HTTP Headers Reference

Complete guide to HTTP headers — learn what each header does, how to configure it, and why it matters for security and performance.

Security

Content-Security-Policy

Controls which resources the browser is allowed to load for a page, helping prevent XSS and data injection attacks.

Cross-Origin-Opener-Policy

Isolates the browsing context to prevent cross-origin attacks like Spectre from accessing sensitive data.

Cross-Origin-Resource-Policy

Restricts which origins can load a resource, preventing unauthorized cross-origin reads.

Permissions-Policy

Controls which browser features and APIs can be used on the page, such as camera, microphone, and geolocation.

Referrer-Policy

Controls how much referrer information is included with requests, balancing privacy with analytics needs.

Strict-Transport-Security

Instructs browsers to only access the site via HTTPS, protecting against protocol downgrade attacks and cookie hijacking.

X-Content-Type-Options

Prevents browsers from MIME-sniffing the content type, reducing the risk of drive-by downloads and XSS attacks.

X-Frame-Options

Controls whether a page can be displayed in a frame or iframe, protecting against clickjacking attacks.

X-XSS-Protection

Legacy header that enabled the browser's built-in XSS filter. Now deprecated in favor of Content-Security-Policy.

Response

Controls whether the network connection stays open after the current transaction finishes.

Content-Disposition

Indicates whether the response should be displayed inline or downloaded as a file attachment.

Content-Encoding

Specifies the compression algorithm applied to the response body, such as gzip or brotli.

Content-Length

Specifies the size of the response body in bytes.

Indicates the media type of the response body, telling the browser how to interpret and display the content.

Indicates the date and time at which the response was generated by the server.

Provides a unique identifier for a specific version of a resource, enabling efficient conditional requests.

Last-Modified

Indicates the date and time the resource was last modified, used for cache validation.

Specifies the URL to redirect the client to, used with 3xx redirect status codes.

Tells the client how long to wait before making a new request after being rate-limited or redirected.

Identifies the web server software. Should be minimized for security reasons.

Sends a cookie from the server to the browser for session management, tracking, and personalization.

Transfer-Encoding

Specifies the encoding used to transfer the response body, typically chunked.

WWW-Authenticate

Defines the authentication method the server requires to access a protected resource.

Caching

Indicates how long a response has been stored in a cache, in seconds since generation.

Cache-Control

The primary header for controlling caching behavior, defining how and for how long responses can be cached.

Specifies a date/time after which the response is considered stale. Superseded by Cache-Control max-age.

Legacy HTTP/1.0 header for backward-compatible cache control. Replaced by Cache-Control.

Tells caches which request headers to consider when deciding whether to serve a cached response.

CORS

Access-Control-Allow-Credentials

Indicates whether the response to a credentialed cross-origin request can be exposed to JavaScript.

Access-Control-Allow-Headers

Specifies which HTTP headers can be used in the actual request following a CORS preflight.

Access-Control-Allow-Methods

Specifies which HTTP methods are allowed in a CORS preflight response.

Access-Control-Allow-Origin

Specifies which origins are permitted to read the response, the fundamental CORS header.

Access-Control-Max-Age

Specifies how long the results of a CORS preflight request can be cached.

Request

Specifies the media types the client can process in the response.

Accept-Encoding

Indicates which content encodings the client can understand.

Accept-Language

Advertises the natural languages the client prefers in the response.

Authorization

Carries credentials to authenticate the client with the server.

Sends previously stored cookies from the server back with each request.

Specifies the domain name and port of the server being requested.

If-Modified-Since

Makes the request conditional; server responds with 304 if content hasn't changed since the given date.

If-None-Match

Makes the request conditional based on an ETag value; enables efficient cache validation.

Indicates the origin (scheme, host, port) from which a cross-origin request is made.

Requests only a specific part of a resource, enabling partial content downloads.

Contains the URL of the page that linked to the currently requested resource.

Identifies the client application, operating system, and engine making the request.

Check your website's HTTP headers right now

Check headers →

Frequently Asked Questions

What are HTTP headers?

HTTP headers are metadata sent with every request and response. They control caching, security, content type, CORS, authentication, and other aspects of HTTP communication.

What categories of HTTP headers exist?

Main categories: security headers (CSP, HSTS, X-Frame-Options), caching (Cache-Control, ETag), CORS (Access-Control-*), response (Content-Type, Content-Length), request (Accept, User-Agent, Authorization).

Which security headers are mandatory?

Minimum set: Strict-Transport-Security (HSTS), X-Content-Type-Options: nosniff, X-Frame-Options. Recommended: Content-Security-Policy, Permissions-Policy, Referrer-Policy. Check your headers with our HTTP checker.

How does caching work through headers?

Cache-Control defines caching policy: max-age (lifetime), no-cache (check freshness), no-store (do not cache). ETag and Last-Modified allow the browser to check if a resource has changed without re-downloading it.

What are CORS headers?

CORS (Cross-Origin Resource Sharing) is a mechanism that allows web pages to request resources from other domains. Key headers: Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers.