HTTP Headers Reference
Every common HTTP header, searchable. Filter by category and see what each header does.
| Header | Category | What it does |
|---|---|---|
Accept | Request | Tells the server which media types the client can handle, so it can pick a matching Content-Type. |
Accept-Encoding | Request | Lists the compression formats the client accepts, such as gzip, br, or deflate. |
Accept-Language | Request | States the natural languages the client prefers, used for content negotiation. |
Accept-Charset | Request | Indicates which character encodings the client understands (largely obsolete on the modern web). |
Authorization | Request | Carries credentials to authenticate the client, such as a Bearer token or a Basic auth pair. |
Cookie | Request | Sends stored cookies for the current domain back to the server on each request. |
Host | Request | Names the domain and optional port of the server being addressed; required in HTTP/1.1. |
Origin | Request | Identifies the scheme, host, and port a request came from, used by CORS and CSRF checks. |
Referer | Request | Gives the address of the page that linked to the requested resource (note the historical misspelling). |
User-Agent | Request | Identifies the client software, such as the browser, its version, and the operating system. |
If-None-Match | Request | Makes the request conditional on the ETag not matching, enabling cache revalidation. |
If-Modified-Since | Request | Makes the request conditional on the resource changing after the given date. |
If-Match | Request | Makes the request conditional on the ETag matching, often used to prevent lost updates. |
If-Unmodified-Since | Request | Makes the request conditional on the resource staying unchanged since the given date. |
Range | Request | Asks the server for only part of a resource, enabling resumable downloads and media seeking. |
Connection | Request | Controls whether the network connection stays open after the current transaction. |
TE | Request | Lists the transfer encodings the client will accept in the response, such as chunked. |
Content-Type | Response | Declares the media type of the body, such as text/html or application/json, plus its charset. |
Content-Length | Response | Gives the size of the body in bytes so the recipient knows when it has read all of it. |
Content-Encoding | Response | Names the compression applied to the body, which the client must reverse before use. |
Content-Disposition | Response | Signals whether to show the body inline or download it as an attachment, with a filename. |
Content-Language | Response | States the natural language of the body content for the audience it targets. |
Content-Range | Response | Indicates which part of a resource is returned in a 206 Partial Content response. |
Accept-Ranges | Response | Advertises that the server supports range requests, usually with the value bytes. |
Location | Response | Points to another URL, used for redirects (3xx) or to name a newly created resource (201). |
Set-Cookie | Response | Instructs the browser to store a cookie, with attributes such as Path, Expires, and Secure. |
Server | Response | Names the software the origin server runs; often trimmed to avoid leaking version details. |
WWW-Authenticate | Response | Sent with a 401 to tell the client which authentication scheme and realm to use. |
Allow | Response | Lists the HTTP methods a resource supports, commonly returned with a 405 response. |
Retry-After | Response | Tells the client how long to wait before retrying, used with 429 or 503 responses. |
Date | Response | Records the date and time the message was generated, expressed in GMT. |
Cache-Control | Caching | The main caching header; sets rules like max-age, no-store, private, and public. |
Expires | Caching | Gives an absolute date after which the response is considered stale (superseded by max-age). |
ETag | Caching | A version identifier for a resource, used to revalidate caches with If-None-Match. |
Last-Modified | Caching | The date a resource last changed, used to revalidate caches with If-Modified-Since. |
Age | Caching | The time in seconds the response has sat in a proxy cache since it was fetched. |
Vary | Caching | Lists request headers that affect the response, so caches store separate variants per value. |
Pragma | Caching | A legacy HTTP/1.0 header; Pragma: no-cache is kept only for backward compatibility. |
Access-Control-Allow-Origin | CORS | Names which origin (or *) may read the response, the core of CORS permission. |
Access-Control-Allow-Methods | CORS | Lists the HTTP methods allowed for the resource, returned in a preflight response. |
Access-Control-Allow-Headers | CORS | Lists the request headers the client may send, returned in a preflight response. |
Access-Control-Allow-Credentials | CORS | When true, lets the browser expose a credentialed response to the calling script. |
Access-Control-Max-Age | CORS | Says how many seconds a preflight result may be cached to skip repeat checks. |
Access-Control-Expose-Headers | CORS | Lists which response headers scripts may read beyond the safe defaults. |
Access-Control-Request-Method | CORS | Sent by the browser in a preflight to ask whether a given method is allowed. |
Access-Control-Request-Headers | CORS | Sent by the browser in a preflight to ask which custom headers are allowed. |
Strict-Transport-Security | Security | Tells browsers to use HTTPS only for this site for a set period (HSTS). |
Content-Security-Policy | Security | Restricts which sources of scripts, styles, and other content the page may load. |
X-Frame-Options | Security | Controls whether the page may be framed, guarding against clickjacking (DENY or SAMEORIGIN). |
X-Content-Type-Options | Security | The value nosniff stops the browser from guessing a response media type. |
Referrer-Policy | Security | Controls how much referrer information is sent when navigating away from the page. |
Permissions-Policy | Security | Enables or blocks browser features such as camera, microphone, and geolocation per origin. |
Cross-Origin-Opener-Policy | Security | Isolates the browsing context from cross-origin windows, part of a COOP and COEP pair. |
Cross-Origin-Resource-Policy | Security | Limits which origins may embed this resource, blunting side-channel attacks. |
Cross-Origin-Embedder-Policy | Security | Requires embedded resources to opt in via CORS or CORP, enabling powerful features. |
X-XSS-Protection | Security | A legacy header that toggled a browser XSS filter; now deprecated in favor of CSP. |
No headers match your search.
