HTTP Headers Lookup
Developer UtilitiesComplete reference for HTTP request and response headers with usage examples, RFC references, and common values.. Free, private — all processing in your browser.
This tool is coming soon. Check back later!
The HTTP Headers Lookup is a comprehensive reference for every standard HTTP header, plus common non-standard and security-related headers. Headers carry metadata on every HTTP request and response — content type, caching directives, authentication credentials, CORS rules, security policies, compression hints, cookies, and more. Knowing which header does what is essential for backend developers, security engineers, SEO specialists, and anyone debugging web traffic.
The tool groups headers by category: general (Cache-Control, Connection), request (Accept, Authorization, Referer, User-Agent), response (Set-Cookie, WWW-Authenticate, Location), content (Content-Type, Content-Encoding, Content-Length), caching (ETag, Last-Modified, If-None-Match), security (Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options), CORS (Access-Control-Allow-Origin and related), and vendor-specific (X-Forwarded-For, X-Requested-With). Each entry shows the header name, purpose, example values, direction (request/response/both), security implications where relevant, and RFC link. Search by name or keyword to find the right header fast.
HTTP Headers Lookup — key features
Every standard header
Covers all IANA-registered HTTP headers plus widely used non-standard ones.
Organized by category
General, request, response, content, caching, security, CORS — find the right category quickly.
Example values
Each header shows typical real-world values, not just theoretical syntax.
Security implications
Security-sensitive headers (CSP, HSTS, X-Frame-Options) have specific notes on correct and dangerous usage.
Direction indicator
Shows whether header is request-only, response-only, or both.
RFC references
Each header links to authoritative RFC sections for deep research.
Search by keyword
Find headers by concept — "cache" finds all caching headers, "cors" finds all CORS headers.
Real-world examples
Common header combinations shown in sample request/response snippets.
How to use the HTTP Headers Lookup
- 1
Search by name or keyword
Type "authorization", "cors", or any header name/concept.
- 2
Browse by category
Pick a category (security, caching, content) to see all related headers.
- 3
Read the explanation
Each header shows purpose, direction, example values, and security notes.
- 4
See examples
Real-world request/response snippets show how headers combine in practice.
- 5
Link to RFC for detail
Authoritative RFC links available for every header.
Common use cases for the HTTP Headers Lookup
API development
- →Setting correct Content-Type: Picking the right MIME type for responses: application/json for JSON, application/xml for XML, etc.
- →Implementing authentication: Understanding Authorization header formats for Bearer tokens, Basic auth, and custom schemes.
- →CORS configuration: Setting the right Access-Control-* headers so cross-origin requests work without being too permissive.
Security
- →Hardening web apps: Configuring security headers (CSP, HSTS, X-Frame-Options) to protect against XSS, clickjacking, and other attacks.
- →Security audit: Reviewing response headers of an existing app to find missing or weak security headers.
- →Cookie security: Understanding Set-Cookie flags (Secure, HttpOnly, SameSite) for session and auth cookies.
Performance
- →Caching strategy: Configuring Cache-Control, ETag, and Last-Modified for correct browser and CDN caching.
- →Compression: Enabling Content-Encoding gzip or brotli for reduced bandwidth.
- →Connection reuse: Using Connection: keep-alive correctly for lower request latency.
HTTP Headers Lookup — examples
Content-Type for JSON
Standard JSON API response header.
Content-Type
value: application/json; charset=utf-8 direction: both note: always include charset for text-based types
CORS basic
Allow all origins (use carefully).
Access-Control-Allow-Origin
value: * (any origin) or https://example.com (specific) direction: response warning: never use * with Allow-Credentials: true
HSTS
Force HTTPS for security.
Strict-Transport-Security
value: max-age=31536000; includeSubDomains; preload direction: response purpose: browsers always use HTTPS for future requests duration: at least 1 year for HSTS preload list
Cache-Control
Static asset caching.
Cache-Control
value: public, max-age=31536000, immutable direction: response purpose: tells browsers and CDNs to cache for 1 year immutable: content never changes (use for hashed filenames)
Authorization Bearer
Modern API authentication.
