Skip to content
Pricing RU Sign In
RU

HTTP Headers Reference

Complete guide to HTTP headers — learn what each header does, how to configure it, and why it matters for security and performance.

Security

Content-Security-Policy
Controls which resources the browser is allowed to load for a page, helping prevent XSS and data injection attacks.
Cross-Origin-Opener-Policy
Isolates the browsing context to prevent cross-origin attacks like Spectre from accessing sensitive data.
Cross-Origin-Resource-Policy
Restricts which origins can load a resource, preventing unauthorized cross-origin reads.
Permissions-Policy
Controls which browser features and APIs can be used on the page, such as camera, microphone, and geolocation.
Referrer-Policy
Controls how much referrer information is included with requests, balancing privacy with analytics needs.
Strict-Transport-Security
Instructs browsers to only access the site via HTTPS, protecting against protocol downgrade attacks and cookie hijacking.
X-Content-Type-Options
Prevents browsers from MIME-sniffing the content type, reducing the risk of drive-by downloads and XSS attacks.
X-Frame-Options
Controls whether a page can be displayed in a frame or iframe, protecting against clickjacking attacks.
X-XSS-Protection
Legacy header that enabled the browser's built-in XSS filter. Now deprecated in favor of Content-Security-Policy.

Response

Connection
Controls whether the network connection stays open after the current transaction finishes.
Content-Disposition
Indicates whether the response should be displayed inline or downloaded as a file attachment.
Content-Encoding
Specifies the compression algorithm applied to the response body, such as gzip or brotli.
Content-Length
Specifies the size of the response body in bytes.
Content-Type
Indicates the media type of the response body, telling the browser how to interpret and display the content.
Date
Indicates the date and time at which the response was generated by the server.
ETag
Provides a unique identifier for a specific version of a resource, enabling efficient conditional requests.
Last-Modified
Indicates the date and time the resource was last modified, used for cache validation.
Location
Specifies the URL to redirect the client to, used with 3xx redirect status codes.
Retry-After
Tells the client how long to wait before making a new request after being rate-limited or redirected.
Server
Identifies the web server software. Should be minimized for security reasons.
Set-Cookie
Sends a cookie from the server to the browser for session management, tracking, and personalization.
Transfer-Encoding
Specifies the encoding used to transfer the response body, typically chunked.
WWW-Authenticate
Defines the authentication method the server requires to access a protected resource.

Caching

Age
Indicates how long a response has been stored in a cache, in seconds since generation.
Cache-Control
The primary header for controlling caching behavior, defining how and for how long responses can be cached.
Expires
Specifies a date/time after which the response is considered stale. Superseded by Cache-Control max-age.
Pragma
Legacy HTTP/1.0 header for backward-compatible cache control. Replaced by Cache-Control.
Vary
Tells caches which request headers to consider when deciding whether to serve a cached response.

CORS

Access-Control-Allow-Credentials
Indicates whether the response to a credentialed cross-origin request can be exposed to JavaScript.
Access-Control-Allow-Headers
Specifies which HTTP headers can be used in the actual request following a CORS preflight.
Access-Control-Allow-Methods
Specifies which HTTP methods are allowed in a CORS preflight response.
Access-Control-Allow-Origin
Specifies which origins are permitted to read the response, the fundamental CORS header.
Access-Control-Max-Age
Specifies how long the results of a CORS preflight request can be cached.

Request

Accept
Specifies the media types the client can process in the response.
Accept-Encoding
Indicates which content encodings the client can understand.
Accept-Language
Advertises the natural languages the client prefers in the response.
Authorization
Carries credentials to authenticate the client with the server.
Cookie
Sends previously stored cookies from the server back with each request.
Host
Specifies the domain name and port of the server being requested.
If-Modified-Since
Makes the request conditional; server responds with 304 if content hasn't changed since the given date.
If-None-Match
Makes the request conditional based on an ETag value; enables efficient cache validation.
Origin
Indicates the origin (scheme, host, port) from which a cross-origin request is made.
Range
Requests only a specific part of a resource, enabling partial content downloads.
Referer
Contains the URL of the page that linked to the currently requested resource.
User-Agent
Identifies the client application, operating system, and engine making the request.

