HTTP headers are key-value pairs exchanged between a client and a server with every HTTP request and response. They carry metadata about the message, the content, the connection, security policies, caching rules, and more. Understanding headers is fundamental to web development, API design, and debugging network issues.
Structure of HTTP Headers
Every header follows the format: Header-Name: value. Header names are case-insensitive. Values follow rules specific to each header. Multiple values for the same header may be combined with commas or sent as separate header fields depending on the header type.
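The rules above (case-insensitive names, comma-combinable list values, and the exception for headers that must stay as separate fields) are easy to get wrong when parsing by hand. The following parser is an added example written for this page, not code from the DevHexLab tool; the sample header lines are constructed, and the NON_LIST_HEADERS set is an assumption that covers the one exception every parser must know about, Set-Cookie (RFC 6265), whose values cannot be comma-joined without corrupting the cookies.

```python
from collections import defaultdict

# Constructed sample: raw header lines as they arrive on the wire. Note the
# mixed-case names and the repeated Vary and Set-Cookie fields.
RAW_HEADERS = """\
content-type: text/html; charset=utf-8
Vary: Accept-Encoding
vary: Origin
Set-Cookie: session=abc123; HttpOnly; Secure
Set-Cookie: theme=dark; Path=/
cache-control: no-store
"""

# Headers whose repeated values must NOT be joined with commas (assumption:
# only Set-Cookie is listed here; extend as needed for your application).
NON_LIST_HEADERS = {"set-cookie"}


def parse_headers(raw):
    """Parse raw header lines into {lower-cased name: [value, ...]}.

    Every value is kept as its own list entry in arrival order, so the
    combine-or-not decision is deferred to the lookup functions below.
    """
    parsed = defaultdict(list)
    for line in raw.splitlines():
        if not line.strip():
            continue  # blank line terminates the header block
        name, sep, value = line.partition(":")  # split on the FIRST colon only
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        parsed[name.strip().lower()].append(value.strip())
    return dict(parsed)


def get_header(headers, name):
    """Case-insensitive lookup returning the comma-combined value, or None.

    Refuses to combine Set-Cookie, which must be read with get_all().
    """
    key = name.lower()
    if key in NON_LIST_HEADERS:
        raise ValueError(f"{name} fields cannot be combined; use get_all()")
    values = headers.get(key)
    # Repeated list-valued fields may be joined with ", " (RFC 9110).
    return ", ".join(values) if values else None


def get_all(headers, name):
    """Every field value sent under this name, in order, as a list."""
    return list(headers.get(name.lower(), []))


if __name__ == "__main__":
    parsed = parse_headers(RAW_HEADERS)
    print(get_header(parsed, "VARY"))          # Accept-Encoding, Origin
    print(get_all(parsed, "Set-Cookie"))        # two separate cookie strings
```

Keying the dictionary by the lower-cased name is what makes the lookup case-insensitive; keeping a list per name is what lets Set-Cookie survive intact while Vary and similar headers are combined on demand.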
Request Headers
Request headers are sent by the client (browser or application) to the server.
Accept: tells the server what content types the client can process. For example, Accept: application/json tells the server to respond with JSON if possible.
Accept-Language: indicates the client's preferred languages for the response content.
Authorization: carries credentials for authentication. Common values include Bearer tokens for OAuth and Basic credentials encoded in base64.
Content-Type: when the request has a body (POST, PUT, PATCH), this header identifies the format of that body. Common values are application/json and application/x-www-form-urlencoded.
Content-Length: the size of the request body in bytes.
Cookie: sends stored cookies to the server.
Host: required in HTTP/1.1, specifies the domain name and port of the server being contacted.
Origin: sent in CORS requests, identifies the origin (scheme, hostname, port) of the requesting page.
Referer: the URL of the page that linked to the current request (note: the header name is a historical misspelling of "referrer").
User-Agent: identifies the client software making the request, including browser, version, and platform.
Response Headers
Response headers are sent by the server back to the client.
Access-Control-Allow-Origin: the most important CORS header. Tells the browser which origins are allowed to access the response. A value of * allows any origin.
Cache-Control: instructs both browsers and intermediate caches on caching behavior. Values like no-store, no-cache, max-age=3600, and public control whether and how long responses are cached.
Content-Encoding: indicates compression applied to the response body. Common values are gzip and br (Brotli).
Content-Type: identifies the format of the response body. Includes a charset parameter for text formats.
ETag: a validator token that represents a specific version of a resource. Clients send it in subsequent requests with If-None-Match to check if the resource has changed.
Last-Modified: the date and time the resource was last changed. Clients use it with If-Modified-Since for conditional requests.
Location: used with redirect responses (3xx) to specify the URL the client should navigate to.
Set-Cookie: instructs the browser to store a cookie. Attributes include Expires, HttpOnly, Secure, SameSite, and Domain.
Strict-Transport-Security (HSTS): tells browsers to only access the site over HTTPS for a specified duration, preventing protocol downgrade attacks.
X-Content-Type-Options: when set to nosniff, prevents browsers from guessing the content type and forces them to respect the declared Content-Type.
X-Frame-Options: controls whether the page can be embedded in an iframe. Values are DENY, SAMEORIGIN, and ALLOW-FROM.
Content-Security-Policy (CSP): a powerful security header that controls which resources (scripts, styles, images, frames) are permitted to load on a page, mitigating XSS and injection attacks.
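The ETag and Last-Modified entries above describe a round trip: the server emits validators, the client echoes them back in If-None-Match or If-Modified-Since, and the server answers 304 Not Modified when nothing changed. The server side of that exchange, as an added example that is not part of this page or the DevHexLab tool: the resource, its timestamp and the content-hash ETag scheme are constructed assumptions, and the one-hour Cache-Control value is illustrative.

```python
import hashlib
from datetime import timezone
from email.utils import formatdate, parsedate_to_datetime

# Constructed sample resource standing in for a file or database row.
RESOURCE = {
    "body": b'{"id": 42, "name": "widget"}',
    "last_modified": 1700000000,  # Unix seconds: Tue, 14 Nov 2023 22:13:20 GMT
}


def make_etag(body):
    """Strong validator derived from the body bytes (assumed scheme; real
    servers often use size plus mtime or a full content hash)."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def _etag_matches(if_none_match, etag):
    """Weak comparison of If-None-Match (a comma list, or '*') against the ETag."""
    if if_none_match.strip() == "*":
        return True
    strip_weak = lambda t: t[2:] if t.startswith("W/") else t
    candidates = [strip_weak(t.strip()) for t in if_none_match.split(",")]
    return strip_weak(etag) in candidates


def build_response(request_headers, resource):
    """Return (status, headers, body), honouring the conditional request headers."""
    req = {k.lower(): v for k, v in request_headers.items()}  # names are case-insensitive
    etag = make_etag(resource["body"])
    headers = {
        "ETag": etag,
        "Last-Modified": formatdate(resource["last_modified"], usegmt=True),
        "Cache-Control": "max-age=3600",
    }

    not_modified = False
    if "if-none-match" in req:
        # If-None-Match wins; If-Modified-Since is ignored when both are present (RFC 9110).
        not_modified = _etag_matches(req["if-none-match"], etag)
    elif "if-modified-since" in req:
        try:
            since = parsedate_to_datetime(req["if-modified-since"])
            if since.tzinfo is None:  # "-0000" dates come back naive; treat as UTC
                since = since.replace(tzinfo=timezone.utc)
            not_modified = resource["last_modified"] <= since.timestamp()
        except (TypeError, ValueError):
            not_modified = False  # unparseable date: fall back to a full response

    if not_modified:
        # 304 repeats the validators but carries no body; the client reuses its copy.
        return 304, headers, b""
    headers["Content-Type"] = "application/json"
    headers["Content-Length"] = str(len(resource["body"]))
    return 200, headers, resource["body"]


if __name__ == "__main__":
    status, hdrs, _ = build_response({}, RESOURCE)
    print(status, hdrs["ETag"], hdrs["Last-Modified"])
    print(build_response({"If-None-Match": hdrs["ETag"]}, RESOURCE)[0])  # 304
```

The precedence rule matters in practice: a client that sends a stale If-Modified-Since alongside a current If-None-Match still gets a 304, and a client whose ETag no longer matches gets the full body even if its date would have passed.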
Security-Critical Headers
A minimal set of security headers for any web application includes: Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy. These four together address the most common browser-level attack vectors.
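A quick way to turn this minimal set into a check is to audit a response's headers for each one, plus the Set-Cookie attributes and the CORS wildcard described earlier. The audit below is an added example written for this page, not DevHexLab code; the two header sets are constructed, the one-year HSTS max-age threshold is an assumed policy value, and treating X-Frame-Options ALLOW-FROM as no restriction reflects that current browsers no longer honour it.

```python
# Constructed sample responses: a weak configuration and a hardened one.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Set-Cookie": ["session=abc123; Path=/"],
}

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

MIN_HSTS_MAX_AGE = 31536000  # assumed policy: one year


def _directive(header_value, name):
    """Return the value of `name=...` inside a ';'-separated header, or None."""
    for part in header_value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == name:
            return val.strip()
    return None


def audit_security_headers(headers):
    """Return a list of findings; an empty list means the minimal set is present.

    `headers` maps name -> value, except Set-Cookie, which maps to a list of
    values because each cookie is its own header field.
    """
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = _directive(hsts, "max-age")
        if not (max_age and max_age.isdigit()) or int(max_age) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age shorter than one year")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")

    # Framing: DENY/SAMEORIGIN or a CSP frame-ancestors directive counts;
    # ALLOW-FROM is ignored by current browsers, so it is treated as absent.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and (csp is None or "frame-ancestors" not in csp):
        findings.append("no effective framing restriction (X-Frame-Options or CSP frame-ancestors)")

    # CORS: '*' together with credentials is refused by browsers and signals
    # a misconfiguration rather than a working policy.
    if (h.get("access-control-allow-origin", "").strip() == "*"
            and h.get("access-control-allow-credentials", "").strip().lower() == "true"):
        findings.append("Access-Control-Allow-Origin '*' combined with Allow-Credentials true")

    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for required in ("secure", "httponly", "samesite"):
            if required not in attrs:
                findings.append(f"cookie {name!r} lacks {required}")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or "OK")
```

Running it against a captured response (for instance the headers printed by a browser's network panel) gives a short, actionable list; the hardened sample returns no findings, the weak one returns eight.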
Using the DevHexLab HTTP Headers Reference
Open the tool at /tools/reference/http-headers-reference. Browse or search the complete header list with descriptions, allowed values, and usage examples. Use it as a quick lookup when building APIs, configuring servers, or debugging network behavior.