# HTTP Headers Reference

A practical guide to common HTTP headers used for auth, caching, security, and content negotiation.
## General Headers

| Header | Description |
|---|---|
| Date | Timestamp at which the message was generated. |
| Connection | Controls connection options such as keep-alive. |
| Transfer-Encoding | Specifies transfer encodings such as chunked. |
| Upgrade | Requests a protocol upgrade (e.g., WebSocket). |
| Via | Tracks the proxies/gateways between client and server. |
## Request Headers

| Header | Description |
|---|---|
| Accept | Media types acceptable for the response. |
| Accept-Encoding | Supported compression encodings (gzip, br). |
| Authorization | Credentials for authenticating the user agent with the server. |
| Content-Type | Media type of the request body. |
| User-Agent | Client identifier string. |
| Origin | Scheme, host, and port the request originated from; used for CORS checks. |
## Response Headers

| Header | Description |
|---|---|
| Content-Type | Media type of the response body. |
| Set-Cookie | Sets a cookie on the client. |
| Location | Redirect target for 3xx responses. |
| WWW-Authenticate | Authentication challenge sent with 401 responses. |
| Server | Server software identifier. |
## Caching Headers

| Header | Description |
|---|---|
| Cache-Control | Caching directives (max-age, no-store). |
| ETag | Resource version identifier used for validation. |
| Last-Modified | Last modification date, used for conditional requests. |
| If-None-Match | Validates a cached copy against the server's ETag. |
| Expires | Absolute expiry time for the cached response. |
| Vary | Names the request headers that must be part of the cache key. |
## Security Headers

| Header | Description |
|---|---|
| Strict-Transport-Security | Instructs the browser to use HTTPS for all future requests to the host. |
| Content-Security-Policy | Restricts where resources may be loaded from, reducing the impact of XSS. |
| X-Content-Type-Options | Prevents MIME sniffing (nosniff). |
| X-Frame-Options | Controls whether the page may be framed (DENY/SAMEORIGIN), mitigating clickjacking. |
| Referrer-Policy | Controls how much referrer information is sent with requests. |
| Permissions-Policy | Enables or disables browser features for the page. |