HTTP Headers: The Complete Guide
HTTP headers are metadata transmitted between a client (browser) and a server with every HTTP request and response. They define how to process data, what content to return, how to cache responses, and much more.
How HTTP Headers Work
Every HTTP request and response consists of three parts: a start line, headers, and body. Headers are name-value pairs, one per line, with the name and value separated by a colon:
GET /api/data HTTP/1.1
Host: example.com
Accept: application/json
Authorization: Bearer eyJhbGci...
User-Agent: Mozilla/5.0
The server responds with its own set of headers:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Cache-Control: max-age=3600
X-Request-Id: abc-123
Types of HTTP Headers
Request Headers
Sent by the client to the server, containing information about the request and the client:
| Header | Description | Example |
|---|---|---|
| Host | Server domain name (required in HTTP/1.1) | Host: example.com |
| Accept | Content types the client accepts | Accept: text/html, application/json |
| Accept-Language | Preferred response languages | Accept-Language: en, ru;q=0.8 |
| Accept-Encoding | Supported compression algorithms | Accept-Encoding: gzip, br |
| Authorization | Authentication credentials | Authorization: Bearer token123 |
| Cookie | Cookies previously set by the server | Cookie: session=abc; theme=dark |
| User-Agent | Client information (browser, OS) | User-Agent: Mozilla/5.0... |
| Referer | URL of the page that initiated the request | Referer: https://google.com/ |
| If-None-Match | ETag for conditional requests (caching) | If-None-Match: "abc123" |
| If-Modified-Since | Date for conditional requests | If-Modified-Since: Mon, 01 Jan 2025... |
Response Headers
Sent by the server to the client, containing information about the resource and processing instructions:
| Header | Description | Example |
|---|---|---|
| Content-Type | MIME type of the returned content | Content-Type: text/html; charset=utf-8 |
| Content-Length | Response body size in bytes | Content-Length: 3842 |
| Content-Encoding | Response body compression algorithm | Content-Encoding: gzip |
| Set-Cookie | Set a cookie on the client | Set-Cookie: session=abc; HttpOnly; Secure |
| Location | URL for redirect (3xx) or new resource (201) | Location: https://example.com/new |
| Server | Web server information | Server: nginx/1.24 |
| ETag | Resource version identifier | ETag: "abc123" |
| Last-Modified | Date the resource was last modified | Last-Modified: Mon, 01 Jan 2025... |
Caching Headers
Caching is one of the most important performance optimizations. HTTP headers allow precise control over how and where resources are cached:
Cache-Control
The primary cache control header. Supports multiple directives:
- max-age=3600 — the resource can be cached for 3600 seconds
- no-cache — caching is allowed but must be validated with the server before use
- no-store — caching is completely forbidden (for sensitive data)
- public — can be cached by CDNs and proxy servers
- private — cache only in the user's browser
- must-revalidate — must validate with the server after max-age expires
- immutable — the resource will never change (for hashed filenames)
Caching Strategies
Static resources (CSS, JS, images) with a hash in the filename:
Cache-Control: public, max-age=31536000, immutable
HTML pages that may be updated:
Cache-Control: no-cache
ETag: "v2.1.0-abc"
Sensitive data (dashboards, API responses with personal information):
Cache-Control: no-store
CORS Headers
Cross-Origin Resource Sharing (CORS) allows a server to specify which domains can access its resources from a browser:
| Header | Description |
|---|---|
| Access-Control-Allow-Origin | Allowed domain (or * for all) |
| Access-Control-Allow-Methods | Allowed HTTP methods |
| Access-Control-Allow-Headers | Allowed request headers |
| Access-Control-Max-Age | Preflight request cache duration |
| Access-Control-Allow-Credentials | Allow sending cookies |
Example configuration for an API:
Access-Control-Allow-Origin: https://myapp.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400
SEO Headers
Some HTTP headers directly affect indexing and SEO:
- X-Robots-Tag: noindex — block indexing via HTTP (similar to meta robots)
- Link: </page>; rel="canonical" — canonical URL via header
- Vary: Accept-Encoding — tells CDN that content varies based on compression
- Content-Language: en — content language
Common Mistakes
- Missing Content-Type — the browser may misinterpret the content
- Cache-Control without strategy — leads to stale data or unnecessary requests
- CORS: Access-Control-Allow-Origin: * with credentials — forbidden by spec and does not work
- Exposing Server and X-Powered-By — leaks stack information, facilitates attacks
- Missing security headers — vulnerability to XSS, clickjacking, MIME-sniffing
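The mistakes above can be turned into an automated check. The following is an added Python example (not code from this guide) that parses the header block of a raw HTTP response and reports which of these mistakes it finds; the choice of the three security headers it looks for and the sample response are assumptions constructed for the demo.

```python
# Headers the guide's "missing security headers" item points at (XSS,
# clickjacking, MIME-sniffing); picking these three is an assumption.
SECURITY_HEADERS = ("content-security-policy", "x-frame-options",
                    "x-content-type-options")


def parse_response_headers(raw):
    """Header block of a raw HTTP response -> {lowercase name: [values]}."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # the first blank line ends the header block
        name, _, value = line.partition(":")
        # Names are case-insensitive; repeated headers (Set-Cookie) stay in order.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers):
    """Return one finding per 'Common Mistakes' item detected in the headers."""
    def first(name):
        return headers.get(name, [""])[0].lower()
    findings = []
    if "content-type" not in headers:
        findings.append("missing Content-Type")
    if "cache-control" not in headers:
        findings.append("no Cache-Control strategy")
    if (first("access-control-allow-origin") == "*"
            and first("access-control-allow-credentials") == "true"):
        findings.append("CORS wildcard origin combined with credentials")
    for leaky in ("server", "x-powered-by"):
        if leaky in headers:
            findings.append(f"{leaky} exposes stack information")
    missing = [h for h in SECURITY_HEADERS if h not in headers]
    if missing:
        findings.append("missing security headers: " + ", ".join(missing))
    return findings


# Constructed sample response for the demo; not captured from a real server.
SAMPLE = ("HTTP/1.1 200 OK\r\nServer: nginx/1.24\r\n"
          "Content-Type: application/json; charset=utf-8\r\n"
          "Access-Control-Allow-Origin: *\r\n"
          "Access-Control-Allow-Credentials: true\r\n"
          "Set-Cookie: session=abc; HttpOnly; Secure\r\nSet-Cookie: theme=dark\r\n"
          "\r\n" '{"ok": true}')

if __name__ == "__main__":
    for finding in audit_headers(parse_response_headers(SAMPLE)):
        print("-", finding)
```

Running it against a real response is a matter of feeding the raw header text of that response to parse_response_headers instead of SAMPLE.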