Authorization
value: Bearer eyJhbGciOiJIUzI1NiIs... direction: request purpose: authenticate via JWT or OAuth token security: always send over HTTPS
Technical details
HTTP headers are name-value pairs sent in every HTTP request and response. Names are case-insensitive per RFC 9110 but conventionally Title-Case (Content-Type, not content-type, though lowercase is accepted by every implementation).
Categories and key headers:
General (applies to both requests and responses):
- Cache-Control: caching directives (max-age, no-cache, no-store, public, private)
- Connection: keep-alive or close
- Date: RFC 1123 timestamp of message origination
Request headers:
- Accept: content types client accepts (text/html, application/json)
- Accept-Encoding: compression formats (gzip, br, deflate)
- Accept-Language: preferred languages (en-US, fr;q=0.8)
- Authorization: credentials (Bearer, Basic, Digest)
- Cookie: session and tracking cookies from client
- Host: target host (required in HTTP/1.1)
- Referer: URL of referring page (HTTP misspelling preserved)
- User-Agent: client identifier string
Response headers:
- Set-Cookie: create or update cookies
- WWW-Authenticate: challenge with 401 responses
- Location: redirect target (with 3xx) or new resource URL (with 201)
- Server: server identification (often suppressed for security)
Content headers (entity metadata):
- Content-Type: MIME type and charset (application/json; charset=utf-8)
- Content-Length: body size in bytes
- Content-Encoding: compression applied (gzip, br)
- Content-Language: natural language
Caching headers:
- ETag: unique identifier for current version
- Last-Modified: timestamp of last change
- If-None-Match: conditional request based on ETag
- If-Modified-Since: conditional request based on timestamp
- Age: seconds since cached
Security headers:
- Strict-Transport-Security: force HTTPS (HSTS)
- Content-Security-Policy: allowed sources for scripts, images, etc.
- X-Frame-Options: prevent framing (DENY, SAMEORIGIN) — mostly superseded by CSP frame-ancestors
- X-Content-Type-Options: nosniff prevents MIME type confusion
- Referrer-Policy: control Referer leakage
- Permissions-Policy: control browser APIs (geolocation, camera)
CORS headers:
- Access-Control-Allow-Origin: allowed origins for cross-origin requests
- Access-Control-Allow-Methods: allowed HTTP methods
- Access-Control-Allow-Headers: allowed headers in requests
- Access-Control-Allow-Credentials: whether cookies/auth allowed
- Access-Control-Expose-Headers: headers JS can read
- Access-Control-Max-Age: preflight cache duration
Common non-standard:
- X-Forwarded-For: original client IP behind proxy
- X-Forwarded-Proto: original scheme (http/https) behind proxy
- X-Requested-With: identifies XHR requests
- X-CSRF-Token: anti-CSRF token
Common problems and solutions
⚠Wrong Content-Type breaks parsing
Returning Content-Type: text/html for a JSON response can cause parsers to fail silently or render as HTML. Always match Content-Type to actual body format.
⚠Over-permissive CORS
Access-Control-Allow-Origin: * allows any site to make cross-origin requests. Never combine with Allow-Credentials: true (browsers reject it). For authenticated APIs, specify exact origins.
⚠Missing security headers
Lacking HSTS, CSP, and X-Content-Type-Options leaves apps vulnerable to downgrade attacks, XSS, and MIME confusion. Always set the standard security headers for HTTPS apps.
⚠Cookies missing SameSite
Without SameSite=Lax or Strict, cookies are vulnerable to CSRF attacks. Modern browsers default to Lax but explicit is safer.
⚠Caching overly aggressive
Setting Cache-Control: max-age=86400 on dynamic API responses means stale data is served. Use no-store or max-age=0 for content that must be fresh.
⚠Referer leakage
Default Referer sends full URL to external sites, leaking private paths. Set Referrer-Policy: strict-origin-when-cross-origin or stricter to limit leakage.
⚠User-Agent sniffing for features
Browser detection via User-Agent is brittle — always use feature detection in JavaScript instead. User-Agent is for logging and analytics, not functional decisions.
