📖 Guide

HTTP Headers Reference

Complete HTTP headers reference — request headers, response headers, caching, security, CORS, and content negotiation.

104 commands across 6 categories

General Headers Request Headers Response Headers Caching Security Headers Content Headers

General Headers

Command	Description
`Host: example.com`	Domain name of the server (required in HTTP/1.1)
`Host: example.com:8080`	Host with non-standard port
`Connection: keep-alive`	Keep TCP connection open for multiple requests
`Connection: close`	Close connection after this request/response
`Date: Wed, 19 Mar 2026 12:00:00 GMT`	Date and time the message was sent (RFC 7231 format)
`Transfer-Encoding: chunked`	Body sent in chunks (no Content-Length needed)
`Upgrade: websocket`	Request protocol upgrade (e.g., to WebSocket)
`Via: 1.1 proxy.example.com`	Intermediate proxies between client and server
`Trailer: Expires`	Headers that will be sent after the chunked body

Request Headers

Command	Description
`Accept: application/json`	Tell server which content types the client can handle
`Accept: text/html, application/xhtml+xml, /;q=0.8`	Accept with quality values (preference order)
`Accept-Language: en-US,en;q=0.9,de;q=0.8`	Preferred response languages
`Accept-Encoding: gzip, deflate, br`	Accepted compression algorithms
`Accept-Charset: utf-8`	Accepted character sets (largely obsolete)
`Authorization: Bearer eyJhbGci...`	Authentication credentials (Bearer token)
`Authorization: Basic dXNlcjpwYXNz`	Basic authentication (base64 user:pass)
`User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...`	Client software identification
`Cookie: session=abc123; theme=dark`	Send stored cookies to server
`Referer: https://example.com/page`	URL of the page that linked to this request
`Origin: https://example.com`	Origin of the request (scheme + host + port)
`If-None-Match: "etag-value"`	Conditional request — only if ETag doesn't match (caching)
`If-Modified-Since: Wed, 19 Mar 2026 12:00:00 GMT`	Conditional request — only if modified after date
`Range: bytes=0-1023`	Request partial content (first 1024 bytes)
`X-Requested-With: XMLHttpRequest`	Identify AJAX requests (convention, not standard)
`X-Forwarded-For: 203.0.113.50, 70.41.3.18`	Original client IP when behind proxy/load balancer
`X-Forwarded-Proto: https`	Original protocol when behind proxy
`Forwarded: for=192.0.2.60; proto=https; by=203.0.113.43`	Standard alternative to X-Forwarded-* headers

Response Headers

Command	Description
`Content-Type: application/json; charset=utf-8`	MIME type and encoding of the response body
`Content-Type: text/html; charset=utf-8`	HTML response
`Content-Type: multipart/form-data; boundary=----WebKitFormBoundary`	File upload response/request type
`Content-Type: application/octet-stream`	Binary data (generic)
`Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax`	Set a cookie with security flags
`Set-Cookie: theme=dark; Max-Age=31536000`	Set a persistent cookie (1 year)
`Set-Cookie: token=xyz; Expires=Thu, 19 Mar 2027 00:00:00 GMT; Domain=.example.com`	Cookie with explicit expiry and domain
`Location: https://example.com/new-page`	Redirect URL (used with 301, 302, 307, 308)
`Location: /api/users/123`	Location of newly created resource (used with 201)
`Server: nginx/1.24.0`	Server software identification (consider hiding in production)
`WWW-Authenticate: Bearer realm="api"`	Authentication method required (sent with 401)
`WWW-Authenticate: Basic realm="Admin Area"`	Request Basic authentication
`Retry-After: 120`	Seconds to wait before retrying (sent with 429 or 503)
`Retry-After: Wed, 19 Mar 2026 12:05:00 GMT`	Retry after a specific date
`Allow: GET, POST, OPTIONS`	Allowed HTTP methods for this resource (sent with 405)

