HTTP Headers Reference
Complete reference for HTTP request and response headers.
Credentials to authenticate the client with the server.
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Include in every request requiring authentication — APIs, protected routes.

Credentials to authenticate the client with a proxy server.
Proxy-Authorization: Basic dXNlcjpwYXNz
Use when routing through a proxy that requires authentication.

Directives for caching mechanisms in the request.
Cache-Control: no-cache
Use no-cache to revalidate, no-store to prevent caching entirely.

Legacy HTTP/1.0 caching directive — superseded by Cache-Control.
Pragma: no-cache
Only for backward compatibility with HTTP/1.0 proxies. Prefer Cache-Control.

Makes the request conditional — the server returns 304 if the resource has not been modified since the given date.
If-Modified-Since: Wed, 21 Oct 2024 07:28:00 GMT
Use for conditional GETs to save bandwidth when content may not have changed.

The server only performs the action if the resource has not changed since the given date.
If-Unmodified-Since: Sat, 29 Oct 2024 19:43:31 GMT
Use with PUT/PATCH to prevent lost updates (optimistic concurrency).

Conditional on ETag — returns 304 Not Modified if unchanged.
If-None-Match: "bfc13a64729c4290ef5b2c2730249c88"
Use for efficient cache validation — pair with the ETag response header.

The server performs the action only if the ETag matches the current resource.
If-Match: "bfc13a64729c4290ef5b2c2730249c88"
Use with PUT to prevent overwriting concurrent modifications.

Sends a range request conditionally — only if the resource is unchanged since the last fetch.
If-Range: Wed, 21 Oct 2024 07:28:00 GMT
Use when resuming a download to verify the resource hasn't changed.
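The conditional headers above (If-None-Match for cache validation, If-Match for optimistic concurrency) are easiest to understand as server-side logic. The following is an added example, not code from the original reference: a minimal in-memory resource store whose GET honours If-None-Match (weak comparison, 304 on a match) and whose PUT requires If-Match (strong comparison, 412 Precondition Failed on a stale tag, 428 Precondition Required when the header is missing). The store, the ETag derivation and the status choices are this example's own assumptions.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Resource:
    body: bytes

    @property
    def etag(self) -> str:
        # Strong ETag derived from the representation bytes, quoted as the header requires.
        return '"%s"' % hashlib.sha256(self.body).hexdigest()[:32]


@dataclass
class Store:
    resources: dict = field(default_factory=dict)


def _header(headers, name):
    """Case-insensitive lookup, since header field names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _parse_etag_list(value):
    """Split an If-Match / If-None-Match field into its ETag tokens (or ['*'])."""
    value = value.strip()
    if value == "*":
        return ["*"]
    return [tag.strip() for tag in value.split(",") if tag.strip()]


def _strip_weak(tag):
    # Weak comparison ignores the W/ prefix; strong comparison does not.
    return tag[2:] if tag.startswith("W/") else tag


def handle_get(store, path, headers):
    """GET with If-None-Match: 304 when the client's copy is still current."""
    res = store.resources.get(path)
    if res is None:
        return 404, b"", {}
    inm = _header(headers, "If-None-Match")
    if inm is not None:
        tags = _parse_etag_list(inm)
        if "*" in tags or _strip_weak(res.etag) in {_strip_weak(t) for t in tags}:
            return 304, b"", {"ETag": res.etag}
    return 200, res.body, {"ETag": res.etag}


def handle_put(store, path, body, headers):
    """PUT with If-Match: refuse to overwrite a representation the client has not seen."""
    res = store.resources.get(path)
    if res is not None:
        im = _header(headers, "If-Match")
        if im is None:
            # Assumption of this example: updates to an existing resource must be conditional.
            return 428, b"If-Match required", {}
        tags = _parse_etag_list(im)
        # Strong comparison: a weak tag (W/"...") never matches for state-changing methods.
        if "*" not in tags and res.etag not in tags:
            return 412, b"", {"ETag": res.etag}
    store.resources[path] = Resource(body)
    return (200 if res is not None else 201), b"", {"ETag": store.resources[path].etag}


if __name__ == "__main__":
    store = Store()
    handle_put(store, "/doc", b"v1", {})
    status, _, hdrs = handle_get(store, "/doc", {})
    tag = hdrs["ETag"]
    print(status, tag)
    print(handle_get(store, "/doc", {"If-None-Match": tag})[0])          # 304
    print(handle_put(store, "/doc", b"v2", {"If-Match": tag})[0])       # 200
    print(handle_put(store, "/doc", b"v3", {"If-Match": tag})[0])       # 412: tag is now stale
```

The lost-update case is the last two calls: two clients fetch the same ETag, the first PUT succeeds and changes the tag, and the second PUT carrying the old tag is rejected instead of silently overwriting the first write. The date-based headers (If-Modified-Since, If-Unmodified-Since) follow the same pattern with a timestamp comparison in place of the tag comparison.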

Controls whether the network connection stays open after the current transaction.
Connection: keep-alive
HTTP/1.1 defaults to keep-alive. Use Connection: close to terminate after the response.

Parameters for persistent connections — timeout and max requests.
Keep-Alive: timeout=5, max=1000
Use with Connection: keep-alive to tune persistent connection behavior.

Asks the server to switch to a different protocol.
Upgrade: websocket
Use when initiating a WebSocket connection upgrade from HTTP.

Transfer encodings the client is willing to accept in the response.
TE: trailers, deflate;q=0.5
Use to indicate support for chunked transfer coding with trailers.

Transfer encoding applied to the request body.
Transfer-Encoding: chunked
Use chunked for streaming request bodies of unknown length.

Informs the server about content types the client can process.
Accept: text/html, application/json;q=0.9, */*;q=0.8
Set in API clients to declare the expected response format (e.g. application/json).

Compression algorithms the client supports.
Accept-Encoding: gzip, deflate, br, zstd
Sent automatically by browsers. Set in API clients to enable response compression.

Natural languages the client prefers.
Accept-Language: en-US,en;q=0.9,fr;q=0.5
Used for i18n — the server selects the best matching content language.

Character encodings the client understands. Obsolete — UTF-8 is universal.
Accept-Charset: utf-8, iso-8859-1;q=0.5
Rarely needed today since UTF-8 is the universal default.

Media type and character encoding of the request body.
Content-Type: application/json; charset=utf-8
Required for POST/PUT/PATCH requests. Always specify charset.

Size of the request body in bytes.
Content-Length: 348
Required when a request body is sent without chunked transfer encoding.

Compression applied to the request body.
Content-Encoding: gzip
Use when sending a compressed request body to the server.

Natural language of the request body content.
Content-Language: en-US
Use when sending localized content and the server needs to process it by language.

Indicates the origin (scheme, host, port) of the request.
Origin: https://example.com
Sent automatically by browsers for cross-origin requests. Used in CORS validation.

Used in CORS preflight to tell the server which HTTP method will be used.
Access-Control-Request-Method: POST
Sent automatically before non-simple CORS requests as part of the preflight.

Used in CORS preflight to tell the server which headers the actual request will include.
Access-Control-Request-Headers: Content-Type, Authorization
Sent automatically before CORS requests that include custom headers.

Sends previously stored cookies to the server.
Cookie: session=abc123; theme=dark; csrf=xy
Sent automatically by browsers. Used for session management and preferences.

Relationship between the request origin and the resource's origin.
Sec-Fetch-Site: cross-site
Used by servers to distinguish navigation requests from resource fetches.

Fetch mode of the request — navigate, cors, no-cors, same-origin, etc.
Sec-Fetch-Mode: cors
Enables server-side security policies based on the request's fetch mode.

Whether the navigation request was triggered by user activation.
Sec-Fetch-User: ?1
Use to distinguish user-initiated navigations from programmatic ones.

Destination of the request — document, image, script, worker, audio, etc.
Sec-Fetch-Dest: document
Use to identify what resource type is being requested for CSP policies.

Do Not Track — the user's preference not to be tracked. Not widely honored.
DNT: 1
Respect this preference if received, even though it is non-binding.

Requests only a specific part (byte range) of a resource.
Range: bytes=0-1023
Use for resumable downloads, video streaming, or partial fetches of large files.

Domain name and optional port of the server. Required in HTTP/1.1.
Host: developer.mozilla.org:443
Required in all HTTP/1.1 requests. Enables virtual hosting on servers.

Identifies the application, OS, vendor, and version of the requesting client.
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)…
Sent automatically by browsers. Avoid relying on it for feature detection.

URL of the previous page that linked to the current request. Intentionally misspelled.
Referer: https://developer.mozilla.org/en-US/
Used for analytics and referral tracking. Control with Referrer-Policy.

Controls how much referrer information is included in the Referer header.
Referrer-Policy: strict-origin-when-cross-origin
Set as a meta tag or response header to control the privacy of referrer data.

Email address of the user controlling the requesting user agent.
From: webmaster@example.org
Used by bots/crawlers to identify the operator for contact purposes.

Proxy or intermediaries through which the request was forwarded.
Via: 1.1 vegur
Added by proxies. Used for debugging multi-hop request routing.

Original client IP address when the request passes through a proxy or load balancer.
X-Forwarded-For: 203.0.113.195, 70.41.3.18
Used by load balancers to preserve the client IP. Validate carefully — any client can send this header itself, so trust only the entries appended by your own proxies.

Original Host header when a proxy changes it.
X-Forwarded-Host: en.wikipedia.org
Use to preserve the original host when behind a reverse proxy.

Protocol (http/https) originally used by the client.
X-Forwarded-Proto: https
Use to detect HTTPS when your app is behind a TLS-terminating proxy.

Standardized header replacing X-Forwarded-* for proxy information.
Forwarded: for=192.0.2.60;proto=https;by=203.0.113.43
Prefer over X-Forwarded-* headers in new proxy implementations.
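X-Forwarded-For and Forwarded are only trustworthy for the hops your own proxies appended; whatever the client sent arrives at the left of the list. The following is an added example, not code from the original reference: it recovers the client address by walking the chain from the right (the TCP peer first) and stopping at the first address that is not a trusted proxy, which is how the spoofed entries get ignored. It also includes a small parser for the RFC 7239 Forwarded syntax, since its for= values may be quoted and bracketed (IPv6) or carry a port. The trusted proxy networks, the peer addresses and all header values are constructed for the example.

```python
import ipaddress

# Constructed for this example: the networks our own proxies / load balancers live in.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("10.0.0.0/8")]


def node_ip(node):
    """Normalise one hop to a plain IP string, or None if it is not an IP.
    Accepts '1.2.3.4', '1.2.3.4:8080', '2001:db8::1', '[2001:db8::1]:4711';
    'unknown', obfuscated '_names' and garbage all yield None."""
    node = node.strip()
    if node.startswith("["):                      # bracketed IPv6, optional port
        host = node[1:node.find("]")] if "]" in node else ""
    elif node.count(":") == 1:                    # IPv4 with port
        host = node.split(":")[0]
    else:
        host = node
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return None


def _is_trusted(ip, trusted):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def _client_from_chain(chain, trusted):
    """chain is left-to-right as sent; the last element is the TCP peer we observed.
    Walk from the right past our own proxies; the first other address is the client.
    None means an untrusted hop was not a valid IP: reject rather than guess."""
    for ip in reversed(chain):
        if ip is None or not _is_trusted(ip, trusted):
            return ip
    return chain[0]                               # every hop is ours: internal client


def naive_client_ip(xff):
    """The common mistake: take the leftmost entry, which the client controls."""
    return xff.split(",")[0].strip()


def client_ip_from_xff(xff, peer_ip, trusted=TRUSTED_PROXIES):
    """Client IP from X-Forwarded-For plus the socket peer address."""
    hops = [node_ip(h) for h in xff.split(",") if h.strip()] if xff else []
    return _client_from_chain(hops + [peer_ip], trusted)


def parse_forwarded(value):
    """Parse an RFC 7239 Forwarded field into one dict per forwarded-element,
    honouring quoted-string values (needed for IPv6 node identifiers)."""
    elements, pairs, key, buf = [], {}, None, []
    in_quotes = escaped = False
    for ch in value + ",":                        # sentinel comma closes the last element
        if in_quotes:
            if escaped:
                buf.append(ch)
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_quotes = False
            else:
                buf.append(ch)
            continue
        if ch == '"':
            in_quotes = True
        elif ch == "=" and key is None:
            key, buf = "".join(buf).strip().lower(), []
        elif ch in ";,":
            if key is not None:
                pairs[key] = "".join(buf).strip()
            key, buf = None, []
            if ch == "," and pairs:
                elements.append(pairs)
                pairs = {}
        else:
            buf.append(ch)
    return elements


def client_ip_from_forwarded(value, peer_ip, trusted=TRUSTED_PROXIES):
    """Client IP from the Forwarded header, using the same right-to-left walk."""
    hops = [node_ip(e["for"]) for e in parse_forwarded(value) if "for" in e]
    return _client_from_chain(hops + [peer_ip], trusted)


if __name__ == "__main__":
    spoofed = "1.2.3.4, 198.51.100.7"            # client injected 1.2.3.4; proxy appended the real address
    print(naive_client_ip(spoofed))              # 1.2.3.4  (attacker-chosen)
    print(client_ip_from_xff(spoofed, "203.0.113.5"))   # 198.51.100.7
    print(client_ip_from_forwarded('for="[2001:db8::1]:4711";proto=https', "203.0.113.43"))
```

The peer address is the one value the client cannot forge, so it anchors the walk; the function deliberately returns None when the first untrusted hop is not a valid IP, so that rate limiting or allowlisting built on it fails closed instead of accepting a string the client chose.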

Indicates expectations the server must meet to process the request.
Expect: 100-continue
Use with large request bodies to check server acceptance before sending.

Limits the number of times the request can be forwarded by proxies.
Max-Forwards: 10
Used with the TRACE and OPTIONS methods to limit proxy hops.

Indicates the user's preference to reduce data usage.
Save-Data: on
Serve lower-quality images and skip non-essential resources when set.

Client Hint providing browser brand and significant version information.
Sec-CH-UA: "Chromium";v="119", "Google Chrome";v="119"
Use for analytics. Request it via the Accept-CH response header.

Approximate amount of device RAM in GiB (Client Hint).
Device-Memory: 4
Serve lighter pages and assets on low-memory devices.