HTTP Headers Volledige Lijst en Referentie

HTTP headers are key-value pairs sent between client and server with every HTTP request and response. They carry metadata about the message body, authentication, caching, security policies, and more. This complete HTTP headers list and reference covers every header you need to know as a web developer, with practical examples and best practices.

Look up HTTP status codes with our HTTP Status Code Checker →

Convert curl commands with custom headers using our cURL to Code Converter →

What Are HTTP Headers?

HTTP headers are metadata fields included in HTTP requests and responses. They follow the format Header-Name: value and appear after the request/response line but before the body. Headers control how data is transmitted, cached, authenticated, and rendered.

Headers are grouped into four categories:

General Headers — Apply to both requests and responses (e.g., Connection, Date)
Request Headers — Sent by the client to provide context (e.g., Accept, User-Agent, Authorization)
Response Headers — Sent by the server to describe the response (e.g., Server, Set-Cookie)
Entity Headers — Describe the body of the message (e.g., Content-Type, Content-Length)

GET /api/users HTTP/1.1
Host: example.com
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...
User-Agent: Mozilla/5.0
Connection: keep-alive

---

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Cache-Control: max-age=3600
X-Request-ID: abc-123-def
Content-Length: 1234

Common Request Headers

Request headers are sent by the client (browser, API client, or curl) to tell the server what kind of response is expected, who is making the request, and how to handle the connection.

Header	Description	Example
`Accept`	Tells the server what content types the client can handle	`application/json`
`Authorization`	Carries authentication credentials (Bearer token, Basic auth, API key)	`Bearer eyJhbGci...`
`Content-Type`	Specifies the media type of the request body	`application/json`
`User-Agent`	Identifies the client software making the request	`Mozilla/5.0 (Windows NT 10.0; Win64; x64)`
`Cookie`	Sends stored cookies back to the server	`session_id=abc123; theme=dark`
`Referer`	URL of the page that linked to the current request	`https://example.com/page`
`Host`	The domain name and port of the server (required in HTTP/1.1)	`api.example.com`
`Origin`	Indicates where the request originated from (used in CORS)	`https://myapp.com`
`If-None-Match`	Conditional request based on ETag; returns 304 if unchanged	`"33a64df5"`
`If-Modified-Since`	Conditional request based on date; returns 304 if unchanged	`Wed, 21 Oct 2025 07:28:00 GMT`

Common Response Headers

Response headers are sent by the server to provide metadata about the response. They control caching, set cookies, specify content types, and direct the client where to redirect.

Header	Description	Example
`Content-Type`	The media type of the response body	`text/html; charset=utf-8`
`Set-Cookie`	Sets a cookie on the client with optional flags (HttpOnly, Secure, SameSite)	`session=abc123; HttpOnly; Secure`
`Cache-Control`	Directives for caching mechanisms in browsers and CDNs	`public, max-age=3600`
`Location`	URL to redirect the client to (used with 3xx status codes)	`https://example.com/new-page`
`Server`	Information about the server software (often hidden for security)	`nginx/1.24.0`
`ETag`	A unique identifier for a specific version of a resource	`"33a64df551425fcc55e"`
`WWW-Authenticate`	Defines the authentication method the client should use (sent with 401)	`Bearer realm="api"`
`Content-Length`	The size of the response body in bytes	`3495`

Content Negotiation Headers

Content negotiation allows clients and servers to agree on the best representation of a resource. The client sends preference headers, and the server responds with the most appropriate version.

# Client sends preferences
GET /api/data HTTP/1.1
Accept: application/json, text/html;q=0.9, */*;q=0.8
Accept-Language: en-US, en;q=0.9, fr;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Charset: utf-8

# Server responds with best match
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Language: en-US
Content-Encoding: gzip
Vary: Accept, Accept-Language, Accept-Encoding

The q parameter (quality value) ranges from 0 to 1 and indicates preference. Default is 1.0 (highest priority). The Vary response header tells caches which request headers affect the response, preventing incorrect cached versions from being served.

Caching Headers

Caching headers are critical for web performance. They tell browsers and CDNs how long to store resources, when to revalidate, and how to handle stale content. Proper caching can reduce page load times by 50% or more.

