
HTTP Headers Reference

Complete HTTP headers reference. Request headers, response headers, security headers, and CORS configuration for web development.

Request Headers

Accept: Content types client accepts
Accept: text/html, application/json
Accept-Encoding: Compression methods supported
Accept-Encoding: gzip, deflate, br
Accept-Language: Preferred languages
Accept-Language: en-US, en;q=0.9
Authorization: Authentication credentials
Authorization: Bearer token123
Cache-Control: Cache directives
Cache-Control: no-cache
Content-Type: Request body media type
Content-Type: application/json
Cookie: Send stored cookies
Cookie: session=abc123
Host: Target server domain
Host: example.com
Origin: Request origin for CORS
Origin: https://client.com
Referer: Previous page URL
Referer: https://example.com/page
User-Agent: Client software info
User-Agent: Mozilla/5.0...

Response Headers

Access-Control-Allow-Origin: CORS allowed origins
Access-Control-Allow-Origin: *
Cache-Control: Response caching rules
Cache-Control: max-age=3600
Content-Encoding: Compression applied
Content-Encoding: gzip
Content-Length: Response body size
Content-Length: 1234
Content-Type: Response media type
Content-Type: application/json
ETag: Resource version identifier
ETag: "abc123"
Location: Redirect URL
Location: https://example.com/new
Set-Cookie: Send cookie to client
Set-Cookie: session=xyz; Path=/
Status: Response status
Status: 200 OK
Strict-Transport-Security: HTTPS enforcement
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: MIME type sniffing block
X-Content-Type-Options: nosniff
X-Frame-Options: iframe embedding control
X-Frame-Options: DENY

Security Headers

Content-Security-Policy: Restrict resource sources
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: Force HTTPS
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: Block MIME sniffing
X-Content-Type-Options: nosniff
X-Frame-Options: Block iframe embedding
X-Frame-Options: DENY
X-XSS-Protection: XSS filter (deprecated)
X-XSS-Protection: 0

CORS Headers

Access-Control-Allow-Origin: allowed origins (* or specific)
Access-Control-Allow-Methods: allowed HTTP methods
Access-Control-Allow-Headers: allowed request headers
Access-Control-Allow-Credentials: allow cookies
Access-Control-Max-Age: preflight cache duration
The preflight OPTIONS request checks CORS permissions.
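A response-header audit covering the security and CORS headers listed above, as an added example that is not part of the original reference. The function name, finding labels and sample responses are constructed for illustration, and using 31536000 seconds as the minimum HSTS max-age is an assumption taken from the value shown on this page.

```python
import re

# CSP keywords only work single-quoted; unquoted, browsers parse them as hostnames.
CSP_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}

def audit_headers(headers, min_hsts_age=31536000):
    """Return a sorted list of finding labels for a response header mapping."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("csp-missing")
    else:
        for directive in csp.split(";"):
            sources = directive.split()[1:]  # skip the directive name
            if any(s.lower() in CSP_KEYWORDS for s in sources):
                findings.append("csp-unquoted-keyword")
                break

    # A header without a parsable max-age is reported the same as a missing one.
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    if m is None:
        findings.append("hsts-missing")
    elif int(m.group(1)) < min_hsts_age:
        findings.append("hsts-short-max-age")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("nosniff-missing")

    # Framing is restricted by X-Frame-Options or by CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in (csp or "").lower():
        findings.append("framing-unrestricted")

    # Browsers refuse credentialed cross-origin responses with a wildcard origin.
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("cors-wildcard-with-credentials")
    return sorted(findings)

# Constructed sample responses (not captured from a real server).
WEAK = {"Content-Security-Policy": "default-src self",
        "Strict-Transport-Security": "max-age=3600",
        "Access-Control-Allow-Origin": "*",
        "Access-Control-Allow-Credentials": "true"}
GOOD = {"Content-Security-Policy": "default-src 'self'",
        "Strict-Transport-Security": "max-age=31536000",
        "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
        "Access-Control-Allow-Origin": "https://client.com"}
```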

Cache Headers

Cache-Control: max-age=seconds, no-cache, no-store, public, private
Expires: absolute expiration date
ETag: version identifier for validation
Last-Modified: resource modification time
Cache validation: If-None-Match, If-Modified-Since
Freshness vs validation: max-age for freshness, ETag for validation

Content Types

text/html - HTML pages
application/json - JSON data
text/css - CSS files
application/javascript - JS files
image/png - PNG images
application/pdf - PDF files
text/plain - Plain text
multipart/form-data - File uploads