HTTP Headers Reference

Complete reference for HTTP headers with descriptions, examples, and documentation links. Search and filter by type and category.

Authorization | Request | Authentication

Contains credentials for authenticating the client with a server

Authorization: Bearer eyJhbGc...

WWW-Authenticate | Response | Authentication

Defines the authentication method that should be used to access a resource

WWW-Authenticate: Basic realm="Access"

Proxy-Authorization | Request | Authentication

Contains credentials for authenticating with a proxy server

Proxy-Authorization: Basic dXNlcjpwYXNz

Proxy-Authenticate | Response | Authentication

Defines the authentication method for a proxy server

Proxy-Authenticate: Basic

Cache-Control | Both | Caching

Directives for caching mechanisms in requests and responses

Cache-Control: max-age=3600, public

Expires | Response | Caching

Date/time after which the response is considered stale

Expires: Wed, 21 Oct 2025 07:28:00 GMT

ETag | Response | Caching

Identifier for a specific version of a resource

ETag: "33a64df551425fcc55e4d42a148795d9"

If-None-Match | Request | Caching

Makes request conditional; returns 304 if ETag matches

If-None-Match: "33a64df551425fcc55e4d42a148795d9"

If-Modified-Since | Request | Caching

Makes request conditional based on modification date

If-Modified-Since: Wed, 21 Oct 2024 07:28:00 GMT

Last-Modified | Response | Caching

Date and time at which the resource was last modified

Last-Modified: Tue, 15 Nov 2024 12:45:26 GMT

Age | Response | Caching

Time in seconds the object was in a proxy cache

Age: 24

Vary | Response | Caching

Lists the request headers a cache must match when deciding whether a stored response can be reused

Vary: Accept-Encoding, User-Agent

Accept | Request | Content Negotiation

Media types acceptable for the response

Accept: application/json, text/html

Accept-Charset | Request | Content Negotiation

Character encodings acceptable for the response

Accept-Charset: utf-8, iso-8859-1

Accept-Encoding | Request | Content Negotiation

Acceptable content encodings (compression)

Accept-Encoding: gzip, deflate, br

Accept-Language | Request | Content Negotiation

Preferred natural languages for the response

Accept-Language: en-US, en;q=0.9, fr;q=0.8

Content-Type | Both | Content

Media type of the resource/data

Content-Type: application/json; charset=utf-8

Content-Length | Both | Content

Size of the resource in bytes

Content-Length: 348

Content-Encoding | Response | Content

Compression algorithm used on the resource

Content-Encoding: gzip

Content-Language | Response | Content

Natural language(s) of the resource

Content-Language: en-US

Content-Location | Response | Content

Alternate location for the returned data

Content-Location: /documents/foo.json

Content-Disposition | Response | Content

How content should be displayed (inline/attachment)

Content-Disposition: attachment; filename="file.pdf"

Content-Range | Response | Content

Where a partial message belongs in a full body

Content-Range: bytes 200-1000/67589

Access-Control-Allow-Origin | Response | CORS

Specifies origins allowed to access the resource

Access-Control-Allow-Origin: https://example.com

Access-Control-Allow-Methods | Response | CORS

Methods allowed when accessing the resource

Access-Control-Allow-Methods: GET, POST, PUT, DELETE

Access-Control-Allow-Headers | Response | CORS

Headers allowed in the actual request

Access-Control-Allow-Headers: Content-Type, Authorization

Access-Control-Allow-Credentials | Response | CORS

Whether credentials can be exposed to the page

Access-Control-Allow-Credentials: true

Access-Control-Expose-Headers | Response | CORS

Headers that can be exposed to the browser

Access-Control-Expose-Headers: X-Custom-Header

Access-Control-Max-Age | Response | CORS

How long preflight results can be cached

Access-Control-Max-Age: 86400

Access-Control-Request-Method | Request | CORS

Method that will be used in the actual request (preflight)

Access-Control-Request-Method: POST

Access-Control-Request-Headers | Request | CORS

Headers that will be used in the actual request (preflight)

Access-Control-Request-Headers: Content-Type

Origin | Request | CORS

Origin of the request (scheme, host, port)

Origin: https://example.com

Content-Security-Policy | Response | Security

Controls resources the browser is allowed to load

Content-Security-Policy: default-src 'self'; script-src 'self'

Strict-Transport-Security | Response | Security

Forces HTTPS connections (HSTS)

Strict-Transport-Security: max-age=31536000; includeSubDomains

X-Content-Type-Options | Response | Security

Prevents MIME type sniffing

X-Content-Type-Options: nosniff

X-Frame-Options | Response | Security

Controls whether the page can be displayed in an iframe

X-Frame-Options: DENY

X-XSS-Protection | Response | Security

Enables browser XSS filtering (legacy)

X-XSS-Protection: 1; mode=block

Referrer-Policy | Response | Security

Controls how much referrer info is sent

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy | Response | Security

Controls which browser features can be used

Permissions-Policy: geolocation=(), microphone=()

Cross-Origin-Opener-Policy | Response | Security

Isolates browsing context from cross-origin documents

Cross-Origin-Opener-Policy: same-origin

Cross-Origin-Embedder-Policy | Response | Security

Prevents loading cross-origin resources without permission

Cross-Origin-Embedder-Policy: require-corp

Cross-Origin-Resource-Policy | Response | Security

Prevents other domains from loading the resource

Cross-Origin-Resource-Policy: same-site

Connection | Both | Connection

Controls whether the network connection stays open

Connection: keep-alive

Keep-Alive | Both | Connection

Controls how long a persistent connection should stay open

Keep-Alive: timeout=5, max=1000

Upgrade | Both | Connection

Asks to switch to a different protocol (e.g., WebSocket)

Upgrade: websocket

Host | Request | Request Context

Domain name of the server and TCP port number

Host: www.example.com:443

Referer | Request | Request Context

Address of the previous page that linked to this one

Referer: https://example.com/page

User-Agent | Request | Request Context

Identifies the client software making the request

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)...

From | Request | Request Context

Email address of the user making the request

From: webmaster@example.com

Server | Response | Response Context

Information about the software used by the origin server

Server: nginx/1.18.0

Location | Response | Response Context

URL to redirect a page to

Location: https://example.com/new-page

Date | Response | Response Context

Date and time the message was sent

Date: Wed, 21 Oct 2024 07:28:00 GMT

Retry-After | Response | Response Context

How long to wait before making a new request

Retry-After: 120

Cookie | Request | Cookies

HTTP cookies previously sent by the server

Cookie: sessionId=abc123; theme=dark

Set-Cookie | Response | Cookies

Sends a cookie from the server to the client

Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2024 07:28:00 GMT; Secure; HttpOnly

Range | Request | Range Requests

Request only part of a resource

Range: bytes=200-1000

Accept-Ranges | Response | Range Requests

Whether the server supports range requests

Accept-Ranges: bytes

If-Range | Request | Range Requests

Makes a range request conditional

If-Range: "67ab43"

📚 Quick Reference

Common Security Headers:
  • Content-Security-Policy - XSS protection
  • Strict-Transport-Security - Force HTTPS
  • X-Content-Type-Options - Prevent MIME sniffing
  • X-Frame-Options - Clickjacking protection

Common Caching Headers:
  • Cache-Control - Full cache control
  • ETag - Resource versioning
  • Last-Modified - Modification date
  • Vary - Cache key variations