Showing 80 headers

Request
Media types the client acceptsapplication/json, text/html
Request
Character sets the client acceptsutf-8, iso-8859-1;q=0.5
Request
Compression algorithms the client supportsgzip, deflate, br
Request
Preferred response languagesen-US,en;q=0.9,fr;q=0.8
Request
Authentication credentials for the requestBearer <token>
Request
Caching directives for the requestno-cache
Request
Control options for the current connectionkeep-alive
Request
Size of the request body in bytes348
Request
Media type of the request bodyapplication/json; charset=utf-8
Request
Stored cookies sent to the serversession=abc123; theme=dark
Request
Do Not Track preference of the user1
Request
Expected server behavior before sending the request body100-continue
Request
Proxy information in standardized formatfor=192.0.2.60; proto=http; by=203.0.113.43
Request
Email address of the user making the requestuser@example.com
Request
Domain name of the server (required in HTTP/1.1)api.example.com
Request
Conditional request — only proceed if ETag matches"abc123def456"
Request
Conditional request — return only if resource was modified after dateWed, 21 Oct 2024 07:28:00 GMT
Request
Conditional request — only return if ETag differs"abc123def456"
Request
Conditional request — only proceed if not modified since dateWed, 21 Oct 2024 07:28:00 GMT
Request
Maximum number of times the request can be forwarded10
Request
Origin of the cross-site requesthttps://app.example.com
Request
Legacy cache control directive (HTTP/1.0)no-cache
Request
Request only part of the resource (byte range)bytes=0-1023
Request
URL of the page that made the requesthttps://example.com/page
Request
Transfer encodings the client acceptstrailers, deflate;q=0.5
Request
Request protocol upgrade (e.g., to WebSocket)websocket
Request
Client software identifierMozilla/5.0 (Windows NT 10.0; Win64; x64)
Request
Proxy information added by intermediate nodes1.0 proxy1.example.com
Request
Original client IP address behind a proxy203.0.113.1, 198.51.100.1
Request
Original Host header as received by the proxyexample.com
Request
Protocol used by the client to connect to the proxyhttps
Request
Unique identifier for the request for tracing and loggingf058ebd6-02f7-4d3f-942e-904344e8cde3
Response
Indicates if the server supports range requestsbytes
Response
Time in seconds the response has been in a proxy cache24
Response
HTTP methods allowed on the resource (used with 405)GET, POST, HEAD
Response
Caching directives for the responsemax-age=3600, public
Response
Control options for the current connectionkeep-alive
Response
How the browser should handle the response (inline or attachment)attachment; filename="file.pdf"
Response
Compression applied to the response bodygzip
Response
Natural language(s) of the responseen-US
Response
Size of the response body in bytes1234
Response
Alternate URL for the returned resource/documents/foo.json
Response
Range of bytes included in a partial responsebytes 200-1023/67589
Response
MIME type of the response bodyapplication/json; charset=utf-8
Response
Date and time the response was sentTue, 07 Jun 2026 10:00:00 GMT
Response
Unique identifier for a specific version of the resource"33a64df551425fcc55e4d42a148795d9f25f89d4"
Response
Date/time after which the response is considered stale (legacy)Thu, 01 Jan 2026 00:00:00 GMT
Response
Date/time when the resource was last changedMon, 01 Jan 2026 12:00:00 GMT
Response
Typed relationships to other resources</api/users?page=2>; rel="next"
Response
URL for redirects (3xx) or created resources (201)https://api.example.com/users/123
Response
How long to wait before making a new request (rate limit / 503)120
Response
Software information about the origin servernginx/1.25.3
Response
Set a cookie on the clientsession=abc; HttpOnly; Secure; SameSite=Lax
Response
Encoding used to transfer the response bodychunked
Response
Request headers that affect the response (used for caching)Accept-Encoding, Accept-Language
Response
Proxy information added to the response1.1 proxy.example.com
Response
Authentication scheme required for the resource (401 responses)Bearer realm="api"
Response
Prevent MIME type sniffingnosniff
Response
Control whether the page can be embedded in framesDENY
Response
Technology stack of the server (often disabled for security)Express
CORS
Allow cookies and auth headers in cross-origin requeststrue
CORS
Request headers allowed in cross-origin requestsContent-Type, Authorization
CORS
HTTP methods allowed in cross-origin requestsGET, POST, PUT, DELETE, OPTIONS
CORS
Origins allowed to access the resourcehttps://app.example.com
CORS
Response headers the browser can access in cross-origin reqsX-Request-Id, X-RateLimit-Remaining
CORS
How long the preflight result can be cached (seconds)86400
CORS
Headers the client intends to send in the actual requestContent-Type, Authorization
CORS
HTTP method the client intends to use in the actual requestPOST
CORS
Origin of the cross-site request (sent in preflight)https://app.example.com
Security
Restrict sources of scripts, styles, images, and moredefault-src 'self'; script-src 'self' https://cdn.example.com
Security
Require cross-origin resources to opt in to sharingrequire-corp
Security
Isolate the browsing context from cross-origin documentssame-origin
Security
Prevent other origins from loading the resourcesame-site
Security
Control browser features like camera, mic, and geolocationcamera=(), microphone=(), geolocation=(self)
Security
Control how much referrer information is included in requestsstrict-origin-when-cross-origin
Security
Force HTTPS for future requests (HSTS)max-age=31536000; includeSubDomains
Security
Prevent MIME type sniffing attacksnosniff
Security
Control browser DNS prefetching behavioroff
Security
Protect against clickjacking by controlling frame embeddingSAMEORIGIN
Security
Legacy XSS filter directive (superseded by CSP)1; mode=block

