HTTP Headers Reference
A grouped reference to the HTTP headers you'll meet in practice. Each section focuses on the headers that work together for a specific job.
General
| Header | Direction | Purpose |
|---|---|---|
| Host | Request | Target host and port; required in HTTP/1.1 and used for virtual-host routing. Treat it as attacker-controlled: build absolute URLs (redirects, links in e-mails) from a configured canonical host, not from this header. |
| User-Agent | Request | Identifies the client software. Free-form and trivially spoofed, so never use it for access decisions. |
| Date | Both | Time the message was originated. |
| Connection | Both | keep-alive or close. Hop-by-hop; HTTP/2 and HTTP/3 forbid it because connection management moved into the framing layer. |
| Server | Response | Identifies the server software. Usually trimmed or omitted so version numbers are not advertised, though hiding it is no substitute for patching. |
Content
| Header | Direction | Purpose |
|---|---|---|
| Content-Type | Both | The MIME type of the body, e.g. application/json; charset=utf-8. Pair it with X-Content-Type-Options: nosniff so browsers honour it. |
| Content-Length | Both | Body length in bytes. Must not be sent together with Transfer-Encoding: chunked; a front-end and back-end that disagree on which of the two wins is the root cause of request smuggling. |
| Content-Encoding | Response | Compression applied: gzip, br, zstd. |
| Content-Language | Response | Natural language of the content. |
| Content-Disposition | Response | attachment; filename="report.pdf" triggers a download dialog. Use filename* (RFC 8187 encoding) for non-ASCII names, and never build the filename from unsanitised user input. |
| Accept | Request | Acceptable response media types. |
| Accept-Encoding | Request | Compression algorithms the client supports. |
| Accept-Language | Request | Preferred natural languages. |
Caching
| Header | Direction | Purpose |
|---|---|---|
| Cache-Control | Both | Directives like no-store, private, max-age=…, immutable. A response that depends on a cookie or Authorization header must be private or no-store, or a shared cache can serve one user's data to another. |
| ETag | Response | Opaque identifier for the current representation. Use with If-None-Match. |
| Last-Modified | Response | Modification timestamp. Use with If-Modified-Since. |
| Vary | Response | List of request headers that affect the response; caches key their entries on those header values. |
| Age | Response | Time in seconds the response has been in a cache. |
Example for a fingerprinted static asset whose URL changes whenever its content does:
Cache-Control: public, max-age=31536000, immutable
Conditional
| Header | Direction | Purpose |
|---|---|---|
| If-Match | Request | Perform the action only if the resource's ETag matches (strong comparison). Send it on PUT/PATCH/DELETE to avoid lost updates; a mismatch returns 412 Precondition Failed. |
| If-None-Match | Request | Perform only if none of the listed ETags match (weak comparison). A match on GET/HEAD returns 304 Not Modified; If-None-Match: * on PUT means "create only". |
| If-Modified-Since | Request | Perform only if modified since a given date; otherwise 304. Ignored when If-None-Match is present. |
| If-Unmodified-Since | Request | Perform only if not modified since a given date; otherwise 412. |
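A server-side evaluation of the caching and conditional headers above, as an added example that is not part of the original page: it derives a strong ETag from a constructed sample body, applies the precedence rules of RFC 9110 section 13.2.2, and shows the difference that matters for correctness between If-Match (strong comparison, used to prevent lost updates) and If-None-Match (weak comparison, used for cache revalidation). The body, the timestamp and all function names are assumptions made for the example.

```python
import hashlib
import re
from email.utils import formatdate, parsedate_to_datetime

# Constructed sample resource (not taken from the page): a small JSON body
# and its last-modified time as a Unix timestamp (2023-11-14T22:13:20Z).
BODY = b'{"id": 42, "name": "widget"}'
LAST_MODIFIED_TS = 1700000000

_ETAG_RE = re.compile(r'(W/)?"([^"]*)"')


def make_etag(body, weak=False):
    """Entity-tag from a content hash; the W/ prefix marks a weak validator."""
    return ('W/' if weak else '') + '"%s"' % hashlib.sha256(body).hexdigest()[:16]


def parse_etag(tag):
    """'W/"abc"' -> (True, 'abc'); '"abc"' -> (False, 'abc')."""
    m = _ETAG_RE.fullmatch(tag.strip())
    if not m:
        raise ValueError('malformed entity-tag: %r' % tag)
    return (m.group(1) == 'W/', m.group(2))


def parse_etag_list(value):
    """If-Match / If-None-Match value -> ['*'] or a list of (weak, opaque)."""
    if value.strip() == '*':
        return ['*']
    return [(w == 'W/', t) for w, t in _ETAG_RE.findall(value)]


def etag_matches(client_tags, server_tag, strong):
    """RFC 9110 comparison: weak ignores the W/ prefix; strong requires both
    tags to be strong and identical. '*' matches any existing representation."""
    if client_tags == ['*']:
        return True
    s_weak, s_opaque = server_tag
    for c_weak, c_opaque in client_tags:
        if c_opaque == s_opaque and not (strong and (c_weak or s_weak)):
            return True
    return False


def http_date_to_ts(value):
    return int(parsedate_to_datetime(value).timestamp())


def evaluate_preconditions(method, req_headers, etag, last_modified_ts):
    """Return 200 (proceed), 304 (Not Modified) or 412 (Precondition Failed).
    Precedence: If-Match, then If-Unmodified-Since, then If-None-Match,
    then If-Modified-Since (the last one only for GET/HEAD)."""
    h = {k.lower(): v for k, v in req_headers.items()}
    server_tag = parse_etag(etag)
    safe = method in ('GET', 'HEAD')

    if 'if-match' in h:
        # Optimistic concurrency on PUT/PATCH/DELETE: strong comparison only,
        # so a weak server ETag can never satisfy If-Match.
        if not etag_matches(parse_etag_list(h['if-match']), server_tag, strong=True):
            return 412
    elif 'if-unmodified-since' in h:
        if last_modified_ts > http_date_to_ts(h['if-unmodified-since']):
            return 412

    if 'if-none-match' in h:
        # Cache validation uses weak comparison. A match on an unsafe method
        # (e.g. PUT with If-None-Match: *, "create only") fails with 412.
        if etag_matches(parse_etag_list(h['if-none-match']), server_tag, strong=False):
            return 304 if safe else 412
    elif safe and 'if-modified-since' in h:
        if last_modified_ts <= http_date_to_ts(h['if-modified-since']):
            return 304
    return 200


def handle(method, req_headers):
    """Serve the constructed resource: (status, response headers). Validators
    are sent on both 200 and 304 so the client can revalidate again later."""
    etag = make_etag(BODY)
    status = evaluate_preconditions(method, req_headers, etag, LAST_MODIFIED_TS)
    headers = {}
    if status in (200, 304):
        headers['ETag'] = etag
        headers['Last-Modified'] = formatdate(LAST_MODIFIED_TS, usegmt=True)
        headers['Cache-Control'] = 'private, max-age=0, must-revalidate'
    return status, headers


if __name__ == '__main__':
    status, hdrs = handle('GET', {})
    print(status, hdrs)
    print(handle('GET', {'If-None-Match': hdrs['ETag']}))
    print(handle('PUT', {'If-Match': '"stale"'}))
```

The Cache-Control value in the 200 response forces revalidation on every use, which is the combination that makes ETag round trips worthwhile for per-user data: the cache keeps the body but must ask before reusing it.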
CORS
| Header | Direction | Purpose |
|---|---|---|
| Origin | Request | The origin (scheme://host[:port]) initiating the cross-origin request. Set by the browser; a non-browser client can send anything. |
| Access-Control-Allow-Origin | Response | The one origin permitted to read the response, or * for public resources. Echo the request's Origin only after matching it against an exact allow-list; reflecting any origin while allowing credentials lets every site read authenticated data. Add Vary: Origin when the value depends on the request. |
| Access-Control-Allow-Methods | Response (preflight) | Methods permitted for the resource. |
| Access-Control-Allow-Headers | Response (preflight) | Headers the client may send. |
| Access-Control-Allow-Credentials | Response | true to allow cookies / Authorization across origins. Cannot be combined with Access-Control-Allow-Origin: *. |
| Access-Control-Max-Age | Response (preflight) | Seconds the browser may cache the preflight result. |
See CORS Explained for a walk-through.
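The CORS rows above, turned into server logic as an added example (not code from the page or from any named project): an exact-match origin allow-list, preflight handling with Access-Control-Max-Age, Vary: Origin on every response, and, for contrast, the origin-reflecting misconfiguration that makes Allow-Credentials dangerous. The allowed origins, methods and headers are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed configuration (not from the page): the origins allowed to call
# this API with credentials, and what a preflight is allowed to ask for.
ALLOWED_ORIGINS = {'https://app.example.com', 'https://admin.example.com'}
ALLOWED_METHODS = ('GET', 'POST', 'PUT', 'DELETE')
ALLOWED_HEADERS = ('Authorization', 'Content-Type')
PREFLIGHT_MAX_AGE = 600


def cors_headers_reflecting(origin):
    """The classic misconfiguration: echo whatever Origin arrives and allow
    credentials. Any site the victim visits can then read their authenticated
    responses. Shown for contrast only; do not deploy."""
    return {'Access-Control-Allow-Origin': origin,
            'Access-Control-Allow-Credentials': 'true'}


def origin_is_allowed(origin):
    """Exact match on scheme://host[:port] after lower-casing the host. No
    prefix, suffix or regex matching, so https://app.example.com.attacker.net
    does not pass, and the literal 'null' origin (sandboxed iframes, file://)
    is rejected outright."""
    if not origin or origin == 'null':
        return False
    parts = urlsplit(origin)
    if parts.scheme != 'https' or not parts.netloc or parts.path or parts.query or parts.fragment:
        return False
    return '%s://%s' % (parts.scheme, parts.netloc.lower()) in ALLOWED_ORIGINS


def cors_headers(request_method, req_headers):
    """Return (status, CORS headers) for an actual request or a preflight.
    A disallowed origin gets no Access-Control-* headers at all, which is
    what makes the browser refuse to expose the response to the page."""
    h = {k.lower(): v for k, v in req_headers.items()}
    origin = h.get('origin')
    is_preflight = request_method == 'OPTIONS' and 'access-control-request-method' in h

    # Always vary on Origin: otherwise a shared cache could hand origin B a
    # response carrying Allow-Origin: <origin A>, or the other way round.
    out = {'Vary': 'Origin'}
    if not origin_is_allowed(origin):
        return (403 if is_preflight else 200), out

    # With credentials the value must be the one specific origin; browsers
    # reject '*' in combination with Allow-Credentials: true.
    out['Access-Control-Allow-Origin'] = origin
    out['Access-Control-Allow-Credentials'] = 'true'
    if not is_preflight:
        return 200, out

    wanted_method = h['access-control-request-method'].upper()
    wanted_headers = [x.strip().lower() for x in h.get('access-control-request-headers', '').split(',') if x.strip()]
    allowed_headers = {x.lower() for x in ALLOWED_HEADERS}
    if wanted_method not in ALLOWED_METHODS or any(x not in allowed_headers for x in wanted_headers):
        return 403, out  # preflight fails, so the real request is never sent
    out['Access-Control-Allow-Methods'] = ', '.join(ALLOWED_METHODS)
    out['Access-Control-Allow-Headers'] = ', '.join(ALLOWED_HEADERS)
    out['Access-Control-Max-Age'] = str(PREFLIGHT_MAX_AGE)
    return 204, out


if __name__ == '__main__':
    print(cors_headers('GET', {'Origin': 'https://app.example.com'}))
    print(cors_headers('OPTIONS', {'Origin': 'https://app.example.com',
                                   'Access-Control-Request-Method': 'PUT',
                                   'Access-Control-Request-Headers': 'content-type, authorization'}))
    print(cors_headers('GET', {'Origin': 'https://app.example.com.attacker.net'}))
```

Note that the non-preflight branch still returns 200 for a disallowed origin: the server serves the resource as usual and the browser, seeing no Access-Control-Allow-Origin, withholds it from the calling page. CORS is a read-protection for browsers, not an authentication mechanism.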
Cookies
| Header | Direction | Purpose |
|---|---|---|
| Set-Cookie | Response | Set a cookie. Attributes: HttpOnly, Secure, SameSite, Domain, Path, Expires, Max-Age. The __Host- name prefix additionally requires Secure and Path=/ and forbids Domain, which pins the cookie to one exact host; SameSite=None is only accepted together with Secure. One Set-Cookie header per cookie. |
| Cookie | Request | Cookies previously set by the server (or by script, or by a sibling subdomain when Domain was used). |
Example of a hardened session cookie:
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=86400
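A Set-Cookie parser and linter that checks the attribute rules above, added here as an example that is not part of the original page: it flags missing Secure/HttpOnly/SameSite, the SameSite=None-without-Secure combination browsers reject, and violations of the __Host- and __Secure- prefix rules, and it is reused by a builder that refuses to emit a header a browser would drop. The sample headers are constructed for the example, and the function names and severity labels are assumptions.

```python
# Constructed Set-Cookie headers to lint (not captured from a real server).
SAMPLES = [
    'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=86400',
    '__Host-sid=xyz; Path=/; Secure; HttpOnly; SameSite=Strict',
    '__Host-bad=1; Path=/app; Domain=example.com; HttpOnly',
    'tracker=1; SameSite=None',
    'legacy=2; Domain=example.com; Expires=Wed, 21 Oct 2026 07:28:00 GMT',
]


def parse_set_cookie(header):
    """'name=value; Attr; Attr=val' -> (name, value, {attr_lower: val|True}).
    Only the first '=' separates name from value, so base64 values with
    padding survive; attribute names are case-insensitive."""
    first, *rest = [p.strip() for p in header.split(';')]
    name, _, value = first.partition('=')
    attrs = {}
    for part in rest:
        if part:
            k, sep, v = part.partition('=')
            attrs[k.strip().lower()] = v.strip() if sep else True
    return name.strip(), value, attrs


def lint_set_cookie(header):
    """Return [(severity, message), ...]. 'error' means a browser rejects the
    cookie or a hard rule is broken; 'warn' is a hardening gap."""
    name, _value, a = parse_set_cookie(header)
    findings = []
    secure = a.get('secure') is True
    samesite = a['samesite'].lower() if isinstance(a.get('samesite'), str) else ''

    if not secure:
        findings.append(('error', 'missing Secure: sent over plaintext HTTP'))
    if a.get('httponly') is not True:
        findings.append(('warn', 'missing HttpOnly: readable by script, so XSS can steal it'))
    if not samesite:
        findings.append(('warn', 'missing SameSite: behaviour depends on the browser default'))
    elif samesite == 'none' and not secure:
        findings.append(('error', 'SameSite=None without Secure: browsers reject the cookie'))
    if name.startswith('__Host-'):
        if not secure:
            findings.append(('error', '__Host- prefix requires Secure'))
        if a.get('path') != '/':
            findings.append(('error', '__Host- prefix requires Path=/'))
        if 'domain' in a:
            findings.append(('error', '__Host- prefix forbids Domain'))
    elif name.startswith('__Secure-') and not secure:
        findings.append(('error', '__Secure- prefix requires Secure'))
    if 'domain' in a:
        findings.append(('warn', 'Domain=%s: shared with every subdomain, any of which can overwrite it' % a['domain']))
    if 'expires' in a and 'max-age' in a:
        findings.append(('warn', 'both Expires and Max-Age given; Max-Age takes precedence'))
    return findings


def build_set_cookie(name, value, *, path='/', max_age=None, domain=None,
                     secure=True, httponly=True, samesite='Lax'):
    """Assemble a Set-Cookie value and refuse combinations a browser would reject."""
    parts = ['%s=%s' % (name, value), 'Path=%s' % path]
    if domain:
        parts.append('Domain=%s' % domain)
    if max_age is not None:
        parts.append('Max-Age=%d' % max_age)
    if secure:
        parts.append('Secure')
    if httponly:
        parts.append('HttpOnly')
    parts.append('SameSite=%s' % samesite)
    header = '; '.join(parts)
    errors = [msg for sev, msg in lint_set_cookie(header) if sev == 'error']
    if errors:
        raise ValueError('; '.join(errors))
    return header


if __name__ == '__main__':
    for sample in SAMPLES:
        print(sample)
        for severity, message in lint_set_cookie(sample):
            print('  %s: %s' % (severity, message))
    print(build_set_cookie('__Host-sid', 'abc123', max_age=86400))
```

Run the linter over the Set-Cookie headers captured from a staging response; the __Host- prefix is the cheapest way to make a session cookie immune to being overwritten from a compromised subdomain, and the builder enforces the attributes it needs.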
Security
| Header | Direction | Purpose |
|---|---|---|
| Strict-Transport-Security | Response | Force HTTPS for a duration. max-age=31536000; includeSubDomains; preload. Browsers only record it when received over HTTPS, and preload takes effect only after the domain is submitted to the browser preload list. |
| Content-Security-Policy | Response | Limit the resources the page can load. See CSP. A script-src that allows 'unsafe-inline' without a nonce or hash gives little protection against XSS. |
| X-Content-Type-Options | Response | nosniff: disable MIME type guessing. |
| Referrer-Policy | Response | Control how much of the Referer header is sent on outgoing requests. strict-origin-when-cross-origin is the current browser default; use no-referrer or same-origin when URLs carry secrets. |
| X-Frame-Options | Response | DENY or SAMEORIGIN: clickjacking defense, largely superseded by CSP frame-ancestors, which takes precedence when both are present. |
| Permissions-Policy | Response | Selectively enable or disable browser features such as camera, microphone and geolocation for the page and its iframes. |
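An audit of the security headers above run over a response header map, added as an example that is not part of the original page. It parses HSTS and CSP rather than string-matching them, so it can tell a short max-age from a missing one and an 'unsafe-inline' that is neutralised by a nonce from one that is not. The two header sets it checks are constructed for the example, and the finding texts and thresholds are the author's choices, not values taken from the page.

```python
import re

# Constructed response header set to audit (not captured from a real site).
SAMPLE_RESPONSE = {
    'Strict-Transport-Security': 'max-age=300',
    'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com",
    'X-Frame-Options': 'SAMEORIGIN',
    'Referrer-Policy': 'unsafe-url',
    'Server': 'Apache/2.4.57 (Ubuntu)',
}

# Constructed hardened counterpart: what the audit should accept without findings.
HARDENED = {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
    'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
}

ONE_YEAR = 31536000


def parse_csp(value):
    """'a b; c d e' -> {'a': ['b'], 'c': ['d', 'e']} (directive names lower-cased)."""
    policy = {}
    for directive in value.split(';'):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_security_headers(headers):
    """Return a list of findings for a response header map (keys case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get('strict-transport-security')
    if hsts is None:
        findings.append('HSTS missing')
    else:
        m = re.search(r'max-age=(\d+)', hsts)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append('HSTS max-age=%d is short; use at least %d' % (age, ONE_YEAR))
        if 'includesubdomains' not in hsts.lower():
            findings.append('HSTS lacks includeSubDomains')

    csp = h.get('content-security-policy')
    frame_ancestors = None
    if csp is None:
        findings.append('CSP missing')
    else:
        policy = parse_csp(csp)
        # script-src falls back to default-src when absent
        scripts = policy.get('script-src', policy.get('default-src', []))
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
        # a nonce or hash makes browsers ignore 'unsafe-inline', so only the
        # combination without one is reported
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("CSP script-src allows 'unsafe-inline' with no nonce/hash: inline XSS payloads run")
        if "'unsafe-eval'" in scripts:
            findings.append("CSP script-src allows 'unsafe-eval'")
        if '*' in scripts:
            findings.append('CSP script-src allows any host (*)')
        frame_ancestors = policy.get('frame-ancestors')

    if frame_ancestors is None and h.get('x-frame-options', '').upper() not in ('DENY', 'SAMEORIGIN'):
        findings.append('no clickjacking defence: add CSP frame-ancestors (X-Frame-Options only for old browsers)')
    if h.get('x-content-type-options', '').lower() != 'nosniff':
        findings.append('X-Content-Type-Options: nosniff missing')
    if h.get('referrer-policy', '').lower() in ('', 'unsafe-url', 'no-referrer-when-downgrade'):
        findings.append('Referrer-Policy weak or missing; use strict-origin-when-cross-origin or stricter')
    if 'permissions-policy' not in h:
        findings.append('Permissions-Policy missing: camera, microphone, geolocation etc. not restricted')
    if re.search(r'/\d', h.get('server', '')):
        findings.append('Server header discloses a version number')
    return findings


if __name__ == '__main__':
    for finding in audit_security_headers(SAMPLE_RESPONSE):
        print('-', finding)
    print('hardened:', audit_security_headers(HARDENED))
```

Feed it the headers of a real response (for instance the dict produced by a requests or httpx client) to get a first-pass hardening list; the CSP check is deliberately narrow to script-src, since that is where most of the XSS exposure sits.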
Authentication
| Header | Direction | Purpose |
|---|---|---|
| Authorization | Request | Bearer <token>, Basic <b64>, or scheme-specific value. Basic is only base64 of user:password, not encryption, so it needs TLS. Shared caches must not store the response to a request carrying Authorization unless Cache-Control explicitly allows it (e.g. public). |
| WWW-Authenticate | Response (401) | Challenge scheme(s) the server accepts, e.g. Bearer realm="api", error="invalid_token". |
| Proxy-Authorization | Request | Credentials for an HTTP proxy, sent in reply to a 407 with Proxy-Authenticate. Hop-by-hop: the proxy consumes it instead of forwarding it to the origin. |
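The Authorization / WWW-Authenticate exchange above, implemented on the server side as an added example that is not part of the original page: it parses the scheme case-insensitively, decodes Basic credentials on the first colon only (passwords may contain colons), compares secrets in constant time so a timing difference does not reveal which usernames exist, and issues the 401 challenge with an RFC 6750 error code for a bad bearer token. The credential store, salt, realm and token are constructed for the example; the hashing is deliberately simplified and is not a recommendation for password storage.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed credential store (not from the page): username -> salted
# SHA-256 of the password. A real service would use a slow KDF such as
# argon2, scrypt or bcrypt; the point here is header handling.
SALT = b'static-demo-salt'
USERS = {'alice': hashlib.sha256(SALT + b'correct horse').hexdigest()}
DUMMY_HASH = '0' * 64  # same length as a real digest, for constant-time compare
# Constructed bearer token, stored hashed so a leaked table is not a leaked token
TOKENS = {hashlib.sha256(b'tok_3f9a').hexdigest(): 'alice'}
REALM = 'api'


def basic_header(user, password):
    """Client side: the Authorization value for Basic (RFC 7617)."""
    return 'Basic ' + base64.b64encode(('%s:%s' % (user, password)).encode('utf-8')).decode('ascii')


def parse_authorization(value):
    """Return (scheme_lower, credentials) or None. The scheme is
    case-insensitive and separated from the credentials by whitespace."""
    if not value:
        return None
    scheme, _, creds = value.strip().partition(' ')
    creds = creds.strip()
    if not scheme or not creds:
        return None
    return scheme.lower(), creds


def decode_basic(creds):
    """base64(user:pass) -> (user, password), or None if malformed.
    Only the first colon splits, so the password may contain colons."""
    try:
        raw = base64.b64decode(creds, validate=True).decode('utf-8')
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(':')
    return (user, password) if sep else None


def challenge(scheme='Bearer', error=None):
    """Status and headers for a 401 carrying the WWW-Authenticate challenge."""
    if scheme == 'Basic':
        value = 'Basic realm="%s", charset="UTF-8"' % REALM
    else:
        value = 'Bearer realm="%s"' % REALM
        if error:  # RFC 6750: invalid_request, invalid_token, insufficient_scope
            value += ', error="%s"' % error
    return 401, {'WWW-Authenticate': value}


def authenticate(req_headers):
    """Return (status, headers, user): 200 with the user, or 401 with a challenge."""
    h = {k.lower(): v for k, v in req_headers.items()}
    parsed = parse_authorization(h.get('authorization'))
    if parsed is None:
        status, hdrs = challenge()
        return status, hdrs, None
    scheme, creds = parsed

    if scheme == 'bearer':
        user = TOKENS.get(hashlib.sha256(creds.encode('utf-8')).hexdigest())
        if user:
            return 200, {}, user
        status, hdrs = challenge('Bearer', error='invalid_token')
        return status, hdrs, None

    if scheme == 'basic':
        pair = decode_basic(creds)
        if pair:
            user, password = pair
            # hash and compare even for unknown users so the response time
            # does not distinguish "no such user" from "wrong password"
            expected = USERS.get(user, DUMMY_HASH)
            got = hashlib.sha256(SALT + password.encode('utf-8')).hexdigest()
            if hmac.compare_digest(got, expected) and user in USERS:
                return 200, {}, user
        status, hdrs = challenge('Basic')
        return status, hdrs, None

    status, hdrs = challenge()  # unsupported scheme: advertise what we accept
    return status, hdrs, None


if __name__ == '__main__':
    print(authenticate({}))
    print(authenticate({'Authorization': basic_header('alice', 'correct horse')}))
    print(authenticate({'Authorization': 'Bearer nope'}))
```

The 401 for a wrong password repeats the Basic challenge without an error detail, while a bad bearer token gets error="invalid_token"; both are what clients expect from the respective RFCs, and neither reveals whether the username existed.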