📨 HTTP HEADER REFERENCE
// Complete reference for all common HTTP request and response headers with descriptions

HTTP Header Reference — Complete Guide to Request and Response Headers

This comprehensive HTTP header reference covers every common HTTP request and response header with clear descriptions, correct usage and security implications. Use this guide when debugging APIs with Postman or curl, configuring nginx or Apache, implementing CORS, hardening web application security headers or studying for web development certifications.

Essential Security Headers Every Website Should Have

  • Strict-Transport-Security (HSTS) — Tells browsers to use HTTPS for every later request to your domain, which defeats SSL stripping. The header is only honoured when it arrives over HTTPS, and the very first visit over plain HTTP is still exposed unless the domain is on the browser preload list. Use: max-age=31536000; includeSubDomains; preload
  • Content-Security-Policy (CSP) — Controls which resources the browser may load. Mitigates XSS by blocking inline scripts and scripts from origins you did not list; that protection is lost if script-src allows 'unsafe-inline' without a nonce or hash.
  • X-Content-Type-Options — Prevents MIME sniffing. Always set to nosniff.
  • X-Frame-Options — Prevents clickjacking by stopping other sites from framing your page. Use DENY or SAMEORIGIN. The CSP frame-ancestors directive is the modern replacement and takes precedence where both are present; ALLOW-FROM is obsolete and ignored by current browsers.
  • Referrer-Policy — Controls how much of the referring URL is sent with requests. Use strict-origin-when-cross-origin (the current browser default) or stricter; unsafe-url and no-referrer-when-downgrade leak full URLs, including query strings, to other origins.
  • Permissions-Policy — Restricts which browser features (camera, microphone, geolocation) the page and its embedded iframes may use.
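The checklist above is easy to audit mechanically. The following is an added example (not code from this page or from any tool it mentions) that takes a dict of response headers, as you would get from curl -I or a requests call, and reports which of the six headers are missing or set to a weak value. The two sample header sets are constructed for illustration; the one-year minimum for HSTS and the 'unsafe-inline' rule follow the bullet points above.

```python
"""Audit a set of HTTP response headers against the security-header
checklist.  Added example, not code from the original page."""
import re

# Constructed sample: a response that got some headers right and others
# missing or weak (not captured from any real site).
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "NoSniff",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Referrer-Policy": "unsafe-url",
}

# Constructed sample that satisfies every check (no X-Frame-Options, but
# CSP frame-ancestors covers clickjacking).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

MIN_HSTS_AGE = 31536000  # one year, the value recommended above


def parse_csp(csp):
    """Split a CSP string into {directive: [source tokens]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_security_headers(headers):
    """Return a list of (header, finding) tuples; an empty list means the
    response passes.  Header names are compared case-insensitively, and
    token values such as nosniff are case-insensitive per the Fetch spec."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            findings.append(("Strict-Transport-Security", f"max-age {age} is below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("Strict-Transport-Security", "includeSubDomains not set"))

    csp = h.get("content-security-policy")
    directives = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append(("Content-Security-Policy", "missing"))
    else:
        # script-src falls back to default-src when absent (CSP semantics)
        script_src = directives.get("script-src", directives.get("default-src", []))
        has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha")) for t in script_src)
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append(("Content-Security-Policy",
                             "script-src allows 'unsafe-inline' without a nonce or hash"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "not set to nosniff"))

    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in directives:
        findings.append(("X-Frame-Options", "not DENY/SAMEORIGIN and no CSP frame-ancestors"))

    rp = h.get("referrer-policy", "").lower()
    if rp in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append(("Referrer-Policy", "missing or leaks full URL cross-origin"))

    if "permissions-policy" not in h:
        findings.append(("Permissions-Policy", "missing"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_security_headers(WEAK_HEADERS):
        print(f"{name}: {finding}")
```

Run it against a live site by feeding the dict from `dict(requests.head(url).headers)`; the audit deliberately accepts a missing X-Frame-Options when CSP frame-ancestors is present, since that is the supported modern equivalent.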

Caching Headers Explained

Correct caching headers are critical for performance and, for private data, for security. Cache-Control: max-age=31536000, immutable tells browsers to cache a static asset for one year without revalidation; use it only with content-hashed filenames, so a changed file gets a new URL. Cache-Control: no-store forbids storing the response anywhere, in browsers and in shared proxies alike; use it for sensitive data (bank statements, health records). Note that no-cache does not mean "do not cache": it allows storing but requires revalidation before every reuse, and private limits storage to the end user's browser. ETag and If-None-Match enable conditional requests: the browser sends back the ETag it holds, asking "has this changed?", and the server returns either the new content or 304 Not Modified with no body, saving bandwidth.
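The following is an added example, not code from this page or from nginx or Apache, showing the server side of the three policies above: choosing Cache-Control by resource type, deriving a strong ETag from the content, and answering If-None-Match with 304 Not Modified. The path rules (/static/ with a hex hash in the filename, /statements/ as sensitive) and the sample bodies are constructed assumptions for the demonstration.

```python
"""Cache-Control selection and ETag / If-None-Match handling.
Added example; the route rules below are constructed, not from the page."""
import hashlib
import re

# Constructed convention: content-hashed assets look like /static/app.3f9a1c2d.js
HASHED_ASSET = re.compile(r"^/static/.+\.[0-9a-f]{8,}\.[a-z0-9]+$")
# Constructed convention: paths that carry per-user sensitive documents
SENSITIVE_PREFIXES = ("/account/", "/statements/")


def make_etag(body):
    """Strong ETag from a content hash: changes whenever the bytes change and
    is identical across server instances, unlike inode- or mtime-based tags."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def cache_control_for(path):
    """The three policies from the section above."""
    if HASHED_ASSET.match(path):
        return "public, max-age=31536000, immutable"
    if path.startswith(SENSITIVE_PREFIXES):
        return "no-store"
    return "no-cache"  # may be stored, must be revalidated before each reuse


def etag_matches(if_none_match, etag):
    """If-None-Match may list several tags or be '*'; weak tags (W/"...")
    are compared by value, which is what a 304 decision allows."""
    candidates = []
    for token in if_none_match.split(","):
        token = token.strip()
        candidates.append(token[2:] if token.startswith("W/") else token)
    return "*" in candidates or etag in candidates


def respond(path, body, request_headers):
    """Build (status, headers, body) for a GET request.

    For no-store resources no validator is emitted and a conditional request
    is always answered with the full body: nothing should have been stored
    that a 304 could validate against (a design choice for this example)."""
    policy = cache_control_for(path)
    headers = {"Cache-Control": policy}
    if policy == "no-store":
        return 200, headers, body

    etag = make_etag(body)
    headers["ETag"] = etag
    inm = request_headers.get("If-None-Match")
    if inm and etag_matches(inm, etag):
        return 304, headers, b""  # no body: the client's copy is still current
    return 200, headers, body


if __name__ == "__main__":
    asset = b"console.log('hello');"  # constructed sample body
    status, hdrs, _ = respond("/static/app.3f9a1c2d.js", asset, {})
    print(status, hdrs)
    status, hdrs, _ = respond("/static/app.3f9a1c2d.js", asset, {"If-None-Match": hdrs["ETag"]})
    print(status, hdrs)
```

A 304 must repeat the caching headers (Cache-Control, ETag) so the client refreshes the freshness lifetime of its stored copy; omitting them is a common bug that makes the cached entry expire immediately after revalidation.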

CORS Headers for API Development

CORS (Cross-Origin Resource Sharing) controls which origins may read responses from your API in browser JavaScript; it does not stop the request from being sent, so it is not a substitute for authentication or CSRF protection. Access-Control-Allow-Origin: * allows any website and cannot be combined with credentials (browsers reject the response); use it only for public read-only APIs. For authenticated APIs, check the Origin header against an explicit allowlist, echo only a matching origin, add Vary: Origin so shared caches do not serve one origin's answer to another, and include Access-Control-Allow-Credentials: true. Never reflect an arbitrary Origin value back, as that hands any site credentialed access. Browsers send a preflight OPTIONS request before any cross-origin request that is not "simple": a method other than GET, HEAD or POST, a Content-Type other than application/x-www-form-urlencoded, multipart/form-data or text/plain, or a custom header such as Authorization or X-CSRF-Token. A plain form-encoded POST triggers no preflight, so it cannot be relied on as a gate. Your API must answer preflights with the appropriate CORS headers, including Access-Control-Allow-Methods and Access-Control-Allow-Headers.
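The following is an added example, not code from this page or from any framework, that implements the rules above: deciding whether a browser would send a preflight, echoing only an allowlisted origin with Vary: Origin, and answering the OPTIONS preflight. The origin allowlist, permitted methods and headers are constructed assumptions for the demonstration; the safelist rules follow the Fetch standard's "CORS-safelisted" definition as summarised above.

```python
"""CORS decisions for an authenticated API: preflight detection,
origin allowlisting and preflight responses.  Added example; the
allowlist values are constructed, not from the page."""

# Constructed policy for this example
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "authorization", "x-csrf-token"}

# What the browser treats as a "simple" request (no preflight)
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def needs_preflight(method, headers):
    """True if a browser would send an OPTIONS preflight before this request."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SIMPLE_HEADERS:
            return True  # e.g. Authorization, X-CSRF-Token
        if lname == "content-type":
            media_type = value.split(";")[0].strip().lower()
            if media_type not in SIMPLE_CONTENT_TYPES:
                return True  # e.g. application/json
    return False


def cors_headers(origin, credentialed=True):
    """Headers for an actual response.  Only an allowlisted origin is echoed
    (never the raw Origin value), and Vary: Origin keeps shared caches from
    replaying the answer to a different origin.  Empty dict means the
    browser will block the response."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    h = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if credentialed:
        h["Access-Control-Allow-Credentials"] = "true"
    return h


def public_cors_headers():
    """For a public read-only API: wildcard origin, and deliberately no
    Allow-Credentials, which browsers would reject alongside '*'."""
    return {"Access-Control-Allow-Origin": "*"}


def handle_preflight(request_headers):
    """Answer an OPTIONS preflight.  Returns (status, headers); a 403 with no
    CORS headers makes the browser fail the cross-origin request."""
    origin = request_headers.get("Origin", "")
    method = request_headers.get("Access-Control-Request-Method", "").upper()
    raw = request_headers.get("Access-Control-Request-Headers", "")
    requested = {x.strip().lower() for x in raw.split(",") if x.strip()}

    base = cors_headers(origin)
    if not base or method not in ALLOWED_METHODS or not requested <= ALLOWED_HEADERS:
        return 403, {}
    base.update({
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": "600",  # cache the preflight result for 10 min
    })
    return 204, base


if __name__ == "__main__":
    # Constructed preflight as a browser would send it for a JSON PUT
    preflight = {
        "Origin": "https://app.example.com",
        "Access-Control-Request-Method": "PUT",
        "Access-Control-Request-Headers": "Content-Type, Authorization",
    }
    print(handle_preflight(preflight))
    print(needs_preflight("POST", {"Content-Type": "application/json"}))
```

Because a form-encoded POST needs no preflight, an authenticated endpoint that accepts it must still carry its own CSRF defence (a token header, SameSite cookies, or both); the preflight only protects requests that are not simple.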