glunty

HTTP Headers Reference

Every common HTTP header, searchable. Filter by category and see what each header does.

HTTP headers with their category and a one-line description of what each does
Header Category What it does
Accept Request Tells the server which media types the client can handle, so it can pick a matching Content-Type.
Accept-Encoding Request Lists the compression formats the client accepts, such as gzip, br, or deflate.
Accept-Language Request States the natural languages the client prefers, used for content negotiation.
Accept-Charset Request Indicates which character encodings the client understands (largely obsolete on the modern web).
Authorization Request Carries credentials to authenticate the client, such as a Bearer token or a Basic auth pair.
Cookie Request Sends stored cookies for the current domain back to the server on each request.
Host Request Names the domain and optional port of the server being addressed; required in HTTP/1.1.
Origin Request Identifies the scheme, host, and port a request came from, used by CORS and CSRF checks.
Referer Request Gives the address of the page that linked to the requested resource (note the historical misspelling).
User-Agent Request Identifies the client software, such as the browser, its version, and the operating system.
If-None-Match Request Makes the request conditional on the ETag not matching, enabling cache revalidation.
If-Modified-Since Request Makes the request conditional on the resource changing after the given date.
If-Match Request Makes the request conditional on the ETag matching, often used to prevent lost updates.
If-Unmodified-Since Request Makes the request conditional on the resource staying unchanged since the given date.
Range Request Asks the server for only part of a resource, enabling resumable downloads and media seeking.
Connection Request Controls whether the network connection stays open after the current transaction.
TE Request Lists the transfer encodings the client will accept in the response, such as chunked.
Content-Type Response Declares the media type of the body, such as text/html or application/json, plus its charset.
Content-Length Response Gives the size of the body in bytes so the recipient knows when it has read all of it.
Content-Encoding Response Names the compression applied to the body, which the client must reverse before use.
Content-Disposition Response Signals whether to show the body inline or download it as an attachment, with a filename.
Content-Language Response States the natural language of the body content for the audience it targets.
Content-Range Response Indicates which part of a resource is returned in a 206 Partial Content response.
Accept-Ranges Response Advertises that the server supports range requests, usually with the value bytes.
Location Response Points to another URL, used for redirects (3xx) or to name a newly created resource (201).
Set-Cookie Response Instructs the browser to store a cookie, with attributes such as Path, Expires, and Secure.
Server Response Names the software the origin server runs; often trimmed to avoid leaking version details.
WWW-Authenticate Response Sent with a 401 to tell the client which authentication scheme and realm to use.
Allow Response Lists the HTTP methods a resource supports, commonly returned with a 405 response.
Retry-After Response Tells the client how long to wait before retrying, used with 429 or 503 responses.
Date Response Records the date and time the message was generated, expressed in GMT.
Cache-Control Caching The main caching header; sets rules like max-age, no-store, private, and public.
Expires Caching Gives an absolute date after which the response is considered stale (superseded by max-age).
ETag Caching A version identifier for a resource, used to revalidate caches with If-None-Match.
Last-Modified Caching The date a resource last changed, used to revalidate caches with If-Modified-Since.
Age Caching The time in seconds the response has sat in a proxy cache since it was fetched.
Vary Caching Lists request headers that affect the response, so caches store separate variants per value.
Pragma Caching A legacy HTTP/1.0 header; Pragma: no-cache is kept only for backward compatibility.
Access-Control-Allow-Origin CORS Names which origin (or *) may read the response, the core of CORS permission.
Access-Control-Allow-Methods CORS Lists the HTTP methods allowed for the resource, returned in a preflight response.
Access-Control-Allow-Headers CORS Lists the request headers the client may send, returned in a preflight response.
Access-Control-Allow-Credentials CORS When true, lets the browser expose a credentialed response to the calling script.
Access-Control-Max-Age CORS Says how many seconds a preflight result may be cached to skip repeat checks.
Access-Control-Expose-Headers CORS Lists which response headers scripts may read beyond the safe defaults.
Access-Control-Request-Method CORS Sent by the browser in a preflight to ask whether a given method is allowed.
Access-Control-Request-Headers CORS Sent by the browser in a preflight to ask which custom headers are allowed.
Strict-Transport-Security Security Tells browsers to use HTTPS only for this site for a set period (HSTS).
Content-Security-Policy Security Restricts which sources of scripts, styles, and other content the page may load.
X-Frame-Options Security Controls whether the page may be framed, guarding against clickjacking (DENY or SAMEORIGIN).
X-Content-Type-Options Security The value nosniff stops the browser from guessing a response media type.
Referrer-Policy Security Controls how much referrer information is sent when navigating away from the page.
Permissions-Policy Security Enables or blocks browser features such as camera, microphone, and geolocation per origin.
Cross-Origin-Opener-Policy Security Isolates the browsing context from cross-origin windows, part of a COOP and COEP pair.
Cross-Origin-Resource-Policy Security Limits which origins may embed this resource, blunting side-channel attacks.
Cross-Origin-Embedder-Policy Security Requires embedded resources to opt in via CORS or CORP, enabling powerful features.
X-XSS-Protection Security A legacy header that toggled a browser XSS filter; now deprecated in favor of CSP.

