
-    
    
-      
  • The document with the Large-Allocation header was loaded in an
-        {{HTMLElement("iframe")}}. Firefox cannot move an iframe into a new process
-        currently, so the document must load in the current process.
    • 
-      
  • The document with the Large-Allocation header was loaded in a
-        window which was opened by {{domxref("window.open()")}},
-        <a target="_blank"> or other similar methods without
-        rel="noopener" or the "noopener" feature being set.
-        These windows must remain in the same process as their opener, as they can
-        communicate, meaning that we cannot allow them to switch processes.
    • 
-      
  • The document with the Large-Allocation header has opened another
-        window with {{domxref("window.open()")}}, <a target="_blank">
-        or other similar methods without rel="noopener" or the
-        "noopener" feature being set. This is for the same reason as above,
-        namely that they can communicate and thus we cannot allow them to switch
-        processes.
    • 
-    

-  

-  
This page would be loaded in a new process due to a Large-Allocation
-    header, however Large-Allocation process creation is disabled on
-    non-Win32 platforms.

-  
Firefox currently only supports the Large-Allocation header in our
+- A `Large-Allocation` header was ignored due to the presence of windows
+  which have a reference to this browsing context through the frame hierarchy or
+  {{domxref("window.opener")}}.
+
+  - : This error means that the document was not loaded at the top level of an
+    user-opened or noopener-opened tab or window. It can occur in these situations:
+
+    - The document with the `Large-Allocation` header was loaded in an
+      {{HTMLElement("iframe")}}. Firefox cannot move an iframe into a new process
+      currently, so the document must load in the current process.
+    - The document with the `Large-Allocation` header was loaded in a
+      window which was opened by {{domxref("window.open()")}},
+      `` or other similar methods without
+      `rel="noopener"` or the `"noopener"` feature being set.
+      These windows must remain in the same process as their opener, as they can
+      communicate, meaning that we cannot allow them to switch processes.
+    - The document with the `Large-Allocation header` has opened another
+      window with {{domxref("window.open()")}}, ``
+      or other similar methods without `rel="noopener"` or the
+      `"noopener"` feature being set. This is for the same reason as above,
+      namely that they can communicate and thus we cannot allow them to switch
+      processes.
+
+- This page would be loaded in a new process due to a `Large-Allocation`
+  header, however `Large-Allocation` process creation is disabled on
+  non-Win32 platforms.
+
+  - : Firefox currently only supports the `Large-Allocation` header in our
     32-bit Windows builds, as memory fragmentation is not an issue in 64-bit builds. If
     you are running a non-win32 version of Firefox, this error will appear. This check can
     be disabled with the "dom.largeAllocation.
-    
forceEnable" boolean preferece in about:config.

-  

-

 
-
Specifications

+    forceEnable" boolean preferece in about:config.
 
-
Not part of any current specifications. An explainer of the ideas behind this header
-  can be found in this
-    document.

+## Specifications
 
-
Browser compatibility

+Not part of any current specifications. An explainer of the ideas behind this header
+can be found in [this
+document](https://gist.github.com/mystor/5739e222e398efc6c29108be55eb6fe3).
 
-
{{Compat}}

+## Browser compatibility
 
-
See also

+{{Compat}}
 
-
+## See also
+
+- [WebAssembly](/en-US/docs/WebAssembly)
diff --git a/files/en-us/web/http/headers/last-modified/index.md b/files/en-us/web/http/headers/last-modified/index.md
index 20571df647c5515..9001eadaf4851c0 100644
--- a/files/en-us/web/http/headers/last-modified/index.md
+++ b/files/en-us/web/http/headers/last-modified/index.md
@@ -2,20 +2,20 @@
 title: Last-Modified
 slug: Web/HTTP/Headers/Last-Modified
 tags:
-- HTTP
-- HTTP Header
-- Reference
-- Response Header
+  - HTTP
+  - HTTP Header
+  - Reference
+  - Response Header
 browser-compat: http.headers.Last-Modified
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Last-Modified response HTTP header contains the date
-  and time at which the origin server believes the resource was last modified. It is used
-  as a validator to determine if a resource received or stored is the same. Less accurate
-  than an {{HTTPHeader("ETag")}} header, it is a fallback mechanism. Conditional requests
-  containing {{HTTPHeader("If-Modified-Since")}} or {{HTTPHeader("If-Unmodified-Since")}}
-  headers make use of this field.

+The **`Last-Modified`** response HTTP header contains the date
+and time at which the origin server believes the resource was last modified. It is used
+as a validator to determine if a resource received or stored is the same. Less accurate
+than an {{HTTPHeader("ETag")}} header, it is a fallback mechanism. Conditional requests
+containing {{HTTPHeader("If-Modified-Since")}} or {{HTTPHeader("If-Unmodified-Since")}}
+headers make use of this field.
 
 
@@ -28,59 +28,54 @@ browser-compat: http.headers.Last-Modified
       
-      
+      

   
no
     

     
{{Glossary("CORS-safelisted response header")}}
+        {{Glossary("CORS-safelisted response header")}}
+      
       yes
     

   
 

 
-
Syntax

+## Syntax
 
-
Last-Modified: <day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT
-

+```html
+Last-Modified: ,    :: GMT
+```
 
-
Directives

+## Directives
 
-

-  
<day-name>

-  
One of "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", or "Sun" (case-sensitive).

-  
<day>

-  
2 digit day number, e.g. "04" or "23".

-  
<month>

-  
One of "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov",
-    "Dec" (case sensitive).

-  
<year>

-  
4 digit year number, e.g. "1990" or "2016".

-  
<hour>

-  
2 digit hour number, e.g. "09" or "23".

-  
<minute>

-  
2 digit minute number, e.g. "04" or "59".

-  
<second>

-  
2 digit second number, e.g. "04" or "59".

-  
GMT

-  

-    
Greenwich Mean Time. HTTP dates are always expressed in GMT, never in local time.
-    

-  

-

+- \
+  - : One of "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", or "Sun" (case-sensitive).
+- \
+  - : 2 digit day number, e.g. "04" or "23".
+- \
+  - : One of "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov",
+    "Dec" (case sensitive).
+- \
+  - : 4 digit year number, e.g. "1990" or "2016".
+- \
+  - : 2 digit hour number, e.g. "09" or "23".
+- \
+  - : 2 digit minute number, e.g. "04" or "59".
+- \
+  - : 2 digit second number, e.g. "04" or "59".
+- `GMT`
+  - : Greenwich Mean Time. HTTP dates are always expressed in GMT, never in local time.
 
-
Examples

+## Examples
 
-
Last-Modified: Wed, 21 Oct 2015 07:28:00 GMT
-

+    Last-Modified: Wed, 21 Oct 2015 07:28:00 GMT
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("If-Modified-Since")}}
    • 
-  
  • {{HTTPHeader("If-Unmodified-Since")}}
    • 
-  
  • {{HTTPHeader("Etag")}}
    • 
-

+- {{HTTPHeader("If-Modified-Since")}}
+- {{HTTPHeader("If-Unmodified-Since")}}
+- {{HTTPHeader("Etag")}}
diff --git a/files/en-us/web/http/headers/link/index.md b/files/en-us/web/http/headers/link/index.md
index 4cd05ff43299182..66e81b6db920734 100644
--- a/files/en-us/web/http/headers/link/index.md
+++ b/files/en-us/web/http/headers/link/index.md
@@ -12,47 +12,49 @@ tags:
   - Reference
 browser-compat: http.headers.Link
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP Link entity-header field provides a means for serialising one or more links in HTTP headers. It is semantically equivalent to the HTML {{HTMLElement("link")}} element.

+The HTTP **`Link`** entity-header field provides a means for serialising one or more links in HTTP headers. It is semantically equivalent to the HTML {{HTMLElement("link")}} element.
 
-
Syntax

+## Syntax
 
-
Link: < uri-reference >; param1=value1; param2="value2"

+```html
+Link: < uri-reference >; param1=value1; param2="value2"
+```
 
-

- 
<uri-reference>

- 
The URI reference, must be enclosed between < and >.

-

+- ``
+  - : The URI reference, must be enclosed between `<` and `>`.
 
-
Parameters

+### Parameters
 
-
The link header contains parameters, which are separated with ; and are equivalent to attributes of the {{HTMLElement("link")}} element.

+The link header contains parameters, which are separated with `;` and are equivalent to attributes of the {{HTMLElement("link")}} element.
 
-
Examples

+## Examples
 
-
The URI (absolute or relative) must be enclosed between < and >:

+The URI (absolute or relative) must be enclosed between `<` and `>`:
 
-
Link: <https://example.com>; rel="preconnect"

+```plain example-good
+Link: ; rel="preconnect"
+```
 
-
Link: https://bad.example; rel="preconnect"

+```plain example-bad
+Link: https://bad.example; rel="preconnect"
+```
 
-
+### Specifying multiple links
 
-
You can specify multiple links separated by commas, for example:

+You can specify multiple links separated by commas, for example:
 
-
Link: <https://one.example.com>; rel="preconnect", <https://two.example.com>; rel="preconnect", <https://three.example.com>; rel="preconnect"

+    Link: ; rel="preconnect", ; rel="preconnect", ; rel="preconnect"
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPStatus(103, "103 Early Hints")}}
    • 
-

+- {{HTTPStatus(103, "103 Early Hints")}}
diff --git a/files/en-us/web/http/headers/location/index.md b/files/en-us/web/http/headers/location/index.md
index 40d9c2a440d1451..1f5dd6cc39bce50 100644
--- a/files/en-us/web/http/headers/location/index.md
+++ b/files/en-us/web/http/headers/location/index.md
@@ -2,44 +2,41 @@
 title: Location
 slug: Web/HTTP/Headers/Location
 tags:
-- HTTP
-- HTTP Header
-- Reference
-- Response Header
+  - HTTP
+  - HTTP Header
+  - Reference
+  - Response Header
 browser-compat: http.headers.Location
 ---
-
{{HTTPSidebar}}

-
-
The Location response header indicates the URL to
-  redirect a page to. It only provides a meaning when served with a
-  3xx (redirection) or 201 (created) status response.

-
-
In cases of redirection, the HTTP method used to make the new request to fetch the page
-  pointed to by Location depends of the original method and of the kind of
-  redirection:

-
-
    
-  
  • If {{HTTPStatus("303")}} (See Also) responses always lead to the use of a
-    {{HTTPMethod("GET")}} method, {{HTTPStatus("307")}} (Temporary Redirect) and
-    {{HTTPStatus("308")}} (Permanent Redirect) don't change the method used in the
-    original request;
    • 
-  
  • {{HTTPStatus("301")}} (Moved Permanently) and {{HTTPStatus("302")}} (Found) doesn't
-    change the method most of the time, though older user-agents may (so you basically
-    don't know).
    • 
-

-
-
All responses with one of these status codes send a Location header.

-
-
In cases of resource creation, it indicates the URL to the newly created resource.

-
-
Location and {{HTTPHeader("Content-Location")}} are different:
-  Location indicates the target of a redirection (or the URL of a newly
-  created resource), while {{HTTPHeader("Content-Location")}} indicates the direct URL to
-  use to access the resource when content negotiation happened,
-  without the need of further content negotiation. Location is a header
-  associated with the response, while {{HTTPHeader("Content-Location")}} is associated
-  with the entity returned.

+{{HTTPSidebar}}
+
+The **`Location`** response header indicates the URL to
+redirect a page to. It only provides a meaning when served with a
+`3xx` (redirection) or `201` (created) status response.
+
+In cases of redirection, the HTTP method used to make the new request to fetch the page
+pointed to by `Location` depends of the original method and of the kind of
+redirection:
+
+- If {{HTTPStatus("303")}} (See Also) responses always lead to the use of a
+  {{HTTPMethod("GET")}} method, {{HTTPStatus("307")}} (Temporary Redirect) and
+  {{HTTPStatus("308")}} (Permanent Redirect) don't change the method used in the
+  original request;
+- {{HTTPStatus("301")}} (Moved Permanently) and {{HTTPStatus("302")}} (Found) doesn't
+  change the method most of the time, though older user-agents may (so you basically
+  don't know).
+
+All responses with one of these status codes send a `Location` header.
+
+In cases of resource creation, it indicates the URL to the newly created resource.
+
+`Location` and {{HTTPHeader("Content-Location")}} are different:
+`Location` indicates the target of a redirection (or the URL of a newly
+created resource), while {{HTTPHeader("Content-Location")}} indicates the direct URL to
+use to access the resource when [content negotiation](/en-US/docs/Web/HTTP/Content_negotiation) happened,
+without the need of further content negotiation. `Location` is a header
+associated with the response, while {{HTTPHeader("Content-Location")}} is associated
+with the entity returned.
 
 
@@ -54,35 +51,32 @@ browser-compat: http.headers.Location
   

   
 

 
-
Syntax

+## Syntax
 
-
Location: <url>
-

+```html
+Location: 
+```
 
-
Directives

+## Directives
 
-

-  
<url>

-  
A relative (to the request URL) or absolute URL.

-

+- \
+  - : A relative (to the request URL) or absolute URL.
 
-
Examples

+## Examples
 
-
Location: /index.html

+    Location: /index.html
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Content-Location")}}
    • 
-  
  • Status of responses including a Location header: {{HTTPStatus("201")}},
-    {{HTTPStatus("301")}}, {{HTTPStatus("302")}}, {{HTTPStatus("303")}},
-    {{HTTPStatus("307")}}, {{HTTPStatus("308")}}.
    • 
-

+- {{HTTPHeader("Content-Location")}}
+- Status of responses including a `Location` header: {{HTTPStatus("201")}},
+  {{HTTPStatus("301")}}, {{HTTPStatus("302")}}, {{HTTPStatus("303")}},
+  {{HTTPStatus("307")}}, {{HTTPStatus("308")}}.
diff --git a/files/en-us/web/http/headers/nel/index.md b/files/en-us/web/http/headers/nel/index.md
index aecc6e5fe7da161..f31fb90de91f9b7 100644
--- a/files/en-us/web/http/headers/nel/index.md
+++ b/files/en-us/web/http/headers/nel/index.md
@@ -10,36 +10,35 @@ tags:
   - header
 browser-compat: http.headers.NEL
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP NEL response header is used to configure network request logging.

+The HTTP **`NEL`** response header is used to configure network request logging.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
NEL: { "report_to": "name_of_reporting_group", "max_age": 12345, "include_subdomains": false, "success_fraction": 0.0, "failure_fraction": 1.0 }
-

+```html
+NEL: { "report_to": "name_of_reporting_group", "max_age": 12345, "include_subdomains": false, "success_fraction": 0.0, "failure_fraction": 1.0 }
+```
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [Network Error Logging (NEL) explainer](/en-US/docs/Web/HTTP/Network_Error_Logging)
diff --git a/files/en-us/web/http/headers/origin/index.md b/files/en-us/web/http/headers/origin/index.md
index 1461593c1bc78d0..dd347a4fea3aa01 100644
--- a/files/en-us/web/http/headers/origin/index.md
+++ b/files/en-us/web/http/headers/origin/index.md
@@ -9,66 +9,61 @@ tags:
   - origin
 browser-compat: http.headers.Origin
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Origin request header indicates where a request originates from. It doesn't include any path information. It is similar to the {{HTTPHeader("Referer")}} header, but, unlike that header, it doesn't disclose the whole path.

+The **`Origin`** request header indicates where a request originates from. It doesn't include any path information. It is similar to the {{HTTPHeader("Referer")}} header, but, unlike that header, it doesn't disclose the whole path.
 
-

-  
Note: Basically, browsers add the {{httpheader("Origin")}} request header to:

-  
    
-    
  • all {{Glossary("CORS", "cross origin")}} requests.
    • 
-    
  • same-origin requests except for {{HTTPMethod("GET")}} or {{HTTPMethod("HEAD")}} requests (i.e. they are added to same-origin {{HTTPMethod("POST")}}, {{HTTPMethod("OPTIONS")}}, {{HTTPMethod("PUT")}}, {{HTTPMethod("PATCH")}}, and {{HTTPMethod("DELETE")}} requests).
    • 
-  

-  
There are some exceptions to the above rules; for example if a cross-origin {{HTTPMethod("GET")}} or {{HTTPMethod("HEAD")}} request is made in no-cors mode the Origin header will not be added.

-

+> **Note:** Basically, browsers add the {{httpheader("Origin")}} request header to:
+>
+> - all {{Glossary("CORS", "cross origin")}} requests.
+> - [same-origin](/en-US/docs/Web/Security/Same-origin_policy) requests except for {{HTTPMethod("GET")}} or {{HTTPMethod("HEAD")}} requests (i.e. they are added to same-origin {{HTTPMethod("POST")}}, {{HTTPMethod("OPTIONS")}}, {{HTTPMethod("PUT")}}, {{HTTPMethod("PATCH")}}, and {{HTTPMethod("DELETE")}} requests).
+>
+> There are some exceptions to the above rules; for example if a cross-origin {{HTTPMethod("GET")}} or {{HTTPMethod("HEAD")}} request is made in [no-cors mode](/en-US/docs/Web/API/Request/mode#value) the `Origin` header will not be added.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}yes
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}yes

 

 
-
Syntax

+## Syntax
 
-
Origin: null
-Origin: <scheme> "://" <hostname> [ ":" <port> ]
-

+```html
+Origin: null
+Origin:  "://"  [ ":"  ]
+```
 
-
Directives

+## Directives
 
-

- 
<scheme>

- 
The protocol that is used. Usually it is the HTTP protocol or its secured version, HTTPS.

- 
<hostname>

- 
The domain name of the server (for virtual hosting) or the IP.

- 
<port> {{optional_inline}}

- 
TCP port number on which the server is listening. If no port is given, the default port for the service requested (e.g., "80" for an HTTP URL) is implied.

-

+- \
+  - : The protocol that is used. Usually it is the HTTP protocol or its secured version, HTTPS.
+- \
+  - : The domain name of the server (for virtual hosting) or the IP.
+- \ {{optional_inline}}
+  - : TCP port number on which the server is listening. If no port is given, the default port for the service requested (e.g., "80" for an HTTP URL) is implied.
 
-
Examples

+## Examples
 
-
Origin: https://developer.mozilla.org

+    Origin: https://developer.mozilla.org
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Host")}}
+- {{HTTPHeader("Referer")}}
+- [Same-origin policy](/en-US/docs/Web/Security/Same-origin_policy)
+- Stack Overflow: [When do browsers send the Origin header? When do browsers set the origin to null?](https://stackoverflow.com/a/42242802/)
diff --git a/files/en-us/web/http/headers/pragma/index.md b/files/en-us/web/http/headers/pragma/index.md
index 6d4fe57d758da1a..0c19623f0cc7af4 100644
--- a/files/en-us/web/http/headers/pragma/index.md
+++ b/files/en-us/web/http/headers/pragma/index.md
@@ -10,69 +10,68 @@ tags:
   - Response header
 browser-compat: http.headers.Pragma
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Pragma HTTP/1.0 general header is an
-  implementation-specific header that may have various effects along the request-response
-  chain. It is used for backwards compatibility with HTTP/1.0 caches where the
-  {{HTTPHeader("Cache-Control")}} HTTP/1.1 header is not yet present.

+The **`Pragma`** HTTP/1.0 general header is an
+implementation-specific header that may have various effects along the request-response
+chain. It is used for backwards compatibility with HTTP/1.0 caches where the
+{{HTTPHeader("Cache-Control")}} HTTP/1.1 header is not yet present.
 
-

-  
Note: Pragma is not specified for HTTP responses and is
-    therefore not a reliable replacement for the general HTTP/1.1
-    Cache-Control header, although it does behave the same as
-    Cache-Control: no-cache, if the Cache-Control header field
-    is omitted in a request. Use Pragma only for backwards compatibility with
-    HTTP/1.0 clients.

-

+> **Note:** `Pragma` is not specified for HTTP responses and is
+> therefore not a reliable replacement for the general HTTP/1.1
+> `Cache-Control` header, although it does behave the same as
+> `Cache-Control: no-cache`, if the `Cache-Control` header field
+> is omitted in a request. Use `Pragma` only for backwards compatibility with
+> HTTP/1.0 clients.
 
 
-      
+      
-      
+      

   
     

       Header type{{Glossary("Request header")}}, {{Glossary("Response header")}} (response behavior is not specified and thus implementation-specific).
+        {{Glossary("Request header")}},
+        {{Glossary("Response header")}} (response behavior is not
+        specified and thus implementation-specific).
+      
     

     

       {{Glossary("Forbidden header name")}}
       no
     

     
{{Glossary("CORS-safelisted response header")}}
+        {{Glossary("CORS-safelisted response header")}}
+      
       yes
     

   
 

 
-
Syntax

+## Syntax
 
-
Pragma: no-cache
-

+```html
+Pragma: no-cache
+```
 
-
Directives

+## Directives
 
-

-  
no-cache

-  

-    
Same as Cache-Control: no-cache. Forces caches to submit the request
-      to the origin server for validation before releasing a cached copy.

-  

-

+- no-cache
+  - : Same as `Cache-Control: no-cache`. Forces caches to submit the request
+    to the origin server for validation before releasing a cached copy.
 
-
Examples

+## Examples
 
-
Pragma: no-cache

+    Pragma: no-cache
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Cache-Control")}}
    • 
-  
  • {{HTTPHeader("Expires")}}
    • 
-

+- {{HTTPHeader("Cache-Control")}}
+- {{HTTPHeader("Expires")}}
diff --git a/files/en-us/web/http/headers/proxy-authenticate/index.md b/files/en-us/web/http/headers/proxy-authenticate/index.md
index c1c9e7ce0027fe8..7cbe06ef71380f3 100644
--- a/files/en-us/web/http/headers/proxy-authenticate/index.md
+++ b/files/en-us/web/http/headers/proxy-authenticate/index.md
@@ -9,15 +9,15 @@ tags:
   - Response Header
 browser-compat: http.headers.Proxy-Authenticate
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP Proxy-Authenticate response header defines the
-  authentication method that should be used to gain access to a resource behind a
-  {{Glossary("proxy server")}}. It authenticates the request to the proxy server, allowing
-  it to transmit the request further.

+The HTTP **`Proxy-Authenticate`** response header defines the
+authentication method that should be used to gain access to a resource behind a
+{{Glossary("proxy server")}}. It authenticates the request to the proxy server, allowing
+it to transmit the request further.
 
-
The Proxy-Authenticate header is sent along with a {{HTTPStatus("407")}}
-  Proxy Authentication Required.

+The `Proxy-Authenticate` header is sent along with a {{HTTPStatus("407")}}
+`Proxy Authentication Required`.
 
 
@@ -32,47 +32,41 @@ browser-compat: http.headers.Proxy-Authenticate
   

   
 

 
-
Syntax

+## Syntax
 
-
Proxy-Authenticate: <type> realm=<realm>
-

+```html
+Proxy-Authenticate:  realm=
+```
 
-
Directives

+## Directives
 
-

-  
<type>

-  
Authentication
-      type. A common type is "Basic".
-    IANA maintains a list
-      of authentication schemes.

-  
realm=<realm>

-  
A description of the protected area, the realm. If no realm is specified, clients
-    often display a formatted host name instead.

-

+- \
+  - : [Authentication
+    type](/en-US/docs/Web/HTTP/Authentication#authentication_schemes). A common type is ["Basic"](/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme).
+    IANA maintains a [list
+    of authentication schemes](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml).
+- realm=\
+  - : A description of the protected area, the realm. If no realm is specified, clients
+    often display a formatted host name instead.
 
-
Examples

+## Examples
 
-
Proxy-Authenticate: Basic
+    Proxy-Authenticate: Basic
 
-Proxy-Authenticate: Basic realm="Access to the internal site"
-

+    Proxy-Authenticate: Basic realm="Access to the internal site"
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • HTTP authentication
    • 
-  
  • {{HTTPHeader("Authorization")}}
    • 
-  
  • {{HTTPHeader("Proxy-Authorization")}}
    • 
-  
  • {{HTTPHeader("WWW-Authenticate")}}
    • 
-  
  • {{HTTPStatus("401")}}, {{HTTPStatus("403")}}, {{HTTPStatus("407")}}
    • 
-

+- [HTTP authentication](/en-US/docs/Web/HTTP/Authentication)
+- {{HTTPHeader("Authorization")}}
+- {{HTTPHeader("Proxy-Authorization")}}
+- {{HTTPHeader("WWW-Authenticate")}}
+- {{HTTPStatus("401")}}, {{HTTPStatus("403")}}, {{HTTPStatus("407")}}
diff --git a/files/en-us/web/http/headers/proxy-authorization/index.md b/files/en-us/web/http/headers/proxy-authorization/index.md
index 68c2f137ae19417..09769a67b6d719d 100644
--- a/files/en-us/web/http/headers/proxy-authorization/index.md
+++ b/files/en-us/web/http/headers/proxy-authorization/index.md
@@ -8,12 +8,12 @@ tags:
   - Request header
   - header
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP Proxy-Authorization request header contains the
-  credentials to authenticate a user agent to a proxy server, usually after the server has
-  responded with a {{HTTPStatus("407")}} Proxy Authentication Required status
-  and the {{HTTPHeader("Proxy-Authenticate")}} header.

+The HTTP **`Proxy-Authorization`** request header contains the
+credentials to authenticate a user agent to a proxy server, usually after the server has
+responded with a {{HTTPStatus("407")}} `Proxy Authentication Required` status
+and the {{HTTPHeader("Proxy-Authenticate")}} header.
 
 
@@ -28,55 +28,45 @@ tags:
   

   
 

 
-
Syntax

+## Syntax
 
-
Proxy-Authorization: <type> <credentials>

+```html
+Proxy-Authorization:  
+```
 
-
Directives

+## Directives
 
-

-  
<type>

-  
Authentication
-      type. A common type is "Basic".
-    See also the IANA
-      registry of Authentication schemes.

-  
<credentials>

-  
The credentials are constructed like this:
-    
    
-      
  • The username and the password are combined with a colon
-        (aladdin:opensesame).
    • 
-      
  • The resulting string is base64
-        encoded (YWxhZGRpbjpvcGVuc2VzYW1l).
    • 
-    

+- \
+  - : [Authentication
+    type](/en-US/docs/Web/HTTP/Authentication#authentication_schemes). A common type is ["Basic"](/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme).
+    See also the [IANA
+    registry of Authentication schemes](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml).
+- \
 
-    

-      
Note: Base64 encoding does not mean encryption or hashing! This
-        method is equally secure as sending the credentials in clear text (base64 is a
-        reversible encoding). Prefer to use HTTPS in conjunction with Basic
-        Authentication.

-    

-  

-

+  - : The credentials are constructed like this:
 
-
Examples

+    - The username and the password are combined with a colon
+      (`aladdin:opensesame`).
+    - The resulting string is [base64](/en-US/docs/Glossary/Base64)
+      encoded (`YWxhZGRpbjpvcGVuc2VzYW1l`).
 
-
Proxy-Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
-

+    > **Note:** Base64 encoding does not mean encryption or hashing! This
+    > method is equally secure as sending the credentials in clear text (base64 is a
+    > reversible encoding). Prefer to use HTTPS in conjunction with Basic
+    > Authentication.
 
-
Specifications

+## Examples
+
+    Proxy-Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
+
+## Specifications
 
 {{Specifications}}
 
-
See also

+## See also
 
-
    
-  
  • HTTP authentication
    • 
-  
  • {{HTTPHeader("Proxy-Authenticate")}}
    • 
-  
  • {{HTTPHeader("WWW-Authenticate")}}
    • 
-  
  • {{HTTPHeader("Authorization")}}
    • 
-  
  • {{HTTPStatus("401")}}, {{HTTPStatus("403")}}, {{HTTPStatus("407")}}
    • 
-

+- [HTTP authentication](/en-US/docs/Web/HTTP/Authentication)
+- {{HTTPHeader("Proxy-Authenticate")}}
+- {{HTTPHeader("WWW-Authenticate")}}
+- {{HTTPHeader("Authorization")}}
+- {{HTTPStatus("401")}}, {{HTTPStatus("403")}}, {{HTTPStatus("407")}}
diff --git a/files/en-us/web/http/headers/public-key-pins-report-only/index.md b/files/en-us/web/http/headers/public-key-pins-report-only/index.md
index 13b78d81475ba6d..061308cd1fba957 100644
--- a/files/en-us/web/http/headers/public-key-pins-report-only/index.md
+++ b/files/en-us/web/http/headers/public-key-pins-report-only/index.md
@@ -2,35 +2,30 @@
 title: Public-Key-Pins-Report-Only
 slug: Web/HTTP/Headers/Public-Key-Pins-Report-Only
 tags:
-- Deprecated
-- HPKP
-- HTTP
-- Deprecated
-- Security
-- header
+  - Deprecated
+  - HPKP
+  - HTTP
+  - Deprecated
+  - Security
+  - header
 browser-compat: http.headers.Public-Key-Pins-Report-Only
 ---
-
{{HTTPSidebar}}{{deprecated_header}}

-
-

-  

-    Note: Public Key Pinning mechanism was deprecated in favor of
-    Certificate Transparency
-    and {{HTTPHeader("Expect-CT")}} header.
-  

-

-
-
The HTTP Public-Key-Pins-Report-Only response header was
-  used to send reports of pinning violation to the report-uri specified in
-  the header but, unlike {{HTTPHeader("Public-Key-Pins")}} still allows browsers to
-  connect to the server if the pinning is violated. The header is silently ignored in
-  modern browsers as support for HPKP has been removed. Use Certificate Transparency
-  and the {{HTTPHeader("Expect-CT")}} header instead.

-
-
For more information, see the {{HTTPHeader("Public-Key-Pins")}} header reference page
-  and the HTTP Public Key Pinning
-  article.

+{{HTTPSidebar}}{{deprecated_header}}
+
+> **Note:** Public Key Pinning mechanism was deprecated in favor of
+> [Certificate Transparency](/en-US/docs/Web/Security/Certificate_Transparency)
+> and {{HTTPHeader("Expect-CT")}} header.
+
+The HTTP **`Public-Key-Pins-Report-Only`** response header was
+used to send reports of pinning violation to the `report-uri` specified in
+the header but, unlike {{HTTPHeader("Public-Key-Pins")}} still allows browsers to
+connect to the server if the pinning is violated. The header is silently ignored in
+modern browsers as support for HPKP has been removed. Use [Certificate Transparency](/en-US/docs/Web/Security/Certificate_Transparency)
+and the {{HTTPHeader("Expect-CT")}} header instead.
+
+For more information, see the {{HTTPHeader("Public-Key-Pins")}} header reference page
+and the [HTTP Public Key Pinning](/en-US/docs/Web/HTTP/Public_Key_Pinning)
+article.
 
 
@@ -45,59 +40,57 @@ browser-compat: http.headers.Public-Key-Pins-Report-Only
   

   
 

 
-
Syntax

+## Syntax
 
-
Public-Key-Pins-Report-Only: pin-sha256="<pin-value>";
-                             max-age=<expire-time>;
+```html
+Public-Key-Pins-Report-Only: pin-sha256="";
+                             max-age=;
                              includeSubDomains;
-                             report-uri="<uri>"

+                             report-uri=""
+```
 
-
Directives

+## Directives
 
-

-  
pin-sha256="<pin-value>"

-  
The quoted string is the Base64 encoded Subject Public Key Information
+- `pin-sha256=""`
+  - : The quoted string is the Base64 encoded Subject Public Key Information
     ({{Glossary("SPKI")}}) fingerprint. It is possible to specify multiple pins for
     different public keys. Some browsers might allow other hashing algorithms than SHA-256
-    in the future.

-  
max-age=<expire-time>

-  
This directive is meaningless for the Public-Key-Pins-Report-Only header, it will be
-    ignored by user agents and the header will not be cached.

-  
includeSubDomains {{optional_inline}}

-  
If this optional parameter is specified, this rule applies to all of the site's
-    subdomains as well.

-  
report-uri="<uri>"

-  
Pin validation failures are reported to the given URL. This directive should be used
-    with this header, otherwise this header will be a no-op.

-

-
-
Example

-
-
Public-Key-Pins-Report-Only:
-  pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
-  pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
-  includeSubDomains;
-  report-uri="https://www.example.org/hpkp-report"

-
-
In this example,
-  pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=" pins the
-  server's public key used in production. The second pin declaration
-  pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=" also pins the
-  backup key. This key pinning is also valid for all subdomains, which is told by the
-  includeSubDomains declaration. Finally,
-  report-uri="https://www.example.org/hpkp-report" explains where to
-  report pin validation failures.

-
-
Specifications

+    in the future.
+- max-age=\
+  - : This directive is meaningless for the Public-Key-Pins-Report-Only header, it will be
+    ignored by user agents and the header will not be cached.
+- `includeSubDomains `{{optional_inline}}
+  - : If this optional parameter is specified, this rule applies to all of the site's
+    subdomains as well.
+- `report-uri=""`
+  - : Pin validation failures are reported to the given URL. This directive should be used
+    with this header, otherwise this header will be a no-op.
+
+## Example
+
+    Public-Key-Pins-Report-Only:
+      pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
+      pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
+      includeSubDomains;
+      report-uri="https://www.example.org/hpkp-report"
+
+In this example,
+**pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="** pins the
+server's public key used in production. The second pin declaration
+**pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="** also pins the
+backup key. This key pinning is also valid for all subdomains, which is told by the
+**includeSubDomains** declaration. Finally,
+**report-uri="https\://www\.example.org/hpkp-report"** explains where to
+report pin validation failures.
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Public-Key-Pins")}}
    • 
-

+- {{HTTPHeader("Public-Key-Pins")}}
diff --git a/files/en-us/web/http/headers/public-key-pins/index.md b/files/en-us/web/http/headers/public-key-pins/index.md
index 8762e0abc96fb62..04ce2160452d5c3 100644
--- a/files/en-us/web/http/headers/public-key-pins/index.md
+++ b/files/en-us/web/http/headers/public-key-pins/index.md
@@ -2,34 +2,29 @@
 title: Public-Key-Pins
 slug: Web/HTTP/Headers/Public-Key-Pins
 tags:
-- Deprecated
-- HPKP
-- HTTP
-- Deprecated
-- Reference
-- Security
-- header
+  - Deprecated
+  - HPKP
+  - HTTP
+  - Deprecated
+  - Reference
+  - Security
+  - header
 browser-compat: http.headers.Public-Key-Pins
 ---
-
{{HTTPSidebar}}{{deprecated_header}}

-
-

-  

-    Note: Public Key Pinning mechanism was deprecated
-    in favor of Certificate Transparency
-    and {{HTTPHeader("Expect-CT")}} header.
-  

-

-
-
The HTTP Public-Key-Pins response header used to
-  associate a specific cryptographic public {{Glossary("key")}} with a certain web server
-  to decrease the risk of {{Glossary("MITM")}} attacks with forged certificates, however,
-  it has been removed from modern browsers and is no longer supported. Use Certificate
-    Transparency and {{HTTPHeader("Expect-CT")}} header instead.

-
-
For more information, see the HTTP
-    Public Key Pinning article.

+{{HTTPSidebar}}{{deprecated_header}}
+
+> **Note:** Public Key Pinning mechanism was deprecated
+> in favor of [Certificate Transparency](/en-US/docs/Web/Security/Certificate_Transparency)
+> and {{HTTPHeader("Expect-CT")}} header.
+
+The HTTP **`Public-Key-Pins`** response header used to
+associate a specific cryptographic public {{Glossary("key")}} with a certain web server
+to decrease the risk of {{Glossary("MITM")}} attacks with forged certificates, however,
+it has been removed from modern browsers and is no longer supported. Use [Certificate
+Transparency](/en-US/docs/Web/Security/Certificate_Transparency) and {{HTTPHeader("Expect-CT")}} header instead.
+
+For more information, see the [HTTP
+Public Key Pinning](/en-US/docs/Web/HTTP/Public_Key_Pinning) article.
 
 
@@ -44,70 +39,64 @@ browser-compat: http.headers.Public-Key-Pins
   

   
 

 
-
Syntax

+## Syntax
 
-
Public-Key-Pins: pin-sha256="<pin-value>";
-                 max-age=<expire-time>;
+```html
+Public-Key-Pins: pin-sha256="";
+                 max-age=;
                  includeSubDomains;
-                 report-uri="<uri>"

+                 report-uri=""
+```
 
-
Directives

+## Directives
 
-

-  
pin-sha256="<pin-value>"

-  
The quoted string is the Base64 encoded Subject Public Key Information
+- `pin-sha256=""`
+  - : The quoted string is the Base64 encoded Subject Public Key Information
     ({{Glossary("SPKI")}}) fingerprint. It is possible to specify multiple pins for
     different public keys. Some browsers might allow other hashing algorithms than SHA-256
-    in the future.

-  
max-age=<expire-time>

-  
The time, in seconds, that the browser should remember that this site is only to be
-    accessed using one of the defined keys.

-  
includeSubDomains {{optional_inline}}

-  
If this optional parameter is specified, this rule applies to all of the site's
-    subdomains as well.

-  
report-uri="<uri>" {{optional_inline}}

-  
If this optional parameter is specified, pin validation failures are reported to the
-    given URL.

-

-
-
Example

-
-

-  

-    Warning: HPKP has the potential to lock out users for a long time
-    if used incorrectly!
-    The use of backup certificates and/or pinning the CA certificate is recommended.
-  

-

-
-
Public-Key-Pins:
-  pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
-  pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
-  max-age=5184000; includeSubDomains;
-  report-uri="https://www.example.org/hpkp-report"

-
-
In this example,
-  pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=" pins the
-  server's public key used in production. The second pin declaration
-  pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=" also pins the
-  backup key. max-age=5184000 tells the client to store this information
-  for two months, which is a reasonable time limit according to the IETF RFC. This key
-  pinning is also valid for all subdomains, which is told by the
-  includeSubDomains declaration. Finally,
-  report-uri="https://www.example.org/hpkp-report" explains where to
-  report pin validation failures.

-
-
Specifications

+    in the future.
+- `max-age=`
+  - : The time, in seconds, that the browser should remember that this site is only to be
+    accessed using one of the defined keys.
+- `includeSubDomains `{{optional_inline}}
+  - : If this optional parameter is specified, this rule applies to all of the site's
+    subdomains as well.
+- `report-uri=""` {{optional_inline}}
+  - : If this optional parameter is specified, pin validation failures are reported to the
+    given URL.
+
+## Example
+
+> **Warning:** HPKP has the potential to lock out users for a long time
+> if used incorrectly!
+> The use of backup certificates and/or pinning the CA certificate is recommended.
+
+    Public-Key-Pins:
+      pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
+      pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
+      max-age=5184000; includeSubDomains;
+      report-uri="https://www.example.org/hpkp-report"
+
+In this example,
+**pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="** pins the
+server's public key used in production. The second pin declaration
+**pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="** also pins the
+backup key. **max-age=5184000** tells the client to store this information
+for two months, which is a reasonable time limit according to the IETF RFC. This key
+pinning is also valid for all subdomains, which is told by the
+**includeSubDomains** declaration. Finally,
+**report-uri="https\://www\.example.org/hpkp-report"** explains where to
+report pin validation failures.
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Public-Key-Pins-Report-Only")}}
    • 
-  
  • {{HTTPHeader("Expect-CT")}}
    • 
-

+- {{HTTPHeader("Public-Key-Pins-Report-Only")}}
+- {{HTTPHeader("Expect-CT")}}
diff --git a/files/en-us/web/http/headers/range/index.md b/files/en-us/web/http/headers/range/index.md
index f2a1dbce9f586f6..b020b61530039c1 100644
--- a/files/en-us/web/http/headers/range/index.md
+++ b/files/en-us/web/http/headers/range/index.md
@@ -9,70 +9,66 @@ tags:
   - Request header
 browser-compat: http.headers.Range
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Range HTTP request header indicates the part of a document that the server should return. Several parts can be requested with one Range header at once, and the server may send back these ranges in a multipart document. If the server sends back ranges, it uses the {{HTTPStatus("206")}} Partial Content for the response. If the ranges are invalid, the server returns the {{HTTPStatus("416")}} Range Not Satisfiable error. The server can also ignore the Range header and return the whole document with a {{HTTPStatus("200")}} status code.

+The **`Range`** HTTP request header indicates the part of a document that the server should return. Several parts can be requested with one `Range` header at once, and the server may send back these ranges in a multipart document. If the server sends back ranges, it uses the {{HTTPStatus("206")}}` Partial Content` for the response. If the ranges are invalid, the server returns the {{HTTPStatus("416")}}` Range Not Satisfiable` error. The server can also ignore the `Range` header and return the whole document with a {{HTTPStatus("200")}} status code.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
Range: <unit>=<range-start>-
-Range: <unit>=<range-start>-<range-end>
-Range: <unit>=<range-start>-<range-end>, <range-start>-<range-end>
-Range: <unit>=<range-start>-<range-end>, <range-start>-<range-end>, <range-start>-<range-end>
-Range: <unit>=-<suffix-length>

+```html
+Range: =-
+Range: =-
+Range: =-, -
+Range: =-, -, -
+Range: =-
+```
 
-
Directives

+## Directives
 
-

- 
<unit>

- 
The unit in which ranges are specified. This is usually bytes.

- 
<range-start>

- 
An integer in the given unit indicating the beginning of the request range.

- 
<range-end>

- 
An integer in the given unit indicating the end of the requested range. This value is optional and, if omitted, the end of the document is taken as the end of the range.

- 
<suffix-length>

- 
An integer in the given unit indicating the number of units at the end of the file to return.

-

+- \
+  - : The unit in which ranges are specified. This is usually `bytes`.
+- \
+  - : An integer in the given unit indicating the beginning of the request range.
+- \
+  - : An integer in the given unit indicating the end of the requested range. This value is optional and, if omitted, the end of the document is taken as the end of the range.
+- \
+  - : An integer in the given unit indicating the number of units at the end of the file to return.
 
-
Examples

+## Examples
 
-
Requesting three ranges from the file.

+Requesting three ranges from the file.
 
-
Range: bytes=200-1000, 2000-6576, 19000-
-

+    Range: bytes=200-1000, 2000-6576, 19000-
 
-
Requesting the first 500 and last 500 bytes of the file. The request may be rejected by the server if the ranges overlap.

+Requesting the first 500 and last 500 bytes of the file. The request may be rejected by the server if the ranges overlap.
 
-
Range: bytes=0-499, -500
-

+    Range: bytes=0-499, -500
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPHeader("If-Range")}}
    • 
- 
  • {{HTTPHeader("Content-Range")}}
    • 
- 
  • {{HTTPHeader("Content-Type")}}
    • 
- 
  • {{HTTPStatus("206")}} Partial Content
    • 
- 
  • {{HTTPStatus("416")}} Range Not Satisfiable
    • 
-

+- {{HTTPHeader("If-Range")}}
+- {{HTTPHeader("Content-Range")}}
+- {{HTTPHeader("Content-Type")}}
+- {{HTTPStatus("206")}}` Partial Content`
+- {{HTTPStatus("416")}}` Range Not Satisfiable`
diff --git a/files/en-us/web/http/headers/referer/index.md b/files/en-us/web/http/headers/referer/index.md
index 91808f927123c37..4f7ee0bcb7fcf95 100644
--- a/files/en-us/web/http/headers/referer/index.md
+++ b/files/en-us/web/http/headers/referer/index.md
@@ -9,66 +9,58 @@ tags:
   - referrer
 browser-compat: http.headers.Referer
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Referer HTTP request header contains an absolute or partial address of the page making the request. When following a link, this would be the address of the page containing the link. When making resource requests to another domain, this would be the address of the page using the resource. The Referer header allows servers to identify where people are visiting them from, which can then be used for analytics, logging, optimized caching, and more.

+The **`Referer`** HTTP request header contains an absolute or partial address of the page making the request. When following a link, this would be the address of the page containing the link. When making resource requests to another domain, this would be the address of the page using the resource. The `Referer` header allows servers to identify where people are visiting them from, which can then be used for analytics, logging, optimized caching, and more.
 
-
The Referer header may not contain URL fragments (i.e. "#section") or "username:password" information. It can potentially contain an origin, path, and querystring. What is sent, if anything, depends on the referrer policy for the request. See {{HTTPHeader("Referrer-Policy")}} for information and examples.
+The `Referer` header may not contain URL fragments (i.e. "#section") or "username:password" information. It can potentially contain an _origin_, _path_, and _querystring_. What is sent, if anything, depends on the _referrer policy_ for the request. See {{HTTPHeader("Referrer-Policy")}} for [information](/en-US/docs/Web/HTTP/Headers/Referrer-Policy#directives) and [examples](/en-US/docs/Web/HTTP/Headers/Referrer-Policy#examples).
 
-

-  
Note: The header name "referer" is actually a misspelling of the word "referrer". See {{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}} for more details.

-

+> **Note:** The header name "referer" is actually a misspelling of the word "referrer". See {{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}} for more details.
 
-

-  
Warning: Although this header has many innocent uses it can have undesirable consequences for user security and privacy. See Referer header: privacy and security concerns for more information and mitigations.

-

+> **Warning:** Although this header has many innocent uses it can have undesirable consequences for user security and privacy. See [Referer header: privacy and security concerns](/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns) for more information and mitigations.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}yes
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}yes

 

 
-
Syntax

+## Syntax
 
-
Referer: <url>
-

+```html
+Referer: 
+```
 
-
Directives

+## Directives
 
-

- 
<url>

- 
An absolute or partial address of the web page making the request. URL fragments (i.e. "#section") and userinfo (i.e. "username:password" in "https://username:password@example.com/foo/bar/") are not included. Origin, path, and querystring may be included, depending on the referrer policy.

-

+- \
+  - : An absolute or partial address of the web page making the request. URL fragments (i.e. "#section") and userinfo (i.e. "username:password" in "https\://username:password\@example.com/foo/bar/") are not included. Origin, path, and querystring may be included, depending on the [referrer policy](/en-US/docs/Web/HTTP/Headers/Referrer-Policy#directives).
 
-
Examples

+## Examples
 
-
Referer: https://developer.mozilla.org/en-US/docs/Web/JavaScript
-Referer: https://example.com/page?q=123
-Referer: https://example.com/
-

+    Referer: https://developer.mozilla.org/en-US/docs/Web/JavaScript
+    Referer: https://example.com/page?q=123
+    Referer: https://example.com/
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}}
+- [Fetch](/en-US/docs/Web/API/Fetch_API): {{domxref("Request.referrerPolicy")}}
+- The obsolete {{HTTPHeader("Content-Security-Policy")}} {{HTTPHeader("Content-Security-Policy/referrer", "referrer")}} {{deprecated_inline}} directive.
+- [Same-origin policy](/en-US/docs/Web/Security/Same-origin_policy)
+- [Tighter Control Over Your Referrers – Mozilla Security Blog](https://blog.mozilla.org/security/2015/01/21/meta-referrer/)
diff --git a/files/en-us/web/http/headers/referrer-policy/index.md b/files/en-us/web/http/headers/referrer-policy/index.md
index c55cee68241aa3a..68636d6b1bfb976 100644
--- a/files/en-us/web/http/headers/referrer-policy/index.md
+++ b/files/en-us/web/http/headers/referrer-policy/index.md
@@ -12,26 +12,27 @@ tags:
   - referrer
 browser-compat: http.headers.Referrer-Policy
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Referrer-Policy {{glossary("HTTP header")}} controls how much referrer information (sent via the {{HTTPHeader("Referer")}} header) should be included with requests. Aside from the HTTP header, you can set this policy in HTML.

+The **`Referrer-Policy`** {{glossary("HTTP header")}} controls how much [referrer information](/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns) (sent via the {{HTTPHeader("Referer")}} header) should be included with requests. Aside from the HTTP header, you can [set this policy in HTML](#integration_with_html).
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
Referrer-Policy: no-referrer
+```html
+Referrer-Policy: no-referrer
 Referrer-Policy: no-referrer-when-downgrade
 Referrer-Policy: origin
 Referrer-Policy: origin-when-cross-origin
@@ -39,270 +40,159 @@ Referrer-Policy: same-origin
 Referrer-Policy: strict-origin
 Referrer-Policy: strict-origin-when-cross-origin
 Referrer-Policy: unsafe-url
-

-
-

-  
Note: The original header name {{HTTPHeader("Referer")}} is a misspelling of the word "referrer". The Referrer-Policy header does not share this misspelling.

-

-
-
Directives

-
-

- 
no-referrer

- 
The {{HTTPHeader("Referer")}} header will be omitted entirely. No referrer information is sent along with requests.

- 
no-referrer-when-downgrade

- 
Send the {{glossary("origin")}}, path, and querystring in {{HTTPHeader("Referer")}} when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don't send the {{HTTPHeader("Referer")}} header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).
- 

- 
origin

- 
Send the {{glossary("origin")}} (only) in the {{HTTPHeader("Referer")}} header.

- For example, a document at https://example.com/page.html will send the referrer https://example.com/.

- 
origin-when-cross-origin

- 
Send the {{glossary("origin")}}, path, and query string when performing a {{glossary("Same-origin_policy", "same-origin")}} request to the same protocol level. Send origin (only) for cross origin requests and requests to less secure destinations.

- 
same-origin

- 
Send the {{glossary("origin")}}, path, and query string for {{glossary("Same-origin_policy", "same-origin")}} requests. Don't send the {{HTTPHeader("Referer")}} header for cross-origin requests.

- 
strict-origin

- 
Send the origin (only) when the protocol security level stays the same (HTTPS→HTTPS). Don't send the {{HTTPHeader("Referer")}} header to less secure destinations (HTTPS→HTTP).

- 
strict-origin-when-cross-origin (default)

- 
Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the {{HTTPHeader("Referer")}} header to less secure destinations (HTTPS→HTTP).
-
-  

-    
Note: This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision November 2020). Previously the default was no-referrer-when-downgrade.    

-  

- 

- 
unsafe-url

- 
Send the origin, path, and query string when performing any request, regardless of security.
- 

-   
Warning: This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.

- 

- 

-

-
-
Integration with HTML

-
-
You can also set referrer policies inside HTML. For example, you can set the referrer policy for the entire document with a {{HTMLElement("meta")}} element with a name of referrer:

-
-
<meta name="referrer" content="origin">

-
-
Or set it for individual requests with the referrerpolicy attribute on {{HTMLElement("a")}}, {{HTMLElement("area")}}, {{HTMLElement("img")}}, {{HTMLElement("iframe")}}, {{HTMLElement("script")}}, or {{HTMLElement("link")}} elements:

-
-
<a href="http://example.com" referrerpolicy="origin">

-
-
Alternatively, a noreferrer link relation on an a, area, or link element can be set:

-
-
<a href="http://example.com" rel="noreferrer">

-
-

-  
Warning: As seen above, the noreferrer link relation is written without a dash — noreferrer. When the referrer policy is specified for the entire document with a {{HTMLElement("meta")}} element, it's written with a dash: <meta name="referrer" content="no-referrer">.

-

-
-
Integration with CSS

-
-
CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well:

-
-
    
- 
  • External CSS stylesheets use the default policy (strict-origin-when-cross-origin), unless it's overwritten via a Referrer-Policy HTTP header on the CSS stylesheet's response.
    • 
- 
  • For {{HTMLElement("style")}} elements or style attributes, the owner document's referrer policy is used.
    • 
-

-
-
Examples

-
-
no-referrer

-
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-
From documentNavigation toReferrer used
https://example.com/pageanywhere(no referrer)

+```
 
-
no-referrer-when-downgrade

-
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-
From documentNavigation toReferrer used
https://example.com/pagehttps://example.com/otherpagehttps://example.com/page
https://example.com/pagehttps://mozilla.orghttps://example.com/page
https://example.com/pagehttp://example.com(no referrer)

+> **Note:** The original header name {{HTTPHeader("Referer")}} is a misspelling of the word "referrer". The `Referrer-Policy` header does not share this misspelling.
 
-
origin

-
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-
From documentNavigation toReferrer used
https://example.com/pageanywherehttps://example.com/

+## Directives
 
-
origin-when-cross-origin

-
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-
From documentNavigation toReferrer used
https://example.com/pagehttps://example.com/otherpagehttps://example.com/page
https://example.com/pagehttps://mozilla.orghttps://example.com/
https://example.com/pagehttp://example.com/pagehttps://example.com/

+- `no-referrer`
+  - : The {{HTTPHeader("Referer")}} header will be omitted entirely. No referrer information is sent along with requests.
+- `no-referrer-when-downgrade`
+  - : Send the {{glossary("origin")}}, path, and querystring in {{HTTPHeader("Referer")}} when the protocol security level stays the same or improves (HTTP→HTTP, HTTP→HTTPS, HTTPS→HTTPS). Don't send the {{HTTPHeader("Referer")}} header for requests to less secure destinations (HTTPS→HTTP, HTTPS→file).
+- `origin`
+  - : Send the {{glossary("origin")}} (only) in the {{HTTPHeader("Referer")}} header.
+    For example, a document at `https://example.com/page.html` will send the referrer `https://example.com/`.
+- `origin-when-cross-origin`
+  - : Send the {{glossary("origin")}}, path, and query string when performing a {{glossary("Same-origin_policy", "same-origin")}} request to the same protocol level. Send origin (only) for cross origin requests and requests to less secure destinations.
+- `same-origin`
+  - : Send the {{glossary("origin")}}, path, and query string for {{glossary("Same-origin_policy", "same-origin")}} requests. Don't send the {{HTTPHeader("Referer")}} header for cross-origin requests.
+- `strict-origin`
+  - : Send the origin (only) when the protocol security level stays the same (HTTPS→HTTPS). Don't send the {{HTTPHeader("Referer")}} header to less secure destinations (HTTPS→HTTP).
+- `strict-origin-when-cross-origin` (default)
 
-
>same-origin

-
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-
From documentNavigation toReferrer used
https://example.com/pagehttps://example.com/otherpagehttps://example.com/page
https://example.com/pagehttps://mozilla.org(no referrer)

+  - : Send the origin, path, and querystring when performing a same-origin request. For cross-origin requests send the origin (only) when the protocol security level stays same (HTTPS→HTTPS). Don't send the {{HTTPHeader("Referer")}} header to less secure destinations (HTTPS→HTTP).
 
-
strict-origin

-
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-
From documentNavigation toReferrer used
https://example.com/pagehttps://mozilla.orghttps://example.com/
https://example.com/pagehttp://example.com(no referrer)
http://example.com/pageanywherehttp://example.com/

+    > **Note:** This is the default policy if no policy is specified, or if the provided value is invalid (see spec revision [November 2020](https://github.com/whatwg/fetch/pull/1066)). Previously the default was `no-referrer-when-downgrade`.
 
-
strict-origin-when-cross-origin

-
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-
From documentNavigation toReferrer used
https://example.com/pagehttps://example.com/otherpagehttps://example.com/page
https://example.com/pagehttps://mozilla.orghttps://example.com/
https://example.com/pagehttp://example.com(no referrer)

+- `unsafe-url`
 
-
unsafe-url

-
-  
-    
-    
-    
-  
-  
-    
-    
-    
-  
-
From documentNavigation toReferrer used
https://example.com/page?q=123anywherehttps://example.com/page?q=123

+  - : Send the origin, path, and query string when performing any request, regardless of security.
+
+    > **Warning:** This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.
+
+## Integration with HTML
+
+You can also set referrer policies inside HTML. For example, you can set the referrer policy for the entire document with a {{HTMLElement("meta")}} element with a [name](/en-US/docs/Web/HTML/Element/meta#attr-name) of `referrer`:
+
+```html
+
+```
+
+Or set it for individual requests with the `referrerpolicy` attribute on {{HTMLElement("a")}}, {{HTMLElement("area")}}, {{HTMLElement("img")}}, {{HTMLElement("iframe")}}, {{HTMLElement("script")}}, or {{HTMLElement("link")}} elements:
+
+```html
+
+```
+
+Alternatively, a `noreferrer` [link relation](/en-US/docs/Web/HTML/Link_types) on an `a`, `area`, or `link` element can be set:
+
+```html
+
+```
+
+> **Warning:** As seen above, the `noreferrer` link relation is written without a dash — `noreferrer`. When the referrer policy is specified for the entire document with a {{HTMLElement("meta")}} element, it's written _with_ a dash: ``.
+
+## Integration with CSS
+
+CSS can fetch resources referenced from stylesheets. These resources follow a referrer policy as well:
+
+- External CSS stylesheets use the default policy (`strict-origin-when-cross-origin`), unless it's overwritten via a `Referrer-Policy` HTTP header on the CSS stylesheet's response.
+- For {{HTMLElement("style")}} elements or [`style` attributes](/en-US/docs/Web/API/HTMLElement/style), the owner document's referrer policy is used.
+
+## Examples
+
+### `no-referrer`
+
+| From document            | Navigation to | Referrer used   |
+| ------------------------ | ------------- | --------------- |
+| https://example.com/page | _anywhere_    | _(no referrer)_ |
+
+### `no-referrer-when-downgrade`
+
+| From document            | Navigation to                 | Referrer used            |
+| ------------------------ | ----------------------------- | ------------------------ |
+| https://example.com/page | https://example.com/otherpage | https://example.com/page |
+| https://example.com/page | https://mozilla.org           | https://example.com/page |
+| https://example.com/page | **http**://example.com        | _(no referrer)_          |
+
+### `origin`
+
+| From document            | Navigation to | Referrer used        |
+| ------------------------ | ------------- | -------------------- |
+| https://example.com/page | _anywhere_    | https://example.com/ |
+
+### `origin-when-cross-origin`
+
+| From document            | Navigation to                 | Referrer used            |
+| ------------------------ | ----------------------------- | ------------------------ |
+| https://example.com/page | https://example.com/otherpage | https://example.com/page |
+| https://example.com/page | https://mozilla.org           | https://example.com/     |
+| https://example.com/page | **http**://example.com/page   | https://example.com/     |
+
+### >`same-origin`
+
+| From document            | Navigation to                 | Referrer used            |
+| ------------------------ | ----------------------------- | ------------------------ |
+| https://example.com/page | https://example.com/otherpage | https://example.com/page |
+| https://example.com/page | https://mozilla.org           | _(no referrer)_          |
+
+### `strict-origin`
+
+| From document               | Navigation to          | Referrer used        |
+| --------------------------- | ---------------------- | -------------------- |
+| https://example.com/page    | https://mozilla.org    | https://example.com/ |
+| https://example.com/page    | **http**://example.com | _(no referrer)_      |
+| **http**://example.com/page | _anywhere_             | http://example.com/  |
+
+### `strict-origin-when-cross-origin`
+
+| From document            | Navigation to                 | Referrer used            |
+| ------------------------ | ----------------------------- | ------------------------ |
+| https://example.com/page | https://example.com/otherpage | https://example.com/page |
+| https://example.com/page | https://mozilla.org           | https://example.com/     |
+| https://example.com/page | **http**://example.com        | _(no referrer)_          |
+
+### `unsafe-url`
+
+| From document                  | Navigation to | Referrer used                  |
+| ------------------------------ | ------------- | ------------------------------ |
+| https://example.com/page?q=123 | _anywhere_    | https://example.com/page?q=123 |
+
+### Specifying a fallback policy
+
+If you want to specify a fallback policy in any case the desired policy hasn't got wide enough browser support, use a comma-separated list with the desired policy specified last:
 
-
Specifying a fallback policy

+    Referrer-Policy: no-referrer, strict-origin-when-cross-origin
 
-
If you want to specify a fallback policy in any case the desired policy hasn't got wide enough browser support, use a comma-separated list with the desired policy specified last:

+In the above scenario, `no-referrer` will only be used if `strict-origin-when-cross-origin` is not supported by the browser.
 
-
Referrer-Policy: no-referrer, strict-origin-when-cross-origin

+> **Note:** Specifying multiple values is only supported in the `Referrer-Policy` HTTP header, and not in the `referrerpolicy` attribute.
 
-
In the above scenario, no-referrer will only be used if strict-origin-when-cross-origin is not supported by the browser.

+## Browser-specific preferences/settings
 
-

-  
Note: Specifying multiple values is only supported in the Referrer-Policy HTTP header, and not in the referrerpolicy attribute.

-

+### Firefox preferences
 
-
Browser-specific preferences/settings

-
Firefox preferences

+Firefox preferences can be used to configure the _default_ referrer policy. The preference names are version specific:
 
-
Firefox preferences can be used to configure the default referrer policy. The preference names are version specific:

-
    
-  
  • Firefox version 59 and later: network.http.referer.defaultPolicy (and network.http.referer.defaultPolicy.pbmode for private networks)
    • 
-  
  • Firefox versions 53 to 58: network.http.referer.userControlPolicy
    • 
-

-
All of these settings take the same set of values: 0 = no-referrer, 1 = same-origin, 2 = strict-origin-when-cross-origin, 3 = no-referrer-when-downgrade.

+- Firefox version 59 and later: `network.http.referer.defaultPolicy` (and `network.http.referer.defaultPolicy.pbmode` for private networks)
+- Firefox versions 53 to 58: `network.http.referer.userControlPolicy`
 
+All of these settings take the same set of values: `0 = no-referrer`, `1 = same-origin`, `2 = strict-origin-when-cross-origin`, `3 = no-referrer-when-downgrade`.
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [Web security > Referer header: privacy and security concerns](/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns)
+- {{interwiki("wikipedia", "HTTP_referer", "HTTP referer on Wikipedia")}}
+- When using [Fetch](/en-US/docs/Web/API/Fetch_API): {{domxref("Request.referrerPolicy")}}
+- The obsolete {{HTTPHeader("Content-Security-Policy")}}'s {{HTTPHeader("Content-Security-Policy/referrer", "referrer")}} {{deprecated_inline}} directive.
+- [Same-origin policy](/en-US/docs/Web/Security/Same-origin_policy)
+- [Tighter Control Over Your Referrers – Mozilla Security Blog](https://blog.mozilla.org/security/2015/01/21/meta-referrer/)
diff --git a/files/en-us/web/http/headers/retry-after/index.md b/files/en-us/web/http/headers/retry-after/index.md
index 4832e3f70c00988..e4ada5166056eea 100644
--- a/files/en-us/web/http/headers/retry-after/index.md
+++ b/files/en-us/web/http/headers/retry-after/index.md
@@ -2,28 +2,26 @@
 title: Retry-After
 slug: Web/HTTP/Headers/Retry-After
 tags:
-- HTTP
-- Reference
-- Response
-- Response Header
-- header
+  - HTTP
+  - Reference
+  - Response
+  - Response Header
+  - header
 browser-compat: http.headers.Retry-After
 ---
-
{{HTTPSidebar}}

-
-
The Retry-After response HTTP header indicates how long
-  the user agent should wait before making a follow-up request. There are three main cases
-  this header is used:

-
-
    
-  
  • When sent with a {{HTTPStatus(503)}} (Service Unavailable) response, this indicates
-    how long the service is expected to be unavailable.
    • 
-  
  • When sent with a {{HTTPStatus(429)}} (Too Many Requests) response, this indicates
-    how long to wait before making a new request.
    • 
-  
  • When sent with a redirect response, such as {{HTTPStatus(301)}} (Moved Permanently),
-    this indicates the minimum time that the user agent is asked to wait before issuing
-    the redirected request.
    • 
-

+{{HTTPSidebar}}
+
+The **`Retry-After`** response HTTP header indicates how long
+the user agent should wait before making a follow-up request. There are three main cases
+this header is used:
+
+- When sent with a {{HTTPStatus(503)}} (Service Unavailable) response, this indicates
+  how long the service is expected to be unavailable.
+- When sent with a {{HTTPStatus(429)}} (Too Many Requests) response, this indicates
+  how long to wait before making a new request.
+- When sent with a redirect response, such as {{HTTPStatus(301)}} (Moved Permanently),
+  this indicates the minimum time that the user agent is asked to wait before issuing
+  the redirected request.
 
 
@@ -38,51 +36,46 @@ browser-compat: http.headers.Retry-After
   

   
 

 
-
Syntax

+## Syntax
 
-
Retry-After: <http-date>
-Retry-After: <delay-seconds>
-

+```html
+Retry-After: 
+Retry-After: 
+```
 
-
Directives

+## Directives
 
-

-  
<http-date>

-  
A date after which to retry. See the {{HTTPHeader("Date")}} header for more details
-    on the HTTP date format.

-  
<delay-seconds>

-  
A non-negative decimal integer indicating the seconds to delay after the response is
-    received.

-

+- \
+  - : A date after which to retry. See the {{HTTPHeader("Date")}} header for more details
+    on the HTTP date format.
+- \
+  - : A non-negative decimal integer indicating the seconds to delay after the response is
+    received.
 
-
Examples

+## Examples
 
-
Dealing with scheduled downtime

+### Dealing with scheduled downtime
 
-
Support for the Retry-After header on both clients and servers is still
-  inconsistent. However, some crawlers and spiders, like the Googlebot, honor the
-  Retry-After header. It is useful to send it along with a
-  {{HTTPStatus(503)}} (Service Unavailable) response, so that search engines will keep
-  indexing your site when the downtime is over.

+Support for the `Retry-After` header on both clients and servers is still
+inconsistent. However, some crawlers and spiders, like the Googlebot, honor the
+`Retry-After` header. It is useful to send it along with a
+{{HTTPStatus(503)}} (Service Unavailable) response, so that search engines will keep
+indexing your site when the downtime is over.
 
-
Retry-After: Wed, 21 Oct 2015 07:28:00 GMT
-Retry-After: 120
-

+    Retry-After: Wed, 21 Oct 2015 07:28:00 GMT
+    Retry-After: 120
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [Google
+  Webmaster blog: How to deal with planned site downtime](https://webmasters.googleblog.com/2011/01/how-to-deal-with-planned-site-downtime.html)
+- {{HTTPStatus(503)}} (Service Unavailable)
+- {{HTTPStatus(301)}} (Moved Permanently)
diff --git a/files/en-us/web/http/headers/rtt/index.md b/files/en-us/web/http/headers/rtt/index.md
index 7c99a18c7e0c47d..3fb9209949cecc0 100644
--- a/files/en-us/web/http/headers/rtt/index.md
+++ b/files/en-us/web/http/headers/rtt/index.md
@@ -11,73 +11,68 @@ tags:
   - Experimental
 browser-compat: http.headers.rtt
 ---
-
{{HTTPSidebar}} {{SeeCompatTable}}

+{{HTTPSidebar}} {{SeeCompatTable}}
 
-
The RTT {{Glossary("Client hints","network client hint")}} request header field provides the approximate round trip time on the application layer, in milliseconds. The RTT hint, unlike transport layer RTT, includes server processing time.

+The **`RTT`** {{Glossary("Client hints","network client hint")}} request header field provides the approximate round trip time on the application layer, in milliseconds. The RTT hint, unlike transport layer RTT, includes server processing time.
 
 
-   
-    
-    
-   
-   
-    
-    
-   
+    
+      
+      
+    
+    
+      
+      
+    
- 

   
Header type{{Glossary("Request header")}}, {{Glossary("Client hints","Client hint")}}
{{Glossary("Forbidden header name")}}no
Header type
+        {{Glossary("Request header")}},
+        {{Glossary("Client hints","Client hint")}}
+      
{{Glossary("Forbidden header name")}}no

   

+
 
-
The RTT value is rounded to the nearest 25 milliseconds to prevent fingerprinting; There are many other mechanisms an attacker might use to obtain similar round-trip information.

+The RTT value is rounded to the nearest 25 milliseconds to prevent fingerprinting; There are many other mechanisms an attacker might use to obtain similar round-trip information.
 
-
The hint allows a server to choose what information is sent based on the network responsiveness/latency. For example, it might choose to send fewer resources.

+The hint allows a server to choose what information is sent based on the network responsiveness/latency. For example, it might choose to send fewer resources.
 
-

-  
Note: The {{HTTPHeader("Vary")}} header is used in responses to indicate that a different resource is sent for every different value of the header (see HTTP Caching > Varying responses). Even if {{HTTPHeader("RTT")}} is used to configure what resources are sent consider omitting it in the {{HTTPHeader("Vary")}} header  — it is likely to change often, which effectively makes the resource uncachable.

-

+> **Note:** The {{HTTPHeader("Vary")}} header is used in responses to indicate that a different resource is sent for every different value of the header (see [HTTP Caching > Varying responses](/en-US/docs/Web/HTTP/Caching#varying_responses)). Even if {{HTTPHeader("RTT")}} is used to configure what resources are sent consider omitting it in the {{HTTPHeader("Vary")}} header — it is likely to change often, which effectively makes the resource uncachable.
 
-
Syntax

+## Syntax
 
-
RTT: <number>

+    RTT: 
 
-
Directives

+## Directives
 
-

- 
<number>

- 
The approximate round trip time in milliseconds, rounded to the nearest 25 milliseconds.

-

+- \
+  - : The approximate round trip time in milliseconds, rounded to the nearest 25 milliseconds.
 
-
Examples

+## Examples
 
-
A server first needs to opt in to receive the RTT header by sending the {{HTTPHeader("Accept-CH")}} response header containing RTT.

+A server first needs to opt in to receive the `RTT` header by sending the {{HTTPHeader("Accept-CH")}} response header containing `RTT`.
 
-
Accept-CH: RTT

+    Accept-CH: RTT
 
-
Then on subsequent requests the client might send an RTT header back:

+Then on subsequent requests the client might send an `RTT` header back:
 
-
RTT: 125

+    RTT: 125
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [Adapting to Users with Client Hints](https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/client-hints) (developer.google.com)
+- Network client hints
 
+  - {{HTTPHeader("Downlink")}}
+  - {{HTTPHeader("ECT")}}
+  - {{HTTPHeader("Save-Data")}}
+
+- {{HTTPHeader("Accept-CH")}}
+- [HTTP Caching > Varying responses](/en-US/docs/Web/HTTP/Caching#varying_responses) and {{HTTPHeader("Vary")}}
+- {{domxref("NetworkInformation.effectiveType")}}
diff --git a/files/en-us/web/http/headers/save-data/index.md b/files/en-us/web/http/headers/save-data/index.md
index 4ae32ed3cdab1bf..47155d7de8a9152 100644
--- a/files/en-us/web/http/headers/save-data/index.md
+++ b/files/en-us/web/http/headers/save-data/index.md
@@ -10,121 +10,114 @@ tags:
   - Request header
 browser-compat: http.headers.Save-Data
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Save-Data {{Glossary("Client hints","network client hint")}} request header field is a boolean which indicates the client's preference for reduced data usage. This could be for reasons such as high transfer costs, slow connection speeds, etc.

+The **`Save-Data`** {{Glossary("Client hints","network client hint")}} request header field is a boolean which indicates the client's preference for reduced data usage. This could be for reasons such as high transfer costs, slow connection speeds, etc.
 
-  
-    
-     
+

+  
+    
-      
-     
-     
+      
+    
+    
-     
-     
-      
+    
+    
+      
-     
-    
-   

       Header type{{Glossary("Request header")}}, {{Glossary("Client hints","Client hint")}}

+        {{Glossary("Request header")}},
+        {{Glossary("Client hints","Client hint")}}
+      

       {{Glossary("Forbidden header name")}}
       no
{{Glossary("CORS-safelisted response header")}}

+        {{Glossary("CORS-safelisted response header")}}
+      
       no

+    
+  
+
 
-
A value of On indicates explicit user opt-in into a reduced data usage
-  mode on the client, and when communicated to origins allows them to deliver alternative
-  content to reduce the data downloaded such as smaller image and video resources,
-  different markup and styling, disabled polling and automatic updates, and so on.

+A value of `On` indicates explicit user opt-in into a reduced data usage
+mode on the client, and when communicated to origins allows them to deliver alternative
+content to reduce the data downloaded such as smaller image and video resources,
+different markup and styling, disabled polling and automatic updates, and so on.
 
-

-  
Note: Disabling HTTP/2 Server Push ({{RFC("7540", "Server Push",
-    "8.2")}}) might be desirable too for reducing data downloads.

-

+> **Note:** Disabling HTTP/2 Server Push ({{RFC("7540", "Server Push",
+    "8.2")}}) might be desirable too for reducing data downloads.
 
-

-  
Note: The Save-Data {{Glossary("Client hints","network client hint")}} should be used to reduce data set to the client irrespective of the values of other client client hints that indicate network capability, like {{HTTPHeader("Downlink")}} and {{HTTPHeader("RTT")}}.

-

+> **Note:** The **`Save-Data`** {{Glossary("Client hints","network client hint")}} should be used to reduce data set to the client irrespective of the values of other client client hints that indicate network capability, like {{HTTPHeader("Downlink")}} and {{HTTPHeader("RTT")}}.
 
-
Syntax

+## Syntax
 
-
Save-Data: <sd-token>

+    Save-Data: 
 
-
Directives

+## Directives
 
-

-  
<sd-token>

-  
A value indicating whether the client wants to opt in to reduced data
-    usage mode. on indicates yes, while off (the default)
-    indicates no.

-

+- ``
+  - : A value indicating whether the client wants to opt in to reduced data
+    usage mode. `on` indicates yes, while `off` (the default)
+    indicates no.
 
-
Examples

+## Examples
 
-
The {{HTTPHeader("Vary")}} header ensures that the content is cached properly (for
-  instance ensuring that the user is not served a lower-quality image from the cache when
-  Save-Data header is no longer present [e.g. after having switched
-  from cellular to Wi-Fi]).

+The {{HTTPHeader("Vary")}} header ensures that the content is cached properly (for
+instance ensuring that the user is not served a lower-quality image from the cache when
+`Save-Data` header is no longer present \[_e.g._ after having switched
+from cellular to Wi-Fi]).
 
-
With Save-Data: on

+### With `Save-Data: on`
 
-
Request:

+Request:
 
-
GET /image.jpg HTTP/1.0
-Host: example.com
-Save-Data: on

+    GET /image.jpg HTTP/1.0
+    Host: example.com
+    Save-Data: on
 
-
Response:

+Response:
 
-
HTTP/1.0 200 OK
-Content-Length: 102832
-Vary: Accept-Encoding, Save-Data
-Cache-Control: public, max-age=31536000
-Content-Type: image/jpeg
+    HTTP/1.0 200 OK
+    Content-Length: 102832
+    Vary: Accept-Encoding, Save-Data
+    Cache-Control: public, max-age=31536000
+    Content-Type: image/jpeg
 
-[...]
-

+    [...]
 
-
Without Save-Data

+### Without `Save-Data`
 
-
Request:

+Request:
 
-
GET /image.jpg HTTP/1.0
-Host: example.com
-

+    GET /image.jpg HTTP/1.0
+    Host: example.com
 
-
Response:

+Response:
 
-
HTTP/1.0 200 OK
-Content-Length: 481770
-Vary: Accept-Encoding, Save-Data
-Cache-Control: public, max-age=31536000
-Content-Type: image/jpeg
+    HTTP/1.0 200 OK
+    Content-Length: 481770
+    Vary: Accept-Encoding, Save-Data
+    Cache-Control: public, max-age=31536000
+    Content-Type: image/jpeg
 
-[...]
-

+    [...]
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [Help Your Users \`Save-Data\` - CSS Tricks](https://css-tricks.com/help-users-save-data/)
+- [Delivering Fast and Light Applications with Save-Data - Google Developers](https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/save-data/)
+- {{HTTPHeader("Vary")}} header which indicate that the content served varies by `Save-Data` (see [HTTP Caching > Varying responses](/en-US/docs/Web/HTTP/Caching#varying_responses))
+- CSS @media feature [`prefers-reduced-data`](/en-US/docs/Web/CSS/@media/prefers-reduced-data) {{experimental_inline}}
+- [Adapting to Users with Client Hints](https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/client-hints) (developer.google.com)
+- Network client hints
+
+  - {{HTTPHeader("Downlink")}}
+  - {{HTTPHeader("RTT")}}
+  - {{HTTPHeader("ECT")}}
+
+- {{domxref("NetworkInformation.saveData")}}
diff --git a/files/en-us/web/http/headers/sec-fetch-dest/index.md b/files/en-us/web/http/headers/sec-fetch-dest/index.md
index 5f1dfe2dd28d307..64dcb502a9bede4 100644
--- a/files/en-us/web/http/headers/sec-fetch-dest/index.md
+++ b/files/en-us/web/http/headers/sec-fetch-dest/index.md
@@ -10,135 +10,127 @@ tags:
   - Request header
 browser-compat: http.headers.Sec-Fetch-Dest
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Sec-Fetch-Dest {{Glossary("Fetch metadata request header", "fetch metadata request header")}} indicates the request's destination. That is the initiator of the original fetch request, which is where (and how) the fetched data will be used.

+The **`Sec-Fetch-Dest`** {{Glossary("Fetch metadata request header", "fetch metadata request header")}} indicates the request's _destination_. That is the initiator of the original fetch request, which is where (and how) the fetched data will be used.
 
-
This allows servers determine whether to service a request based on whether it is appropriate for how it is expected to be used. For example, a request with an audio destination should request audio data, not some other type of resource (for example, a document that includes senstive user information).

+This allows servers determine whether to service a request based on whether it is appropriate for how it is _expected_ to be used. For example, a request with an `audio` destination should request audio data, not some other type of resource (for example, a document that includes senstive user information).
 
 
-	
-		
-			
-			
-		
-		
-			
-			
-		
-		
-			
-			
-		
-	
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Fetch Metadata Request Header")}}
{{Glossary("Forbidden header name")}}yes (prefix Sec-)
{{Glossary("CORS-safelisted request header")}}no
Header type{{Glossary("Fetch Metadata Request Header")}}
{{Glossary("Forbidden header name")}}yes (prefix Sec-)

+        {{Glossary("CORS-safelisted request header")}}
+      no

 

 
-
Syntax

-
-
Sec-Fetch-Dest: audio
-Sec-Fetch-Dest: audioworklet
-Sec-Fetch-Dest: document
-Sec-Fetch-Dest: embed
-Sec-Fetch-Dest: empty
-Sec-Fetch-Dest: font
-Sec-Fetch-Dest: frame
-Sec-Fetch-Dest: iframe
-Sec-Fetch-Dest: image
-Sec-Fetch-Dest: manifest
-Sec-Fetch-Dest: object
-Sec-Fetch-Dest: paintworklet
-Sec-Fetch-Dest: report
-Sec-Fetch-Dest: script
-Sec-Fetch-Dest: serviceworker
-Sec-Fetch-Dest: sharedworker
-Sec-Fetch-Dest: style
-Sec-Fetch-Dest: track
-Sec-Fetch-Dest: video
-Sec-Fetch-Dest: worker
-Sec-Fetch-Dest: xslt
-

-
-
Servers should ignore this header if it contains any other value.

-
-
Directives

-
-

-	
Note: These directives correspond to the values returned by {{domxref("Request.destination")}}).

-

-
-

-	
audio

-	
The destination is audio data. This might originate from an HTML {{HTMLElement("audio")}} tag.

-	
audioworklet

-	
The destination is data being fetched for use by an audio worklet. This might originate from a call to {{domxref("Worklet.addModule()", "audioWorklet.addModule()")}}.

-	
document

-	
The destination is a document (HTML or XML), and the request is the result of a user-initiated top-level navigation (e.g. resulting from a user clicking a link).

-	
embed

-	
The destination is embedded content. This might originate from an HTML {{HTMLElement("embed")}} tag.

-	
empty

-	
The destination is the empty string. This is used for destinations that do not have their own value. For example fetch(), {{domxref("navigator.sendBeacon()")}}, {{domxref("EventSource")}}, {{domxref("XMLHttpRequest")}}, {{domxref("WebSocket")}}, etc.

-	
font

-	
The destination is a font. This might originate from CSS {{cssxref("@font-face")}}.

-	
frame

-	
The destination is a frame. This might originate from an HTML {{HTMLElement("frame")}} tag.

-	
iframe

-	
The destination is an iframe. This might originate from an HTML {{HTMLElement("iframe")}} tag.

-	
image

-	
The destination is an image. This might originate from an HTML {{HTMLElement("image")}}, SVG {{SVGElement("image")}}, CSS {{cssxref("background-image")}}, CSS {{cssxref("cursor")}}, CSS {{cssxref("list-style-image")}}, etc.

-	
manifest

-	
The destination is a manifest. This might originate from an HTML <link rel=manifest>).

-	
object

-	
The destination is an object. This might originate from an HTML {{HTMLElement("object")}} tag.

-	
paintworklet

-	
The destination is a paint worklet. This might originate from a call to {{domxref('Worklet.addModule', 'CSS.PaintWorklet.addModule()')}}.

-	
report

-	
The destination is a report (for example, a content security policy report).

-	
script

-	
The destination is a script. This might originate from an HTML {{HTMLElement("script")}} tag or a call to {{domxref("WorkerGlobalScope.importScripts()")}}.

-	
serviceworker

-	
The destination is a service worker. This might originate from a call to {{domxref("ServiceWorkerContainer.register","navigator.serviceWorker.register()")}}.

-	
sharedworker

-	
The destination is a shared worker. This might originate from a {{domxref("SharedWorker")}}.

-	
style

-	
The destination is a style. This might originate from an HTML {{HTMLElement("link","<link rel=stylesheet>")}} or a CSS {{cssxref("@import")}}.

-	
track

-	
The destination is an HTML text track. This might originate from an HTML {{HTMLElement("track")}} tag.

-	
video

-	
The destination is video data. This might originate from an HTML {{HTMLElement("video")}} tag.

-	
worker

-	
The destination is a {{domxref("Worker")}}.

-	
xslt

-	
The destination is an XLST transform.

-

-
-
-
Examples

-
-
A cross-site request generated by an {{HTMLElement("img")}} element would result in a request with the following HTTP request headers (note that the destination is image):

-
-
Sec-Fetch-Dest: image
-Sec-Fetch-Mode: no-cors
-Sec-Fetch-Site: cross-site
-

-
-
Specifications

-
-
{{Specifications}}

-
-
Browser compatibility

-
-
{{Compat}}

-
-
See also

-
-
+## Syntax
+
+    Sec-Fetch-Dest: audio
+    Sec-Fetch-Dest: audioworklet
+    Sec-Fetch-Dest: document
+    Sec-Fetch-Dest: embed
+    Sec-Fetch-Dest: empty
+    Sec-Fetch-Dest: font
+    Sec-Fetch-Dest: frame
+    Sec-Fetch-Dest: iframe
+    Sec-Fetch-Dest: image
+    Sec-Fetch-Dest: manifest
+    Sec-Fetch-Dest: object
+    Sec-Fetch-Dest: paintworklet
+    Sec-Fetch-Dest: report
+    Sec-Fetch-Dest: script
+    Sec-Fetch-Dest: serviceworker
+    Sec-Fetch-Dest: sharedworker
+    Sec-Fetch-Dest: style
+    Sec-Fetch-Dest: track
+    Sec-Fetch-Dest: video
+    Sec-Fetch-Dest: worker
+    Sec-Fetch-Dest: xslt
+
+Servers should ignore this header if it contains any other value.
+
+## Directives
+
+> **Note:** These directives correspond to the values returned by {{domxref("Request.destination")}}).
+
+- `audio`
+  - : The destination is audio data. This might originate from an HTML {{HTMLElement("audio")}} tag.
+- `audioworklet`
+  - : The destination is data being fetched for use by an audio worklet. This might originate from a call to {{domxref("Worklet.addModule()", "audioWorklet.addModule()")}}.
+- `document`
+  - : The destination is a document (HTML or XML), and the request is the result of a user-initiated top-level navigation (e.g. resulting from a user clicking a link).
+- `embed`
+  - : The destination is embedded content. This might originate from an HTML {{HTMLElement("embed")}} tag.
+- `empty`
+  - : The destination is the empty string. This is used for destinations that do not have their own value. For example `fetch()`, {{domxref("navigator.sendBeacon()")}}, {{domxref("EventSource")}}, {{domxref("XMLHttpRequest")}}, {{domxref("WebSocket")}}, etc.
+- `font`
+  - : The destination is a font. This might originate from CSS {{cssxref("@font-face")}}.
+- `frame`
+  - : The destination is a frame. This might originate from an HTML {{HTMLElement("frame")}} tag.
+- `iframe`
+  - : The destination is an iframe. This might originate from an HTML {{HTMLElement("iframe")}} tag.
+- `image`
+  - : The destination is an image. This might originate from an HTML {{HTMLElement("image")}}, SVG {{SVGElement("image")}}, CSS {{cssxref("background-image")}}, CSS {{cssxref("cursor")}}, CSS {{cssxref("list-style-image")}}, etc.
+- `manifest`
+  - : The destination is a manifest. This might originate from an HTML [\](/en-US/docs/Web/HTML/Link_types/manifest)).
+- `object`
+  - : The destination is an object. This might originate from an HTML {{HTMLElement("object")}} tag.
+- `paintworklet`
+  - : The destination is a paint worklet. This might originate from a call to {{domxref('Worklet.addModule', 'CSS.PaintWorklet.addModule()')}}.
+- `report`
+  - : The destination is a report (for example, a content security policy report).
+- `script`
+  - : The destination is a script. This might originate from an HTML {{HTMLElement("script")}} tag or a call to {{domxref("WorkerGlobalScope.importScripts()")}}.
+- `serviceworker`
+  - : The destination is a service worker. This might originate from a call to {{domxref("ServiceWorkerContainer.register","navigator.serviceWorker.register()")}}.
+- `sharedworker`
+  - : The destination is a shared worker. This might originate from a {{domxref("SharedWorker")}}.
+- `style`
+  - : The destination is a style. This might originate from an HTML {{HTMLElement("link","<link rel=stylesheet>")}} or a CSS {{cssxref("@import")}}.
+- `track`
+  - : The destination is an HTML text track. This might originate from an HTML {{HTMLElement("track")}} tag.
+- `video`
+  - : The destination is video data. This might originate from an HTML {{HTMLElement("video")}} tag.
+- `worker`
+  - : The destination is a {{domxref("Worker")}}.
+- `xslt`
+  - : The destination is an XLST transform.
+
+## Examples
+
+A cross-site request generated by an {{HTMLElement("img")}} element would result in a request with the following HTTP request headers (note that the destination is `image`):
+
+    Sec-Fetch-Dest: image
+    Sec-Fetch-Mode: no-cors
+    Sec-Fetch-Site: cross-site
+
+## Specifications
+
+{{Specifications}}
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- Related headers
+
+  - {{HTTPHeader("Sec-Fetch-Mode")}}
+  - {{HTTPHeader("Sec-Fetch-Site")}}
+  - {{HTTPHeader("Sec-Fetch-User")}}
+
+- [Protect your resources from web attacks with Fetch Metadata](https://web.dev/fetch-metadata/) (web.dev)
+- [Fetch Metadata Request Headers playground](https://secmetadata.appspot.com/) (secmetadata.appspot.com)
diff --git a/files/en-us/web/http/headers/sec-fetch-mode/index.md b/files/en-us/web/http/headers/sec-fetch-mode/index.md
index 92a5eb97388ae43..30a852494c687d2 100644
--- a/files/en-us/web/http/headers/sec-fetch-mode/index.md
+++ b/files/en-us/web/http/headers/sec-fetch-mode/index.md
@@ -10,96 +10,86 @@ tags:
   - Request header
 browser-compat: http.headers.Sec-Fetch-Mode
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Sec-Fetch-Mode {{Glossary("Fetch metadata request header", "fetch metadata request header")}} indicates the mode of the request.

+The **`Sec-Fetch-Mode`** {{Glossary("Fetch metadata request header", "fetch metadata request header")}} indicates the [mode](/en-US/docs/Web/API/Request/mode) of the request.
 
-
Broadly speaking, this allows a server to distinguish between: requests originating from a user navigating between HTML pages, and requests to load images and other resources. For example, this header would contain navigate for top level navigation requests, while no-cors is used for loading an image.

+Broadly speaking, this allows a server to distinguish between: requests originating from a user navigating between HTML pages, and requests to load images and other resources. For example, this header would contain `navigate` for top level navigation requests, while `no-cors` is used for loading an image.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Fetch Metadata Request Header")}}
{{Glossary("Forbidden header name")}}yes (prefix Sec-)
{{Glossary("CORS-safelisted request header")}}no
Header type{{Glossary("Fetch Metadata Request Header")}}
{{Glossary("Forbidden header name")}}yes (prefix Sec-)

+        {{Glossary("CORS-safelisted request header")}}
+      no

 

 
-
Syntax

+## Syntax
 
-
Sec-Fetch-Mode: cors
-Sec-Fetch-Mode: navigate
-Sec-Fetch-Mode: no-cors
-Sec-Fetch-Mode: same-origin
-Sec-Fetch-Mode: websocket
-

+    Sec-Fetch-Mode: cors
+    Sec-Fetch-Mode: navigate
+    Sec-Fetch-Mode: no-cors
+    Sec-Fetch-Mode: same-origin
+    Sec-Fetch-Mode: websocket
 
-
Servers should ignore this header if it contains any other value.

+Servers should ignore this header if it contains any other value.
 
+## Directives
 
-
Directives

+> **Note:** These directives correspond to the values in [`Request.mode`](/en-US/docs/Web/API/Request/mode#value).
 
-

-  
Note: These directives correspond to the values in Request.mode.

-

+- `cors`
+  - : The request is a [CORS protocol](/en-US/docs/Web/HTTP/CORS) request.
+- `navigate`
+  - : The request is initiated by navigation between HTML documents.
+- `no-cors`
+  - : The request is a no-cors request (see [`Request.mode`](/en-US/docs/Web/API/Request/mode#value)).
+- `same-origin`
+  - : The request is made from the same origin as the resource that is being requested.
+- `websocket`
+  - : The request is being made to establish a [WebSocket](/en-US/docs/Web/API/WebSockets_API) connection.
 
-

- 
cors

- 
The request is a CORS protocol request.

- 
navigate

- 
The request is initiated by navigation between HTML documents.

- 
no-cors

- 
The request is a no-cors request (see Request.mode).

- 
same-origin

- 
The request is made from the same origin as the resource that is being requested.

- 
websocket

- 
The request is being made to establish a WebSocket connection.

-

+## Examples
 
+If a user clicks on a page link to another page on the same origin, the resulting request would have the following headers (note that the mode is `navigate`):
 
-
Examples

+    Sec-Fetch-Dest: document
+    Sec-Fetch-Mode: navigate
+    Sec-Fetch-Site: same-origin
+    Sec-Fetch-User: ?1
 
-
If a user clicks on a page link to another page on the same origin, the resulting request would have the following headers (note that the mode is navigate):

+A cross-site request generated by an {{HTMLElement("img")}} element would result in a request with the following HTTP request headers (note that the mode is `no-cors`):
 
-
Sec-Fetch-Dest: document
-Sec-Fetch-Mode: navigate
-Sec-Fetch-Site: same-origin
-Sec-Fetch-User: ?1
-

+    Sec-Fetch-Dest: image
+    Sec-Fetch-Mode: no-cors
+    Sec-Fetch-Site: cross-site
 
-
A cross-site request generated by an {{HTMLElement("img")}} element would result in a request with the following HTTP request headers (note that the mode is no-cors):

+## Specifications
 
-
Sec-Fetch-Dest: image
-Sec-Fetch-Mode: no-cors
-Sec-Fetch-Site: cross-site
-

+{{Specifications}}
 
-
Specifications

+## Browser compatibility
 
-
{{Specifications}}

+{{Compat}}
 
-
Browser compatibility

+## See also
 
-
{{Compat}}

+- Related headers
 
-
See also

+  - {{HTTPHeader("Sec-Fetch-Dest")}}
+  - {{HTTPHeader("Sec-Fetch-Site")}}
+  - {{HTTPHeader("Sec-Fetch-User")}}
 
-
+- [Protect your resources from web attacks with Fetch Metadata](https://web.dev/fetch-metadata/) (web.dev)
+- [Fetch Metadata Request Headers playground](https://secmetadata.appspot.com/) (secmetadata.appspot.com)
diff --git a/files/en-us/web/http/headers/sec-fetch-site/index.md b/files/en-us/web/http/headers/sec-fetch-site/index.md
index 92443d9c0dbdae8..0851a9d822b577a 100644
--- a/files/en-us/web/http/headers/sec-fetch-site/index.md
+++ b/files/en-us/web/http/headers/sec-fetch-site/index.md
@@ -10,89 +10,83 @@ tags:
   - Request header
 browser-compat: http.headers.Sec-Fetch-Site
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Sec-Fetch-Site {{Glossary("Fetch metadata request header", "fetch metadata request header")}} indicates the relationship between a request initiator's origin and the origin of the requested resource.

+The **`Sec-Fetch-Site`** {{Glossary("Fetch metadata request header", "fetch metadata request header")}} indicates the relationship between a request initiator's origin and the origin of the requested resource.
 
-
In other words, this header tells a server whether a request for a resource is coming from the same origin, the same site, a different site, or is a "user initiated" request. The server can then use this information to decide if the request should be allowed.

+In other words, this header tells a server whether a request for a resource is coming from the same origin, the same site, a different site, or is a "user initiated" request. The server can then use this information to decide if the request should be allowed.
 
-
Same-origin requests would usually be allowed by default, but what happens for requests from other origins may further depend on what resource is being requested, or information in other {{Glossary("Fetch metadata request header","Fetch metadata request headers")}}. By default, requests that are not accepted should be rejected with a {{HTTPStatus("403")}} response code.

+Same-origin requests would usually be allowed by default, but what happens for requests from other origins may further depend on what resource is being requested, or information in other {{Glossary("Fetch metadata request header","Fetch metadata request headers")}}. By default, requests that are not accepted should be rejected with a {{HTTPStatus("403")}} response code.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Fetch Metadata Request Header")}}
{{Glossary("Forbidden header name")}}yes (prefix Sec-)
{{Glossary("CORS-safelisted request header")}}no
Header type{{Glossary("Fetch Metadata Request Header")}}
{{Glossary("Forbidden header name")}}yes (prefix Sec-)

+        {{Glossary("CORS-safelisted request header")}}
+      no

 

 
-
Syntax

+## Syntax
 
-
Sec-Fetch-Site: cross-site
-Sec-Fetch-Site: same-origin
-Sec-Fetch-Site: same-site
-Sec-Fetch-Site: none
-

+    Sec-Fetch-Site: cross-site
+    Sec-Fetch-Site: same-origin
+    Sec-Fetch-Site: same-site
+    Sec-Fetch-Site: none
 
-
Directives

+## Directives
 
-

-  
cross-site

-  
The request initiator and the server hosting the resource have a different site (i.e. a request by "potentially-evil.com" for a resource at "example.com").

-  
same-origin

-  
The request initiator and the server hosting the resource have the same {{Glossary("origin")}} (same scheme, host and port).

-  
same-site

-  
The request initiator and the server hosting the resource have the same scheme, domain and/or subdomain, but not necessarily the same port.

-  
none

-  
This request is a user-originated operation. For example: entering a URL into the address bar, opening a bookmark, or dragging-and-dropping a file into the browser window.

- 

+- `cross-site`
+  - : The request initiator and the server hosting the resource have a different site (i.e. a request by "potentially-evil.com" for a resource at "example.com").
+- `same-origin`
+  - : The request initiator and the server hosting the resource have the same {{Glossary("origin")}} (same scheme, host and port).
+- `same-site`
+  - : The request initiator and the server hosting the resource have the same scheme, domain and/or subdomain, but not necessarily the same port.
+- `none`
+  - : This request is a user-originated operation. For example: entering a URL into the address bar, opening a bookmark, or dragging-and-dropping a file into the browser window.
 
+## Examples
 
- 
Examples

+A fetch request to `https://mysite.example/foo.json` originating from a web page on `https://mysite.example` (with the same port) is a same-origin request.
+The browser will generate the `Sec-Fetch-Site: same-origin` header as shown below, and the server will typically allow the request:
 
- 
A fetch request to https://mysite.example/foo.json originating from a web page on https://mysite.example (with the same port) is a same-origin request.
-The browser will generate the Sec-Fetch-Site: same-origin header as shown below, and the server will typically allow the request:

+    GET /foo.json
+    Sec-Fetch-Dest: empty
+    Sec-Fetch-Mode: cors
+    Sec-Fetch-Site: same-origin
 
- 
GET /foo.json
-Sec-Fetch-Dest: empty
-Sec-Fetch-Mode: cors
-Sec-Fetch-Site: same-origin
-

+A fetch request to the same URL from another site, for example `potentially-evil.com`, causes the browser to generate a different header (e.g. `Sec-Fetch-Site: cross-site`), which the server can choose to accept or reject:
 
-
A fetch request to the same URL from another site, for example potentially-evil.com, causes the browser to generate a different header (e.g. Sec-Fetch-Site: cross-site), which the server can choose to accept or reject:

+    GET /foo.json
+    Sec-Fetch-Dest: empty
+    Sec-Fetch-Mode: cors
+    Sec-Fetch-Site: cross-site
 
-
GET /foo.json
-Sec-Fetch-Dest: empty
-Sec-Fetch-Mode: cors
-Sec-Fetch-Site: cross-site
-

+## Specifications
 
-
Specifications

+{{Specifications}}
 
-
{{Specifications}}

+## Browser compatibility
 
-
Browser compatibility

+{{Compat}}
 
-
{{Compat}}

+## See also
 
-
See also

+- Related headers
 
-
+  - {{HTTPHeader("Sec-Fetch-Mode")}}
+  - {{HTTPHeader("Sec-Fetch-User")}}
+  - {{HTTPHeader("Sec-Fetch-Dest")}}
+
+- [Protect your resources from web attacks with Fetch Metadata](https://web.dev/fetch-metadata/) (web.dev)
+- [Fetch Metadata Request Headers playground](https://secmetadata.appspot.com/) (secmetadata.appspot.com)
diff --git a/files/en-us/web/http/headers/sec-fetch-user/index.md b/files/en-us/web/http/headers/sec-fetch-user/index.md
index a17a60777e26ffe..321085f17952da7 100644
--- a/files/en-us/web/http/headers/sec-fetch-user/index.md
+++ b/files/en-us/web/http/headers/sec-fetch-user/index.md
@@ -10,66 +10,63 @@ tags:
   - Request header
 browser-compat: http.headers.Sec-Fetch-User
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Sec-Fetch-User {{Glossary("Fetch metadata request header", "fetch metadata request header")}} is only sent for requests initiated by user activation, and its value will always be ?1.

+The **`Sec-Fetch-User`** {{Glossary("Fetch metadata request header", "fetch metadata request header")}} is only sent for requests initiated by user activation, and its value will always be `?1`.
 
-
A server can use this header to identify whether a navigation request from a document, iframe, etc., was originated by the user.

+A server can use this header to identify whether a navigation request from a document, iframe, etc., was originated by the user.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Fetch Metadata Request Header")}}
{{Glossary("Forbidden header name")}}yes (prefix Sec-)
{{Glossary("CORS-safelisted request header")}}no
Header type{{Glossary("Fetch Metadata Request Header")}}
{{Glossary("Forbidden header name")}}yes (prefix Sec-)

+        {{Glossary("CORS-safelisted request header")}}
+      no

 

 
-
Syntax

+## Syntax
 
-
Sec-Fetch-User: ?1
-

+    Sec-Fetch-User: ?1
 
-
Directives

+## Directives
 
-
The value will always be ?1. When a request is triggered by something other than a user activation, the spec requires browsers to omit the header completely.

+The value will always be `?1`. When a request is triggered by something other than a user activation, the spec requires browsers to omit the header completely.
 
-
Examples

+## Examples
 
-
If a user clicks on a page link to another page on the same origin, the resulting request would have the following headers:

+If a user clicks on a page link to another page on the same origin, the resulting request would have the following headers:
 
-
Sec-Fetch-Dest: document
-Sec-Fetch-Mode: navigate
-Sec-Fetch-Site: same-origin
-Sec-Fetch-User: ?1
-

+    Sec-Fetch-Dest: document
+    Sec-Fetch-Mode: navigate
+    Sec-Fetch-Site: same-origin
+    Sec-Fetch-User: ?1
 
-
Specifications

+## Specifications
 
-
{{Specifications}}

+{{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- Related headers
+
+  - {{HTTPHeader("Sec-Fetch-Dest")}}
+  - {{HTTPHeader("Sec-Fetch-Mode")}}
+  - {{HTTPHeader("Sec-Fetch-Site")}}
+
+- [Protect your resources from web attacks with Fetch Metadata](https://web.dev/fetch-metadata/) (web.dev)
+- [Fetch Metadata Request Headers playground](https://secmetadata.appspot.com/) (secmetadata.appspot.com)
diff --git a/files/en-us/web/http/headers/sec-websocket-accept/index.md b/files/en-us/web/http/headers/sec-websocket-accept/index.md
index e0857f07f2490f1..0021cad81444209 100644
--- a/files/en-us/web/http/headers/sec-websocket-accept/index.md
+++ b/files/en-us/web/http/headers/sec-websocket-accept/index.md
@@ -12,12 +12,11 @@ tags:
   - header
 browser-compat: http.headers.Sec-WebSocket-Accept
 ---
-
{{HTTPSidebar}}{{Draft}}

+{{HTTPSidebar}}{{Draft}}
 
-
The Sec-WebSocket-Accept header is used in the websocket opening
-  handshake. It would appear in the response headers. That is, this is header is sent from
-  server to client to inform that server is willing to initiate a websocket connection.
-

+The **Sec-WebSocket-Accept** header is used in the websocket opening
+handshake. It would appear in the response headers. That is, this is header is sent from
+server to client to inform that server is willing to initiate a websocket connection.
 
 
@@ -32,37 +31,32 @@ browser-compat: http.headers.Sec-WebSocket-Accept
   

   
 

 
-
Syntax

+## Syntax
 
-
Sec-WebSocket-Accept: <hashed key>

+```html
+Sec-WebSocket-Accept: 
+```
 
-
Directives

+## Directives
 
-

-  
<hashed key>

-  

-    
The server takes the value of the Sec-WebSocket-Key sent in the handshake request,
-      appends 258EAFA5-E914-47DA-95CA-C5AB0DC85B11, takes SHA-1 of the new
-      value, and is then base64
-      encoded.

-  

-

+- \
+  - : The server takes the value of the Sec-WebSocket-Key sent in the handshake request,
+    appends `258EAFA5-E914-47DA-95CA-C5AB0DC85B11`, takes SHA-1 of the new
+    value, and is then [base64](/en-US/docs/Glossary/Base64)
+    encoded.
 
-
Examples

+## Examples
 
-
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=

+    Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Sec-WebSocket-Key")}}
    • 
-

+- {{HTTPHeader("Sec-WebSocket-Key")}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
diff --git a/files/en-us/web/http/headers/server-timing/index.md b/files/en-us/web/http/headers/server-timing/index.md
index d281e2161432545..0cac37dc6284165 100644
--- a/files/en-us/web/http/headers/server-timing/index.md
+++ b/files/en-us/web/http/headers/server-timing/index.md
@@ -8,65 +8,62 @@ tags:
   - header
 browser-compat: http.headers.Server-Timing
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Server-Timing header communicates one or more metrics and descriptions for a given request-response cycle. It is used to surface any backend server timing metrics (e.g. database read/write, CPU time, file system access, etc.) in the developer tools in the user's browser or in the {{domxref("PerformanceServerTiming")}} interface.

+The **`Server-Timing`** header communicates one or more metrics and descriptions for a given request-response cycle. It is used to surface any backend server timing metrics (e.g. database read/write, CPU time, file system access, etc.) in the developer tools in the user's browser or in the {{domxref("PerformanceServerTiming")}} interface.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
The syntax of the Server-Timing header allows you to communicate metrics in different ways: server metric name only, metric with value, metric with value and description, and metric with description.

+The syntax of the `Server-Timing` header allows you to communicate metrics in different ways: server metric name only, metric with value, metric with value and description, and metric with description.
 
-
The specification advices that names and descriptions should be kept as short as possible (use abbreviations and omit optional values where possible) to minimize the HTTP overhead.

+The specification advices that names and descriptions should be kept as short as possible (use abbreviations and omit optional values where possible) to minimize the HTTP overhead.
 
-
// Single metric without value
-Server-Timing: missedCache
+    // Single metric without value
+    Server-Timing: missedCache
 
-// Single metric with value
-Server-Timing: cpu;dur=2.4
+    // Single metric with value
+    Server-Timing: cpu;dur=2.4
 
-// Single metric with description and value
-Server-Timing: cache;desc="Cache Read";dur=23.2
+    // Single metric with description and value
+    Server-Timing: cache;desc="Cache Read";dur=23.2
 
-// Two metrics with value
-Server-Timing: db;dur=53, app;dur=47.2
+    // Two metrics with value
+    Server-Timing: db;dur=53, app;dur=47.2
 
-// Server-Timing as trailer
-Trailer: Server-Timing
---- response body ---
-Server-Timing: total;dur=123.4
-

+    // Server-Timing as trailer
+    Trailer: Server-Timing
+    --- response body ---
+    Server-Timing: total;dur=123.4
 
-
Privacy and security

+## Privacy and security
 
-
The Server-Timing header may expose potentially sensitive application and infrastructure information. Consider to control which metrics are returned when and to whom on the server side. For example, you could only show metrics to authenticated users and nothing to the public.

+The `Server-Timing` header may expose potentially sensitive application and infrastructure information. Consider to control which metrics are returned when and to whom on the server side. For example, you could only show metrics to authenticated users and nothing to the public.
 
-
PerformanceServerTiming interface

+## PerformanceServerTiming interface
 
-
In addition to having Server-Timing header metrics appear in the developer tools of the browser, the {{domxref("PerformanceServerTiming")}} interface enables tools to automatically collect and process metrics from JavaScript. This interface is restricted to the same origin, but you can use the {{HTTPHeader("Timing-Allow-Origin")}} header to specify the domains that are allowed to access the server metrics. The interface is only available in secure contexts (HTTPS) in some browsers.

+In addition to having `Server-Timing` header metrics appear in the developer tools of the browser, the {{domxref("PerformanceServerTiming")}} interface enables tools to automatically collect and process metrics from JavaScript. This interface is restricted to the same origin, but you can use the {{HTTPHeader("Timing-Allow-Origin")}} header to specify the domains that are allowed to access the server metrics. The interface is only available in secure contexts (HTTPS) in some browsers.
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{domxref("PerformanceServerTiming")}}
    • 
-

+- {{domxref("PerformanceServerTiming")}}
diff --git a/files/en-us/web/http/headers/server/index.md b/files/en-us/web/http/headers/server/index.md
index e5f9b37cafdaba7..487f98ca5d312c9 100644
--- a/files/en-us/web/http/headers/server/index.md
+++ b/files/en-us/web/http/headers/server/index.md
@@ -2,21 +2,19 @@
 title: Server
 slug: Web/HTTP/Headers/Server
 tags:
-- HTTP
-- Reference
-- header
+  - HTTP
+  - Reference
+  - header
 browser-compat: http.headers.Server
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Server header describes the
-    software used by the origin server that handled the request — that is, the server that
-    generated the response.

+The **`Server`** header describes the
+software used by the origin server that handled the request — that is, the server that
+generated the response.
 
-

-  
Warning: Avoid overly-detailed Server values, as they can reveal information that
-    might make it (slightly) easier for attackers to exploit known security holes.

-

+> **Warning:** Avoid overly-detailed `Server` values, as they can reveal information that
+> might make it (slightly) easier for attackers to exploit known security holes.
 
 
@@ -31,41 +29,36 @@ browser-compat: http.headers.Server
   

   
 

 
-
Syntax

+## Syntax
 
-
Server: <product>
-

+```html
+Server: 
+```
 
-
Directives

+## Directives
 
-

-  
<product>

-  

-    
The name of the software or product that handled the request. Usually in a format
-      similar to {{HTTPHeader('User-Agent')}}.

-  

-

+- ``
+  - : The name of the software or product that handled the request. Usually in a format
+    similar to {{HTTPHeader('User-Agent')}}.
 
-
How much detail to include is an interesting balance to strike; exposing the OS version
-  is probably a bad idea, as mentioned in the earlier warning about overly-detailed
-  values. However, exposed Apache versions helped browsers work around a bug those
-  versions had with {{HTTPHeader('Content-Encoding')}} combined with
-  {{HTTPHeader('Range')}}.

+How much detail to include is an interesting balance to strike; exposing the OS version
+is probably a bad idea, as mentioned in the earlier warning about overly-detailed
+values. However, exposed Apache versions helped browsers work around a bug those
+versions had with {{HTTPHeader('Content-Encoding')}} combined with
+{{HTTPHeader('Range')}}.
 
-
Examples

+## Examples
 
-
Server: Apache/2.4.1 (Unix)

+    Server: Apache/2.4.1 (Unix)
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Allow")}}
    • 
-

+- {{HTTPHeader("Allow")}}
diff --git a/files/en-us/web/http/headers/set-cookie/index.md b/files/en-us/web/http/headers/set-cookie/index.md
index c8861f0f2bb2d30..93762426aae4c57 100644
--- a/files/en-us/web/http/headers/set-cookie/index.md
+++ b/files/en-us/web/http/headers/set-cookie/index.md
@@ -10,261 +10,227 @@ tags:
   - samesite
 browser-compat: http.headers.Set-Cookie
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.

+The **`Set-Cookie`** HTTP response header is used to send a cookie from the server to the user agent, so the user agent can send it back to the server later. To send multiple cookies, multiple **`Set-Cookie`** headers should be sent in the same response.
 
-

-  
Warning: Browsers block frontend JavaScript code from accessing the Set Cookie header, as required by the Fetch spec, which defines Set-Cookie as a forbidden response-header name that must be filtered out from any response exposed to frontend code.

