content
Content-Disposition
In responses, controls whether the browser renders the body inline or offers it as a download, and suggests a filename. In multipart/form-data request parts, names the form field and optionally the upload filename.
Content-Disposition: <disposition-type>[; filename="..."] [; filename*=UTF-8''<pct-encoded>] (inline | attachment | form-data; name=...) Common directives / values
| Directive | Purpose |
|---|---|
| inline | Render in the browser if it can (default for most types). |
| attachment | Force a download prompt with the suggested filename. |
| filename="..." | ASCII-safe filename hint for the download dialog. |
| filename*=UTF-8''<pct-encoded> | RFC 5987 encoding for non-ASCII filenames (e.g. Unicode). |
| form-data; name="field" | Names a part inside a multipart/form-data body. |
Examples
Content-Disposition: attachment; filename="report.pdf" Force a download named report.pdf regardless of Content-Type.
Content-Disposition: attachment; filename="resume.pdf"; filename*=UTF-8''r%C3%A9sum%C3%A9.pdf Legacy filename plus RFC 5987 UTF-8 filename for accented characters.
Content-Disposition: inline; filename="invoice.pdf" Render inline in a PDF-capable browser; filename used if the user saves.
Content-Disposition: form-data; name="avatar"; filename="me.png" One part of a multipart upload — field 'avatar', file me.png.
Gotcha
For non-ASCII filenames use BOTH filename= (ASCII fallback) and filename*=UTF-8''... — older Safari misparses lone filename*. To read this header from cross-origin JS you must add it to Access-Control-Expose-Headers.
Related headers
Content-Type
Declares the media type of the body in both requests and responses, and often carries additional parameters like charset or boundary. Governs how the recipient parses or renders the payload.
Content-Length
Number of octets in the message body, letting the recipient know exactly where the message ends. Required for most requests with bodies unless Transfer-Encoding: chunked is used.
Access-Control-Expose-Headers
Lists response headers that the browser will expose to client JavaScript across origins. By default only a small CORS-safelisted set (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) is readable.
Content-Encoding
Indicates that the body has been transformed with one or more compressions and must be decoded in reverse order to recover the original payload. Negotiated via the client's Accept-Encoding.
Accept-Encoding
Client advertisement of which content codings it can decode, letting the server compress the response accordingly. Absence means 'identity only'; an explicit identity;q=0 forbids uncompressed responses.