Request and response headers by category — syntax, directives, security notes, and related headers/codes.
AuthorizationAuthorization is the request header a client uses to present its credentials to the server. It carries a scheme (Basic, Bearer, Digest, ...) plus matching credentials and is the primary means of accessing protected resources.WWW-AuthenticateWWW-Authenticate rides on a 401 Unauthorized response to tell the client which authentication scheme it must use to present credentials. It acts as the server's authentication challenge.Access-Control-Allow-CredentialsAccess-Control-Allow-Credentials is the CORS header that specifies whether the browser may hand a response to scripts when a cross-origin request carries credentials such as cookies, HTTP auth, or client certificates.Access-Control-Allow-HeadersAccess-Control-Allow-Headers is the CORS preflight-response header that declares which custom or non-simple request headers a cross-origin actual request may send. Including a header not permitted here in the real request gets blocked by the browser.Access-Control-Allow-MethodsAccess-Control-Allow-Methods is the header in a CORS preflight (OPTIONS) response that tells the browser which HTTP methods a cross-origin request may actually use. Sending a real request with a method not listed here is blocked by the browser.Access-Control-Allow-OriginAccess-Control-Allow-Origin (ACAO) is the core CORS header specifying which origin may read this response beyond the browser's Same-Origin Policy (SOP). If it's absent or doesn't match the request origin, the browser blocks access to the response body.OriginOrigin is the request header that tells the server the origin (scheme + host + port) that initiated the request. Unlike Referer it omits path and query, making it more privacy-friendly, and it is central to CORS and CSRF checks.AgeAge is a header stating, in seconds, how long a response has been sitting in a cache since it was generated at the origin. It is typically added when a shared cache like a CDN or proxy serves a stored response.Cache-ControlCache-Control carries a list of directives that dictate caching behavior on both requests and responses. On a response it tells browsers, CDNs, and proxies how long and how to store and reuse the response. It is the de facto standard for HTTP caching policy.ExpiresExpires is a caching header that specifies the absolute time at which a response becomes stale. Until that time, a cache may reuse the stored response without re-asking the server.VaryVary tells caches which request-header values this response depends on. Even for the same URL, a cache treats differing values of the listed headers as separate cache entries, preventing the wrong representation from being served to the wrong user.ETagAn ETag (Entity Tag) is an opaque string identifying a specific version of a resource representation. When the content changes, the ETag changes, so client and server compare it to decide whether a cache is still valid or to perform optimistic concurrency control.If-MatchIf-Match is a conditional request header that lets the request proceed only if the client's ETag matches the server's current ETag. It is mainly used on writes (PUT, DELETE) as optimistic locking to prevent concurrent-edit conflicts.If-Modified-SinceIf-Modified-Since is a conditional request header where the client sends the last-modified time of its cached copy, asking the server to return the body only if the resource changed after that time. It provides date-based cache revalidation.If-None-MatchIf-None-Match is a conditional request header where the client sends the ETag of its cached representation, asking the server to return the body only if it differs from that ETag. It is the most precise means of cache revalidation.If-Unmodified-SinceIf-Unmodified-Since is a conditional request header that lets the request proceed only if the resource has not changed since the given time. It is used for time-based concurrent-edit protection and is the opposite of If-Modified-Since.Last-ModifiedLast-Modified is a response header telling the client when the server believes the resource last changed. The client stores this timestamp and uses it in conditional requests to reuse its cache if nothing changed since.ConnectionConnection controls how the current transport connection is handled: whether to keep it open for reuse (keep-alive), close it after the response (close), or switch protocols (upgrade). It is central to persistent-connection management in HTTP/1.1.Transfer-EncodingTransfer-Encoding is a hop-by-hop header specifying the encoding applied to safely transfer the message body over the network. Its main value, `chunked`, splits the body into size-prefixed pieces and enables streaming when the total size isn't known in advance.AcceptAccept tells the server which media (MIME) types the client is willing to receive in the response body, kicking off content negotiation. The server picks the most suitable representation according to these preferences.Accept-EncodingAccept-Encoding tells the server which content compression