-

+> **Warning:** Browsers block frontend JavaScript code from accessing the `Set Cookie` header, as required by the Fetch spec, which defines `Set-Cookie` as a [forbidden response-header name](https://fetch.spec.whatwg.org/#forbidden-response-header-name) that [must be filtered out](https://fetch.spec.whatwg.org/#ref-for-forbidden-response-header-name%E2%91%A0) from any response exposed to frontend code.
 
-
For more information, see the guide on Using HTTP cookies.

+For more information, see the guide on [Using HTTP cookies](/en-US/docs/Web/HTTP/Cookies).
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no
Forbidden response-header nameyes
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no

+        Forbidden response-header name
+      yes

 

 
-
Syntax

+## Syntax
 
-
Set-Cookie: <cookie-name>=<cookie-value>
-Set-Cookie: <cookie-name>=<cookie-value>; Expires=<date>
-Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<number>
-Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>
-Set-Cookie: <cookie-name>=<cookie-value>; Path=<path-value>
-Set-Cookie: <cookie-name>=<cookie-value>; Secure
-Set-Cookie: <cookie-name>=<cookie-value>; HttpOnly
+```html
+Set-Cookie: =
+Set-Cookie: =; Expires=
+Set-Cookie: =; Max-Age=
+Set-Cookie: =; Domain=
+Set-Cookie: =; Path=
+Set-Cookie: =; Secure
+Set-Cookie: =; HttpOnly
 
-Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Strict
-Set-Cookie: <cookie-name>=<cookie-value>; SameSite=Lax
-Set-Cookie: <cookie-name>=<cookie-value>; SameSite=None; Secure
+Set-Cookie: =; SameSite=Strict
+Set-Cookie: =; SameSite=Lax
+Set-Cookie: =; SameSite=None; Secure
 
 // Multiple attributes are also possible, for example:
-Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure; HttpOnly
-

-
-
Attributes

-
-

-  
<cookie-name>=<cookie-value>

-  

-    
A cookie begins with a name-value pair.

-    

-      A <cookie-name> can be any US-ASCII characters,
-      except control characters, spaces, or tabs.
-      It also must not contain a separator character like the following: ( ) < > @ , ; : \ " / [ ] ? = { }.
-    

-    

-      A <cookie-value> can optionally be wrapped in double quotes
-      and include any US-ASCII characters excluding control characters, {{glossary("Whitespace")}}, double quotes, comma, semicolon, and backslash.
-    

-    

-      Encoding: Many implementations perform URL encoding on cookie values,
-      however it is not required per the RFC specification.
-      It does help satisfying the requirements
-      about which characters are allowed for <cookie-value> though.
-    

-    

-      
Note: Some ><cookie-name> have a specific semantic:

-      

-        __Secure- prefix:
-        Cookies names starting with __Secure-
-        (dash is part of the prefix)
-        must be set with the secure flag from a secure page (HTTPS).
-      

-      

-        __Host- prefix: Cookies with names starting with __Host- must be set with the secure flag, must be from a secure page (HTTPS), must not have a domain specified (and therefore aren't sent to subdomains) and the path must be /.
-      

-    

-  

-
-  
Expires=<date> {{optional_inline}}

-  

-    

-      The maximum lifetime of the cookie as an HTTP-date timestamp.
-      See {{HTTPHeader("Date")}} for the required formatting.
-    

-
-    

-      If unspecified, the cookie becomes a session cookie.
-      A session finishes when the client shuts down,
-      and session cookies will be removed.
-    

-
-    

-      
Warning: Many web browsers have a session restore feature that will save all tabs and restore them next time the browser is used. Session cookies will also be restored, as if the browser was never closed.

-    

-
-    
When an Expires date is set, the deadline is relative to the client the cookie is being set on, not the server.

-  

-
-  
Max-Age=<number> {{optional_inline}}

-  
Number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. If both Expires and Max-Age are set, Max-Age has precedence.

-
-  
Domain=<domain-value> {{optional_inline}}

-  

-    
Host to which the cookie will be sent.

-    

-      If omitted, defaults to the host of the current document URL,
-      not including subdomains.
-    

-    

-      Contrary to earlier specifications,
-      leading dots in domain names (.example.com) are ignored.
-    

-    

-      Multiple host/domain values are not allowed,
-      but if a domain is specified, t
-      hen subdomains are always included.
-    

-  

-
-  
Path=<path-value> {{optional_inline}}

-  

-    

-      A path that must exist in the requested URL,
-      or the browser won't send the Cookie header.
-    

-    

-      The forward slash (/) character is interpreted as a directory separator,
-      and subdirectories will be matched as well:
-      for Path=/docs, /docs, /docs/Web/, and /docs/Web/HTTP will all match.
-    

-
-  
Secure {{optional_inline}}

-  
Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistent to man-in-the-middle attacks.
-    

-      
Note: Do not assume that Secure prevents all access to sensitive information in cookies (session keys, login details, etc.). Cookies with this attribute can still be read/modified with access to the client's hard disk, or from JavaScript if the HttpOnly cookie attribute is not set.

-      
Insecure sites (http:) can't set cookies with the Secure attribute (since Chrome 52 and Firefox 52). For Firefox, the https: requirements are ignored when the Secure attribute is set by localhost (since Firefox 75).

-    

-  

-
-  
HttpOnly {{optional_inline}}

-  
Forbids JavaScript from accessing the cookie, for example, through the {{domxref("Document.cookie")}} property. Note that a cookie that has been created with HttpOnly will still be sent with JavaScript-initiated requests, e.g. when calling {{domxref("XMLHttpRequest.send()")}} or {{domxref("WindowOrWorkerGlobalScope.fetch")}}. This mitigates attacks against cross-site scripting ({{Glossary("Cross-site_scripting", "XSS")}}).

-
-  
SameSite=<samesite-value> {{optional_inline}}

-  

-    

-      Controls whether a cookie is sent with cross-origin requests,
-      providing some protection against cross-site request forgery attacks ({{Glossary("CSRF")}}).
-    

-    

-      
Note: Standards related to the SameSite Cookies recently changed such that:

-      
    
-        
  1. The cookie-sending behavior if SameSite is not specified is SameSite=Lax. Previously the default was that cookies were sent for all requests.
    2. 
-        
  2. Cookies with SameSite=None must now
    
-        also specify the Secure attribute (i.e. they require a secure context).
    3. 
-      

-      
The options below covers the new behavior. See the Browser compatibility table for information about specific browser implementation (rows: "SameSite: Defaults to Lax" and "SameSite: Secure context required").

-    

-    
Inline options are: Strict, Lax, and None.

-    

-      Strict means that the browser sends the cookie only for same-site requests,
-      that is, requests originating from the same site that set the cookie.
-      If the request originated from a different URL than the current one,
-      no cookies with the SameSite=Strict attribute are sent.
-    

-    

-      Laxmeans that the cookie is not sent on cross-site requests,
-      such as calls to load images or frames,
-      but is sent when a user is navigating to the origin site from an external site
-      (e.g., if following a link).
-      This is the default behavior
-      if the SameSite attribute is not specified.
-    

-    

-      Finally, None means that the browser sends the cookie with both cross-site and same-site requests.
-      The Secure attribute must also be set when SameSite=None!
-    

-  

-

-
-
Examples

-
-
-
-
Session cookies are removed when the client shuts down. Cookies are session cookies if they don't specify the Expires or Max-Age attributes.

-
-
Set-Cookie: sessionId=38afes7a8

-
-
-
-
Instead of expiring when the client is closed, permanent cookies expire at a specific date (Expires) or after a specific length of time (Max-Age).

-
-
Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT
-

-
-
Set-Cookie: id=a3fWa; Max-Age=2592000

-
-
Invalid domains

-
-
A cookie for a domain that does not include the server that set it should be rejected by the user agent.

-
-
The following cookie will be rejected if set by a server hosted on originalcompany.com:

-
-
Set-Cookie: qwerty=219ffwef9w0f; Domain=somecompany.co.uk

-
-
A cookie for a sub domain of the serving domain will be rejected.

-
-
The following cookie will be rejected if set by a server hosted on example.com:

-
-
Set-Cookie: sessionId=e8bb43229de9; Domain=foo.example.com

-
-
-
-
Cookies names prefixed with __Secure- or __Host- can be used only if they are set with the secure attribute from a secure (HTTPS) origin.

-
-
In addition, cookies with the __Host- prefix must have a path of / (meaning any path at the host) and must not have a Domain attribute.

-
-

-  
Warning: For clients that don't implement cookie prefixes, you cannot count on these additional assurances, and prefixed cookies will always be accepted.

-

-
-
// Both accepted when from a secure origin (HTTPS)
-Set-Cookie: __Secure-ID=123; Secure; Domain=example.com
-Set-Cookie: __Host-ID=123; Secure; Path=/
+Set-Cookie: =; Domain=; Secure; HttpOnly
+```
 
-// Rejected due to missing Secure attribute
-Set-Cookie: __Secure-id=1
+## Attributes
 
-// Rejected due to the missing Path=/ attribute
-Set-Cookie: __Host-id=1; Secure
+- `=`
 
-// Rejected due to setting a Domain
-Set-Cookie: __Host-id=1; Secure; Path=/; Domain=example.com
-

+  - : A cookie begins with a name-value pair.
 
-
Specifications

+    A `` can be any US-ASCII characters,
+    except control characters, spaces, or tabs.
+    It also must not contain a separator character like the following: `( ) < > @ , ; : \ " / [ ] ? = { }`.
+
+    A `` can optionally be wrapped in double quotes
+    and include any US-ASCII characters excluding control characters, {{glossary("Whitespace")}}, double quotes, comma, semicolon, and backslash.
+
+    **Encoding**: Many implementations perform URL encoding on cookie values,
+    however it is not required per the RFC specification.
+    It does help satisfying the requirements
+    about which characters are allowed for \ though.
+
+    > **Note:** Some `>` have a specific semantic:
+    >
+    > **`__Secure-` prefix**:
+    > Cookies names starting with` __Secure-`
+    > (dash is part of the prefix)
+    > must be set with the `secure` flag from a secure page (HTTPS).
+    >
+    > **`__Host-` prefix**: Cookies with names starting with `__Host-` must be set with the `secure` flag, must be from a secure page (HTTPS), must not have a domain specified (and therefore aren't sent to subdomains) and the path must be `/`.
+
+- `Expires=` {{optional_inline}}
+
+  - : The maximum lifetime of the cookie as an HTTP-date timestamp.
+    See {{HTTPHeader("Date")}} for the required formatting.
+
+    If unspecified, the cookie becomes a **session cookie**.
+    A session finishes when the client shuts down,
+    and session cookies will be removed.
+
+    > **Warning:** Many web browsers have a _session restore_ feature that will save all tabs and restore them next time the browser is used. Session cookies will also be restored, as if the browser was never closed.
+
+    When an `Expires` date is set, the deadline is relative to the _client_ the cookie is being set on, not the server.
+
+- `Max-Age= `{{optional_inline}}
+  - : Number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. If both `Expires` and `Max-Age` are set, `Max-Age` has precedence.
+- `Domain=` {{optional_inline}}
+
+  - : Host to which the cookie will be sent.
+
+    If omitted, defaults to the host of the current document URL,
+    not including subdomains.
+
+    Contrary to earlier specifications,
+    leading dots in domain names (`.example.com`) are ignored.
+
+    Multiple host/domain values are _not_ allowed,
+    but if a domain _is_ specified, t
+    hen subdomains are always included.
+
+- `Path=` {{optional_inline}}
+
+  - : A path that must exist in the requested URL,
+    or the browser won't send the `Cookie` header.
+
+    The forward slash (`/`) character is interpreted as a directory separator,
+    and subdirectories will be matched as well:
+    for `Path=/docs`, `/docs`, `/docs/Web/`, and `/docs/Web/HTTP` will all match.
+
+- `Secure` {{optional_inline}}
+
+  - : Cookie is only sent to the server when a request is made with the `https:` scheme (except on localhost), and therefore is more resistent to [man-in-the-middle](/en-US/docs/Glossary/MitM) attacks.
+
+    > **Note:** Do not assume that `Secure` prevents all access to sensitive information in cookies (session keys, login details, etc.). Cookies with this attribute can still be read/modified with access to the client's hard disk, or from JavaScript if the `HttpOnly` cookie attribute is not set.
+    >
+    > Insecure sites (`http:`) can't set cookies with the `Secure` attribute (since Chrome 52 and Firefox 52). For Firefox, the `https:` requirements are ignored when the `Secure` attribute is set by localhost (since Firefox 75).
+
+- `HttpOnly` {{optional_inline}}
+  - : Forbids JavaScript from accessing the cookie, for example, through the {{domxref("Document.cookie")}} property. Note that a cookie that has been created with HttpOnly will still be sent with JavaScript-initiated requests, e.g. when calling {{domxref("XMLHttpRequest.send()")}} or {{domxref("WindowOrWorkerGlobalScope.fetch")}}. This mitigates attacks against cross-site scripting ({{Glossary("Cross-site_scripting", "XSS")}}).
+- `SameSite=` {{optional_inline}}
+
+  - : Controls whether a cookie is sent with cross-origin requests,
+    providing some protection against cross-site request forgery attacks ({{Glossary("CSRF")}}).
+
+    > **Note:** Standards related to the [SameSite Cookies](/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) recently changed such that:
+    >
+    > 1.  The cookie-sending behavior if `SameSite` is not specified is `SameSite=Lax`. Previously the default was that cookies were sent for all requests.
+    > 2.  Cookies with `SameSite=None` must now
+    >     also specify the `Secure` attribute (i.e. they require a secure context).
+    >
+    > The options below covers the new behavior. See the [Browser compatibility](/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#browser_compatibility) table for information about specific browser implementation (rows: "`SameSite`: Defaults to `Lax`" and "`SameSite`: Secure context required").
+
+    Inline options are: `Strict`, `Lax`, and `None`.
+
+    `Strict` means that the browser sends the cookie only for same-site requests,
+    that is, requests originating from the same site that set the cookie.
+    If the request originated from a different URL than the current one,
+    no cookies with the `SameSite=Strict` attribute are sent.
+
+    `Lax`means that the cookie is not sent on cross-site requests,
+    such as calls to load images or frames,
+    but is sent when a user is navigating to the origin site from an external site
+    (e.g., if following a link).
+    This is the default behavior
+    if the `SameSite` attribute is not specified.
+
+    Finally, `None` means that the browser sends the cookie with both cross-site and same-site requests.
+    The `Secure` attribute must also be set when `SameSite=None`!
+
+## Examples
+
+### Session cookie
+
+**Session cookies** are removed when the client shuts down. Cookies are session cookies if they don't specify the `Expires` or `Max-Age` attributes.
+
+    Set-Cookie: sessionId=38afes7a8
+
+### Permanent cookie
+
+Instead of expiring when the client is closed, **permanent cookies** expire at a specific date (`Expires`) or after a specific length of time (`Max-Age`).
+
+    Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT
+
+
+
+    Set-Cookie: id=a3fWa; Max-Age=2592000
+
+### Invalid domains
+
+A cookie for a domain that does not include the server that set it [should be rejected by the user agent](https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.2.3).
+
+The following cookie will be rejected if set by a server hosted on `originalcompany.com`:
+
+    Set-Cookie: qwerty=219ffwef9w0f; Domain=somecompany.co.uk
+
+A cookie for a sub domain of the serving domain will be rejected.
+
+The following cookie will be rejected if set by a server hosted on `example.com`:
+
+    Set-Cookie: sessionId=e8bb43229de9; Domain=foo.example.com
+
+### Cookie prefixes
+
+Cookies names prefixed with `__Secure-` or `__Host-` can be used only if they are set with the `secure` attribute from a secure (HTTPS) origin.
+
+In addition, cookies with the `__Host-` prefix must have a path of `/` (meaning any path at the host) and must not have a `Domain` attribute.
+
+> **Warning:** For clients that don't implement cookie prefixes, you cannot count on these additional assurances, and prefixed cookies will always be accepted.
+
+    // Both accepted when from a secure origin (HTTPS)
+    Set-Cookie: __Secure-ID=123; Secure; Domain=example.com
+    Set-Cookie: __Host-ID=123; Secure; Path=/
+
+    // Rejected due to missing Secure attribute
+    Set-Cookie: __Secure-id=1
+
+    // Rejected due to the missing Path=/ attribute
+    Set-Cookie: __Host-id=1; Secure
+
+    // Rejected due to setting a Domain
+    Set-Cookie: __Host-id=1; Secure; Path=/; Domain=example.com
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
Compatibility notes

+## Compatibility notes
 
-
    
- 
  • Starting with Chrome 52 and Firefox 52, insecure sites (http:) can't set cookies with the Secure attribute anymore.
    • 
-

+- Starting with Chrome 52 and Firefox 52, insecure sites (`http:`) can't set cookies with the `Secure` attribute anymore.
 
-
See also

+## See also
 
-
+- [HTTP cookies](/en-US/docs/Web/HTTP/Cookies)
+- {{HTTPHeader("Cookie")}}
+- {{domxref("Document.cookie")}}
+- [SameSite cookies](/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)
diff --git a/files/en-us/web/http/headers/set-cookie/samesite/index.md b/files/en-us/web/http/headers/set-cookie/samesite/index.md
index 48c2056bbc25a2d..676e92c282fcedf 100644
--- a/files/en-us/web/http/headers/set-cookie/samesite/index.md
+++ b/files/en-us/web/http/headers/set-cookie/samesite/index.md
@@ -8,129 +8,115 @@ tags:
   - samesite
 browser-compat: http.headers.Set-Cookie.SameSite
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The SameSite attribute of the {{HTTPHeader("Set-Cookie")}} HTTP response header allows you to declare if your cookie should be restricted to a first-party or same-site context.

+The **`SameSite`** attribute of the {{HTTPHeader("Set-Cookie")}} HTTP response header allows you to declare if your cookie should be restricted to a [first-party](/en-US/docs/Web/HTTP/Cookies#third-party_cookies) or same-site context.
 
-

-  
Note: Standards related to the Cookie SameSite attribute recently changed such that:

-  
    
-    
  • The cookie-sending behavior if SameSite is not specified is SameSite=Lax. Previously the default was that cookies were sent for all requests.
    • 
-  
  • Cookies with SameSite=None must now also specify the Secure attribute (they require a secure context/HTTPS).
    • 
-  

+> **Note:** Standards related to the Cookie `SameSite` attribute recently changed such that:
+>
+> - The cookie-sending behavior if `SameSite` is not specified is `SameSite=Lax`. Previously the default was that cookies were sent for all requests.
+> - Cookies with `SameSite=None` must now also specify the `Secure` attribute (they require a secure context/HTTPS).
+>
+> This article documents the new standard. See [Browser Compatibility](#browser_compatibility) below for information about specific versions where the behavior changed.
 
-  
This article documents the new standard. See Browser Compatibility below for information about specific versions where the behavior changed.

-

+## Values
 
-
Values

+The `SameSite` attribute accepts three values:
 
-
The SameSite attribute accepts three values:

+### `Lax`
 
-
Lax

+Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is _navigating to_ the origin site (i.e., when following a link).
 
-
Cookies are not sent on normal cross-site subrequests (for example to load images or frames into a third party site), but are sent when a user is navigating to the origin site (i.e., when following a link).

+This is the default cookie value if `SameSite` has not been explicitly specified in recent browser versions (see the "SameSite: Defaults to Lax" feature in the Browser Compatibility).
 
-
This is the default cookie value if SameSite has not been explicitly specified in recent browser versions (see the "SameSite: Defaults to Lax" feature in the Browser Compatibility).

+> **Note:** `Lax` replaced `None` as the default value in order to ensure that users have reasonably robust defense against some classes of cross-site request forgery ({{Glossary("CSRF")}}) attacks.
 
-

-  
Note: Lax replaced None as the default value in order to ensure that users have reasonably robust defense against some classes of cross-site request forgery ({{Glossary("CSRF")}}) attacks.

-

+### `Strict`
 
-
Strict

+Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.
 
-
Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.

+### `None`
 
-
None

+Cookies will be sent in all contexts, i.e. in responses to both first-party and cross-origin requests. If `SameSite=None` is set, the cookie [`Secure`](/en-US/docs/Web/HTTP/Headers/Set-Cookie#secure) attribute must also be set (or the cookie will be blocked).
 
-
Cookies will be sent in all contexts, i.e. in responses to both first-party and cross-origin requests. If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked).

+## Fixing common warnings
 
-
Fixing common warnings

+### `SameSite=None` requires `Secure`
 
-
SameSite=None requires Secure

+Warnings like the ones below might appear in your console:
 
-
Warnings like the ones below might appear in your console:

+```html
+Cookie “myCookie” rejected because it has the “SameSite=None” attribute but is missing the “secure” attribute.
 
-
Cookie “myCookie” rejected because it has the “SameSite=None” attribute but is missing the “secure” attribute.
+This Set-Cookie was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None".
+```
 
-This Set-Cookie was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None".

+The warning appears because any cookie that requests `SameSite=None` but is not marked `Secure` will be rejected.
 
-
The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected.

+```plain example-bad
+Set-Cookie: flavor=choco; SameSite=None
+```
 
-
Set-Cookie: flavor=choco; SameSite=None

+To fix this, you will have to add the `Secure` attribute to your `SameSite=None` cookies.
 
-
To fix this, you will have to add the Secure attribute to your SameSite=None cookies.

+```plain example-good
+Set-Cookie: flavor=choco; SameSite=None; Secure
+```
 
-
Set-Cookie: flavor=choco; SameSite=None; Secure

+A [`Secure`](#secure) cookie is only sent to the server with an encrypted request over the HTTPS protocol. Note that insecure sites (`http:`) can't set cookies with the `Secure` directive.
 
-
A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol. Note that insecure sites (http:) can't set cookies with the Secure directive.

+> **Note:** On older browser versions you might get a warning that the cookie will be blocked in future. For example:
+>
+> Cookie `myCookie` will be soon rejected
+> because it has the `SameSite` attribute set to `None`
+> or an invalid value, without the `secure` attribute.
 
-

-  
Note: On older browser versions you might get a warning that the cookie will be blocked in future. For example:

-  

-    Cookie myCookie will be soon rejected
-    because it has the SameSite attribute set to None
-    or an invalid value, without the secure attribute.
-  

-

+### Cookies without `SameSite` default to `SameSite=Lax`
 
-
Cookies without SameSite default to SameSite=Lax

+Recent versions of modern browsers provide a more secure default for `SameSite` to your cookies and so the following message might appear in your console:
 
-
Recent versions of modern browsers provide a more secure default for SameSite to your cookies and so the following message might appear in your console:

+```html
+Cookie “myCookie” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute.
+```
 
-
Cookie “myCookie” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute.
-

+The warning appears because the `SameSite` policy for a cookie was not explicitly specified:
 
-
The warning appears because the SameSite policy for a cookie was not explicitly specified:

+```plain example-bad
+Set-Cookie: flavor=choco
+```
 
-
Set-Cookie: flavor=choco

+You should explicitly communicate the intended `SameSite` policy for your cookie (rather than relying on browsers to apply `SameSite=Lax` automatically). This will also improve the experience across browsers as not all of them default to `Lax` yet.
 
-
You should explicitly communicate the intended SameSite policy for your cookie (rather than relying on browsers to apply SameSite=Lax automatically). This will also improve the experience across browsers as not all of them default to Lax yet.

+```plain example-good
+Set-Cookie: flavor=choco; SameSite=Lax
+```
 
-
Set-Cookie: flavor=choco; SameSite=Lax

+## Example:
 
-
Example:

+    RewriteEngine on
+    RewriteBase "/"
+    RewriteCond "%{HTTP_HOST}"       "^example\.org$" [NC]
+    RewriteRule "^(.*)"              "https://www.example.org/index.html" [R=301,L,QSA]
+    RewriteRule "^(.*)\.ht$"         "index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;01;https://www.example.org;30/;SameSite=None;Secure]
+    RewriteRule "^(.*)\.htm$"        "index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;02;https://www.example.org;30/;SameSite=None;Secure]
+    RewriteRule "^(.*)\.html$"       "index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;03;https://www.example.org;30/;SameSite=None;Secure]
+    [...]
+    RewriteRule "^admin/(.*)\.html$" "admin/index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;09;https://www.example.org:30/;SameSite=Strict;Secure]
 
-
RewriteEngine on
-RewriteBase "/"
-RewriteCond "%{HTTP_HOST}"       "^example\.org$" [NC]
-RewriteRule "^(.*)"              "https://www.example.org/index.html" [R=301,L,QSA]
-RewriteRule "^(.*)\.ht$"         "index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;01;https://www.example.org;30/;SameSite=None;Secure]
-RewriteRule "^(.*)\.htm$"        "index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;02;https://www.example.org;30/;SameSite=None;Secure]
-RewriteRule "^(.*)\.html$"       "index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;03;https://www.example.org;30/;SameSite=None;Secure]
-[...]
-RewriteRule "^admin/(.*)\.html$" "admin/index.php?nav=$1 [NC,L,QSA,CO=RewriteRule;09;https://www.example.org:30/;SameSite=Strict;Secure]
-

+## Specifications
 
-
Specifications

+| Specification                                                                                              | Title                                                         |
+| ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| {{RFC("6265", "Set-Cookie", "4.1")}}                                                           | HTTP State Management Mechanism                               |
+| [draft-ietf-httpbis-rfc6265bis-05](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-05) | Cookie Prefixes, Same-Site Cookies, and Strict Secure Cookies |
 
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
SpecificationTitle
{{RFC("6265", "Set-Cookie", "4.1")}}HTTP State Management Mechanism
draft-ietf-httpbis-rfc6265bis-05Cookie Prefixes, Same-Site Cookies, and Strict Secure Cookies

+## Browser compatibility
 
-
Browser compatibility

+{{Compat}}
 
-
{{Compat}}

+## See also
 
-
See also

-
-
+- [HTTP cookies](/en-US/docs/Web/HTTP/Cookies)
+- {{HTTPHeader("Cookie")}}
+- {{domxref("Document.cookie")}}
+- [Samesite cookies explained](https://web.dev/samesite-cookies-explained/) (web.dev blog)
diff --git a/files/en-us/web/http/headers/set-cookie2/index.md b/files/en-us/web/http/headers/set-cookie2/index.md
index 2f144e8ec599d8d..9411f2cf04b352b 100644
--- a/files/en-us/web/http/headers/set-cookie2/index.md
+++ b/files/en-us/web/http/headers/set-cookie2/index.md
@@ -2,18 +2,18 @@
 title: Set-Cookie2
 slug: Web/HTTP/Headers/Set-Cookie2
 tags:
-- Cookies
-- HTTP
-- Deprecated
-- Reference
-- header
+  - Cookies
+  - HTTP
+  - Deprecated
+  - Reference
+  - header
 browser-compat: http.headers.Set-Cookie2
 ---
-
{{HTTPSidebar}} {{deprecated_header}}

+{{HTTPSidebar}} {{deprecated_header}}
 
-
The obsolete Set-Cookie2 HTTP response header used to
-  send cookies from the server to the user agent, but has been deprecated by the
-  specification. Use {{HTTPHeader("Set-Cookie")}} instead.

+The obsolete **`Set-Cookie2`** HTTP response header used to
+send cookies from the server to the user agent, but has been deprecated by the
+specification. Use {{HTTPHeader("Set-Cookie")}} instead.
 
 
@@ -28,49 +28,38 @@ browser-compat: http.headers.Set-Cookie2
   

   
 

 
-
Syntax

+## Syntax
 
-
Set-Cookie2: <cookie-name>=<cookie-value>
-Set-Cookie2: <cookie-name>=<cookie-value>; Comment=<value>
-Set-Cookie2: <cookie-name>=<cookie-value>; CommentURL=<http-url>
-Set-Cookie2: <cookie-name>=<cookie-value>; Discard
-Set-Cookie2: <cookie-name>=<cookie-value>; Domain=<domain-value>
-Set-Cookie2: <cookie-name>=<cookie-value>; Max-Age=<non-zero-digit>
-Set-Cookie2: <cookie-name>=<cookie-value>; Path=<path-value>
-Set-Cookie2: <cookie-name>=<cookie-value>; Port=<port-number>
-Set-Cookie2: <cookie-name>=<cookie-value>; Secure
-Set-Cookie2: <cookie-name>=<cookie-value>; Version=<version-number>
+```html
+Set-Cookie2: =
+Set-Cookie2: =; Comment=
+Set-Cookie2: =; CommentURL=
+Set-Cookie2: =; Discard
+Set-Cookie2: =; Domain=
+Set-Cookie2: =; Max-Age=
+Set-Cookie2: =; Path=
+Set-Cookie2: =; Port=
+Set-Cookie2: =; Secure
+Set-Cookie2: =; Version=
 
 // Multiple directives are also possible, for example:
-Set-Cookie2: <cookie-name>=<cookie-value>; Domain=<domain-value>; Secure
+Set-Cookie2: =; Domain=; Secure
 
 // Multiple cookies are separated by a comma
-Set-Cookie2: <cookie-name>=<cookie-value>, <cookie-name>=<cookie-value>, ...
-

+Set-Cookie2: =, =, ...
+```
 
-
Specifications

+## Specifications
 
-
-  
-    
-      
-      
-    
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("2965", "Set-Cookie2")}}Historic specification of HTTP State Management Mechanism, obsoleted
-        by {{RFC("6265")}}

+| Specification                            | Title                                                                                        |
+| ---------------------------------------- | -------------------------------------------------------------------------------------------- |
+| {{RFC("2965", "Set-Cookie2")}} | Historic specification of HTTP State Management Mechanism, obsoleted by {{RFC("6265")}} |
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Set-Cookie")}}
    • 
-  
  • {{domxref("Document.cookie")}}
    • 
-

+- {{HTTPHeader("Set-Cookie")}}
+- {{domxref("Document.cookie")}}
diff --git a/files/en-us/web/http/headers/sourcemap/index.md b/files/en-us/web/http/headers/sourcemap/index.md
index 4acd42bd1d4ea4c..c0a8eeaec127965 100644
--- a/files/en-us/web/http/headers/sourcemap/index.md
+++ b/files/en-us/web/http/headers/sourcemap/index.md
@@ -9,61 +9,49 @@ tags:
   - header
 browser-compat: http.headers.SourceMap
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The SourceMap HTTP response header links generated code to a source map, enabling the browser to reconstruct the original source and present the reconstructed original in the debugger.

+The **`SourceMap`** [HTTP](/en-US/docs/Web/HTTP) response header links generated code to a [source map](/en-US/docs/Tools/Debugger/How_to/Use_a_source_map), enabling the browser to reconstruct the original source and present the reconstructed original in the debugger.
 
 
-	
-		
-			
-			
-		
-		
-			
-			
-		
-	
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
SourceMap: <url>
-X-SourceMap: <url> (deprecated)
-

+```html
+SourceMap: 
+X-SourceMap:  (deprecated)
+```
 
-
Directives

+### Directives
 
-

-	
<url>

-	
A relative (to the request URL) or absolute URL pointing to a source map file.

-

+- ``
+  - : A relative (to the request URL) or absolute URL pointing to a source map file.
 
-
Examples

+## Examples
 
-
SourceMap: /path/to/file.js.map

+    SourceMap: /path/to/file.js.map
 
-
Specifications

+## Specifications
 
-
-	
-		
-			
-			
-		
-		
-			
-			
-		
-	
-
SpecificationTitle
Draft documentSource Map Revision 3 Proposal

+| Specification                                       | Title                          |
+| --------------------------------------------------- | ------------------------------ |
+| [Draft document](https://sourcemaps.info/spec.html) | Source Map Revision 3 Proposal |
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [Firefox Developer Tools: using a source map](/en-US/docs/Tools/Debugger/How_to/Use_a_source_map)
diff --git a/files/en-us/web/http/headers/strict-transport-security/index.md b/files/en-us/web/http/headers/strict-transport-security/index.md
index 5ca4149a1dc04da..40f1803e32fe696 100644
--- a/files/en-us/web/http/headers/strict-transport-security/index.md
+++ b/files/en-us/web/http/headers/strict-transport-security/index.md
@@ -2,18 +2,18 @@
 title: Strict-Transport-Security
 slug: Web/HTTP/Headers/Strict-Transport-Security
 tags:
-- HSTS
-- HTTP
-- HTTPS
-- Security
-- header
+  - HSTS
+  - HTTP
+  - HTTPS
+  - Security
+  - header
 browser-compat: http.headers.Strict-Transport-Security
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP Strict-Transport-Security response header (often
-  abbreviated as {{Glossary("HSTS")}}) lets a web site tell browsers that it should only
-  be accessed using HTTPS, instead of using HTTP.

+The **HTTP `Strict-Transport-Security`** response header (often
+abbreviated as {{Glossary("HSTS")}}) lets a web site tell browsers that it should only
+be accessed using HTTPS, instead of using HTTP.
 
 
@@ -28,135 +28,121 @@ browser-compat: http.headers.Strict-Transport-Security
   

   
 

 
-
Syntax

-
-
Strict-Transport-Security: max-age=<expire-time>
-Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
-Strict-Transport-Security: max-age=<expire-time>; preload
-

-
-
Directives

-
-

-  
max-age=<expire-time>

-  
The time, in seconds, that the browser should remember that a site is only to be
-    accessed using HTTPS.

-  
includeSubDomains {{optional_inline}}

-  
If this optional parameter is specified, this rule applies to all of the site's
-    subdomains as well.

-  
preload {{optional_inline}}

-  
See {{anch("Preloading Strict Transport Security")}} for details. Not part of the
-    specification.

-

-
-
Description

-
-
If a website accepts a connection through HTTP and redirects to HTTPS, visitors may
-  initially communicate with the non-encrypted version of the site before being
-  redirected, if, for example, the visitor types http://www.foo.com/ or even just foo.com.
-  This creates an opportunity for a man-in-the-middle attack. The redirect could be
-  exploited to direct visitors to a malicious site instead of the secure version of the
-  original site.

-
-
The HTTP Strict Transport Security header informs the browser that it should never load
-  a site using HTTP and should automatically convert all attempts to access the site using
-  HTTP to HTTPS requests instead.

-
-

-  
Note: The Strict-Transport-Security header
-  is ignored by the browser when your site is accessed using HTTP; this
-  is because an attacker may intercept HTTP connections and inject the header or remove
-  it. When your site is accessed over HTTPS with no certificate errors, the browser knows
-  your site is HTTPS capable and will honor the Strict-Transport-Security
-  header.

-

-
-
An example scenario

-
-
You log into a free WiFi access point at an airport and start surfing the web, visiting
-  your online banking service to check your balance and pay a couple of bills.
-  Unfortunately, the access point you're using is actually a hacker's laptop, and they're
-  intercepting your original HTTP request and redirecting you to a clone of your bank's
-  site instead of the real thing. Now your private data is exposed to the hacker.

-
-
Strict Transport Security resolves this problem; as long as you've accessed your bank's
-  web site once using HTTPS, and the bank's web site uses Strict Transport Security, your
-  browser will know to automatically use only HTTPS, which prevents hackers from
-  performing this sort of man-in-the-middle attack.

-
-
How the browser handles it

-
-
The first time your site is accessed using HTTPS and it returns the
-  Strict-Transport-Security header, the browser records this information, so
-  that future attempts to load the site using HTTP will automatically use HTTPS instead.
-

-
-
When the expiration time specified by the Strict-Transport-Security header elapses, the
-  next attempt to load the site via HTTP will proceed as normal instead of automatically
-  using HTTPS.

-
-
Whenever the Strict-Transport-Security header is delivered to the browser, it will
-  update the expiration time for that site, so sites can refresh this information and
-  prevent the timeout from expiring. Should it be necessary to disable Strict Transport
-  Security, setting the max-age to 0 (over a https connection) will immediately expire the
-  Strict-Transport-Security header, allowing access via http.

-
-
Preloading Strict Transport Security

-
-
Google maintains an HSTS preload service. By
-  following the guidelines and successfully submitting your domain, browsers will never
-  connect to your domain using an insecure connection. While the service is hosted by
-  Google, all browsers have stated an intent to use (or actually started using) the
-  preload list. However, it is not part of the HSTS specification and should not be
-  treated as official.

-
-
-
-
Examples

-
-
All present and future subdomains will be HTTPS for a max-age of 1 year. This blocks
-  access to pages or sub domains that can only be served over HTTP.

-
-
Strict-Transport-Security: max-age=31536000; includeSubDomains

-
-
In the following example, max-age is set to 2 years, raised from what was
-  a former limit max-age of 1 year. Note that 1 year is acceptable for a
-  domain to be included in browsers' HSTS preload lists. 2 years is, however, the
-  recommended goal as a website's final HSTS configuration as explained on https://hstspreload.org. It also suffixed with
-  preload which is necessary for inclusion in most major web browsers' HSTS
-  preload lists, e.g. Chromium, Edge, & Firefox.

-
-
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

-
-
Specifications

+## Syntax
+
+```html
+Strict-Transport-Security: max-age=
+Strict-Transport-Security: max-age=; includeSubDomains
+Strict-Transport-Security: max-age=; preload
+```
+
+## Directives
+
+- `max-age=`
+  - : The time, in seconds, that the browser should remember that a site is only to be
+    accessed using HTTPS.
+- `includeSubDomains` {{optional_inline}}
+  - : If this optional parameter is specified, this rule applies to all of the site's
+    subdomains as well.
+- `preload` {{optional_inline}}
+  - : See {{anch("Preloading Strict Transport Security")}} for details. Not part of the
+    specification.
+
+## Description
+
+If a website accepts a connection through HTTP and redirects to HTTPS, visitors may
+initially communicate with the non-encrypted version of the site before being
+redirected, if, for example, the visitor types http\://www\.foo.com/ or even just foo.com.
+This creates an opportunity for a man-in-the-middle attack. The redirect could be
+exploited to direct visitors to a malicious site instead of the secure version of the
+original site.
+
+The HTTP Strict Transport Security header informs the browser that it should never load
+a site using HTTP and should automatically convert all attempts to access the site using
+HTTP to HTTPS requests instead.
+
+> **Note:** The `Strict-Transport-Security` header
+> is **ignored** by the browser when your site is accessed using HTTP; this
+> is because an attacker may intercept HTTP connections and inject the header or remove
+> it. When your site is accessed over HTTPS with no certificate errors, the browser knows
+> your site is HTTPS capable and will honor the `Strict-Transport-Security`
+> header.
+
+### An example scenario
+
+You log into a free WiFi access point at an airport and start surfing the web, visiting
+your online banking service to check your balance and pay a couple of bills.
+Unfortunately, the access point you're using is actually a hacker's laptop, and they're
+intercepting your original HTTP request and redirecting you to a clone of your bank's
+site instead of the real thing. Now your private data is exposed to the hacker.
+
+Strict Transport Security resolves this problem; as long as you've accessed your bank's
+web site once using HTTPS, and the bank's web site uses Strict Transport Security, your
+browser will know to automatically use only HTTPS, which prevents hackers from
+performing this sort of man-in-the-middle attack.
+
+### How the browser handles it
+
+The first time your site is accessed using HTTPS and it returns the
+`Strict-Transport-Security` header, the browser records this information, so
+that future attempts to load the site using HTTP will automatically use HTTPS instead.
+
+When the expiration time specified by the Strict-Transport-Security header elapses, the
+next attempt to load the site via HTTP will proceed as normal instead of automatically
+using HTTPS.
+
+Whenever the Strict-Transport-Security header is delivered to the browser, it will
+update the expiration time for that site, so sites can refresh this information and
+prevent the timeout from expiring. Should it be necessary to disable Strict Transport
+Security, setting the max-age to 0 (over a https connection) will immediately expire the
+`Strict-Transport-Security` header, allowing access via http.
+
+## Preloading Strict Transport Security
+
+Google maintains [an HSTS preload service](https://hstspreload.org/). By
+following the guidelines and successfully submitting your domain, browsers will never
+connect to your domain using an insecure connection. While the service is hosted by
+Google, all browsers have stated an intent to use (or actually started using) the
+preload list. However, it is not part of the HSTS specification and should not be
+treated as official.
+
+- Information regarding the HSTS preload list in Chrome : 
+- Consultation of the Firefox HSTS preload list : [nsSTSPreloadList.inc](https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/nsSTSPreloadList.inc)
+
+## Examples
+
+All present and future subdomains will be HTTPS for a max-age of 1 year. This blocks
+access to pages or sub domains that can only be served over HTTP.
+
+    Strict-Transport-Security: max-age=31536000; includeSubDomains
+
+In the following example, `max-age` is set to 2 years, raised from what was
+a former limit `max-age` of 1 year. Note that 1 year is acceptable for a
+domain to be included in browsers' HSTS preload lists. 2 years is, however, the
+recommended goal as a website's final HSTS configuration as explained on . It also suffixed with
+`preload` which is necessary for inclusion in most major web browsers' HSTS
+preload lists, e.g. Chromium, Edge, & Firefox.
+
+    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

-
-
{{Compat}}

-
-
See also

-
-
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- Blog post: [HTTP
+  Strict Transport Security has landed!](https://blog.sidstamm.com/2010/08/http-strict-transport-security-has.html)
+- Blog post: [HTTP
+  Strict Transport Security (force HTTPS)](https://hacks.mozilla.org/2010/08/firefox-4-http-strict-transport-security-force-https/)
+- OWASP Article: [HTTP
+  Strict Transport Security](https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html)
+- Wikipedia: {{interwiki("wikipedia", "HTTP Strict Transport Security")}}
+- Browser test site: [HSTS and
+  HPKP test](https://projects.dm.id.lv/Public-Key-Pins_test)
+- [Features
+  restricted to secure contexts](/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts)
diff --git a/files/en-us/web/http/headers/te/index.md b/files/en-us/web/http/headers/te/index.md
index 2af55bd820ee527..27fa8dbde73c5da 100644
--- a/files/en-us/web/http/headers/te/index.md
+++ b/files/en-us/web/http/headers/te/index.md
@@ -2,28 +2,26 @@
 title: TE
 slug: Web/HTTP/Headers/TE
 tags:
-- HTTP
-- Reference
-- header
+  - HTTP
+  - Reference
+  - header
 browser-compat: http.headers.TE
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The TE request header specifies the transfer encodings
-  the user agent is willing to accept. (you could informally call it
-  Accept-Transfer-Encoding, which would be more intuitive).

+The **`TE`** request header specifies the transfer encodings
+the user agent is willing to accept. (you could informally call it
+_`Accept-Transfer-Encoding`_, which would be more intuitive).
 
-

-  
Note: In HTTP/2,
-    the TE header field is only accepted
-    if the trailers value is set.

-

+> **Note:** [In HTTP/2,
+> the `TE` header field is only accepted
+> if the `trailers` value is set.](https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.2)
 
-
See also the {{HTTPHeader("Transfer-Encoding")}} response header for more details on
-  transfer encodings. Note that chunked is always acceptable for HTTP/1.1
-  recipients and you don't have to specify "chunked" using the
-  TE header. However, it is useful for setting if the client is accepting
-  trailer fields in a chunked transfer coding using the "trailers" value.

+See also the {{HTTPHeader("Transfer-Encoding")}} response header for more details on
+transfer encodings. Note that `chunked` is always acceptable for HTTP/1.1
+recipients and you don't have to specify `"chunked"` using the
+`TE` header. However, it is useful for setting if the client is accepting
+trailer fields in a chunked transfer coding using the "trailers" value.
 
 
@@ -38,55 +36,48 @@ browser-compat: http.headers.TE
   

   
 

 
-
Syntax

+## Syntax
 
-
TE: compress
+```html
+TE: compress
 TE: deflate
 TE: gzip
 TE: trailers
 
 // Multiple directives, weighted with the {{glossary("quality values", "quality value")}} syntax:
 TE: trailers, deflate;q=0.5
-

+```
 
-
Directives

+## Directives
 
-

-  
compress

-  
A format using the Lempel-Ziv-Welch (LZW) algorithm is
-    accepted as a transfer coding name.

-  
deflate

-  
Using the zlib
-    structure is accepted as a transfer coding name.

-  
gzip

-  
A format using the Lempel-Ziv coding
-    (LZ77), with a 32-bit CRC is accepted as a transfer coding name.

-  
trailers

-  
Indicates that the client is willing to accept trailer fields in a chunked transfer
-    coding.

-  
q

-  

-    
When multiple transfer codings are acceptable, the q parameter of the
-      quality value syntax can rank
-      codings by preference.

-  

-

+- `compress`
+  - : A format using the [Lempel-Ziv-Welch](https://en.wikipedia.org/wiki/LZW) (LZW) algorithm is
+    accepted as a transfer coding name.
+- `deflate`
+  - : Using the [zlib](https://en.wikipedia.org/wiki/Zlib)
+    structure is accepted as a transfer coding name.
+- `gzip`
+  - : A format using the [Lempel-Ziv coding](https://en.wikipedia.org/wiki/LZ77_and_LZ78#LZ77)
+    (LZ77), with a 32-bit CRC is accepted as a transfer coding name.
+- `trailers`
+  - : Indicates that the client is willing to accept trailer fields in a chunked transfer
+    coding.
+- `q`
+  - : When multiple transfer codings are acceptable, the `q` parameter of the
+    [quality value](/en-US/docs/Glossary/Quality_values) syntax can rank
+    codings by preference.
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Transfer-Encoding")}}
+- {{HTTPHeader("Trailer")}}
+- [Chunked transfer
+  encoding](https://en.wikipedia.org/wiki/Chunked_transfer_encoding)
diff --git a/files/en-us/web/http/headers/timing-allow-origin/index.md b/files/en-us/web/http/headers/timing-allow-origin/index.md
index c3eaaec11f2ec7a..035b52f80ee0a38 100644
--- a/files/en-us/web/http/headers/timing-allow-origin/index.md
+++ b/files/en-us/web/http/headers/timing-allow-origin/index.md
@@ -9,60 +9,57 @@ tags:
   - header
 browser-compat: http.headers.Timing-Allow-Origin
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Timing-Allow-Origin response header specifies origins that are allowed to see values of attributes retrieved via features of the Resource Timing API, which would otherwise be reported as zero due to cross-origin restrictions.

+The **`Timing-Allow-Origin`** response header specifies origins that are allowed to see values of attributes retrieved via features of the [Resource Timing API](/en-US/docs/Web/API/Resource_Timing_API), which would otherwise be reported as zero due to cross-origin restrictions.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
Timing-Allow-Origin: *
-Timing-Allow-Origin: <origin>[, <origin>]*
-

+```html
+Timing-Allow-Origin: *
+Timing-Allow-Origin: [, ]*
+```
 
-
Directives

+## Directives
 
-

- 
*

- 
The server may specify "*" as a wildcard, thereby allowing any origin to see timing resources.

- 
<origin>

- 
Specifies a URI that may see the timing resources. You can specify multiple origins, separated by commas.

-

+- `*`
+  - : The server may specify "\*" as a wildcard, thereby allowing any origin to see timing resources.
+- ``
+  - : Specifies a URI that may see the timing resources. You can specify multiple origins, separated by commas.
 
-
Examples

+## Examples
 
-
To allow any resource to see timing resources:

+To allow any resource to see timing resources:
 
-
Timing-Allow-Origin: *

+    Timing-Allow-Origin: *
 
-
To allow https://developer.mozilla.org to see timing resources, you can specify:

+To allow `https://developer.mozilla.org` to see timing resources, you can specify:
 
-
Timing-Allow-Origin: https://developer.mozilla.org

+    Timing-Allow-Origin: https://developer.mozilla.org
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [Resource Timing API](/en-US/docs/Web/API/Resource_Timing_API)
+- [Using the Resource Timing API](/en-US/docs/Web/API/Resource_Timing_API/Using_the_Resource_Timing_API)
+- {{HTTPHeader("Vary")}}
diff --git a/files/en-us/web/http/headers/tk/index.md b/files/en-us/web/http/headers/tk/index.md
index 6bd7253b3989d77..fddf3fa984d6425 100644
--- a/files/en-us/web/http/headers/tk/index.md
+++ b/files/en-us/web/http/headers/tk/index.md
@@ -2,18 +2,18 @@
 title: Tk
 slug: Web/HTTP/Headers/Tk
 tags:
-- DNT
-- HTTP
-- Reference
-- Response
-- header
-- tracking
+  - DNT
+  - HTTP
+  - Reference
+  - Response
+  - header
+  - tracking
 browser-compat: http.headers.Tk
 ---
-
{{HTTPSidebar}}{{Deprecated_header}}

+{{HTTPSidebar}}{{Deprecated_header}}
 
-
The Tk response header indicates the tracking status that
-  applied to the corresponding request.

+The **`Tk`** response header indicates the tracking status that
+applied to the corresponding request.
 
 
@@ -28,9 +28,10 @@ browser-compat: http.headers.Tk
   

   
 

 
-
Syntax

+## Syntax
 
-
Tk: !  (under construction)
+```html
+Tk: !  (under construction)
 Tk: ?  (dynamic)
 Tk: G  (gateway or multiple parties)
 Tk: N  (not tracking)
@@ -39,58 +40,53 @@ Tk: C  (tracking with consent)
 Tk: P  (potential consent)
 Tk: D  (disregarding DNT)
 Tk: U  (updated)
-

+```
 
-
Directives

+### Directives
 
-

-  
!

-  
Under construction. The origin server is currently testing its communication of
-    tracking status.

-  
?

-  
Dynamic. The origin server needs more information to determine tracking status.

-  
G

-  
Gateway or multiple parties. The server is acting as a gateway to an exchange
-    involving multiple parties.

-  
N

-  
Not tracking.

-  
T

-  
Tracking.

-  
C

-  
Tracking with consent. The origin server believes it has received prior consent for
-    tracking this user, user agent, or device.

-  
P

-  
Potential consent. The origin server does not know, in real-time, whether it has
+- !
+  - : Under construction. The origin server is currently testing its communication of
+    tracking status.
+- ?
+  - : Dynamic. The origin server needs more information to determine tracking status.
+- G
+  - : Gateway or multiple parties. The server is acting as a gateway to an exchange
+    involving multiple parties.
+- N
+  - : Not tracking.
+- T
+  - : Tracking.
+- C
+  - : Tracking with consent. The origin server believes it has received prior consent for
+    tracking this user, user agent, or device.
+- P
+  - : Potential consent. The origin server does not know, in real-time, whether it has
     received prior consent for tracking this user, user agent, or device, but promises not
-    to use or share any DNT:1 data until such consent has been determined,
+    to use or share any `DNT:1` data until such consent has been determined,
     and further promises to delete or permanently de-identify within 48 hours any
-    DNT:1 data received for which such consent has not been received.

-  
D

-  
Disregarding DNT. The origin server is unable or unwilling to respect a tracking
-    preference received from the requesting user agent.

-  
U

-  
Updated. The request resulted in a potential change to the tracking status
-    applicable to this user, user agent, or device.

-

+    `DNT:1` data received for which such consent has not been received.
+- D
+  - : Disregarding DNT. The origin server is unable or unwilling to respect a tracking
+    preference received from the requesting user agent.
+- U
+  - : Updated. The request resulted in a potential change to the tracking status
+    applicable to this user, user agent, or device.
 
-
Examples

+## Examples
 
-
A Tk header for a resource that claims not to be tracking would look like:
-

+A `Tk` header for a resource that claims not to be tracking would look like:
 
-
Tk: N

+    Tk: N
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("DNT")}} header
    • 
-  
  • {{domxref("Navigator.doNotTrack")}}
    • 
-

+- {{HTTPHeader("DNT")}} header
+- {{domxref("Navigator.doNotTrack")}}
diff --git a/files/en-us/web/http/headers/trailer/index.md b/files/en-us/web/http/headers/trailer/index.md
index 5e2a616fb1586f1..8712310f804538a 100644
--- a/files/en-us/web/http/headers/trailer/index.md
+++ b/files/en-us/web/http/headers/trailer/index.md
@@ -9,23 +9,25 @@ tags:
   - Payload header
 browser-compat: http.headers.Trailer
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Trailer response header allows the sender to include additional
-  fields at the end of chunked messages in order to supply metadata that might be
-  dynamically generated while the message body is sent, such as a message integrity check,
-  digital signature, or post-processing status.

+The **Trailer** response header allows the sender to include additional
+fields at the end of chunked messages in order to supply metadata that might be
+dynamically generated while the message body is sent, such as a message integrity check,
+digital signature, or post-processing status.
 
-

-  
Note: The {{HTTPHeader("TE")}} request header needs to be set to "trailers" to allow
-    trailer fields.

-

+> **Note:** The {{HTTPHeader("TE")}} request header needs to be set to "trailers" to allow
+> trailer fields.
 
 
-      
+      
@@ -34,69 +36,62 @@ browser-compat: http.headers.Trailer
   

   
     

       Header type{{Glossary("Request header")}}, {{Glossary("Response header")}}, {{Glossary("Payload header")}}
+        {{Glossary("Request header")}},
+        {{Glossary("Response header")}},
+        {{Glossary("Payload header")}}
+      
     

     

       {{Glossary("Forbidden header name")}}

 

 
-
Syntax

-
-
Trailer: header-names

-
-
Directives

-
-

-  
header-names

-  
HTTP header fields which will be present in the trailer part of chunked messages.
-    These header fields are disallowed:
-    
    
-      
  • message framing headers (e.g., {{HTTPHeader("Transfer-Encoding")}} and
-        {{HTTPHeader("Content-Length")}}),
    • 
-      
  • routing headers (e.g., {{HTTPHeader("Host")}}),
    • 
-      
  • request modifiers (e.g., controls and conditionals, like
-        {{HTTPHeader("Cache-Control")}}, {{HTTPHeader("Max-Forwards")}}, or
-        {{HTTPHeader("TE")}}), 
    • 
-      
  • authentication headers (e.g., {{HTTPHeader("Authorization")}} or
-        {{HTTPHeader("Set-Cookie")}}),
    • 
-      
  • or {{HTTPHeader("Content-Encoding")}}, {{HTTPHeader("Content-Type")}},
-        {{HTTPHeader("Content-Range")}}, and Trailer itself.
    • 
-    

-  

-

-
-
Examples

-
-
Chunked transfer encoding using
-  a trailing header

-
-
In this example, the {{HTTPHeader("Expires")}} header is used at the end of the chunked
-  message and serves as a trailing header.

-
-
HTTP/1.1 200 OK
-Content-Type: text/plain
-Transfer-Encoding: chunked
-Trailer: Expires
-
-7\r\n
-Mozilla\r\n
-9\r\n
-Developer\r\n
-7\r\n
-Network\r\n
-0\r\n
-Expires: Wed, 21 Oct 2015 07:28:00 GMT\r\n
-\r\n
-

-
-
Specifications

+## Syntax
+
+```html
+Trailer: header-names
+```
+
+## Directives
+
+- `header-names`
+
+  - : HTTP header fields which will be present in the trailer part of chunked messages.
+    These header fields are **disallowed**:
+
+    - message framing headers (e.g., {{HTTPHeader("Transfer-Encoding")}} and
+      {{HTTPHeader("Content-Length")}}),
+    - routing headers (e.g., {{HTTPHeader("Host")}}),
+    - request modifiers (e.g., controls and conditionals, like
+      {{HTTPHeader("Cache-Control")}}, {{HTTPHeader("Max-Forwards")}}, or
+      {{HTTPHeader("TE")}}),
+    - authentication headers (e.g., {{HTTPHeader("Authorization")}} or
+      {{HTTPHeader("Set-Cookie")}}),
+    - or {{HTTPHeader("Content-Encoding")}}, {{HTTPHeader("Content-Type")}},
+      {{HTTPHeader("Content-Range")}}, and `Trailer` itself.
+
+## Examples
+
+### Chunked transfer encoding using a trailing header
+
+In this example, the {{HTTPHeader("Expires")}} header is used at the end of the chunked
+message and serves as a trailing header.
+
+    HTTP/1.1 200 OK
+    Content-Type: text/plain
+    Transfer-Encoding: chunked
+    Trailer: Expires
+
+    7\r\n
+    Mozilla\r\n
+    9\r\n
+    Developer\r\n
+    7\r\n
+    Network\r\n
+    0\r\n
+    Expires: Wed, 21 Oct 2015 07:28:00 GMT\r\n
+    \r\n
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Transfer-Encoding")}}
+- {{HTTPHeader("TE")}}
+- [Chunked transfer encoding](https://en.wikipedia.org/wiki/Chunked_transfer_encoding)
diff --git a/files/en-us/web/http/headers/transfer-encoding/index.md b/files/en-us/web/http/headers/transfer-encoding/index.md
index 904eb0e70ff519c..c10ea945742e659 100644
--- a/files/en-us/web/http/headers/transfer-encoding/index.md
+++ b/files/en-us/web/http/headers/transfer-encoding/index.md
@@ -10,34 +10,35 @@ tags:
   - Payload header
 browser-compat: http.headers.Transfer-Encoding
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Transfer-Encoding header specifies the form of
-  encoding used to safely transfer the {{Glossary("Payload body","payload body")}} to the
-  user.

+The **`Transfer-Encoding`** header specifies the form of
+encoding used to safely transfer the {{Glossary("Payload body","payload body")}} to the
+user.
 
-

-  
Note: HTTP/2 doesn't support
-    HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient,
-    mechanisms for data streaming.

-

+> **Note:** [HTTP/2](https://wikipedia.org/wiki/HTTP/2) doesn't support
+> HTTP 1.1's chunked transfer encoding mechanism, as it provides its own, more efficient,
+> mechanisms for data streaming.
 
-
Transfer-Encoding is a hop-by-hop header, that is applied to a
-  message between two nodes, not to a resource itself. Each segment of a multi-node
-  connection can use different Transfer-Encoding values. If you want to
-  compress data over the whole connection, use the end-to-end
-  {{HTTPHeader("Content-Encoding")}} header instead.

+`Transfer-Encoding` is a [hop-by-hop header](/en-US/docs/Web/HTTP/Headers#hbh), that is applied to a
+message between two nodes, not to a resource itself. Each segment of a multi-node
+connection can use different `Transfer-Encoding` values. If you want to
+compress data over the whole connection, use the end-to-end
+{{HTTPHeader("Content-Encoding")}} header instead.
 
-
When present on a response to a {{HTTPMethod("HEAD")}} request that has no body, it
-  indicates the value that would have applied to the corresponding {{HTTPMethod("GET")}}
-  message.

+When present on a response to a {{HTTPMethod("HEAD")}} request that has no body, it
+indicates the value that would have applied to the corresponding {{HTTPMethod("GET")}}
+message.
 
 
-      
+      
@@ -46,90 +47,85 @@ browser-compat: http.headers.Transfer-Encoding
   

   
     

       Header type{{Glossary("Request header")}}, {{Glossary("Response header")}}, {{Glossary("Payload header")}}
+        {{Glossary("Request header")}},
+        {{Glossary("Response header")}},
+        {{Glossary("Payload header")}}
+      
     

     

       {{Glossary("Forbidden header name")}}

 

 
-
Syntax

+## Syntax
 
-
Transfer-Encoding: chunked
+```html
+Transfer-Encoding: chunked
 Transfer-Encoding: compress
 Transfer-Encoding: deflate
 Transfer-Encoding: gzip
 Transfer-Encoding: identity
 
-// Several values can be listed, separated by a comma
-Transfer-Encoding: gzip, chunked

+// Several values can be listed, separated by a comma
+Transfer-Encoding: gzip, chunked
+```
 
-
Directives

+## Directives
 
-

-  
chunked

-  
Data is sent in a series of chunks. The {{HTTPHeader("Content-Length")}} header is
+- `chunked`
+  - : Data is sent in a series of chunks. The {{HTTPHeader("Content-Length")}} header is
     omitted in this case and at the beginning of each chunk you need to add the length of
-    the current chunk in hexadecimal format, followed by '\r\n' and then the
-    chunk itself, followed by another '\r\n'. The terminating chunk is a
+    the current chunk in hexadecimal format, followed by '`\r\n`' and then the
+    chunk itself, followed by another '`\r\n`'. The terminating chunk is a
     regular chunk, with the exception that its length is zero. It is followed by the
-    trailer, which consists of a (possibly empty) sequence of header fields. 

-  
compress

-  
A format using the Lempel-Ziv-Welch (LZW) algorithm. The
-    value name was taken from the UNIX compress program, which implemented this
-    algorithm.

+    trailer, which consists of a (possibly empty) sequence of header fields.
+- `compress`
+  - : A format using the [Lempel-Ziv-Welch](https://en.wikipedia.org/wiki/LZW) (LZW) algorithm. The
+    value name was taken from the UNIX _compress_ program, which implemented this
+    algorithm.
     Like the compress program, which has disappeared from most UNIX distributions, this
     content-encoding is used by almost no browsers today, partly because of a patent issue
-    (which expired in 2003).

-  
deflate

-  
Using the zlib
-    structure (defined in RFC 1950), with the deflate
-    compression algorithm (defined in RFC 1951).

-  
gzip

-  
A format using the Lempel-Ziv coding
-    (LZ77), with a 32-bit CRC. This is originally the format of the UNIX gzip
+    (which expired in 2003).
+- `deflate`
+  - : Using the [zlib](https://en.wikipedia.org/wiki/Zlib)
+    structure (defined in [RFC 1950](https://datatracker.ietf.org/doc/html/rfc1950)), with the [_deflate_](https://en.wikipedia.org/wiki/DEFLATE)
+    compression algorithm (defined in [RFC 1951](https://datatracker.ietf.org/doc/html/rfc1952)).
+- `gzip`
+  - : A format using the [Lempel-Ziv coding](https://en.wikipedia.org/wiki/LZ77_and_LZ78#LZ77)
+    (LZ77), with a 32-bit CRC. This is originally the format of the UNIX _gzip_
     program. The HTTP/1.1 standard also recommends that the servers supporting this
-    content-encoding should recognize x-gzip as an alias, for compatibility
-    purposes.

-  
identity

-  
Indicates the identity function (i.e. no compression, nor modification). This token,
-    except if explicitly specified, is always deemed acceptable.

-

+    content-encoding should recognize `x-gzip` as an alias, for compatibility
+    purposes.
+- `identity`
+  - : Indicates the identity function (i.e. no compression, nor modification). This token,
+    except if explicitly specified, is always deemed acceptable.
 
-
Examples

+## Examples
 
-
Chunked encoding

+### Chunked encoding
 
-
Chunked encoding is useful when larger amounts of data are sent to the client and the
-  total size of the response may not be known until the request has been fully processed.
-  For example, when generating a large HTML table resulting from a database query or when
-  transmitting large images. A chunked response looks like this:

+Chunked encoding is useful when larger amounts of data are sent to the client and the
+total size of the response may not be known until the request has been fully processed.
+For example, when generating a large HTML table resulting from a database query or when
+transmitting large images. A chunked response looks like this:
 
-
HTTP/1.1 200 OK
-Content-Type: text/plain
-Transfer-Encoding: chunked
+    HTTP/1.1 200 OK
+    Content-Type: text/plain
+    Transfer-Encoding: chunked
 
-7\r\n
-Mozilla\r\n
-9\r\n
-Developer\r\n
-7\r\n
-Network\r\n
-0\r\n
-\r\n

+    7\r\n
+    Mozilla\r\n
+    9\r\n
+    Developer\r\n
+    7\r\n
+    Network\r\n
+    0\r\n
+    \r\n
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Accept-Encoding")}}
    • 
-  
  • {{HTTPHeader("Content-Encoding")}}
    • 
-  
  • {{HTTPHeader("Content-Length")}}
    • 
-  
  • Header fields that regulate the use of trailers: {{HTTPHeader("TE")}} (requests) and
-    {{HTTPHeader("Trailer")}} (responses).
    • 
-  
  • 
-    
    Chunked transfer
-        encoding
    
-  
    • 
-

+- {{HTTPHeader("Accept-Encoding")}}
+- {{HTTPHeader("Content-Encoding")}}
+- {{HTTPHeader("Content-Length")}}
+- Header fields that regulate the use of trailers: {{HTTPHeader("TE")}} (requests) and
+  {{HTTPHeader("Trailer")}} (responses).
+- [Chunked transfer
+  encoding](https://en.wikipedia.org/wiki/Chunked_transfer_encoding)
diff --git a/files/en-us/web/http/headers/upgrade-insecure-requests/index.md b/files/en-us/web/http/headers/upgrade-insecure-requests/index.md
index a3232528fd4cacc..37f16634aceedf7 100644
--- a/files/en-us/web/http/headers/upgrade-insecure-requests/index.md
+++ b/files/en-us/web/http/headers/upgrade-insecure-requests/index.md
@@ -8,51 +8,51 @@ tags:
   - header
 browser-compat: http.headers.Upgrade-Insecure-Requests
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP Upgrade-Insecure-Requests request header sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the {{CSP("upgrade-insecure-requests")}} CSP directive.

+The HTTP **`Upgrade-Insecure-Requests`** request header sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the {{CSP("upgrade-insecure-requests")}} [CSP](/en-US/docs/Web/HTTP/CSP) directive.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
Upgrade-Insecure-Requests: 1

+```html
+Upgrade-Insecure-Requests: 1
+```
 
-
Examples

+## Examples
 
-
A client's request signals to the server that it supports the upgrade mechanisms of {{CSP("upgrade-insecure-requests")}}:

+A client's request signals to the server that it supports the upgrade mechanisms of {{CSP("upgrade-insecure-requests")}}:
 
-
GET / HTTP/1.1
-Host: example.com
-Upgrade-Insecure-Requests: 1

+    GET / HTTP/1.1
+    Host: example.com
+    Upgrade-Insecure-Requests: 1
 
-
The server can now redirect to a secure version of the site. A {{HTTPHeader("Vary")}} header can be used so that the site isn't served by caches to clients that don’t support the upgrade mechanism.

+The server can now redirect to a secure version of the site. A {{HTTPHeader("Vary")}} header can be used so that the site isn't served by caches to clients that don’t support the upgrade mechanism.
 
-
Location: https://example.com/
-Vary: Upgrade-Insecure-Requests

+    Location: https://example.com/
+    Vary: Upgrade-Insecure-Requests
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPHeader("Content-Security-Policy")}}
    • 
- 
  • CSP {{CSP("upgrade-insecure-requests")}} directive
    • 
-

+- {{HTTPHeader("Content-Security-Policy")}}
+- CSP {{CSP("upgrade-insecure-requests")}} directive
diff --git a/files/en-us/web/http/headers/upgrade/index.md b/files/en-us/web/http/headers/upgrade/index.md
index aff0c375b74eff5..a2c28aed398e203 100644
--- a/files/en-us/web/http/headers/upgrade/index.md
+++ b/files/en-us/web/http/headers/upgrade/index.md
@@ -9,107 +9,96 @@ tags:
   - Upgrade
 browser-compat: http.headers.Upgrade
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 1.1 (only) Upgrade header can be used to upgrade an already established client/server connection to a different protocol (over the same transport protocol). For example, it can be used by a client to upgrade a connection from HTTP 1.1 to HTTP 2.0, or an HTTP or HTTPS connection into a WebSocket.

+The HTTP 1.1 (only) `Upgrade` header can be used to upgrade an already established client/server connection to a different protocol (over the same transport protocol). For example, it can be used by a client to upgrade a connection from HTTP 1.1 to HTTP 2.0, or an HTTP or HTTPS connection into a WebSocket.
 
-

-  
Warning: HTTP/2 explicitly disallows the use of this mechanism/header; it is specific to HTTP/1.1.

-

+> **Warning:** HTTP/2 explicitly disallows the use of this mechanism/header; it is specific to HTTP/1.1.
 
 
-	
-		
-			
-			
-		
-		
-			
-			
-		
-	
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Request header")}}, {{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}yes
Header type
+        {{Glossary("Request header")}},
+        {{Glossary("Response header")}}
+      
{{Glossary("Forbidden header name")}}yes

 

 
-
Overview

+## Overview
 
-
The Upgrade header field may be used by clients to invite a server to switch to one (or more) of the listed protocols, in descending preference order.

+The `Upgrade` header field may be used by clients to invite a server to switch to one (or more) of the listed protocols, in descending preference order.
 
-
For example, the client might send a GET request as shown, listing the preferred protocols to switch to (in this case "example/1" and "foo/2"):

+For example, the client might send a `GET` request as shown, listing the preferred protocols to switch to (in this case "example/1" and "foo/2"):
 
-
GET /index.html HTTP/1.1
-Host: www.example.com
-Connection: upgrade
-Upgrade: example/1, foo/2

+    GET /index.html HTTP/1.1
+    Host: www.example.com
+    Connection: upgrade
+    Upgrade: example/1, foo/2
 
-

-  
Note: Connection: upgrade must be set whenever Upgrade is sent.

-

+> **Note:** `Connection: upgrade` must be set whenever `Upgrade` is sent.
 
-
The server can choose to ignore the request, for any reason, in which case it should just respond as though the Upgrade header had not been sent (for example, with a  {{HTTPStatus(200, "200 OK")}}).

+The server can choose to ignore the request, for any reason, in which case it should just respond as though the `Upgrade` header had not been sent (for example, with a  {{HTTPStatus(200, "200 OK")}}).
 
-
If the server decides to upgrade the connection, it must:

+If the server decides to upgrade the connection, it must:
 
-
    
-	
  1. Send back a {{HTTPStatus(101, "101 Switching Protocols")}} response status with an Upgrade header that specifies the protocol(s) being switched to. For example:
+1.  Send back a {{HTTPStatus(101, "101 Switching Protocols")}} response status with an `Upgrade` header that specifies the protocol(s) being switched to. For example:
 
-	
    HTTP/1.1 101 Switching Protocols
-Upgrade: foo/2
-Connection: Upgrade
    
-	
    2. 
-	
  2. Send a response to the original request using the new protocol (the server may only switch to a protocol with which it can complete the original request).
    3. 
-

+        HTTP/1.1 101 Switching Protocols
+        Upgrade: foo/2
+        Connection: Upgrade
 
-
A server may also send the header as part of a {{HTTPStatus("426")}} Upgrade Required response, to indicate that the server won't perform the request using the current protocol, but might do so if the protocol is changed. The client can then request a protocol change using the process above.

+2.  Send a response to the original request *using the new protocol* (the server may only switch to a protocol with which it can complete the original request).
 
-
More detail and examples are provided in the topic Protocol upgrade mechanism.

+A server may also send the header as part of a {{HTTPStatus("426")}} `Upgrade Required` response, to indicate that the server won't perform the request using the current protocol, but might do so if the protocol is changed. The client can then request a protocol change using the process above.
 
-
Syntax

+More detail and examples are provided in the topic [Protocol upgrade mechanism](/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism).
 
-
Connection: upgrade
-Upgrade: protocol_name[/protocol_version]
-

+## Syntax
 
-
Notes:

+    Connection: upgrade
+    Upgrade: protocol_name[/protocol_version]
 
-
    
-	
  • The {{HTTPHeader("Connection")}} header with type upgrade must always be sent with the Upgrade header (as shown above).
    • 
-	
  • Protocols are listed, comma-separated, in order of descending preference. Protocol version is optional. For example:
-	
      Connection: upgrade
-  Upgrade: a_protocol/1, example ,another_protocol/2.2
-
    
-	
    • 
-

+Notes:
 
-
Directives

+- The {{HTTPHeader("Connection")}} header with type `upgrade` must _always_ be sent with the `Upgrade` header (as shown above).
+- Protocols are listed, comma-separated, in order of descending preference. Protocol version is optional. For example:
 
-

-	
any comma-separated list protocol names (each with optional protocol version)

-	
One or more protocol names with optional version ("/" separated). The protocols are listed in order of descending preference.

-

+        Connection: upgrade
+        Upgrade: a_protocol/1, example ,another_protocol/2.2
 
-
Examples

+## Directives
 
-
Connection: upgrade
-Upgrade: HTTP/2.0, SHTTP/1.3, IRC/6.9, RTA/x11
-

+- any comma-separated list protocol names (each with optional protocol version)
+  - : One or more protocol names with optional version ("/" separated). The protocols are listed in order of descending preference.
 
-
Connection: Upgrade
-Upgrade: websocket
-

+## Examples
 
-
Specifications

+    Connection: upgrade
+    Upgrade: HTTP/2.0, SHTTP/1.3, IRC/6.9, RTA/x11
+
+
+
+    Connection: Upgrade
+    Upgrade: websocket
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-	
  • Protocol upgrade mechanism
    • 
-	
  • {{HTTPStatus("101")}} Switching Protocol
    • 
-	
  • {{HTTPStatus("426")}} Upgrade Required
    • 
-	
  • {{HTTPHeader("Connection")}}
    • 
-

+- [Protocol upgrade mechanism](/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism)
+- {{HTTPStatus("101")}} `Switching Protocol`
+- {{HTTPStatus("426")}} `Upgrade Required`
+- {{HTTPHeader("Connection")}}
diff --git a/files/en-us/web/http/headers/user-agent/firefox/index.md b/files/en-us/web/http/headers/user-agent/firefox/index.md
index f23d5f768cf4ed3..3227da3eac231c9 100644
--- a/files/en-us/web/http/headers/user-agent/firefox/index.md
+++ b/files/en-us/web/http/headers/user-agent/firefox/index.md
@@ -9,459 +9,227 @@ tags:
   - Gecko 2.0
   - Guide
 ---
-
{{HTTPSidebar}}

-
-
This document describes the user agent string used in Firefox 4 and later and applications based on Gecko 2.0 and later. For a breakdown of changes to the string in Gecko 2.0, see Final User Agent string for Firefox 4 (blog post). See also this document on user agent sniffing and this Hacks blog post.

-
-
General form

-
-
The UA string of Firefox itself is broken down into four components:

-
-
Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion

-
-
    
- 
  • Mozilla/5.0 is the general token that says the browser is Mozilla compatible, and is common to almost every browser today.
    • 
- 
  • 
-  
    platform describes the native platform the browser is running on (e.g. Windows, Mac, Linux or Android), and whether or not it's a mobile phone. Firefox OS phones say "Mobile"; the web is the platform. Note that platform can consist of multiple "; "-separated tokens. See below for further details and examples.
    
-
-  
    
-    
    Note: Though fixed in Firefox 69, previous 32-bit versions of Firefox running on 64-bit processors would report that the system is using a 32-bit CPU.
    
-  
    
- 
    • 
- 
  • rv:geckoversion indicates the release version of Gecko (such as "17.0"). In recent browsers, geckoversion is the same as firefoxversion.
    • 
- 
  • Gecko/geckotrail indicates that the browser is based on Gecko.
    • 
- 
  • On Desktop, geckotrail is the fixed string "20100101"
    • 
- 
  • Firefox/firefoxversion indicates the browser is Firefox, and provides the version (such as "17.0").
    • 
- 
  • From Firefox 10 on mobile, geckotrail is the same as firefoxversion.
    • 
-

-
-

-  
Note: The recommended way of sniffing for Gecko-based browsers (if you have to sniff for the browser engine instead of using feature detection) is by the presence of the "Gecko" and "rv:" strings, since some other browsers include a "like Gecko" token.

-

-
-
For other products based on Gecko, the string can take one of two forms, where the tokens have the same meaning except those noted below:

-
-
Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail appname/appversion

- Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion appname/appversion

-
-
    
- 
  • appname/appversion indicates the application name and version. For instance, this could be "Camino/2.1.1", or "SeaMonkey/2.7.1".
    • 
- 
  • 
-  
    Firefox/firefoxversion is an optional compatibility token that some Gecko-based browsers may choose to incorporate, to achieve maximum compatibility with websites that expect Firefox. firefoxversion will generally represent the equivalent Firefox release corresponding to the given Gecko version. Some Gecko-based browsers may not opt into using this token; for this reason, sniffers should be looking for Gecko — not Firefox! Whether this token appears is controlled by the "general.useragent.compatMode.firefox" boolean pref.
    
- 
    • 
-

-
-
Mobile and Tablet indicators

-
-

-  
Note: Only from Firefox 11 to 68.

-

-
-
The platform part of the UA string indicates if Firefox is running on a phone-sized or tablet device. When Firefox runs on a device that has the phone form factor, there is a Mobile; token in the platform part of the UA string. When Firefox runs on a tablet device, there is a Tablet; token in the platform part of the UA string instead. For example:

-
-
Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0
-Mozilla/5.0 (Android 4.4; Tablet; rv:41.0) Gecko/41.0 Firefox/41.0

-
-

-  
Note: The version numbers are not relevant. Avoid inferring materials based on these.

-

-
-
The preferred way to target content to a device form factor is to use CSS Media Queries. However, if you use UA sniffing to target content to a device form factor, please look for Mobi (to include Opera Mobile, which uses "Mobi") for the phone form factor and do not assume any correlation between "Android" and the device form factor. This way, your code will work if/when Firefox ships on other phone/tablet operating systems or Android is used for laptops. Also, please use touch detection to find touch devices rather than looking for "Mobi" or "Tablet", since there may be touch devices which are not tablets.

-
-

-  
Note: Firefox OS devices identify themselves without any operating system indication; for example: "Mozilla/5.0 (Mobile; rv:15.0) Gecko/15.0 Firefox/15.0". The web is the platform.

-

-
-
Windows

-
-
Windows user agents have the following variations, where x.y is the Windows NT version (for instance, Windows NT 6.1).

-
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
Windows versionGecko user agent string
Windows NT on x86 or aarch64 CPUMozilla/5.0 (Windows NT x.y; rv:10.0) Gecko/20100101 Firefox/10.0
Windows NT on x64 CPUMozilla/5.0 (Windows NT x.y; Win64; x64; rv:10.0) Gecko/20100101 Firefox/10.0

-
-
Macintosh

-
-
Here, x.y is the version of Mac OS X (for instance, Mac OS X 10.15). Starting in Firefox 87, Firefox caps the reported Mac OS X version number to 10.15, so macOS 11.0 Big Sur and later will be reported as "10.15" in the User-Agent string.

-
-
Note that Firefox no longer officially supports Mac OS X on PowerPC.

-
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
Mac OS X versionGecko user agent string
Mac OS X on x86, x86_64, or aarch64Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:10.0) Gecko/20100101 Firefox/10.0
Mac OS X on PowerPCMozilla/5.0 (Macintosh; PPC Mac OS X x.y; rv:10.0) Gecko/20100101 Firefox/10.0

-
-
Linux

-
-
Linux is a more diverse platform. Your distribution of Linux might include an extension that changes your user-agent. A few common examples are given below.

-
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
Linux versionGecko user agent string
Linux desktop on i686 CPUMozilla/5.0 (X11; Linux i686; rv:10.0) Gecko/20100101 Firefox/10.0
Linux desktop on x86_64 CPUMozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0
Nokia N900 Linux mobile, on the Fennec browserMozilla/5.0 (Maemo; Linux armv7l; rv:10.0) Gecko/20100101 Firefox/10.0 Fennec/10.0

-
-
Android (version 40 and below)

-
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
Form factorGecko user agent string
PhoneMozilla/5.0 (Android; Mobile; rv:40.0) Gecko/40.0 Firefox/40.0
TabletMozilla/5.0 (Android; Tablet; rv:40.0) Gecko/40.0 Firefox/40.0

-
-
Android (version 41 and above)

-
-
Beginning in version 41, Firefox for Android will contain the Android version as part of the platform token. For increased interoperability, if the browser is running on a version below 4 it will report 4.4. Android versions 4 and above will report the version accurately. Note that the same Gecko—with the same capabilities—is shipped to all versions of Android.

-
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
Form factorGecko user agent string
PhoneMozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0
TabletMozilla/5.0 (Android 4.4; Tablet; rv:41.0) Gecko/41.0 Firefox/41.0

-
-
Focus for Android

-
-
From version 1, Focus is powered by Android WebView and uses the following user agent string format:

-
-
Mozilla/5.0 (Linux; <Android Version> <Build Tag etc.>) AppleWebKit/<WebKit Rev> (KHTML, like Gecko) Version/4.0 Focus/<focusversion> Chrome/<Chrome Rev> Mobile Safari/<WebKit Rev>

-
-
Tablet versions on WebView mirror mobile, but do not contain a Mobile token.

-
-
Starting in Version 6, users can opt into using a GeckoView-based Focus for Android with a hidden preference: it uses a GeckoView UA string to advertise Gecko compatibility.

-
-
- 
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
Focus Version (Rendering Engine)User Agent string
1.0 (WebView Mobile)Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/1.0 Chrome/59.0.3029.83 Mobile Safari/537.36
1.0 (WebView Tablet)Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/1.0 Chrome/59.0.3029.83 Safari/537.36
6.0 (GeckoView)Mozilla/5.0 (Android 7.0; Mobile; rv:62.0) Gecko/62.0 Firefox/62.0

-
-
Klar for Android

-
-
Since version 4.1, Klar for Android uses the same UA string as Focus for Android. Before version 4.1, it sent a Klar/<version> product/version token.

-
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
Klar Version (Rendering Engine)User Agent string
1.0 (WebView)Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Klar/1.0 Chrome/58.0.3029.83 Mobile Safari/537.36
4.1+ (WebView)Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/4.1 Chrome/62.0.3029.83 Mobile Safari/537.36
6.0+ (GeckoView)Mozilla/5.0 (Android 7.0; Mobile; rv:62.0) Gecko/62.0 Firefox/62.0

-
-
Focus for iOS

-
-
Version 7 of Focus for iOS uses a user agent string with the following format:

-
-
Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/7.0.4 Mobile/16B91 Safari/605.1.15

-
-
Note: this user agent was retrieved from an iPhone XR simulator and may be different on device.

-
-
Firefox for Fire TV

-
-
Version 3 (and probably earlier) of Firefox for Fire TV use a user agent string with the following format:

-
-
Mozilla/5.0 (Linux; <Android version>) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/<firefoxversion> Chrome/<Chrome Rev> Safari/<WebKit Rev>

-
-
-  
-   
-   
-  
-  
-   
-   
-  
-
Firefox TV versionUser Agent string
v3.0Mozilla/5.0 (Linux; Android 7.1.2) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/3.0 Chrome/59.0.3017.125 Safari/537.36

-
-
Firefox for Echo Show

-
-
From version 1.1, Firefox for Echo Show uses a user agent string with the following format:

-
-
Mozilla/5.0 (Linux; <Android version>) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/<firefoxversion> Chrome/<Chrome Rev> Safari/<WebKit Rev>
-

-
-
-  
-   
-   
-  
-  
-   
-   
-  
-
Firefox for Echo Show versionUser agent string
v1.1Mozilla/5.0 (Linux; Android 5.1.1) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/1.1 Chrome/59.0.3017.125 Safari/537.36

-
-
Firefox OS

-
-
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-
Form factorGecko user agent string
PhoneMozilla/5.0 (Mobile; rv:26.0) Gecko/26.0 Firefox/26.0
TabletMozilla/5.0 (Tablet; rv:26.0) Gecko/26.0 Firefox/26.0
TVMozilla/5.0 (TV; rv:44.0) Gecko/44.0 Firefox/44.0
Device-specificMozilla/5.0 (Mobile; nnnn; rv:26.0) Gecko/26.0 Firefox/26.0

-
-
Device-specific user agent strings

-
-
Although it is strongly discouraged by Mozilla, some handset manufacturers unfortunately include a token in their device's UA string that represents their device id. If this is the case, the Firefox OS UA string will look like the device-specific string in the table above, where nnnn; is the manufacturer's code for the device (see Guidelines). Some of them we have noticed are of the form "NexusOne;", "ZTEOpen;", or "Open C;" (note that putting space is also discouraged). We provide this information to assist with your UA detection logic, but Mozilla discourages the detection of a device id in UA strings.

-
-
Here is a JavaScript regular expression that will detect all mobile devices, including devices with a device id in their UA string:

-
-
/mobi/i

-
-
The i makes it case-insensitive, and mobi matches all mobile browsers.

-
-
Firefox OS version number

-
-
While the version number for Firefox OS is not included in the UA string, it is possible to infer version information from the Gecko version number present in the UA string.

-
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
Firefox OS version numberGecko version number
1.0.118.0
1.118.1
1.226.0
1.328.0
1.430.0
2.032.0
2.134.0
2.237
2.544

-
-

-  
Note: It's easy to find the correspondences by looking at the Mercurial repository names: repositories starting by mozilla-b2g are the release repositories for Firefox OS, and have both Firefox OS and Gecko versions in their names.

-

-
-
Firefox OS has a four-digit version number: X.X.X.Y. The first two digits are owned by the Mozilla product team and denote versions with new features (eg: v1.1, 1.2, etc). The third digit is incremented with regular version tags (about every 6 weeks) for security updates, and the fourth is owned by the OEM.

-
-
Firefox for iOS

-
-
Firefox for iOS uses the default Mobile Safari UA string, with an additional FxiOS/<version> token, similar to how Chrome for iOS identifies itself.

-
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
Form factorFirefox for iOS user agent string
iPodMozilla/5.0 (iPod touch; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) FxiOS/1.0 Mobile/12F69 Safari/600.1.4
iPhoneMozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) FxiOS/1.0 Mobile/12F69 Safari/600.1.4
iPadMozilla/5.0 (iPad; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) FxiOS/1.0 Mobile/12F69 Safari/600.1.4

-
-
Firefox Web Runtime

-
-
The Web Runtime uses the same user agent string as desktop Firefox.

-
-
Other Gecko-based browsers

-
-
These are some sample UA strings from other Gecko-based browsers on various platforms. Note that many of these have not yet been released on Gecko 2.0!

-
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
BrowserGecko user agent string
Firefox for Maemo (Nokia N900)Mozilla/5.0 (Maemo; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1
Camino on MacMozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Camino/2.2.1
SeaMonkey on WindowsMozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1
SeaMonkey on MacMozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1
SeaMonkey on LinuxMozilla/5.0 (X11; Linux i686; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1

-
-
Implementation notes for applications, vendors, and extensions

-
-
Prior to Firefox 4 and Gecko 2.0, it was possible for extensions to add user agent parts through the general.useragent.extra.identifier preferences. But that has not been possible since {{ Bug(581008) }}.

-
-
In the past, specific plug-ins, add-ons or extensions added user agent parts to notify sites they were installed. The recommended way to do this, if it's absolutely necessary (remember that it slows down every request) is to set a custom HTTP header.

-
-
See also

-
-
+{{HTTPSidebar}}
+
+This document describes the user agent string used in Firefox 4 and later and applications based on Gecko 2.0 and later. For a breakdown of changes to the string in Gecko 2.0, see [Final User Agent string for Firefox 4](https://hacks.mozilla.org/2010/09/final-user-agent-string-for-firefox-4/) (blog post). See also this document on [user agent sniffing](/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent) and this [Hacks blog post](https://hacks.mozilla.org/2013/09/user-agent-detection-history-and-checklist/).
+
+## General form
+
+The UA string of Firefox itself is broken down into four components:
+
+`Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion`
+
+- `Mozilla/5.0` is the general token that says the browser is Mozilla compatible, and is common to almost every browser today.
+- `platform` describes the native platform the browser is running on (e.g. Windows, Mac, Linux or Android), and whether or not it's a mobile phone. Firefox OS phones say "`Mobile`"; the web is the platform. Note that `platform` can consist of multiple "; "-separated tokens. See below for further details and examples.
+
+  > **Note:** Though fixed in Firefox 69, previous 32-bit versions of Firefox running on 64-bit processors would report that the system is using a 32-bit CPU.
+
+- `rv:geckoversion` indicates the release version of Gecko (such as "`17.0`"). In recent browsers, `geckoversion` is the same as `firefoxversion`.
+- `Gecko/geckotrail` indicates that the browser is based on Gecko.
+- On Desktop, `geckotrail` is the fixed string "`20100101`"
+- `Firefox/firefoxversion` indicates the browser is Firefox, and provides the version (such as "`17.0`").
+- From Firefox 10 on mobile, `geckotrail` is the same as `firefoxversion`.
+
+> **Note:** The recommended way of sniffing for Gecko-based browsers (if you _have to_ sniff for the browser engine instead of using feature detection) is by the presence of the "`Gecko`" and "`rv:`" strings, since some other browsers include a "`like Gecko`" token.
+
+For other products based on Gecko, the string can take one of two forms, where the tokens have the same meaning except those noted below:
+
+`Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail appname/appversion`
+`Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion appname/appversion`
+
+- `appname/appversion` indicates the application name and version. For instance, this could be "`Camino/2.1.1`", or "`SeaMonkey/2.7.1`".
+- `Firefox/firefoxversion` is an optional compatibility token that some Gecko-based browsers may choose to incorporate, to achieve maximum compatibility with websites that expect Firefox. `firefoxversion` will generally represent the equivalent Firefox release corresponding to the given Gecko version. Some Gecko-based browsers may not opt into using this token; for this reason, sniffers should be looking for Gecko — not Firefox! Whether this token appears is controlled by the _"general.useragent.compatMode.firefox"_ boolean pref.
+
+## Mobile and Tablet indicators
+
+> **Note:** Only from Firefox 11 to 68.
+
+The `platform` part of the UA string indicates if Firefox is running on a phone-sized or tablet device. When Firefox runs on a device that has the phone form factor, there is a `Mobile;` token in the `platform` part of the UA string. When Firefox runs on a tablet device, there is a `Tablet;` token in the `platform` part of the UA string instead. For example:
+
+    Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0
+    Mozilla/5.0 (Android 4.4; Tablet; rv:41.0) Gecko/41.0 Firefox/41.0
+
+> **Note:** The version numbers are not relevant. Avoid inferring materials based on these.
+
+The preferred way to target content to a device form factor is to use CSS Media Queries. However, if you use UA sniffing to target content to a device form factor, please look for **Mobi** (to include Opera Mobile, which uses "Mobi") for the phone form factor and do **not** assume any correlation between "Android" and the device form factor. This way, your code will work if/when Firefox ships on other phone/tablet operating systems or Android is used for laptops. Also, please use touch detection to find touch devices rather than looking for "Mobi" or "Tablet", since there may be touch devices which are not tablets.
+
+> **Note:** Firefox OS devices identify themselves without any operating system indication; for example: "Mozilla/5.0 (Mobile; rv:15.0) Gecko/15.0 Firefox/15.0". The web is the platform.
+
+## Windows
+
+Windows user agents have the following variations, where _x.y_ is the Windows NT version (for instance, Windows NT 6.1).
+
+| Windows version                  | Gecko user agent string                                                           |
+| -------------------------------- | --------------------------------------------------------------------------------- |
+| Windows NT on x86 or aarch64 CPU | Mozilla/5.0 (Windows NT _x_._y_; rv:10.0) Gecko/20100101 Firefox/10.0             |
+| Windows NT on x64 CPU            | Mozilla/5.0 (Windows NT _x_._y_; Win64; x64; rv:10.0) Gecko/20100101 Firefox/10.0 |
+
+## Macintosh
+
+Here, _x.y_ is the version of Mac OS X (for instance, Mac OS X 10.15). Starting in Firefox 87, Firefox caps the reported Mac OS X version number to 10.15, so macOS 11.0 Big Sur and later will be reported as "10.15" in the User-Agent string.
+
+Note that [Firefox no longer officially supports Mac OS X on PowerPC](https://support.mozilla.org/kb/firefox-no-longer-works-mac-os-10-4-or-powerpc).
+
+| Mac OS X version                    | Gecko user agent string                                                            |
+| ----------------------------------- | ---------------------------------------------------------------------------------- |
+| Mac OS X on x86, x86_64, or aarch64 | Mozilla/5.0 (Macintosh; Intel Mac OS X _x.y_; rv:10.0) Gecko/20100101 Firefox/10.0 |
+| Mac OS X on PowerPC                 | Mozilla/5.0 (Macintosh; PPC Mac OS X _x.y_; rv:10.0) Gecko/20100101 Firefox/10.0   |
+
+## Linux
+
+Linux is a more diverse platform. Your distribution of Linux might include an extension that changes your user-agent. A few common examples are given below.
+
+| Linux version                                  | Gecko user agent string                                                            |
+| ---------------------------------------------- | ---------------------------------------------------------------------------------- |
+| Linux desktop on i686 CPU                      | Mozilla/5.0 (X11; Linux i686; rv:10.0) Gecko/20100101 Firefox/10.0                 |
+| Linux desktop on x86_64 CPU                    | Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0               |
+| Nokia N900 Linux mobile, on the Fennec browser | Mozilla/5.0 (Maemo; Linux armv7l; rv:10.0) Gecko/20100101 Firefox/10.0 Fennec/10.0 |
+
+## Android (version 40 and below)
+
+| Form factor | Gecko user agent string                                        |
+| ----------- | -------------------------------------------------------------- |
+| Phone       | Mozilla/5.0 (Android; Mobile; rv:40.0) Gecko/40.0 Firefox/40.0 |
+| Tablet      | Mozilla/5.0 (Android; Tablet; rv:40.0) Gecko/40.0 Firefox/40.0 |
+
+## Android (version 41 and above)
+
+Beginning in version 41, Firefox for Android will contain the Android version as part of the _platform_ token. For increased interoperability, if the browser is running on a version below 4 it will report 4.4. Android versions 4 and above will report the version accurately. Note that the same Gecko—with the same capabilities—is shipped to all versions of Android.
+
+| Form factor | Gecko user agent string                                            |
+| ----------- | ------------------------------------------------------------------ |
+| Phone       | Mozilla/5.0 (Android 4.4; Mobile; rv:41.0) Gecko/41.0 Firefox/41.0 |
+| Tablet      | Mozilla/5.0 (Android 4.4; Tablet; rv:41.0) Gecko/41.0 Firefox/41.0 |
+
+## Focus for Android
+
+From version 1, Focus is powered by Android WebView and uses the following user agent string format:
+
+    Mozilla/5.0 (Linux;  ) AppleWebKit/ (KHTML, like Gecko) Version/4.0 Focus/ Chrome/ Mobile Safari/
+
+Tablet versions on WebView mirror mobile, but do not contain a `Mobile` token.
+
+Starting in Version 6, users can opt into using a GeckoView-based Focus for Android with a hidden preference: it uses a GeckoView UA string to advertise Gecko compatibility.
+
+| Focus Version (Rendering Engine) | User Agent string                                                                                                                      |
+| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
+| 1.0 (WebView Mobile)             | Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/1.0 Chrome/59.0.3029.83 Mobile Safari/537.36 |
+| 1.0 (WebView Tablet)             | Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/1.0 Chrome/59.0.3029.83 Safari/537.36        |
+| 6.0 (GeckoView)                  | Mozilla/5.0 (Android 7.0; Mobile; rv:62.0) Gecko/62.0 Firefox/62.0                                                                     |
+
+## Klar for Android
+
+Since version 4.1, Klar for Android uses the same UA string as [Focus for Android](#focus_for_android). Before version 4.1, it sent a _Klar/\_ _product/version_ token.
+
+| Klar Version (Rendering Engine) | User Agent string                                                                                                                      |
+| ------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
+| 1.0 (WebView)                   | Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Klar/1.0 Chrome/58.0.3029.83 Mobile Safari/537.36  |
+| 4.1+ (WebView)                  | Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/4.1 Chrome/62.0.3029.83 Mobile Safari/537.36 |
+| 6.0+ (GeckoView)                | Mozilla/5.0 (Android 7.0; Mobile; rv:62.0) Gecko/62.0 Firefox/62.0                                                                     |
+
+## Focus for iOS
+
+Version 7 of Focus for iOS uses a user agent string with the following format:
+
+    Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/7.0.4 Mobile/16B91 Safari/605.1.15
+
+Note: this user agent was retrieved from an iPhone XR simulator and may be different on device.
+
+## Firefox for Fire TV
+
+Version 3 (and probably earlier) of Firefox for Fire TV use a user agent string with the following format:
+
+    Mozilla/5.0 (Linux; ) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/ Chrome/ Safari/
+
+| Firefox TV version | User Agent string                                                                                                                  |
+| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------- |
+| v3.0               | Mozilla/5.0 (Linux; Android 7.1.2) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/3.0 Chrome/59.0.3017.125 Safari/537.36 |
+
+## Firefox for Echo Show
+
+From version 1.1, Firefox for Echo Show uses a user agent string with the following format:
+
+    Mozilla/5.0 (Linux; ) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/ Chrome/ Safari/
+
+| Firefox for Echo Show version | User agent string                                                                                                                  |
+| ----------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
+| v1.1                          | Mozilla/5.0 (Linux; Android 5.1.1) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/1.1 Chrome/59.0.3017.125 Safari/537.36 |
+
+## Firefox OS
+
+| Form factor     | Gecko user agent string                                           |
+| --------------- | ----------------------------------------------------------------- |
+| Phone           | Mozilla/5.0 (Mobile; rv:26.0) Gecko/26.0 Firefox/26.0             |
+| Tablet          | Mozilla/5.0 (Tablet; rv:26.0) Gecko/26.0 Firefox/26.0             |
+| TV              | Mozilla/5.0 (TV; rv:44.0) Gecko/44.0 Firefox/44.0                 |
+| Device-specific | Mozilla/5.0 (Mobile; **_nnnn;_** rv:26.0) Gecko/26.0 Firefox/26.0 |
+
+### Device-specific user agent strings
+
+Although it is **strongly discouraged** by Mozilla, some handset manufacturers unfortunately include a token in their device's UA string that represents their device id. If this is the case, the Firefox OS UA string will look like the device-specific string in the table above, where **_nnnn;_** is the manufacturer's code for the device (see [Guidelines](https://wiki.mozilla.org/B2G/User_Agent/Device_Model_Inclusion_Requirements)). Some of them we have noticed are of the form "**NexusOne;**", "**ZTEOpen;**", or "**Open C;**" (note that putting space is also discouraged). We provide this information to assist with your UA detection logic, but Mozilla discourages the detection of a device id in UA strings.
+
+Here is a JavaScript regular expression that will detect all mobile devices, including devices with a device id in their UA string:
+
+    /mobi/i
+
+The `i` makes it case-insensitive, and `mobi` matches all mobile browsers.
+
+### Firefox OS version number
+
+While the version number for Firefox OS is not included in the UA string, it is possible to infer version information from the Gecko version number present in the UA string.
+
+| Firefox OS version number | Gecko version number |
+| ------------------------- | -------------------- |
+| 1.0.1                     | 18.0                 |
+| 1.1                       | 18.1                 |
+| 1.2                       | 26.0                 |
+| 1.3                       | 28.0                 |
+| 1.4                       | 30.0                 |
+| 2.0                       | 32.0                 |
+| 2.1                       | 34.0                 |
+| 2.2                       | 37                   |
+| 2.5                       | 44                   |
+
+> **Note:** It's easy to find the correspondences by looking at the [Mercurial repository names](https://hg.mozilla.org/releases): repositories starting by `mozilla-b2g` are the release repositories for Firefox OS, and have both Firefox OS and Gecko versions in their names.
+
+Firefox OS has a four-digit version number: `X.X.X.Y`. The first two digits are owned by the Mozilla product team and denote versions with new features (eg: v1.1, 1.2, etc). The third digit is incremented with regular version tags (about every 6 weeks) for security updates, and the fourth is owned by the OEM.
+
+## Firefox for iOS
+
+Firefox for iOS uses the default Mobile Safari UA string, with an additional **FxiOS/\** token, similar to how [Chrome for iOS identifies itself](https://developer.chrome.com/multidevice/user-agent#chrome_for_ios_user_agent).
+
+| Form factor | Firefox for iOS user agent string                                                                                                           |
+| ----------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
+| iPod        | Mozilla/5.0 (iPod touch; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) **FxiOS/1.0** Mobile/12F69 Safari/600.1.4 |
+| iPhone      | Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) **FxiOS/1.0** Mobile/12F69 Safari/600.1.4     |
+| iPad        | Mozilla/5.0 (iPad; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) **FxiOS/1.0** Mobile/12F69 Safari/600.1.4       |
+
+## Firefox Web Runtime
+
+The Web Runtime uses the same user agent string as desktop Firefox.
+
+## Other Gecko-based browsers
+
+These are some sample UA strings from other Gecko-based browsers on various platforms. Note that many of these have not yet been released on Gecko 2.0!
+
+| Browser                        | Gecko user agent string                                                                               |
+| ------------------------------ | ----------------------------------------------------------------------------------------------------- |
+| Firefox for Maemo (Nokia N900) | Mozilla/5.0 (Maemo; Linux armv7l; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 Fennec/10.0.1              |
+| Camino on Mac                  | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Camino/2.2.1      |
+| SeaMonkey on Windows           | Mozilla/5.0 (Windows NT 5.2; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1                 |
+| SeaMonkey on Mac               | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.5; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1 |
+| SeaMonkey on Linux             | Mozilla/5.0 (X11; Linux i686; rv:10.0.1) Gecko/20100101 Firefox/10.0.1 SeaMonkey/2.7.1                |
+
+## Implementation notes for applications, vendors, and extensions
+
+Prior to Firefox 4 and Gecko 2.0, it was possible for extensions to add user agent parts through the `general.useragent.extra.identifier` preferences. But that has not been possible since {{ Bug(581008) }}.
+
+In the past, specific plug-ins, add-ons or extensions added user agent parts to notify sites they were installed. The recommended way to do this, if it's absolutely necessary (remember that it slows down every request) is to [set a custom HTTP header](/en-US/docs/Setting_HTTP_request_headers).
+
+## See also
+
+- [Firefox OS User Agent String](https://lawrencemandel.com/2012/07/27/decision-made-firefox-os-user-agent-string/) (blog post w/[bug 777710](https://bugzilla.mozilla.org/show_bug.cgi?id=777710) reference)
+- [Final User Agent string for Firefox 4](https://hacks.mozilla.org/2010/09/final-user-agent-string-for-firefox-4/) (blog post)
+- Recommendations on [sniffing the UA string for cross-browser support](/en-US/docs/Browser_Detection_and_Cross_Browser_Support)
+- [window.navigator.userAgent](/en-US/docs/Web/API/Window/navigator)
+- [Add Android version to Fennec UA String (bug 1169772)](https://bugzilla.mozilla.org/show_bug.cgi?id=1169772)
diff --git a/files/en-us/web/http/headers/user-agent/index.md b/files/en-us/web/http/headers/user-agent/index.md
index 1c258da07aef7ac..9452f5ce9a790f5 100644
--- a/files/en-us/web/http/headers/user-agent/index.md
+++ b/files/en-us/web/http/headers/user-agent/index.md
@@ -8,139 +8,136 @@ tags:
   - User-agent
 browser-compat: http.headers.User-Agent
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The User-Agent {{Glossary("request header")}} is a characteristic string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting {{Glossary("user agent")}}.

+The **User-Agent** {{Glossary("request header")}} is a characteristic string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting {{Glossary("user agent")}}.
 
-

-  
Warning: Please read Browser detection using the user agent for why serving different Web pages or services to different browsers is usually a bad idea.

-

+> **Warning:** Please read [Browser detection using the user agent](/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent) for why serving different Web pages or services to different browsers is usually a bad idea.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Request header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
User-Agent: <product> / <product-version> <comment>

+```html
+User-Agent:  /  
+```
 
-
Common format for web browsers:

+Common format for web browsers:
 
-
User-Agent: Mozilla/5.0 (<system-information>) <platform> (<platform-details>) <extensions>

+```html
+User-Agent: Mozilla/5.0 ()  () 
+```
 
-
Directives

+### Directives
 
-

- 
<product>

- 
A product identifier — its name or development codename.

- 
<product-version>

- 
Version number of the product.

- 
<comment>

- 
Zero or more comments containing more details; sub-product information, for example.

-

+- ``
+  - : A product identifier — its name or development codename.
+- ``
+  - : Version number of the product.
+- ``
+  - : Zero or more comments containing more details; sub-product information, for example.
 
-
Firefox UA string

+## Firefox UA string
 
-
For more on Firefox- and Gecko-based user agent strings, see the Firefox user agent string reference. The UA string of Firefox is broken down into 4 components:

+For more on Firefox- and Gecko-based user agent strings, see the [Firefox user agent string reference](/en-US/docs/Web/HTTP/Headers/User-Agent/Firefox). The UA string of Firefox is broken down into 4 components:
 
-
Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion

+    Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion
 
-
    
- 
  1. Mozilla/5.0 is the general token that says the browser is Mozilla-compatible. For historical reasons, almost every browser today sends it.
    2. 
- 
  2. platform describes the native platform the browser is running on (Windows, Mac, Linux, Android, etc.), and if it's a mobile phone. {{Glossary("Firefox OS")}} phones say Mobile — the web is the platform. Note that platform can consist of multiple "; "-separated tokens. See below for further details and examples.
    3. 
- 
  3. rv:geckoversion indicates the release version of Gecko (such as "17.0"). In recent browsers, geckoversion is the same as firefoxversion.
    4. 
- 
  4. Gecko/geckotrail indicates that the browser is based on Gecko. (On Desktop, geckotrail is always the fixed string 20100101.)
    5. 
- 
  5. Firefox/firefoxversion indicates the browser is Firefox, and provides the version (such as "17.0").
    6. 
-

+1.  `Mozilla/5.0` is the general token that says the browser is Mozilla-compatible. For historical reasons, almost every browser today sends it.
+2.  **_platform_** describes the native platform the browser is running on (Windows, Mac, Linux, Android, etc.), and if it's a mobile phone. {{Glossary("Firefox OS")}} phones say `Mobile` — the web is the platform. Note that **_platform_** can consist of multiple "`; `"-separated tokens. See below for further details and examples.
+3.  **rv:_geckoversion_** indicates the release version of Gecko (such as "_17.0_"). In recent browsers, **_geckoversion_** is the same as **_firefoxversion_**.
+4.  **_Gecko/geckotrail_** indicates that the browser is based on Gecko. (On Desktop, **_geckotrail_** is always the fixed string `20100101`.)
+5.  **_Firefox/firefoxversion_** indicates the browser is Firefox, and provides the version (such as "_17.0"_).
 
-
Examples

+### Examples
 
-
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
-Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0
-

+    Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0
+    Mozilla/5.0 (Macintosh; Intel Mac OS X x.y; rv:42.0) Gecko/20100101 Firefox/42.0
 
-
Chrome UA string

+## Chrome UA string
 
-
The Chrome (or Chromium/Blink-based engines) user agent string is similar to Firefox’s. For compatibility, it adds strings like KHTML, like Gecko and Safari.

+The Chrome (or Chromium/Blink-based engines) user agent string is similar to Firefox’s. For compatibility, it adds strings like `KHTML, like Gecko` and `Safari`.
 
-
Examples

+### Examples
 
-
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

+    Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
 
-
Opera UA string

+## Opera UA string
 
-
The Opera browser is also based on the Blink engine, which is why it almost looks the same, but adds "OPR/<version>".

+The Opera browser is also based on the Blink engine, which is why it almost looks the same, but adds `"OPR/"`.
 
-
Examples

+### Examples
 
-
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41

+    Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
 
-
Older, Presto-based Opera releases used:

+Older, Presto-based Opera releases used:
 
-
Opera/9.80 (Macintosh; Intel Mac OS X; U; en) Presto/2.2.15 Version/10.00
-Opera/9.60 (Windows NT 6.0; U; en) Presto/2.1.1

+    Opera/9.80 (Macintosh; Intel Mac OS X; U; en) Presto/2.2.15 Version/10.00
+    Opera/9.60 (Windows NT 6.0; U; en) Presto/2.1.1
 
-
Microsoft Edge UA string

+## Microsoft Edge UA string
 
-
The Edge browser is also based on the Blink engine.

+The Edge browser is also based on the Blink engine.
 
-
Examples

+### Examples
 
-
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.59

+    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.59
 
-
Safari UA string

+## Safari UA string
 
-
In this example, the user agent string is mobile Safari’s version. It contains the word "Mobile".

+In this example, the user agent string is mobile Safari’s version. It contains the word `"Mobile"`.
 
-
Examples

+### Examples
 
-
Mozilla/5.0 (iPhone; CPU iPhone OS 13_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Mobile/15E148 Safari/604.1

+    Mozilla/5.0 (iPhone; CPU iPhone OS 13_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.1 Mobile/15E148 Safari/604.1
 
-
Internet Explorer UA string

+## Internet Explorer UA string
 
-
Examples

+### Examples
 
-
Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0)

+    Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0)
 
-
Crawler and bot UA strings

+## Crawler and bot UA strings
 
-
Examples

+### Examples
 
-
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

+    Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
 
-
Mozilla/5.0 (compatible; YandexAccessibilityBot/3.0; +http://yandex.com/bots)

+
 
-
Library and net tool UA strings

+    Mozilla/5.0 (compatible; YandexAccessibilityBot/3.0; +http://yandex.com/bots)
 
-
Examples

+## Library and net tool UA strings
 
-
curl/7.64.1

+### Examples
 
-
PostmanRuntime/7.26.5

+    curl/7.64.1
 
-
Specifications

+
+
+    PostmanRuntime/7.26.5
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [User-Agent detection, history and checklist](https://hacks.mozilla.org/2013/09/user-agent-detection-history-and-checklist/)
+- [Firefox user agent string reference](/en-US/docs/Web/HTTP/Headers/User-Agent/Firefox)
+- [Browser detection using the user agent](/en-US/docs/Web/HTTP/Browser_detection_using_the_user_agent)
diff --git a/files/en-us/web/http/headers/vary/index.md b/files/en-us/web/http/headers/vary/index.md
index 8cd63b387c19fec..fde1be63997e947 100644
--- a/files/en-us/web/http/headers/vary/index.md
+++ b/files/en-us/web/http/headers/vary/index.md
@@ -9,17 +9,16 @@ tags:
   - header
 browser-compat: http.headers.Vary
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Vary HTTP response header determines how to match
-  future request headers to decide whether a cached response can be used rather than
-  requesting a fresh one from the origin server. It is used by the server to indicate
-  which headers it used when selecting a representation of a resource in a content negotiation algorithm.

