HTTP Headers Reference

Searchable HTTP headers reference organized by category. Covers request, response, caching, security, and CORS headers with syntax and examples.

How to Use

  1. Search or filter headers: enter a header name in the search field, or filter by category (Request, Response, etc.) to find the header you need.
  2. Review syntax and examples: check the header description, syntax format, and practical usage examples.
  3. Copy the header: click the copy icon to copy the header name to your clipboard for immediate use.

Content-Type
Indicates the media type of the resource or request body

Syntax

Content-Type: <media-type>[; charset=<charset>][; boundary=<boundary>]

Examples

Content-Type: application/json
JSON request or response body
Content-Type: text/html; charset=utf-8
HTML document with UTF-8 encoding
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
File upload form data

Content-Length
Indicates the size of the message body in bytes

Syntax

Content-Length: <length>

Examples

Content-Length: 348
Response body is 348 bytes
Content-Length: 0
Empty body (e.g., DELETE response)

Date
Contains the date and time at which the message was originated

Syntax

Date: <day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT

Examples

Date: Wed, 21 Oct 2015 07:28:00 GMT
Timestamp of the response

Connection
Controls whether the network connection stays open after the current transaction

Syntax

Connection: keep-alive | close

Examples

Connection: keep-alive
Persist the connection for further requests
Connection: close
Close the connection after the response

Accept
Informs the server about the types of data the client can process

Syntax

Accept: <MIME_type>/<MIME_subtype>[;q=<weight>], ...

Examples

Accept: application/json
Accept only JSON responses
Accept: text/html, application/xhtml+xml, */*;q=0.8
Prefer HTML, accept anything
Accept: image/webp, image/png, */*
Prefer WebP, then PNG images

Authorization
Contains credentials to authenticate the client with the server

Syntax

Authorization: <auth-scheme> <credentials>

Examples

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
JWT Bearer token authentication (a bearer credential: anyone holding the token can use it, so send it only over TLS)
Authorization: Basic dXNlcjpwYXNzd29yZA==
HTTP Basic authentication (user:password, base64 encoded, not encrypted; only over TLS)
Authorization: ApiKey my-api-key-here
Custom API key scheme (not an IANA-registered auth scheme; the API must document it)

Cookie
Contains stored HTTP cookies previously sent by the server with Set-Cookie

Syntax

Cookie: <cookie-list>

Examples

Cookie: session_id=abc123
Single session cookie
Cookie: theme=dark; lang=en; session=xyz
Multiple cookies in one header

User-Agent
A characteristic string identifying the browser and operating system

Syntax

User-Agent: <product>/<version> (<system-info>) <extensions>

Examples

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Truncated Chrome UA on Windows 10 (a full string ends with Chrome/<version> Safari/537.36); client-supplied, so never use it for access decisions
User-Agent: curl/7.68.0
curl HTTP client

Referer
Contains the address of the previous web page from which the current request was made

Syntax

Referer: <url>

Examples

Referer: https://example.com/page1
User navigated from this page
Referer: https://www.google.com/search?q=example
User came from a search engine (the full query string is sent along with it)

Host
Specifies the host and port number of the server to which the request is being sent

Syntax

Host: <host>[:<port>]

Examples

Host: example.com
Standard hostname (port 80/443 implied)
Host: api.example.com:8080
Hostname with non-standard port (the value is client-controlled: match it against a configured allowlist rather than echoing it into generated links or redirects)

Set-Cookie
Sends cookies from the server to the client for storage

Syntax

Set-Cookie: <cookie-name>=<cookie-value>[; <attributes>]

Examples

Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict
Secure session cookie
Set-Cookie: theme=dark; Max-Age=31536000; Path=/
Persistent preference cookie (1 year)
Set-Cookie: token=xyz; Domain=.example.com; Secure
Cookie shared with all subdomains of example.com (the leading dot is ignored per RFC 6265); Secure but still readable by script, so add HttpOnly unless JavaScript must read it

Location
Indicates the URL to redirect the client to for redirection responses

Syntax

Location: <url>

Examples

Location: https://example.com/new-page
Absolute URL redirect (301/302)
Location: /dashboard
Relative path redirect after login, resolved against the request URL (if the target comes from a request parameter, validate it against an allowlist to avoid an open redirect)

Server
Describes the software used by the origin server to handle the request

Syntax

Server: <product>

Examples

Server: nginx/1.18.0
nginx web server with version (version strings aid reconnaissance; nginx's server_tokens off; suppresses them)
Server: Apache/2.4.41 (Ubuntu)
Apache web server on Ubuntu (ServerTokens Prod reduces this to "Apache")

WWW-Authenticate
Defines the authentication method used to access a resource

Syntax

WWW-Authenticate: <type> realm=<realm>[, <params>]

Examples

WWW-Authenticate: Basic realm="My Site"
HTTP Basic authentication prompt
WWW-Authenticate: Bearer realm="api", error="invalid_token"
Bearer token authentication with error

Cache-Control
Directives for caching mechanisms in both requests and responses

Syntax

Cache-Control: <directive>[, <directive>]...

Examples

Cache-Control: no-cache, no-store, must-revalidate
Disable all caching
Cache-Control: public, max-age=31536000
Cache publicly for 1 year (static assets)
Cache-Control: private, max-age=600
Cache privately for 10 minutes

ETag
Identifier for a specific version of a resource, used for cache validation

Syntax

ETag: [W/]"<etag_value>"

Examples

ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
Strong ETag (exact match required)
ETag: W/"0815"
Weak ETag (semantically equivalent)

If-None-Match
Makes the request conditional on the resource not matching given ETags

Syntax

If-None-Match: [W/]"<etag_value>"[, [W/]"<etag_value>"]*

Examples

If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"
Return 304 if ETag matches (cache hit)
If-None-Match: *
Succeed only if no existing resource

Expires
Specifies the date and time after which the response is considered stale

Syntax

Expires: <http-date>

Examples

Expires: Wed, 21 Oct 2025 07:28:00 GMT
Cache expires at this specific date
Expires: 0
Invalid date, which caches must treat as already expired (Cache-Control: max-age=0 or no-cache is the modern equivalent)

Last-Modified
The date and time at which the resource was last modified on the server

Syntax

Last-Modified: <day-name>, <day> <month> <year> <hour>:<minute>:<second> GMT

Examples

Last-Modified: Wed, 21 Oct 2015 07:28:00 GMT
File was last changed at this time

Content-Security-Policy
Controls resources the browser is allowed to load for a given page

Syntax

Content-Security-Policy: <policy-directive>; ...

Examples

Content-Security-Policy: default-src 'self'
Allow resources only from same origin
Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com
Allow scripts from self and CDN
Content-Security-Policy: default-src 'none'; img-src 'self' data:; style-src 'self'
Deny everything except same-origin images (plus data: URIs) and same-origin styles; scripts, frames and connections are blocked entirely

X-Frame-Options
Indicates whether a browser should be allowed to render a page in a frame

Syntax

X-Frame-Options: DENY | SAMEORIGIN

Examples

X-Frame-Options: DENY
Never allow framing (clickjacking protection)
X-Frame-Options: SAMEORIGIN
Allow framing only from the same origin (CSP frame-ancestors supersedes this header in current browsers; keep both for older ones)

Strict-Transport-Security
Forces browsers to connect over HTTPS for a specified duration

Syntax

Strict-Transport-Security: max-age=<expire-time>[; includeSubDomains][; preload]

Examples

Strict-Transport-Security: max-age=31536000
Enforce HTTPS for 1 year
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
2 years, including subdomains, eligible for the browser preload list (which requires a max-age of at least one year, includeSubDomains and preload)

X-Content-Type-Options
Prevents MIME type sniffing by forcing browsers to respect the declared Content-Type

Syntax

X-Content-Type-Options: nosniff

Examples

X-Content-Type-Options: nosniff
Disable MIME type sniffing

X-XSS-Protection
Enables XSS filtering in older browsers (largely replaced by CSP)

Syntax

X-XSS-Protection: 0 | 1[; mode=block | report=<reporting-uri>]

Examples

X-XSS-Protection: 1; mode=block
Enable XSS filter and block page if attack detected
X-XSS-Protection: 0
Disable the legacy filter (the recommended value when a strict CSP is in place)

Permissions-Policy
Controls which browser features and APIs can be used in the document

Syntax

Permissions-Policy: <feature>=(<allowlist>)[, ...]

Examples

Permissions-Policy: camera=(), microphone=(), geolocation=()
Disable camera, microphone, and geolocation
Permissions-Policy: geolocation=(self "https://trusted.example.com")
Allow geolocation from self and trusted origin

Access-Control-Allow-Origin
Indicates which origins are allowed to access the resource in cross-origin requests

Syntax

Access-Control-Allow-Origin: * | <origin>

Examples

Access-Control-Allow-Origin: *
Allow any origin (public, unauthenticated API; the wildcard cannot be combined with Access-Control-Allow-Credentials: true)
Access-Control-Allow-Origin: https://example.com
Allow only this specific origin (when the value is chosen per request from an allowlist, also send Vary: Origin so a cache never serves it to another origin)

Access-Control-Allow-Methods
Specifies the HTTP methods allowed when accessing the resource in a CORS preflight response

Syntax

Access-Control-Allow-Methods: <method>[, <method>]*

Examples

Access-Control-Allow-Methods: GET, POST, OPTIONS
Allow GET, POST, and preflight OPTIONS
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
Allow all common REST methods

Access-Control-Allow-Headers
Indicates which HTTP headers can be used when making the actual CORS request

Syntax

Access-Control-Allow-Headers: <header-name>[, <header-name>]*

Examples

Access-Control-Allow-Headers: Content-Type, Authorization
Allow Content-Type and Authorization headers
Access-Control-Allow-Headers: *
Allow any request header (in credentialed requests browsers read * literally, and Authorization must always be listed by name)

Access-Control-Max-Age
Indicates how long the results of a preflight request can be cached

Syntax

Access-Control-Max-Age: <delta-seconds>

Examples

Access-Control-Max-Age: 86400
Cache preflight response for 1 day (browsers cap this value: Chromium at 2 hours, Firefox at 24 hours)
Access-Control-Max-Age: 3600
Cache preflight response for 1 hour

About HTTP Headers Reference

HTTP Headers Reference is a comprehensive cheat sheet covering frequently used HTTP request and response headers. Organized by category — general, request, response, caching, security, and CORS — each header includes a clear description, syntax format, and practical examples to help you implement them correctly.

Key Features

  • 29 essential HTTP headers across 6 categories
  • Syntax format and usage examples for each header
  • Category filtering (Request, Response, Caching, Security, CORS)
  • Real-time search by header name or description
  • One-click copy of header names

Use Cases

  • Implementing security headers (CSP, HSTS, X-Frame-Options) in an Express or Next.js app
  • Setting up CORS headers to allow cross-origin requests from a React or Vue frontend
  • Configuring Cache-Control headers to optimize browser caching for a CDN
  • Debugging unexpected 403 or CORS errors by checking request and response headers
  • Looking up the correct syntax for Authorization, Content-Type, or Accept headers in an API
  • Reference during a security audit or code review of an HTTP API or web application

FAQ

What is the difference between Cache-Control and Expires?

Cache-Control is the modern standard and takes precedence when both are present. It provides fine-grained control with directives like max-age, no-cache, and no-store. Expires specifies an absolute date/time and is considered a legacy header, but is still useful for HTTP/1.0 compatibility.

What is the difference between ETag and Last-Modified?

ETag is an opaque validator, usually derived from the content, while Last-Modified is a timestamp. A content-derived ETag is the more precise of the two: it stays the same when a file is regenerated with identical content, so clients keep their cached copy, and it changes on any edit, including two edits within the same second. Last-Modified has one-second precision and can miss rapid updates, and it changes on regeneration even when the bytes are unchanged, causing needless re-downloads.

Why should I add security headers to my site?

Security headers like Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security protect against common attacks such as XSS, clickjacking, and protocol downgrade attacks. They are a critical part of defence-in-depth security and are easy to add at the server or CDN level.

What is the difference between CORS preflight and simple requests?

Simple requests are GET, HEAD or POST requests whose headers are all CORS-safelisted (Accept, Accept-Language, Content-Language, and Content-Type limited to application/x-www-form-urlencoded, multipart/form-data or text/plain); the browser sends them directly and only checks the response headers before letting the page read the body. For anything else (other methods such as PUT or DELETE, custom headers such as Authorization, or a JSON Content-Type) the browser first sends an OPTIONS preflight carrying Access-Control-Request-Method and Access-Control-Request-Headers, and sends the actual request only if the server's Access-Control-Allow-* headers permit it.
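Worked example for the CORS headers (Access-Control-Allow-Origin, -Methods, -Headers, -Max-Age) and for the preflight rule above: a simulated exchange with both sides in one file. This is an added example, not code from the Toolsbase reference. `needsPreflight` applies the browser's simple-request rule, `corsServer` is a hypothetical API that answers from an exact-match origin allowlist, and `browserFetch` plays the browser; the origins, allowlists and route are assumptions made for the example.

```javascript
// Added example, not code from the Toolsbase reference: a simulated CORS
// exchange. Origins, allowlists and the route are assumptions for the example.

const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'];
const ALLOWED_HEADERS = ['content-type', 'authorization', 'x-request-id'];

// CORS-safelisted request headers (Fetch spec, simplified): only these names,
// and Content-Type only with the three form-style media types.
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFE_HEADERS.has(n)) return false;
  if (n === 'content-type') return SAFE_CONTENT_TYPES.has(String(value).split(';')[0].trim().toLowerCase());
  return true;
}

// A request is "simple" (no preflight) only if the method is GET, HEAD or POST
// and every header it carries is safelisted.
function needsPreflight(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return true;
  return Object.entries(headers).some(([k, v]) => !isSafelistedHeader(k, v));
}

// Server side. Exact-match allowlist: never reflect arbitrary origins, never
// accept "null", and never pair "*" with Allow-Credentials: true.
function corsServer(req) {
  const origin = req.headers.origin;
  const headers = { Vary: 'Origin' };
  if (origin === undefined) return { status: 200, headers };        // same-origin or non-browser client
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers }; // no ACAO: the browser blocks the read
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';
  if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '86400';
    return { status: 204, headers };
  }
  return { status: 200, headers, body: '{"ok":true}' };
}

const splitList = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// Browser side: preflight when required, then the actual request, applying
// the checks a browser makes before letting the page read the response.
function browserFetch(origin, method, headers) {
  const m = method.toUpperCase();
  const preflighted = needsPreflight(m, headers);
  if (preflighted) {
    const pre = corsServer({ method: 'OPTIONS', headers: {
      origin,
      'access-control-request-method': m,
      'access-control-request-headers': Object.keys(headers).join(', '),
    } });
    if (pre.headers['Access-Control-Allow-Origin'] !== origin) return { ok: false, preflighted, reason: 'preflight: origin not allowed' };
    if (!splitList(pre.headers['Access-Control-Allow-Methods']).includes(m.toLowerCase())) return { ok: false, preflighted, reason: 'preflight: method not allowed' };
    const allowed = new Set(splitList(pre.headers['Access-Control-Allow-Headers']));
    for (const [k, v] of Object.entries(headers)) {
      if (!isSafelistedHeader(k, v) && !allowed.has(k.toLowerCase())) return { ok: false, preflighted, reason: `preflight: header ${k} not allowed` };
    }
  }
  const res = corsServer({ method: m, headers: { ...headers, origin } });
  if (res.headers['Access-Control-Allow-Origin'] !== origin) return { ok: false, preflighted, reason: 'response: origin not allowed' };
  return { ok: true, preflighted, status: res.status };
}

console.log(browserFetch('https://app.example.com', 'PUT', { 'Content-Type': 'application/json' }));
console.log(browserFetch('https://app.example.com.evil.net', 'GET', {}));
```

Two things worth noting when reading the output: a look-alike origin such as `https://app.example.com.evil.net` is rejected because the allowlist is an exact Set lookup rather than a prefix or regex match, and the rejection happens on the browser side, since the server simply omits Access-Control-Allow-Origin and lets the browser refuse the read.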

Should I use X-XSS-Protection?

X-XSS-Protection is a legacy header for old browsers. Chrome and Edge removed their XSS auditors and Firefox never shipped one, so the header has no effect in current browsers. Implement a strict Content-Security-Policy instead, which provides far better protection, and set X-XSS-Protection: 0 so that any browser that still has a filter does not enable it.
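Worked example for the security headers section (Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, X-XSS-Protection, Permissions-Policy, plus Set-Cookie and Server) and for the two FAQ answers on security headers and X-XSS-Protection: an audit that checks a captured response header set against the guidance on this page, the kind of check run during a security review. This is an added example, not code from the Toolsbase reference. The WEAK and HARDENED header sets are constructed for illustration, and the thresholds are the ones stated above (one-year HSTS max-age for preload).

```javascript
// Added example, not code from the Toolsbase reference: audit a response
// header set against the security headers in this reference. The WEAK and
// HARDENED samples are constructed for illustration.

// "default-src 'self'; script-src 'self' cdn.example.com" -> Map(name -> values)
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// "session=abc; HttpOnly; Secure; SameSite=Strict" -> { name, attrs }
function parseSetCookie(value) {
  const [pair, ...rest] = value.split(';').map((s) => s.trim());
  const attrs = {};
  for (const attr of rest) {
    const [k, v] = attr.split('=');
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name: pair.split('=')[0], attrs };
}

// headers: { Name: value | [values] }, names in any case. Returns a list of findings.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) findings.push('Strict-Transport-Security missing');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < 31536000) findings.push(`HSTS max-age ${maxAge} below one year`);
    if (/\bpreload\b/i.test(hsts) && !/includeSubDomains/i.test(hsts)) findings.push('HSTS preload without includeSubDomains');
  }

  // Clickjacking: either CSP frame-ancestors or X-Frame-Options must be present.
  let framed = Boolean(h['x-frame-options']);
  const csp = h['content-security-policy'];
  if (!csp) findings.push('Content-Security-Policy missing');
  else {
    const d = parseCsp(csp);
    const scriptSrc = d.get('script-src') || d.get('default-src') || []; // script-src falls back to default-src
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP script-src allows 'unsafe-inline'");
    if (scriptSrc.includes('*')) findings.push('CSP script-src allows any host');
    if (d.has('frame-ancestors')) framed = true;
  }
  if (!framed) findings.push('no clickjacking protection (CSP frame-ancestors or X-Frame-Options)');

  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options: nosniff missing');
  if (h['x-xss-protection'] !== undefined && !/^\s*0/.test(h['x-xss-protection'])) findings.push('X-XSS-Protection enables the legacy filter; set it to 0 and rely on CSP');
  if (!h['permissions-policy']) findings.push('Permissions-Policy missing');
  if (h['server'] && /\d+\.\d+/.test(h['server'])) findings.push(`Server header discloses a version: ${h['server']}`);

  // Set-Cookie may repeat, so accept a string or an array of strings.
  for (const raw of [].concat(h['set-cookie'] || [])) {
    const { name, attrs } = parseSetCookie(raw);
    const missing = [];
    if (!attrs.secure) missing.push('Secure');
    if (!attrs.httponly) missing.push('HttpOnly');
    if (!attrs.samesite) missing.push('SameSite');
    if (missing.length) findings.push(`cookie "${name}" missing: ${missing.join(', ')}`);
  }
  return findings;
}

// Constructed samples: a typical weak deployment and its hardened counterpart.
const WEAK = {
  'Server': 'nginx/1.18.0',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=86400; preload',
  'X-XSS-Protection': '1; mode=block',
  'Set-Cookie': ['session=abc123; Path=/', 'theme=dark; Max-Age=31536000; Path=/; Secure'],
};
const HARDENED = {
  'Server': 'nginx',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' cdn.example.com; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Content-Type-Options': 'nosniff',
  'X-XSS-Protection': '0',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Set-Cookie': 'session=abc123; HttpOnly; Secure; SameSite=Strict',
};

console.log(auditHeaders(WEAK));     // ten findings
console.log(auditHeaders(HARDENED)); // []
```

The audit is deliberately conservative: it flags a missing SameSite attribute even though some browsers default to Lax, and it flags HttpOnly on preference cookies that may legitimately need script access, so treat its output as a review checklist rather than a pass/fail gate.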