What is the common way to say "no javascript" in the request header?

The HTTP protocol doesn't define any such header. So you could use a custom one. Like:

X-JAVASCRIPT-ENABLED: false

But of course you could have as well used any other header you liked. And by the way may I ask why would the server would care whether the client supports javascript or not? I mean that's the client responsibility. The <noscript> tag is a good way to provide an alternative contents to clients not supporting javascript.


@Darin's answer used to be correct, today one would use Content-Security-Policy: sandbox (...)

i would recommend just Content-Security-Policy: sandbox; as the safest option, but that will disallow much more than just scripts; to allow "everything except scripts", it would probably be:

Content-Security-Policy: sandbox allow-downloads-without-user-activation allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-by-user-activation;

with the only missing value being allow-scripts

(but again, i recommend just enabling all the sandboxing features, eg Content-Security-Policy: sandbox;)