HTTP Headers Reference

Complete reference for HTTP headers including request headers, response headers, caching, security, CORS, and authentication. Quick lookup for web developers.

Quick Reference

Quick reference for HTTP headers used in web development. Organized by category for easy lookup.

Request Headers

Standard Request Headers

Header | Description | Example
Accept | Media types the client can process | text/html, application/json
Accept-Charset | Character sets the client accepts | utf-8, iso-8859-1
Accept-Encoding | Compression algorithms supported | gzip, deflate, br
Accept-Language | Preferred languages | en-US, en;q=0.9, fr;q=0.8
Authorization | Authentication credentials | Bearer <token>
Cache-Control | Caching directives | no-cache
Connection | Connection options | keep-alive
Content-Length | Size of request body in bytes | 348
Content-Type | Media type of request body | application/json
Cookie | Cookies sent to server | session=abc123; user=john
Host | Target host and port | www.example.com:443
If-Modified-Since | Conditional request | Sat, 24 Jan 2026 12:00:00 GMT
If-None-Match | Conditional request (ETag) | "abc123"
Origin | Origin of request (CORS) | https://example.com
Referer | Previous page URL | https://example.com/page
User-Agent | Client software identifier | Mozilla/5.0 (Windows...)

Custom/Common Request Headers

Header | Description | Example
X-Requested-With | Indicates AJAX request | XMLHttpRequest
X-Forwarded-For | Original client IP (proxied) | 192.168.1.1, 10.0.0.1
X-Forwarded-Proto | Original protocol | https
X-Forwarded-Host | Original host | example.com
X-Real-IP | Client IP (single value) | 192.168.1.1
X-Request-ID | Request tracking ID | 550e8400-e29b-41d4
X-Correlation-ID | Distributed tracing ID | abc-123-def

Response Headers

Standard Response Headers

Header | Description | Example
Content-Type | Media type of response | application/json; charset=utf-8
Content-Length | Size of response in bytes | 1234
Content-Encoding | Compression used | gzip
Content-Language | Language of content | en-US
Content-Disposition | How to display/download | attachment; filename="file.pdf"
Date | Response timestamp | Sat, 24 Jan 2026 12:00:00 GMT
ETag | Resource version identifier | "33a64df551425fcc55e4d42a148795d9f25f89d4"
Expires | Response expiration date | Sat, 24 Jan 2026 13:00:00 GMT
Last-Modified | Last modification date | Fri, 23 Jan 2026 10:00:00 GMT
Location | Redirect URL | https://example.com/new-page
Server | Server software | nginx/1.24.0
Set-Cookie | Set cookie on client | session=abc123; Path=/; HttpOnly
Vary | Headers affecting cache | Accept-Encoding, User-Agent

Caching Headers

Header | Direction | Description | Example
Cache-Control | Both | Caching directives | See values below
ETag | Response | Resource version | "abc123"
If-None-Match | Request | Conditional (ETag) | "abc123"
If-Modified-Since | Request | Conditional (date) | Sat, 24 Jan 2026 12:00:00 GMT
Last-Modified | Response | Last change date | Sat, 24 Jan 2026 12:00:00 GMT
Expires | Response | Expiration date | Sat, 24 Jan 2026 13:00:00 GMT
Age | Response | Time since cached (seconds) | 3600

Cache-Control Directives

Directive | Description
public | Response can be cached by any cache
private | Response for single user only
no-cache | Must revalidate before using cached copy
no-store | Don't store response anywhere
max-age=<seconds> | Maximum time to cache (seconds)
s-maxage=<seconds> | Maximum time for shared caches
must-revalidate | Must revalidate stale responses
proxy-revalidate | Like must-revalidate for proxies
immutable | Response won't change
stale-while-revalidate=<seconds> | Serve stale while fetching fresh
stale-if-error=<seconds> | Serve stale on error

Caching Examples

# Cache for 1 hour, revalidate after
Cache-Control: public, max-age=3600, must-revalidate

# Never cache (sensitive data)
Cache-Control: no-store, no-cache, must-revalidate, private

# Immutable static assets (1 year)
Cache-Control: public, max-age=31536000, immutable

# API responses - don't cache
Cache-Control: no-store
Pragma: no-cache
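The validators in the caching tables above (ETag / If-None-Match, Last-Modified / If-Modified-Since) only pay off when the server actually answers 304 Not Modified. The following is an added example, not code from this reference: a small handler that attaches both validators to every response and decides between 200 and 304. The ETag scheme (a truncated SHA-256 of the body) and the sample body and timestamp are constructed for the example; the precedence rule (If-None-Match is evaluated and If-Modified-Since ignored when both are present) is from RFC 9110 section 13.1.3.

```python
"""Conditional GET: decide between 200 and 304 from ETag and Last-Modified validators."""
import hashlib
from email.utils import formatdate, parsedate_to_datetime


def make_etag(body: bytes) -> str:
    """Strong ETag derived from the representation bytes (constructed scheme for this example)."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def etag_matches(if_none_match: str, etag: str) -> bool:
    """Weak comparison for If-None-Match: '*' matches anything, W/ prefixes are ignored,
    and the field may carry a comma-separated list of tags."""
    if if_none_match.strip() == "*":
        return True
    candidates = []
    for tag in if_none_match.split(","):
        tag = tag.strip()
        if tag.startswith("W/"):
            tag = tag[2:]
        candidates.append(tag)
    return etag in candidates


def respond(request_headers: dict, body: bytes, last_modified_ts: int):
    """Return (status, response_headers, body) for a GET of `body`.

    Validators are attached to every 200 and 304 so clients can revalidate later.
    If-None-Match takes precedence; If-Modified-Since is ignored when it is present.
    """
    etag = make_etag(body)
    headers = {
        "ETag": etag,
        "Last-Modified": formatdate(last_modified_ts, usegmt=True),
        "Cache-Control": "public, max-age=3600, must-revalidate",
    }
    inm = request_headers.get("If-None-Match")
    if inm is not None:
        if etag_matches(inm, etag):
            return 304, headers, b""
        return 200, headers, body
    ims = request_headers.get("If-Modified-Since")
    if ims is not None:
        try:
            since = parsedate_to_datetime(ims).timestamp()
        except (TypeError, ValueError):
            since = None  # unparseable date: ignore the precondition and serve 200
        if since is not None and last_modified_ts <= since:
            return 304, headers, b""
    return 200, headers, body


if __name__ == "__main__":
    sample_body = b'{"ok": true}'          # constructed sample representation
    sample_ts = 1769256000                 # constructed: Sat, 24 Jan 2026 12:00:00 GMT
    first = respond({}, sample_body, sample_ts)
    revalidate = respond({"If-None-Match": first[1]["ETag"]}, sample_body, sample_ts)
    print(first[0], revalidate[0])         # 200 on first fetch, 304 on revalidation
```

Because the 304 carries the same ETag and Last-Modified, a cache that revalidates a stale entry can refresh its copy without downloading the body; the Cache-Control value is the "cache for 1 hour, revalidate after" policy from the examples above.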

Security Headers

Header | Description | Example
Content-Security-Policy | Allowed content sources | See CSP section
Strict-Transport-Security | Force HTTPS | max-age=31536000; includeSubDomains
X-Content-Type-Options | Prevent MIME sniffing | nosniff
X-Frame-Options | Clickjacking protection | DENY or SAMEORIGIN
X-XSS-Protection | XSS filter (legacy) | 1; mode=block
Referrer-Policy | Control Referer header | strict-origin-when-cross-origin
Permissions-Policy | Browser feature permissions | geolocation=(), camera=()

Content-Security-Policy Directives

Directive | Description
default-src | Default policy for all
script-src | JavaScript sources
style-src | CSS sources
img-src | Image sources
font-src | Font sources
connect-src | XHR, WebSocket, fetch
media-src | Audio/video sources
frame-src | iframe sources
frame-ancestors | Who can embed this page
form-action | Form submission targets
base-uri | Allowed base URLs
upgrade-insecure-requests | Upgrade HTTP to HTTPS

CSP Source Values

Value | Description
'self' | Same origin only
'none' | Block all
'unsafe-inline' | Allow inline scripts/styles
'unsafe-eval' | Allow eval()
'nonce-<value>' | Allow specific nonce
'sha256-<hash>' | Allow specific hash
https: | HTTPS sources only
data: | Data URLs
blob: | Blob URLs
*.example.com | Wildcard domain

Security Headers Example

# Note: 'unsafe-inline' in script-src lets any injected inline script run; prefer 'nonce-<value>' or 'sha256-<hash>' sources for scripts
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
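A practical use of the two tables above is checking a real response against them. The following audit is an added example, not part of this reference: it parses a Content-Security-Policy value into directives and reports the gaps a reviewer would raise (missing HSTS or a short max-age, a missing nosniff, a script-src that relies on 'unsafe-inline' without a nonce or hash, no framing protection, no Referrer-Policy). The one-year HSTS threshold and the exact finding strings are this example's own choices; the fact that browsers ignore 'unsafe-inline' once a nonce or hash is present in the same directive is CSP Level 2 behaviour. The sample header set is the Security Headers Example from the page.

```python
"""Audit a response header set against the security header recommendations above."""
ONE_YEAR = 31536000  # threshold used here for HSTS max-age (the page's own example value)

# Sample input: the Security Headers Example from this reference, as a dict.
PAGE_EXAMPLE = {
    "Content-Security-Policy": ("default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; "
                                "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; "
                                "font-src 'self' https://fonts.gstatic.com"),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
}


def parse_csp(policy: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source, ...]}; first occurrence wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def hsts_max_age(value: str):
    """Extract the integer max-age from a Strict-Transport-Security value, or None if absent/invalid."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(arg.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_security_headers(headers: dict) -> list:
    """Return a list of findings (empty means every check passed)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    csp = h.get("content-security-policy")
    directives = parse_csp(csp) if csp is not None else {}
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "script-src" not in directives and "default-src" not in directives:
        findings.append("CSP has neither script-src nor default-src, so scripts are unrestricted")
    else:
        scripts = directives.get("script-src", directives.get("default-src", []))
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
        # Browsers ignore 'unsafe-inline' when a nonce or hash is present, so only the bare case is a gap.
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src allows 'unsafe-eval'")
        if "*" in scripts or "https:" in scripts:
            findings.append("script-src allows any https: or * host")

    if "frame-ancestors" not in directives and "x-frame-options" not in h:
        findings.append("no framing protection (frame-ancestors or X-Frame-Options)")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    return findings


if __name__ == "__main__":
    for finding in audit_security_headers(PAGE_EXAMPLE):
        print("finding:", finding)
```

Run against the page's own example the audit returns exactly one finding, the 'unsafe-inline' in script-src; the other headers pass. Swapping 'unsafe-inline' for a 'nonce-...' source clears it, which is the change the note on the example above recommends.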

CORS Headers

Response Headers

Header | Description | Example
Access-Control-Allow-Origin | Allowed origin(s) | https://example.com or *
Access-Control-Allow-Methods | Allowed HTTP methods | GET, POST, PUT, DELETE
Access-Control-Allow-Headers | Allowed request headers | Content-Type, Authorization
Access-Control-Allow-Credentials | Allow credentials | true
Access-Control-Expose-Headers | Headers client can access | X-Custom-Header
Access-Control-Max-Age | Preflight cache time (seconds) | 86400

Request Headers (Preflight)

Header | Description
Origin | Request origin
Access-Control-Request-Method | Intended HTTP method
Access-Control-Request-Headers | Intended custom headers

CORS Example

# Simple request response
Access-Control-Allow-Origin: https://example.com

# Preflight response
# Note: Access-Control-Allow-Origin: * cannot be combined with Access-Control-Allow-Credentials: true; echo one allowed origin instead
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
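The preflight exchange above is driven by the request headers in the previous table. The following server-side function is an added example, not code from this reference: given the request headers and method, it produces the CORS response headers for both simple requests and preflights. The origin, method and header allowlists are constructed for the example. Two points the tables do not spell out: the origin is only ever echoed when it is on the allowlist (reflecting an arbitrary Origin together with Allow-Credentials: true hands every site the user's cookies), and Vary: Origin is added so a shared cache does not serve one origin's grant to another.

```python
"""Build CORS response headers for a request, allowlisting origins rather than reflecting them."""
ALLOWED_ORIGINS = {"https://example.com", "https://app.example.com"}   # constructed allowlist
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")                       # constructed allowlist
ALLOWED_HEADERS = ("Content-Type", "Authorization", "X-Requested-With")  # constructed allowlist


def cors_headers(request_headers: dict, method: str) -> dict:
    """Return the CORS headers to attach, or {} when cross-origin access must not be granted.

    With Access-Control-Allow-Credentials: true the origin has to be echoed explicitly;
    browsers reject "*" in that combination, so only allowlisted origins are echoed.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}  # no Origin, or an unknown one: send no CORS headers and the browser blocks the response

    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # caches must key the response on Origin
    }

    if method.upper() == "OPTIONS" and "access-control-request-method" in req:
        # Preflight: validate the intended method and headers against the allowlists.
        wanted_method = req["access-control-request-method"].strip().upper()
        wanted_headers = [x.strip().lower()
                          for x in req.get("access-control-request-headers", "").split(",") if x.strip()]
        allowed_lower = {x.lower() for x in ALLOWED_HEADERS}
        if wanted_method not in ALLOWED_METHODS or not set(wanted_headers) <= allowed_lower:
            return {}  # preflight fails: the browser never sends the actual request
        headers.update({
            "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
            "Access-Control-Allow-Headers": ", ".join(ALLOWED_HEADERS),
            "Access-Control-Max-Age": "86400",  # browsers may cache this preflight for a day
        })
    return headers


if __name__ == "__main__":
    preflight = {  # constructed preflight request headers
        "Origin": "https://app.example.com",
        "Access-Control-Request-Method": "PUT",
        "Access-Control-Request-Headers": "Content-Type, Authorization",
    }
    for name, value in cors_headers(preflight, "OPTIONS").items():
        print(f"{name}: {value}")
```

Returning {} rather than an error status is deliberate: the response is simply not CORS-enabled, which is what the browser enforces; a server that instead echoed the Origin unconditionally would pass every check in the table while defeating the same-origin policy.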

Authentication Headers

Header | Description | Example
Authorization | Client credentials | See schemes below
WWW-Authenticate | Auth challenge (401) | Bearer realm="api"
Proxy-Authenticate | Proxy auth challenge | Basic realm="proxy"
Proxy-Authorization | Proxy credentials | Basic dXNlcjpwYXNz

Authorization Schemes

Scheme | Format | Use Case
Basic | Basic <base64(user:pass)> | Simple authentication
Bearer | Bearer <token> | OAuth 2.0, JWT
Digest | Digest username="..." ... | Challenge-response
API Key | ApiKey <key> | API authentication

Examples

# Basic Auth (base64 encoded "user:password")
Authorization: Basic dXNlcjpwYXNzd29yZA==

# Bearer Token (JWT)
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

# API Key
Authorization: ApiKey sk-1234567890abcdef

# X-API-Key header (alternative)
X-API-Key: sk-1234567890abcdef

Content Negotiation

Header | Description | Example
Accept | Acceptable media types | application/json, text/html;q=0.9
Accept-Charset | Acceptable character sets | utf-8, iso-8859-1;q=0.5
Accept-Encoding | Acceptable encodings | gzip, deflate, br
Accept-Language | Preferred languages | en-US, en;q=0.9, de;q=0.8

Quality Values (q)

Quality values (0-1) indicate preference:

  • q=1.0 - Most preferred (default)
  • q=0 - Not acceptable

Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
Accept-Language: en-US, en;q=0.9, fr;q=0.8, de;q=0.7
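How a server turns those q-values into a decision is not shown in the table, so here is an added example (not code from this reference) of the Accept side of server-driven negotiation: parse the media ranges and their q parameters, give each available media type the q of the most specific range that matches it (exact type beats type/* beats */*), and pick the highest, with the server's own order breaking ties. The sample Accept value is the one above; media-type parameters other than q (e.g. charset) are dropped, a simplification for this example.

```python
"""Server-driven content negotiation over Accept with q-values."""


def parse_accept(header: str) -> list:
    """Return [(media_range, q), ...] in header order. Parameters other than q are dropped."""
    entries = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";") if p.strip()]
        if not parts:
            continue
        media_range = parts[0].lower()
        q = 1.0  # default when no q parameter is present
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value.strip())
                except ValueError:
                    q = 0.0  # malformed q: treat the range as unacceptable
                q = min(1.0, max(0.0, q))  # q is defined on [0, 1]
        entries.append((media_range, q))
    return entries


def _specificity(media_range: str) -> int:
    """*/* < type/* < type/subtype."""
    if media_range == "*/*":
        return 0
    if media_range.endswith("/*"):
        return 1
    return 2


def quality_for(entries: list, media_type: str) -> float:
    """q assigned to `media_type`: the most specific matching range wins; no match means 0."""
    media_type = media_type.lower()
    main_type = media_type.split("/", 1)[0]
    best = None
    for media_range, q in entries:
        if media_range in (media_type, main_type + "/*", "*/*"):
            spec = _specificity(media_range)
            if best is None or spec > best[0]:
                best = (spec, q)
    return best[1] if best else 0.0


def negotiate(accept_header: str, available: list):
    """Pick the available media type with the highest q; server order breaks ties.
    Returns None when nothing is acceptable (all q == 0), which maps to 406 Not Acceptable."""
    entries = parse_accept(accept_header)
    chosen, chosen_q = None, 0.0
    for media_type in available:
        q = quality_for(entries, media_type)
        if q > chosen_q:
            chosen, chosen_q = media_type, q
    return chosen


if __name__ == "__main__":
    accept = "text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8"  # the page's example
    print(negotiate(accept, ["application/json", "text/html"]))  # text/html
    print(negotiate(accept, ["application/json"]))               # application/json (matched by */*;q=0.8)
```

With the page's Accept value, a JSON-only endpoint is still served (matched by */* at q=0.8), while an endpoint offering both JSON and HTML returns HTML; a client that sends text/html;q=0 gets None, which the server should turn into 406 Not Acceptable rather than a guessed representation.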

Set-Cookie Attributes

Attribute | Description | Example
Expires | Absolute expiration | Expires=Sat, 24 Jan 2026 12:00:00 GMT
Max-Age | Seconds until expiration | Max-Age=3600
Domain | Cookie domain scope | Domain=.example.com
Path | Cookie path scope | Path=/api
Secure | HTTPS only | Secure
HttpOnly | No JavaScript access | HttpOnly
SameSite | Cross-site behavior | SameSite=Strict

SameSite Values

Value | Description
Strict | Only same-site requests
Lax | Same-site + top-level navigation (default)
None | All requests (requires Secure)

Cookie Examples

# Session cookie (expires when browser closes)
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict

# Persistent cookie (1 hour)
Set-Cookie: remember=token123; Max-Age=3600; Path=/; HttpOnly; Secure; SameSite=Lax

# Cross-site cookie (third-party)
Set-Cookie: tracking=xyz; Path=/; Secure; SameSite=None
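The attribute tables above list the flags individually; what matters in review is the combination on each Set-Cookie line. The following parser and audit are an added example, not code from this reference: they split a Set-Cookie value into name, value and attributes, then report missing Secure or HttpOnly, a missing SameSite, and the SameSite=None-without-Secure combination the table notes as invalid. It goes one step beyond the tables by also enforcing the __Secure- and __Host- cookie name prefixes, which browsers check (Secure required; for __Host- also Path=/ and no Domain). The finding strings are this example's own; the sample inputs are the three Set-Cookie examples above plus constructed negatives.

```python
"""Parse a Set-Cookie value and check the attribute combinations from the tables above."""


def parse_set_cookie(header_value: str):
    """Return (name, value, attributes). Attribute names are lower-cased; flag attributes map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def audit_set_cookie(header_value: str) -> list:
    """Return a list of findings for one Set-Cookie header value (empty means it passes)."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    secure = "secure" in attrs

    if not secure:
        findings.append("missing Secure")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")

    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("no explicit SameSite (browsers default to Lax)")
    elif str(samesite).lower() == "none" and not secure:
        findings.append("SameSite=None requires Secure")  # browsers drop the cookie otherwise

    # Cookie name prefixes: enforced by browsers, not covered by the attribute table.
    if name.startswith("__Secure-") and not secure:
        findings.append("__Secure- prefix requires Secure")
    if name.startswith("__Host-"):
        if not secure:
            findings.append("__Host- prefix requires Secure")
        if "domain" in attrs:
            findings.append("__Host- prefix forbids Domain")
        if attrs.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
    return findings


if __name__ == "__main__":
    samples = [  # the three Set-Cookie examples from this reference
        "session=abc123; Path=/; HttpOnly; Secure; SameSite=Strict",
        "remember=token123; Max-Age=3600; Path=/; HttpOnly; Secure; SameSite=Lax",
        "tracking=xyz; Path=/; Secure; SameSite=None",
    ]
    for line in samples:
        print(line.split(";")[0], "->", audit_set_cookie(line) or "ok")
```

The first two page examples pass cleanly; the cross-site cookie is flagged only for the missing HttpOnly, which is a judgement call for a cookie that script may legitimately need to read, but one the audit should surface rather than silently accept.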