HTTP Headers Reference - Online Search & Descriptions

Frequently Asked Questions

What are HTTP headers?

HTTP headers are key-value pairs sent between a client (such as a browser) and a server in an HTTP request or response. They carry essential metadata, such as the content type, caching directives, authentication credentials, and security policies. Headers let the web work efficiently by supplying context that the HTTP methods alone cannot convey.

What is the difference between request headers and response headers?

Request headers are sent by the client to the server. They describe the resource being requested, the client's capabilities, and any conditions on the request (e.g., Accept, Authorization, User-Agent, Cookie).

Response headers are sent by the server back to the client. They describe the response itself: its status, caching rules, content metadata, and server information (e.g., Content-Type, Set-Cookie, Cache-Control, ETag).

Which HTTP headers matter most for security?

The most critical security headers include:

Strict-Transport-Security (HSTS): forces HTTPS connections.
Content-Security-Policy (CSP): helps prevent XSS and data injection attacks.
X-Frame-Options: protects against clickjacking.
X-Content-Type-Options: stops MIME type sniffing.
Referrer-Policy: controls referrer information leakage.
Permissions-Policy: restricts browser features and APIs.

Implementing these headers significantly improves your site's security posture.
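As an added example (not code from this reference), the check below audits a response's headers against the six security headers listed above, matching names case-insensitively and flagging common weak values. The WEAK and HARDENED header sets are constructed for the example.

```python
ONE_YEAR = 31536000

def _hsts_max_age(value: str) -> int:
    """max-age directive of an HSTS value, or -1 when absent or non-numeric."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return -1

def audit_security_headers(headers: dict) -> dict:
    """Return {header: finding} for each of the six headers that is missing or weak."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = {}
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    elif _hsts_max_age(hsts) < ONE_YEAR:
        findings["Strict-Transport-Security"] = "max-age below one year"
    csp = h.get("content-security-policy")
    if csp is None:
        findings["Content-Security-Policy"] = "missing"
    elif "default-src" not in csp or "'unsafe-inline'" in csp:
        findings["Content-Security-Policy"] = "no default-src or allows 'unsafe-inline'"
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings["X-Frame-Options"] = "missing or not DENY/SAMEORIGIN"
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings["X-Content-Type-Options"] = "missing or not nosniff"
    rp = h.get("referrer-policy", "").lower()
    if rp in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings["Referrer-Policy"] = "missing or leaks the full URL cross-origin"
    if "permissions-policy" not in h:
        findings["Permissions-Policy"] = "missing"
    return findings

# Constructed sample header sets: a weak configuration and a hardened one.
WEAK = {
    "strict-transport-security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
```

Running audit_security_headers(WEAK) reports all six headers; HARDENED returns no findings.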

What are CORS headers?

CORS (Cross-Origin Resource Sharing) headers control how browsers handle cross-origin requests. The key headers are Access-Control-Allow-Origin (which origins are allowed), Access-Control-Allow-Methods (which HTTP methods are allowed), Access-Control-Allow-Headers (which request headers are allowed), and Access-Control-Allow-Credentials (whether credentials such as cookies may be sent). For requests that are not "simple", the browser first sends a preflight OPTIONS request carrying the Origin, Access-Control-Request-Method and Access-Control-Request-Headers headers, and only sends the actual request if the preflight response permits it.

How does the Cache-Control header work?

Cache-Control is the primary HTTP header for controlling caching behavior. Common directives:

public: the response may be stored by any cache.
private: the response may be stored only by the browser's cache.
max-age=3600: the response is considered fresh for 3600 seconds (1 hour).
no-cache: a stored copy must be revalidated with the server before it is used.
no-store: never store the response.
must-revalidate: once stale, the response must be revalidated and must not be served stale.

For static assets, use a long max-age together with versioned URLs. For dynamic content, use no-cache or a short max-age.

What is an ETag and how do conditional requests work?

An ETag (Entity Tag) is an identifier the server assigns to a specific version of a resource; when the resource changes, the ETag changes. Clients send the ETag back in the If-None-Match header (to ask whether their cached copy is still current) or the If-Match header (to make an update conditional on the version they last saw). If the ETag still matches on a conditional GET, the server returns 304 Not Modified without a body, saving bandwidth. This is more precise than date-based validation with Last-Modified.
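As an added example (not code from this reference), the server-side handling of both conditional headers: a strong ETag derived from the representation, If-None-Match answered with 304 using the weak comparison the specification prescribes for it, and If-Match checked with strong comparison so a stale client cannot overwrite a newer version. The document bodies are constructed.

```python
import hashlib
from typing import List, Optional, Tuple

def make_etag(body: bytes) -> str:
    """Strong ETag: a quoted prefix of the representation's SHA-256 digest."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:16]

def _parse_etag_list(value: str) -> List[str]:
    """Split 'W/"a", "b"' into the individual entity tags as written."""
    return [t.strip() for t in value.split(",") if t.strip()]

def _strip_weak(tag: str) -> str:
    return tag[2:] if tag.startswith("W/") else tag

def _weak_match(a: str, b: str) -> bool:
    """Weak comparison (RFC 7232): a W/ prefix on either side is ignored."""
    return _strip_weak(a) == _strip_weak(b)

def conditional_get(body: bytes, if_none_match: Optional[str]) -> Tuple[int, dict, bytes]:
    """Serve a GET; answer 304 with an empty body while the client's copy is current."""
    etag = make_etag(body)
    headers = {"ETag": etag, "Cache-Control": "no-cache"}  # no-cache: revalidate before reuse
    if if_none_match is not None:
        tags = _parse_etag_list(if_none_match)
        # If-None-Match uses weak comparison, so W/"x" still matches "x"
        if "*" in tags or any(_weak_match(t, etag) for t in tags):
            return 304, headers, b""
    return 200, headers, body

def conditional_put(current: bytes, new_body: bytes, if_match: Optional[str]) -> Tuple[int, bytes]:
    """Apply a PUT only when If-Match names the version the client last saw."""
    if if_match is None:
        return 428, current  # 428 Precondition Required: refuse unconditional overwrites
    tags = _parse_etag_list(if_match)
    # If-Match uses strong comparison: exact equality, and a W/ tag never matches
    if "*" in tags or make_etag(current) in tags:
        return 200, new_body
    return 412, current  # 412 Precondition Failed: the resource changed underneath the client

# Constructed resource versions for the example.
DOC_V1 = b'{"price": 10}'
DOC_V2 = b'{"price": 12}'
```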

Can I define custom HTTP headers?

Custom HTTP headers let you pass application-specific metadata. Historically, custom headers used the X- prefix (e.g., X-Request-ID), but the IETF has deprecated this convention. Modern practice is to use a descriptive name without the X- prefix, or to namespace it with your organization's name (e.g., Acme-Custom-Header). Avoid overriding standard headers, and document your custom headers clearly.

How do I view HTTP headers?

Open your browser's Developer Tools (F12 or Ctrl+Shift+I), go to the Network tab, reload the page, click any request, and look under the Headers section. You'll see Request Headers, Response Headers, and sometimes General Headers. You can also run curl -I https://example.com in a terminal to see response headers, or use online tools to inspect the headers returned by any URL.

Why does the Content-Type header matter?

The Content-Type header tells the browser how to interpret the response body. Common values include text/html, application/json, image/png, and application/octet-stream. Without the correct Content-Type, browsers may misinterpret content (e.g., render JSON as text), APIs may fail, and files may not download properly. Always set the correct MIME type and, where applicable, include the charset parameter (e.g., text/html; charset=utf-8).

What is the difference between Set-Cookie and Cookie?

Set-Cookie is a response header sent by the server to instruct the browser to store a cookie. It carries the cookie's name and value plus attributes such as HttpOnly, Secure, SameSite, Max-Age, Domain, and Path.

Cookie is a request header sent by the browser back to the server, containing the name-value pairs of the stored cookies whose domain, path, and security attributes match the request. The browser decides which cookies to include automatically, based on the attributes the server set.
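As an added example that is not part of this reference, the code below parses a Set-Cookie value, reports which protective attributes a session cookie lacks, and applies simplified browser rules (host-only vs. Domain, Path prefix, Secure on HTTPS only, and SameSite, assumed to default to Lax as current browsers do) to decide whether the cookie would be attached to a later request. The cookie values and host names are constructed.

```python
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lower-cased; flag attrs map to True

def parse_set_cookie(header: str) -> Cookie:
    """Parse 'name=value; Attr; Attr=val' as carried in a Set-Cookie response header."""
    pair, *rest = header.split(";")
    name, _, value = pair.strip().partition("=")
    attrs = {}
    for item in filter(str.strip, rest):
        k, _, v = item.strip().partition("=")
        attrs[k.lower()] = v.strip() or True
    return Cookie(name.strip(), value.strip(), attrs)

def missing_protections(c: Cookie) -> List[str]:
    """Attributes a session cookie should carry but this one lacks."""
    gaps = []
    if "secure" not in c.attrs:
        gaps.append("Secure")
    if "httponly" not in c.attrs:
        gaps.append("HttpOnly")
    if "samesite" not in c.attrs:
        gaps.append("SameSite")
    return gaps

def would_send(c: Cookie, set_on: str, request_url: str, cross_site: bool) -> bool:
    """Would a browser attach this cookie to request_url? cross_site means a cross-site subrequest."""
    req = urlparse(request_url)
    if "domain" in c.attrs:
        d = str(c.attrs["domain"]).lstrip(".").lower()
        host_ok = req.hostname == d or req.hostname.endswith("." + d)
    else:
        host_ok = req.hostname == urlparse(set_on).hostname  # host-only cookie: exact host
    path_ok = req.path.startswith(str(c.attrs.get("path", "/")))
    secure_ok = req.scheme == "https" or "secure" not in c.attrs
    samesite = str(c.attrs.get("samesite", "Lax")).lower()  # assumption: Lax when unset
    site_ok = not cross_site or samesite == "none"  # Lax and Strict both withhold on cross-site subrequests
    return host_ok and path_ok and secure_ok and site_ok

# Constructed Set-Cookie values: a hardened session cookie and a legacy one.
SESSION = parse_set_cookie("sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")
LEGACY = parse_set_cookie("sid=abc123; Domain=example.com; Path=/")
```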

How do I set HTTP headers on my server?

The method depends on your server or platform:

Apache: use Header set in .htaccess or the server configuration files.
Nginx: use the add_header directive.
Node.js/Express: use res.setHeader() or res.set().
PHP: use the header() function.
Cloudflare/Netlify: configure headers via a _headers file or the dashboard.
Python/Flask: set the headers on the response object you return.

For security headers, many platforms also offer one-click configuration or plugins.

Are HTTP header names case-sensitive?

No. According to the HTTP specification (RFC 7230), header names are case-insensitive: Content-Type, content-type, and CONTENT-TYPE are all treated identically. The conventional practice, for readability, is Pascal-Case with hyphens (e.g., Content-Type, If-Modified-Since). Header values, however, may be case-sensitive depending on the specific header; in Authorization: Bearer token123, for example, the token is case-sensitive.