HTTP Headers Reference

HTTP headers reference — request and response headers explained. Content-Type, Authorization, Cache-Control, CORS, Accept, Set-Cookie. What each header does and when to use it.


What it is

A reference for common HTTP headers and their purpose, invaluable for debugging web applications, understanding client-server interactions, and customizing HTTP requests/responses.

Installation

This is a reference document, not a software tool. No installation is required.

Core Concepts

HTTP headers are key-value pairs sent in the request or response messages. They provide metadata about the message body, the client, the server, and the transaction itself.

Commands / Usage

Request Headers (Sent by Client)

General Headers

  • Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Indicates which content types the client can understand. q values specify preference.
  • Accept-Encoding: gzip, deflate, br
    Indicates which content encoding algorithms the client supports.
  • Accept-Language: en-US,en;q=0.5
    Indicates the natural languages preferred by the client.
  • Authorization: Basic dXNlcjpwYXNzd29yZA==
    Contains credentials for authenticating the client with the server. Basic is a common scheme; its value is only base64-encoded, not encrypted, so it must only be sent over HTTPS.
  • Cache-Control: no-cache, no-store, must-revalidate
    Specifies caching directives; the header is used in both requests and responses.
  • Connection: keep-alive
    Controls whether the network connection stays open after the current transaction completes.
  • Cookie: sessionid=abcdef123456; csrftoken=zyxwvu987654
    Contains cookies previously set by the server.
  • DNT: 1
    "Do Not Track" signal indicating that the user does not want to be tracked.
  • Host: www.example.com
    Specifies the domain name of the server (required for virtual hosting).
  • If-Modified-Since: Tue, 15 Nov 1994 12:45:26 GMT
    Used for conditional requests; the server sends the full response only if the resource has changed since this date, and otherwise replies 304 Not Modified.
  • Origin: https://www.example.com
    Indicates the web origin from which the request was initiated.
  • Referer: https://www.example.com/previous-page
    The address of the previous web page from which a link to the currently requested page was followed.
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
    A characteristic string that identifies the user agent (browser, crawler, etc.). It is chosen freely by the client and must not be relied on for security decisions.

Request Body Headers

  • Content-Length: 1234
    The size of the request message body, in bytes.
  • Content-Type: application/json
    The media type of the body of the request message.

Response Headers (Sent by Server)

General Headers

  • Access-Control-Allow-Origin: https://www.example.com
    Indicates whether the response can be shared with requesting code from the given origin (CORS). The wildcard * is permitted for public resources but cannot be combined with credentialed requests.
  • Connection: close
    Indicates that the network connection will be closed after the transaction is complete.
  • Date: Tue, 15 Nov 1994 08:12:31 GMT
    The date and time at which the message was originated.
  • Server: Apache/2.4.52 (Ubuntu)
    Contains information about the software used by the origin server to handle the request. Many deployments trim the version to avoid advertising exactly what they run.
  • Transfer-Encoding: chunked
    Specifies that the message body is being sent as a sequence of chunks.

Response Body Headers

  • Content-Encoding: gzip
    Indicates that the resource is encoded and that this encoding must be reversed when decoding the entity body.
  • Content-Length: 5678
    The size of the response message body, in bytes.
  • Content-Type: application/json; charset=utf-8
    The media type of the body of the response message. charset specifies the character encoding.

Caching Headers

  • ETag: "33a64df551425f054c1469139ab87f11"
    An identifier for a specific version of a resource, often used for cache validation (sent back by the client in If-None-Match).
  • Expires: Wed, 21 Oct 2015 07:28:00 GMT
    A date/time after which the response is considered stale.
  • Last-Modified: Mon, 14 Nov 1994 12:30:00 GMT
    The date and time at which the origin server believes the resource was last modified (sent back by the client in If-Modified-Since).
  • Vary: Accept-Encoding, User-Agent
    Indicates that the selection of a cached response depends on the values of the specified request headers.
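The server side of the validation described above, as an added example that is not part of this reference: a conditional request is answered with 304 when the client's copy is current. If-None-Match is checked first (it takes precedence over If-Modified-Since), the ETag comparison ignores a W/ weak prefix, and header lookup is case-insensitive. The resource metadata reuses the ETag and Last-Modified sample values from the lists above.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed resource metadata, reusing the sample values shown above.
ETAG = '"33a64df551425f054c1469139ab87f11"'
LAST_MODIFIED = datetime(1994, 11, 14, 12, 30, tzinfo=timezone.utc)


def get_header(headers, name):
    """Case-insensitive lookup: header names are case-insensitive, values are not."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def etag_matches(if_none_match, etag):
    """Weak comparison: drop any W/ prefix; '*' matches whatever ETag is current."""
    if if_none_match.strip() == "*":
        return True
    tags = [tag.strip().removeprefix("W/") for tag in if_none_match.split(",")]
    return etag.removeprefix("W/") in tags


def validate(request_headers, etag=ETAG, last_modified=LAST_MODIFIED):
    """Return (status, validator headers); 304 when the client's copy is current."""
    validators = {"ETag": etag,
                  "Last-Modified": format_datetime(last_modified, usegmt=True)}
    if_none_match = get_header(request_headers, "If-None-Match")
    if_modified_since = get_header(request_headers, "If-Modified-Since")
    if if_none_match is not None:
        # An entity-tag precondition wins; If-Modified-Since is then ignored.
        not_modified = etag_matches(if_none_match, etag)
    elif if_modified_since is not None:
        try:
            not_modified = last_modified <= parsedate_to_datetime(if_modified_since)
        except (TypeError, ValueError):
            not_modified = False  # unparseable date: treat the precondition as absent
    else:
        not_modified = False
    return (304 if not_modified else 200), validators


if __name__ == "__main__":
    print(validate({"if-modified-since": "Tue, 15 Nov 1994 12:45:26 GMT"}))
```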

Redirection Headers

  • Location: https://www.example.com/new-location
    Used in responses to requests for resources that have been moved to a different URI.

Client-Side Control Headers

  • Set-Cookie: sessionid=abcdef123456; HttpOnly; Secure; SameSite=Lax
    Used by the server to send a cookie to the client. HttpOnly, Secure, and SameSite are important security attributes.

Security Headers

  • Content-Security-Policy: default-src 'self'; script-src 'self' https://apis.google.com
    Defines a set of rules that a browser must follow for content loaded by a page.
  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Instructs browsers to only connect to the server using HTTPS for max-age seconds.
  • X-Content-Type-Options: nosniff
    Tells the browser to trust the declared Content-Type rather than MIME-sniffing the body to guess a different one.
  • X-Frame-Options: DENY
    Specifies whether the page can be displayed in a <frame>, <iframe>, <embed>, or <object>. The CSP frame-ancestors directive is the modern replacement and takes precedence where both are present.
  • X-XSS-Protection: 1; mode=block
    Enables the browser's built-in cross-site scripting (XSS) filter. This header is deprecated and current browsers have removed the filter; rely on Content-Security-Policy instead.
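An audit of a captured response against the security headers listed above and the Set-Cookie attributes from the previous section, as an added example that is not part of this reference. Both header sets are constructed; the "good" one reuses the sample values shown above, and the 31536000-second HSTS threshold is an assumption you can adjust.

```python
import re

# Constructed response header sets (the good one reuses the sample values above).
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://apis.google.com",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Set-Cookie": "sessionid=abcdef123456; HttpOnly; Secure; SameSite=Lax",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "X-XSS-Protection": "1; mode=block",
    "Set-Cookie": ["sessionid=abcdef123456; SameSite=None", "csrftoken=zyxwvu987654; Secure; HttpOnly"],
}


def audit_security_headers(headers, min_hsts_age=31536000):
    """Return a list of findings (empty = all checks passed); Set-Cookie may be a str or a list."""
    h = {name.lower(): value for name, value in headers.items()}  # names are case-insensitive
    findings = []
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not age:
        findings.append("missing Strict-Transport-Security")
    else:
        if int(age.group(1)) < min_hsts_age:
            findings.append(f"HSTS max-age {age.group(1)} below {min_hsts_age}")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no framing control (X-Frame-Options or CSP frame-ancestors)")
    if "x-xss-protection" in h:
        findings.append("X-XSS-Protection is deprecated; rely on CSP instead")
    cookies = h.get("set-cookie", [])
    for cookie in [cookies] if isinstance(cookies, str) else cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]  # attributes are case-insensitive
        for flag in ("HttpOnly", "Secure"):
            if flag.lower() not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"cookie {name} lacks SameSite")
        elif "samesite=none" in attrs and "secure" not in attrs:
            findings.append(f"cookie {name} uses SameSite=None without Secure")
    return findings
```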

Common Patterns

  • Checking a specific header with curl:
    curl -I https://www.example.com
    Fetches only the headers from the server’s response.
  • Sending a custom header with curl:
    curl -H "X-Custom-Header: MyValue" https://api.example.com/data
    Adds a custom header to the request.
  • Inspecting request headers in a web browser: Open your browser’s developer tools (usually F12), navigate to the "Network" tab, and select a request. The "Headers" section will show both request and response headers.
  • Using curl to simulate a specific User-Agent:
    curl -A "MyCustomBot/1.0" https://www.example.com/feed.xml
    Identifies your request as a specific bot.
  • Sending authentication credentials with curl:
    curl -u "username:password" https://api.example.com/protected
    Uses Basic Authentication. Equivalent to -H "Authorization: Basic base64(username:password)".
  • Checking cacheability of a resource:
    curl -I https://www.example.com/static/image.png
    Look for Cache-Control, Expires, ETag, and Last-Modified headers.

Gotchas

  • Case Insensitivity: While header names are case-insensitive according to RFCs, values are often case-sensitive. It’s best practice to treat header names as case-insensitive and values as case-sensitive.
  • Content-Type vs. Accept: Content-Type describes the body of the message being sent (request or response). Accept describes what the client is willing to receive.
  • Content-Length vs. Transfer-Encoding: If Transfer-Encoding is present, Content-Length must be ignored. chunked is a common value for Transfer-Encoding. Because a proxy and an origin server that apply this rule differently would read different message boundaries, a hardened server should reject messages that carry both headers.
  • CORS (Access-Control-Allow-Origin): If a web page makes a cross-origin request (e.g., from http://localhost:8080 to https://api.example.com), the server must include Access-Control-Allow-Origin in its response headers for the browser to expose the response to the page.
  • Set-Cookie Security Attributes:
    • HttpOnly: Prevents JavaScript from accessing the cookie.
    • Secure: Ensures the cookie is only sent over HTTPS.
    • SameSite: Controls when cookies are sent with cross-site requests (e.g., Strict, Lax, None).
  • Referer Header: The Referer header is not always sent for security or privacy reasons (e.g., navigating from HTTPS to HTTP, or if explicitly blocked by browser settings). Its spelling is a historical typo that has become standard.
  • Host Header: Essential for HTTP/1.1 and later, especially with virtual hosting where a single IP address serves multiple websites. Requests without a Host header are often rejected.
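The framing rule from the Content-Length vs. Transfer-Encoding gotcha above, applied in code, together with a decoder for the chunked coding described under Transfer-Encoding. This is an added example, not code from this reference; the sample chunked body is constructed, and the decision to refuse a message carrying both headers is the defensive choice discussed above rather than what the RFC strictly requires.

```python
def body_framing(headers):
    """Decide how an HTTP/1.1 message body is delimited.
    Returns ("chunked", None), ("length", n) or ("none", 0)."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    transfer_encoding = h.get("transfer-encoding")
    content_length = h.get("content-length")
    if transfer_encoding is not None and content_length is not None:
        # Transfer-Encoding would win per the RFC, but two hops applying the rule
        # differently would read different bodies, so refuse the message outright.
        raise ValueError("both Transfer-Encoding and Content-Length present")
    if transfer_encoding is not None:
        if transfer_encoding.lower().split(",")[-1].strip() != "chunked":
            raise ValueError("final transfer coding must be chunked")
        return ("chunked", None)
    if content_length is not None:
        if not content_length.isdigit():
            raise ValueError("Content-Length must be a non-negative integer")
        return ("length", int(content_length))
    return ("none", 0)


def decode_chunked(data):
    """Decode a chunked body: a hex size line, that many bytes, CRLF, repeated,
    terminated by a zero-size chunk. Malformed input raises ValueError."""
    out, pos = bytearray(), 0
    while True:
        line_end = data.index(b"\r\n", pos)
        size = int(data[pos:line_end].split(b";")[0], 16)  # chunk extensions ignored
        pos = line_end + 2
        if size == 0:
            return bytes(out)  # trailer fields after the last chunk are not parsed here
        out += data[pos:pos + size]
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += size + 2


# Constructed sample body (not from the reference): two chunks, then the terminator.
SAMPLE_CHUNKED_BODY = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"

if __name__ == "__main__":
    print(body_framing({"Transfer-Encoding": "chunked"}), decode_chunked(SAMPLE_CHUNKED_BODY))
```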