+The **`Vary`** HTTP response header determines how to match
+future request headers to decide whether a cached response can be used rather than
+requesting a fresh one from the origin server. It is used by the server to indicate
+which headers it used when selecting a representation of a resource in a [content negotiation](/en-US/docs/Web/HTTP/Content_negotiation) algorithm.
 
-
The Vary header should be set on a {{HTTPStatus("304")}}
-  Not Modified response exactly like it would have been set on an equivalent
-  {{HTTPStatus("200")}} OK response.

+The `Vary` header should be set on a {{HTTPStatus("304")}}
+`Not Modified` response exactly like it would have been set on an equivalent
+{{HTTPStatus("200")}} `OK` response.
 
 
@@ -34,63 +33,55 @@ browser-compat: http.headers.Vary
   

   
 

 
-
Syntax

+## Syntax
 
-
Vary: *
-Vary: <header-name>, <header-name>, ...
-

+```html
+Vary: *
+Vary: , , ...
+```
 
-
Directives

+## Directives
 
-

-  
*

-  
Each request for a URL is supposed to be treated as a unique and uncacheable
+- \*
+  - : Each request for a URL is supposed to be treated as a unique and uncacheable
     request. A better way to indicate this is to use {{HTTPHeader("Cache-Control")}}:
-    no-store, which is clearer to read and also signals that the object
-    shouldn't be stored ever.

-  
<header-name>

-  
A comma-separated list of header names to take into account when deciding whether or
-    not a cached response can be used.

-

+    `no-store`, which is clearer to read and also signals that the object
+    shouldn't be stored ever.
+- \
+  - : A comma-separated list of header names to take into account when deciding whether or
+    not a cached response can be used.
 
-
Examples

+## Examples
 
-
Dynamic serving

+### Dynamic serving
 
-
When using the Vary: User-Agent header, caching servers should consider
-  the user agent when deciding whether to serve the page from cache. For example, if you
-  are serving different content to mobile users, it can help you to avoid that a cache may
-  mistakenly serve a desktop version of your site to your mobile users. It can help Google
-  and other search engines to discover the mobile version of a page, and might also tell
-  them that no Cloaking is intended.
-

+When using the `Vary: User-Agent` header, caching servers should consider
+the user agent when deciding whether to serve the page from cache. For example, if you
+are serving different content to mobile users, it can help you to avoid that a cache may
+mistakenly serve a desktop version of your site to your mobile users. It can help Google
+and other search engines to discover the mobile version of a page, and might also tell
+them that no [Cloaking](https://en.wikipedia.org/wiki/Cloaking) is intended.
 
-
Vary: User-Agent

+    Vary: User-Agent
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
Compatibility notes

+## Compatibility notes
 
-
+- [Vary
+  with care – Vary header problems in IE6-9](https://blogs.msdn.microsoft.com/ieinternals/2009/06/17/vary-with-care/)
 
-
See also

+## See also
 
-
+- [Understanding
+  The Vary Header - Smashing Magazine](https://www.smashingmagazine.com/2017/11/understanding-vary-header/)
+- [Best
+  Practices for Using the Vary Header – fastly.com](https://www.fastly.com/blog/best-practices-for-using-the-vary-header)
+- [Content
+  negotiation](/en-US/docs/Web/HTTP/Content_negotiation)
diff --git a/files/en-us/web/http/headers/via/index.md b/files/en-us/web/http/headers/via/index.md
index e89e6a0b42b1ed9..61f26567302ecdb 100644
--- a/files/en-us/web/http/headers/via/index.md
+++ b/files/en-us/web/http/headers/via/index.md
@@ -9,18 +9,21 @@ tags:
   - Reference
 browser-compat: http.headers.Via
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Via general header is added by proxies, both forward
-  and reverse proxies, and can appear in the request headers and the response headers. It
-  is used for tracking message forwards, avoiding request loops, and identifying the
-  protocol capabilities of senders along the request/response chain.

+The **`Via`** general header is added by proxies, both forward
+and reverse proxies, and can appear in the request headers and the response headers. It
+is used for tracking message forwards, avoiding request loops, and identifying the
+protocol capabilities of senders along the request/response chain.
 
 
-      
+      
@@ -29,44 +32,40 @@ browser-compat: http.headers.Via
   

   
     

       Header type{{Glossary("Request header")}}, {{Glossary("Response header")}}
+        {{Glossary("Request header")}},
+        {{Glossary("Response header")}}
+      
     

     

       {{Glossary("Forbidden header name")}}

 

 
-
Syntax

+## Syntax
 
-
Via: [ <protocol-name> "/" ] <protocol-version> <host> [ ":" <port> ]
+```html
+Via: [  "/" ]   [ ":"  ]
 or
-Via: [ <protocol-name> "/" ] <protocol-version> <pseudonym>
-

+Via: [  "/" ]  
+```
 
-
Directives

+## Directives
 
-

-  
<protocol-name>

-  
Optional. The name of the protocol used, such as "HTTP".

-  
<protocol-version>

-  
The version of the protocol used, such as "1.1".

-  
<host> and <port>

-  
Public proxy URL and port.

-  
<pseudonym>

-  
Name/alias of an internal proxy.

-

+- \
+  - : Optional. The name of the protocol used, such as "HTTP".
+- \
+  - : The version of the protocol used, such as "1.1".
+- \ and \
+  - : Public proxy URL and port.
+- \
+  - : Name/alias of an internal proxy.
 
-
Examples

+## Examples
 
-
Via: 1.1 vegur
-Via: HTTP/1.1 GWA
-Via: 1.0 fred, 1.1 p.example.net
-

+    Via: 1.1 vegur
+    Via: HTTP/1.1 GWA
+    Via: 1.0 fred, 1.1 p.example.net
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("X-Forwarded-For")}}
+- [Heroku's proxy library Vegur](https://github.com/heroku/vegur)
diff --git a/files/en-us/web/http/headers/viewport-width/index.md b/files/en-us/web/http/headers/viewport-width/index.md
index 23b6267c9e90a86..5d70bec287ba39d 100644
--- a/files/en-us/web/http/headers/viewport-width/index.md
+++ b/files/en-us/web/http/headers/viewport-width/index.md
@@ -12,74 +12,69 @@ tags:
   - Exerimental
 browser-compat: http.headers.Viewport-Width
 ---
-
{{HTTPSidebar}} {{deprecated_header}}{{securecontext_header}}

+{{HTTPSidebar}} {{deprecated_header}}{{securecontext_header}}
 
-
The Viewport-Width device client hint request header provides the client's layout viewport width in {{Glossary("CSS pixel","CSS pixels")}}. The value is rounded up to the smallest following integer (i.e. ceiling value).

+The **`Viewport-Width`** [device client hint](/en-US/docs/Glossary/Client_hints) request header provides the client's layout viewport width in {{Glossary("CSS pixel","CSS pixels")}}. The value is rounded up to the smallest following integer (i.e. ceiling value).
 
 
-   
-    
-    
-   
-   
-    
-    
-   
+    
+      
+      
+    
+    
+      
+      
+    
- 

   
Header type{{Glossary("Request header")}}, {{Glossary("Client hints","Client hint")}}
{{Glossary("Forbidden header name")}}no
Header type
+        {{Glossary("Request header")}},
+        {{Glossary("Client hints","Client hint")}}
+      
{{Glossary("Forbidden header name")}}no

   

+
 
-
The hint can be used with other screen-specific hints to deliver images optimized for a specific screen size, or to omit resources that are not needed for a particular screen width.

+The hint can be used with other screen-specific hints to deliver images optimized for a specific screen size, or to omit resources that are not needed for a particular screen width.
 
-
If the Viewport-Width header appears more than once in a message the last occurrence is used.

+If the `Viewport-Width` header appears more than once in a message the last occurrence is used.
 
-

-  
Note:

-    
    
-      
  • Client Hints are accessible only on secure origins (via TLS).
    • 
-      
  • A server has to opt in to receive the Viewport-Width header from the client, by sending the {{HTTPHeader("Accept-CH")}} response header.
    • 
-      
  • Servers that opt in to the Viewport-Width client hint will typically also specify it in the {{HTTPHeader("Vary")}} header. This informs caches that the server may send different responses based on the header value in a request.
    • 
-      
  • Viewport-Width was removed from the original client hints specification in draft-ietf-httpbis-client-hints-07. The proposed replacement is Sec-CH-Viewport-Width (Responsive Image Client Hints).
    • 
-    

-

+> **Note:**
+>
+> - Client Hints are accessible only on secure origins (via TLS).
+> - A server has to opt in to receive the `Viewport-Width` header from the client, by sending the {{HTTPHeader("Accept-CH")}} response header.
+> - Servers that opt in to the `Viewport-Width` client hint will typically also specify it in the {{HTTPHeader("Vary")}} header. This informs caches that the server may send different responses based on the header value in a request.
+> - `Viewport-Width` was removed from the original client hints specification in [draft-ietf-httpbis-client-hints-07](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-client-hints-07). The proposed replacement is [`Sec-CH-Viewport-Width`](https://wicg.github.io/responsive-image-client-hints/#sec-ch-viewport-width) (Responsive Image Client Hints).
 
-
Syntax

+## Syntax
 
-
Viewport-Width: <number>

+    Viewport-Width: 
 
-
Directives

+## Directives
 
-

- 
 <number>

- 
The width of the user's viewport in {{Glossary("CSS pixel","CSS pixels")}}, rounded up to the nearest integer.

-

+- ``
+  - : The width of the user's viewport in {{Glossary("CSS pixel","CSS pixels")}}, rounded up to the nearest integer.
 
-
Examples

+## Examples
 
-
A server must first opt in to receive the Viewport-Width header by sending the response header {{HTTPHeader("Accept-CH")}} containing the directive Viewport-Width.

+A server must first opt in to receive the `Viewport-Width` header by sending the response header {{HTTPHeader("Accept-CH")}} containing the directive `Viewport-Width`.
 
-
Accept-CH: Viewport-Width

+    Accept-CH: Viewport-Width
 
-
Then on subsequent requests the client might send Viewport-Width header back:

+Then on subsequent requests the client might send `Viewport-Width` header back:
 
-
Viewport-Width: 320

+    Viewport-Width: 320
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [Adapting to Users with Client Hints](https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/client-hints) (developer.google.com)
+- Device client hints
+
+  - {{HTTPHeader("Content-DPR")}}
+  - {{HTTPHeader("Device-Memory")}}
+  - {{HTTPHeader("DPR")}}
+  - {{HTTPHeader("Width")}}
+
+- {{HTTPHeader("Accept-CH")}}
+- [HTTP Caching > Varying responses](/en-US/docs/Web/HTTP/Caching#varying_responses) and {{HTTPHeader("Vary")}}
diff --git a/files/en-us/web/http/headers/want-digest/index.md b/files/en-us/web/http/headers/want-digest/index.md
index 14c7a1dfa78a866..de16d9af1884247 100644
--- a/files/en-us/web/http/headers/want-digest/index.md
+++ b/files/en-us/web/http/headers/want-digest/index.md
@@ -8,37 +8,37 @@ tags:
   - Response header
 browser-compat: http.headers.Want-Digest
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The Want-Digest HTTP header is primarily used in a HTTP
-  request, to ask the responder to provide a {{Glossary("digest")}} of the requested
-  resource using the Digest
-  response header.

+The **`Want-Digest`** HTTP header is primarily used in a HTTP
+request, to ask the responder to provide a {{Glossary("digest")}} of the requested
+resource using the [`Digest`](/en-US/docs/Web/HTTP/Headers/Digest)
+response header.
 
-
The header contains identifiers for one or more digest algorithms that the sender
-  wishes the responder to use to create the digest. The sender may use quality values to indicate its
-  preference ordering among the choices it offers.

+The header contains identifiers for one or more digest algorithms that the sender
+wishes the responder to use to create the digest. The sender may use [quality values](/en-US/docs/Glossary/Quality_values) to indicate its
+preference ordering among the choices it offers.
 
-
If Want-Digest does not include any digest algorithms that the server
-  supports, the server may respond with:

+If `Want-Digest` does not include any digest algorithms that the server
+supports, the server may respond with:
 
-
    
-  
  • a digest calculated using a different digest algorithm, or
    • 
-  
  • a 400 Bad Request error,
-    and include another Want-Digest header with that response, listing the
-    algorithms that it does support.
    • 
-

+- a digest calculated using a different digest algorithm, or
+- a [`400 Bad Request`](/en-US/docs/Web/HTTP/Status/400) error,
+  and include another `Want-Digest` header with that response, listing the
+  algorithms that it does support.
 
-
See the page for the
-  Digest header for more
-  information.

+See the page for the
+[`Digest`](/en-US/docs/Web/HTTP/Headers/Digest) header for more
+information.
 
 
-      
+      
@@ -47,104 +47,94 @@ browser-compat: http.headers.Want-Digest
   

   
     

       Header type{{Glossary("Request header")}}, {{Glossary("Response header")}}
+        {{Glossary("Request header")}},
+        {{Glossary("Response header")}}
+      
     

     

       {{Glossary("Forbidden header name")}}

 

 
-
Syntax

+## Syntax
 
-
Want-Digest: <digest-algorithm>
+```html
+Want-Digest: 
 
 // Multiple algorithms, weighted with the quality value syntax:
-Want-Digest: <digest-algorithm><q-value>,<digest-algorithm><q-value>

+Want-Digest: ,
+```
 
-
Directives

+## Directives
 
-

-  
<digest-algorithm>

-  
Supported digest algorithms are defined in RFC 3230 and RFC 5843, and include
-    SHA-256 and SHA-512. Some of the supported algorithms,
-    including unixsum and MD5 are subject to collisions and are
-    thus not suitable for applications in which collision-resistance is important.

-  
<q-value>

-  
The quality value to apply to that
-    option.

-

+- ``
+  - : Supported digest algorithms are defined in [RFC 3230](https://datatracker.ietf.org/doc/html/rfc3230) and [RFC 5843](https://datatracker.ietf.org/doc/html/rfc5843), and include
+    `SHA-256` and `SHA-512`. Some of the supported algorithms,
+    including `unixsum` and `MD5` are subject to collisions and are
+    thus not suitable for applications in which collision-resistance is important.
+- ``
+  - : The [quality value](/en-US/docs/Glossary/Quality_values) to apply to that
+    option.
 
-
Examples

+## Examples
 
-
Want-Digest: sha-256
-Want-Digest: SHA-512;q=0.3, sha-256;q=1, md5;q=0

+```html
+Want-Digest: sha-256
+Want-Digest: SHA-512;q=0.3, sha-256;q=1, md5;q=0
+```
 
-
Basic operation

+### Basic operation
 
-
The sender provides a list of digests which it is prepared to accept, and the server
-  uses one of them:

+The sender provides a list of digests which it is prepared to accept, and the server
+uses one of them:
 
-
Request:
+    Request:
 
-  GET /item
-  Want-Digest: sha-256;q=0.3, sha;q=1
+      GET /item
+      Want-Digest: sha-256;q=0.3, sha;q=1
 
-Response:
+    Response:
 
-  HTTP/1.1 200 Ok
-  Digest: sha-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=

+      HTTP/1.1 200 Ok
+      Digest: sha-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=
 
-
Unsupported digests

+### Unsupported digests
 
-
The server does not support any of the requested digest algorithms, so uses a different
-  algorithm:

+The server does not support any of the requested digest algorithms, so uses a different
+algorithm:
 
-
Request:
+    Request:
 
-  GET /item
-  Want-Digest: sha;q=1
+      GET /item
+      Want-Digest: sha;q=1
 
-Response:
+    Response:
 
-  HTTP/1.1 200 Ok
-  Digest: sha-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=

+      HTTP/1.1 200 Ok
+      Digest: sha-256=X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=
 
-
The server does not support any of the requested digest algorithms, so responds with a
-  400 error and includes another Want-Digest header, listing the algorithms
-  that it does support:

+The server does not support any of the requested digest algorithms, so responds with a
+400 error and includes another `Want-Digest` header, listing the algorithms
+that it does support:
 
-
Request:
+    Request:
 
-  GET /item
-  Want-Digest: sha;q=1
+      GET /item
+      Want-Digest: sha;q=1
 
-Response:
+    Response:
 
-  HTTP/1.1 400 Bad Request
-  Want-Digest: sha-256, sha-512

+      HTTP/1.1 400 Bad Request
+      Want-Digest: sha-256, sha-512
 
-
Specifications

+## Specifications
 
-
-  
-    
-  
-  
-    
-  
-
Specification
draft-ietf-httpbis-digest-headers-latest

+| Specification                                                                                                  |
+| -------------------------------------------------------------------------------------------------------------- |
+| [draft-ietf-httpbis-digest-headers-latest](https://datatracker.ietf.org/doc/draft-ietf-httpbis-digest-headers) |
 
-

-  This header was originally defined in RFC 3230,
-  but the definition of "selected representation"
-  in RFC 7231
-  made the original definition inconsistent with current HTTP specifications.
-  When released, The "Resource Digests for HTTP" draft therefore will obsolete RFC 3230
-  and will update the standard to be consistent.
-

+This header was originally defined in [RFC 3230](https://datatracker.ietf.org/doc/html/rfc3230),
+but the definition of "selected representation"
+in [RFC 7231](https://www.rfc-editor.org/info/rfc7231)
+made the original definition inconsistent with current HTTP specifications.
+When released, The "Resource Digests for HTTP" draft therefore will obsolete RFC 3230
+and will update the standard to be consistent.
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Digest")}}
    • 
-

+- {{HTTPHeader("Digest")}}
diff --git a/files/en-us/web/http/headers/warning/index.md b/files/en-us/web/http/headers/warning/index.md
index 709fb96ab8da730..87c06889c74ada1 100644
--- a/files/en-us/web/http/headers/warning/index.md
+++ b/files/en-us/web/http/headers/warning/index.md
@@ -9,29 +9,29 @@ tags:
   - Reference
 browser-compat: http.headers.Warning
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-

-  
Note: The Warning header is soon to be deprecated; see
-    Warning
-      (https://github.com/httpwg/http-core/issues/139) and Warning: header &
-      stale-while-revalidate (https://github.com/whatwg/fetch/issues/913) for more
-    details.

-

+> **Note:** The `Warning` header is soon to be deprecated; see
+> [Warning
+> (https://github.com/httpwg/http-core/issues/139)](https://github.com/httpwg/http-core/issues/139) and [Warning: header &
+> stale-while-revalidate (https://github.com/whatwg/fetch/issues/913)](https://github.com/whatwg/fetch/issues/913) for more
+> details.
 
-
The Warning general HTTP header contains information
-  about possible problems with the status of the message. More than one
-  Warning header may appear in a response.

+The **`Warning`** general HTTP header contains information
+about possible problems with the status of the message. More than one
+`Warning` header may appear in a response.
 
-
Warning header fields can in general be applied to any message, however
-  some warn-codes are specific to caches and can only be applied to response messages.

+`Warning` header fields can in general be applied to any message, however
+some warn-codes are specific to caches and can only be applied to response messages.
 
 
-      
+      
@@ -40,116 +40,66 @@ browser-compat: http.headers.Warning
   

   
     

       Header type{{Glossary("Request header")}}, {{Glossary("Response header")}}
+        {{Glossary("Request header")}},
+        {{Glossary("Response header")}}
+      
     

     

       {{Glossary("Forbidden header name")}}

 

 
-
Syntax

+## Syntax
 
-
Warning: <warn-code> <warn-agent> <warn-text> [<warn-date>]
-

+```html
+Warning:    []
+```
 
-
Directives

+## Directives
 
-

-  
<warn-code>

-  
A three-digit warning number. The first digit indicates whether the
-    Warning is required to be deleted from a stored response after
+- \
+
+  - : A three-digit warning number. The first digit indicates whether the
+    `Warning` is required to be deleted from a stored response after
     validation.
-    
    
-      
  • 1xx warn-codes describe the freshness or validation status of the
-        response and will be deleted by a cache after deletion.
    • 
-      
  • 
-        
    2xx warn-codes describe some aspect of the representation that is
-          not rectified by a validation and won't be deleted by a cache after validation
-          unless a full response is sent.
    
-      
    • 
-    

-  

-  
<warn-agent>

-  

-    
The name or pseudonym of the server or software adding the Warning
-      header (might be "-" when the agent is unknown).

-  

-  
<warn-text>

-  
Advisory text describing the error.

-  
<warn-date>

-  
Optional. If more than one Warning header is sent, include a date that
-    matches the {{HTTPHeader("Date")}} header.

-

-
-
Warning codes

-
-
The HTTP Warn
-    Codes registry at iana.org defines the namespace for warn codes.

-
-
-  
-    
-      
-      
-      
-    
-  
-  
-    
-      
-      
-      
-    
-    
-      
-      
-      
-    
-    
-      
-      
-      
-    
-    
-      
-      
-      
-    
-    
-      
-      
-      
-    
-    
-      
-      
-      
-    
-    
-      
-      
-      
-    
-  
-
CodeTextDescription
110Response is StaleA response provided by a cache is stale (the expiration time set for it has
-        passed).
111Revalidation FailedAn attempt to validate the response failed, due to an inability to reach the
-        server.
112Disconnected OperationThe cache is disconnected from the rest of the network.
113Heuristic ExpirationSent If a cache heuristically chose a freshness lifetime greater than 24 hours
-        and the response's age is greater than 24 hours.
199Miscellaneous WarningArbitrary, non-specific warning
214Transformation AppliedAdded by a proxy if it applies any transformation to the representation, such as
-        changing the content-coding, media-type or the like.
299Miscellaneous Persistent WarningSame as 199, but indicating a persistent warning

 
-
Examples

+    - `1xx` warn-codes describe the freshness or validation status of the
+      response and will be deleted by a cache after deletion.
+    - `2xx` warn-codes describe some aspect of the representation that is
+      not rectified by a validation and won't be deleted by a cache after validation
+      unless a full response is sent.
+
+- \
+  - : The name or pseudonym of the server or software adding the `Warning`
+    header (might be "-" when the agent is unknown).
+- \
+  - : Advisory text describing the error.
+- \
+  - : Optional. If more than one `Warning` header is sent, include a date that
+    matches the {{HTTPHeader("Date")}} header.
+
+## Warning codes
+
+The [HTTP Warn
+Codes registry at iana.org](https://www.iana.org/assignments/http-warn-codes/http-warn-codes.xhtml) defines the namespace for warn codes.
+
+| Code | Text                             | Description                                                                                                                           |
+| ---- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
+| 110  | Response is Stale                | A response provided by a cache is stale (the expiration time set for it has passed).                                                  |
+| 111  | Revalidation Failed              | An attempt to validate the response failed, due to an inability to reach the server.                                                  |
+| 112  | Disconnected Operation           | The cache is disconnected from the rest of the network.                                                                               |
+| 113  | Heuristic Expiration             | Sent If a cache heuristically chose a freshness lifetime greater than 24 hours and the response's age is greater than 24 hours.       |
+| 199  | Miscellaneous Warning            | Arbitrary, non-specific warning                                                                                                       |
+| 214  | Transformation Applied           | Added by a proxy if it applies any transformation to the representation, such as changing the content-coding, media-type or the like. |
+| 299  | Miscellaneous Persistent Warning | Same as 199, but indicating a persistent warning                                                                                      |
+
+## Examples
 
-
Warning: 110 anderson/1.3.37 "Response is stale"
+    Warning: 110 anderson/1.3.37 "Response is stale"
 
-Date: Wed, 21 Oct 2015 07:28:00 GMT
-Warning: 112 - "cache down" "Wed, 21 Oct 2015 07:28:00 GMT"
-

+    Date: Wed, 21 Oct 2015 07:28:00 GMT
+    Warning: 112 - "cache down" "Wed, 21 Oct 2015 07:28:00 GMT"
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Date")}}
+- [HTTP response status codes](/en-US/docs/Web/HTTP/Status)
diff --git a/files/en-us/web/http/headers/width/index.md b/files/en-us/web/http/headers/width/index.md
index 46a50f8ac625009..e07e15052802b82 100644
--- a/files/en-us/web/http/headers/width/index.md
+++ b/files/en-us/web/http/headers/width/index.md
@@ -12,77 +12,71 @@ tags:
   - Deprecated
 browser-compat: http.headers.Width
 ---
-
{{HTTPSidebar}} {{deprecated_header}}{{securecontext_header}}

+{{HTTPSidebar}} {{deprecated_header}}{{securecontext_header}}
 
-
The Width {{Glossary("Client hints","device client hint")}} request header field indicates the desired resource width in physical pixels — the intrinsic size of an image. The provided pixel value is a number rounded to the smallest following integer (i.e. ceiling value).

+The **`Width`** {{Glossary("Client hints","device client hint")}} request header field indicates the desired resource width in physical pixels — the intrinsic size of an image. The provided pixel value is a number rounded to the smallest following integer (i.e. ceiling value).
 
 
-   
-    
-    
-   
-   
-    
-    
-   
+    
+      
+      
+    
+    
+      
+      
+    
- 

   
Header type{{Glossary("Request header")}}, {{Glossary("Client hints","Client hint")}}
{{Glossary("Forbidden header name")}}no
Header type
+        {{Glossary("Request header")}},
+        {{Glossary("Client hints","Client hint")}}
+      
{{Glossary("Forbidden header name")}}no

   

+
 
-
The hint is particularly useful because it allows the client to request a resource that is optimal for both the screen and the layout: taking into account both the density-corrected width of the screen and the image's extrinsic size within the layout.

+The hint is particularly useful because it allows the client to request a resource that is optimal for both the screen and the layout: taking into account both the density-corrected width of the screen and the image's extrinsic size within the layout.
 
-
If the desired resource width is not known at the time of the request or the resource does not have a display width, the Width header field can be omitted.

+If the desired resource width is not known at the time of the request or the resource does not have a display width, the `Width` header field can be omitted.
 
-
If the Width header appears more than once in a message the last occurrence is used.

+If the `Width` header appears more than once in a message the last occurrence is used.
 
-

-  
Note:

-    
    
-      
  • Client Hints are accessible only on secure origins (via TLS).
    • 
-      
  • A server has to opt in to receive the Width header from the client, by sending the {{HTTPHeader("Accept-CH")}} response header.
    • 
-      
  • Servers that opt in to the Width client hint will typically also specify it in the {{HTTPHeader("Vary")}} header. This informs caches that the server may send different responses based on the header value in a request.
    • 
-      
  • Width was removed from the client hints specification in draft-ietf-httpbis-client-hints-07. The proposed replacement is Sec-CH-Width (Responsive Image Client Hints).
    • 
-    

-

+> **Note:**
+>
+> - Client Hints are accessible only on secure origins (via TLS).
+> - A server has to opt in to receive the `Width` header from the client, by sending the {{HTTPHeader("Accept-CH")}} response header.
+> - Servers that opt in to the `Width` client hint will typically also specify it in the {{HTTPHeader("Vary")}} header. This informs caches that the server may send different responses based on the header value in a request.
+> - `Width` was removed from the client hints specification in [draft-ietf-httpbis-client-hints-07](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-client-hints-07). The proposed replacement is [`Sec-CH-Width`](https://wicg.github.io/responsive-image-client-hints/#sec-ch-width) (Responsive Image Client Hints).
 
-
Syntax

+## Syntax
 
-
Width: <number>

+    Width: 
 
-
Directives

+## Directives
 
-

- 
 <number>

- 
The width of the resource in physical pixels, rounded up to the nearest integer.

-

+- ``
+  - : The width of the resource in physical pixels, rounded up to the nearest integer.
 
+## Examples
 
-
Examples

+The server first needs to opt in to receive the `Width` header by sending the response headers {{HTTPHeader("Accept-CH")}} containing `Width`.
 
-
The server first needs to opt in to receive the Width header by sending the response headers {{HTTPHeader("Accept-CH")}} containing Width.

+    Accept-CH: Width
 
-
Accept-CH: Width

+Then on subsequent requests the client might send `Width` header back:
 
-
Then on subsequent requests the client might send Width header back:

+    Width: 1920
 
-
Width: 1920

+## Browser compatibility
 
-
Browser compatibility

+{{Compat}}
 
-
{{Compat}}

+## See also
 
-
See also

+- [Adapting to Users with Client Hints](https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/client-hints) (developer.google.com)
+- Device client hints
 
-
+  - {{HTTPHeader("Content-DPR")}}
+  - {{HTTPHeader("Device-Memory")}}
+  - {{HTTPHeader("DPR")}}
+  - {{HTTPHeader("Viewport-Width")}}
+
+- {{HTTPHeader("Accept-CH")}}
+- [HTTP Caching > Varying responses](/en-US/docs/Web/HTTP/Caching#varying_responses) and {{HTTPHeader("Vary")}}
diff --git a/files/en-us/web/http/headers/www-authenticate/index.md b/files/en-us/web/http/headers/www-authenticate/index.md
index d94b017c3426e4d..c3251a52367939f 100644
--- a/files/en-us/web/http/headers/www-authenticate/index.md
+++ b/files/en-us/web/http/headers/www-authenticate/index.md
@@ -9,64 +9,60 @@ tags:
   - header
 browser-compat: http.headers.WWW-Authenticate
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP WWW-Authenticate response header defines the authentication method that should be used to gain access to a resource.

+The HTTP **`WWW-Authenticate`** response header defines the authentication method that should be used to gain access to a resource.
 
-
The WWW-Authenticate header is sent along with a {{HTTPStatus("401")}} Unauthorized response.

+The `WWW-Authenticate` header is sent along with a {{HTTPStatus("401")}} `Unauthorized` response.
 
 
-	
-		
-			
-			
-		
-		
-			
-			
-		
-	
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
WWW-Authenticate: <type> realm=<realm>[, charset="UTF-8"]
-

+```html
+WWW-Authenticate:  realm=[, charset="UTF-8"]
+```
 
-
Directives

+## Directives
 
-

-	
<type>

-	
Authentication type. A common type is "Basic". IANA maintains a list of Authentication schemes.

-	
realm=<realm>

-	
A description of the protected area. If no realm is specified, clients often display a formatted hostname instead.

-	
charset=<charset>

-	
Tells the client the server's preferred encoding scheme when submitting a username and password. The only allowed value is the case insensitive string "UTF-8". This does not relate to the encoding of the realm string.

-

+- \
+  - : [Authentication type](/en-US/docs/Web/HTTP/Authentication#authentication_schemes). A common type is ["Basic"](/en-US/docs/Web/HTTP/Authentication#basic_authentication_scheme). IANA maintains a [list of Authentication schemes](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml).
+- realm=\
+  - : A description of the protected area. If no realm is specified, clients often display a formatted hostname instead.
+- charset=\
+  - : Tells the client the server's preferred encoding scheme when submitting a username and password. The only allowed value is the case insensitive string "UTF-8". This does not relate to the encoding of the realm string.
 
-
Examples

+## Examples
 
-
Typically, a server response contains a WWW-Authenticate header that looks like this:

+Typically, a server response contains a `WWW-Authenticate` header that looks like this:
 
-
WWW-Authenticate: Basic realm="Access to the staging site", charset="UTF-8"
-

+    WWW-Authenticate: Basic realm="Access to the staging site", charset="UTF-8"
 
-
See also HTTP authentication for examples on how to configure Apache or nginx servers to password protect your site with HTTP basic authentication.

+See also [HTTP authentication](/en-US/docs/Web/HTTP/Authentication) for examples on how to configure Apache or nginx servers to password protect your site with HTTP basic authentication.
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-	
  • HTTP authentication
    • 
-	
  • {{HTTPHeader("Authorization")}}
    • 
-	
  • {{HTTPHeader("Proxy-Authorization")}}
    • 
-	
  • {{HTTPHeader("Proxy-Authenticate")}}
    • 
-	
  • {{HTTPStatus("401")}}, {{HTTPStatus("403")}}, {{HTTPStatus("407")}}
    • 
-

+- [HTTP authentication](/en-US/docs/Web/HTTP/Authentication)
+- {{HTTPHeader("Authorization")}}
+- {{HTTPHeader("Proxy-Authorization")}}
+- {{HTTPHeader("Proxy-Authenticate")}}
+- {{HTTPStatus("401")}}, {{HTTPStatus("403")}}, {{HTTPStatus("407")}}
diff --git a/files/en-us/web/http/headers/x-content-type-options/index.md b/files/en-us/web/http/headers/x-content-type-options/index.md
index ceaed505a5dba5e..fe767860bbd4235 100644
--- a/files/en-us/web/http/headers/x-content-type-options/index.md
+++ b/files/en-us/web/http/headers/x-content-type-options/index.md
@@ -8,37 +8,33 @@ tags:
   - Response Header
 browser-compat: http.headers.X-Content-Type-Options
 ---
-
{{HTTPSidebar}}

-
-
The X-Content-Type-Options response HTTP header is a
-  marker used by the server to indicate that the MIME types advertised in the
-  {{HTTPHeader("Content-Type")}} headers should not be changed and be followed. This is a
-  way to opt out of MIME type
-    sniffing, or, in other words, to say that the MIME types are deliberately
-  configured.

-
-
This header was introduced by Microsoft in IE 8 as a way for webmasters to block
-  content sniffing that was happening and could transform non-executable MIME types into
-  executable MIME types. Since then, other browsers have introduced it, even if their MIME
-  sniffing algorithms were less aggressive.

-
-
Starting with Firefox 72, the opting out of MIME sniffing is also applied to top-level
-  documents if a {{HTTPHeader("Content-type")}} is provided. This can cause HTML web pages
-  to be downloaded instead of being rendered when they are served with a MIME type other
-  than text/html. Make sure to set both headers correctly.

-
-
Site security testers usually expect this header to be set.

-
-

-  
Note: X-Content-Type-Options only apply
-    request-blocking due to nosniff
-    for request destinations of "script"
-    and "style". However, it also
-    enables Cross-Origin Read Blocking (CORB)
-    protection for HTML, TXT, JSON and XML files (excluding SVG image/svg+xml).

-

+{{HTTPSidebar}}
+
+The **`X-Content-Type-Options`** response HTTP header is a
+marker used by the server to indicate that the [MIME types](/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types) advertised in the
+{{HTTPHeader("Content-Type")}} headers should not be changed and be followed. This is a
+way to opt out of [MIME type
+sniffing](/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#mime_sniffing), or, in other words, to say that the MIME types are deliberately
+configured.
+
+This header was introduced by Microsoft in IE 8 as a way for webmasters to block
+content sniffing that was happening and could transform non-executable MIME types into
+executable MIME types. Since then, other browsers have introduced it, even if their MIME
+sniffing algorithms were less aggressive.
+
+Starting with Firefox 72, the opting out of MIME sniffing is also applied to top-level
+documents if a {{HTTPHeader("Content-type")}} is provided. This can cause HTML web pages
+to be downloaded instead of being rendered when they are served with a MIME type other
+than `text/html`. Make sure to set both headers correctly.
+
+Site security testers usually expect this header to be set.
+
+> **Note:** `X-Content-Type-Options` only apply
+> [request-blocking due to `nosniff`](https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff?)
+> for [request destinations](https://fetch.spec.whatwg.org/#concept-request-destination) of "`script`"
+> and "`style`". However, it also
+> [enables Cross-Origin Read Blocking (CORB)](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md#determining-whether-a-response-is-corb_protected)
+> protection for HTML, TXT, JSON and XML files (excluding SVG `image/svg+xml`).
 
 
@@ -53,51 +49,41 @@ browser-compat: http.headers.X-Content-Type-Options
   

   
 

 
-
Syntax

+## Syntax
 
-
X-Content-Type-Options: nosniff
-

+```html
+X-Content-Type-Options: nosniff
+```
 
-
Directives

+## Directives
 
-

-  
nosniff

-  
Blocks a request if the request destination is of type
-    style and the MIME type is not text/css,
-    or of type script and the MIME type is not a JavaScript MIME type.
-  

-

+- `nosniff`
+  - : Blocks a request if the request destination is of type
+    `style` and the MIME type is not `text/css`,
+    or of type `script` and the MIME type is not a [JavaScript MIME type](https://html.spec.whatwg.org/multipage/scripting.html#javascript-mime-type).
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

-
-
{{Compat}}

-
-
Browser specific notes

-
-
    
-  
  • Firefox 72 enables X-Content-Type-Options: nosniff for top-level
-    documents
    • 
-

-
-
See also

-
-
+## Browser compatibility
+
+{{Compat}}
+
+### Browser specific notes
+
+- Firefox 72 enables `X-Content-Type-Options: nosniff` for top-level
+  documents
+
+## See also
+
+- {{HTTPHeader("Content-Type")}}
+- The [original
+  definition](https://blogs.msdn.microsoft.com/ie/2008/09/02/ie8-security-part-vi-beta-2-update/) of X-Content-Type-Options by Microsoft.
+- The [Mozilla Observatory](https://observatory.mozilla.org/) tool testing
+  the configuration (including this header) of Web sites for safety and security
+- [Mitigating
+  MIME Confusion Attacks in Firefox](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/)
+- [Cross-Origin Read Blocking (CORB)](https://fetch.spec.whatwg.org/#corb)
+- [Google
+  Docs CORB explainer](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md)
diff --git a/files/en-us/web/http/headers/x-dns-prefetch-control/index.md b/files/en-us/web/http/headers/x-dns-prefetch-control/index.md
index 4cce7c1fff7d584..622d7d981a30c9c 100644
--- a/files/en-us/web/http/headers/x-dns-prefetch-control/index.md
+++ b/files/en-us/web/http/headers/x-dns-prefetch-control/index.md
@@ -2,22 +2,22 @@
 title: X-DNS-Prefetch-Control
 slug: Web/HTTP/Headers/X-DNS-Prefetch-Control
 tags:
-- DNS
-- HTTP
-- X-DNS-Prefetch-Control
-- header
+  - DNS
+  - HTTP
+  - X-DNS-Prefetch-Control
+  - header
 browser-compat: http.headers.X-DNS-Prefetch-Control
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The X-DNS-Prefetch-Control HTTP response header controls
-  DNS prefetching, a feature by which browsers proactively perform domain name resolution
-  on both links that the user may choose to follow as well as URLs for items referenced by
-  the document, including images, CSS, JavaScript, and so forth.

+The **`X-DNS-Prefetch-Control`** HTTP response header controls
+DNS prefetching, a feature by which browsers proactively perform domain name resolution
+on both links that the user may choose to follow as well as URLs for items referenced by
+the document, including images, CSS, JavaScript, and so forth.
 
-
This prefetching is performed in the background, so that the {{glossary("DNS")}} is
-  likely to have been resolved by the time the referenced items are needed. This reduces
-  latency when the user clicks a link.

+This prefetching is performed in the background, so that the {{glossary("DNS")}} is
+likely to have been resolved by the time the referenced items are needed. This reduces
+latency when the user clicks a link.
 
 
@@ -32,95 +32,94 @@ browser-compat: http.headers.X-DNS-Prefetch-Control
   

   
 

 
-
Syntax

+## Syntax
 
-
X-DNS-Prefetch-Control: on
+```html
+X-DNS-Prefetch-Control: on
 X-DNS-Prefetch-Control: off
-

+```
 
-
Directives

+### Directives
 
-

-  
on

-  
Enables DNS prefetching. This is what browsers do, if they support the feature, when
-    this header is not present

-  
off

-  
Disables DNS prefetching. This is useful if you don't control the link on the pages,
-    or know that you don't want to leak information to these domains.

-

+- on
+  - : Enables DNS prefetching. This is what browsers do, if they support the feature, when
+    this header is not present
+- off
+  - : Disables DNS prefetching. This is useful if you don't control the link on the pages,
+    or know that you don't want to leak information to these domains.
 
-
Description

+## Description
 
-
DNS requests are very small in terms of bandwidth, but latency can be quite high,
-  especially on mobile networks. By speculatively prefetching DNS results, latency can be
-  reduced significantly at certain times, such as when the user clicks the link. In some
-  cases, latency can be reduced by a second.

+DNS requests are very small in terms of bandwidth, but latency can be quite high,
+especially on mobile networks. By speculatively prefetching DNS results, latency can be
+reduced significantly at certain times, such as when the user clicks the link. In some
+cases, latency can be reduced by a second.
 
-
The implementation of this prefetching in some browsers allows domain name resolution
-  to occur in parallel with (instead of in serial with) the fetching of actual page
-  content. By doing this, the high-latency domain name resolution process doesn't cause
-  any delay while fetching content.

+The implementation of this prefetching in some browsers allows domain name resolution
+to occur in parallel with (instead of in serial with) the fetching of actual page
+content. By doing this, the high-latency domain name resolution process doesn't cause
+any delay while fetching content.
 
-
Page load times – especially on mobile networks – can be measurably improved in this
-  way. If the domain names for images can be resolved in advance of the images being
-  requested, pages that load many images can see an improvement of 5% or more in the time
-  of loading images.

+Page load times – especially on mobile networks – can be measurably improved in this
+way. If the domain names for images can be resolved in advance of the images being
+requested, pages that load many images can see an improvement of 5% or more in the time
+of loading images.
 
-
Configuring prefetching in the browser
-

+### Configuring prefetching in the browser
 
-
In general, you don't need to do anything to manage prefetching. However, the user may
-  wish to disable prefetching. On Firefox, this can be done by setting the
-  network.dns.disablePrefetch preference to true.

+In general, you don't need to do anything to manage prefetching. However, the user may
+wish to disable prefetching. On Firefox, this can be done by setting the
+`network.dns.disablePrefetch` preference to `true`.
 
-
Also, by default, prefetching of embedded link hostnames is not performed on documents
-  loaded over {{glossary("HTTPS")}}. On Firefox, this can be changed by setting the
-  network.dns.disablePrefetchFromHTTPS preference to false.

+Also, by default, prefetching of embedded link hostnames is not performed on documents
+loaded over {{glossary("HTTPS")}}. On Firefox, this can be changed by setting the
+`network.dns.disablePrefetchFromHTTPS` preference to `false`.
 
-
Examples

+## Examples
 
-
Turning on and off prefetching

+### Turning on and off prefetching
 
-
You can either send the X-DNS-Prefetch-Control header server-side, or from
-  individual documents, using the {{ htmlattrxref("http-equiv", "meta") }} attribute on
-  the {{ HTMLElement("meta") }} element, like this:

+You can either send the `X-DNS-Prefetch-Control` header server-side, or from
+individual documents, using the {{ htmlattrxref("http-equiv", "meta") }} attribute on
+the {{ HTMLElement("meta") }} element, like this:
 
-
<meta http-equiv="x-dns-prefetch-control" content="off">
-

+```html
+
+```
 
-
You can reverse this setting by setting content to "on".

+You can reverse this setting by setting `content` to "`on`".
 
-
Forcing lookup of specific hostnames

+### Forcing lookup of specific hostnames
 
-
You can force the lookup of specific hostnames without providing specific anchors using
-  that hostname by using the {{ htmlattrxref("rel","link") }} attribute on the {{
-  HTMLElement("link") }} element with a link
-    type of dns-prefetch:

+You can force the lookup of specific hostnames without providing specific anchors using
+that hostname by using the {{ htmlattrxref("rel","link") }} attribute on the {{
+  HTMLElement("link") }} element with a [link
+type](/en-US/docs/Web/HTML/Link_types) of `dns-prefetch`:
 
-
<link rel="dns-prefetch" href="https://www.mozilla.org/contribute/">
-

+```html
+
+```
 
-
In this example, the domain name www.mozilla.org/contribute will be pre-resolved.

+In this example, the domain name `www.mozilla.org/contribute` will be pre-resolved.
 
-
Similarly, the link element can be used to resolve hostnames without providing a
-  complete URL, but only, by preceding the hostname with two slashes:

+Similarly, the link element can be used to resolve hostnames without providing a
+complete URL, but only, by preceding the hostname with two slashes:
 
-
<link rel="dns-prefetch" href="//www.mozilla.org/contribute/">
-

+```html
+
+```
 
-
Forced prefetching of hostnames might be useful, for example, on the homepage of a site
-  to force pre-resolution of domain names that are referenced frequently throughout the
-  site even though they are not used on the home page itself. This will improve the
-  overall performance of site even though the performance of the home page may not be
-  affected.

+Forced prefetching of hostnames might be useful, for example, on the homepage of a site
+to force pre-resolution of domain names that are referenced frequently throughout the
+site even though they are not used on the home page itself. This will improve the
+overall performance of site even though the performance of the home page may not be
+affected.
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [DNS Prefetching for Firefox (blog post)](https://bitsup.blogspot.com/2008/11/dns-prefetching-for-firefox.html)
+- [Google Chrome handles DNS prefetching control](https://dev.chromium.org/developers/design-documents/dns-prefetching)
diff --git a/files/en-us/web/http/headers/x-forwarded-for/index.md b/files/en-us/web/http/headers/x-forwarded-for/index.md
index 42d7e09d52e3c41..e716071f899dc4c 100644
--- a/files/en-us/web/http/headers/x-forwarded-for/index.md
+++ b/files/en-us/web/http/headers/x-forwarded-for/index.md
@@ -2,33 +2,32 @@
 title: X-Forwarded-For
 slug: Web/HTTP/Headers/X-Forwarded-For
 tags:
-- HTTP
-- HTTP Header
-- Non-standard
-- Reference
-- Request header
-- header
+  - HTTP
+  - HTTP Header
+  - Non-standard
+  - Reference
+  - Request header
+  - header
 browser-compat: http.headers.X-Forwarded-For
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The X-Forwarded-For (XFF) header is a de-facto standard
-  header for identifying the originating IP address of a client connecting to a web server
-  through an HTTP proxy or a load balancer. When traffic is intercepted between clients
-  and servers, server access logs contain the IP address of the proxy or load balancer
-  only. To see the original IP address of the client, the X-Forwarded-For
-  request header is used.

+The **`X-Forwarded-For`** (XFF) header is a de-facto standard
+header for identifying the originating IP address of a client connecting to a web server
+through an HTTP proxy or a load balancer. When traffic is intercepted between clients
+and servers, server access logs contain the IP address of the proxy or load balancer
+only. To see the original IP address of the client, the `X-Forwarded-For`
+request header is used.
 
-
This header is used for debugging, statistics, and generating location-dependent
-  content and by design it exposes privacy sensitive information, such as the IP address
-  of the client. Therefore the user's privacy must be kept in mind when deploying this
-  header.

+This header is used for debugging, statistics, and generating location-dependent
+content and by design it exposes privacy sensitive information, such as the IP address
+of the client. Therefore the user's privacy must be kept in mind when deploying this
+header.
 
-
A standardized version of this header is the HTTP {{HTTPHeader("Forwarded")}} header.
-

+A standardized version of this header is the HTTP {{HTTPHeader("Forwarded")}} header.
 
-
X-Forwarded-For is also an email-header indicating that an email-message
-  was forwarded from another account.

+`X-Forwarded-For` is also an email-header indicating that an email-message
+was forwarded from another account.
 
 
@@ -43,51 +42,46 @@ browser-compat: http.headers.X-Forwarded-For
   

   
 

 
-
Syntax

+## Syntax
 
-
X-Forwarded-For: <client>, <proxy1>, <proxy2>
-

+```html
+X-Forwarded-For: , , 
+```
 
-
Directives

+## Directives
 
-

-  
<client>

-  
The client IP address

-  
<proxy1>, <proxy2>

-  
If a request goes through multiple proxies, the IP addresses of each successive
+- \
+  - : The client IP address
+- \, \
+  - : If a request goes through multiple proxies, the IP addresses of each successive
     proxy is listed. This means, the right-most IP address is the IP address of the most
     recent proxy and the left-most IP address is the IP address of the originating client.
-  

-

 
-
Examples

+## Examples
 
-
X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348
+    X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348
 
-X-Forwarded-For: 203.0.113.195
+    X-Forwarded-For: 203.0.113.195
 
-X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178
-

+    X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178
 
-
Other non-standard forms:

+Other non-standard forms:
 
-
# Used for some Google services
-X-ProxyUser-Ip: 203.0.113.19

+    # Used for some Google services
+    X-ProxyUser-Ip: 203.0.113.19
 
-
Specifications

+## Specifications
 
-
Not part of any current specification. The standardized version of this header is
-  {{HTTPHeader("Forwarded")}}.

+Not part of any current specification. The standardized version of this header is
+{{HTTPHeader("Forwarded")}}.
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Forwarded")}}
    • 
-  
  • {{HTTPHeader("X-Forwarded-Host")}}
    • 
-  
  • {{HTTPHeader("X-Forwarded-Proto")}}
    • 
-  
  • {{HTTPHeader("Via")}}
    • 
-

+- {{HTTPHeader("Forwarded")}}
+- {{HTTPHeader("X-Forwarded-Host")}}
+- {{HTTPHeader("X-Forwarded-Proto")}}
+- {{HTTPHeader("Via")}}
diff --git a/files/en-us/web/http/headers/x-forwarded-host/index.md b/files/en-us/web/http/headers/x-forwarded-host/index.md
index 30e5fe043bbf079..b79ca66e5c3c696 100644
--- a/files/en-us/web/http/headers/x-forwarded-host/index.md
+++ b/files/en-us/web/http/headers/x-forwarded-host/index.md
@@ -2,31 +2,30 @@
 title: X-Forwarded-Host
 slug: Web/HTTP/Headers/X-Forwarded-Host
 tags:
-- HTTP
-- HTTP Header
-- Non-standard
-- Reference
-- Request header
-- header
+  - HTTP
+  - HTTP Header
+  - Non-standard
+  - Reference
+  - Request header
+  - header
 browser-compat: http.headers.X-Forwarded-Host
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The X-Forwarded-Host (XFH) header is a de-facto standard
-  header for identifying the original host requested by the client in the
-  {{HTTPHeader("Host")}} HTTP request header.

+The **`X-Forwarded-Host`** (XFH) header is a de-facto standard
+header for identifying the original host requested by the client in the
+{{HTTPHeader("Host")}} HTTP request header.
 
-
Host names and ports of reverse proxies (load balancers, CDNs) may differ from the
-  origin server handling the request, in that case the X-Forwarded-Host
-  header is useful to determine which Host was originally used.

+Host names and ports of reverse proxies (load balancers, CDNs) may differ from the
+origin server handling the request, in that case the `X-Forwarded-Host`
+header is useful to determine which Host was originally used.
 
-
This header is used for debugging, statistics, and generating location-dependent
-  content and by design it exposes privacy sensitive information, such as the IP address
-  of the client. Therefore the user's privacy must be kept in mind when deploying this
-  header.

+This header is used for debugging, statistics, and generating location-dependent
+content and by design it exposes privacy sensitive information, such as the IP address
+of the client. Therefore the user's privacy must be kept in mind when deploying this
+header.
 
-
A standardized version of this header is the HTTP {{HTTPHeader("Forwarded")}} header.
-

+A standardized version of this header is the HTTP {{HTTPHeader("Forwarded")}} header.
 
 
@@ -41,37 +40,33 @@ browser-compat: http.headers.X-Forwarded-Host
   

   
 

 
-
Syntax

+## Syntax
 
-
X-Forwarded-Host: <host>
-

+```html
+X-Forwarded-Host: 
+```
 
-
Directives

+## Directives
 
-

-  
<host>

-  
The domain name of the forwarded server.

-

+- \
+  - : The domain name of the forwarded server.
 
-
Examples

+## Examples
 
-
X-Forwarded-Host: id42.example-cdn.com
-

+    X-Forwarded-Host: id42.example-cdn.com
 
-
Specifications

+## Specifications
 
-
Not part of any current specification. The standardized version of this header is
-  {{HTTPHeader("Forwarded")}}.

+Not part of any current specification. The standardized version of this header is
+{{HTTPHeader("Forwarded")}}.
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Host")}}
    • 
-  
  • {{HTTPHeader("Forwarded")}}
    • 
-  
  • {{HTTPHeader("X-Forwarded-For")}}
    • 
-  
  • {{HTTPHeader("X-Forwarded-Proto")}}
    • 
-

+- {{HTTPHeader("Host")}}
+- {{HTTPHeader("Forwarded")}}
+- {{HTTPHeader("X-Forwarded-For")}}
+- {{HTTPHeader("X-Forwarded-Proto")}}
diff --git a/files/en-us/web/http/headers/x-forwarded-proto/index.md b/files/en-us/web/http/headers/x-forwarded-proto/index.md
index ff36ac9b1779db5..b1c66eddd3dc19e 100644
--- a/files/en-us/web/http/headers/x-forwarded-proto/index.md
+++ b/files/en-us/web/http/headers/x-forwarded-proto/index.md
@@ -2,25 +2,24 @@
 title: X-Forwarded-Proto
 slug: Web/HTTP/Headers/X-Forwarded-Proto
 tags:
-- HTTP
-- HTTP Header
-- Non-standard
-- Reference
-- Request header
-- header
+  - HTTP
+  - HTTP Header
+  - Non-standard
+  - Reference
+  - Request header
+  - header
 browser-compat: http.headers.X-Forwarded-Proto
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The X-Forwarded-Proto (XFP) header is a de-facto standard
-  header for identifying the protocol (HTTP or HTTPS) that a client used to connect to
-  your proxy or load balancer. Your server access logs contain the protocol used between
-  the server and the load balancer, but not the protocol used between the client and the
-  load balancer. To determine the protocol used between the client and the load balancer,
-  the X-Forwarded-Proto request header can be used.

+The **`X-Forwarded-Proto`** (XFP) header is a de-facto standard
+header for identifying the protocol (HTTP or HTTPS) that a client used to connect to
+your proxy or load balancer. Your server access logs contain the protocol used between
+the server and the load balancer, but not the protocol used between the client and the
+load balancer. To determine the protocol used between the client and the load balancer,
+the `X-Forwarded-Proto` request header can be used.
 
-
A standardized version of this header is the HTTP {{HTTPHeader("Forwarded")}} header.
-

+A standardized version of this header is the HTTP {{HTTPHeader("Forwarded")}} header.
 
 
@@ -35,45 +34,41 @@ browser-compat: http.headers.X-Forwarded-Proto
   

   
 

 
-
Syntax

+## Syntax
 
-
X-Forwarded-Proto: <protocol>
-

+```html
+X-Forwarded-Proto: 
+```
 
-
Directives

+## Directives
 
-

-  
<protocol>

-  
The forwarded protocol (http or https).

-

+- \
+  - : The forwarded protocol (http or https).
 
-
Examples

+## Examples
 
-
X-Forwarded-Proto: https

+    X-Forwarded-Proto: https
 
-
Other non-standard forms:

+Other non-standard forms:
 
-
# Microsoft
-Front-End-Https: on
+    # Microsoft
+    Front-End-Https: on
 
-X-Forwarded-Protocol: https
-X-Forwarded-Ssl: on
-X-Url-Scheme: https
-

+    X-Forwarded-Protocol: https
+    X-Forwarded-Ssl: on
+    X-Url-Scheme: https
 
-
Specifications

+## Specifications
 
-
Not part of any current specification. The standardized version of this header is
-  {{HTTPHeader("Forwarded")}}.

+Not part of any current specification. The standardized version of this header is
+{{HTTPHeader("Forwarded")}}.
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Forwarded")}}
    • 
-  
  • {{HTTPHeader("X-Forwarded-For")}}
    • 
-  
  • {{HTTPHeader("X-Forwarded-Host")}}
    • 
-

+- {{HTTPHeader("Forwarded")}}
+- {{HTTPHeader("X-Forwarded-For")}}
+- {{HTTPHeader("X-Forwarded-Host")}}
diff --git a/files/en-us/web/http/headers/x-frame-options/index.md b/files/en-us/web/http/headers/x-frame-options/index.md
index 7422c9d9e3d55b7..4039cdd84063c8f 100644
--- a/files/en-us/web/http/headers/x-frame-options/index.md
+++ b/files/en-us/web/http/headers/x-frame-options/index.md
@@ -10,134 +10,123 @@ tags:
   - nginx
 browser-compat: http.headers.X-Frame-Options
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a {{HTMLElement("frame")}}, {{HTMLElement("iframe")}}, {{HTMLElement("embed")}} or {{HTMLElement("object")}}. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

+The **`X-Frame-Options`** [HTTP](/en-US/docs/Web/HTTP) response header can be used to indicate whether or not a browser should be allowed to render a page in a {{HTMLElement("frame")}}, {{HTMLElement("iframe")}}, {{HTMLElement("embed")}} or {{HTMLElement("object")}}. Sites can use this to avoid [click-jacking](/en-US/docs/Web/Security/Types_of_attacks#click-jacking) attacks, by ensuring that their content is not embedded into other sites.
 
-
The added security is provided only if the user accessing the document is using a browser that supports X-Frame-Options.

+The added security is provided only if the user accessing the document is using a browser that supports `X-Frame-Options`.
 
-

-  
Note: The {{HTTPHeader("Content-Security-Policy")}} HTTP header has a {{HTTPHeader("Content-Security-Policy/frame-ancestors", "frame-ancestors")}} directive which obsoletes this header for supporting browsers.

-

+> **Note:** The {{HTTPHeader("Content-Security-Policy")}} HTTP header has a {{HTTPHeader("Content-Security-Policy/frame-ancestors", "frame-ancestors")}} directive which [obsoletes](https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options) this header for supporting browsers.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
There are two possible directives for X-Frame-Options:

+There are two possible directives for `X-Frame-Options`:
 
-
X-Frame-Options: DENY
+```html
+X-Frame-Options: DENY
 X-Frame-Options: SAMEORIGIN
-

+```
 
-
Directives

+### Directives
 
-
If you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.

+If you specify `DENY`, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify `SAMEORIGIN`, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.
 
-

- 
DENY

- 
The page cannot be displayed in a frame, regardless of the site attempting to do so.

- 
SAMEORIGIN

- 
The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin (see {{bug(725490)}}). Also see {{anch("Browser compatibility")}} for support details.

- 
ALLOW-FROM uri {{deprecated_inline}}

- 
This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin uri. Note that in the legacy Firefox implementation this still suffered from the same problem as SAMEORIGIN did — it doesn't check the frame ancestors to see if they are in the same origin. The {{HTTPHeader("Content-Security-Policy")}} HTTP header has a {{HTTPHeader("Content-Security-Policy/frame-ancestors", "frame-ancestors")}} directive which you can use instead.

-

+- `DENY`
+  - : The page cannot be displayed in a frame, regardless of the site attempting to do so.
+- `SAMEORIGIN`
+  - : The page can only be displayed in a frame on the same origin as the page itself. The spec leaves it up to browser vendors to decide whether this option applies to the top level, the parent, or the whole chain, although it is argued that the option is not very useful unless all ancestors are also in the same origin (see {{bug(725490)}}). Also see {{anch("Browser compatibility")}} for support details.
+- `ALLOW-FROM uri` {{deprecated_inline}}
+  - : This is an obsolete directive that no longer works in modern browsers. Don't use it. In supporting legacy browsers, a page can be displayed in a frame only on the specified origin _uri_. Note that in the legacy Firefox implementation this still suffered from the same problem as `SAMEORIGIN` did — it doesn't check the frame ancestors to see if they are in the same origin. The {{HTTPHeader("Content-Security-Policy")}} HTTP header has a {{HTTPHeader("Content-Security-Policy/frame-ancestors", "frame-ancestors")}} directive which you can use instead.
 
-
Examples

+## Examples
 
-

-  
Note: Setting X-Frame-Options inside the {{HTMLElement("meta")}} element is useless! For instance, <meta http-equiv="X-Frame-Options" content="deny"> has no effect. Do not use it! X-Frame-Options works only by setting through the HTTP header, as in the examples below.

-

+> **Note:** Setting X-Frame-Options inside the {{HTMLElement("meta")}} element is useless! For instance, `` has no effect. Do not use it! `X-Frame-Options` works only by setting through the HTTP header, as in the examples below.
 
-
Configuring Apache

+### Configuring Apache
 
-
To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration:

+To configure Apache to send the `X-Frame-Options` header for all pages, add this to your site's configuration:
 
-
Header always set X-Frame-Options "SAMEORIGIN"
-

+    Header always set X-Frame-Options "SAMEORIGIN"
 
-
To configure Apache to set the X-Frame-Options DENY, add this to your site's configuration:

+To configure Apache to set the `X-Frame-Options` DENY, add this to your site's configuration:
 
-
Header set X-Frame-Options "DENY"
-

+    Header set X-Frame-Options "DENY"
 
-
Configuring nginx

+### Configuring nginx
 
-
To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:

+To configure nginx to send the `X-Frame-Options` header, add this either to your http, server or location configuration:
 
-
add_header X-Frame-Options SAMEORIGIN always;
-

+    add_header X-Frame-Options SAMEORIGIN always;
 
-
Configuring IIS

+### Configuring IIS
 
-
To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file:

+To configure IIS to send the `X-Frame-Options` header, add this to your site's `Web.config` file:
 
-
<system.webServer>
-  ...
+    
+      ...
 
-  <httpProtocol>
-    <customHeaders>
-      <add name="X-Frame-Options" value="SAMEORIGIN" />
-    </customHeaders>
-  </httpProtocol>
+      
+        
+          
+        
+      
 
-  ...
-</system.webServer>
-

+      ...
+    
 
-
Or see this Microsoft support article on setting this configuration using the IIS Manager user interface.

+Or see this [Microsoft support article on setting this configuration using the IIS Manager](https://support.office.com/en-us/article/Mitigating-framesniffing-with-the-X-Frame-Options-header-1911411b-b51e-49fd-9441-e8301dcdcd79) user interface.
 
-
Configuring HAProxy

+### Configuring HAProxy
 
-
To configure HAProxy to send the X-Frame-Options header, add this to your front-end, listen, or backend configuration:

+To configure HAProxy to send the `X-Frame-Options` header, add this to your front-end, listen, or backend configuration:
 
-
rspadd X-Frame-Options:\ SAMEORIGIN
-

+    rspadd X-Frame-Options:\ SAMEORIGIN
 
-
Alternatively, in newer versions:

+Alternatively, in newer versions:
 
-
http-response set-header X-Frame-Options SAMEORIGIN
-

+    http-response set-header X-Frame-Options SAMEORIGIN
 
-
Configuring Express

+### Configuring Express
 
-
To configure Express to send the X-Frame-Options header, you can use helmet which uses frameguard to set the header. Add this to your server configuration:

+To configure Express to send the `X-Frame-Options` header, you can use [helmet](https://helmetjs.github.io/) which uses [frameguard](https://helmetjs.github.io/docs/frameguard/) to set the header. Add this to your server configuration:
 
-
const helmet = require('helmet');
+```js
+const helmet = require('helmet');
 const app = express();
 app.use(helmet.frameguard({ action: 'SAMEORIGIN' }));
-

+```
 
-
Alternatively, you can use frameguard directly:

+Alternatively, you can use frameguard directly:
 
-
const frameguard = require('frameguard')
+```js
+const frameguard = require('frameguard')
 app.use(frameguard({ action: 'SAMEORIGIN' }))
-

+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Content-Security-Policy")}} directive {{HTTPHeader("Content-Security-Policy/frame-ancestors", "frame-ancestors")}}
+- [HTTP Header Field X-Frame-Options - RFC 7034](https://datatracker.ietf.org/doc/html/rfc7034)
+- [ClickJacking Defenses - IEBlog](https://docs.microsoft.com/en-us/archive/blogs/ie/ie8-security-part-vii-clickjacking-defenses)
+- [Combating ClickJacking with X-Frame-Options - IEInternals](https://docs.microsoft.com/en-us/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options)
diff --git a/files/en-us/web/http/headers/x-xss-protection/index.md b/files/en-us/web/http/headers/x-xss-protection/index.md
index 6dd11007e2e6b3c..98430f9562e238c 100644
--- a/files/en-us/web/http/headers/x-xss-protection/index.md
+++ b/files/en-us/web/http/headers/x-xss-protection/index.md
@@ -9,87 +9,86 @@ tags:
   - header
 browser-compat: http.headers.X-XSS-Protection
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting ({{Glossary("Cross-site_scripting", "XSS")}}) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong {{HTTPHeader("Content-Security-Policy")}} that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support {{Glossary("CSP")}}.

+The HTTP **`X-XSS-Protection`** response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting ({{Glossary("Cross-site_scripting", "XSS")}}) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong {{HTTPHeader("Content-Security-Policy")}} that disables the use of inline JavaScript (`'unsafe-inline'`), they can still provide protections for users of older web browsers that don't yet support {{Glossary("CSP")}}.
 
-

-  
Note: 

-  
-  
This means that if you do not need to support legacy browsers, it is recommended that you use Content-Security-Policy without allowing unsafe-inline scripts instead.

-

+> **Note:**
+>
+> - Chrome has [removed their XSS Auditor](https://www.chromestatus.com/feature/5021976655560704)
+> - Firefox has not, and [will not implement `X-XSS-Protection`](https://bugzilla.mozilla.org/show_bug.cgi?id=528661)
+> - Edge has [retired their XSS filter](https://blogs.windows.com/windowsexperience/2018/07/25/announcing-windows-10-insider-preview-build-17723-and-build-18204/)
+>
+> This means that if you do not need to support legacy browsers, it is recommended that you use [`Content-Security-Policy`](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) without allowing `unsafe-inline` scripts instead.
 
 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
+  
+    
+      
+      
+    
+    
+      
+      
+    
+  
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no
Header type{{Glossary("Response header")}}
{{Glossary("Forbidden header name")}}no

 

 
-
Syntax

+## Syntax
 
-
X-XSS-Protection: 0
+```html
+X-XSS-Protection: 0
 X-XSS-Protection: 1
 X-XSS-Protection: 1; mode=block
-X-XSS-Protection: 1; report=<reporting-uri>
-

+X-XSS-Protection: 1; report=
+```
 
-

- 
0

- 
Disables XSS filtering.

- 
1

- 
Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).

- 
1; mode=block

- 
Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.

- 
1; report=<reporting-URI> (Chromium only)

- 
Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP {{CSP("report-uri")}} directive to send a report.

-

+- 0
+  - : Disables XSS filtering.
+- 1
+  - : Enables XSS filtering (usually default in browsers). If a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).
+- 1; mode=block
+  - : Enables XSS filtering. Rather than sanitizing the page, the browser will prevent rendering of the page if an attack is detected.
+- 1; report=\ (Chromium only)
+  - : Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page and report the violation. This uses the functionality of the CSP {{CSP("report-uri")}} directive to send a report.
 
-
Example

+## Example
 
-
Block pages from loading when they detect reflected XSS attacks:

+Block pages from loading when they detect reflected XSS attacks:
 
-
X-XSS-Protection: 1; mode=block

+```bash
+X-XSS-Protection: 1; mode=block
+```
 
-
PHP

+PHP
 
-
header("X-XSS-Protection: 1; mode=block");

+    header("X-XSS-Protection: 1; mode=block");
 
-
Apache (.htaccess)

+Apache (.htaccess)
 
-
<IfModule mod_headers.c>
+```bash
+
   Header set X-XSS-Protection "1; mode=block"
-</IfModule>

+
+```
 
-
Nginx

+Nginx
 
-
add_header "X-XSS-Protection" "1; mode=block";

+```bash
+add_header "X-XSS-Protection" "1; mode=block";
+```
 
-
Specifications

+## Specifications
 
-
Not part of any specifications or drafts.

+Not part of any specifications or drafts.
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Content-Security-Policy")}}
+- [Controlling the XSS Filter – Microsoft](https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/)
+- [Understanding XSS Auditor – Virtue Security](https://www.virtuesecurity.com/blog/understanding-xss-auditor/)
+- [The misunderstood X-XSS-Protection – blog.innerht.ml](https://blog.innerht.ml/the-misunderstood-x-xss-protection/)
diff --git a/files/en-us/web/http/index.md b/files/en-us/web/http/index.md
index 16ab8e672993625..978a835a4814cf4 100644
--- a/files/en-us/web/http/index.md
+++ b/files/en-us/web/http/index.md
@@ -10,63 +10,55 @@ tags:
   - Web Development
   - l10n:priority
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
Hypertext Transfer Protocol (HTTP) is an application-layer protocol for transmitting hypermedia documents, such as HTML. It was designed for communication between web browsers and web servers, but it can also be used for other purposes. HTTP follows a classical client-server model, with a client opening a connection to make a request, then waiting until it receives a response. HTTP is a stateless protocol, meaning that the server does not keep any data (state) between two requests.

+**_Hypertext Transfer Protocol (HTTP)_** is an [application-layer](https://en.wikipedia.org/wiki/Application_Layer) protocol for transmitting hypermedia documents, such as HTML. It was designed for communication between web browsers and web servers, but it can also be used for other purposes. HTTP follows a classical [client-server model](https://en.wikipedia.org/wiki/Client%E2%80%93server_model), with a client opening a connection to make a request, then waiting until it receives a response. HTTP is a [stateless protocol](https://en.wikipedia.org/wiki/Stateless_protocol), meaning that the server does not keep any data (state) between two requests.
 
-
Tutorials

+## Tutorials
 
-
Learn how to use HTTP with guides and tutorials.

+Learn how to use HTTP with guides and tutorials.
 
-

- 
Overview of HTTP

- 
The basic features of the client-server protocol: what it can do and its intended uses.

- 
HTTP Cache

- 
Caching is very important for fast Web sites. This article describes different methods of caching and how to use HTTP Headers to control them.

- 
HTTP Cookies

- 
How cookies work is defined by RFC 6265. When serving an HTTP request, a server can send a Set-Cookie HTTP header with the response. The client then returns the cookie's value with every request to the same server in the form of a Cookie request header. The cookie can also be set to expire on a certain date, or restricted to a specific domain and path.

- 
Cross-Origin Resource Sharing (CORS)

- 
Cross-site HTTP requests are HTTP requests for resources from a different domain than the domain of the resource making the request. For instance, an HTML page from Domain A (http://domaina.example/) makes a request for an image on Domain B (http://domainb.foo/image.jpg) via the img element. Web pages today very commonly load cross-site resources, including CSS stylesheets, images, scripts, and other resources. CORS allows web developers to control how their site reacts to cross-site requests.

- 
Evolution of HTTP

- 
A brief description of the changes between the early versions of HTTP, to the modern HTTP/2, the emergent HTTP/3 and beyond.

- 
Mozilla web security guidelines

- 
A collection of tips to help operational teams with creating secure web applications.

- 
HTTP Messages

- 
Describes the type and structure of the different kind of messages of HTTP/1.x and HTTP/2.

- 
A typical HTTP session

- 
Shows and explains the flow of a usual HTTP session.

- 
Connection management in HTTP/1.x

- 
Describes the three connection management models available in HTTP/1.x, their strengths, and their weaknesses.

-

+- [Overview of HTTP](/en-US/docs/Web/HTTP/Overview)
+  - : The basic features of the client-server protocol: what it can do and its intended uses.
+- [HTTP Cache](/en-US/docs/Web/HTTP/Caching)
+  - : Caching is very important for fast Web sites. This article describes different methods of caching and how to use HTTP Headers to control them.
+- [HTTP Cookies](/en-US/docs/Web/HTTP/Cookies)
+  - : How cookies work is defined by [RFC 6265](https://datatracker.ietf.org/doc/html/rfc6265). When serving an HTTP request, a server can send a `Set-Cookie` HTTP header with the response. The client then returns the cookie's value with every request to the same server in the form of a `Cookie` request header. The cookie can also be set to expire on a certain date, or restricted to a specific domain and path.
+- [Cross-Origin Resource Sharing (CORS)](/en-US/docs/Web/HTTP/CORS)
+  - : **Cross-site HTTP requests** are HTTP requests for resources from a **different domain** than the domain of the resource making the request. For instance, an HTML page from Domain A (`http://domaina.example/`) makes a request for an image on Domain B (`http://domainb.foo/image.jpg`) via the `img` element. Web pages today very commonly load cross-site resources, including CSS stylesheets, images, scripts, and other resources. CORS allows web developers to control how their site reacts to cross-site requests.
+- [Evolution of HTTP](/en-US/docs/Web/HTTP/Basics_of_HTTP/Evolution_of_HTTP)
+  - : A brief description of the changes between the early versions of HTTP, to the modern HTTP/2, the emergent HTTP/3 and beyond.
+- [Mozilla web security guidelines](https://wiki.mozilla.org/Security/Guidelines/Web_Security)
+  - : A collection of tips to help operational teams with creating secure web applications.
+- [HTTP Messages](/en-US/docs/Web/HTTP/Messages)
+  - : Describes the type and structure of the different kind of messages of HTTP/1.x and HTTP/2.
+- [A typical HTTP session](/en-US/docs/Web/HTTP/Session)
+  - : Shows and explains the flow of a usual HTTP session.
+- [Connection management in HTTP/1.x](/en-US/docs/Web/HTTP/Connection_management_in_HTTP_1.x)
+  - : Describes the three connection management models available in HTTP/1.x, their strengths, and their weaknesses.
 
-
Reference

+## Reference
 
-
Browse through detailed HTTP reference documentation.

+Browse through detailed HTTP reference documentation.
 
-

- 
HTTP Headers

- 
HTTP message headers are used to describe a resource, or the behavior of the server or the client. Header fields are kept in an IANA registry. IANA also maintains a registry of proposed new HTTP message headers.

- 
HTTP Request Methods

- 
The different operations that can be done with HTTP: {{HTTPMethod("GET")}}, {{HTTPMethod("POST")}}, and also less common requests like {{HTTPMethod("OPTIONS")}}, {{HTTPMethod("DELETE")}}, or {{HTTPMethod("TRACE")}}.

- 
HTTP Status Response Codes

- 
HTTP response codes indicate whether a specific HTTP request has been successfully completed. Responses are grouped in five classes: informational responses, successful responses, redirections, client errors, and servers errors.

- 
CSP directives

- 
The {{HTTPHeader("Content-Security-Policy")}} response header fields allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints.

-

+- [HTTP Headers](/en-US/docs/Web/HTTP/Headers)
+  - : HTTP message headers are used to describe a resource, or the behavior of the server or the client. Header fields are kept in an [IANA registry](https://www.iana.org/assignments/message-headers/message-headers.xhtml#perm-headers). IANA also maintains a [registry of proposed new HTTP message headers](https://www.iana.org/assignments/message-headers/message-headers.xhtml#prov-headers).
+- [HTTP Request Methods](/en-US/docs/Web/HTTP/Methods)
+  - : The different operations that can be done with HTTP: {{HTTPMethod("GET")}}, {{HTTPMethod("POST")}}, and also less common requests like {{HTTPMethod("OPTIONS")}}, {{HTTPMethod("DELETE")}}, or {{HTTPMethod("TRACE")}}.
+- [HTTP Status Response Codes](/en-US/docs/Web/HTTP/Status)
+  - : HTTP response codes indicate whether a specific HTTP request has been successfully completed. Responses are grouped in five classes: informational responses, successful responses, redirections, client errors, and servers errors.
+- [CSP directives](/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
+  - : The {{HTTPHeader("Content-Security-Policy")}} response header fields allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints.
 
-
Tools & resources

+## Tools & resources
 
-
Helpful tools and resources for understanding and debugging HTTP.

+Helpful tools and resources for understanding and debugging HTTP.
 
-

- 
Firefox Developer Tools

- 
Network monitor

- 
Mozilla Observatory

- 

- 
A project designed to help developers, system administrators, and security professionals configure their sites safely and securely.

- 

- 
RedBot

- 
Tools to check your cache-related headers

- 
How Browsers Work

- 
A very comprehensive article on browser internals and request flow through HTTP protocol. A MUST-READ for any web developer.

-

+- [Firefox Developer Tools](/en-US/docs/Tools)
+  - : [Network monitor](/en-US/docs/Tools/Network_Monitor)
+- [Mozilla Observatory](https://observatory.mozilla.org/)
+  - : A project designed to help developers, system administrators, and security professionals configure their sites safely and securely.
+- [RedBot](https://redbot.org/)
+  - : Tools to check your cache-related headers
+- [How Browsers Work](https://www.html5rocks.com/en/tutorials/internals/howbrowserswork/)
+  - : A very comprehensive article on browser internals and request flow through HTTP protocol. A MUST-READ for any web developer.
diff --git a/files/en-us/web/http/index/index.md b/files/en-us/web/http/index/index.md
index 61291d6d7e2aaa8..884c79a1f44ee50 100644
--- a/files/en-us/web/http/index/index.md
+++ b/files/en-us/web/http/index/index.md
@@ -5,8 +5,8 @@ tags:
   - HTTP
   - Index
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
This page lists all MDN HTTP pages along with their summary and tags.

+This page lists all MDN HTTP pages along with their summary and tags.
 
-
{{Index("/en-US/docs/Web/HTTP")}}

+{{Index("/en-US/docs/Web/HTTP")}}
diff --git a/files/en-us/web/http/link_prefetching_faq/index.md b/files/en-us/web/http/link_prefetching_faq/index.md
index a350cbe1f8fd8f2..e31a7366a628c40 100644
--- a/files/en-us/web/http/link_prefetching_faq/index.md
+++ b/files/en-us/web/http/link_prefetching_faq/index.md
@@ -11,114 +11,108 @@ tags:
   - Prefetch
   - Web Development
 ---
-
+### What is link prefetching?
 
-
Link prefetching is a browser mechanism, which utilizes browser idle time to download or prefetch documents that the user might visit in the near future. A web page provides a set of prefetching hints to the browser, and after the browser is finished loading the page, it begins silently prefetching specified documents and stores them in its cache. When the user visits one of the prefetched documents, it can be served up quickly out of the browser's cache.

+Link prefetching is a browser mechanism, which utilizes browser idle time to download or _prefetch_ documents that the user might visit in the near future. A web page provides a set of prefetching hints to the browser, and after the browser is finished loading the page, it begins silently prefetching specified documents and stores them in its cache. When the user visits one of the prefetched documents, it can be served up quickly out of the browser's cache.
 
-
Does prefetching work with HTTPS?

+### Does prefetching work with HTTPS?
 
-
Starting in Gecko 1.9.1 (Firefox 3.5), HTTPS content can be prefetched.

+Starting in Gecko 1.9.1 (Firefox 3.5), HTTPS content can be prefetched.
 
-
What are the prefetching hints?

+### What are the prefetching hints?
 
-
The browser looks for either an HTML {{ HTMLElement("link") }} or an HTTP Link: header with a relation type of either next or prefetch. An example using the link tag follows:

+The browser looks for either an HTML {{ HTMLElement("link") }} or an [HTTP `Link:` header](/en-US/docs/Web/HTTP/Headers "HTTP headers") with a relation type of either `next` or `prefetch`. An example using the `link` tag follows:
 
-
<link rel="prefetch" href="/images/big.jpeg">
-

+    
 
-
The same prefetching hint using an HTTP Link: header:

+The same prefetching hint using an HTTP `Link:` header:
 
-
Link: </images/big.jpeg>; rel=prefetch
-

+    Link: ; rel=prefetch
 
-
The format for the Link: header is described in RFC 5988 section 5.

+The format for the `Link:` header is described in [RFC 5988](https://datatracker.ietf.org/doc/html/rfc5988) section 5.
 
-
The browser observes all of these hints and queues up each unique request to be prefetched when the browser is idle. There can be multiple hints per page, as it might make sense to prefetch multiple documents. For example, the next document might contain several large images.

+The browser observes all of these hints and queues up each unique request to be prefetched when the browser is idle. There can be multiple hints per page, as it might make sense to prefetch multiple documents. For example, the next document might contain several large images.
 
-
Some more examples follow:

+Some more examples follow:
 
-
<link rel="prefetch alternate stylesheet" title="Designed for Mozilla" href="mozspecific.css">
-<link rel="next" href="2.html">
-

+    
+    
 
-
Are anchor (<a>) tags prefetched?

+### Are anchor (\) tags prefetched?
 
-
No, only <link> tags with a relation type of next or prefetch are prefetched. However, if there is sufficient interest, we may expand link prefetching support to include prefetching <a> tags, which include a relation type of next or prefetch in the future. Doing so would probably help content providers avoid the problem of stale prefetching links.

+No, only `` tags with a relation type of `next` or `prefetch` are prefetched. However, if there is sufficient interest, we may expand link prefetching support to include prefetching \ tags, which include a relation type of `next` or `prefetch` in the future. Doing so would probably help content providers avoid the problem of stale prefetching links.
 
-
+### Is link prefetching standards compliant?
 
-
Yes, link prefetching as outlined in this document does not violate any existing web standards. In fact, the HTML 4.01 specification explicitly allows for the definition of new link relation types (see Section 6.12: Link types). However, the exact mechanism employed by Mozilla is not yet standardized. An Internet-Draft is in the works.

+Yes, link prefetching as outlined in this document does not violate any existing web standards. In fact, the HTML 4.01 specification explicitly allows for the definition of new link relation types ([see Section 6.12: Link types](https://www.w3.org/TR/html4/types.html#type-links)). However, the exact mechanism employed by Mozilla is not yet standardized. An Internet-Draft is in the works.
 
-
Standardization of this technique is part of the scope of HTML 5, see the current working draft, section §5.11.3.13. Link type "prefetch" .

+Standardization of this technique is part of the scope of HTML 5, see the current working draft, [section §5.11.3.13. Link type "prefetch"](https://www.whatwg.org/specs/web-apps/current-work/#link-type-prefetch) .
 
-
How is browser idle time determined?

+### How is browser idle time determined?
 
-
In the current implementation (Mozilla 1.2), idle time is determined using the nsIWebProgressListener API. We attach a listener to the toplevel nsIWebProgress object ("@mozilla.org/docloaderservice;1"). From this, we receive document start & stop notifications, and we approximate idle time as the period between the last document stop and the next document start. The last document stop notification occurs roughly when the onLoad handler would fire for the toplevel document. This is when we kick off prefetch requests. If a subframe contains prefetching hints, prefetching will not begin until the top-most frame and all its "child" frames finish loading.

+In the current implementation (Mozilla 1.2), idle time is determined using the `nsIWebProgressListener` API. We attach a listener to the toplevel `nsIWebProgress` object ("@mozilla.org/docloaderservice;1"). From this, we receive document start & stop notifications, and we approximate idle time as the period between the last document stop and the next document start. The last document stop notification occurs roughly when the onLoad handler would fire for the toplevel document. This is when we kick off prefetch requests. If a subframe contains prefetching hints, prefetching will not begin until the top-most frame and all its "child" frames finish loading.
 
-
+### What happens if I click on a link while something is being prefetched?
 
-
When the user clicks on a link, or initiates any kind of page load, link prefetching will stop and any prefetch hints will be discarded. If a prefetched document is partially downloaded, then the partial document will still be stored in the cache provided the server sent an "Accept-Ranges: bytes" response header. This header is typically generated by webservers when serving up static content. When the user visits a prefetched document for real, the remaining portion of the document will be fetched using a HTTP byte-range request.

+When the user clicks on a link, or initiates any kind of page load, link prefetching will stop and any prefetch hints will be discarded. If a prefetched document is partially downloaded, then the partial document will still be stored in the cache provided the server sent an "Accept-Ranges: bytes" response header. This header is typically generated by webservers when serving up static content. When the user visits a prefetched document for real, the remaining portion of the document will be fetched using a HTTP byte-range request.
 
-
+### What if I'm downloading something in the background? Will link prefetching compete for bandwidth?
 
-
Yes and no. If you are downloading something using Mozilla, link prefetching will be delayed until any background downloads complete. For example, if you load a bookmark group (which opens several tabs), any prefetch requests initiated by one of the bookmarked pages will not begin until all of the tabs finish loading. If you are using another application which uses the network, link prefetching in Mozilla may compete for bandwidth with the other application. This is a problem that we hope to address in the future by leveraging operating system services to monitor network idle time.

+Yes and no. If you are downloading something using Mozilla, link prefetching will be delayed until any background downloads complete. For example, if you load a bookmark group (which opens several tabs), any prefetch requests initiated by one of the bookmarked pages will not begin until all of the tabs finish loading. If you are using another application which uses the network, link prefetching in Mozilla may compete for bandwidth with the other application. This is a problem that we hope to address in the future by leveraging operating system services to monitor network idle time.
 
-
Are there any restrictions on what is prefetched?

+### Are there any restrictions on what is prefetched?
 
-
Yes, only http:// (and, starting in {{ Gecko("1.9.1") }} https://) URLs can be prefetched. Other protocols (such as FTP) do not provide rich enough support for client side caching.

+Yes, only `http://` (and, starting in {{ Gecko("1.9.1") }} `https://`) URLs can be prefetched. Other protocols (such as FTP) do not provide rich enough support for client side caching.
 
-
Will Mozilla prefetch documents from a different host?

+### Will Mozilla prefetch documents from a different host?
 
-
Yes. There is no same-origin restriction for link prefetching. Limiting prefetching to only URLs from the same server would not offer any increased browser security.

+Yes. There is no same-origin restriction for link prefetching. Limiting prefetching to only URLs from the same server would not offer any increased browser security.
 
-
Do prefetched requests contain a Referer: header?

+### Do prefetched requests contain a Referer: header?
 
-
Yes, prefetched requests include a HTTP Referer: header indicating the document from which the prefetching hint was extracted.

+Yes, prefetched requests include a HTTP `Referer:` header indicating the document from which the prefetching hint was extracted.
 
-
This may impact referrer tracking that is commonly used on many sites. For this reason, link prefetching may not be appropriate for all content. However, it is possible to instruct Mozilla to validate a prefetched document when the user follows a href to the prefetched document by specifying the Cache-control: must-revalidate HTTP response header. This header enables caching, but requires an If-Modified-Since or If-None-Match validation request before the serving the document out of the browser's cache.

+This may impact referrer tracking that is commonly used on many sites. For this reason, link prefetching may not be appropriate for all content. However, it is possible to instruct Mozilla to validate a prefetched document when the user follows a href to the prefetched document by specifying the `Cache-control: must-revalidate` HTTP response header. This header enables caching, but requires an `If-Modified-Since` or `If-None-Match` validation request before the serving the document out of the browser's cache.
 
-
As a server admin, can I distinguish prefetch requests from normal requests?

+### As a server admin, can I distinguish prefetch requests from normal requests?
 
-
Yes, we send the following header along with each prefetch request:

+Yes, we send the following header along with each prefetch request:
 
-
X-moz: prefetch

+    X-moz: prefetch
 
-
Of course, this request header is not at all standardized, and it may change in future Mozilla releases. Chrome uses "X-Purpose: prefetch" or "Purpose: prefetch" header.

+Of course, this request header is not at all standardized, and it may change in future Mozilla releases. Chrome uses "X-Purpose: prefetch" or "Purpose: prefetch" [header](https://bugs.webkit.org/show_bug.cgi?id=46529).
 
-
+### Is there a preference to disable link prefetching?
 
-
Yes, there is a hidden preference that you can set to disable link prefetching. Add this line to your prefs.js file located in your profile directory (or make the appropriate change via about:config:

+Yes, there is a hidden preference that you can set to disable link prefetching. Add this line to your prefs.js file located in your profile directory (or make the appropriate change via `about:config`:
 
-
user_pref("network.prefetch-next", false);
-

+    user_pref("network.prefetch-next", false);
 
-
However, the theory is that if link prefetching needs to be disabled then there must be something wrong with the implementation. We would rather improve the implementation if it does not work correctly, than expect users to locate and tweak some obscure preference.

+However, the theory is that if link prefetching needs to be disabled then there must be something wrong with the implementation. We would rather improve the implementation if it does not work correctly, than expect users to locate and tweak some obscure preference.
 
-
What about folks who pay-per-byte for network bandwidth?

+### What about folks who pay-per-byte for network bandwidth?
 
-
Basically, there are two ways of looking at this issue: websites can already cause things to be silently downloaded using JS/DOM hacks. Prefetching is a browser feature; users should be able to disable it easily.

+Basically, there are two ways of looking at this issue: websites can already cause things to be silently downloaded using JS/DOM hacks. Prefetching is a browser feature; users should be able to disable it easily.
 
-
It is important that websites adopt <link> tag based prefetching instead of trying to roll-in silent downloading using various JS/DOM hacks. The <link> tag gives the browser the ability to know what sites are up to, and we can use this information to better prioritize document prefetching. The user preference to disable <link> tag prefetching may encourage websites to stick with JS/DOM hacks, and that would not be good for users. This is one reason why prefetching is enabled by default.

+It is important that websites adopt `` tag based prefetching instead of trying to roll-in silent downloading using various JS/DOM hacks. The `` tag gives the browser the ability to know what sites are up to, and we can use this information to better prioritize document prefetching. The user preference to disable `` tag prefetching may encourage websites to stick with JS/DOM hacks, and that would not be good for users. This is one reason why prefetching is enabled by default.
 
-
+### Which browsers support link prefetching?
 
-
Browsers based on Mozilla 1.2 (or later) as well as browsers based on Mozilla 1.0.2 (or later) support prefetching. This includes Firefox and Netscape 7.01+. Camino builds as of March 2003 are based on Mozilla 1.0.1, and therefore do not support prefetching. Test your browser to see if it supports Link Prefetching.

+Browsers based on Mozilla 1.2 (or later) as well as browsers based on Mozilla 1.0.2 (or later) support prefetching. This includes Firefox and Netscape 7.01+. Camino builds as of March 2003 are based on Mozilla 1.0.1, and therefore do not support prefetching. [Test](https://gemal.dk/browserspy/prefetch.php) your browser to see if it supports Link Prefetching.
 
-
Privacy implications

+### Privacy implications
 
-
Along with the referral and URL-following implications already mentioned above, prefetching will generally cause the cookies of the prefetched site to be accessed. (For example, if you google amazon, the google results page will prefetch www.amazon.com, causing amazon cookies to be sent back and forth. You can block 3rd party cookies in Firefox, see Disabling third party cookies.)

+Along with the referral and URL-following implications already mentioned above, prefetching will generally cause the cookies of the prefetched site to be accessed. (For example, if you google amazon, the google results page will prefetch `www.amazon.com`, causing amazon cookies to be sent back and forth. You can block 3rd party cookies in Firefox, see [Disabling third party cookies](https://support.mozilla.com/en-US/kb/Disabling%20third%20party%20cookies).)
 
-
What about...?

+### What about...?
 
-
If you have any questions or comments about link prefetching, please feel free to send them my way :-)

+If you have any questions or comments about link prefetching, please feel free to send them my way :-)
 
-
See also

+#### See also
 
-
Prefetching Hints

+[Prefetching Hints](https://www.edochan.com/programming/pf.htm)
 
-
Original Document Information

+## Original Document Information
 
-
    
- 
  • Author(s): Darin Fisher (darin at meer dot net)
    • 
- 
  • Last Updated Date: Updated: March 3, 2003
    • 
-

+- Author(s): Darin Fisher (darin at meer dot net)
+- Last Updated Date: Updated: March 3, 2003
diff --git a/files/en-us/web/http/messages/index.md b/files/en-us/web/http/messages/index.md
index 090ab2fe1941808..e8c31e020bb8203 100644
--- a/files/en-us/web/http/messages/index.md
+++ b/files/en-us/web/http/messages/index.md
@@ -6,138 +6,118 @@ tags:
   - HTTP
   - WebMechanics
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
HTTP messages are how data is exchanged between a server and a client. There are two types of messages: requests sent by the client to trigger an action on the server, and responses, the answer from the server.

+HTTP messages are how data is exchanged between a server and a client. There are two types of messages: _requests_ sent by the client to trigger an action on the server, and _responses_, the answer from the server.
 
-
HTTP messages are composed of textual information encoded in ASCII, and span over multiple lines. In HTTP/1.1, and earlier versions of the protocol, these messages were openly sent across the connection. In HTTP/2, the once human-readable message is now divided up into HTTP frames, providing optimization and performance improvements.

+HTTP messages are composed of textual information encoded in ASCII, and span over multiple lines. In HTTP/1.1, and earlier versions of the protocol, these messages were openly sent across the connection. In HTTP/2, the once human-readable message is now divided up into HTTP frames, providing optimization and performance improvements.
 
-
Web developers, or webmasters, rarely craft these textual HTTP messages themselves: software, a Web browser, proxy, or Web server, perform this action. They provide HTTP messages through config files (for proxies or servers), APIs (for browsers), or other interfaces.

+Web developers, or webmasters, rarely craft these textual HTTP messages themselves: software, a Web browser, proxy, or Web server, perform this action. They provide HTTP messages through config files (for proxies or servers), APIs (for browsers), or other interfaces.
 
-
From a user-, script-, or server- generated event, an HTTP/1.x msg is generated, and if HTTP/2 is in use, it is binary framed into an HTTP/2 stream, then sent.

+![From a user-, script-, or server- generated event, an HTTP/1.x msg is generated, and if HTTP/2 is in use, it is binary framed into an HTTP/2 stream, then sent.](httpmsg2.png)
 
-
The HTTP/2 binary framing mechanism has been designed to not require any alteration of the APIs or config files applied: it is broadly transparent to the user.

+The HTTP/2 binary framing mechanism has been designed to not require any alteration of the APIs or config files applied: it is broadly transparent to the user.
 
-
HTTP requests, and responses, share similar structure and are composed of:

+HTTP requests, and responses, share similar structure and are composed of:
 
-
    
- 
  1. A start-line describing the requests to be implemented, or its status of whether successful or a failure. This start-line is always a single line.
    2. 
- 
  2. An optional set of HTTP headers specifying the request, or describing the body included in the message.
    3. 
- 
  3. A blank line indicating all meta-information for the request has been sent.
    4. 
- 
  4. An optional body containing data associated with the request (like content of an HTML form), or the document associated with a response. The presence of the body and its size is specified by the start-line and HTTP headers.
    5. 
-

+1.  A _start-line_ describing the requests to be implemented, or its status of whether successful or a failure. This start-line is always a single line.
+2.  An optional set of _HTTP headers_ specifying the request, or describing the body included in the message.
+3.  A blank line indicating all meta-information for the request has been sent.
+4.  An optional _body_ containing data associated with the request (like content of an HTML form), or the document associated with a response. The presence of the body and its size is specified by the start-line and HTTP headers.
 
-
The start-line and HTTP headers of the HTTP message are collectively known as the head of the requests, whereas its payload is known as the body.

+The start-line and HTTP headers of the HTTP message are collectively known as the _head_ of the requests, whereas its payload is known as the _body_.
 
-
Requests and responses share a common structure in HTTP

+![Requests and responses share a common structure in HTTP](httpmsgstructure2.png)
 
-
HTTP Requests

+## HTTP Requests
 
-
Start line

+### Start line
 
-
HTTP requests are messages sent by the client to initiate an action on the server. Their start-line contain three elements:

+HTTP requests are messages sent by the client to initiate an action on the server. Their _start-line_ contain three elements:
 
-
    
- 
  1. An HTTP method, a verb (like {{HTTPMethod("GET")}}, {{HTTPMethod("PUT")}} or {{HTTPMethod("POST")}}) or a noun (like {{HTTPMethod("HEAD")}} or {{HTTPMethod("OPTIONS")}}), that describes the action to be performed. For example, GET indicates that a resource should be fetched or POST means that data is pushed to the server (creating or modifying a resource, or generating a temporary document to send back).
    2. 
- 
  2. The request target, usually a {{glossary("URL")}}, or the absolute path of the protocol, port, and domain are usually characterized by the request context. The format of this request target varies between different HTTP methods. It can be
-  
      
-   
    • An absolute path, ultimately followed by a '?' and query string. This is the most common form, known as the origin form, and is used with GET, POST, HEAD, and OPTIONS methods.
      
-    POST / HTTP/1.1
      
-    GET /background.png HTTP/1.0
      
-    HEAD /test.html?query=alibaba HTTP/1.1
      
-    OPTIONS /anypage.html HTTP/1.0
      • 
-   
    • A complete URL, known as the absolute form, is mostly used with GET when connected to a proxy.
      
-    GET https://developer.mozilla.org/en-US/docs/Web/HTTP/Messages HTTP/1.1
      • 
-   
    • The authority component of a URL, consisting of the domain name and optionally the port (prefixed by a ':'), is called the authority form. It is only used with CONNECT when setting up an HTTP tunnel.
      
-    CONNECT developer.mozilla.org:80 HTTP/1.1
      • 
-   
    • The asterisk form, a simple asterisk ('*') is used with OPTIONS, representing the server as a whole.
      
-    OPTIONS * HTTP/1.1
      • 
-  
    
- 
    3. 
- 
  3. The HTTP version, which defines the structure of the remaining message, acting as an indicator of the expected version to use for the response.
    4. 
-

+1.  An _[HTTP method](/en-US/docs/Web/HTTP/Methods)_, a verb (like {{HTTPMethod("GET")}}, {{HTTPMethod("PUT")}} or {{HTTPMethod("POST")}}) or a noun (like {{HTTPMethod("HEAD")}} or {{HTTPMethod("OPTIONS")}}), that describes the action to be performed. For example, `GET` indicates that a resource should be fetched or `POST` means that data is pushed to the server (creating or modifying a resource, or generating a temporary document to send back).
+2.  The _request target_, usually a {{glossary("URL")}}, or the absolute path of the protocol, port, and domain are usually characterized by the request context. The format of this request target varies between different HTTP methods. It can be
 
-
Headers

+    - An absolute path, ultimately followed by a `'?'` and query string. This is the most common form, known as the _origin form_, and is used with `GET`, `POST`, `HEAD`, and `OPTIONS` methods.
+      `POST / HTTP/1.1 GET /background.png HTTP/1.0 HEAD /test.html?query=alibaba HTTP/1.1 OPTIONS /anypage.html HTTP/1.0`
+    - A complete URL, known as the _absolute form_, is mostly used with `GET` when connected to a proxy.
+      `GET https://developer.mozilla.org/en-US/docs/Web/HTTP/Messages HTTP/1.1`
+    - The authority component of a URL, consisting of the domain name and optionally the port (prefixed by a `':'`), is called the _authority form_. It is only used with `CONNECT` when setting up an HTTP tunnel.
+      `CONNECT developer.mozilla.org:80 HTTP/1.1`
+    - The _asterisk form_, a simple asterisk (`'*'`) is used with `OPTIONS`, representing the server as a whole.
+      `OPTIONS * HTTP/1.1`
 
-
HTTP headers from a request follow the same basic structure of an HTTP header: a case-insensitive string followed by a colon (':') and a value whose structure depends upon the header. The whole header, including the value, consist of one single line, which can be quite long.

+3.  The _HTTP version_, which defines the structure of the remaining message, acting as an indicator of the expected version to use for the response.
 
-
Many different headers can appear in requests. They can be divided in several groups:

+### Headers
 
-
    
- 
  • {{glossary("General header", "General headers")}}, like {{HTTPHeader("Via")}}, apply to the message as a whole.
    •  
- 
  • {{glossary("Request header", "Request headers")}}, like {{HTTPHeader("User-Agent")}} or {{HTTPHeader("Accept")}}, modify the request by specifying it further (like {{HTTPHeader("Accept-Language")}}), by giving context (like {{HTTPHeader("Referer")}}), or by conditionally restricting it (like {{HTTPHeader("If-None")}}).
    • 
- 
  • {{glossary("Representation header", "Representation headers")}} like {{HTTPHeader("Content-Type")}} that describe the original format of the message data and any encoding applied (only present if the message has a body).
    • 
-

+[HTTP headers](/en-US/docs/Web/HTTP/Headers) from a request follow the same basic structure of an HTTP header: a case-insensitive string followed by a colon (`':'`) and a value whose structure depends upon the header. The whole header, including the value, consist of one single line, which can be quite long.
 
-
Example of headers in an HTTP request

+Many different headers can appear in requests. They can be divided in several groups:
 
-
Body

+- {{glossary("General header", "General headers")}}, like {{HTTPHeader("Via")}}, apply to the message as a whole.
+- {{glossary("Request header", "Request headers")}}, like {{HTTPHeader("User-Agent")}} or {{HTTPHeader("Accept")}}, modify the request by specifying it further (like {{HTTPHeader("Accept-Language")}}), by giving context (like {{HTTPHeader("Referer")}}), or by conditionally restricting it (like {{HTTPHeader("If-None")}}).
+- {{glossary("Representation header", "Representation headers")}} like {{HTTPHeader("Content-Type")}} that describe the original format of the message data and any encoding applied (only present if the message has a body).
 
-
The final part of the request is its body. Not all requests have one: requests fetching resources, like GET, HEAD, DELETE, or OPTIONS, usually don't need one. Some requests send data to the server in order to update it: as often the case with POST requests (containing HTML form data).

+![Example of headers in an HTTP request](http_request_headers3.png)
 
-
Bodies can be broadly divided into two categories:

+### Body
 
-
    
- 
  • Single-resource bodies, consisting of one single file, defined by the two headers: {{HTTPHeader("Content-Type")}} and {{HTTPHeader("Content-Length")}}.
    • 
- 
  • Multiple-resource bodies, consisting of a multipart body, each containing a different bit of information. This is typically associated with HTML Forms.
    • 
-

+The final part of the request is its body. Not all requests have one: requests fetching resources, like `GET`, `HEAD`, `DELETE`, or `OPTIONS`, usually don't need one. Some requests send data to the server in order to update it: as often the case with `POST` requests (containing HTML form data).
 
-
HTTP Responses

+Bodies can be broadly divided into two categories:
 
-
Status line

+- Single-resource bodies, consisting of one single file, defined by the two headers: {{HTTPHeader("Content-Type")}} and {{HTTPHeader("Content-Length")}}.
+- [Multiple-resource bodies](/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#multipartform-data), consisting of a multipart body, each containing a different bit of information. This is typically associated with [HTML Forms](/en-US/docs/Learn/Forms).
 
-
The start line of an HTTP response, called the status line, contains the following information:

+## HTTP Responses
 
-
    
- 
  1. The protocol version, usually HTTP/1.1.
    2. 
- 
  2. A status code, indicating success or failure of the request. Common status codes are {{HTTPStatus("200")}}, {{HTTPStatus("404")}}, or {{HTTPStatus("302")}}
    3. 
- 
  3. A status text. A brief, purely informational, textual description of the status code to help a human understand the HTTP message.
    4. 
-

+### Status line
 
-
A typical status line looks like: HTTP/1.1 404 Not Found.

+The start line of an HTTP response, called the _status line_, contains the following information:
 
-
Headers

+1.  The _protocol version_, usually `HTTP/1.1`.
+2.  A _status code_, indicating success or failure of the request. Common status codes are {{HTTPStatus("200")}}, {{HTTPStatus("404")}}, or {{HTTPStatus("302")}}
+3.  A _status text_. A brief, purely informational, textual description of the status code to help a human understand the HTTP message.
 
-
HTTP headers for responses follow the same structure as any other header: a case-insensitive string followed by a colon (':') and a value whose structure depends upon the type of the header. The whole header, including its value, presents as a single line.

+A typical status line looks like: `HTTP/1.1 404 Not Found`.
 
-
Many different headers can appear in responses. These can be divided into several groups:

+### Headers
 
-
    
- 
  • {{glossary("General header", "General headers")}}, like {{HTTPHeader("Via")}}, apply to the whole message.
    •  
- 
  • {{glossary("Response header", "Response headers")}}, like {{HTTPHeader("Vary")}} and {{HTTPHeader("Accept-Ranges")}}, give additional information about the server which doesn't fit in the status line.
    •   
- 
  • {{glossary("Representation header", "Representation headers")}} like {{HTTPHeader("Content-Type")}} that describe the original format of the message data and any encoding applied (only present if the message has a body).
    • 
-

+[HTTP headers](/en-US/docs/Web/HTTP/Headers) for responses follow the same structure as any other header: a case-insensitive string followed by a colon (`':'`) and a value whose structure depends upon the type of the header. The whole header, including its value, presents as a single line.
 
-
Example of headers in an HTTP response

+Many different headers can appear in responses. These can be divided into several groups:
 
-
Body

+- {{glossary("General header", "General headers")}}, like {{HTTPHeader("Via")}}, apply to the whole message.
+- {{glossary("Response header", "Response headers")}}, like {{HTTPHeader("Vary")}} and {{HTTPHeader("Accept-Ranges")}}, give additional information about the server which doesn't fit in the status line.
+- {{glossary("Representation header", "Representation headers")}} like {{HTTPHeader("Content-Type")}} that describe the original format of the message data and any encoding applied (only present if the message has a body).
 
-
The last part of a response is the body. Not all responses have one: responses with a status code that sufficiently answers the request without the need for corresponding payload (like {{HTTPStatus("201")}} Created or {{HTTPStatus("204")}} No Content) usually don't.

+![Example of headers in an HTTP response](http_response_headers3.png)
 
-
Bodies can be broadly divided into three categories:

+### Body
 
-
    
- 
  • Single-resource bodies, consisting of a single file of known length, defined by the two headers: {{HTTPHeader("Content-Type")}} and {{HTTPHeader("Content-Length")}}.
    • 
- 
  • Single-resource bodies, consisting of a single file of unknown length, encoded by chunks with {{HTTPHeader("Transfer-Encoding")}} set to chunked.
    • 
- 
  • Multiple-resource bodies, consisting of a multipart body, each containing a different section of information. These are relatively rare.
    • 
-

+The last part of a response is the body. Not all responses have one: responses with a status code that sufficiently answers the request without the need for corresponding payload (like {{HTTPStatus("201")}} **`Created`** or {{HTTPStatus("204")}} **`No Content`**) usually don't.
 
-
HTTP/2 Frames

+Bodies can be broadly divided into three categories:
 
-
HTTP/1.x messages have a few drawbacks for performance:

+- Single-resource bodies, consisting of a single file of known length, defined by the two headers: {{HTTPHeader("Content-Type")}} and {{HTTPHeader("Content-Length")}}.
+- Single-resource bodies, consisting of a single file of unknown length, encoded by chunks with {{HTTPHeader("Transfer-Encoding")}} set to `chunked`.
+- [Multiple-resource bodies](/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#multipartform-data), consisting of a multipart body, each containing a different section of information. These are relatively rare.
 
-
    
- 
  • Headers, unlike bodies, are uncompressed.
    • 
- 
  • Headers are often very similar from one message to the next one, yet still repeated across connections.
    • 
- 
  • No multiplexing can be done. Several connections need opening on the same server: and warm TCP connections are more efficient than cold ones.
    • 
-

+## HTTP/2 Frames
 
-
HTTP/2 introduces an extra step: it divides HTTP/1.x messages into frames which are embedded in a stream. Data and header frames are separated, this allows header compression. Several streams can be combined together, a process called multiplexing, allowing more efficient use of underlying TCP connections.

+HTTP/1.x messages have a few drawbacks for performance:
 
-
HTTP/2 modify the HTTP message to divide them in frames (part of a single stream), allowing for more optimization.

+- Headers, unlike bodies, are uncompressed.
+- Headers are often very similar from one message to the next one, yet still repeated across connections.
+- No multiplexing can be done. Several connections need opening on the same server: and warm TCP connections are more efficient than cold ones.
 
-
HTTP frames are now transparent to Web developers. This is an additional step in HTTP/2, between HTTP/1.1 messages and the underlying transport protocol. No changes are needed in the APIs used by Web developers to utilize HTTP frames; when available in both the browser and the server, HTTP/2 is switched on and used.

+HTTP/2 introduces an extra step: it divides HTTP/1.x messages into frames which are embedded in a stream. Data and header frames are separated, this allows header compression. Several streams can be combined together, a process called _multiplexing_, allowing more efficient use of underlying TCP connections.
 
-
Conclusion

+![HTTP/2 modify the HTTP message to divide them in frames (part of a single stream), allowing for more optimization.](binary_framing2.png)
 
-
HTTP messages are the key in using HTTP; their structure is simple, and they are highly extensible. The HTTP/2 framing mechanism adds a new intermediate layer between the HTTP/1.x syntax and the underlying transport protocol, without fundamentally modifying it: building upon proven mechanisms.

+HTTP frames are now transparent to Web developers. This is an additional step in HTTP/2, between HTTP/1.1 messages and the underlying transport protocol. No changes are needed in the APIs used by Web developers to utilize HTTP frames; when available in both the browser and the server, HTTP/2 is switched on and used.
+
+## Conclusion
+
+HTTP messages are the key in using HTTP; their structure is simple, and they are highly extensible. The HTTP/2 framing mechanism adds a new intermediate layer between the HTTP/1.x syntax and the underlying transport protocol, without fundamentally modifying it: building upon proven mechanisms.
diff --git a/files/en-us/web/http/methods/connect/index.md b/files/en-us/web/http/methods/connect/index.md
index e6a31a1e0d6f5a7..840faee8fa0cfdb 100644
--- a/files/en-us/web/http/methods/connect/index.md
+++ b/files/en-us/web/http/methods/connect/index.md
@@ -7,22 +7,20 @@ tags:
   - Request method
 browser-compat: http.methods.CONNECT
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP CONNECT method starts two-way communications
-  with the requested resource. It can be used to open a tunnel.

+The **HTTP `CONNECT` method** starts two-way communications
+with the requested resource. It can be used to open a tunnel.
 
-
For example, the CONNECT method can be used to access websites that use
-  {{Glossary("SSL")}} ({{Glossary("HTTPS")}}). The client asks an HTTP {{Glossary("Proxy
-  server")}} to tunnel the TCP connection to
-  the desired destination. The server then proceeds to make the connection on behalf of
-  the client. Once the connection has been established by the server, the
-  {{Glossary("Proxy server")}} continues to proxy the TCP stream to and
-  from the client.

+For example, the `CONNECT` method can be used to access websites that use
+{{Glossary("SSL")}} ({{Glossary("HTTPS")}}). The client asks an HTTP {{Glossary("Proxy
+  server")}} to tunnel the [TCP]() connection to
+the desired destination. The server then proceeds to make the connection on behalf of
+the client. Once the connection has been established by the server, the
+{{Glossary("Proxy server")}} continues to proxy the [TCP]() stream to and
+from the client.
 
-
CONNECT is a hop-by-hop method.

+`CONNECT` is a hop-by-hop method.
 
