TypeParser

HTTP Header Reference

Searchable HTTP request and response headers.

28 headers

Accept (request · negotiation): Media types that are acceptable for the response.
Accept-Encoding (request · negotiation): List of acceptable encodings (gzip, br, deflate).
Accept-Language (request · negotiation): Preferred natural languages for the response.
Authorization (request · auth): Credentials for authenticating the user agent (Basic, Bearer, etc.).
Cache-Control (both · cache): Directives for caching mechanisms in requests and responses.
Content-Type (both · payload): Media type of the resource or of the data being sent.
Content-Length (both · payload): The size in bytes of the message body.
Cookie (request · state): Cookies previously sent by the server with Set-Cookie.
Set-Cookie (response · state): Sends cookies from the server to the user agent.
Host (request · routing): Host and port number of the server.
Origin (request · cors): Origin of the request; sent to initiate a CORS request.
Access-Control-Allow-Origin (response · cors): Allowed origin for cross-origin requests.
Access-Control-Allow-Methods (response · cors): Allowed methods for CORS preflight.
Access-Control-Allow-Headers (response · cors): Allowed headers for CORS preflight.
Access-Control-Allow-Credentials (response · cors): Whether the response may be exposed to the page when the request's credentials flag is true.
User-Agent (request · identity): String identifying the user agent making the request.
Referer (request · routing): Address of the previous web page (note: misspelled in the spec).
Location (response · routing): URL to redirect to (with 3xx) or of the newly created resource (with 201).
ETag (response · cache): Validator for cached representations.
If-None-Match (request · cache): Makes the request conditional on no ETag match.
If-Modified-Since (request · cache): Makes the request conditional on modification time.
Last-Modified (response · cache): Date the resource was last modified.
Strict-Transport-Security (response · security): Force HTTPS for future requests (HSTS).
Content-Security-Policy (response · security): Restrict the resources the page can load (CSP).
X-Frame-Options (response · security): Whether the page can be rendered in an iframe.
X-Content-Type-Options (response · security): nosniff disables MIME type sniffing.
Referrer-Policy (response · security): How much referrer info should be sent on requests.
Permissions-Policy (response · security): Allow or deny browser features (camera, mic, etc.).

Guide

About HTTP Header Reference

Searchable reference of HTTP request and response headers (security, CORS, caching, content negotiation, authentication) with descriptions, examples, and RFC references. Filters by category. Useful when reading dev tools network traffic or configuring a server.

Headers you should know cold

Headers worth memorizing, by category:

Security: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
CORS: Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Max-Age
Caching: Cache-Control, ETag, Last-Modified, Vary
Auth: Authorization, WWW-Authenticate, Cookie, Set-Cookie
Content: Content-Type, Content-Encoding, Content-Length, Accept, Accept-Language
Routing: Host, User-Agent, Referer, Origin

The reference holds the rest — RFC 9110 plus the practical ones the spec is silent on.

Common workflows

Audit response headers. DevTools → Network → response. Compare against this reference and spot weak security posture, missing cache directives, or broken CORS.

Configure CORS for an API. Look up which Access-Control-* headers are needed, then structure the response.

Triage a caching bug. Vary mismatches and missing Cache-Control are the usual suspects; the tool surfaces canonical examples.

Build a webhook receiver. You will need Idempotency-Key, Authorization, and a signature header; the reference shows precedent patterns.
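As an added example (not code from the TypeParser page or from any server), the following Python audit applies the "Audit response headers" and "Configure CORS" workflows to a captured set of response headers: it flags the security headers from the reference that are missing, an HSTS policy that is too short or does not cover subdomains, a wrong X-Content-Type-Options value, and the wildcard-origin-plus-credentials CORS mistake. The sample headers, the one-year HSTS threshold and the finding strings are this example's own assumptions.

```python
# Added example, not from the TypeParser page or any server: audit a captured
# response's security and CORS headers ("Audit response headers" / "Configure
# CORS" workflows). Every header value below is constructed sample input.
from typing import Dict, List

# Constructed sample of what a DevTools response-headers pane might show.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "Cache-Control": "no-store",
}
EXPECTED_SECURITY = ["Strict-Transport-Security", "Content-Security-Policy",
                     "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy"]
HSTS_MIN_AGE = 31536000  # one year; this threshold is the example's own policy


def parse_directives(value: str) -> Dict[str, str]:
    """Split 'max-age=3600; includeSubDomains' into a lower-cased name -> arg dict."""
    out = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip()
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings in check order; an empty list means nothing was flagged."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    for name in EXPECTED_SECURITY:
        if name.lower() not in h:
            findings.append(f"missing {name}")
    if "strict-transport-security" in h:
        hsts = parse_directives(h["strict-transport-security"])
        age = hsts.get("max-age", "")
        if not age.isdigit() or int(age) < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age below {HSTS_MIN_AGE}")
        if "includesubdomains" not in hsts:
            findings.append("HSTS lacks includeSubDomains")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    # Browsers reject a credentialed response whose allowed origin is the wildcard.
    if h.get("access-control-allow-origin") == "*" and \
            h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("CORS: wildcard Access-Control-Allow-Origin with credentials")
    return findings
```

Calling audit_headers(SAMPLE_RESPONSE_HEADERS) yields six findings for the constructed sample, from the three missing headers down to the wildcard-with-credentials CORS mistake; a hardened header set returns an empty list.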

Frequently asked questions

What is the most important security header?
Strict-Transport-Security (HSTS) — forces browsers to use HTTPS. Followed by Content-Security-Policy (CSP), X-Content-Type-Options: nosniff, and Referrer-Policy.

Cache-Control vs Expires?
Cache-Control is the modern form (relative, seconds-based directives). Expires is the HTTP/1.0 absolute-timestamp form. Cache-Control wins if both are present.

What does Vary: Accept-Encoding do?
It tells caches that the response varies based on the Accept-Encoding request header. Without it, a gzipped cached response might be served to a client that does not accept gzip.

CORS in one sentence?
Browsers block scripts from reading cross-origin responses by default; Access-Control-Allow-Origin on the response from the target origin opts in.

Custom headers?
The X- prefix is deprecated (RFC 6648). Use hyphenated names without a prefix — Request-Id, Correlation-Id, Idempotency-Key.

ETag vs Last-Modified?
ETag is a content fingerprint (precise). Last-Modified is a timestamp (cheap). Modern servers send both; clients prefer If-None-Match (ETag) over If-Modified-Since.

Last updated: 2025-01-15