HTTP headers carry metadata between clients and servers in requests and responses. This guide covers the most common headers including authentication, caching, content negotiation, CORS, security, and more. Use the search box to quickly find a specific header and copy examples with one click.
What are HTTP headers?
HTTP headers are key-value pairs sent in HTTP requests and responses that carry metadata about the request or response. They convey information such as the content type, authentication credentials, caching instructions, security policies, and more. Headers are not visible in the browser by default but can be seen in developer tools.
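Because field names are case-insensitive and some headers (Set-Cookie in particular) legitimately repeat, a parser has to fold case and keep every value. The following is an added example, not code from the guide; the raw response text is constructed for the demonstration:

```python
"""Parse the header block of a raw HTTP message into a case-insensitive mapping.
Added example, not from the original guide; the sample message is constructed."""

# Constructed sample response: status line, header lines, blank line, body.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "cache-control: max-age=300, public\r\n"
    "Set-Cookie: session=abc; HttpOnly; Secure\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "ETag: \"v1\"\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw: str):
    """Return (start_line, headers, body).

    Header names are folded to lower case because HTTP field names are
    case-insensitive; repeated fields are kept as a list so that headers
    such as Set-Cookie are not silently overwritten."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated by a blank line")
    lines = head.split("\r\n")
    start_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            # Malformed field or whitespace around the name: reject rather than
            # guess, since lenient parsing is what lets two parsers disagree.
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    return start_line, headers, body


def get_header(headers, name, default=None):
    """Look up a header by any capitalisation; returns the first value."""
    values = headers.get(name.lower())
    return values[0] if values else default


if __name__ == "__main__":
    start, hdrs, body = parse_headers(RAW_RESPONSE)
    print(start)
    for k, v in hdrs.items():
        print(f"{k}: {v}")
```

The strictness on malformed lines is deliberate: a parser that quietly accepts odd whitespace or missing colons may interpret a message differently from the proxy or server in front of it, which is the root of many header-handling bugs.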
What is the difference between request and response headers?
Request headers are sent by the client (browser) to the server with information about the client, the request, and the client's preferences. Response headers are sent by the server back to the client with information about the server's response, such as content type, caching instructions, and security policies. Some headers like Content-Type can appear in both.
What is CORS and which headers control it?
CORS (Cross-Origin Resource Sharing) is a browser-enforced security mechanism that controls whether a web page may read resources from a different origin (scheme, host and port), and the server opts in by sending CORS headers. The main CORS headers are Access-Control-Allow-Origin (which origins are allowed), Access-Control-Allow-Methods (which HTTP methods are allowed), Access-Control-Allow-Headers (which request headers are allowed), and Access-Control-Max-Age (how long the preflight response can be cached).
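A server-side view of these headers, as an added example that is not part of the guide: the function decides which Access-Control-* headers to attach for a normal request and for a preflight, using a constructed origin allowlist (ALLOWED_ORIGINS, ALLOWED_METHODS, ALLOWED_HEADERS and PREFLIGHT_MAX_AGE are assumptions for the demonstration).

```python
"""CORS headers from an origin allowlist. Added example, not the guide's code;
the allowlist and the sample requests are constructed."""

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "authorization", "x-requested-with"}
PREFLIGHT_MAX_AGE = 600  # seconds the browser may cache the preflight result


def cors_headers(origin, request_method=None, request_headers=None):
    """Return the Access-Control-* headers to add to a response.

    `origin` is the request's Origin header. For a preflight (OPTIONS)
    request, `request_method` and `request_headers` carry the values of
    Access-Control-Request-Method and Access-Control-Request-Headers.
    Returns {} when the request is not allowed: with no CORS headers the
    browser refuses to expose the response to the calling page."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        # Echo the specific allowed origin rather than "*": a wildcard cannot
        # be combined with credentials, and reflecting arbitrary origins would
        # let any site read authenticated responses.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Caches must key on Origin, or one origin's answer is served to another.
        "Vary": "Origin",
    }
    if request_method is None:
        return headers  # actual (non-preflight) response
    if request_method.upper() not in ALLOWED_METHODS:
        return {}
    requested = {
        h.strip().lower() for h in (request_headers or "").split(",") if h.strip()
    }
    if not requested <= ALLOWED_HEADERS:
        return {}
    headers.update({
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": str(PREFLIGHT_MAX_AGE),
    })
    return headers


if __name__ == "__main__":
    print(cors_headers("https://app.example.com", "PUT", "Content-Type, Authorization"))
    print(cors_headers("https://other.example", "GET"))
```

The two details that most often go wrong are both handled here: the allowed origin is echoed from an allowlist instead of being reflected from the request, and Vary: Origin is set so a shared cache never hands one origin's response to another.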
How do caching headers work?
Caching headers control how long browsers and proxies can cache a response. Cache-Control is the primary header, with directives like max-age (seconds to cache), no-cache (validate with server before using cache), no-store (never cache), and public/private (whether shared caches can store the response). ETag and Last-Modified enable conditional requests to check if content has changed.
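Worked example of the directives above, added here and not taken from the guide: a small Cache-Control parser, a decision function that says whether a stored copy is fresh, must be revalidated, or must not be stored at all (distinguishing a shared proxy cache from the browser's private cache), and the server side of an ETag conditional request. All sample values are constructed.

```python
"""Cache-Control freshness and ETag revalidation. Added example; the sample
header values and ages are constructed, not from the guide."""


def parse_cache_control(value: str) -> dict:
    """Parse 'max-age=300, public, no-cache' into
    {'max-age': 300, 'public': True, 'no-cache': True}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, eq, arg = part.partition("=")
        name = name.lower()
        if eq:
            arg = arg.strip().strip('"')
            directives[name] = int(arg) if arg.isdigit() else arg
        else:
            directives[name] = True
    return directives


def cache_decision(cache_control: str, age: int, shared_cache: bool) -> str:
    """Decide what a cache may do with a stored response that is `age` seconds old.

    Returns 'do-not-store', 'fresh' or 'revalidate'. `shared_cache` is True for
    a proxy or CDN cache and False for the browser's own cache."""
    d = parse_cache_control(cache_control)
    if "no-store" in d:
        return "do-not-store"          # never written to any cache
    if shared_cache and "private" in d:
        return "do-not-store"          # only the user's browser may keep it
    if "no-cache" in d:
        return "revalidate"            # may be stored, but checked with origin first
    if shared_cache and "s-maxage" in d:
        lifetime = d["s-maxage"]       # shared caches prefer s-maxage over max-age
    else:
        lifetime = d.get("max-age")
    if isinstance(lifetime, int) and age < lifetime:
        return "fresh"
    return "revalidate"                # stale or no lifetime given: conditional request


def conditional_status(current_etag: str, if_none_match: str) -> int:
    """Server side of revalidation: 304 Not Modified when the client's
    If-None-Match still matches the current ETag, otherwise 200 with a body.
    Uses exact string comparison; weak (W/) validators are not modelled."""
    candidates = [t.strip() for t in if_none_match.split(",")]
    if "*" in candidates or current_etag in candidates:
        return 304
    return 200


if __name__ == "__main__":
    print(cache_decision("private, max-age=600", age=10, shared_cache=True))
    print(cache_decision("private, max-age=600", age=10, shared_cache=False))
    print(conditional_status('"v2"', '"v1", "v2"'))
```

The private-versus-shared split is the security-relevant part: a response marked private (a personalised page, for instance) must never be stored by a shared cache, or the next user behind the same proxy receives someone else's content.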
What are security headers and why are they important?
Security headers tell the browser to enforce protections against common attacks. Strict-Transport-Security (HSTS) forces HTTPS connections. Content-Security-Policy (CSP) restricts where scripts and other resources may be loaded from, mitigating XSS and injection attacks. X-Frame-Options prevents clickjacking. X-Content-Type-Options prevents MIME type sniffing. Referrer-Policy controls what referrer information is sent. These should be configured on all production web applications.
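A check for exactly the headers listed above, as an added example rather than code from the guide: it takes a response's headers and reports which security headers are missing or carry a weak value. The thresholds (HSTS max-age of at least one year, rejecting 'unsafe-inline' without a nonce, and so on) and the two sample header sets are this example's own choices, not values from the guide.

```python
"""Audit a response's security headers. Added example, not the guide's code;
the thresholds and the GOOD/WEAK sample header sets are constructed."""

ONE_YEAR = 31536000  # seconds; the HSTS max-age floor used by this check

# Constructed samples: a hardened response and a weak one.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK_HEADERS = {
    "strict-transport-security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}


def audit_security_headers(headers: dict) -> list:
    """Return a list of findings for missing or weak security headers.
    Header names are matched case-insensitively; an empty list means clean."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = None
        for part in hsts.split(";"):
            name, _, val = part.strip().partition("=")
            if name.lower() == "max-age" and val.strip().isdigit():
                max_age = int(val.strip())
        if max_age is None or max_age < ONE_YEAR:
            findings.append("weak Strict-Transport-Security: max-age below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # Map directive name -> full directive text, e.g. "script-src 'self'".
        directives = {
            d.strip().split(" ", 1)[0].lower(): d.strip()
            for d in csp.split(";") if d.strip()
        }
        if "default-src" not in directives:
            findings.append("weak Content-Security-Policy: no default-src fallback")
        for name in ("script-src", "default-src"):
            src = directives.get(name, "")
            # With a nonce present browsers ignore 'unsafe-inline', so only flag it alone.
            if "'unsafe-inline'" in src and "nonce-" not in src:
                findings.append(f"weak Content-Security-Policy: {name} allows 'unsafe-inline' without a nonce")

    xfo = h.get("x-frame-options")
    if xfo is None and "frame-ancestors" not in (csp or ""):
        findings.append("missing X-Frame-Options (and no CSP frame-ancestors)")
    elif xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak X-Frame-Options: {xfo}")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing or weak X-Content-Type-Options (expected nosniff)")

    rp = h.get("referrer-policy", "").strip().lower()
    if rp in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("missing or weak Referrer-Policy")
    return findings


if __name__ == "__main__":
    for f in audit_security_headers(WEAK_HEADERS):
        print("-", f)
```

Running it over the weak set reports six findings; the hardened set reports none, since its CSP frame-ancestors directive is accepted in place of X-Frame-Options.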