HTTP Headers Reference

Reference table for common HTTP request and response headers.

About HTTP Headers Reference

This reference lists common HTTP request and response headers used in web development and API work. Headers are categorized by their typical usage direction, though many can appear in both requests and responses.

It is useful for debugging network issues, configuring CORS, implementing caching strategies, setting security headers, and understanding HTTP communication between clients and servers.

Header Format and Rules

HTTP Header Format:
  Header-Name: value

Rules:
  - Header names are case-insensitive
  - Values can span multiple lines (continuation line starts with space/tab); this "line folding" is obsolete and should be accepted but not generated
  - Multiple values: comma-separated or repeat the header (Set-Cookie must be repeated, never comma-joined)
  - Order of different headers doesn't matter; repeated headers with the same name keep their order (this matters for Set-Cookie)
  - Empty value is valid: Header-Name:

Example Request:
  GET /api/users HTTP/1.1
  Host: api.example.com
  Authorization: Bearer eyJhbGc...
  Accept: application/json
  Content-Type: application/json
  User-Agent: MyApp/1.0

Example Response:
  HTTP/1.1 200 OK
  Content-Type: application/json
  Cache-Control: max-age=3600
  X-Frame-Options: DENY
  Set-Cookie: session=abc123; HttpOnly
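The rules above, applied by a small header-block parser. This is an added example, not code from the ToolForge page; it assumes Node.js and no third-party modules, and it parses only the header block (the lines after the request or status line, up to the blank line).

```javascript
// Added example, not from the ToolForge page: a parser for a raw HTTP header
// block that applies the rules above. Assumes Node.js; no third-party modules.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 7230 token characters

// Parses the header block only (everything after the request/status line, up
// to the blank line). Returns a Map of lowercased name -> array of values,
// preserving the order of repeated headers.
function parseHeaders(raw) {
  const lines = [];
  for (const line of raw.split(/\r?\n/)) {
    if (line === '') break;              // blank line terminates the header block
    if (/^[ \t]/.test(line) && lines.length) {
      // Obsolete line folding: a line starting with SP/HTAB continues the previous value.
      lines[lines.length - 1] += ' ' + line.trim();
    } else {
      lines.push(line);
    }
  }
  const headers = new Map();
  for (const line of lines) {
    const colon = line.indexOf(':');
    const name = colon > 0 ? line.slice(0, colon) : '';
    // Rejects a missing colon and whitespace before the colon ("Host : x"), which
    // RFC 7230 requires servers to refuse because intermediaries disagree on its meaning.
    if (!TOKEN.test(name)) throw new Error(`malformed header line: ${JSON.stringify(line)}`);
    const value = line.slice(colon + 1).trim(); // an empty value is valid
    const key = name.toLowerCase();             // names are case-insensitive
    if (!headers.has(key)) headers.set(key, []);
    headers.get(key).push(value);
  }
  return headers;
}

// Case-insensitive lookup. Repeated headers are joined with ", " as RFC 7230
// permits, except Set-Cookie, whose values contain commas and must stay separate.
function getHeader(headers, name) {
  const key = name.toLowerCase();
  const values = headers.get(key);
  if (values === undefined) return undefined;
  return key === 'set-cookie' ? values.slice() : values.join(', ');
}
```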

Common Header Categories

Category | Purpose                        | Common Headers
---------|--------------------------------|------------------------------------------------------------
General  | Apply to both request/response | Cache-Control, Connection, Date
Request  | Client sends to server         | Accept, Authorization, Content-Type
Response | Server sends to client         | Set-Cookie, Location, Server
Entity   | Describe body content          | Content-Length, Content-Type, Content-Encoding
CORS     | Cross-origin access control    | Access-Control-Allow-Origin, Access-Control-Allow-Methods
Security | Protect against attacks        | Strict-Transport-Security, X-Frame-Options, CSP
Caching  | Control cache behavior         | Cache-Control, ETag, Last-Modified, Expires

CORS Headers Reference

Simple Request (server response):
  Access-Control-Allow-Origin: https://example.com
  Access-Control-Allow-Methods: GET, POST, PUT
  Access-Control-Allow-Headers: Content-Type, Authorization

Preflight Request (OPTIONS):
  Client sends:
    Origin: https://example.com
    Access-Control-Request-Method: POST
    Access-Control-Request-Headers: Authorization

  Server responds:
    Access-Control-Allow-Origin: https://example.com
    Access-Control-Allow-Methods: GET, POST, PUT, DELETE
    Access-Control-Allow-Headers: Content-Type, Authorization
    Access-Control-Max-Age: 86400

Credentials:
  Client: fetch(url, {credentials: 'include'})
  Server: Access-Control-Allow-Credentials: true
  Note: Cannot use * with credentials, must specify origin
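The server side of the exchange above as an added example (not code from the ToolForge page): an origin allowlist decides whether to emit Access-Control-Allow-Origin, the preflight is approved only for listed methods and headers, and "*" is never combined with credentials. It assumes Node.js and request headers with lowercased names; the allowlist values are constructed for the example.

```javascript
// Added example, not from the ToolForge page: server-side CORS decision logic
// for the exchange above. Assumes Node.js and that reqHeaders has lowercased
// names; the allowlist values are constructed for the example.
const ALLOWED_ORIGINS = new Set(['https://example.com', 'https://app.example.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// Returns the CORS response headers to add for a request. An origin that is not
// on the allowlist gets no Access-Control-Allow-Origin at all, so the browser
// blocks the response; "*" is never used, which keeps credentials safe.
function corsResponseHeaders(method, reqHeaders, { allowCredentials = false } = {}) {
  const origin = reqHeaders['origin'];
  if (origin === undefined) return {};          // no Origin: not a cross-origin browser request
  const out = { 'Vary': 'Origin' };             // caches must key on Origin when it is echoed
  if (!ALLOWED_ORIGINS.has(origin)) return out; // deny: omit ACAO
  out['Access-Control-Allow-Origin'] = origin;  // echo the exact allowed origin
  if (allowCredentials) out['Access-Control-Allow-Credentials'] = 'true';

  const isPreflight = method === 'OPTIONS' && 'access-control-request-method' in reqHeaders;
  if (!isPreflight) return out;

  // Preflight: only approve methods and request headers on the allowlists.
  const wantMethod = reqHeaders['access-control-request-method'].toUpperCase();
  const wantHeaders = (reqHeaders['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.includes(wantMethod) ||
      !wantHeaders.every(h => ALLOWED_HEADERS.includes(h))) {
    return { 'Vary': 'Origin' };                // deny the preflight
  }
  out['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  out['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
  out['Access-Control-Max-Age'] = '86400';      // browser may cache this preflight for a day
  return out;
}
```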

Security Headers Reference

Strict-Transport-Security: max-age=31536000; includeSubDomains
  Force HTTPS for 1 year, including subdomains

X-Content-Type-Options: nosniff
  Prevent MIME type sniffing

X-Frame-Options: DENY
  Prevent clickjacking (DENY or SAMEORIGIN; ALLOW-FROM is obsolete and ignored by modern browsers, use the CSP frame-ancestors directive instead)

Content-Security-Policy: default-src 'self'
  Control resource loading (scripts, styles, images)

X-XSS-Protection: 1; mode=block
  Enable XSS filter (legacy, modern browsers use CSP)

Referrer-Policy: strict-origin-when-cross-origin
  Control referrer information sent

Permissions-Policy: geolocation=(), microphone=()
  Control browser features

Cross-Origin-Embedder-Policy: require-corp
  Together with Cross-Origin-Opener-Policy: same-origin, isolates the browsing context (COOP/COEP headers)
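A defender's check over the list above, added here as an example (not code from the ToolForge page): it audits a set of response headers and reports missing or weakened protections, comparing names case-insensitively and using the one-year HSTS value shown on this page as the threshold. Assumes Node.js; no third-party modules.

```javascript
// Added example, not from the ToolForge page: audit response headers against
// the security headers listed above. Assumes Node.js; no third-party modules.
const ONE_YEAR = 31536000;

// Lowercase the names so lookups ignore case (header names are case-insensitive).
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Returns a list of findings; an empty list means every check passed.
function auditSecurityHeaders(headers) {
  const h = normalize(headers);
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) findings.push('missing Strict-Transport-Security');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR) findings.push('HSTS max-age shorter than one year');
    if (!/includesubdomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff')
    findings.push('missing X-Content-Type-Options: nosniff');

  // Clickjacking: accept X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  const csp = h['content-security-policy'] || '';
  if (xfo.startsWith('ALLOW-FROM'))
    findings.push('X-Frame-Options ALLOW-FROM is obsolete; use CSP frame-ancestors');
  else if (!['DENY', 'SAMEORIGIN'].includes(xfo) && !/frame-ancestors/i.test(csp))
    findings.push('no framing protection (X-Frame-Options or CSP frame-ancestors)');

  if (!csp) findings.push('missing Content-Security-Policy');
  else {
    if (!/(^|;)\s*default-src\s/i.test(csp)) findings.push('CSP has no default-src fallback');
    if (/(^|;)\s*(default|script)-src[^;]*'unsafe-inline'/i.test(csp))
      findings.push("CSP allows 'unsafe-inline' scripts");
  }

  for (const name of ['referrer-policy', 'permissions-policy'])
    if (!h[name]) findings.push(`missing ${name}`);

  return findings;
}
```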

Caching Headers Reference

Cache-Control directives:
  max-age=3600     - Cache for 1 hour
  s-maxage=3600    - Shared cache (CDN) only
  no-store         - Don't cache anything
  no-cache         - Validate before using cached
  private          - Browser cache only
  public           - Any cache (browser, CDN)
  must-revalidate  - Must validate when stale
  stale-while-revalidate=60 - Serve stale for 60s while revalidating

Validation:
  ETag: "abc123"           - Resource version identifier
  Last-Modified: Mon, 01 Jan 2024 00:00:00 GMT

Client validation headers:
  If-None-Match: "abc123"  - Get if ETag changed
  If-Modified-Since: ...   - Get if modified after date

Expires: Wed, 21 Oct 2024 07:28:00 GMT
  HTTP/1.0 fallback (use Cache-Control instead)
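The validation exchange above from the server's side, as an added example (not code from the ToolForge page): it compares the stored ETag and Last-Modified with the client's If-None-Match / If-Modified-Since and answers 304 Not Modified when the cached copy is still current. It follows RFC 7232 in giving If-None-Match precedence over If-Modified-Since and in using weak ETag comparison; the resource values are constructed. Assumes Node.js and request headers with lowercased names.

```javascript
// Added example, not from the ToolForge page: server-side conditional request
// handling for the validation headers above. Assumes Node.js and lowercased
// request header names; the resource values used in tests are constructed.

// "*" matches any current representation; otherwise a comma-separated tag list.
function parseETagList(value) {
  if (value.trim() === '*') return '*';
  return value.split(',').map(t => t.trim()).filter(Boolean);
}

// Weak comparison (RFC 7232 section 2.3.2): ignore a W/ prefix, compare the opaque tags.
function weakMatch(a, b) {
  const strip = t => t.replace(/^W\//i, '');
  return strip(a) === strip(b);
}

// Returns 304 when the client's cached copy is still current, otherwise 200.
// resource = { etag: '"abc123"', lastModified: 'Mon, 01 Jan 2024 00:00:00 GMT' }
function conditionalStatus(resource, reqHeaders) {
  const inm = reqHeaders['if-none-match'];
  if (inm !== undefined) {
    // If-None-Match takes precedence; If-Modified-Since is then ignored (RFC 7232 section 3.3).
    const tags = parseETagList(inm);
    const hit = tags === '*' || tags.some(t => weakMatch(t, resource.etag));
    return hit ? 304 : 200;
  }
  const ims = reqHeaders['if-modified-since'];
  if (ims !== undefined) {
    const since = Date.parse(ims);
    const modified = Date.parse(resource.lastModified);
    // An unparseable date is ignored; HTTP dates have one-second resolution.
    if (!Number.isNaN(since) && !Number.isNaN(modified) && modified <= since) return 304;
  }
  return 200;
}
```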

Frequently Asked Questions

What are HTTP headers?
HTTP headers are key-value pairs sent at the start of HTTP requests and responses. They convey information about the request body, client capabilities, server capabilities, authentication, caching, and more. Header names are case-insensitive and follow the format: Header-Name: value.

What is the Content-Type header?
Content-Type specifies the media type of the resource or request body. Common values: application/json, text/html, image/png, multipart/form-data. In requests, it tells the server what format the body is in. In responses, it tells the client how to interpret the content.

What are CORS headers?
CORS (Cross-Origin Resource Sharing) headers control access to resources from different origins. Key headers: Access-Control-Allow-Origin (which origins can access), Access-Control-Allow-Methods (allowed HTTP methods), Access-Control-Allow-Headers (allowed request headers). The server must include these for cross-origin requests.

What is the Authorization header?
Authorization contains credentials for authentication. Common formats: Basic base64(username:password), Bearer <token> (JWT/OAuth), APIKey <key>. Never send credentials over plain HTTP (use HTTPS). The server validates these credentials to authorize the request.

How do caching headers work?
Cache-Control controls browser/proxy caching. Common directives: max-age=3600 (cache for 1 hour), no-store (don't cache), no-cache (validate before using), private (browser only), public (any cache). ETag provides a resource version for validation. Last-Modified gives date-based validation.

What are security headers?
Security headers protect against common attacks: Strict-Transport-Security (force HTTPS), X-Content-Type-Options (prevent MIME sniffing), X-Frame-Options (prevent clickjacking), Content-Security-Policy (control resource loading), X-XSS-Protection (legacy XSS filter). Essential for secure web applications.