HTTP Headers Reference
A reference of 45 HTTP headers across request, response, and security categories.
Header names restored from each row's description and example value.

Header                        Example                                       Description

Request headers
Accept                        application/json, text/html                   Media types the client can process.
Accept-Encoding               gzip, deflate, br                             Supported compression algorithms.
Accept-Language               en-US,en;q=0.9                                Preferred languages.
Authorization                 Bearer eyJhbGc...                             Authentication credentials.
Cache-Control                 no-cache                                      Caching directives.
Connection                    keep-alive                                    Connection persistence.
Content-Length                348                                           Size of request body in bytes.
Content-Type                  application/json                              Media type of the request body.
Cookie                        session=abc123; theme=dark                    HTTP cookies for the server.
Host                          api.example.com:443                           Target host and port.
If-Modified-Since             Wed, 21 Oct 2015 07:28:00 GMT                 Conditional GET timestamp.
If-None-Match                 "686897696a7c876b7e"                          Conditional GET with ETag.
Origin                        https://example.com                           Origin of a cross-site request.
Referer                       https://example.com/page                      URL of referring page.
User-Agent                    Mozilla/5.0 (Macintosh; ...)                  Client software identifier.
X-Requested-With              XMLHttpRequest                                Identifies AJAX requests.
X-Forwarded-For               203.0.113.1, 10.0.0.1                         Originating IP through proxies.

Response headers
Access-Control-Allow-Origin   * or https://example.com                      CORS allowed origins.
Access-Control-Allow-Methods  GET, POST, OPTIONS                            CORS allowed methods.
Age                           2397                                          Time in seconds object was in cache.
Allow                         GET, POST, HEAD                               HTTP methods supported by resource.
Cache-Control                 max-age=3600, public                          Caching directives for response.
Content-Disposition           attachment; filename="report.pdf"             Attachment or inline.
Content-Encoding              gzip                                          Applied encoding.
Content-Language              en-US                                         Language of content.
Content-Length                1234                                          Response body size in bytes.
Content-Type                  application/json; charset=utf-8               Media type of response.
ETag                          "33a64df5"                                    Entity tag for caching.
Expires                       Thu, 01 Dec 2030 16:00:00 GMT                 Date/time after which response is stale.
Last-Modified                 Tue, 15 Nov 2024 12:45:26 GMT                 Last modification date.
Location                      https://example.com/new-page                  URL for redirects.
Retry-After                   120                                           Time to wait before retry.
Server                        nginx/1.18.0                                  Server software info.
Set-Cookie                    id=a3fWa; Max-Age=2592000; Secure; HttpOnly   Set a cookie.
Vary                          Accept-Encoding, Accept-Language              Fields that affect response caching.
WWW-Authenticate              Bearer realm="api"                            Authentication challenge.
X-Content-Type-Options        nosniff                                       Prevent MIME sniffing.
X-Frame-Options               DENY or SAMEORIGIN                            Clickjacking protection.
X-RateLimit-Limit             100                                           Max requests per window.
X-RateLimit-Remaining         74                                            Remaining requests.
X-Request-ID                  f058ebd6-02f7-4d3f-942e-904344e8cde3          Unique request identifier.

Security headers
Content-Security-Policy       default-src 'self'                            Controls resource loading.
Strict-Transport-Security     max-age=31536000; includeSubDomains           Force HTTPS.
Permissions-Policy            geolocation=(), microphone=()                 Browser feature policy.
Referrer-Policy               strict-origin-when-cross-origin               Controls referrer info.

Frequently Asked Questions
What are HTTP headers?
HTTP headers are key-value pairs sent at the start of every HTTP request and response. They carry metadata about the message — such as the content type, encoding, authentication credentials, caching rules, and security policies — without being part of the body. Both the client (browser or API consumer) and the server use headers to communicate how the data should be handled.
What do CORS headers do?
CORS (Cross-Origin Resource Sharing) headers allow servers to declare which external origins are permitted to read their responses in a browser. When a browser makes a cross-origin request, it compares the request's Origin with the Access-Control-Allow-Origin response header. If the requesting origin matches (or the value is *), the browser allows the response to be read by JavaScript. Without CORS headers, browsers block JavaScript from reading cross-origin responses by default (the request itself may still be sent), to prevent malicious sites from reading sensitive data.
What is the difference between request headers and response headers?
Request headers are sent by the client (browser, mobile app, or API consumer) to the server and describe the request — for example, what content types the client accepts, what credentials it holds, or caching preferences. Response headers are sent back by the server and describe the response — for example, the content type returned, caching rules, cookies to set, or CORS permissions. Some header names (like Cache-Control and Content-Type) can appear in both directions with slightly different meanings.
Which security headers matter most?
The four most impactful security headers are: Content-Security-Policy (CSP), which restricts what resources a page can load and is the strongest defense against XSS attacks; Strict-Transport-Security (HSTS), which forces browsers to use HTTPS for your domain; X-Frame-Options or the frame-ancestors CSP directive, which prevents clickjacking by blocking your page from being embedded in iframes; and Referrer-Policy, which controls how much referrer information is sent to other origins. X-Content-Type-Options: nosniff is also worth adding to prevent MIME-type sniffing attacks.
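The CORS check and the security-header list above can be turned into a response audit. The following is an added example, not code from the reference page; the function name, the finding texts, the one-year HSTS threshold and the two sample header sets are all constructed for illustration.

```python
import re
from typing import Dict, List


def audit_response_headers(headers: Dict[str, str], request_origin: str) -> List[str]:
    """Return findings for one response; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    # CORS: the browser compares Access-Control-Allow-Origin with the request's Origin.
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        findings.append("CORS: '*' origin with credentials (browsers reject this combination)")
    elif acao == request_origin and "origin" not in h.get("vary", "").lower():
        findings.append("CORS: origin reflected without Vary: Origin (caches may serve it to other origins)")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp and "nonce-" not in csp and "sha256-" not in csp:
        findings.append("CSP allows 'unsafe-inline' without a nonce or hash")
    # Clickjacking: either the frame-ancestors CSP directive or X-Frame-Options.
    if "frame-ancestors" not in csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    # HSTS: require a max-age of at least one year (31536000 s, as in the table above).
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 31536000:
        findings.append("HSTS missing or max-age shorter than one year")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


# Constructed sample responses (not real captures): a weak one and a hardened one.
WEAK = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED = {
    "Access-Control-Allow-Origin": "https://example.com",
    "Vary": "Origin, Accept-Encoding",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
}
```

Running audit_response_headers(WEAK, "https://example.com") reports six findings, while the HARDENED set reports none.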