HTTP Headers Reference
Common HTTP headers and what they do.

| Header | Direction | Purpose |
|---|---|---|
| Accept | request | Media types the client can handle (e.g., application/json) |
| Accept-Encoding | request | Compression methods (gzip, br, deflate) |
| Accept-Language | request | Preferred languages (en-US, en;q=0.9) |
| Authorization | request | Credentials (Bearer token, Basic, etc.) |
| Cache-Control | both | Caching directives (no-cache, max-age, no-store) |
| Content-Encoding | response | Compression applied (gzip, br) |
| Content-Length | both | Body size in bytes |
| Content-Type | both | Media type of the body |
| Cookie | request | Cookies to send |
| Set-Cookie | response | Cookies to set |
| Date | response | When the message was sent |
| ETag | response | Entity tag for caching |
| Host | request | Domain being requested |
| If-Modified-Since | request | Conditional GET |
| If-None-Match | request | Conditional based on ETag |
| Last-Modified | response | When the resource was last changed |
| Location | response | URL for redirect (3xx) or new resource (201) |
| Origin | request | Where the request came from (CORS) |
| Referer | request | URL the request came from |
| Server | response | Server software identifier |
| User-Agent | request | Client software identifier |
| X-Forwarded-For | request | Original client IP through proxies |
| Access-Control-Allow-Origin | response | CORS - which origins can read the response |
| Access-Control-Allow-Methods | response | CORS - which HTTP methods are allowed |
| Strict-Transport-Security | response | HSTS - require HTTPS |
| Content-Security-Policy | response | CSP - allowed sources of scripts, images, etc. |
| X-Frame-Options | response | Allow / deny embedding in iframes |
| X-Content-Type-Options | response | nosniff prevents MIME type sniffing |
| Vary | response | Request headers the response varies on (e.g., Accept-Encoding) |
| Connection | both | Keep-alive vs close |
| Upgrade | request | Switch protocols (websocket) |

Reference for common HTTP headers. Headers prefixed with X- are non-standard but widely used. The IETF moved away from X- prefixes in 2012, but they persist in legacy systems.
About
Reference table of 30+ HTTP headers (Accept, Cache-Control, Content-Type, etc.) with their direction (request, response, both) and purpose.
How to use
- Skim for what you need.
FAQ
What about non-standard X- headers?
X-Forwarded-For and X-Frame-Options are widely used despite the X- prefix. The IETF recommends new headers skip X- per RFC 6648.