HTTP Headers Reference: Request and Response Headers
HTTP headers are the metadata sent with every request and response — they carry content types, caching rules, authentication, cookies, and security policies. Here are the ones you'll meet most, marked by whether they travel with the request, the response, or both. Pairs well with our HTTP status codes reference.
Updated 2026-07-06
| Header | Type | What it does |
|---|---|---|
| Accept | Request | Media types the client can handle (e.g. text/html) |
| Accept-Encoding | Request | Compression the client supports (gzip, br) |
| Accept-Language | Request | Preferred languages (e.g. en-US, ko) |
| Authorization | Request | Credentials — e.g. Bearer <token> or Basic <base64> |
| Cookie | Request | Cookies previously set by the server |
| Host | Request | Domain name of the target server (required in HTTP/1.1) |
| Origin | Request | Origin that initiated the request (used by CORS) |
| Referer | Request | URL of the page that linked to this request |
| User-Agent | Request | Client software making the request (browser, bot) |
| If-None-Match | Request | Conditional request using a stored ETag (for caching) |
| If-Modified-Since | Request | Conditional request based on a last-modified date |
| Range | Request | Request only part of a resource (resumable downloads) |
| Content-Type | Both | Media type of the body (e.g. application/json) |
| Content-Length | Both | Size of the body in bytes |
| Content-Encoding | Response | Compression applied to the body (gzip, br) |
| Cache-Control | Both | Caching rules (e.g. no-cache, max-age=3600) |
| ETag | Response | Version identifier for a resource (enables 304s) |
| Expires | Response | Date after which the response is stale |
| Last-Modified | Response | When the resource was last changed |
| Location | Response | Target URL for a redirect (3xx) or created resource (201) |
| Set-Cookie | Response | Instructs the browser to store a cookie |
| Vary | Response | Which request headers affect the cached response |
| WWW-Authenticate | Response | Authentication method required (sent with 401) |
| Access-Control-Allow-Origin | Response | CORS: which origins may read the response |
| Access-Control-Allow-Methods | Response | CORS: allowed methods for cross-origin requests |
| Strict-Transport-Security | Response | Force HTTPS for future requests (HSTS) |
| Content-Security-Policy | Response | Restrict sources of scripts, styles, images (CSP) |
| X-Frame-Options | Response | Whether the page may be embedded in a frame (clickjacking) |
| X-Content-Type-Options | Response | nosniff — don't guess the content type |
| Retry-After | Response | How long to wait before retrying (with 429 or 503) |
Related tools