HTTP Headers Reference
Every HTTP header you configure or debug — Cache-Control, CSP, CORS, Cookies, Authorization — with the exact directive syntax, real examples, and the gotchas that actually matter in production.
Caching & Validation
Cache-Control
Directs caching behavior in both requests and responses per RFC 9111, controlling freshness, revalidation, and where the response may be stored. Directives can be combined and are respected by browsers, CDNs, and intermediate proxies.
ETag
An opaque identifier for a specific version of a resource, used by clients in conditional requests to avoid re-downloading unchanged bodies. The server compares the ETag against If-None-Match (or If-Match) and returns 304 Not Modified when they match.
Last-Modified
Timestamp of when the origin server believes the resource was last modified, used as a weak validator for conditional requests. Clients echo it back in If-Modified-Since to receive a 304 when unchanged.
If-None-Match
Request header that makes the request conditional: the server returns 200 with the body only if none of the listed ETags match the current representation, otherwise 304 Not Modified. In write requests it protects against creating a duplicate resource.
Vary
Tells caches which request headers were used for content negotiation, so they know to store and serve separate variants keyed by those headers. Missing or wrong Vary causes users to see cached content meant for someone else (wrong language, encoding, or device).
Security
Strict-Transport-Security
HSTS instructs browsers to only connect over HTTPS for max-age seconds, upgrading any http:// URL and refusing to bypass TLS warnings. Once cached the policy is sticky for the whole duration.
Content-Security-Policy
Restricts which sources of scripts, styles, images, frames, and other resources a page may load, mitigating XSS and data injection. Policies are a semicolon-separated list of directives, each with a source list ('self', 'none', hostnames, schemes, nonces, or hashes).
X-Frame-Options
Controls whether the page may be rendered inside a <frame>, <iframe>, <embed>, or <object>, defending against clickjacking. Superseded by CSP frame-ancestors but still widely honored for legacy clients.
X-Content-Type-Options
Disables MIME-type sniffing in browsers, forcing them to trust the declared Content-Type. Blocks a class of attacks where user-uploaded files or HTML masquerading as another type would be executed as script.
Referrer-Policy
Controls how much of the current URL is sent as the Referer header on outgoing requests and navigations. Tightening it limits leakage of query strings, session tokens, and internal paths to third parties.
Permissions-Policy
Allow-lists or blocks powerful browser features (camera, mic, geolocation, payment, etc.) at the document and per-iframe level. Replaces the older Feature-Policy header with a structured-fields syntax.
CORS
Access-Control-Allow-Origin
The core CORS response header: names the single origin (or *) permitted to read this response from client-side JavaScript. If missing or non-matching, the browser blocks the response from the calling script.
Access-Control-Allow-Credentials
Signals that the response may be shared with the requesting origin even when the request was made with credentials (cookies, HTTP auth, or client TLS certs). The only legal value is the literal string 'true'.
Access-Control-Allow-Methods
Sent in the preflight (OPTIONS) response to list which HTTP methods the actual cross-origin request may use. Cached by the browser according to Access-Control-Max-Age.
Access-Control-Allow-Headers
Preflight response listing which request headers the actual request is allowed to send. Required whenever the client sends any non-CORS-safelisted header such as Authorization or a custom X-* header.
Access-Control-Expose-Headers
Lists response headers that the browser will expose to client JavaScript across origins. By default only a small CORS-safelisted set (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) is readable.
Access-Control-Max-Age
How long (in seconds) the browser may cache the preflight response, avoiding an OPTIONS round-trip before subsequent identical requests. Browsers cap this at their own maximum (Chrome ~7200s, Firefox ~86400s).
Authentication
Authorization
Carries client credentials to the server per the scheme announced in a prior WWW-Authenticate challenge (or agreed out of band). The scheme names the auth mechanism; the credentials are its scheme-specific payload.
WWW-Authenticate
Sent in a 401 response to challenge the client for credentials using the named scheme(s). May appear multiple times to offer alternatives; each carries scheme-specific parameters like realm and error codes.
Content Negotiation
Content-Type
Declares the media type of the body in both requests and responses, and often carries additional parameters like charset or boundary. Governs how the recipient parses or renders the payload.
Content-Length
Number of octets in the message body, letting the recipient know exactly where the message ends. Required for most requests with bodies unless Transfer-Encoding: chunked is used.
Content-Encoding
Indicates that the body has been transformed with one or more compressions and must be decoded in reverse order to recover the original payload. Negotiated via the client's Accept-Encoding.
Content-Disposition
In responses, controls whether the browser renders the body inline or offers it as a download, and suggests a filename. In multipart/form-data request parts, names the form field and optionally the upload filename.
Accept-Encoding
Client advertisement of which content codings it can decode, letting the server compress the response accordingly. Absence means 'identity only'; an explicit identity;q=0 forbids uncompressed responses.
Cookies
Cookie
Client sends previously stored cookies that match the request's origin, path, and Secure/SameSite constraints. All applicable name=value pairs are concatenated into a single header.
Set-Cookie
Server instructs the client to store a cookie with attributes governing lifetime, scope, and security. Each cookie needs its own Set-Cookie header — they are the one HTTP header that MUST NOT be comma-folded.
General
Host
Identifies the target host and optional port of the request, so a single IP can serve many virtual hosts. Missing Host in an HTTP/1.1 request MUST yield 400 Bad Request.
User-Agent
Free-form identifier of the client software, historically used for content negotiation and now largely for analytics and abuse detection. Modern browsers are freezing/reducing this string in favor of the Client Hints (Sec-CH-UA-*) family.
Origin
Identifies the origin that caused the request without exposing path or query, sent on CORS requests and on all POST-like navigations. Central to CSRF defense and CORS policy decisions.
Location
In 3xx redirects, tells the client where to go next; in 201 Created, points at the newly created resource. Per RFC 9110 the value may be a relative reference resolved against the request URL.