 
@@ -47,38 +45,38 @@ browser-compat: http.methods.CONNECT
       
-      

   
No
     

     
Allowed in HTML forms
+      
+        Allowed in HTML forms
       
       No
     

   
 

 
-
Syntax

+## Syntax
 
-
CONNECT www.example.com:443 HTTP/1.1
-

+```html
+CONNECT www.example.com:443 HTTP/1.1
+```
 
-
Example

+## Example
 
-
Some proxy servers might need authority to create a tunnel. See also the
-  {{HTTPHeader("Proxy-Authorization")}} header.

+Some proxy servers might need authority to create a tunnel. See also the
+{{HTTPHeader("Proxy-Authorization")}} header.
 
-
CONNECT server.example.com:80 HTTP/1.1
-Host: server.example.com:80
-Proxy-Authorization: basic aGVsbG86d29ybGQ=

+    CONNECT server.example.com:80 HTTP/1.1
+    Host: server.example.com:80
+    Proxy-Authorization: basic aGVsbG86d29ybGQ=
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{Glossary("Proxy server")}}
    • 
-  
  • {{HTTPHeader("Proxy-Authorization")}}
    • 
-

+- {{Glossary("Proxy server")}}
+- {{HTTPHeader("Proxy-Authorization")}}
diff --git a/files/en-us/web/http/methods/delete/index.md b/files/en-us/web/http/methods/delete/index.md
index 0c1699b9e295000..562b5552e4baeef 100644
--- a/files/en-us/web/http/methods/delete/index.md
+++ b/files/en-us/web/http/methods/delete/index.md
@@ -7,10 +7,10 @@ tags:
   - Request method
 browser-compat: http.methods.DELETE
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP DELETE request method deletes the specified
-  resource.

+The **HTTP `DELETE` request method** deletes the specified
+resource.
 
 
@@ -35,60 +35,58 @@ browser-compat: http.methods.DELETE
       
-      

   
No
     

     
Allowed in HTML forms
+      
+        Allowed in HTML forms
       
       No
     

   
 

 
-
Syntax

+## Syntax
 
-
DELETE /file.html HTTP/1.1
-

+```html
+DELETE /file.html HTTP/1.1
+```
 
-
Example

+## Example
 
-
Request

+### Request
 
-
DELETE /file.html HTTP/1.1
-Host: example.com
-

+    DELETE /file.html HTTP/1.1
+    Host: example.com
 
-
Responses

+### Responses
 
-
If a DELETE method is successfully applied, there are several response
-  status codes possible:

+If a `DELETE` method is successfully applied, there are several response
+status codes possible:
 
-
    
-  
  • A {{HTTPStatus("202")}} (Accepted) status code if the action will
-    likely succeed but has not yet been enacted.
    • 
-  
  • A {{HTTPStatus("204")}} (No Content) status code if the action has been
-    enacted and no further information is to be supplied.
    • 
-  
  • A {{HTTPStatus("200")}} (OK) status code if the action has been enacted
-    and the response message includes a representation describing the status.
    • 
-

+- A {{HTTPStatus("202")}} (`Accepted`) status code if the action will
+  likely succeed but has not yet been enacted.
+- A {{HTTPStatus("204")}} (`No Content`) status code if the action has been
+  enacted and no further information is to be supplied.
+- A {{HTTPStatus("200")}} (`OK`) status code if the action has been enacted
+  and the response message includes a representation describing the status.
 
-
HTTP/1.1 200 OK
-Date: Wed, 21 Oct 2015 07:28:00 GMT
+
 
-<html>
-  <body>
-    <h1>File deleted.</h1>
-  </body>
-</html>

+    HTTP/1.1 200 OK
+    Date: Wed, 21 Oct 2015 07:28:00 GMT
 
-
Specifications

+    
+      
+        
File deleted.

+      
+    
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • HTTP status: {{HTTPStatus("200")}}, {{HTTPStatus("202")}}, {{HTTPStatus("204")}}
-  
    • 
-

+- HTTP status: {{HTTPStatus("200")}}, {{HTTPStatus("202")}}, {{HTTPStatus("204")}}
diff --git a/files/en-us/web/http/methods/get/index.md b/files/en-us/web/http/methods/get/index.md
index 08869dd90657195..57595de0ec3d730 100644
--- a/files/en-us/web/http/methods/get/index.md
+++ b/files/en-us/web/http/methods/get/index.md
@@ -7,13 +7,11 @@ tags:
   - Request method
 browser-compat: http.methods.GET
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP GET method requests a representation of the specified resource. Requests using GET should only be used to request data (they shouldn't include data).

+The **HTTP `GET` method** requests a representation of the specified resource. Requests using `GET` should only be used to request data (they shouldn't include data).
 
-

-  
Note: Sending body/payload in a GET request may cause some existing implementations to reject the request — while not prohibited by the specification, the semantics are undefined. It is better to just avoid sending payloads in GET requests.

-

+> **Note:** Sending body/payload in a `GET` request may cause some existing implementations to reject the request — while not prohibited by the specification, the semantics are undefined. It is better to just avoid sending payloads in `GET` requests.
 
 
@@ -44,23 +42,22 @@ browser-compat: http.methods.GET
   

   
 

 
-
Syntax

+## Syntax
 
-
GET /index.html
-

+```html
+GET /index.html
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • HTTP Headers
    • 
- 
  • {{HTTPHeader("Range")}}
    • 
- 
  • {{HTTPMethod("POST")}}
    • 
-

+- [HTTP Headers](/en-US/docs/Web/HTTP/Headers)
+- {{HTTPHeader("Range")}}
+- {{HTTPMethod("POST")}}
diff --git a/files/en-us/web/http/methods/head/index.md b/files/en-us/web/http/methods/head/index.md
index 4139d67b49e2323..f4c42fbf6049286 100644
--- a/files/en-us/web/http/methods/head/index.md
+++ b/files/en-us/web/http/methods/head/index.md
@@ -7,15 +7,13 @@ tags:
   - Request method
 browser-compat: http.methods.HEAD
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP HEAD method requests the headers that would be returned if the HEAD request's URL was instead requested with the HTTP {{HTTPMethod("GET")}} method. For example, if a URL might produce a large download, a HEAD request could read its {{HTTPHeader("Content-Length")}} header to check the filesize without actually downloading the file.

+The **HTTP `HEAD` method** requests the [headers](/en-US/docs/Web/HTTP/Headers) that would be returned if the `HEAD` request's URL was instead requested with the HTTP {{HTTPMethod("GET")}} method. For example, if a URL might produce a large download, a `HEAD` request could read its {{HTTPHeader("Content-Length")}} header to check the filesize without actually downloading the file.
 
-

-  
Warning: A response to a HEAD method should not have a body. If it has one anyway, that body must be ignored: any {{glossary("Representation header", "representation headers")}} that might describe the erroneous body are instead assumed to describe the response which a similar GET request would have received.

-

+> **Warning:** A response to a `HEAD` method _should not_ have a body. If it has one anyway, that body **must be** ignored: any {{glossary("Representation header", "representation headers")}} that might describe the erroneous body are instead assumed to describe the response which a similar `GET` request would have received.
 
-
If the response to a HEAD request shows that a cached URL response is now outdated, the cached copy is invalidated even if no GET request was made.

+If the response to a `HEAD` request shows that a cached URL response is now outdated, the cached copy is invalidated even if no `GET` request was made.
 
 
@@ -40,27 +38,28 @@ browser-compat: http.methods.HEAD
       
-      
+      

   
Yes
     

     
Allowed in HTML forms
+        Allowed in HTML forms
+      
       No
     

   
 

 
-
Syntax

+## Syntax
 
-
HEAD /index.html
-

+```html
+HEAD /index.html
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPMethod("GET")}}
    • 
-

+- {{HTTPMethod("GET")}}
diff --git a/files/en-us/web/http/methods/index.md b/files/en-us/web/http/methods/index.md
index d558bde85ad998e..7e1f7dc599573ab 100644
--- a/files/en-us/web/http/methods/index.md
+++ b/files/en-us/web/http/methods/index.md
@@ -7,61 +7,40 @@ tags:
   - Reference
 browser-compat: http.methods
 ---
-
{{HTTPSidebar}}

-
-
HTTP defines a set of request methods to indicate the desired action to be performed for a given resource. Although they can also be nouns, these request methods are sometimes referred to as HTTP verbs. Each of them implements a different semantic, but some common features are shared by a group of them: e.g. a request method can be {{glossary("Safe/HTTP", "safe")}}, {{glossary("idempotent")}}, or {{glossary("cacheable")}}.

-
-

- 
GET

- 
The GET method requests a representation of the specified resource. Requests using GET should only retrieve data.

- 
HEAD

- 
The HEAD method asks for a response identical to that of a GET request, but without the response body.

- 
POST

- 
The POST method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server.

- 
PUT

- 
The PUT method replaces all current representations of the target resource with the request payload.

- 
DELETE

- 
The DELETE method deletes the specified resource.

- 
CONNECT

- 
The CONNECT method establishes a tunnel to the server identified by the target resource.

- 
OPTIONS

- 
The OPTIONS method is used to describe the communication options for the target resource.

- 
TRACE

- 
The TRACE method performs a message loop-back test along the path to the target resource.

- 
PATCH

- 
The PATCH method is used to apply partial modifications to a resource.

-

-
-
Specifications

-
-
- 
-  
-   
-   
-   
-  
- 
- 
-  
-   
-   
-   
-  
-  
-   
-   
-   
-  
- 
-
SpecificationTitleComment
{{RFC("7231", "Request methods", "4")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and ContentSpecifies GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE.
{{RFC("5789", "Patch method", "2")}}PATCH Method for HTTPSpecifies PATCH.

-
-
Browser compatibility

-
-
{{Compat}}

-
-
See also

-
-
+{{HTTPSidebar}}
+
+HTTP defines a set of **request methods** to indicate the desired action to be performed for a given resource. Although they can also be nouns, these request methods are sometimes referred to as _HTTP verbs_. Each of them implements a different semantic, but some common features are shared by a group of them: e.g. a request method can be {{glossary("Safe/HTTP", "safe")}}, {{glossary("idempotent")}}, or {{glossary("cacheable")}}.
+
+- [`GET`](/en-US/docs/Web/HTTP/Methods/GET)
+  - : The `GET` method requests a representation of the specified resource. Requests using `GET` should only retrieve data.
+- [`HEAD`](/en-US/docs/Web/HTTP/Methods/HEAD)
+  - : The `HEAD` method asks for a response identical to that of a `GET` request, but without the response body.
+- [`POST`](/en-US/docs/Web/HTTP/Methods/POST)
+  - : The `POST` method is used to submit an entity to the specified resource, often causing a change in state or side effects on the server.
+- [`PUT`](/en-US/docs/Web/HTTP/Methods/PUT)
+  - : The `PUT` method replaces all current representations of the target resource with the request payload.
+- [`DELETE`](/en-US/docs/Web/HTTP/Methods/DELETE)
+  - : The `DELETE` method deletes the specified resource.
+- [`CONNECT`](/en-US/docs/Web/HTTP/Methods/CONNECT)
+  - : The `CONNECT` method establishes a tunnel to the server identified by the target resource.
+- [`OPTIONS`](/en-US/docs/Web/HTTP/Methods/OPTIONS)
+  - : The `OPTIONS` method is used to describe the communication options for the target resource.
+- [`TRACE`](/en-US/docs/Web/HTTP/Methods/TRACE)
+  - : The `TRACE` method performs a message loop-back test along the path to the target resource.
+- [`PATCH`](/en-US/docs/Web/HTTP/Methods/PATCH)
+  - : The `PATCH` method is used to apply partial modifications to a resource.
+
+## Specifications
+
+| Specification                                        | Title                                                         | Comment                                                          |
+| ---------------------------------------------------- | ------------------------------------------------------------- | ---------------------------------------------------------------- |
+| {{RFC("7231", "Request methods", "4")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content | Specifies GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE. |
+| {{RFC("5789", "Patch method", "2")}}     | PATCH Method for HTTP                                         | Specifies PATCH.                                                 |
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- [HTTP headers](/en-US/docs/Web/HTTP/Headers)
diff --git a/files/en-us/web/http/methods/options/index.md b/files/en-us/web/http/methods/options/index.md
index dfac4688be15593..0ba14514819d1d5 100644
--- a/files/en-us/web/http/methods/options/index.md
+++ b/files/en-us/web/http/methods/options/index.md
@@ -7,9 +7,9 @@ tags:
   - Request method
 browser-compat: http.methods.OPTIONS
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP OPTIONS method requests permitted communication options for a given URL or server. A client can specify a URL with this method, or an asterisk (*) to refer to the entire server.

+The **HTTP `OPTIONS` method** requests permitted communication options for a given URL or server. A client can specify a URL with this method, or an asterisk (`*`) to refer to the entire server.
 
 
@@ -40,83 +40,83 @@ browser-compat: http.methods.OPTIONS
   

   
 

 
-
Syntax

+## Syntax
 
-
OPTIONS /index.html HTTP/1.1
+```html
+OPTIONS /index.html HTTP/1.1
 OPTIONS * HTTP/1.1
-

-
-
Examples

-
-
Identifying allowed request methods

-
-
To find out which request methods a server supports, one can use the curl command-line program to issue an OPTIONS request:

-
-
curl -X OPTIONS https://example.org -i

-
-
The response then contains an {{HTTPHeader("Allow")}} header that holds the allowed methods:

-
-
HTTP/1.1 204 No Content
-Allow: OPTIONS, GET, HEAD, POST
-Cache-Control: max-age=604800
-Date: Thu, 13 Oct 2016 11:45:00 GMT
-Server: EOS (lax004/2813)
-

-
-
Preflighted requests in CORS

-
-
In CORS, a preflight request is sent with the OPTIONS method so that the server can respond if it is acceptable to send the request. In this example, we will request permission for these parameters:

-
-
    
- 
  • The {{HTTPHeader("Access-Control-Request-Method")}} header sent in the preflight request tells the server that when the actual request is sent, it will have a {{HTTPMethod("POST")}} request method.
    • 
- 
  • The {{HTTPHeader("Access-Control-Request-Headers")}} header tells the server that when the actual request is sent, it will have the X-PINGOTHER and Content-Type headers.
    • 
-

-
-
OPTIONS /resources/post-here/ HTTP/1.1
-Host: bar.example
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-Accept-Language: en-us,en;q=0.5
-Accept-Encoding: gzip,deflate
-Connection: keep-alive
-Origin: https://foo.example
-Access-Control-Request-Method: POST
-Access-Control-Request-Headers: X-PINGOTHER, Content-Type

-
-
The server now can respond if it will accept a request under these circumstances. In this example, the server response says that:

-
-

- 
{{HTTPHeader("Access-Control-Allow-Origin")}}

- 
The https://foo.example origin is permitted to request the bar.example/resources/post-here/ URL via the following:

- 
{{HTTPHeader("Access-Control-Allow-Methods")}}

- 
{{HTTPMethod("POST")}}, {{HTTPMethod("GET")}}, and OPTIONS are permitted methods for the URL. (This header is similar to the {{HTTPHeader("Allow")}} response header, but used only for CORS.)

- 
{{HTTPHeader("Access-Control-Allow-Headers")}}

- 
Any script inspecting the response is permitted to read the values of the X-PINGOTHER and Content-Type headers.

- 
{{HTTPHeader("Access-Control-Max-Age")}}

- 
The above permissions may be cached for 86,400 seconds (1 day).

-

-
-
HTTP/1.1 204 No Content
-Date: Mon, 01 Dec 2008 01:15:39 GMT
-Server: Apache/2.0.61 (Unix)
-Access-Control-Allow-Origin: https://foo.example
-Access-Control-Allow-Methods: POST, GET, OPTIONS
-Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
-Access-Control-Max-Age: 86400
-Vary: Accept-Encoding, Origin
-Keep-Alive: timeout=2, max=100
-Connection: Keep-Alive

-
-
Specifications

+```
+
+## Examples
+
+### Identifying allowed request methods
+
+To find out which request methods a server supports, one can use the `curl` command-line program to issue an `OPTIONS` request:
+
+```bash
+curl -X OPTIONS https://example.org -i
+```
+
+The response then contains an {{HTTPHeader("Allow")}} header that holds the allowed methods:
+
+    HTTP/1.1 204 No Content
+    Allow: OPTIONS, GET, HEAD, POST
+    Cache-Control: max-age=604800
+    Date: Thu, 13 Oct 2016 11:45:00 GMT
+    Server: EOS (lax004/2813)
+
+### Preflighted requests in CORS
+
+In [CORS](/en-US/docs/Web/HTTP/CORS), a [preflight request](/en-US/docs/Glossary/Preflight_request) is sent with the `OPTIONS` method so that the server can respond if it is acceptable to send the request. In this example, we will request permission for these parameters:
+
+- The {{HTTPHeader("Access-Control-Request-Method")}} header sent in the preflight request tells the server that when the actual request is sent, it will have a {{HTTPMethod("POST")}} request method.
+- The {{HTTPHeader("Access-Control-Request-Headers")}} header tells the server that when the actual request is sent, it will have the `X-PINGOTHER` and `Content-Type` headers.
+
+
+
+    OPTIONS /resources/post-here/ HTTP/1.1
+    Host: bar.example
+    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+    Accept-Language: en-us,en;q=0.5
+    Accept-Encoding: gzip,deflate
+    Connection: keep-alive
+    Origin: https://foo.example
+    Access-Control-Request-Method: POST
+    Access-Control-Request-Headers: X-PINGOTHER, Content-Type
+
+The server now can respond if it will accept a request under these circumstances. In this example, the server response says that:
+
+- {{HTTPHeader("Access-Control-Allow-Origin")}}
+  - : The `https://foo.example` origin is permitted to request the `bar.example/resources/post-here/` URL via the following:
+- {{HTTPHeader("Access-Control-Allow-Methods")}}
+  - : {{HTTPMethod("POST")}}, {{HTTPMethod("GET")}}, and `OPTIONS` are permitted methods for the URL. (This header is similar to the {{HTTPHeader("Allow")}} response header, but used only for [CORS](/en-US/docs/Web/HTTP/CORS).)
+- {{HTTPHeader("Access-Control-Allow-Headers")}}
+  - : Any script inspecting the response is permitted to read the values of the `X-PINGOTHER` and `Content-Type` headers.
+- {{HTTPHeader("Access-Control-Max-Age")}}
+  - : The above permissions may be cached for 86,400 seconds (1 day).
+
+
+
+    HTTP/1.1 204 No Content
+    Date: Mon, 01 Dec 2008 01:15:39 GMT
+    Server: Apache/2.0.61 (Unix)
+    Access-Control-Allow-Origin: https://foo.example
+    Access-Control-Allow-Methods: POST, GET, OPTIONS
+    Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
+    Access-Control-Max-Age: 86400
+    Vary: Accept-Encoding, Origin
+    Keep-Alive: timeout=2, max=100
+    Connection: Keep-Alive
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPHeader("Allow")}} header
    • 
- 
  • CORS
    • 
-

+- {{HTTPHeader("Allow")}} header
+- [CORS](/en-US/docs/Web/HTTP/CORS)
diff --git a/files/en-us/web/http/methods/patch/index.md b/files/en-us/web/http/methods/patch/index.md
index 91e47c8e8de821e..bef08960d5e2b68 100644
--- a/files/en-us/web/http/methods/patch/index.md
+++ b/files/en-us/web/http/methods/patch/index.md
@@ -6,21 +6,21 @@ tags:
   - Reference
   - Request method
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP PATCH request method applies partial modifications to a resource.

+The **HTTP `PATCH` request method** applies partial modifications to a resource.
 
-
PATCH is somewhat analogous to the "update" concept found in {{Glossary("CRUD")}} (in general, HTTP is different than {{Glossary("CRUD")}}, and the two should not be confused).

+`PATCH` is somewhat analogous to the "update" concept found in {{Glossary("CRUD")}} (in general, HTTP is different than {{Glossary("CRUD")}}, and the two should not be confused).
 
-
A PATCH request is considered a set of instructions on how to modify a resource. Contrast this with {{HTTPMethod("PUT")}}; which is a complete representation of a resource.

+A `PATCH` request is considered a set of instructions on how to modify a resource. Contrast this with {{HTTPMethod("PUT")}}; which is a complete representation of a resource.
 
-
A PATCH is not necessarily idempotent, although it can be. Contrast this with {{HTTPMethod("PUT")}}; which is always idempotent. The word "idempotent" means that any number of repeated, identical requests will leave the resource in the same state. For example if an auto-incrementing counter field is an integral part of the resource, then a {{HTTPMethod("PUT")}} will naturally overwrite it (since it overwrites everything), but not necessarily so for PATCH.

+A `PATCH` is not necessarily idempotent, although it can be. Contrast this with {{HTTPMethod("PUT")}}; which is always idempotent. The word "idempotent" means that any number of repeated, identical requests will leave the resource in the same state. For example if an auto-incrementing counter field is an integral part of the resource, then a {{HTTPMethod("PUT")}} will naturally overwrite it (since it overwrites everything), but not necessarily so for `PATCH`.
 
-
PATCH (like {{HTTPMethod("POST")}}) may have side-effects on other resources.

+`PATCH` (like {{HTTPMethod("POST")}}) _may_ have side-effects on other resources.
 
-
To find out whether a server supports PATCH, a server can advertise its support by adding it to the list in the {{HTTPHeader("Allow")}} or {{HTTPHeader("Access-Control-Allow-Methods")}} (for CORS) response headers.

+To find out whether a server supports `PATCH`, a server can advertise its support by adding it to the list in the {{HTTPHeader("Allow")}} or {{HTTPHeader("Access-Control-Allow-Methods")}} (for [CORS](/en-US/docs/Web/HTTP/CORS)) response headers.
 
-
Another (implicit) indication that PATCH is allowed, is the presence of the {{HTTPHeader("Accept-Patch")}} header, which specifies the patch document formats accepted by the server.

+Another (implicit) indication that `PATCH` is allowed, is the presence of the {{HTTPHeader("Accept-Patch")}} header, which specifies the patch document formats accepted by the server.
 
 
@@ -45,60 +45,50 @@ tags:
       
-      
+      

   
No
     

     
Allowed in HTML forms
+        Allowed in HTML forms
+      
       No
     

   
 

 
-
Syntax

+## Syntax
 
-
PATCH /file.txt HTTP/1.1
-

+```html
+PATCH /file.txt HTTP/1.1
+```
 
-
Example

+## Example
 
-
Request

+### Request
 
-
PATCH /file.txt HTTP/1.1
-Host: www.example.com
-Content-Type: application/example
-If-Match: "e0023aa4e"
-Content-Length: 100
+    PATCH /file.txt HTTP/1.1
+    Host: www.example.com
+    Content-Type: application/example
+    If-Match: "e0023aa4e"
+    Content-Length: 100
 
-[description of changes]

+    [description of changes]
 
-
Response

+### Response
 
-
A successful response is indicated by any 2xx status code.

+A successful response is indicated by any [2xx](https://datatracker.ietf.org/doc/html/rfc7231#section-6.3) status code.
 
-
In the example below a {{HTTPStatus("204")}} response code is used, because the response does not carry a payload body. A {{HTTPStatus("200")}} response could have contained a payload body.

+In the example below a {{HTTPStatus("204")}} response code is used, because the response does not carry a payload body. A {{HTTPStatus("200")}} response could have contained a payload body.
 
-
HTTP/1.1 204 No Content
-Content-Location: /file.txt
-ETag: "e0023aa4f"

+    HTTP/1.1 204 No Content
+    Content-Location: /file.txt
+    ETag: "e0023aa4f"
 
-
Specifications

+## Specifications
 
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
- 
-
SpecificationTitle
{{RFC("5789", "PATCH")}}PATCH Method for HTTP

+| Specification                    | Title                 |
+| -------------------------------- | --------------------- |
+| {{RFC("5789", "PATCH")}} | PATCH Method for HTTP |
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPStatus("204")}}
    • 
- 
  • {{HTTPHeader("Allow")}}, {{HTTPHeader("Access-Control-Allow-Methods")}}
    • 
- 
  • {{HTTPHeader("Accept-Patch")}} – specifies the patch document formats accepted by the server.
    • 
-

+- {{HTTPStatus("204")}}
+- {{HTTPHeader("Allow")}}, {{HTTPHeader("Access-Control-Allow-Methods")}}
+- {{HTTPHeader("Accept-Patch")}} – specifies the patch document formats accepted by the server.
diff --git a/files/en-us/web/http/methods/post/index.md b/files/en-us/web/http/methods/post/index.md
index e9155a94b1e1dd9..6b6351ee5a91f76 100644
--- a/files/en-us/web/http/methods/post/index.md
+++ b/files/en-us/web/http/methods/post/index.md
@@ -7,29 +7,25 @@ tags:
   - Request method
 browser-compat: http.methods.POST
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP POST method sends data to the server. The type of the body of the request is indicated by the {{HTTPHeader("Content-Type")}} header.

+The **HTTP `POST` method** sends data to the server. The type of the body of the request is indicated by the {{HTTPHeader("Content-Type")}} header.
 
-
The difference between {{HTTPMethod("PUT")}} and POST is that PUT is idempotent: calling it once or several times successively has the same effect (that is no side effect), where successive identical POST may have additional effects, like passing an order several times.

+The difference between {{HTTPMethod("PUT")}} and `POST` is that `PUT` is idempotent: calling it once or several times successively has the same effect (that is no _side_ effect), where successive identical `POST` may have additional effects, like passing an order several times.
 
-
A POST request is typically sent via an HTML form and results in a change on the server. In this case, the content type is selected by putting the adequate string in the {{htmlattrxref("enctype", "form")}} attribute of the {{HTMLElement("form")}} element or the {{htmlattrxref("formenctype", "input")}} attribute of the {{HTMLElement("input") }} or {{HTMLElement("button")}} elements:

+A `POST` request is typically sent via an [HTML form](/en-US/docs/Learn/Forms) and results in a change on the server. In this case, the content type is selected by putting the adequate string in the {{htmlattrxref("enctype", "form")}} attribute of the {{HTMLElement("form")}} element or the {{htmlattrxref("formenctype", "input")}} attribute of the {{HTMLElement("input") }} or {{HTMLElement("button")}} elements:
 
-
    
- 
  • application/x-www-form-urlencoded: the keys and values are encoded in key-value tuples separated by '&', with a '=' between the key and the value. Non-alphanumeric characters in both keys and values are {{glossary("percent-encoding", "percent encoded")}}: this is the reason why this type is not suitable to use with binary data (use multipart/form-data instead)
    • 
- 
  • multipart/form-data: each value is sent as a block of data ("body part"), with a user agent-defined delimiter ("boundary") separating each part. The keys are given in the Content-Disposition header of each part.
    • 
- 
  • text/plain
    • 
-

+- `application/x-www-form-urlencoded`: the keys and values are encoded in key-value tuples separated by `'&'`, with a `'='` between the key and the value. Non-alphanumeric characters in both keys and values are {{glossary("percent-encoding", "percent encoded")}}: this is the reason why this type is not suitable to use with binary data (use `multipart/form-data` instead)
+- `multipart/form-data`: each value is sent as a block of data ("body part"), with a user agent-defined delimiter ("boundary") separating each part. The keys are given in the `Content-Disposition` header of each part.
+- `text/plain`
 
-
When the POST request is sent via a method other than an HTML form — like via an {{domxref("XMLHttpRequest")}} — the body can take any type. As described in the HTTP 1.1 specification, POST is designed to allow a uniform method to cover the following functions:

+When the `POST` request is sent via a method other than an HTML form — like via an {{domxref("XMLHttpRequest")}} — the body can take any type. As described in the HTTP 1.1 specification, `POST` is designed to allow a uniform method to cover the following functions:
 
-
    
- 
  • Annotation of existing resources
    • 
- 
  • Posting a message to a bulletin board, newsgroup, mailing list, or similar group of articles;
    • 
- 
  • Adding a new user through a signup modal;
    • 
- 
  • Providing a block of data, such as the result of submitting a form, to a data-handling process;
    • 
- 
  • Extending a database through an append operation.
    • 
-

+- Annotation of existing resources
+- Posting a message to a bulletin board, newsgroup, mailing list, or similar group of articles;
+- Adding a new user through a signup modal;
+- Providing a block of data, such as the result of submitting a form, to a data-handling process;
+- Extending a database through an append operation.
 
 
@@ -54,57 +50,57 @@ browser-compat: http.methods.POST
       
-      
+      

   
Only if freshness information is included
     

     
Allowed in HTML forms
+        Allowed in HTML forms
+      
       Yes
     

   
 

 
-
Syntax

+## Syntax
 
-
POST /test
-

+```html
+POST /test
+```
 
-
Example

+## Example
 
-
A simple form using the default application/x-www-form-urlencoded content type:

+A simple form using the default `application/x-www-form-urlencoded` content type:
 
-
POST /test HTTP/1.1
-Host: foo.example
-Content-Type: application/x-www-form-urlencoded
-Content-Length: 27
+    POST /test HTTP/1.1
+    Host: foo.example
+    Content-Type: application/x-www-form-urlencoded
+    Content-Length: 27
 
-field1=value1&field2=value2

+    field1=value1&field2=value2
 
-
A form using the multipart/form-data content type:

+A form using the `multipart/form-data` content type:
 
-
POST /test HTTP/1.1
-Host: foo.example
-Content-Type: multipart/form-data;boundary="boundary"
+    POST /test HTTP/1.1
+    Host: foo.example
+    Content-Type: multipart/form-data;boundary="boundary"
 
---boundary
-Content-Disposition: form-data; name="field1"
+    --boundary
+    Content-Disposition: form-data; name="field1"
 
-value1
---boundary
-Content-Disposition: form-data; name="field2"; filename="example.txt"
+    value1
+    --boundary
+    Content-Disposition: form-data; name="field2"; filename="example.txt"
 
-value2
---boundary--
-

+    value2
+    --boundary--
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPHeader("Content-Type")}}
    • 
- 
  • {{HTTPHeader("Content-Disposition")}}
    • 
- 
  • {{HTTPMethod("GET")}}
    • 
-

+- {{HTTPHeader("Content-Type")}}
+- {{HTTPHeader("Content-Disposition")}}
+- {{HTTPMethod("GET")}}
diff --git a/files/en-us/web/http/methods/put/index.md b/files/en-us/web/http/methods/put/index.md
index 457e7861b585030..b1b5e8febbf3987 100644
--- a/files/en-us/web/http/methods/put/index.md
+++ b/files/en-us/web/http/methods/put/index.md
@@ -7,11 +7,11 @@ tags:
   - Request method
 browser-compat: http.methods.PUT
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP PUT request method creates a new resource or replaces a representation of the target resource with the request payload.

+The **HTTP `PUT` request method** creates a new resource or replaces a representation of the target resource with the request payload.
 
-
The difference between PUT and {{HTTPMethod("POST")}} is that PUT is idempotent: calling it once or several times successively has the same effect (that is no side effect), whereas successive identical {{HTTPMethod("POST")}} requests may have additional effects, akin to placing an order several times.

+The difference between `PUT` and {{HTTPMethod("POST")}} is that `PUT` is idempotent: calling it once or several times successively has the same effect (that is no _side_ effect), whereas successive identical {{HTTPMethod("POST")}} requests may have additional effects, akin to placing an order several times.
 
 
@@ -36,52 +36,52 @@ browser-compat: http.methods.PUT
       
-      
+      

   
No
     

     
Allowed in HTML forms
+        Allowed in HTML forms
+      
       No
     

   
 

 
-
Syntax

+## Syntax
 
-
PUT /new.html HTTP/1.1
-

+```html
+PUT /new.html HTTP/1.1
+```
 
-
Example

+## Example
 
-
Request

+### Request
 
-
PUT /new.html HTTP/1.1
-Host: example.com
-Content-type: text/html
-Content-length: 16
+    PUT /new.html HTTP/1.1
+    Host: example.com
+    Content-type: text/html
+    Content-length: 16
 
-<p>New File</p>

+    
New File

 
-
Responses

+### Responses
 
-
If the target resource does not have a current representation and the PUT request successfully creates one, then the origin server must inform the user agent by sending a {{HTTPStatus("201")}} (Created) response.

+If the target resource does not have a current representation and the `PUT` request successfully creates one, then the origin server must inform the user agent by sending a {{HTTPStatus("201")}} (`Created`) response.
 
-
HTTP/1.1 201 Created
-Content-Location: /new.html

+    HTTP/1.1 201 Created
+    Content-Location: /new.html
 
-
If the target resource does have a current representation and that representation is successfully modified in accordance with the state of the enclosed representation, then the origin server must send either a {{HTTPStatus("200")}} (OK) or a {{HTTPStatus("204")}} (No Content) response to indicate successful completion of the request.

+If the target resource does have a current representation and that representation is successfully modified in accordance with the state of the enclosed representation, then the origin server must send either a {{HTTPStatus("200")}} (`OK`) or a {{HTTPStatus("204")}} (`No Content`) response to indicate successful completion of the request.
 
-
HTTP/1.1 204 No Content
-Content-Location: /existing.html
-

+    HTTP/1.1 204 No Content
+    Content-Location: /existing.html
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPStatus("201")}}
    • 
- 
  • {{HTTPStatus("204")}}
    • 
-

+- {{HTTPStatus("201")}}
+- {{HTTPStatus("204")}}
diff --git a/files/en-us/web/http/methods/trace/index.md b/files/en-us/web/http/methods/trace/index.md
index ca9cfc1c9f2dcdf..0af4762aa7cec53 100644
--- a/files/en-us/web/http/methods/trace/index.md
+++ b/files/en-us/web/http/methods/trace/index.md
@@ -7,11 +7,11 @@ tags:
   - Request method
 browser-compat: http.methods.TRACE
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP TRACE method performs a message loop-back test along the path to the target resource, providing a useful debugging mechanism.

+The **HTTP `TRACE` method** performs a message loop-back test along the path to the target resource, providing a useful debugging mechanism.
 
-
The final recipient of the request should reflect the message received, excluding some fields described below, back to the client as the message body of a {{HTTPStatus("200")}} (OK) response with a {{HTTPHeader("Content-Type")}} of message/http. The final recipient is either the origin server or the first server to receive a {{HTTPHeader("Max-Forwards")}} value of 0 in the request.

+The final recipient of the request should reflect the message received, excluding some fields described below, back to the client as the message body of a {{HTTPStatus("200")}} (`OK`) response with a {{HTTPHeader("Content-Type")}} of `message/http`. The final recipient is either the origin server or the first server to receive a {{HTTPHeader("Max-Forwards")}} value of 0 in the request.
 
 
@@ -42,21 +42,20 @@ browser-compat: http.methods.TRACE
   

   
 

 
-
Syntax

+## Syntax
 
-
TRACE /index.html
-

+```html
+TRACE /index.html
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [HTTP methods](/en-US/docs/Web/HTTP/Methods)
diff --git a/files/en-us/web/http/network_error_logging/index.md b/files/en-us/web/http/network_error_logging/index.md
index 07506305e68144b..cfb427df7fbe8bc 100644
--- a/files/en-us/web/http/network_error_logging/index.md
+++ b/files/en-us/web/http/network_error_logging/index.md
@@ -7,55 +7,50 @@ tags:
   - Network Error Logging
   - Reference
 ---
-
{{HTTPSidebar}}{{SeeCompatTable}}

+{{HTTPSidebar}}{{SeeCompatTable}}
 
-
Network Error Logging is a mechanism that can be configured via the {{HTTPHeader("NEL")}} HTTP response header. This experimental header allows web sites and applications to opt-in to receive reports about failed (and, if desired, successful) network fetches from supporting browsers.

+Network Error Logging is a mechanism that can be configured via the {{HTTPHeader("NEL")}} HTTP _[response header](/en-US/docs/Glossary/Response_header)_. This experimental header allows web sites and applications to opt-in to receive reports about failed (and, if desired, successful) network fetches from supporting browsers.
 
-
Reports are sent to a reporting group defined within a {{HTTPHeader("Report-To")}} header.

+Reports are sent to a reporting group defined within a {{HTTPHeader("Report-To")}} header.
 
-
Usage

+## Usage
 
-
Web applications opt in to this behavior with the NEL header, which is a JSON-encoded object:

+Web applications opt in to this behavior with the NEL header, which is a _[JSON-encoded](/en-US/docs/Glossary/Response_header)_ object:
 
-
NEL: { "report_to": "nel",
-       "max_age": 31556952 }
-

+    NEL: { "report_to": "nel",
+           "max_age": 31556952 }
 
-
An origin considered secure by the browser is required.

+An origin considered secure by the browser is required.
 
-
The following object keys can be specified in the NEL header:

+The following object keys can be specified in the NEL header:
 
-

- 
report_to

- 

- 
The reporting API group to send network error reports to (see below).

- 

- 
max_age

- 
Specifies the lifetime of the policy, in seconds (in a similar way to e.g. HSTS policies are time-restricted). The referenced reporting group should have a lifetime at least as long as the NEL policy.

- 
include_subdomains

- 
If true, the policy applies to all subdomains under the origin that the policy header is set. The reporting group should also be set to include subdomains, if this option is to be enabled.

- 
success_fraction

- 
Floating point value between 0 and 1 which specifies the proportion of successful network requests to report. Defaults to 0, so that no successful network requests will be reported if the key is not present in the JSON payload.

- 
failure_fraction

- 
Floating point value between 0 and 1 which specifies the proportion of failed network requests to report. Defaults to 1, so that all failed network requests will be reported if the key is not present in the JSON payload.

-

+- report_to
+  - : The [reporting API](/en-US/docs/Web/API/Reporting_API) group to send network error reports to (see below).
+- max_age
+  - : Specifies the lifetime of the policy, in seconds (in a similar way to e.g. HSTS policies are time-restricted). The referenced reporting group should have a lifetime at least as long as the NEL policy.
+- include_subdomains
+  - : If true, the policy applies to all subdomains under the origin that the policy header is set. The reporting group should also be set to include subdomains, if this option is to be enabled.
+- success_fraction
+  - : Floating point value between 0 and 1 which specifies the proportion of **successful** network requests to report. Defaults to 0, so that no successful network requests will be reported if the key is not present in the JSON payload.
+- failure_fraction
+  - : Floating point value between 0 and 1 which specifies the proportion of **failed** network requests to report. Defaults to 1, so that all failed network requests will be reported if the key is not present in the JSON payload.
 
-
The reporting group referenced above is defined in the usual manner within the {{HTTPHeader("Report-To")}} header, for example:

+The reporting group referenced above is defined in the usual manner within the {{HTTPHeader("Report-To")}} header, for example:
 
-
Report-To: { "group": "nel",
-             "max_age": 31556952,
-             "endpoints": [
-               { "url": "https://example.com/csp-reports" }
-             ] }
-

+    Report-To: { "group": "nel",
+                 "max_age": 31556952,
+                 "endpoints": [
+                   { "url": "https://example.com/csp-reports" }
+                 ] }
 
-
Error reports

+## Error reports
 
-
In these examples, the entire reporting API payload is shown. The top-level "body" key contains the network error report.

+In these examples, the entire reporting API payload is shown. The top-level **`"body"`** key contains the network error report.
 
-
HTTP 400 (Bad Request) response

+### HTTP 400 (Bad Request) response
 
-
{
+```js
+{
   "age": 20,
   "type": "network-error",
   "url": "https://example.com/previous-page",
@@ -72,13 +67,14 @@ tags:
     "url": "https://example.com/bad-request"
   }
 }
-

+```
 
-
DNS name not resolved

+### DNS name not resolved
 
-
Note that the phase is set to dns in this report and no server_ip is available to include.

+Note that the phase is set to `dns` in this report and no `server_ip` is available to include.
 
-
{
+```js
+{
   "age": 20,
   "type": "network-error",
   "url": "https://example.com/previous-page",
@@ -95,60 +91,51 @@ tags:
     "url": "https://example-host.com/"
   }
 }
-

-
-
The type of the network error may be one of the following pre-defined values from the specification, but browsers can add and send their own error types:

-
-

- 
dns.unreachable

- 
The user's DNS server is unreachable

- 
dns.name_not_resolved

- 
The user's DNS server responded but was unable to resolve an IP address for the requested URI.

- 
dns.failed

- 
Request to the DNS server failed due to reasons not covered by previous errors (e.g. SERVFAIL)

- 
dns.address_changed

- 
For security reasons, if the server IP address that delivered the original report is different to the current server IP address at time of error generation, the report data will be downgraded to only include information about this problem and the type set to dns.address_changed.

- 
tcp.timed_out

- 
TCP connection to the server timed out

- 
tcp.closed

- 
The TCP connection was closed by the server

- 
tcp.reset

- 
The TCP connection was reset

- 
tcp.refused

- 
The TCP connection was refused by the server

- 
tcp.aborted

- 
The TCP connection was aborted

- 
tcp.address_invalid

- 
The IP address is invalid

- 
tcp.address_unreachable

- 
The IP address is unreachable

- 
tcp.failed

- 
The TCP connection failed due to reasons not covered by previous errors

- 
http.error

- 
The user agent successfully received a response, but it had a 4xx or 5xx status code

- 
http.protocol.error

- 
The connection was aborted due to an HTTP protocol error

- 
http.response.invalid

- 
Response is empty, has a content-length mismatch, has improper encoding, and/or other conditions that prevent user agent from processing the response

- 
http.response.redirect_loop

- 
The request was aborted due to a detected redirect loop

- 
http.failed

- 
The connection failed due to errors in HTTP protocol not covered by previous errors

-

-
-
Specifications

-
-
- 
-  
-   
-  
-  
-   
-  
- 
-
Specification
Network Error Logging

-
-
Browser compatibility

-
-
{{Compat("http.headers.NEL")}}

+```
+
+The type of the network error may be one of the following pre-defined values from the specification, but browsers can add and send their own error types:
+
+- `dns.unreachable`
+  - : The user's DNS server is unreachable
+- `dns.name_not_resolved`
+  - : The user's DNS server responded but was unable to resolve an IP address for the requested URI.
+- `dns.failed`
+  - : Request to the DNS server failed due to reasons not covered by previous errors (e.g. SERVFAIL)
+- `dns.address_changed`
+  - : For security reasons, if the server IP address that delivered the original report is different to the current server IP address at time of error generation, the report data will be downgraded to only include information about this problem and the type set to `dns.address_changed`.
+- `tcp.timed_out`
+  - : TCP connection to the server timed out
+- `tcp.closed`
+  - : The TCP connection was closed by the server
+- `tcp.reset`
+  - : The TCP connection was reset
+- `tcp.refused`
+  - : The TCP connection was refused by the server
+- `tcp.aborted`
+  - : The TCP connection was aborted
+- `tcp.address_invalid`
+  - : The IP address is invalid
+- `tcp.address_unreachable`
+  - : The IP address is unreachable
+- `tcp.failed`
+  - : The TCP connection failed due to reasons not covered by previous errors
+- `http.error`
+  - : The user agent successfully received a response, but it had a [4xx](https://datatracker.ietf.org/doc/html/rfc7231#section-6.5) or [5xx](https://datatracker.ietf.org/doc/html/rfc7231#section-6.6) status code
+- `http.protocol.error`
+  - : The connection was aborted due to an HTTP protocol error
+- `http.response.invalid`
+  - : Response is empty, has a content-length mismatch, has improper encoding, and/or other conditions that prevent user agent from processing the response
+- `http.response.redirect_loop`
+  - : The request was aborted due to a detected redirect loop
+- `http.failed`
+  - : The connection failed due to errors in HTTP protocol not covered by previous errors
+
+## Specifications
+
+| Specification                                                                      |
+| ---------------------------------------------------------------------------------- |
+| [Network Error Logging](https://w3c.github.io/network-error-logging/#introduction) |
+
+## Browser compatibility
+
+{{Compat("http.headers.NEL")}}
diff --git a/files/en-us/web/http/overview/index.md b/files/en-us/web/http/overview/index.md
index 5493ccba1b339c2..81da186c24a4c8f 100644
--- a/files/en-us/web/http/overview/index.md
+++ b/files/en-us/web/http/overview/index.md
@@ -8,171 +8,163 @@ tags:
   - WebMechanics
   - l10n:priority
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
HTTP is a {{Glossary("protocol")}} which allows the fetching of resources, such as HTML documents. It is the foundation of any data exchange on the Web and it is a client-server protocol, which means requests are initiated by the recipient, usually the Web browser. A complete document is reconstructed from the different sub-documents fetched, for instance text, layout description, images, videos, scripts, and more.

+**HTTP** is a {{Glossary("protocol")}} which allows the fetching of resources, such as HTML documents. It is the foundation of any data exchange on the Web and it is a client-server protocol, which means requests are initiated by the recipient, usually the Web browser. A complete document is reconstructed from the different sub-documents fetched, for instance text, layout description, images, videos, scripts, and more.
 
-
A Web document is the composition of different resources

+![A Web document is the composition of different resources](fetching_a_page.png)
 
-
Clients and servers communicate by exchanging individual messages (as opposed to a stream of data). The messages sent by the client, usually a Web browser, are called requests and the messages sent by the server as an answer are called responses.

+Clients and servers communicate by exchanging individual messages (as opposed to a stream of data). The messages sent by the client, usually a Web browser, are called _requests_ and the messages sent by the server as an answer are called _responses_.
 
-
HTTP as an application layer protocol, on top of TCP (transport layer) and IP (network layer) and below the presentation layer.Designed in the early 1990s, HTTP is an extensible protocol which has evolved over time. It is an application layer protocol that is sent over {{Glossary("TCP")}}, or over a {{Glossary("TLS")}}-encrypted TCP connection, though any reliable transport protocol could theoretically be used. Due to its extensibility, it is used to not only fetch hypertext documents, but also images and videos or to post content to servers, like with HTML form results. HTTP can also be used to fetch parts of documents to update Web pages on demand.

+![HTTP as an application layer protocol, on top of TCP (transport layer) and IP (network layer) and below the presentation layer.](http-layers.png)Designed in the early 1990s, HTTP is an extensible protocol which has evolved over time. It is an application layer protocol that is sent over {{Glossary("TCP")}}, or over a {{Glossary("TLS")}}-encrypted TCP connection, though any reliable transport protocol could theoretically be used. Due to its extensibility, it is used to not only fetch hypertext documents, but also images and videos or to post content to servers, like with HTML form results. HTTP can also be used to fetch parts of documents to update Web pages on demand.
 
-
Components of HTTP-based systems

+## Components of HTTP-based systems
 
-
HTTP is a client-server protocol: requests are sent by one entity, the user-agent (or a proxy on behalf of it). Most of the time the user-agent is a Web browser, but it can be anything, for example a robot that crawls the Web to populate and maintain a search engine index.

+HTTP is a client-server protocol: requests are sent by one entity, the user-agent (or a proxy on behalf of it). Most of the time the user-agent is a Web browser, but it can be anything, for example a robot that crawls the Web to populate and maintain a search engine index.
 
-
Each individual request is sent to a server, which handles it and provides an answer, called the response. Between the client and the server there are numerous entities, collectively called {{Glossary("Proxy_server", "proxies")}}, which perform different operations and act as gateways or {{Glossary("Cache", "caches")}}, for example.

+Each individual request is sent to a server, which handles it and provides an answer, called the _response_. Between the client and the server there are numerous entities, collectively called {{Glossary("Proxy_server", "proxies")}}, which perform different operations and act as gateways or {{Glossary("Cache", "caches")}}, for example.
 
-
Client server chain

+![Client server chain](client-server-chain.png)
 
-
In reality, there are more computers between a browser and the server handling the request: there are routers, modems, and more. Thanks to the layered design of the Web, these are hidden in the network and transport layers. HTTP is on top, at the application layer. Although important to diagnose network problems, the underlying layers are mostly irrelevant to the description of HTTP.

+In reality, there are more computers between a browser and the server handling the request: there are routers, modems, and more. Thanks to the layered design of the Web, these are hidden in the network and transport layers. HTTP is on top, at the application layer. Although important to diagnose network problems, the underlying layers are mostly irrelevant to the description of HTTP.
 
-
Client: the user-agent

+### Client: the user-agent
 
-
The user-agent is any tool that acts on the behalf of the user. This role is primarily performed by the Web browser; other possibilities are programs used by engineers and Web developers to debug their applications.

+The _user-agent_ is any tool that acts on the behalf of the user. This role is primarily performed by the Web browser; other possibilities are programs used by engineers and Web developers to debug their applications.
 
-
The browser is always the entity initiating the request. It is never the server (though some mechanisms have been added over the years to simulate server-initiated messages).

+The browser is **always** the entity initiating the request. It is never the server (though some mechanisms have been added over the years to simulate server-initiated messages).
 
-
To present a Web page, the browser sends an original request to fetch the HTML document that represents the page. It then parses this file, making additional requests corresponding to execution scripts, layout information (CSS) to display, and sub-resources contained within the page (usually images and videos). The Web browser then mixes these resources to present to the user a complete document, the Web page. Scripts executed by the browser can fetch more resources in later phases and the browser updates the Web page accordingly.

+To present a Web page, the browser sends an original request to fetch the HTML document that represents the page. It then parses this file, making additional requests corresponding to execution scripts, layout information (CSS) to display, and sub-resources contained within the page (usually images and videos). The Web browser then mixes these resources to present to the user a complete document, the Web page. Scripts executed by the browser can fetch more resources in later phases and the browser updates the Web page accordingly.
 
-
A Web page is a hypertext document. This means some parts of displayed text are links which can be activated (usually by a click of the mouse) to fetch a new Web page, allowing the user to direct their user-agent and navigate through the Web. The browser translates these directions in HTTP requests, and further interprets the HTTP responses to present the user with a clear response.

+A Web page is a hypertext document. This means some parts of displayed text are links which can be activated (usually by a click of the mouse) to fetch a new Web page, allowing the user to direct their user-agent and navigate through the Web. The browser translates these directions in HTTP requests, and further interprets the HTTP responses to present the user with a clear response.
 
-
The Web server

+### The Web server
 
-
On the opposite side of the communication channel, is the server, which serves the document as requested by the client. A server appears as only a single machine virtually: this is because it may actually be a collection of servers, sharing the load (load balancing) or a complex piece of software interrogating other computers (like cache, a DB server, or e-commerce servers), totally or partially generating the document on demand.

+On the opposite side of the communication channel, is the server, which _serves_ the document as requested by the client. A server appears as only a single machine virtually: this is because it may actually be a collection of servers, sharing the load (load balancing) or a complex piece of software interrogating other computers (like cache, a DB server, or e-commerce servers), totally or partially generating the document on demand.
 
-
A server is not necessarily a single machine, but several server software instances can be hosted on the same machine. With HTTP/1.1 and the {{HTTPHeader("Host")}} header, they may even share the same IP address.

+A server is not necessarily a single machine, but several server software instances can be hosted on the same machine. With HTTP/1.1 and the {{HTTPHeader("Host")}} header, they may even share the same IP address.
 
-
Proxies

+### Proxies
 
-
Between the Web browser and the server, numerous computers and machines relay the HTTP messages. Due to the layered structure of the Web stack, most of these operate at the transport, network or physical levels, becoming transparent at the HTTP layer and potentially making a significant impact on performance. Those operating at the application layers are generally called proxies. These can be transparent, forwarding on the requests they receive without altering them in any way, or non-transparent, in which case they will change the request in some way before passing it along to the server. Proxies may perform numerous functions:

+Between the Web browser and the server, numerous computers and machines relay the HTTP messages. Due to the layered structure of the Web stack, most of these operate at the transport, network or physical levels, becoming transparent at the HTTP layer and potentially making a significant impact on performance. Those operating at the application layers are generally called **proxies**. These can be transparent, forwarding on the requests they receive without altering them in any way, or non-transparent, in which case they will change the request in some way before passing it along to the server. Proxies may perform numerous functions:
 
-
    
- 
  • caching (the cache can be public or private, like the browser cache)
    • 
- 
  • filtering (like an antivirus scan or parental controls)
    • 
- 
  • load balancing (to allow multiple servers to serve the different requests)
    • 
- 
  • authentication (to control access to different resources)
    • 
- 
  • logging (allowing the storage of historical information)
    • 
-

+- caching (the cache can be public or private, like the browser cache)
+- filtering (like an antivirus scan or parental controls)
+- load balancing (to allow multiple servers to serve the different requests)
+- authentication (to control access to different resources)
+- logging (allowing the storage of historical information)
 
-
Basic aspects of HTTP

+## Basic aspects of HTTP
 
-
HTTP is simple

+### HTTP is simple
 
-
HTTP is generally designed to be simple and human readable, even with the added complexity introduced in HTTP/2 by encapsulating HTTP messages into frames. HTTP messages can be read and understood by humans, providing easier testing for developers, and reduced complexity for newcomers.

+HTTP is generally designed to be simple and human readable, even with the added complexity introduced in HTTP/2 by encapsulating HTTP messages into frames. HTTP messages can be read and understood by humans, providing easier testing for developers, and reduced complexity for newcomers.
 
-
HTTP is extensible

+### HTTP is extensible
 
-
Introduced in HTTP/1.0, HTTP headers make this protocol easy to extend and experiment with. New functionality can even be introduced by a simple agreement between a client and a server about a new header's semantics.

+Introduced in HTTP/1.0, [HTTP headers](/en-US/docs/Web/HTTP/Headers) make this protocol easy to extend and experiment with. New functionality can even be introduced by a simple agreement between a client and a server about a new header's semantics.
 
-
HTTP is stateless, but not sessionless

+### HTTP is stateless, but not sessionless
 
-
HTTP is stateless: there is no link between two requests being successively carried out on the same connection. This immediately has the prospect of being problematic for users attempting to interact with certain pages coherently, for example, using e-commerce shopping baskets. But while the core of HTTP itself is stateless, HTTP cookies allow the use of stateful sessions. Using header extensibility, HTTP Cookies are added to the workflow, allowing session creation on each HTTP request to share the same context, or the same state.

+HTTP is stateless: there is no link between two requests being successively carried out on the same connection. This immediately has the prospect of being problematic for users attempting to interact with certain pages coherently, for example, using e-commerce shopping baskets. But while the core of HTTP itself is stateless, HTTP cookies allow the use of stateful sessions. Using header extensibility, HTTP Cookies are added to the workflow, allowing session creation on each HTTP request to share the same context, or the same state.
 
-
HTTP and connections

+### HTTP and connections
 
-
A connection is controlled at the transport layer, and therefore fundamentally out of scope for HTTP. Though HTTP doesn't require the underlying transport protocol to be connection-based; only requiring it to be reliable, or not lose messages (so at minimum presenting an error). Among the two most common transport protocols on the Internet, TCP is reliable and UDP isn't. HTTP therefore relies on the TCP standard, which is connection-based.

+A connection is controlled at the transport layer, and therefore fundamentally out of scope for HTTP. Though HTTP doesn't require the underlying transport protocol to be connection-based; only requiring it to be _reliable_, or not lose messages (so at minimum presenting an error). Among the two most common transport protocols on the Internet, TCP is reliable and UDP isn't. HTTP therefore relies on the TCP standard, which is connection-based.
 
-
Before a client and server can exchange an HTTP request/response pair, they must establish a TCP connection, a process which requires several round-trips. The default behavior of HTTP/1.0 is to open a separate TCP connection for each HTTP request/response pair. This is less efficient than sharing a single TCP connection when multiple requests are sent in close succession.

+Before a client and server can exchange an HTTP request/response pair, they must establish a TCP connection, a process which requires several round-trips. The default behavior of HTTP/1.0 is to open a separate TCP connection for each HTTP request/response pair. This is less efficient than sharing a single TCP connection when multiple requests are sent in close succession.
 
-
In order to mitigate this flaw, HTTP/1.1 introduced pipelining (which proved difficult to implement) and persistent connections: the underlying TCP connection can be partially controlled using the {{HTTPHeader("Connection")}} header. HTTP/2 went a step further by multiplexing messages over a single connection, helping keep the connection warm and more efficient.

+In order to mitigate this flaw, HTTP/1.1 introduced _pipelining_ (which proved difficult to implement) and _persistent connections_: the underlying TCP connection can be partially controlled using the {{HTTPHeader("Connection")}} header. HTTP/2 went a step further by multiplexing messages over a single connection, helping keep the connection warm and more efficient.
 
-
Experiments are in progress to design a better transport protocol more suited to HTTP. For example, Google is experimenting with QUIC which builds on UDP to provide a more reliable and efficient transport protocol.

+Experiments are in progress to design a better transport protocol more suited to HTTP. For example, Google is experimenting with [QUIC](https://en.wikipedia.org/wiki/QUIC) which builds on UDP to provide a more reliable and efficient transport protocol.
 
-
What can be controlled by HTTP

+## What can be controlled by HTTP
 
-
This extensible nature of HTTP has, over time, allowed for more control and functionality of the Web. Cache or authentication methods were functions handled early in HTTP history. The ability to relax the origin constraint, by contrast, has only been added in the 2010s.

+This extensible nature of HTTP has, over time, allowed for more control and functionality of the Web. Cache or authentication methods were functions handled early in HTTP history. The ability to relax the _origin constraint_, by contrast, has only been added in the 2010s.
 
-
Here is a list of common features controllable with HTTP.

+Here is a list of common features controllable with HTTP.
 
-
    
- 
  • Caching
    
-  How documents are cached can be controlled by HTTP. The server can instruct proxies and clients, about what to cache and for how long. The client can instruct intermediate cache proxies to ignore the stored document.
    • 
- 
  • Relaxing the origin constraint
    
-  To prevent snooping and other privacy invasions, Web browsers enforce strict separation between Web sites. Only pages from the same origin can access all the information of a Web page. Though such constraint is a burden to the server, HTTP headers can relax this strict separation on the server side, allowing a document to become a patchwork of information sourced from different domains; there could even be security-related reasons to do so.
    • 
- 
  • Authentication
    
-  Some pages may be protected so that only specific users can access them. Basic authentication may be provided by HTTP, either using the {{HTTPHeader("WWW-Authenticate")}} and similar headers, or by setting a specific session using HTTP cookies.
    • 
- 
  • Proxy and tunneling
    
-  Servers or clients are often located on intranets and hide their true IP address from other computers. HTTP requests then go through proxies to cross this network barrier. Not all proxies are HTTP proxies. The SOCKS protocol, for example, operates at a lower level. Other protocols, like ftp, can be handled by these proxies.
    • 
- 
  • Sessions
    
-  Using HTTP cookies allows you to link requests with the state of the server. This creates sessions, despite basic HTTP being a state-less protocol. This is useful not only for e-commerce shopping baskets, but also for any site allowing user configuration of the output.
    • 
-

+- _[Caching](/en-US/docs/Web/HTTP/Caching)_
+  How documents are cached can be controlled by HTTP. The server can instruct proxies and clients, about what to cache and for how long. The client can instruct intermediate cache proxies to ignore the stored document.
+- _Relaxing the origin constraint_
+  To prevent snooping and other privacy invasions, Web browsers enforce strict separation between Web sites. Only pages from the **same origin** can access all the information of a Web page. Though such constraint is a burden to the server, HTTP headers can relax this strict separation on the server side, allowing a document to become a patchwork of information sourced from different domains; there could even be security-related reasons to do so.
+- _Authentication_
+  Some pages may be protected so that only specific users can access them. Basic authentication may be provided by HTTP, either using the {{HTTPHeader("WWW-Authenticate")}} and similar headers, or by setting a specific session using [HTTP cookies](/en-US/docs/Web/HTTP/Cookies).
+- _[Proxy and tunneling](/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling)_
+  Servers or clients are often located on intranets and hide their true IP address from other computers. HTTP requests then go through proxies to cross this network barrier. Not all proxies are HTTP proxies. The SOCKS protocol, for example, operates at a lower level. Other protocols, like ftp, can be handled by these proxies.
+- _Sessions_
+  Using HTTP cookies allows you to link requests with the state of the server. This creates sessions, despite basic HTTP being a state-less protocol. This is useful not only for e-commerce shopping baskets, but also for any site allowing user configuration of the output.
 
-
HTTP flow

+## HTTP flow
 
-
When a client wants to communicate with a server, either the final server or an intermediate proxy, it performs the following steps:

+When a client wants to communicate with a server, either the final server or an intermediate proxy, it performs the following steps:
 
-
    
- 
  1. Open a TCP connection: The TCP connection is used to send a request, or several, and receive an answer. The client may open a new connection, reuse an existing connection, or open several TCP connections to the servers.
    2. 
- 
  2. Send an HTTP message: HTTP messages (before HTTP/2) are human-readable. With HTTP/2, these simple messages are encapsulated in frames, making them impossible to read directly, but the principle remains the same. For example:
-  
    GET / HTTP/1.1
-Host: developer.mozilla.org
-Accept-Language: fr
    
- 
    3. 
- 
  3. Read the response sent by the server, such as:
-  
    HTTP/1.1 200 OK
-Date: Sat, 09 Oct 2010 14:28:02 GMT
-Server: Apache
-Last-Modified: Tue, 01 Dec 2009 20:18:22 GMT
-ETag: "51142bc1-7449-479b075b2891b"
-Accept-Ranges: bytes
-Content-Length: 29769
-Content-Type: text/html
+1.  Open a TCP connection: The TCP connection is used to send a request, or several, and receive an answer. The client may open a new connection, reuse an existing connection, or open several TCP connections to the servers.
+2.  Send an HTTP message: HTTP messages (before HTTP/2) are human-readable. With HTTP/2, these simple messages are encapsulated in frames, making them impossible to read directly, but the principle remains the same. For example:
 
-<!DOCTYPE html... (here comes the 29769 bytes of the requested web page)
    
- 
    4. 
- 
  4. Close or reuse the connection for further requests.
    5. 
-

+        GET / HTTP/1.1
+        Host: developer.mozilla.org
+        Accept-Language: fr
 
-
If HTTP pipelining is activated, several requests can be sent without waiting for the first response to be fully received. HTTP pipelining has proven difficult to implement in existing networks, where old pieces of software coexist with modern versions. HTTP pipelining has been superseded in HTTP/2 with more robust multiplexing requests within a frame.

+3.  Read the response sent by the server, such as:
 
-
HTTP Messages

+        HTTP/1.1 200 OK
+        Date: Sat, 09 Oct 2010 14:28:02 GMT
+        Server: Apache
+        Last-Modified: Tue, 01 Dec 2009 20:18:22 GMT
+        ETag: "51142bc1-7449-479b075b2891b"
+        Accept-Ranges: bytes
+        Content-Length: 29769
+        Content-Type: text/html
 
-
HTTP messages, as defined in HTTP/1.1 and earlier, are human-readable. In HTTP/2, these messages are embedded into a binary structure, a frame, allowing optimizations like compression of headers and multiplexing. Even if only part of the original HTTP message is sent in this version of HTTP, the semantics of each message is unchanged and the client reconstitutes (virtually) the original HTTP/1.1 request. It is therefore useful to comprehend HTTP/2 messages in the HTTP/1.1 format.

+        There are two types of HTTP messages, requests and responses, each with its own format.

+4.  Close or reuse the connection for further requests.
 
-
Requests

+If HTTP pipelining is activated, several requests can be sent without waiting for the first response to be fully received. HTTP pipelining has proven difficult to implement in existing networks, where old pieces of software coexist with modern versions. HTTP pipelining has been superseded in HTTP/2 with more robust multiplexing requests within a frame.
 
-
An example HTTP request:

+## HTTP Messages
 
-
A basic HTTP request

+HTTP messages, as defined in HTTP/1.1 and earlier, are human-readable. In HTTP/2, these messages are embedded into a binary structure, a _frame_, allowing optimizations like compression of headers and multiplexing. Even if only part of the original HTTP message is sent in this version of HTTP, the semantics of each message is unchanged and the client reconstitutes (virtually) the original HTTP/1.1 request. It is therefore useful to comprehend HTTP/2 messages in the HTTP/1.1 format.
 
-
Requests consists of the following elements:

+There are two types of HTTP messages, requests and responses, each with its own format.
 
-
    
- 
  • An HTTP method, usually a verb like {{HTTPMethod("GET")}}, {{HTTPMethod("POST")}} or a noun like {{HTTPMethod("OPTIONS")}} or {{HTTPMethod("HEAD")}} that defines the operation the client wants to perform. Typically, a client wants to fetch a resource (using GET) or post the value of an HTML form (using POST), though more operations may be needed in other cases.
    • 
- 
  • The path of the resource to fetch; the URL of the resource stripped from elements that are obvious from the context, for example without the {{Glossary("protocol")}} (http://), the {{Glossary("domain")}} (here, developer.mozilla.org), or the TCP {{Glossary("port")}} (here, 80).
    • 
- 
  • The version of the HTTP protocol.
    • 
- 
  • Optional headers that convey additional information for the servers.
    • 
- 
  • Or a body, for some methods like POST, similar to those in responses, which contain the resource sent.
    • 
-

+### Requests
 
-
Responses

+An example HTTP request:
 
-
An example response:

+![A basic HTTP request](http_request.png)
 
-

+Requests consists of the following elements:
 
-
Responses consist of the following elements:

+- An HTTP [method](/en-US/docs/Web/HTTP/Methods), usually a verb like {{HTTPMethod("GET")}}, {{HTTPMethod("POST")}} or a noun like {{HTTPMethod("OPTIONS")}} or {{HTTPMethod("HEAD")}} that defines the operation the client wants to perform. Typically, a client wants to fetch a resource (using `GET`) or post the value of an [HTML form](/en-US/docs/Learn/Forms) (using `POST`), though more operations may be needed in other cases.
+- The path of the resource to fetch; the URL of the resource stripped from elements that are obvious from the context, for example without the {{Glossary("protocol")}} (`http://`), the {{Glossary("domain")}} (here, `developer.mozilla.org`), or the TCP {{Glossary("port")}} (here, `80`).
+- The version of the HTTP protocol.
+- Optional [headers](/en-US/docs/Web/HTTP/Headers) that convey additional information for the servers.
+- Or a body, for some methods like `POST`, similar to those in responses, which contain the resource sent.
 
-
    
- 
  • The version of the HTTP protocol they follow.
    • 
- 
  • A status code, indicating if the request was successful, or not, and why.
    • 
- 
  • A status message, a non-authoritative short description of the status code.
    • 
- 
  • HTTP headers, like those for requests.
    • 
- 
  • Optionally, a body containing the fetched resource.
    • 
-

+### Responses
 
-
APIs based on HTTP

+An example response:
 
-
The most commonly used API based on HTTP is the {{domxref("XMLHttpRequest")}} API, which can be used to exchange data between a {{Glossary("user agent")}} and a server. The modern {{domxref("Fetch API")}} provides the same features with a more powerful and flexible feature set.

+![](http_response.png)
 
-
Another API, server-sent events, is a one-way service that allows a server to send events to the client, using HTTP as a transport mechanism. Using the {{domxref("EventSource")}} interface, the client opens a connection and establishes event handlers. The client browser automatically converts the messages that arrive on the HTTP stream into appropriate {{domxref("Event")}} objects, delivering them to the event handlers that have been registered for the events' {{domxref("Event.type", "type")}} if known, or to the {{domxref("EventSource.onmessage", "onmessage")}} event handler if no type-specific event handler was established.

+Responses consist of the following elements:
 
-
Conclusion

+- The version of the HTTP protocol they follow.
+- A [status code](/en-US/docs/Web/HTTP/Status), indicating if the request was successful, or not, and why.
+- A status message, a non-authoritative short description of the status code.
+- HTTP [headers](/en-US/docs/Web/HTTP/Headers), like those for requests.
+- Optionally, a body containing the fetched resource.
 
-
HTTP is an extensible protocol that is easy to use. The client-server structure, combined with the ability to add headers, allows HTTP to advance along with the extended capabilities of the Web.

+## APIs based on HTTP
 
-
Though HTTP/2 adds some complexity, by embedding HTTP messages in frames to improve performance, the basic structure of messages has stayed the same since HTTP/1.0. Session flow remains simple, allowing it to be investigated, and debugged with a simple HTTP message monitor.

+The most commonly used API based on HTTP is the {{domxref("XMLHttpRequest")}} API, which can be used to exchange data between a {{Glossary("user agent")}} and a server. The modern {{domxref("Fetch API")}} provides the same features with a more powerful and flexible feature set.
+
+Another API, [server-sent events](/en-US/docs/Web/API/Server-sent_events), is a one-way service that allows a server to send events to the client, using HTTP as a transport mechanism. Using the {{domxref("EventSource")}} interface, the client opens a connection and establishes event handlers. The client browser automatically converts the messages that arrive on the HTTP stream into appropriate {{domxref("Event")}} objects, delivering them to the event handlers that have been registered for the events' {{domxref("Event.type", "type")}} if known, or to the {{domxref("EventSource.onmessage", "onmessage")}} event handler if no type-specific event handler was established.
+
+## Conclusion
+
+HTTP is an extensible protocol that is easy to use. The client-server structure, combined with the ability to add headers, allows HTTP to advance along with the extended capabilities of the Web.
+
+Though HTTP/2 adds some complexity, by embedding HTTP messages in frames to improve performance, the basic structure of messages has stayed the same since HTTP/1.0. Session flow remains simple, allowing it to be investigated, and debugged with a simple [HTTP message monitor](/en-US/docs/Tools/Network_Monitor).
diff --git a/files/en-us/web/http/protocol_upgrade_mechanism/index.md b/files/en-us/web/http/protocol_upgrade_mechanism/index.md
index d27b05dd4933436..66b7b9034de7076 100644
--- a/files/en-us/web/http/protocol_upgrade_mechanism/index.md
+++ b/files/en-us/web/http/protocol_upgrade_mechanism/index.md
@@ -11,146 +11,144 @@ tags:
   - WebSocket
   - WebSockets
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP/1.1 protocol provides a special mechanism that can be used to upgrade an already established connection to a different protocol, using the {{HTTPHeader("Upgrade")}} header field.

+The [HTTP/1.1 protocol](/en-US/docs/Web/HTTP) provides a special mechanism that can be used to upgrade an already established connection to a different protocol, using the {{HTTPHeader("Upgrade")}} header field.
 
-
This mechanism is optional; it cannot be used to insist on a protocol change. Implementations can choose not to take advantage of an upgrade even if they support the new protocol, and in practice, this mechanism is used mostly to bootstrap a WebSockets connection.

+This mechanism is optional; it cannot be used to insist on a protocol change. Implementations can choose not to take advantage of an upgrade even if they support the new protocol, and in practice, this mechanism is used mostly to bootstrap a WebSockets connection.
 
-
Note also that HTTP/2 explicitly disallows the use of this mechanism; it is specific to HTTP/1.1.

+Note also that HTTP/2 explicitly disallows the use of this mechanism; it is specific to HTTP/1.1.
 
-
Upgrading HTTP/1.1 Connections

+## Upgrading HTTP/1.1 Connections
 
-
The {{HTTPHeader("Upgrade")}} header field is used by clients to invite the server to switch to one of the listed protocols, in descending preference order.

+The {{HTTPHeader("Upgrade")}} header field is used by clients to invite the server to switch to one of the listed protocols, in descending preference order.
 
-
Because Upgrade is a hop-by-hop header, it also needs to be listed in the {{HTTPHeader("Connection")}} header field. This means that a typical request that includes Upgrade would look something like:

+Because `Upgrade` is a hop-by-hop header, it also needs to be listed in the {{HTTPHeader("Connection")}} header field. This means that a typical request that includes Upgrade would look something like:
 
-
GET /index.html HTTP/1.1
+```html
+GET /index.html HTTP/1.1
 Host: www.example.com
 Connection: upgrade
-Upgrade: example/1, foo/2

+Upgrade: example/1, foo/2
+```
 
-
Other headers may be required depending on the requested protocol; for example, WebSocket upgrades allow additional headers to configure details about the WebSocket connection as well as to offer a degree of security in opening the connection. See {{anch("Upgrading to a WebSocket connection")}} for more details.

+Other headers may be required depending on the requested protocol; for example, [WebSocket](/en-US/docs/Web/API/WebSocket) upgrades allow additional headers to configure details about the WebSocket connection as well as to offer a degree of security in opening the connection. See {{anch("Upgrading to a WebSocket connection")}} for more details.
 
-
If the server decides to upgrade the connection, it sends back a {{HTTPStatus(101, "101 Switching Protocols")}} response status with an Upgrade header that specifies the protocol(s) being switched to. If it does not (or cannot) upgrade the connection, it ignores the Upgrade header and sends back a regular response (for example, a {{HTTPStatus(200, "200 OK")}}).

+If the server decides to upgrade the connection, it sends back a {{HTTPStatus(101, "101 Switching Protocols")}} response status with an Upgrade header that specifies the protocol(s) being switched to. If it does not (or cannot) upgrade the connection, it ignores the `Upgrade` header and sends back a regular response (for example, a {{HTTPStatus(200, "200 OK")}}).
 
-
Right after sending the 101 status code, the server can begin speaking the new protocol, performing any additional protocol-specific handshakes as necessary. Effectively, the connection becomes a two-way pipe as soon as the upgraded response is complete, and the request that initiated the upgrade can be completed over the new protocol.

+Right after sending the `101` status code, the server can begin speaking the new protocol, performing any additional protocol-specific handshakes as necessary. Effectively, the connection becomes a two-way pipe as soon as the upgraded response is complete, and the request that initiated the upgrade can be completed over the new protocol.
 
-
Common uses for this mechanism

+## Common uses for this mechanism
 
-
Here we look at the most common use cases for the {{HTTPHeader("Upgrade")}} header.

+Here we look at the most common use cases for the {{HTTPHeader("Upgrade")}} header.
 
-
Upgrading to a WebSocket connection

+### Upgrading to a WebSocket connection
 
-
By far, the most common use case for upgrading an HTTP connection is to use WebSockets, which are always implemented by upgrading an HTTP or HTTPS connection. Keep in mind that if you're opening a new connection using the WebSocket API, or any library that does WebSockets, most or all of this is done for you. For example, opening a WebSocket connection is as simple as:

+By far, the most common use case for upgrading an HTTP connection is to use WebSockets, which are always implemented by upgrading an HTTP or HTTPS connection. Keep in mind that if you're opening a new connection using the [WebSocket API](/en-US/docs/Web/API/WebSocket), or any library that does WebSockets, most or all of this is done for you. For example, opening a WebSocket connection is as simple as:
 
-
webSocket = new WebSocket("ws://destination.server.ext", "optionalProtocol");

+```js
+webSocket = new WebSocket("ws://destination.server.ext", "optionalProtocol");
+```
 
-
The {{domxref("WebSocket.WebSocket", "WebSocket()")}} constructor does all the work of creating an initial HTTP/1.1 connection then handling the handshaking and upgrade process for you.

+The {{domxref("WebSocket.WebSocket", "WebSocket()")}} constructor does all the work of creating an initial HTTP/1.1 connection then handling the handshaking and upgrade process for you.
 
-

-  
Note: You can also use the "wss://" URL scheme to open a secure WebSocket connection.

-

+> **Note:** You can also use the `"wss://"` URL scheme to open a secure WebSocket connection.
 
-
If you need to create a WebSocket connection from scratch, you'll have to handle the handshaking process yourself. After creating the initial HTTP/1.1 session, you need to request the upgrade by adding to a standard request the {{HTTPHeader("Upgrade")}} and {{HTTPHeader("Connection")}} headers, as follows:

+If you need to create a WebSocket connection from scratch, you'll have to handle the handshaking process yourself. After creating the initial HTTP/1.1 session, you need to request the upgrade by adding to a standard request the {{HTTPHeader("Upgrade")}} and {{HTTPHeader("Connection")}} headers, as follows:
 
-
Connection: Upgrade
-Upgrade: websocket

+    Connection: Upgrade
+    Upgrade: websocket
 
-
WebSocket-specific headers

+### WebSocket-specific headers
 
-
The following headers are involved in the WebSocket upgrade process. Other than the {{HTTPHeader("Upgrade")}} and {{HTTPHeader("Connection")}} headers, the rest are generally optional or handled for you by the browser and server when they're talking to each other.

+The following headers are involved in the WebSocket upgrade process. Other than the {{HTTPHeader("Upgrade")}} and {{HTTPHeader("Connection")}} headers, the rest are generally optional or handled for you by the browser and server when they're talking to each other.
 
-
{{HTTPHeader("Sec-WebSocket-Extensions")}}

+#### {{HTTPHeader("Sec-WebSocket-Extensions")}}
 
-
Specifies one or more protocol-level WebSocket extensions to ask the server to use. Using more than one Sec-WebSocket-Extension header in a request is permitted; the result is the same as if you included all of the listed extensions in one such header.

+Specifies one or more protocol-level WebSocket extensions to ask the server to use. Using more than one `Sec-WebSocket-Extension` header in a request is permitted; the result is the same as if you included all of the listed extensions in one such header.
 
-
Sec-WebSocket-Extensions: extensions

+```html
+Sec-WebSocket-Extensions: extensions
+```
 
-

- 
extensions

- 
A comma-separated list of extensions to request (or agree to support). These should be selected from the IANA WebSocket Extension Name Registry. Extensions which take parameters do so by using semicolon delineation.

-

+- `extensions`
+  - : A comma-separated list of extensions to request (or agree to support). These should be selected from the [IANA WebSocket Extension Name Registry](https://www.iana.org/assignments/websocket/websocket.xml#extension-name). Extensions which take parameters do so by using semicolon delineation.
 
-
For example:

+For example:
 
-
Sec-WebSocket-Extensions: superspeed, colormode; depth=16

+    Sec-WebSocket-Extensions: superspeed, colormode; depth=16
 
-
{{HTTPHeader("Sec-WebSocket-Key")}}

+#### {{HTTPHeader("Sec-WebSocket-Key")}}
 
-
Provides information to the server which is needed in order to confirm that the client is entitled to request an upgrade to WebSocket. This header can be used when insecure (HTTP) clients wish to upgrade, in order to offer some degree of protection against abuse. The value of the key is computed using an algorithm defined in the WebSocket specification, so this does not provide security. Instead, it helps to prevent non-WebSocket clients from inadvertently, or through misuse, requesting a WebSocket connection. In essence, then, this key confirms that "Yes, I really mean to open a WebSocket connection."

+Provides information to the server which is needed in order to confirm that the client is entitled to request an upgrade to WebSocket. This header can be used when insecure (HTTP) clients wish to upgrade, in order to offer some degree of protection against abuse. The value of the key is computed using an algorithm defined in the WebSocket specification, so this _does not provide security_. Instead, it helps to prevent non-WebSocket clients from inadvertently, or through misuse, requesting a WebSocket connection. In essence, then, this key confirms that "Yes, I really mean to open a WebSocket connection."
 
-
This header is automatically added by clients that choose to use it; it cannot be added using the {{domxref("XMLHttpRequest.setRequestHeader()")}} method.

+This header is automatically added by clients that choose to use it; it cannot be added using the {{domxref("XMLHttpRequest.setRequestHeader()")}} method.
 
-
Sec-WebSocket-Key: key

+```html
+Sec-WebSocket-Key: key
+```
 
-

- 
key

- 
The key for this request to upgrade. The client adds this if it wishes to do so, and the server will include in the response a key of its own, which the client will validate before delivering the upgrade response to you.

-

+- `key`
+  - : The key for this request to upgrade. The client adds this if it wishes to do so, and the server will include in the response a key of its own, which the client will validate before delivering the upgrade response to you.
 
-
The server's response's {{HTTPHeader("Sec-WebSocket-Accept")}} header will have a value computed based upon the specified key.

+The server's response's {{HTTPHeader("Sec-WebSocket-Accept")}} header will have a value computed based upon the specified `key`.
 
-
{{HTTPHeader("Sec-WebSocket-Protocol")}}

+#### {{HTTPHeader("Sec-WebSocket-Protocol")}}
 
-
The Sec-WebSocket-Protocol header specifies one or more WebSocket protocols that you wish to use, in order of preference. The first one that is supported by the server will be selected and returned by the server in a Sec-WebSocket-Protocol header included in the response. You can use this more than once in the header, as well; the result is the same as if you used a comma-delineated list of subprotocol identifiers in a single header.

+The `Sec-WebSocket-Protocol` header specifies one or more WebSocket protocols that you wish to use, in order of preference. The first one that is supported by the server will be selected and returned by the server in a `Sec-WebSocket-Protocol` header included in the response. You can use this more than once in the header, as well; the result is the same as if you used a comma-delineated list of subprotocol identifiers in a single header.
 
-
Sec-WebSocket-Protocol: subprotocols

+```html
+Sec-WebSocket-Protocol: subprotocols
+```
 
-

- 
subprotocols

- 
A comma-separated list of subprotocol names, in the order of preference. The subprotocols may be selected from the IANA WebSocket Subprotocol Name Registry or may be a custom name jointly understood by the client and the server.

-

+- `subprotocols`
+  - : A comma-separated list of subprotocol names, in the order of preference. The subprotocols may be selected from the [IANA WebSocket Subprotocol Name Registry](https://www.iana.org/assignments/websocket/websocket.xml#subprotocol-name) or may be a custom name jointly understood by the client and the server.
 
-
{{HTTPHeader("Sec-WebSocket-Version")}}

+#### {{HTTPHeader("Sec-WebSocket-Version")}}
 
-
Request header

+##### Request header
 
-
Specifies the WebSocket protocol version the client wishes to use, so the server can confirm whether or not that version is supported on its end.

+Specifies the WebSocket protocol version the client wishes to use, so the server can confirm whether or not that version is supported on its end.
 
-
Sec-WebSocket-Version: version

+```html
+Sec-WebSocket-Version: version
+```
 
-

- 
version

- 
The WebSocket protocol version the client wishes to use when communicating with the server. This number should be the most recent version possible listed in the IANA WebSocket Version Number Registry. The most recent final version of the WebSocket protocol is version 13.

-

+- `version`
+  - : The WebSocket protocol version the client wishes to use when communicating with the server. This number should be the most recent version possible listed in the [IANA WebSocket Version Number Registry](https://www.iana.org/assignments/websocket/websocket.xml#version-number). The most recent final version of the WebSocket protocol is version 13.
 
-
Response header

+##### Response header
 
-
If the server can't communicate using the specified version of the WebSocket protocol, it will respond with an error (such as 426 Upgrade Required) that includes in its headers a Sec-WebSocket-Version header with a comma-separated list of the supported protocol versions. If the server does support the requested protocol version, no Sec-WebSocket-Version header is included in the response.

+If the server can't communicate using the specified version of the WebSocket protocol, it will respond with an error (such as 426 Upgrade Required) that includes in its headers a `Sec-WebSocket-Version` header with a comma-separated list of the supported protocol versions. If the server does support the requested protocol version, no `Sec-WebSocket-Version` header is included in the response.
 
-
Sec-WebSocket-Version: supportedVersions

+```html
+Sec-WebSocket-Version: supportedVersions
+```
 
-

- 
supportedVersions

- 
A comma-delineated list of the WebSocket protocol versions supported by the server.

-

+- `supportedVersions`
+  - : A comma-delineated list of the WebSocket protocol versions supported by the server.
 
-
Response-only headers

+### Response-only headers
 
-
The response from the server may include these.

+The response from the server may include these.
 
-
{{HTTPHeader("Sec-WebSocket-Accept")}}

+#### {{HTTPHeader("Sec-WebSocket-Accept")}}
 
-
Included in the response message from the server during the opening handshake process when the server is willing to initiate a WebSocket connection. It will appear no more than once in the response headers.

+Included in the response message from the server during the opening handshake process when the server is willing to initiate a WebSocket connection. It will appear no more than once in the response headers.
 
-
Sec-WebSocket-Accept: hash

+```html
+Sec-WebSocket-Accept: hash
+```
 
-

- 
hash

- 
If a {{HTTPHeader("Sec-WebSocket-Key")}} header was provided, the value of this header is computed by taking the value of the key, concatenating the string "258EAFA5-E914-47DA-95CA-C5AB0DC85B11" to it, taking the {{interwiki("wikipedia", "SHA-1")}} hash of that concatenated string, resulting in a 20-byte value. That value is then base64 encoded to obtain the value of this property.

-

+- `hash`
+  - : If a {{HTTPHeader("Sec-WebSocket-Key")}} header was provided, the value of this header is computed by taking the value of the key, concatenating the string "258EAFA5-E914-47DA-95CA-C5AB0DC85B11" to it, taking the {{interwiki("wikipedia", "SHA-1")}} hash of that concatenated string, resulting in a 20-byte value. That value is then [base64](/en-US/docs/Glossary/Base64) encoded to obtain the value of this property.
 
-
References

+## References
 
-
    
- 
  • WebSocket API
    • 
- 
  • HTTP
    • 
- 
  • Specifications and RFCs:
-  
      
-   
    • {{RFC(7230)}}
      • 
-   
    • {{RFC(6455)}}
      • 
-   
    • {{RFC(7540)}}
      • 
-  
    
- 
    • 
-

+- [WebSocket API](/en-US/docs/Web/API/WebSocket)
+- [HTTP](/en-US/docs/Web/HTTP)
+- Specifications and RFCs:
+
+  - {{RFC(7230)}}
+  - {{RFC(6455)}}
+  - {{RFC(7540)}}
diff --git a/files/en-us/web/http/proxy_servers_and_tunneling/index.md b/files/en-us/web/http/proxy_servers_and_tunneling/index.md
index f3d065783189435..d46430f190f5b5c 100644
--- a/files/en-us/web/http/proxy_servers_and_tunneling/index.md
+++ b/files/en-us/web/http/proxy_servers_and_tunneling/index.md
@@ -7,91 +7,87 @@ tags:
   - Proxies
   - Proxy
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
When navigating through different networks of the Internet, proxy servers and HTTP tunnels are facilitating access to content on the World Wide Web. A proxy can be on the user's local computer, or anywhere between the user's computer and a destination server on the Internet. This page outlines some basics about proxies and introduces a few configuration options.

+When navigating through different networks of the Internet, proxy servers and HTTP tunnels are facilitating access to content on the World Wide Web. A proxy can be on the user's local computer, or anywhere between the user's computer and a destination server on the Internet. This page outlines some basics about proxies and introduces a few configuration options.
 
-
There are two types of proxies: forward proxies (or tunnel, or gateway) and reverse proxies (used to control and protect access to a server for load-balancing, authentication, decryption or caching).

+There are two types of proxies: **forward proxies** (or tunnel, or gateway) and **reverse proxies** (used to control and protect access to a server for load-balancing, authentication, decryption or caching).
 
-
Forward proxies

+## Forward proxies
 
-
A forward proxy, or gateway, or just "proxy" provides proxy services to a client or a group of clients. There are likely hundreds of thousands of open forward proxies on the Internet. They store and forward Internet services (like the DNS, or web pages) to reduce and control the bandwidth used by the group.

+A forward proxy, or gateway, or just "proxy" provides proxy services to a client or a group of clients. There are likely hundreds of thousands of open forward proxies on the Internet. They store and forward Internet services (like the DNS, or web pages) to reduce and control the bandwidth used by the group.
 
-
Forward proxies can also be anonymous proxies and allow users to hide their IP address while browsing the Web or using other Internet services. TOR (The Onion Router), routes internet traffic through multiple proxies for anonymity.

+Forward proxies can also be anonymous proxies and allow users to hide their IP address while browsing the Web or using other Internet services. [TOR](https://www.torproject.org/) (The Onion Router), routes internet traffic through multiple proxies for anonymity.
 
-
Reverse proxies

+## Reverse proxies
 
-
As the name implies, a reverse proxy does the opposite of what a forward proxy does: A forward proxy acts on behalf of clients (or requesting hosts). Forward proxies can hide the identities of clients whereas reverse proxies can hide the identities of servers. Reverse proxies have several use cases, a few are:

+As the name implies, a reverse proxy does the opposite of what a forward proxy does: A forward proxy acts on behalf of clients (or requesting hosts). Forward proxies can hide the identities of clients whereas reverse proxies can hide the identities of servers. Reverse proxies have several use cases, a few are:
 
-
    
- 
  • Load balancing: distribute the load to several web servers,
    • 
- 
  • Cache static content: offload the web servers by caching static content like pictures,
    • 
- 
  • Compression: compress and optimize content to speed up load time.
    • 
-

+- Load balancing: distribute the load to several web servers,
+- Cache static content: offload the web servers by caching static content like pictures,
+- Compression: compress and optimize content to speed up load time.
 
-
Forwarding client information through proxies

+## Forwarding client information through proxies
 
-
Proxies can make requests appear as if they originated from the proxy's IP address. This can be useful if a proxy is used to provide client anonymity, but in other cases information from the original request is lost. The IP address of the original client is often used for debugging, statistics, or generating location-dependent content. A common way to disclose this information is by using the following HTTP headers:

+Proxies can make requests appear as if they originated from the proxy's IP address. This can be useful if a proxy is used to provide client anonymity, but in other cases information from the original request is lost. The IP address of the original client is often used for debugging, statistics, or generating location-dependent content. A common way to disclose this information is by using the following HTTP headers:
 
-
The standardized header:

+The standardized header:
 
-

- 
{{HTTPHeader("Forwarded")}}

- 
Contains information from the client-facing side of proxy servers that is altered or lost when a proxy is involved in the path of the request.

-

+- {{HTTPHeader("Forwarded")}}
+  - : Contains information from the client-facing side of proxy servers that is altered or lost when a proxy is involved in the path of the request.
 
-
Or the de-facto standard versions:

+Or the de-facto standard versions:
 
-

- 
{{HTTPHeader("X-Forwarded-For")}} {{non-standard_inline}}

- 
Identifies the originating IP addresses of a client connecting to a web server through an HTTP proxy or a load balancer.

- 
{{HTTPHeader("X-Forwarded-Host")}} {{non-standard_inline}}

- 
Identifies the original host requested that a client used to connect to your proxy or load balancer.

- 
{{HTTPHeader("X-Forwarded-Proto")}} {{non-standard_inline}}

- 
identifies the protocol (HTTP or HTTPS) that a client used to connect to your proxy or load balancer.

-

+- {{HTTPHeader("X-Forwarded-For")}} {{non-standard_inline}}
+  - : Identifies the originating IP addresses of a client connecting to a web server through an HTTP proxy or a load balancer.
+- {{HTTPHeader("X-Forwarded-Host")}} {{non-standard_inline}}
+  - : Identifies the original host requested that a client used to connect to your proxy or load balancer.
+- {{HTTPHeader("X-Forwarded-Proto")}} {{non-standard_inline}}
+  - : identifies the protocol (HTTP or HTTPS) that a client used to connect to your proxy or load balancer.
 
-
To provide information about the proxy itself (not about the client connecting to it), the Via header can be used.

+To provide information about the proxy itself (not about the client connecting to it), the `Via` header can be used.
 
-

- 
{{HTTPHeader("Via")}}

- 
Added by proxies, both forward and reverse proxies, and can appear in the request headers and the response headers.

-

+- {{HTTPHeader("Via")}}
+  - : Added by proxies, both forward and reverse proxies, and can appear in the request headers and the response headers.
 
-
HTTP tunneling

+## HTTP tunneling
 
-
Tunneling transmits private network data and protocol information through public network by encapsulating the data. HTTP tunneling is using a protocol of higher level (HTTP) to transport a lower level protocol (TCP).

+Tunneling transmits private network data and protocol information through public network by encapsulating the data. HTTP tunneling is using a protocol of higher level (HTTP) to transport a lower level protocol (TCP).
 
-
The HTTP protocol specifies a request method called {{HTTPMethod("CONNECT")}}. It starts two-way communications with the requested resource and can be used to open a tunnel. This is how a client behind an HTTP proxy can access websites using SSL (i.e. HTTPS, port 443). Note, however, that not all proxy servers support the CONNECT method or limit it to port 443 only.

+The HTTP protocol specifies a request method called {{HTTPMethod("CONNECT")}}. It starts two-way communications with the requested resource and can be used to open a tunnel. This is how a client behind an HTTP proxy can access websites using SSL (i.e. HTTPS, port 443). Note, however, that not all proxy servers support the `CONNECT` method or limit it to port 443 only.
 
-
See also the HTTP tunnel article on Wikipedia.

+See also the [HTTP tunnel article on Wikipedia](https://en.wikipedia.org/wiki/HTTP_tunnel).
 
-
Proxy Auto-Configuration (PAC)

+## Proxy Auto-Configuration (PAC)
 
-
A Proxy Auto-Configuration (PAC) file is a JavaScript function that determines whether web browser requests (HTTP, HTTPS, and FTP) go directly to the destination or are forwarded to a web proxy server. The JavaScript function contained in the PAC file defines the function:

+A [Proxy Auto-Configuration (PAC)](/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file) file is a [JavaScript](/en-US/docs/Web/JavaScript) function that determines whether web browser requests (HTTP, HTTPS, and FTP) go directly to the destination or are forwarded to a web proxy server. The JavaScript function contained in the PAC file defines the function:
 
-
The auto-config file should be saved to a file with a .pac filename extension:

+The auto-config file should be saved to a file with a `.pac` filename extension:
 
-
proxy.pac

+```html
+proxy.pac
+```
 
-
And the MIME type set to:

+And the MIME type set to:
 
-
application/x-ns-proxy-autoconfig

+```html
+application/x-ns-proxy-autoconfig
+```
 
-
The file consists of a function called FindProxyForURL. The example below will work in an environment where the internal DNS server is set up so that it can only resolve internal host names, and the goal is to use a proxy only for hosts that aren't resolvable:

+The file consists of a function called `FindProxyForURL`. The example below will work in an environment where the internal DNS server is set up so that it can only resolve internal host names, and the goal is to use a proxy only for hosts that aren't resolvable:
 
-
function FindProxyForURL(url, host) {
+```js
+function FindProxyForURL(url, host) {
   if (isResolvable(host))
     return "DIRECT";
   else
     return "PROXY proxy.mydomain.com:8080";
-}

+}
+```
 
-
See Proxy Auto-Configuration (PAC) for more examples.

+See [Proxy Auto-Configuration (PAC)](/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file) for more examples.
 
-
See also

+## See also
 
-
+- {{HTTPMethod("CONNECT")}}
+- [Proxy server on Wikipedia](https://en.wikipedia.org/wiki/Proxy_server)
diff --git a/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md b/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md
index 0f75409bc61c965..a041c51eb72e6ef 100644
--- a/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md
+++ b/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md
@@ -7,471 +7,461 @@ tags:
   - PAC
   - Proxy
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
A Proxy Auto-Configuration (PAC) file is a JavaScript function that determines whether web browser requests (HTTP, HTTPS, and FTP) go directly to the destination or are forwarded to a web proxy server. The JavaScript function contained in the PAC file defines the function:

+A **Proxy Auto-Configuration (PAC)** file is a JavaScript function that determines whether web browser requests (HTTP, HTTPS, and FTP) go directly to the destination or are forwarded to a web proxy server. The JavaScript function contained in the PAC file defines the function:
 
-
function FindProxyForURL(url, host) {
+```js
+function FindProxyForURL(url, host) {
   // ...
-}

+}
+```
+
+## Syntax
+
+```js
+function FindProxyForURL(url, host)
+```
+
+### Parameters
+
+- `url`
+  - : The URL being accessed. The path and query components of `https://` URLs are stripped. In Chrome (versions 52 to 73), you can disable this by setting `PacHttpsUrlStrippingEnabled` to `false` in policy or by launching with the `--unsafe-pac-url` command-line flag (in Chrome 74, only the flag works, and from 75 onward, there is no way to disable path-stripping; as of Chrome 81, path-stripping does not apply to HTTP URLs, but there is interest in changing this behavior to match HTTPS); in Firefox, the preference is `network.proxy.autoconfig_url.include_path`.
+- `host`
+  - : The hostname extracted from the URL. This is only for convenience; it is the same string as between `://` and the first `:` or `/` after that. The port number is not included in this parameter. It can be extracted from the URL when necessary.
+
+## Description
+
+Returns a string describing the configuration. The format of this string is defined in **return value format** below.
+
+### Return value format
+
+- The JavaScript function returns a single string
+- If the string is null, no proxies should be used
+- The string can contain any number of the following building blocks, separated by a semicolon:
+
+
+
+- `DIRECT`
+  - : Connections should be made directly, without any proxies
+- `PROXY host:port`
+  - : The specified proxy should be used
+- `SOCKS host:port`
+  - : The specified SOCKS server should be used
+
+Recent versions of Firefox support as well:
+
+- `HTTP host:port`
+  - : The specified proxy should be used
+- `HTTPS host:port`
+  - : The specified HTTPS proxy should be used
+- `SOCKS4 host:port`, `SOCKS5 host:port`
+  - : The specified SOCKS server (with the specified SOCK version) should be used
+
+If there are multiple semicolon-separated settings, the left-most setting will be used, until Firefox fails to establish the connection to the proxy. In that case, the next value will be used, etc.
+
+The browser will automatically retry a previously unresponsive proxy after 30 minutes. Additional attempts will continue beginning at one hour, always adding 30 minutes to the elapsed time between attempts.
+
+If all proxies are down, and there was no DIRECT option specified, the browser will ask if proxies should be temporarily ignored, and direct connections attempted. After 20 minutes, the browser will ask if proxies should be retried, asking again after an additional 40 minutes. Queries will continue, always adding 20 minutes to the elapsed time between queries.
+
+#### Examples
+
+- `PROXY w3proxy.netscape.com:8080; PROXY mozilla.netscape.com:8081`
+  - : Primary proxy is w3proxy:8080; if that goes down start using mozilla:8081 until the primary proxy comes up again.
+- `PROXY w3proxy.netscape.com:8080; PROXY mozilla.netscape.com:8081; DIRECT`
+  - : Same as above, but if both proxies go down, automatically start making direct connections. (In the first example above, Netscape will ask user confirmation about making direct connections; in this case, there is no user intervention.)
+- `PROXY w3proxy.netscape.com:8080; SOCKS socks:1080`
+  - : Use SOCKS if the primary proxy goes down.
+
+The auto-config file should be saved to a file with a .pac filename extension:
+
+```html
+proxy.pac
+```
+
+And the MIME type should be set to:
+
+```html
+application/x-ns-proxy-autoconfig
+```
+
+Next, you should configure your server to map the .pac filename extension to the MIME type.
+
+> **Note:**
+>
+> - The JavaScript function should always be saved to a file by itself but not be embedded in a HTML file or any other file.
+> - The examples at the end of this document are complete. There is no additional syntax needed to save it into a file and use it. (Of course, the JavaScripts must be edited to reflect your site's domain name and/or subnets.)
+
+## Predefined functions and environment
+
+These functions can be used in building the PAC file:
+
+- Hostname based conditions
+
+  - [`isPlainHostName()`](#isplainhostname)
+  - [`dnsDomainIs()`](#dnsdomainis)
+  - [`localHostOrDomainIs()`](#localhostordomainis)
+  - [`isResolvable()`](#isresolvable)
+  - [`isInNet()`](#isinnet)
+
+- Related utility functions
+
+  - [`dnsResolve()`](#dnsresolve)
+  - [`convert_addr()`](#convert_addr)
+  - [`myIpAddress()`](#myipaddress)
+  - [`dnsDomainLevels()`](#dnsdomainlevels)
+
+- URL/hostname based conditions
+
+  - [`shExpMatch()`](#shexpmatch)
+
+- Time based conditions
+
+  - [`weekdayRange()`](#weekdayrange)
+  - [`dateRange()`](#daterange)
+  - [`timeRange()`](#timerange)
+
+- Logging utility
 
-
Syntax

-
-
function FindProxyForURL(url, host)

-
-
Parameters

-
-

- 
url

- 
The URL being accessed. The path and query components of https:// URLs are stripped. In Chrome (versions 52 to 73), you can disable this by setting PacHttpsUrlStrippingEnabled to false in policy or by launching with the --unsafe-pac-url command-line flag (in Chrome 74, only the flag works, and from 75 onward, there is no way to disable path-stripping; as of Chrome 81, path-stripping does not apply to HTTP URLs, but there is interest in changing this behavior to match HTTPS); in Firefox, the preference is network.proxy.autoconfig_url.include_path.

- 
host

- 
The hostname extracted from the URL. This is only for convenience; it is the same string as between :// and the first : or / after that. The port number is not included in this parameter. It can be extracted from the URL when necessary.

-

-
-
Description

-
-
Returns a string describing the configuration. The format of this string is defined in return value format below.

-
-
Return value format

-
-
    
- 
  • The JavaScript function returns a single string
    • 
- 
  • If the string is null, no proxies should be used
    • 
- 
  • The string can contain any number of the following building blocks, separated by a semicolon:
    • 
-

-
-

- 
DIRECT

- 
Connections should be made directly, without any proxies

- 
PROXY host:port

- 
The specified proxy should be used

- 
SOCKS host:port

- 
The specified SOCKS server should be used

-

-
-
Recent versions of Firefox support as well:

-
-

- 
HTTP host:port

- 
The specified proxy should be used

- 
HTTPS host:port

- 
The specified HTTPS proxy should be used

- 
SOCKS4 host:port, SOCKS5 host:port

- 
The specified SOCKS server (with the specified SOCK version) should be used

-

-
-
If there are multiple semicolon-separated settings, the left-most setting will be used, until Firefox fails to establish the connection to the proxy. In that case, the next value will be used, etc.

-
-
The browser will automatically retry a previously unresponsive proxy after 30 minutes. Additional attempts will continue beginning at one hour, always adding 30 minutes to the elapsed time between attempts.

-
-
If all proxies are down, and there was no DIRECT option specified, the browser will ask if proxies should be temporarily ignored, and direct connections attempted. After 20 minutes, the browser will ask if proxies should be retried, asking again after an additional 40 minutes. Queries will continue, always adding 20 minutes to the elapsed time between queries.

-
-
Examples

-
-

- 
PROXY w3proxy.netscape.com:8080; PROXY mozilla.netscape.com:8081

- 
Primary proxy is w3proxy:8080; if that goes down start using mozilla:8081 until the primary proxy comes up again.

- 
PROXY w3proxy.netscape.com:8080; PROXY mozilla.netscape.com:8081; DIRECT

- 
Same as above, but if both proxies go down, automatically start making direct connections. (In the first example above, Netscape will ask user confirmation about making direct connections; in this case, there is no user intervention.)

- 
PROXY w3proxy.netscape.com:8080; SOCKS socks:1080

- 
Use SOCKS if the primary proxy goes down.

-

-
-
The auto-config file should be saved to a file with a .pac filename extension:

-
-
proxy.pac

-
-
And the MIME type should be set to:

-
-
application/x-ns-proxy-autoconfig

-
-
Next, you should configure your server to map the .pac filename extension to the MIME type.

-
-

-  
Note:

-
    
- 
  • The JavaScript function should always be saved to a file by itself but not be embedded in a HTML file or any other file.
    • 
- 
  • The examples at the end of this document are complete. There is no additional syntax needed to save it into a file and use it. (Of course, the JavaScripts must be edited to reflect your site's domain name and/or subnets.)
    • 
-

-

-
-
Predefined functions and environment

-
-
These functions can be used in building the PAC file:

-
-
-
-

-  
Note: pactester (part of the pacparser package) was used to test the following syntax examples.

-  
    
-    
  • The PAC file is named proxy.pac
    • 
-    
  • Command line: pactester -p ~/pacparser-master/tests/proxy.pac -u http://www.mozilla.org (passes the host parameter www.mozilla.org and the url parameter http://www.mozilla.org)
    • 
-  

-

-
-
isPlainHostName()

-
-
Syntax

-
-
isPlainHostName(host)

-
-
Parameters

-
-

- 
host

- 
The hostname from the URL (excluding port number).

-

-
-
Description

-
-
True if and only if there is no domain name in the hostname (no dots).

-
-
Examples

-
-
isPlainHostName("www.mozilla.org") // false
+  - [`alert()`](#alert)
+
+- There was one associative array (object) already defined, because at the time JavaScript code was unable to define it by itself:
+
+  - `ProxyConfig.bindings` {{deprecated_inline}}
+
+> **Note:** pactester (part of the [pacparser ](https://github.com/pacparser/pacparser)package) was used to test the following syntax examples.
+>
+> - The PAC file is named `proxy.pac`
+> - Command line: `pactester -p ~/pacparser-master/tests/proxy.pac -u http://www.mozilla.org` (passes the `host` parameter `www.mozilla.org` and the `url` parameter `http://www.mozilla.org`)
+
+### isPlainHostName()
+
+#### Syntax
+
+```js
+isPlainHostName(host)
+```
+
+#### Parameters
+
+- host
+  - : The hostname from the URL (excluding port number).
+
+#### Description
+
+True if and only if there is no domain name in the hostname (no dots).
+
+#### Examples
+
+```js
+isPlainHostName("www.mozilla.org") // false
 isPlainHostName("www") // true
-

+```
 
-
dnsDomainIs()

+### `dnsDomainIs()`
 
-
Syntax

+#### Syntax
 
-
dnsDomainIs(host, domain)

+```js
+dnsDomainIs(host, domain)
+```
 
-
Parameters

+#### Parameters
 
-

- 
host

- 
Is the hostname from the URL.

- 
domain

- 
Is the domain name to test the hostname against.

-

+- host
+  - : Is the hostname from the URL.
+- domain
+  - : Is the domain name to test the hostname against.
 
-
Description

+#### Description
 
-
Returns true if and only if the domain of hostname matches.

+Returns true if and only if the domain of hostname matches.
 
-
Examples

+#### Examples
 
-
dnsDomainIs("www.mozilla.org", ".mozilla.org") // true
+```js
+dnsDomainIs("www.mozilla.org", ".mozilla.org") // true
 dnsDomainIs("www", ".mozilla.org") // false
-

+```
 
-
localHostOrDomainIs()

+### localHostOrDomainIs()
 
-
Syntax

+#### Syntax
 
-
localHostOrDomainIs(host, hostdom)

+```js
+localHostOrDomainIs(host, hostdom)
+```
 
-
Parameters

+#### Parameters
 
-

- 
host

- 
The hostname from the URL.

- 
hostdom

- 
Fully qualified hostname to match against.

-

+- host
+  - : The hostname from the URL.
+- hostdom
+  - : Fully qualified hostname to match against.
 
-
Description

+#### Description
 
-
Is true if the hostname matches exactly the specified hostname, or if there is no domain name part in the hostname, but the unqualified hostname matches.

+Is true if the hostname matches _exactly_ the specified hostname, or if there is no domain name part in the hostname, but the unqualified hostname matches.
 
-
Examples

+#### Examples
 
-
localHostOrDomainIs("www.mozilla.org" , "www.mozilla.org") // true (exact match)
+```js
+localHostOrDomainIs("www.mozilla.org" , "www.mozilla.org") // true (exact match)
 localHostOrDomainIs("www"             , "www.mozilla.org") // true (hostname match, domain not specified)
 localHostOrDomainIs("www.google.com"  , "www.mozilla.org") // false (domain name mismatch)
-localHostOrDomainIs("home.mozilla.org", "www.mozilla.org") // false (hostname mismatch)

+localHostOrDomainIs("home.mozilla.org", "www.mozilla.org") // false (hostname mismatch)
+```
 
-
isResolvable()

+### isResolvable()
 
-
Syntax

+#### Syntax
 
-
isResolvable(host)

+```js
+isResolvable(host)
+```
 
-
Parameters

+#### Parameters
 
-

- 
host

- 
is the hostname from the URL.

-

+- host
+  - : is the hostname from the URL.
 
-
Tries to resolve the hostname. Returns true if succeeds.

+Tries to resolve the hostname. Returns true if succeeds.
 
-
Examples:

+#### Examples:
 
-
isResolvable("www.mozilla.org") // true
-

+```js
+isResolvable("www.mozilla.org") // true
+```
 
-
isInNet()

+### isInNet()
 
-
Syntax

+#### Syntax
 
-
isInNet(host, pattern, mask)

+```js
+isInNet(host, pattern, mask)
+```
 
-
Parameters

+#### Parameters
 
-

- 
host

- 
a DNS hostname, or IP address. If a hostname is passed, it will be resolved into an IP address by this function.

- 
pattern

- 
an IP address pattern in the dot-separated format.

- 
mask

- 
mask for the IP address pattern informing which parts of the IP address should be matched against. 0 means ignore, 255 means match.

-

+- host
+  - : a DNS hostname, or IP address. If a hostname is passed, it will be resolved into an IP address by this function.
+- pattern
+  - : an IP address pattern in the dot-separated format.
+- mask
+  - : mask for the IP address pattern informing which parts of the IP address should be matched against. 0 means ignore, 255 means match.
 
-
True if and only if the IP address of the host matches the specified IP address pattern.

+True if and only if the IP address of the host matches the specified IP address pattern.
 
-
Pattern and mask specification is done the same way as for SOCKS configuration.

+Pattern and mask specification is done the same way as for SOCKS configuration.
 
-
Examples:

+#### Examples:
 
-
function alert_eval(str) { alert(str + ' is ' + eval(str)) }
+```js
+function alert_eval(str) { alert(str + ' is ' + eval(str)) }
 function FindProxyForURL(url, host) {
   alert_eval('isInNet(host, "63.245.213.24", "255.255.255.255")')
   // "PAC-alert: isInNet(host, "63.245.213.24", "255.255.255.255") is true"
 }
-

+```
 
-
dnsResolve()

+### dnsResolve()
 
-
dnsResolve(host)

+```js
+dnsResolve(host)
+```
 
-
Parameters

+#### Parameters
 
-

- 
host

- 
hostname to resolve.

-

+- host
+  - : hostname to resolve.
 
-
Resolves the given DNS hostname into an IP address, and returns it in the dot-separated format as a string.

+Resolves the given DNS hostname into an IP address, and returns it in the dot-separated format as a string.
 
