HTTP Header Reference

v1.0.0

Browse all HTTP request, response, security, CORS, and caching headers with usage guidance.

47 headers found

Accept
request

Content types the client is willing to receive.

Accept: text/html, application/json, */*
Accept-Encoding
request

Compression algorithms the client supports.

Accept-Encoding: gzip, deflate, br
Accept-Language
request

Natural languages preferred by the client.

Accept-Language: en-US,en;q=0.9,de;q=0.7
Authorization
request

Credentials for authenticating the client with the server.

Authorization: Bearer eyJhbGci...
Cache-Control
request

Directives for caching mechanisms in both requests and responses.

Cache-Control: no-cache
Content-Length
request

Size of the request body in bytes.

Content-Length: 348
Content-Type
request

Media type and encoding of the request body.

Content-Type: application/json; charset=utf-8
Cookie
request

HTTP cookies previously set by the server via Set-Cookie.

Cookie: session_id=abc123; theme=dark
Host
request

Domain name of the server (required in HTTP/1.1).

Host: api.example.com
If-Modified-Since
request

Makes the request conditional: the server sends the full response only if the resource was modified after the given date, otherwise 304.

If-Modified-Since: Sat, 29 Oct 2024 18:00:00 GMT
If-None-Match
request

Makes the request conditional based on ETag. Returns 304 if unchanged.

If-None-Match: "686897696a7c876b7e"
Origin
request

Indicates the origin of the request for CORS.

Origin: https://app.example.com
Referer
request

Address of the page that linked to the requested resource.

Referer: https://example.com/page
User-Agent
request

Identifies the client software making the request.

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)...
X-Forwarded-For
request

Original client IP when the request passes through proxies or load balancers. Client-supplied and easily spoofed; trust it only when set by a proxy you control.

X-Forwarded-For: 203.0.113.1, 70.41.3.18
X-Requested-With
request

Identifies Ajax requests. Set by jQuery and other frameworks.

X-Requested-With: XMLHttpRequest
Allow
response

HTTP methods supported by the resource.

Allow: GET, POST, HEAD
Content-Encoding
response

Compression applied to the response body.

Content-Encoding: gzip
Content-Language
response

Language(s) of the response content.

Content-Language: en-US
Content-Type
response

Media type of the response body.

Content-Type: application/json; charset=utf-8
ETag
response

Identifier for a specific version of a resource. Used for caching.

ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
Last-Modified
response

Date and time the resource was last modified.

Last-Modified: Tue, 15 Oct 2024 12:00:00 GMT
Location
response

URL to redirect the client to. Used with 3xx and 201 responses.

Location: https://example.com/new-page
Retry-After
response

How long to wait (seconds or an HTTP-date) before retrying after a 429 or 503.

Retry-After: 120
Server
response

Information about the server software handling the request.

Server: nginx/1.24.0
Set-Cookie
response

Sends a cookie from server to client.

Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict
Transfer-Encoding
response

Encoding applied to transfer the payload body.

Transfer-Encoding: chunked
Vary
response

Tells caches which request headers affect the cached response.

Vary: Accept-Encoding, Accept-Language
Content-Security-Policy
security

Controls which sources the browser may load scripts, styles, frames and other resources from. Mitigates XSS and injection attacks.

Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com
Permissions-Policy
security

Controls which browser features the page can use.

Permissions-Policy: camera=(), microphone=(), geolocation=(self)
Referrer-Policy
security

Controls how much referrer information is sent.

Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security
security

Tells browsers to use HTTPS only for this host for max-age seconds. Prevents protocol downgrade attacks (HSTS).

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options
security

Prevents MIME type sniffing. Set to 'nosniff'.

X-Content-Type-Options: nosniff
X-Frame-Options
security

Controls whether the page can be embedded in frames. Prevents clickjacking; CSP frame-ancestors is the modern equivalent.

X-Frame-Options: DENY
X-XSS-Protection (deprecated)
security

Deprecated legacy browser XSS filter, superseded by CSP. Set to 0 to disable the filter where it still exists.

X-XSS-Protection: 0
Access-Control-Allow-Origin
cors

Specifies which origins can access the resource.

Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods
cors

Specifies allowed HTTP methods for CORS.

Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers
cors

Specifies allowed request headers for CORS.

Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Allow-Credentials
cors

Indicates whether credentials (cookies, Authorization) may be included in CORS requests. Cannot be combined with a wildcard Access-Control-Allow-Origin.

Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers
cors

Lists response headers that can be exposed to the browser.

Access-Control-Expose-Headers: X-Rate-Limit, X-Request-Id
Access-Control-Max-Age
cors

How long the preflight response can be cached (seconds).

Access-Control-Max-Age: 86400
Access-Control-Request-Headers
cors

Used in preflight requests to indicate which headers will be sent.

Access-Control-Request-Headers: Authorization, Content-Type
Access-Control-Request-Method
cors

Used in preflight requests to indicate which method will be used.

Access-Control-Request-Method: PUT
Age
caching

Time in seconds the object has been held in a proxy cache.

Age: 3600
Cache-Control
caching

Directives for caching: max-age, no-cache, no-store, public, private, immutable.

Cache-Control: public, max-age=86400, immutable
Expires
caching

Date/time after which the response is considered stale. Superseded by Cache-Control.

Expires: Tue, 15 Oct 2025 12:00:00 GMT
Pragma (deprecated)
caching

Legacy HTTP/1.0 caching directive. Use Cache-Control instead.

Pragma: no-cache