HTTP Headers Reference

What Are HTTP Headers?

HTTP headers are key-value pairs sent between the client and server in HTTP requests and responses. They carry metadata about the request or response, such as content type, caching directives, authentication credentials, and security policies. Understanding HTTP headers is essential for building secure, performant web applications and APIs.

Request Headers

Request headers are sent by the client (browser, API consumer) to provide information about the request and the client's capabilities.

HeaderTypeDescriptionExample Value
AcceptRequestMedia types the client acceptsapplication/json, text/html
Accept-EncodingRequestCompression algorithms the client supportsgzip, deflate, br
Accept-LanguageRequestPreferred response languagesen-US,en;q=0.9,fr;q=0.8
AuthorizationRequestAuthentication credentials for the requestBearer eyJhbGciOiJIUzI1NiJ9...
Cache-ControlRequestCaching directives for the requestno-cache
Content-TypeRequestMedia type of the request bodyapplication/json; charset=utf-8
CookieRequestStored cookies sent to the serversession=abc123; theme=dark
HostRequestDomain name of the server (required in HTTP/1.1)api.example.com
OriginRequestOrigin of the cross-site request (CORS)https://app.example.com
RefererRequestURL of the page making the requesthttps://example.com/page
User-AgentRequestClient software identifierMozilla/5.0 (Windows NT 10.0; Win64; x64)
X-Requested-WithRequestIdentifies AJAX requestsXMLHttpRequest
X-Forwarded-ForRequestOriginal client IP behind a proxy203.0.113.1, 198.51.100.1
If-None-MatchRequestConditional request — only return if ETag differs"abc123def456"
If-Modified-SinceRequestConditional request — return only if modifiedWed, 21 Oct 2024 07:28:00 GMT

Response Headers

Response headers are sent by the server to provide information about the response, caching instructions, and other metadata.

HeaderTypeDescriptionExample Value
Cache-ControlResponseCaching directives for the responsemax-age=3600, public
Content-EncodingResponseCompression applied to the response bodygzip
Content-LengthResponseSize of the response body in bytes1234
Content-TypeResponseMedia type of the response bodyapplication/json; charset=utf-8
ETagResponseUnique identifier for a specific version"33a64df551425fcc55e4d42a148795d9f25f89d4"
LocationResponseURL for redirects (3xx) or created resources (201)https://api.example.com/users/123
Set-CookieResponseSet a cookie on the clientsession=abc; HttpOnly; Secure; SameSite=Lax
Strict-Transport-SecurityResponseForce HTTPS for future requests (HSTS)max-age=31536000; includeSubDomains
WWW-AuthenticateResponseAuthentication scheme required (401 responses)Bearer realm="api"
X-Content-Type-OptionsResponsePrevent MIME type sniffingnosniff
X-Frame-OptionsResponseControl whether page can be embedded in framesDENY
X-XSS-ProtectionResponseLegacy XSS filter (superseded by CSP)1; mode=block

CORS Headers

Cross-Origin Resource Sharing (CORS) headers allow servers to specify which cross-origin requests are permitted. They are sent by the server in response to cross-origin requests and OPTIONS preflight requests.