-
Example

+#### Example
 
-
dnsResolve("www.mozilla.org"); // returns the string "104.16.41.2"

+```js
+dnsResolve("www.mozilla.org"); // returns the string "104.16.41.2"
+```
 
-
convert_addr()

+### convert_addr()
 
-
Syntax

+#### Syntax
 
-
convert_addr(ipaddr)

+```js
+convert_addr(ipaddr)
+```
 
-
Parameters

+#### Parameters
 
-

- 
ipaddr

- 
Any dotted address such as an IP address or mask.

-

+- ipaddr
+  - : Any dotted address such as an IP address or mask.
 
-
Concatenates the four dot-separated bytes into one 4-byte word and converts it to decimal.

+Concatenates the four dot-separated bytes into one 4-byte word and converts it to decimal.
 
-
Example

+#### Example
 
-
convert_addr("104.16.41.2"); // returns the decimal number 1745889538

+```js
+convert_addr("104.16.41.2"); // returns the decimal number 1745889538
+```
 
-
myIpAddress()

+### myIpAddress()
 
-
Syntax

+#### Syntax
 
-
myIpAddress()

+```js
+myIpAddress()
+```
 
-
Parameters

+#### Parameters
 
-
(none)

+**(none)**
 
-
Returns the server IP address of the machine Firefox is running on, as a string in the dot-separated integer format.

+Returns the server IP address of the machine Firefox is running on, as a string in the dot-separated integer format.
 
-

-  
Warning: myIpAddress() returns the same IP address as the server address returned by nslookup localhost on a Linux machine. It does not return the public IP address.

-

+> **Warning:** myIpAddress() returns the same IP address as the server address returned by **`nslookup localhost`** on a Linux machine. It does not return the public IP address.
 
-
Example

+#### Example
 
-
myIpAddress() //returns the string "127.0.1.1" if you were running Firefox on that localhost

+```js
+myIpAddress() //returns the string "127.0.1.1" if you were running Firefox on that localhost
+```
 
-
dnsDomainLevels()

+### dnsDomainLevels()
 
-
Syntax

+#### Syntax
 
-
dnsDomainLevels(host)

+```js
+dnsDomainLevels(host)
+```
 
-
Parameters

+#### Parameters
 
-

- 
host

- 
is the hostname from the URL.

-

+- host
+  - : is the hostname from the URL.
 
-
Returns the number (integer) of DNS domain levels (number of dots) in the hostname.

+Returns the number (integer) of DNS domain levels (number of dots) in the hostname.
 
-
Examples:

+#### Examples:
 
-
dnsDomainLevels("www");             // 0
+```js
+dnsDomainLevels("www");             // 0
 dnsDomainLevels("mozilla.org");     // 1
 dnsDomainLevels("www.mozilla.org"); // 2
-

+```
 
-
shExpMatch()

+### shExpMatch()
 
-
Syntax

+#### Syntax
 
-
shExpMatch(str, shexp)

+```js
+shExpMatch(str, shexp)
+```
 
-
Parameters

+#### Parameters
 
-

- 
str

- 
is any string to compare (e.g. the URL, or the hostname).

- 
shexp

- 
is a shell expression to compare against.

-

+- str
+  - : is any string to compare (e.g. the URL, or the hostname).
+- shexp
+  - : is a shell expression to compare against.
 
-
Returns true if the string matches the specified shell glob expression.

+Returns `true` if the string matches the specified shell glob expression.
 
-
Support for particular glob expression syntax varies across browsers:
-  * (match any number of characters) and ? (match one character) are always supported,
-  while [characters] and [^characters] are additionally supported by some implementations (including Firefox).

+Support for particular glob expression syntax varies across browsers:
+`*` (match any number of characters) and `?` (match one character) are always supported,
+while `[characters]` and `[^characters]` are additionally supported by some implementations (including Firefox).
 
-

-  
Note: If supported by the client, JavaScript regular expressions typically provide a more powerful and consistent way to pattern-match URLs (and other strings).

-

+> **Note:** If supported by the client, JavaScript regular expressions typically provide a more powerful and consistent way to pattern-match URLs (and other strings).
 
+#### Examples
 
-
Examples

+```js
+shExpMatch("http://home.netscape.com/people/ari/index.html", "*/ari/*"); // returns true
+shExpMatch("http://home.netscape.com/people/montulli/index.html", "*/ari/*"); // returns false
+```
 
-
shExpMatch("http://home.netscape.com/people/ari/index.html", "*/ari/*"); // returns true
-shExpMatch("http://home.netscape.com/people/montulli/index.html", "*/ari/*"); // returns false

+### weekdayRange()
 
-
weekdayRange()

+#### Syntax
 
-
Syntax

+```js
+weekdayRange(wd1, wd2, [gmt])
+```
 
-
weekdayRange(wd1, wd2, [gmt])

+> **Note:** (Before Firefox 49) wd1 must be less than wd2 if you want the function to evaluate these parameters as a range. See the warning below.
 
-

-  
Note: (Before Firefox 49) wd1 must be less than wd2 if you want the function to evaluate these parameters as a range. See the warning below.

-

+#### Parameters
 
-
Parameters

+- wd1 and wd2
+  - : One of the ordered weekday strings: `"SUN"`, `"MON"`, `"TUE"`, `"WED"`, `"THU"`, `"FRI"`, `"SAT"`
+- gmt
+  - : Is either the string "GMT" or is left out.
 
-

- 
wd1 and wd2

- 
One of the ordered weekday strings: "SUN", "MON", "TUE", "WED", "THU", "FRI", "SAT"
- 
gmt

- 
Is either the string "GMT" or is left out.

-

+Only the first parameter is mandatory. Either the second, the third, or both may be left out.
 
-
Only the first parameter is mandatory. Either the second, the third, or both may be left out.

+If only one parameter is present, the function returns a value of true on the weekday that the parameter represents. If the string "GMT" is specified as a second parameter, times are taken to be in GMT. Otherwise, they are assumed to be in the local timezone.
 
-
If only one parameter is present, the function returns a value of true on the weekday that the parameter represents. If the string "GMT" is specified as a second parameter, times are taken to be in GMT. Otherwise, they are assumed to be in the local timezone.

+If both **wd1** and **wd1** are defined, the condition is true if the current weekday is in between those two _ordered_ weekdays. Bounds are inclusive, _but the bounds are ordered_. If the "GMT" parameter is specified, times are taken to be in GMT. Otherwise, the local timezone is used.
 
-
If both wd1 and wd1 are defined, the condition is true if the current weekday is in between those two ordered weekdays. Bounds are inclusive, but the bounds are ordered. If the "GMT" parameter is specified, times are taken to be in GMT. Otherwise, the local timezone is used.

+> **Warning:** _The order of the days matters_.
+> Before Firefox 49, `weekdayRange("SUN", "SAT")` will always evaluate to `true`.
+> Now `weekdayRange("WED", "SUN")` will only evaluate to `true`
+> if the current day is Wednesday or Sunday.
 
-

-  

-    Warning: The order of the days matters.
-    Before Firefox 49, weekdayRange("SUN", "SAT") will always evaluate to true.
-    Now weekdayRange("WED", "SUN") will only evaluate to true
-    if the current day is Wednesday or Sunday.
-  

-

+#### Examples
 
-
Examples

-
-
weekdayRange("MON", "FRI");        // returns true Monday through Friday (local timezone)
+```js
+weekdayRange("MON", "FRI");        // returns true Monday through Friday (local timezone)
 weekdayRange("MON", "FRI", "GMT"); // returns true Monday through Friday (GMT timezone)
 weekdayRange("SAT");               // returns true on Saturdays local time
 weekdayRange("SAT", "GMT");        // returns true on Saturdays GMT time
-weekdayRange("FRI", "MON");        // returns true Friday and Monday only (note, order does matter!)

+weekdayRange("FRI", "MON");        // returns true Friday and Monday only (note, order does matter!)
+```
 
-
dateRange()

+### dateRange()
 
-
Syntax

+#### Syntax
 
-
dateRange(<day> | <month> | <year>, [gmt])  // ambiguity is resolved by assuming year is greater than 31
-dateRange(<day1>, <day2>, [gmt])
-dateRange(<month1>, <month2>, [gmt])
-dateRange(<year1>, <year2>, [gmt])
-dateRange(<day1>, <month1>, <day2>, <month2>, [gmt])
-dateRange(<month1>, <year1>, <month2>, <year2>, [gmt])
-dateRange(<day1>, <month1>, <year1>, <day2>, <month2>, <year2>, [gmt])

+```js
+dateRange( |  | , [gmt])  // ambiguity is resolved by assuming year is greater than 31
+dateRange(, , [gmt])
+dateRange(, , [gmt])
+dateRange(, , [gmt])
+dateRange(, , , , [gmt])
+dateRange(, , , , [gmt])
+dateRange(, , , , , , [gmt])
+```
 
-

-  
Note: (Before Firefox 49) day1 must be less than day2, month1 must be less than month2, and year1 must be less than year2 if you want the function to evaluate these parameters as a range. See the warning below.

-

+> **Note:** (Before Firefox 49) day1 must be less than day2, month1 must be less than month2, and year1 must be less than year2 if you want the function to evaluate these parameters as a range. See the warning below.
 
-
Parameters

+#### Parameters
 
-

- 
day

- 
Is the ordered day of the month between 1 and 31 (as an integer).

-

+- day
+  - : Is the ordered day of the month between 1 and 31 (as an integer).
 
-
1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31

+```html
+1|2|3|4|5|6|7|8|9|10|11|12|13|14|15|16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31
+```
 
-

- 
month

- 
Is one of the ordered month strings below.

-

+- month
+  - : Is one of the ordered month strings below.
 
-
"JAN"|"FEB"|"MAR"|"APR"|"MAY"|"JUN"|"JUL"|"AUG"|"SEP"|"OCT"|"NOV"|"DEC"

+```html
+"JAN"|"FEB"|"MAR"|"APR"|"MAY"|"JUN"|"JUL"|"AUG"|"SEP"|"OCT"|"NOV"|"DEC"
+```
 
-

- 
year

- 
Is the ordered full year integer number. For example, 2016 (not 16).

- 
gmt

- 
Is either the string "GMT", which makes time comparison occur in GMT timezone, or is left out. If left unspecified, times are taken to be in the local timezone.

-

+- year
+  - : Is the ordered full year integer number. For example, 2016 (**not** 16).
+- gmt
+  - : Is either the string "GMT", which makes time comparison occur in GMT timezone, or is left out. If left unspecified, times are taken to be in the local timezone.
 
-
If only a single value is specified (from each category: day, month, year), the function returns a true value only on days that match that specification. If both values are specified, the result is true between those times, including bounds, but the bounds are ordered.

+If only a single value is specified (from each category: day, month, year), the function returns a true value only on days that match that specification. If both values are specified, the result is true between those times, including bounds, _but the bounds are ordered_.
 
-

-  
Warning: The order of the days, months, and years matter; Before Firefox 49, dateRange("JAN", "DEC") will always evaluate to true. Now dateRange("DEC", "JAN") will only evaluate true if the current month is December or January.

-

+> **Warning:** **The order of the days, months, and years matter**; Before Firefox 49, `dateRange("JAN", "DEC")` will always evaluate to `true`. Now `dateRange("DEC", "JAN")` will only evaluate true if the current month is December or January.
 
-
Examples

+#### Examples
 
-
dateRange(1);            // returns true on the first day of each month, local timezone
+```js
+dateRange(1);            // returns true on the first day of each month, local timezone
 dateRange(1, "GMT")      // returns true on the first day of each month, GMT timezone
 dateRange(1, 15);        // returns true on the first half of each month
 dateRange(24, "DEC");    // returns true on 24th of December each year
@@ -492,131 +482,131 @@ dateRange(1995);
 // returns true during the entire year of 1995
 
 dateRange(1995, 1997);
-// returns true from beginning of year 1995 until the end of year 1997

+// returns true from beginning of year 1995 until the end of year 1997
+```
 
-
timeRange()

+### timeRange()
 
-
Syntax

+#### Syntax
 
-
// The full range of expansions is analogous to dateRange.
-timeRange(<hour1>, <min1>, <sec1>, <hour2>, <min2>, <sec2>, [gmt])

+```html
+// The full range of expansions is analogous to dateRange.
+timeRange(, , , , , , [gmt])
+```
 
-

-  
Note: (Before Firefox 49) the category hour1, min1, sec1 must be less than the category hour2, min2, sec2 if you want the function to evaluate these parameters as a range. See the warning below.

-

+> **Note:** (Before Firefox 49) the category hour1, min1, sec1 must be less than the category hour2, min2, sec2 if you want the function to evaluate these parameters as a range. See the warning below.
 
-
Parameters

+#### Parameters
 
-

- 
hour

- 
Is the hour from 0 to 23. (0 is midnight, 23 is 11 pm.)

- 
min

- 
Minutes from 0 to 59.

- 
sec

- 
Seconds from 0 to 59.

- 
gmt

- 
Either the string "GMT" for GMT timezone, or not specified, for local timezone.

-

+- hour
+  - : Is the hour from 0 to 23. (0 is midnight, 23 is 11 pm.)
+- min
+  - : Minutes from 0 to 59.
+- sec
+  - : Seconds from 0 to 59.
+- gmt
+  - : Either the string "GMT" for GMT timezone, or not specified, for local timezone.
 
-
If only a single value is specified (from each category: hour, minute, second), the function returns a true value only at times that match that specification. If both values are specified, the result is true between those times, including bounds, but the bounds are ordered.

+If only a single value is specified (from each category: hour, minute, second), the function returns a true value only at times that match that specification. If both values are specified, the result is true between those times, including bounds, _but the bounds are ordered_.
 
-

-  
Warning: The order of the hour, minute, second matter; Before Firefox 49, timeRange(0, 23) will always evaluate to true. Now timeRange(23, 0) will only evaluate true if the current hour is 23:00 or midnight.

-

+> **Warning:** **The order of the hour, minute, second matter**; Before Firefox 49, `timeRange(0, 23)` will always evaluate to true. Now `timeRange(23, 0)` will only evaluate true if the current hour is 23:00 or midnight.
 
-
Examples

+#### Examples
 
-
timerange(12);                // returns true from noon to 1pm
+```js
+timerange(12);                // returns true from noon to 1pm
 timerange(12, 13);            // returns true from noon to 1pm
 timerange(12, "GMT");         // returns true from noon to 1pm, in GMT timezone
 timerange(9, 17);             // returns true from 9am to 5pm
 timerange(8, 30, 17, 00);     // returns true from 8:30am to 5:00pm
-timerange(0, 0, 0, 0, 0, 30); // returns true between midnight and 30 seconds past midnight

+timerange(0, 0, 0, 0, 0, 30); // returns true between midnight and 30 seconds past midnight
+```
 
-
alert()

+### alert()
 
-
Syntax

+#### Syntax
 
-
+```html
 alert(message)
-

+```
 
-
Parameters

+#### Parameters
 
-

- 
message

- 
The string to log

-

+- message
+  - : The string to log
 
-
Logs the message in the browser console.

+Logs the message in the browser console.
 
-
Examples

+#### Examples
 
-
alert(host + " = " + dnsResolve(host));            // logs the host name and its IP address
-alert("Error: shouldn't reach this clause.");      // log a simple message

+```js
+alert(host + " = " + dnsResolve(host));            // logs the host name and its IP address
+alert("Error: shouldn't reach this clause.");      // log a simple message
+```
 
-
Example 1

+## Example 1
 
-
Use proxy for everything except local hosts

+### Use proxy for everything except local hosts
 
-

-  
Note: Since all of the examples that follow are very specific, they have not been tested.

-

+> **Note:** Since all of the examples that follow are very specific, they have not been tested.
 
-
All hosts which aren't fully qualified, or the ones that are in local domain, will be connected to directly. Everything else will go through w3proxy.mozilla.org:8080. If the proxy goes down, connections become direct automatically:

+All hosts which aren't fully qualified, or the ones that are in local domain, will be connected to directly. Everything else will go through `w3proxy.mozilla.org:8080`. If the proxy goes down, connections become direct automatically:
 
-
function FindProxyForURL(url, host) {
+```js
+function FindProxyForURL(url, host) {
   if (isPlainHostName(host) || dnsDomainIs(host, ".mozilla.org")) {
     return "DIRECT";
   } else {
     return "PROXY w3proxy.mozilla.org:8080; DIRECT";
   }
-}

+}
+```
 
-

-  
Note: This is the simplest and most efficient autoconfig file for cases where there's only one proxy.

-

+> **Note:** This is the simplest and most efficient autoconfig file for cases where there's only one proxy.
 
-
Example 2

+## Example 2
 
-
As above, but use proxy for local servers which are outside the firewall

+### As above, but use proxy for local servers which are outside the firewall
 
-
If there are hosts (such as the main Web server) that belong to the local domain but are outside the firewall and are only reachable through the proxy server, those exceptions can be handled using the localHostOrDomainIs() function:

+If there are hosts (such as the main Web server) that belong to the local domain but are outside the firewall and are only reachable through the proxy server, those exceptions can be handled using the `localHostOrDomainIs()` function:
 
-
function FindProxyForURL(url, host) {
+```js
+function FindProxyForURL(url, host) {
   if (
-    (isPlainHostName(host) || dnsDomainIs(host, ".mozilla.org")) &&
-    !localHostOrDomainIs(host, "www.mozilla.org") &&
+    (isPlainHostName(host) || dnsDomainIs(host, ".mozilla.org")) &&
+    !localHostOrDomainIs(host, "www.mozilla.org") &&
     !localHostOrDomainIs(host, "merchant.mozilla.org")
   ) {
     return "DIRECT";
   } else {
     return "PROXY w3proxy.mozilla.org:8080; DIRECT";
   }
-}

+}
+```
 
-
The above example will use the proxy for everything except local hosts in the mozilla.org domain, with the further exception that hosts www.mozilla.org and merchant.mozilla.org will go through the proxy.

+The above example will use the proxy for everything except local hosts in the mozilla.org domain, with the further exception that hosts `www.mozilla.org` and `merchant.mozilla.org` will go through the proxy.
 
-

-  
Note: The order of the above exceptions for efficiency: localHostOrDomainIs() functions only get executed for URLs that are in local domain, not for every URL. Be careful to note the parentheses around the or expression before the and expression to achieve the above-mentioned efficient behavior.

-

+> **Note:** The order of the above exceptions for efficiency: `localHostOrDomainIs()` functions only get executed for URLs that are in local domain, not for every URL. Be careful to note the parentheses around the _or_ expression before the _and_ expression to achieve the above-mentioned efficient behavior.
 
-
Example 3

+## Example 3
 
-
Use proxy only if cannot resolve host

+### Use proxy only if cannot resolve host
 
-
This example will work in an environment where the internal DNS server is set up so that it can only resolve internal host names, and the goal is to use a proxy only for hosts that aren't resolvable:

+This example will work in an environment where the internal DNS server is set up so that it can only resolve internal host names, and the goal is to use a proxy only for hosts that aren't resolvable:
 
-
function FindProxyForURL(url, host) {
+```js
+function FindProxyForURL(url, host) {
   if (isResolvable(host))
     return "DIRECT";
   else
     return "PROXY proxy.mydomain.com:8080";
-}

+}
+```
 
-
The above requires consulting the DNS every time; it can be grouped intelligently with other rules so that DNS is consulted only if other rules do not yield a result:

+The above requires consulting the DNS every time; it can be grouped intelligently with other rules so that DNS is consulted only if other rules do not yield a result:
 
-
function FindProxyForURL(url, host) {
+```js
+function FindProxyForURL(url, host) {
   if (
     isPlainHostName(host) ||
     dnsDomainIs(host, ".mydomain.com") ||
@@ -626,24 +616,28 @@ alert("Error: shouldn't reach this clause.");      // log a simple message

   } else {
     return "PROXY proxy.mydomain.com:8080";
   }
-}

+}
+```
 
-
Example 4

+## Example 4
 
-
Subnet based decisions

+### Subnet based decisions
 
-
In this example all of the hosts in a given subnet are connected-to directly, others are connected through the proxy:

+In this example all of the hosts in a given subnet are connected-to directly, others are connected through the proxy:
 
-
function FindProxyForURL(url, host) {
+```js
+function FindProxyForURL(url, host) {
   if (isInNet(host, "198.95.0.0", "255.255.0.0"))
     return "DIRECT";
   else
     return "PROXY proxy.mydomain.com:8080";
-}

+}
+```
 
-
Again, use of the DNS server in the above can be minimized by adding redundant rules in the beginning:

+Again, use of the DNS server in the above can be minimized by adding redundant rules in the beginning:
 
-
function FindProxyForURL(url, host) {
+```js
+function FindProxyForURL(url, host) {
   if (
     isPlainHostName(host) ||
     dnsDomainIs(host, ".mydomain.com") ||
@@ -653,42 +647,26 @@ alert("Error: shouldn't reach this clause.");      // log a simple message

   } else {
     return "PROXY proxy.mydomain.com:8080";
   }
-}
- -

Example 5

- -

Load balancing/routing based on URL patterns

- -

This example is more sophisticated. There are four (4) proxy servers; one of them is a hot stand-by for all of the other ones, so if any of the remaining three goes down the fourth one will take over. Furthermore, the three remaining proxy servers share the load based on URL patterns, which makes their caching more effective (there is only one copy of any document on the three servers - as opposed to one copy on each of them). The load is distributed like this:

- - - - - - - - - - - - - - - - - - - - - - - - -
ProxyPurpose
#1.com domain
#2.edu domain
#3all other domains
#4hot stand-by
- -

All local accesses are desired to be direct. All proxy servers run on the port 8080 (they don't need to, you can just change your port but remember to modify your configuations on both side). Note how strings can be concatenated with the + operator in JavaScript.

- -
function FindProxyForURL(url, host) {
+}
+```
+
+## Example 5
+
+### Load balancing/routing based on URL patterns
+
+This example is more sophisticated. There are four (4) proxy servers; one of them is a hot stand-by for all of the other ones, so if any of the remaining three goes down the fourth one will take over. Furthermore, the three remaining proxy servers share the load based on URL patterns, which makes their caching more effective (there is only one copy of any document on the three servers - as opposed to one copy on each of them). The load is distributed like this:
+
+| Proxy | Purpose           |
+| ----- | ----------------- |
+| #1    | .com domain       |
+| #2    | .edu domain       |
+| #3    | all other domains |
+| #4    | hot stand-by      |
+
+All local accesses are desired to be direct. All proxy servers run on the port 8080 (they don't need to, you can just change your port but remember to modify your configuations on both side). Note how strings can be concatenated with the **`+`** operator in JavaScript.
+
+```js
+function FindProxyForURL(url, host) {
 
   if (isPlainHostName(host) || dnsDomainIs(host, ".mydomain.com"))
     return "DIRECT";
@@ -704,15 +682,17 @@ alert("Error: shouldn't reach this clause.");      // log a simple message
else return "PROXY proxy3.mydomain.com:8080; " + "PROXY proxy4.mydomain.com:8080"; -} +} +``` -

Example 6

+## Example 6 -

Setting a proxy for a specific protocol

+### Setting a proxy for a specific protocol -

Most of the standard JavaScript functionality is available for use in the FindProxyForURL() function. As an example, to set different proxies based on the protocol the {{jsxref("String.prototype.startsWith()", "startsWith()")}} function can be used:

+Most of the standard JavaScript functionality is available for use in the `FindProxyForURL()` function. As an example, to set different proxies based on the protocol the {{jsxref("String.prototype.startsWith()", "startsWith()")}} function can be used: -
function FindProxyForURL(url, host) {
+```js
+function FindProxyForURL(url, host) {
 
   if (url.startsWith("http:"))
     return "PROXY http-proxy.mydomain.com:8080";
@@ -729,29 +709,29 @@ alert("Error: shouldn't reach this clause.");      // log a simple message
else return "DIRECT"; -} +} +``` -
-

Note: The same can be accomplished using the shExpMatch() function described earlier.

-
+> **Note:** The same can be accomplished using the [`shExpMatch()`](#shexpmatch) function described earlier. -

For example:

+For example: -
// ...
+```js
+// ...
 if (shExpMatch(url, "http:*")) {
   return "PROXY http-proxy.mydomain.com:8080";
 }
-// ...
+// ... +``` -
-

Note: The autoconfig file can be output by a CGI script. This is useful, for example, when making the autoconfig file act differently based on the client IP address (the REMOTE_ADDR environment variable in CGI).

-

Usage of isInNet(), isResolvable() and dnsResolve() functions should be carefully considered, as they require the DNS server to be consulted. All the other autoconfig-related functions are mere string-matching functions that don't require the use of a DNS server. If a proxy is used, the proxy will perform its DNS lookup which would double the impact on the DNS server. Most of the time these functions are not necessary to achieve the desired result.

-
+> **Note:** The autoconfig file can be output by a CGI script. This is useful, for example, when making the autoconfig file act differently based on the client IP address (the `REMOTE_ADDR` environment variable in CGI). +> +> Usage of `isInNet()`, `isResolvable()` and `dnsResolve()` functions should be carefully considered, as they require the DNS server to be consulted. All the other autoconfig-related functions are mere string-matching functions that don't require the use of a DNS server. If a proxy is used, the proxy will perform its DNS lookup which would double the impact on the DNS server. Most of the time these functions are not necessary to achieve the desired result. -

History and implementation

+## History and implementation -

Proxy auto-config was introduced into Netscape Navigator 2.0 in the late 1990s, at the same time when JavaScript was introduced. Open-sourcing Netscape eventually lead to Firefox itself.

+Proxy auto-config was introduced into Netscape Navigator 2.0 in the late 1990s, at the same time when JavaScript was introduced. Open-sourcing Netscape eventually lead to Firefox itself. -

The most "original" implementation of PAC and its JavaScript libraries is, therefore, nsProxyAutoConfig.js found in early versions of Firefox. These utilities are found in many other open-source systems including Chromium. Firefox later integrated the file into ProxyAutoConfig.cpp as a C++ string literal. To extract it into its own file, it suffices to copy the chunk into JavaScript with a console.log directive to print it.

+The most "original" implementation of PAC and its JavaScript libraries is, therefore, `nsProxyAutoConfig.js` found in early versions of Firefox. These utilities are found in many other open-source systems including [Chromium](https://cs.chromium.org/chromium/src/services/proxy_resolver/pac_js_library.h). Firefox later integrated the file into [`ProxyAutoConfig.cpp`](https://dxr.mozilla.org/mozilla-central/source/netwerk/base/ProxyAutoConfig.cpp) as a C++ string literal. To extract it into its own file, it suffices to copy the chunk into JavaScript with a `console.log` directive to print it. -

Microsoft in general made its own implementation. There used to be some problems with their libraries, but most are resolved by now. They have defined some new "Ex" suffixed functions around the address handling parts to support IPv6. The feature is supported by Chromium, but not yet by Firefox (bugzilla #558253).

+Microsoft in general made its own implementation. There used to be [some problems with their libraries](https://en.wikipedia.org/wiki/Proxy_auto-config#Old_Microsoft_problems), but most are resolved by now. They have defined [some new "Ex" suffixed functions](https://docs.microsoft.com/en-us/windows/win32/winhttp/ipv6-extensions-to-navigator-auto-config-file-format) around the address handling parts to support IPv6. The feature is supported by Chromium, but not yet by Firefox ([bugzilla #558253](https://bugzilla.mozilla.org/show_bug.cgi?id=558253)). diff --git a/files/en-us/web/http/public_key_pinning/index.md b/files/en-us/web/http/public_key_pinning/index.md index a94f099507f4f1a..58792dbf4cc2630 100644 --- a/files/en-us/web/http/public_key_pinning/index.md +++ b/files/en-us/web/http/public_key_pinning/index.md @@ -9,156 +9,134 @@ tags: - Deprecated - Security --- -

{{HTTPSidebar}}{{deprecated_header}}

+{{HTTPSidebar}}{{deprecated_header}} -
-

Note: Public Key Pinning mechanism was deprecated in favor of Certificate Transparency and {{HTTPHeader("Expect-CT")}} header.

-
+> **Note:** Public Key Pinning mechanism was deprecated in favor of [Certificate Transparency](/en-US/docs/Web/Security/Certificate_Transparency) and {{HTTPHeader("Expect-CT")}} header. -

HTTP Public Key Pinning ({{Glossary("HPKP")}}) was a security feature that used to tell a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of {{Glossary("MITM")}} attacks with forged certificates. It has been removed in modern browsers and is no longer supported.

+**HTTP Public Key Pinning** ({{Glossary("HPKP")}}) was a security feature that used to tell a web client to associate a specific cryptographic public key with a certain web server to decrease the risk of {{Glossary("MITM")}} attacks with forged certificates. It has been removed in modern browsers and is no longer supported. -

To ensure the authenticity of a server's public key used in {{Glossary("TLS")}} sessions, this public key is wrapped into a X.509 certificate which is usually signed by a certificate authority ({{Glossary("Certificate_authority", "CA")}}). Web clients such as browsers trust a lot of these CAs, which can all create certificates for arbitrary domain names. If an attacker is able to compromise a single CA, they can perform MITM attacks on various TLS connections. HPKP can circumvent this threat for the {{Glossary("HTTPS")}} protocol by telling the client which public key belongs to a certain web server.

+To ensure the authenticity of a server's public key used in {{Glossary("TLS")}} sessions, this public key is wrapped into a X.509 certificate which is usually signed by a certificate authority ({{Glossary("Certificate_authority", "CA")}}). Web clients such as browsers trust a lot of these CAs, which can all create certificates for arbitrary domain names. If an attacker is able to compromise a single CA, they can perform MITM attacks on various TLS connections. HPKP can circumvent this threat for the {{Glossary("HTTPS")}} protocol by telling the client which public key belongs to a certain web server. -

HPKP is a Trust on First Use ({{Glossary("TOFU")}}) technique. The first time a web server tells a client via a special HTTP header which public keys belong to it, the client stores this information for a given period of time. When the client visits the server again, it expects at least one certificate in the certificate chain to contain a public key whose fingerprint is already known via HPKP. If the server delivers an unknown public key, the client should present a warning to the user.

+HPKP is a _Trust on First Use_ ({{Glossary("TOFU")}}) technique. The first time a web server tells a client via a special HTTP header which public keys belong to it, the client stores this information for a given period of time. When the client visits the server again, it expects at least one certificate in the certificate chain to contain a public key whose fingerprint is already known via HPKP. If the server delivers an unknown public key, the client should present a warning to the user. -
-

Note: Firefox and Chrome disable pin validation for pinned hosts whose validated certificate chain terminates at a user-defined trust anchor (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored.

-
+> **Note:** Firefox and Chrome **disable pin validation** for pinned hosts whose validated certificate chain terminates at a **user-defined trust anchor** (rather than a built-in trust anchor). This means that for users who imported custom root certificates all pinning violations are ignored. -

Enabling HPKP

+## Enabling HPKP -

To enable this feature for your site, you need to return the {{HTTPHeader("Public-Key-Pins")}} HTTP header when your site is accessed over HTTPS:

+To enable this feature for your site, you need to return the {{HTTPHeader("Public-Key-Pins")}} HTTP header when your site is accessed over HTTPS: -
Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"]
+ Public-Key-Pins: pin-sha256="base64=="; max-age=expireTime [; includeSubDomains][; report-uri="reportURI"] -
-
pin-sha256
-
The quoted string is the Base64 encoded Subject Public Key Information ({{Glossary("SPKI")}}) fingerprint. It is possible to specify multiple pins for different public keys. Some browsers might allow other hashing algorithms than SHA-256 in the future. See below on how to extract this information out of a certificate or key file.
-
max-age
-
The time, in seconds, that the browser should remember that this site is only to be accessed using one of the defined keys.
-
includeSubDomains {{optional_inline}}
-
If this optional parameter is specified, this rule applies to all of the site's subdomains as well.
-
report-uri {{optional_inline}}
-
If this optional parameter is specified, pin validation failures are reported to the given URL.
-
+- `pin-sha256` + - : The quoted string is the Base64 encoded _Subject Public Key Information_ ({{Glossary("SPKI")}}) fingerprint. It is possible to specify multiple pins for different public keys. Some browsers might allow other hashing algorithms than SHA-256 in the future. See below on how to extract this information out of a certificate or key file. +- `max-age` + - : The time, in seconds, that the browser should remember that this site is only to be accessed using one of the defined keys. +- `includeSubDomains` {{optional_inline}} + - : If this optional parameter is specified, this rule applies to all of the site's subdomains as well. +- `report-uri` {{optional_inline}} + - : If this optional parameter is specified, pin validation failures are reported to the given URL. -
-

Note: The current specification requires including a second pin for a backup key which isn't yet used in production. This allows for changing the server's public key without breaking accessibility for clients that have already noted the pins. This is important for example when the former key gets compromised.

-
+> **Note:** The current specification requires including a second pin for a backup key which isn't yet used in production. This allows for changing the server's public key without breaking accessibility for clients that have already noted the pins. This is important for example when the former key gets compromised. -

Extracting the Base64 encoded public key information

+### Extracting the Base64 encoded public key information -
-

Note: While the example below shows how to set a pin on a server certificate, it is recommended to place the pin on the intermediate certificate of the CA that issued the server certificate, to ease certificates renewals and rotations.

-
+> **Note:** While the example below shows how to set a pin on a server certificate, it is recommended to place the pin on the intermediate certificate of the CA that issued the server certificate, to ease certificates renewals and rotations. -

First you need to extract the public key information from your certificate or key file and encode them using Base64.

+First you need to extract the public key information from your certificate or key file and encode them using Base64. -

The following commands will help you extract the Base64 encoded information from a key file, a certificate signing request, or a certificate.

+The following commands will help you extract the Base64 encoded information from a key file, a certificate signing request, or a certificate. -
openssl rsa -in my-rsa-key-file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
+ openssl rsa -in my-rsa-key-file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64 -
openssl ec -in my-ecc-key-file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
+ -
openssl req -in my-signing-request.csr -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+ openssl ec -in my-ecc-key-file.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64 -
openssl x509 -in my-certificate.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+ -

The following command will extract the Base64 encoded information for a website.

+ openssl req -in my-signing-request.csr -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 -
openssl s_client -servername www.example.com -connect www.example.com:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
+ -

Example HPKP Header

+ openssl x509 -in my-certificate.crt -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 -
Public-Key-Pins:
-  pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
-  pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
-  max-age=5184000; includeSubDomains;
-  report-uri="https://www.example.org/hpkp-report"
+The following command will extract the Base64 encoded information for a website. -

In this example, pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=" pins the server's public key used in production. The second pin declaration pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=" also pins the backup key. max-age=5184000 tells the client to store this information for two months, which is a reasonable time limit according to the IETF RFC. This key pinning is also valid for all subdomains, which is told by the includeSubDomains declaration. Finally, report-uri="https://www.example.net/hpkp-report" explains where to report pin validation failures.

+ openssl s_client -servername www.example.com -connect www.example.com:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64 -

Report-Only header

+### Example HPKP Header -

Instead of using a {{HTTPHeader("Public-Key-Pins")}} header you can also use a {{HTTPHeader("Public-Key-Pins-Report-Only")}} header. This header only sends reports to the report-uri specified in the header and does still allow browsers to connect to the webserver even if the pinning is violated.

+ Public-Key-Pins: + pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; + pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="; + max-age=5184000; includeSubDomains; + report-uri="https://www.example.org/hpkp-report" -

Setting up your webserver to include the HPKP header

+In this example, **pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="** pins the server's public key used in production. The second pin declaration **pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE="** also pins the backup key. **max-age=5184000** tells the client to store this information for two months, which is a reasonable time limit according to the IETF RFC. This key pinning is also valid for all subdomains, which is told by the **includeSubDomains** declaration. Finally, **report-uri="https\://www\.example.net/hpkp-report"** explains where to report pin validation failures. -

The concrete steps necessary to deliver the HPKP header depend on the web server you use.

+### Report-Only header -
-

Note: These examples use a max-age of two months and include all subdomains. It is advised to verify that this setup will work for your server.

-
+Instead of using a {{HTTPHeader("Public-Key-Pins")}} header you can also use a {{HTTPHeader("Public-Key-Pins-Report-Only")}} header. This header only sends reports to the `report-uri` specified in the header and does still allow browsers to connect to the webserver even if the pinning is violated. -
-

Warning: HPKP has the potential to lock out users for a long time if used incorrectly! The use of backup certificates and/or pinning the CA certificate is recommended.

-
+### Setting up your webserver to include the HPKP header -

Apache

+The concrete steps necessary to deliver the HPKP header depend on the web server you use. -

Adding a line similar to the following to your webserver's config will enable HPKP on your Apache. This requires mod_headers enabled.

+> **Note:** These examples use a max-age of two months and include all subdomains. It is advised to verify that this setup will work for your server. -
Header always set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains"
+> **Warning:** HPKP has the potential to lock out users for a long time if used incorrectly! The use of backup certificates and/or pinning the CA certificate is recommended. -

Nginx

+#### Apache -

Adding the following line and inserting the appropriate pin-sha256="..." values will enable HPKP on your nginx. This requires the ngx_http_headers_module.

+Adding a line similar to the following to your webserver's config will enable HPKP on your Apache. This requires `mod_headers` enabled. -
add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains' always;
+ Header always set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains" -

Lighttpd

+#### Nginx -

The following line with your relevant key information (pin-sha256="..." fields) will enable HPKP on lighttpd.

+Adding the following line and inserting the appropriate `pin-sha256="..."` values will enable HPKP on your nginx. This requires the `ngx_http_headers_module.` -
setenv.add-response-header  = ( "Public-Key-Pins" => "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains")
+ add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains' always; -

Note: This requires the mod_setenv server.module loaded which can be included by the following if not already loaded.

+#### Lighttpd -
server.modules += ( "mod_setenv" )
+The following line with your relevant key information (pin-sha256="..." fields) will enable HPKP on lighttpd. -

IIS

+ setenv.add-response-header = ( "Public-Key-Pins" => "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains") -

Add the following line to the Web.config file to send the Public-Key-Pins header:

+**Note:** This requires the `mod_setenv` server.module loaded which can be included by the following if not already loaded. -
<system.webServer>
-  ...
+    server.modules += ( "mod_setenv" )
 
-  <httpProtocol>
-    <customHeaders>
-      <add name="Public-Key-Pins" value="pin-sha256=&quot;base64+primary==&quot;; pin-sha256=&quot;base64+backup==&quot;; max-age=5184000; includeSubDomains" />
-    </customHeaders>
-  </httpProtocol>
+#### IIS
 
-  ...
-</system.webServer>
-
+Add the following line to the Web.config file to send the `Public-Key-Pins` header: -

Specifications

+ + ... - - - - - - - - - - - - - -
SpecificationTitle
{{RFC("7469", "Public-Key-Pins", "2.1")}}Public Key Pinning Extension for HTTP
+ + + + + -

Browser compatibility

+ ... + -

{{Compat("http.headers.Public-Key-Pins")}}

+## Specifications -

See also

+| Specification | Title | +| -------------------------------------------------------- | ------------------------------------- | +| {{RFC("7469", "Public-Key-Pins", "2.1")}} | Public Key Pinning Extension for HTTP | -
    -
  • {{HTTPHeader("Public-Key-Pins")}}
    • -
  • {{HTTPHeader("Public-Key-Pins-Report-Only")}}
    • -
  • Browser test site: HSTS and HPKP test
    • -
  • {{HTTPHeader("Expect-CT")}}
    • -
+## Browser compatibility + +{{Compat("http.headers.Public-Key-Pins")}} + +## See also + +- {{HTTPHeader("Public-Key-Pins")}} +- {{HTTPHeader("Public-Key-Pins-Report-Only")}} +- Browser test site: [HSTS and HPKP test](https://projects.dm.id.lv/Public-Key-Pins_test) +- {{HTTPHeader("Expect-CT")}} diff --git a/files/en-us/web/http/range_requests/index.md b/files/en-us/web/http/range_requests/index.md index ef17d43ae195535..34accaa3db68caf 100644 --- a/files/en-us/web/http/range_requests/index.md +++ b/files/en-us/web/http/range_requests/index.md @@ -6,113 +6,106 @@ tags: - HTTP - HTTP range requests --- -
{{HTTPSidebar}}
+{{HTTPSidebar}} -

HTTP range requests allow to send only a portion of an HTTP message from a server to a client. Partial requests are useful for large media or downloading files with pause and resume functions, for example.

+HTTP range requests allow to send only a portion of an HTTP message from a server to a client. Partial requests are useful for large media or downloading files with pause and resume functions, for example. -

Checking if a server supports partial requests

+## Checking if a server supports partial requests -

If the {{HTTPHeader("Accept-Ranges")}} is present in HTTP responses (and its value isn't "none"), the server supports range requests. You can check this by issuing a {{HTTPMethod("HEAD")}} request with cURL, for example.

+If the {{HTTPHeader("Accept-Ranges")}} is present in HTTP responses (and its value isn't "`none`"), the server supports range requests. You can check this by issuing a {{HTTPMethod("HEAD")}} request with cURL, for example. -
curl -I http://i.imgur.com/z4d4kWk.jpg
+    curl -I http://i.imgur.com/z4d4kWk.jpg
 
-HTTP/1.1 200 OK
-...
-Accept-Ranges: bytes
-Content-Length: 146515
-
+ HTTP/1.1 200 OK + ... + Accept-Ranges: bytes + Content-Length: 146515 -

In this response, Accept-Ranges: bytes indicates that bytes can be used as unit to define a range. Here the {{HTTPHeader("Content-Length")}} header is also useful as it indicates the full size of the image to retrieve.

+In this response, `Accept-Ranges: bytes` indicates that bytes can be used as unit to define a range. Here the {{HTTPHeader("Content-Length")}} header is also useful as it indicates the full size of the image to retrieve. -

If sites omit the Accept-Ranges header, they likely don't support partial requests. Some sites also explicitly send "none" as a value, indicating no support. In some apps, download managers disable their pause buttons in that case.

+If sites omit the `Accept-Ranges` header, they likely don't support partial requests. Some sites also explicitly send "`none`" as a value, indicating no support. In some apps, download managers disable their pause buttons in that case. -
curl -I https://www.youtube.com/watch?v=EwTZ2xpQwpA
+    curl -I https://www.youtube.com/watch?v=EwTZ2xpQwpA
 
-HTTP/1.1 200 OK
-...
-Accept-Ranges: none
-
+ HTTP/1.1 200 OK + ... + Accept-Ranges: none -

Requesting a specific range from a server

+## Requesting a specific range from a server -

If the server supports range requests, you can issue such a request by using the {{HTTPHeader("Range")}} header. It indicates the part(s) of a document that the server should return.

+If the server supports range requests, you can issue such a request by using the {{HTTPHeader("Range")}} header. It indicates the part(s) of a document that the server should return. -

Single part ranges

+### Single part ranges -

We can request a single range from a resource. Again, we can test a request by using cURL. The "-H" option will append a header line to the request, which in this case is the Range header requesting the first 1024 bytes.

+We can request a single range from a resource. Again, we can test a request by using cURL. The "`-H`" option will append a header line to the request, which in this case is the `Range` header requesting the first 1024 bytes. -
curl http://i.imgur.com/z4d4kWk.jpg -i -H "Range: bytes=0-1023"
+ curl http://i.imgur.com/z4d4kWk.jpg -i -H "Range: bytes=0-1023" -

The issued request looks like this:

+The issued request looks like this: -
GET /z4d4kWk.jpg HTTP/1.1
-Host: i.imgur.com
-Range: bytes=0-1023
+ GET /z4d4kWk.jpg HTTP/1.1 + Host: i.imgur.com + Range: bytes=0-1023 -

The server responses with the {{HTTPStatus("206")}} Partial Content status:

+The server responses with the {{HTTPStatus("206")}} `Partial Content` status: -
HTTP/1.1 206 Partial Content
-Content-Range: bytes 0-1023/146515
-Content-Length: 1024
-...
-(binary content)
-
+ HTTP/1.1 206 Partial Content + Content-Range: bytes 0-1023/146515 + Content-Length: 1024 + ... + (binary content) -

The {{HTTPHeader("Content-Length")}} header now indicates the size of the requested range (and not the full size of the image). The {{HTTPHeader("Content-Range")}} response header indicates where in the full resource this partial message belongs.

+The {{HTTPHeader("Content-Length")}} header now indicates the size of the requested range (and not the full size of the image). The {{HTTPHeader("Content-Range")}} response header indicates where in the full resource this partial message belongs. -

Multipart ranges

+### Multipart ranges -

The {{HTTPHeader("Range")}} header also allows you to get multiple ranges at once in a multipart document. The ranges are separated by a comma.

+The {{HTTPHeader("Range")}} header also allows you to get multiple ranges at once in a multipart document. The ranges are separated by a comma. -
curl http://www.example.com -i -H "Range: bytes=0-50, 100-150"
+ curl http://www.example.com -i -H "Range: bytes=0-50, 100-150" -

The server responses with the {{HTTPStatus("206")}} Partial Content status and a {{HTTPHeader("Content-Type")}}: multipart/byteranges; boundary=3d6b6a416f9b5 header, indicating that a multipart byterange follows. Each part contains its own Content-Type and Content-Range fields and the required boundary parameter specifies the boundary string used to separate each body-part.

+The server responses with the {{HTTPStatus("206")}} `Partial Content` status and a {{HTTPHeader("Content-Type")}}`: multipart/byteranges; boundary=3d6b6a416f9b5` header, indicating that a multipart byterange follows. Each part contains its own `Content-Type` and `Content-Range` fields and the required boundary parameter specifies the boundary string used to separate each body-part. -
HTTP/1.1 206 Partial Content
-Content-Type: multipart/byteranges; boundary=3d6b6a416f9b5
-Content-Length: 282
+    HTTP/1.1 206 Partial Content
+    Content-Type: multipart/byteranges; boundary=3d6b6a416f9b5
+    Content-Length: 282
 
---3d6b6a416f9b5
-Content-Type: text/html
-Content-Range: bytes 0-50/1270
+    --3d6b6a416f9b5
+    Content-Type: text/html
+    Content-Range: bytes 0-50/1270
 
-<!doctype html>
-<html>
-<head>
-    <title>Example Do
---3d6b6a416f9b5
-Content-Type: text/html
-Content-Range: bytes 100-150/1270
+    
+    
+    
+        Example Do
+    --3d6b6a416f9b5
+    Content-Type: text/html
+    Content-Range: bytes 100-150/1270
 
-eta http-equiv="Content-type" content="text/html; c
---3d6b6a416f9b5--</pre>
+    eta http-equiv="Content-type" content="text/html; c
+    --3d6b6a416f9b5--
 
-<h3 id="Conditional_range_requests">Conditional range requests</h3>
+### Conditional range requests
 
-<p>When resuming to request more parts of a resource, you need to guarantee that the stored resource has not been modified since the last fragment has been received.</p>
+When resuming to request more parts of a resource, you need to guarantee that the stored resource has not been modified since the last fragment has been received.
 
-<p>The {{HTTPHeader("If-Range")}} HTTP request header makes a range request conditional: if the condition is fulfilled, the range request will be issued and the server sends back a {{HTTPStatus("206")}} <code>Partial Content</code> answer with the appropriate body. If the condition is not fulfilled, the full resource is sent back, with a {{HTTPStatus("200")}} <code>OK</code> status. This header can be used either with a {{HTTPHeader("Last-Modified")}} validator, or with an {{HTTPHeader("ETag")}}, but not with both.</p>
+The {{HTTPHeader("If-Range")}} HTTP request header makes a range request conditional: if the condition is fulfilled, the range request will be issued and the server sends back a {{HTTPStatus("206")}} `Partial Content` answer with the appropriate body. If the condition is not fulfilled, the full resource is sent back, with a {{HTTPStatus("200")}} `OK` status. This header can be used either with a {{HTTPHeader("Last-Modified")}} validator, or with an {{HTTPHeader("ETag")}}, but not with both.
 
-<pre>If-Range: Wed, 21 Oct 2015 07:28:00 GMT </pre>
+    If-Range: Wed, 21 Oct 2015 07:28:00 GMT
 
-<h2 id="Partial_request_responses">Partial request responses</h2>
+## Partial request responses
 
-<p>There are three relevant statuses, when working with range requests:</p>
+There are three relevant statuses, when working with range requests:
 
-<ul>
-	<li>In case of a successful range request, the {{HTTPStatus("206")}} <code>Partial Content</code> status is sent back from a server.</li>
-	<li>In case of a range request that is out of bounds (none of the range values overlap the extent of the resource, i.e first-byte-pos of all ranges is greater than the resource length), the server responds with a {{HTTPStatus("416")}} <code>Requested Range Not Satisfiable</code> status.</li>
-	<li>In case of no support of range requests, the {{HTTPStatus("200")}} <code>OK</code> status is sent back from a server.</li>
-</ul>
+- In case of a successful range request, the {{HTTPStatus("206")}} `Partial Content` status is sent back from a server.
+- In case of a range request that is out of bounds (none of the range values overlap the extent of the resource, i.e first-byte-pos of all ranges is greater than the resource length), the server responds with a {{HTTPStatus("416")}} `Requested Range Not Satisfiable` status.
+- In case of no support of range requests, the {{HTTPStatus("200")}} `OK` status is sent back from a server.
 
-<h2 id="Comparison_to_chunked_Transfer-Encoding">Comparison to chunked <code>Transfer-Encoding</code></h2>
+## Comparison to chunked `Transfer-Encoding`
 
-<p>The {{HTTPHeader("Transfer-Encoding")}} header allows chunked encoding, which is useful when larger amounts of data are sent to the client and the total size of the response is not known until the request has been fully processed. The server sends data to the client straight away without buffering the response or determining the exact length, which leads to improved latency. Range requests and chunking are compatible and can be used with or without each other.</p>
+The {{HTTPHeader("Transfer-Encoding")}} header allows chunked encoding, which is useful when larger amounts of data are sent to the client and the total size of the response is not known until the request has been fully processed. The server sends data to the client straight away without buffering the response or determining the exact length, which leads to improved latency. Range requests and chunking are compatible and can be used with or without each other.
 
-<h2 id="See_also">See also</h2>
+## See also
 
-<ul>
-	<li>Related status codes {{HTTPStatus("200")}}, {{HTTPStatus("206")}}, {{HTTPStatus("416")}}.</li>
-	<li>Related headers: {{HTTPHeader("Accept-Ranges")}}, {{HTTPHeader("Range")}}, {{HTTPHeader("Content-Range")}}, {{HTTPHeader("If-Range")}}, {{HTTPHeader("Transfer-Encoding")}}.</li>
-	<li><a href="https://blogs.msdn.microsoft.com/ieinternals/2011/06/03/download-resumption-in-internet-explorer/">Download resumption in Internet Explorer</a></li>
-</ul>
+- Related status codes {{HTTPStatus("200")}}, {{HTTPStatus("206")}}, {{HTTPStatus("416")}}.
+- Related headers: {{HTTPHeader("Accept-Ranges")}}, {{HTTPHeader("Range")}}, {{HTTPHeader("Content-Range")}}, {{HTTPHeader("If-Range")}}, {{HTTPHeader("Transfer-Encoding")}}.
+- [Download resumption in Internet Explorer](https://blogs.msdn.microsoft.com/ieinternals/2011/06/03/download-resumption-in-internet-explorer/)
diff --git a/files/en-us/web/http/redirections/index.md b/files/en-us/web/http/redirections/index.md
index a5515dfd51dadd2..3fcd95c5ade2fc1 100644
--- a/files/en-us/web/http/redirections/index.md
+++ b/files/en-us/web/http/redirections/index.md
@@ -6,282 +6,201 @@ tags:
   - HTTP
   - redirects
 ---
-<div>{{HTTPSidebar}}</div>
-
-<p class="summary"><strong>URL redirection</strong>, also known as <em>URL forwarding</em>, is a technique to give more than one URL address to a page, a form, or a whole Web site/application. HTTP has a special kind of response, called a <strong><em>HTTP redirect</em></strong>, for this operation.</p>
-
-<p>Redirects accomplish numerous goals:</p>
-
-<ul>
- <li>Temporary redirects during site maintenance or downtime</li>
- <li>Permanent redirects to preserve existing links/bookmarks after changing the site's URLs, progress pages when uploading a file, etc.</li>
-</ul>
-
-<h2 id="Principle">Principle</h2>
-
-<p>In HTTP, redirection is triggered by a server sending a special <em>redirect</em> response to a request. Redirect responses have <a href="/en-US/docs/Web/HTTP/Status">status codes</a> that start with <code>3</code>, and a {{ httpheader("Location") }} header holding the URL to redirect to.</p>
-
-<p>When browsers receive a redirect, they immediately load the new URL provided in the <code>Location</code> header. Besides the small performance hit of an additional round-trip, users rarely notice the redirection.</p>
-
-<p><img alt="" src="httpredirect.png"></p>
-
-<p>There are several types of redirects, sorted into three categories:</p>
-
-<ol>
- <li><a href="#permanent_redirections">Permanent redirections</a></li>
- <li><a href="#temporary_redirections">Temporary redirections</a></li>
- <li><a href="#special_redirections">Special redirections</a></li>
-</ol>
-
-<h3 id="Permanent_redirections">Permanent redirections</h3>
-
-<p>These redirections are meant to last forever. They imply that the original URL should no longer be used, and replaced with the new one.Search engine robots, RSS readers, and other crawlers will update the original URL for the resource.</p>
-
-<table>
- <thead>
-  <tr>
-   <th>Code</th>
-   <th>Text</th>
-   <th>Method handling</th>
-   <th>Typical use case</th>
-  </tr>
- </thead>
- <tbody>
-  <tr>
-   <td><code>301</code></td>
-   <td><code>Moved Permanently</code></td>
-   <td>{{HTTPMethod("GET")}} methods unchanged.<br>
-    Others may or may not be changed to {{HTTPMethod("GET")}}. [1]</td>
-   <td>Reorganization of a Web site.</td>
-  </tr>
-  <tr>
-   <td><code>308</code></td>
-   <td><code>Permanent Redirect</code></td>
-   <td>Method and body not changed.</td>
-   <td>Reorganization of a Web site, with non-GET links/operations.</td>
-  </tr>
- </tbody>
-</table>
-
-<p>[1] The specification did not intend to allow method changes, but there are existing user agents that do change their method. {{HTTPStatus("308")}} was created to remove the ambiguity of the behavior when using non-<code>GET</code> methods.</p>
-
-<h3 id="Temporary_redirections">Temporary redirections</h3>
-
-<p>Sometimes the requested resource can't be accessed from its canonical location, but it can be accessed from another place. In this case, a temporary redirect can be used.</p>
-
-<p>Search engine robots and other crawlers don't memorize the new, temporary URL. Temporary redirections are also used when creating, updating, or deleting resources, to show temporary progress pages.</p>
-
-<table>
- <thead>
-  <tr>
-   <th>Code</th>
-   <th>Text</th>
-   <th>Method handling</th>
-   <th>Typical use case</th>
-  </tr>
- </thead>
- <tbody>
-  <tr>
-   <td><code>302</code></td>
-   <td><code>Found</code></td>
-   <td>{{HTTPMethod("GET")}} methods unchanged.<br>
-    Others may or may not be changed to {{HTTPMethod("GET")}}. [2]</td>
-   <td>The Web page is temporarily unavailable for unforeseen reasons.</td>
-  </tr>
-  <tr>
-   <td><code>303</code></td>
-   <td><code>See Other</code></td>
-   <td>{{HTTPMethod("GET")}} methods unchanged.<br>
-    Others <em>changed</em> to <code>GET</code> (body lost).</td>
-   <td>Used to redirect after a {{HTTPMethod("PUT")}} or a {{HTTPMethod("POST")}}, so that refreshing the result page doesn't re-trigger the operation.</td>
-  </tr>
-  <tr>
-   <td><code>307</code></td>
-   <td><code>Temporary Redirect</code></td>
-   <td>Method and body not changed</td>
-   <td>The Web page is temporarily unavailable for unforeseen reasons. Better than <code>302</code> when non-<code>GET</code> operations are available on the site.</td>
-  </tr>
- </tbody>
-</table>
-
-<p>[2] The specification did not intend to allow method changes, but there are existing user agents that do change their method. {{HTTPStatus("307")}} was created to remove the ambiguity of the behavior when using non-<code>GET</code> methods.</p>
-
-<h3 id="Special_redirections">Special redirections</h3>
+{{HTTPSidebar}}
 
-<p>{{HTTPStatus("304")}} (Not Modified) redirects a page to the locally cached copy (that was stale), and {{HTTPStatus("300")}} (Multiple Choice) is a manual redirection: the body, presented by the browser as a Web page, lists the possible redirections and the user clicks on one to select it.</p>
+**URL redirection**, also known as _URL forwarding_, is a technique to give more than one URL address to a page, a form, or a whole Web site/application. HTTP has a special kind of response, called a **_HTTP redirect_**, for this operation.
 
-<table>
- <thead>
-  <tr>
-   <th>Code</th>
-   <th>Text</th>
-   <th>Typical use case</th>
-  </tr>
- </thead>
- <tbody>
-  <tr>
-   <td><code>300</code></td>
-   <td><code>Multiple Choice</code></td>
-   <td>Not many: the choices are listed in an HTML page in the body. Machine-readable choices are encouraged to be sent as {{HTTPHeader("Link")}} headers with <code>rel=alternate</code>.</td>
-  </tr>
-  <tr>
-   <td><code>304</code></td>
-   <td><code>Not Modified</code></td>
-   <td>Sent for revalidated conditional requests. Indicates that the cached response is still fresh and can be used.</td>
-  </tr>
- </tbody>
-</table>
+Redirects accomplish numerous goals:
 
-<h2 id="Alternative_way_of_specifying_redirections">Alternative way of specifying redirections</h2>
+- Temporary redirects during site maintenance or downtime
+- Permanent redirects to preserve existing links/bookmarks after changing the site's URLs, progress pages when uploading a file, etc.
 
-<p>HTTP redirects aren't the only way to define redirections. There are two others:</p>
+## Principle
 
-<ol>
- <li>HTML redirections with the {{HTMLElement("meta")}} element</li>
- <li>JavaScript redirections via the <a href="/en-US/docs/Web/API/Document_Object_Model">DOM</a></li>
-</ol>
+In HTTP, redirection is triggered by a server sending a special _redirect_ response to a request. Redirect responses have [status codes](/en-US/docs/Web/HTTP/Status) that start with `3`, and a {{ httpheader("Location") }} header holding the URL to redirect to.
 
-<h3 id="HTML_redirections">HTML redirections</h3>
+When browsers receive a redirect, they immediately load the new URL provided in the `Location` header. Besides the small performance hit of an additional round-trip, users rarely notice the redirection.
 
-<p>HTTP redirects are the best way to create redirections, but sometimes you don't have control over the server. In that case, try a {{HTMLElement("meta")}} element with its {{htmlattrxref("http-equiv", "meta")}} attribute set to <code>Refresh</code> in the {{HTMLElement("head")}} of the page. When displaying the page, the browser will go to the indicated URL.</p>
+![](httpredirect.png)
 
-<pre class="brush: html"><head>
-  <meta http-equiv="Refresh" content="0; URL=https://example.com/">
-</head>
-</pre>
+There are several types of redirects, sorted into three categories:
 
-<p>The {{htmlattrxref("content")}} attribute should start with a number indicating how many seconds the browser should wait before redirecting to the given URL. Always set it to <code>0</code> for accessibility compliance.</p>
+1.  [Permanent redirections](#permanent_redirections)
+2.  [Temporary redirections](#temporary_redirections)
+3.  [Special redirections](#special_redirections)
 
-<p>Obviously, this method only works with HTML, and cannot be used for images or other types of content.</p>
+### Permanent redirections
 
-<h3 id="JavaScript_redirections">JavaScript redirections</h3>
+These redirections are meant to last forever. They imply that the original URL should no longer be used, and replaced with the new one.Search engine robots, RSS readers, and other crawlers will update the original URL for the resource.
 
-<p>Redirections in JavaScript are performed by setting a URL string to the {{domxref("window.location")}} property, loading the new page:</p>
+| Code  | Text                 | Method handling                                                                                                       | Typical use case                                             |
+| ----- | -------------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ |
+| `301` | `Moved Permanently`  | {{HTTPMethod("GET")}} methods unchanged. Others may or may not be changed to {{HTTPMethod("GET")}}. [1] | Reorganization of a Web site.                                |
+| `308` | `Permanent Redirect` | Method and body not changed.                                                                                          | Reorganization of a Web site, with non-GET links/operations. |
 
-<pre class="brush: js">window.location = "https://example.com/";</pre>
+\[1] The specification did not intend to allow method changes, but there are existing user agents that do change their method. {{HTTPStatus("308")}} was created to remove the ambiguity of the behavior when using non-`GET` methods.
 
-<p>Like HTML redirections, this can't work on all resources, and obviously, this will only work on clients that execute JavaScript. On the other hand, there are more possibilities: for example, you can trigger the redirect only if some conditions are met.</p>
+### Temporary redirections
 
-<h3 id="Order_of_precedence">Order of precedence</h3>
+Sometimes the requested resource can't be accessed from its canonical location, but it can be accessed from another place. In this case, a temporary redirect can be used.
 
-<p>With three ways to trigger redirections, several ways can be used at the same time. But which is applied first?</p>
+Search engine robots and other crawlers don't memorize the new, temporary URL. Temporary redirections are also used when creating, updating, or deleting resources, to show temporary progress pages.
 
-<ol>
- <li>HTTP redirects always execute first — they exist when there is not even a transmitted page.</li>
- <li>HTML redirects ({{HTMLElement("meta")}}) execute if there weren't any HTTP redirects.</li>
- <li>JavaScript redirects execute last, and only if JavaScript is enabled.</li>
-</ol>
+| Code  | Text                 | Method handling                                                                                                       | Typical use case                                                                                                                                              |
+| ----- | -------------------- | --------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `302` | `Found`              | {{HTTPMethod("GET")}} methods unchanged. Others may or may not be changed to {{HTTPMethod("GET")}}. [2] | The Web page is temporarily unavailable for unforeseen reasons.                                                                                               |
+| `303` | `See Other`          | {{HTTPMethod("GET")}} methods unchanged. Others _changed_ to `GET` (body lost).                                | Used to redirect after a {{HTTPMethod("PUT")}} or a {{HTTPMethod("POST")}}, so that refreshing the result page doesn't re-trigger the operation. |
+| `307` | `Temporary Redirect` | Method and body not changed                                                                                           | The Web page is temporarily unavailable for unforeseen reasons. Better than `302` when non-`GET` operations are available on the site.                        |
 
-<p>When possible, use HTTP redirects and don't add {{HTMLElement("meta")}} element redirects. If someone changes the HTTP redirects but forgets to change the HTML redirects, the redirects will no longer be identical, which could cause an infinite loop or other nightmares.</p>
+\[2] The specification did not intend to allow method changes, but there are existing user agents that do change their method. {{HTTPStatus("307")}} was created to remove the ambiguity of the behavior when using non-`GET` methods.
 
-<h2 id="Use_cases">Use cases</h2>
+### Special redirections
 
-<p>There are numerous use cases for redirects, but as performance is impacted with every redirect, their use should be kept to a minimum.</p>
+{{HTTPStatus("304")}} (Not Modified) redirects a page to the locally cached copy (that was stale), and {{HTTPStatus("300")}} (Multiple Choice) is a manual redirection: the body, presented by the browser as a Web page, lists the possible redirections and the user clicks on one to select it.
 
-<h3 id="Domain_aliasing">Domain aliasing</h3>
+| Code  | Text              | Typical use case                                                                                                                                                               |
+| ----- | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `300` | `Multiple Choice` | Not many: the choices are listed in an HTML page in the body. Machine-readable choices are encouraged to be sent as {{HTTPHeader("Link")}} headers with `rel=alternate`. |
+| `304` | `Not Modified`    | Sent for revalidated conditional requests. Indicates that the cached response is still fresh and can be used.                                                                  |
 
-<p>Ideally, there is one location, and therefore one URL, for each resource. But there are reasons for alternative names for a resource:</p>
+## Alternative way of specifying redirections
 
-<dl>
- <dt>Expanding the reach of your site</dt>
- <dd>A common case is when a site resides at <code>www.example.com</code>, but accessing it from <code>example.com</code> should also work. Redirections for <code>example.com</code> to <code>www.example.com</code> are thus set up. You might also redirect from common synonyms or frequent typos of your domains.</dd>
- <dt>Moving to a new domain</dt>
- <dd>For example, your company was renamed, but you want existing links or bookmarks to still find you under the new name.</dd>
- <dt>Forcing <a href="/en-US/docs/Glossary/https">HTTPS</a></dt>
- <dd>Requests to the <code>http://</code> version of your site will redirect to the <code>https://</code> version of your site.</dd>
-</dl>
+HTTP redirects aren't the only way to define redirections. There are two others:
 
-<h3 id="Keeping_links_alive">Keeping links alive</h3>
+1.  HTML redirections with the {{HTMLElement("meta")}} element
+2.  JavaScript redirections via the [DOM](/en-US/docs/Web/API/Document_Object_Model)
 
-<p>When you restructure Web sites, URLs change. Even if you update your site's links to match the new URLs, you have no control over the URLs used by external resources.</p>
+### HTML redirections
 
-<p>You don't want to break these links, as they bring valuable users and help your SEO, so you set up redirects from the old URLs to the new ones.</p>
+HTTP redirects are the best way to create redirections, but sometimes you don't have control over the server. In that case, try a {{HTMLElement("meta")}} element with its {{htmlattrxref("http-equiv", "meta")}} attribute set to `Refresh` in the {{HTMLElement("head")}} of the page. When displaying the page, the browser will go to the indicated URL.
 
-<div class="notecard note">
-  <p><strong>Note:</strong> This technique does work for internal links, but try to avoid having internal redirects. A redirect has a significant performance cost (as an extra HTTP request occurs). If you can avoid it by correcting internal links, you should fix those links instead.</p>
-</div>
+```html
+<head>
+  <meta http-equiv="Refresh" content="0; URL=https://example.com/">
+</head>
+```
 
-<h3 id="Temporary_responses_to_unsafe_requests">Temporary responses to unsafe requests</h3>
+The {{htmlattrxref("content")}} attribute should start with a number indicating how many seconds the browser should wait before redirecting to the given URL. Always set it to `0` for accessibility compliance.
 
-<p>{{Glossary("Safe/HTTP", "Unsafe")}} requests modify the state of the server and the user shouldn't resend them unintentionally.</p>
+Obviously, this method only works with HTML, and cannot be used for images or other types of content.
 
-<p>Typically, you don't want your users to resend {{HTTPMethod("PUT")}}, {{HTTPMethod("POST")}} or {{HTTPMethod("DELETE")}} requests. If you serve the response as the result of this request, a simple press of the reload button will resend the request (possibly after a confirmation message).</p>
+### JavaScript redirections
 
-<p>In this case, the server can send back a {{HTTPStatus("303")}} (See Other) response for a URL that will contain the right information. If the reload button is pressed, only that page is redisplayed, without replaying the unsafe requests.</p>
+Redirections in JavaScript are performed by setting a URL string to the {{domxref("window.location")}} property, loading the new page:
 
-<h3 id="Temporary_responses_to_long_requests">Temporary responses to long requests</h3>
+```js
+window.location = "https://example.com/";
+```
 
-<p>Some requests may need more time on the server, like {{HTTPHeader("DELETE")}} requests that are scheduled for later processing. In this case, the response is a {{HTTPStatus("303")}} (See Other) redirect that links to a page indicating that the action has been scheduled, and eventually informs about its progress, or allows to cancel it.</p>
+Like HTML redirections, this can't work on all resources, and obviously, this will only work on clients that execute JavaScript. On the other hand, there are more possibilities: for example, you can trigger the redirect only if some conditions are met.
 
-<h2 id="Configuring_redirects_in_common_servers">Configuring redirects in common servers</h2>
+### Order of precedence
 
-<h3 id="Apache">Apache</h3>
+With three ways to trigger redirections, several ways can be used at the same time. But which is applied first?
 
-<p>Redirects can be set either in the server config file or in the <code>.htaccess</code> of each directory.</p>
+1.  HTTP redirects always execute first — they exist when there is not even a transmitted page.
+2.  HTML redirects ({{HTMLElement("meta")}}) execute if there weren't any HTTP redirects.
+3.  JavaScript redirects execute last, and only if JavaScript is enabled.
 
-<p>The <code><a href="https://httpd.apache.org/docs/current/mod/mod_alias.html">mod_alias</a></code> module has <code>Redirect</code> and <code>RedirectMatch</code> directives that set up {{HTTPStatus("302")}} redirects by default:</p>
+When possible, use HTTP redirects and don't add {{HTMLElement("meta")}} element redirects. If someone changes the HTTP redirects but forgets to change the HTML redirects, the redirects will no longer be identical, which could cause an infinite loop or other nightmares.
 
-<pre><VirtualHost *:443>
-	ServerName example.com
-	Redirect / https://www.example.com
-</VirtualHost>
-</pre>
+## Use cases
 
-<p>The URL <code>https://example.com/</code> will be redirected to <code>https://www.example.com/</code>, as will any files or directories under it (<code>https://example.com/some-page</code> will be redirected to <code>https://www.example.com/some-page</code>)</p>
+There are numerous use cases for redirects, but as performance is impacted with every redirect, their use should be kept to a minimum.
 
-<p><code>RedirectMatch</code> does the same, but takes a {{glossary("regular expression")}} to define a collection of affected URLs:</p>
+### Domain aliasing
 
-<pre>RedirectMatch ^/images/(.*)$ https://images.example.com/$1</pre>
+Ideally, there is one location, and therefore one URL, for each resource. But there are reasons for alternative names for a resource:
 
-<p>All documents in the <code>images/</code> directory will redirect to a different domain.</p>
+- Expanding the reach of your site
+  - : A common case is when a site resides at `www.example.com`, but accessing it from `example.com` should also work. Redirections for `example.com` to `www.example.com` are thus set up. You might also redirect from common synonyms or frequent typos of your domains.
+- Moving to a new domain
+  - : For example, your company was renamed, but you want existing links or bookmarks to still find you under the new name.
+- Forcing [HTTPS](/en-US/docs/Glossary/https)
+  - : Requests to the `http://` version of your site will redirect to the `https://` version of your site.
 
-<p>If you don't want a temporary redirect, an extra parameter (either the HTTP status code to use or the <code>permanent</code> keyword) can be used to set up a different redirect:</p>
+### Keeping links alive
 
-<pre>Redirect permanent / https://www.example.com
-# …acts the same as:
-Redirect 301 / https://www.example.com
-</pre>
+When you restructure Web sites, URLs change. Even if you update your site's links to match the new URLs, you have no control over the URLs used by external resources.
 
-<p>The <code><a href="https://httpd.apache.org/docs/current/mod/mod_rewrite.html">mod_rewrite</a></code> module can also create redirects. It is more flexible, but a bit more complex.</p>
+You don't want to break these links, as they bring valuable users and help your SEO, so you set up redirects from the old URLs to the new ones.
 
-<h3 id="Nginx">Nginx</h3>
+> **Note:** This technique does work for internal links, but try to avoid having internal redirects. A redirect has a significant performance cost (as an extra HTTP request occurs). If you can avoid it by correcting internal links, you should fix those links instead.
 
-<p>In Nginx, you create a specific server block for the content you want to redirect:</p>
+### Temporary responses to unsafe requests
 
-<pre>server {
-	listen 80;
-	server_name example.com;
-	return 301 $scheme://www.example.com$request_uri;
-}</pre>
+{{Glossary("Safe/HTTP", "Unsafe")}} requests modify the state of the server and the user shouldn't resend them unintentionally.
 
-<p>To apply a redirect to a directory or only certain pages, use the <code>rewrite</code> directive:</p>
+Typically, you don't want your users to resend {{HTTPMethod("PUT")}}, {{HTTPMethod("POST")}} or {{HTTPMethod("DELETE")}} requests. If you serve the response as the result of this request, a simple press of the reload button will resend the request (possibly after a confirmation message).
 
-<pre>rewrite ^/images/(.*)$ https://images.example.com/$1 redirect;
-rewrite ^/images/(.*)$ https://images.example.com/$1 permanent;
-</pre>
+In this case, the server can send back a {{HTTPStatus("303")}} (See Other) response for a URL that will contain the right information. If the reload button is pressed, only that page is redisplayed, without replaying the unsafe requests.
 
-<h3 id="IIS">IIS</h3>
+### Temporary responses to long requests
 
-<p>In IIS, you use the <code><a href="https://www.iis.net/configreference/system.webserver/httpredirect"><httpRedirect></a></code> element to configure redirections.</p>
+Some requests may need more time on the server, like {{HTTPHeader("DELETE")}} requests that are scheduled for later processing. In this case, the response is a {{HTTPStatus("303")}} (See Other) redirect that links to a page indicating that the action has been scheduled, and eventually informs about its progress, or allows to cancel it.
 
-<h2 id="Redirection_loops">Redirection loops</h2>
+## Configuring redirects in common servers
 
-<p>Redirection loops happen when additional redirections follow the one that has already been followed. In other words, there is a loop that will never be finished and no page will ever be found.</p>
+### Apache
 
-<p>Most of the time this is a server problem, and if the server can detect it, it will send back a {{HTTPStatus("500")}} <code>Internal Server Error</code>. If you encounter such an error soon after modifying a server configuration, this is likely a redirection loop.</p>
+Redirects can be set either in the server config file or in the `.htaccess` of each directory.
 
-<p>Sometimes, the server won't detect it: a redirection loop can spread over several servers which each don't have the full picture. In this case, browsers will detect it and display an error message. Firefox displays:</p>
+The [`mod_alias`](https://httpd.apache.org/docs/current/mod/mod_alias.html) module has `Redirect` and `RedirectMatch` directives that set up {{HTTPStatus("302")}} redirects by default:
 
-<blockquote>
-<p>Firefox has detected that the server is redirecting the request for this address in a way that will never complete.</p>
-</blockquote>
+    <VirtualHost *:443>
+    	ServerName example.com
+    	Redirect / https://www.example.com
+    </VirtualHost>
 
-<p>…while Chrome displays:</p>
+The URL `https://example.com/` will be redirected to `https://www.example.com/`, as will any files or directories under it (`https://example.com/some-page` will be redirected to `https://www.example.com/some-page`)
 
-<blockquote>
-<p>This Webpage has a redirect loop</p>
-</blockquote>
+`RedirectMatch` does the same, but takes a {{glossary("regular expression")}} to define a collection of affected URLs:
 
-<p>In both cases, the user can't do much (unless a corruption is happening on their side, like a mismatch of cache or cookies).</p>
+    RedirectMatch ^/images/(.*)$ https://images.example.com/$1
 
-<p>It is important to avoid redirection loops, as they completely break the user experience.</p>
+All documents in the `images/` directory will redirect to a different domain.
+
+If you don't want a temporary redirect, an extra parameter (either the HTTP status code to use or the `permanent` keyword) can be used to set up a different redirect:
+
+    Redirect permanent / https://www.example.com
+    # …acts the same as:
+    Redirect 301 / https://www.example.com
+
+The [`mod_rewrite`](https://httpd.apache.org/docs/current/mod/mod_rewrite.html) module can also create redirects. It is more flexible, but a bit more complex.
+
+### Nginx
+
+In Nginx, you create a specific server block for the content you want to redirect:
+
+    server {
+    	listen 80;
+    	server_name example.com;
+    	return 301 $scheme://www.example.com$request_uri;
+    }
+
+To apply a redirect to a directory or only certain pages, use the `rewrite` directive:
+
+    rewrite ^/images/(.*)$ https://images.example.com/$1 redirect;
+    rewrite ^/images/(.*)$ https://images.example.com/$1 permanent;
+
+### IIS
+
+In IIS, you use the [`<httpRedirect>`](https://www.iis.net/configreference/system.webserver/httpredirect) element to configure redirections.
+
+## Redirection loops
+
+Redirection loops happen when additional redirections follow the one that has already been followed. In other words, there is a loop that will never be finished and no page will ever be found.
+
+Most of the time this is a server problem, and if the server can detect it, it will send back a {{HTTPStatus("500")}} `Internal Server Error`. If you encounter such an error soon after modifying a server configuration, this is likely a redirection loop.
+
+Sometimes, the server won't detect it: a redirection loop can spread over several servers which each don't have the full picture. In this case, browsers will detect it and display an error message. Firefox displays:
+
+> Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
+
+…while Chrome displays:
+
+> This Webpage has a redirect loop
+
+In both cases, the user can't do much (unless a corruption is happening on their side, like a mismatch of cache or cookies).
+
+It is important to avoid redirection loops, as they completely break the user experience.
diff --git a/files/en-us/web/http/resources_and_specifications/index.md b/files/en-us/web/http/resources_and_specifications/index.md
index 427dfd8cafe348b..bfa77995ff1c14f 100644
--- a/files/en-us/web/http/resources_and_specifications/index.md
+++ b/files/en-us/web/http/resources_and_specifications/index.md
@@ -5,258 +5,55 @@ tags:
   - Guide
   - HTTP
 ---
-<div>{{HTTPSidebar}}</div>
+{{HTTPSidebar}}
 
-<p>HTTP was first specified in the early 1990s. Designed with extensibility in mind, it has seen numerous additions over the years; this lead to its specification being scattered through numerous specification documents (in the midst of experimental abandoned extensions). This page lists relevant resources about HTTP.</p>
+HTTP was first specified in the early 1990s. Designed with extensibility in mind, it has seen numerous additions over the years; this lead to its specification being scattered through numerous specification documents (in the midst of experimental abandoned extensions). This page lists relevant resources about HTTP.
 
-<table class="standard-table">
- <thead>
-  <tr>
-   <th scope="col">Specification</th>
-   <th scope="col">Title</th>
-   <th scope="col">Status</th>
-  </tr>
- </thead>
- <tbody>
-  <tr>
-   <td>{{rfc(7230)}}</td>
-   <td>Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7231)}}</td>
-   <td>Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7232)}}</td>
-   <td>Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7233)}}</td>
-   <td>Hypertext Transfer Protocol (HTTP/1.1): Range Requests</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7234)}}</td>
-   <td>Hypertext Transfer Protocol (HTTP/1.1): Caching</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(5861)}}</td>
-   <td>HTTP Cache-Control Extensions for Stale Content</td>
-   <td>Informational</td>
-  </tr>
-  <tr>
-   <td>{{rfc(8246)}}</td>
-   <td>HTTP Immutable Responses</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7235)}}</td>
-   <td>Hypertext Transfer Protocol (HTTP/1.1): Authentication</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(6265)}}</td>
-   <td>HTTP State Management Mechanism<br>
-    <em>Defines Cookies</em></td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td><a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00">Draft spec</a></td>
-   <td>Cookie Prefixes</td>
-   <td>IETF Draft</td>
-  </tr>
-  <tr>
-   <td><a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00">Draft spec</a></td>
-   <td>Same-Site Cookies</td>
-   <td>IETF Draft</td>
-  </tr>
-  <tr>
-   <td><a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-alone-01">Draft spec</a></td>
-   <td>Deprecate modification of 'secure' cookies from non-secure origins</td>
-   <td>IETF Draft</td>
-  </tr>
-  <tr>
-   <td>{{rfc(2145)}}</td>
-   <td>Use and Interpretation of HTTP Version Numbers</td>
-   <td>Informational</td>
-  </tr>
-  <tr>
-   <td>{{rfc(6585)}}</td>
-   <td>Additional HTTP Status Codes</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7538)}}</td>
-   <td>The Hypertext Transfer Protocol Status Code 308 (Permanent Redirect)</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7725)}}</td>
-   <td>An HTTP Status Code to Report Legal Obstacles</td>
-   <td>On the standard track</td>
-  </tr>
-  <tr>
-   <td>{{rfc(2397)}}</td>
-   <td>The "data" URL scheme</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(3986)}}</td>
-   <td>Uniform Resource Identifier (URI): Generic Syntax</td>
-   <td>Internet Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(5988)}}</td>
-   <td>Web Linking<br>
-    <em>Defines the {{HTTPHeader("Link")}} header</em></td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td><a href="https://tools.ietf.org/id/draft-thomson-hybi-http-timeout-01.html">Experimental spec</a></td>
-   <td>Hypertext Transfer Protocol (HTTP) Keep-Alive Header</td>
-   <td>Informational (Expired)</td>
-  </tr>
-  <tr>
-   <td><a href="http://httpwg.org/http-extensions/client-hints.html">Draft spec</a></td>
-   <td>HTTP Client Hints</td>
-   <td>IETF Draft</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7578)}}</td>
-   <td>Returning Values from Forms: multipart/form-data</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(6266)}}</td>
-   <td>Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP)</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(2183)}}</td>
-   <td>Communicating Presentation Information in Internet Messages: The Content-Disposition Header Field<br>
-    <em>Only a subset of syntax of the {{HTTPHeader("Content-Disposition")}} header can be used in the context of HTTP messages.</em></td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7239)}}</td>
-   <td>Forwarded HTTP Extension</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(6455)}}</td>
-   <td>The WebSocket Protocol</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(5246)}}</td>
-   <td>The Transport Layer Security (TLS) Protocol Version 1.2<br>
-    <em>This specification has been modified by subsequent RFCs, but these modifications have no effect on the HTTP protocol.</em></td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(8446)}}</td>
-   <td>The Transport Layer Security (TLS) Protocol Version 1.3<br>
-    <em>Supersedes TLS 1.2.</em></td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(2817)}}</td>
-   <td>Upgrading to TLS Within HTTP/1.1</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7540)}}</td>
-   <td>Hypertext Transfer Protocol Version 2 (HTTP/2)</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7541)}}</td>
-   <td>HPACK: Header Compression for HTTP/2</td>
-   <td>On the standard track</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7838)}}</td>
-   <td>HTTP Alternative Services</td>
-   <td>On the standard track</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7301)}}</td>
-   <td>Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension<br>
-    <em>Used to negotiate HTTP/2 at the transport to save an extra request/response round trip.</em></td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(6454)}}</td>
-   <td>The Web Origin Concept</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{SpecName('Fetch', '#cors-protocol', 'CORS')}}</td>
-   <td>Cross-Origin Resource Sharing</td>
-   <td>{{Spec2("Fetch")}}</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7034)}}</td>
-   <td>HTTP Header Field X-Frame-Options</td>
-   <td>Informational</td>
-  </tr>
-  <tr>
-   <td>{{rfc(6797)}}</td>
-   <td>HTTP Strict Transport Security (HSTS)</td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{SpecName("Upgrade Insecure Requests")}}</td>
-   <td>Upgrade Insecure Requests</td>
-   <td>{{Spec2("Upgrade Insecure Requests")}}</td>
-  </tr>
-  <tr>
-   <td>{{SpecName("CSP 1.0")}}</td>
-   <td>Content Security Policy 1.0<br>
-    <em>CSP 1.1 and CSP 3.0 doesn't extend the HTTP standard</em></td>
-   <td>{{Spec2("CSP 1.0")}}</td>
-  </tr>
-  <tr>
-   <td><a href="https://msdn.microsoft.com/en-us/library/jj676915(v=vs.85).aspx">Microsoft document</a></td>
-   <td>Specifying legacy document modes*<br>
-    <em>Defines X-UA-Compatible</em></td>
-   <td>Note</td>
-  </tr>
-  <tr>
-   <td>{{rfc(5689)}}</td>
-   <td>HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)<br>
-    <em>These extensions of the Web, as well as CardDAV and CalDAV, are out-of-scope for HTTP on the Web. Modern APIs for application are defines using the RESTful pattern nowadays.</em></td>
-   <td>Proposed Standard</td>
-  </tr>
-  <tr>
-   <td>{{rfc(2324)}}</td>
-   <td>Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0)</td>
-   <td>April 1st joke spec</td>
-  </tr>
-  <tr>
-   <td>{{rfc(7168)}}</td>
-   <td>The Hyper Text Coffee Pot Control Protocol for Tea Efflux Appliances (HTCPCP-TEA)</td>
-   <td>April 1st joke spec</td>
-  </tr>
-  <tr>
-   <td>{{SpecName("HTML WHATWG")}}</td>
-   <td>HTML<br>
-    <em>Defines extensions of HTTP for Server-Sent Events</em></td>
-   <td>{{Spec2("HTML WHATWG")}}</td>
-  </tr>
-  <tr>
-   <td><a href="https://wicg.github.io/reporting/">Reporting API</a></td>
-   <td><code>Report-To</code> header</td>
-   <td>Draft</td>
-  </tr>
-  <tr>
-   <td><a href="https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-expect-ct-01">Draft spec</a></td>
-   <td>Expect-CT Extension for HTTP</td>
-   <td>IETF Draft</td>
-  </tr>
- </tbody>
-</table>
+| Specification                                                                              | Title                                                                                                                                                                                                                                                 | Status                                               |
+| ------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------- |
+| {{rfc(7230)}}                                                                           | Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing                                                                                                                                                                                    | Proposed Standard                                    |
+| {{rfc(7231)}}                                                                           | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content                                                                                                                                                                                         | Proposed Standard                                    |
+| {{rfc(7232)}}                                                                           | Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests                                                                                                                                                                                          | Proposed Standard                                    |
+| {{rfc(7233)}}                                                                           | Hypertext Transfer Protocol (HTTP/1.1): Range Requests                                                                                                                                                                                                | Proposed Standard                                    |
+| {{rfc(7234)}}                                                                           | Hypertext Transfer Protocol (HTTP/1.1): Caching                                                                                                                                                                                                       | Proposed Standard                                    |
+| {{rfc(5861)}}                                                                           | HTTP Cache-Control Extensions for Stale Content                                                                                                                                                                                                       | Informational                                        |
+| {{rfc(8246)}}                                                                           | HTTP Immutable Responses                                                                                                                                                                                                                              | Proposed Standard                                    |
+| {{rfc(7235)}}                                                                           | Hypertext Transfer Protocol (HTTP/1.1): Authentication                                                                                                                                                                                                | Proposed Standard                                    |
+| {{rfc(6265)}}                                                                           | HTTP State Management Mechanism _Defines Cookies_                                                                                                                                                                                                     | Proposed Standard                                    |
+| [Draft spec](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00)  | Cookie Prefixes                                                                                                                                                                                                                                       | IETF Draft                                           |
+| [Draft spec](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-same-site-00) | Same-Site Cookies                                                                                                                                                                                                                                     | IETF Draft                                           |
+| [Draft spec](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-alone-01)     | Deprecate modification of 'secure' cookies from non-secure origins                                                                                                                                                                                    | IETF Draft                                           |
+| {{rfc(2145)}}                                                                           | Use and Interpretation of HTTP Version Numbers                                                                                                                                                                                                        | Informational                                        |
+| {{rfc(6585)}}                                                                           | Additional HTTP Status Codes                                                                                                                                                                                                                          | Proposed Standard                                    |
+| {{rfc(7538)}}                                                                           | The Hypertext Transfer Protocol Status Code 308 (Permanent Redirect)                                                                                                                                                                                  | Proposed Standard                                    |
+| {{rfc(7725)}}                                                                           | An HTTP Status Code to Report Legal Obstacles                                                                                                                                                                                                         | On the standard track                                |
+| {{rfc(2397)}}                                                                           | The "data" URL scheme                                                                                                                                                                                                                                 | Proposed Standard                                    |
+| {{rfc(3986)}}                                                                           | Uniform Resource Identifier (URI): Generic Syntax                                                                                                                                                                                                     | Internet Standard                                    |
+| {{rfc(5988)}}                                                                           | Web Linking _Defines the {{HTTPHeader("Link")}} header_                                                                                                                                                                                         | Proposed Standard                                    |
+| [Experimental spec](https://tools.ietf.org/id/draft-thomson-hybi-http-timeout-01.html)     | Hypertext Transfer Protocol (HTTP) Keep-Alive Header                                                                                                                                                                                                  | Informational (Expired)                              |
+| [Draft spec](http://httpwg.org/http-extensions/client-hints.html)                          | HTTP Client Hints                                                                                                                                                                                                                                     | IETF Draft                                           |
+| {{rfc(7578)}}                                                                           | Returning Values from Forms: multipart/form-data                                                                                                                                                                                                      | Proposed Standard                                    |
+| {{rfc(6266)}}                                                                           | Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP)                                                                                                                                                                 | Proposed Standard                                    |
+| {{rfc(2183)}}                                                                           | Communicating Presentation Information in Internet Messages: The Content-Disposition Header Field _Only a subset of syntax of the {{HTTPHeader("Content-Disposition")}} header can be used in the context of HTTP messages._               | Proposed Standard                                    |
+| {{rfc(7239)}}                                                                           | Forwarded HTTP Extension                                                                                                                                                                                                                              | Proposed Standard                                    |
+| {{rfc(6455)}}                                                                           | The WebSocket Protocol                                                                                                                                                                                                                                | Proposed Standard                                    |
+| {{rfc(5246)}}                                                                           | The Transport Layer Security (TLS) Protocol Version 1.2 _This specification has been modified by subsequent RFCs, but these modifications have no effect on the HTTP protocol._                                                                       | Proposed Standard                                    |
+| {{rfc(8446)}}                                                                           | The Transport Layer Security (TLS) Protocol Version 1.3 _Supersedes TLS 1.2._                                                                                                                                                                         | Proposed Standard                                    |
+| {{rfc(2817)}}                                                                           | Upgrading to TLS Within HTTP/1.1                                                                                                                                                                                                                      | Proposed Standard                                    |
+| {{rfc(7540)}}                                                                           | Hypertext Transfer Protocol Version 2 (HTTP/2)                                                                                                                                                                                                        | Proposed Standard                                    |
+| {{rfc(7541)}}                                                                           | HPACK: Header Compression for HTTP/2                                                                                                                                                                                                                  | On the standard track                                |
+| {{rfc(7838)}}                                                                           | HTTP Alternative Services                                                                                                                                                                                                                             | On the standard track                                |
+| {{rfc(7301)}}                                                                           | Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension _Used to negotiate HTTP/2 at the transport to save an extra request/response round trip._                                                                             | Proposed Standard                                    |
+| {{rfc(6454)}}                                                                           | The Web Origin Concept                                                                                                                                                                                                                                | Proposed Standard                                    |
+| {{SpecName('Fetch', '#cors-protocol', 'CORS')}}                           | Cross-Origin Resource Sharing                                                                                                                                                                                                                         | {{Spec2("Fetch")}}                             |
+| {{rfc(7034)}}                                                                           | HTTP Header Field X-Frame-Options                                                                                                                                                                                                                     | Informational                                        |
+| {{rfc(6797)}}                                                                           | HTTP Strict Transport Security (HSTS)                                                                                                                                                                                                                 | Proposed Standard                                    |
+| {{SpecName("Upgrade Insecure Requests")}}                                   | Upgrade Insecure Requests                                                                                                                                                                                                                             | {{Spec2("Upgrade Insecure Requests")}} |
+| {{SpecName("CSP 1.0")}}                                                           | Content Security Policy 1.0 _CSP 1.1 and CSP 3.0 doesn't extend the HTTP standard_                                                                                                                                                                    | {{Spec2("CSP 1.0")}}                         |
+| [Microsoft document](<https://msdn.microsoft.com/en-us/library/jj676915(v=vs.85).aspx>)    | Specifying legacy document modes\* _Defines X-UA-Compatible_                                                                                                                                                                                          | Note                                                 |
+| {{rfc(5689)}}                                                                           | HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV) _These extensions of the Web, as well as CardDAV and CalDAV, are out-of-scope for HTTP on the Web. Modern APIs for application are defines using the RESTful pattern nowadays._ | Proposed Standard                                    |
+| {{rfc(2324)}}                                                                           | Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0)                                                                                                                                                                                                   | April 1st joke spec                                  |
+| {{rfc(7168)}}                                                                           | The Hyper Text Coffee Pot Control Protocol for Tea Efflux Appliances (HTCPCP-TEA)                                                                                                                                                                     | April 1st joke spec                                  |
+| {{SpecName("HTML WHATWG")}}                                                       | HTML _Defines extensions of HTTP for Server-Sent Events_                                                                                                                                                                                              | {{Spec2("HTML WHATWG")}}                     |
+| [Reporting API](https://wicg.github.io/reporting/)                                         | `Report-To` header                                                                                                                                                                                                                                    | Draft                                                |
+| [Draft spec](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-expect-ct-01)        | Expect-CT Extension for HTTP                                                                                                                                                                                                                          | IETF Draft                                           |
diff --git a/files/en-us/web/http/resources_and_uris/index.md b/files/en-us/web/http/resources_and_uris/index.md
index 6f9ecb64545351a..8db1c4c19a54d70 100644
--- a/files/en-us/web/http/resources_and_uris/index.md
+++ b/files/en-us/web/http/resources_and_uris/index.md
@@ -12,19 +12,17 @@ tags:
   - URL
   - resources
 ---
-<div>{{HTTPSidebar}}</div>
+{{HTTPSidebar}}
 
-<p>HTTP allows a browser, or another {{Glossary("user agent")}}, to communicate with different <em>resources</em> on the Internet: to do this the browser needs both the <em>identity</em> and the <em>location</em> of the resources. These two bits of information are described by a {{glossary("URI")}}.</p>
+HTTP allows a browser, or another {{Glossary("user agent")}}, to communicate with different _resources_ on the Internet: to do this the browser needs both the _identity_ and the _location_ of the resources. These two bits of information are described by a {{glossary("URI")}}.
 
-<dl>
- <dt><a href="/en-US/docs/Web/HTTP/Basics_of_HTTP/Identifying_resources_on_the_Web">Identifying resources on the Web</a></dt>
- <dd>URIs and how to access resources on the Web.</dd>
- <dt><a href="/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs">Data URIs</a></dt>
- <dd>A specific kind of URIs, data URIs, embed the resource itself inside the identifier.</dd>
- <dt><a href="/en-US/docs/Web/HTTP/Basics_of_HTTP/Choosing_between_www_and_non-www_URLs">Choosing between www and non-www URLs</a></dt>
- <dd>Advice on using a www-prefixed domain or not, this article explains the consequences of the choice as well as how to make it.</dd>
- <dt><a href="/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types">MIME Types</a></dt>
- <dd>MIME media types define what kind of document a specific resource is. This article presents both the syntax and the most useful MIME types for use on the Web.</dd>
- <dt><a href="/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types">Common MIME types</a></dt>
- <dd>List of common MIME types useful for Web developers.</dd>
-</dl>
+- [Identifying resources on the Web](/en-US/docs/Web/HTTP/Basics_of_HTTP/Identifying_resources_on_the_Web)
+  - : URIs and how to access resources on the Web.
+- [Data URIs](/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs)
+  - : A specific kind of URIs, data URIs, embed the resource itself inside the identifier.
+- [Choosing between www and non-www URLs](/en-US/docs/Web/HTTP/Basics_of_HTTP/Choosing_between_www_and_non-www_URLs)
+  - : Advice on using a www-prefixed domain or not, this article explains the consequences of the choice as well as how to make it.
+- [MIME Types](/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types)
+  - : MIME media types define what kind of document a specific resource is. This article presents both the syntax and the most useful MIME types for use on the Web.
+- [Common MIME types](/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types)
+  - : List of common MIME types useful for Web developers.
diff --git a/files/en-us/web/http/session/index.md b/files/en-us/web/http/session/index.md
index e56efab0d929864..a85ea89139813bd 100644
--- a/files/en-us/web/http/session/index.md
+++ b/files/en-us/web/http/session/index.md
@@ -4,168 +4,148 @@ slug: Web/HTTP/Session
 tags:
   - HTTP
 ---
-<div>{{HTTPSidebar}}</div>
+{{HTTPSidebar}}
 
-<p>In client-server protocols, like HTTP, sessions consist of three phases:</p>
+In client-server protocols, like HTTP, sessions consist of three phases:
 
-<ol>
- <li>The client establishes a TCP connection (or the appropriate connection if the transport layer is not TCP).</li>
- <li>The client sends its request, and waits for the answer.</li>
- <li>The server processes the request, sending back its answer, providing a status code and appropriate data.</li>
-</ol>
+1.  The client establishes a TCP connection (or the appropriate connection if the transport layer is not TCP).
+2.  The client sends its request, and waits for the answer.
+3.  The server processes the request, sending back its answer, providing a status code and appropriate data.
 
-<p>As of HTTP/1.1, the connection is no longer closed after completing the third phase, and the client is now granted a further request: this means the second and third phases can now be performed any number of times.</p>
+As of HTTP/1.1, the connection is no longer closed after completing the third phase, and the client is now granted a further request: this means the second and third phases can now be performed any number of times.
 
-<h2 id="Establishing_a_connection">Establishing a connection</h2>
+## Establishing a connection
 
-<p>In client-server protocols, it is the client which establishes the connection. Opening a connection in HTTP means initiating a connection in the underlying transport layer, usually this is TCP.</p>
+In client-server protocols, it is the client which establishes the connection. Opening a connection in HTTP means initiating a connection in the underlying transport layer, usually this is TCP.
 
-<p>With TCP the default port, for an HTTP server on a computer, is port 80. Other ports can also be used, like 8000 or 8080. The URL of a page to fetch contains both the domain name, and the port number, though the latter can be omitted if it is 80. See <a href="/en-US/docs/Web/HTTP/Basics_of_HTTP/Identifying_resources_on_the_Web">Identifying resources on the Web</a> for more details.</p>
+With TCP the default port, for an HTTP server on a computer, is port 80. Other ports can also be used, like 8000 or 8080. The URL of a page to fetch contains both the domain name, and the port number, though the latter can be omitted if it is 80. See [Identifying resources on the Web](/en-US/docs/Web/HTTP/Basics_of_HTTP/Identifying_resources_on_the_Web) for more details.
 
-<div class="notecard note">
-  <p><strong>Note:</strong> The client-server model does not allow the server to send data to the client without an explicit request for it. To work around this problem, web developers use several techniques: ping the server periodically via the {{domxref("XMLHTTPRequest")}}, {{domxref("WindowOrWorkerGlobalScope.fetch")}} APIs, using the <a href="/en-US/docs/Web/API/WebSockets_API">WebSockets API</a>, or similar protocols.</p>
-</div>
-
-<h2 id="Sending_a_client_request">Sending a client request</h2>
-
-<p>Once the connection is established, the user-agent can send the request (a user-agent is typically a web browser, but can be anything else, a crawler, for example). A client request consists of text directives, separated by CRLF (carriage return, followed by line feed), divided into three blocks:</p>
+> **Note:** The client-server model does not allow the server to send data to the client without an explicit request for it. To work around this problem, web developers use several techniques: ping the server periodically via the {{domxref("XMLHTTPRequest")}}, {{domxref("WindowOrWorkerGlobalScope.fetch")}} APIs, using the [WebSockets API](/en-US/docs/Web/API/WebSockets_API), or similar protocols.
 
-<ol>
- <li>The first line contains a request method followed by its parameters:
-  <ul>
-   <li>the path of the document, i.e. an absolute URL without the protocol or domain name</li>
-   <li>the HTTP protocol version</li>
-  </ul>
- </li>
- <li>Subsequent lines represent an HTTP header, giving the server information about what type of data is appropriate (e.g., what language, what MIME types), or other data altering its behavior (e.g., not sending an answer if it is already cached). These HTTP headers form a block which ends with an empty line.</li>
- <li>The final block is an optional data block, which may contain further data mainly used by the POST method.</li>
-</ol>
-
-<h3 id="Example_requests">Example requests</h3>
-
-<p>Fetching the root page of developer.mozilla.org, (<code>https://developer.mozilla.org/</code>), and telling the server that the user-agent would prefer the page in French, if possible:</p>
-
-<pre>GET / HTTP/1.1
-Host: developer.mozilla.org
-Accept-Language: fr
-</pre>
-
-<p>Observe that final empty line, this separates the data block from the header block. As there is no <code>Content-Length</code> provided in an HTTP header, this data block is presented empty, marking the end of the headers, allowing the server to process the request the moment it receives this empty line.</p>
-
-<p>For example, sending the result of a form:</p>
-
-<pre>POST /contact_form.php HTTP/1.1
-Host: developer.mozilla.org
-Content-Length: 64
-Content-Type: application/x-www-form-urlencoded
-
-name=Joe%20User&request=Send%20me%20one%20of%20your%20catalogue
-</pre>
-
-<h3 id="Request_methods">Request methods</h3>
-
-<p>HTTP defines a set of <a href="/en-US/docs/Web/HTTP/Methods">request methods</a> indicating the desired action to be performed upon a resource. Although they can also be nouns, these requests methods are sometimes referred as HTTP verbs. The most common requests are <code>GET</code> and <code>POST</code>:</p>
-
-<ul>
- <li>The {{HTTPMethod("GET")}} method requests a data representation of the specified resource. Requests using <code>GET</code> should only retrieve data.</li>
- <li>The {{HTTPMethod("POST")}} method sends data to a server so it may change its state. This is the method often used for <a href="/en-US/docs/Learn/Forms">HTML Forms</a>.</li>
-</ul>
-
-<h2 id="Structure_of_a_server_response">Structure of a server response</h2>
-
-<p>After the connected agent has sent its request, the web server processes it, and ultimately returns a response. Similar to a client request, a server response is formed of text directives, separated by CRLF, though divided into three blocks:</p>
-
-<ol>
- <li>The first line, the <em>status line</em>, consists of an acknowledgment of the HTTP version used, followed by a response status code (and its brief meaning in human-readable text).</li>
- <li>Subsequent lines represent specific HTTP headers, giving the client information about the data sent (e.g. type, data size, compression algorithm used, hints about caching). Similarly to the block of HTTP headers for a client request, these HTTP headers form a block ending with an empty line.</li>
- <li>The final block is a data block, which contains the optional data.</li>
-</ol>
-
-<h3 id="Example_responses">Example responses</h3>
-
-<p>Successful web page response:</p>
-
-<pre>HTTP/1.1 200 OK
-Content-Type: text/html; charset=utf-8
-Content-Length: 55743
-Connection: keep-alive
-Cache-Control: s-maxage=300, public, max-age=0
-Content-Language: en-US
-Date: Thu, 06 Dec 2018 17:37:18 GMT
-ETag: "2e77ad1dc6ab0b53a2996dfd4653c1c3"
-Server: meinheld/0.6.1
-Strict-Transport-Security: max-age=63072000
-X-Content-Type-Options: nosniff
-X-Frame-Options: DENY
-X-XSS-Protection: 1; mode=block
-Vary: Accept-Encoding,Cookie
-Age: 7
-
-<!DOCTYPE html>
-<html lang="en">
-<head>
-  <meta charset="utf-8">
-  <title>A simple webpage</title>
-</head>
-<body>
-  <h1>Simple HTML5 webpage</h1>
-  <p>Hello, world!</p>
-</body>
-</html>
-</pre>
-
-<p>Notification that the requested resource has permanently moved:</p>
-
-<pre>HTTP/1.1 301 Moved Permanently
-Server: Apache/2.4.37 (Red Hat)
-Content-Type: text/html; charset=utf-8
-Date: Thu, 06 Dec 2018 17:33:08 GMT
-Location: <a class="linkification-ext" href="../../../../" title="Linkification: https://developer.mozilla.org/">https://developer.mozilla.org/</a> <strong><em>(this is the new link to the resource; it is expected that the user-agent will fetch it)</em></strong>
-Keep-Alive: timeout=15, max=98
-Accept-Ranges: bytes
-Via: Moz-Cache-zlb05
-Connection: Keep-Alive
-Content-Length: 325 <em>(<strong>the content contains a default page to display if the user-agent is not able to follow the link)</strong></em>
-
-<!DOCTYPE html... <strong><em>(contains a site-customized page helping the user to find the missing resource)</em></strong>
-</pre>
-
-<p>Notification that the requested resource doesn't exist:</p>
-
-<pre>HTTP/1.1 404 Not Found
-Content-Type: text/html; charset=utf-8
-Content-Length: 38217
-Connection: keep-alive
-Cache-Control: no-cache, no-store, must-revalidate, max-age=0
-Content-Language: en-US
-Date: Thu, 06 Dec 2018 17:35:13 GMT
-Expires: Thu, 06 Dec 2018 17:35:13 GMT
-Server: meinheld/0.6.1
-Strict-Transport-Security: max-age=63072000
-X-Content-Type-Options: nosniff
-X-Frame-Options: DENY
-X-XSS-Protection: 1; mode=block
-Vary: Accept-Encoding,Cookie
-X-Cache: Error from cloudfront
-
-<!DOCTYPE html... <strong><em>(contains a site-customized page helping the user to find the missing resource)</em></strong>
-</pre>
-
-<h3 id="Response_status_codes">Response status codes</h3>
-
-<p><a href="/en-US/docs/Web/HTTP/Status">HTTP response status codes</a> indicate if a specific HTTP request has been successfully completed. Responses are grouped into five classes: informational responses, successful responses, redirects, client errors, and servers errors.</p>
-
-<ul>
- <li>{{HTTPStatus(200)}}: OK. The request has succeeded.</li>
- <li>{{HTTPStatus(301)}}: Moved Permanently. This response code means that the URI of requested resource has been changed.</li>
- <li>{{HTTPStatus(404)}}: Not Found. The server cannot find the requested resource.</li>
-</ul>
-
-<h2 id="See_also">See also</h2>
-
-<ul>
- <li><a href="/en-US/docs/Web/HTTP/Basics_of_HTTP/Identifying_resources_on_the_Web">Identifying resources on the Web</a></li>
- <li><a href="/en-US/docs/Web/HTTP/Headers">HTTP headers</a></li>
- <li><a href="/en-US/docs/Web/HTTP/Methods">HTTP request methods</a></li>
- <li><a href="/en-US/docs/Web/HTTP/Status">HTTP response status codes </a></li>
-</ul>
+## Sending a client request
+
+Once the connection is established, the user-agent can send the request (a user-agent is typically a web browser, but can be anything else, a crawler, for example). A client request consists of text directives, separated by CRLF (carriage return, followed by line feed), divided into three blocks:
+
+1.  The first line contains a request method followed by its parameters:
+
+    - the path of the document, i.e. an absolute URL without the protocol or domain name
+    - the HTTP protocol version
+
+2.  Subsequent lines represent an HTTP header, giving the server information about what type of data is appropriate (e.g., what language, what MIME types), or other data altering its behavior (e.g., not sending an answer if it is already cached). These HTTP headers form a block which ends with an empty line.
+3.  The final block is an optional data block, which may contain further data mainly used by the POST method.
+
+### Example requests
+
+Fetching the root page of developer.mozilla.org, (`https://developer.mozilla.org/`), and telling the server that the user-agent would prefer the page in French, if possible:
+
+    GET / HTTP/1.1
+    Host: developer.mozilla.org
+    Accept-Language: fr
+
+Observe that final empty line, this separates the data block from the header block. As there is no `Content-Length` provided in an HTTP header, this data block is presented empty, marking the end of the headers, allowing the server to process the request the moment it receives this empty line.
+
+For example, sending the result of a form:
+
+    POST /contact_form.php HTTP/1.1
+    Host: developer.mozilla.org
+    Content-Length: 64
+    Content-Type: application/x-www-form-urlencoded
+
+    name=Joe%20User&request=Send%20me%20one%20of%20your%20catalogue
+
+### Request methods
+
+HTTP defines a set of [request methods](/en-US/docs/Web/HTTP/Methods) indicating the desired action to be performed upon a resource. Although they can also be nouns, these requests methods are sometimes referred as HTTP verbs. The most common requests are `GET` and `POST`:
+
+- The {{HTTPMethod("GET")}} method requests a data representation of the specified resource. Requests using `GET` should only retrieve data.
+- The {{HTTPMethod("POST")}} method sends data to a server so it may change its state. This is the method often used for [HTML Forms](/en-US/docs/Learn/Forms).
+
+## Structure of a server response
+
+After the connected agent has sent its request, the web server processes it, and ultimately returns a response. Similar to a client request, a server response is formed of text directives, separated by CRLF, though divided into three blocks:
+
+1.  The first line, the _status line_, consists of an acknowledgment of the HTTP version used, followed by a response status code (and its brief meaning in human-readable text).
+2.  Subsequent lines represent specific HTTP headers, giving the client information about the data sent (e.g. type, data size, compression algorithm used, hints about caching). Similarly to the block of HTTP headers for a client request, these HTTP headers form a block ending with an empty line.
+3.  The final block is a data block, which contains the optional data.
+
+### Example responses
+
+Successful web page response:
+
+    HTTP/1.1 200 OK
+    Content-Type: text/html; charset=utf-8
+    Content-Length: 55743
+    Connection: keep-alive
+    Cache-Control: s-maxage=300, public, max-age=0
+    Content-Language: en-US
+    Date: Thu, 06 Dec 2018 17:37:18 GMT
+    ETag: "2e77ad1dc6ab0b53a2996dfd4653c1c3"
+    Server: meinheld/0.6.1
+    Strict-Transport-Security: max-age=63072000
+    X-Content-Type-Options: nosniff
+    X-Frame-Options: DENY
+    X-XSS-Protection: 1; mode=block
+    Vary: Accept-Encoding,Cookie
+    Age: 7
+
+    <!DOCTYPE html>
+    <html lang="en">
+    <head>
+      <meta charset="utf-8">
+      <title>A simple webpage
+    
+    
+      
Simple HTML5 webpage

+      
Hello, world!

