Date: Timestamp when the message was generated. | Connection: Control connection options like keep-alive. | Transfer-Encoding: Specify transfer encodings such as chunked.

Accept: Media types acceptable for the response. | Accept-Encoding: Supported compression (gzip, br). | Authorization: Credentials for authenticating a user agent.

Content-Type: Media type of the response body. | Set-Cookie: Set a cookie on the client. | Location: Redirect target for 3xx responses.

Cache-Control: Caching directives (max-age, no-store). | ETag: Resource version identifier for validation. | Last-Modified: Last modification date for conditional requests.

Strict-Transport-Security: Enforce HTTPS for future requests. | Content-Security-Policy: Restrict resource loading to reduce XSS. | X-Content-Type-Options: Prevent MIME sniffing (nosniff).

HTTP Headers Reference

A practical guide to common HTTP headers used for auth, caching, security, and content negotiation.

General Headers

Key / Code	Description
Date	Timestamp when the message was generated.
Connection	Control connection options like keep-alive.
Transfer-Encoding	Specify transfer encodings such as chunked.
Upgrade	Request protocol upgrade (e.g., WebSocket).
Via	Track proxies/gateways between client and server.

Request Headers

Key / Code	Description
Accept	Media types acceptable for the response.
Accept-Encoding	Supported compression (gzip, br).
Authorization	Credentials for authenticating a user agent.
Content-Type	Media type of the request body.
User-Agent	Client identifier string.
Origin	Origin of the request (CORS).

Response Headers

Key / Code	Description
Content-Type	Media type of the response body.
Set-Cookie	Set a cookie on the client.
Location	Redirect target for 3xx responses.
WWW-Authenticate	Auth challenge for 401 responses.
Server	Server software identifier.

Caching Headers

Key / Code	Description
Cache-Control	Caching directives (max-age, no-store).
ETag	Resource version identifier for validation.
Last-Modified	Last modification date for conditional requests.
If-None-Match	Validate cache using ETag.
Expires	Absolute expiry time for cache.
Vary	Cache key based on request headers.

Security Headers

Key / Code	Description
Strict-Transport-Security	Enforce HTTPS for future requests.
Content-Security-Policy	Restrict resource loading to reduce XSS.
X-Content-Type-Options	Prevent MIME sniffing (nosniff).
X-Frame-Options	Mitigate clickjacking (DENY/SAMEORIGIN).
Referrer-Policy	Control referrer information in requests.
Permissions-Policy	Enable/disable browser features.

How to Read Headers Quickly

Group headers by responsibility: request context, response metadata, cache behavior, and browser security. In debugging sessions, check Content-Type and Cache-Control first, then look at validators such as ETag and Last-Modified, and finally inspect security headers such as CSP or HSTS when browser behavior looks inconsistent.

Common Header Mistakes

A frequent mistake is setting Cache-Control without Vary, which can cause the wrong response variant to be cached. Another is mixing CORS response headers with the wrong Origin handling. On the security side, partial CSP rules often look valid but still allow unsafe inline behavior because the policy is incomplete.

HTTP Caching Guide

Go deeper on Cache-Control, ETag, Last-Modified, and validator behavior.

CORS Guide

Understand how Origin, preflight requests, and allow headers work together.

HTTP Status Codes

Pair headers with the right status codes when debugging responses.

HTTP Methods Cheat Sheet

Review request semantics alongside request and response headers.

Knowledge is power.