Showing 80 headers
HTTP Headers Reference
What Are HTTP Headers?
HTTP headers are key-value pairs sent between the client and server in HTTP requests and responses. They carry metadata about the request or response, such as content type, caching directives, authentication credentials, and security policies. Understanding HTTP headers is essential for building secure, performant web applications and APIs.
Request Headers
Request headers are sent by the client (browser, API consumer) to provide information about the request and the client's capabilities.
| Header | Type | Description | Example Value |
|---|---|---|---|
| Accept | Request | Media types the client accepts | application/json, text/html |
| Accept-Encoding | Request | Compression algorithms the client supports | gzip, deflate, br |
| Accept-Language | Request | Preferred response languages | en-US,en;q=0.9,fr;q=0.8 |
| Authorization | Request | Authentication credentials for the request | Bearer eyJhbGciOiJIUzI1NiJ9... |
| Cache-Control | Request | Caching directives for the request | no-cache |
| Content-Type | Request | Media type of the request body | application/json; charset=utf-8 |
| Cookie | Request | Stored cookies sent to the server | session=abc123; theme=dark |
| Host | Request | Domain name of the server (required in HTTP/1.1) | api.example.com |
| Origin | Request | Origin of the cross-site request (CORS) | https://app.example.com |
| Referer | Request | URL of the page making the request | https://example.com/page |
| User-Agent | Request | Client software identifier | Mozilla/5.0 (Windows NT 10.0; Win64; x64) |
| X-Requested-With | Request | Identifies AJAX requests | XMLHttpRequest |
| X-Forwarded-For | Request | Original client IP behind a proxy | 203.0.113.1, 198.51.100.1 |
| If-None-Match | Request | Conditional request — only return if ETag differs | "abc123def456" |
| If-Modified-Since | Request | Conditional request — return only if modified | Wed, 21 Oct 2024 07:28:00 GMT |
Response Headers
Response headers are sent by the server to provide information about the response, caching instructions, and other metadata.
| Header | Type | Description | Example Value |
|---|---|---|---|
| Cache-Control | Response | Caching directives for the response | max-age=3600, public |
| Content-Encoding | Response | Compression applied to the response body | gzip |
| Content-Length | Response | Size of the response body in bytes | 1234 |
| Content-Type | Response | Media type of the response body | application/json; charset=utf-8 |
| ETag | Response | Unique identifier for a specific version | "33a64df551425fcc55e4d42a148795d9f25f89d4" |
| Location | Response | URL for redirects (3xx) or created resources (201) | https://api.example.com/users/123 |
| Set-Cookie | Response | Set a cookie on the client | session=abc; HttpOnly; Secure; SameSite=Lax |
| Strict-Transport-Security | Response | Force HTTPS for future requests (HSTS) | max-age=31536000; includeSubDomains |
| WWW-Authenticate | Response | Authentication scheme required (401 responses) | Bearer realm="api" |
| X-Content-Type-Options | Response | Prevent MIME type sniffing | nosniff |
| X-Frame-Options | Response | Control whether page can be embedded in frames | DENY |
| X-XSS-Protection | Response | Legacy XSS filter (superseded by CSP) | 1; mode=block |
CORS Headers
Cross-Origin Resource Sharing (CORS) headers allow servers to specify which cross-origin requests are permitted. They are sent by the server in response to cross-origin requests and OPTIONS preflight requests.
| Header | Type | Description | Example Value |
|---|---|---|---|
| Access-Control-Allow-Origin | Response | Origins allowed to access the resource | https://app.example.com or * |
| Access-Control-Allow-Methods | Response | HTTP methods allowed in cross-origin requests | GET, POST, PUT, DELETE, OPTIONS |
| Access-Control-Allow-Headers | Response | Request headers allowed in cross-origin requests | Content-Type, Authorization |
| Access-Control-Max-Age | Response | How long preflight result can be cached (seconds) | 86400 |
| Access-Control-Allow-Credentials | Response | Allow cookies/auth headers in cross-origin reqs | true |
| Access-Control-Expose-Headers | Response | Headers the browser can access in responses | X-Request-Id, X-RateLimit-Remaining |
// Simple CORS response headers
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400
// Preflight request (OPTIONS) response
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-TypeSecurity Headers
Security headers protect your users by instructing browsers to enable or disable certain built-in security mechanisms. Every production web application should set these headers.
| Header | Type | Description | Example Value |
|---|---|---|---|
| Content-Security-Policy | Response | Restrict sources of scripts, styles, images, etc. | default-src 'self'; script-src 'self' https://cdn.example.com |
| Referrer-Policy | Response | Control how much referrer info is included | strict-origin-when-cross-origin |
| Permissions-Policy | Response | Control browser features (camera, mic, geolocation) | camera=(), microphone=(), geolocation=(self) |
| Expect-CT | Response | Require Certificate Transparency for the site | max-age=86400, enforce |
| Cross-Origin-Opener-Policy | Response | Isolate browsing context from cross-origin docs | same-origin |
| Cross-Origin-Embedder-Policy | Response | Require cross-origin resources to opt in to sharing | require-corp |
| Cross-Origin-Resource-Policy | Response | Prevent other origins from loading the resource | same-site |
// Basic CSP — allow resources only from same origin and trusted CDN
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; report-uri /csp-report
// Strict CSP with nonce (recommended for SPAs)
Content-Security-Policy: default-src 'none'; script-src 'nonce-abc123' 'strict-dynamic'; style-src 'nonce-abc123'; img-src 'self'; connect-src 'self'; base-uri 'none'; form-action 'self'Caching Headers Quick Reference
| Directive | Header | Description |
|---|---|---|
| no-store | Cache-Control | Do not cache at all — for sensitive responses |
| no-cache | Cache-Control | Cache but revalidate with server on every request |
| max-age=N | Cache-Control | Cache for N seconds |
| s-maxage=N | Cache-Control | CDN/shared cache max age (overrides max-age for proxies) |
| private | Cache-Control | Only cache in browser, not CDN/proxies |
| public | Cache-Control | Cache in browser and CDN/proxies |
| immutable | Cache-Control | Resource will not change; skip revalidation |
| must-revalidate | Cache-Control | Must revalidate with server after max-age expires |