# Aggressive caching for static assets (1 year)
Cache-Control: public, max-age=31536000, immutable

# No caching (API responses with sensitive data)
Cache-Control: no-store, no-cache, must-revalidate, private

# Revalidation caching (HTML pages)
Cache-Control: no-cache
ETag: "abc123"

# Time-based caching with revalidation
Cache-Control: public, max-age=3600, must-revalidate
Last-Modified: Tue, 15 Oct 2025 10:30:00 GMT

# Stale content while revalidating (modern approach)
Cache-Control: public, max-age=300, stale-while-revalidate=60

# Legacy HTTP/1.0 caching
Expires: Thu, 01 Dec 2025 16:00:00 GMT
Pragma: no-cache

Directive	Purpose
`max-age=N`	Cache for N seconds from the time of the request
`s-maxage=N`	Like max-age but only for shared caches (CDNs)
`no-cache`	Cache but revalidate with the server before each use
`no-store`	Do not cache the response at all
`public`	Any cache (browser, CDN, proxy) can store the response
`private`	Only the browser can cache the response (not CDNs)
`must-revalidate`	Once stale, the cache must revalidate before using the cached version
`immutable`	The resource will never change; skip revalidation entirely
`stale-while-revalidate=N`	Serve stale content for N seconds while fetching a fresh version in the background

Security Headers

Security headers protect your application from common web vulnerabilities like XSS, clickjacking, MIME sniffing, and protocol downgrade attacks. Every production website should implement these headers.

# Content Security Policy - prevents XSS
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; connect-src 'self' https://api.example.com

# HTTP Strict Transport Security - force HTTPS
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

# Prevent MIME type sniffing
X-Content-Type-Options: nosniff

# Prevent clickjacking
X-Frame-Options: DENY
# Modern alternative:
Content-Security-Policy: frame-ancestors 'none'

# Control referrer information
Referrer-Policy: strict-origin-when-cross-origin

# Restrict browser features
Permissions-Policy: camera=(), microphone=(), geolocation=(self), payment=()

Header	Protection Against
`Content-Security-Policy`	XSS, code injection, unauthorized resource loading
`Strict-Transport-Security`	Protocol downgrade attacks, cookie hijacking
`X-Content-Type-Options`	MIME sniffing attacks
`X-Frame-Options`	Clickjacking via iframes
`Referrer-Policy`	Information leakage via Referer header
`Permissions-Policy`	Unauthorized access to browser APIs (camera, mic, location)
`Cross-Origin-Opener-Policy`	Cross-origin window attacks (Spectre-like)
`Cross-Origin-Embedder-Policy`	Cross-origin resource loading without explicit permission

CORS Headers

Cross-Origin Resource Sharing (CORS) headers control which origins can access your resources. When a browser makes a cross-origin request, it performs a preflight check to verify the server allows the request.

# Preflight request (sent by browser automatically)
OPTIONS /api/data HTTP/1.1
Origin: https://myapp.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type, Authorization

# Preflight response (server must respond to allow the request)
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://myapp.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400
Access-Control-Allow-Credentials: true

# Actual response with CORS headers
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://myapp.com
Access-Control-Expose-Headers: X-Request-ID, X-RateLimit-Remaining
Content-Type: application/json

Header	Purpose
`Access-Control-Allow-Origin`	Specifies which origin(s) can access the resource. Use a specific origin or `*` (not with credentials).
`Access-Control-Allow-Methods`	HTTP methods allowed for cross-origin requests
`Access-Control-Allow-Headers`	Custom headers allowed in cross-origin requests
`Access-Control-Allow-Credentials`	Whether cookies and auth headers can be sent cross-origin
`Access-Control-Max-Age`	How long the preflight result can be cached (in seconds)
`Access-Control-Expose-Headers`	Response headers that JavaScript can access cross-origin

Authentication Headers

Authentication headers carry credentials between the client and server. Understanding the different authentication schemes is essential for building secure APIs.

# Basic Authentication (base64-encoded username:password)
GET /api/protected HTTP/1.1
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
# Decoded: username:password

# Bearer Token (JWT or OAuth2)
GET /api/data HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U

# API Key (custom header)
GET /api/data HTTP/1.1
X-API-Key: sk_live_abc123def456

# Server responds with 401 when authentication fails
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="api", error="invalid_token", error_description="The token has expired"

# Digest Authentication
Authorization: Digest username="admin", realm="api@example.com", nonce="abc123", uri="/api/data", response="def456"

Compression Headers

Compression headers enable the client and server to negotiate compressed transfer of response bodies. Compression typically reduces payload sizes by 60-80%, significantly improving load times.

