HTTP headers are name and value pairs sent with every request and response. They carry metadata such as content type, caching rules, authentication, cookies, and security policy. This reference lists the headers you meet most, split into request and response headers.
Request headers
| Header | Meaning | Example |
|---|---|---|
| Accept | Which content types the client can handle | Accept: text/html |
| Accept-Encoding | Which compression the client supports | Accept-Encoding: gzip, br |
| Accept-Language | Preferred languages | Accept-Language: en-US |
| Authorization | Credentials for authentication | Authorization: Bearer TOKEN |
| Cache-Control | Caching rules for the request | Cache-Control: no-cache |
| Content-Type | The media type of the request body | Content-Type: application/json |
| Cookie | Cookies stored for the site | Cookie: id=abc |
| Host | The domain of the server | Host: example.com |
| Origin | The origin that made the request | Origin: https://example.com |
| Referer | The page that linked to this request | Referer: https://example.com/ |
| User-Agent | The client app and version | User-Agent: Mozilla/5.0 |
| If-None-Match | Conditional request using an ETag | If-None-Match: "abc123" |
| Range | Request only part of a resource | Range: bytes=0-1023 |
Response headers
| Header | Meaning | Example |
|---|---|---|
| Content-Type | The media type of the response body | Content-Type: text/html; charset=UTF-8 |
| Content-Length | The size of the body in bytes | Content-Length: 3495 |
| Content-Encoding | How the body is compressed | Content-Encoding: gzip |
| Cache-Control | How the response may be cached | Cache-Control: max-age=3600 |
| ETag | A version identifier for caching | ETag: "abc123" |
| Last-Modified | When the resource last changed | Last-Modified: Wed, 21 Oct 2026 07:28:00 GMT |
| Location | Where a redirect points | Location: https://example.com/new |
| Set-Cookie | Sets a cookie on the client | Set-Cookie: id=abc; HttpOnly |
| Access-Control-Allow-Origin | Which origins may read the response (CORS) | Access-Control-Allow-Origin: * |
| Strict-Transport-Security | Forces HTTPS for future visits | Strict-Transport-Security: max-age=31536000 |
| Content-Security-Policy | Restricts what the page may load | Content-Security-Policy: default-src 'self' |
| X-Frame-Options | Controls framing to prevent clickjacking | X-Frame-Options: DENY |
| WWW-Authenticate | Tells the client how to authenticate | WWW-Authenticate: Basic |
| Retry-After | When to retry after a 429 or 503 | Retry-After: 120 |
Frequently Asked Questions
What is an HTTP header?
It is a name and value pair sent with a request or response that carries metadata, such as the content type or caching rules.
What is the difference between request and response headers?
Request headers are sent by the client to describe what it wants. Response headers are sent by the server to describe what it returns.
What does Content-Type do?
It tells the other side the media type of the body, such as JSON or HTML, so it can be parsed correctly.
What are security headers?
Headers like Strict-Transport-Security, Content-Security-Policy, and X-Frame-Options harden a site against common attacks.
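An added example, not part of the original page: a small Python audit of the security-related response headers from the table above. The sample response is constructed, and the finding names and the one-year HSTS threshold are assumptions of this example.

```python
import re

# Constructed sample response head (not captured from a real server).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: id=abc; HttpOnly\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "Content-Security-Policy: default-src self\r\n"
    "\r\n"
)
CSP_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}

def parse_headers(raw):
    """Return {lowercased name: [values]}; repeated headers (Set-Cookie) are all kept."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw, min_hsts_age=31536000):  # threshold is this example's assumption
    h, findings = parse_headers(raw), []
    hsts = h.get("strict-transport-security")
    m = re.search(r'max-age="?(\d+)', hsts[0], re.I) if hsts else None
    if not m:
        findings.append("hsts-missing")
    elif int(m.group(1)) < min_hsts_age:
        findings.append("hsts-short-max-age")
    csp = h.get("content-security-policy")
    if not csp:
        findings.append("csp-missing")
    for token in " ".join(csp or []).replace(";", " ").split():
        if token.lower() in CSP_KEYWORDS:  # self without quotes is read as a host name
            findings.append("csp-unquoted-keyword:" + token)
    framed = "frame-ancestors" in " ".join(csp or []).lower() or any(
        v.upper() in ("DENY", "SAMEORIGIN") for v in h.get("x-frame-options", []))
    if not framed:
        findings.append("framing-unrestricted")
    for cookie in h.get("set-cookie", []):
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append("cookie-missing-" + flag + ":" + cookie.split("=")[0])
    if "*" in h.get("access-control-allow-origin", []):
        findings.append("cors-wildcard")  # any origin may read this response
    return findings
```

Calling `audit(SAMPLE)` returns one finding per weak setting in the constructed response; a response with all of the hardened values returns an empty list.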