Was sind HTTP-Header und warum sind sie wichtig?

HTTP-Header sind Schlüssel-Wert-Paare, die mit jeder HTTP-Anfrage und -Antwort gesendet werden. Sie übertragen Metadaten über die Kommunikation: Authentifizierungsdaten, Inhaltstyp, Caching-Anweisungen, CORS-Richtlinien, Cookies und mehr. Header ermöglichen Servern und Clients die Verhandlung über Datenaustausch, ohne alles in URL oder Body zu kodieren.

Was ist der Unterschied zwischen Anfrage- und Antwort-Headern?

Anfrage-Header werden vom Client (Browser/App) an den Server gesendet — Beispiele: Accept, Authorization, Content-Type, Cookie. Antwort-Header werden vom Server zurück an den Client gesendet — Beispiele: Set-Cookie, Cache-Control, Content-Encoding, Location. Einige Header (wie Content-Type) sind in beiden Richtungen gültig.

Wofür wird der Content-Type-Header verwendet?

Content-Type deklariert den Medientyp des Anfrage- oder Antwort-Bodys. Zum Beispiel `application/json` für JSON-Daten, `text/html` für HTML-Seiten, `multipart/form-data` für Datei-Uploads. Server verwenden es zum korrekten Parsen des Bodys; Browser zum angemessenen Rendern des Inhalts. Ein falscher Content-Type ist eine häufige Quelle von API-Fehlern.

Was sind CORS-Header und warum sind sie wichtig?

CORS-Header (Cross-Origin Resource Sharing) steuern, ob Webseiten Anfragen an eine andere Domain senden können. Wichtige Header: `Access-Control-Allow-Origin` (welche Origins zugreifen dürfen), `Access-Control-Allow-Methods` (erlaubte HTTP-Methoden), `Access-Control-Allow-Headers` (erlaubte benutzerdefinierte Header). Ohne ordnungsgemäße CORS-Header blockieren Browser Cross-Origin-Anfragen aus Sicherheitsgründen.

Was ist der Authorization-Header und wie ist er aufgebaut?

Der Authorization-Header trägt Anmeldedaten für die HTTP-Authentifizierung. Gängige Schemas: `Basic base64(user:password)` für Basic Auth, `Bearer ` für OAuth 2.0/JWT-Tokens, `Digest` für Digest-Authentifizierung. Das Format ist immer `Authorization: `. Dieser Header wird typischerweise bei jeder API-Anfrage gesetzt, die Authentifizierung erfordert.

HTTP-Header-Referenz

Durchsuchbare Referenztabelle für HTTP-Anfrage- und Antwort-Header.

