DevToolsForYou

HTTP Headers Cheatsheet

A quick reference for common HTTP request and response headers — authentication, caching, content negotiation, CORS, and security headers.

Updated Apr 11, 2026

Sections

  1. Common Request Headers
  2. Common Response Headers
  3. Cache-Control Directives
  4. CORS Headers
  5. Security Headers

Common Request Headers

| Header | Example Value | Description |
|---|---|---|
| Accept | application/json, text/html | Media types the client can handle |
| Accept-Language | en-US,en;q=0.9 | Preferred response language |
| Accept-Encoding | gzip, deflate, br | Supported content encodings |
| Authorization | Bearer <token> | Authentication credentials |
| Content-Type | application/json | Media type of the request body |
| Content-Length | 348 | Size of the request body in bytes |
| Cookie | session=abc123 | Stored cookies sent to the server |
| Host | api.example.com | Target host (required in HTTP/1.1) |
| Origin | https://example.com | Origin of a cross-site request |
| Referer | https://example.com/page | URL of the referring page |
| User-Agent | Mozilla/5.0 … | Client software identifier |
| X-Requested-With | XMLHttpRequest | Identifies AJAX requests (non-standard) |
| If-None-Match | "abc123" | Conditional request — return 304 if ETag matches |
| If-Modified-Since | Mon, 01 Jan 2024 00:00:00 GMT | Conditional request — return 304 if not modified |

Common Response Headers

| Header | Example Value | Description |
|---|---|---|
| Content-Type | application/json; charset=utf-8 | Media type of the response body |
| Content-Length | 1234 | Size of the response body in bytes |
| Content-Encoding | gzip | Encoding applied to the response body |
| Set-Cookie | session=abc; HttpOnly; Secure | Set a cookie on the client |
| Location | https://example.com/new-path | Redirect destination (used with 3xx status) |
| ETag | "33a64df5" | Identifier for a specific resource version |
| Last-Modified | Mon, 01 Jan 2024 00:00:00 GMT | Date the resource was last changed |
| Vary | Accept-Encoding, Accept-Language | Tells caches which request headers affect the response |
| WWW-Authenticate | Bearer realm="api" | Authentication challenge for 401 responses |
| Retry-After | 120 | Seconds to wait before retrying (429 / 503) |

Cache-Control Directives

| Directive | Used In | Description |
|---|---|---|
| no-store | Request / Response | Do not cache at all — for sensitive data |
| no-cache | Request / Response | Revalidate with server before using cached copy |
| max-age=<seconds> | Response | Cache for up to N seconds |
| s-maxage=<seconds> | Response | Shared cache (CDN) TTL — overrides max-age for proxies |
| public | Response | May be cached by any cache (browser, CDN) |
| private | Response | Only the user's browser may cache it |
| must-revalidate | Response | Once stale, must revalidate before use |
| immutable | Response | Content will never change — skip revalidation during max-age |
| stale-while-revalidate=<s> | Response | Serve stale while fetching fresh copy in background |

CORS Headers

| Header | Direction | Description |
|---|---|---|
| Origin | Request | Sent automatically by browser on cross-origin requests |
| Access-Control-Allow-Origin | Response | Which origins may read the response (* or specific origin) |
| Access-Control-Allow-Methods | Response | Allowed HTTP methods for the actual request |
| Access-Control-Allow-Headers | Response | Allowed request headers in the actual request |
| Access-Control-Allow-Credentials | Response | true to allow cookies / auth headers in cross-origin requests |
| Access-Control-Max-Age | Response | How long (seconds) to cache preflight response |
| Access-Control-Expose-Headers | Response | Response headers the browser JS may access |

Security Headers

| Header | Example Value | Description |
|---|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains | HSTS — browser uses HTTPS only for this host for the given period |
| Content-Security-Policy | default-src 'self'; script-src 'self' | CSP — restrict resource origins to mitigate XSS |
| X-Content-Type-Options | nosniff | Prevent MIME-type sniffing |
| X-Frame-Options | DENY or SAMEORIGIN | Prevent clickjacking via iframes |
| Referrer-Policy | strict-origin-when-cross-origin | Control how much referrer info is sent |
| Permissions-Policy | camera=(), microphone=() | Restrict browser feature access |
| Cross-Origin-Opener-Policy | same-origin | Isolate the browsing context from cross-origin windows |
| Cross-Origin-Resource-Policy | same-origin | Prevent other origins from loading this resource |
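The Security Headers, CORS and Cache-Control tables describe each header in isolation; the following added example (written for this page, not code from DevToolsForYou) ties them into one small response-header audit that flags the weak values the tables warn about. It assumes two constructed sample responses and a single Set-Cookie value per response.

```python
import re
from typing import Dict, List

def parse_directives(value: str, sep: str = r"[;,]") -> Dict[str, str]:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}.
    Names are lower-cased, quotes stripped; pass sep=';' for Set-Cookie so a comma in an Expires date survives."""
    out: Dict[str, str] = {}
    for part in re.split(sep, value):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out

def audit_response_headers(headers: Dict[str, str], authenticated: bool = False) -> List[str]:
    """Check one response's headers against the cheatsheet; returns findings (empty list = clean).
    Assumes a single Set-Cookie value; a real response may carry several Set-Cookie headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    hsts = parse_directives(h.get("strict-transport-security", ""))
    if not hsts.get("max-age", "").isdigit() or int(hsts["max-age"]) < 31536000:  # one year
        findings.append("HSTS missing or max-age shorter than one year")
    if "content-security-policy" not in h:
        findings.append("no Content-Security-Policy")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")
    if h.get("access-control-allow-origin") == "*" and h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("Access-Control-Allow-Origin * with Allow-Credentials true (browsers reject this pair)")
    cookie = parse_directives(h.get("set-cookie", ""), sep=";")
    for attr in ("Secure", "HttpOnly"):
        if cookie and attr.lower() not in cookie:
            findings.append(f"Set-Cookie lacks {attr}")
    cc = parse_directives(h.get("cache-control", ""))
    if authenticated and "no-store" not in cc:
        findings.append("authenticated response without Cache-Control: no-store")
    if authenticated and "public" in cc:
        findings.append("Cache-Control: public on an authenticated response")
    return findings

# Constructed sample responses for demonstration (not captured from any real server).
WEAK = {"Content-Type": "application/json", "Strict-Transport-Security": "max-age=300",
        "Set-Cookie": "session=abc123", "Cache-Control": "public, max-age=3600",
        "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Credentials": "true"}
HARDENED = {"Content-Type": "application/json; charset=utf-8", "X-Frame-Options": "DENY",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'",
            "X-Content-Type-Options": "nosniff", "Set-Cookie": "session=abc; HttpOnly; Secure",
            "Cache-Control": "no-store", "Access-Control-Allow-Origin": "https://example.com",
            "Access-Control-Allow-Credentials": "true"}
```

Calling `audit_response_headers(WEAK, authenticated=True)` returns nine findings, while the hardened response returns none.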