HTTP Headers Reference — Complete List with Examples
Reference for all common HTTP headers: request, response, security, caching, CORS, content negotiation. With practical examples and modern best practices.
Reference of common HTTP headers grouped by purpose. The full IANA HTTP registry has 200+; this is the practical subset web developers, API designers, and DevOps engineers see daily.
General request headers
| Header | Purpose | Example |
|---|---|---|
| Accept | Acceptable response types | Accept: application/json |
| Accept-Encoding | Acceptable compression | Accept-Encoding: gzip, br |
| Accept-Language | Preferred language | Accept-Language: en-US,en;q=0.9 |
| Authorization | Auth credentials | Authorization: Bearer eyJhbGc... |
| Cache-Control | Caching directives | Cache-Control: no-cache |
| Content-Length | Body size in bytes | Content-Length: 4523 |
| Content-Type | Body media type | Content-Type: application/json |
| Cookie | Cookies sent to the server | Cookie: session=abc123 |
| Host | Target hostname (required in HTTP/1.1) | Host: api.example.com |
| If-Match | Conditional update by ETag | If-Match: "v3" |
| If-Modified-Since | Conditional GET by date | If-Modified-Since: Wed, 21 Oct 2025 07:28:00 GMT |
| If-None-Match | Conditional GET by ETag | If-None-Match: "abc" |
| Origin | Origin of a cross-origin request | Origin: https://app.example.com |
| Range | Request partial content | Range: bytes=0-1023 |
| Referer | URL that triggered the request | Referer: https://google.com/ |
| User-Agent | Client identifier | User-Agent: Mozilla/5.0... |
General response headers
| Header | Purpose | Example |
|---|---|---|
| Cache-Control | Caching directives for client + CDN | Cache-Control: public, max-age=31536000, immutable |
| Content-Disposition | Download / inline display | Content-Disposition: attachment; filename="report.pdf" |
| Content-Encoding | Compression applied to body | Content-Encoding: gzip |
| Content-Language | Body language | Content-Language: en |
| Content-Length | Body size in bytes | Content-Length: 1024 |
| Content-Type | Body media type | Content-Type: text/html; charset=utf-8 |
| ETag | Resource version identifier | ETag: "abc123" |
| Expires | Absolute expiration date (legacy) | Expires: Wed, 21 Oct 2025 07:28:00 GMT |
| Last-Modified | Resource's last modification date | Last-Modified: Wed, 21 Oct 2025 07:28:00 GMT |
| Location | Redirect target / created resource | Location: /users/42 |
| Retry-After | When to retry (429/503) | Retry-After: 120 |
| Set-Cookie | Set browser cookie | Set-Cookie: session=abc; HttpOnly; Secure |
| Server | Server software | Server: nginx/1.25 |
| Vary | Headers that affect the cached representation | Vary: Accept-Encoding, Accept-Language |
| WWW-Authenticate | Auth challenge (401) | WWW-Authenticate: Bearer realm="api" |
Security headers
These should be set on every response from a modern web app:
| Header | Purpose | Recommended value |
|---|---|---|
| Strict-Transport-Security | Force HTTPS | max-age=31536000; includeSubDomains; preload |
| Content-Security-Policy | Restrict resource origins | default-src 'self'; script-src 'self' 'unsafe-inline' |
| X-Content-Type-Options | Prevent MIME-sniffing | nosniff |
| X-Frame-Options | Prevent clickjacking | SAMEORIGIN (or use CSP frame-ancestors) |
| Referrer-Policy | Control referer leakage | strict-origin-when-cross-origin |
| Permissions-Policy | Restrict browser APIs | camera=(), microphone=(), geolocation=() |
| Cross-Origin-Embedder-Policy | Required for SharedArrayBuffer | require-corp |
| Cross-Origin-Opener-Policy | Isolate browsing context | same-origin |
| Cross-Origin-Resource-Policy | Restrict cross-origin loading | same-origin or cross-origin |
CORS headers
Set on responses to cross-origin requests. See the CORS glossary entry for the full mechanism.
| Header | Purpose |
|---|---|
| Access-Control-Allow-Origin | Which origin may read the response (* for any) |
| Access-Control-Allow-Credentials | Whether cookies may be sent (if true, Allow-Origin must name a specific origin, not *) |
| Access-Control-Allow-Methods | Allowed HTTP methods (preflight) |
| Access-Control-Allow-Headers | Allowed request headers (preflight) |
| Access-Control-Max-Age | Preflight cache duration in seconds |
| Access-Control-Expose-Headers | Custom response headers visible to JS |
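The two tables above (security headers and CORS headers) are easiest to get wrong where they interact: the security set should be unconditional, while the CORS set must be computed per request from a fixed allowlist so that `Access-Control-Allow-Credentials: true` is never paired with `*` or with a reflected, unvetted Origin. The following is an added example (not code from this reference page); the origin allowlist, the function names and the `public` flag are assumptions made for the example, and the header values are the recommended values from the tables.

```python
"""Added example: build security + CORS response headers for one request,
enforcing the rules from the reference tables. ALLOWED_ORIGINS and the
function names are assumptions for this example."""
from typing import Dict, Optional

# Constructed allowlist: only these origins may make credentialed requests.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})

# Baseline security headers, sent on every response (values from the table).
SECURITY_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
}


def cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """CORS headers for a credentialed API, given the request's Origin header
    (None means the request carried no Origin, i.e. it is not a CORS request).

    - The Origin is echoed only when it is on the allowlist; an unknown
      origin gets no Access-Control-Allow-Origin at all, so the browser
      blocks the cross-origin read.
    - 'Vary: Origin' tells caches the response differs per origin.
    """
    if origin is None:
        return {}
    if origin not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": origin,          # specific origin, never '*'
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
        "Access-Control-Allow-Headers": "Authorization, Content-Type",
        "Access-Control-Max-Age": "600",
        "Access-Control-Expose-Headers": "ETag, Retry-After",
    }


def public_cors_headers() -> Dict[str, str]:
    """Headers for a public, non-credentialed resource: '*' is acceptable,
    and Allow-Credentials is deliberately omitted."""
    return {"Access-Control-Allow-Origin": "*"}


def validate(headers: Dict[str, str]) -> None:
    """Reject the one combination browsers refuse: '*' plus credentials."""
    if (headers.get("Access-Control-Allow-Origin") == "*"
            and headers.get("Access-Control-Allow-Credentials") == "true"):
        raise ValueError("Access-Control-Allow-Credentials: true requires a specific origin")


def response_headers(origin: Optional[str], public: bool = False) -> Dict[str, str]:
    """Merge the unconditional security set with the per-request CORS set."""
    headers = dict(SECURITY_HEADERS)
    headers.update(public_cors_headers() if public else cors_headers(origin))
    validate(headers)
    return headers


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://evil.example", None):
        h = response_headers(origin)
        print(origin, "->", h.get("Access-Control-Allow-Origin", "<no ACAO>"))
```

The unknown-origin branch is the important one: reflecting whatever Origin arrives, together with `Allow-Credentials: true`, turns every authenticated endpoint into one any site can read, and `validate()` catches the other common misconfiguration (`*` with credentials) before the headers leave the server.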
Conditional / caching headers — quick reference
- Strong validators: ETag, Last-Modified
- Conditional GET: If-None-Match + If-Modified-Since → 304 if unchanged
- Conditional update (optimistic locking): If-Match with ETag → 412 if changed
- Force fresh: Cache-Control: no-cache (must revalidate)
- Don't cache at all: Cache-Control: no-store
- Cache forever (immutable assets): Cache-Control: public, max-age=31536000, immutable
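The conditional-request rules above are a small decision procedure on the server side, and the order in which the preconditions are evaluated matters (If-Match before If-None-Match, and If-Modified-Since only when no If-None-Match is present). The following is an added example, not code from this reference page; the `Resource` record, the `evaluate()` function and the constructed `SAMPLE` resource are assumptions made for the example, and the precedence follows RFC 9110 section 13.2.2.

```python
"""Added example: decide how a server answers a conditional request.
Resource, evaluate() and SAMPLE are assumptions for this example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Dict, List, Tuple


@dataclass
class Resource:
    etag: str                # strong validator, quoted, e.g. '"v3"'
    last_modified: datetime  # timezone-aware, second resolution


def _etag_list(value: str) -> List[str]:
    """Split 'If-Match: "a", "b"' into its individual quoted entity-tags."""
    return [t.strip() for t in value.split(",") if t.strip()]


def _etag_matches(header: str, etag: str) -> bool:
    """'*' matches any current representation; otherwise exact strong match."""
    return header.strip() == "*" or etag in _etag_list(header)


def evaluate(method: str, req: Dict[str, str], res: Resource) -> Tuple[int, Dict[str, str]]:
    """Return (status, validator headers) for a request with conditional headers."""
    validators = {
        "ETag": res.etag,
        "Last-Modified": format_datetime(res.last_modified, usegmt=True),
    }

    # 1. Conditional update (optimistic locking): the client names the version
    #    it last saw; any other current version would be a lost update -> 412.
    if "If-Match" in req and not _etag_matches(req["If-Match"], res.etag):
        return 412, {}

    # 2. Conditional GET by ETag: same version -> 304 with no body.
    #    When If-None-Match is present the date check below is skipped.
    if "If-None-Match" in req:
        if _etag_matches(req["If-None-Match"], res.etag):
            return (304, validators) if method in ("GET", "HEAD") else (412, {})
        return 200, validators

    # 3. Conditional GET by date: not modified since the client's copy -> 304.
    if method in ("GET", "HEAD") and "If-Modified-Since" in req:
        try:
            since = parsedate_to_datetime(req["If-Modified-Since"])
        except (TypeError, ValueError):
            since = None  # malformed date: the precondition is ignored
        if since is not None:
            if since.tzinfo is None:
                since = since.replace(tzinfo=timezone.utc)
            if res.last_modified <= since:
                return 304, validators

    return 200, validators


# Constructed sample resource using the date from the reference table.
SAMPLE = Resource(etag='"v3"', last_modified=datetime(2025, 10, 21, 7, 28, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(evaluate("GET", {"If-None-Match": '"v3"'}, SAMPLE))   # 304
    print(evaluate("PUT", {"If-Match": '"v2"'}, SAMPLE))        # 412
    print(evaluate("GET", {"If-Modified-Since": "Mon, 20 Oct 2025 00:00:00 GMT"}, SAMPLE))  # 200
```

Two details are worth noting. A 304 must still carry the validators (ETag, Last-Modified) so the cache can refresh its copy's metadata, while a 412 carries none because the client's view is stale and needs a full GET. And a malformed If-Modified-Since is ignored rather than rejected, which is what the specification requires and what keeps an unparseable date from forcing an error response.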