HTTP Headers

Introduction: What Are HTTP Headers?

HTTP headers are metadata sent between a client (like a browser or app) and a server when making HTTP requests or responses. They provide essential information about the communication, such as content type, authentication credentials, caching rules, and user-agent details.

Think of HTTP headers as the envelopes around your web messages—they don’t contain the main content, but they describe how that content should be interpreted, processed, or handled.

Every time you visit a webpage, click a button in a web app, or call an API, HTTP headers are silently at work behind the scenes, enabling the correct behavior of everything from security to speed to personalization.

The Role of Headers in HTTP Communication

When a client sends a request to a server—whether it’s fetching a webpage, submitting a form, or making an AJAX call—it sends a request header. The server then responds with a response header.

There are three main types of headers:

1. Request Headers – Sent by the client to provide context about the request
2. Response Headers – Sent by the server to describe the response
3. Entity Headers – Describe the body of the request or response (if present)

Anatomy of an HTTP Header

Each header is a key-value pair in the format:

Header-Name: Header-Value

Multiple headers are sent one per line, and they are case-insensitive.

Example Request Header:

GET /index.html HTTP/1.1  
Host: www.example.com  
User-Agent: Mozilla/5.0  
Accept-Language: en-US

Example Response Header:

HTTP/1.1 200 OK  
Content-Type: text/html; charset=UTF-8  
Content-Length: 3480  
Cache-Control: no-cache

Common Request Headers

These are some of the most frequently used headers sent by clients (like browsers or HTTP clients).

Host

Indicates the domain name of the server.

Host: api.example.com

User-Agent

Identifies the client making the request (browser, app, bot).

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

Used for analytics, feature detection, and content optimization.

Accept

Specifies the media types the client can handle.

Accept: text/html,application/json

Authorization

Carries credentials (like tokens or API keys).

Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Critical for API authentication and secure sessions.

Content-Type

Indicates the format of the request body, especially for POST/PUT.

Content-Type: application/json

Accept-Encoding

Declares which compression formats the client can handle.

Accept-Encoding: gzip, deflate

Often used for reducing data transfer size.

Referer (yes, with one “r”)

Indicates the URL of the page that made the request.

Referer: https://example.com/products

Used for analytics, but can leak sensitive information if not handled properly.

Cookie

Sends cookies previously set by the server.

Cookie: session_id=abc123; theme=dark

Enables session tracking and user preferences.

Common Response Headers

Servers use response headers to instruct clients on how to interpret the content, handle caching, manage security, and more.

Content-Type

Tells the client what type of content is being returned.

Content-Type: application/json

Examples include:

• text/html for webpages
• application/xml for XML data
• application/octet-stream for binary files

Content-Length

Specifies the size of the response body in bytes.

Content-Length: 4592

Helpful for buffering and content streaming.

Cache-Control

Controls how and for how long content is cached.

Cache-Control: no-cache, no-store, must-revalidate

Other options include:

• public, private, max-age=3600, s-maxage, immutable

ETag

An identifier for a specific version of a resource. Used in conditional requests to avoid downloading unchanged files.

ETag: "e9c4d3f5b1ce6"

Set-Cookie

Instructs the browser to store a cookie.

Set-Cookie: theme=dark; Path=/; HttpOnly; Secure

Cookies can persist sessions, preferences, or login states.

Location

Used in redirects to tell the client where to go next.

Location: https://example.com/newpage

Usually returned with a 3xx status code.

Access-Control-Allow-Origin

Defines which origins are allowed to access the resource, enabling Cross-Origin Resource Sharing (CORS).

Access-Control-Allow-Origin: *

Restrictive values can improve API security.

Security-Related HTTP Headers

Security headers help protect against common attacks like XSS, clickjacking, and protocol downgrade.

Content-Security-Policy (CSP)

Specifies which sources of content are allowed.

Content-Security-Policy: default-src 'self'; img-src https://cdn.example.com

Mitigates cross-site scripting and content injection.

Strict-Transport-Security (HSTS)

Forces the browser to only use HTTPS for a given site.

Strict-Transport-Security: max-age=31536000; includeSubDomains

Prevents protocol downgrade attacks.

X-Frame-Options

Prevents the page from being embedded in a <frame> or <iframe>, defending against clickjacking.

X-Frame-Options: DENY

X-Content-Type-Options

Stops the browser from trying to guess the content type, which can prevent MIME-type sniffing attacks.

X-Content-Type-Options: nosniff

Referrer-Policy

Controls how much referrer information is included in outbound requests.