HTTP Headers Lookup — comparisons and alternatives
Compared to the IANA header registry, this tool provides explanations, examples, and practical guidance. IANA is terse; this tool is the practitioner\u2019s reference on top.
Compared to MDN\u2019s header reference, this tool is more compact and focused on the most common use cases. MDN has excellent detail; this tool has faster lookup.
Compared to reading RFCs directly, this tool is vastly more readable while still linking to authoritative sources. RFCs are the specification; this tool is the summary.
Frequently asked questions about the HTTP Headers Lookup
▶What is the difference between request and response headers?
Request headers are sent by the client to the server (Accept, Authorization, Cookie, User-Agent). Response headers are sent by the server back to the client (Content-Type, Set-Cookie, WWW-Authenticate). Some headers work in both directions (Cache-Control, Content-Type).
▶Which security headers are essential?
At minimum: Strict-Transport-Security (force HTTPS), Content-Security-Policy (control script sources), X-Content-Type-Options: nosniff, Referrer-Policy. For older browsers: X-Frame-Options: DENY or SAMEORIGIN (though CSP frame-ancestors is the modern replacement).
▶What does Cache-Control: no-cache actually do?
Confusingly, no-cache does NOT mean "do not cache". It means "cache may store but must revalidate with origin before using". To truly prevent caching, use no-store. The names are historical and widely misunderstood.
▶How do CORS preflight requests work?
For non-simple cross-origin requests (any with custom headers, or methods other than GET/POST/HEAD), the browser sends an OPTIONS preflight request first. The server responds with Access-Control-Allow-* headers indicating what is permitted. If the preflight passes, the actual request proceeds. Access-Control-Max-Age caches preflight results to reduce round-trips.
▶What is the difference between ETag and Last-Modified?
ETag is a version identifier (usually a hash) that changes whenever content changes. Last-Modified is a timestamp of the last change. ETag is more precise (detects content change even if timestamp is the same) but harder to generate; Last-Modified is simpler but less accurate. Use either with If-None-Match or If-Modified-Since for conditional requests.
▶Are header names case-sensitive?
No. HTTP header names are case-insensitive per RFC 9110. Content-Type, content-type, and CONTENT-TYPE all mean the same thing. By convention, Title-Case is used (Content-Type). HTTP/2 requires lowercase in binary frames, but HTTP/1.1 text frames accept any case.
▶What is the User-Agent string for?
User-Agent identifies the client software (browser, version, OS) making the request. Useful for analytics and logging. Avoid using User-Agent for feature detection in JavaScript — use feature detection APIs instead. User-Agent strings are also easily spoofed, so never rely on them for security decisions.
▶Can I add custom headers?
Yes. Custom headers conventionally start with X- (X-Forwarded-For, X-CSRF-Token) though this prefix is deprecated in favor of registered names. For production APIs, consider registering new header names with IANA if they will be widely adopted.
Additional resources
- IANA HTTP Headers Registry — Official registry of HTTP header field names.
- RFC 9110 HTTP Semantics — Current authoritative specification covering HTTP header semantics.
- MDN HTTP Headers — Comprehensive reference with browser compatibility notes.
- OWASP Secure Headers — Open Web Application Security Project guidance on security headers.
- securityheaders.com — Online scanner for evaluating security headers on any URL.
Related tools
All Developer UtilitiesAPI Request Builder
Build and test HTTP API requests with method, headers, body, authentication, and query parameters — inspect full response in your browser.
cURL to Code Converter
Convert cURL commands to equivalent code in Python (requests), JavaScript (fetch), PHP, Go, Ruby, Node, and other languages.
Hash Generator
Generate MD5, SHA-1, SHA-256, SHA-512 hashes for text and files
HTTP Status Code Reference
Complete reference for every HTTP status code with meaning, usage guidelines, and examples for REST API design.
HTTP Status Code Lookup
Quick lookup tool for HTTP status codes — enter any status number and get the meaning, category, and usage guidelines instantly.
JSON Formatter
Format, validate, and beautify JSON instantly in your browser
Learn more
Explore more tools
200+ free tools that run in your browser.
Browse all tools →