Header	Typ	Kategorie	Beschreibung
Accept	Request	Content Negotiation	Media types acceptable for the response (e.g. text/html, application/json).
Accept-Charset	Request	Content Negotiation	Character sets acceptable for the response.
Accept-Encoding	Request	Content Negotiation	Encoding algorithms the client supports (e.g. gzip, deflate, br).
Accept-Language	Request	Content Negotiation	Natural languages preferred for the response (e.g. en-US, fr).
Authorization	Request	Authentication	Credentials for authenticating the client with the server (e.g. Bearer token).
Cookie	Request	State	HTTP cookies previously set by the server, sent back with each request.
Expect	Request	Request Control	Indicates that particular server behaviors are required by the client (e.g. 100-continue).
Host	Request	Request Target	Domain name and port number of the server being addressed. Required in HTTP/1.1.
If-Match	Request	Conditional	Makes the request conditional based on matching ETag values.
If-Modified-Since	Request	Conditional	Makes the request conditional based on modification date.
If-None-Match	Request	Conditional	Makes the request conditional based on non-matching ETag values.
If-Unmodified-Since	Request	Conditional	Makes the request conditional on the resource not being modified since the given date.
Origin	Request	CORS	Indicates the origin from which the cross-site request is initiated.
Proxy-Authorization	Request	Authentication	Credentials for authenticating with a proxy server.
Range	Request	Partial Requests	Requests only part of a resource (e.g. bytes=0-1023 for the first 1 KB).
Referer	Request	Request Context	URL of the page from which the request originated.
TE	Request	Transfer Encoding	Specifies transfer encodings the client is willing to accept.
User-Agent	Request	Request Context	Contains information about the client software making the request.
X-Forwarded-For	Request	Proxies	Identifies the originating IP address when the request passes through proxies.
X-Requested-With	Request	Custom	Commonly used to identify Ajax requests (value: XMLHttpRequest).
Accept-Ranges	Response	Partial Requests	Indicates if the server supports range requests (bytes or none).
Age	Response	Caching	Time in seconds the object has been stored in a proxy cache.
Allow	Response	Request Methods	HTTP methods allowed for the requested resource (used in 405 responses).
Content-Disposition	Response	Response Body	Indicates whether content should be displayed inline or as a file download.
Content-Encoding	Response	Response Body	Encoding applied to the response body (e.g. gzip, br).
Content-Language	Response	Content Negotiation	Natural language(s) of the response body.
Content-Length	Response	Response Body	Size of the response body in bytes.
Content-Range	Response	Partial Requests	Indicates the range of bytes sent in a partial content response (206).
ETag	Response	Caching	Unique identifier for the specific version of a resource; used for cache validation.
Expires	Response	Caching	Date/time after which the response is considered stale.
Last-Modified	Response	Caching	Date and time the resource was last modified on the server.
Location	Response	Redirects	URL to redirect the client to in 3xx or 201 responses.
Proxy-Authenticate	Response	Authentication	Defines the authentication method to use for a proxy (407 response).
Retry-After	Response	Request Control	How long to wait before making a new request after a 429 or 503 response.
Server	Response	Server Info	Software information about the origin server.
Set-Cookie	Response	State	Sends a cookie from the server to the client for storage.
Strict-Transport-Security	Response	Security	HSTS: forces browsers to use HTTPS for subsequent requests.
Vary	Response	Caching	Tells caches which request headers to use as cache keys.
WWW-Authenticate	Response	Authentication	Defines the authentication method for accessing the resource (401 response).
X-Content-Type-Options	Response	Security	Prevents MIME sniffing. Use value: nosniff.
X-Frame-Options	Response	Security	Controls whether the page can be embedded in an iframe (DENY, SAMEORIGIN).
X-XSS-Protection	Response	Security	Enables XSS filtering in older browsers (legacy, mostly deprecated).
Cache-Control	Both	Caching	Directives for caching in requests and responses (e.g. no-cache, max-age=3600).
Connection	Both	Connection Management	Controls whether the network connection stays open (keep-alive or close).
Content-Type	Both	Response Body	Media type of the request or response body (e.g. application/json).
Date	Both	Timestamps	Date and time the message was sent.
Pragma	Both	Caching	Legacy cache control directive (no-cache). Superseded by Cache-Control.
Trailer	Both	Transfer Encoding	Indicates which headers will be present in the trailer of a chunked response.
Transfer-Encoding	Both	Transfer Encoding	Encoding applied to the message body for transfer (e.g. chunked).
Via	Both	Proxies	Added by proxies to indicate intermediate protocols and recipients.
Warning	Both	Request Control	General warnings about possible problems with the message (deprecated in RFC 9110).
Access-Control-Allow-Origin	Response	CORS	Specifies which origins are allowed for CORS requests.
Access-Control-Allow-Methods	Response	CORS	HTTP methods allowed for CORS preflight responses.
Access-Control-Allow-Headers	Response	CORS	HTTP headers allowed in CORS preflight responses.
Access-Control-Allow-Credentials	Response	CORS	Indicates if the response can be shared when credentials are included.
Access-Control-Max-Age	Response	CORS	How long the preflight response can be cached (in seconds).
Cross-Origin-Opener-Policy	Response	Security	Controls the browsing context group for cross-origin documents.
Cross-Origin-Resource-Policy	Response	Security	Prevents cross-origin reads of the response in certain contexts.
Content-Security-Policy	Response	Security	Specifies allowed sources for content types to prevent XSS and injection attacks.
Referrer-Policy	Response	Security	Controls how much referrer information is sent with requests.
Permissions-Policy	Response	Security	Controls browser features and APIs that are allowed to be used (formerly Feature-Policy).

Über dieses Tool

HTTP-Header sind Metadaten-Felder, die jede Webanfrage und -antwort begleiten und alles von Caching-Verhalten über Authentifizierung bis zur Content-Aushandlung steuern. Die HTTP-Header-Referenz ist ein durchsuchbarer Leitfaden zu den häufigsten und wichtigsten Headern, die in der modernen Webentwicklung verwendet werden, und hilft Entwicklern, schnell zu verstehen, was jeder Header tut, welche Werte er akzeptiert und wann man ihn verwendet.

Durchsuchen Sie einfach einen Headernamen oder durchsuchen Sie die kategorisierte Liste, um detaillierte Informationen über seinen Zweck, seine Syntax und typische Anwendungsfälle zu finden. Ob Sie einen CORS-Fehler debuggen, Cache-Control konfigurieren, Sicherheitsrichtlinien festlegen oder Umleitungsverhalten verstehen – diese Referenz bietet Ihnen die genauen Informationen, die Sie benötigen, ohne die Seite verlassen zu müssen.

Dieses Tool ist für Backend-Entwickler, Frontend-Ingenieure, DevOps-Profis und alle, die HTTP-Infrastruktur verwalten, unverzichtbar. Es läuft vollständig in Ihrem Browser ohne Serveraufrufe ab und ist daher schnell und privat als Offline-Referenz beim Erstellen von APIs, Konfigurieren von Webservern oder Beheben von Anfrage-Header-Problemen in der Produktion.

Häufig gestellte Fragen

Comments & Feedback

Comments are powered by Giscus. Sign in with GitHub to leave a comment.