HTTP headers are a core part of the HTTP protocol, allowing clients and servers to pass additional information with an HTTP request or response. This cheat sheet provides a quick reference to the most common and important HTTP headers.
These headers contain more information about the resource to be fetched, or about the client requesting the resource.

| Header | Description | Example |
|---|---|---|
| Host | Specifies the domain name of the server (for virtual hosting), and the TCP port number on which the server is listening. | `Host: www.example.com` |
| User-Agent | Contains a characteristic string that allows the network protocol peers to identify the application type, operating system, software vendor or software version of the requesting software user agent. | `User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...` |
| Accept | Informs the server about the types of data that can be sent back by the server. | `Accept: application/json` |
| Accept-Language | Indicates the natural language and locale that the client prefers. | `Accept-Language: en-US` |
| Accept-Encoding | Informs the server about the encoding algorithm, usually a compression algorithm, that can be used on the resource sent back. | `Accept-Encoding: gzip, deflate` |
| Authorization | Contains the credentials to authenticate a user agent with a server. | `Authorization: Bearer <token>` |
| Referer | Contains the address of the previous web page from which a link to the currently requested page was followed. | `Referer: https://www.google.com/` |
| If-None-Match | Makes the request conditional and applies the method only if the stored resource doesn't match any of the given ETags. | `If-None-Match: "c561c68d0ba92bbeb8b0fff2a9199f722e3a621a"` |

These headers contain additional information about the response, like its location or about the server providing it.

| Header | Description | Example |
|---|---|---|
| Server | Contains information about the software used by the origin server to handle the request. | `Server: Apache/2.4.1 (Unix)` |
| Date | Contains the date and time at which the message was originated. | `Date: Tue, 15 Nov 1994 08:12:31 GMT` |
| Location | Indicates the URL to redirect a page to. | `Location: /new-location` |
| Set-Cookie | Sends a cookie from the server to the user agent. | `Set-Cookie: yummy_cookie=choco;` |
| WWW-Authenticate | Defines the authentication method that should be used to gain access to a resource. | `WWW-Authenticate: Basic realm="Access to staging site"` |
| ETag | An identifier for a specific version of a resource. It lets caches be more efficient and save bandwidth. | `ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"` |

These headers contain information about the body of the resource, like its MIME type, or encoding.

| Header | Description | Example |
|---|---|---|
| Content-Type | Indicates the original media type of the resource (prior to any content encoding applied for sending). | `Content-Type: application/json; charset=utf-8` |
| Content-Length | Indicates the size of the message body, in bytes, sent to the recipient. | `Content-Length: 138` |
| Content-Encoding | Specifies the compression algorithm used on the resource. | `Content-Encoding: gzip` |
| Content-Language | Describes the human language(s) intended for the audience. | `Content-Language: en-US` |
| Last-Modified | Contains the date and time at which the origin server believes the resource was last modified. | `Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT` |

These headers help to secure the web application and protect against common attacks.

| Header | Description | Example |
|---|---|---|
| Strict-Transport-Security | Forces communication using HTTPS instead of HTTP. | `Strict-Transport-Security: max-age=31536000; includeSubDomains` |
| Content-Security-Policy | Controls resources the user agent is allowed to load for a given page. | `Content-Security-Policy: default-src 'self';` |
| X-Content-Type-Options | Prevents MIME-sniffing attacks. | `X-Content-Type-Options: nosniff` |
| X-Frame-Options | Indicates whether a browser should be allowed to render a page in a `<frame>`, `<iframe>`, `<embed>` or `<object>`. | `X-Frame-Options: DENY` |
| Cross-Origin-Resource-Policy | Prevents the browser from loading a resource from a cross-origin domain. | `Cross-Origin-Resource-Policy: same-origin` |

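
One way to check a response against the five security headers in this table, as an added example that is not part of the original cheat sheet. The function names, the `SAMPLE` response and the accepted-value sets (`SAMEORIGIN` for X-Frame-Options, `same-site` for Cross-Origin-Resource-Policy, a non-zero `max-age`) are assumptions of this example.

```python
import re

def _hsts(v):
    # HSTS only takes effect with a max-age greater than zero.
    m = re.search(r'max-age\s*=\s*"?(\d+)', v, re.I)
    return None if m and int(m.group(1)) > 0 else "max-age missing or zero"

def _one_of(*allowed):
    return lambda v: None if v.lower() in allowed else f"unexpected value {v!r}"

# One check per header in the table above; each returns a finding or None.
CHECKS = {
    "strict-transport-security": _hsts,
    "content-security-policy": lambda v: None if v else "empty policy",
    "x-content-type-options": _one_of("nosniff"),
    "x-frame-options": _one_of("deny", "sameorigin"),
    "cross-origin-resource-policy": _one_of("same-origin", "same-site"),
}

def parse_headers(raw):
    """Parse a raw response head into {lowercased name: first value}."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers

def audit(raw):
    """Return {header: finding} for each security header that is missing or weak."""
    headers, findings = parse_headers(raw), {}
    for name, check in CHECKS.items():
        value = headers.get(name)
        if value is None:
            findings[name] = "missing"
        elif (problem := check(value)):
            findings[name] = problem
    return findings

# Constructed sample response head, not captured from a real server.
SAMPLE = """HTTP/1.1 200 OK
strict-transport-security: max-age=0
X-Content-Type-Options: nosniff
X-Frame-Options: ALLOWALL

<p>X-Frame-Options: DENY</p>"""
print(audit(SAMPLE))
```

Header names are matched case-insensitively, and text in the body that looks like a header is ignored because parsing stops at the first blank line.
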
Understanding HTTP headers is crucial for web developers for debugging, optimizing performance, and securing applications. This cheat sheet serves as a quick reference for the most common headers.