
HTTP Headers Cheatsheet

Every HTTP header you need to know — request, response, CORS, security, caching, and content negotiation. Each with example values and clear explanations for real-world usage.

Request Headers

Accept: application/json, text/html;q=0.9, */*;q=0.8

Media types the client can handle. Servers use this to pick the best response format. The q parameter sets priority (0-1).

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Credentials for authenticating the client. Common schemes: Bearer (JWT/OAuth 2.0 tokens), Basic (base64 of user:pass, which is encoding, not encryption), Digest, and vendor-specific API-key schemes. Send it only over HTTPS and keep it out of logs. Shared caches must not store a response to a request that carried Authorization unless Cache-Control explicitly allows it (public, s-maxage or must-revalidate).

Cache-Control: no-cache

Directives for request caching. no-cache forces revalidation, no-store prevents caching, max-age=0 treats cached copy as stale.

Content-Type: application/json; charset=utf-8

Media type of the request body. Send it with any request that has a body (POST/PUT/PATCH). Common values: application/json, multipart/form-data, application/x-www-form-urlencoded. Servers should reject bodies whose Content-Type they do not expect rather than guessing: a JSON endpoint that also tolerates text/plain or form-encoded bodies can be reached by a cross-origin request that needs no CORS preflight.

Cookie: session_id=abc123; theme=dark; lang=en

Cookies previously set by the server via Set-Cookie. Sent automatically on every request to the matching domain and path, subject to each cookie's Secure and SameSite attributes. The browser attaches them whether or not page script asked for the request, which is why cookie-authenticated endpoints need CSRF protection.

Host: api.example.com:443

The domain name (and optional port) of the target server. Required in HTTP/1.1. Enables virtual hosting (multiple sites on one IP). Treat it as attacker-controlled: validate it against an allowlist of your own hostnames before using it to build absolute URLs (password-reset links, redirects) or to select a tenant.

Origin: https://myapp.example.com

The origin (scheme + host + port, no path) of the page initiating the request. Browsers send it on all cross-origin requests and on same-origin requests whose method is not GET or HEAD; the value can be the literal string null (sandboxed iframes, some redirects). Used by CORS and as a CSRF signal.

Referer: https://example.com/products?page=2

URL of the page that linked to the current request, minus any fragment. Useful for analytics and logging. Referrer-Policy controls how much is sent; by default browsers send nothing when downgrading from HTTPS to HTTP. Keep secrets (tokens, reset codes) out of URLs, because they leak to third parties through this header.

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36

Identifies the client software. Contains browser name, version, OS, and engine. Used for content negotiation and analytics. Freely forgeable, so never base an access decision on it.

If-None-Match: W/"abc123", "def456"

Conditional request with ETag values. Server returns 304 Not Modified if the resource matches any listed ETag, saving bandwidth.

If-Modified-Since: Tue, 21 Oct 2025 07:28:00 GMT

Conditional request with a date. Server returns 304 if the resource hasn't changed since this timestamp. Used with Last-Modified.

Accept-Encoding: gzip, deflate, br, zstd

Compression algorithms the client supports. Server picks one and indicates it via Content-Encoding. Brotli (br) generally gives the best ratio for text. Caveat: a compressed response that mixes a secret (CSRF token, session id) with attacker-influenced input leaks the secret through the response length (the BREACH class of attacks); keep secrets out of such responses or do not compress them.

Accept-Language: en-US,en;q=0.9,es;q=0.8

Preferred natural languages for the response. Quality values indicate preference. Used for internationalization and localization.

X-Requested-With: XMLHttpRequest

Marks AJAX requests (set by jQuery and similar libraries). Not a standard header. Some servers use its presence as a CSRF signal: a custom header cannot be added to a cross-origin request without a CORS preflight, so a request carrying it did not come from a plain HTML form. That holds only if your CORS policy does not allow the header from other origins.

Range: bytes=0-1023

Request only part of a resource. Enables resumable downloads and video seeking. Server responds with 206 Partial Content.

Response Headers

Content-Type: text/html; charset=utf-8

Media type of the response body. Always include charset for text types. Common: text/html, application/json, image/png, application/pdf.

Content-Length: 3495

Size of the response body in bytes. Enables the client to show download progress and detect truncated responses.

Content-Encoding: gzip

Compression applied to the response body. Common values: gzip, br (Brotli), deflate, zstd. Client decodes transparently.

Cache-Control: public, max-age=31536000, immutable

Caching directives for the response. public/private controls who can cache, max-age sets the TTL in seconds, immutable tells the browser the representation will not change while fresh, so it skips revalidation even on reload. Pair immutable with versioned or content-hashed filenames.

Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=86400

Sets a cookie on the client. HttpOnly blocks JS access, Secure requires HTTPS, SameSite limits cross-site sending: Strict never sends it cross-site, Lax (the Chromium default when the attribute is missing) also sends it on top-level GET navigations, None sends it everywhere and requires Secure. The __Host- name prefix additionally forces Secure, Path=/ and no Domain attribute, so a subdomain cannot overwrite the cookie.
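An added example (not code from the original page) that emits a hardened session cookie and audits an arbitrary Set-Cookie line for the weaknesses described above. The cookie name, value and allowlist of attributes are assumptions for illustration; the prefix and SameSite rules are the browser rules named in the text.

```python
import re

# Cookie values may not contain control chars, whitespace, double quotes,
# commas, semicolons or backslashes (RFC 6265 cookie-octet); anything else
# invites header injection or attribute smuggling.
_BAD_VALUE = re.compile(r'[\x00-\x20\x7f",;\\]')


def cookie_value_ok(value: str) -> bool:
    return not _BAD_VALUE.search(value)


def build_session_cookie(name: str, value: str, max_age: int = 86400) -> str:
    """Emit a hardened Set-Cookie line for a session identifier.

    The __Host- prefix makes the browser refuse the cookie unless it is
    Secure, has Path=/ and carries no Domain attribute, so a subdomain
    cannot overwrite it.
    """
    if not cookie_value_ok(value) or not cookie_value_ok(name) or "=" in name:
        raise ValueError("illegal character in cookie name or value")
    return (f"__Host-{name}={value}; Path=/; Secure; HttpOnly; "
            f"SameSite=Lax; Max-Age={max_age}")


def parse_set_cookie(header: str) -> tuple:
    """Split a Set-Cookie value into (name, value, {attribute: value-or-None})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_eq, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_eq else None
    return name.strip(), value, attrs


def audit_set_cookie(header: str, session_like: bool = True) -> list:
    """Return the list of weaknesses in a Set-Cookie line (empty = fine)."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    secure = "secure" in attrs
    if not secure:
        findings.append("missing Secure: cookie is sent over plaintext HTTP")
    if session_like and "httponly" not in attrs:
        findings.append("missing HttpOnly: page script (and any XSS) can read it")
    samesite = (attrs.get("samesite") or "").lower()
    if not samesite:
        # Chromium treats a missing SameSite as Lax; other browsers may not.
        findings.append("missing SameSite: set an explicit Lax or Strict")
    elif samesite == "none" and not secure:
        findings.append("SameSite=None without Secure: browsers reject the cookie")
    if name.startswith("__Host-"):
        if not secure or attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- prefix needs Secure, Path=/ and no Domain")
    elif name.startswith("__Secure-") and not secure:
        findings.append("__Secure- prefix requires Secure")
    if "domain" in attrs:
        findings.append(f"Domain={attrs['domain']}: shared with every subdomain")
    return findings


if __name__ == "__main__":
    # Constructed inputs: the page's own example and a weak variant.
    print(audit_set_cookie("session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=86400"))
    print(audit_set_cookie("session=abc123; Path=/"))
    print(build_session_cookie("session", "abc123"))
```

Run the audit against your own Set-Cookie lines (from a proxy capture or the framework's response) rather than trusting defaults: most frameworks leave Secure and SameSite unset unless configured.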

ETag: W/"v1.2.3-abc123"

Entity tag — a fingerprint of the resource. W/ prefix means weak (semantically equivalent). Used with If-None-Match for conditional requests.

Last-Modified: Sat, 15 Nov 2025 12:45:26 GMT

When the resource was last changed. Less precise than ETag. Used with If-Modified-Since for conditional requests.

Location: https://example.com/new-page

Redirect target URL. Used with 301 (permanent), 302 (found), 303 (see other), 307 (temporary, method preserved) and 308 (permanent, method preserved); also sent with 201 Created to point at the new resource. Never build it from an unvalidated query parameter: that is an open redirect.

Access-Control-Allow-Origin: https://myapp.example.com

CORS: the origin allowed to read the response. Use * only for public, unauthenticated APIs; with credentials you must name a specific origin, so check the incoming Origin against an allowlist before echoing it, and add Vary: Origin. Single origin only per response.

X-Content-Type-Options: nosniff

Prevents browsers from MIME-sniffing the Content-Type. Always set it. Stops a user-uploaded file from being interpreted as HTML or script because the browser guessed its type, and makes the browser refuse scripts and stylesheets served with the wrong MIME type.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Forces HTTPS for the domain. max-age in seconds, includeSubDomains applies to all subdomains, preload adds the domain to the browsers' built-in list. Only honoured when received over HTTPS. The preload list requires max-age of at least one year (31536000) plus includeSubDomains, and removal is slow, so confirm every subdomain serves HTTPS first.

X-Request-Id: req_a1b2c3d4-e5f6-7890

Unique identifier for the request/response pair. Essential for distributed tracing, debugging, and correlating logs across services. If you accept a client-supplied value, validate its length and character set before logging or echoing it, otherwise it becomes a log-injection and header-injection vector; generate one at the edge when it is absent.

Retry-After: 120

Seconds (or date) the client should wait before retrying. Used with 429 Too Many Requests and 503 Service Unavailable responses.

WWW-Authenticate: Bearer realm="api", error="invalid_token"

Sent with 401 Unauthorized (407 uses Proxy-Authenticate). Tells the client which authentication scheme and realm to use; for Bearer, the error and error_description parameters (RFC 6750) say why the token was rejected.

CORS Headers

Access-Control-Allow-Origin: https://app.example.com

Which origin is allowed. Must match the requesting Origin exactly or be *. Wildcards cannot be used when credentials (cookies) are included. Do not produce it by reflecting the incoming Origin, or by matching it with a loose regex or prefix check (https://app.example.com.attacker.test); compare against an explicit allowlist.

Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS

HTTP methods allowed for cross-origin requests. Sent in the preflight (OPTIONS) response. Simple methods (GET, HEAD, POST) skip the preflight only when the request also uses nothing but safelisted headers and a simple Content-Type.

Access-Control-Allow-Headers: Content-Type, Authorization, X-Request-Id

Request headers the client may send beyond the CORS-safelisted ones (Accept, Accept-Language, Content-Language, and Content-Type limited to application/x-www-form-urlencoded, multipart/form-data and text/plain). Sent in the preflight response. * is not honoured for credentialed requests and never covers Authorization, which must be listed explicitly.

Access-Control-Expose-Headers: X-Total-Count, X-Request-Id, Link

Response headers the browser JS can read. By default only the safelisted ones are exposed (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma). Custom headers must be explicitly listed here.

Access-Control-Max-Age: 86400

How long (in seconds) the preflight result can be cached. Reduces OPTIONS requests. Browsers cap this (Chrome: 2 hours, Firefox: 24 hours).

Access-Control-Allow-Credentials: true

Allow cookies, Authorization headers, and TLS client certs in cross-origin requests. When true, Allow-Origin cannot be *, and neither can Allow-Methods, Allow-Headers or Expose-Headers; each must list explicit values.

Access-Control-Request-Method: PUT

Sent by the browser in preflight (OPTIONS) to indicate which method the actual request will use. Server checks this before allowing.

Access-Control-Request-Headers: Content-Type, Authorization

Sent in preflight to indicate which custom headers the actual request will include. Server responds with Access-Control-Allow-Headers.

Origin: https://app.example.com

Sent automatically by the browser on cross-origin requests and on same-origin requests with methods other than GET/HEAD; the value may be null. The server compares it against its allowed-origins list. Page script cannot forge it, but non-browser clients can send anything, so it is an allowlist check, not authentication.

Vary: Origin

Tells caches that the response varies by Origin. Essential whenever Access-Control-Allow-Origin is not *; otherwise a shared cache can serve a response carrying one origin's Access-Control-Allow-Origin to a request from another origin, either breaking CORS or, worse, granting it.
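An added example (not code from the original page) of the server side of the CORS exchange described in this section and in the preflight FAQ below: an allowlist check with exact origin matching, Vary: Origin on every CORS response, the preflight answer with Allow-Methods/Allow-Headers/Max-Age, Expose-Headers on the actual response, and a helper that predicts whether a browser will preflight. The origins, methods and header names are assumed policy for a hypothetical API. The insecure reflect-everything variant is included only for contrast.

```python
from typing import Optional

# Assumed policy for a hypothetical API (illustrative values, not from the page).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"]
ALLOWED_HEADERS = ["Content-Type", "Authorization", "X-Request-Id"]
EXPOSED_HEADERS = ["X-Total-Count", "X-Request-Id", "Link"]
PREFLIGHT_MAX_AGE = 86400  # browsers cap it anyway (Chromium 7200 s, Firefox 86400 s)

# What the Fetch spec lets through without a preflight.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def needs_preflight(method: str, header_names: list, content_type: Optional[str] = None) -> bool:
    """True when a browser would send an OPTIONS preflight before this request."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    if any(h.lower() not in SAFELISTED_HEADERS for h in header_names):
        return True
    if content_type is not None:
        media = content_type.split(";")[0].strip().lower()
        if media not in SIMPLE_CONTENT_TYPES:
            return True
    return False


def cors_headers_insecure(request_headers: dict) -> dict:
    """Anti-pattern, for contrast only: echo any Origin and allow credentials.
    Every site on the web can then read this API's authenticated responses."""
    origin = request_headers.get("Origin")
    return {} if origin is None else {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers(request_headers: dict, method: str, credentialed: bool = True) -> tuple:
    """Return (status, CORS response headers) for one request against the allowlist.

    Non-CORS requests get nothing. Disallowed origins get no ACAO header (the
    browser then blocks the read) but still get Vary: Origin so a shared cache
    never hands an allowed origin's copy to them.
    """
    origin = request_headers.get("Origin")
    if origin is None:
        return 200, {}
    if origin not in ALLOWED_ORIGINS:          # exact string match: no regex, no prefix
        return (403 if method == "OPTIONS" else 200), {"Vary": "Origin"}

    resp = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if credentialed:
        resp["Access-Control-Allow-Credentials"] = "true"  # never combined with *

    if method == "OPTIONS" and "Access-Control-Request-Method" in request_headers:
        # Preflight: check what the real request wants, answer with the policy.
        wanted_method = request_headers["Access-Control-Request-Method"].upper()
        wanted_headers = [h.strip().lower() for h in
                          request_headers.get("Access-Control-Request-Headers", "").split(",")
                          if h.strip()]
        allowed = {h.lower() for h in ALLOWED_HEADERS} | SAFELISTED_HEADERS
        if wanted_method not in ALLOWED_METHODS or any(h not in allowed for h in wanted_headers):
            return 403, {"Vary": "Origin"}
        resp["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        resp["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        resp["Access-Control-Max-Age"] = str(PREFLIGHT_MAX_AGE)
        return 204, resp

    # Actual request: also say which non-safelisted response headers script may read.
    resp["Access-Control-Expose-Headers"] = ", ".join(EXPOSED_HEADERS)
    return 200, resp


if __name__ == "__main__":
    # Constructed preflight from an allowed origin.
    preflight = {"Origin": "https://app.example.com",
                 "Access-Control-Request-Method": "PUT",
                 "Access-Control-Request-Headers": "Content-Type, Authorization"}
    print(cors_headers(preflight, "OPTIONS"))
    print(cors_headers({"Origin": "https://evil.example"}, "GET"))
```

The two functions differ in one line: the insecure version trusts Origin, the safe one compares it against a set. Tests of a CORS policy should send an unexpected Origin (including an allowed origin with a suffix appended) and confirm no Access-Control-Allow-Origin comes back.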

Security Headers

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'; style-src 'self' 'unsafe-inline'; img-src * data:

Controls which resources the browser can load and execute. Mitigates XSS (script-src), clickjacking (frame-ancestors) and data exfiltration (connect-src, form-action). Use per-response random nonces or hashes instead of 'unsafe-inline' for scripts; a nonce must be unguessable and fresh on every response or it adds nothing. The img-src * data: above is permissive and leaves an exfiltration channel open.

X-Frame-Options: DENY

Controls whether the page can be embedded in frames. DENY blocks all framing, SAMEORIGIN allows same-origin only. CSP frame-ancestors supersedes it and takes precedence when both are present; keep X-Frame-Options for older browsers. ALLOW-FROM is obsolete and ignored.

X-XSS-Protection: 0

Legacy XSS filter. Set to 0 to disable (recommended) — the built-in filter can introduce vulnerabilities. Rely on Content-Security-Policy instead.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Enforces HTTPS. After the first HTTPS visit, the browser rewrites http:// URLs for the domain to https:// for max-age seconds and refuses to click through certificate errors. preload puts the domain in the browsers' built-in list, closing the trust-on-first-use gap in which the very first request can still go over plain HTTP.

Permissions-Policy: camera=(), microphone=(), geolocation=(self), payment=(self "https://pay.example.com")

Controls browser feature access. () disables entirely, (self) allows same-origin, specific origins can be listed. Replaces Feature-Policy.

Referrer-Policy: strict-origin-when-cross-origin

Controls how much referrer info is sent. strict-origin-when-cross-origin sends full URL for same-origin, origin-only cross-origin, nothing on downgrade.

X-Content-Type-Options: nosniff

Stops browsers from guessing the MIME type. Always use nosniff. Prevents attacks where a disguised file is interpreted as an executable type.

Cross-Origin-Embedder-Policy: require-corp

Ensures all cross-origin resources explicitly grant permission. Required (with COOP) to enable SharedArrayBuffer and high-resolution timers.

Cross-Origin-Opener-Policy: same-origin

Isolates the browsing context. same-origin prevents cross-origin windows from accessing window.opener. Enables cross-origin isolation with COEP.

Cross-Origin-Resource-Policy: same-site

Controls who may load a resource in no-cors mode (img, script, iframe embeds). same-origin, same-site, or cross-origin. Protects resources from being embedded by untrusted sites and from Spectre-style reads; requests made with CORS are governed by the CORS headers instead.

X-DNS-Prefetch-Control: off

Controls browser DNS prefetching. Set to off for privacy-sensitive pages to prevent DNS lookups revealing which links are on the page.

X-Permitted-Cross-Domain-Policies: none

Controls Flash and PDF cross-domain policy files. Set to none to prevent Adobe products from loading data from your domain.

Caching Headers

Cache-Control: public, max-age=31536000, immutable

Primary caching directive. public: any cache can store. private: browser only. no-store: never cache. no-cache: must revalidate. stale-while-revalidate: serve stale while fetching.

Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate

Prevent all caching, for sensitive data. no-store alone is sufficient for any cache that follows RFC 9111; the other three directives (and Pragma: no-cache) are there for old proxies and browsers.

Cache-Control: max-age=3600, stale-while-revalidate=86400

Serve stale content for up to 86400s while revalidating in background. Eliminates latency for cache refresh — great for semi-dynamic content.

Expires: Mon, 01 Dec 2025 16:00:00 GMT

Legacy cache expiration date. Superseded by Cache-Control max-age. If both present, max-age wins. Use HTTP date format only.

ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"

Fingerprint of the resource content. Strong ETags must change on any byte change. Used with If-None-Match for conditional requests (304 responses).

If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"

Client sends previous ETag. If it matches, server responds 304 with no body — saves bandwidth. Supports multiple ETags and wildcard *.

If-Modified-Since: Tue, 21 Oct 2025 07:28:00 GMT

Client sends previous Last-Modified date. If unchanged, server responds 304. Less precise than ETag (1-second resolution). Used as fallback.

Vary: Accept-Encoding, Accept-Language, Origin

Lists request headers that cause the response to vary. Caches store separate copies for each combination. Critical for correct CDN behavior: a missing Vary on a negotiated response lets one client's variant (or one origin's CORS headers) be served to another, while Vary: * or Vary: Cookie effectively disables shared caching.

Age: 3600

Seconds since the response was generated by the origin server. Set by caches/CDNs. Helps clients calculate remaining freshness from max-age.
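An added example (not code from the original page) that parses Cache-Control and works out what a cache may do with a stored response given the directives above (no-store, private, no-cache, max-age, stale-while-revalidate, Expires) and the Age header. It goes one step beyond the page's list by honouring s-maxage, the RFC 9111 directive that targets shared caches only. Current age is taken from Age alone, an assumed simplification; a real cache also adds the time the response has sat in its own store.

```python
import email.utils
from typing import Optional


def parse_cache_control(value: str) -> dict:
    """'public, max-age=60, s-maxage="3600"' -> {'public': None, 'max-age': '60', 's-maxage': '3600'}"""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if token:
            key, has_eq, val = token.partition("=")
            directives[key.strip().lower()] = val.strip().strip('"') if has_eq else None
    return directives


def _http_date(value: str) -> float:
    return email.utils.parsedate_to_datetime(value).timestamp()


def freshness_lifetime(headers: dict, shared: bool) -> Optional[int]:
    """Seconds the response is fresh, per RFC 9111 precedence:
    s-maxage (shared caches only) > max-age > Expires minus Date > none."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if shared and "s-maxage" in cc:
        return int(cc["s-maxage"] or 0)
    if "max-age" in cc:
        return int(cc["max-age"] or 0)
    if "Expires" in headers and "Date" in headers:
        return int(_http_date(headers["Expires"]) - _http_date(headers["Date"]))
    return None


def cache_decision(headers: dict, shared: bool = True) -> str:
    """What a cache (shared CDN/proxy, or the browser when shared=False) may do
    with a stored response right now, given only the Age header as current age."""
    cc = parse_cache_control(headers.get("Cache-Control", ""))
    if "no-store" in cc or (shared and "private" in cc):
        return "do-not-store"
    if "no-cache" in cc:
        return "store-but-revalidate"       # may keep it, must ask origin before reuse
    lifetime = freshness_lifetime(headers, shared)
    if lifetime is None:
        return "heuristic"                   # caches may guess from Last-Modified; set max-age
    age = int(headers.get("Age", "0"))
    if age < lifetime:
        return "fresh"
    grace = int(cc.get("stale-while-revalidate") or 0)
    if grace and age < lifetime + grace and "must-revalidate" not in cc:
        return "stale-serve-and-revalidate"  # serve stale now, refresh in background
    return "stale"


if __name__ == "__main__":
    # Constructed responses using the page's own example header values.
    print(cache_decision({"Cache-Control": "public, max-age=31536000, immutable", "Age": "3600"}))
    print(cache_decision({"Cache-Control": "max-age=3600, stale-while-revalidate=86400", "Age": "7200"}))
    print(cache_decision({"Cache-Control": "no-store, no-cache, must-revalidate, proxy-revalidate"}))
```

The shared flag matters for private responses: a browser may keep a private, max-age=600 page, a CDN must not. Run the function with shared=True against responses that contain per-user data to catch the missing private or no-store before a CDN does.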

Pragma: no-cache

HTTP/1.0 backward compatibility. In a request it means the same as Cache-Control: no-cache; in a response it has no defined meaning, though some old caches honour it. Include both for legacy proxy support. no-cache is its only defined value.

CDN-Cache-Control: max-age=60

Targeted cache-control for CDNs (RFC 9213); Cloudflare implements it, along with a Cloudflare-CDN-Cache-Control variant. Takes precedence over Cache-Control at the CDN layer while browsers keep following Cache-Control, so the two tiers can have different TTLs.

Surrogate-Control: max-age=3600

Caching directive for reverse proxies and CDNs (Varnish, Fastly). Stripped before reaching the client. Takes precedence over Cache-Control for the proxy.

Content Negotiation

Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8

Client's preferred media types. Server picks the best match. Quality values (q=0-1) indicate priority. Used for format negotiation (HTML vs JSON).

Accept-Encoding: br, gzip, deflate, zstd

Compression algorithms the client supports. Server picks one and sets Content-Encoding. Brotli (br) has best ratio for text, zstd for general use.

Accept-Language: en-US,en;q=0.9,fr;q=0.8,de;q=0.7

Client's preferred languages. Server uses this for i18n content selection. Quality values set priority. Falls back to server default if no match.

Content-Encoding: br

Compression applied to the response body. Must match one of the client's Accept-Encoding values. Transparent to the application layer.

Content-Language: en-US

The natural language of the response content. Helps screen readers and translation tools. Can be a comma-separated list for multilingual content.

Content-Type: application/json; charset=utf-8

The media type and character encoding of the body. Tells the client how to parse the response. Always include charset for text types.

Transfer-Encoding: chunked

How the message body is framed. chunked sends data in pieces without knowing the total size upfront. HTTP/1.1 only; HTTP/2 and HTTP/3 frame bodies at the protocol layer and forbid this header. Mutually exclusive with Content-Length: when both are present, RFC 9112 says Transfer-Encoding wins and the server must close the connection after responding, or reject the message outright, because a front end and back end that disagree on which header frames the body is the basis of request smuggling.
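An added example (not code from the original page) of the check a reverse proxy or application server should run on an HTTP/1.1 request head before trusting its body framing: it flags the Content-Length/Transfer-Encoding conflict described above, duplicate or non-numeric Content-Length values, whitespace between a header name and its colon (which RFC 9112 requires a server to reject), and Transfer-Encoding values that only resemble chunked. The sample requests are constructed, not captured traffic.

```python
def framing_problems(raw_head: bytes) -> list:
    """Flag ambiguous body framing in an HTTP/1.1 request head (everything up
    to the blank line). A front end and back end that resolve these
    differently are what request smuggling exploits; reject, don't guess."""
    lines = raw_head.split(b"\r\n")
    content_lengths, transfer_encodings, problems = [], [], []
    for line in lines[1:]:
        if line == b"":
            break
        if line[:1] in (b" ", b"\t"):
            problems.append("obsolete line folding: continuation line in header block")
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            problems.append(f"malformed header line {line!r}")
            continue
        if name != name.strip():
            problems.append(f"whitespace around header name {name!r}: parsers disagree on it")
        key = name.strip().lower()
        if key == b"content-length":
            content_lengths.append(value.strip())
        elif key == b"transfer-encoding":
            transfer_encodings.append(value.strip())

    if len(set(content_lengths)) > 1:
        problems.append("conflicting Content-Length values")
    for cl in content_lengths:
        if not cl.isdigit():
            problems.append(f"Content-Length {cl!r} is not a plain decimal integer")
    if content_lengths and transfer_encodings:
        problems.append("both Content-Length and Transfer-Encoding: RFC 9112 says TE wins "
                        "and the connection must be closed; treat as an attack")
    for te in transfer_encodings:
        codings = [c.strip().lower() for c in te.split(b",")]
        if b"chunked" in codings and codings[-1] != b"chunked":
            problems.append("chunked is not the final transfer coding")
        if b"chunked" not in codings and any(b"chunked" in c for c in codings):
            problems.append(f"obfuscated Transfer-Encoding value {te!r}")
    return problems


# Constructed sample requests (not captured traffic).
CLEAN_REQUEST = (b"POST /api/items HTTP/1.1\r\nHost: api.example.com\r\n"
                 b"Content-Type: application/json\r\nContent-Length: 13\r\n\r\n")
CL_TE_REQUEST = (b"POST /api/items HTTP/1.1\r\nHost: api.example.com\r\n"
                 b"Content-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    print(framing_problems(CLEAN_REQUEST))
    print(framing_problems(CL_TE_REQUEST))
```

Anything this function flags should get a 400 and a closed connection. Normalising the request and forwarding it is worse than rejecting it, because the back end may parse the original bytes differently from the normalised copy.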

Accept-Ranges: bytes

Indicates the server supports partial requests. bytes enables Range requests for resumable downloads and video seeking. none disables.

Content-Disposition: attachment; filename="report.pdf"

How the browser should handle the body. attachment triggers download, inline renders in the browser. filename suggests the download name. When the name derives from user input, strip control and path characters and use the filename* form (RFC 8187, UTF-8 percent-encoded) for non-ASCII names; otherwise a crafted name can inject a header line or disguise the file's extension.
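An added example (not code from the original page) that builds the header value from an untrusted filename the way the caveat above describes. The fallback name download and the decision to drop every Unicode control and format character are assumptions for illustration; the latter removes CR/LF (header injection) and U+202E (right-to-left override, which makes invoice[U+202E]fdp.exe display as invoiceexe.pdf).

```python
import re
import unicodedata
from urllib.parse import quote


def safe_download_name(filename: str) -> str:
    """Reduce an untrusted filename to a single path component without control
    or format characters (CR/LF would start a new header line; U+202E
    right-to-left override disguises the extension)."""
    kept = "".join(ch for ch in filename if unicodedata.category(ch)[0] != "C")
    kept = re.split(r"[\\/]", kept)[-1].strip().lstrip(".")   # basename, no dotfiles or ".."
    return kept or "download"


def content_disposition(filename: str, inline: bool = False) -> str:
    """Build a Content-Disposition value carrying both the ASCII fallback
    (filename=) and the RFC 8187 UTF-8 form (filename*) when needed."""
    name = safe_download_name(filename)
    ascii_name = name.encode("ascii", "ignore").decode() or "download"
    quoted = ascii_name.replace("\\", "\\\\").replace('"', '\\"')   # quoted-string escaping
    header = f'{"inline" if inline else "attachment"}; filename="{quoted}"'
    if name != ascii_name:
        # Non-ASCII characters only travel safely in the percent-encoded filename* form.
        header += f"; filename*=UTF-8''{quote(name, safe='')}"
    return header


if __name__ == "__main__":
    # Constructed inputs: benign, traversal, header injection, RTL override.
    for raw in ("report.pdf", "../../etc/passwd", "evil\r\nX-Injected: 1.pdf",
                "résumé.pdf", "invoice\u202efdp.exe"):
        print(content_disposition(raw))
```

Browsers prefer filename* when present, so the user still sees the proper Unicode name; the quoted filename= is only the fallback for clients that do not understand RFC 8187.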

Content-Range: bytes 200-999/8000

Indicates which part of the full resource is included in the response. Sent with 206 Partial Content. Format: unit start-end/total.

Vary: Accept, Accept-Encoding, Accept-Language

Tells caches which request headers affect the response. A response for Accept: text/html differs from Accept: application/json — caches must store both.

406 Not Acceptable: no representation matches the Accept header

Servers can return 406 when they cannot produce a response matching any of the client's Accept values; the response body ought to list the available types. Many APIs instead ignore Accept and return their default format, which the specification also permits.
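An added example (not code from the original page) implementing the Accept negotiation described in this section and in the Request Headers section above: q-values, wildcard ranges, the most-specific-range-wins rule, server-order tie-breaking, and the 406 case signalled as None. The offered-type lists in the usage are assumptions for illustration.

```python
from typing import Optional


def parse_accept(value: str) -> list:
    """Split an Accept header into (media-range, q, specificity) triples.
    specificity: 2 = type/subtype, 1 = type/*, 0 = */*."""
    ranges = []
    for part in value.split(","):
        pieces = [p.strip() for p in part.split(";")]
        media = pieces[0].lower()
        if not media:
            continue
        q = 1.0
        for param in pieces[1:]:
            key, _, val = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = min(1.0, max(0.0, float(val)))
                except ValueError:
                    q = 0.0                      # garbage q: treat as not acceptable
        main, _, sub = media.partition("/")
        specificity = 0 if main == "*" else (1 if sub == "*" else 2)
        ranges.append((media, q, specificity))
    return ranges


def _matches(media_range: str, offered: str) -> bool:
    rt, _, rs = media_range.partition("/")
    ot, _, os_ = offered.partition("/")
    return rt in ("*", ot) and rs in ("*", os_)


def quality_of(offered: str, ranges: list) -> float:
    """q for one offered type: the most specific matching range decides,
    so 'text/*;q=0.5, text/html;q=0' rejects HTML but accepts plain text."""
    best = None
    for media, q, spec in ranges:
        if _matches(media, offered.lower()) and (best is None or spec > best[0]):
            best = (spec, q)
    return best[1] if best else 0.0


def negotiate(accept: Optional[str], offered: list) -> Optional[str]:
    """Pick the server's best representation, or None (send 406). Ties go to
    the server's own order, so list the preferred default first."""
    if not accept:
        return offered[0]                        # no Accept header: anything is acceptable
    ranges = parse_accept(accept)
    scored = [(quality_of(o, ranges), -i, o) for i, o in enumerate(offered)]
    q, _, choice = max(scored)
    return choice if q > 0 else None


if __name__ == "__main__":
    # Constructed: an API that can render JSON or HTML, JSON preferred.
    offered = ["application/json", "text/html"]
    for accept in ("application/json, text/html;q=0.9, */*;q=0.8",
                   "text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8",
                   "image/png", None):
        print(repr(accept), "->", negotiate(accept, offered))
```

One caution for APIs: if the HTML representation reflects user-supplied data, letting an attacker-chosen Accept header switch a JSON endpoint into HTML turns a harmless JSON response into an XSS sink. Offer HTML only from endpoints that escape for it.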

FAQ

What is the difference between Cache-Control: no-cache and no-store?

no-cache allows the browser to store the response but requires revalidation with the server before using it (via If-None-Match or If-Modified-Since). no-store tells the browser to never store the response at all — it must be fetched fresh every time. For sensitive data like banking pages, use no-store. For content that changes often but benefits from conditional requests, use no-cache.

How do CORS preflight requests work?

When a cross-origin request uses a non-simple method (PUT, DELETE, PATCH), a custom header, or a Content-Type other than the three form types (application/x-www-form-urlencoded, multipart/form-data, text/plain), the browser first sends an OPTIONS request (preflight) with Access-Control-Request-Method and Access-Control-Request-Headers. The server must respond with appropriate Access-Control-Allow-* headers. If approved, the browser sends the actual request. Preflight results can be cached via Access-Control-Max-Age to reduce latency.

Which security headers should every site set?

At minimum: Strict-Transport-Security (force HTTPS), X-Content-Type-Options: nosniff (prevent MIME sniffing), Content-Security-Policy (control resource loading), X-Frame-Options: DENY (prevent clickjacking), and Referrer-Policy: strict-origin-when-cross-origin. Also consider Permissions-Policy to disable unused browser features and Cross-Origin-Opener-Policy for browsing context isolation.
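An added example (not code from the original page) that audits a response's headers against the minimum set listed in this answer and the rules given in the Security Headers section: HSTS present with a one-year max-age (and includeSubDomains when preload is set), nosniff, a CSP whose script-src has no 'unsafe-inline' without a nonce or hash and no wildcard sources, some framing protection, X-XSS-Protection either absent or 0, and a Referrer-Policy. The thresholds and the exact wording of findings are the author's choices for this example.

```python
import re


def parse_csp(policy: str) -> dict:
    """'default-src 'self'; script-src 'self' 'nonce-x'' -> {'default-src': ["'self'"], ...}"""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_security_headers(headers: dict) -> list:
    """Return the gaps in a response's security headers (empty list = passes)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    max_age = int(m.group(1)) if m else 0
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    elif max_age < 31536000:
        findings.append(f"HSTS max-age={max_age} is under one year")
    if "preload" in hsts.lower() and "includesubdomains" not in hsts.lower():
        findings.append("HSTS preload requires includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        script = csp.get("script-src", csp.get("default-src"))  # script-src falls back to default-src
        if script is None:
            findings.append("CSP has neither script-src nor default-src")
        else:
            low = [t.lower() for t in script]
            has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in low)
            # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag it alone.
            if "'unsafe-inline'" in low and not has_nonce_or_hash:
                findings.append("script-src allows 'unsafe-inline' with no nonce or hash")
            if "'unsafe-eval'" in low:
                findings.append("script-src allows 'unsafe-eval'")
            for t in ("*", "data:", "https:", "http:"):
                if t in low:
                    findings.append(f"script-src contains {t}: scripts may load from any matching source")
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append("no frame-ancestors or X-Frame-Options: clickjacking possible")

    xss = h.get("x-xss-protection")
    if xss is not None and xss != "0":
        findings.append("X-XSS-Protection should be 0 (or absent): the legacy filter is exploitable")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    return findings


if __name__ == "__main__":
    # Constructed response using the page's example values.
    good = {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; "
                                   "style-src 'self' 'unsafe-inline'; img-src * data:; frame-ancestors 'none'",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "X-XSS-Protection": "0",
    }
    print(audit_security_headers(good))
    print(audit_security_headers({}))
```

Feed it the header dict from your HTTP client of choice and fail the build when the list is non-empty; it is a coarse check, and it deliberately says nothing about style-src, because 'unsafe-inline' there is a much smaller risk than in script-src.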

What is the ETag header and how does conditional caching work?

An ETag is a fingerprint (hash) of a resource. On first request, the server sends the ETag. On subsequent requests, the browser sends If-None-Match with the cached ETag. If the resource hasn't changed, the server returns 304 Not Modified with no body — saving bandwidth. This is more reliable than Last-Modified/If-Modified-Since which only has 1-second resolution and can miss changes.
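An added example (not code from the original page) of the ETag round trip described in this answer and in the ETag and If-None-Match entries above: a strong validator derived from the body bytes, If-None-Match parsed as a list (with the W/ prefix dropped, because RFC 9110 evaluates If-None-Match with the weak comparison) and the * wildcard, and a 304 with no body when the client's copy is current. The use of a truncated SHA-256 as the tag and no-cache as the accompanying Cache-Control are this example's choices.

```python
import hashlib


def strong_etag(body: bytes) -> str:
    """Strong validator derived from the bytes served. Deriving it from content
    (not inode numbers or timestamps) keeps it stable across servers and
    leaks nothing about the file system."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def parse_etag_list(value: str) -> list:
    """'W/"a", "b"' -> ['a', 'b'];  '*' -> ['*'].  The W/ prefix is dropped
    because If-None-Match is evaluated with the weak comparison (RFC 9110)."""
    tags = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        if token.startswith("W/"):
            token = token[2:]
        tags.append(token.strip('"'))
    return tags


def if_none_match_hits(if_none_match: str, current_etag: str) -> bool:
    current = parse_etag_list(current_etag)[0]
    return any(tag == "*" or tag == current for tag in parse_etag_list(if_none_match))


def conditional_get(request_headers: dict, body: bytes) -> tuple:
    """Serve `body` for a GET, answering 304 when the client's copy is current.
    no-cache makes the browser revalidate every time, so the ETag round trip
    (not a stale copy) decides what the user sees."""
    etag = strong_etag(body)
    common = {"ETag": etag, "Cache-Control": "no-cache"}
    inm = request_headers.get("If-None-Match")
    if inm is not None and if_none_match_hits(inm, etag):
        return 304, common, b""          # headers only, no body
    return 200, {**common, "Content-Length": str(len(body))}, body


if __name__ == "__main__":
    # Constructed exchange: first fetch, then a revalidation with the tag we handed out.
    page = b"<html><body>hello</body></html>"
    status, headers, _ = conditional_get({}, page)
    print(status, headers["ETag"])
    print(conditional_get({"If-None-Match": headers["ETag"]}, page)[0])
    print(conditional_get({"If-None-Match": headers["ETag"]}, page + b"!")[0])
```

Because the tag is a hash of the bytes, any change to the body (including a one-byte change that leaves Last-Modified's one-second clock untouched) produces a new tag and a 200 with the fresh body.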