Runs entirely in your browser. Nothing you type is sent anywhere; open DevTools and watch the Network tab to verify zero requests.
What this tool does
This is a searchable reference for the HTTP headers you meet most often when building or debugging web apps and APIs. Every entry lists the header name, its category (request, response, caching, CORS, or security), and a one-sentence plain-English description of what it does. Type in the filter box to narrow the table by header name or meaning, or tap a category button to show just one family. The whole dataset is baked into the page, so it works offline and sends nothing anywhere.
How to use it
Start typing in the Filter box. Entering cache surfaces
Cache-Control, Expires, and the revalidation headers; entering cors shows
the Access-Control family; entering cookie pulls up Cookie and Set-Cookie.
The category buttons (All, Request, Response, Caching, CORS, Security)
combine with the text filter, so you can, for example, pick Security and
type origin to zero in on the Cross-Origin policies. Clear the box to see
every header again. Nothing is submitted and there is no result limit.
Common use cases
- Looking up what a header from a browser network panel or server log actually means.
- Deciding which headers to set on your own endpoint, such as Cache-Control or CORS rules.
- Hardening a site by reviewing the security headers (CSP, HSTS, X-Frame-Options, and more).
- Debugging a failed cross-origin request by checking the Access-Control response headers.
- Explaining a header to a teammate or in a ticket with a precise, shared definition.
Common pitfalls
- Header names are case-insensitive.
Content-Type,content-type, andCONTENT-TYPEall name the same field, and HTTP/2 and HTTP/3 send them lowercase on the wire. Do not rely on a specific casing when parsing headers; match them case-insensitively. - CORS is enforced by the browser, not the server. The Access-Control response headers do not block anything server-side; they tell the browser whether to let page JavaScript read the response. A tool like curl ignores CORS entirely, so a request that fails in the browser can still succeed from the command line.
- Set-Cookie attributes decide whether a cookie works. Attributes such as Secure, HttpOnly, SameSite, Path, Domain, and Expires or Max-Age change where and when a cookie is sent. Miss one, for example forgetting SameSite=None; Secure on a cross-site cookie, and the browser may silently drop it.
- Caching headers interact. Cache-Control overrides the older Expires header, ETag and Last-Modified drive revalidation with If-None-Match and If-Modified-Since, and a missing or overbroad Vary header can make a shared cache serve the wrong variant. Reason about them together, not one at a time.
Frequently asked questions
- What is the difference between a request and response header?
- A request header is sent by the client to the server and describes the client, its preferences, or the body it is sending, for example Accept, Authorization, or User-Agent. A response header is sent back by the server and describes the response or the server itself, for example Content-Type, Set-Cookie, or Cache-Control. Some header names can appear in both directions, but most belong clearly to one side.
- What does Cache-Control do?
- Cache-Control is the primary header for controlling how browsers and proxies cache a response. Directives like max-age set how many seconds the response stays fresh, no-store forbids caching entirely, and private limits storage to the end-user cache rather than shared proxies. It is the modern replacement for the older Expires and Pragma headers.
- What is CORS and which headers control it?
- CORS, or Cross-Origin Resource Sharing, is the browser mechanism that decides whether a web page on one origin may read a response from another origin. The server opts in using response headers, chiefly Access-Control-Allow-Origin, plus Allow-Methods, Allow-Headers, Allow-Credentials, Max-Age, and Expose-Headers for finer control. For certain requests the browser first sends a preflight OPTIONS request to check these permissions.
- What does Content-Security-Policy protect against?
- Content-Security-Policy limits where a page may load resources from, which is a strong defense against cross-site scripting and data injection. By listing trusted sources for scripts, styles, images, and other content, it can block inline scripts and unexpected third-party code even if an attacker manages to inject markup. It is set as a response header and enforced by the browser.
- What is the difference between ETag and Last-Modified?
- Both help caches decide whether a stored copy is still valid, but they differ in precision. Last-Modified is a timestamp with one-second resolution, while an ETag is an opaque version token that changes whenever the content changes, even within the same second. When both are present, the ETag with If-None-Match generally takes priority over Last-Modified with If-Modified-Since.
- Does this tool send the headers I search to a server?
- No. The full list of headers is embedded in the page, and all searching and filtering happens in your browser with JavaScript. You can confirm this by opening DevTools and watching the Network tab: typing in the search box makes zero requests.
Cite this tool
For academic, journalistic, or technical references. Pick a format:
Citations use 2026 as the publication year. Access date is left as a fillable placeholder where the citation style expects one.