HTTP Headers
Browse common HTTP headers with explanations, syntax examples, use cases, and related headers used in web APIs and browsers.
Content-Type
Specifies the media type of the resource being sent to the client or server.
Authorization
Carries authentication credentials for accessing a protected resource.
Accept
Indicates which media types the client can understand in the response.
Cache-Control
Defines caching rules for browsers, CDNs, and other intermediaries.
ETag
Provides a unique identifier for a specific version of a resource.
User-Agent
Identifies the client software making the request.
Referer
Indicates the address of the previous web page from which the current request originated.
Origin
Indicates the origin that initiated the request, mainly used in CORS and security contexts.
Content-Length
Specifies the size of the message body in bytes.
Host
Specifies the domain name of the server and optional port number.
Accept-Language
Indicates which natural languages the client prefers in the response.
Accept-Encoding
Indicates which content encodings the client can understand.
Content-Encoding
Indicates what additional encoding has been applied to the response body.
Cookie
Sends previously stored cookies from the client to the server.
Set-Cookie
Instructs the client to store a cookie.
Location
Indicates the URL to redirect to or the URL of a newly created resource.
Content-Disposition
Specifies whether content should be displayed inline or downloaded as an attachment.
If-None-Match
Makes the request conditional based on an ETag value.
If-Match
Makes the request conditional on the resource matching the given ETag value.
Last-Modified
Indicates the date and time at which the origin server believes the resource was last modified.
If-Modified-Since
Makes the request conditional on the resource being modified after the given date.
Expires
Specifies a date/time after which the response is considered stale.
Vary
Indicates which request headers influence the selected response representation.
Range
Requests only part of a resource rather than the entire body.
Content-Range
Describes which part of the resource is included in the response body.
Accept-Ranges
Indicates that the server supports range requests for the resource.
Transfer-Encoding
Specifies the form of encoding used to safely transfer the message body.
WWW-Authenticate
Defines the authentication method that should be used to access a protected resource.
Strict-Transport-Security
Instructs browsers to only access the site over HTTPS for a specified period.
Content-Security-Policy
Controls which sources of content are allowed to load in the browser.
X-Frame-Options
Controls whether the page can be embedded inside a frame, iframe, embed, or object.
X-Content-Type-Options
Tells browsers not to MIME-sniff a response away from the declared Content-Type.
Referrer-Policy
Controls how much referrer information should be sent with requests.
Permissions-Policy
Controls which browser features can be used in the current document or its embedded frames.
Access-Control-Allow-Origin
Specifies which origin is allowed to access the resource in cross-origin requests.
Access-Control-Allow-Methods
Specifies which HTTP methods are allowed when accessing the resource cross-origin.
Access-Control-Allow-Headers
Specifies which request headers can be used in a cross-origin request.
Access-Control-Allow-Credentials
Indicates whether credentials such as cookies or authorization headers can be included in cross-origin requests.
Access-Control-Expose-Headers
Specifies which response headers are safe to expose to frontend JavaScript in cross-origin responses.
Access-Control-Max-Age
Specifies how long the result of a CORS preflight request can be cached.
Access-Control-Request-Method
Indicates which HTTP method will be used in the actual cross-origin request during a preflight request.
Access-Control-Request-Headers
Lists which request headers will be used in the actual cross-origin request during a preflight request.
X-Forwarded-For
Carries the original client IP address when requests pass through proxies or load balancers.
X-Forwarded-Proto
Indicates the original protocol used by the client before the request passed through a proxy.
X-Forwarded-Host
Indicates the original Host requested by the client before proxy forwarding.
X-Request-Id
Carries a unique identifier for a request so it can be traced across systems.
Server
Identifies the software handling the request on the server side.