HTTP Headers Cheatsheet

Specifies the media types the client can process in the response

Accept: application/json, text/html;q=0.9, */*;q=0.8

Contains credentials to authenticate the client with the server

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Indicates the media type of the request body being sent

Content-Type: application/json; charset=utf-8

Sends stored cookies from the client to the server

Cookie: sessionId=abc123; theme=dark; lang=en

Identifies the client application, operating system, and version

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0

Makes request conditional; returns 304 if resource unchanged since date

If-Modified-Since: Wed, 21 Oct 2024 07:28:00 GMT

Makes request conditional; returns 304 if ETag matches cached version

If-None-Match: "33a64df551425fcc55e4d42a148795d9"

Indicates the origin of the request; used for CORS and security

Origin: https://www.example.com

Contains the URL of the page that linked to the current request

Referer: https://www.google.com/search?q=http+headers

Indicates the media type of the response body

Content-Type: text/html; charset=UTF-8

Indicates the size of the response body in bytes

Content-Length: 3495

Specifies caching directives for both requests and responses

Cache-Control: public, max-age=31536000, immutable

Unique identifier for a specific version of a resource

ETag: "33a64df551425fcc55e4d42a148795d9f8f"

Date and time the resource was last modified on the server

Last-Modified: Tue, 15 Nov 2024 12:45:26 GMT

Indicates the URL to redirect a page to; used with 3xx or 201 status

Location: https://www.example.com/new-page

Sends a cookie from the server to be stored on the client

Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Strict; Max-Age=86400

Indicates which request headers affect the response content for caching

Vary: Accept-Encoding, Accept-Language, Origin

Controls resources the browser is allowed to load for the page

Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'

Prevents the page from being embedded in iframes to stop clickjacking

X-Frame-Options: DENY

Prevents browsers from MIME-sniffing a response from declared content-type

X-Content-Type-Options: nosniff

Forces browsers to use HTTPS for all future requests to the domain

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Controls how much referrer information is sent with requests

Referrer-Policy: strict-origin-when-cross-origin

Controls which browser features and APIs can be used on the page

Permissions-Policy: geolocation=(self), camera=(), microphone=()

Specifies which origins are allowed to access the resource

Access-Control-Allow-Origin: https://www.example.com

Specifies allowed HTTP methods when accessing the resource

Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS

Specifies allowed request headers for cross-origin requests

Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With

Indicates whether the response can be shared when credentials are included

Access-Control-Allow-Credentials: true

Indicates how long preflight request results can be cached

Access-Control-Max-Age: 86400

Specifies which headers can be exposed to JavaScript in the browser

Access-Control-Expose-Headers: X-Custom-Header, Content-Length

Maximum time a resource is considered fresh in seconds

Cache-Control: max-age=3600

Must revalidate with server before using cached response

Cache-Control: no-cache

Response must not be stored in any cache; always fetch fresh

Cache-Control: no-store

Response can be cached by any cache including CDNs and proxies

Cache-Control: public, max-age=86400

Response is intended for a single user and must not be cached by shared caches

Cache-Control: private, max-age=3600

Indicates the response body will not change over time

Cache-Control: public, max-age=31536000, immutable

Serve stale content while revalidating in the background

Cache-Control: max-age=3600, stale-while-revalidate=86400

Fallback policy for all resource types not explicitly defined

Content-Security-Policy: default-src 'self'

Controls valid sources for JavaScript execution

Content-Security-Policy: script-src 'self' 'unsafe-inline' https://cdn.example.com

Controls valid sources for stylesheets

Content-Security-Policy: style-src 'self' 'unsafe-inline'

Controls valid sources for images and favicons

Content-Security-Policy: img-src 'self' data: https:

Controls URLs that can be loaded using fetch, XHR, and WebSocket

Content-Security-Policy: connect-src 'self' https://api.example.com wss://ws.example.com

Specifies valid parents that may embed the page in frames

Content-Security-Policy: frame-ancestors 'self' https://trusted.com

Instructs browsers to upgrade HTTP requests to HTTPS

Content-Security-Policy: upgrade-insecure-requests