HTTP Headers Cheat Sheet

HTTP headers are key-value pairs sent between the client and server that provide metadata about the request or response. They control authentication, caching, content negotiation, security, and connection behavior.


Request Headers

Host

Specifies the domain name of the server being requested.

Host: api.example.com
GET /users HTTP/1.1
Host: api.example.com

User-Agent

Identifies the client making the request.

User-Agent: Mozilla/5.0
GET / HTTP/1.1
User-Agent: curl/8.0

Accept

Indicates which content types the client can process.

Accept: application/json
GET /users HTTP/1.1
Accept: application/json

Authorization

Carries authentication credentials.

Authorization: Bearer <token>
GET /profile HTTP/1.1
Authorization: Bearer eyJhbGciOi...

Content-Type

Specifies the media type of the request body.

Content-Type: application/json
POST /users HTTP/1.1
Content-Type: application/json

Content-Length

Indicates the size of the request body in bytes.

Content-Length: 348
POST /upload HTTP/1.1
Content-Length: 348

Cookie

Sends stored cookies to the server.

Cookie: session_id=abc123
GET /dashboard HTTP/1.1
Cookie: session_id=abc123

Response Headers

Server

Identifies the server software.

Server: nginx
HTTP/1.1 200 OK
Server: nginx

Set-Cookie

Sends cookies from the server to the client. The HttpOnly attribute keeps the cookie out of reach of page scripts.

Set-Cookie: session_id=abc123; HttpOnly
HTTP/1.1 200 OK
Set-Cookie: session_id=abc123; HttpOnly

Content-Type

Indicates the media type of the response body.

Content-Type: application/json
HTTP/1.1 200 OK
Content-Type: application/json

Content-Length

Specifies the size of the response body.

Content-Length: 512
HTTP/1.1 200 OK
Content-Length: 512

Cache-Control

Controls caching behavior: no-cache requires a stored copy to be revalidated with the server before reuse, while no-store forbids storing the response at all.

Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: no-store

Location

Specifies the URL to redirect to.

Location: /new-endpoint
HTTP/1.1 301 Moved Permanently
Location: /new-endpoint

Caching Headers

Expires

Defines when a response is considered stale.

Expires: Wed, 21 Oct 2025 07:28:00 GMT
HTTP/1.1 200 OK
Expires: Wed, 21 Oct 2025 07:28:00 GMT

ETag

Provides a unique identifier for a resource version; the client echoes it in If-None-Match to revalidate a cached copy.

ETag: "686897696a7c876b7e"
GET /style.css HTTP/1.1
If-None-Match: "686897696a7c876b7e"

Last-Modified

Indicates the last modification time of the resource; the client echoes it in If-Modified-Since to revalidate a cached copy.

Last-Modified: Tue, 15 Nov 2024 12:45:26 GMT
GET /index.html HTTP/1.1
If-Modified-Since: Tue, 15 Nov 2024 12:45:26 GMT

Security Headers

CORS (Access-Control-Allow-Origin)

Controls which origins may read the response cross-origin. The wildcard * allows any origin and is rejected by browsers for credentialed requests.

Access-Control-Allow-Origin: *
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *

Strict-Transport-Security

Instructs browsers to reach the site only over HTTPS for max-age seconds (31536000 is one year).

Strict-Transport-Security: max-age=31536000
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000

X-Content-Type-Options

Prevents browsers from guessing a content type that differs from the declared Content-Type.

X-Content-Type-Options: nosniff
HTTP/1.1 200 OK
X-Content-Type-Options: nosniff

Content-Security-Policy

Restricts where the page may load scripts, styles and other resources from; default-src 'self' limits them to the page's own origin.

Content-Security-Policy: default-src 'self'
HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'
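The security headers above are easiest to check together. The following audit script is an added example (not part of this cheat sheet); it parses a raw HTTP/1.1 response, flags the weaknesses discussed in this section, and is run here against two constructed sample responses, one weak and one carrying the recommended values.

```python
import re
from typing import Dict, List
# Constructed sample response (not from a real server); every check below fails on it.
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session_id=abc123\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "Cache-Control: no-cache\r\n\r\n{\"ok\": true}"
)
# The same response carrying the values the cheat sheet recommends.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: session_id=abc123; HttpOnly; Secure\r\n"
    "Access-Control-Allow-Origin: https://app.example.com\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Cache-Control: no-store\r\n\r\n{\"ok\": true}"
)
def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Map lower-cased header name -> list of values (Set-Cookie may repeat)."""
    headers: Dict[str, List[str]] = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers
def audit(raw: str) -> List[str]:
    """Return findings; an empty list means the response passed every check."""
    h = parse_headers(raw)
    first = lambda name: h.get(name, [""])[0]  # first value, "" if absent
    findings = []
    age = re.search(r"max-age=(\d+)", first("strict-transport-security"), re.I)
    if not age or int(age.group(1)) < 31536000:
        findings.append("HSTS missing or max-age below one year")
    if "nosniff" not in first("x-content-type-options").lower():
        findings.append("X-Content-Type-Options: nosniff missing")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    if first("access-control-allow-origin") == "*" and first("access-control-allow-credentials").lower() == "true":
        findings.append("Access-Control-Allow-Origin: * combined with credentials")
    for cookie in h.get("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if not {"httponly", "secure"} <= attrs:
            findings.append(f"cookie {cookie.partition('=')[0]} lacks HttpOnly or Secure")
    if "no-store" not in first("cache-control").lower():
        findings.append("Cache-Control: no-store not set")
    return findings
```

audit(WEAK) reports six findings, one per check; audit(HARDENED) returns an empty list.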