The HTTP Reference

HTTP Headers Reference

Common request, response, CORS, and security headers with real-world examples.

Request Headers
Accept
Media types the client can handle.
Accept: application/json, text/html
Accept-Encoding
Compression algorithms the client supports.
Accept-Encoding: gzip, deflate, br
Accept-Language
Preferred languages for the response.
Accept-Language: en-US,en;q=0.9
Authorization
Credentials for authenticating the client.
Authorization: Bearer eyJhbGci...
Content-Type
Media type of the request body.
Content-Type: application/json; charset=utf-8
Cookie
Cookies previously set by the server with Set-Cookie, sent back on every request whose URL matches the cookie's Path and Domain.
Cookie: session=abc123; theme=dark
Host
Host name (and optional port) of the target server; mandatory in HTTP/1.1 and used for virtual hosting, so validate it against the names you actually serve rather than trusting it when building URLs.
Host: api.example.com
If-None-Match
Makes the request conditional: the server answers 304 Not Modified if the resource's current ETag matches any listed tag (or * for any representation), and takes precedence over If-Modified-Since.
If-None-Match: "33a64df5"
If-Modified-Since
Makes the request conditional on the modification date: the server answers 304 Not Modified if the resource has not changed since the given HTTP-date; an unparseable date is ignored.
If-Modified-Since: Mon, 21 Oct 2024 07:28:00 GMT
Origin
Scheme, host and port of the page that issued the request; browsers add it to cross-origin and state-changing requests and page script cannot override it, which is why servers use it for CORS and CSRF checks.
Origin: https://app.example.com
Referer
URL of the page that initiated the request (the misspelling is historical and part of the standard); what is sent is governed by the Referrer-Policy header.
Referer: https://example.com/page
User-Agent
Identifies the client software.
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
X-Request-ID
Unique identifier for request tracing.
X-Request-ID: 550e8400-e29b-41d4-a716-446655440000
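Accept, Accept-Encoding and Accept-Language share one syntax: comma-separated members, each optionally weighted with a q parameter between 0 and 1, where q=0 means "not acceptable". The following is an added example, not code from this reference page: a Python parser for that syntax and a negotiate() helper that picks the best server-supported value, preferring higher q, then the more specific range, then the server's own order. The supported lists and header strings in the usage calls are constructed for illustration.

```python
"""Added example: q-value parsing and negotiation for the Accept-* family."""
from __future__ import annotations

import re

# RFC 9110 qvalue grammar: 0 to 1 with at most three decimals. A member whose
# q does not match is dropped rather than guessed at.
_QVALUE = re.compile(r"^(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?)$")


def parse_accept(header: str) -> list[tuple[str, float]]:
    """Return (value, q) pairs ordered by descending q, then specificity, then header order.

    Members with q=0 are kept so callers can see explicit refusals such as
    'identity;q=0'. Parameters other than q (e.g. text/html;level=1) are ignored.
    """
    members = []
    for index, member in enumerate(header.split(",")):
        parts = [p.strip() for p in member.split(";")]
        value = parts[0].lower()
        if not value:
            continue
        q = 1.0
        for param in parts[1:]:
            name, _, raw = param.partition("=")
            if name.strip().lower() == "q":
                raw = raw.strip()
                q = float(raw) if _QVALUE.match(raw) else None
        if q is None:
            continue  # malformed qvalue
        members.append((value, q, value.count("*"), index))
    members.sort(key=lambda m: (-m[1], m[2], m[3]))
    return [(value, q) for value, q, _, _ in members]


def match_media(range_: str, offered: str) -> bool:
    """Accept: 'text/*' matches 'text/html', '*/*' matches anything."""
    rtype, _, rsub = range_.partition("/")
    otype, _, osub = offered.partition("/")
    return rtype in ("*", otype) and rsub in ("*", osub)


def match_language(range_: str, offered: str) -> bool:
    """Accept-Language, RFC 4647 basic filtering: 'en' matches 'en' and 'en-us'."""
    return range_ == "*" or offered == range_ or offered.startswith(range_ + "-")


def match_exact(range_: str, offered: str) -> bool:
    """Accept-Encoding: codings match exactly or via '*'."""
    return range_ in ("*", offered)


def negotiate(header: str, supported: list[str], match) -> str | None:
    """Pick the supported value the client ranks highest; None if nothing is acceptable.

    An absent header means everything is acceptable; callers should not
    reach this function in that case. A None result maps to 406 Not Acceptable.
    """
    ranked = parse_accept(header)
    best, best_key = None, None
    for position, offered in enumerate(supported):
        for value, q in ranked:
            if match(value, offered.lower()):
                if q > 0:  # q=0 is an explicit refusal of this value
                    key = (q, -value.count("*"), -position)
                    if best_key is None or key > best_key:
                        best, best_key = offered, key
                break  # ranked order: the first matching range decides this value
    return best


if __name__ == "__main__":
    # Constructed inputs mirroring the headers listed above.
    print(negotiate("application/json, text/html", ["text/html", "application/json"], match_media))
    print(negotiate("en-US,en;q=0.9", ["de", "en", "fr"], match_language))
    print(negotiate("gzip;q=0, br", ["gzip"], match_exact))
```

negotiate() breaks ties by server order, so list the representation you prefer to serve first; the wildcard rule means a client sending `*/*;q=0.1, image/*` still gets an image when one is offered.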
Response Headers
Cache-Control
Directives for browser and shared caches; max-age applies to both, while s-maxage applies only to shared caches (CDNs, proxies) and overrides max-age there. Use no-store for responses carrying credentials or personal data.
Cache-Control: public, max-age=3600, s-maxage=86400
Content-Type
Media type of the response body.
Content-Type: application/json; charset=utf-8
Content-Length
Size of the response body in bytes.
Content-Length: 1234
ETag
Opaque identifier for a specific version of a resource; clients echo it back in If-None-Match (cache validation) or If-Match (lost-update protection). A W/ prefix marks it as weak.
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
Location
Target URL of a 3xx redirect, or of the newly created resource on a 201 Created response (as in the example).
Location: https://api.example.com/users/42
Retry-After
How long the client should wait before retrying, as seconds or an HTTP-date; sent with 429 Too Many Requests and 503 Service Unavailable.
Retry-After: 120
Set-Cookie
Sets a cookie on the client. HttpOnly keeps it out of reach of script, Secure restricts it to HTTPS, and a SameSite attribute (Lax or Strict) should be added for CSRF defence.
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure
WWW-Authenticate
Names the authentication scheme (and realm) the client must use; required on every 401 Unauthorized response.
WWW-Authenticate: Bearer realm="api"
X-RateLimit-Limit
Maximum number of requests allowed in the current window. Non-standard (X- prefix) but widely used, as is X-RateLimit-Remaining below.
X-RateLimit-Limit: 1000
X-RateLimit-Remaining
Requests remaining in the current window.
X-RateLimit-Remaining: 42
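The conditional-request headers above (If-None-Match, If-Modified-Since) and the ETag entry only make sense together, so here is an added example, not code from this reference page, that implements the server side of a conditional GET in Python: If-None-Match is evaluated first and, if present, decides on its own; comparison is weak (the W/ prefix is ignored); an unparseable If-Modified-Since is ignored; and a 304 carries the current validators so the client can refresh its cache entry. The request header dictionaries and the resource's ETag and modification time are constructed inputs.

```python
"""Added example: deciding between 200 and 304 for a conditional GET (RFC 9110 section 13)."""
from __future__ import annotations

from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime


def _etag_set(value: str) -> set[str] | None:
    """Parse an If-None-Match list; None means '*' (match any current representation)."""
    value = value.strip()
    if value == "*":
        return None
    tags = set()
    for tag in value.split(","):
        tag = tag.strip()
        if tag.startswith("W/"):
            tag = tag[2:]  # weak comparison: the W/ prefix is ignored
        if len(tag) >= 2 and tag[0] == tag[-1] == '"':
            tags.add(tag)
    return tags


def _http_date(value: str) -> datetime | None:
    """Parse an HTTP-date; None for anything unparseable (the header is then ignored)."""
    try:
        parsed = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):
        return None
    # A naive result means the string carried no zone; HTTP dates are GMT.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def evaluate_conditional(request_headers: dict, etag: str, last_modified: datetime) -> tuple[int, dict]:
    """Return (status, validator_headers) for a GET/HEAD of one resource.

    etag is the current entity tag including its quotes (and W/ if weak);
    last_modified is a timezone-aware datetime. HTTP dates carry whole
    seconds, so the modification time is truncated before comparison.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    modified = last_modified.astimezone(timezone.utc).replace(microsecond=0)
    validators = {"ETag": etag, "Last-Modified": format_datetime(modified, usegmt=True)}

    if "if-none-match" in req:
        wanted = _etag_set(req["if-none-match"])
        current = etag[2:] if etag.startswith("W/") else etag
        if wanted is None or current in wanted:
            return 304, validators
        # A present If-None-Match overrides If-Modified-Since even when it fails.
        return 200, validators

    if "if-modified-since" in req:
        since = _http_date(req["if-modified-since"])
        if since is not None and modified <= since:
            return 304, validators

    return 200, validators


if __name__ == "__main__":
    # Constructed resource state matching the examples in this reference.
    last = datetime(2024, 10, 21, 7, 28, 0, tzinfo=timezone.utc)
    print(evaluate_conditional({"If-None-Match": '"33a64df5"'}, '"33a64df5"', last))
    print(evaluate_conditional({"If-Modified-Since": "Mon, 21 Oct 2024 07:28:00 GMT"}, '"33a64df5"', last))
```

For PUT and DELETE the same parsing applies to If-Match, but a mismatch there yields 412 Precondition Failed rather than 304, and strong comparison (no W/ stripping) is required.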
CORS Headers
Access-Control-Allow-Origin
Which origin may read the response: a single origin or *. Reflecting whatever Origin the request carried defeats the check entirely.
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods
Allowed HTTP methods for CORS requests.
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers
Request headers, beyond the CORS-safelisted ones, that the actual request may carry; answered in the preflight response.
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age
How long preflight results can be cached (seconds).
Access-Control-Max-Age: 86400
Access-Control-Allow-Credentials
Whether the browser may send cookies and Authorization with the request and let script read the response. The only valid value is true, and it cannot be combined with Access-Control-Allow-Origin: *.
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers
Response headers, beyond the CORS-safelisted ones (Cache-Control, Content-Type and a few others), that script may read from a cross-origin response.
Access-Control-Expose-Headers: X-RateLimit-Remaining
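The six CORS headers above are answers to questions the browser asks, so the safest way to see them together is as the server-side decision that produces them. The Python function below is an added example, not code from this reference page; the origin allowlist, method and header sets and exposed headers are assumptions. It compares the Origin value exactly against the allowlist and echoes it only on a match (so a credentialed API never emits *), always emits Vary: Origin so shared caches keep per-origin answers apart, and answers a preflight only for methods and headers the API actually accepts.

```python
"""Added example: producing CORS response headers for an allowlisted, credentialed API."""
from __future__ import annotations

# Assumed policy for the example API.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "authorization"}
EXPOSED_HEADERS = ["X-RateLimit-Remaining", "X-Request-ID"]
PREFLIGHT_MAX_AGE = 86400


def cors_headers(method: str, request_headers: dict) -> tuple[int | None, dict]:
    """Return (preflight_status, headers_to_add).

    preflight_status is 204 or 403 when the request is an OPTIONS preflight
    (the handler should stop there) and None otherwise (the handler runs
    and merges headers_to_add into its own response).
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin")
    is_preflight = method.upper() == "OPTIONS" and "access-control-request-method" in req
    # Emitted even on refusal: a cache must not serve one origin's answer to another.
    headers = {"Vary": "Origin"}

    if origin not in ALLOWED_ORIGINS:
        # Same-origin and non-browser requests carry no Origin; unknown origins
        # (including 'null' and look-alikes such as https://app.example.com.evil.com)
        # get no Access-Control-* headers, so the browser refuses the response.
        return (403 if is_preflight else None), headers

    headers["Access-Control-Allow-Origin"] = origin  # exact allowlisted value, never '*'
    headers["Access-Control-Allow-Credentials"] = "true"

    if not is_preflight:
        headers["Access-Control-Expose-Headers"] = ", ".join(EXPOSED_HEADERS)
        return None, headers

    wanted_method = req["access-control-request-method"].upper()
    wanted_headers = {
        h.strip().lower()
        for h in req.get("access-control-request-headers", "").split(",")
        if h.strip()
    }
    if wanted_method not in ALLOWED_METHODS or not wanted_headers <= ALLOWED_HEADERS:
        return 403, headers  # no Allow-Methods/Allow-Headers => browser blocks the real request

    headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
    headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
    headers["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
    return 204, headers


if __name__ == "__main__":
    # Constructed preflight for a PUT with JSON body and bearer token.
    print(cors_headers("OPTIONS", {
        "Origin": "https://app.example.com",
        "Access-Control-Request-Method": "PUT",
        "Access-Control-Request-Headers": "Content-Type, Authorization",
    }))
    print(cors_headers("GET", {"Origin": "https://app.example.com.evil.com"}))
```

Returning 403 on a refused preflight is a choice for clarity; what actually stops the browser is the absence of the Access-Control-Allow-* headers, which this function never emits for an origin outside the allowlist.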
Security Headers
Strict-Transport-Security
Tells the browser to use HTTPS only for this host for max-age seconds (31536000 is one year); includeSubDomains extends that to every subdomain. Only honoured when received over a valid HTTPS connection, so it does not protect the very first plaintext visit.
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy
Restricts the sources from which scripts, styles, images, frames and other resources may load; the main browser-side defence against XSS. The example allows only same-origin resources and blocks inline script.
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options
Stops the browser from guessing a content type that differs from the declared Content-Type, so uploaded files or API responses cannot be re-interpreted as script or stylesheets.
X-Content-Type-Options: nosniff
X-Frame-Options
Controls whether the page may be embedded in a frame (clickjacking defence). DENY forbids all framing, SAMEORIGIN allows same-origin framing; the CSP frame-ancestors directive is the modern replacement and wins when both are present.
X-Frame-Options: DENY
Permissions-Policy
Opts the page and its embedded frames out of browser features; an empty allowlist () disables the feature everywhere, self restricts it to the page's own origin.
Permissions-Policy: camera=(), microphone=(), geolocation=()
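A reference of this kind is most useful when turned into a check that can run against a real response. The Python function below is an added example, not code from this reference page, and the thresholds are the editor's reading of the common baseline rather than anything this page states: HSTS of at least one year with includeSubDomains, a CSP whose script sources contain no wildcard, bare scheme or effective 'unsafe-inline', X-Content-Type-Options: nosniff, framing protection via either frame-ancestors or X-Frame-Options, and an explicit Permissions-Policy. The two header sets at the bottom are constructed inputs, one weak and one hardened.

```python
"""Added example: auditing a response's security headers against a baseline."""
from __future__ import annotations

import re

ONE_YEAR = 31536000


def _csp_directives(policy: str) -> dict[str, list[str]]:
    """Split a CSP into {directive: [source tokens]}; tokens are lowercased for keyword checks."""
    directives = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_security_headers(headers: dict) -> list[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        max_age = re.search(r"max-age=(\d+)", hsts, re.I)
        if not max_age or int(max_age.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    directives: dict[str, list[str]] = {}
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        directives = _csp_directives(csp)
        # script-src falls back to default-src when absent.
        scripts = directives.get("script-src", directives.get("default-src"))
        if scripts is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha")) for t in scripts)
            # With a nonce or hash present, CSP3 browsers ignore 'unsafe-inline'.
            if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
                findings.append("CSP allows inline script")
            if "*" in scripts or "'unsafe-eval'" in scripts or any(t.endswith(":") for t in scripts):
                findings.append("CSP script sources include a wildcard, bare scheme or unsafe-eval")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" not in directives and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing protection (CSP frame-ancestors or X-Frame-Options)")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")

    return findings


# Constructed sample responses.
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_security_headers(sample) or "ok")
```

Run it against the headers returned by curl -sI or a proxy capture. The CSP check is deliberately narrow (script sources only); a full CSP review also looks at object-src, base-uri and form-action.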