An HTTP header is a key-value field sent with a request or response to pass metadata such as content type, caching, authentication and cookies. This reference lists the most common HTTP request and response headers and what they do.

| Header | Type | Purpose |
|---|---|---|
| Accept | Req | Media types the client can handle |
| Accept-Encoding | Req | Compression the client supports (gzip, br) |
| Accept-Language | Req | Preferred languages |
| Authorization | Req | Credentials (e.g. Bearer token) |
| Cache-Control | Both | Caching directives |
| Content-Type | Both | Media type of the body |
| Content-Length | Both | Size of the body in bytes |
| Content-Encoding | Both | Compression applied to the body |
| Cookie | Req | Cookies sent to the server |
| Set-Cookie | Res | Cookies the server asks the browser to store |
| Host | Req | Hostname (and optional port) of the server |
| Origin | Req | Origin (scheme, host, port) of a cross-origin request |
| Referer | Req | URL of the previous page |
| User-Agent | Req | Client/browser identification |
| Location | Res | Redirect target URL |
| ETag | Res | Version identifier for caching |
| Last-Modified | Res | When the resource last changed |
| Expires | Res | When the response becomes stale |
| Access-Control-Allow-Origin | Res | CORS allowed origin |
| Content-Disposition | Res | Inline display or file download |
| X-Frame-Options | Res | Clickjacking protection |
| Strict-Transport-Security | Res | Force HTTPS (HSTS) |
| Content-Security-Policy | Res | Restrict allowed content sources |
| Retry-After | Res | When to retry after 429/503 |