HTTP Headers Reference
Searchable reference table of HTTP request and response headers.
| Header | Type | Category | Description |
|---|---|---|---|
| Accept | Request | Content Negotiation | Media types acceptable for the response (e.g. text/html, application/json). |
| Accept-Charset | Request | Content Negotiation | Character sets acceptable for the response. |
| Accept-Encoding | Request | Content Negotiation | Encoding algorithms the client supports (e.g. gzip, deflate, br). |
| Accept-Language | Request | Content Negotiation | Natural languages preferred for the response (e.g. en-US, fr). |
| Authorization | Request | Authentication | Credentials for authenticating the client with the server (e.g. Bearer token). |
| Cookie | Request | State | HTTP cookies previously set by the server, sent back with each request. |
| Expect | Request | Request Control | Indicates that particular server behaviors are required by the client (e.g. 100-continue). |
| Host | Request | Request Target | Domain name and port number of the server being addressed. Required in HTTP/1.1. |
| If-Match | Request | Conditional | Makes the request conditional based on matching ETag values. |
| If-Modified-Since | Request | Conditional | Makes the request conditional based on modification date. |
| If-None-Match | Request | Conditional | Makes the request conditional based on non-matching ETag values. |
| If-Unmodified-Since | Request | Conditional | Makes the request conditional on the resource not being modified since the given date. |
| Origin | Request | CORS | Indicates the origin from which the cross-site request is initiated. |
| Proxy-Authorization | Request | Authentication | Credentials for authenticating with a proxy server. |
| Range | Request | Partial Requests | Requests only part of a resource (e.g. bytes=0-1023 for the first 1 KB). |
| Referer | Request | Request Context | URL of the page from which the request originated. |
| TE | Request | Transfer Encoding | Specifies transfer encodings the client is willing to accept. |
| User-Agent | Request | Request Context | Contains information about the client software making the request. |
| X-Forwarded-For | Request | Proxies | Identifies the originating IP address when the request passes through proxies. |
| X-Requested-With | Request | Custom | Commonly used to identify Ajax requests (value: XMLHttpRequest). |
| Accept-Ranges | Response | Partial Requests | Indicates if the server supports range requests (bytes or none). |
| Age | Response | Caching | Time in seconds the object has been stored in a proxy cache. |
| Allow | Response | Request Methods | HTTP methods allowed for the requested resource (used in 405 responses). |
| Content-Disposition | Response | Response Body | Indicates whether content should be displayed inline or as a file download. |
| Content-Encoding | Response | Response Body | Encoding applied to the response body (e.g. gzip, br). |
| Content-Language | Response | Content Negotiation | Natural language(s) of the response body. |
| Content-Length | Response | Response Body | Size of the response body in bytes. |
| Content-Range | Response | Partial Requests | Indicates the range of bytes sent in a partial content response (206). |
| ETag | Response | Caching | Unique identifier for the specific version of a resource; used for cache validation. |
| Expires | Response | Caching | Date/time after which the response is considered stale. |
| Last-Modified | Response | Caching | Date and time the resource was last modified on the server. |
| Location | Response | Redirects | URL to redirect the client to in 3xx or 201 responses. |
| Proxy-Authenticate | Response | Authentication | Defines the authentication method to use for a proxy (407 response). |
| Retry-After | Response | Request Control | How long to wait before making a new request after a 429 or 503 response. |
| Server | Response | Server Info | Software information about the origin server. |
| Set-Cookie | Response | State | Sends a cookie from the server to the client for storage. |
| Strict-Transport-Security | Response | Security | HSTS: forces browsers to use HTTPS for subsequent requests. |
| Vary | Response | Caching | Tells caches which request headers to use as cache keys. |
| WWW-Authenticate | Response | Authentication | Defines the authentication method for accessing the resource (401 response). |
| X-Content-Type-Options | Response | Security | Prevents MIME sniffing. Use value: nosniff. |
| X-Frame-Options | Response | Security | Controls whether the page can be embedded in an iframe (DENY, SAMEORIGIN). |
| X-XSS-Protection | Response | Security | Enables XSS filtering in older browsers (legacy, mostly deprecated). |
| Cache-Control | Both | Caching | Directives for caching in requests and responses (e.g. no-cache, max-age=3600). |
| Connection | Both | Connection Management | Controls whether the network connection stays open (keep-alive or close). |
| Content-Type | Both | Response Body | Media type of the request or response body (e.g. application/json). |
| Date | Both | Timestamps | Date and time the message was sent. |
| Pragma | Both | Caching | Legacy cache control directive (no-cache). Superseded by Cache-Control. |
| Trailer | Both | Transfer Encoding | Indicates which headers will be present in the trailer of a chunked response. |
| Transfer-Encoding | Both | Transfer Encoding | Encoding applied to the message body for transfer (e.g. chunked). |
| Via | Both | Proxies | Added by proxies to indicate intermediate protocols and recipients. |
| Warning | Both | Request Control | General warnings about possible problems with the message (deprecated in RFC 9110). |
| Access-Control-Allow-Origin | Response | CORS | Specifies which origins are allowed for CORS requests. |
| Access-Control-Allow-Methods | Response | CORS | HTTP methods allowed for CORS preflight responses. |
| Access-Control-Allow-Headers | Response | CORS | HTTP headers allowed in CORS preflight responses. |
| Access-Control-Allow-Credentials | Response | CORS | Indicates if the response can be shared when credentials are included. |
| Access-Control-Max-Age | Response | CORS | How long the preflight response can be cached (in seconds). |
| Cross-Origin-Opener-Policy | Response | Security | Controls the browsing context group for cross-origin documents. |
| Cross-Origin-Resource-Policy | Response | Security | Prevents cross-origin reads of the response in certain contexts. |
| Content-Security-Policy | Response | Security | Specifies allowed sources for content types to prevent XSS and injection attacks. |
| Referrer-Policy | Response | Security | Controls how much referrer information is sent with requests. |
| Permissions-Policy | Response | Security | Controls browser features and APIs that are allowed to be used (formerly Feature-Policy). |
About this tool
HTTP headers are metadata fields that travel with every web request and response, controlling everything from caching behavior to authentication and content negotiation. The HTTP Headers Reference is a searchable guide to the most common and important headers used in modern web development, helping developers quickly understand what each header does, what values it accepts, and when to use it.
Simply search for a header name or browse the categorized list to find detailed information about its purpose, syntax, and typical use cases. Whether you're debugging a CORS error, configuring cache control, setting security policies, or understanding redirect behavior, this reference cuts through the noise and gives you the exact information you need without leaving your page.
This tool is essential for backend developers, frontend engineers, DevOps professionals, and anyone managing HTTP infrastructure. It works entirely in your browser with no server calls, making it fast and private for offline reference while building APIs, configuring web servers, or troubleshooting request headers in production.
Frequently Asked Questions
Comments & Feedback
Comments are powered by Giscus. Sign in with GitHub to leave a comment.