
HTTP Headers Reference

Reference common HTTP request and response headers.

62 headers

  • Host

    Request

    The domain name (and optional port) of the server being requested. Required in HTTP/1.1; it lets one server host multiple sites.

    Host: example.com
  • User-Agent

    Request

    Identifies the client software — browser, version and platform — making the request.

    User-Agent: Mozilla/5.0 (X11; Linux x86_64)
  • Referer

    Request

    The address of the page that linked to the resource being requested. Misspelled in the original spec and kept that way.

    Referer: https://example.com/search
  • Referrer-Policy

    Response

    Controls how much of the referring URL is sent in the Referer header on outgoing requests.

    Referrer-Policy: strict-origin-when-cross-origin
  • Date

    Both

    The date and time at which the message was generated, in HTTP-date format.

    Date: Tue, 18 May 2026 09:00:00 GMT
  • Connection

    Both

    Controls whether the network connection stays open after the current transaction.

    Connection: keep-alive
  • Server

    Response

    Names the software the origin server uses to handle the request.

    Server: nginx/1.25.3
  • Location

    Response

    Used in redirects (3xx) and after creating a resource (201) to point the client at a URL.

    Location: https://example.com/new-path
  • Retry-After

    Response

    Tells the client how long to wait before retrying, after a 429 or 503 response.

    Retry-After: 120
  • Allow

    Response

    Lists the HTTP methods supported by the resource. Sent with a 405 Method Not Allowed response.

    Allow: GET, POST, HEAD
  • Upgrade

    Both

    Asks to switch the connection to a different protocol, such as upgrading HTTP to WebSocket.

    Upgrade: websocket
  • Via

    Both

    Records the proxies and gateways a message has passed through.

    Via: 1.1 cache.example.com
  • X-Forwarded-For

    Request

    A de facto standard set by proxies to record the original client IP address.

    X-Forwarded-For: 203.0.113.7
  • X-Request-ID

    Both

    A non-standard but widely used header carrying a unique identifier to correlate a request across services and logs.

    X-Request-ID: 9b2c4f1a-7e3d-4a
  • Accept

    Request

    Tells the server which media types the client can handle, so it can pick the best representation.

    Accept: text/html, application/json;q=0.9
  • Accept-Encoding

    Request

    Lists the content encodings (compression algorithms) the client supports.

    Accept-Encoding: gzip, br
  • Accept-Language

    Request

    Indicates the natural languages the client prefers for the response.

    Accept-Language: en-US, en;q=0.8
  • Accept-Charset

    Request

    Historically declared the character sets the client accepts. Largely obsolete — UTF-8 is now assumed.

    Accept-Charset: utf-8
  • Content-Type

    Both

    States the media type of the message body, and often its character set or boundary.

    Content-Type: application/json; charset=utf-8
  • Content-Length

    Both

    The size of the message body in bytes. Lets the recipient know when the body is complete.

    Content-Length: 3274
  • Content-Encoding

    Response

    Names the compression applied to the body, which the client must reverse before use.

    Content-Encoding: br
  • Content-Language

    Response

    Describes the natural language of the body, helping clients and crawlers.

    Content-Language: en-GB
  • Content-Disposition

    Response

    Indicates whether the body should be displayed inline or downloaded as an attachment, and suggests a filename.

    Content-Disposition: attachment; filename="report.pdf"
  • Content-Range

    Response

    Specifies which part of the full resource a 206 Partial Content body represents.

    Content-Range: bytes 0-1023/8192
  • Range

    Request

    Requests only part of a resource — used for resumable downloads and media seeking.

    Range: bytes=0-1023
  • Accept-Ranges

    Response

    Advertises whether the server supports range requests for the resource.

    Accept-Ranges: bytes
  • Transfer-Encoding

    Both

    Specifies the encoding used to safely transfer the body, most commonly chunked.

    Transfer-Encoding: chunked
  • Cache-Control

    Both

    The primary header for caching directives — max-age, no-cache, no-store, private, public and more.

    Cache-Control: public, max-age=3600
  • ETag

    Response

    An opaque identifier for a specific version of a resource, used to validate caches.

    ETag: "33a64df5"
  • Expires

    Response

    A date after which the response is considered stale. Cache-Control max-age takes priority if both are present.

    Expires: Wed, 19 May 2026 09:00:00 GMT
  • Last-Modified

    Response

    The date the resource was last changed, used by clients for conditional requests.

    Last-Modified: Mon, 17 May 2026 12:00:00 GMT
  • If-None-Match

    Request

    Sends a stored ETag so the server can reply 304 Not Modified if nothing changed.

    If-None-Match: "33a64df5"
  • If-Modified-Since

    Request

    Asks the server to send the resource only if it changed after the given date.

    If-Modified-Since: Mon, 17 May 2026 12:00:00 GMT
  • If-Match

    Request

    Makes a request conditional on the resource still matching a given ETag — used to prevent lost updates.

    If-Match: "33a64df5"
  • If-Unmodified-Since

    Request

    Makes the request conditional on the resource not having changed since the given date.

    If-Unmodified-Since: Mon, 17 May 2026 12:00:00 GMT
  • Age

    Response

    The time in seconds the response has been sitting in a proxy cache.

    Age: 84
  • Vary

    Response

    Lists request headers a cache must consider, so it does not serve a response negotiated for a different client.

    Vary: Accept-Encoding, Accept-Language
  • Pragma

    Request

    A legacy HTTP/1.0 caching header. Largely superseded by Cache-Control.

    Pragma: no-cache
  • Origin

    Request

    Names the origin that initiated a cross-origin request, without the path.

    Origin: https://app.example.com
  • Access-Control-Allow-Origin

    Response

    States which origin (or * for any) is allowed to read the response in a browser.

    Access-Control-Allow-Origin: https://app.example.com
  • Access-Control-Allow-Methods

    Response

    Lists the HTTP methods permitted for the resource, returned in answer to a preflight request.

    Access-Control-Allow-Methods: GET, POST, PUT
  • Access-Control-Allow-Headers

    Response

    Lists which request headers may be used in the actual cross-origin request.

    Access-Control-Allow-Headers: Content-Type, Authorization
  • Access-Control-Allow-Credentials

    Response

    Indicates whether the browser may expose the response when the request was made with credentials.

    Access-Control-Allow-Credentials: true
  • Access-Control-Max-Age

    Response

    How long, in seconds, a preflight result may be cached so repeated calls skip the preflight.

    Access-Control-Max-Age: 600
  • Access-Control-Expose-Headers

    Response

    Lists response headers that JavaScript is allowed to read in a cross-origin response.

    Access-Control-Expose-Headers: X-Request-ID
  • Access-Control-Request-Method

    Request

    Sent in a preflight request to ask whether a particular method is permitted.

    Access-Control-Request-Method: DELETE
  • Access-Control-Request-Headers

    Request

    Sent in a preflight request to ask whether particular headers are permitted.

    Access-Control-Request-Headers: Authorization
  • Content-Security-Policy

    Response

    Defines which sources of scripts, styles, images and other content the browser may load — the main defence against XSS.

    Content-Security-Policy: default-src 'self'
  • Strict-Transport-Security

    Response

    Tells the browser to use HTTPS only for this site for a set duration (HSTS).

    Strict-Transport-Security: max-age=63072000; includeSubDomains
  • X-Frame-Options

    Response

    Controls whether the page may be embedded in a frame, defending against clickjacking. CSP frame-ancestors is the modern replacement.

    X-Frame-Options: DENY
  • X-Content-Type-Options

    Response

    Set to nosniff to stop browsers from guessing a response’s content type, which prevents some attacks.

    X-Content-Type-Options: nosniff
  • X-XSS-Protection

    Response

    A legacy header that toggled a browser XSS filter. Deprecated — rely on Content-Security-Policy instead.

    X-XSS-Protection: 0
  • Cross-Origin-Resource-Policy

    Response

    Limits which origins may embed a resource, mitigating side-channel attacks.

    Cross-Origin-Resource-Policy: same-origin
  • Cross-Origin-Opener-Policy

    Response

    Isolates the browsing context group so a document does not share one with cross-origin pages.

    Cross-Origin-Opener-Policy: same-origin
  • Cross-Origin-Embedder-Policy

    Response

    Requires that all embedded resources opt in via CORS or CORP — needed for powerful features like SharedArrayBuffer.

    Cross-Origin-Embedder-Policy: require-corp
  • Permissions-Policy

    Response

    Controls which browser features and APIs (camera, geolocation, etc.) a page and its frames may use.

    Permissions-Policy: geolocation=(), camera=()
  • Cookie

    Request

    Sends previously stored cookies back to the server with each request.

    Cookie: session=abc123; theme=dark
  • Set-Cookie

    Response

    Instructs the browser to store a cookie, with optional attributes like Secure, HttpOnly and SameSite.

    Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Lax
  • Authorization

    Request

    Carries credentials to authenticate the client — for example a Bearer token or Basic credentials.

    Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...
  • WWW-Authenticate

    Response

    Sent with a 401 response to tell the client which authentication scheme to use.

    WWW-Authenticate: Bearer realm="api"
  • Proxy-Authorization

    Request

    Carries credentials to authenticate the client with a proxy server.

    Proxy-Authorization: Basic dXNlcjpwYXNz
  • Proxy-Authenticate

    Response

    Sent with a 407 response to tell the client how to authenticate with the proxy.

    Proxy-Authenticate: Basic realm="proxy"

How to use HTTP Headers Reference

What this tool does

This is a searchable reference for the HTTP headers you meet every day. It covers more than sixty common request and response headers across the areas that matter most: content negotiation (Accept, Content-Type and the rest of the Content-* family), caching (Cache-Control, ETag, Expires, Last-Modified), CORS (the full Access-Control-* set plus Origin), security (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options and more), cookies, and authentication. For each header you see its name, its direction — Request, Response or Both — a plain description of what it does, and a realistic example value you can copy.

Why you might need it

HTTP headers are where a surprising amount of web behaviour is decided, yet they are easy to get subtly wrong. A missing Vary header makes a cache serve the wrong language to half your users. A Cache-Control directive that is too aggressive freezes a stale asset for a year. A CORS call fails and the browser console only hints at which Access-Control-* header is absent. Security headers are their own minefield: Content-Security-Policy has a dense syntax, and Strict-Transport-Security is effectively irreversible once a browser has seen it. Whether you are configuring a server, debugging a fetch in DevTools, or reviewing an API, having every header’s purpose and a correct example one search away saves real time.

How to use it

  1. Type into the search box to filter by header name or by a keyword in the description — cors, cache, or auth all narrow the list.
  2. Use the Direction buttons to show only request or only response headers; headers valid in both directions always remain visible.
  3. Use the Category buttons — General, Content, Caching, CORS, Security, Cookies, Auth — to jump straight to one area.
  4. Read the description to confirm the header fits your case.
  5. Copy the example value from any card with one click, then adapt it for your own configuration.
  6. Click Clear filters to reset the search, direction and category together.

Common pitfalls

The most frequent mistake is treating * in Access-Control-Allow-Origin as a blanket fix. A wildcard origin cannot be combined with credentialed requests — if you also need Access-Control-Allow-Credentials: true, you must echo the specific origin instead. Caching trips people up too: setting only Expires without Cache-Control leaves behaviour to chance, and forgetting Vary causes a CDN to mix up compressed and uncompressed, or differently negotiated, responses. On the security side, remember that Strict-Transport-Security with a long max-age is hard to undo, so test with a short value first. And X-XSS-Protection is deprecated — setting it to anything other than 0 can introduce bugs; rely on Content-Security-Policy instead.

Tips and advanced use

Treat security headers as a baseline for every site, not an afterthought: Content-Security-Policy, X-Content-Type-Options: nosniff, Strict-Transport-Security, and a sensible Referrer-Policy cost nothing and close whole classes of attack. For performance, pair ETag or Last-Modified with conditional requests so unchanged resources return a tiny 304 instead of a full body, and use Cache-Control: immutable on fingerprinted assets. When a cross-origin call misbehaves, open the Network tab and inspect the OPTIONS preflight first — the Access-Control-Allow-* headers on that response tell you exactly what the server permits. Because this whole reference is rendered and filtered inside your browser, you can keep it open beside your editor: it loads once, needs no connection afterward, and never transmits anything you type.
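How the conditional-request flow mentioned above looks on the server side, as an added example that is not ToolJutsu's own code: the resource body and its modification time are constructed, the ETag is a hash of the body, and a matching If-None-Match (or, when no ETag is sent, If-Modified-Since) produces a 304 with the validators repeated and no body. The comparison follows the weak-validator rules, so a `W/` prefix and `*` are handled rather than compared as raw strings.

```python
"""Conditional GET handling with ETag and Last-Modified validators.

Added example, not ToolJutsu's own code. RESOURCE_BODY, RESOURCE_MTIME and
the requests in __main__ are constructed; the ETag is a hash of the body.
"""
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

RESOURCE_BODY = b'{"status":"ok","items":[1,2,3]}'
RESOURCE_MTIME = datetime(2026, 5, 17, 12, 0, tzinfo=timezone.utc)
CACHE_POLICY = "public, max-age=3600"


def strong_etag(body):
    # A content hash is a strong validator: any byte change yields a new tag.
    return '"%s"' % hashlib.sha256(body).hexdigest()[:16]


def resource_validators():
    """The ETag and Last-Modified values the server advertises for the resource."""
    return strong_etag(RESOURCE_BODY), format_datetime(RESOURCE_MTIME, usegmt=True)


def etag_matches(if_none_match, current):
    """If-None-Match uses weak comparison: a W/ prefix on either side is
    ignored, and '*' matches any current representation."""
    def weak(tag):
        tag = tag.strip()
        return tag[2:] if tag.startswith("W/") else tag
    if if_none_match.strip() == "*":
        return True
    return any(weak(t) == weak(current) for t in if_none_match.split(","))


def respond(request_headers):
    """Return (status, headers, body) for a GET of the constructed resource."""
    req = {k.lower(): v for k, v in request_headers.items()}
    etag, last_modified = resource_validators()
    common = {"ETag": etag, "Last-Modified": last_modified, "Cache-Control": CACHE_POLICY}

    not_modified = False
    if "if-none-match" in req:
        # When both validators are sent, If-None-Match decides and
        # If-Modified-Since is ignored.
        not_modified = etag_matches(req["if-none-match"], etag)
    elif "if-modified-since" in req:
        try:
            since = parsedate_to_datetime(req["if-modified-since"])
            not_modified = RESOURCE_MTIME <= since
        except (TypeError, ValueError):
            not_modified = False  # unparsable or naive date: treat as absent

    if not_modified:
        # 304 repeats the validators and caching headers but carries no body,
        # which is what makes the revalidation round-trip cheap.
        return 304, common, b""
    full = dict(common, **{"Content-Type": "application/json",
                           "Content-Length": str(len(RESOURCE_BODY))})
    return 200, full, RESOURCE_BODY


if __name__ == "__main__":
    etag, last_modified = resource_validators()
    print(respond({}))                                   # 200 with body
    print(respond({"If-None-Match": etag}))              # 304, empty body
    print(respond({"If-Modified-Since": last_modified})) # 304, empty body
```

The 304 path deliberately re-sends ETag, Last-Modified and Cache-Control: a cache that revalidated a stale entry uses those headers to refresh it, so omitting them would make the next request revalidate again.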

Frequently asked questions

What does the direction label on each header mean?
Request means the header is sent by the client to the server, Response means it is sent by the server back to the client, and Both means it can legitimately appear in either. Filtering by direction helps you find only the headers relevant to the side you are working on.
What is the difference between Cache-Control and Expires?
Both control how long a response can be cached, but Cache-Control is the modern, more flexible header and uses a relative max-age in seconds. Expires gives an absolute date. When both are present, Cache-Control max-age wins, so Expires is mainly a fallback for very old clients.
Which headers matter most for security?
Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options and X-Frame-Options are the core defensive headers. CSP limits where scripts and other content can load from, HSTS forces HTTPS, nosniff stops content-type guessing, and X-Frame-Options blocks clickjacking. The Cross-Origin-* trio adds modern isolation.
Why do CORS requests sometimes send a preflight?
Browsers send an OPTIONS preflight before certain cross-origin requests — those using methods beyond GET, POST or HEAD, or custom headers. The server answers with Access-Control-Allow-Methods and Access-Control-Allow-Headers, and the browser only proceeds if the actual request is permitted.
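
A server-side implementation of the CORS rules described in the Common pitfalls section and in this answer, as an added example (not ToolJutsu's code, which runs only in the browser): it echoes an allowlisted origin instead of a wildcard whenever credentials are involved, always sends Vary: Origin, and answers an OPTIONS preflight by checking Access-Control-Request-Method and Access-Control-Request-Headers against what the server permits. The origin allowlist, the permitted methods and headers, and the sample requests are constructed.

```python
"""CORS header logic for a credentialed API behind an origin allowlist.

Added example, not ToolJutsu's own code. ALLOWED_ORIGINS, ALLOWED_METHODS,
ALLOWED_HEADERS and the sample requests in __main__ are all constructed.
"""

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")
ALLOWED_HEADERS = ("Content-Type", "Authorization")
PREFLIGHT_MAX_AGE = 600  # seconds a browser may cache the preflight result


def cors_headers(method, request_headers, allow_credentials=True):
    """Return (status, headers) for the CORS part of a response.

    status is 204 for an accepted preflight, 403 for a rejected one, and
    None when the caller should continue with its normal response.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin")
    preflight = method == "OPTIONS" and "access-control-request-method" in req
    # The answer depends on Origin, so caches must key on it: without Vary a
    # shared cache could replay one origin's Allow-Origin value to another.
    out = {"Vary": "Origin"}

    if not allow_credentials:
        # Public, non-credentialed data: a wildcard is acceptable here.
        out["Access-Control-Allow-Origin"] = "*"
    elif origin in ALLOWED_ORIGINS:
        # Credentialed: '*' is not allowed, so echo the allowlisted origin.
        out["Access-Control-Allow-Origin"] = origin
        out["Access-Control-Allow-Credentials"] = "true"
    else:
        # Unknown or missing Origin: send no Allow-* headers. The browser then
        # refuses the cross-origin read; a preflight is rejected outright.
        return (403 if preflight else None), out

    if preflight:
        wanted_method = req["access-control-request-method"].strip().upper()
        wanted_headers = {
            h.strip().lower()
            for h in req.get("access-control-request-headers", "").split(",")
            if h.strip()
        }
        allowed_lower = {h.lower() for h in ALLOWED_HEADERS}
        if wanted_method not in ALLOWED_METHODS or not wanted_headers <= allowed_lower:
            return 403, out
        out["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        out["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        out["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
        return 204, out

    return None, out


if __name__ == "__main__":
    # Constructed sample requests: a credentialed GET and the preflight that
    # precedes a DELETE carrying an Authorization header.
    print(cors_headers("GET", {"Origin": "https://app.example.com"}))
    print(cors_headers("OPTIONS", {
        "Origin": "https://app.example.com",
        "Access-Control-Request-Method": "DELETE",
        "Access-Control-Request-Headers": "Authorization",
    }))
```

Note that a disallowed origin gets no Access-Control-Allow-Origin at all rather than an error on the actual request: the resource is still served to same-origin and non-browser clients, and it is the browser that withholds the response from cross-origin script.
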
Is anything I search here sent to a server?
No. The full header reference is bundled into the page and filtered entirely in your browser. The search box, direction and category filters all run locally, so the tool keeps working even with no network connection.