schemes the client can decode. The server picks one, compresses the body, and reports the scheme actually used in the Content-Encoding header.Accept-LanguageAccept-Language tells the server the natural languages (Korean, English, etc.) the user prefers, with priorities. Multilingual sites use it to decide which language of content to serve.Content-DispositionContent-Disposition tells the browser whether to display the response body inline in the page or handle it as a download (attachment). For downloads it can also suggest a filename for the save dialog.Content-EncodingContent-Encoding states the compression/transformation actually applied to the body. The receiver reads it, restores (decodes) the body to its original form, then interprets it per Content-Type.Content-LengthContent-Length states the size of the message body as a decimal number of bytes. The receiver uses it to know exactly how far to read the body — that is, the message boundary.Content-TypeContent-Type indicates the media (MIME) type of the message body. In a request it declares the format being sent; in a response it declares the format being received, so the other side interprets the data correctly.CookieCookie is the request header a browser uses to send back the cookies a server previously planted via Set-Cookie. It is the core mechanism for keeping session, login, and personalization state on top of stateless HTTP.Set-CookieSet-Cookie is a response header that instructs the client to store a cookie. The browser saves it and sends it back on subsequent requests to the same site via the Cookie header, enabling session management, keeping auth state, and personalization.Retry-AfterRetry-After is a response header telling the client when it may retry. It is used during overload/maintenance (503) or rate-limit overruns (429) to prevent reckless retries and give the server time to recover.User-AgentUser-Agent tells the server the type and version of the client software (browser, bot, library) that sent the request. Servers use it to tailor content, gather analytics, block clients, or apply compatibility workarounds.Accept-RangesAccept-Ranges is a response header telling the client whether the server supports range requests (Range) for this resource. A value of bytes means the client can attempt partial fetches for resuming or seeking.Content-RangeContent-Range tells the client, in a partial response (206 Partial Content), where the bytes being sent fit within the full resource. The client uses this to stitch multiple chunks together in the right place.RangeRange requests only a portion of a resource (usually a byte range) rather than the whole thing. It is essential for resuming large downloads, seeking in media streams, and parallel segmented downloads.AllowAllow is a response header listing the HTTP methods a specific resource supports. It lets clients learn which operations (GET, POST, DELETE, etc.) they may perform on that resource.HostHost carries the domain name (and optional port) of the server the request targets, and it is the only mandatory request header in HTTP/1.1. In virtual hosting, where many domains share one IP address, the server reads this value to decide which site to serve.LocationLocation is a response header that points to a redirect target or the URL of a newly created resource. On 3xx responses the browser auto-navigates to it; on 201 Created it tells you where the just-created resource lives.Content-Security-PolicyContent-Security-Policy (CSP) is a security header that finely controls, via directives, which sources of scripts, styles, images, frames, and more the browser may load or execute on a page. By blocking untrusted resources it strongly mitigates XSS, data exfiltration, and clickjacking.RefererReferer is the request header that names the URL of the previous page — the page whose link or resource led the user to this request. It is used for traffic-source analytics, referral stats, and basic access control.Referrer-PolicyReferrer-Policy is a security/privacy header controlling how much origin information the browser includes in the Referer header when navigating to another page or requesting a resource. You can choose between the full URL, origin only, or nothing.Strict-Transport-SecurityStrict-Transport-Security (HSTS) is a security header telling the browser to only ever connect to this site over HTTPS. Once received, for the duration of max-age the browser auto-upgrades any http:// attempt to https:// and won't let the user click through certificate errors.X-Content-Type-OptionsX-Content-Type-Options: nosniff is a security header that turns off the browser's habit of inspecting a response's actual bytes and guessing its Content-Type (MIME sniffing). It makes the browser trust the server-declared Content-Type verbatim.X-Frame-OptionsX-Frame-Options is a security header that controls whether this page may be embedded inside another page's <iframe>, <frame>, or <object>. Its main purpose is clickjacking defense — stopping an attacker from overlaying your page as a transparent frame to hijack the user's clicks.