Introduction: What Are HTTP Headers?

HTTP headers are metadata sent between a client (like a browser or app) and a server when making HTTP requests or responses. They provide essential information about the communication, such as content type, authentication credentials, caching rules, and user-agent details.

Think of HTTP headers as the envelopes around your web messages—they don’t contain the main content, but they describe how that content should be interpreted, processed, or handled.

Every time you visit a webpage, click a button in a web app, or call an API, HTTP headers are silently at work behind the scenes, enabling the correct behavior of everything from security to speed to personalization.

The Role of Headers in HTTP Communication

When a client sends a request to a server—whether it’s fetching a webpage, submitting a form, or making an AJAX call—it sends a request header. The server then responds with a response header.

There are three main types of headers:

  1. Request Headers – Sent by the client to provide context about the request
  2. Response Headers – Sent by the server to describe the response
  3. Entity Headers – Describe the body of the request or response (if present)

Anatomy of an HTTP Header

Each header is a key-value pair in the format:

Header-Name: Header-Value

Multiple headers are sent one per line, and header names are case-insensitive (Content-Type and content-type are the same header).

Example Request Header:

GET /index.html HTTP/1.1  
Host: www.example.com  
User-Agent: Mozilla/5.0  
Accept-Language: en-US

Example Response Header:

HTTP/1.1 200 OK  
Content-Type: text/html; charset=UTF-8  
Content-Length: 3480  
Cache-Control: no-cache

Common Request Headers

These are some of the most frequently used headers sent by clients (like browsers or HTTP clients).

Host

Indicates the domain name of the server.

Host: api.example.com

User-Agent

Identifies the client making the request (browser, app, bot).

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

Used for analytics, feature detection, and content optimization.

Accept

Specifies the media types the client can handle.

Accept: text/html,application/json

Authorization

Carries credentials (like tokens or API keys).

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Critical for API authentication and secure sessions.

Content-Type

Indicates the format of the request body, especially for POST/PUT.

Content-Type: application/json

Accept-Encoding

Declares which compression formats the client can handle.

Accept-Encoding: gzip, deflate

Often used for reducing data transfer size.

Referer (yes, with one “r”)

Indicates the URL of the page that made the request.

Referer: https://example.com/products

Used for analytics, but can leak sensitive information if not handled properly.

Cookie

Sends cookies previously set by the server.

Cookie: session_id=abc123; theme=dark

Enables session tracking and user preferences.

Common Response Headers

Servers use response headers to instruct clients on how to interpret the content, handle caching, manage security, and more.

Content-Type

Tells the client what type of content is being returned.

Content-Type: application/json

Examples include:

  • text/html for webpages
  • application/xml for XML data
  • application/octet-stream for binary files

Content-Length

Specifies the size of the response body in bytes.

Content-Length: 4592

Helpful for buffering and content streaming.

Cache-Control

Controls how and for how long content is cached.

Cache-Control: no-cache, no-store, must-revalidate

Other directives include:

  • public
  • private
  • max-age=3600
  • s-maxage
  • immutable

ETag

An identifier for a specific version of a resource. Used in conditional requests to avoid downloading unchanged files.

ETag: "e9c4d3f5b1ce6"

Set-Cookie

Instructs the browser to store a cookie.

Set-Cookie: theme=dark; Path=/; HttpOnly; Secure

Cookies can persist sessions, preferences, or login states.

Location

Used in redirects to tell the client where to go next.

Location: https://example.com/newpage

Usually returned with a 3xx status code.

Access-Control-Allow-Origin

Defines which origins are allowed to access the resource, enabling Cross-Origin Resource Sharing (CORS).

Access-Control-Allow-Origin: *

A wildcard (*) lets any origin read the response; restricting the value to specific trusted origins improves API security.

Security-Related HTTP Headers

Security headers help protect against common attacks like XSS, clickjacking, and protocol downgrade.

Content-Security-Policy (CSP)

Specifies which sources of content are allowed.

Content-Security-Policy: default-src 'self'; img-src https://cdn.example.com

Mitigates cross-site scripting and content injection.

Strict-Transport-Security (HSTS)

Forces the browser to only use HTTPS for a given site.

Strict-Transport-Security: max-age=31536000; includeSubDomains

Prevents protocol downgrade attacks.
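The following is an added example, not code from the original article: it parses a raw response into the one-per-line, case-insensitive "Header-Name: Header-Value" form described earlier, then audits the security headers and cookie attributes this article covers (CSP, HSTS, X-Frame-Options, the CORS wildcard, and the HttpOnly/Secure cookie flags). The sample response is constructed for the example.

```python
# Added example (not from the original article). Parses an HTTP/1.1
# response's header block and audits the security-related headers
# discussed in the text. SAMPLE_RESPONSE below is constructed.
from typing import Dict, List

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Return header fields keyed by lower-cased name (names are
    case-insensitive). Values are kept in a list because a header such
    as Set-Cookie may legitimately appear more than once."""
    headers: Dict[str, List[str]] = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():        # blank line ends the header block
            break
        name, sep, value = line.partition(":")  # first colon only
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_security_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings; an empty list means nothing to report."""
    findings: List[str] = []
    for required in ("content-security-policy",
                     "strict-transport-security", "x-frame-options"):
        if required not in headers:
            findings.append(f"missing {required}")
    if headers.get("access-control-allow-origin") == ["*"]:
        findings.append("access-control-allow-origin is a wildcard")
    for cookie in headers.get("set-cookie", []):
        # attributes follow the first ';' and are case-insensitive
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        cookie_name = cookie.split("=", 1)[0]
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
    return findings

# Constructed sample: no HSTS, wildcard CORS origin, and one cookie
# set without the Secure attribute.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "content-security-policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Set-Cookie: session_id=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/; HttpOnly; Secure\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for finding in audit_security_headers(parse_headers(SAMPLE_RESPONSE)):
        print(finding)
```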

X-Frame-Options

Prevents the page from being embedded in a or