RUNWEBTOOLS
English

HTTP Headers Reference: Request and Response Headers

HTTP headers are the metadata sent with every request and response — they carry content types, caching rules, authentication, cookies, and security policies. Here are the ones you'll meet most, marked by whether they travel with the request, the response, or both. Pairs well with our HTTP status codes reference.

Updated 2026-07-06

HeaderTypeWhat it does
AcceptRequestMedia types the client can handle (e.g. text/html)
Accept-EncodingRequestCompression the client supports (gzip, br)
Accept-LanguageRequestPreferred languages (e.g. en-US, ko)
AuthorizationRequestCredentials — e.g. Bearer <token> or Basic <base64>
CookieRequestCookies previously set by the server
HostRequestDomain name of the target server (required in HTTP/1.1)
OriginRequestOrigin that initiated the request (used by CORS)
RefererRequestURL of the page that linked to this request
User-AgentRequestClient software making the request (browser, bot)
If-None-MatchRequestConditional request using a stored ETag (for caching)
If-Modified-SinceRequestConditional request based on a last-modified date
RangeRequestRequest only part of a resource (resumable downloads)
Content-TypeBothMedia type of the body (e.g. application/json)
Content-LengthBothSize of the body in bytes
Content-EncodingResponseCompression applied to the body (gzip, br)
Cache-ControlBothCaching rules (e.g. no-cache, max-age=3600)
ETagResponseVersion identifier for a resource (enables 304s)
ExpiresResponseDate after which the response is stale
Last-ModifiedResponseWhen the resource was last changed
LocationResponseTarget URL for a redirect (3xx) or created resource (201)
Set-CookieResponseInstructs the browser to store a cookie
VaryResponseWhich request headers affect the cached response
WWW-AuthenticateResponseAuthentication method required (sent with 401)
Access-Control-Allow-OriginResponseCORS: which origins may read the response
Access-Control-Allow-MethodsResponseCORS: allowed methods for cross-origin requests
Strict-Transport-SecurityResponseForce HTTPS for future requests (HSTS)
Content-Security-PolicyResponseRestrict sources of scripts, styles, images (CSP)
X-Frame-OptionsResponseWhether the page may be embedded in a frame (clickjacking)
X-Content-Type-OptionsResponsenosniff — don't guess the content type
Retry-AfterResponseHow long to wait before retrying (with 429 or 503)

Related tools