Only a subset of the HTTP headers are supported ashttp-equiv values.These include:

content-languageDeprecated

Sets a default language for the document used by assistive technologies or styling by the browser.Similar to theContent-Language HTTP header.Use thelang attribute instead.

content-type

Declares the document'smedia type (MIME type) and character encoding.Thecontent attribute must be"text/html; charset=utf-8" if specified.This is equivalent to a<meta> element with thecharset attribute specified and carries the same restriction on placement within the document.Can only be used in documents served with atext/html media type — not in documents served with an XML (application/xml orapplication/xhtml+xml) type.See theContent-Type HTTP header.

content-security-policy

Allows page authors to define a content security policy (CSP) for the current page, typically to specify allowed origins and script endpoints to guard against cross-site scripting attacks.See theContent-Security-Policy HTTP header.

default-style

Sets the name of the defaultCSS style sheet set.

refresh

Equivalent to theRefresh HTTP header.This instruction specifies:

• The number of seconds until the page should be reloaded if thecontent attribute is a non-negative integer.
• The number of seconds until the page should redirect to another URL if thecontent attribute is a non-negative integer followed by;url= and a valid URL.

The timer starts when the page iscompletely loaded, which is after theload andpageshow events have both fired.SeeAccessibility concerns for more information.

set-cookieDeprecated

Sets a cookie for the document.Browsers now ignore this pragma; use theSet-Cookie HTTP response header ordocument.cookie instead.

x-ua-compatibleDeprecated

Used by legacy versions of the now-retiredMicrosoft Internet Explorer so that it more closely followed specified behavior.If specified, thecontent attribute must have the value"IE=edge".User agents now ignore this pragma.The name derives from theX-UA-Compatible HTTP header.

Pages set with ahttp-equiv="Refresh" value run the risk of having the refresh interval being too short.People navigating with the aid of assistive technology such as a screen reader may be unable to read through and understand the page's content before being automatically redirected.Abrupt, unannounced page updates may also be disorienting for people experiencing low vision conditions.

• MDN Understanding WCAG, Guideline 2.2 explanations
• MDN Understanding WCAG, Guideline 3.2 explanations
• Understanding Success Criterion 2.2.1 | W3C Understanding WCAG 2.0
• Understanding Success Criterion 2.2.4 | W3C Understanding WCAG 2.0
• Understanding Success Criterion 3.2.5 | W3C Understanding WCAG 2.0

This HTML<meta> element sets the default CSP to only allow resource loading (images, fonts, scripts, etc.) over HTTPS.Because theunsafe-inline andunsafe-eval directives are not set, inline scripts will be blocked:

<meta http-equiv="Content-Security-Policy" content="default-src https:" />

The same restrictions can be applied using the HTTPContent-Security-Policy header:

Content-Security-Policy: default-src https:

The following example useshttp-equiv="refresh" to direct the browser to perform a redirect.Thecontent="3;url=https://www.mozilla.org" attribute will redirect page tohttps://www.mozilla.org after 3 seconds:

<meta http-equiv="refresh" content="3;url=https://www.mozilla.org" />

• <meta name="referrer">
• Metadata: the<meta> element
• Preventing attacks using<meta> httparchive.org (2022)