HTTP headers


Quick reference for frequently used HTTP header fields: typical direction (request, response, or both), and a short explanation—pair with MIME types, methods, and status codes when debugging APIs or proxies.

Headers in debugging workflows

Request headers carry auth, content negotiation, and caching hints; response headers carry cookies, cache policy, and security directives. Filter this list when you compare a working curl request to a failing browser call or when you tune CDN behavior.

For payload typing, cross-check names with the MIME type lookup; for verb semantics, use HTTP methods and status codes so the full exchange is consistent.

Reference


Names follow common spelling; custom X- and vendor headers are common in the wild—always read your framework and API docs.

68 headers


Header | Direction | Summary
------ | --------- | -------
Accept | request | Advertises which content types the client can process (MIME types with q weights).
Accept-CH | response | Asks the client to send Client Hints (viewport, DPR, etc.) on later requests.
Accept-Encoding | request | Lists encodings the client understands (gzip, br, zstd)—enables compression.
Accept-Language | request | Preferred natural languages for the response (locale negotiation).
Accept-Ranges | response | Indicates the server supports range requests (often bytes) for partial content.
Access-Control-Allow-Origin | response | CORS: which origins may read the response in browsers (* or a single origin).
Age | response | Seconds the response has been in a cache (shared caches).
Allow | response | Lists methods allowed on the resource (often with 405 Method Not Allowed).
Alt-Svc | response | Alternative services (HTTP/3, alternate host:port) the client may use.
Authorization | request | Credentials for the target resource (Bearer, Basic, Digest schemes).
Cache-Control | both | Directives for caches and intermediaries (max-age, no-store, private, immutable, …).
Connection | both | Controls persistence (keep-alive, close) and names hop-by-hop headers.
Content-Disposition | both | Hints a filename for downloads (attachment) or inline display; also used in multipart parts.
Content-Encoding | both | Transformations applied to the body (gzip, br)—distinct from Transfer-Encoding.
Content-Language | both | Language(s) of the intended audience for the enclosed representation.
Content-Length | both | Byte length of the message body (when known; not used with chunked encoding).
Content-Location | both | URI of the specific variant returned (may differ from the request URI).
Content-Range | both | Byte range of a partial body (206 responses, multipart ranges).
Content-Security-Policy | response | Restricts script, style, and resource loads to mitigate XSS and injection.
Content-Type | both | MIME type and optional charset/parameters of the body (JSON, HTML, multipart).
Cookie | request | Previously stored cookies the client sends to the origin (name=value pairs).
Cross-Origin-Opener-Policy | response | Isolates the browsing context from cross-origin documents (Spectre-related).
Cross-Origin-Resource-Policy | response | Limits which sites may embed the resource (same-site, same-origin, cross-origin).
Date | both | When the message originated (HTTP-date); required on responses in HTTP/1.1.
ETag | response | Opaque validator for caching and conditional requests (If-None-Match).
Expect | request | Expects a 100 Continue before sending a large body (rare with modern clients).
Expires | response | Legacy expiration time; prefer Cache-Control in modern apps.
Forwarded | request | Proxies add client-facing host/proto (RFC 7239)—similar role to X-Forwarded-*.
From | request | Human-readable email of the user agent (rare; not for authentication).
Host | request | Authority (hostname[:port])—required in HTTP/1.1; drives virtual hosting.
If-Match | request | Perform the method only if the ETag still matches (optimistic concurrency).
If-Modified-Since | request | Return body only if changed after this date—else often 304 Not Modified.
If-None-Match | request | Return 304 if the ETag still matches (GET) or fail with 412 if it matches (other methods).
If-Range | request | For range requests: send ranges only if the validator still matches.
If-Unmodified-Since | request | Perform only if the resource has not changed since the given date.
Last-Modified | response | Last modification time of the representation—used with If-Modified-Since.
Link | response | Typed links (RFC 8288)—pagination, preconnect, alternate formats.
Location | response | URI for redirects (3xx) or created resources (201)—clients follow Location.
Origin | request | Scheme + host + port of the initiating page—sent with CORS requests and cross-origin POSTs.
Permissions-Policy | response | Controls powerful features (camera, geolocation, payment) in embedded frames.
Pragma | both | Legacy cache directive (no-cache); prefer Cache-Control for HTTP/1.1 caches.
Proxy-Authenticate | response | Authentication scheme the proxy requires (407 Proxy Authentication Required).
Proxy-Authorization | request | Credentials for a proxy that asked for authentication.
Range | request | Requests a sub-range of the representation (bytes=…)—206 Partial Content.
Referer | request | URI of the previous page (misspelling is historical); privacy-sensitive.
Referrer-Policy | both | Controls how much referrer information is sent on navigations and subrequests.
Retry-After | response | How long to wait before retrying (429, 503) or after a redirect.
Sec-Fetch-Dest | request | Fetch metadata: destination (document, image, empty)—browser security signals.
Sec-Fetch-Mode | request | Fetch metadata: mode (cors, no-cors, navigate, same-origin).
Sec-Fetch-Site | request | Fetch metadata: relationship to initiator (same-origin, cross-site, none).
Server | response | Software information about the origin server (often minimized for security).
Server-Timing | response | Server processing metrics (database, cache) for performance insight.
Set-Cookie | response | Instructs the client to store a cookie (HttpOnly, Secure, SameSite, …).
Strict-Transport-Security | response | HSTS: require HTTPS for a period (includeSubDomains; use preload cautiously).
TE | request | Transfer encodings acceptable in the response (trailers).
Trailer | both | Names headers that will appear after the chunked body (trailers).
Transfer-Encoding | both | Hop-by-hop encodings (chunked)—distinct from Content-Encoding.
Upgrade | both | Requests a protocol switch (WebSocket, HTTP/2 upgrade—context-dependent).
User-Agent | request | Client software token string—often parsed for compatibility; can be spoofed.
Vary | response | Tells caches which request headers affect the selected representation.
Via | both | Trace of intermediaries (proxies, gateways) the message passed through.
WWW-Authenticate | response | Authentication scheme and realm for the resource (401 Unauthorized).
X-Content-Type-Options | response | nosniff reduces MIME sniffing attacks—keep with an explicit Content-Type.
X-Forwarded-For | request | De-facto chain of client IPs through proxies—**not** authenticated; validate at the edge.
X-Forwarded-Host | request | Original Host the client used—set by reverse proxies for routing.
X-Forwarded-Proto | request | Original scheme (http/https) as seen by the edge—used behind TLS terminators.
X-Frame-Options | response | Legacy clickjacking mitigation (DENY, SAMEORIGIN); prefer CSP frame-ancestors.
X-Request-ID | both | Correlation id for tracing a single request across services (format not standardized).

Common use cases

  • Look up what Cache-Control or Vary imply before tuning CDN or browser caching.
  • See which headers are request-only versus response-only when reading raw HTTP logs.
  • Cross-check Set-Cookie attributes and CORS-related headers next to status codes and methods.

Common mistakes to avoid

  • Trusting X-Forwarded-* as proof of client identity

    Clients can forge headers unless your edge proxy strips and replaces them—validate at the trusted boundary.

  • Assuming header names are case-sensitive on the wire

    HTTP field names are case-insensitive; this table uses conventional Title-Case for readability.

  • Mixing Content-Encoding and Transfer-Encoding

    Content-Encoding applies to the payload bytes; Transfer-Encoding is hop-by-hop (e.g. chunked).
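The first two mistakes above (trusting X-Forwarded-* blindly, and treating field names as case-sensitive) can be checked in code. The following Python is an added example, not code from this page or from Toolcore: it stores headers case-insensitively and resolves the client address by walking the X-Forwarded-For chain from the right, skipping only hops that are in a configured trusted-proxy list. The trusted networks, the sample header block and the addresses in it are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: address ranges of the reverse proxies we operate. Only
# X-Forwarded-For entries appended by these hops are believed.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("192.0.2.10/32")]


class Headers:
    """Case-insensitive header store: field names are case-insensitive on the wire."""

    def __init__(self, pairs):
        self._items = [(name.strip().lower(), value.strip()) for name, value in pairs]

    def get_all(self, name):
        key = name.lower()
        return [v for n, v in self._items if n == key]

    def get(self, name, default=None):
        values = self.get_all(name)
        # Repeated fields combine into one comma-separated list (HTTP list syntax).
        return ", ".join(values) if values else default


def parse_header_block(raw):
    """Parse 'Name: value' lines (as seen in raw logs) into a Headers object."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        pairs.append((name, value))
    return Headers(pairs)


def client_ip(headers, peer_ip, trusted=TRUSTED_PROXIES):
    """Resolve the real client address behind trusted proxies.

    Walk the X-Forwarded-For chain right to left, starting at the TCP peer.
    Each hop that is a trusted proxy is skipped; the first untrusted address
    is the client. Anything further left was supplied by an untrusted party
    and is ignored. Returns None if the chain contains a malformed entry.
    """

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = ip_address(peer_ip)
    if not is_trusted(peer):
        # Direct connection: the header is unauthenticated, so the peer is the client.
        return str(peer)

    chain = []
    for value in headers.get_all("X-Forwarded-For"):
        chain.extend(part.strip() for part in value.split(",") if part.strip())

    for hop in reversed(chain):
        try:
            ip = ip_address(hop)
        except ValueError:
            return None  # malformed hop: refuse to guess
        if not is_trusted(ip):
            return str(ip)
    # Every hop was one of our proxies (or the header was absent): report the peer.
    return str(peer)


# Constructed sample request headers, with mixed-case names as they may appear in logs.
SAMPLE_REQUEST_HEADERS = """\
host: api.example.test
x-forwarded-for: 203.0.113.7, 10.0.0.9
X-Forwarded-Proto: https
"""

if __name__ == "__main__":
    h = parse_header_block(SAMPLE_REQUEST_HEADERS)
    print(h.get("Host"), client_ip(h, "10.0.0.5"))
```

Usage: feed the raw header block of a request and the TCP peer address; the result is the address your rate limiter or audit log should record. A spoofed leading entry such as `1.2.3.4, 203.0.113.7` still resolves to 203.0.113.7 because the walk stops at the first address that is not one of your proxies.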

FAQ

Is my filter text sent to Toolcore?

No. Search and display run entirely in your browser.

Why is the spelling “Referer”?

The Referer header’s name is the historical misspelling from the HTTP specification—servers expect that exact spelling.

Where are HTTP/2 and HTTP/3 pseudo-headers?

:method, :path, and :status are pseudo-headers on those protocols—this page focuses on common HTTP/1.1-style named fields you still see in APIs and logs.
