HTTP Headers
The headers you reach for daily — request, response and both — with real examples.
Request (10)
Accept
Media types the client can handle.
Accept: application/json, text/html;q=0.9
Accept-Encoding
Compression algorithms supported.
Accept-Encoding: gzip, deflate, br
Authorization
Credentials for HTTP authentication.
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI...
Cookie
Stored cookies sent to the server.
Cookie: session=abc123; theme=dark
Host
Domain name of the server.
Host: api.example.com
If-None-Match
Conditional request based on ETag.
If-None-Match: "33a64df5"
Origin
Where the request originated (used by CORS).
Origin: https://example.com
Referer
Address of the previous page.
Referer: https://example.com/page
User-Agent
Client software identification.
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
X-Forwarded-For
Originating IP through a proxy chain.
X-Forwarded-For: 203.0.113.1, 198.51.100.5
Response (12)
Access-Control-Allow-Origin
CORS — origins allowed to access the resource.
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials
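CORS — whether credentials may be sent. Browsers reject credentialed responses when Access-Control-Allow-Origin is the wildcard *, so pair this with a specific origin.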
Access-Control-Allow-Credentials: true
Content-Disposition
Whether to display inline or as attachment.
Content-Disposition: attachment; filename="report.pdf"
Content-Security-Policy
Restricts which resources can load.
Content-Security-Policy: default-src 'self'
ETag
Unique version identifier for caching.
ETag: "33a64df5"
Last-Modified
When the resource was last changed.
Last-Modified: Wed, 21 Oct 2026 07:28:00 GMT
Location
URL to redirect to (with 3xx) or new resource (201).
Location: /users/42
Retry-After
How long the client should wait before retrying.
Retry-After: 120
Set-Cookie
Sends a cookie to the client.
Set-Cookie: session=abc; HttpOnly; Secure; SameSite=Strict
Strict-Transport-Security
Force HTTPS for future requests (HSTS).
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options
Prevent MIME-sniffing.
X-Content-Type-Options: nosniff
X-Frame-Options
Restrict embedding in iframes.
X-Frame-Options: DENY
Both (3)
Cache-Control
Caching directives for both requests and responses.
Cache-Control: max-age=3600, s-maxage=86400
Content-Type
Media type of the body.
Content-Type: application/json; charset=utf-8
Content-Length
Size of the body in octets.
Content-Length: 348