HTTP Headers

Reference for common HTTP request and response headers.

Request Headers

Accept

Media types acceptable for response

Accept: application/json
Accept-Encoding

Acceptable encoding methods

Accept-Encoding: gzip, deflate, br
Accept-Language

Preferred languages

Accept-Language: en-US,en;q=0.9
Authorization

Credentials for the request, here a bearer token; a captured token can be replayed, so send it only over HTTPS

Authorization: Bearer eyJhbGciOiJIUzI1...
Cache-Control

Caching directives

Cache-Control: no-cache
Content-Type

Media type of request body

Content-Type: application/json; charset=utf-8
Cookie

HTTP cookies sent to server

Cookie: sessionid=abc123; theme=dark
Host

Host name (and optional port) of the target server; required on every HTTP/1.1 request and used for virtual hosting

Host: api.example.com
If-Modified-Since

Conditional request based on modification time

If-Modified-Since: Sat, 21 Oct 2023 07:28:00 GMT
If-None-Match

Conditional request based on ETag

If-None-Match: "686897696a7c876b7e"
Origin

Scheme, host and port of the requesting page; browsers add it to cross-origin requests and the server checks it against its CORS allow-list

Origin: https://example.com
Referer

URL of referring page

Referer: https://example.com/page
User-Agent

Client software identifier

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

Response Headers

Access-Control-Allow-Origin

Origin permitted to read the response (CORS): one specific origin or *; browsers refuse * on credentialed requests

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods

CORS allowed HTTP methods

Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers

CORS allowed headers

Access-Control-Allow-Headers: Content-Type, Authorization
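
The three CORS response headers above are usually produced together. The following is an added example, not code from the original page: it answers a cross-origin request from an explicit allow-list rather than echoing whatever Origin arrives or sending *, refuses preflights for methods outside the list, and marks the response Vary: Origin. The allowed origins are assumptions for the example.

```python
# Added example (not from the original page): answer a cross-origin request
# from an explicit allow-list instead of reflecting Origin or sending "*".
# The allowed origins below are assumptions for the example.
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")
ALLOWED_HEADERS = ("Content-Type", "Authorization")


def origin_is_allowed(origin: str) -> bool:
    """Exact match on scheme://host[:port]; a prefix or substring test would
    also accept https://app.example.com.attacker.net or an Origin of "null"."""
    parts = urlsplit(origin)
    if parts.scheme not in ("https", "http") or not parts.netloc or parts.path:
        return False  # "null", file:, or a value carrying a path never matches
    return origin in ALLOWED_ORIGINS


def cors_headers(request_headers: dict, allow_credentials: bool = False) -> dict:
    """Return the CORS headers to add to the response, or {} to add none.

    Browsers reject Access-Control-Allow-Origin: * on a credentialed
    (cookie / Authorization) request, so a credentialed API must echo the one
    specific origin it accepted and mark the response Vary: Origin so that a
    shared cache does not serve it to a different origin.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return {}  # same-origin or non-browser client: no CORS headers needed
    if not origin_is_allowed(origin):
        return {}  # unknown origin: the browser will block the response
    # Preflight: refuse methods outside the allow-list up front.
    requested = request_headers.get("Access-Control-Request-Method")
    if requested is not None and requested.upper() not in ALLOWED_METHODS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": ", ".join(ALLOWED_HEADERS),
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

The exact-match check matters: the two classic CORS bugs are reflecting any Origin back (which is * with credentials by another name) and matching the allow-list with startswith or a loose regex.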
Cache-Control

Caching directives for the client and intermediate caches; public is only appropriate for responses that carry no per-user data

Cache-Control: public, max-age=3600
Content-Encoding

Compression method used

Content-Encoding: gzip
Content-Length

Size of response body in bytes

Content-Length: 348
Content-Type

Media type of response body

Content-Type: text/html; charset=UTF-8
ETag

Identifier for resource version

ETag: "686897696a7c876b7e"
Expires

Date/time when response expires

Expires: Sat, 21 Oct 2023 07:28:00 GMT
Last-Modified

Last modification date of resource

Last-Modified: Wed, 15 Nov 2023 12:45:26 GMT
Location

URL for redirect or created resource

Location: https://example.com/new-page
Server

Web server software; the version string helps attackers fingerprint the stack, so many deployments strip it

Server: nginx/1.18.0
Set-Cookie

Set a cookie in the client; session cookies should carry Secure, HttpOnly and a SameSite attribute (the example omits SameSite)

Set-Cookie: sessionid=abc123; Path=/; HttpOnly; Secure
Strict-Transport-Security

Force HTTPS (HSTS)

Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options

Prevent MIME sniffing

X-Content-Type-Options: nosniff
X-Frame-Options

Clickjacking protection

X-Frame-Options: DENY
X-XSS-Protection

Legacy XSS auditor for older browsers; current browsers ignore it and the recommended value is 0 (or omit the header)

X-XSS-Protection: 1; mode=block

Security Headers

Content-Security-Policy

Restrict where scripts, styles, frames and other resources may load from (CSP); 'unsafe-inline' in script-src, as in the example, re-enables inline script and defeats most of the XSS protection

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options

Prevent MIME type sniffing

X-Content-Type-Options: nosniff
X-Frame-Options

Control frame embedding

X-Frame-Options: SAMEORIGIN
X-XSS-Protection

Legacy XSS auditor, deprecated; send 0 or omit the header

X-XSS-Protection: 1; mode=block
Strict-Transport-Security

Enforce HTTPS connections

Strict-Transport-Security: max-age=31536000
Referrer-Policy

Control how much of the current URL is sent in the Referer header

Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy

Allow or deny browser features (geolocation, camera, ...) for the page and its frames

Permissions-Policy: geolocation=(), camera=()
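
Reviewing the headers a server actually sends is easier with a script than by eye. The following is an added example, not code from the original page: it audits a response header map for the weaknesses noted in this section (CSP with 'unsafe-inline', missing nosniff, HSTS without includeSubDomains or with a short max-age, the deprecated X-XSS-Protection filter, missing Referrer-Policy, Set-Cookie without Secure/HttpOnly/SameSite, and a Server version string). The two sample responses are constructed; the first simply reuses the values shown on this page.

```python
# Added example (not from the original page): audit a response's security
# headers for the weaknesses a reviewer looks for. The two sample responses
# are constructed; the first reuses the values shown in this reference.
from __future__ import annotations
import re

ONE_YEAR = 31536000  # minimum HSTS max-age most hardening guides expect
COOKIE_ATTRS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def csp_directive(csp: str, name: str) -> list[str] | None:
    """Return the source list of one CSP directive, or None if it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def audit_headers(headers: dict) -> list[str]:
    """Return findings for a response header map. Header names are matched
    case-insensitively; Set-Cookie may be one string or a list of strings."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        # script-src falls back to default-src; no directive at all means '*'
        scripts = csp_directive(csp, "script-src")
        if scripts is None:
            scripts = csp_directive(csp, "default-src") or ["*"]
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:"):
            if weak in scripts:
                findings.append(f"CSP: script-src allows {weak}, so injected script still runs")

    # Clickjacking: need either frame-ancestors or a restrictive X-Frame-Options
    framed_by_csp = csp is not None and csp_directive(csp, "frame-ancestors") is not None
    if not framed_by_csp and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("Framing: no frame-ancestors directive and no restrictive X-Frame-Options")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < ONE_YEAR:
            findings.append(f"HSTS: max-age {age} is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains not set, subdomains remain downgradable")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set")

    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip().startswith("1"):
        findings.append("X-XSS-Protection: the filter is deprecated, send 0 or drop the header")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy: header missing, full URLs may leak to third parties")

    cookies = h.get("set-cookie", [])
    for cookie in [cookies] if isinstance(cookies, str) else cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for attr, label in COOKIE_ATTRS.items():
            if attr not in attrs:
                findings.append(f"Set-Cookie {name}: missing {label}")

    if re.search(r"/\d", h.get("server", "")):
        findings.append(f"Server: exposes a version string ({h['server']})")

    return findings


# Constructed sample: the header values from this reference, as served together.
WEAK_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=31536000",
    "Server": "nginx/1.18.0",
    "Set-Cookie": "sessionid=abc123; Path=/; HttpOnly; Secure",
}

# Constructed sample: the same response after hardening.
HARDENED_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=()",
    "Set-Cookie": ["sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
    "Server": "nginx",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        findings = audit_headers(response)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run against the values from this page the audit reports six findings; the hardened response reports none. The checks are deliberately literal (exact directive names, nosniff spelled out) because that is how browsers read these headers: a typo in a header name is silently ignored rather than rejected.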

Custom & API Headers

X-API-Key

API key sent in a custom header; treat it as a credential: HTTPS only, never in URLs or logs

X-API-Key: abc123xyz789
X-Request-ID

Unique request identifier

X-Request-ID: 550e8400-e29b-41d4-a716-446655440000
X-Rate-Limit-Limit

Requests allowed in the current rate-limit window (non-standard name; varies by API)

X-Rate-Limit-Limit: 100
X-Rate-Limit-Remaining

Requests remaining in the current window

X-Rate-Limit-Remaining: 95
X-Rate-Limit-Reset

When the window resets, here as a Unix timestamp in seconds (some APIs send seconds-until-reset instead)

X-Rate-Limit-Reset: 1609459200
X-Forwarded-For

Client IP as reported by proxies; each proxy appends the address it saw, so the left-most entries are client-controlled and only hops added by your own trusted proxies can be believed

X-Forwarded-For: 203.0.113.195, 70.41.3.18
X-Forwarded-Proto

Scheme the client used to reach the proxy; like X-Forwarded-For, trust it only when your own proxy set it

X-Forwarded-Proto: https
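
Because any client can send X-Forwarded-For and X-Forwarded-Proto itself, an application must decide which entries to believe. The following is an added example, not code from the original page: it resolves the client address by walking X-Forwarded-For from the right and skipping known proxies, ignores the header entirely on direct connections, and honours X-Forwarded-Proto only from a trusted proxy. The trusted proxy ranges are assumptions for the example.

```python
# Added example (not from the original page): resolve the real client address
# and scheme behind a reverse proxy without trusting client-supplied hops.
# The trusted proxy ranges are assumptions for the example.
from __future__ import annotations
import ipaddress

# Reverse proxies / load balancers in front of the application (assumed).
# Only X-Forwarded-* values appended by these hosts can be believed.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),     # internal load balancer tier
    ipaddress.ip_network("70.41.3.18/32"),  # the edge proxy from the example above
]


def is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff: str | None) -> str:
    """Return the best-attested client address.

    The TCP peer is the only address known for certain. If the peer is a
    trusted proxy, walk X-Forwarded-For from the right (most recently
    appended hop first), skipping trusted proxies; the first untrusted
    address is the client as seen by the outermost trusted proxy. Anything
    further left was supplied by the client or an unknown upstream and may be
    forged, so it is ignored.
    """
    if not is_trusted_proxy(peer_addr):
        # Direct connection: any X-Forwarded-For header came from the client
        # itself, so it must not override the socket address.
        return peer_addr
    hops = [hop.strip() for hop in (xff or "").split(",") if hop.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: do not guess, fall back to the proxy address
        return hop
    return peer_addr  # header absent, or every hop was one of our own proxies


def request_scheme(peer_addr: str, xfp: str | None, socket_scheme: str = "http") -> str:
    """Honour X-Forwarded-Proto only when a trusted proxy set it; otherwise a
    client could claim https to bypass a Secure-cookie or redirect-to-TLS check."""
    if is_trusted_proxy(peer_addr) and xfp:
        value = xfp.split(",")[0].strip().lower()  # some proxies append, like XFF
        if value in ("http", "https"):
            return value
    return socket_scheme
```

With the header value from this page and a trusted peer, client_ip returns 203.0.113.195 because 70.41.3.18 is skipped as a known proxy; a forged entry prepended by the client ("1.2.3.4, 203.0.113.195") is never reached, and on a direct connection the header is ignored altogether.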