TLDR reference
HTTP headers
A searchable reference for the request and response headers you actually meet, each with a one-line meaning and example. Type to search, or filter by purpose. Everything runs in your browser.
42 shown
-
Content-Type
BothContent-Type: application/json; charset=utf-8
The media type of the body, so the recipient knows how to parse it. Add charset for text.
-
Content-Length
BothContent-Length: 3495
The size of the body in bytes, letting the recipient know when it has read the whole thing.
-
Content-Encoding
ResponseContent-Encoding: gzip
The compression applied to the body, which the client must reverse before reading it.
-
Content-Disposition
ResponseContent-Disposition: attachment; filename="report.pdf"
Whether to show the body inline or download it as a file, with an optional filename.
-
Accept
RequestAccept: application/json, text/plain
Which media types the client can handle, so the server can pick the best one to return.
-
Accept-Encoding
RequestAccept-Encoding: gzip, br
Which compression algorithms the client supports, letting the server compress the response.
-
Accept-Language
RequestAccept-Language: en-US, en;q=0.8
The languages the client prefers, used for content negotiation of localized responses.
-
Cache-Control
BothCache-Control: public, max-age=3600
The caching policy: how long a response stays fresh and who may store it.
-
Age
ResponseAge: 120
How many seconds ago the response was generated, added by a shared cache that served it.
-
Expires
ResponseExpires: Wed, 21 Oct 2026 07:28:00 GMT
An absolute date after which the response is stale. Older than Cache-Control, which overrides it.
-
Vary
ResponseVary: Accept-Encoding
Which request headers a cache must factor in, so it does not serve the wrong variant.
-
ETag
ResponseETag: "33a64df5"
An opaque version identifier for the resource, used to validate a cached copy.
-
Last-Modified
ResponseLast-Modified: Tue, 15 Nov 2025 12:45:26 GMT
When the resource last changed, a fallback validator when there is no ETag.
-
If-None-Match
RequestIf-None-Match: "33a64df5"
Sends a saved ETag back; the server replies 304 if it still matches, saving the download.
-
If-Modified-Since
RequestIf-Modified-Since: Tue, 15 Nov 2025 12:45:26 GMT
Asks for the body only if it changed after this date, otherwise the server returns 304.
-
If-Match
RequestIf-Match: "33a64df5"
Proceeds only if the resource still has this ETag, preventing a lost update on write.
-
Accept-Ranges
ResponseAccept-Ranges: bytes
Advertises that the server supports range requests, enabling resumable downloads.
-
Range
RequestRange: bytes=0-1023
Asks for only part of the resource, used to resume a download or stream media.
-
Content-Range
ResponseContent-Range: bytes 0-1023/146515
Which byte range this partial body covers, and the total size, in a 206 response.
-
Authorization
RequestAuthorization: Bearer eyJhbGciOi...
Carries the credentials that authenticate the request, such as a bearer token.
-
WWW-Authenticate
ResponseWWW-Authenticate: Bearer realm="api"
Sent with a 401 to tell the client which authentication scheme to use.
-
Proxy-Authorization
RequestProxy-Authorization: Basic dXNlcjpwYXNz
Credentials for an intermediate proxy rather than the origin server.
-
Set-Cookie
ResponseSet-Cookie: session=abc123; HttpOnly; Secure; SameSite=Lax
Asks the browser to store a cookie, with attributes for scope, lifetime, and security.
-
Cookie
RequestCookie: session=abc123; theme=dark
Sends the cookies the browser has stored for this site back to the server.
-
Origin
RequestOrigin: https://app.example.com
The origin the request came from, sent on cross-origin and preflight requests.
-
Access-Control-Allow-Origin
ResponseAccess-Control-Allow-Origin: https://app.example.com
Which origin may read the response. The key CORS header; * allows any origin.
-
Access-Control-Allow-Methods
ResponseAccess-Control-Allow-Methods: GET, POST, PUT
Which HTTP methods are permitted, returned in answer to a preflight request.
-
Access-Control-Allow-Headers
ResponseAccess-Control-Allow-Headers: Content-Type, Authorization
Which request headers the browser may send on the real cross-origin request.
-
Strict-Transport-Security
ResponseStrict-Transport-Security: max-age=63072000; includeSubDomains
Forces HTTPS for future visits for the given duration, defeating downgrade attacks.
-
Content-Security-Policy
ResponseContent-Security-Policy: default-src 'self'
Restricts where scripts, styles, and other resources may load from. The best defence against XSS.