+    
+    
+
+Notification that the requested resource has permanently moved:
+
+    HTTP/1.1 301 Moved Permanently
+    Server: Apache/2.4.37 (Red Hat)
+    Content-Type: text/html; charset=utf-8
+    Date: Thu, 06 Dec 2018 17:33:08 GMT
+    Location: https://developer.mozilla.org/ (this is the new link to the resource; it is expected that the user-agent will fetch it)
+    Keep-Alive: timeout=15, max=98
+    Accept-Ranges: bytes
+    Via: Moz-Cache-zlb05
+    Connection: Keep-Alive
+    Content-Length: 325 (the content contains a default page to display if the user-agent is not able to follow the link)
+
+    {{HTTPSidebar}}
+{{HTTPSidebar}}
 
-
The HTTP 100 Continue informational status response code
-  indicates that everything so far is OK and that the client should continue with the
-  request or ignore it if it is already finished.

+The HTTP **`100 Continue`** informational status response code
+indicates that everything so far is OK and that the client should continue with the
+request or ignore it if it is already finished.
 
-
To have a server check the request's headers, a client must send
-  {{HTTPHeader("Expect")}}: 100-continue as a header in its initial request
-  and receive a 100 Continue status code in response before sending the body.
-

+To have a server check the request's headers, a client must send
+{{HTTPHeader("Expect")}}`: 100-continue` as a header in its initial request
+and receive a `100 Continue` status code in response before sending the body.
 
-
Status

+## Status
 
-
100 Continue

+```html
+100 Continue
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Expect")}}
    • 
-  
  • {{HTTPStatus(417)}}
    • 
-

+- {{HTTPHeader("Expect")}}
+- {{HTTPStatus(417)}}
diff --git a/files/en-us/web/http/status/101/index.md b/files/en-us/web/http/status/101/index.md
index 8364c89dcdaf98c..60bbe5e4f242fc1 100644
--- a/files/en-us/web/http/status/101/index.md
+++ b/files/en-us/web/http/status/101/index.md
@@ -2,57 +2,47 @@
 title: 101 Switching Protocols
 slug: Web/HTTP/Status/101
 tags:
-- HTTP
-- HTTP Status Code
-- Informational
-- Reference
-- WebSockets
+  - HTTP
+  - HTTP Status Code
+  - Informational
+  - Reference
+  - WebSockets
 ---
-
{{HTTPSidebar}}

-
-
The HTTP 101 Switching Protocols response code indicates
-  the protocol the server is switching to as requested by a client which sent the message
-  including the {{HTTPHeader("Upgrade")}} request header.

-
-
The server includes in this response an {{HTTPHeader("Upgrade")}} response header to
-  indicate the protocol it switched to. The process is described in detail in the article
-  Protocol upgrade
-    mechanism.

-
-
Status

-
-
101 Switching Protocols

-
-
Examples

-
-
Switching protocols might be used with WebSockets.

-
-
HTTP/1.1 101 Switching Protocols
-Upgrade: websocket
-Connection: Upgrade

-
-
Specifications

-
-
-  
-    
-      
-      
-    
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("7231", "101 Switching Protocol" , "6.2.2")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

-
-
See also

-
-
+{{HTTPSidebar}}
+
+The HTTP **`101 Switching Protocols`** response code indicates
+the protocol the server is switching to as requested by a client which sent the message
+including the {{HTTPHeader("Upgrade")}} request header.
+
+The server includes in this response an {{HTTPHeader("Upgrade")}} response header to
+indicate the protocol it switched to. The process is described in detail in the article
+[Protocol upgrade
+mechanism](/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism).
+
+## Status
+
+```html
+101 Switching Protocols
+```
+
+## Examples
+
+Switching protocols might be used with [WebSockets](/en-US/docs/Web/API/WebSockets_API).
+
+    HTTP/1.1 101 Switching Protocols
+    Upgrade: websocket
+    Connection: Upgrade
+
+## Specifications
+
+| Specification                                                        | Title                                                         |
+| -------------------------------------------------------------------- | ------------------------------------------------------------- |
+| {{RFC("7231", "101 Switching Protocol" , "6.2.2")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
+
+## See also
+
+- [Protocol upgrade
+  mechanism](/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism)
+- [WebSockets](/en-US/docs/Web/API/WebSockets_API)
+- {{HTTPHeader("Upgrade")}}
+- {{HTTPStatus("426")}} `Upgrade Required`
diff --git a/files/en-us/web/http/status/103/index.md b/files/en-us/web/http/status/103/index.md
index 057cc54b7f11748..d967596a0224722 100644
--- a/files/en-us/web/http/status/103/index.md
+++ b/files/en-us/web/http/status/103/index.md
@@ -2,50 +2,36 @@
 title: 103 Early Hints
 slug: Web/HTTP/Status/103
 tags:
-- Draft
-- HTTP
-- Informational
-- NeedsCompatTable
-- NeedsContent
-- Status code
+  - Draft
+  - HTTP
+  - Informational
+  - NeedsCompatTable
+  - NeedsContent
+  - Status code
 browser-compat: http.status.103
 ---
-
{{HTTPSidebar}}{{Draft}}

+{{HTTPSidebar}}{{Draft}}
 
-
The HTTP 103 Early Hints information response status code
-  is primarily intended to be used with the {{HTTPHeader("Link")}} header to allow the
-  user agent to start preloading resources while the server is still preparing a response.
-

+The HTTP **`103 Early Hints`** information response status code
+is primarily intended to be used with the {{HTTPHeader("Link")}} header to allow the
+user agent to start preloading resources while the server is still preparing a response.
 
-
Syntax

+## Syntax
 
-
103 Early Hints

+```html
+103 Early Hints
+```
 
-
Specifications

+## Specifications
 
-
-  
-    
-      
-      
-      
-    
-  
-  
-    
-      
-      
-      
-    
-  
-
SpecificationStatusComments
{{RFC(8297, "103 Early Hints")}}IETF RFCInitial definition

+| Specification                                | Status   | Comments           |
+| -------------------------------------------- | -------- | ------------------ |
+| {{RFC(8297, "103 Early Hints")}} | IETF RFC | Initial definition |
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Link")}}
    • 
-

+- {{HTTPHeader("Link")}}
diff --git a/files/en-us/web/http/status/200/index.md b/files/en-us/web/http/status/200/index.md
index 8f5e3c24a720cdb..f335e36adf5c4d4 100644
--- a/files/en-us/web/http/status/200/index.md
+++ b/files/en-us/web/http/status/200/index.md
@@ -7,35 +7,33 @@ tags:
   - Success
 browser-compat: http.status.200
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 200 OK success status response code indicates that the request has succeeded. A 200 response is cacheable by default.

+The HTTP **`200 OK`** success status response code indicates that the request has succeeded. A 200 response is cacheable by default.
 
-
The meaning of a success depends on the HTTP request method:

+The meaning of a success depends on the HTTP request method:
 
-
    
- 
  • {{HTTPMethod("GET")}}: The resource has been fetched and is transmitted in the message body.
    • 
- 
  • {{HTTPMethod("HEAD")}}: The representation headers are included in the response without any message body 
    • 
- 
  • {{HTTPMethod("POST")}}: The resource describing the result of the action is transmitted in the message body
    • 
- 
  • {{HTTPMethod("TRACE")}}: The message body contains the request message as received by the server.
    • 
-

+- {{HTTPMethod("GET")}}: The resource has been fetched and is transmitted in the message body.
+- {{HTTPMethod("HEAD")}}: The representation headers are included in the response without any message body
+- {{HTTPMethod("POST")}}: The resource describing the result of the action is transmitted in the message body
+- {{HTTPMethod("TRACE")}}: The message body contains the request message as received by the server.
 
-
The successful result of a {{HTTPMethod("PUT")}} or a {{HTTPMethod("DELETE")}} is often not a 200 OK but a {{HTTPStatus("204")}} No Content (or a {{HTTPStatus("201")}} Created when the resource is uploaded for the first time).

+The successful result of a {{HTTPMethod("PUT")}} or a {{HTTPMethod("DELETE")}} is often not a `200` `OK` but a {{HTTPStatus("204")}} `No Content` (or a {{HTTPStatus("201")}} `Created` when the resource is uploaded for the first time).
 
-
Status

+## Status
 
-
200 OK

+```html
+200 OK
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [HTTP request methods](/en-US/docs/Web/HTTP/Methods)
diff --git a/files/en-us/web/http/status/201/index.md b/files/en-us/web/http/status/201/index.md
index fc391bfb8442e2f..67d8006721146c4 100644
--- a/files/en-us/web/http/status/201/index.md
+++ b/files/en-us/web/http/status/201/index.md
@@ -2,37 +2,37 @@
 title: 201 Created
 slug: Web/HTTP/Status/201
 tags:
-- HTTP
-- Reference
-- Status code
-- Success
+  - HTTP
+  - Reference
+  - Status code
+  - Success
 browser-compat: http.status.201
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 201 Created success status response code
-  indicates that the request has succeeded and has led to the creation of a resource. The
-  new resource is effectively created before this response is sent back and the new
-  resource is returned in the body of the message, its location being either the URL of
-  the request, or the content of the {{HTTPHeader("Location")}} header.

+The HTTP **`201 Created`** success status response code
+indicates that the request has succeeded and has led to the creation of a resource. The
+new resource is effectively created before this response is sent back and the new
+resource is returned in the body of the message, its location being either the URL of
+the request, or the content of the {{HTTPHeader("Location")}} header.
 
-
The common use case of this status code is as the result of a {{HTTPMethod("POST")}}
-  request.

+The common use case of this status code is as the result of a {{HTTPMethod("POST")}}
+request.
 
-
Status

+## Status
 
-
201 Created

+```html
+201 Created
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [HTTP request methods](/en-US/docs/Web/HTTP/Methods)
diff --git a/files/en-us/web/http/status/202/index.md b/files/en-us/web/http/status/202/index.md
index 2aaaaedc8284196..82f9f4ecbf3d886 100644
--- a/files/en-us/web/http/status/202/index.md
+++ b/files/en-us/web/http/status/202/index.md
@@ -2,45 +2,35 @@
 title: 202 Accepted
 slug: Web/HTTP/Status/202
 tags:
-- HTTP
-- Reference
-- Status code
-- Success response
+  - HTTP
+  - Reference
+  - Status code
+  - Success response
 ---
-
{{HTTPSidebar}}

-
-
The HyperText Transfer Protocol (HTTP) 202 Accepted
-  response status code indicates that the request has been accepted for processing, but
-  the processing has not been completed; in fact, processing may not have started yet. The
-  request might or might not eventually be acted upon, as it might be disallowed when
-  processing actually takes place.

-
-
202 is non-committal, meaning that there is no way for the HTTP to later send an
-  asynchronous response indicating the outcome of processing the request. It is intended
-  for cases where another process or server handles the request, or for batch processing.
-

-
-
Status

-
-
202 Accepted

-
-
Specifications

-
-
-  
-    
-      
-      
-    
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("7231", "202 Accepted" , "6.3.3")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

-
-
See also

-
-
    
-  
  • {{HTTPHeader("Accept")}}
    • 
-

+{{HTTPSidebar}}
+
+The HyperText Transfer Protocol (HTTP) **`202 Accepted`**
+response status code indicates that the request has been accepted for processing, but
+the processing has not been completed; in fact, processing may not have started yet. The
+request might or might not eventually be acted upon, as it might be disallowed when
+processing actually takes place.
+
+202 is non-committal, meaning that there is no way for the HTTP to later send an
+asynchronous response indicating the outcome of processing the request. It is intended
+for cases where another process or server handles the request, or for batch processing.
+
+## Status
+
+```html
+202 Accepted
+```
+
+## Specifications
+
+| Specification                                            | Title                                                         |
+| -------------------------------------------------------- | ------------------------------------------------------------- |
+| {{RFC("7231", "202 Accepted" , "6.3.3")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
+
+## See also
+
+- {{HTTPHeader("Accept")}}
diff --git a/files/en-us/web/http/status/203/index.md b/files/en-us/web/http/status/203/index.md
index 45a5ac65c9c3c25..f1dd064d47615ad 100644
--- a/files/en-us/web/http/status/203/index.md
+++ b/files/en-us/web/http/status/203/index.md
@@ -8,44 +8,33 @@ tags:
   - Status code
   - Successful response
 ---
-
{{HTTPSidebar}}

-
-
The HTTP 203 Non-Authoritative Information response
-  status indicates that the request was successful but the enclosed payload has been
-  modified by a transforming {{Glossary("Proxy server", "proxy")}} from that of the origin
-  server's {{HTTPStatus("200")}} (OK) response .

-
-
The 203 response is similar to the value
-  214,
-  meaning Transformation Applied, of the {{HTTPHeader("Warning")}} header
-  code, which has the additional advantage of being applicable to responses with any
-  status code.

-
-
Status

-
-
203 Non-Authoritative Information

-
-
Specifications

-
-
-  
-    
-      
-      
-    
-  
-  
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("7231", "203 Non-Authoritative Information" , "6.3.4")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

-
-
See also

-
-
    
-  
  • {{HTTPStatus("200")}}
    • 
-  
  • {{Glossary("Proxy server")}}
    • 
-  
  • {{HTTPHeader("Warning")}}
    • 
-

+{{HTTPSidebar}}
+
+The HTTP **`203 Non-Authoritative Information`** response
+status indicates that the request was successful but the enclosed payload has been
+modified by a transforming {{Glossary("Proxy server", "proxy")}} from that of the origin
+server's {{HTTPStatus("200")}} (`OK`) response .
+
+The `203` response is similar to the value
+[`214`](/en-US/docs/Web/HTTP/Headers/Warning#warning_codes),
+meaning `Transformation Applied`, of the {{HTTPHeader("Warning")}} header
+code, which has the additional advantage of being applicable to responses with any
+status code.
+
+## Status
+
+```html
+203 Non-Authoritative Information
+```
+
+## Specifications
+
+| Specification                                                                        | Title                                                         |
+| ------------------------------------------------------------------------------------ | ------------------------------------------------------------- |
+| {{RFC("7231", "203 Non-Authoritative Information" , "6.3.4")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
+
+## See also
+
+- {{HTTPStatus("200")}}
+- {{Glossary("Proxy server")}}
+- {{HTTPHeader("Warning")}}
diff --git a/files/en-us/web/http/status/204/index.md b/files/en-us/web/http/status/204/index.md
index b9779bd94dc2afe..3c0cdee6cf7acfe 100644
--- a/files/en-us/web/http/status/204/index.md
+++ b/files/en-us/web/http/status/204/index.md
@@ -2,56 +2,51 @@
 title: 204 No Content
 slug: Web/HTTP/Status/204
 tags:
-- HTTP
-- Reference
-- Status code
-- Success
+  - HTTP
+  - Reference
+  - Status code
+  - Success
 browser-compat: http.status.204
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 204 No Content success status response code
-  indicates that a request has succeeded, but that the client doesn't need to navigate away
-  from its current page.

+The HTTP **`204 No Content`** success status response code
+indicates that a request has succeeded, but that the client doesn't need to navigate away
+from its current page.
 
-
This might be used, for example, when implementing "save and continue editing" functionality for a wiki site.
-  In this case a {{HTTPMethod("PUT")}} request would be used to save the page, and the 204 No Content response
-  would be sent to indicate that the editor should not be replaced by some other page.

+This might be used, for example, when implementing "save and continue editing" functionality for a wiki site.
+In this case a {{HTTPMethod("PUT")}} request would be used to save the page, and the `204 No Content` response
+would be sent to indicate that the editor should not be replaced by some other page.
 
-
A 204 response is cacheable by default (an {{HTTPHeader("ETag")}} header is included in such a response).

+A 204 response is cacheable by default (an {{HTTPHeader("ETag")}} header is included in such a response).
 
+## Status
 
-
Status

+```html
+204 No Content
+```
 
-
204 No Content

-
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
+
+{{Compat}}
 
-
{{Compat}}

+## Compatibility notes
 
-
Compatibility notes

+- Although this status code is intended to describe a response with no body, servers
+  may erroneously include data following the headers. The protocol allows user agents to
+  vary in how they process such responses ([discussion regarding this
+  specification text can be found here](https://github.com/httpwg/http11bis/issues/26)). This is observable in persistent
+  connections, where the invalid body may include a distinct response to a subsequent
+  request.
 
-
    
-  
  • Although this status code is intended to describe a response with no body, servers
-    may erroneously include data following the headers. The protocol allows user agents to
-    vary in how they process such responses (discussion regarding this
-      specification text can be found here). This is observable in persistent
-    connections, where the invalid body may include a distinct response to a subsequent
-    request.
    
-    
    
-    Apple Safari rejects any such data. Google Chrome and Microsoft Edge discard up to
-    four invalid bytes preceding a valid response. Firefox tolerates in excess of a
-    kilobyte of invalid data preceding a valid response.
-  
    • 
-

+  Apple Safari rejects any such data. Google Chrome and Microsoft Edge discard up to
+  four invalid bytes preceding a valid response. Firefox tolerates in excess of a
+  kilobyte of invalid data preceding a valid response.
 
-
See also

+## See also
 
-
+- [HTTP request methods](/en-US/docs/Web/HTTP/Methods)
diff --git a/files/en-us/web/http/status/205/index.md b/files/en-us/web/http/status/205/index.md
index 965c2110d7baf5b..05f3adc5d297d74 100644
--- a/files/en-us/web/http/status/205/index.md
+++ b/files/en-us/web/http/status/205/index.md
@@ -2,46 +2,35 @@
 title: 205 Reset Content
 slug: Web/HTTP/Status/205
 tags:
-- HTTP
-- HTTP Status Code
-- Reference
-- Status code
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - Status code
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 205 Reset Content response status tells the
-  client to reset the document view, so for example to clear the content of a form, reset
-  a canvas state, or to refresh the UI.

+The HTTP **`205 Reset Content`** response status tells the
+client to reset the document view, so for example to clear the content of a form, reset
+a canvas state, or to refresh the UI.
 
-
Status

+## Status
 
-
205 Reset Content

+```html
+205 Reset Content
+```
 
-
Specifications

+## Specifications
 
-
-  
-    
-      
-      
-    
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("7231", "205 Reset Content" , "6.3.6")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

+| Specification                                                | Title                                                         |
+| ------------------------------------------------------------ | ------------------------------------------------------------- |
+| {{RFC("7231", "205 Reset Content" , "6.3.6")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
 
-
Compatibility Notes

+## Compatibility Notes
 
-
    
-  
  • Browser behavior differs if this response erroneously includes a body on persistent
-    connections See 204 No Content for more
-    detail.
    • 
-

+- Browser behavior differs if this response erroneously includes a body on persistent
+  connections See [204 No Content](/en-US/docs/Web/HTTP/Status/204) for more
+  detail.
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPStatus(204)}} No Content
    • 
-

+- {{HTTPStatus(204)}} No Content
diff --git a/files/en-us/web/http/status/206/index.md b/files/en-us/web/http/status/206/index.md
index 5de6f1ea458a374..37c87f8e1e4fcec 100644
--- a/files/en-us/web/http/status/206/index.md
+++ b/files/en-us/web/http/status/206/index.md
@@ -2,75 +2,75 @@
 title: 206 Partial Content
 slug: Web/HTTP/Status/206
 tags:
-- HTTP
-- HTTP Status
-- Range Requests
-- Success
+  - HTTP
+  - HTTP Status
+  - Range Requests
+  - Success
 browser-compat: http.status.206
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 206 Partial Content success status response code
-  indicates that the request has succeeded and the body contains the requested ranges
-  of data, as described in the {{HTTPHeader("Range")}} header of the request.

+The HTTP **`206 Partial Content`** success status response code
+indicates that the request has succeeded and the body contains the requested ranges
+of data, as described in the {{HTTPHeader("Range")}} header of the request.
 
-
If there is only one range, the {{HTTPHeader("Content-Type")}} of the whole response is
-  set to the type of the document, and a {{HTTPHeader("Content-Range")}} is provided.

+If there is only one range, the {{HTTPHeader("Content-Type")}} of the whole response is
+set to the type of the document, and a {{HTTPHeader("Content-Range")}} is provided.
 
-
If several ranges are sent back, the {{HTTPHeader("Content-Type")}} is set to
-  multipart/byteranges and each fragment covers one range, with
-  {{HTTPHeader("Content-Range")}} and {{HTTPHeader("Content-Type")}} describing it.

+If several ranges are sent back, the {{HTTPHeader("Content-Type")}} is set to
+`multipart/byteranges` and each fragment covers one range, with
+{{HTTPHeader("Content-Range")}} and {{HTTPHeader("Content-Type")}} describing it.
 
-
Status

+## Status
 
-
206 Partial Content

+```html
+206 Partial Content
+```
 
-
Examples

+## Examples
 
-
A response containing one single range:

+A response containing one single range:
 
-
HTTP/1.1 206 Partial Content
-Date: Wed, 15 Nov 2015 06:25:24 GMT
-Last-Modified: Wed, 15 Nov 2015 04:58:08 GMT
-Content-Range: bytes 21010-47021/47022
-Content-Length: 26012
-Content-Type: image/gif
+    HTTP/1.1 206 Partial Content
+    Date: Wed, 15 Nov 2015 06:25:24 GMT
+    Last-Modified: Wed, 15 Nov 2015 04:58:08 GMT
+    Content-Range: bytes 21010-47021/47022
+    Content-Length: 26012
+    Content-Type: image/gif
 
-... 26012 bytes of partial image data ...

+    ... 26012 bytes of partial image data ...
 
-
A response containing several ranges:

+A response containing several ranges:
 
-
HTTP/1.1 206 Partial Content
-Date: Wed, 15 Nov 2015 06:25:24 GMT
-Last-Modified: Wed, 15 Nov 2015 04:58:08 GMT
-Content-Length: 1741
-Content-Type: multipart/byteranges; boundary=String_separator
+    HTTP/1.1 206 Partial Content
+    Date: Wed, 15 Nov 2015 06:25:24 GMT
+    Last-Modified: Wed, 15 Nov 2015 04:58:08 GMT
+    Content-Length: 1741
+    Content-Type: multipart/byteranges; boundary=String_separator
 
---String_separator
-Content-Type: application/pdf
-Content-Range: bytes 234-639/8000
+    --String_separator
+    Content-Type: application/pdf
+    Content-Range: bytes 234-639/8000
 
-...the first range...
---String_separator
-Content-Type: application/pdf
-Content-Range: bytes 4590-7999/8000
+    ...the first range...
+    --String_separator
+    Content-Type: application/pdf
+    Content-Range: bytes 4590-7999/8000
 
-...the second range
---String_separator--

+    ...the second range
+    --String_separator--
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("If-Range")}}
    • 
-  
  • {{HTTPHeader("Range")}}
    • 
-  
  • {{HTTPHeader("Content-Range")}}
    • 
-  
  • {{HTTPHeader("Content-Type")}}
    • 
-

+- {{HTTPHeader("If-Range")}}
+- {{HTTPHeader("Range")}}
+- {{HTTPHeader("Content-Range")}}
+- {{HTTPHeader("Content-Type")}}
diff --git a/files/en-us/web/http/status/300/index.md b/files/en-us/web/http/status/300/index.md
index a94e076d2cbbdc3..f7b5c7bf18135b6 100644
--- a/files/en-us/web/http/status/300/index.md
+++ b/files/en-us/web/http/status/300/index.md
@@ -2,45 +2,35 @@
 title: 300 Multiple Choices
 slug: Web/HTTP/Status/300
 tags:
-- HTTP
-- HTTP Status Code
-- Reference
-- Status code
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - Status code
 ---
-
{{HTTPSidebar}}

-
-
The HTTP 300 Multiple Choices redirect status response
-	code indicates that the request has more than one possible responses. The user-agent
-	or the user should choose one of them. As there is no standardized way of choosing one
-	of the responses, this response code is very rarely used.

-
-
If the server has a preferred choice, it should generate a {{HTTPHeader("Location")}}
-	header.

-
-
Status

-
-
300 Multiple Choices
-

-
-
Specifications

-
-
-	
-		
-			
-			
-		
-		
-			
-			
-		
-	
-
SpecificationTitle
{{RFC("7231", "300 Multiple Choices" , "6.4.1")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

-
-
See also

-
-
    
-	
  • {{HTTPStatus("301")}} Moved Permanently
    • 
-	
  • {{HTTPStatus("302")}} Found, the temporary redirect
    • 
-	
  • {{HTTPStatus("308")}} Permanent Redirect
    • 
-

+{{HTTPSidebar}}
+
+The HTTP **`300 Multiple Choices`** redirect status response
+code indicates that the request has more than one possible responses. The user-agent
+or the user should choose one of them. As there is no standardized way of choosing one
+of the responses, this response code is very rarely used.
+
+If the server has a preferred choice, it should generate a {{HTTPHeader("Location")}}
+header.
+
+## Status
+
+```html
+300 Multiple Choices
+```
+
+## Specifications
+
+| Specification                                                    | Title                                                         |
+| ---------------------------------------------------------------- | ------------------------------------------------------------- |
+| {{RFC("7231", "300 Multiple Choices" , "6.4.1")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
+
+## See also
+
+- {{HTTPStatus("301")}} `Moved Permanently`
+- {{HTTPStatus("302")}} `Found`, the temporary redirect
+- {{HTTPStatus("308")}} `Permanent Redirect`
diff --git a/files/en-us/web/http/status/301/index.md b/files/en-us/web/http/status/301/index.md
index 6083150a161a5d7..6a1fc04a3e8738f 100644
--- a/files/en-us/web/http/status/301/index.md
+++ b/files/en-us/web/http/status/301/index.md
@@ -8,39 +8,39 @@ tags:
   - Status code
 browser-compat: http.status.301
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 301 Moved Permanently redirect status response code indicates that the resource requested has been definitively moved to the URL given by the {{HTTPHeader("Location")}} headers. A browser redirects to this page and search engines update their links to the resource (in 'SEO-speak', it is said that the 'link-juice' is sent to the new URL).

+The HyperText Transfer Protocol (HTTP) **`301 Moved Permanently`** redirect status response code indicates that the resource requested has been definitively moved to the URL given by the {{HTTPHeader("Location")}} headers. A browser redirects to this page and search engines update their links to the resource (in 'SEO-speak', it is said that the 'link-juice' is sent to the new URL).
 
-
Even if the specification requires the method (and the body) not to be altered when the redirection is performed, not all user-agents align with it - you can still find this type of bugged software out there. It is therefore recommended to use the 301 code only as a response for {{HTTPMethod("GET")}} or {{HTTPMethod("HEAD")}} methods and to use the {{HTTPStatus("308", "308 Permanent Redirect")}} for {{HTTPMethod("POST")}} methods instead, as the method change is explicitly prohibited with this status.

+Even if the specification requires the method (and the body) not to be altered when the redirection is performed, not all user-agents align with it - you can still find this type of bugged software out there. It is therefore recommended to use the `301` code only as a response for {{HTTPMethod("GET")}} or {{HTTPMethod("HEAD")}} methods and to use the {{HTTPStatus("308", "308 Permanent Redirect")}} for {{HTTPMethod("POST")}} methods instead, as the method change is explicitly prohibited with this status.
 
-
Status

+## Status
 
-
301 Moved Permanently

+```html
+301 Moved Permanently
+```
 
-
Example

+## Example
 
-
Client request

+### Client request
 
-
GET /index.php HTTP/1.1
-Host: www.example.org

+    GET /index.php HTTP/1.1
+    Host: www.example.org
 
-
Server response

+### Server response
 
-
HTTP/1.1 301 Moved Permanently
-Location: http://www.example.org/index.asp

+    HTTP/1.1 301 Moved Permanently
+    Location: http://www.example.org/index.asp
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPStatus("308", "308 Permanent Redirect")}}
    • 
- 
  • {{HTTPStatus("302", "302 Found")}}, the temporary redirect
    • 
-

+- {{HTTPStatus("308", "308 Permanent Redirect")}}
+- {{HTTPStatus("302", "302 Found")}}, the temporary redirect
diff --git a/files/en-us/web/http/status/302/index.md b/files/en-us/web/http/status/302/index.md
index 6ddd28ed7e58914..f53102f6edfd68d 100644
--- a/files/en-us/web/http/status/302/index.md
+++ b/files/en-us/web/http/status/302/index.md
@@ -2,50 +2,50 @@
 title: 302 Found
 slug: Web/HTTP/Status/302
 tags:
-- HTTP
-- HTTP Status Code
-- Reference
-- redirects
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - redirects
 browser-compat: http.status.302
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 302 Found redirect
-  status response code indicates that the resource requested has been temporarily moved to
-  the URL given by the {{HTTPHeader("Location")}} header. A browser redirects to this page
-  but search engines don't update their links to the resource (in 'SEO-speak', it is said
-  that the 'link-juice' is not sent to the new URL).

+The HyperText Transfer Protocol (HTTP) **`302 Found`** redirect
+status response code indicates that the resource requested has been temporarily moved to
+the URL given by the {{HTTPHeader("Location")}} header. A browser redirects to this page
+but search engines don't update their links to the resource (in 'SEO-speak', it is said
+that the 'link-juice' is not sent to the new URL).
 
-
Even if the specification requires the method (and the body) not to be altered when the
-  redirection is performed, not all user-agents conform here - you can still find this
-  type of bugged software out there. It is therefore recommended to set the
-  302 code only as a response for {{HTTPMethod("GET")}} or
-  {{HTTPMethod("HEAD")}} methods and to use {{HTTPStatus("307", "307 Temporary
-  Redirect")}} instead, as the method change is explicitly prohibited in that case.

+Even if the specification requires the method (and the body) not to be altered when the
+redirection is performed, not all user-agents conform here - you can still find this
+type of bugged software out there. It is therefore recommended to set the
+`302` code only as a response for {{HTTPMethod("GET")}} or
+{{HTTPMethod("HEAD")}} methods and to use {{HTTPStatus("307", "307 Temporary
+  Redirect")}} instead, as the method change is explicitly prohibited in that case.
 
-
In the cases where you want the method used to be changed to {{HTTPMethod("GET")}}, use
-  {{HTTPStatus("303", "303 See Other")}} instead. This is useful when you want to give a
-  response to a {{HTTPMethod("PUT")}} method that is not the uploaded resource but a
-  confirmation message such as: 'you successfully uploaded XYZ'.

+In the cases where you want the method used to be changed to {{HTTPMethod("GET")}}, use
+{{HTTPStatus("303", "303 See Other")}} instead. This is useful when you want to give a
+response to a {{HTTPMethod("PUT")}} method that is not the uploaded resource but a
+confirmation message such as: 'you successfully uploaded XYZ'.
 
-
Status

+## Status
 
-
302 Found

+```html
+302 Found
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPStatus("307", "307 Temporary Redirect")}}, the equivalent of this status code
-    where the method used never changes.
    • 
-  
  • {{HTTPStatus("303", "303 See Other")}}, a temporary redirect that changes the method
-    used to {{HTTPMethod("GET")}}.
    • 
-  
  • {{HTTPStatus("301", "301 Moved Permanently")}}, the permanent redirect.
    • 
-

+- {{HTTPStatus("307", "307 Temporary Redirect")}}, the equivalent of this status code
+  where the method used never changes.
+- {{HTTPStatus("303", "303 See Other")}}, a temporary redirect that changes the method
+  used to {{HTTPMethod("GET")}}.
+- {{HTTPStatus("301", "301 Moved Permanently")}}, the permanent redirect.
diff --git a/files/en-us/web/http/status/303/index.md b/files/en-us/web/http/status/303/index.md
index 6c24aff0e049081..eefcc689781510a 100644
--- a/files/en-us/web/http/status/303/index.md
+++ b/files/en-us/web/http/status/303/index.md
@@ -2,37 +2,37 @@
 title: 303 See Other
 slug: Web/HTTP/Status/303
 tags:
-- HTTP
-- HTTP Status Code
-- Reference
-- redirects
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - redirects
 browser-compat: http.status.303
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 303 See Other
-  redirect status response code indicates that the redirects don't link to the newly
-  uploaded resources, but to another page (such as a confirmation page or an upload
-  progress page). This response code is usually sent back as a result of
-  {{HTTPMethod("PUT")}} or {{HTTPMethod("POST")}}. The method used to display this
-  redirected page is always {{HTTPMethod("GET")}}.

+The HyperText Transfer Protocol (HTTP) **`303 See Other`**
+redirect status response code indicates that the redirects don't link to the newly
+uploaded resources, but to another page (such as a confirmation page or an upload
+progress page). This response code is usually sent back as a result of
+{{HTTPMethod("PUT")}} or {{HTTPMethod("POST")}}. The method used to display this
+redirected page is always {{HTTPMethod("GET")}}.
 
-
Status

+## Status
 
-
303 See Other

+```html
+303 See Other
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPStatus("302", "302 Found")}}, the temporary redirect
    • 
-  
  • {{HTTPStatus("307", "307 Temporary Redirect")}}, the equivalent of this status code
-    where the method used never changes.
    • 
-

+- {{HTTPStatus("302", "302 Found")}}, the temporary redirect
+- {{HTTPStatus("307", "307 Temporary Redirect")}}, the equivalent of this status code
+  where the method used never changes.
diff --git a/files/en-us/web/http/status/304/index.md b/files/en-us/web/http/status/304/index.md
index aa1b2d7c584c5ed..214f6ca11bb51be 100644
--- a/files/en-us/web/http/status/304/index.md
+++ b/files/en-us/web/http/status/304/index.md
@@ -2,55 +2,51 @@
 title: 304 Not Modified
 slug: Web/HTTP/Status/304
 tags:
-- HTTP
-- Redirection
-- Reference
-- Status code
+  - HTTP
+  - Redirection
+  - Reference
+  - Status code
 browser-compat: http.status.304
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 304 Not Modified client redirection response
-  code indicates that there is no need to retransmit the requested resources. It is an
-  implicit redirection to a cached resource. This happens when the request method is
-  {{glossary("Safe/HTTP", "safe")}}, like a {{HTTPMethod("GET")}} or a {{HTTPMethod("HEAD")}} request,
-  or when the request is conditional and uses a {{HTTPHeader("If-None-Match")}} or a
-  {{HTTPHeader("If-Modified-Since")}} header.

+The HTTP **`304 Not Modified`** client redirection response
+code indicates that there is no need to retransmit the requested resources. It is an
+implicit redirection to a cached resource. This happens when the request method is
+{{glossary("Safe/HTTP", "safe")}}, like a {{HTTPMethod("GET")}} or a {{HTTPMethod("HEAD")}} request,
+or when the request is conditional and uses a {{HTTPHeader("If-None-Match")}} or a
+{{HTTPHeader("If-Modified-Since")}} header.
 
-
The equivalent {{HTTPStatus("200")}} OK response would have included the
-  headers {{HTTPHeader("Cache-Control")}}, {{HTTPHeader("Content-Location")}},
-  {{HTTPHeader("Date")}}, {{HTTPHeader("ETag")}}, {{HTTPHeader("Expires")}}, and
-  {{HTTPHeader("Vary")}}.

+The equivalent {{HTTPStatus("200")}} `OK` response would have included the
+headers {{HTTPHeader("Cache-Control")}}, {{HTTPHeader("Content-Location")}},
+{{HTTPHeader("Date")}}, {{HTTPHeader("ETag")}}, {{HTTPHeader("Expires")}}, and
+{{HTTPHeader("Vary")}}.
 
-

-  
Note: Many developer tools' network panels
-    of browsers create extraneous requests leading to 304 responses, so that
-    access to the local cache is visible to developers.

-

+> **Note:** Many [developer tools' network panels](/en-US/docs/Tools/Network_Monitor)
+> of browsers create extraneous requests leading to `304` responses, so that
+> access to the local cache is visible to developers.
 
-
Status

+## Status
 
-
304 Not Modified

+```html
+304 Not Modified
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
Compatibility Notes

+## Compatibility Notes
 
-
    
-  
  • Browser behavior differs if this response erroneously includes a body on persistent
-    connections See 204 No Content for more
-    detail.
    • 
-

+- Browser behavior differs if this response erroneously includes a body on persistent
+  connections See [204 No Content](/en-US/docs/Web/HTTP/Status/204) for more
+  detail.
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("If-Modified-Since")}}
    • 
-  
  • {{HTTPHeader("If-None-Match")}}
    • 
-

+- {{HTTPHeader("If-Modified-Since")}}
+- {{HTTPHeader("If-None-Match")}}
diff --git a/files/en-us/web/http/status/307/index.md b/files/en-us/web/http/status/307/index.md
index 4cc645468799281..d2cf2b2116562a9 100644
--- a/files/en-us/web/http/status/307/index.md
+++ b/files/en-us/web/http/status/307/index.md
@@ -2,52 +2,50 @@
 title: 307 Temporary Redirect
 slug: Web/HTTP/Status/307
 tags:
-- HTTP
-- HTTP Status Code
-- Reference
-- redirects
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - redirects
 browser-compat: http.status.307
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
{{Glossary("HTTP")}} 307 Temporary Redirect redirect
-  status response code indicates that the resource requested has been temporarily moved to
-  the URL given by the {{HTTPHeader("Location")}} headers.

+{{Glossary("HTTP")}} **`307 Temporary Redirect`** redirect
+status response code indicates that the resource requested has been temporarily moved to
+the URL given by the {{HTTPHeader("Location")}} headers.
 
-
The method and the body of the original request are reused to perform the redirected
-  request. In the cases where you want the method used to be changed to
-  {{HTTPMethod("GET")}}, use {{HTTPStatus("303", "303 See Other")}} instead. This is
-  useful when you want to give an answer to a {{HTTPMethod("PUT")}} method that is not the
-  uploaded resources, but a confirmation message (like "You successfully uploaded XYZ").
-

+The method and the body of the original request are reused to perform the redirected
+request. In the cases where you want the method used to be changed to
+{{HTTPMethod("GET")}}, use {{HTTPStatus("303", "303 See Other")}} instead. This is
+useful when you want to give an answer to a {{HTTPMethod("PUT")}} method that is not the
+uploaded resources, but a confirmation message (like "You successfully uploaded XYZ").
 
-
The only difference between 307 and {{HTTPStatus("302")}} is that
-  307 guarantees that the method and the body will not be changed when the
-  redirected request is made. With 302, some old clients were incorrectly
-  changing the method to {{HTTPMethod("GET")}}: the behavior with non-GET
-  methods and 302 is then unpredictable on the Web, whereas the behavior with
-  307 is predictable. For GET requests, their behavior is
-  identical.

+The only difference between `307` and {{HTTPStatus("302")}} is that
+`307` guarantees that the method and the body will not be changed when the
+redirected request is made. With `302`, some old clients were incorrectly
+changing the method to {{HTTPMethod("GET")}}: the behavior with non-`GET`
+methods and `302` is then unpredictable on the Web, whereas the behavior with
+`307` is predictable. For `GET` requests, their behavior is
+identical.
 
-
Status

+## Status
 
-
307 Temporary Redirect
-

+```html
+307 Temporary Redirect
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPStatus("302", "302 Found")}}, the equivalent of this status code, but that may
-    change the method used when it is not a {{HTTPMethod("GET")}}.
    • 
-  
  • {{HTTPStatus("303", "303 See Other")}}, a temporary redirect that changes the method
-    used to {{HTTPMethod("GET")}}.
    • 
-  
  • {{HTTPStatus("301", "301 Moved Permanently")}}, a permanent redirect
    • 
-

+- {{HTTPStatus("302", "302 Found")}}, the equivalent of this status code, but that may
+  change the method used when it is not a {{HTTPMethod("GET")}}.
+- {{HTTPStatus("303", "303 See Other")}}, a temporary redirect that changes the method
+  used to {{HTTPMethod("GET")}}.
+- {{HTTPStatus("301", "301 Moved Permanently")}}, a permanent redirect
diff --git a/files/en-us/web/http/status/308/index.md b/files/en-us/web/http/status/308/index.md
index ff8982206a08152..5a31962a44124d7 100644
--- a/files/en-us/web/http/status/308/index.md
+++ b/files/en-us/web/http/status/308/index.md
@@ -2,48 +2,44 @@
 title: 308 Permanent Redirect
 slug: Web/HTTP/Status/308
 tags:
-- HTTP
-- HTTP Status Code
-- Reference
-- redirects
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - redirects
 browser-compat: http.status.308
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP)
-  308 Permanent Redirect redirect status response code
-  indicates that the resource requested has been definitively moved to the URL given by
-  the {{HTTPHeader("Location")}} headers. A browser redirects to this page and search
-  engines update their links to the resource (in 'SEO-speak', it is said that the
-  'link-juice' is sent to the new URL).

+The HyperText Transfer Protocol (HTTP)
+**`308 Permanent Redirect`** redirect status response code
+indicates that the resource requested has been definitively moved to the URL given by
+the {{HTTPHeader("Location")}} headers. A browser redirects to this page and search
+engines update their links to the resource (in 'SEO-speak', it is said that the
+'link-juice' is sent to the new URL).
 
-
The request method and the body will not be altered, whereas {{HTTPStatus("301")}} may
-  incorrectly sometimes be changed to a {{HTTPMethod("GET")}} method.

+The request method and the body will not be altered, whereas {{HTTPStatus("301")}} may
+incorrectly sometimes be changed to a {{HTTPMethod("GET")}} method.
 
-

-  
Note: Some Web applications may use the
-    308 Permanent Redirect in a non-standard way and for other purposes. For
-    example, Google Drive uses a 308 Resume Incomplete response to indicate
-    to the client when an incomplete upload stalled. (See Perform a resumable download on Google Drive documentation.)
-  

-

+> **Note:** Some Web applications may use the
+> `308 Permanent Redirect` in a non-standard way and for other purposes. For
+> example, Google Drive uses a `308 Resume Incomplete` response to indicate
+> to the client when an incomplete upload stalled. (See [Perform a resumable download](https://developers.google.com/drive/v3/web/manage-uploads#resumable) on Google Drive documentation.)
 
-
Status

+## Status
 
-
308 Permanent Redirect

+```html
+308 Permanent Redirect
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPStatus("301", "301 Moved Permanently")}}
    • 
-  
  • {{HTTPStatus("302", "302 Found")}}, the temporary redirect
    • 
-

+- {{HTTPStatus("301", "301 Moved Permanently")}}
+- {{HTTPStatus("302", "302 Found")}}, the temporary redirect
diff --git a/files/en-us/web/http/status/400/index.md b/files/en-us/web/http/status/400/index.md
index ee3c9dd622dce61..c9ee4119fa3ec2a 100644
--- a/files/en-us/web/http/status/400/index.md
+++ b/files/en-us/web/http/status/400/index.md
@@ -8,37 +8,24 @@ tags:
   - Reference
   - Status code
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 400 Bad Request response status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

+The HyperText Transfer Protocol (HTTP) **`400 Bad Request`** response status code indicates that the server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
 
-

-  
Warning: The client should not repeat this request without modification.

-

+> **Warning:** The client should not repeat this request without modification.
 
-
Status

+## Status
 
-
400 Bad Request 

+```html
+400 Bad Request 
+```
 
-
Specifications

+## Specifications
 
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
- 
-
SpecificationTitle
{{RFC("7231", "400 Bad Request" , "6.5.1")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

+| Specification                                                | Title                                                         |
+| ------------------------------------------------------------ | ------------------------------------------------------------- |
+| {{RFC("7231", "400 Bad Request" , "6.5.1")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
 
-
See also

+## See also
 
-
+- [HTTP/1.1: Status Code Definitions](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html)
diff --git a/files/en-us/web/http/status/401/index.md b/files/en-us/web/http/status/401/index.md
index 40d094a9602e028..e50ff2b02e8d64b 100644
--- a/files/en-us/web/http/status/401/index.md
+++ b/files/en-us/web/http/status/401/index.md
@@ -2,49 +2,49 @@
 title: 401 Unauthorized
 slug: Web/HTTP/Status/401
 tags:
-- Client error
-- HTTP
-- Reference
-- Status code
+  - Client error
+  - HTTP
+  - Reference
+  - Status code
 browser-compat: http.status.401
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 401 Unauthorized client error status response
-  code indicates that the request has not been applied because it lacks valid
-  authentication credentials for the target resource.

+The HTTP **`401 Unauthorized`** client error status response
+code indicates that the request has not been applied because it lacks valid
+authentication credentials for the target resource.
 
-
This status is sent with a {{HTTPHeader("WWW-Authenticate")}} header that contains
-  information on how to authorize correctly.

+This status is sent with a {{HTTPHeader("WWW-Authenticate")}} header that contains
+information on how to authorize correctly.
 
-
This status is similar to {{HTTPStatus("403")}}, but in this case, authentication is
-  possible.

+This status is similar to {{HTTPStatus("403")}}, but in this case, authentication is
+possible.
 
-
Status

+## Status
 
-
401 Unauthorized

+```html
+401 Unauthorized
+```
 
-
Example response

+## Example response
 
-
HTTP/1.1 401 Unauthorized
-Date: Wed, 21 Oct 2015 07:28:00 GMT
-WWW-Authenticate: Basic realm="Access to staging site"

+    HTTP/1.1 401 Unauthorized
+    Date: Wed, 21 Oct 2015 07:28:00 GMT
+    WWW-Authenticate: Basic realm="Access to staging site"
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • HTTP authentication
    • 
-  
  • {{HTTPHeader("WWW-Authenticate")}}
    • 
-  
  • {{HTTPHeader("Authorization")}}
    • 
-  
  • {{HTTPHeader("Proxy-Authorization")}}
    • 
-  
  • {{HTTPHeader("Proxy-Authenticate")}}
    • 
-  
  • {{HTTPStatus("403")}}, {{HTTPStatus("407")}}
    • 
-

+- [HTTP authentication](/en-US/docs/Web/HTTP/Authentication)
+- {{HTTPHeader("WWW-Authenticate")}}
+- {{HTTPHeader("Authorization")}}
+- {{HTTPHeader("Proxy-Authorization")}}
+- {{HTTPHeader("Proxy-Authenticate")}}
+- {{HTTPStatus("403")}}, {{HTTPStatus("407")}}
diff --git a/files/en-us/web/http/status/402/index.md b/files/en-us/web/http/status/402/index.md
index c40d14504930269..b01f1b42702cbc8 100644
--- a/files/en-us/web/http/status/402/index.md
+++ b/files/en-us/web/http/status/402/index.md
@@ -8,45 +8,35 @@ tags:
   - Status code
 browser-compat: http.status.402
 ---
-
{{HTTPSidebar}}{{SeeCompatTable}}

+{{HTTPSidebar}}{{SeeCompatTable}}
 
-
The HTTP 402 Payment Required is a nonstandard client error status response code that is reserved for future use.

+The HTTP **`402 Payment Required`** is a nonstandard client error status response code that is reserved for future use.
 
-
Sometimes, this code indicates that the request can not be processed until the client makes a payment. Originally it was created to enable digital cash or (micro) payment systems and would indicate that the requested content is not available until the client makes a payment. However, no standard use convention exists and different entities use it in different contexts.

+Sometimes, this code indicates that the request can not be processed until the client makes a payment. Originally it was created to enable digital cash or (micro) payment systems and would indicate that the requested content is not available until the client makes a payment. However, no standard use convention exists and different entities use it in different contexts.
 
-
Status

+## Status
 
-
402 Payment Required

+```html
+402 Payment Required
+```
 
-
Example response

+## Example response
 
-
HTTP/1.1 402 Payment Required
+```bash
+HTTP/1.1 402 Payment Required
 Date: Wed, 21 Oct 2015 07:28:00 GMT
-

-
-
Specifications

-
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
- 
-
SpecificationTitle
{{RFC("7231", "402 Payment Required" , "6.5.2")}}HTTP/1.1: Semantics and Content

-
-
Browser compatibility

-
-
{{Compat}}

-
-
See also

-
-
+```
+
+## Specifications
+
+| Specification                                                    | Title                           |
+| ---------------------------------------------------------------- | ------------------------------- |
+| {{RFC("7231", "402 Payment Required" , "6.5.2")}} | HTTP/1.1: Semantics and Content |
+
+## Browser compatibility
+
+{{Compat}}
+
+## See also
+
+- [HTTP authentication](/en-US/docs/Web/HTTP/Authentication)
diff --git a/files/en-us/web/http/status/403/index.md b/files/en-us/web/http/status/403/index.md
index 48a7000f46e38d8..d39281f6a7c8f10 100644
--- a/files/en-us/web/http/status/403/index.md
+++ b/files/en-us/web/http/status/403/index.md
@@ -8,33 +8,32 @@ tags:
   - Status code
 browser-compat: http.status.403
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 403 Forbidden client error status response code indicates that the server understood the request but refuses to authorize it.

+The HTTP **`403 Forbidden`** client error status response code indicates that the server understood the request but refuses to authorize it.
 
-
This status is similar to {{HTTPStatus("401")}}, but in this case, re-authenticating will make no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.

+This status is similar to {{HTTPStatus("401")}}, but in this case, re-authenticating will make no difference. The access is permanently forbidden and tied to the application logic, such as insufficient rights to a resource.
 
-
Status

+## Status
 
-
403 Forbidden

+```html
+403 Forbidden
+```
 
-
Example response

+## Example response
 
-
HTTP/1.1 403 Forbidden
-Date: Wed, 21 Oct 2015 07:28:00 GMT
-

+    HTTP/1.1 403 Forbidden
+    Date: Wed, 21 Oct 2015 07:28:00 GMT
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPStatus("401")}}
+- [HTTP/1.1: Status Code Definitions](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html)
diff --git a/files/en-us/web/http/status/404/index.md b/files/en-us/web/http/status/404/index.md
index 27f41439af08ee9..f759173cae7b734 100644
--- a/files/en-us/web/http/status/404/index.md
+++ b/files/en-us/web/http/status/404/index.md
@@ -8,41 +8,39 @@ tags:
   - Status code
 browser-compat: http.status.404
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 404 Not Found client error response code indicates that the server can't find the requested resource. Links that lead to a 404 page are often called broken or dead links and can be subject to link rot.

+The HTTP **`404 Not Found`** client error response code indicates that the server can't find the requested resource. Links that lead to a 404 page are often called broken or dead links and can be subject to [link rot](https://en.wikipedia.org/wiki/Link_rot).
 
-
A 404 status code does not indicate whether the resource is temporarily or permanently missing. But if a resource is permanently removed, a {{HTTPStatus("410")}} (Gone) should be used instead of a 404 status.

+A 404 status code does not indicate whether the resource is temporarily or permanently missing. But if a resource is permanently removed, a {{HTTPStatus("410")}} (Gone) should be used instead of a 404 status.
 
-
Status

+## Status
 
-
404 Not Found

+```html
+404 Not Found
+```
 
-
Custom error pages

+## Custom error pages
 
-
Many web sites customize the look of a 404 page to be more helpful to the user and provide guidance on what to do next. Apache servers can be configured using an .htaccess file and a code snippet like the following example.

+Many web sites customize the look of a 404 page to be more helpful to the user and provide guidance on what to do next. Apache servers can be configured using an `.htaccess` file and a code snippet like the following example.
 
-
ErrorDocument 404 /notfound.html

+```bash
+ErrorDocument 404 /notfound.html
+```
 
-
For an example of a custom 404 page, see MDN's 404 page.

+For an example of a custom 404 page, see [MDN's 404 page](/en-US/404).
 
-

-  
Note: Custom design is a good thing, in moderation. Feel free to make your 404 page humorous and human, but don't confuse your users.

-

+> **Note:** Custom design is a good thing, in moderation. Feel free to make your 404 page humorous and human, but don't confuse your users.
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPStatus("410")}}
    • 
- 
  • 
-  
    {{interwiki("wikipedia", "HTTP_404", "Wikipedia: HTTP 404")}}
    
- 
    • 
-

+- {{HTTPStatus("410")}}
+- {{interwiki("wikipedia", "HTTP_404", "Wikipedia: HTTP 404")}}
diff --git a/files/en-us/web/http/status/405/index.md b/files/en-us/web/http/status/405/index.md
index 96c45359e9fad80..fe8473305771523 100644
--- a/files/en-us/web/http/status/405/index.md
+++ b/files/en-us/web/http/status/405/index.md
@@ -8,38 +8,27 @@ tags:
   - Reference
   - Status code
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 405 Method Not Allowed response status code indicates that the request method is known by the server but is not supported by the target resource.

+The HyperText Transfer Protocol (HTTP) **`405 Method Not Allowed`** response status code indicates that the request method is known by the server but is not supported by the target resource.
 
-
The server must generate an Allow header field in a 405 response containing a list of the target resource's currently supported methods.

+The server **must** generate an **`Allow`** header field in a 405 response containing a list of the target resource's currently supported methods.
 
-
Status

+## Status
 
-
405 Method Not Allowed

+```html
+405 Method Not Allowed
+```
 
-
Specifications

+## Specifications
 
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
- 
-
SpecificationTitle
{{RFC("7231", "405 Method Not Allowed" , "6.5.5")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

+| Specification                                                        | Title                                                         |
+| -------------------------------------------------------------------- | ------------------------------------------------------------- |
+| {{RFC("7231", "405 Method Not Allowed" , "6.5.5")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Allow")}}
+- [HTTP/1.1: Status Code Definitions](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html)
+- [How to Fix 405 Method Not Allowed](https://kinsta.com/blog/405-method-not-allowed-error/)
+- [Troubleshooting HTTP 405](https://docs.microsoft.com/en-us/aspnet/web-api/overview/testing-and-debugging/troubleshooting-http-405-errors-after-publishing-web-api-applications)
diff --git a/files/en-us/web/http/status/406/index.md b/files/en-us/web/http/status/406/index.md
index baf3fdfb87266ef..308015f6f08e924 100644
--- a/files/en-us/web/http/status/406/index.md
+++ b/files/en-us/web/http/status/406/index.md
@@ -2,53 +2,50 @@
 title: 406 Not Acceptable
 slug: Web/HTTP/Status/406
 tags:
-- HTTP
-- Reference
-- Status code
+  - HTTP
+  - Reference
+  - Status code
 browser-compat: http.status.406
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 406 Not Acceptable
-  client error response code indicates that the server cannot produce a response matching
-  the list of acceptable values defined in the request's proactive content negotiation headers, and
-  that the server is unwilling to supply a default representation.

+The HyperText Transfer Protocol (HTTP) **`406 Not Acceptable`**
+client error response code indicates that the server cannot produce a response matching
+the list of acceptable values defined in the request's proactive [content negotiation](/en-US/docs/Web/HTTP/Content_negotiation) headers, and
+that the server is unwilling to supply a default representation.
 
-
Proactive content negotiation headers include:

+Proactive content negotiation headers include:
 
-
    
-  
  • {{HTTPHeader("Accept")}}
    • 
-  
  • {{HTTPHeader("Accept-Encoding")}}
    • 
-  
  • {{HTTPHeader("Accept-Language")}}
    • 
-

+- {{HTTPHeader("Accept")}}
+- {{HTTPHeader("Accept-Encoding")}}
+- {{HTTPHeader("Accept-Language")}}
 
-
In practice, this error is very rarely used. Instead of responding using this error
-  code, which would be cryptic for the end user and difficult to fix, servers ignore the
-  relevant header and serve an actual page to the user. It is assumed that even if the
-  user won't be completely happy, they will prefer this to an error code.

+In practice, this error is very rarely used. Instead of responding using this error
+code, which would be cryptic for the end user and difficult to fix, servers ignore the
+relevant header and serve an actual page to the user. It is assumed that even if the
+user won't be completely happy, they will prefer this to an error code.
 
-
If a server returns such an error status, the body of the message should contain the
-  list of the available representations of the resources, allowing the user to choose
-  among them.

+If a server returns such an error status, the body of the message should contain the
+list of the available representations of the resources, allowing the user to choose
+among them.
 
-
Status

+## Status
 
-
406 Not Acceptable

+```html
+406 Not Acceptable
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Accept")}}
    • 
-  
  • {{HTTPHeader("Accept-Encoding")}}
    • 
-  
  • {{HTTPHeader("Accept-Language")}}
    • 
-  
  • HTTP content negotiation
    • 
-

+- {{HTTPHeader("Accept")}}
+- {{HTTPHeader("Accept-Encoding")}}
+- {{HTTPHeader("Accept-Language")}}
+- HTTP [content negotiation](/en-US/docs/Web/HTTP/Content_negotiation)
diff --git a/files/en-us/web/http/status/407/index.md b/files/en-us/web/http/status/407/index.md
index 80159ee5676d857..f4e7f895dd01b96 100644
--- a/files/en-us/web/http/status/407/index.md
+++ b/files/en-us/web/http/status/407/index.md
@@ -2,47 +2,47 @@
 title: 407 Proxy Authentication Required
 slug: Web/HTTP/Status/407
 tags:
-- Client error
-- HTTP
-- Reference
-- Status code
+  - Client error
+  - HTTP
+  - Reference
+  - Status code
 browser-compat: http.status.407
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 407 Proxy Authentication Required  client error
-  status response code indicates that the request has not been applied because it lacks
-  valid authentication credentials for a {{Glossary("proxy server")}} that is between the
-  browser and the server that can access the requested resource.

+The HTTP **`407 Proxy Authentication Required `**client error
+status response code indicates that the request has not been applied because it lacks
+valid authentication credentials for a {{Glossary("proxy server")}} that is between the
+browser and the server that can access the requested resource.
 
-
This status is sent with a {{HTTPHeader("Proxy-Authenticate")}} header that contains
-  information on how to authorize correctly.

+This status is sent with a {{HTTPHeader("Proxy-Authenticate")}} header that contains
+information on how to authorize correctly.
 
-
Status

+## Status
 
-
407 Proxy Authentication Required 

+```html
+407 Proxy Authentication Required 
+```
 
-
Example response

+## Example response
 
-
HTTP/1.1 407 Proxy Authentication Required
-Date: Wed, 21 Oct 2015 07:28:00 GMT
-Proxy-Authenticate: Basic realm="Access to internal site"

+    HTTP/1.1 407 Proxy Authentication Required
+    Date: Wed, 21 Oct 2015 07:28:00 GMT
+    Proxy-Authenticate: Basic realm="Access to internal site"
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • HTTP authentication
    • 
-  
  • {{HTTPHeader("WWW-Authenticate")}}
    • 
-  
  • {{HTTPHeader("Authorization")}}
    • 
-  
  • {{HTTPHeader("Proxy-Authorization")}}
    • 
-  
  • {{HTTPHeader("Proxy-Authenticate")}}
    • 
-  
  • {{HTTPStatus("401")}}, {{HTTPStatus("403")}}
    • 
-

+- [HTTP authentication](/en-US/docs/Web/HTTP/Authentication)
+- {{HTTPHeader("WWW-Authenticate")}}
+- {{HTTPHeader("Authorization")}}
+- {{HTTPHeader("Proxy-Authorization")}}
+- {{HTTPHeader("Proxy-Authenticate")}}
+- {{HTTPStatus("401")}}, {{HTTPStatus("403")}}
diff --git a/files/en-us/web/http/status/408/index.md b/files/en-us/web/http/status/408/index.md
index 178a3d676e4afe0..73f6c2b4008a634 100644
--- a/files/en-us/web/http/status/408/index.md
+++ b/files/en-us/web/http/status/408/index.md
@@ -2,53 +2,42 @@
 title: 408 Request Timeout
 slug: Web/HTTP/Status/408
 tags:
-- Client error
-- HTTP
-- HTTP Status Code
-- Reference
-- Status code
+  - Client error
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - Status code
 ---
-
{{HTTPSidebar}}

-
-
The HyperText Transfer Protocol (HTTP)
-  408 Request Timeout response status code means that the
-  server would like to shut down this unused connection. It is sent on an idle connection
-  by some servers, even without any previous request by the client.

-
-
A server should send the "close" {{HTTPHeader("Connection")}} header field in the
-  response, since 408 implies that the server has decided to close the
-  connection rather than continue waiting.

-
-
This response is used much more since some browsers, like Chrome, Firefox 27+, and IE9,
-  use HTTP pre-connection mechanisms to speed up surfing.

-
-

-  
Note: some servers merely shut down the connection without sending
-    this message.

-

-
-
Status

-
-
408 Request Timeout

-
-
Specifications

-
-
-  
-    
-      
-      
-    
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("7231", "408 Request Timeout" , "6.5.7")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

-
-
See also

-
-
    
-  
  • {{HTTPHeader("Connection")}}
    • 
-  
  • {{HTTPHeader("X-DNS-Prefetch-Control")}}
    • 
-

+{{HTTPSidebar}}
+
+The HyperText Transfer Protocol (HTTP)
+**`408 Request Timeout`** response status code means that the
+server would like to shut down this unused connection. It is sent on an idle connection
+by some servers, _even without any previous request by the client_.
+
+A server should send the "close" {{HTTPHeader("Connection")}} header field in the
+response, since `408` implies that the server has decided to close the
+connection rather than continue waiting.
+
+This response is used much more since some browsers, like Chrome, Firefox 27+, and IE9,
+use HTTP pre-connection mechanisms to speed up surfing.
+
+> **Note:** some servers merely shut down the connection without sending
+> this message.
+
+## Status
+
+```html
+408 Request Timeout
+```
+
+## Specifications
+
+| Specification                                                    | Title                                                         |
+| ---------------------------------------------------------------- | ------------------------------------------------------------- |
+| {{RFC("7231", "408 Request Timeout" , "6.5.7")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
+
+## See also
+
+- {{HTTPHeader("Connection")}}
+- {{HTTPHeader("X-DNS-Prefetch-Control")}}
diff --git a/files/en-us/web/http/status/409/index.md b/files/en-us/web/http/status/409/index.md
index 7addb68defa49c1..c90babe56a61a91 100644
--- a/files/en-us/web/http/status/409/index.md
+++ b/files/en-us/web/http/status/409/index.md
@@ -8,26 +8,26 @@ tags:
   - Reference
 browser-compat: http.status.409
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 409 Conflict response status code indicates a request conflict with current state of the target resource.

+The HTTP **`409 Conflict`** response status code indicates a request conflict with current state of the target resource.
 
-
Conflicts are most likely to occur in response to a {{HTTPMethod("PUT")}} request. For example, you may get a 409 response when uploading a file which is older than the one already on the server resulting in a version control conflict.

+Conflicts are most likely to occur in response to a {{HTTPMethod("PUT")}} request. For example, you may get a 409 response when uploading a file which is older than the one already on the server resulting in a version control conflict.
 
-
Status

+## Status
 
-
409 Conflict

+```html
+409 Conflict
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPMethod("PUT")}}
    • 
-

+- {{HTTPMethod("PUT")}}
diff --git a/files/en-us/web/http/status/410/index.md b/files/en-us/web/http/status/410/index.md
index 2453a2ffeccaab2..fdd589b811ba7a2 100644
--- a/files/en-us/web/http/status/410/index.md
+++ b/files/en-us/web/http/status/410/index.md
@@ -8,31 +8,29 @@ tags:
   - Status code
 browser-compat: http.status.410
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 410 Gone client error response code indicates that access to the target resource is no longer available at the origin server and that this condition is likely to be permanent.

+The HyperText Transfer Protocol (HTTP) **`410 Gone`** client error response code indicates that access to the target resource is no longer available at the origin server and that this condition is likely to be permanent.
 
-
If you don't know whether this condition is temporary or permanent, a {{HTTPStatus(404)}} status code should be used instead.

+If you don't know whether this condition is temporary or permanent, a {{HTTPStatus(404)}} status code should be used instead.
 
-

-  
Note: A 410 response is cacheable by default.

-

+> **Note:** A 410 response is cacheable by default.
 
-
Status

+## Status
 
-
410 Gone

+```html
+410 Gone
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPStatus(404)}}
+- [410 gone](https://www.exai.com/blog/410-gone-client-error)
diff --git a/files/en-us/web/http/status/411/index.md b/files/en-us/web/http/status/411/index.md
index fe6bf00ea562d9a..1833ce15fe1decd 100644
--- a/files/en-us/web/http/status/411/index.md
+++ b/files/en-us/web/http/status/411/index.md
@@ -2,48 +2,37 @@
 title: 411 Length Required
 slug: Web/HTTP/Status/411
 tags:
-- Client error
-- HTTP
-- HTTP Status Code
-- Reference
-- Status code
+  - Client error
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - Status code
 ---
-
{{HTTPSidebar}}

-
-
The HyperText Transfer Protocol (HTTP)
-  411 Length Required client error response code indicates
-  that the server refuses to accept the request without a defined
-  {{HTTPHeader("Content-Length")}} header.

-
-

-  
Note: by specification, when sending data in a series of chunks, the
-    Content-Length header is omitted and at the beginning of each chunk you
-    need to add the length of the current chunk in hexadecimal format. See
-    {{HTTPHeader("Transfer-Encoding")}} for more details.

-

-
-
Status

-
-
411 Length Required

-
-
Specifications

-
-
-  
-    
-      
-      
-    
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("7231", "411 Length Required" , "6.5.10")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

-
-
See also

-
-
    
-  
  • {{HTTPHeader("Content-Length")}}
    • 
-  
  • {{HTTPHeader("Transfer-Encoding")}}
    • 
-

+{{HTTPSidebar}}
+
+The HyperText Transfer Protocol (HTTP)
+**`411 Length Required`** client error response code indicates
+that the server refuses to accept the request without a defined
+{{HTTPHeader("Content-Length")}} header.
+
+> **Note:** by specification, when sending data in a series of chunks, the
+> `Content-Length` header is omitted and at the beginning of each chunk you
+> need to add the length of the current chunk in hexadecimal format. See
+> {{HTTPHeader("Transfer-Encoding")}} for more details.
+
+## Status
+
+```html
+411 Length Required
+```
+
+## Specifications
+
+| Specification                                                    | Title                                                         |
+| ---------------------------------------------------------------- | ------------------------------------------------------------- |
+| {{RFC("7231", "411 Length Required" , "6.5.10")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
+
+## See also
+
+- {{HTTPHeader("Content-Length")}}
+- {{HTTPHeader("Transfer-Encoding")}}
diff --git a/files/en-us/web/http/status/412/index.md b/files/en-us/web/http/status/412/index.md
index 6565b9a9cc3fa3c..923ac96cec02bf0 100644
--- a/files/en-us/web/http/status/412/index.md
+++ b/files/en-us/web/http/status/412/index.md
@@ -2,68 +2,66 @@
 title: 412 Precondition Failed
 slug: Web/HTTP/Status/412
 tags:
-- Error
-- HTTP
-- Reference
-- Status code
+  - Error
+  - HTTP
+  - Reference
+  - Status code
 browser-compat: http.status.412
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP)
-  412 Precondition Failed client error response code
-  indicates that access to the target resource has been denied. This happens with
-  conditional requests on methods other than {{HTTPMethod("GET")}} or
-  {{HTTPMethod("HEAD")}} when the condition defined by the
-  {{HTTPHeader("If-Unmodified-Since")}} or {{HTTPHeader("If-None-Match")}} headers is not
-  fulfilled. In that case, the request, usually an upload or a modification of a resource,
-  cannot be made and this error response is sent back.

+The HyperText Transfer Protocol (HTTP)
+**`412 Precondition Failed`** client error response code
+indicates that access to the target resource has been denied. This happens with
+conditional requests on methods other than {{HTTPMethod("GET")}} or
+{{HTTPMethod("HEAD")}} when the condition defined by the
+{{HTTPHeader("If-Unmodified-Since")}} or {{HTTPHeader("If-None-Match")}} headers is not
+fulfilled. In that case, the request, usually an upload or a modification of a resource,
+cannot be made and this error response is sent back.
 
-
Status

+## Status
 
-
412 Precondition Failed

+```html
+412 Precondition Failed
+```
 
-
Examples

+## Examples
 
-
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
-ETag: W/"0815"

+    ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
+    ETag: W/"0815"
 
-
Avoiding mid-air collisions

+### Avoiding mid-air collisions
 
-
With the help of the ETag and the {{HTTPHeader("If-Match")}} headers, you
-  can detect mid-air edit collisions.

+With the help of the `ETag` and the {{HTTPHeader("If-Match")}} headers, you
+can detect mid-air edit collisions.
 
-
For example, when editing MDN, the current wiki content is hashed and put into an
-  Etag in the response:

+For example, when editing MDN, the current wiki content is hashed and put into an
+`Etag` in the response:
 
-
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"

+    ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
 
-
When saving changes to a wiki page (posting data), the {{HTTPMethod("POST")}} request
-  will contain the {{HTTPHeader("If-Match")}} header containing the ETag
-  values to check freshness against.

+When saving changes to a wiki page (posting data), the {{HTTPMethod("POST")}} request
+will contain the {{HTTPHeader("If-Match")}} header containing the `ETag`
+values to check freshness against.
 
-
If-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"

+    If-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"
 
-
If the hashes don't match, it means that the document has been edited in-between and a
-  {{HTTPStatus("412")}} Precondition Failed error is thrown.

+If the hashes don't match, it means that the document has been edited in-between and a
+{{HTTPStatus("412")}} `Precondition Failed` error is thrown.
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
The information below has been pulled from MDN's GitHub (https://github.com/mdn/browser-compat-data).
-

+The information below has been pulled from MDN's GitHub ().
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPStatus("304")}}
    • 
-  
  • {{HTTPHeader("If-Unmodified-Since")}}
    • 
-  
  • {{HTTPHeader("If-None-Match")}}
    • 
-  
  • {{HTTPStatus("428")}}
    • 
-

+- {{HTTPStatus("304")}}
+- {{HTTPHeader("If-Unmodified-Since")}}
+- {{HTTPHeader("If-None-Match")}}
+- {{HTTPStatus("428")}}
diff --git a/files/en-us/web/http/status/413/index.md b/files/en-us/web/http/status/413/index.md
index de0d33fe5414922..4f36cf2570b7d46 100644
--- a/files/en-us/web/http/status/413/index.md
+++ b/files/en-us/web/http/status/413/index.md
@@ -8,34 +8,23 @@ tags:
   - Reference
   - Status code
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 413 Payload Too Large response status code indicates that the request entity is larger than limits defined by server; the server might close the connection or return a {{HTTPHeader("Retry-After")}} header field.

+The HTTP **`413 Payload Too Large`** response status code indicates that the request entity is larger than limits defined by server; the server might close the connection or return a {{HTTPHeader("Retry-After")}} header field.
 
-
Status

+## Status
 
-
413 Payload Too Large

+```html
+413 Payload Too Large
+```
 
-
Specifications

+## Specifications
 
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
- 
-
SpecificationTitle
{{RFC("7231", "413 Payload Too Large" , "6.5.11")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

+| Specification                                                        | Title                                                         |
+| -------------------------------------------------------------------- | ------------------------------------------------------------- |
+| {{RFC("7231", "413 Payload Too Large" , "6.5.11")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPHeader("Connection")}}
    • 
- 
  • {{HTTPHeader("Retry-After")}}
    • 
-

+- {{HTTPHeader("Connection")}}
+- {{HTTPHeader("Retry-After")}}
diff --git a/files/en-us/web/http/status/414/index.md b/files/en-us/web/http/status/414/index.md
index 16b77674d2d58ea..475d378228ebb8f 100644
--- a/files/en-us/web/http/status/414/index.md
+++ b/files/en-us/web/http/status/414/index.md
@@ -2,49 +2,37 @@
 title: 414 URI Too Long
 slug: Web/HTTP/Status/414
 tags:
-- Client error
-- HTTP
-- Reference
-- Status code
+  - Client error
+  - HTTP
+  - Reference
+  - Status code
 ---
-
{{HTTPSidebar}}

-
-
The HTTP 414 URI Too Long response status code indicates
-  that the URI requested by the client is longer than the server is willing to interpret.
-

-
-
There are a few rare conditions when this might occur:

-
-
    
-  
  • when a client has improperly converted a {{HTTPMethod("POST")}} request to a
-    {{HTTPMethod("GET")}} request with long query information,
    • 
-  
  • when the client has descended into a loop of redirection (for example, a redirected
-    URI prefix that points to a suffix of itself),
    • 
-  
  • or when the server is under attack by a client attempting to exploit potential
-    security holes.
    • 
-

-
-
Status

-
-
414 URI Too Long

-
-
Specifications

-
-
-  
-    
-      
-      
-    
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("7231", "414 URI Too Long" , "6.5.12")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

-
-
See also

-
-
    
-  
  • {{Glossary("URI")}}
    • 
-

+{{HTTPSidebar}}
+
+The HTTP **`414 URI Too Long`** response status code indicates
+that the URI requested by the client is longer than the server is willing to interpret.
+
+There are a few rare conditions when this might occur:
+
+- when a client has improperly converted a {{HTTPMethod("POST")}} request to a
+  {{HTTPMethod("GET")}} request with long query information,
+- when the client has descended into a loop of redirection (for example, a redirected
+  URI prefix that points to a suffix of itself),
+- or when the server is under attack by a client attempting to exploit potential
+  security holes.
+
+## Status
+
+```html
+414 URI Too Long
+```
+
+## Specifications
+
+| Specification                                                | Title                                                         |
+| ------------------------------------------------------------ | ------------------------------------------------------------- |
+| {{RFC("7231", "414 URI Too Long" , "6.5.12")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
+
+## See also
+
+- {{Glossary("URI")}}
diff --git a/files/en-us/web/http/status/415/index.md b/files/en-us/web/http/status/415/index.md
index 57c75e5fb3bbe26..364d3f3092b127a 100644
--- a/files/en-us/web/http/status/415/index.md
+++ b/files/en-us/web/http/status/415/index.md
@@ -2,45 +2,36 @@
 title: 415 Unsupported Media Type
 slug: Web/HTTP/Status/415
 tags:
-- Client error
-- HTTP
-- HTTP Status Code
-- Reference
-- Status code
+  - Client error
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - Status code
 ---
-
{{HTTPSidebar}}

-
-
The HTTP 415 Unsupported Media Type client error response
-  code indicates that the server refuses to accept the request because the payload format
-  is in an unsupported format.

-
-
The format problem might be due to the request's indicated
-  {{HTTPHeader("Content-Type")}} or {{HTTPHeader("Content-Encoding")}}, or as a result of
-  inspecting the data directly.

-
-
Status

-
-
415 Unsupported Media Type

-
-
Specifications

-
-
-  
-    
-      
-      
-    
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("7231", "415 Unsupported Media Type" , "6.5.13")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

-
-
See also

-
-
    
-  
  • {{HTTPHeader("Content-Type")}}
    • 
-  
  • {{HTTPHeader("Content-Encoding")}}
    • 
-  
  • {{HTTPHeader("Accept")}}
    • 
-

+{{HTTPSidebar}}
+
+The HTTP **`415 Unsupported Media Type`** client error response
+code indicates that the server refuses to accept the request because the payload format
+is in an unsupported format.
+
+The format problem might be due to the request's indicated
+{{HTTPHeader("Content-Type")}} or {{HTTPHeader("Content-Encoding")}}, or as a result of
+inspecting the data directly.
+
+## Status
+
+```html
+415 Unsupported Media Type
+```
+
+## Specifications
+
+| Specification                                                                | Title                                                         |
+| ---------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| {{RFC("7231", "415 Unsupported Media Type" , "6.5.13")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
+
+## See also
+
+- {{HTTPHeader("Content-Type")}}
+- {{HTTPHeader("Content-Encoding")}}
+- {{HTTPHeader("Accept")}}
diff --git a/files/en-us/web/http/status/416/index.md b/files/en-us/web/http/status/416/index.md
index 3c0106db85c6b3a..beb404de4cafd23 100644
--- a/files/en-us/web/http/status/416/index.md
+++ b/files/en-us/web/http/status/416/index.md
@@ -7,30 +7,30 @@ tags:
   - Status code
 browser-compat: http.status.416
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 416 Range Not Satisfiable error response code indicates that a server cannot serve the requested ranges. The most likely reason is that the document doesn't contain such ranges, or that the {{HTTPHeader("Range")}} header value, though syntactically correct, doesn't make sense.

+The HyperText Transfer Protocol (HTTP) **`416 Range Not Satisfiable`** error response code indicates that a server cannot serve the requested ranges. The most likely reason is that the document doesn't contain such ranges, or that the {{HTTPHeader("Range")}} header value, though syntactically correct, doesn't make sense.
 
-
The 416 response message contains a {{HTTPHeader("Content-Range")}} indicating an unsatisfied range (that is a '*') followed by a '/' and the current length of the resource. E.g. Content-Range: bytes */12777

+The `416` response message contains a {{HTTPHeader("Content-Range")}} indicating an unsatisfied range (that is a `'*'`) followed by a `'/'` and the current length of the resource. E.g. `Content-Range: bytes */12777`
 
-
Faced with this error, browsers usually either abort the operation (for example, a download will be considered as non-resumable) or ask for the whole document again.

+Faced with this error, browsers usually either abort the operation (for example, a download will be considered as non-resumable) or ask for the whole document again.
 
-
Status

+## Status
 
-
416 Range Not Satisfiable

+```html
+416 Range Not Satisfiable
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{HTTPStatus(206)}} Partial Content
    • 
- 
  • {{HTTPHeader("Content-Range")}}
    • 
- 
  • {{HTTPHeader("Range")}}
    • 
-

+- {{HTTPStatus(206)}} `Partial Content`
+- {{HTTPHeader("Content-Range")}}
+- {{HTTPHeader("Range")}}
diff --git a/files/en-us/web/http/status/417/index.md b/files/en-us/web/http/status/417/index.md
index 9a7f88fe4fe85d7..183ec68f8c0fb55 100644
--- a/files/en-us/web/http/status/417/index.md
+++ b/files/en-us/web/http/status/417/index.md
@@ -2,41 +2,32 @@
 title: 417 Expectation Failed
 slug: Web/HTTP/Status/417
 tags:
-- Client error
-- HTTP
-- HTTP Status Code
-- Reference
-- Status code
+  - Client error
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - Status code
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 417 Expectation Failed client error response
-  code indicates that the expectation given in the request's {{HTTPHeader("Expect")}}
-  header could not be met.

+The HTTP **`417 Expectation Failed`** client error response
+code indicates that the expectation given in the request's {{HTTPHeader("Expect")}}
+header could not be met.
 
-
See the {{HTTPHeader("Expect")}} header for more details.

+See the {{HTTPHeader("Expect")}} header for more details.
 
-
Status

+## Status
 
-
417 Expectation Failed

+```html
+417 Expectation Failed
+```
 
-
Specifications

+## Specifications
 
-
-  
-    
-      
-      
-    
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("7231", "417 Expectation Failed" , "6.5.14")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

+| Specification                                                        | Title                                                         |
+| -------------------------------------------------------------------- | ------------------------------------------------------------- |
+| {{RFC("7231", "417 Expectation Failed" , "6.5.14")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Expect")}}
    • 
-

+- {{HTTPHeader("Expect")}}
diff --git a/files/en-us/web/http/status/418/index.md b/files/en-us/web/http/status/418/index.md
index f33efb0c1f3301e..82991f7aa780a73 100644
--- a/files/en-us/web/http/status/418/index.md
+++ b/files/en-us/web/http/status/418/index.md
@@ -7,43 +7,29 @@ tags:
   - Reference
 browser-compat: http.status.418
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 418 I'm a teapot client error response code indicates that the server refuses to brew coffee because it is, permanently, a teapot. A combined coffee/tea pot that is temporarily out of coffee should instead return 503. This error is a reference to Hyper Text Coffee Pot Control Protocol defined in April Fools' jokes in 1998 and 2014.

+The HTTP **`418 I'm a teapot`** client error response code indicates that the server refuses to brew coffee because it is, permanently, a teapot. A combined coffee/tea pot that is temporarily out of coffee should instead return 503. This error is a reference to Hyper Text Coffee Pot Control Protocol defined in April Fools' jokes in 1998 and 2014.
 
-
Some websites use this response for requests they do not wish to handle, such as automated queries.

+Some websites use this response for requests they do not wish to handle, such as automated queries.
 
-
Status

+## Status
 
-
418 I'm a teapot

+```html
+418 I'm a teapot
+```
 
-
Specifications

+## Specifications
 
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
-  
-   
-   
-  
- 
-
SpecificationTitle
{{RFC("2324", "418 I'm a teapot" , "2.3.2")}}Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0): Semantics and Content
{{RFC("7168", "418 I'm a teapot" , "2.3.3")}}The Hyper Text Coffee Pot Control Protocol for Tea Efflux Appliances (HTCPCP-TEA): Response Codes

+| Specification                                                | Title                                                                                             |
+| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------- |
+| {{RFC("2324", "418 I'm a teapot" , "2.3.2")}} | Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0): Semantics and Content                        |
+| {{RFC("7168", "418 I'm a teapot" , "2.3.3")}} | The Hyper Text Coffee Pot Control Protocol for Tea Efflux Appliances (HTCPCP-TEA): Response Codes |
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{interwiki("wikipedia", "Hyper Text Coffee Pot Control Protocol", "Wikipedia: Hyper Text Coffee Pot Control Protocol")}}
    • 
-

+- {{interwiki("wikipedia", "Hyper Text Coffee Pot Control Protocol", "Wikipedia: Hyper Text Coffee Pot Control Protocol")}}
diff --git a/files/en-us/web/http/status/422/index.md b/files/en-us/web/http/status/422/index.md
index 2e221e1757f4d8f..0cc57e8308cc00c 100644
--- a/files/en-us/web/http/status/422/index.md
+++ b/files/en-us/web/http/status/422/index.md
@@ -2,42 +2,30 @@
 title: 422 Unprocessable Entity
 slug: Web/HTTP/Status/422
 tags:
-- Client error
-- HTTP
-- HTTP Status Code
-- Reference
-- Status code
-- WebDAV
+  - Client error
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - Status code
+  - WebDAV
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP)
-  422 Unprocessable Entity response status code indicates
-  that the server understands the content type of the request entity, and the syntax of
-  the request entity is correct, but it was unable to process the contained instructions.
-

+The HyperText Transfer Protocol (HTTP)
+**`422 Unprocessable Entity`** response status code indicates
+that the server understands the content type of the request entity, and the syntax of
+the request entity is correct, but it was unable to process the contained instructions.
 
-

-  
Warning: The client should not repeat this request without modification.

-

+> **Warning:** The client should not repeat this request without modification.
 
-
Status

+## Status
 
-
422 Unprocessable Entity

+```html
+422 Unprocessable Entity
+```
 
-
Specifications

+## Specifications
 
-
-  
-    
-      
-      
-    
-  
-  
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("4918", "422 Unprocessable Entity" , "11.2")}}HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)

+| Specification                                                        | Title                                                                 |
+| -------------------------------------------------------------------- | --------------------------------------------------------------------- |
+| {{RFC("4918", "422 Unprocessable Entity" , "11.2")}} | HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV) |
diff --git a/files/en-us/web/http/status/425/index.md b/files/en-us/web/http/status/425/index.md
index 7d121c4b368e3c0..45f9b5e29d141bd 100644
--- a/files/en-us/web/http/status/425/index.md
+++ b/files/en-us/web/http/status/425/index.md
@@ -2,26 +2,28 @@
 title: 425 Too Early
 slug: Web/HTTP/Status/425
 tags:
-- Browser
-- Client error
-- HTTP
-- Status code
+  - Browser
+  - Client error
+  - HTTP
+  - Status code
 browser-compat: http.status.425
 ---
-
{{SeeCompatTable}}{{HTTPSidebar}}

+{{SeeCompatTable}}{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 425 Too Early
-  response status code indicates that the server is unwilling to risk processing a request
-  that might be replayed, which creates the potential for a replay attack.

+The HyperText Transfer Protocol (HTTP) **`425 Too Early`**
+response status code indicates that the server is unwilling to risk processing a request
+that might be replayed, which creates the potential for a replay attack.
 
-
Status

+## Status
 
-
425 Too Early

+```html
+425 Too Early
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
diff --git a/files/en-us/web/http/status/426/index.md b/files/en-us/web/http/status/426/index.md
index f17315323e3347e..13479ed92a19607 100644
--- a/files/en-us/web/http/status/426/index.md
+++ b/files/en-us/web/http/status/426/index.md
@@ -2,55 +2,44 @@
 title: 426 Upgrade Required
 slug: Web/HTTP/Status/426
 tags:
-- Client error
-- HTTP
-- HTTP Status Code
-- Reference
-- Status code
+  - Client error
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - Status code
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 426 Upgrade Required client error response code
-  indicates that the server refuses to perform the request using the current protocol but
-  might be willing to do so after the client upgrades to a different protocol.

+The HTTP **`426 Upgrade Required`** client error response code
+indicates that the server refuses to perform the request using the current protocol but
+might be willing to do so after the client upgrades to a different protocol.
 
-
The server sends an {{HTTPHeader("Upgrade")}} header with this response to indicate the
-  required protocol(s).

+The server sends an {{HTTPHeader("Upgrade")}} header with this response to indicate the
+required protocol(s).
 
-
Status

+## Status
 
-
426 Upgrade Required

+```html
+426 Upgrade Required
+```
 
-
Examples

+## Examples
 
-
HTTP/1.1 426 Upgrade Required
-Upgrade: HTTP/2.0
-Connection: Upgrade
-Content-Length: 53
-Content-Type: text/plain
+    HTTP/1.1 426 Upgrade Required
+    Upgrade: HTTP/2.0
+    Connection: Upgrade
+    Content-Length: 53
+    Content-Type: text/plain
 
-This service requires use of the HTTP/2.0 protocol

+    This service requires use of the HTTP/2.0 protocol
 
-
Specifications

+## Specifications
 
-
-  
-    
-      
-      
-    
-  
-  
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("7231", "426 Upgrade Required" , "6.5.15")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

+| Specification                                                        | Title                                                         |
+| -------------------------------------------------------------------- | ------------------------------------------------------------- |
+| {{RFC("7231", "426 Upgrade Required" , "6.5.15")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Upgrade")}}
    • 
-  
  • {{HTTPStatus("101")}} Switching Protocol
    • 
-

+- {{HTTPHeader("Upgrade")}}
+- {{HTTPStatus("101")}} `Switching Protocol`
diff --git a/files/en-us/web/http/status/428/index.md b/files/en-us/web/http/status/428/index.md
index 19c7e97d22d9e1e..0e9cd6b9cb3275e 100644
--- a/files/en-us/web/http/status/428/index.md
+++ b/files/en-us/web/http/status/428/index.md
@@ -2,48 +2,37 @@
 title: 428 Precondition Required
 slug: Web/HTTP/Status/428
 tags:
-- Client error
-- HTTP
-- HTTP Status Code
-- Reference
-- Status code
+  - Client error
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - Status code
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 428 Precondition Required response status code
-  indicates that the server requires the request to be conditional.

+The HTTP **`428 Precondition Required`** response status code
+indicates that the server requires the request to be [conditional](/en-US/docs/Web/HTTP/Conditional_requests).
 
-
Typically, this means that a required precondition header, such
-  as {{HTTPHeader("If-Match")}}, is missing.

+Typically, this means that a required precondition header, such
+as {{HTTPHeader("If-Match")}}, **is missing**.
 
-
When a precondition header is not matching the server side state, the
-  response should be {{HTTPStatus(412)}} Precondition Failed.

+When a precondition header is **not matching** the server side state, the
+response should be {{HTTPStatus(412)}} `Precondition Failed`.
 
-
Status

+## Status
 
-
428 Precondition Required

+```html
+428 Precondition Required
+```
 
-
Specifications

+## Specifications
 
-
-  
-    
-      
-      
-    
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("6585", "428 Precondition Required" , "3")}}Additional HTTP Status Codes

+| Specification                                                        | Title                        |
+| -------------------------------------------------------------------- | ---------------------------- |
+| {{RFC("6585", "428 Precondition Required" , "3")}} | Additional HTTP Status Codes |
 
-
See also

+## See also
 
-
+- [HTTP conditional requests](/en-US/docs/Web/HTTP/Conditional_requests)
+- {{HTTPHeader("If-Match")}}
+- {{HTTPStatus(412)}}
diff --git a/files/en-us/web/http/status/429/index.md b/files/en-us/web/http/status/429/index.md
index a770385042397f7..22e7a34ec496c3e 100644
--- a/files/en-us/web/http/status/429/index.md
+++ b/files/en-us/web/http/status/429/index.md
@@ -8,43 +8,32 @@ tags:
   - Reference
   - Status code
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 429 Too Many Requests response status code indicates the user has sent too many requests in a given amount of time ("rate limiting").

+The HTTP **`429 Too Many Requests`** response status code indicates the user has sent too many requests in a given amount of time ("rate limiting").
 
-
A {{HTTPHeader("Retry-After")}} header might be included to this response indicating how long to wait before making a new request.

+A {{HTTPHeader("Retry-After")}} header might be included to this response indicating how long to wait before making a new request.
 
-
Status

+## Status
 
-
429 Too Many Requests

+```html
+429 Too Many Requests
+```
 
-
Example

+## Example
 
-
HTTP/1.1 429 Too Many Requests
-Content-Type: text/html
-Retry-After: 3600

+    HTTP/1.1 429 Too Many Requests
+    Content-Type: text/html
+    Retry-After: 3600
 
-
Specifications

+## Specifications
 
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
- 
-
SpecificationTitle
{{RFC("6585", "429 Too Many Requests" , "4")}}Additional HTTP Status Codes

+| Specification                                                | Title                        |
+| ------------------------------------------------------------ | ---------------------------- |
+| {{RFC("6585", "429 Too Many Requests" , "4")}} | Additional HTTP Status Codes |
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Retry-After")}}
+- [HTTP/1.1: Status Code Definitions](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html)
+- Python solution: [How to avoid HTTP error 429 python](https://stackoverflow.com/questions/22786068/how-to-avoid-http-error-429-too-many-requests-python)
diff --git a/files/en-us/web/http/status/431/index.md b/files/en-us/web/http/status/431/index.md
index 6caed69ce9230c8..20867db3cf5e6dc 100644
--- a/files/en-us/web/http/status/431/index.md
+++ b/files/en-us/web/http/status/431/index.md
@@ -2,59 +2,44 @@
 title: 431 Request Header Fields Too Large
 slug: Web/HTTP/Status/431
 tags:
-- Client error
-- HTTP
-- HTTP Status Code
-- Reference
-- Status code
+  - Client error
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - Status code
 ---
-
{{HTTPSidebar}}

-
-

-  The HTTP 431 Request Header Fields Too Large response status code
-  indicates that the server refuses to process the request because the request's
-  HTTP headers are too long.
-  The request may be resubmitted after reducing the size of the request headers.
-

-
-
431 can be used when the total size of request headers is too large,
-  or when a single header field is too large. To help those running into
-  this error, indicate which of the two is the problem in the response body — ideally,
-  also include which headers are too large. This lets users attempt to fix the problem,
-  such as by clearing their cookies.

-
-
Servers will often produce this status if:

-
-
    
-  
  • The {{ httpheader("Referer") }} URL is too long
    • 
-  
  • There are too many Cookies sent in the
-    request
    • 
-

-
-
Status

-
-
431 Request Header Fields Too Large

-
-
Specifications

-
-
-  
-    
-      
-      
-    
-  
-  
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("6585", "431 Request Header Fields Too Large" , "5")}}Additional HTTP Status Codes

-
-
See also

-
-
    
-  
  • {{HTTPStatus(414, "414 URI Too Long")}}
    • 
-  
  • {{Glossary("Request header")}}
    • 
-

+{{HTTPSidebar}}
+
+The HTTP **`431 Request Header Fields Too Large`** response status code
+indicates that the server refuses to process the request because the request's
+[HTTP headers](/en-US/docs/Web/HTTP/Headers) are too long.
+The request _may_ be resubmitted after reducing the size of the request headers.
+
+431 can be used when the **total size** of request headers is too large,
+or when a **single** header field is too large. To help those running into
+this error, indicate which of the two is the problem in the response body — ideally,
+also include which headers are too large. This lets users attempt to fix the problem,
+such as by clearing their cookies.
+
+Servers will often produce this status if:
+
+- The {{ httpheader("Referer") }} URL is too long
+- There are too many [Cookies](/en-US/docs/Web/HTTP/Cookies) sent in the
+  request
+
+## Status
+
+```html
+431 Request Header Fields Too Large
+```
+
+## Specifications
+
+| Specification                                                                    | Title                        |
+| -------------------------------------------------------------------------------- | ---------------------------- |
+| {{RFC("6585", "431 Request Header Fields Too Large" , "5")}} | Additional HTTP Status Codes |
+
+## See also
+
+- {{HTTPStatus(414, "414 URI Too Long")}}
+- {{Glossary("Request header")}}
diff --git a/files/en-us/web/http/status/451/index.md b/files/en-us/web/http/status/451/index.md
index ef815bab017620d..64c56dff1871a47 100644
--- a/files/en-us/web/http/status/451/index.md
+++ b/files/en-us/web/http/status/451/index.md
@@ -8,48 +8,50 @@ tags:
   - Status code
 browser-compat: http.status.451
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 451 Unavailable For Legal Reasons client error response code indicates that the user requested a resource that is not available due to legal reasons, such as a web page for which a legal action has been issued.

+The HyperText Transfer Protocol (HTTP) **`451 Unavailable For Legal Reasons`** client error response code indicates that the user requested a resource that is not available due to legal reasons, such as a web page for which a legal action has been issued.
 
-
Status

+## Status
 
-
451 Unavailable For Legal Reasons

+```html
+451 Unavailable For Legal Reasons
+```
 
-
Example

+## Example
 
-
This example response is taken from the IETF RFC (see below) and contains a reference to {{interwiki("wikipedia", "Monty_Python's_Life_of_Brian", "Monty Python's Life of Brian")}}.

+This example response is taken from the IETF RFC (see below) and contains a reference to {{interwiki("wikipedia", "Monty_Python's_Life_of_Brian", "Monty Python's Life of Brian")}}.
 
-
Note: the {{HTTPHeader("Link")}} header might also contain a rel="blocked-by" relation identifying the entity and implementing blockage, not any other entity mandating it.

+**Note:** the {{HTTPHeader("Link")}} header might also contain a `rel="blocked-by"` relation identifying the entity and implementing blockage, not any other entity mandating it.
 
-
Any attempt to identify the entity ultimately responsible for the resource being unavailable belongs in the response body, not in the rel="blocked-by" link. This includes the name of the person or organization that made a legal demand resulting in the content's removal.

+Any attempt to identify the entity ultimately responsible for the resource being unavailable belongs in the response body, not in the `rel="blocked-by"` link. This includes the name of the person or organization that made a legal demand resulting in the content's removal.
 
-
HTTP/1.1 451 Unavailable For Legal Reasons
-Link: <https://spqr.example.org/legislatione>; rel="blocked-by"
-Content-Type: text/html

+    HTTP/1.1 451 Unavailable For Legal Reasons
+    Link: ; rel="blocked-by"
+    Content-Type: text/html
 
-
<html>
-      <head><title>Unavailable For Legal Reasons</title></head>
-      <body>
-            <h1>Unavailable For Legal Reasons</h1>
-            <p>This request may not be serviced in the Roman Province
-            of Judea due to the Lex Julia Majestatis, which disallows
-            access to resources hosted on servers deemed to be
-            operated by the People's Front of Judea.</p>
-     </body>
-</html>

+
 
-
Specifications

+    
+          Unavailable For Legal Reasons
+          
+                
Unavailable For Legal Reasons

+                
This request may not be serviced in the Roman Province
+                of Judea due to the Lex Julia Majestatis, which disallows
+                access to resources hosted on servers deemed to be
+                operated by the People's Front of Judea.

+         
+    
+
+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
    
- 
  • {{interwiki("wikipedia", "HTTP_451", "Wikipedia: HTTP 451")}}
    • 
- 
  • {{interwiki("wikipedia", "Fahrenheit_451", "Wikipedia: Fahrenheit 451")}} (which gave this status code its number)
    • 
-

+- {{interwiki("wikipedia", "HTTP_451", "Wikipedia: HTTP 451")}}
+- {{interwiki("wikipedia", "Fahrenheit_451", "Wikipedia: Fahrenheit 451")}} (which gave this status code its number)
diff --git a/files/en-us/web/http/status/500/index.md b/files/en-us/web/http/status/500/index.md
index b76c01fa9601ea6..b8b869c678e3dbe 100644
--- a/files/en-us/web/http/status/500/index.md
+++ b/files/en-us/web/http/status/500/index.md
@@ -7,26 +7,26 @@ tags:
   - Status code
 browser-compat: http.status.500
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 500 Internal Server Error server error response code indicates that the server encountered an unexpected condition that prevented it from fulfilling the request.

+The HyperText Transfer Protocol (HTTP) **`500 Internal Server Error`** server error response code indicates that the server encountered an unexpected condition that prevented it from fulfilling the request.
 
-
This error response is a generic "catch-all" response. Usually, this indicates the server cannot find a better 5xx error code to response. Sometimes, server administrators log error responses like the 500 status code with more details about the request to prevent the error from happening again in the future.

+This error response is a generic "catch-all" response. Usually, this indicates the server cannot find a better 5xx error code to response. Sometimes, server administrators log error responses like the 500 status code with more details about the request to prevent the error from happening again in the future.
 
-
Status

+## Status
 
-
500 Internal Server Error

+```html
+500 Internal Server Error
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [HTTP/1.1: Status Code Definitions](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html)
diff --git a/files/en-us/web/http/status/501/index.md b/files/en-us/web/http/status/501/index.md
index a689f70b75c6bb7..c626c1cb515b85c 100644
--- a/files/en-us/web/http/status/501/index.md
+++ b/files/en-us/web/http/status/501/index.md
@@ -7,32 +7,31 @@ tags:
   - Status code
 browser-compat: http.status.501
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 501 Not Implemented server error response code means that the server does not support the functionality required to fulfill the request.

+The HyperText Transfer Protocol (HTTP) **`501 Not Implemented`** server error response code means that **the server does not support the functionality required to fulfill the request**.
 
-
This status can also send a {{HTTPHeader("Retry-After")}} header, telling the requester when to check back to see if the functionality is supported by then.

+This status can also send a {{HTTPHeader("Retry-After")}} header, telling the requester when to check back to see if the functionality is supported by then.
 
-
501 is the appropriate response when the server does not recognize the request method and is incapable of supporting it for any resource. The only methods that servers are required to support (and therefore that must not return 501) are {{HTTPMethod("GET")}} and {{HTTPMethod("HEAD")}}.

+`501` is the appropriate response when the server does not recognize the request method and is incapable of supporting it for any resource. The only methods that servers are required to support (and therefore that must not return `501`) are {{HTTPMethod("GET")}} and {{HTTPMethod("HEAD")}}.
 
-
If the server does recognize the method, but intentionally does not support it, the appropriate response is {{HTTPStatus(405, "405 Method Not Allowed")}}.

+If the server _does_ recognize the method, but intentionally does not support it, the appropriate response is {{HTTPStatus(405, "405 Method Not Allowed")}}.
 
-

-  
Note: 

-  
    
-    
  • A 501 error is not something you can fix, but requires a fix by the web server you are trying to access.
    • 
-    
  • A 501 response is cacheable by default; that is, unless caching headers instruct otherwise.
    • 
-  

-

+> **Note:**
+>
+> - A 501 error is not something you can fix, but requires a fix by the web server you are trying to access.
+> - A 501 response is cacheable by default; that is, unless caching headers instruct otherwise.
 
-
Status

+## Status
 
-
501 Not Implemented

+```html
+501 Not Implemented
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
diff --git a/files/en-us/web/http/status/502/index.md b/files/en-us/web/http/status/502/index.md
index a36a4037704275c..b1abbbcbf20c7a4 100644
--- a/files/en-us/web/http/status/502/index.md
+++ b/files/en-us/web/http/status/502/index.md
@@ -7,30 +7,27 @@ tags:
   - Status code
 browser-compat: http.status.502
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 502 Bad Gateway server error response code indicates that the server, while acting as a gateway or proxy, received an invalid response from the upstream server.

+The HyperText Transfer Protocol (HTTP) **`502 Bad Gateway`** server error response code indicates that the server, while acting as a gateway or proxy, received an invalid response from the upstream server.
 
-

-  
Note: A {{interwiki("wikipedia", "Gateway_(telecommunications)", "Gateway")}} might refer to different things in networking and a 502 error is usually not something you can fix, but requires a fix by the web server or the proxies you are trying to get access through.

-

+> **Note:** A {{interwiki("wikipedia", "Gateway_(telecommunications)", "Gateway")}} might refer to different things in networking and a 502 error is usually not something you can fix, but requires a fix by the web server or the proxies you are trying to get access through.
 
-
Status

+## Status
 
-
502 Bad Gateway
-

+```html
+502 Bad Gateway
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPStatus(504)}}
+- [HTTP/1.1: Status Code Definitions](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html)
diff --git a/files/en-us/web/http/status/503/index.md b/files/en-us/web/http/status/503/index.md
index 0d780962f87d3f9..d664b9ebfdade08 100644
--- a/files/en-us/web/http/status/503/index.md
+++ b/files/en-us/web/http/status/503/index.md
@@ -8,33 +8,31 @@ tags:
   - Status code
 browser-compat: http.status.503
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 503 Service Unavailable server error response code indicates that the server is not ready to handle the request.

+The HyperText Transfer Protocol (HTTP) **`503 Service Unavailable`** server error response code indicates that the server is not ready to handle the request.
 
-
Common causes are a server that is down for maintenance or that is overloaded. This response should be used for temporary conditions and the {{HTTPHeader("Retry-After")}} HTTP header should, if possible, contain the estimated time for the recovery of the service.

+Common causes are a server that is down for maintenance or that is overloaded. This response should be used for temporary conditions and the {{HTTPHeader("Retry-After")}} HTTP header should, if possible, contain the estimated time for the recovery of the service.
 
-

-  
Note: together with this response, a user-friendly page explaining the problem should be sent.

-

+> **Note:** together with this response, a user-friendly page explaining the problem should be sent.
 
-
Caching-related headers that are sent along with this response should be taken care of, as a 503 status is often a temporary condition and responses shouldn't usually be cached.

+Caching-related headers that are sent along with this response should be taken care of, as a 503 status is often a temporary condition and responses shouldn't usually be cached.
 
-
Status

+## Status
 
-
503 Service Unavailable

+```html
+503 Service Unavailable
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- {{HTTPHeader("Retry-After")}}
+- [HTTP/1.1: Status Code Definitions](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html)
diff --git a/files/en-us/web/http/status/504/index.md b/files/en-us/web/http/status/504/index.md
index f2ed612bb14cff7..3b92fb543f1f9cc 100644
--- a/files/en-us/web/http/status/504/index.md
+++ b/files/en-us/web/http/status/504/index.md
@@ -7,29 +7,27 @@ tags:
   - Status code
 browser-compat: http.status.504
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 504 Gateway Timeout server error response code indicates that the server, while acting as a gateway or proxy, did not get a response in time from the upstream server that it needed in order to complete the request.

+The HyperText Transfer Protocol (HTTP) **`504 Gateway Timeout`** server error response code indicates that the server, while acting as a gateway or proxy, did not get a response in time from the upstream server that it needed in order to complete the request.
 
-

-
Note: A {{interwiki("wikipedia", "Gateway_(telecommunications)", "Gateway")}} might refer to different things in networking and a 504 error is usually not something you can fix, but requires a fix by the web server or the proxies you are trying to get access through.

-

+> **Note:** A {{interwiki("wikipedia", "Gateway_(telecommunications)", "Gateway")}} might refer to different things in networking and a 504 error is usually not something you can fix, but requires a fix by the web server or the proxies you are trying to get access through.
 
-
Status

+## Status
 
-
504 Gateway Timeout

+```html
+504 Gateway Timeout
+```
 
-
Specifications

+## Specifications
 
 {{Specifications}}
 
-
Browser compatibility

+## Browser compatibility
 
-
{{Compat}}

+{{Compat}}
 
-
See also

+## See also
 
-
+- [HTTP/1.1: Status Code Definitions](https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html)
+- {{HTTPStatus(502)}}
diff --git a/files/en-us/web/http/status/505/index.md b/files/en-us/web/http/status/505/index.md
index 3a873387d9b7c15..8e7043e9bc2995f 100644
--- a/files/en-us/web/http/status/505/index.md
+++ b/files/en-us/web/http/status/505/index.md
@@ -2,38 +2,29 @@
 title: 505 HTTP Version Not Supported
 slug: Web/HTTP/Status/505
 tags:
-- HTTP
-- Reference
-- Server error
-- Status code
+  - HTTP
+  - Reference
+  - Server error
+  - Status code
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP)
-  505 HTTP Version Not Supported response status code
-  indicates that the HTTP version used in the request is not supported by the server.

+The HyperText Transfer Protocol (HTTP)
+**`505 HTTP Version Not Supported`** response status code
+indicates that the HTTP version used in the request is not supported by the server.
 
-
Status

+## Status
 
-
505 HTTP Version Not Supported

+```html
+505 HTTP Version Not Supported
+```
 
-
Specifications

+## Specifications
 
-
-  
-    
-      
-      
-    
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("7231", "505 HTTP Version Not Supported" , "6.6.6")}}Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content

+| Specification                                                                    | Title                                                         |
+| -------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| {{RFC("7231", "505 HTTP Version Not Supported" , "6.6.6")}} | Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content |
 
-
See also

+## See also
 
-
    
-  
  • {{HTTPHeader("Upgrade")}}
    • 
-

+- {{HTTPHeader("Upgrade")}}
diff --git a/files/en-us/web/http/status/506/index.md b/files/en-us/web/http/status/506/index.md
index 8e40fb025b57673..b36478e3018494e 100644
--- a/files/en-us/web/http/status/506/index.md
+++ b/files/en-us/web/http/status/506/index.md
@@ -6,29 +6,20 @@ tags:
   - Server error
   - Status code
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 506 Variant Also Negotiates response status code may be given in the context of Transparent Content Negotiation (see RFC 2295). This protocol enables a client to retrieve the best variant of a given resource, where the server supports multiple variants.

+The HyperText Transfer Protocol (HTTP) **`506 Variant Also Negotiates`** response status code may be given in the context of Transparent Content Negotiation (see [RFC 2295](https://datatracker.ietf.org/doc/html/rfc2295)). This protocol enables a client to retrieve the best variant of a given resource, where the server supports multiple variants.
 
-
The Variant Also Negotiates status code indicates an internal server configuration error in which the chosen variant is itself configured to engage in content negotiation, so is not a proper negotiation endpoint.

+The **`Variant Also Negotiates`** status code indicates an internal server configuration error in which the chosen variant is itself configured to engage in content negotiation, so is not a proper negotiation endpoint.
 
-
Status

+## Status
 
-
506 Variant Also Negotiates

+```html
+506 Variant Also Negotiates
+```
 
-
Specifications

+## Specifications
 
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
- 
-
SpecificationTitle
{{RFC("2295", "506 Variant Also Negotiates" , "8.1")}}Transparent Content Negotiation in HTTP

+| Specification                                                            | Title                                   |
+| ------------------------------------------------------------------------ | --------------------------------------- |
+| {{RFC("2295", "506 Variant Also Negotiates" , "8.1")}} | Transparent Content Negotiation in HTTP |
diff --git a/files/en-us/web/http/status/507/index.md b/files/en-us/web/http/status/507/index.md
index 14ce8ee0c50a6ad..952fe820cd2a617 100644
--- a/files/en-us/web/http/status/507/index.md
+++ b/files/en-us/web/http/status/507/index.md
@@ -6,29 +6,20 @@ tags:
   - Server error
   - Status code
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 507 Insufficient Storage response status code may be given in the context of the Web Distributed Authoring and Versioning (WebDAV) protocol (see RFC 4918).

+The HyperText Transfer Protocol (HTTP) **`507 Insufficient Storage`** response status code may be given in the context of the Web Distributed Authoring and Versioning (WebDAV) protocol (see [RFC 4918](https://datatracker.ietf.org/doc/html/rfc4918)).
 
-
It indicates that a method could not be performed because the server cannot store the representation needed to successfully complete the request.

+It indicates that a method could not be performed because the server cannot store the representation needed to successfully complete the request.
 
-
Status

+## Status
 
-
507 Insufficient Storage

+```html
+507 Insufficient Storage
+```
 
-
Specifications

+## Specifications
 
-
- 
-  
-   
-   
-  
- 
- 
-  
-   
-   
-  
- 
-
SpecificationTitle
{{RFC("4918", "507 Insufficient Storage" , "11.5")}}Web Distributed Authoring and Versioning

+| Specification                                                        | Title                                    |
+| -------------------------------------------------------------------- | ---------------------------------------- |
+| {{RFC("4918", "507 Insufficient Storage" , "11.5")}} | Web Distributed Authoring and Versioning |
diff --git a/files/en-us/web/http/status/508/index.md b/files/en-us/web/http/status/508/index.md
index 379d852bcd7cb63..ea234e5f7477f37 100644
--- a/files/en-us/web/http/status/508/index.md
+++ b/files/en-us/web/http/status/508/index.md
@@ -2,38 +2,29 @@
 title: 508 Loop Detected
 slug: Web/HTTP/Status/508
 tags:
-- '508'
-- HTTP
-- Server error
-- Status code
+  - '508'
+  - HTTP
+  - Server error
+  - Status code
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP) 508 Loop Detected
-  response status code may be given in the context of the Web Distributed Authoring and
-  Versioning (WebDAV) protocol.

+The HyperText Transfer Protocol (HTTP) **`508 Loop Detected`**
+response status code may be given in the context of the Web Distributed Authoring and
+Versioning (WebDAV) protocol.
 
-
It indicates that the server terminated an operation because it encountered an infinite
-  loop while processing a request with "Depth: infinity". This status indicates that the
-  entire operation failed.

+It indicates that the server terminated an operation because it encountered an infinite
+loop while processing a request with "Depth: infinity". This status indicates that the
+entire operation failed.
 
