HTTP headers are key-value pairs sent at the start of every HTTP request and response. They carry metadata that controls authentication, caching, content negotiation, CORS policies, and security. Every web developer, DevOps engineer, and API designer needs a reliable HTTP headers reference to get these details right.
How to Use the HTTP Headers Reference
This HTTP headers reference gives you instant access to every common request and response header — with descriptions, example values, allowed values, and security notes. Use the search box or category tabs to quickly find the header you need.
Step 1: Search or filter by category
Type a header name or keyword into the search box to filter the list in real time. Alternatively, click one of the category tabs — Request, Response, Caching, Security, CORS, or Content — to browse headers by type. You can combine the search box with a category filter for a faster lookup.
Step 2: Expand a header card for full details
Click any header card to expand it and see: a full description of what the header does, the direction (request from client, response from server, or both), a usage example with a real value, a list of common values or directives, and any security notes you should be aware of. Click again to collapse.
Step 3: Copy example values
Each expanded card shows a code snippet with an example header value. Click the copy button to copy the example to your clipboard — useful when configuring nginx, Apache, Express.js, or any server that accepts raw HTTP headers.
Understanding header categories
Request headers are sent by the browser or API client to the server. They carry authentication tokens, accepted content formats, cookies, and caching hints. Response headers travel from server to client and control caching, CORS, security policies, and content encoding. Many headers can appear in both directions.
Security headers like Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options should be included in every production web application. CORS headers like Access-Control-Allow-Origin are essential for APIs consumed by browser-based frontends. Caching headers like Cache-Control and ETag are critical for performance.
Minimum recommended security headers
For any production website, always include at minimum: Strict-Transport-Security to enforce HTTPS, Content-Security-Policy to prevent XSS attacks, X-Content-Type-Options: nosniff to prevent MIME sniffing, X-Frame-Options to block clickjacking, and Referrer-Policy to control referrer leakage. Use this reference to copy exact header values for your server configuration.
Frequently Asked Questions
Is this HTTP headers reference free to use?
Yes, completely free. The reference runs entirely in your browser with no signup, no account, and no usage limits. You can search and filter all HTTP headers as many times as you need.
Is my data safe when using this tool?
Yes. Everything runs locally in your browser using JavaScript. No data is sent to any server. Your searches and browsing activity stay entirely on your device.
What is the difference between request headers and response headers?
Request headers are sent by the client (browser) to the server and provide context about the request — such as the accepted content type, cookies, or authentication tokens. Response headers are sent by the server back to the client and control how the client should handle the response, such as caching rules, content encoding, and security policies.
Which HTTP security headers should every website have?
At minimum, every website should send: Content-Security-Policy (to prevent XSS), Strict-Transport-Security (to enforce HTTPS), X-Content-Type-Options: nosniff (to prevent MIME sniffing), X-Frame-Options: DENY (to prevent clickjacking), and Referrer-Policy (to control referrer leakage). Run your site through securityheaders.com for a quick audit.
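As an added example (not code from this reference tool), the following script audits a response's headers against the minimum set listed above and reports what is missing or weak. The thresholds it applies (an HSTS max-age of at least six months, a CSP whose script sources do not allow 'unsafe-inline', a Referrer-Policy other than unsafe-url) are assumptions chosen for this example, and the sample headers are constructed.

```python
from typing import Callable, Dict, List, Tuple

def _hsts_ok(value: str) -> bool:
    # Assumed threshold: max-age of at least 15552000 s (six months) so the policy persists.
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.lower() == "max-age" and arg.strip().isdigit() and int(arg) >= 15552000:
            return True
    return False

def _csp_ok(value: str) -> bool:
    # A script-src (or default-src fallback) that allows 'unsafe-inline' gives little XSS protection.
    directives: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    return sources is not None and "'unsafe-inline'" not in sources

# Header name (lower-case) -> (check on the value, what the check expects).
CHECKS: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "strict-transport-security": (_hsts_ok, "max-age of at least 15552000 to enforce HTTPS"),
    "content-security-policy": (_csp_ok, "script sources without 'unsafe-inline'"),
    "x-content-type-options": (lambda v: v.strip().lower() == "nosniff", "must be nosniff"),
    "x-frame-options": (lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"), "must be DENY or SAMEORIGIN"),
    "referrer-policy": (lambda v: v.strip().lower() not in ("", "unsafe-url"), "must not be unsafe-url"),
}

def audit(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak security header (empty list = all checks pass)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, (check, expectation) in CHECKS.items():
        value = lowered.get(name)
        if value is None:
            findings.append(f"MISSING {name}: {expectation}")
        elif not check(value):
            findings.append(f"WEAK {name}={value!r}: {expectation}")
    return findings

# Constructed sample: a response that sets some headers but gets most of them wrong.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE_HEADERS):
        print(finding)
```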
What is the difference between Cache-Control and Expires?
Cache-Control is the modern, preferred header for controlling caching behavior and supports directives like max-age, no-cache, and no-store. Expires is an older HTTP/1.0 header that specifies an absolute date/time after which the response is stale. When both are present, Cache-Control takes precedence. Use Cache-Control for new implementations.
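The precedence described above, worked through as an added example (not code from this reference tool): a freshness calculator that applies Cache-Control max-age (or s-maxage for a shared cache) before falling back to Expires minus Date. The sample headers are constructed so that the two headers disagree.

```python
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Parse 'public, max-age=60' into {'public': None, 'max-age': '60'}."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('" ') if arg else None
    return directives

def freshness_lifetime(headers: Dict[str, str], shared_cache: bool = False) -> int:
    """Seconds the response may be reused without revalidation (0 = must revalidate or not storable)."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    if shared_cache and "private" in cc:
        return 0  # a shared cache may not store a private response at all
    if shared_cache and (cc.get("s-maxage") or "").isdigit():
        return int(cc["s-maxage"])  # s-maxage overrides max-age for shared caches
    if (cc.get("max-age") or "").isdigit():
        return int(cc["max-age"])  # max-age overrides Expires even when both are present
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
            date = parsedate_to_datetime(h["date"])  # lifetime is relative to the origin's Date
        except (TypeError, ValueError, KeyError):
            return 0  # malformed Expires such as "0", or no Date: treat as already stale
        return max(0, int((expires - date).total_seconds()))
    return 0

# Constructed sample: Expires would allow one hour, Cache-Control only one minute (ten for shared caches).
BOTH_PRESENT = {
    "Date": "Tue, 01 Oct 2024 10:00:00 GMT",
    "Expires": "Tue, 01 Oct 2024 11:00:00 GMT",
    "Cache-Control": "public, max-age=60, s-maxage=600",
}
EXPIRES_ONLY = {"Date": "Tue, 01 Oct 2024 10:00:00 GMT", "Expires": "Tue, 01 Oct 2024 11:00:00 GMT"}

if __name__ == "__main__":
    print(freshness_lifetime(BOTH_PRESENT), freshness_lifetime(BOTH_PRESENT, shared_cache=True))
    print(freshness_lifetime(EXPIRES_ONLY))
```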
What does the Authorization header contain?
The Authorization header carries credentials to authenticate a request with a server. The most common schemes are Bearer (typically carrying a JWT or an opaque access token in APIs), Basic (base64-encoded username:password, which is encoding rather than encryption, so it must only be sent over HTTPS), and Digest. Example: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9... For cookie-based auth, credentials are typically passed via the Cookie header instead.
What is Content-Type and why does it matter?
Content-Type tells the recipient what media type the body contains. In requests it describes the format of the data being sent (e.g., application/json for JSON payloads). In responses it tells the browser how to interpret the body (e.g., text/html renders as a webpage, application/pdf triggers download). Setting the wrong Content-Type can cause parsing errors, broken downloads, or security vulnerabilities, such as user-supplied content being interpreted as HTML and executing script.
What is the Vary header used for?
The Vary header tells caches which request headers affect the response content. For example, Vary: Accept-Encoding means the cache should store separate copies for compressed and uncompressed responses. Vary: Accept-Language means responses differ by language. This prevents caches from serving the wrong cached version to different clients.
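As an added example (not code from this reference tool), here is a small Vary-aware cache: the primary key is the URL, and the response's Vary header adds the named request header values as a secondary key, so a gzip body is never served to a client that did not send Accept-Encoding: gzip. The class and sample requests are constructed for this illustration.

```python
from typing import Dict, Optional, Tuple

Headers = Dict[str, str]

def _norm(headers: Headers) -> Headers:
    """Header names are case-insensitive; values are compared after trimming."""
    return {k.lower(): v.strip() for k, v in headers.items()}

def cache_key(url: str, request: Headers, response: Headers) -> Optional[Tuple]:
    """Primary key is the URL; Vary adds (header, value-from-request) pairs. None means uncacheable."""
    vary = _norm(response).get("vary", "")
    if vary == "*":
        return None  # Vary: * means the response must never be reused from cache
    req = _norm(request)
    names = sorted(n.strip().lower() for n in vary.split(",") if n.strip())
    secondary = tuple((n, req.get(n, "")) for n in names)
    return (url, secondary)

class VaryAwareCache:
    def __init__(self) -> None:
        self._store: Dict[Tuple, Tuple[Headers, bytes]] = {}

    def put(self, url: str, request: Headers, response: Headers, body: bytes) -> None:
        key = cache_key(url, request, response)
        if key is not None:
            self._store[key] = (response, body)

    def get(self, url: str, request: Headers) -> Optional[Tuple[Headers, bytes]]:
        # Each stored variant remembers which request headers it was keyed on;
        # return the variant whose secondary key matches this request, if any.
        req = _norm(request)
        for (stored_url, secondary), entry in self._store.items():
            if stored_url == url and all(req.get(n, "") == v for n, v in secondary):
                return entry
        return None

# Constructed sample: one URL, two variants selected by Accept-Encoding.
URL = "https://example.test/app.js"
GZIP_REQ = {"Accept-Encoding": "gzip"}
PLAIN_REQ: Headers = {}
VARY_RESP = {"Vary": "Accept-Encoding"}

def demo() -> VaryAwareCache:
    cache = VaryAwareCache()
    cache.put(URL, GZIP_REQ, {**VARY_RESP, "Content-Encoding": "gzip"}, b"<gzip bytes>")
    cache.put(URL, PLAIN_REQ, VARY_RESP, b"console.log('hi')")
    return cache
```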