Referrer-Policy: no-referrer-when-downgrade

Useful for maintaining privacy and securing sensitive data.

Custom Headers and X-Headers

Custom headers allow developers to include application-specific data in requests or responses.

X-Request-ID

Used to trace individual requests through logs and distributed systems.

X-Request-ID: 8a9d9c3f-f1a2-45d6-b7f6-b9c12a8e7b65

X-RateLimit-Limit / Remaining / Reset

Provide rate-limiting info to clients.

X-RateLimit-Limit: 1000  
X-RateLimit-Remaining: 798  
X-RateLimit-Reset: 1623456000

Useful for APIs and usage enforcement.

Deprecated “X-” Prefix

Although still widely used, the IETF no longer recommends “X-” for custom headers. Instead, developers should name headers in a way that clearly identifies their application or purpose.

HTTP Headers in Authentication

HTTP headers play a crucial role in enabling authentication mechanisms across web applications and APIs.

Authorization

Carries credentials like tokens, API keys, or Basic Auth strings.

Authorization: Bearer eyJhbGciOiJIUzI1NiIsIn...

Used in:

• OAuth 2.0
• JWT
• HMAC-based systems
• Basic and Digest Auth

WWW-Authenticate

Sent by the server in a 401 response to indicate what kind of authentication is required.

WWW-Authenticate: Basic realm="Restricted Area"

Initiates authentication dialog in browsers or challenges API clients.

Cookie

Often used for session-based authentication.

Cookie: session_id=9as8d7as8d7as8

Must be protected with attributes like HttpOnly, Secure, and SameSite.

Caching and Performance Headers

Headers are instrumental in determining how responses are stored and reused, affecting performance and scalability.

Cache-Control

Tells clients and proxies how to cache the response.

Cache-Control: public, max-age=600

Directives include:

• no-cache: must revalidate before use
• no-store: must not be cached
• max-age: how long to cache in seconds
• immutable: signals that the response won’t change

ETag

Acts as a version tag for a resource.

• Client sends If-None-Match with stored ETag
• Server responds with 304 Not Modified if unchanged

Saves bandwidth and speeds up load times.

Expires

Legacy header that provides a timestamp when the resource becomes stale.

Expires: Wed, 21 Oct 2025 07:28:00 GMT

Used in conjunction with or overridden by Cache-Control.

Vary

Specifies which request headers affect the cache.

Vary: Accept-Encoding

Tells caches to store different versions based on encoding.

Header Injection and Security Risks

HTTP headers can be manipulated or exploited if not handled carefully.

HTTP Response Splitting

Occurs when attackers inject newline characters into headers to forge additional responses.

Example vulnerability:

Location: /dashboard\nSet-Cookie: admin=true

Can lead to XSS or cache poisoning.

Prevention:

• Validate and sanitize all input
• Disallow carriage return (CR) and line feed (LF) in header values

Information Leakage

Over-sharing through headers can expose server internals.

Risky headers:

• Server: Apache/2.4.46 (Ubuntu)
• X-Powered-By: PHP/7.4.12

Best practice: Strip or override these headers unless required for debugging.

Best Practices for Using HTTP Headers

1. Use Standard Headers When Possible
   Rely on established headers like Authorization, Content-Type, Cache-Control to ensure compatibility.
2. Secure Cookies with Flags
   Always include HttpOnly, Secure, and SameSite=Strict or Lax when using cookies for authentication.
3. Enforce HTTPS with HSTS
   Send Strict-Transport-Security to prevent downgrade attacks.
4. Define Clear Caching Rules
   Use Cache-Control and ETag effectively to improve performance and control resource freshness.
5. Limit CORS Exposure
   Avoid wildcard * in Access-Control-Allow-Origin unless strictly necessary.
6. Log and Monitor Headers
   Track headers like X-Request-ID, User-Agent, and Referer for observability and anomaly detection.
7. Set Security Headers by Default
   Headers like X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy should be part of your standard header set.

Final Thoughts

HTTP headers may seem like background noise compared to HTML or JavaScript, but they are the backbone of secure, performant, and intelligent web communication. From authentication and content negotiation to caching and security enforcement, headers determine how servers and clients interact—and ultimately, how end-users experience the web.

Whether you’re building APIs, optimizing websites, hardening security, or troubleshooting requests, understanding HTTP headers is an essential skill for any developer, DevOps engineer, or system architect.

Related Keywords

Authorization Header
Cache Control
CORS
Content Security Policy
Content Type
ETag
HTTP Request
HTTP Response
HTTPS
Referrer Policy
Request Header
Response Header
Set Cookie
Strict Transport Security
User Agent