-
X-Content-Type-Options
ResponseX-Content-Type-Options: nosniff
nosniff stops the browser guessing a content type other than the declared one.
-
X-Frame-Options
ResponseX-Frame-Options: DENY
Controls whether the page may be embedded in a frame, mitigating clickjacking.
-
Referrer-Policy
ResponseReferrer-Policy: strict-origin-when-cross-origin
How much of the referring URL is shared when the user follows a link away.
-
Connection
BothConnection: keep-alive
Whether the TCP connection stays open for reuse. Deprecated in HTTP/2 and later.
-
Upgrade
BothUpgrade: websocket
Requests switching to another protocol on the same connection, such as WebSocket.
-
Transfer-Encoding
ResponseTransfer-Encoding: chunked
How the body is encoded for transfer; chunked streams it without a known length.
-
Host
RequestHost: www.example.com
The domain (and port) being requested. Required in HTTP/1.1 so one server can host many sites.
-
User-Agent
RequestUser-Agent: Mozilla/5.0 (Macintosh; ...)
Identifies the client software making the request - browser, bot, or library.
-
Referer
RequestReferer: https://example.com/search
The page the request came from. Famously misspelled in the original spec.
-
Location
ResponseLocation: https://example.com/articles/42
Where to go next: the new URL for a redirect, or the URL of a freshly created resource.
-
Retry-After
ResponseRetry-After: 120
How long to wait before retrying, sent with a 429 or 503.
-
X-Forwarded-For
RequestX-Forwarded-For: 203.0.113.7
The original client IP, added by a proxy or load balancer in front of the server.
No headers match your search.
How it works
A searchable reference for the HTTP headers you actually meet, each with a one-line meaning and a realistic example value. Headers are the metadata that travels alongside every request and response - they control caching, content negotiation, authentication, CORS, cookies, security policy, and more. Type to search by name or meaning, or use the chips to browse just the request headers, the caching headers, or the security headers.
Each card names the header, says whether it rides on the request, the response, or both, explains what it does in plain language, and shows a sample value so you know the shape to expect. It covers the everyday ones like Content-Type, Authorization, Cache-Control, and Set-Cookie alongside the security headers such as Strict-Transport-Security and Content-Security-Policy that are easy to forget. Everything is static and runs in your browser, so the lookup is instant and works offline once loaded.
Example. Searching "cache" lines up Cache-Control, ETag, and Last-Modified so you can see how the response advertises freshness and how the conditional request headers If-None-Match and If-Modified-Since ask "has this changed?" in return. Filtering by the Security chip groups Strict-Transport-Security, Content-Security-Policy, and X-Content-Type-Options together.
FAQ
What is the difference between a request header and a response header?
Request headers are sent by the client and describe the request or the client itself - Accept says which formats it can handle, Authorization carries credentials, User-Agent identifies the browser. Response headers are sent by the server and describe the response or the server - Content-Type states the format being returned, Set-Cookie stores state, Cache-Control tells the client how long it may reuse the body. Some headers, such as Content-Type and Content-Length, appear in both directions because they describe whichever body they accompany.
How do caching headers actually work together?
Cache-Control sets the policy: max-age says how many seconds a response stays fresh, no-cache forces revalidation, and private or public say who may store it. Once a cached copy goes stale, the validators take over: the client sends back the saved ETag in an If-None-Match header (or the saved date in If-Modified-Since), and if nothing changed the server replies 304 Not Modified with no body, saving the download. Together they let a browser reuse content safely without refetching it every time.
Which headers improve security?
A handful of response headers harden a site. Strict-Transport-Security forces HTTPS for future visits. Content-Security-Policy restricts where scripts, styles, and other resources may load from, which is the strongest defence against cross-site scripting. X-Content-Type-Options: nosniff stops the browser guessing a different content type. The CORS family, led by Access-Control-Allow-Origin, governs which other origins may read a response. Setting these is one of the cheapest ways to reduce a site attack surface.
Are custom headers still prefixed with X-?
Not any more. The old convention of prefixing non-standard headers with X- (as in X-Forwarded-For) was deprecated back in 2012, because a header that becomes popular then either keeps a confusing X- forever or breaks compatibility when the prefix is dropped. New custom headers should simply use a clear, descriptive name without the prefix. Plenty of X- headers survive for historical reasons, so this reference still lists the common ones you will encounter in the wild.