ページを読み込んでいます
Searchable HTTP headers reference organized by category. Covers request, response, caching, security, and CORS headers with syntax and examples.
Enter a header name in the search field, or filter by category (Request, Response, etc.) to find the header you need.
Check the header description, syntax format, and practical usage examples.
Click the copy icon to copy the header name to your clipboard for immediate use.
Content-Type: <media-type>[; charset=<charset>][; boundary=<boundary>]Content-Type: application/jsonContent-Type: text/html; charset=utf-8Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryContent-Length: <length>Content-Length: 348Content-Length: 0Date: <day-name>, <day> <month> <year> <hour>:<minute>:<second> GMTDate: Wed, 21 Oct 2015 07:28:00 GMTConnection: keep-alive | closeConnection: keep-aliveConnection: closeAccept: <MIME_type>/<MIME_subtype>[;q=<weight>], ...Accept: application/jsonAccept: text/html, application/xhtml+xml, */*;q=0.8Accept: image/webp, image/png, */*Authorization: <auth-scheme> <credentials>Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...Authorization: Basic dXNlcjpwYXNzd29yZA==Authorization: ApiKey my-api-key-hereCookie: <cookie-list>Cookie: session_id=abc123Cookie: theme=dark; lang=en; session=xyzUser-Agent: <product>/<version> (<system-info>) <extensions>User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36User-Agent: curl/7.68.0Referer: <url>Referer: https://example.com/page1Referer: https://www.google.com/search?q=exampleHost: <host>[:<port>]Host: example.comHost: api.example.com:8080Set-Cookie: <cookie-name>=<cookie-value>[; <attributes>]Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=StrictSet-Cookie: theme=dark; Max-Age=31536000; Path=/Set-Cookie: token=xyz; Domain=.example.com; SecureLocation: <url>Location: https://example.com/new-pageLocation: /dashboardServer: <product>Server: nginx/1.18.0Server: Apache/2.4.41 (Ubuntu)WWW-Authenticate: <type> realm=<realm>[, <params>]WWW-Authenticate: Basic realm="My Site"WWW-Authenticate: Bearer realm="api", error="invalid_token"Cache-Control: <directive>[, <directive>]...Cache-Control: no-cache, no-store, must-revalidateCache-Control: public, max-age=31536000Cache-Control: private, max-age=600ETag: [W/]"<etag_value>"ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"ETag: W/"0815"If-None-Match: [W/]"<etag_value>"[, [W/]"<etag_value>"]*If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"If-None-Match: *Expires: <http-date>Expires: Wed, 21 Oct 2025 07:28:00 GMTExpires: 0Last-Modified: <day-name>, <day> <month> <year> <hour>:<minute>:<second> GMTLast-Modified: Wed, 21 Oct 2015 07:28:00 GMTContent-Security-Policy: <policy-directive>; ...Content-Security-Policy: default-src 'self'Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.comContent-Security-Policy: default-src 'none'; img-src 'self' data:; style-src 'self'X-Frame-Options: DENY | SAMEORIGINX-Frame-Options: DENYX-Frame-Options: SAMEORIGINStrict-Transport-Security: max-age=<expire-time>[; includeSubDomains][; preload]Strict-Transport-Security: max-age=31536000Strict-Transport-Security: max-age=63072000; includeSubDomains; preloadX-Content-Type-Options: nosniffX-Content-Type-Options: nosniffX-XSS-Protection: 0 | 1[; mode=block | report=<reporting-uri>]X-XSS-Protection: 1; mode=blockX-XSS-Protection: 0Permissions-Policy: <feature>=(<allowlist>)[, ...]Permissions-Policy: camera=(), microphone=(), geolocation=()Permissions-Policy: geolocation=(self "https://trusted.example.com")Access-Control-Allow-Origin: * | <origin>Access-Control-Allow-Origin: *Access-Control-Allow-Origin: https://example.comAccess-Control-Allow-Methods: <method>[, <method>]*Access-Control-Allow-Methods: GET, POST, OPTIONSAccess-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONSAccess-Control-Allow-Headers: <header-name>[, <header-name>]*Access-Control-Allow-Headers: Content-Type, AuthorizationAccess-Control-Allow-Headers: *Access-Control-Max-Age: <delta-seconds>Access-Control-Max-Age: 86400Access-Control-Max-Age: 3600HTTP Headers Reference is a comprehensive cheat sheet covering frequently used HTTP request and response headers. Organized by category — general, request, response, caching, security, and CORS — each header includes a clear description, syntax format, and practical examples to help you implement them correctly.
Cache-Control is the modern standard and takes precedence when both are present. It provides fine-grained control with directives like max-age, no-cache, and no-store. Expires specifies an absolute date/time and is considered a legacy header, but is still useful for HTTP/1.0 compatibility.
ETag is an opaque identifier based on the content, while Last-Modified is a timestamp. ETags are more reliable because they change even if a file is regenerated with the same content at a different time. Last-Modified has 1-second precision, which can miss rapid updates.
Security headers like Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security protect against common attacks such as XSS, clickjacking, and protocol downgrade attacks. They are a critical part of defence-in-depth security and are easy to add at the server or CDN level.
Simple requests (GET/POST with standard headers) are sent directly. Preflight requests (OPTIONS) are automatically sent by the browser for complex requests — those using PUT/DELETE, custom headers, or certain Content-Type values — to verify the server allows the cross-origin access before sending the actual request.
X-XSS-Protection is a legacy header targeting old browsers. Modern browsers have deprecated their XSS auditors. Instead, implement a strict Content-Security-Policy header, which provides far better protection. It is generally recommended to set X-XSS-Protection: 0 when using a strong CSP.