Check your website's HTTP headers right now

Check headers →
SecurityHSTS, CSP, X-Frame-Options and others protect the site from XSS, clickjacking and MITM attacks.
PerformanceCache-Control, ETag, Vary control caching and reduce server load.
CORSAccess-Control-Allow-Origin defines which domains can make cross-origin requests.
DiagnosticsHeaders reveal server stack, software version and configuration — valuable for auditing.

Why teams trust us

45+
HTTP headers
Cache
caching analysis
<2s
result
HSTS
& security headers

How it works

1

Enter URL

2

HTTP response fetched

3

All headers parsed

HTTP Headers: server diagnostics and security

HTTP headers are metadata of every server response. They control security, caching, CORS and compression. Correct header configuration is critical for protection against attacks and optimal performance.

Security Headers

Instant check for HSTS, CSP, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.

Cache Headers

Analysis of Cache-Control, Expires, ETag and Vary for diagnosing caching issues.

Server Fingerprint

Detection of Server, X-Powered-By and other headers revealing the technology stack.

Configuration Score

Overall security score for headers with specific recommendations for improvement.

Who uses this

Developers

HTTP response debugging

DevOps

cache & CDN verification

Security

security header audit

SEO

redirects & canonical

Common Mistakes

Missing HSTSWithout Strict-Transport-Security the browser may load the site over HTTP. Use max-age=31536000; includeSubDomains.
Server version disclosureThe header Server: Apache/2.4.51 helps attackers find vulnerable versions. Hide version in config.
Overly broad CORSAccess-Control-Allow-Origin: * is acceptable only for public APIs. For authenticated resources — use a whitelist.
Missing X-Frame-OptionsWithout this header, a site can be embedded in an iframe by an attacker for clickjacking attacks.

Best Practices

Implement the minimum security header setHSTS, X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, Referrer-Policy: strict-origin-when-cross-origin.
Configure Cache-Control for static assetsCSS, JS, images: max-age=31536000, immutable. HTML: no-cache or short max-age.
Check headers after every deployUpdating nginx/Apache config can reset security headers. Include a header check in your CI/CD pipeline.
Use CSP in report-only mode firstContent-Security-Policy-Report-Only lets you debug policy without blocking legitimate resources.

Get more with a free account

HTTP header check history and API access for automation.

Sign up free

Complete HTTP Headers Reference for Developers

HTTP headers are key-value pairs sent with every request and response. They control caching behaviour, security policies, content negotiation, authentication, and redirects. Security headers — Content-Security-Policy, Strict-Transport-Security, X-Frame-Options — protect users from XSS, clickjacking, and protocol downgrade attacks. Caching headers such as Cache-Control and ETag reduce bandwidth and improve page load performance. This reference covers all standard and commonly used HTTP headers with their syntax and recommended values.

Frequently Asked Questions

What are HTTP headers?

HTTP headers are metadata sent with every request and response. They control caching, security, content type, CORS, authentication, and other aspects of HTTP communication.

What categories of HTTP headers exist?

Main categories: security headers (CSP, HSTS, X-Frame-Options), caching (Cache-Control, ETag), CORS (Access-Control-*), response (Content-Type, Content-Length), request (Accept, User-Agent, Authorization).

Which security headers are mandatory?

Minimum set: Strict-Transport-Security (HSTS), X-Content-Type-Options: nosniff, X-Frame-Options. Recommended: Content-Security-Policy, Permissions-Policy, Referrer-Policy. Check your headers with our HTTP checker.

How does caching work through headers?

Cache-Control defines caching policy: max-age (lifetime), no-cache (check freshness), no-store (do not cache). ETag and Last-Modified allow the browser to check if a resource has changed without re-downloading it.

What are CORS headers?

CORS (Cross-Origin Resource Sharing) is a mechanism that allows web pages to request resources from other domains. Key headers: Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers.

Related Articles

HTTP

Server-Sent Events vs WebSockets: Choosing Real-Time Communication

9 min · Read → HTTP

HTTP 404 Not Found Error: 7 Causes and How to Fix

8 min · Read → HTTP

The Complete HTTP Request Lifecycle: From URL to Rendered Page

10 min · Read →
All articles →

Start monitoring for free

Sign up and get access to API, monitoring and notifications

Create Account API Documentation