Runs entirely in your browser. Nothing you type is sent anywhere; open DevTools and watch the Network tab to verify zero requests.

What this tool does

This is a searchable reference for the HTTP headers you meet most often when building or debugging web apps and APIs. Every entry lists the header name, its category (request, response, caching, CORS, or security), and a one-sentence plain-English description of what it does. Type in the filter box to narrow the table by header name or meaning, or tap a category button to show just one family. The whole dataset is baked into the page, so it works offline and sends nothing anywhere.

How to use it

Start typing in the Filter box. Entering cache surfaces Cache-Control, Expires, and the revalidation headers; entering cors shows the Access-Control family; entering cookie pulls up Cookie and Set-Cookie. The category buttons (All, Request, Response, Caching, CORS, Security) combine with the text filter, so you can, for example, pick Security and type origin to zero in on the Cross-Origin policies. Clear the box to see every header again. Nothing is submitted and there is no result limit.

Common use cases

  • Looking up what a header from a browser network panel or server log actually means.
  • Deciding which headers to set on your own endpoint, such as Cache-Control or CORS rules.
  • Hardening a site by reviewing the security headers (CSP, HSTS, X-Frame-Options, and more).
  • Debugging a failed cross-origin request by checking the Access-Control response headers.
  • Explaining a header to a teammate or in a ticket with a precise, shared definition.

Common pitfalls

  • Header names are case-insensitive. Content-Type, content-type, and CONTENT-TYPE all name the same field, and HTTP/2 and HTTP/3 send them lowercase on the wire. Do not rely on a specific casing when parsing headers; match them case-insensitively.
  • CORS is enforced by the browser, not the server. The Access-Control response headers do not block anything server-side; they tell the browser whether to let page JavaScript read the response. A tool like curl ignores CORS entirely, so a request that fails in the browser can still succeed from the command line.
  • Set-Cookie attributes decide whether a cookie works. Attributes such as Secure, HttpOnly, SameSite, Path, Domain, and Expires or Max-Age change where and when a cookie is sent. Miss one, for example forgetting SameSite=None; Secure on a cross-site cookie, and the browser may silently drop it.
  • Caching headers interact. Cache-Control overrides the older Expires header, ETag and Last-Modified drive revalidation with If-None-Match and If-Modified-Since, and a missing or overbroad Vary header can make a shared cache serve the wrong variant. Reason about them together, not one at a time.

Frequently asked questions

What is the difference between a request and response header?
A request header is sent by the client to the server and describes the client, its preferences, or the body it is sending, for example Accept, Authorization, or User-Agent. A response header is sent back by the server and describes the response or the server itself, for example Content-Type, Set-Cookie, or Cache-Control. Some header names can appear in both directions, but most belong clearly to one side.
What does Cache-Control do?
Cache-Control is the primary header for controlling how browsers and proxies cache a response. Directives like max-age set how many seconds the response stays fresh, no-store forbids caching entirely, and private limits storage to the end-user cache rather than shared proxies. It is the modern replacement for the older Expires and Pragma headers.
What is CORS and which headers control it?
CORS, or Cross-Origin Resource Sharing, is the browser mechanism that decides whether a web page on one origin may read a response from another origin. The server opts in using response headers, chiefly Access-Control-Allow-Origin, plus Allow-Methods, Allow-Headers, Allow-Credentials, Max-Age, and Expose-Headers for finer control. For certain requests the browser first sends a preflight OPTIONS request to check these permissions.
What does Content-Security-Policy protect against?
Content-Security-Policy limits where a page may load resources from, which is a strong defense against cross-site scripting and data injection. By listing trusted sources for scripts, styles, images, and other content, it can block inline scripts and unexpected third-party code even if an attacker manages to inject markup. It is set as a response header and enforced by the browser.
What is the difference between ETag and Last-Modified?
Both help caches decide whether a stored copy is still valid, but they differ in precision. Last-Modified is a timestamp with one-second resolution, while an ETag is an opaque version token that changes whenever the content changes, even within the same second. When both are present, the ETag with If-None-Match generally takes priority over Last-Modified with If-Modified-Since.
Does this tool send the headers I search to a server?
No. The full list of headers is embedded in the page, and all searching and filtering happens in your browser with JavaScript. You can confirm this by opening DevTools and watching the Network tab: typing in the search box makes zero requests.

Embed this tool

Free for any use; attribution appreciated. Paste this on your site:

The embed runs the same tool that lives at this URL. No tracking; no ads inside the embed. Resize height as needed for your layout.

Cite this tool

For academic, journalistic, or technical references. Pick a format:

Citations use 2026 as the publication year. Access date is left as a fillable placeholder where the citation style expects one.

Embedded tool from glunty.com