HttpFixer glossary
Plain-language definitions for the headers, browser policies, auth flows, cache directives, and performance metrics you touch in production—each with examples and a link to the HttpFixer tool that automates fixes.
Content Security Policy (CSP)
A browser security mechanism that restricts which resources a page can load.
HTTP Strict Transport Security (HSTS)
Tells browsers to only connect to your site over HTTPS for a set period.
Cross-Origin Resource Sharing (CORS)
The browser mechanism that controls which origins are allowed to make cross-origin requests to your API and read the responses.
CORS Preflight Request
An OPTIONS request the browser sends before certain cross-origin requests (those using non-simple methods or headers) to check whether the server permits them.
CSP Nonce
A per-response random value, declared in the CSP header and repeated on a script tag, that allows that specific inline script to run despite a strict CSP.
unsafe-inline (CSP)
A CSP keyword that allows all inline scripts or styles — effectively disabling XSS protection.
X-Frame-Options
A header that controls whether your page can be embedded in an iframe.
Referrer-Policy
Controls how much URL information is sent in the Referer header to other sites.
Permissions-Policy
Restricts which browser features (camera, microphone, geolocation) a page can use.
Proof Key for Code Exchange (PKCE)
An OAuth extension that prevents authorization code interception attacks.
OAuth 2.0 Grant Types
The different flows OAuth supports for obtaining access tokens.
Cache-Control
An HTTP header that tells browsers and CDNs whether a response may be cached and for how long.
Vary Header
Tells CDNs which request headers affect the response, so they cache separate versions.
ETag
A fingerprint of a response that lets browsers check if their cached copy is still valid.
Core Web Vitals
Google's three user-experience metrics: LCP, INP, and CLS.
Largest Contentful Paint (LCP)
How long it takes for the largest visible element to load.
Cumulative Layout Shift (CLS)
Measures how much page elements move around while loading.
Interaction to Next Paint (INP)
Measures how long the browser takes to visually respond to user interactions.
Time to First Byte (TTFB)
How long it takes for the browser to receive the first byte from the server.
COOP and COEP
Two headers that enable cross-origin isolation, required for SharedArrayBuffer and high-resolution timers.