HTTP Headers Every Developer Should Know
HTTP headers control caching, security, CORS, content negotiation, and more. This guide covers the 20 most important headers with real-world examples and the common mistakes that cause bugs in production.
What Are HTTP Headers?
HTTP headers are key-value metadata fields attached to every request and response. They travel alongside the body and tell both parties how to handle the exchange: what format the content is in, how long to cache it, who is allowed to read it, and what security policies apply.
Headers are plain text and their names are case-insensitive (HTTP/2 and HTTP/3 require them to be lowercase on the wire). You can inspect them in the browser's Network tab or with tools like curl.
Request Headers
| Header | Example | Purpose |
|---|---|---|
| Authorization | Bearer eyJhbGci... | Carries credentials for API authentication: Bearer tokens (JWT), Basic auth (Base64 user:pass), API keys. |
| Content-Type | application/json | Tells the server what format the request body is in. Required for POST/PUT requests with a body. |
| Accept | application/json, text/html | Tells the server what response formats the client can handle. Used for content negotiation. |
| Cookie | session=abc123 | Sends stored cookies to the server. Automatically added by the browser. |
| Origin | https://app.example.com | Indicates the origin of the request. Added by the browser for cross-origin requests; key to CORS. |
| User-Agent | Mozilla/5.0... | Identifies the client software making the request. Used for analytics and device detection. |
| If-None-Match | "abc123" | Sends a cached ETag back to the server. The server returns 304 Not Modified if the content is unchanged, which saves bandwidth. |
Response Headers
| Header | Example | Purpose |
|---|---|---|
| Cache-Control | max-age=3600, must-revalidate | Controls how and for how long responses are cached by browsers and CDNs. One of the most important performance headers. |
| Content-Type | application/json; charset=utf-8 | Tells the client what format the response body is in. Always include charset for text types. |
| ETag | "33a64df5" | A fingerprint of the response content. The client sends it back in If-None-Match for conditional requests. |
| Location | https://example.com/new-url | Used with 3xx redirects and 201 Created responses to indicate the target URL. |
| Set-Cookie | session=abc; HttpOnly; Secure; SameSite=Strict | Sets a cookie on the client. Always set HttpOnly, Secure, and SameSite for auth cookies. |
| Vary | Accept-Encoding, Accept-Language | Tells caches which request headers affect the response. Critical for proper cache invalidation. |
Security Headers
| Header | Example | Purpose |
|---|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload | Forces browsers to use HTTPS. Once set, the browser refuses to connect over HTTP for the duration of max-age. |
| Content-Security-Policy | default-src 'self'; script-src 'self' cdn.example.com | Restricts which resources the browser can load. The most powerful XSS mitigation available in HTTP. |
| X-Frame-Options | DENY | Prevents your page from being embedded in iframes. Protects against clickjacking. Superseded by CSP frame-ancestors, but still widely supported. |
| X-Content-Type-Options | nosniff | Prevents browsers from MIME-sniffing responses. Always set this: it costs nothing and stops a real attack class. |
| Permissions-Policy | camera=(), microphone=(), geolocation=(self) | Controls which browser features the page can use. Replaces the older Feature-Policy header. |
| Referrer-Policy | strict-origin-when-cross-origin | Controls how much referrer information is sent with requests. Protects user privacy. |
CORS Headers
| Header | Example | Purpose |
|---|---|---|
| Access-Control-Allow-Origin | https://app.example.com | Tells the browser which origins can read the response. Use specific origins in production, never * for credentialed requests. |
| Access-Control-Allow-Methods | GET, POST, PUT, DELETE | Which HTTP methods are allowed in cross-origin requests. Returned in the preflight response. |
| Access-Control-Allow-Headers | Content-Type, Authorization | Which request headers are allowed. Any custom header must be listed here. |
| Access-Control-Max-Age | 86400 | How long (in seconds) the browser can cache the preflight result. Reduces OPTIONS requests. |
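The checks in the Response, Security and CORS tables can be turned into a small audit. This is an added example, not code from the original article: it takes a response's headers as (name, value) pairs, flags a missing or short HSTS policy, a missing CSP, a missing nosniff, cookies without HttpOnly/Secure/SameSite, and a wildcard Access-Control-Allow-Origin paired with Access-Control-Allow-Credentials (a real CORS header not listed in the table). The sample header sets at the bottom are constructed, not captured from any site.

```python
import re

ONE_YEAR = 31536000  # HSTS max-age the guide recommends


def get_all(headers, name):
    """Case-insensitive lookup returning every value (Set-Cookie can repeat)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def audit_headers(headers):
    """Return findings for a response given as a list of (name, value) pairs."""
    findings = []
    hsts = get_all(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
    if not get_all(headers, "Content-Security-Policy"):
        findings.append("missing Content-Security-Policy")
    if [v.strip().lower() for v in get_all(headers, "X-Content-Type-Options")] != ["nosniff"]:
        findings.append("X-Content-Type-Options is not 'nosniff'")
    # Every Set-Cookie needs HttpOnly, Secure and SameSite (attribute names are case-insensitive).
    for cookie in get_all(headers, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("httponly", "secure", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    # '*' with credentials is rejected by browsers and signals a misconfigured CORS policy.
    acao = get_all(headers, "Access-Control-Allow-Origin")
    creds = get_all(headers, "Access-Control-Allow-Credentials")
    if acao and acao[0].strip() == "*" and creds and creds[0].strip().lower() == "true":
        findings.append("Access-Control-Allow-Origin '*' with credentials")
    return findings


# Constructed sample responses, not captured from any real site.
WEAK = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' cdn.example.com"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc; HttpOnly; Secure; SameSite=Strict"),
]
```

`audit_headers(WEAK)` returns seven findings and `audit_headers(HARDENED)` returns none; the same function can be fed the header list from any HTTP client that exposes raw response headers.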
Cache-Control Deep Dive
Cache-Control is the most impactful performance header and the most frequently misconfigured. These are the directives you need to know:
| Directive | Meaning |
|---|---|
| max-age=N | Cache for N seconds from the request time |
| s-maxage=N | Like max-age but for shared caches (CDNs) only |
| no-cache | Revalidate with server before using cached copy (not 'no caching') |
| no-store | Never cache — use for sensitive data |
| must-revalidate | Once stale, must revalidate — do not serve stale content |
| immutable | Content will never change — skip revalidation entirely (use with content hashes) |
| private | Only the end user's browser may cache — not CDNs |
| public | Any cache (browser, CDN, proxy) may store the response |
| stale-while-revalidate=N | Serve stale content for N seconds while fetching a fresh copy in the background |
```text
// Good cache strategy for static assets with content hashes:
Cache-Control: public, max-age=31536000, immutable
// HTML pages — always revalidate:
Cache-Control: no-cache
// API responses with user data:
Cache-Control: private, no-store
```
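To make the directive table concrete, here is an added example (not from the original article) that parses a Cache-Control value and summarises what a browser cache and a shared cache such as a CDN may do with it. It applies the rules from the table (no-store beats everything, private excludes shared caches, s-maxage overrides max-age for shared caches only, no-cache means revalidate rather than "do not cache") and flags the common mistake of serving a user-specific response with a policy a CDN may store. It is a simplified model, not a full RFC 9111 implementation, and the EXAMPLES dict is constructed.

```python
def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def cache_policy(value, authenticated=False):
    """Summarise what browser and shared caches may do with a response.

    `authenticated` marks a response to a request that carried cookies or an
    Authorization header; such responses need 'private' or 'no-store'.
    """
    d = parse_cache_control(value)
    policy = {"store": "none", "browser_fresh_for": 0, "shared_fresh_for": 0,
              "revalidate": False, "immutable": False, "warning": None}
    if "no-store" in d:
        return policy  # nothing may be written to any cache
    shared_ok = "private" not in d
    browser_ttl = int(d.get("max-age") or 0)
    # Shared caches prefer s-maxage over max-age; browsers ignore s-maxage.
    shared_ttl = int(d.get("s-maxage") or browser_ttl) if shared_ok else 0
    policy.update({
        "store": "browser+shared" if shared_ok else "browser-only",
        "browser_fresh_for": browser_ttl,
        "shared_fresh_for": shared_ttl,
        # no-cache means 'store, but ask the server before reusing', not 'do not cache'.
        "revalidate": "no-cache" in d or browser_ttl == 0,
        "immutable": "immutable" in d,
    })
    if authenticated and shared_ok:
        policy["warning"] = "user-specific response is storable by CDNs; add private or no-store"
    return policy


# The three strategies from the block above, plus a common mistake (constructed).
EXAMPLES = {
    "static asset": "public, max-age=31536000, immutable",
    "html page": "no-cache",
    "user data": "private, no-store",
    "mistake": "public, max-age=60",  # user data served with a CDN-cacheable policy
}
```

Calling `cache_policy(EXAMPLES["mistake"], authenticated=True)` is the case to watch for: the response is fresh for 60 seconds in any shared cache, so one user's data can be served to the next.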