-
Status

+## Status
 
-
508 Loop Detected

+```html
+508 Loop Detected
+```
 
-
Specifications

+## Specifications
 
-
-  
-    
-      
-      
-    
-  
-  
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("5842", "508 Loop Detected" , "7.2")}}Web Distributed Authoring and Versioning

+| Specification                                                | Title                                    |
+| ------------------------------------------------------------ | ---------------------------------------- |
+| {{RFC("5842", "508 Loop Detected" , "7.2")}} | Web Distributed Authoring and Versioning |
diff --git a/files/en-us/web/http/status/510/index.md b/files/en-us/web/http/status/510/index.md
index cfd5a5abd18286c..14ebc3c6228b178 100644
--- a/files/en-us/web/http/status/510/index.md
+++ b/files/en-us/web/http/status/510/index.md
@@ -2,36 +2,29 @@
 title: 510 Not Extended
 slug: Web/HTTP/Status/510
 tags:
-- HTTP
-- Server error
-- Status code
+  - HTTP
+  - Server error
+  - Status code
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HyperText Transfer Protocol (HTTP)  510 Not Extended
-  response status code is sent in the context of the HTTP Extension Framework, defined in
-  RFC 2774.

+The HyperText Transfer Protocol (HTTP)  **`510 Not Extended`**
+response status code is sent in the context of the HTTP Extension Framework, defined in
+[RFC 2774](https://datatracker.ietf.org/doc/html/rfc2774).
 
-
In that specification a client may send a request that contains an extension
-  declaration, that describes the extension to be used. If the server receives such a
-  request, but any described extensions are not supported for the request, then the server
-  responds with the 510 status code.

+In that specification a client may send a request that contains an extension
+declaration, that describes the extension to be used. If the server receives such a
+request, but any described extensions are not supported for the request, then the server
+responds with the 510 status code.
 
-
Status

+## Status
 
-
510 Not Extended

+```html
+510 Not Extended
+```
 
-
Specifications

+## Specifications
 
-
-  
-    
-      
-      
-    
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("2774", "510 Not Extended" , "7")}}An HTTP Extension Framework

+| Specification                                            | Title                       |
+| -------------------------------------------------------- | --------------------------- |
+| {{RFC("2774", "510 Not Extended" , "7")}} | An HTTP Extension Framework |
diff --git a/files/en-us/web/http/status/511/index.md b/files/en-us/web/http/status/511/index.md
index 7595ca01c43719d..4c2637f5b4272a0 100644
--- a/files/en-us/web/http/status/511/index.md
+++ b/files/en-us/web/http/status/511/index.md
@@ -2,46 +2,37 @@
 title: 511 Network Authentication Required
 slug: Web/HTTP/Status/511
 tags:
-- HTTP
-- HTTP Status Code
-- Reference
-- Server error
-- Status code
+  - HTTP
+  - HTTP Status Code
+  - Reference
+  - Server error
+  - Status code
 ---
-
{{HTTPSidebar}}

+{{HTTPSidebar}}
 
-
The HTTP 511 Network Authentication Required response
-  status code indicates that the client needs to authenticate to gain network access.

+The HTTP **`511 Network Authentication Required`** response
+status code indicates that the client needs to authenticate to gain network access.
 
-
This status is not generated by origin servers, but by intercepting proxies that
-  control access to the network.

+This status is not generated by origin servers, but by intercepting proxies that
+control access to the network.
 
-
Network operators sometimes require some authentication, acceptance of terms, or other
-  user interaction before granting access (for example in an internet café or at an
-  airport). They often identify clients who have not done so using their Media Access
-  Control ({{Glossary("MAC")}}) addresses.

+Network operators sometimes require some authentication, acceptance of terms, or other
+user interaction before granting access (for example in an internet café or at an
+airport). They often identify clients who have not done so using their Media Access
+Control ({{Glossary("MAC")}}) addresses.
 
-
Status

+## Status
 
-
511 Network Authentication Required

+```html
+511 Network Authentication Required
+```
 
-
Specifications

+## Specifications
 
-
-  
-    
-      
-      
-    
-    
-      
-      
-    
-  
-
SpecificationTitle
{{RFC("6585", "511 Network Authentication Required" , "6")}}Additional HTTP Status Codes

+| Specification                                                                    | Title                        |
+| -------------------------------------------------------------------------------- | ---------------------------- |
+| {{RFC("6585", "511 Network Authentication Required" , "6")}} | Additional HTTP Status Codes |
 
-
See also

+## See also
 
-
    
-  
  • {{Glossary("Proxy server")}}
    • 
-

+- {{Glossary("Proxy server")}}
diff --git a/files/en-us/web/http/status/index.md b/files/en-us/web/http/status/index.md
index 319b13aab3c3abf..19969445a7e25fe 100644
--- a/files/en-us/web/http/status/index.md
+++ b/files/en-us/web/http/status/index.md
@@ -9,189 +9,173 @@ tags:
   - Status code
   - Web
 ---
-
{{HTTPSidebar}}

-
-
HTTP response status codes indicate whether a specific HTTP request has been successfully completed. Responses are grouped in five classes:

-
-
    
- 
  1. Informational responses (100199)
    2. 
- 
  2. Successful responses (200299)
    3. 
- 
  3. Redirects (300399)
    4. 
- 
  4. Client errors (400499)
    5. 
- 
  5. Server errors (500599)
    6. 
-

-
-
The below status codes are defined by section 10 of RFC 2616. You can find an updated specification in RFC 7231.

-
-

-  
Note: If you receive a response that is not in this list, it is a non-standard response, possibly custom to the server's software.

-

-
-
Information responses

-
-

- 
{{HTTPStatus(100, "100 Continue")}}

- 
This interim response indicates that everything so far is OK and that the client should continue the request, or ignore the response if the request is already finished.

- 
{{HTTPStatus(101, "101 Switching Protocol")}}

- 
This code is sent in response to an {{HTTPHeader("Upgrade")}} request header from the client, and indicates the protocol the server is switching to.

- 
{{HTTPStatus(102, "102 Processing")}} ({{Glossary("WebDAV")}})

- 
This code indicates that the server has received and is processing the request, but no response is available yet.

- 
{{HTTPStatus(103, "103 Early Hints")}}

- 
This status code is primarily intended to be used with the {{HTTPHeader("Link")}} header, letting the user agent start preloading resources while the server prepares a response.

-

-
-
Successful responses

-
-

- 
{{HTTPStatus(200, "200 OK")}}

- 
The request has succeeded. The meaning of the success depends on the HTTP method:
- 
    
-  
  • GET: The resource has been fetched and is transmitted in the message body.
    • 
-  
  • HEAD: The representation headers are included in the response without any message body.
    • 
-  
  • PUT or POST: The resource describing the result of the action is transmitted in the message body.
    • 
-  
  • TRACE: The message body contains the request message as received by the server.
    • 
- 

- 

- 
{{HTTPStatus(201, "201 Created")}}

- 
The request has succeeded and a new resource has been created as a result. This is typically the response sent after POST requests, or some PUT requests.

- 
{{HTTPStatus(202, "202 Accepted")}}

- 
The request has been received but not yet acted upon. It is noncommittal, since there is no way in HTTP to later send an asynchronous response indicating the outcome of the request. It is intended for cases where another process or server handles the request, or for batch processing.

- 
{{HTTPStatus(203, "203 Non-Authoritative Information")}}

- 
This response code means the returned meta-information is not exactly the same as is available from the origin server, but is collected from a local or a third-party copy. This is mostly used for mirrors or backups of another resource. Except for that specific case, the "200 OK" response is preferred to this status.

- 
{{HTTPStatus(204, "204 No Content")}}

- 
There is no content to send for this request, but the headers may be useful. The user-agent may update its cached headers for this resource with the new ones.

- 
{{HTTPStatus(205, "205 Reset Content")}}

- 
Tells the user-agent to reset the document which sent this request.

- 
{{HTTPStatus(206, "206 Partial Content")}}

- 
This response code is used when the {{HTTPHeader("Range")}} header is sent from the client to request only part of a resource.

- 
{{HTTPStatus(207, "207 Multi-Status")}} ({{Glossary("WebDAV")}})

- 
Conveys information about multiple resources, for situations where multiple status codes might be appropriate.

- 
{{HTTPStatus(208, "208 Already Reported")}} ({{Glossary("WebDAV")}})

- 
Used inside a <dav:propstat> response element to avoid repeatedly enumerating the internal members of multiple bindings to the same collection.

- 
{{HTTPStatus(226, "226 IM Used")}} (HTTP Delta encoding)

- 
The server has fulfilled a GET request for the resource, and the response is a representation of the result of one or more instance-manipulations applied to the current instance.

-

-
-
Redirection messages

-
-

- 
{{HTTPStatus(300, "300 Multiple Choice")}}

- 
The request has more than one possible response. The user-agent or user should choose one of them. (There is no standardized way of choosing one of the responses, but HTML links to the possibilities are recommended so the user can pick.)

- 
{{HTTPStatus(301, "301 Moved Permanently")}}

- 
The URL of the requested resource has been changed permanently. The new URL is given in the response.

- 
{{HTTPStatus(302, "302 Found")}}

- 
This response code means that the URI of requested resource has been changed temporarily. Further changes in the URI might be made in the future. Therefore, this same URI should be used by the client in future requests.

- 
{{HTTPStatus(303, "303 See Other")}}

- 
The server sent this response to direct the client to get the requested resource at another URI with a GET request.

- 
{{HTTPStatus(304, "304 Not Modified")}}

- 
This is used for caching purposes. It tells the client that the response has not been modified, so the client can continue to use the same cached version of the response.

- 
305 Use Proxy {{deprecated_inline}}

- 
Defined in a previous version of the HTTP specification to indicate that a requested response must be accessed by a proxy. It has been deprecated due to security concerns regarding in-band configuration of a proxy.

- 
306 unused

- 
This response code is no longer used; it is just reserved. It was used in a previous version of the HTTP/1.1 specification.

- 
{{HTTPStatus(307, "307 Temporary Redirect")}}

- 
The server sends this response to direct the client to get the requested resource at another URI with same method that was used in the prior request. This has the same semantics as the 302 Found HTTP response code, with the exception that the user agent must not change the HTTP method used: If a POST was used in the first request, a POST must be used in the second request.

- 
{{HTTPStatus(308, "308 Permanent Redirect")}}

- 
This means that the resource is now permanently located at another URI, specified by the Location: HTTP Response header. This has the same semantics as the 301 Moved Permanently HTTP response code, with the exception that the user agent must not change the HTTP method used: If a POST was used in the first request, a POST must be used in the second request.

-

-
-
Client error responses

-
-

- 
{{HTTPStatus(400, "400 Bad Request")}}

- 
The server could not understand the request due to invalid syntax.

- 
{{HTTPStatus(401, "401 Unauthorized")}}

- 
Although the HTTP standard specifies "unauthorized", semantically this response means "unauthenticated". That is, the client must authenticate itself to get the requested response.

- 
{{HTTPStatus(402, "402 Payment Required")}} {{experimental_inline}}

- 
This response code is reserved for future use. The initial aim for creating this code was using it for digital payment systems, however this status code is used very rarely and no standard convention exists.

- 
{{HTTPStatus(403, "403 Forbidden")}}

- 
The client does not have access rights to the content; that is, it is unauthorized, so the server is refusing to give the requested resource. Unlike 401, the client's identity is known to the server.

- 
{{HTTPStatus(404, "404 Not Found")}}

- 
The server can not find the requested resource. In the browser, this means the URL is not recognized. In an API, this can also mean that the endpoint is valid but the resource itself does not exist. Servers may also send this response instead of 403 to hide the existence of a resource from an unauthorized client. This response code is probably the most famous one due to its frequent occurrence on the web.

- 
{{HTTPStatus(405, "405 Method Not Allowed")}}

- 
The request method is known by the server but is not supported by the target resource. For example, an API may forbid DELETE-ing a resource.

- 
{{HTTPStatus(406, "406 Not Acceptable")}}

- 
This response is sent when the web server, after performing server-driven content negotiation, doesn't find any content that conforms to the criteria given by the user agent.

- 
{{HTTPStatus(407, "407 Proxy Authentication Required")}}

- 
This is similar to 401 but authentication is needed to be done by a proxy.

- 
{{HTTPStatus(408, "408 Request Timeout")}}

- 
This response is sent on an idle connection by some servers, even without any previous request by the client. It means that the server would like to shut down this unused connection. This response is used much more since some browsers, like Chrome, Firefox 27+, or IE9, use HTTP pre-connection mechanisms to speed up surfing. Also note that some servers merely shut down the connection without sending this message.

- 
{{HTTPStatus(409, "409 Conflict")}}

- 
This response is sent when a request conflicts with the current state of the server.

- 
{{HTTPStatus(410, "410 Gone")}}

- 
This response is sent when the requested content has been permanently deleted from server, with no forwarding address. Clients are expected to remove their caches and links to the resource. The HTTP specification intends this status code to be used for "limited-time, promotional services". APIs should not feel compelled to indicate resources that have been deleted with this status code.

- 
{{HTTPStatus(411, "411 Length Required")}}

- 
Server rejected the request because the Content-Length header field is not defined and the server requires it.

- 
{{HTTPStatus(412, "412 Precondition Failed")}}

- 
The client has indicated preconditions in its headers which the server does not meet.

- 
{{HTTPStatus(413, "413 Payload Too Large")}}

- 
Request entity is larger than limits defined by server; the server might close the connection or return an Retry-After header field.

- 
{{HTTPStatus(414, "414 URI Too Long")}}

- 
The URI requested by the client is longer than the server is willing to interpret.

- 
{{HTTPStatus(415, "415 Unsupported Media Type")}}

- 
The media format of the requested data is not supported by the server, so the server is rejecting the request.

- 
{{HTTPStatus(416, "416 Range Not Satisfiable")}}

- 
The range specified by the Range header field in the request can't be fulfilled; it's possible that the range is outside the size of the target URI's data.

- 
{{HTTPStatus(417, "417 Expectation Failed")}}

- 
This response code means the expectation indicated by the Expect request header field can't be met by the server.

- 
{{HTTPStatus(418, "418 I'm a teapot")}}

- 
The server refuses the attempt to brew coffee with a teapot.

- 
{{HTTPStatus(421, "421 Misdirected Request")}}

- 
The request was directed at a server that is not able to produce a response. This can be sent by a server that is not configured to produce responses for the combination of scheme and authority that are included in the request URI.

- 
{{HTTPStatus(422, "422 Unprocessable Entity")}} ({{Glossary("WebDAV")}})

- 
The request was well-formed but was unable to be followed due to semantic errors.

- 
{{HTTPStatus(423, "423 Locked")}} ({{Glossary("WebDAV")}})

- 
The resource that is being accessed is locked.

- 
{{HTTPStatus(424, "424 Failed Dependency")}} ({{Glossary("WebDAV")}})

- 
The request failed due to failure of a previous request.

- 
{{HTTPStatus(425, "425 Too Early")}} {{experimental_inline}}

- 
Indicates that the server is unwilling to risk processing a request that might be replayed.

- 
{{HTTPStatus(426, "426 Upgrade Required")}}

- 
The server refuses to perform the request using the current protocol but might be willing to do so after the client upgrades to a different protocol. The server sends an {{HTTPHeader("Upgrade")}} header in a 426 response to indicate the required protocol(s).

- 
{{HTTPStatus(428, "428 Precondition Required")}}

- 
The origin server requires the request to be conditional. This response is intended to prevent the 'lost update' problem, where a client GETs a resource's state, modifies it, and PUTs it back to the server, when meanwhile a third party has modified the state on the server, leading to a conflict.

- 
{{HTTPStatus(429, "429 Too Many Requests")}}

- 
The user has sent too many requests in a given amount of time ("rate limiting").

- 
{{HTTPStatus(431, "431 Request Header Fields Too Large")}}

- 
The server is unwilling to process the request because its header fields are too large. The request may be resubmitted after reducing the size of the request header fields.

- 
{{HTTPStatus(451, "451 Unavailable For Legal Reasons")}}

- 
The user-agent requested a resource that cannot legally be provided, such as a web page censored by a government.

-

-
-
Server error responses

-
-

- 
{{HTTPStatus(500, "500 Internal Server Error")}}

- 
The server has encountered a situation it doesn't know how to handle.

- 
{{HTTPStatus(501, "501 Not Implemented")}}

- 
The request method is not supported by the server and cannot be handled. The only methods that servers are required to support (and therefore that must not return this code) are GET and HEAD.

- 
{{HTTPStatus(502, "502 Bad Gateway")}}

- 
This error response means that the server, while working as a gateway to get a response needed to handle the request, got an invalid response.

- 
{{HTTPStatus(503, "503 Service Unavailable")}}

- 
The server is not ready to handle the request. Common causes are a server that is down for maintenance or that is overloaded. Note that together with this response, a user-friendly page explaining the problem should be sent. This response should be used for temporary conditions and the Retry-After: HTTP header should, if possible, contain the estimated time before the recovery of the service. The webmaster must also take care about the caching-related headers that are sent along with this response, as these temporary condition responses should usually not be cached.

- 
{{HTTPStatus(504, "504 Gateway Timeout")}}

- 
This error response is given when the server is acting as a gateway and cannot get a response in time.

- 
{{HTTPStatus(505, "505 HTTP Version Not Supported")}}

- 
The HTTP version used in the request is not supported by the server.

- 
{{HTTPStatus(506, "506 Variant Also Negotiates")}}

- 
The server has an internal configuration error: the chosen variant resource is configured to engage in transparent content negotiation itself, and is therefore not a proper end point in the negotiation process.

- 
{{HTTPStatus(507, "507 Insufficient Storage")}} ({{Glossary("WebDAV")}})

- 
The method could not be performed on the resource because the server is unable to store the representation needed to successfully complete the request.

- 
{{HTTPStatus(508, "508 Loop Detected")}} ({{Glossary("WebDAV")}})

- 
The server detected an infinite loop while processing the request.

- 
{{HTTPStatus(510, "510 Not Extended")}}

- 
Further extensions to the request are required for the server to fulfill it.

- 
{{HTTPStatus(511, "511 Network Authentication Required")}}

- 
The 511 status code indicates that the client needs to authenticate to gain network access.

-

-
-
Browser compatibility

-
-
{{Compat("http.status")}}

-
-
See also

-
-
+{{HTTPSidebar}}
+
+HTTP response status codes indicate whether a specific [HTTP](/en-US/docs/Web/HTTP) request has been successfully completed. Responses are grouped in five classes:
+
+1.  [Informational responses](#information_responses) (`100`–`199`)
+2.  [Successful responses](#successful_responses) (`200`–`299`)
+3.  [Redirects](#redirection_messages) (`300`–`399`)
+4.  [Client errors](#client_error_responses) (`400`–`499`)
+5.  [Server errors](#server_error_responses) (`500`–`599`)
+
+The below status codes are defined by [section 10 of RFC 2616](https://datatracker.ietf.org/doc/html/rfc2616#section-10). You can find an updated specification in [RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231#section-6.5.1).
+
+> **Note:** If you receive a response that is not in this list, it is a non-standard response, possibly custom to the server's software.
+
+## Information responses
+
+- {{HTTPStatus(100, "100 Continue")}}
+  - : This interim response indicates that everything so far is OK and that the client should continue the request, or ignore the response if the request is already finished.
+- {{HTTPStatus(101, "101 Switching Protocol")}}
+  - : This code is sent in response to an {{HTTPHeader("Upgrade")}} request header from the client, and indicates the protocol the server is switching to.
+- {{HTTPStatus(102, "102 Processing")}} ({{Glossary("WebDAV")}})
+  - : This code indicates that the server has received and is processing the request, but no response is available yet.
+- {{HTTPStatus(103, "103 Early Hints")}}
+  - : This status code is primarily intended to be used with the {{HTTPHeader("Link")}} header, letting the user agent start [preloading](/en-US/docs/Web/HTML/Link_types/preload) resources while the server prepares a response.
+
+## Successful responses
+
+- {{HTTPStatus(200, "200 OK")}}
+
+  - : The request has succeeded. The meaning of the success depends on the HTTP method:
+
+    - `GET`: The resource has been fetched and is transmitted in the message body.
+    - `HEAD`: The representation headers are included in the response without any message body.
+    - `PUT` or `POST`: The resource describing the result of the action is transmitted in the message body.
+    - `TRACE`: The message body contains the request message as received by the server.
+
+- {{HTTPStatus(201, "201 Created")}}
+  - : The request has succeeded and a new resource has been created as a result. This is typically the response sent after `POST` requests, or some `PUT` requests.
+- {{HTTPStatus(202, "202 Accepted")}}
+  - : The request has been received but not yet acted upon. It is noncommittal, since there is no way in HTTP to later send an asynchronous response indicating the outcome of the request. It is intended for cases where another process or server handles the request, or for batch processing.
+- {{HTTPStatus(203, "203 Non-Authoritative Information")}}
+  - : This response code means the returned meta-information is not exactly the same as is available from the origin server, but is collected from a local or a third-party copy. This is mostly used for mirrors or backups of another resource. Except for that specific case, the "200 OK" response is preferred to this status.
+- {{HTTPStatus(204, "204 No Content")}}
+  - : There is no content to send for this request, but the headers may be useful. The user-agent may update its cached headers for this resource with the new ones.
+- {{HTTPStatus(205, "205 Reset Content")}}
+  - : Tells the user-agent to reset the document which sent this request.
+- {{HTTPStatus(206, "206 Partial Content")}}
+  - : This response code is used when the {{HTTPHeader("Range")}} header is sent from the client to request only part of a resource.
+- {{HTTPStatus(207, "207 Multi-Status")}} ({{Glossary("WebDAV")}})
+  - : Conveys information about multiple resources, for situations where multiple status codes might be appropriate.
+- {{HTTPStatus(208, "208 Already Reported")}} ({{Glossary("WebDAV")}})
+  - : Used inside a `` response element to avoid repeatedly enumerating the internal members of multiple bindings to the same collection.
+- {{HTTPStatus(226, "226 IM Used")}} ([HTTP Delta encoding](https://datatracker.ietf.org/doc/html/rfc3229))
+  - : The server has fulfilled a `GET` request for the resource, and the response is a representation of the result of one or more instance-manipulations applied to the current instance.
+
+## Redirection messages
+
+- {{HTTPStatus(300, "300 Multiple Choice")}}
+  - : The request has more than one possible response. The user-agent or user should choose one of them. (There is no standardized way of choosing one of the responses, but HTML links to the possibilities are recommended so the user can pick.)
+- {{HTTPStatus(301, "301 Moved Permanently")}}
+  - : The URL of the requested resource has been changed permanently. The new URL is given in the response.
+- {{HTTPStatus(302, "302 Found")}}
+  - : This response code means that the URI of requested resource has been changed _temporarily_. Further changes in the URI might be made in the future. Therefore, this same URI should be used by the client in future requests.
+- {{HTTPStatus(303, "303 See Other")}}
+  - : The server sent this response to direct the client to get the requested resource at another URI with a GET request.
+- {{HTTPStatus(304, "304 Not Modified")}}
+  - : This is used for caching purposes. It tells the client that the response has not been modified, so the client can continue to use the same cached version of the response.
+- `305 Use Proxy` {{deprecated_inline}}
+  - : Defined in a previous version of the HTTP specification to indicate that a requested response must be accessed by a proxy. It has been deprecated due to security concerns regarding in-band configuration of a proxy.
+- `306 unused`
+  - : This response code is no longer used; it is just reserved. It was used in a previous version of the HTTP/1.1 specification.
+- {{HTTPStatus(307, "307 Temporary Redirect")}}
+  - : The server sends this response to direct the client to get the requested resource at another URI with same method that was used in the prior request. This has the same semantics as the `302 Found` HTTP response code, with the exception that the user agent _must not_ change the HTTP method used: If a `POST` was used in the first request, a `POST` must be used in the second request.
+- {{HTTPStatus(308, "308 Permanent Redirect")}}
+  - : This means that the resource is now permanently located at another URI, specified by the `Location:` HTTP Response header. This has the same semantics as the `301 Moved Permanently` HTTP response code, with the exception that the user agent _must not_ change the HTTP method used: If a `POST` was used in the first request, a `POST` must be used in the second request.
+
+## Client error responses
+
+- {{HTTPStatus(400, "400 Bad Request")}}
+  - : The server could not understand the request due to invalid syntax.
+- {{HTTPStatus(401, "401 Unauthorized")}}
+  - : Although the HTTP standard specifies "unauthorized", semantically this response means "unauthenticated". That is, the client must authenticate itself to get the requested response.
+- {{HTTPStatus(402, "402 Payment Required")}} {{experimental_inline}}
+  - : This response code is reserved for future use. The initial aim for creating this code was using it for digital payment systems, however this status code is used very rarely and no standard convention exists.
+- {{HTTPStatus(403, "403 Forbidden")}}
+  - : The client does not have access rights to the content; that is, it is unauthorized, so the server is refusing to give the requested resource. Unlike 401, the client's identity is known to the server.
+- {{HTTPStatus(404, "404 Not Found")}}
+  - : The server can not find the requested resource. In the browser, this means the URL is not recognized. In an API, this can also mean that the endpoint is valid but the resource itself does not exist. Servers may also send this response instead of 403 to hide the existence of a resource from an unauthorized client. This response code is probably the most famous one due to its frequent occurrence on the web.
+- {{HTTPStatus(405, "405 Method Not Allowed")}}
+  - : The request method is known by the server but is not supported by the target resource. For example, an API may forbid DELETE-ing a resource.
+- {{HTTPStatus(406, "406 Not Acceptable")}}
+  - : This response is sent when the web server, after performing [server-driven content negotiation](/en-US/docs/Web/HTTP/Content_negotiation#server-driven_negotiation), doesn't find any content that conforms to the criteria given by the user agent.
+- {{HTTPStatus(407, "407 Proxy Authentication Required")}}
+  - : This is similar to 401 but authentication is needed to be done by a proxy.
+- {{HTTPStatus(408, "408 Request Timeout")}}
+  - : This response is sent on an idle connection by some servers, even without any previous request by the client. It means that the server would like to shut down this unused connection. This response is used much more since some browsers, like Chrome, Firefox 27+, or IE9, use HTTP pre-connection mechanisms to speed up surfing. Also note that some servers merely shut down the connection without sending this message.
+- {{HTTPStatus(409, "409 Conflict")}}
+  - : This response is sent when a request conflicts with the current state of the server.
+- {{HTTPStatus(410, "410 Gone")}}
+  - : This response is sent when the requested content has been permanently deleted from server, with no forwarding address. Clients are expected to remove their caches and links to the resource. The HTTP specification intends this status code to be used for "limited-time, promotional services". APIs should not feel compelled to indicate resources that have been deleted with this status code.
+- {{HTTPStatus(411, "411 Length Required")}}
+  - : Server rejected the request because the `Content-Length` header field is not defined and the server requires it.
+- {{HTTPStatus(412, "412 Precondition Failed")}}
+  - : The client has indicated preconditions in its headers which the server does not meet.
+- {{HTTPStatus(413, "413 Payload Too Large")}}
+  - : Request entity is larger than limits defined by server; the server might close the connection or return an `Retry-After` header field.
+- {{HTTPStatus(414, "414 URI Too Long")}}
+  - : The URI requested by the client is longer than the server is willing to interpret.
+- {{HTTPStatus(415, "415 Unsupported Media Type")}}
+  - : The media format of the requested data is not supported by the server, so the server is rejecting the request.
+- {{HTTPStatus(416, "416 Range Not Satisfiable")}}
+  - : The range specified by the `Range` header field in the request can't be fulfilled; it's possible that the range is outside the size of the target URI's data.
+- {{HTTPStatus(417, "417 Expectation Failed")}}
+  - : This response code means the expectation indicated by the `Expect` request header field can't be met by the server.
+- {{HTTPStatus(418, "418 I'm a teapot")}}
+  - : The server refuses the attempt to brew coffee with a teapot.
+- {{HTTPStatus(421, "421 Misdirected Request")}}
+  - : The request was directed at a server that is not able to produce a response. This can be sent by a server that is not configured to produce responses for the combination of scheme and authority that are included in the request URI.
+- {{HTTPStatus(422, "422 Unprocessable Entity")}} ({{Glossary("WebDAV")}})
+  - : The request was well-formed but was unable to be followed due to semantic errors.
+- {{HTTPStatus(423, "423 Locked")}} ({{Glossary("WebDAV")}})
+  - : The resource that is being accessed is locked.
+- {{HTTPStatus(424, "424 Failed Dependency")}} ({{Glossary("WebDAV")}})
+  - : The request failed due to failure of a previous request.
+- {{HTTPStatus(425, "425 Too Early")}} {{experimental_inline}}
+  - : Indicates that the server is unwilling to risk processing a request that might be replayed.
+- {{HTTPStatus(426, "426 Upgrade Required")}}
+  - : The server refuses to perform the request using the current protocol but might be willing to do so after the client upgrades to a different protocol. The server sends an {{HTTPHeader("Upgrade")}} header in a 426 response to indicate the required protocol(s).
+- {{HTTPStatus(428, "428 Precondition Required")}}
+  - : The origin server requires the request to be conditional. This response is intended to prevent the 'lost update' problem, where a client GETs a resource's state, modifies it, and PUTs it back to the server, when meanwhile a third party has modified the state on the server, leading to a conflict.
+- {{HTTPStatus(429, "429 Too Many Requests")}}
+  - : The user has sent too many requests in a given amount of time ("rate limiting").
+- {{HTTPStatus(431, "431 Request Header Fields Too Large")}}
+  - : The server is unwilling to process the request because its header fields are too large. The request may be resubmitted after reducing the size of the request header fields.
+- {{HTTPStatus(451, "451 Unavailable For Legal Reasons")}}
+  - : The user-agent requested a resource that cannot legally be provided, such as a web page censored by a government.
+
+## Server error responses
+
+- {{HTTPStatus(500, "500 Internal Server Error")}}
+  - : The server has encountered a situation it doesn't know how to handle.
+- {{HTTPStatus(501, "501 Not Implemented")}}
+  - : The request method is not supported by the server and cannot be handled. The only methods that servers are required to support (and therefore that must not return this code) are `GET` and `HEAD`.
+- {{HTTPStatus(502, "502 Bad Gateway")}}
+  - : This error response means that the server, while working as a gateway to get a response needed to handle the request, got an invalid response.
+- {{HTTPStatus(503, "503 Service Unavailable")}}
+  - : The server is not ready to handle the request. Common causes are a server that is down for maintenance or that is overloaded. Note that together with this response, a user-friendly page explaining the problem should be sent. This response should be used for temporary conditions and the `Retry-After:` HTTP header should, if possible, contain the estimated time before the recovery of the service. The webmaster must also take care about the caching-related headers that are sent along with this response, as these temporary condition responses should usually not be cached.
+- {{HTTPStatus(504, "504 Gateway Timeout")}}
+  - : This error response is given when the server is acting as a gateway and cannot get a response in time.
+- {{HTTPStatus(505, "505 HTTP Version Not Supported")}}
+  - : The HTTP version used in the request is not supported by the server.
+- {{HTTPStatus(506, "506 Variant Also Negotiates")}}
+  - : The server has an internal configuration error: the chosen variant resource is configured to engage in transparent content negotiation itself, and is therefore not a proper end point in the negotiation process.
+- {{HTTPStatus(507, "507 Insufficient Storage")}} ({{Glossary("WebDAV")}})
+  - : The method could not be performed on the resource because the server is unable to store the representation needed to successfully complete the request.
+- {{HTTPStatus(508, "508 Loop Detected")}} ({{Glossary("WebDAV")}})
+  - : The server detected an infinite loop while processing the request.
+- {{HTTPStatus(510, "510 Not Extended")}}
+  - : Further extensions to the request are required for the server to fulfill it.
+- {{HTTPStatus(511, "511 Network Authentication Required")}}
+  - : The 511 status code indicates that the client needs to authenticate to gain network access.
+
+## Browser compatibility
+
+{{Compat("http.status")}}
+
+## See also
+
+- [List of HTTP status codes on Wikipedia](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes)
+- [IANA official registry of HTTP status codes](https://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml)

From ca2362f5e24e3d5e91d928ad4f7f2d904c064169 Mon Sep 17 00:00:00 2001
From: "Michael[tm] Smith" 
Date: Fri, 13 Aug 2021 02:18:48 +0900
Subject: [PATCH 3/9] Fix some character-styling conversion failures

---
 .../http/headers/content-security-policy/navigate-to/index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/files/en-us/web/http/headers/content-security-policy/navigate-to/index.md b/files/en-us/web/http/headers/content-security-policy/navigate-to/index.md
index 0e178e413807712..004d3b4c26abda3 100644
--- a/files/en-us/web/http/headers/content-security-policy/navigate-to/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/navigate-to/index.md
@@ -14,11 +14,11 @@ browser-compat: http.headers.csp.Content-Security-Policy.navigate-to
 {{HTTPSidebar}}
 
 The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP)
-**`navigate`\*\***`-to`** directive
+**`navigate-to`** directive
 restricts the URLs to which a document can initiate navigations by any means including
 {{HTMLElement("form")}} (if {{CSP("form-action")}} is not specified),
 {{HTMLElement("a")}}, {{DOMxRef("window.location")}}, {{DOMxRef("window.open")}}, etc.
-This is an enforcement on what navigations this document initiates **not\*\*
+This is an enforcement on what navigations this document initiates, **not**
 on what this document is allowed to navigate to.
 
 > **Note:** If the {{CSP("form-action")}} directive is present,

From ad861b0e9d5e4210e7efd1b4b629527f2db7488a Mon Sep 17 00:00:00 2001
From: "Michael[tm] Smith" 
Date: Fri, 13 Aug 2021 02:49:41 +0900
Subject: [PATCH 4/9] Normalize list spacing

---
 files/en-us/web/http/authentication/index.md  |  6 +++---
 .../index.md                                  |  6 +++---
 files/en-us/web/http/cors/errors/index.md     |  4 ++--
 files/en-us/web/http/cors/index.md            |  4 ++--
 .../web/http/headers/set-cookie/index.md      |  4 ++--
 files/en-us/web/http/headers/upgrade/index.md |  4 ++--
 .../web/http/headers/user-agent/index.md      | 10 +++++-----
 files/en-us/web/http/messages/index.md        | 20 +++++++++----------
 files/en-us/web/http/overview/index.md        |  8 ++++----
 files/en-us/web/http/redirections/index.md    | 16 +++++++--------
 files/en-us/web/http/session/index.md         | 18 ++++++++---------
 files/en-us/web/http/status/index.md          | 10 +++++-----
 12 files changed, 55 insertions(+), 55 deletions(-)

diff --git a/files/en-us/web/http/authentication/index.md b/files/en-us/web/http/authentication/index.md
index 6eb3adb27cad06c..1683831a4718293 100644
--- a/files/en-us/web/http/authentication/index.md
+++ b/files/en-us/web/http/authentication/index.md
@@ -18,9 +18,9 @@ HTTP provides a general framework for access control and authentication. This pa
 
 The challenge and response flow works like this:
 
-1.  The server responds to a client with a {{HTTPStatus("401")}} (Unauthorized) response status and provides information on how to authorize with a {{HTTPHeader("WWW-Authenticate")}} response header containing at least one challenge.
-2.  A client that wants to authenticate itself with the server can then do so by including an {{HTTPHeader("Authorization")}} request header with the credentials.
-3.  Usually a client will present a password prompt to the user and will then issue the request including the correct `Authorization` header.
+1. The server responds to a client with a {{HTTPStatus("401")}} (Unauthorized) response status and provides information on how to authorize with a {{HTTPHeader("WWW-Authenticate")}} response header containing at least one challenge.
+2. A client that wants to authenticate itself with the server can then do so by including an {{HTTPHeader("Authorization")}} request header with the credentials.
+3. Usually a client will present a password prompt to the user and will then issue the request including the correct `Authorization` header.
 
 ![A sequence diagram illustrating HTTP messages between a client and a server lifeline.](httpauth.png "Sequence Diagram of Client-server HTTP Authentication")
 
diff --git a/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md b/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md
index 8291ad6272a2891..28032714f7eb6a5 100644
--- a/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md
+++ b/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md
@@ -33,9 +33,9 @@ In this case, you need to configure the server receiving the HTTP requests (whic
 
 Example:
 
-1.  A server receives a request for `http://www.example.org/whaddup` (when the canonical domain is example.org)
-2.  The server answers with a code {{HTTPStatus(301)}} with the header `{{HTTPHeader("Location")}}: http://example.org/whaddup`.
-3.  The client issues a request to the canonical domain: `http://example.org/whatddup`
+1. A server receives a request for `http://www.example.org/whaddup` (when the canonical domain is example.org)
+2. The server answers with a code {{HTTPStatus(301)}} with the header `{{HTTPHeader("Location")}}: http://example.org/whaddup`.
+3. The client issues a request to the canonical domain: `http://example.org/whatddup`
 
 The[ HTML5 boilerplate project](https://github.com/h5bp/html5-boilerplate) has an example on [how to configure an Apache server to redirect one domain to the other](https://github.com/h5bp/html5-boilerplate/blob/7a22a33d4041c479d0962499e853501073811887/.htaccess#L219-L258).
 
diff --git a/files/en-us/web/http/cors/errors/index.md b/files/en-us/web/http/cors/errors/index.md
index b5cbf7342a21eba..64e127f3740b4b0 100644
--- a/files/en-us/web/http/cors/errors/index.md
+++ b/files/en-us/web/http/cors/errors/index.md
@@ -22,8 +22,8 @@ If the CORS configuration isn't setup correctly, the browser console will presen
 
 To understand the underlying issue with the CORS configuration, you need to find out which request is at fault and why. These steps may help you do so:
 
-1.  Navigate to the web site or web app in question and open the [Developer Tools](/en-US/docs/Tools).
-2.  Now try to reproduce the failing transaction and check the [console](/en-US/docs/Tools/Web_Console) if you are seeing a CORS violation error message. It will probably look like this:
+1. Navigate to the web site or web app in question and open the [Developer Tools](/en-US/docs/Tools).
+2. Now try to reproduce the failing transaction and check the [console](/en-US/docs/Tools/Web_Console) if you are seeing a CORS violation error message. It will probably look like this:
 
 ![Firefox console showing CORS error](cors-error2.png)
 
diff --git a/files/en-us/web/http/cors/index.md b/files/en-us/web/http/cors/index.md
index 1edccc762f88e34..8c1afd6e6f3833e 100644
--- a/files/en-us/web/http/cors/index.md
+++ b/files/en-us/web/http/cors/index.md
@@ -255,8 +255,8 @@ Until browsers catch up with the spec, you may be able to work around this limit
 
 If that's not possible, then another way is to:
 
-1.  Make a [simple request](#simple_requests) (using {{domxref("Response.url")}} for the Fetch API, or {{domxref("XMLHttpRequest.responseURL")}}) to determine what URL the real preflighted request would end up at.
-2.  Make another request (the _real_ request) using the URL you obtained from `Response.url` or `XMLHttpRequest.responseURL` in the first step.
+1. Make a [simple request](#simple_requests) (using {{domxref("Response.url")}} for the Fetch API, or {{domxref("XMLHttpRequest.responseURL")}}) to determine what URL the real preflighted request would end up at.
+2. Make another request (the _real_ request) using the URL you obtained from `Response.url` or `XMLHttpRequest.responseURL` in the first step.
 
 However, if the request is one that triggers a preflight due to the presence of the `Authorization` header in the request, you won't be able to work around the limitation using the steps above. And you won't be able to work around it at all unless you have control over the server the request is being made to.
 
diff --git a/files/en-us/web/http/headers/set-cookie/index.md b/files/en-us/web/http/headers/set-cookie/index.md
index 93762426aae4c57..19c859721e10e1a 100644
--- a/files/en-us/web/http/headers/set-cookie/index.md
+++ b/files/en-us/web/http/headers/set-cookie/index.md
@@ -140,8 +140,8 @@ Set-Cookie: =; Domain=; Secure; HttpOnl
 
     > **Note:** Standards related to the [SameSite Cookies](/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) recently changed such that:
     >
-    > 1.  The cookie-sending behavior if `SameSite` is not specified is `SameSite=Lax`. Previously the default was that cookies were sent for all requests.
-    > 2.  Cookies with `SameSite=None` must now
+    > 1. The cookie-sending behavior if `SameSite` is not specified is `SameSite=Lax`. Previously the default was that cookies were sent for all requests.
+    > 2. Cookies with `SameSite=None` must now
     >     also specify the `Secure` attribute (i.e. they require a secure context).
     >
     > The options below covers the new behavior. See the [Browser compatibility](/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#browser_compatibility) table for information about specific browser implementation (rows: "`SameSite`: Defaults to `Lax`" and "`SameSite`: Secure context required").
diff --git a/files/en-us/web/http/headers/upgrade/index.md b/files/en-us/web/http/headers/upgrade/index.md
index a2c28aed398e203..d0d2fe513d9df9e 100644
--- a/files/en-us/web/http/headers/upgrade/index.md
+++ b/files/en-us/web/http/headers/upgrade/index.md
@@ -48,13 +48,13 @@ The server can choose to ignore the request, for any reason, in which case it sh
 
 If the server decides to upgrade the connection, it must:
 
-1.  Send back a {{HTTPStatus(101, "101 Switching Protocols")}} response status with an `Upgrade` header that specifies the protocol(s) being switched to. For example:
+1. Send back a {{HTTPStatus(101, "101 Switching Protocols")}} response status with an `Upgrade` header that specifies the protocol(s) being switched to. For example:
 
         HTTP/1.1 101 Switching Protocols
         Upgrade: foo/2
         Connection: Upgrade
 
-2.  Send a response to the original request *using the new protocol* (the server may only switch to a protocol with which it can complete the original request).
+2. Send a response to the original request *using the new protocol* (the server may only switch to a protocol with which it can complete the original request).
 
 A server may also send the header as part of a {{HTTPStatus("426")}} `Upgrade Required` response, to indicate that the server won't perform the request using the current protocol, but might do so if the protocol is changed. The client can then request a protocol change using the process above.
 
diff --git a/files/en-us/web/http/headers/user-agent/index.md b/files/en-us/web/http/headers/user-agent/index.md
index 9452f5ce9a790f5..dc652c6f6009dc2 100644
--- a/files/en-us/web/http/headers/user-agent/index.md
+++ b/files/en-us/web/http/headers/user-agent/index.md
@@ -54,11 +54,11 @@ For more on Firefox- and Gecko-based user agent strings, see the [Firefox user a
 
     Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion
 
-1.  `Mozilla/5.0` is the general token that says the browser is Mozilla-compatible. For historical reasons, almost every browser today sends it.
-2.  **_platform_** describes the native platform the browser is running on (Windows, Mac, Linux, Android, etc.), and if it's a mobile phone. {{Glossary("Firefox OS")}} phones say `Mobile` — the web is the platform. Note that **_platform_** can consist of multiple "`; `"-separated tokens. See below for further details and examples.
-3.  **rv:_geckoversion_** indicates the release version of Gecko (such as "_17.0_"). In recent browsers, **_geckoversion_** is the same as **_firefoxversion_**.
-4.  **_Gecko/geckotrail_** indicates that the browser is based on Gecko. (On Desktop, **_geckotrail_** is always the fixed string `20100101`.)
-5.  **_Firefox/firefoxversion_** indicates the browser is Firefox, and provides the version (such as "_17.0"_).
+1. `Mozilla/5.0` is the general token that says the browser is Mozilla-compatible. For historical reasons, almost every browser today sends it.
+2. **_platform_** describes the native platform the browser is running on (Windows, Mac, Linux, Android, etc.), and if it's a mobile phone. {{Glossary("Firefox OS")}} phones say `Mobile` — the web is the platform. Note that **_platform_** can consist of multiple "`;`"-separated tokens. See below for further details and examples.
+3. **rv:_geckoversion_** indicates the release version of Gecko (such as "_17.0_"). In recent browsers, **_geckoversion_** is the same as **_firefoxversion_**.
+4. **_Gecko/geckotrail_** indicates that the browser is based on Gecko. (On Desktop, **_geckotrail_** is always the fixed string `20100101`.)
+5. **_Firefox/firefoxversion_** indicates the browser is Firefox, and provides the version (such as "_17.0"_).
 
 ### Examples
 
diff --git a/files/en-us/web/http/messages/index.md b/files/en-us/web/http/messages/index.md
index e8c31e020bb8203..d0e45124702e90b 100644
--- a/files/en-us/web/http/messages/index.md
+++ b/files/en-us/web/http/messages/index.md
@@ -20,10 +20,10 @@ The HTTP/2 binary framing mechanism has been designed to not require any alterat
 
 HTTP requests, and responses, share similar structure and are composed of:
 
-1.  A _start-line_ describing the requests to be implemented, or its status of whether successful or a failure. This start-line is always a single line.
-2.  An optional set of _HTTP headers_ specifying the request, or describing the body included in the message.
-3.  A blank line indicating all meta-information for the request has been sent.
-4.  An optional _body_ containing data associated with the request (like content of an HTML form), or the document associated with a response. The presence of the body and its size is specified by the start-line and HTTP headers.
+1. A _start-line_ describing the requests to be implemented, or its status of whether successful or a failure. This start-line is always a single line.
+2. An optional set of _HTTP headers_ specifying the request, or describing the body included in the message.
+3. A blank line indicating all meta-information for the request has been sent.
+4. An optional _body_ containing data associated with the request (like content of an HTML form), or the document associated with a response. The presence of the body and its size is specified by the start-line and HTTP headers.
 
 The start-line and HTTP headers of the HTTP message are collectively known as the _head_ of the requests, whereas its payload is known as the _body_.
 
@@ -35,8 +35,8 @@ The start-line and HTTP headers of the HTTP message are collectively known as th
 
 HTTP requests are messages sent by the client to initiate an action on the server. Their _start-line_ contain three elements:
 
-1.  An _[HTTP method](/en-US/docs/Web/HTTP/Methods)_, a verb (like {{HTTPMethod("GET")}}, {{HTTPMethod("PUT")}} or {{HTTPMethod("POST")}}) or a noun (like {{HTTPMethod("HEAD")}} or {{HTTPMethod("OPTIONS")}}), that describes the action to be performed. For example, `GET` indicates that a resource should be fetched or `POST` means that data is pushed to the server (creating or modifying a resource, or generating a temporary document to send back).
-2.  The _request target_, usually a {{glossary("URL")}}, or the absolute path of the protocol, port, and domain are usually characterized by the request context. The format of this request target varies between different HTTP methods. It can be
+1. An _[HTTP method](/en-US/docs/Web/HTTP/Methods)_, a verb (like {{HTTPMethod("GET")}}, {{HTTPMethod("PUT")}} or {{HTTPMethod("POST")}}) or a noun (like {{HTTPMethod("HEAD")}} or {{HTTPMethod("OPTIONS")}}), that describes the action to be performed. For example, `GET` indicates that a resource should be fetched or `POST` means that data is pushed to the server (creating or modifying a resource, or generating a temporary document to send back).
+2. The _request target_, usually a {{glossary("URL")}}, or the absolute path of the protocol, port, and domain are usually characterized by the request context. The format of this request target varies between different HTTP methods. It can be
 
     - An absolute path, ultimately followed by a `'?'` and query string. This is the most common form, known as the _origin form_, and is used with `GET`, `POST`, `HEAD`, and `OPTIONS` methods.
       `POST / HTTP/1.1 GET /background.png HTTP/1.0 HEAD /test.html?query=alibaba HTTP/1.1 OPTIONS /anypage.html HTTP/1.0`
@@ -47,7 +47,7 @@ HTTP requests are messages sent by the client to initiate an action on the serve
     - The _asterisk form_, a simple asterisk (`'*'`) is used with `OPTIONS`, representing the server as a whole.
       `OPTIONS * HTTP/1.1`
 
-3.  The _HTTP version_, which defines the structure of the remaining message, acting as an indicator of the expected version to use for the response.
+3. The _HTTP version_, which defines the structure of the remaining message, acting as an indicator of the expected version to use for the response.
 
 ### Headers
 
@@ -76,9 +76,9 @@ Bodies can be broadly divided into two categories:
 
 The start line of an HTTP response, called the _status line_, contains the following information:
 
-1.  The _protocol version_, usually `HTTP/1.1`.
-2.  A _status code_, indicating success or failure of the request. Common status codes are {{HTTPStatus("200")}}, {{HTTPStatus("404")}}, or {{HTTPStatus("302")}}
-3.  A _status text_. A brief, purely informational, textual description of the status code to help a human understand the HTTP message.
+1. The _protocol version_, usually `HTTP/1.1`.
+2. A _status code_, indicating success or failure of the request. Common status codes are {{HTTPStatus("200")}}, {{HTTPStatus("404")}}, or {{HTTPStatus("302")}}
+3. A _status text_. A brief, purely informational, textual description of the status code to help a human understand the HTTP message.
 
 A typical status line looks like: `HTTP/1.1 404 Not Found`.
 
diff --git a/files/en-us/web/http/overview/index.md b/files/en-us/web/http/overview/index.md
index 81da186c24a4c8f..dbca02c49765fd6 100644
--- a/files/en-us/web/http/overview/index.md
+++ b/files/en-us/web/http/overview/index.md
@@ -99,14 +99,14 @@ Here is a list of common features controllable with HTTP.
 
 When a client wants to communicate with a server, either the final server or an intermediate proxy, it performs the following steps:
 
-1.  Open a TCP connection: The TCP connection is used to send a request, or several, and receive an answer. The client may open a new connection, reuse an existing connection, or open several TCP connections to the servers.
-2.  Send an HTTP message: HTTP messages (before HTTP/2) are human-readable. With HTTP/2, these simple messages are encapsulated in frames, making them impossible to read directly, but the principle remains the same. For example:
+1. Open a TCP connection: The TCP connection is used to send a request, or several, and receive an answer. The client may open a new connection, reuse an existing connection, or open several TCP connections to the servers.
+2. Send an HTTP message: HTTP messages (before HTTP/2) are human-readable. With HTTP/2, these simple messages are encapsulated in frames, making them impossible to read directly, but the principle remains the same. For example:
 
         GET / HTTP/1.1
         Host: developer.mozilla.org
         Accept-Language: fr
 
-3.  Read the response sent by the server, such as:
+3. Read the response sent by the server, such as:
 
         HTTP/1.1 200 OK
         Date: Sat, 09 Oct 2010 14:28:02 GMT
@@ -119,7 +119,7 @@ When a client wants to communicate with a server, either the final server or an
 
         
Date: Fri, 13 Aug 2021 02:56:00 +0900
Subject: [PATCH 5/9] Fix space-in-wrong-place issues

---
 .../choosing_between_www_and_non-www_urls/index.md            | 2 +-
 .../web/http/basics_of_http/mime_types/common_types/index.md  | 2 +-
 files/en-us/web/http/cookies/index.md                         | 2 +-
 files/en-us/web/http/cors/index.md                            | 2 +-
 .../web/http/headers/public-key-pins-report-only/index.md     | 2 +-
 files/en-us/web/http/headers/public-key-pins/index.md         | 2 +-
 files/en-us/web/http/headers/set-cookie/index.md              | 4 ++--
 .../proxy_auto-configuration_pac_file/index.md                | 2 +-
 files/en-us/web/http/status/407/index.md                      | 2 +-
 9 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md b/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md
index 28032714f7eb6a5..2b19e0098cfbc71 100644
--- a/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md
+++ b/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md
@@ -37,7 +37,7 @@ Example:
 2. The server answers with a code {{HTTPStatus(301)}} with the header `{{HTTPHeader("Location")}}: http://example.org/whaddup`.
 3. The client issues a request to the canonical domain: `http://example.org/whatddup`
 
-The[ HTML5 boilerplate project](https://github.com/h5bp/html5-boilerplate) has an example on [how to configure an Apache server to redirect one domain to the other](https://github.com/h5bp/html5-boilerplate/blob/7a22a33d4041c479d0962499e853501073811887/.htaccess#L219-L258).
+The [HTML5 boilerplate project](https://github.com/h5bp/html5-boilerplate) has an example on [how to configure an Apache server to redirect one domain to the other](https://github.com/h5bp/html5-boilerplate/blob/7a22a33d4041c479d0962499e853501073811887/.htaccess#L219-L258).
 
 ### Using _``_
 
diff --git a/files/en-us/web/http/basics_of_http/mime_types/common_types/index.md b/files/en-us/web/http/basics_of_http/mime_types/common_types/index.md
index 6c7ec40b477f93d..db93902d1a5445d 100644
--- a/files/en-us/web/http/basics_of_http/mime_types/common_types/index.md
+++ b/files/en-us/web/http/basics_of_http/mime_types/common_types/index.md
@@ -93,7 +93,7 @@ IANA is the official registry of MIME media types and maintains a [list of all t
 | `.xhtml`       | XHTML                                                                                                  | `application/xhtml+xml`                                                                                                                                                                                                                                                              |
 | `.xls`         | Microsoft Excel                                                                                        | `application/vnd.ms-excel`                                                                                                                                                                                                                                                           |
 | `.xlsx`        | Microsoft Excel (OpenXML)                                                                              | `application/vnd.openxmlformats-officedocument.spreadsheetml.sheet`                                                                                                                                                                                                                  |
-| `.xml`         | `XML`                                                                                                  | `application/xml `if _not_ readable from casual users ([RFC 3023](https://datatracker.ietf.org/doc/html/rfc3023#section-3), section 3) `text/xml` if readable from casual users ([RFC 3023](https://datatracker.ietf.org/doc/html/rfc3023#section-3), section 3)                     |
+| `.xml`         | `XML`                                                                                                  | `application/xml` if _not_ readable from casual users ([RFC 3023](https://datatracker.ietf.org/doc/html/rfc3023#section-3), section 3) `text/xml` if readable from casual users ([RFC 3023](https://datatracker.ietf.org/doc/html/rfc3023#section-3), section 3)                     |
 | `.xul`         | XUL                                                                                                    | `application/vnd.mozilla.xul+xml`                                                                                                                                                                                                                                                    |
 | `.zip`         | ZIP archive                                                                                            | `application/zip`                                                                                                                                                                                                                                                                    |
 | `.3gp`         | [3GPP](https://en.wikipedia.org/wiki/3GP_and_3G2) audio/video container                                | `video/3gpp` `audio/3gpp` if it doesn't contain video                                                                                                                                                                                                                                |
diff --git a/files/en-us/web/http/cookies/index.md b/files/en-us/web/http/cookies/index.md
index d6b9da05dddbb94..882e3179c6bd177 100644
--- a/files/en-us/web/http/cookies/index.md
+++ b/files/en-us/web/http/cookies/index.md
@@ -120,7 +120,7 @@ For example, if `Path=/docs` is set, these paths match:
 
 #### SameSite attribute
 
-The [`SameSite` ](/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite)attribute lets servers specify whether/when cookies are sent with cross-site requests (where {{Glossary("Site")}} is defined by the registrable domain), which provides some protection against cross-site request forgery attacks ({{Glossary("CSRF")}}).
+The [`SameSite`](/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) attribute lets servers specify whether/when cookies are sent with cross-site requests (where {{Glossary("Site")}} is defined by the registrable domain), which provides some protection against cross-site request forgery attacks ({{Glossary("CSRF")}}).
 
 It takes three possible values: `Strict`, `Lax`, and `None`. With `Strict`, the cookie is sent only to the same site as the one that originated it; `Lax` is similar, except that cookies are sent when the user _navigates_ to the cookie's origin site, for example, by following a link from an external site; `None` specifies that cookies are sent on both originating and cross-site requests, but *only in secure contexts* (i.e. if `SameSite=None` then the `Secure` attribute must also be set). If no `SameSite` attribute is set then the cookie is treated as `Lax`.
 
diff --git a/files/en-us/web/http/cors/index.md b/files/en-us/web/http/cors/index.md
index 8c1afd6e6f3833e..031b6535f4cae78 100644
--- a/files/en-us/web/http/cors/index.md
+++ b/files/en-us/web/http/cors/index.md
@@ -143,7 +143,7 @@ This pattern of the {{HTTPHeader("Origin")}} and {{HTTPHeader("Access-Control-
 
 ### Preflighted requests
 
-Unlike [_simple requests_ ](#simple_requests), for "preflighted" requests the browser first sends an HTTP request using the {{HTTPMethod("OPTIONS")}} method to the resource on the other origin, in order to determine if the actual request is safe to send. Cross-site requests are preflighted like this since they may have implications to user data.
+Unlike [_simple requests_](#simple_requests), for "preflighted" requests the browser first sends an HTTP request using the {{HTTPMethod("OPTIONS")}} method to the resource on the other origin, in order to determine if the actual request is safe to send. Cross-site requests are preflighted like this since they may have implications to user data.
 
 The following is an example of a request that will be preflighted:
 
diff --git a/files/en-us/web/http/headers/public-key-pins-report-only/index.md b/files/en-us/web/http/headers/public-key-pins-report-only/index.md
index 061308cd1fba957..37a525f4c438a8f 100644
--- a/files/en-us/web/http/headers/public-key-pins-report-only/index.md
+++ b/files/en-us/web/http/headers/public-key-pins-report-only/index.md
@@ -59,7 +59,7 @@ Public-Key-Pins-Report-Only: pin-sha256="";
 - max-age=\
   - : This directive is meaningless for the Public-Key-Pins-Report-Only header, it will be
     ignored by user agents and the header will not be cached.
-- `includeSubDomains `{{optional_inline}}
+- `includeSubDomains` {{optional_inline}}
   - : If this optional parameter is specified, this rule applies to all of the site's
     subdomains as well.
 - `report-uri=""`
diff --git a/files/en-us/web/http/headers/public-key-pins/index.md b/files/en-us/web/http/headers/public-key-pins/index.md
index 04ce2160452d5c3..49fc6f36f00a9f7 100644
--- a/files/en-us/web/http/headers/public-key-pins/index.md
+++ b/files/en-us/web/http/headers/public-key-pins/index.md
@@ -58,7 +58,7 @@ Public-Key-Pins: pin-sha256="";
 - `max-age=`
   - : The time, in seconds, that the browser should remember that this site is only to be
     accessed using one of the defined keys.
-- `includeSubDomains `{{optional_inline}}
+- `includeSubDomains` {{optional_inline}}
   - : If this optional parameter is specified, this rule applies to all of the site's
     subdomains as well.
 - `report-uri=""` {{optional_inline}}
diff --git a/files/en-us/web/http/headers/set-cookie/index.md b/files/en-us/web/http/headers/set-cookie/index.md
index 19c859721e10e1a..2a8b1609f1ecf5f 100644
--- a/files/en-us/web/http/headers/set-cookie/index.md
+++ b/files/en-us/web/http/headers/set-cookie/index.md
@@ -79,7 +79,7 @@ Set-Cookie: =; Domain=; Secure; HttpOnl
     > **Note:** Some `>` have a specific semantic:
     >
     > **`__Secure-` prefix**:
-    > Cookies names starting with` __Secure-`
+    > Cookies names starting with `__Secure-`
     > (dash is part of the prefix)
     > must be set with the `secure` flag from a secure page (HTTPS).
     >
@@ -98,7 +98,7 @@ Set-Cookie: =; Domain=; Secure; HttpOnl
 
     When an `Expires` date is set, the deadline is relative to the _client_ the cookie is being set on, not the server.
 
-- `Max-Age= `{{optional_inline}}
+- `Max-Age=` {{optional_inline}}
   - : Number of seconds until the cookie expires. A zero or negative number will expire the cookie immediately. If both `Expires` and `Max-Age` are set, `Max-Age` has precedence.
 - `Domain=` {{optional_inline}}
 
diff --git a/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md b/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md
index a041c51eb72e6ef..26b44bc0ba9843d 100644
--- a/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md
+++ b/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md
@@ -129,7 +129,7 @@ These functions can be used in building the PAC file:
 
   - `ProxyConfig.bindings` {{deprecated_inline}}
 
-> **Note:** pactester (part of the [pacparser ](https://github.com/pacparser/pacparser)package) was used to test the following syntax examples.
+> **Note:** pactester (part of the [pacparser](https://github.com/pacparser/pacparser) package) was used to test the following syntax examples.
 >
 > - The PAC file is named `proxy.pac`
 > - Command line: `pactester -p ~/pacparser-master/tests/proxy.pac -u http://www.mozilla.org` (passes the `host` parameter `www.mozilla.org` and the `url` parameter `http://www.mozilla.org`)
diff --git a/files/en-us/web/http/status/407/index.md b/files/en-us/web/http/status/407/index.md
index f4e7f895dd01b96..e13aecf47b389b3 100644
--- a/files/en-us/web/http/status/407/index.md
+++ b/files/en-us/web/http/status/407/index.md
@@ -10,7 +10,7 @@ browser-compat: http.status.407
 ---
 {{HTTPSidebar}}
 
-The HTTP **`407 Proxy Authentication Required `**client error
+The HTTP **`407 Proxy Authentication Required`** client error
 status response code indicates that the request has not been applied because it lacks
 valid authentication credentials for a {{Glossary("proxy server")}} that is between the
 browser and the server that can access the requested resource.

From 19a8be2c8863ddbc10d6d8767f433445c6a87d20 Mon Sep 17 00:00:00 2001
From: "Michael[tm] Smith" 
Date: Fri, 13 Aug 2021 02:58:09 +0900
Subject: [PATCH 6/9] Fix oddly-formatted HTTPStatus macro calls

---
 files/en-us/web/http/basics_of_http/mime_types/index.md   | 2 +-
 files/en-us/web/http/conditional_requests/index.md        | 2 +-
 files/en-us/web/http/headers/etag/index.md                | 7 +++----
 files/en-us/web/http/headers/expect/index.md              | 4 ++--
 files/en-us/web/http/headers/if-match/index.md            | 4 ++--
 files/en-us/web/http/headers/if-modified-since/index.md   | 2 +-
 files/en-us/web/http/headers/if-none-match/index.md       | 4 ++--
 files/en-us/web/http/headers/if-range/index.md            | 2 +-
 files/en-us/web/http/headers/if-unmodified-since/index.md | 2 +-
 files/en-us/web/http/headers/range/index.md               | 6 +++---
 10 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/files/en-us/web/http/basics_of_http/mime_types/index.md b/files/en-us/web/http/basics_of_http/mime_types/index.md
index 089f930113c2c69..910725acf3b3b24 100644
--- a/files/en-us/web/http/basics_of_http/mime_types/index.md
+++ b/files/en-us/web/http/basics_of_http/mime_types/index.md
@@ -361,7 +361,7 @@ will send this message:
 The `multipart/byteranges` MIME type is used to send partial responses to
 the browser.
 
-When the {{HTTPStatus("206")}}` Partial Content` status code is sent, this
+When the {{HTTPStatus("206", "206 Partial Content")}} status code is sent, this
 MIME type indicates that the document is composed of several parts, one for each of the
 requested ranges. Like other multipart types, the {{HTTPHeader("Content-Type")}} uses a
 `boundary` to separate the pieces. Each piece has a
diff --git a/files/en-us/web/http/conditional_requests/index.md b/files/en-us/web/http/conditional_requests/index.md
index e02423768c11579..b795966c3c5222c 100644
--- a/files/en-us/web/http/conditional_requests/index.md
+++ b/files/en-us/web/http/conditional_requests/index.md
@@ -74,7 +74,7 @@ If the resource has not changed, the server sends back a {{HTTPStatus("304")}} `
 
 ![With a stale cache, the conditional request is sent. The server can determine if the resource changed, and, as in this case, decide not to send it again as it is the same.](httpcache2.png)
 
-If the resource has changed, the server just sends back a {{HTTPStatus("200")}}` OK` response, with the new version of the resource, like if the request wasn't conditional and the client uses this new resource (and caches it).
+If the resource has changed, the server just sends back a {{HTTPStatus("200", "200 OK")}} response, with the new version of the resource, like if the request wasn't conditional and the client uses this new resource (and caches it).
 
 ![In the case where the resource was changed, it is sent back as if the request wasn't conditional.](httpcache3.png)
 
diff --git a/files/en-us/web/http/headers/etag/index.md b/files/en-us/web/http/headers/etag/index.md
index 6e9bdbd813bdf54..02d702dfedd3fb9 100644
--- a/files/en-us/web/http/headers/etag/index.md
+++ b/files/en-us/web/http/headers/etag/index.md
@@ -111,7 +111,6 @@ which tells the client that the cached version of the response is still good to
 
 - {{HTTPHeader("If-Match")}}
 - {{HTTPHeader("If-None-Match")}}
-- {{HTTPStatus("304")}}` Not Modified`
-- {{HTTPStatus("412")}}` Precondition Failed`
-- [W3C Note: Editing the Web – Detecting
-  the Lost Update Problem Using Unreserved Checkout](https://www.w3.org/1999/04/Editing/)
+- {{HTTPStatus("304", "304 Not Modified")}}
+- {{HTTPStatus("412", "Precondition Failed")}}
+- [W3C Note: Editing the Web – Detecting the Lost Update Problem Using Unreserved Checkout](https://www.w3.org/1999/04/Editing/)
diff --git a/files/en-us/web/http/headers/expect/index.md b/files/en-us/web/http/headers/expect/index.md
index b29c40331a6e3d1..2dbc95d64467fdc 100644
--- a/files/en-us/web/http/headers/expect/index.md
+++ b/files/en-us/web/http/headers/expect/index.md
@@ -83,5 +83,5 @@ cannot be met.
 
 ## See also
 
-- {{HTTPStatus("417")}}` Expectation Failed`
-- {{HTTPStatus("100")}}` Continue`
+- {{HTTPStatus("417", "417 Expectation Failed")}}
+- {{HTTPStatus("100", "100 Continue")}}
diff --git a/files/en-us/web/http/headers/if-match/index.md b/files/en-us/web/http/headers/if-match/index.md
index 08774efe5a83580..2e4b6b46721260e 100644
--- a/files/en-us/web/http/headers/if-match/index.md
+++ b/files/en-us/web/http/headers/if-match/index.md
@@ -88,5 +88,5 @@ If-Match: , , …
 - {{HTTPHeader("If-Unmodified-Since")}}
 - {{HTTPHeader("If-Modified-Since")}}
 - {{HTTPHeader("If-None-Match")}}
-- {{HTTPStatus("416")}}` Range Not Satisfiable`
-- {{HTTPStatus("412")}}` Precondition Failed`
+- {{HTTPStatus("416", "416 Range Not Satisfiable")}}
+- {{HTTPStatus("412", "412 Precondition Failed")}}
diff --git a/files/en-us/web/http/headers/if-modified-since/index.md b/files/en-us/web/http/headers/if-modified-since/index.md
index 221489264ff5b24..6ba58bb5bdd50c1 100644
--- a/files/en-us/web/http/headers/if-modified-since/index.md
+++ b/files/en-us/web/http/headers/if-modified-since/index.md
@@ -83,4 +83,4 @@ If-Modified-Since: ,    :: GMT
 - {{HTTPHeader("If-Unmodified-since")}}
 - {{HTTPHeader("If-Match")}}
 - {{HTTPHeader("If-None-Match")}}
-- {{HTTPStatus("304")}}` Not Modified`
+- {{HTTPStatus("304", "304 Not Modified")}}
diff --git a/files/en-us/web/http/headers/if-none-match/index.md b/files/en-us/web/http/headers/if-none-match/index.md
index bdef9f56a31e8b1..c0d953ca493610d 100644
--- a/files/en-us/web/http/headers/if-none-match/index.md
+++ b/files/en-us/web/http/headers/if-none-match/index.md
@@ -74,5 +74,5 @@ If-None-Match: *
 - {{HTTPHeader("If-Unmodified-Since")}}
 - {{HTTPHeader("If-Modified-Since")}}
 - {{HTTPHeader("If-Match")}}
-- {{HTTPStatus("304")}}` Not Modified`
-- {{HTTPStatus("412")}}` Precondition Failed`
+- {{HTTPStatus("304", "304 Not Modified")}}
+- {{HTTPStatus("412", "412 Precondition Failed")}}
diff --git a/files/en-us/web/http/headers/if-range/index.md b/files/en-us/web/http/headers/if-range/index.md
index 3405a39e1fd2350..065e22add39519e 100644
--- a/files/en-us/web/http/headers/if-range/index.md
+++ b/files/en-us/web/http/headers/if-range/index.md
@@ -89,5 +89,5 @@ If-Range: 
 - {{HTTPHeader("If-Unmodified-Since")}}
 - {{HTTPHeader("If-Match")}}
 - {{HTTPHeader("If-None-Match")}}
-- {{HTTPStatus("206")}}` Partial Content`
+- {{HTTPStatus("206", "206 Partial Content")}}
 - [HTTP Conditional Requests](/en-US/docs/Web/HTTP/Conditional_requests)
diff --git a/files/en-us/web/http/headers/if-unmodified-since/index.md b/files/en-us/web/http/headers/if-unmodified-since/index.md
index 9fb66f9076cef6c..388e4df4f34a034 100644
--- a/files/en-us/web/http/headers/if-unmodified-since/index.md
+++ b/files/en-us/web/http/headers/if-unmodified-since/index.md
@@ -84,4 +84,4 @@ If-Unmodified-Since: ,    :: G
 - {{HTTPHeader("If-Match")}}
 - {{HTTPHeader("If-None-Match")}}
 - {{HTTPHeader("If-Range")}}
-- {{HTTPStatus("412")}}` Precondition Failed`
+- {{HTTPStatus("412", "412 Precondition Failed")}}
diff --git a/files/en-us/web/http/headers/range/index.md b/files/en-us/web/http/headers/range/index.md
index b020b61530039c1..ff079235962dc53 100644
--- a/files/en-us/web/http/headers/range/index.md
+++ b/files/en-us/web/http/headers/range/index.md
@@ -11,7 +11,7 @@ browser-compat: http.headers.Range
 ---
 {{HTTPSidebar}}
 
-The **`Range`** HTTP request header indicates the part of a document that the server should return. Several parts can be requested with one `Range` header at once, and the server may send back these ranges in a multipart document. If the server sends back ranges, it uses the {{HTTPStatus("206")}}` Partial Content` for the response. If the ranges are invalid, the server returns the {{HTTPStatus("416")}}` Range Not Satisfiable` error. The server can also ignore the `Range` header and return the whole document with a {{HTTPStatus("200")}} status code.
+The **`Range`** HTTP request header indicates the part of a document that the server should return. Several parts can be requested with one `Range` header at once, and the server may send back these ranges in a multipart document. If the server sends back ranges, it uses the {{HTTPStatus("206", "206 Partial Content")}} for the response. If the ranges are invalid, the server returns the {{HTTPStatus("416", "416 Range Not Satisfiable")}} error. The server can also ignore the `Range` header and return the whole document with a {{HTTPStatus("200")}} status code.
 
 
@@ -70,5 +70,5 @@ Requesting the first 500 and last 500 bytes of the file. The request may be reje
 - {{HTTPHeader("If-Range")}}
 - {{HTTPHeader("Content-Range")}}
 - {{HTTPHeader("Content-Type")}}
-- {{HTTPStatus("206")}}` Partial Content`
-- {{HTTPStatus("416")}}` Range Not Satisfiable`
+- {{HTTPStatus("206", "206 Partial Content")}}
+- {{HTTPStatus("416", "416 Range Not Satisfiable")}}

From e28ae3e1c02493b2fa6a2c450766611ed63641be Mon Sep 17 00:00:00 2001
From: "Michael[tm] Smith" 
Date: Fri, 13 Aug 2021 02:59:12 +0900
Subject: [PATCH 7/9] Fix a couple miscellaneous issues

---
 files/en-us/web/http/cookies/index.md                         | 2 +-
 files/en-us/web/http/csp/errors/cspviolation/index.md         | 4 ----
 .../proxy_auto-configuration_pac_file/index.md                | 4 +++-
 3 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/files/en-us/web/http/cookies/index.md b/files/en-us/web/http/cookies/index.md
index 882e3179c6bd177..6ddc8eb296466ab 100644
--- a/files/en-us/web/http/cookies/index.md
+++ b/files/en-us/web/http/cookies/index.md
@@ -174,7 +174,7 @@ Please note the security issues in the [Security](#security) section below. Cook
 Ways to mitigate attacks involving cookies:
 
 - Use the `HttpOnly` attribute to prevent access to cookie values via JavaScript.
-- Cookies that are used for sensitive information (such as indicating authentication) should have a short lifetime, with the `SameSite` attribute set to `Strict` or `Lax`. (See [SameSite cookies](#), above.) In [browsers that support SameSite](/en-US/docs/Web/HTTP/Headers/Set-Cookie#browser_compatibility), this has the effect of ensuring that the authentication cookie is not sent with cross-site requests, so such a request is effectively unauthenticated to the application server.
+- Cookies that are used for sensitive information (such as indicating authentication) should have a short lifetime, with the `SameSite` attribute set to `Strict` or `Lax`. (See [SameSite attribute](#samesite_attribute), above.) In [browsers that support SameSite](/en-US/docs/Web/HTTP/Headers/Set-Cookie#browser_compatibility), this has the effect of ensuring that the authentication cookie is not sent with cross-site requests, so such a request is effectively unauthenticated to the application server.
 
 ## Tracking and privacy
 
diff --git a/files/en-us/web/http/csp/errors/cspviolation/index.md b/files/en-us/web/http/csp/errors/cspviolation/index.md
index 39915eeb5827720..79d2fa799d0e2f7 100644
--- a/files/en-us/web/http/csp/errors/cspviolation/index.md
+++ b/files/en-us/web/http/csp/errors/cspviolation/index.md
@@ -47,14 +47,10 @@ with:
 - `uvw`
   - : Text that provides information that may help you resolve the problem, potentially including specific changes you might make to the CSP configuration.
 
-**<<<--- The Chrome information above may be incomplete; we need to investigate that when we resume work on this content --->>>**
-
 ## What went wrong?
 
 This warning message means that due to the existence of a particular CSP directive, a resource wasn't loaded.
 
-**<<<--- add details and suggested fixes --->>>**
-
 ## See also
 
 - [CSP errors and warnings](/en-US/docs/Web/HTTP/CSP/Errors)
diff --git a/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md b/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md
index 26b44bc0ba9843d..01fe225f0f696b3 100644
--- a/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md
+++ b/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md
@@ -314,7 +314,9 @@ myIpAddress()
 
 #### Parameters
 
-**(none)**
+(none)
+
+#### Return value
 
 Returns the server IP address of the machine Firefox is running on, as a string in the dot-separated integer format.
 

From 5542fb81a9663a74d69d7408e878fd901b3d7914 Mon Sep 17 00:00:00 2001
From: "Michael[tm] Smith" 
Date: Fri, 13 Aug 2021 03:01:46 +0900
Subject: [PATCH 8/9] Fix trailing-punctuation-in-headings

---
 files/en-us/web/http/headers/set-cookie/samesite/index.md   | 2 +-
 .../proxy_auto-configuration_pac_file/index.md              | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/files/en-us/web/http/headers/set-cookie/samesite/index.md b/files/en-us/web/http/headers/set-cookie/samesite/index.md
index 676e92c282fcedf..54fee20d5659da6 100644
--- a/files/en-us/web/http/headers/set-cookie/samesite/index.md
+++ b/files/en-us/web/http/headers/set-cookie/samesite/index.md
@@ -91,7 +91,7 @@ You should explicitly communicate the intended `SameSite` policy for your cook
 Set-Cookie: flavor=choco; SameSite=Lax
 ```
 
-## Example:
+## Example
 
     RewriteEngine on
     RewriteBase "/"
diff --git a/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md b/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md
index 01fe225f0f696b3..91df4aeedb5d694 100644
--- a/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md
+++ b/files/en-us/web/http/proxy_servers_and_tunneling/proxy_auto-configuration_pac_file/index.md
@@ -227,7 +227,7 @@ isResolvable(host)
 
 Tries to resolve the hostname. Returns true if succeeds.
 
-#### Examples:
+#### Examples
 
 ```js
 isResolvable("www.mozilla.org") // true
@@ -254,7 +254,7 @@ True if and only if the IP address of the host matches the specified IP address
 
 Pattern and mask specification is done the same way as for SOCKS configuration.
 
-#### Examples:
+#### Examples
 
 ```js
 function alert_eval(str) { alert(str + ' is ' + eval(str)) }
@@ -343,7 +343,7 @@ dnsDomainLevels(host)
 
 Returns the number (integer) of DNS domain levels (number of dots) in the hostname.
 
-#### Examples:
+#### Examples
 
 ```js
 dnsDomainLevels("www");             // 0

From ea42eef892934074ad3d41bfa0e79daa426fb141 Mon Sep 17 00:00:00 2001
From: Jean-Yves Perrier 
Date: Fri, 13 Aug 2021 13:15:21 +0200
Subject: [PATCH 9/9] Fix triple dots for 
 in Web/HTTP

---
 files/en-us/web/http/authentication/index.md  |  32 ++-
 .../index.md                                  |   4 +-
 .../http/basics_of_http/data_uris/index.md    |  14 +-
 .../basics_of_http/evolution_of_http/index.md | 134 +++++----
 .../identifying_resources_on_the_web/index.md |  34 ++-
 .../http/basics_of_http/mime_types/index.md   | 100 +++----
 .../basics_of_http/resource_urls/index.md     |  22 +-
 files/en-us/web/http/caching/index.md         |  56 ++--
 .../index.md                                  |  50 ++--
 files/en-us/web/http/cookies/index.md         |  31 +-
 .../corsalloworiginnotmatchingorigin/index.md |  16 +-
 .../cors/errors/corsdidnotsucceed/index.md    |   2 +-
 .../http/cors/errors/corsdisabled/index.md    |   2 +-
 .../corsexternalredirectnotallowed/index.md   |   2 +-
 .../errors/corsinvalidallowheader/index.md    |   4 +-
 .../errors/corsinvalidallowmethod/index.md    |   4 +-
 .../cors/errors/corsmethodnotfound/index.md   |   4 +-
 .../corsmissingallowcredentials/index.md      |   4 +-
 .../index.md                                  |   4 +-
 .../errors/corsmissingalloworigin/index.md    |  18 +-
 .../index.md                                  |   4 +-
 .../corsnotsupportingcredentials/index.md     |   4 +-
 .../errors/corsoriginheadernotadded/index.md  |   4 +-
 .../corspreflightdidnotsucceed/index.md       |   4 +-
 .../cors/errors/corsrequestnothttp/index.md   |   2 +-
 files/en-us/web/http/cors/errors/index.md     |  10 +-
 files/en-us/web/http/cors/index.md            | 270 ++++++++++--------
 .../index.md                                  |   6 +-
 files/en-us/web/http/csp/index.md             |  58 ++--
 .../http/headers/accept-ch-lifetime/index.md  |   8 +-
 .../web/http/headers/accept-encoding/index.md |  10 +-
 .../web/http/headers/accept-patch/index.md    |   4 +-
 .../web/http/headers/accept-post/index.md     |  10 +-
 .../web/http/headers/accept-ranges/index.md   |   6 +-
 files/en-us/web/http/headers/accept/index.md  |  16 +-
 .../access-control-allow-credentials/index.md |   6 +-
 .../access-control-allow-headers/index.md     |  40 ++-
 .../access-control-allow-methods/index.md     |   8 +-
 .../access-control-allow-origin/index.md      |  16 +-
 .../access-control-expose-headers/index.md    |  18 +-
 .../headers/access-control-max-age/index.md   |   6 +-
 .../access-control-request-headers/index.md   |   6 +-
 .../access-control-request-method/index.md    |   6 +-
 files/en-us/web/http/headers/age/index.md     |   6 +-
 files/en-us/web/http/headers/allow/index.md   |   6 +-
 files/en-us/web/http/headers/alt-svc/index.md |  12 +-
 .../web/http/headers/authorization/index.md   |   6 +-
 .../web/http/headers/cache-control/index.md   |  66 +++--
 .../web/http/headers/clear-site-data/index.md |  22 +-
 .../web/http/headers/connection/index.md      |   2 +-
 .../http/headers/content-disposition/index.md |  38 +--
 .../web/http/headers/content-dpr/index.md     |   4 +-
 .../http/headers/content-encoding/index.md    |  10 +-
 .../http/headers/content-language/index.md    |   6 +-
 .../web/http/headers/content-length/index.md  |   2 +-
 .../http/headers/content-location/index.md    |  40 +--
 .../web/http/headers/content-range/index.md   |   6 +-
 .../index.md                                  |  14 +-
 .../content-security-policy/base-uri/index.md |   6 +-
 .../block-all-mixed-content/index.md          |  12 +-
 .../child-src/index.md                        |   4 +-
 .../connect-src/index.md                      |   4 +-
 .../default-src/index.md                      |   6 +-
 .../content-security-policy/font-src/index.md |   4 +-
 .../form-action/index.md                      |   6 +-
 .../frame-ancestors/index.md                  |   4 +-
 .../frame-src/index.md                        |   4 +-
 .../content-security-policy/img-src/index.md  |   4 +-
 .../headers/content-security-policy/index.md  |  40 ++-
 .../manifest-src/index.md                     |   4 +-
 .../media-src/index.md                        |   4 +-
 .../navigate-to/index.md                      |   2 +-
 .../object-src/index.md                       |   4 +-
 .../plugin-types/index.md                     |   6 +-
 .../prefetch-src/index.md                     |   8 +-
 .../content-security-policy/referrer/index.md |   6 +-
 .../report-uri/index.md                       |   8 +-
 .../require-sri-for/index.md                  |   6 +-
 .../require-trusted-types-for/index.md        |  16 +-
 .../content-security-policy/sandbox/index.md  |   4 +-
 .../script-src-attr/index.md                  |   4 +-
 .../script-src/index.md                       |  30 +-
 .../style-src-attr/index.md                   |   8 +-
 .../style-src-elem/index.md                   |   2 +-
 .../style-src/index.md                        |  10 +-
 .../upgrade-insecure-requests/index.md        |  22 +-
 .../worker-src/index.md                       |   7 +-
 .../web/http/headers/content-type/index.md    |  26 +-
 files/en-us/web/http/headers/cookie/index.md  |   6 +-
 files/en-us/web/http/headers/cookie2/index.md |   4 +-
 .../cross-origin-embedder-policy/index.md     |  12 +-
 .../cross-origin-opener-policy/index.md       |  16 +-
 .../cross-origin-resource-policy/index.md     |  12 +-
 files/en-us/web/http/headers/date/index.md    |   6 +-
 .../web/http/headers/device-memory/index.md   |  12 +-
 files/en-us/web/http/headers/digest/index.md  |  12 +-
 files/en-us/web/http/headers/dnt/index.md     |   6 +-
 .../en-us/web/http/headers/downlink/index.md  |  12 +-
 files/en-us/web/http/headers/dpr/index.md     |  16 +-
 .../web/http/headers/early-data/index.md      |  13 +-
 files/en-us/web/http/headers/ect/index.md     |  12 +-
 files/en-us/web/http/headers/etag/index.md    |  20 +-
 .../en-us/web/http/headers/expect-ct/index.md |  12 +-
 files/en-us/web/http/headers/expect/index.md  |  16 +-
 files/en-us/web/http/headers/expires/index.md |   6 +-
 .../feature-policy/accelerometer/index.md     |   4 +-
 .../ambient-light-sensor/index.md             |   4 +-
 .../headers/feature-policy/autoplay/index.md  |   4 +-
 .../headers/feature-policy/battery/index.md   |   4 +-
 .../headers/feature-policy/camera/index.md    |   4 +-
 .../feature-policy/display-capture/index.md   |   4 +-
 .../feature-policy/document-domain/index.md   |   4 +-
 .../feature-policy/encrypted-media/index.md   |   4 +-
 .../feature-policy/fullscreen/index.md        |   8 +-
 .../headers/feature-policy/gamepad/index.md   |  12 +-
 .../feature-policy/geolocation/index.md       |  14 +-
 .../headers/feature-policy/gyroscope/index.md |   4 +-
 .../web/http/headers/feature-policy/index.md  |   8 +-
 .../feature-policy/layout-animations/index.md |   4 +-
 .../legacy-image-formats/index.md             |   4 +-
 .../feature-policy/magnetometer/index.md      |   4 +-
 .../feature-policy/microphone/index.md        |   4 +-
 .../http/headers/feature-policy/midi/index.md |   4 +-
 .../feature-policy/oversized-images/index.md  |   4 +-
 .../headers/feature-policy/payment/index.md   |   4 +-
 .../picture-in-picture/index.md               |   4 +-
 .../publickey-credentials-get/index.md        |   4 +-
 .../feature-policy/screen-wake-lock/index.md  |   4 +-
 .../headers/feature-policy/sync-xhr/index.md  |   4 +-
 .../unoptimized-images/index.md               |   4 +-
 .../feature-policy/unsized-media/index.md     |   4 +-
 .../http/headers/feature-policy/usb/index.md  |   4 +-
 .../headers/feature-policy/vibrate/index.md   |   4 +-
 .../http/headers/feature-policy/vr/index.md   |   4 +-
 .../headers/feature-policy/web-share/index.md |   4 +-
 .../xr-spatial-tracking/index.md              |   4 +-
 .../en-us/web/http/headers/forwarded/index.md |  28 +-
 files/en-us/web/http/headers/from/index.md    |   6 +-
 files/en-us/web/http/headers/host/index.md    |   6 +-
 .../en-us/web/http/headers/if-match/index.md  |   4 +-
 .../http/headers/if-modified-since/index.md   |   6 +-
 .../web/http/headers/if-none-match/index.md   |   4 +-
 .../en-us/web/http/headers/if-range/index.md  |   6 +-
 .../http/headers/if-unmodified-since/index.md |   6 +-
 .../web/http/headers/keep-alive/index.md      |  24 +-
 .../http/headers/large-allocation/index.md    |   8 +-
 .../web/http/headers/last-modified/index.md   |   6 +-
 files/en-us/web/http/headers/link/index.md    |  12 +-
 .../en-us/web/http/headers/location/index.md  |   6 +-
 files/en-us/web/http/headers/nel/index.md     |   2 +-
 files/en-us/web/http/headers/origin/index.md  |   6 +-
 files/en-us/web/http/headers/pragma/index.md  |   6 +-
 .../http/headers/proxy-authenticate/index.md  |   8 +-
 .../http/headers/proxy-authorization/index.md |   6 +-
 .../public-key-pins-report-only/index.md      |  14 +-
 .../web/http/headers/public-key-pins/index.md |  14 +-
 files/en-us/web/http/headers/range/index.md   |  10 +-
 files/en-us/web/http/headers/referer/index.md |  10 +-
 .../web/http/headers/referrer-policy/index.md |   8 +-
 .../web/http/headers/retry-after/index.md     |  11 +-
 files/en-us/web/http/headers/rtt/index.md     |  12 +-
 .../en-us/web/http/headers/save-data/index.md |  45 +--
 .../web/http/headers/sec-fetch-dest/index.md  |  52 ++--
 .../web/http/headers/sec-fetch-mode/index.md  |  30 +-
 .../web/http/headers/sec-fetch-site/index.md  |  30 +-
 .../web/http/headers/sec-fetch-user/index.md  |  14 +-
 .../headers/sec-websocket-accept/index.md     |   6 +-
 .../web/http/headers/server-timing/index.md   |  26 +-
 files/en-us/web/http/headers/server/index.md  |   8 +-
 .../web/http/headers/set-cookie/index.md      |  47 +--
 .../http/headers/set-cookie/samesite/index.md |  36 +--
 .../web/http/headers/set-cookie2/index.md     |   2 +-
 .../en-us/web/http/headers/sourcemap/index.md |   8 +-
 .../strict-transport-security/index.md        |  10 +-
 files/en-us/web/http/headers/te/index.md      |   5 +-
 .../http/headers/timing-allow-origin/index.md |  12 +-
 files/en-us/web/http/headers/tk/index.md      |   6 +-
 files/en-us/web/http/headers/trailer/index.md |  32 ++-
 .../http/headers/transfer-encoding/index.md   |  29 +-
 .../upgrade-insecure-requests/index.md        |  18 +-
 files/en-us/web/http/headers/upgrade/index.md |  46 +--
 .../http/headers/user-agent/firefox/index.md  |  26 +-
 .../web/http/headers/user-agent/index.md      |  68 +++--
 files/en-us/web/http/headers/vary/index.md    |  18 +-
 files/en-us/web/http/headers/via/index.md     |  11 +-
 .../web/http/headers/viewport-width/index.md  |  14 +-
 .../web/http/headers/want-digest/index.md     |  56 ++--
 files/en-us/web/http/headers/warning/index.md |  13 +-
 files/en-us/web/http/headers/width/index.md   |  14 +-
 .../http/headers/www-authenticate/index.md    |   6 +-
 .../headers/x-content-type-options/index.md   |  11 +-
 .../headers/x-dns-prefetch-control/index.md   |   2 +-
 .../web/http/headers/x-forwarded-for/index.md |  16 +-
 .../http/headers/x-forwarded-host/index.md    |   6 +-
 .../http/headers/x-forwarded-proto/index.md   |  18 +-
 .../web/http/headers/x-frame-options/index.md |  42 ++-
 .../http/headers/x-xss-protection/index.md    |  12 +-
 .../web/http/link_prefetching_faq/index.md    |  22 +-
 files/en-us/web/http/methods/connect/index.md |  10 +-
 files/en-us/web/http/methods/delete/index.md  |  28 +-
 files/en-us/web/http/methods/get/index.md     |   2 +-
 files/en-us/web/http/methods/head/index.md    |   2 +-
 files/en-us/web/http/methods/options/index.md |  60 ++--
 files/en-us/web/http/methods/patch/index.md   |  24 +-
 files/en-us/web/http/methods/post/index.md    |  36 +--
 files/en-us/web/http/methods/put/index.md     |  14 +-
 files/en-us/web/http/methods/trace/index.md   |   2 +-
 .../web/http/network_error_logging/index.md   |  19 +-
 files/en-us/web/http/overview/index.md        |  30 +-
 .../http/protocol_upgrade_mechanism/index.md  |  24 +-
 .../web/http/public_key_pinning/index.md      |  72 +++--
 files/en-us/web/http/range_requests/index.md  |  86 +++---
 files/en-us/web/http/redirections/index.md    |  40 ++-
 files/en-us/web/http/session/index.md         | 138 ++++-----
 files/en-us/web/http/status/100/index.md      |   2 +-
 files/en-us/web/http/status/101/index.md      |  10 +-
 files/en-us/web/http/status/103/index.md      |   2 +-
 files/en-us/web/http/status/200/index.md      |   2 +-
 files/en-us/web/http/status/201/index.md      |   2 +-
 files/en-us/web/http/status/202/index.md      |   2 +-
 files/en-us/web/http/status/203/index.md      |   2 +-
 files/en-us/web/http/status/204/index.md      |   2 +-
 files/en-us/web/http/status/205/index.md      |   2 +-
 files/en-us/web/http/status/206/index.md      |   2 +-
 files/en-us/web/http/status/300/index.md      |   2 +-
 files/en-us/web/http/status/301/index.md      |  14 +-
 files/en-us/web/http/status/302/index.md      |   2 +-
 files/en-us/web/http/status/303/index.md      |   2 +-
 files/en-us/web/http/status/304/index.md      |   2 +-
 files/en-us/web/http/status/307/index.md      |   2 +-
 files/en-us/web/http/status/308/index.md      |   2 +-
 files/en-us/web/http/status/400/index.md      |   4 +-
 files/en-us/web/http/status/401/index.md      |  10 +-
 files/en-us/web/http/status/402/index.md      |   4 +-
 files/en-us/web/http/status/403/index.md      |   8 +-
 files/en-us/web/http/status/404/index.md      |   4 +-
 files/en-us/web/http/status/405/index.md      |   2 +-
 files/en-us/web/http/status/406/index.md      |   2 +-
 files/en-us/web/http/status/407/index.md      |  12 +-
 files/en-us/web/http/status/408/index.md      |   2 +-
 files/en-us/web/http/status/409/index.md      |   2 +-
 files/en-us/web/http/status/410/index.md      |   2 +-
 files/en-us/web/http/status/411/index.md      |   2 +-
 files/en-us/web/http/status/412/index.md      |   2 +-
 files/en-us/web/http/status/413/index.md      |   2 +-
 files/en-us/web/http/status/414/index.md      |   2 +-
 files/en-us/web/http/status/415/index.md      |   2 +-
 files/en-us/web/http/status/416/index.md      |   2 +-
 files/en-us/web/http/status/417/index.md      |   2 +-
 files/en-us/web/http/status/418/index.md      |   2 +-
 files/en-us/web/http/status/422/index.md      |   2 +-
 files/en-us/web/http/status/425/index.md      |   2 +-
 files/en-us/web/http/status/426/index.md      |   2 +-
 files/en-us/web/http/status/428/index.md      |   2 +-
 files/en-us/web/http/status/429/index.md      |  10 +-
 files/en-us/web/http/status/431/index.md      |   2 +-
 files/en-us/web/http/status/451/index.md      |   2 +-
 files/en-us/web/http/status/500/index.md      |   2 +-
 files/en-us/web/http/status/501/index.md      |   2 +-
 files/en-us/web/http/status/502/index.md      |   2 +-
 files/en-us/web/http/status/503/index.md      |   2 +-
 files/en-us/web/http/status/504/index.md      |   2 +-
 files/en-us/web/http/status/505/index.md      |   2 +-
 files/en-us/web/http/status/506/index.md      |   2 +-
 files/en-us/web/http/status/507/index.md      |   2 +-
 files/en-us/web/http/status/508/index.md      |   2 +-
 files/en-us/web/http/status/510/index.md      |   2 +-
 files/en-us/web/http/status/511/index.md      |   2 +-
 268 files changed, 2207 insertions(+), 1505 deletions(-)

diff --git a/files/en-us/web/http/authentication/index.md b/files/en-us/web/http/authentication/index.md
index 1683831a4718293..2b1971e5dc0d5b2 100644
--- a/files/en-us/web/http/authentication/index.md
+++ b/files/en-us/web/http/authentication/index.md
@@ -54,7 +54,7 @@ The {{HTTPHeader("WWW-Authenticate")}} and {{HTTPHeader("Proxy-Authenticate")}}
 
 The syntax for these headers is the following:
 
-```html
+```
 WWW-Authenticate:  realm=
 Proxy-Authenticate:  realm=
 ```
@@ -65,7 +65,7 @@ Here, `` is the authentication scheme ("Basic" is the most common scheme a
 
 The {{HTTPHeader("Authorization")}} and {{HTTPHeader("Proxy-Authorization")}} request headers contain the credentials to authenticate a user agent with a (proxy) server. Here, the `` is needed again followed by the credentials, which can be encoded or encrypted depending on which authentication scheme is used.
 
-```html
+```
 Authorization:  
 Proxy-Authorization:  
 ```
@@ -103,30 +103,36 @@ To password-protect a directory on an Apache server, you will need a `.htaccess`
 
 The `.htaccess` file typically looks like this:
 
-    AuthType Basic
-    AuthName "Access to the staging site"
-    AuthUserFile /path/to/.htpasswd
-    Require valid-user
+```
+AuthType Basic
+AuthName "Access to the staging site"
+AuthUserFile /path/to/.htpasswd
+Require valid-user
+```
 
 The `.htaccess` file references a `.htpasswd` file in which each line consists of a username and a password separated by a colon (`:`). You cannot see the actual passwords as they are [hashed](https://httpd.apache.org/docs/2.4/misc/password_encryptions.html) (using MD5-based hashing, in this case). Note that you can name your `.htpasswd` file differently if you like, but keep in mind this file shouldn't be accessible to anyone. (Apache is usually configured to prevent access to `.ht*` files).
 
-    aladdin:$apr1$ZjTqBB3f$IF9gdYAGlMrs2fuINjHsz.
-    user2:$apr1$O04r.y2H$/vEkesPhVInBByJUkXitA/
+```
+aladdin:$apr1$ZjTqBB3f$IF9gdYAGlMrs2fuINjHsz.
+user2:$apr1$O04r.y2H$/vEkesPhVInBByJUkXitA/
+```
 
 ### Restricting access with nginx and basic authentication
 
 For nginx, you will need to specify a location that you are going to protect and the `auth_basic` directive that provides the name to the password-protected area. The `auth_basic_user_file` directive then points to a `.htpasswd` file containing the encrypted user credentials, just like in the Apache example above.
 
-    location /status {
-        auth_basic           "Access to the staging site";
-        auth_basic_user_file /etc/apache2/.htpasswd;
-    }
+```
+location /status {
+    auth_basic           "Access to the staging site";
+    auth_basic_user_file /etc/apache2/.htpasswd;
+}
+```
 
 ### Access using credentials in the URL
 
 Many clients also let you avoid the login prompt by using an encoded URL containing the username and the password like this:
 
-```plain example-bad
+```example-bad
 https://username:password@www.example.com/
 ```
 
diff --git a/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md b/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md
index 2b19e0098cfbc71..1aaae573690977a 100644
--- a/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md
+++ b/files/en-us/web/http/basics_of_http/choosing_between_www_and_non-www_urls/index.md
@@ -45,7 +45,9 @@ It is possible to add a special HTML {{HTMLElement("link")}} element to a page t
 
 When adding such a tag, you serve the same content for both domains, telling search engines which URL is canonical. In the previous example, `http://www.example.org/whaddup` would serve the same content as `http://example.org/whaddup`, but with an additional {{htmlelement("link")}} element in the head:
 
-``
+```html
+
+``
 
 Unlike the previous case, browser history will consider non-www and www URLs as independent entries.
 
diff --git a/files/en-us/web/http/basics_of_http/data_uris/index.md b/files/en-us/web/http/basics_of_http/data_uris/index.md
index 73557779563b11e..0d577fce46a1d33 100644
--- a/files/en-us/web/http/basics_of_http/data_uris/index.md
+++ b/files/en-us/web/http/basics_of_http/data_uris/index.md
@@ -68,14 +68,14 @@ base64 a.txt>b.txt
 
 On Windows, [Convert.ToBase64String](https://docs.microsoft.com/en-us/dotnet/api/system.convert.tobase64string?view=net-5.0) from PowerShell can be used to perform the Base64 encoding:
 
-```html
+```bash
 [convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("hello"))
 # outputs to console: aGVsbG8=
 ```
 
 Alternatively, a GNU/Linux shell (such as [WSL](https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux)) provides the utility `base64`:
 
-```html
+```bash
 bash$ echo -n hello | base64
 # outputs to console: aGVsbG8=
 ```
@@ -84,11 +84,15 @@ bash$ echo -n hello | base64
 
 This section describes problems that commonly occur when creating and using `data` URLs.
 
-    data:text/html,lots of text...
bottom?arg=val
+```
+data:text/html,lots of text...
bottom?arg=val
+```
 
 This represents an HTML resource whose contents are:
 
-    lots of text...
bottom?arg=val
+```html
+lots of text...
bottom?arg=val
+```
 
 - Syntax
   - : The format for `data` URLs is very simple, but it's easy to forget to put a comma before the "data" segment, or to incorrectly encode the data into base64 format.
@@ -119,5 +123,5 @@ This represents an HTML resource whose contents are:
 - [Percent encoding](/en-US/docs/Glossary/percent-encoding)
 - {{domxref("WindowOrWorkerGlobalScope/atob","atob()")}}
 - {{domxref("WindowOrWorkerGlobalScope/btoa","btoa()")}}
-- [CSS `url()`]()
+- [CSS `url()`](/en-US/docs/Web/CSS/url())
 - [URI](/en-US/docs/Glossary/URI)
diff --git a/files/en-us/web/http/basics_of_http/evolution_of_http/index.md b/files/en-us/web/http/basics_of_http/evolution_of_http/index.md
index 761dd79b290937d..e1e3f02429e96f7 100644
--- a/files/en-us/web/http/basics_of_http/evolution_of_http/index.md
+++ b/files/en-us/web/http/basics_of_http/evolution_of_http/index.md
@@ -28,13 +28,17 @@ The HTTP protocol used in those early phases was very simple, later dubbed HTTP/
 
 The initial version of HTTP had no version number; it has been later called 0.9 to differentiate it from the later versions. HTTP/0.9 is extremely simple: requests consist of a single line and start with the only possible method {{HTTPMethod("GET")}} followed by the path to the resource (not the URL as both the protocol, server, and port are unnecessary once connected to the server).
 
-    GET /mypage.html
+```
+GET /mypage.html
+```
 
 The response is extremely simple too: it only consisted of the file itself.
 
-    
-    A very simple HTML page
-    
+```html
+
+A very simple HTML page
+
+```
 
 Unlike subsequent evolutions, there were no HTTP headers, meaning that only HTML files could be transmitted, but no other type of documents. There were no status or error codes: in case of a problem, a specific HTML file was sent back with the description of the problem contained in it, for human consumption.
 
@@ -49,28 +53,32 @@ HTTP/0.9 was very limited and both browsers and servers quickly extended it to b
 
 At this point, a typical request and response looked like this:
 
-    GET /mypage.html HTTP/1.0
-    User-Agent: NCSA_Mosaic/2.0 (Windows 3.1)
+```
+GET /mypage.html HTTP/1.0
+User-Agent: NCSA_Mosaic/2.0 (Windows 3.1)
 
-    200 OK
-    Date: Tue, 15 Nov 1994 08:12:31 GMT
-    Server: CERN/3.0 libwww/2.17
-    Content-Type: text/html
-    
-    A page with an image
-      
-    
+200 OK
+Date: Tue, 15 Nov 1994 08:12:31 GMT
+Server: CERN/3.0 libwww/2.17
+Content-Type: text/html
+
+A page with an image
+  
+
+```
 
 Followed by a second connection and request to fetch the image (followed by a response to that request):
 
-    GET /myimage.gif HTTP/1.0
-    User-Agent: NCSA_Mosaic/2.0 (Windows 3.1)
+```
+  GET /myimage.gif HTTP/1.0
+  User-Agent: NCSA_Mosaic/2.0 (Windows 3.1)
 
-    200 OK
-    Date: Tue, 15 Nov 1994 08:12:32 GMT
-    Server: CERN/3.0 libwww/2.17
-    Content-Type: text/gif
-    (image content)
+  200 OK
+  Date: Tue, 15 Nov 1994 08:12:32 GMT
+  Server: CERN/3.0 libwww/2.17
+  Content-Type: text/gif
+  (image content)
+```
 
 These novelties have not been introduced as concerted effort, but as a try-and-see approach over the 1991-1995 period: a server and a browser added one feature and it saw if it got traction. A lot of interoperability problems were common. In November 1996, in order to solve these annoyances, an informational document describing the common practices has been published, {{RFC(1945)}}. This is the definition of HTTP/1.0 and it is notable that, in the narrow sense of the term, it isn't an official standard.
 
@@ -89,47 +97,49 @@ HTTP/1.1 clarified ambiguities and introduced numerous improvements:
 
 A typical flow of requests, all through one single connection is now looking like this:
 
-    GET /en-US/docs/Glossary/Simple_header HTTP/1.1
-    Host: developer.mozilla.org
-    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
-    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-    Accept-Language: en-US,en;q=0.5
-    Accept-Encoding: gzip, deflate, br
-    Referer: https://developer.mozilla.org/en-US/docs/Glossary/Simple_header
-
-    200 OK
-    Connection: Keep-Alive
-    Content-Encoding: gzip
-    Content-Type: text/html; charset=utf-8
-    Date: Wed, 20 Jul 2016 10:55:30 GMT
-    Etag: "547fa7e369ef56031dd3bff2ace9fc0832eb251a"
-    Keep-Alive: timeout=5, max=1000
-    Last-Modified: Tue, 19 Jul 2016 00:59:33 GMT
-    Server: Apache
-    Transfer-Encoding: chunked
-    Vary: Cookie, Accept-Encoding
-
-    (content)
-
-    GET /static/img/header-background.png HTTP/1.1
-    Host: developer.mozilla.org
-    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
-    Accept: */*
-    Accept-Language: en-US,en;q=0.5
-    Accept-Encoding: gzip, deflate, br
-    Referer: https://developer.mozilla.org/en-US/docs/Glossary/Simple_header
-
-    200 OK
-    Age: 9578461
-    Cache-Control: public, max-age=315360000
-    Connection: keep-alive
-    Content-Length: 3077
-    Content-Type: image/png
-    Date: Thu, 31 Mar 2016 13:34:46 GMT
-    Last-Modified: Wed, 21 Oct 2015 18:27:50 GMT
-    Server: Apache
-
-    (image content of 3077 bytes)
+```
+GET /en-US/docs/Glossary/Simple_header HTTP/1.1
+Host: developer.mozilla.org
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://developer.mozilla.org/en-US/docs/Glossary/Simple_header
+
+200 OK
+Connection: Keep-Alive
+Content-Encoding: gzip
+Content-Type: text/html; charset=utf-8
+Date: Wed, 20 Jul 2016 10:55:30 GMT
+Etag: "547fa7e369ef56031dd3bff2ace9fc0832eb251a"
+Keep-Alive: timeout=5, max=1000
+Last-Modified: Tue, 19 Jul 2016 00:59:33 GMT
+Server: Apache
+Transfer-Encoding: chunked
+Vary: Cookie, Accept-Encoding
+
+(content)
+
+GET /static/img/header-background.png HTTP/1.1
+Host: developer.mozilla.org
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://developer.mozilla.org/en-US/docs/Glossary/Simple_header
+
+200 OK
+Age: 9578461
+Cache-Control: public, max-age=315360000
+Connection: keep-alive
+Content-Length: 3077
+Content-Type: image/png
+Date: Thu, 31 Mar 2016 13:34:46 GMT
+Last-Modified: Wed, 21 Oct 2015 18:27:50 GMT
+Server: Apache
+
+(image content of 3077 bytes)
+```
 
 HTTP/1.1 was first published as {{rfc(2068)}} in January 1997.
 
diff --git a/files/en-us/web/http/basics_of_http/identifying_resources_on_the_web/index.md b/files/en-us/web/http/basics_of_http/identifying_resources_on_the_web/index.md
index 4f08d9c99833995..1ee1ed9904f0e3c 100644
--- a/files/en-us/web/http/basics_of_http/identifying_resources_on_the_web/index.md
+++ b/files/en-us/web/http/basics_of_http/identifying_resources_on_the_web/index.md
@@ -26,22 +26,28 @@ The target of an HTTP request is called a "resource", whose nature isn't defined
 
 The most common form of URI is the Uniform Resource Locator ({{Glossary("URL")}}), which is known as the _web address_.
 
-    https://developer.mozilla.org
-    https://developer.mozilla.org/en-US/docs/Learn/
-    https://developer.mozilla.org/en-US/search?q=URL
+```
+https://developer.mozilla.org
+https://developer.mozilla.org/en-US/docs/Learn/
+https://developer.mozilla.org/en-US/search?q=URL
+```
 
 Any of those URLs can be typed into your browser's address bar to tell it to load the associated page (resource).
 
 A URL is composed of different parts, some mandatory and others are optional. A more complex example might look like this:
 
-    http://www.example.com:80/path/to/myfile.html?key1=value1&key2=value2#SomewhereInTheDocument
+```
+http://www.example.com:80/path/to/myfile.html?key1=value1&key2=value2#SomewhereInTheDocument
+```
 
 ### URNs
 
-A Uniform Resource Name (URN) is a URI that identifies a resource by name in a particular namespace.
+A Uniform Resource Name (URN) is a URI that identifies a resource by name in a particular namespace.
 
-    urn:isbn:9780141036144
-    urn:ietf:rfc:7230
+```
+urn:isbn:9780141036144
+urn:ietf:rfc:7230
+```
 
 The two URNs correspond to
 
@@ -102,12 +108,14 @@ FTP is still acceptable at the top level (such as typed directly into the browse
 
 ## Examples
 
-    https://developer.mozilla.org/en-US/docs/Learn
-    tel:+1-816-555-1212
-    git@github.com:mdn/browser-compat-data.git
-    ftp://example.org/resource.txt
-    urn:isbn:9780141036144
-    mailto:help@supercyberhelpdesk.info
+```
+https://developer.mozilla.org/en-US/docs/Learn
+tel:+1-816-555-1212
+git@github.com:mdn/browser-compat-data.git
+ftp://example.org/resource.txt
+urn:isbn:9780141036144
+mailto:help@supercyberhelpdesk.info
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/basics_of_http/mime_types/index.md b/files/en-us/web/http/basics_of_http/mime_types/index.md
index 910725acf3b3b24..2b3cee70ce4c468 100644
--- a/files/en-us/web/http/basics_of_http/mime_types/index.md
+++ b/files/en-us/web/http/basics_of_http/mime_types/index.md
@@ -41,7 +41,7 @@ The simplest MIME type consists of a _type_ and a _subtype_; these
 are each strings which, when concatenated with a slash (`/`) between them,
 comprise a MIME type. No whitespace is allowed in a MIME type:
 
-```html
+```
 type/subtype
 ```
 
@@ -58,7 +58,7 @@ and a subtype, never just one or the other.
 