# Client tells server what compression it supports
GET /api/large-data HTTP/1.1
Accept-Encoding: gzip, deflate, br

# Server responds with compressed content
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: application/json
Transfer-Encoding: chunked
Vary: Accept-Encoding

Algorithm	Description	Best For
`gzip`	Most widely supported compression. Good compression ratio.	Universal compatibility, text-based content
`br` (Brotli)	Better compression than gzip (15-20% smaller). Requires HTTPS.	Modern browsers, static assets, HTTPS sites
`deflate`	Older algorithm, rarely used alone. Inconsistent implementations.	Legacy systems only
`zstd`	Newest algorithm. Excellent speed and compression ratio.	Emerging support, high-throughput APIs

Custom Headers

Custom headers allow applications to pass additional metadata outside the standard HTTP specification. While the X- prefix convention was common, it has been deprecated by RFC 6648 (2012).

# Common custom headers (still using X- prefix for compatibility)
X-Request-ID: 550e8400-e29b-41d4-a716-446655440000
X-Forwarded-For: 203.0.113.50, 70.41.3.18
X-Forwarded-Proto: https
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1672531200

# Modern naming (no X- prefix, per RFC 6648)
Request-ID: 550e8400-e29b-41d4-a716-446655440000
RateLimit-Limit: 1000
RateLimit-Remaining: 999
RateLimit-Reset: 1672531200

# Application-specific headers
Idempotency-Key: unique-operation-key-123
Retry-After: 120
Deprecation: true
Sunset: Sat, 01 Mar 2025 00:00:00 GMT

Best Practices for Custom Headers:

Use meaningful, descriptive names without the X- prefix for new headers
Keep existing X- prefixed headers for backward compatibility
Document all custom headers in your API documentation
Use Request-ID or X-Request-ID for distributed tracing
Include rate limit information in response headers

HTTP Headers in Code

Here is how to set and read HTTP headers in the most common languages and tools. These examples cover both client-side and server-side usage.

JavaScript (fetch API)

// Setting request headers with fetch
const response = await fetch('https://api.example.com/data', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer your-token-here',
    'Accept': 'application/json',
    'X-Request-ID': crypto.randomUUID(),
  },
  body: JSON.stringify({ name: 'John' }),
});

// Reading response headers
console.log(response.headers.get('Content-Type'));
console.log(response.headers.get('X-RateLimit-Remaining'));

// Iterating all response headers
for (const [key, value] of response.headers.entries()) {
  console.log(`${key}: ${value}`);
}

JavaScript (axios)

import axios from 'axios';

// Setting request headers with axios
const response = await axios.post('https://api.example.com/data',
  { name: 'John' },
  {
    headers: {
      'Authorization': 'Bearer your-token-here',
      'Content-Type': 'application/json',
      'Accept-Language': 'en-US',
    },
  }
);

// Reading response headers
console.log(response.headers['content-type']);
console.log(response.headers['x-ratelimit-remaining']);

// Setting default headers for all requests
axios.defaults.headers.common['Authorization'] = 'Bearer token';
axios.defaults.headers.post['Content-Type'] = 'application/json';

curl

# Setting custom headers with curl
curl -X POST https://api.example.com/data \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your-token-here" \
  -H "Accept: application/json" \
  -H "X-Request-ID: $(uuidgen)" \
  -d '{"name": "John"}'

# View response headers only
curl -I https://example.com

# View both request and response headers (verbose)
curl -v https://example.com

# Save response headers to a file
curl -D headers.txt https://example.com

Node.js (http module)

import http from 'node:http';

// Setting headers in an HTTP server response
const server = http.createServer((req, res) => {
  // Reading request headers
  console.log(req.headers['authorization']);
  console.log(req.headers['content-type']);

  // Setting response headers
  res.setHeader('Content-Type', 'application/json');
  res.setHeader('Cache-Control', 'no-store');
  res.setHeader('X-Request-ID', crypto.randomUUID());
  res.setHeader('Access-Control-Allow-Origin', 'https://myapp.com');

  // Set multiple values for a header
  res.setHeader('Set-Cookie', [
    'session=abc123; HttpOnly; Secure; SameSite=Strict',
    'theme=dark; Path=/; Max-Age=31536000',
  ]);

  res.writeHead(200);
  res.end(JSON.stringify({ message: 'Hello' }));
});

Complete HTTP Headers Reference Table

This table lists all commonly used HTTP headers with their descriptions, example values, and whether they appear in requests, responses, or both.

