HTTP Headers List
Complete reference of HTTP request and response headers with example values and descriptions. Covers content negotiation, caching, authentication, CORS, and security headers.
General Headers
These headers can appear in both requests and responses.
| Header | Example Value | Description |
|---|---|---|
| Content-Type | application/json; charset=UTF-8 | MIME type and charset of the body |
| Content-Length | 1024 | Size of the body in bytes |
| Content-Encoding | gzip | Compression applied to the body (gzip, br, deflate) |
| Transfer-Encoding | chunked | How the body is transferred (chunked for streaming) |
| Connection | keep-alive | Connection persistence (keep-alive or close) |
| Date | Mon, 28 Mar 2026 12:00:00 GMT | Timestamp when the message was originated |
Request Headers
| Header | Example Value | Description |
|---|---|---|
| Accept | text/html,application/json;q=0.9 | Content types the client accepts, with quality factors |
| Accept-Encoding | gzip, deflate, br | Compression algorithms the client supports |
| Accept-Language | en-US,en;q=0.9,fr;q=0.8 | Preferred languages in priority order |
| Authorization | Bearer eyJhbGci... | Credentials for authenticating with the server |
| Cookie | session=abc123; theme=dark | Cookies previously set by the server |
| Host | api.example.com | Target host and port (required in HTTP/1.1) |
| Origin | https://app.example.com | Origin making the cross-origin request (CORS) |
| Referer | https://example.com/page | URL of the page that linked to this resource |
| User-Agent | Mozilla/5.0 (Macintosh; ...) | Client browser and OS information |
| X-Forwarded-For | 203.0.113.1, 10.0.0.5 | Chain of IPs when the request passes through proxies |
| X-Requested-With | XMLHttpRequest | Identifies AJAX requests (set by jQuery/Axios) |
Response Headers
| Header | Example Value | Description |
|---|---|---|
| Allow | GET, POST, HEAD | HTTP methods allowed for this resource (in 405 responses) |
| ETag | "a1b2c3d4e5f6" | Fingerprint of the resource version for conditional requests |
| Expires | Mon, 28 Apr 2026 12:00:00 GMT | Expiry date after which the cached copy is stale (superseded by Cache-Control) |
| Last-Modified | Mon, 28 Mar 2026 10:00:00 GMT | When the resource was last changed |
| Location | https://example.com/new-url | Redirect target URL (used in 3xx responses) |
| Retry-After | 120 | Seconds to wait before retrying (used in 429/503) |
| Server | nginx/1.25.3 | Server software (consider omitting for security) |
| Set-Cookie | id=abc; HttpOnly; Secure; SameSite=Lax | Set a cookie on the client |
| Vary | Accept-Encoding, Accept-Language | Request headers that affect the cached response |
| WWW-Authenticate | Bearer realm="api" | Authentication challenge sent with 401 responses |
Security Headers
These response headers protect against common web attacks. Every production web app should set them.
| Header | Recommended Value | Protection |
|---|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains | Forces HTTPS (HSTS), prevents protocol downgrade attacks |
| Content-Security-Policy | default-src 'self'; script-src 'self' | Restricts resource origins, mitigates XSS |
| X-Frame-Options | DENY | Prevents clickjacking via iframes (use CSP frame-ancestors instead) |
| X-Content-Type-Options | nosniff | Prevents MIME type sniffing |
| Referrer-Policy | strict-origin-when-cross-origin | Controls Referer header information sent with requests |
| Permissions-Policy | camera=(), microphone=(), geolocation=() | Restricts browser feature access (formerly Feature-Policy) |
| Access-Control-Allow-Origin | https://app.example.com | CORS: allowed origins for cross-origin requests |
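A small audit of the security headers in the table above, written as an added example for this page (it is not code from the original reference). It parses the header block of a raw HTTP response and reports which of the recommended protections are missing or weak. The sample response is constructed for the demo and deliberately gets several headers wrong; the thresholds (a one-year HSTS max-age, framing protection from either X-Frame-Options or a CSP frame-ancestors directive, and no wildcard Access-Control-Allow-Origin alongside credentials) are the checks a reviewer would typically apply, not values the page itself prescribes beyond the table.

```python
"""Audit the security headers of an HTTP response against the table above.

Added example, not part of the original reference page. The raw response
below is constructed for the demo. Header names are compared
case-insensitively, as HTTP requires.
"""
import re

# Constructed sample response: HSTS max-age is too short, Referrer-Policy
# and X-Frame-Options are missing, and CORS is wildcarded with credentials.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 28 Mar 2026 12:00:00 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "\r\n"
    "<html></html>"
)

ONE_YEAR = 31536000  # the max-age recommended in the table, in seconds


def parse_headers(raw):
    """Return {lower-cased header name: value} from a raw HTTP message.

    Repeated header fields are joined with ', ', the way a recipient may
    combine them; the body after the blank line is ignored.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_security_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")

    csp = headers.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")

    # Clickjacking: accept X-Frame-Options or a CSP frame-ancestors directive.
    xfo = headers.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in (csp or ""):
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if "referrer-policy" not in headers:
        findings.append("missing Referrer-Policy")

    # Browsers reject '*' combined with credentials, but the pairing still
    # signals a CORS policy that was never thought through.
    if (headers.get("access-control-allow-origin") == "*"
            and headers.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("Access-Control-Allow-Origin is * while credentials are allowed")

    return findings


if __name__ == "__main__":
    for finding in audit_security_headers(parse_headers(SAMPLE_RESPONSE)):
        print("FINDING:", finding)
```

Running it against the constructed response prints four findings (short HSTS max-age, no framing protection, missing Referrer-Policy, and the wildcard CORS origin); a response carrying the table's recommended values produces none.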
Caching Headers
| Header | Example Value | Description |
|---|---|---|
| Cache-Control | max-age=86400, public | Caching directives for request/response; max-age is in seconds |
| Cache-Control | no-store | Never cache (use for sensitive data) |
| Cache-Control | immutable, max-age=31536000 | Cache forever; use for content-hashed static assets |
| Pragma | no-cache | HTTP/1.0 legacy cache control (use Cache-Control instead) |
| Age | 3600 | Seconds since the response was cached by a proxy |
| If-Modified-Since | Mon, 28 Mar 2026 10:00:00 GMT | Request: return 304 if unchanged since this date |
| If-None-Match | "a1b2c3d4e5f6" | Request: return 304 if the ETag still matches |
Frequently Asked Questions
What is the Content-Type header?
The Content-Type header specifies the MIME type and character encoding of the request or response body. Common values include application/json; charset=UTF-8 for JSON APIs, text/html; charset=UTF-8 for web pages, and multipart/form-data for file uploads. In requests, it tells the server how to parse the body. In responses, it tells the browser how to render or interpret the body.
What are security headers?
Security headers are HTTP response headers that instruct the browser to enable or disable built-in security mechanisms. The most important ones are: Strict-Transport-Security (force HTTPS), Content-Security-Policy (prevent XSS by whitelisting script sources), X-Frame-Options (prevent clickjacking), and X-Content-Type-Options (prevent MIME sniffing). All production web apps should set these headers. Tools like securityheaders.com can audit your site's headers.
What is the difference between ETag and Last-Modified?
Both are cache validators used for conditional requests. Last-Modified is a timestamp of when the resource was last changed — the client sends it back as If-Modified-Since, and the server returns 304 if unchanged. ETag is an opaque version fingerprint (hash or version number) — the client sends it as If-None-Match. ETags are more precise: they detect changes even within the same second and work for resources where Last-Modified may not be meaningful. Use both when possible.
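The validator logic described in this answer, as an added example that is not part of the original page: a server-side function that evaluates If-None-Match against the resource's ETag and If-Modified-Since against its Last-Modified date and decides between 304 and a full 200. The resource record is constructed for the demo using the example values from the tables above. It follows RFC 9110's rules that If-None-Match takes precedence when both headers are present, that ETag comparison for If-None-Match is weak (the `W/` prefix is ignored), and that a malformed date is ignored rather than rejected; the same-second case from the answer (content changes, Last-Modified does not) is what the ETag path catches and the date path misses.

```python
"""Evaluate conditional GET headers the way an origin server does.

Added example, not code from the original page. RESOURCE is a constructed
stand-in for a stored resource: a content-hash ETag plus a modification time.
"""
from email.utils import parsedate_to_datetime

RESOURCE = {
    "etag": '"a1b2c3d4e5f6"',
    "last_modified": "Mon, 28 Mar 2026 10:00:00 GMT",
    "body": b'{"hello": "world"}',
}


def _parse_etags(value):
    """Split an If-None-Match field into a set of tags.

    Returns {"*"} for the wildcard. Weak tags (W/"...") have the prefix
    stripped because If-None-Match uses weak comparison (RFC 9110 13.1.2).
    """
    value = value.strip()
    if value == "*":
        return {"*"}
    tags = set()
    for tag in value.split(","):
        tag = tag.strip()
        if tag.startswith("W/"):
            tag = tag[2:]
        if tag:
            tags.add(tag)
    return tags


def evaluate_conditional(request_headers, resource):
    """Return (status, validator_headers, body) for a GET of `resource`.

    Request header names are matched case-insensitively. The validators are
    returned with both 200 and 304 so the client can refresh its copy of them.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    validators = {"ETag": resource["etag"], "Last-Modified": resource["last_modified"]}
    current = resource["etag"]
    if current.startswith("W/"):
        current = current[2:]

    inm = req.get("if-none-match")
    if inm is not None:
        # If-None-Match is authoritative; If-Modified-Since is ignored when
        # both are present (RFC 9110 13.1.3).
        tags = _parse_etags(inm)
        if "*" in tags or current in tags:
            return 304, validators, b""
        return 200, validators, resource["body"]

    ims = req.get("if-modified-since")
    if ims is not None:
        try:
            since = parsedate_to_datetime(ims)
            modified = parsedate_to_datetime(resource["last_modified"])
        except (TypeError, ValueError):
            # A date the server cannot parse is ignored, not an error.
            return 200, validators, resource["body"]
        # One-second resolution: a change within the same second as the
        # client's copy is invisible to this comparison.
        if modified <= since:
            return 304, validators, b""

    return 200, validators, resource["body"]


if __name__ == "__main__":
    print(evaluate_conditional({"If-None-Match": '"a1b2c3d4e5f6"'}, RESOURCE)[0])  # 304
    print(evaluate_conditional({"If-None-Match": '"stale"'}, RESOURCE)[0])         # 200
```

To see why the answer recommends sending both validators, change only the ETag of `RESOURCE` (a same-second edit): a client revalidating with If-None-Match gets the new body, while one revalidating with If-Modified-Since is told 304 and keeps the outdated copy.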