 An optional **parameter** can be added to provide additional details:
 
-```html
+```
 type/subtype;parameter=value
 ```
 
@@ -299,7 +299,7 @@ As a multipart document format, it consists of different parts, delimited by a b
 its own HTTP headers, {{HTTPHeader("Content-Disposition")}}, and
 {{HTTPHeader("Content-Type")}} for file uploading fields.
 
-```html
+```
 Content-Type: multipart/form-data; boundary=aBoundaryString
 (other headers associated with the multipart document as a whole)
 
@@ -330,31 +330,33 @@ The following `
`:
 
 will send this message:
 
-    POST / HTTP/1.1
-    Host: localhost:8000
-    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
-    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-    Accept-Language: en-US,en;q=0.5
-    Accept-Encoding: gzip, deflate
-    Connection: keep-alive
-    Upgrade-Insecure-Requests: 1
-    Content-Type: multipart/form-data; boundary=---------------------------8721656041911415653955004498
-    Content-Length: 465
-
-    -----------------------------8721656041911415653955004498
-    Content-Disposition: form-data; name="myTextField"
-
-    Test
-    -----------------------------8721656041911415653955004498
-    Content-Disposition: form-data; name="myCheckBox"
-
-    on
-    -----------------------------8721656041911415653955004498
-    Content-Disposition: form-data; name="myFile"; filename="test.txt"
-    Content-Type: text/plain
-
-    Simple file.
-    -----------------------------8721656041911415653955004498--
+```
+POST / HTTP/1.1
+Host: localhost:8000
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: keep-alive
+Upgrade-Insecure-Requests: 1
+Content-Type: multipart/form-data; boundary=---------------------------8721656041911415653955004498
+Content-Length: 465
+
+-----------------------------8721656041911415653955004498
+Content-Disposition: form-data; name="myTextField"
+
+Test
+-----------------------------8721656041911415653955004498
+Content-Disposition: form-data; name="myCheckBox"
+
+on
+-----------------------------8721656041911415653955004498
+Content-Disposition: form-data; name="myFile"; filename="test.txt"
+Content-Type: text/plain
+
+Simple file.
+-----------------------------8721656041911415653955004498--
+```
 
 ### multipart/byteranges
 
@@ -368,26 +370,28 @@ requested ranges. Like other multipart types, the {{HTTPHeader("Content-Type")}}
 {{HTTPHeader("Content-Type")}} header with its actual type and a
 {{HTTPHeader("Content-Range")}} of the range it represents.
 
-    HTTP/1.1 206 Partial Content
-    Accept-Ranges: bytes
-    Content-Type: multipart/byteranges; boundary=3d6b6a416f9b5
-    Content-Length: 385
-
-    --3d6b6a416f9b5
-    Content-Type: text/html
-    Content-Range: bytes 100-200/1270
-
-    eta http-equiv="Content-type" content="text/html; charset=utf-8" />
-        
+    
 ```
 
 An example:
 
-    resource://gre/res/svg.css
+```
+resource://gre/res/svg.css
+```
 
 When arrows are found in the resource URL's ('->'), it means that the first file
 loaded the next one:
 
-    resource:// -> 
+```
+resource:// -> 
+```
 
 Please refer to [Identifying
 resources on the web](/en-US/docs/Web/HTTP/Basics_of_HTTP/Identifying_resources_on_the_Web) for more general details.
@@ -51,7 +55,9 @@ running on the site (you can find the code in  **Note:** It is recommended that web and extension developers don't try
diff --git a/files/en-us/web/http/caching/index.md b/files/en-us/web/http/caching/index.md
index 2dc9d3da2a1dfe0..53cb1a5b2d4215b 100644
--- a/files/en-us/web/http/caching/index.md
+++ b/files/en-us/web/http/caching/index.md
@@ -50,13 +50,17 @@ The {{HTTPHeader("Cache-Control")}} HTTP/1.1 general-header field is used to spe
 
 The cache should not store anything about the client request or server response. A request is sent to the server and a full response is downloaded each and every time.
 
-    Cache-Control: no-store
+```
+Cache-Control: no-store
+```
 
 #### Cache but revalidate
 
 A cache will send the request to the origin server for validation before releasing a cached copy.
 
-    Cache-Control: no-cache
+```
+Cache-Control: no-cache
+```
 
 #### Private and public caches
 
@@ -64,8 +68,10 @@ The "public" directive indicates that the response may be cached by any cache. T
 
 On the other hand, "private" indicates that the response is intended for a single user only and must not be stored by a shared cache. A private browser cache may store the response in this case.
 
-    Cache-Control: private
-    Cache-Control: public
+```
+Cache-Control: private
+Cache-Control: public
+```
 
 #### Expiration
 
@@ -73,13 +79,17 @@ The most important directive here is `max-age=`, which is the maximum a
 
 For more details, see also the [Freshness](#freshness) section below.
 
-    Cache-Control: max-age=31536000
+```
+Cache-Control: max-age=31536000
+```
 
 #### Validation
 
 When using the "`must-revalidate`" directive, the cache must verify the status of the stale resources before using it and expired ones should not be used. For more details, see the [Validation](#cache_validation) section below.
 
-    Cache-Control: must-revalidate
+```
+Cache-Control: must-revalidate
+```
 
 ### The `Pragma` header
 
@@ -103,7 +113,9 @@ If an origin server does not explicitly specify freshness (e.g. using {{HTTPHea
 
 In this case look for a {{HTTPHeader("Last-Modified")}} header. If this header is present, then the cache's freshness lifetime is equal to the value of the `Date` header minus the value of the `Last-modified` header divided by 10. The expiration time is computed as follows:
 
-    expirationTime = responseTime + freshnessLifetime - currentAge
+```
+expirationTime = responseTime + freshnessLifetime - currentAge
+```
 
 where `responseTime` is the time at which the response was received according to the browser. For more information see [RFC 7234: Hypertext Transfer Protocol (HTTP/1.1): 4.2.2.  Calculating Heuristic Freshness](https://datatracker.ietf.org/doc/html/rfc7234#section-4.2.2).
 
@@ -143,13 +155,17 @@ When a cache receives a request that has a `Vary` header field, it must not use
 
 ![The Vary header leads cache to use more HTTP headers as key for the cache.](http_vary.png)This feature is commonly used to allow a resource to be cached in uncompressed and (various) compressed forms, and served appropriately to user agents based on the encodings that they support. For example, a server can set `Vary: Accept-Encoding` to ensure that a separate version of a resource is cached for all requests that specify support for a particular set of encodings, e.g. `Accept-Encoding: gzip,deflate,sdch`.
 
-    Vary: Accept-Encoding
+```
+Vary: Accept-Encoding
+```
 
 > **Note:** Use `Vary` with care—it can easily reduce the effectiveness of caching! A caching server should use [normalization](#normalization) to reduce duplicated cache entries and unnecessary requests to the origin server. This is particularly true when using `Vary` with headers and header values that can have many values.
 
 The `Vary` header can also be useful for serving different content to desktop and mobile users, or to allow search engines to discover the mobile version of a page (and perhaps also tell them that no [Cloaking](https://en.wikipedia.org/wiki/Cloaking) is intended). This is usually achieved with the `Vary: User-Agent` header, and works because the {{HTTPHeader("User-Agent")}} header value is different for mobile and desktop clients.
 
-    Vary: User-Agent
+```
+Vary: User-Agent
+```
 
 ### Normalization
 
@@ -159,16 +175,18 @@ For example, by default all of the following result in a separate request to the
 
 To avoid unnecessary requests and duplicated cache entries, caching servers should use **normalization** to pre-process the request and cache only files that are needed. For example, in the case of `Accept-Encoding` you could check for `gzip` and other compression types in the header before doing further processing, and otherwise unset the header. In "pseudo code" this might look like:
 
-    // Normalize Accept-Encoding
-    if (req.http.Accept-Encoding) {
-      if (req.http.Accept-Encoding ~ "gzip") {
-        set req.http.Accept-Encoding = "gzip";
-      }
-      // elsif other encoding types to check
-      else {
-        unset req.http.Accept-Encoding;
-      }
-    }
+```
+// Normalize Accept-Encoding
+if (req.http.Accept-Encoding) {
+  if (req.http.Accept-Encoding ~ "gzip") {
+    set req.http.Accept-Encoding = "gzip";
+  }
+  // elsif other encoding types to check
+  else {
+    unset req.http.Accept-Encoding;
+  }
+}
+```
 
 `User-Agent` has even more variation than `Accept-Encoding`. So if using `Vary: User-Agent` for caching mobile/desktop variants of files you'd similarly check for the presence of `"mobile"` and `"desktop"` in the request `User-Agent` header, and then clear it.
 
diff --git a/files/en-us/web/http/configuring_servers_for_ogg_media/index.md b/files/en-us/web/http/configuring_servers_for_ogg_media/index.md
index ea9d1d65ad3bbc5..4c1617efbe667ac 100644
--- a/files/en-us/web/http/configuring_servers_for_ogg_media/index.md
+++ b/files/en-us/web/http/configuring_servers_for_ogg_media/index.md
@@ -24,9 +24,11 @@ Most servers don't by default serve Ogg media with the correct MIME types, so y
 
 For Apache, you can add the following to your configuration:
 
-    AddType audio/ogg .oga
-    AddType video/ogg .ogv
-    AddType application/ogg .ogg
+```
+AddType audio/ogg .oga
+AddType video/ogg .ogv
+AddType application/ogg .ogg
+```
 
 You can find specific information about possible media file types and the codecs used within them in our comprehensive [guide to media types and formats on the web](/en-US/docs/Web/Media/Formats). In particular, the article on [media container formats](/en-US/docs/Web/Media/Formats/Containers) will be especially helpful when configuring servers to host media properly.
 
@@ -64,7 +66,9 @@ There are two ways Gecko can do this. The best way is to offer an `X-Content-Dur
 
 For example, if the video is 1 minute and 32.6 seconds long, this header would be:
 
-    X-Content-Duration: 92.6
+```
+X-Content-Duration: 92.6
+```
 
 If your server provides the `X-Content-Duration` header when serving Ogg media, Gecko doesn't have to do any extra HTTP requests to seek to the end of the file to calculate its duration. This makes the entire process much more efficient as well as more accurate.
 
@@ -82,24 +86,26 @@ Another probelm with allowing HTTP compression for media streaming: Apache serve
 
 You can use the `oggz-info` tool to get the media duration; this tool is included with the [`oggz-tools`](https://www.xiph.org/oggz/) package. The output from `oggz-info` looks like this:
 
-     $ oggz-info /g/media/bruce_vs_ironman.ogv
-     Content-Duration: 00:01:00.046
-
-     Skeleton: serialno 1976223438
-             4 packets in 3 pages, 1.3 packets/page, 27.508% Ogg overhead
-             Presentation-Time: 0.000
-             Basetime: 0.000
-
-     Theora: serialno 0170995062
-             1790 packets in 1068 pages, 1.7 packets/page, 1.049% Ogg overhead
-             Video-Framerate: 29.983 fps
-             Video-Width: 640
-             Video-Height: 360
-
-     Vorbis: serialno 0708996688
-             4531 packets in 167 pages, 27.1 packets/page, 1.408% Ogg overhead
-             Audio-Samplerate: 44100 Hz
-             Audio-Channels: 2
+```
+$ oggz-info /g/media/bruce_vs_ironman.ogv
+Content-Duration: 00:01:00.046
+
+Skeleton: serialno 1976223438
+        4 packets in 3 pages, 1.3 packets/page, 27.508% Ogg overhead
+        Presentation-Time: 0.000
+        Basetime: 0.000
+
+Theora: serialno 0170995062
+        1790 packets in 1068 pages, 1.7 packets/page, 1.049% Ogg overhead
+        Video-Framerate: 29.983 fps
+        Video-Width: 640
+        Video-Height: 360
+
+Vorbis: serialno 0708996688
+        4531 packets in 167 pages, 27.1 packets/page, 1.408% Ogg overhead
+        Audio-Samplerate: 44100 Hz
+        Audio-Channels: 2
+```
 
 Note that you can't serve up the reported Content-Duration line reported by `oggz-info`, because it's reported in HH:MM:SS format. You'll need to convert it to seconds only, then serve that as your `X-Content-Duration` value. Just parse out the HH, MM, and SS into numbers, then do (HH\*3600)+(MM\*60)+SS to get the value you should report.
 
diff --git a/files/en-us/web/http/cookies/index.md b/files/en-us/web/http/cookies/index.md
index 6ddc8eb296466ab..0ae8e67e5f200b1 100644
--- a/files/en-us/web/http/cookies/index.md
+++ b/files/en-us/web/http/cookies/index.md
@@ -51,18 +51,21 @@ Set-Cookie: =
 
 This shows the server sending headers to tell the client to store a pair of cookies:
 
-    HTTP/2.0 200 OK
-    Content-Type: text/html
-    Set-Cookie: yummy_cookie=choco
-    Set-Cookie: tasty_cookie=strawberry
+```
+HTTP/2.0 200 OK
+Content-Type: text/html
+Set-Cookie: yummy_cookie=choco
+Set-Cookie: tasty_cookie=strawberry
 
-    [page content]
+[page content]
+```
 
 Then, with every subsequent request to the server, the browser sends back all previously stored cookies to the server using the {{HTTPHeader("Cookie")}} header.
 
-    GET /sample_page.html HTTP/2.0
-    Host: www.example.org
-    Cookie: yummy_cookie=choco; tasty_cookie=strawberry
+```GET /sample_page.html HTTP/2.0
+Host: www.example.org
+Cookie: yummy_cookie=choco; tasty_cookie=strawberry
+```
 
 > **Note:** Here's how to use the `Set-Cookie` header in various server-side applications:
 >
@@ -80,7 +83,9 @@ The lifetime of a cookie can be defined in two ways:
 
 For example:
 
-    Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2021 07:28:00 GMT;
+```
+Set-Cookie: id=a3fWa; Expires=Thu, 31 Oct 2021 07:28:00 GMT;
+```
 
 > **Note:** When an `Expires` date is set, the time and date set is relative to the client the cookie is being set on, not the server.
 
@@ -96,7 +101,9 @@ A cookie with the `HttpOnly` attribute is inaccessible to the JavaScript {{domxr
 
 Here is an example:
 
-    Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly
+```
+Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly
+```
 
 ### Define where cookies are sent
 
@@ -126,7 +133,9 @@ It takes three possible values: `Strict`, `Lax`, and `None`. With `Strict`, the
 
 Here is an example:
 
-    Set-Cookie: mykey=myvalue; SameSite=Strict
+```
+Set-Cookie: mykey=myvalue; SameSite=Strict
+```
 
 > **Note:** Standard related to `SameSite` recently changed (MDN documents the new behavior above). See the cookies [Browser compatibility](/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#browser_compatibility) table for information about how the attribute is handled in specific browser versions:
 >
diff --git a/files/en-us/web/http/cors/errors/corsalloworiginnotmatchingorigin/index.md b/files/en-us/web/http/cors/errors/corsalloworiginnotmatchingorigin/index.md
index ff21cb90ef6e559..7c0e4afbdac03a5 100644
--- a/files/en-us/web/http/cors/errors/corsalloworiginnotmatchingorigin/index.md
+++ b/files/en-us/web/http/cors/errors/corsalloworiginnotmatchingorigin/index.md
@@ -18,18 +18,16 @@ tags:
 
 ## Reason
 
-```html
+```
 Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'
 ```
 
 ## What went wrong?
 
-The origin making the request does not match the origin permitted by the {{HTTPHeader("Access-Control-Allow-Origin")}} header. This error can also occur if the response includes more than one
-`Access-Control-Allow-Origin` header.
+The origin making the request does not match the origin permitted by the {{HTTPHeader("Access-Control-Allow-Origin")}} header. This error can also occur if the response includes more than one `Access-Control-Allow-Origin` header.
 
 If the service your code is accessing uses a CORS request under your control, make
-sure it is configured to include your origin in its
-`Access-Control-Allow-Origin` header. In addition, confirm that only one such header is
+sure it is configured to include your origin in its `Access-Control-Allow-Origin` header. In addition, confirm that only one such header is
 included in responses, and that it includes only a single origin.
 
 For example, in Apache, add a line such as the following to the server's configuration
@@ -39,11 +37,15 @@ configuration is typically found in a `.conf` file (`httpd.conf`
 and `apache.conf` are common names for these), or in an
 `.htaccess` file.
 
-    Header set Access-Control-Allow-Origin 'origin'
+```
+Header set Access-Control-Allow-Origin 'origin'
+```
 
 For Nginx, the command to set up this header is:
 
-    add_header 'Access-Control-Allow-Origin' 'origin'
+```
+add_header 'Access-Control-Allow-Origin' 'origin'
+```
 
 ## See also
 
diff --git a/files/en-us/web/http/cors/errors/corsdidnotsucceed/index.md b/files/en-us/web/http/cors/errors/corsdidnotsucceed/index.md
index dcd7936cb29e19a..f412fe0eaee36bd 100644
--- a/files/en-us/web/http/cors/errors/corsdidnotsucceed/index.md
+++ b/files/en-us/web/http/cors/errors/corsdidnotsucceed/index.md
@@ -18,7 +18,7 @@ tags:
 
 ## Reason
 
-```html
+```
 Reason: CORS request did not succeed
 ```
 
diff --git a/files/en-us/web/http/cors/errors/corsdisabled/index.md b/files/en-us/web/http/cors/errors/corsdisabled/index.md
index 4dfb9f11608b7ad..e412b4e66d634fd 100644
--- a/files/en-us/web/http/cors/errors/corsdisabled/index.md
+++ b/files/en-us/web/http/cors/errors/corsdisabled/index.md
@@ -24,7 +24,7 @@ tags:
 
 ## Reason
 
-```html
+```
 Reason: CORS disabled
 ```
 
diff --git a/files/en-us/web/http/cors/errors/corsexternalredirectnotallowed/index.md b/files/en-us/web/http/cors/errors/corsexternalredirectnotallowed/index.md
index 80d2d22daf8d6b5..be7b138da1f501f 100644
--- a/files/en-us/web/http/cors/errors/corsexternalredirectnotallowed/index.md
+++ b/files/en-us/web/http/cors/errors/corsexternalredirectnotallowed/index.md
@@ -18,7 +18,7 @@ tags:
 
 ## Reason
 
-```html
+```
 Reason: CORS request external redirect not allowed
 ```
 
diff --git a/files/en-us/web/http/cors/errors/corsinvalidallowheader/index.md b/files/en-us/web/http/cors/errors/corsinvalidallowheader/index.md
index f18f17cc9988eb1..f86500997858dc9 100644
--- a/files/en-us/web/http/cors/errors/corsinvalidallowheader/index.md
+++ b/files/en-us/web/http/cors/errors/corsinvalidallowheader/index.md
@@ -18,8 +18,8 @@ tags:
 
 ## Reason
 
-```html
-Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’
+```
+Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Headers'
 ```
 
 ## What went wrong?
diff --git a/files/en-us/web/http/cors/errors/corsinvalidallowmethod/index.md b/files/en-us/web/http/cors/errors/corsinvalidallowmethod/index.md
index 4e10d3b19dcad9f..e27ed6c6e8f3f71 100644
--- a/files/en-us/web/http/cors/errors/corsinvalidallowmethod/index.md
+++ b/files/en-us/web/http/cors/errors/corsinvalidallowmethod/index.md
@@ -18,8 +18,8 @@ tags:
 
 ## Reason
 
-```html
-Reason: invalid token ‘xyz’ in CORS header ‘Access-Control-Allow-Methods’
+```
+Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Methods'
 ```
 
 ## What went wrong?
diff --git a/files/en-us/web/http/cors/errors/corsmethodnotfound/index.md b/files/en-us/web/http/cors/errors/corsmethodnotfound/index.md
index 1717761cdebfb44..dfb87c901f59f42 100644
--- a/files/en-us/web/http/cors/errors/corsmethodnotfound/index.md
+++ b/files/en-us/web/http/cors/errors/corsmethodnotfound/index.md
@@ -18,8 +18,8 @@ tags:
 
 ## Reason
 
-```html
-Reason: Did not find method in CORS header ‘Access-Control-Allow-Methods’
+```
+Reason: Did not find method in CORS header 'Access-Control-Allow-Methods'
 ```
 
 ## What went wrong?
diff --git a/files/en-us/web/http/cors/errors/corsmissingallowcredentials/index.md b/files/en-us/web/http/cors/errors/corsmissingallowcredentials/index.md
index 6f89fe8c4984670..812cf20163db036 100644
--- a/files/en-us/web/http/cors/errors/corsmissingallowcredentials/index.md
+++ b/files/en-us/web/http/cors/errors/corsmissingallowcredentials/index.md
@@ -18,8 +18,8 @@ tags:
 
 ## Reason
 
-```html
-Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’
+```
+Reason: expected 'true' in CORS header 'Access-Control-Allow-Credentials'
 ```
 
 ## What went wrong?
diff --git a/files/en-us/web/http/cors/errors/corsmissingallowheaderfrompreflight/index.md b/files/en-us/web/http/cors/errors/corsmissingallowheaderfrompreflight/index.md
index 35324bd84f68cbc..1e42209430616e5 100644
--- a/files/en-us/web/http/cors/errors/corsmissingallowheaderfrompreflight/index.md
+++ b/files/en-us/web/http/cors/errors/corsmissingallowheaderfrompreflight/index.md
@@ -20,8 +20,8 @@ tags:
 
 ## Reason
 
-```html
-Reason: missing token ‘xyz’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel
+```
+Reason: missing token 'xyz' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel
 ```
 
 ## What went wrong?
diff --git a/files/en-us/web/http/cors/errors/corsmissingalloworigin/index.md b/files/en-us/web/http/cors/errors/corsmissingalloworigin/index.md
index 71c7911c33b401f..8ffef8dd4b16715 100644
--- a/files/en-us/web/http/cors/errors/corsmissingalloworigin/index.md
+++ b/files/en-us/web/http/cors/errors/corsmissingalloworigin/index.md
@@ -18,7 +18,7 @@ tags:
 
 ## Reason
 
-```html
+```
 Reason: CORS header 'Access-Control-Allow-Origin' missing
 ```
 
@@ -35,7 +35,9 @@ header's value.
 For example, to allow a site at https\://amazing.site to access the resource using CORS,
 the header should be:
 
-    Access-Control-Allow-Origin: https://amazing.site
+```
+Access-Control-Allow-Origin: https://amazing.site
+```
 
 You can also configure a site to allow any site to access it by using the
 `*` wildcard. You should only use this for public APIs. Private APIs should
@@ -44,7 +46,9 @@ addition, the wildcard only works for requests made with the
 {{htmlattrxref("crossorigin")}} attribute set to `anonymous`, and it prevents
 sending credentials like cookies in requests.
 
-    Access-Control-Allow-Origin: *
+```
+Access-Control-Allow-Origin: *
+```
 
 > **Warning:** Using the wildcard to allow all sites to access a private
 > API is a bad idea.
@@ -63,11 +67,15 @@ configuration is typically found in a `.conf` file (`httpd.conf`
 and `apache.conf` are common names for these), or in an
 `.htaccess` file.
 
-    Header set Access-Control-Allow-Origin 'origin-list'
+```
+Header set Access-Control-Allow-Origin 'origin-list'
+```
 
 For Nginx, the command to set up this header is:
 
-    add_header 'Access-Control-Allow-Origin' 'origin-list';
+```
+add_header 'Access-Control-Allow-Origin' 'origin-list';
+```
 
 ## See also
 
diff --git a/files/en-us/web/http/cors/errors/corsmultiplealloworiginnotallowed/index.md b/files/en-us/web/http/cors/errors/corsmultiplealloworiginnotallowed/index.md
index 530d6b73e7b98ca..10df2a15fde3683 100644
--- a/files/en-us/web/http/cors/errors/corsmultiplealloworiginnotallowed/index.md
+++ b/files/en-us/web/http/cors/errors/corsmultiplealloworiginnotallowed/index.md
@@ -18,8 +18,8 @@ tags:
 
 ## Reason
 
-```html
-Reason: Multiple CORS header ‘Access-Control-Allow-Origin’ not allowed
+```
+Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed
 ```
 
 ## What went wrong?
diff --git a/files/en-us/web/http/cors/errors/corsnotsupportingcredentials/index.md b/files/en-us/web/http/cors/errors/corsnotsupportingcredentials/index.md
index 835a1fed02fd3fa..f9d3febcb2804ca 100644
--- a/files/en-us/web/http/cors/errors/corsnotsupportingcredentials/index.md
+++ b/files/en-us/web/http/cors/errors/corsnotsupportingcredentials/index.md
@@ -20,8 +20,8 @@ tags:
 
 ## Reason
 
-```html
-Reason: Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is ‘*’
+```
+Reason: Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'
 ```
 
 ## What went wrong?
diff --git a/files/en-us/web/http/cors/errors/corsoriginheadernotadded/index.md b/files/en-us/web/http/cors/errors/corsoriginheadernotadded/index.md
index f86ad85b15f6ae9..3416f99f64be374 100644
--- a/files/en-us/web/http/cors/errors/corsoriginheadernotadded/index.md
+++ b/files/en-us/web/http/cors/errors/corsoriginheadernotadded/index.md
@@ -18,8 +18,8 @@ tags:
 
 ## Reason
 
-```html
-Reason: CORS header ‘Origin’ cannot be added
+```
+Reason: CORS header 'Origin' cannot be added
 ```
 
 ## What went wrong?
diff --git a/files/en-us/web/http/cors/errors/corspreflightdidnotsucceed/index.md b/files/en-us/web/http/cors/errors/corspreflightdidnotsucceed/index.md
index aa24b1187925652..c23239369200c26 100644
--- a/files/en-us/web/http/cors/errors/corspreflightdidnotsucceed/index.md
+++ b/files/en-us/web/http/cors/errors/corspreflightdidnotsucceed/index.md
@@ -18,13 +18,13 @@ tags:
 
 ## Reason
 
-```html
+```
 Reason: CORS preflight channel did not succeed
 ```
 
 ## What went wrong?
 
-The {{Glossary("CORS")}} request requires  preflight, preflighting could not be
+The {{Glossary("CORS")}} request requires preflight, preflighting could not be
 performed. There are a couple of reasons why preflighting might fail:
 
 - A cross-site request has previously been performed that already did a preflight, and
diff --git a/files/en-us/web/http/cors/errors/corsrequestnothttp/index.md b/files/en-us/web/http/cors/errors/corsrequestnothttp/index.md
index 3f608973724c1f4..d05def3fdbea140 100644
--- a/files/en-us/web/http/cors/errors/corsrequestnothttp/index.md
+++ b/files/en-us/web/http/cors/errors/corsrequestnothttp/index.md
@@ -18,7 +18,7 @@ tags:
 
 ## Reason
 
-```html
+```
 Reason: CORS request not HTTP
 ```
 
diff --git a/files/en-us/web/http/cors/errors/index.md b/files/en-us/web/http/cors/errors/index.md
index 64e127f3740b4b0..21816e6618b85e4 100644
--- a/files/en-us/web/http/cors/errors/index.md
+++ b/files/en-us/web/http/cors/errors/index.md
@@ -29,15 +29,17 @@ To understand the underlying issue with the CORS configuration, you need to find
 
 The text of the error message will be something similar to the following:
 
-    Cross-Origin Request Blocked: The Same Origin Policy disallows
-    reading the remote resource at https://some-url-here. (Reason:
-    additional information here).
+```
+Cross-Origin Request Blocked: The Same Origin Policy disallows
+reading the remote resource at https://some-url-here. (Reason:
+additional information here).
+````
 
 > **Note:** For security reasons, specifics about what went wrong with a CORS request _are not available to JavaScript code_. All the code knows is that an error occurred. The only way to determine what specifically went wrong is to look at the browser's console for details.
 
 ## CORS error messages
 
-Firefox's console displays messages in its console when requests fail due to CORS. Part of the error text is a "reason" message that provides added insight into what went wrong.  The reason messages are listed below; click the message to open an article explaining the error in more detail and offering possible solutions.
+Firefox's console displays messages in its console when requests fail due to CORS. Part of the error text is a "reason" message that provides added insight into what went wrong. The reason messages are listed below; click the message to open an article explaining the error in more detail and offering possible solutions.
 
 - [Reason: CORS disabled](/en-US/docs/Web/HTTP/CORS/Errors/CORSDisabled)
 - [Reason: CORS request did not succeed](/en-US/docs/Web/HTTP/CORS/Errors/CORSDidNotSucceed)
diff --git a/files/en-us/web/http/cors/index.md b/files/en-us/web/http/cors/index.md
index 031b6535f4cae78..2d69dd383e555fd 100644
--- a/files/en-us/web/http/cors/index.md
+++ b/files/en-us/web/http/cors/index.md
@@ -58,7 +58,7 @@ We present three scenarios that demonstrate how Cross-Origin Resource Sharing wo
 
 ### Simple requests
 
-Some requests don't trigger a {{Glossary("Preflight_request","CORS preflight")}}. Those are called _simple requests_, though the {{SpecName('Fetch')}} spec (which defines CORS) doesn't use that term. A _simple request_ is one that **meets all the following conditions**:
+Some requests don't trigger a {{Glossary("Preflight_request","CORS preflight")}}. Those are called _simple requests_, though the {{SpecName("Fetch")}} spec (which defines CORS) doesn't use that term. A _simple request_ is one that **meets all the following conditions**:
 
 - One of the allowed methods:
 
@@ -107,31 +107,35 @@ This performs a simple exchange between the client and the server, using CORS he
 
 Let's look at what the browser will send to the server in this case, and let's see how the server responds:
 
-    GET /resources/public-data/ HTTP/1.1
-    Host: bar.other
-    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
-    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-    Accept-Language: en-us,en;q=0.5
-    Accept-Encoding: gzip,deflate
-    Connection: keep-alive
-    Origin: https://foo.example
+```
+GET /resources/public-data/ HTTP/1.1
+Host: bar.other
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Connection: keep-alive
+Origin: https://foo.example
+```
 
 The request header of note is {{HTTPHeader("Origin")}}, which shows that the invocation is coming from `https://foo.example`.
 
-    HTTP/1.1 200 OK
-    Date: Mon, 01 Dec 2008 00:23:53 GMT
-    Server: Apache/2
-    Access-Control-Allow-Origin: *
-    Keep-Alive: timeout=2, max=100
-    Connection: Keep-Alive
-    Transfer-Encoding: chunked
-    Content-Type: application/xml
+```
+HTTP/1.1 200 OK
+Date: Mon, 01 Dec 2008 00:23:53 GMT
+Server: Apache/2
+Access-Control-Allow-Origin: *
+Keep-Alive: timeout=2, max=100
+Connection: Keep-Alive
+Transfer-Encoding: chunked
+Content-Type: application/xml
 
-    […XML Data…]
+[…XML Data…]
+```
 
 In response, the server sends back an {{HTTPHeader("Access-Control-Allow-Origin")}} header with `Access-Control-Allow-Origin: *`, which means that the resource can be accessed by **any** origin.
 
-```html
+```
 Access-Control-Allow-Origin: *
 ```
 
@@ -164,41 +168,47 @@ The example above creates an XML body to send with the `POST` request. Also, a n
 
 Let's look at the full exchange between client and server. The first exchange is the _preflight request/response_:
 
-    OPTIONS /doc HTTP/1.1
-    Host: bar.other
-    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
-    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-    Accept-Language: en-us,en;q=0.5
-    Accept-Encoding: gzip,deflate
-    Connection: keep-alive
-    Origin: https://foo.example
-    Access-Control-Request-Method: POST
-    Access-Control-Request-Headers: X-PINGOTHER, Content-Type
-
-    HTTP/1.1 204 No Content
-    Date: Mon, 01 Dec 2008 01:15:39 GMT
-    Server: Apache/2
-    Access-Control-Allow-Origin: https://foo.example
-    Access-Control-Allow-Methods: POST, GET, OPTIONS
-    Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
-    Access-Control-Max-Age: 86400
-    Vary: Accept-Encoding, Origin
-    Keep-Alive: timeout=2, max=100
-    Connection: Keep-Alive
+```plain
+OPTIONS /doc HTTP/1.1
+Host: bar.other
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Connection: keep-alive
+Origin: https://foo.example
+Access-Control-Request-Method: POST
+Access-Control-Request-Headers: X-PINGOTHER, Content-Type
+
+HTTP/1.1 204 No Content
+Date: Mon, 01 Dec 2008 01:15:39 GMT
+Server: Apache/2
+Access-Control-Allow-Origin: https://foo.example
+Access-Control-Allow-Methods: POST, GET, OPTIONS
+Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
+Access-Control-Max-Age: 86400
+Vary: Accept-Encoding, Origin
+Keep-Alive: timeout=2, max=100
+Connection: Keep-Alive
+```
 
 Lines 1 - 10 above represent the preflight request with the {{HTTPMethod("OPTIONS")}} method. The browser determines that it needs to send this based on the request parameters that the JavaScript code snippet above was using, so that the server can respond whether it is acceptable to send the request with the actual request parameters. OPTIONS is an HTTP/1.1 method that is used to determine further information from servers, and is a {{Glossary("Safe/HTTP", "safe")}} method, meaning that it can't be used to change the resource. Note that along with the OPTIONS request, two other request headers are sent (lines 9 and 10 respectively):
 
-    Access-Control-Request-Method: POST
-    Access-Control-Request-Headers: X-PINGOTHER, Content-Type
+```
+Access-Control-Request-Method: POST
+Access-Control-Request-Headers: X-PINGOTHER, Content-Type
+```
 
 The {{HTTPHeader("Access-Control-Request-Method")}} header notifies the server as part of a preflight request that when the actual request is sent, it will be sent with a `POST` request method. The {{HTTPHeader("Access-Control-Request-Headers")}} header notifies the server that when the actual request is sent, it will be sent with a `X-PINGOTHER` and `Content-Type` custom headers. The server now has an opportunity to determine whether it wishes to accept a request under these circumstances.
 
 Lines 13 - 22 above are the response that the server sends back, which indicate that the request method (`POST`) and request headers (`X-PINGOTHER`) are acceptable. In particular, let's look at lines 16-19:
 
-    Access-Control-Allow-Origin: https://foo.example
-    Access-Control-Allow-Methods: POST, GET, OPTIONS
-    Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
-    Access-Control-Max-Age: 86400
+```
+Access-Control-Allow-Origin: https://foo.example
+Access-Control-Allow-Methods: POST, GET, OPTIONS
+Access-Control-Allow-Headers: X-PINGOTHER, Content-Type
+Access-Control-Max-Age: 86400
+```
 
 The server responds with `Access-Control-Allow-Origin: https://foo.example`, restricting access to just the requesting origin domain. It also responds with `Access-Control-Allow-Methods`, which says that `POST` and `GET` are viable methods to query the resource in question (this header is similar to the {{HTTPHeader("Allow")}} response header, but used strictly within the context of access control).
 
@@ -208,43 +218,44 @@ Finally, {{HTTPHeader("Access-Control-Max-Age")}} gives the value in seconds for
 
 Once the preflight request is complete, the real request is sent:
 
-    POST /doc HTTP/1.1
-    Host: bar.other
-    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
-    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-    Accept-Language: en-us,en;q=0.5
-    Accept-Encoding: gzip,deflate
-    Connection: keep-alive
-    X-PINGOTHER: pingpong
-    Content-Type: text/xml; charset=UTF-8
-    Referer: https://foo.example/examples/preflightInvocation.html
-    Content-Length: 55
-    Origin: https://foo.example
-    Pragma: no-cache
-    Cache-Control: no-cache
-
-    Arun
-
-    HTTP/1.1 200 OK
-    Date: Mon, 01 Dec 2008 01:15:40 GMT
-    Server: Apache/2
-    Access-Control-Allow-Origin: https://foo.example
-    Vary: Accept-Encoding, Origin
-    Content-Encoding: gzip
-    Content-Length: 235
-    Keep-Alive: timeout=2, max=99
-    Connection: Keep-Alive
-    Content-Type: text/plain
-
-    [Some XML payload]
+```plain
+POST /doc HTTP/1.1
+Host: bar.other
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Connection: keep-alive
+X-PINGOTHER: pingpong
+Content-Type: text/xml; charset=UTF-8
+Referer: https://foo.example/examples/preflightInvocation.html
+Content-Length: 55
+Origin: https://foo.example
+Pragma: no-cache
+Cache-Control: no-cache
+
+Arun
+
+HTTP/1.1 200 OK
+Date: Mon, 01 Dec 2008 01:15:40 GMT
+Server: Apache/2
+Access-Control-Allow-Origin: https://foo.example
+Vary: Accept-Encoding, Origin
+Content-Encoding: gzip
+Content-Length: 235
+Keep-Alive: timeout=2, max=99
+Connection: Keep-Alive
+Content-Type: text/plain
+
+[Some XML payload]
+```
 
 #### Preflighted requests and redirects
 
 Not all browsers currently support following redirects after a preflighted request. If a redirect occurs after a preflighted request, some browsers currently will report an error message such as the following.
 
-> The request was redirected to 'https\://example.com/foo', which is disallowed for cross-origin requests that require preflight
-
-> Request requires preflight, which is disallowed to follow cross-origin redirect
+> The request was redirected to 'https\://example.com/foo', which is disallowed for cross-origin requests that require preflight.
+> Request requires preflight, which is disallowed to follow cross-origin redirect.
 
 The CORS protocol originally required that behavior but [was subsequently changed to no longer require it](https://github.com/whatwg/fetch/commit/0d9a4db8bc02251cc9e391543bb3c1322fb882f2). However, not all browsers have implemented the change, and so still exhibit the behavior that was originally required.
 
@@ -288,33 +299,35 @@ Line 7 shows the flag on {{domxref("XMLHttpRequest")}} that has to be set in ord
 
 Here is a sample exchange between client and server:
 
-    GET /resources/credentialed-content/ HTTP/1.1
-    Host: bar.other
-    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
-    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
-    Accept-Language: en-us,en;q=0.5
-    Accept-Encoding: gzip,deflate
-    Connection: keep-alive
-    Referer: https://foo.example/examples/credential.html
-    Origin: https://foo.example
-    Cookie: pageAccess=2
-
-    HTTP/1.1 200 OK
-    Date: Mon, 01 Dec 2008 01:34:52 GMT
-    Server: Apache/2
-    Access-Control-Allow-Origin: https://foo.example
-    Access-Control-Allow-Credentials: true
-    Cache-Control: no-cache
-    Pragma: no-cache
-    Set-Cookie: pageAccess=3; expires=Wed, 31-Dec-2008 01:34:53 GMT
-    Vary: Accept-Encoding, Origin
-    Content-Encoding: gzip
-    Content-Length: 106
-    Keep-Alive: timeout=2, max=100
-    Connection: Keep-Alive
-    Content-Type: text/plain
-
-    [text/plain payload]
+```plain
+GET /resources/credentialed-content/ HTTP/1.1
+Host: bar.other
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-us,en;q=0.5
+Accept-Encoding: gzip,deflate
+Connection: keep-alive
+Referer: https://foo.example/examples/credential.html
+Origin: https://foo.example
+Cookie: pageAccess=2
+
+HTTP/1.1 200 OK
+Date: Mon, 01 Dec 2008 01:34:52 GMT
+Server: Apache/2
+Access-Control-Allow-Origin: https://foo.example
+Access-Control-Allow-Credentials: true
+Cache-Control: no-cache
+Pragma: no-cache
+Set-Cookie: pageAccess=3; expires=Wed, 31-Dec-2008 01:34:53 GMT
+Vary: Accept-Encoding, Origin
+Content-Encoding: gzip
+Content-Length: 106
+Keep-Alive: timeout=2, max=100
+Connection: Keep-Alive
+Content-Type: text/plain
+
+[text/plain payload]
+```
 
 Although line 10 contains the Cookie destined for the content on `https://bar.other`, if bar.other did not respond with an {{HTTPHeader("Access-Control-Allow-Credentials")}}`: true` (line 17) the response would be ignored and not made available to web content.
 
@@ -350,14 +363,18 @@ This section lists the HTTP response headers that servers send back for access c
 
 A returned resource may have one {{HTTPHeader("Access-Control-Allow-Origin")}} header, with the following syntax:
 
-    Access-Control-Allow-Origin:  | *
+```
+Access-Control-Allow-Origin:  | *
+```
 
 `Access-Control-Allow-Origin` specifies either a single origin, which tells browsers to allow that origin to access the resource; or else — for requests **without** credentials — the "`*`" wildcard, to tell browsers to allow any origin to access the resource.
 
 For example, to allow code from the origin `https://mozilla.org` to access the resource, you can specify:
 
-    Access-Control-Allow-Origin: https://mozilla.org
-    Vary: Origin
+```
+Access-Control-Allow-Origin: https://mozilla.org
+Vary: Origin
+```
 
 If the server specifies a single origin (that may dynamically change based on the requesting origin as part of a allowlist) rather than the "`*`" wildcard, then the server should also include `Origin` in the {{HTTPHeader("Vary")}} response header — to indicate to clients that server responses will differ based on the value of the {{HTTPHeader("Origin")}} request header.
 
@@ -365,19 +382,24 @@ If the server specifies a single origin (that may dynamically change based on th
 
 The {{HTTPHeader("Access-Control-Expose-Headers")}} header adds the specified headers to the allowlist that JavaScript (such as {{domxref("XMLHttpRequest.getResponseHeader()","getResponseHeader()")}}) in browsers is allowed to access.
 
-    Access-Control-Expose-Headers: [, ]*
+```
+Access-Control-Expose-Headers: [, ]*
+```
 
 For example, the following:
 
-    Access-Control-Expose-Headers: X-My-Custom-Header, X-Another-Custom-Header
+```
+Access-Control-Expose-Headers: X-My-Custom-Header, X-Another-Custom-Header
+```
 
 …would allow the `X-My-Custom-Header` and `X-Another-Custom-Header` headers to be exposed to the browser.
 
 ### Access-Control-Max-Age
 
 The {{HTTPHeader("Access-Control-Max-Age")}} header indicates how long the results of a preflight request can be cached. For an example of a preflight request, see the above examples.
-
-    Access-Control-Max-Age: 
+```
+Access-Control-Max-Age: 
+```
 
 The `delta-seconds` parameter indicates the number of seconds the results can be cached.
 
@@ -385,7 +407,9 @@ The `delta-seconds` parameter indicates the number of seconds the results can be
 
 The {{HTTPHeader("Access-Control-Allow-Credentials")}} header indicates whether or not the response to the request can be exposed when the `credentials` flag is true. When used as part of a response to a preflight request, this indicates whether or not the actual request can be made using credentials. Note that simple `GET` requests are not preflighted, and so if a request is made for a resource with credentials, if this header is not returned with the resource, the response is ignored by the browser and not returned to web content.
 
-    Access-Control-Allow-Credentials: true
+```
+Access-Control-Allow-Credentials: true
+```
 
 [Credentialed requests](#requests_with_credentials) are discussed above.
 
@@ -393,7 +417,9 @@ The {{HTTPHeader("Access-Control-Allow-Credentials")}} header indicates whether
 
 The {{HTTPHeader("Access-Control-Allow-Methods")}} header specifies the method or methods allowed when accessing the resource. This is used in response to a preflight request. The conditions under which a request is preflighted are discussed above.
 
-    Access-Control-Allow-Methods: [, ]*
+```
+Access-Control-Allow-Methods: [, ]*
+```
 
 An example of a {{Glossary("preflight request")}} is given above, including an example which sends this header to the browser.
 
@@ -401,7 +427,9 @@ An example of a {{Glossary("preflight request")}} is given above, including an e
 
 The {{HTTPHeader("Access-Control-Allow-Headers")}} header is used in response to a {{Glossary("preflight request")}} to indicate which HTTP headers can be used when making the actual request. This header is the server side response to the browser's {{HTTPHeader("Access-Control-Request-Headers")}} header.
 
-    Access-Control-Allow-Headers: [, ]*
+```
+Access-Control-Allow-Headers: [, ]*
+```
 
 ## The HTTP request headers
 
@@ -411,7 +439,9 @@ This section lists headers that clients may use when issuing HTTP requests in or
 
 The {{HTTPHeader("Origin")}} header indicates the origin of the cross-site access request or preflight request.
 
-    Origin: 
+```
+Origin: 
+```
 
 The origin is a URL indicating the server from which the request initiated. It does not include any path information, but only the server name.
 
@@ -423,7 +453,9 @@ Note that in any access control request, the {{HTTPHeader("Origin")}} header is
 
 The {{HTTPHeader("Access-Control-Request-Method")}} is used when issuing a preflight request to let the server know what HTTP method will be used when the actual request is made.
 
-    Access-Control-Request-Method: 
+```
+Access-Control-Request-Method: 
+```
 
 Examples of this usage can be [found above.](#preflighted_requests)
 
@@ -431,7 +463,9 @@ Examples of this usage can be [found above.](#preflighted_requests)
 
 The {{HTTPHeader("Access-Control-Request-Headers")}} header is used when issuing a preflight request to let the server know what HTTP headers will be used when the actual request is made (such as with {{domxref("XMLHttpRequest.setRequestHeader()","setRequestHeader()")}}). This browser side header will be answered by the complementary server side header of {{HTTPHeader("Access-Control-Allow-Headers")}}.
 
-    Access-Control-Request-Headers: [, ]*
+```
+Access-Control-Request-Headers: [, ]*
+```
 
 Examples of this usage can be [found above](#preflighted_requests).
 
diff --git a/files/en-us/web/http/cross-origin_resource_policy_(corp)/index.md b/files/en-us/web/http/cross-origin_resource_policy_(corp)/index.md
index 4cc3f1d8d0fcda7..6a36f1437eed145 100644
--- a/files/en-us/web/http/cross-origin_resource_policy_(corp)/index.md
+++ b/files/en-us/web/http/cross-origin_resource_policy_(corp)/index.md
@@ -43,9 +43,9 @@ Web applications set a Cross-Origin Resource Policy via the {{HTTPHeader("Cross-
 - `cross-origin`
   - : Requests from any _{{Glossary("origin")}}_ (both same-site and cross-site) can read the resource.
 
-
-
-    Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin
+```
+Cross-Origin-Resource-Policy: same-site | same-origin | cross-origin
+```
 
 During a cross-origin resource policy check, if the header is set, the browser will deny `no-cors` requests issued from a different origin/site.
 
diff --git a/files/en-us/web/http/csp/index.md b/files/en-us/web/http/csp/index.md
index bd71a9859ddefb7..b7faf5300ac4483 100644
--- a/files/en-us/web/http/csp/index.md
+++ b/files/en-us/web/http/csp/index.md
@@ -11,19 +11,17 @@ tags:
 ---
 {{HTTPSidebar}}
 
-**Content Security Policy** ({{Glossary("CSP")}}) is an
-added layer of security that helps to detect and mitigate certain types of attacks,
-including Cross Site Scripting ({{Glossary("Cross-site_scripting", "XSS")}}) and data injection attacks. These
-attacks are used for everything from data theft to site defacement to distribution of
-malware.
+**Content Security Policy** ({{Glossary("CSP")}}) is an added layer of security
+that helps to detect and mitigate certain types of attacks,
+including Cross Site Scripting ({{Glossary("Cross-site_scripting", "XSS")}}) and data injection attacks.
+These attacks are used for everything from data theft to site defacement to distribution of malware.
 
 CSP is designed to be fully backward compatible (except CSP version 2 where there are
 some explicitly-mentioned inconsistencies in backward compatibility; more details [here](https://www.w3.org/TR/CSP2) section 1.1). Browsers that don't support
 it still work with servers that implement it, and vice-versa: browsers that don't
 support CSP ignore it, functioning as usual, defaulting to the standard same-origin
 policy for web content. If the site doesn't offer the CSP header, browsers likewise use
-the standard [same-origin
-policy](/en-US/docs/Web/Security/Same-origin_policy).
+the standard [same-origin policy](/en-US/docs/Web/Security/Same-origin_policy).
 
 To enable CSP, you need to configure your web server to return the
 {{HTTPHeader("Content-Security-Policy")}} HTTP header. (Sometimes you may see mentions
@@ -32,7 +30,11 @@ you don't need to specify it anymore.)
 
 Alternatively, the {{HTMLElement("meta")}} element can be used to configure a policy,
 for example:
-``
+
+```html
+
+```
 
 ## Threats
 
@@ -79,7 +81,7 @@ construct such headers properly, and provides examples.
 You can use the {{HTTPHeader("Content-Security-Policy")}} HTTP header to specify your
 policy, like this:
 
-```html
+```
 Content-Security-Policy: policy
 ```
 
@@ -110,7 +112,7 @@ This section provides examples of some common security policy scenarios.
 A web site administrator wants all content to come from the site's own origin (this
 excludes subdomains.)
 
-```html
+```
 Content-Security-Policy: default-src 'self'
 ```
 
@@ -119,7 +121,7 @@ Content-Security-Policy: default-src 'self'
 A web site administrator wants to allow content from a trusted domain and all its
 subdomains (it doesn't have to be the same domain that the CSP is set on.)
 
-```html
+```
 Content-Security-Policy: default-src 'self' trusted.com *.trusted.com
 ```
 
@@ -129,7 +131,7 @@ A web site administrator wants to allow users of a web application to include im
 from any origin in their own content, but to restrict audio or video media to trusted
 providers, and all scripts only to a specific server that hosts trusted code.
 
-```html
+```
 Content-Security-Policy: default-src 'self'; img-src *; media-src media1.com media2.com; script-src userscripts.example.com
 ```
 
@@ -147,7 +149,7 @@ A web site administrator for an online banking site wants to ensure that all its
 content is loaded using TLS, in order to prevent attackers from eavesdropping on
 requests.
 
-```html
+```
 Content-Security-Policy: default-src https://onlinebanking.jumbobank.com
 ```
 
@@ -159,7 +161,7 @@ through the single origin onlinebanking.jumbobank.com.
 A web site administrator of a web mail site wants to allow HTML in email, as well as
 images loaded from anywhere, but not JavaScript or other potentially dangerous content.
 
-```html
+```
 Content-Security-Policy: default-src 'self' *.mailsite.com; img-src *
 ```
 
@@ -176,8 +178,8 @@ header can be used to test a future revision to a policy without actually deploy
 You can use the {{HTTPHeader("Content-Security-Policy-Report-Only")}} HTTP header to
 specify your policy, like this:
 
-```html
-Content-Security-Policy-Report-Only: policy 
+```
+Content-Security-Policy-Report-Only: policy
 ```
 
 If both a {{HTTPHeader("Content-Security-Policy-Report-Only")}} header and a
@@ -192,7 +194,7 @@ By default, violation reports aren't sent. To enable violation reporting, you ne
 specify the {{CSP("report-uri")}} policy directive, providing at least one URI to which
 to deliver the reports:
 
-```html
+```
 Content-Security-Policy: default-src 'self'; report-uri http://reportcollector.example.com/collector.cgi
 ```
 
@@ -235,7 +237,7 @@ Let's consider a page located at `http://example.com/signup.html`. It uses
 the following policy, disallowing everything but stylesheets from
 `cdn.example.com`.
 
-```html
+```
 Content-Security-Policy: default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports
 ```
 
@@ -260,15 +262,17 @@ Can you spot the mistake? Stylesheets are allowed to be loaded only from
 following violation report as a POST request to
 `http://example.com/_/csp-reports`, when the document is visited:
 
-    {
-      "csp-report": {
-        "document-uri": "http://example.com/signup.html",
-        "referrer": "",
-        "blocked-uri": "http://example.com/css/style.css",
-        "violated-directive": "style-src cdn.example.com",
-        "original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports"
-      }
-    }
+```js
+{
+  "csp-report": {
+    "document-uri": "http://example.com/signup.html",
+    "referrer": "",
+    "blocked-uri": "http://example.com/css/style.css",
+    "violated-directive": "style-src cdn.example.com",
+    "original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports"
+  }
+}
+```
 
 As you can see, the report includes the full path to the violating resource in
 `blocked-uri`. This is not always the case. For example, if the
diff --git a/files/en-us/web/http/headers/accept-ch-lifetime/index.md b/files/en-us/web/http/headers/accept-ch-lifetime/index.md
index 82eb46c587d33d0..8a4926ee0467170 100644
--- a/files/en-us/web/http/headers/accept-ch-lifetime/index.md
+++ b/files/en-us/web/http/headers/accept-ch-lifetime/index.md
@@ -45,14 +45,16 @@ include in subsequent requests.
 
 ## Syntax
 
-```html
+```
 Accept-CH-Lifetime: 
 ```
 
 ## Examples
 
-    Accept-CH: Viewport-Width
-    Accept-CH-Lifetime: 86400
+```
+Accept-CH: Viewport-Width
+Accept-CH-Lifetime: 86400
+```
 
 ## Browser compatibility
 
diff --git a/files/en-us/web/http/headers/accept-encoding/index.md b/files/en-us/web/http/headers/accept-encoding/index.md
index 4c8b4d155a9efe1..c3c0e57980f4874 100644
--- a/files/en-us/web/http/headers/accept-encoding/index.md
+++ b/files/en-us/web/http/headers/accept-encoding/index.md
@@ -40,7 +40,7 @@ As long as the `identity` value, meaning no encoding, is not explicitly forbidde
 
 ## Syntax
 
-```html
+```
 Accept-Encoding: gzip
 Accept-Encoding: compress
 Accept-Encoding: deflate
@@ -71,11 +71,13 @@ Accept-Encoding: deflate, gzip;q=1.0, *;q=0.5
 
 ## Examples
 
-    Accept-Encoding: gzip
+```
+Accept-Encoding: gzip
 
-    Accept-Encoding: gzip, compress, br
+Accept-Encoding: gzip, compress, br
 
-    Accept-Encoding: br;q=1.0, gzip;q=0.8, *;q=0.1
+Accept-Encoding: br;q=1.0, gzip;q=0.8, *;q=0.1
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/accept-patch/index.md b/files/en-us/web/http/headers/accept-patch/index.md
index 231e2a0eac7a14f..4a59f44b91b8266 100644
--- a/files/en-us/web/http/headers/accept-patch/index.md
+++ b/files/en-us/web/http/headers/accept-patch/index.md
@@ -33,7 +33,7 @@ A server receiving a PATCH request with an unsupported media type could reply wi
 
 ## Syntax
 
-```html
+```
 Accept-Patch: application/example, text/example
 Accept-Patch: text/example;charset=utf-8
 Accept-Patch: application/merge-patch+json
@@ -45,7 +45,7 @@ None
 
 ## Examples
 
-```html
+```
 Accept-Patch: application/example, text/example
 
 Accept-Patch: text/example;charset=utf-8
diff --git a/files/en-us/web/http/headers/accept-post/index.md b/files/en-us/web/http/headers/accept-post/index.md
index ab7eb00b85c7c7f..bddbff43e555456 100644
--- a/files/en-us/web/http/headers/accept-post/index.md
+++ b/files/en-us/web/http/headers/accept-post/index.md
@@ -32,9 +32,11 @@ For example, a server receiving a `POST` request with an unsupported media type
 
 ## Syntax
 
-    Accept: /
-    Accept: /*
-    Accept: */*
+```
+Accept: /
+Accept: /*
+Accept: */*
+```
 
 > **Note:** The `Accept-Post` header specifies a media range in the same way as {{HTTPHeader("Accept-Language")}}, except that it has no notion of preference (i.e. "accept-params" or "q" arguments are not significant).
 
@@ -44,7 +46,7 @@ None.
 
 ## Examples
 
-```html
+```
 Accept-Post: application/example, text/example
 Accept-Post: image/webp
 Accept-Post: */*
diff --git a/files/en-us/web/http/headers/accept-ranges/index.md b/files/en-us/web/http/headers/accept-ranges/index.md
index 4e61fe856ca3b8a..4c6783422b0a6d6 100644
--- a/files/en-us/web/http/headers/accept-ranges/index.md
+++ b/files/en-us/web/http/headers/accept-ranges/index.md
@@ -33,7 +33,7 @@ _resume_ an interrupted download, rather than to start it from the start again.
 
 ## Syntax
 
-```html
+```
 Accept-Ranges: 
 Accept-Ranges: none
 ```
@@ -52,7 +52,9 @@ Accept-Ranges: none
 
 ## Examples
 
-    Accept-Ranges: bytes
+```
+Accept-Ranges: bytes
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/accept/index.md b/files/en-us/web/http/headers/accept/index.md
index 19f5acdacd42dcc..3763506a078202d 100644
--- a/files/en-us/web/http/headers/accept/index.md
+++ b/files/en-us/web/http/headers/accept/index.md
@@ -37,7 +37,7 @@ The **`Accept`** request HTTP header advertises which content types, expressed a
 
 ## Syntax
 
-```html
+```
 Accept: /
 Accept: /*
 Accept: */*
@@ -59,15 +59,17 @@ Accept: text/html, application/xhtml+xml, application/xml;q=0.9, image/webp, */*
 
 ## Examples
 
-    Accept: text/html
+```
+Accept: text/html
 
-    Accept: image/*
+Accept: image/*
 
-    // General default
-    Accept: */*
+// General default
+Accept: */*
 
-    // Default for navigation requests
-    Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
+// Default for navigation requests
+Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/access-control-allow-credentials/index.md b/files/en-us/web/http/headers/access-control-allow-credentials/index.md
index 1674480ddd7f6ec..a2c560bbf5b9d5c 100644
--- a/files/en-us/web/http/headers/access-control-allow-credentials/index.md
+++ b/files/en-us/web/http/headers/access-control-allow-credentials/index.md
@@ -52,7 +52,7 @@ in to including credentials.
 
 ## Syntax
 
-```html
+```
 Access-Control-Allow-Credentials: true
 ```
 
@@ -67,7 +67,9 @@ Access-Control-Allow-Credentials: true
 
 Allow credentials:
 
-    Access-Control-Allow-Credentials: true
+```
+Access-Control-Allow-Credentials: true
+```
 
 Using [XHR](/en-US/docs/Web/API/XMLHttpRequest) with credentials:
 
diff --git a/files/en-us/web/http/headers/access-control-allow-headers/index.md b/files/en-us/web/http/headers/access-control-allow-headers/index.md
index 31c0a912a1b86a8..af8b0984014d91c 100644
--- a/files/en-us/web/http/headers/access-control-allow-headers/index.md
+++ b/files/en-us/web/http/headers/access-control-allow-headers/index.md
@@ -32,7 +32,7 @@ This header is required if the request has an {{HTTPHeader("Access-Control-Reque
 
 ## Syntax
 
-```html
+```
 Access-Control-Allow-Headers: [[, ]*]
 Access-Control-Allow-Headers: *
 ```
@@ -50,19 +50,25 @@ Access-Control-Allow-Headers: *
 
 Here's an example of what an `Access-Control-Allow-Headers` header might look like. It indicates that a custom header named `X-Custom-Header` is supported by CORS requests to the server (in addition to the {{glossary("CORS-safelisted_request_header", "CORS-safelisted request headers")}}).
 
-    Access-Control-Allow-Headers: X-Custom-Header
+```
+Access-Control-Allow-Headers: X-Custom-Header
+```
 
 ### Multiple headers
 
 This example shows `Access-Control-Allow-Headers` when it specifies support for multiple headers.
 
-    Access-Control-Allow-Headers: X-Custom-Header, Upgrade-Insecure-Requests
+```
+Access-Control-Allow-Headers: X-Custom-Header, Upgrade-Insecure-Requests
+```
 
 ### Bypassing additional restrictions
 
 Although {{glossary("CORS-safelisted_request_header", "CORS-safelisted request headers")}} are always allowed and don't usually need to be listed in `Access-Control-Allow-Headers`, listing them anyway will circumvent the [additional restrictions](/en-US/docs/Glossary/CORS-safelisted_request_header#additional_restrictions) that apply.
 
-    Access-Control-Allow-Headers: Accept
+```
+Access-Control-Allow-Headers: Accept
+```
 
 ### Example preflight request
 
@@ -74,22 +80,26 @@ First, the request. The preflight request is an {{HTTPMethod("OPTIONS")}} reque
 
 The preflight request below tells the server that we want to send a CORS `GET` request that has the headers listed in {{HTTPHeader("Access-Control-Request-Headers")}} ({{HTTPHeader("Content-Type")}} and `x-requested-with`).
 
-    OPTIONS /resource/foo
-    Access-Control-Request-Method: GET
-    Access-Control-Request-Headers: Content-Type, x-requested-with
-    Origin: https://foo.bar.org
+```
+OPTIONS /resource/foo
+Access-Control-Request-Method: GET
+Access-Control-Request-Headers: Content-Type, x-requested-with
+Origin: https://foo.bar.org
+```
 
 #### Response
 
 If the CORS request indicated by the preflight request is authorized, the server will respond to the preflight request with a message that indicates the allowed origin, methods and headers. Below we see that {{HTTPHeader("Access-Control-Allow-Headers")}} includes the headers that were requested.
 
-    HTTP/1.1 200 OK
-    Content-Length: 0
-    Connection: keep-alive
-    Access-Control-Allow-Origin: https://foo.bar.org
-    Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
-    Access-Control-Allow-Headers: Content-Type, x-requested-with
-    Access-Control-Max-Age: 86400
+```
+HTTP/1.1 200 OK
+Content-Length: 0
+Connection: keep-alive
+Access-Control-Allow-Origin: https://foo.bar.org
+Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE
+Access-Control-Allow-Headers: Content-Type, x-requested-with
+Access-Control-Max-Age: 86400
+```
 
 If the requested method isn't supported, the server will respond with an error.
 
diff --git a/files/en-us/web/http/headers/access-control-allow-methods/index.md b/files/en-us/web/http/headers/access-control-allow-methods/index.md
index c7f620205f77ff8..c5a672583fa29e7 100644
--- a/files/en-us/web/http/headers/access-control-allow-methods/index.md
+++ b/files/en-us/web/http/headers/access-control-allow-methods/index.md
@@ -29,7 +29,7 @@ specifies the method or methods allowed when accessing the resource in response
 
 ## Syntax
 
-```html
+```
 Access-Control-Allow-Methods: , , ...
 Access-Control-Allow-Methods: *
 ```
@@ -47,8 +47,10 @@ Access-Control-Allow-Methods: *
 
 ## Examples
 
-    Access-Control-Allow-Methods: POST, GET, OPTIONS
-    Access-Control-Allow-Methods: *
+```
+Access-Control-Allow-Methods: POST, GET, OPTIONS
+Access-Control-Allow-Methods: *
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/access-control-allow-origin/index.md b/files/en-us/web/http/headers/access-control-allow-origin/index.md
index ad74641282489a9..b8be1ebd97548b1 100644
--- a/files/en-us/web/http/headers/access-control-allow-origin/index.md
+++ b/files/en-us/web/http/headers/access-control-allow-origin/index.md
@@ -35,7 +35,7 @@ The **`Access-Control-Allow-Origin`** response header indicates whether the resp
 
 ## Syntax
 
-```html
+```
 Access-Control-Allow-Origin: *
 Access-Control-Allow-Origin: 
 Access-Control-Allow-Origin: null
@@ -57,11 +57,15 @@ Access-Control-Allow-Origin: null
 
 A response that tells the browser to allow code from any origin to access a resource will include the following:
 
-    Access-Control-Allow-Origin: *
+```
+Access-Control-Allow-Origin: *
+```
 
 A response that tells the browser to allow requesting code from the origin `https://developer.mozilla.org` to access a resource will include the following:
 
-    Access-Control-Allow-Origin: https://developer.mozilla.org
+```
+Access-Control-Allow-Origin: https://developer.mozilla.org
+```
 
 Limiting the possible `Access-Control-Allow-Origin` values to a set of allowed origins requires code on the server side to check the value of the {{HTTPHeader("Origin")}} request header, compare that to a list of allowed origins, and then if the {{HTTPHeader("Origin")}} value is in the list, to set the `Access-Control-Allow-Origin` value to the same value as the {{HTTPHeader("Origin")}} value.
 
@@ -69,8 +73,10 @@ Limiting the possible `Access-Control-Allow-Origin` values to a set of allowed o
 
 If the server sends a response with an `Access-Control-Allow-Origin` value that is an explicit origin (rather than the "`*`" wildcard), then the response should also include a {{HTTPHeader("Vary")}} response header with the value `Origin` — to indicate to browsers that server responses can differ based on the value of the `Origin` request header.
 
-    Access-Control-Allow-Origin: https://developer.mozilla.org
-    Vary: Origin
+```
+Access-Control-Allow-Origin: https://developer.mozilla.org
+Vary: Origin
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/access-control-expose-headers/index.md b/files/en-us/web/http/headers/access-control-expose-headers/index.md
index b722dab1b290075..ae459064af19e4b 100644
--- a/files/en-us/web/http/headers/access-control-expose-headers/index.md
+++ b/files/en-us/web/http/headers/access-control-expose-headers/index.md
@@ -29,7 +29,7 @@ Only the {{Glossary("CORS-safelisted response header", "CORS-safelisted response
 
 ## Syntax
 
-```html
+```
 Access-Control-Expose-Headers: [[, ]*]
 Access-Control-Expose-Headers: *
 ```
@@ -46,19 +46,27 @@ Access-Control-Expose-Headers: *
 
 The {{Glossary("CORS-safelisted response header", "CORS-safelisted response headers")}} are: {{HTTPHeader("Cache-Control")}}, {{HTTPHeader("Content-Language")}}, {{HTTPHeader("Content-Length")}}, {{HTTPHeader("Content-Type")}}, {{HTTPHeader("Expires")}}, {{HTTPHeader("Last-Modified")}}, {{HTTPHeader("Pragma")}}. To expose a non-CORS-safelisted response header, you can specify:
 
-    Access-Control-Expose-Headers: Content-Encoding
+```
+Access-Control-Expose-Headers: Content-Encoding
+```
 
 To additionally expose a custom header, like `X-Kuma-Revision`, you can specify multiple headers separated by a comma:
 
-    Access-Control-Expose-Headers: Content-Encoding, X-Kuma-Revision
+```
+Access-Control-Expose-Headers: Content-Encoding, X-Kuma-Revision
+```
 
 For requests without credentials, a server can also respond with a wildcard value:
 
-    Access-Control-Expose-Headers: *
+```
+Access-Control-Expose-Headers: *
+```
 
 However, this won't wildcard the {{HTTPHeader("Authorization")}} header, so if you need to expose that, you will need to list it explicitly:
 
-    Access-Control-Expose-Headers: *, Authorization
+```
+Access-Control-Expose-Headers: *, Authorization
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/access-control-max-age/index.md b/files/en-us/web/http/headers/access-control-max-age/index.md
index 041652984632041..9e1c427edfbe490 100644
--- a/files/en-us/web/http/headers/access-control-max-age/index.md
+++ b/files/en-us/web/http/headers/access-control-max-age/index.md
@@ -27,7 +27,7 @@ The **`Access-Control-Max-Age`** response header indicates how long the results
 
 ## Syntax
 
-```html
+```
 Access-Control-Max-Age: 
 ```
 
@@ -45,7 +45,9 @@ Access-Control-Max-Age: 
 
 Cache results of a preflight request for 10 minutes:
 
-    Access-Control-Max-Age: 600
+```
+Access-Control-Max-Age: 600
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/access-control-request-headers/index.md b/files/en-us/web/http/headers/access-control-request-headers/index.md
index 3ab9dfc53b559d0..cdcbe833f6c990b 100644
--- a/files/en-us/web/http/headers/access-control-request-headers/index.md
+++ b/files/en-us/web/http/headers/access-control-request-headers/index.md
@@ -27,7 +27,7 @@ The **`Access-Control-Request-Headers`** request header is used by browsers when
 
 ## Syntax
 
-```html
+```
 Access-Control-Request-Headers: , , ...
 ```
 
@@ -38,7 +38,9 @@ Access-Control-Request-Headers: , , ...
 
 ## Examples
 
-    Access-Control-Request-Headers: X-PINGOTHER, Content-Type
+```
+Access-Control-Request-Headers: X-PINGOTHER, Content-Type
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/access-control-request-method/index.md b/files/en-us/web/http/headers/access-control-request-method/index.md
index 2d7d92ed54bb51a..1845ddfbfff65c3 100644
--- a/files/en-us/web/http/headers/access-control-request-method/index.md
+++ b/files/en-us/web/http/headers/access-control-request-method/index.md
@@ -31,7 +31,7 @@ actual request is made. This header is necessary as the preflight request is alw
 
 ## Syntax
 
-```html
+```
 Access-Control-Request-Method: 
 ```
 
@@ -43,7 +43,9 @@ Access-Control-Request-Method: 
 
 ## Examples
 
-    Access-Control-Request-Method: POST
+```
+Access-Control-Request-Method: POST
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/age/index.md b/files/en-us/web/http/headers/age/index.md
index ea16135e240f7f3..089384009560f72 100644
--- a/files/en-us/web/http/headers/age/index.md
+++ b/files/en-us/web/http/headers/age/index.md
@@ -33,7 +33,7 @@ header included in the HTTP response.
 
 ## Syntax
 
-```html
+```
 Age: 
 ```
 
@@ -45,7 +45,9 @@ Age: 
 
 ## Examples
 
-    Age: 24
+```
+Age: 24
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/allow/index.md b/files/en-us/web/http/headers/allow/index.md
index f52086fa2a4057e..f0ce64e269832da 100644
--- a/files/en-us/web/http/headers/allow/index.md
+++ b/files/en-us/web/http/headers/allow/index.md
@@ -28,7 +28,7 @@ This header must be sent if the server responds with a {{HTTPStatus("405")}} `Me
 
 ## Syntax
 
-```html
+```
 Allow: 
 ```
 
@@ -39,7 +39,9 @@ Allow: 
 
 ## Examples
 
-    Allow: GET, POST, HEAD
+```
+Allow: GET, POST, HEAD
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/alt-svc/index.md b/files/en-us/web/http/headers/alt-svc/index.md
index 8d0ca5313bb0543..392ef532f3ca0fa 100644
--- a/files/en-us/web/http/headers/alt-svc/index.md
+++ b/files/en-us/web/http/headers/alt-svc/index.md
@@ -14,7 +14,7 @@ The {{HTTPHeader("Alt-Svc")}} HTTP header allows a server to indicate that a par
 
 ## Syntax
 
-```html
+```
 Alt-Svc: clear
 Alt-Svc: =; ma=
 Alt-Svc: =; ma=; persist=1
@@ -45,10 +45,12 @@ as separator. In that case, early entries are considered more preferable.
 
 ## Example
 
-    Alt-Svc: h2=":443"; ma=2592000;
-    Alt-Svc: h2=":443"; ma=2592000; persist=1
-    Alt-Svc: h2="alt.example.com:443", h2=":443"
-    Alt-Svc: h3-25=":443"; ma=3600, h2=":443"; ma=3600
+```
+Alt-Svc: h2=":443"; ma=2592000;
+Alt-Svc: h2=":443"; ma=2592000; persist=1
+Alt-Svc: h2="alt.example.com:443", h2=":443"
+Alt-Svc: h3-25=":443"; ma=3600, h2=":443"; ma=3600
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/authorization/index.md b/files/en-us/web/http/headers/authorization/index.md
index dc8cb2850ce23b9..4beb6605db8be01 100644
--- a/files/en-us/web/http/headers/authorization/index.md
+++ b/files/en-us/web/http/headers/authorization/index.md
@@ -30,7 +30,7 @@ necessarily, after the server has responded with a {{HTTPStatus("401")}}
 
 ## Syntax
 
-```html
+```
 Authorization:  
 ```
 
@@ -60,7 +60,9 @@ Authorization:  
 
 ## Examples
 
-    Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
+```
+Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l
+```
 
 See also [HTTP authentication](/en-US/docs/Web/HTTP/Authentication) for
 examples on how to configure Apache or nginx servers to password protect your site with
diff --git a/files/en-us/web/http/headers/cache-control/index.md b/files/en-us/web/http/headers/cache-control/index.md
index 45b6f8f155d3cfe..b616d47a568f04e 100644
--- a/files/en-us/web/http/headers/cache-control/index.md
+++ b/files/en-us/web/http/headers/cache-control/index.md
@@ -48,35 +48,41 @@ Caching directives have the following rules to be valid:
 
 Standard `Cache-Control` directives that can be used by the client in an HTTP request.
 
-    Cache-Control: max-age=
-    Cache-Control: max-stale[=]
-    Cache-Control: min-fresh=
-    Cache-Control: no-cache
-    Cache-Control: no-store
-    Cache-Control: no-transform
-    Cache-Control: only-if-cached
+```
+Cache-Control: max-age=
+Cache-Control: max-stale[=]
+Cache-Control: min-fresh=
+Cache-Control: no-cache
+Cache-Control: no-store
+Cache-Control: no-transform
+Cache-Control: only-if-cached
+```
 
 ### Cache response directives
 
 Standard `Cache-Control` directives that can be used by the server in an HTTP response.
 
-    Cache-Control: must-revalidate
-    Cache-Control: no-cache
-    Cache-Control: no-store
-    Cache-Control: no-transform
-    Cache-Control: public
-    Cache-Control: private
-    Cache-Control: proxy-revalidate
-    Cache-Control: max-age=
-    Cache-Control: s-maxage=
+```
+Cache-Control: must-revalidate
+Cache-Control: no-cache
+Cache-Control: no-store
+Cache-Control: no-transform
+Cache-Control: public
+Cache-Control: private
+Cache-Control: proxy-revalidate
+Cache-Control: max-age=
+Cache-Control: s-maxage=
+```
 
 ### Extension Cache-Control directives
 
 Extension `Cache-Control` directives are not part of the core HTTP caching standards document. Check the [compatibility table](#browser_compatibility) for their support; user-agents that don't recognize them should ignore them.
 
-    Cache-Control: immutable
-    Cache-Control: stale-while-revalidate=
-    Cache-Control: stale-if-error=
+```
+Cache-Control: immutable
+Cache-Control: stale-while-revalidate=
+Cache-Control: stale-if-error=
+```
 
 ## Directives
 
@@ -138,7 +144,7 @@ Cache-Control: no-store
 > but it will not prevent the cache from responding with a non-stale resource that was cached as the result of an earlier request.
 > Setting `max-age=0` as well forces the cache to revalidate (clears the cache).
 >
->     Cache-Control: no-store, max-age=0
+> `Cache-Control: no-store, max-age=0`
 
 On the opposite, this is a bad way to achieve this:
 
@@ -150,22 +156,26 @@ Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate,pre-check=0,p
 
 For the files in the application that will not change, you can usually add aggressive caching by sending the response header below. This includes static files that are served by the application such as images, CSS files and JavaScript files, for example. In addition, see also the `Expires` header.
 
-    Cache-Control: public, max-age=604800, immutable
+```
+Cache-Control: public, max-age=604800, immutable
+```
 
 ### Requiring revalidation
 
-`no-cache` and `max-age=0, must-revalidate` indicates same meaning.
+`no-cache` and `max-age=0, must-revalidate` have the same meaning.
 Clients can cache a resource but must revalidate each time before using it. This means HTTP request occurs each time though, it can skip downloading HTTP body if the content is valid.
 
-    Cache-Control: no-cache
-
-
+```
+Cache-Control: no-cache
 
-    Cache-Control: max-age=0, must-revalidate
+Cache-Control: max-age=0, must-revalidate
+```
 
-**Note**: Following may serve stale resource if server is down or lose connectivity.
+**Note**: The following header may serve a stale resource, if server is down or loses connectivity.
 
-    Cache-Control: max-age=0
+```
+Cache-Control: max-age=0
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/clear-site-data/index.md b/files/en-us/web/http/headers/clear-site-data/index.md
index 30315bf5c1560e9..42ae0b2ee837247 100644
--- a/files/en-us/web/http/headers/clear-site-data/index.md
+++ b/files/en-us/web/http/headers/clear-site-data/index.md
@@ -30,14 +30,16 @@ The **`Clear-Site-Data`** header clears browsing data (cookies, storage, cache)
 
 The `Clear-Site-Data` header accepts one or more directives. If all types of data should be cleared, the wildcard directive (`"*"`) can be used.
 
-    // Single directive
-    Clear-Site-Data: "cache"
+```
+// Single directive
+Clear-Site-Data: "cache"
 
-    // Multiple directives (comma separated)
-    Clear-Site-Data: "cache", "cookies"
+// Multiple directives (comma separated)
+Clear-Site-Data: "cache", "cookies"
 
-    // Wild card
-    Clear-Site-Data: "*"
+// Wild card
+Clear-Site-Data: "*"
+```
 
 ## Directives
 
@@ -71,13 +73,17 @@ The `Clear-Site-Data` header accepts one or more directives. If all types of dat
 
 If a user signs out of your website or service, you might want to remove locally stored data. You can achieve that by adding the `Clear-Site-Data` header when sending the page confirming that logging out from the site has been accomplished successfully (https\://example.com/logout, for example):
 
-    Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"
+```
+Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"
+```
 
 ### Clearing cookies
 
 If this header is delivered with the response at https\://example.com/clear-cookies, all cookies on the same domain https\://example.com and any subdomains (like https\://stage.example.com, etc), will be cleared out.
 
-    Clear-Site-Data: "cookies"
+```
+Clear-Site-Data: "cookies"
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/connection/index.md b/files/en-us/web/http/headers/connection/index.md
index 55ab377bf1e4017..71d73bb375f3324 100644
--- a/files/en-us/web/http/headers/connection/index.md
+++ b/files/en-us/web/http/headers/connection/index.md
@@ -49,7 +49,7 @@ further. Standard hop-by-hop headers are also required to be listed.
 
 ## Syntax
 
-```html
+```
 Connection: keep-alive
 Connection: close
 ```
diff --git a/files/en-us/web/http/headers/content-disposition/index.md b/files/en-us/web/http/headers/content-disposition/index.md
index 713f0513f95bf84..310229c54391526 100644
--- a/files/en-us/web/http/headers/content-disposition/index.md
+++ b/files/en-us/web/http/headers/content-disposition/index.md
@@ -40,7 +40,7 @@ The `Content-Disposition` header is defined in the larger context of MIME messag
 
 The first parameter in the HTTP context is either `inline` (default value, indicating it can be displayed inside the Web page, or as the Web page) or `attachment` (indicating it should be downloaded; most browsers presenting a 'Save as' dialog, prefilled with the value of the `filename` parameters if present).
 
-```html
+```
 Content-Disposition: inline
 Content-Disposition: attachment
 Content-Disposition: attachment; filename="filename.jpg"
@@ -52,7 +52,7 @@ Content-Disposition: attachment; filename="filename.jpg"
 
 A `multipart/form-data` body requires a `Content-Disposition` header to provide information for each subpart of the form (e.g. for every form field and any files that are part of field data). The first directive is always `form-data`, and the header _must_ also include a `name` parameter to identify the relevant field. Additional directives are case-insensitive and have arguments that use quoted-string syntax after the `'='` sign. Multiple parameters are separated by a semi-colon (`';'`).
 
-```html
+```
 Content-Disposition: form-data; name="fieldName"
 Content-Disposition: form-data; name="fieldName"; filename="filename.jpg"
 ```
@@ -83,30 +83,34 @@ Content-Disposition: form-data; name="fieldName"; filename="filename.jpg"
 
 A response triggering the "Save As" dialog:
 
-    200 OK
-    Content-Type: text/html; charset=utf-8
-    Content-Disposition: attachment; filename="cool.html"
-    Content-Length: 21
+```
+200 OK
+Content-Type: text/html; charset=utf-8
+Content-Disposition: attachment; filename="cool.html"
+Content-Length: 21
 
-    Save me!
+Save me!
+```
 
 This simple HTML file will be saved as a regular download rather than displayed in the browser. Most browsers will propose to save it under the `cool.html` filename (by default).
 
 An example of an HTML form posted using the `multipart/form-data` format that makes use of the `Content-Disposition` header:
 
-    POST /test.html HTTP/1.1
-    Host: example.org
-    Content-Type: multipart/form-data;boundary="boundary"
+```
+POST /test.html HTTP/1.1
+Host: example.org
+Content-Type: multipart/form-data;boundary="boundary"
 
-    --boundary
-    Content-Disposition: form-data; name="field1"
+--boundary
+Content-Disposition: form-data; name="field1"
 
-    value1
-    --boundary
-    Content-Disposition: form-data; name="field2"; filename="example.txt"
+value1
+--boundary
+Content-Disposition: form-data; name="field2"; filename="example.txt"
 
-    value2
-    --boundary--
+value2
+--boundary--
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/content-dpr/index.md b/files/en-us/web/http/headers/content-dpr/index.md
index d4a1e01ffa410fb..5d340d0bfdfc202 100644
--- a/files/en-us/web/http/headers/content-dpr/index.md
+++ b/files/en-us/web/http/headers/content-dpr/index.md
@@ -48,7 +48,9 @@ If the `Content-DPR` header appears more than once in a message the last occurre
 
 ## Syntax
 
-    Content-DPR: 
+```
+Content-DPR: 
+```
 
 ## Directives
 
diff --git a/files/en-us/web/http/headers/content-encoding/index.md b/files/en-us/web/http/headers/content-encoding/index.md
index a8b9ec635abdc5b..d7bb35293b2685c 100644
--- a/files/en-us/web/http/headers/content-encoding/index.md
+++ b/files/en-us/web/http/headers/content-encoding/index.md
@@ -32,7 +32,7 @@ Servers are encouraged to compress data as much as possible, and should use cont
 
 ## Syntax
 
-```html
+```
 Content-Encoding: gzip
 Content-Encoding: compress
 Content-Encoding: deflate
@@ -72,12 +72,16 @@ On the client side, you can advertise a list of compression schemes that will be
 along in an HTTP request. The {{HTTPHeader("Accept-Encoding")}} header is used for
 negotiating content encoding.
 
-    Accept-Encoding: gzip, deflate
+```
+Accept-Encoding: gzip, deflate
+```
 
 The server responds with the scheme used, indicated by the
 `Content-Encoding` response header.
 
-    Content-Encoding: gzip
+```
+Content-Encoding: gzip
+```
 
 Note that the server is not obligated to use any compression method. Compression highly
 depends on server settings and used server modules.
diff --git a/files/en-us/web/http/headers/content-language/index.md b/files/en-us/web/http/headers/content-language/index.md
index b0adb5c3a172f3c..4d2193b2d3eb2d5 100644
--- a/files/en-us/web/http/headers/content-language/index.md
+++ b/files/en-us/web/http/headers/content-language/index.md
@@ -46,7 +46,7 @@ If no `Content-Language` is specified, the default is that the content is intend
 
 ## Syntax
 
-```html
+```
 Content-Language: de-DE
 Content-Language: en-US
 Content-Language: de-DE, en-CA
@@ -80,7 +80,9 @@ Do **not** use this meta element like this for stating a document language:
 
 The `Content-Language` header is used to specify the **intended audience of the page**, and can indicate that this is more than one language.
 
-    Content-Language: de, en
+```
+Content-Language: de, en
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/content-length/index.md b/files/en-us/web/http/headers/content-length/index.md
index af0cc616e46b80f..b7b3212bb02c012 100644
--- a/files/en-us/web/http/headers/content-length/index.md
+++ b/files/en-us/web/http/headers/content-length/index.md
@@ -40,7 +40,7 @@ The **`Content-Length`** header indicates the size of the message body, in byte
 
 ## Syntax
 
-```html
+```
 Content-Length: 
 ```
 
diff --git a/files/en-us/web/http/headers/content-location/index.md b/files/en-us/web/http/headers/content-location/index.md
index 979e1e5958a653f..f283585802081e8 100644
--- a/files/en-us/web/http/headers/content-location/index.md
+++ b/files/en-us/web/http/headers/content-location/index.md
@@ -36,7 +36,7 @@ data returned. This distinction may seem abstract without [examples](#examples).
 
 ## Syntax
 
-```html
+```
 Content-Location: 
 ```
 
@@ -78,22 +78,26 @@ as {{HTTPHeader("Accept-Language")}}.
 
 Say you're creating a new blog post through a site's API:
 
-    PUT /new/post
-    Host: example.com
-    Content-Type: text/markdown
+```
+PUT /new/post
+Host: example.com
+Content-Type: text/markdown
 
-    # My first blog post!
+# My first blog post!
 
-    I made this through `example.com`'s API. I hope it worked.
+I made this through `example.com`'s API. I hope it worked.
+```
 
 The site returns a generic success message confirming the post was published. The
 server specifies _where_ the new post is with `Content-Location`:
 
-    HTTP/1.1 201 Created
-    Content-Type: text/plain; charset=utf-8
-    Content-Location: /my-first-blog-post
+```
+HTTP/1.1 201 Created
+Content-Type: text/plain; charset=utf-8
+Content-Location: /my-first-blog-post
 
-    ✅ Success!
+✅ Success!
+```
 
 ### Indicating the URL of a transaction's result
 
@@ -123,16 +127,18 @@ When the form is submitted, the site generates a receipt for the transaction. Th
 server could use `Content-Location` to indicate that receipt's URL for future
 access.
 
-    HTTP/1.1 200 OK
-    Content-Type: text/html; charset=utf-8
-    Content-Location: /my-receipts/38
+```
+HTTP/1.1 200 OK
+Content-Type: text/html; charset=utf-8
+Content-Location: /my-receipts/38
 
-    
-    (Lots of HTML…)
+
+(Lots of HTML…)
 
-    
You sent $38.00 to ExampleUser.

+
You sent $38.00 to ExampleUser.

 
-    (Lots more HTML…)
+(Lots more HTML…)
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/content-range/index.md b/files/en-us/web/http/headers/content-range/index.md
index 38df63077b12218..cce1417cb6d00d8 100644
--- a/files/en-us/web/http/headers/content-range/index.md
+++ b/files/en-us/web/http/headers/content-range/index.md
@@ -40,7 +40,7 @@ a full body message a partial message belongs.
 
 ## Syntax
 
-```html
+```
 Content-Range:  -/
 Content-Range:  -/*
 Content-Range:  */
@@ -59,7 +59,9 @@ Content-Range:  */
 
 ## Examples
 
-    Content-Range: bytes 200-1000/67589
+```
+Content-Range: bytes 200-1000/67589
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/content-security-policy-report-only/index.md b/files/en-us/web/http/headers/content-security-policy-report-only/index.md
index e96c37fca7ef1db..d78e844effa6369 100644
--- a/files/en-us/web/http/headers/content-security-policy-report-only/index.md
+++ b/files/en-us/web/http/headers/content-security-policy-report-only/index.md
@@ -37,7 +37,7 @@ For more information, see also this article on [Content Security Policy (CSP)](/
 
 ## Syntax
 
-```html
+```
 Content-Security-Policy-Report-Only: ; 
 ```
 
@@ -51,11 +51,15 @@ The CSP {{CSP("report-uri")}} directive should be used with this header, otherwi
 
 This header reports violations that would have occurred. You can use this to iteratively work on your content security policy. You observe how your site behaves, watching for violation reports, or [malware redirects](https://secure.wphackedhelp.com/blog/wordpress-malware-redirect-hack-cleanup/), then choose the desired policy enforced by the {{HTTPHeader("Content-Security-Policy")}} header.
 
-    Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/
+```
+Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/
+```
 
 If you still want to receive reporting, but also want to enforce a policy, use the {{HTTPHeader("Content-Security-Policy")}} header with the {{CSP("report-uri")}} directive.
 
-    Content-Security-Policy: default-src https:; report-uri /csp-violation-report-endpoint/
+```
+Content-Security-Policy: default-src https:; report-uri /csp-violation-report-endpoint/
+```
 
 ## Violation report syntax
 
@@ -84,7 +88,9 @@ The report JSON object contains the following data:
 
 Let's consider a page located at `http://example.com/signup.html`. It uses the following policy, disallowing everything but stylesheets from `cdn.example.com`.
 
-    Content-Security-Policy-Report-Only: default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports
+```
+Content-Security-Policy-Report-Only: default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports
+```
 
 The HTML of `signup.html` looks like this:
 
diff --git a/files/en-us/web/http/headers/content-security-policy/base-uri/index.md b/files/en-us/web/http/headers/content-security-policy/base-uri/index.md
index 7f1b5806a46e46e..c7b83f6fb8cd392 100644
--- a/files/en-us/web/http/headers/content-security-policy/base-uri/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/base-uri/index.md
@@ -34,7 +34,7 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} **`base-uri`** directive rest
 
 One or more*sources* can be allowed for the base-uri policy:
 
-```html
+```
 Content-Security-Policy: base-uri ;
 Content-Security-Policy: base-uri  ;
 ```
@@ -55,7 +55,7 @@ While this directive uses the same arguments as other CSP directives, some of th
 
 ### Apache configuration
 
-```bash
+```html
 
 Header set Content-Security-Policy "base-uri 'self'";
 
@@ -63,7 +63,7 @@ Header set Content-Security-Policy "base-uri 'self'";
 
 ### Nginx configuration
 
-```bash
+```
 add_header Content-Security-Policy "base-uri 'self';"
 ```
 
diff --git a/files/en-us/web/http/headers/content-security-policy/block-all-mixed-content/index.md b/files/en-us/web/http/headers/content-security-policy/block-all-mixed-content/index.md
index 5b206e397857637..c7a2e33768ce4cc 100644
--- a/files/en-us/web/http/headers/content-security-policy/block-all-mixed-content/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/block-all-mixed-content/index.md
@@ -22,19 +22,23 @@ All [mixed content](/en-US/docs/Web/Security/Mixed_content) resource requests ar
 
 ## Syntax
 
-```html
+```
 Content-Security-Policy: block-all-mixed-content;
 ```
 
 ## Examples
 
-    Content-Security-Policy: block-all-mixed-content;
+```
+Content-Security-Policy: block-all-mixed-content;
 
-    
+
+```
 
 To disallow http assets on a more granular level, you can also set individual directives to `https:`. For example, to disallow nonsecure HTTP images:
 
-    Content-Security-Policy: img-src https:
+```
+Content-Security-Policy: img-src https:
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/content-security-policy/child-src/index.md b/files/en-us/web/http/headers/content-security-policy/child-src/index.md
index 9e4ae7e06964d3f..30531d6d114e00c 100644
--- a/files/en-us/web/http/headers/content-security-policy/child-src/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/child-src/index.md
@@ -45,7 +45,7 @@ network errors by the user agent.
 
 One or more sources can be allowed for the child-src policy:
 
-```html
+```
 Content-Security-Policy: child-src ;
 Content-Security-Policy: child-src  ;
 ```
@@ -60,7 +60,7 @@ Content-Security-Policy: child-src  ;
 
 Given this CSP header:
 
-```bash
+```
 Content-Security-Policy: child-src https://example.com/
 ```
 
diff --git a/files/en-us/web/http/headers/content-security-policy/connect-src/index.md b/files/en-us/web/http/headers/content-security-policy/connect-src/index.md
index 73d70aee977242d..02b57dc48d2f06c 100644
--- a/files/en-us/web/http/headers/content-security-policy/connect-src/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/connect-src/index.md
@@ -52,7 +52,7 @@ loaded using script interfaces. The APIs that are restricted are:
 
 One or more sources can be allowed for the connect-src policy:
 
-```html
+```
 Content-Security-Policy: connect-src ;
 Content-Security-Policy: connect-src  ;
 ```
@@ -68,7 +68,7 @@ Content-Security-Policy: connect-src  ;
 
 Given this CSP header:
 
-```bash
+```
 Content-Security-Policy: connect-src https://example.com/
 ```
 
diff --git a/files/en-us/web/http/headers/content-security-policy/default-src/index.md b/files/en-us/web/http/headers/content-security-policy/default-src/index.md
index 5fe31de924def41..71b31cf105aa8f3 100644
--- a/files/en-us/web/http/headers/content-security-policy/default-src/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/default-src/index.md
@@ -51,7 +51,7 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`default-src`** direc
 
 One or more sources can be allowed for the `default-src` policy:
 
-```html
+```
 Content-Security-Policy: default-src ;
 Content-Security-Policy: default-src  ;
 ```
@@ -108,13 +108,13 @@ Content-Security-Policy: default-src  ;
 
 If there are other directives specified, `default-src` does not influence them. The following header:
 
-```bash
+```
 Content-Security-Policy: default-src 'self'; script-src https://example.com
 ```
 
 is the same as:
 
-```bash
+```
 Content-Security-Policy: connect-src 'self';
                          font-src 'self';
                          frame-src 'self';
diff --git a/files/en-us/web/http/headers/content-security-policy/font-src/index.md b/files/en-us/web/http/headers/content-security-policy/font-src/index.md
index ab7eb11fc2ba71c..22d4ac020085b4f 100644
--- a/files/en-us/web/http/headers/content-security-policy/font-src/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/font-src/index.md
@@ -42,7 +42,7 @@ valid sources for fonts loaded using {{cssxref("@font-face")}}.
 
 One or more sources can be allowed for the `font-src` policy:
 
-```html
+```
 Content-Security-Policy: font-src ;
 Content-Security-Policy: font-src  ;
 ```
@@ -57,7 +57,7 @@ Content-Security-Policy: font-src  ;
 
 Given this CSP header:
 
-```bash
+```
 Content-Security-Policy: font-src https://example.com/
 ```
 
diff --git a/files/en-us/web/http/headers/content-security-policy/form-action/index.md b/files/en-us/web/http/headers/content-security-policy/form-action/index.md
index 19bbddc89b204f2..20f85dcfbbf2ac5 100644
--- a/files/en-us/web/http/headers/content-security-policy/form-action/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/form-action/index.md
@@ -39,7 +39,7 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`form`\*\***`-action`
 
 One or more sources can be set for the `form-action` policy:
 
-```html
+```
 Content-Security-Policy: form-action ;
 Content-Security-Policy: form-action  ;
 ```
@@ -58,7 +58,7 @@ Content-Security-Policy: form-action  ;
 
 ### Apache configuration
 
-```bash
+```html
 
 Header set Content-Security-Policy "form-action 'none';"
 
@@ -66,7 +66,7 @@ Header set Content-Security-Policy "form-action 'none';"
 
 ### Nginx configuration
 
-```bash
+```
 add_header Content-Security-Policy "form-action 'none';"
 ```
 
diff --git a/files/en-us/web/http/headers/content-security-policy/frame-ancestors/index.md b/files/en-us/web/http/headers/content-security-policy/frame-ancestors/index.md
index 643ac0e0d907234..80cdcd86d07e6ac 100644
--- a/files/en-us/web/http/headers/content-security-policy/frame-ancestors/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/frame-ancestors/index.md
@@ -45,7 +45,7 @@ Setting this directive to `'none'` is similar to {{HTTPHeader("X-Frame-Options")
 
 One or more sources can be set for the `frame-ancestors` policy:
 
-```html
+```
 Content-Security-Policy: frame-ancestors ;
 Content-Security-Policy: frame-ancestors  ;
 ```
@@ -83,7 +83,7 @@ Content-Security-Policy: frame-ancestors  ;
 
 ## Examples
 
-```bash
+```
 Content-Security-Policy: frame-ancestors 'none';
 
 Content-Security-Policy: frame-ancestors 'self' https://www.example.org;
diff --git a/files/en-us/web/http/headers/content-security-policy/frame-src/index.md b/files/en-us/web/http/headers/content-security-policy/frame-src/index.md
index befed4c47ed3301..bcbf328c3120cf2 100644
--- a/files/en-us/web/http/headers/content-security-policy/frame-src/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/frame-src/index.md
@@ -45,7 +45,7 @@ browsing contexts loading using elements such as {{HTMLElement("frame")}} and
 
 One or more sources can be allowed for the `frame-src` policy:
 
-```html
+```
 Content-Security-Policy: frame-src ;
 Content-Security-Policy: frame-src  ;
 ```
@@ -60,7 +60,7 @@ Content-Security-Policy: frame-src  ;
 
 Given this CSP header:
 
-```bash
+```
 Content-Security-Policy: frame-src https://example.com/
 ```
 
diff --git a/files/en-us/web/http/headers/content-security-policy/img-src/index.md b/files/en-us/web/http/headers/content-security-policy/img-src/index.md
index 2507f4c0accc6ba..acdbd8f59ac4466 100644
--- a/files/en-us/web/http/headers/content-security-policy/img-src/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/img-src/index.md
@@ -43,7 +43,7 @@ favicons.
 
 One or more sources can be allowed for the `img-src` policy:
 
-```html
+```
 Content-Security-Policy: img-src ;
 Content-Security-Policy: img-src  ;
 ```
@@ -58,7 +58,7 @@ Content-Security-Policy: img-src  ;
 
 Given this CSP header:
 
-```bash
+```
 Content-Security-Policy: img-src https://example.com/
 ```
 
diff --git a/files/en-us/web/http/headers/content-security-policy/index.md b/files/en-us/web/http/headers/content-security-policy/index.md
index e4f2489cd2a5f96..45306cf7b4ae17e 100644
--- a/files/en-us/web/http/headers/content-security-policy/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/index.md
@@ -35,7 +35,7 @@ For more information, see the introductory article on [Content Security Policy (
 
 ## Syntax
 
-```html
+```
 Content-Security-Policy: ; 
 ```
 
@@ -256,31 +256,43 @@ restrict_ the capabilities of the protected resource, which means that there wil
 be no connection allowed and, as the strictest policy, `connect-src 'none'`
 is enforced.
 
-    Content-Security-Policy: default-src 'self' http://example.com;
-                             connect-src 'none';
-    Content-Security-Policy: connect-src http://example.com/;
-                             script-src http://example.com/
+```
+Content-Security-Policy: default-src 'self' http://example.com;
+                          connect-src 'none';
+Content-Security-Policy: connect-src http://example.com/;
+                          script-src http://example.com/
+```
 
 ## Examples
 
 Example: Disable unsafe inline/eval, only allow loading of resources (images, fonts,
 scripts, etc.) over https:
 
-    // header
-    Content-Security-Policy: default-src https:
+### Using the HTTP header
 
-    // meta tag
-    
+```
+Content-Security-Policy: default-src https:
+```
+
+### Using the HTML meta element
+
+```
+
+```
 
 Example: Pre-existing site that uses too much inline code to fix but wants to ensure
 resources are loaded only over HTTPS and to disable plugins:
 
-    Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'
+```
+Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'
+```
 
 Example: Do not implement the above policy yet; instead just report violations that
 would have occurred:
 
-    Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/
+```
+Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/
+```
 
 See [Mozilla
 Web Security Guidelines](https://infosec.mozilla.org/guidelines/web_security#Examples_5) for more examples.
@@ -297,9 +309,7 @@ Web Security Guidelines](https://infosec.mozilla.org/guidelines/web_security#Exa
 
 - {{HTTPHeader("Content-Security-Policy-Report-Only")}}
 - [Learn about: Content Security Policy](/en-US/docs/Web/HTTP/CSP)
-- [Content
-  Security in WebExtensions](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy)
-- [Adopting a strict
-  policy](https://csp.withgoogle.com/docs/strict-csp.html)
+- [Content Security in WebExtensions](/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_Security_Policy)
+- [Adopting a strict policy](https://csp.withgoogle.com/docs/strict-csp.html)
 - [CSP Evaluator](https://github.com/google/csp-evaluator) - Evaluate your
   Content Security Policy
diff --git a/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md b/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md
index ec83d757718b069..202fe39d49fcbc7 100644
--- a/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/manifest-src/index.md
@@ -44,7 +44,7 @@ to the resource.
 
 One or more sources can be allowed for the `manifest-src` policy:
 
-```html
+```
 Content-Security-Policy: manifest-src ;
 Content-Security-Policy: manifest-src  ;
 ```
@@ -59,7 +59,7 @@ Content-Security-Policy: manifest-src  ;
 
 Given this CSP header:
 
-```bash
+```
 Content-Security-Policy: manifest-src https://example.com/
 ```
 
diff --git a/files/en-us/web/http/headers/content-security-policy/media-src/index.md b/files/en-us/web/http/headers/content-security-policy/media-src/index.md
index 32f61a51db97c24..66c7050616f612a 100644
--- a/files/en-us/web/http/headers/content-security-policy/media-src/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/media-src/index.md
@@ -43,7 +43,7 @@ media using the {{HTMLElement("audio")}} and {{HTMLElement("video")}} elements.
 
 One or more sources can be allowed for the `media-src` policy:
 
-```html
+```
 Content-Security-Policy: media-src ;
 Content-Security-Policy: media-src  ;
 ```
@@ -58,7 +58,7 @@ Content-Security-Policy: media-src  ;
 
 Given this CSP header:
 
-```bash
+```
 Content-Security-Policy: media-src https://example.com/
 ```
 
diff --git a/files/en-us/web/http/headers/content-security-policy/navigate-to/index.md b/files/en-us/web/http/headers/content-security-policy/navigate-to/index.md
index 004d3b4c26abda3..22d2649973f9166 100644
--- a/files/en-us/web/http/headers/content-security-policy/navigate-to/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/navigate-to/index.md
@@ -46,7 +46,7 @@ on what this document is allowed to navigate to.
 
 One or more sources can be set for the `navigate-to` policy:
 
-```html
+```
 Content-Security-Policy: navigate-to ;
 Content-Security-Policy: navigate-to  ;
 ```
diff --git a/files/en-us/web/http/headers/content-security-policy/object-src/index.md b/files/en-us/web/http/headers/content-security-policy/object-src/index.md
index 3336fcfe5bce12a..1baf4c43a6cd847 100644
--- a/files/en-us/web/http/headers/content-security-policy/object-src/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/object-src/index.md
@@ -53,7 +53,7 @@ To set allowed types for {{HTMLElement("object")}}, {{HTMLElement("embed")}}, an
 
 One or more sources can be allowed for the object-src policy:
 
-```html
+```
 Content-Security-Policy: object-src ;
 Content-Security-Policy: object-src  ;
 ```
@@ -68,7 +68,7 @@ Content-Security-Policy: object-src  ;
 
 Given this CSP header:
 
-```bash
+```
 Content-Security-Policy: object-src https://example.com/
 ```
 
diff --git a/files/en-us/web/http/headers/content-security-policy/plugin-types/index.md b/files/en-us/web/http/headers/content-security-policy/plugin-types/index.md
index 4d328ca785bc47f..ff368008a61aaca 100644
--- a/files/en-us/web/http/headers/content-security-policy/plugin-types/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/plugin-types/index.md
@@ -49,7 +49,7 @@ Instantiation of an {{HTMLElement("embed")}}, {{HTMLElement("object")}} or
 One or more [MIME types](/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types) can
 be set for the `plugin-types` policy:
 
-```html
+```
 Content-Security-Policy: plugin-types /;
 Content-Security-Policy: plugin-types / /;
 ```
@@ -74,7 +74,7 @@ is only used if you are allowing plugins with `object-src` at all.
 
 The content security policy
 
-```bash
+```
 Content-Security-Policy: plugin-types application/x-shockwave-flash
 ```
 
@@ -89,7 +89,7 @@ will allow to load flash objects:
 To load an {{HTMLElement("applet")}} you must specify
 `application/x-java-applet`:
 
-```bash
+```
 Content-Security-Policy: plugin-types application/x-java-applet
 ```
 
diff --git a/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md b/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md
index 169caec4f284457..0d25548269d99ba 100644
--- a/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/prefetch-src/index.md
@@ -40,7 +40,7 @@ be prefetched or prerendered.
 
 One or more sources can be allowed for the `prefetch-src` policy:
 
-```html
+```
 Content-Security-Policy: prefetch-src ;
 Content-Security-Policy: prefetch-src  ;
 ```
@@ -56,13 +56,17 @@ Content-Security-Policy: prefetch-src  ;
 
 Given a page with the following Content Security Policy:
 
-    Content-Security-Policy: prefetch-src https://example.com/
+```
+Content-Security-Policy: prefetch-src https://example.com/
+```
 
 Fetches for the following code will return network errors, as the URLs provided do not
 match `prefetch-src`'s source list:
 
+```html
     
     
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/content-security-policy/referrer/index.md b/files/en-us/web/http/headers/content-security-policy/referrer/index.md
index 958d3f6c71c4c43..2324aeeaa2962b9 100644
--- a/files/en-us/web/http/headers/content-security-policy/referrer/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/referrer/index.md
@@ -24,7 +24,7 @@ browsers.
 
 ## Syntax
 
-```html
+```
 Content-Security-Policy: referrer ;
 ```
 
@@ -51,7 +51,9 @@ where `` can be one of the following values:
 
 ## Examples
 
-    Content-Security-Policy: referrer "none";
+```
+Content-Security-Policy: referrer "none";
+```
 
 ## Specifications
 
diff --git a/files/en-us/web/http/headers/content-security-policy/report-uri/index.md b/files/en-us/web/http/headers/content-security-policy/report-uri/index.md
index 2b24117da4d3891..f689788cd04de0a 100644
--- a/files/en-us/web/http/headers/content-security-policy/report-uri/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/report-uri/index.md
@@ -53,7 +53,7 @@ with other directives.
 
 ## Syntax
 
-```html
+```
 Content-Security-Policy: report-uri ;
 Content-Security-Policy: report-uri  ;
 ```
@@ -66,12 +66,15 @@ Content-Security-Policy: report-uri  ;
 See {{HTTPHeader("Content-Security-Policy-Report-Only")}} for more information and
 examples.
 
-    Content-Security-Policy: default-src https:; report-uri /csp-violation-report-endpoint/
+```
+Content-Security-Policy: default-src https:; report-uri /csp-violation-report-endpoint/
+```
 
 `/csp-violation-report-endpoint/` could for example run a PHP something like
 the following that logs the JSON detailing the violation and, if the violation is the
 first one added to the log file, sends an email to an administrator:
 
+```php
     ';
 const el = document.createElement('div');
 
 if (typeof trustedTypes !== 'undefined') {
-  // Create a policy that can create TrustedHTML values
+  // Create a policy that can create TrustedHTML values
   // after sanitizing the input strings with DOMPurify library.
-  const sanitizer = trustedTypes.createPolicy('foo', {
-    createHTML: (input) => DOMPurify.sanitize(input)
-  });
+  const sanitizer = trustedTypes.createPolicy('foo', {
+    createHTML: (input) => DOMPurify.sanitize(input)
+  });
 
-  el.innerHTML = sanitizer.createHTML(attackerInput);  // Puts the sanitized value into the DOM.
-  el.innerHTML = attackerInput;                        // Rejects a string value; throws a TypeError.
+  el.innerHTML = sanitizer.createHTML(attackerInput);  // Puts the sanitized value into the DOM.
+  el.innerHTML = attackerInput;                        // Rejects a string value; throws a TypeError.
 }
 ```
 
diff --git a/files/en-us/web/http/headers/content-security-policy/sandbox/index.md b/files/en-us/web/http/headers/content-security-policy/sandbox/index.md
index e7a303e80ccfc1c..58313fe947e11f8 100644
--- a/files/en-us/web/http/headers/content-security-policy/sandbox/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/sandbox/index.md
@@ -41,7 +41,7 @@ preventing the execution of plugins and scripts, and enforcing a same-origin pol
 
 ## Syntax
 
-```html
+```
 Content-Security-Policy: sandbox;
 Content-Security-Policy: sandbox ;
 ```
@@ -90,7 +90,7 @@ where `` can optionally be one of the following values:
 
 ## Examples
 
-```bash
+```
 Content-Security-Policy: sandbox allow-scripts;
 ```
 
diff --git a/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md b/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md
index 3ef35bcf560703a..77bf32187701643 100644
--- a/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/script-src-attr/index.md
@@ -47,14 +47,14 @@ elements.
 
 One or more sources can be allowed for the `script-src-attr` policy:
 
-```html
+```
 Content-Security-Policy: script-src-attr ;
 Content-Security-Policy: script-src-attr  ;
 ```
 
 `script-src-attr` can be used in conjunction with {{CSP("script-src")}}:
 
-```html
+```
 Content-Security-Policy: script-src ;
 Content-Security-Policy: script-src-attr ;
 ```
diff --git a/files/en-us/web/http/headers/content-security-policy/script-src/index.md b/files/en-us/web/http/headers/content-security-policy/script-src/index.md
index 81c26a839a2f7d4..b0d82c0e8c4bef9 100644
--- a/files/en-us/web/http/headers/content-security-policy/script-src/index.md
+++ b/files/en-us/web/http/headers/content-security-policy/script-src/index.md
@@ -42,7 +42,7 @@ The HTTP {{HTTPHeader("Content-Security-Policy")}} (CSP) **`script-src`** direct
 
 One or more sources can be allowed for the `script-src` policy:
 
-```html
+```
 Content-Security-Policy: script-src ;
 Content-Security-Policy: script-src  ;
 ```
@@ -97,7 +97,9 @@ Content-Security-Policy: script-src  ;
 
 Given this CSP header:
 
-    Content-Security-Policy: script-src https://example.com/
+```
+Content-Security-Policy: script-src https://example.com/
+```
 
 the following script is blocked and won't be loaded or executed:
 
@@ -123,7 +125,9 @@ document.getElementById("btn").addEventListener('click', doSomething);
 
 To allow inline scripts and inline event handlers, `'unsafe-inline'`, a nonce-source or a hash-source that matches the inline block can be specified.
 
-    Content-Security-Policy: script-src 'unsafe-inline';
+```
+Content-Security-Policy: script-src 'unsafe-inline';
+```
 
 The above Content Security Policy will allow inline {{HTMLElement("script")}} elements
 
@@ -135,7 +139,9 @@ The above Content Security Policy will allow inline {{HTMLElement("script")}} el
 
 You can use a nonce-source to only allow specific inline script blocks:
 
-    Content-Security-Policy: script-src 'nonce-2726c7f26c'
+```
+Content-Security-Policy: script-src 'nonce-2726c7f26c'
+```
 
 You will have to set the same nonce on the {{HTMLElement("script")}} element:
 
@@ -147,7 +153,9 @@ You will have to set the same nonce on the {{HTMLElement("script")}} element:
 
 Alternatively, you can create hashes from your inline scripts. CSP supports sha256, sha384 and sha512.
 
-    Content-Security-Policy: script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='
+```
+Content-Security-Policy: script-src 'sha256-B2yPHKaXnvFWtRChIbabYmUBFZdVfKKXHbWtWidDVF8='
+```
 
 When generating the hash, don't include the {{HTMLElement("script")}} tags and note that capitalization and whitespace matter, including leading or trailing whitespace.
 
@@ -173,16 +181,22 @@ The `'unsafe-eval'` source expression controls several script execution methods
 
 The `'strict-dynamic'` source expression specifies that the trust explicitly given to a script present in the markup, by accompanying it with a nonce or a hash, shall be propagated to all the scripts loaded by that root script. At the same time, any whitelist or source expressions such as `'self'` or `'unsafe-inline'` will be ignored. For example, a policy such as `script-src 'strict-dynamic' 'nonce-R4nd0m' https://whitelisted.com/` would allow loading of a root script with `