Header	Type	Description	Example Value
`Cache-Control`	Both	Caching directives for request and response	`max-age=3600, public`
`Connection`	Both	Control whether the connection stays open	`keep-alive`
`Date`	Both	Date and time of the message	`Tue, 15 Oct 2025 10:30:00 GMT`
`Accept`	Request	Acceptable content types	`application/json, text/html`
`Accept-Encoding`	Request	Acceptable compression algorithms	`gzip, deflate, br`
`Accept-Language`	Request	Preferred response language	`en-US, en;q=0.9`
`Authorization`	Request	Authentication credentials	`Bearer eyJhbGci...`
`Cookie`	Request	Cookies sent to the server	`session=abc123`
`Host`	Request	Server domain name	`api.example.com`
`If-Modified-Since`	Request	Conditional request by date	`Wed, 21 Oct 2025 07:28:00 GMT`
`If-None-Match`	Request	Conditional request by ETag	`"33a64df5"`
`Origin`	Request	Origin of the request (for CORS)	`https://myapp.com`
`Referer`	Request	URL of the referring page	`https://example.com/page`
`User-Agent`	Request	Client software identification	`Mozilla/5.0...`
`Access-Control-Allow-Origin`	Response	Allowed CORS origin(s)	`https://myapp.com`
`Content-Encoding`	Response	Compression algorithm used	`gzip`
`Content-Length`	Both	Size of the body in bytes	`3495`
`Content-Security-Policy`	Response	CSP rules to prevent XSS	`default-src 'self'`
`Content-Type`	Both	Media type of the body	`application/json; charset=utf-8`
`ETag`	Response	Resource version identifier	`"33a64df551425fcc55e"`
`Expires`	Response	Date/time after which response is stale	`Thu, 01 Dec 2025 16:00:00 GMT`
`Last-Modified`	Response	Date the resource was last modified	`Tue, 15 Oct 2025 10:30:00 GMT`
`Location`	Response	Redirect target URL	`https://example.com/new`
`Permissions-Policy`	Response	Restrict browser features	`camera=(), microphone=()`
`Referrer-Policy`	Response	Controls Referer header behavior	`strict-origin-when-cross-origin`
`Retry-After`	Response	Seconds to wait before retrying	`120`
`Server`	Response	Server software information	`nginx/1.24.0`
`Set-Cookie`	Response	Set a cookie on the client	`session=abc; HttpOnly; Secure`
`Strict-Transport-Security`	Response	Force HTTPS connections	`max-age=63072000; includeSubDomains`
`Vary`	Response	Headers that affect cached response selection	`Accept, Accept-Encoding`
`WWW-Authenticate`	Response	Authentication scheme required	`Bearer realm="api"`
`X-Content-Type-Options`	Response	Prevent MIME sniffing	`nosniff`
`X-Frame-Options`	Response	Prevent clickjacking	`DENY`
`X-Request-ID`	Both	Unique request identifier for tracing	`550e8400-e29b-41d4...`

Frequently Asked Questions

What is the difference between request headers and response headers?

Request headers are sent by the client (browser or API client) to the server, providing context about the request — such as accepted content types, authentication tokens, and user agent information. Response headers are sent by the server back to the client, providing metadata about the response — such as content type, caching rules, and security policies. Some headers like Content-Type can appear in both.

What are the most important security headers to implement?

The essential security headers are: Content-Security-Policy (CSP) to prevent XSS attacks, Strict-Transport-Security (HSTS) to enforce HTTPS, X-Content-Type-Options: nosniff to prevent MIME sniffing, X-Frame-Options to prevent clickjacking, and Referrer-Policy to control information leakage. Modern applications should also implement Permissions-Policy to restrict browser features.

Why was the X- prefix for custom headers deprecated?

RFC 6648 (published in 2012) deprecated the X- prefix convention because removing the prefix when a custom header became standardized caused compatibility issues. The recommendation is to choose a meaningful, unique header name without any prefix. However, many existing headers like X-Forwarded-For and X-Request-ID remain widely used for backward compatibility.

How does Cache-Control differ from Expires?

Cache-Control is the modern, more powerful caching header that uses relative time directives (e.g., max-age=3600 means "cache for 1 hour from now"). Expires uses an absolute date/time and is the older HTTP/1.0 approach. When both are present, Cache-Control takes precedence. Use Cache-Control in modern applications — it offers granular control with directives like no-cache, no-store, must-revalidate, public, and private.

What is a CORS preflight request and when does it happen?

A CORS preflight is an automatic OPTIONS request sent by the browser before certain cross-origin requests. It happens when the request uses methods other than GET, HEAD, or POST, or includes custom headers, or sends a Content-Type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain. The server must respond with appropriate Access-Control-Allow-* headers. The browser caches preflight results based on the Access-Control-Max-Age header.

Understanding HTTP headers is essential for building performant, secure, and well-architected web applications. Bookmark this reference for quick access to header names, values, and usage patterns.

Check HTTP status codes with our HTTP Status Code Tool →

Convert curl commands to any language with our cURL to Code Converter →