Caching

Command	Description
`Cache-Control: no-cache`	Must revalidate with server before using cached copy
`Cache-Control: no-store`	Don't cache at all — not even on disk
`Cache-Control: public, max-age=31536000`	Cache publicly for 1 year (immutable assets)
`Cache-Control: private, max-age=3600`	Cache in browser only (not CDN/proxy) for 1 hour
`Cache-Control: public, max-age=0, must-revalidate`	Always revalidate — used with ETags for conditional requests
`Cache-Control: no-cache, no-store, must-revalidate`	Nuclear no-cache — prevent all caching
`Cache-Control: immutable`	Content will never change — skip revalidation (used with hashed filenames)
`Cache-Control: stale-while-revalidate=60`	Serve stale while fetching fresh copy (up to 60s)
`Cache-Control: stale-if-error=86400`	Serve stale copy if origin server errors (up to 1 day)
`Cache-Control: s-maxage=3600`	Max age for shared caches (CDN) — overrides max-age
`ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"`	Entity tag — unique identifier for this version of the resource
`ETag: W/"0815"`	Weak ETag — semantically equivalent (allows minor differences)
`Last-Modified: Wed, 19 Mar 2026 12:00:00 GMT`	When the resource was last modified
`Expires: Wed, 19 Mar 2027 12:00:00 GMT`	Expiry date (legacy — prefer Cache-Control max-age)
`Expires: 0`	Already expired (legacy way to prevent caching)
`Vary: Accept-Encoding`	Cache key includes this header — different cache per encoding
`Vary: Accept-Encoding, Accept-Language`	Vary on multiple headers
`Vary: *`	Every request is unique — effectively disables caching
`Age: 3600`	Time in seconds the response has been in proxy cache
`Pragma: no-cache`	HTTP/1.0 backward compatibility for no-cache

Security Headers

Command	Description
`Access-Control-Allow-Origin: *`	CORS: allow requests from any origin
`Access-Control-Allow-Origin: https://example.com`	CORS: allow requests from specific origin only
`Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS`	CORS: allowed HTTP methods for preflight
`Access-Control-Allow-Headers: Content-Type, Authorization`	CORS: allowed request headers
`Access-Control-Allow-Credentials: true`	CORS: allow cookies/credentials in cross-origin requests
`Access-Control-Max-Age: 86400`	CORS: cache preflight response for 24 hours
`Access-Control-Expose-Headers: X-Custom-Header`	CORS: make custom headers readable by client
`Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`	HSTS: force HTTPS for 1 year, all subdomains, eligible for preload list
`Strict-Transport-Security: max-age=63072000`	HSTS: force HTTPS for 2 years
`Content-Security-Policy: default-src 'self'`	CSP: only allow resources from same origin
`Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src *`	CSP: common permissive policy
`Content-Security-Policy: upgrade-insecure-requests`	CSP: automatically upgrade HTTP to HTTPS
`Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report`	CSP in report-only mode (doesn't block, just reports)
`X-Frame-Options: DENY`	Prevent page from being embedded in iframe
`X-Frame-Options: SAMEORIGIN`	Allow iframe embedding only from same origin
`X-Content-Type-Options: nosniff`	Prevent MIME type sniffing — trust Content-Type header
`X-XSS-Protection: 0`	Disable browser XSS filter (modern CSP is better)
`Referrer-Policy: strict-origin-when-cross-origin`	Send full URL for same-origin, only origin for cross-origin
`Referrer-Policy: no-referrer`	Never send Referer header
`Permissions-Policy: camera=(), microphone=(), geolocation=()`	Disable specific browser features
`Permissions-Policy: camera=(self), fullscreen=*`	Allow camera for same origin, fullscreen for all
`Cross-Origin-Opener-Policy: same-origin`	COOP: isolate browsing context from cross-origin popups
`Cross-Origin-Embedder-Policy: require-corp`	COEP: require CORS or CORP for all subresources
`Cross-Origin-Resource-Policy: same-origin`	CORP: prevent resource from being loaded cross-origin

Content Headers

Command	Description
`Content-Length: 1234`	Size of response body in bytes
`Content-Encoding: gzip`	Compression algorithm used on the body
`Content-Encoding: br`	Brotli compression (better than gzip for text)
`Content-Encoding: deflate`	Deflate compression
`Content-Language: en-US`	Language of the content
`Content-Disposition: attachment; filename="report.pdf"`	Force download with filename
`Content-Disposition: inline`	Display content in browser (default)
`Content-Disposition: inline; filename="image.png"`	Display inline with suggested filename
`Content-Range: bytes 0-1023/5000`	Partial content range (bytes 0-1023 of 5000 total)
`Transfer-Encoding: chunked`	Body sent in chunks — size unknown ahead of time
`Content-Type: application/json`	JSON content
`Content-Type: text/plain; charset=utf-8`	Plain text content
`Content-Type: application/x-www-form-urlencoded`	HTML form data (default)
`Content-Type: multipart/form-data`	Form data with file uploads
`Content-Type: text/event-stream`	Server-Sent Events (SSE) stream
`Content-Type: application/pdf`	PDF document
`Link: </style.css>; rel=preload; as=style`	Preload hint — tell browser to fetch resource early
`Link: </api/data>; rel=preconnect`	Preconnect — establish connection to origin early