HeaderTypeDescriptionExample Value
Access-Control-Allow-OriginResponseOrigins allowed to access the resourcehttps://app.example.com or *
Access-Control-Allow-MethodsResponseHTTP methods allowed in cross-origin requestsGET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-HeadersResponseRequest headers allowed in cross-origin requestsContent-Type, Authorization
Access-Control-Max-AgeResponseHow long preflight result can be cached (seconds)86400
Access-Control-Allow-CredentialsResponseAllow cookies/auth headers in cross-origin reqstrue
Access-Control-Expose-HeadersResponseHeaders the browser can access in responsesX-Request-Id, X-RateLimit-Remaining
http
// Simple CORS response headers
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400

// Preflight request (OPTIONS) response
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-Type

Security Headers

Security headers protect your users by instructing browsers to enable or disable certain built-in security mechanisms. Every production web application should set these headers.

HeaderTypeDescriptionExample Value
Content-Security-PolicyResponseRestrict sources of scripts, styles, images, etc.default-src 'self'; script-src 'self' https://cdn.example.com
Referrer-PolicyResponseControl how much referrer info is includedstrict-origin-when-cross-origin
Permissions-PolicyResponseControl browser features (camera, mic, geolocation)camera=(), microphone=(), geolocation=(self)
Expect-CTResponseRequire Certificate Transparency for the sitemax-age=86400, enforce
Cross-Origin-Opener-PolicyResponseIsolate browsing context from cross-origin docssame-origin
Cross-Origin-Embedder-PolicyResponseRequire cross-origin resources to opt in to sharingrequire-corp
Cross-Origin-Resource-PolicyResponsePrevent other origins from loading the resourcesame-site
http
// Basic CSP — allow resources only from same origin and trusted CDN
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; report-uri /csp-report

// Strict CSP with nonce (recommended for SPAs)
Content-Security-Policy: default-src 'none'; script-src 'nonce-abc123' 'strict-dynamic'; style-src 'nonce-abc123'; img-src 'self'; connect-src 'self'; base-uri 'none'; form-action 'self'

Caching Headers Quick Reference

DirectiveHeaderDescription
no-storeCache-ControlDo not cache at all — for sensitive responses
no-cacheCache-ControlCache but revalidate with server on every request
max-age=NCache-ControlCache for N seconds
s-maxage=NCache-ControlCDN/shared cache max age (overrides max-age for proxies)
privateCache-ControlOnly cache in browser, not CDN/proxies
publicCache-ControlCache in browser and CDN/proxies
immutableCache-ControlResource will not change; skip revalidation
must-revalidateCache-ControlMust revalidate with server after max-age expires

Frequently Asked Questions

Cache-Control is the modern, more powerful header (HTTP/1.1). Expires is a legacy header (HTTP/1.0) that specifies an absolute expiry date. When both are present, Cache-Control takes precedence. Always use Cache-Control for new applications.

The wildcard * does not allow credentials (cookies, Authorization headers). If you use Access-Control-Allow-Credentials: true, you must specify an exact origin instead of *. Also check that Access-Control-Allow-Methods and Access-Control-Allow-Headers include the method and headers you are using.

Both control whether a page can be embedded in frames. X-Frame-Options is the older header with limited options (DENY, SAMEORIGIN). CSP frame-ancestors is more flexible, allows multiple origins, and supersedes X-Frame-Options in modern browsers. Use both for backwards compatibility.

An ETag is an identifier (usually a hash) for a specific version of a resource. The browser stores the ETag and sends it as If-None-Match on the next request. If the resource has not changed, the server returns 304 Not Modified with no body, saving bandwidth.

At minimum: Strict-Transport-Security (force HTTPS), X-Content-Type-Options: nosniff (prevent MIME sniffing), Content-Security-Policy (restrict content sources), Referrer-Policy: strict-origin-when-cross-origin, and X-Frame-Options: DENY or SAMEORIGIN.

Related Tools