Ganesh Joshi

Back to Cheatsheets

HTTP headers reference

Updated 2026-02-14

Common HTTP request and response headers with meanings and use cases. CORS, caching, auth, content types.

Request headers

```
Accept
```
Content types the client understands.
```
Accept-Encoding
```
Encodings (gzip, br).
```
Accept-Language
```
Preferred languages.
```
Authorization
```
Credentials (e.g. Bearer token).
```
Content-Type
```
MIME type of body (e.g. application/json).
```
Cookie
```
Cookies sent by client.
```
Host
```
Domain and optional port.
```
Origin
```
Origin (CORS).
```
User-Agent
```
Client identifier.
```
If-None-Match
```
ETag for conditional request (304).
```
Range
```
Partial content (bytes=0-1023).

Response headers

```
Access-Control-Allow-Origin
```
CORS: allowed origins.
```
Content-Disposition
```
Inline or attachment; filename.
```
Content-Encoding
```
Body encoding (gzip, br).
```
Content-Security-Policy
```
CSP: script/style sources.
```
ETag
```
Cache validator.
```
Location
```
Redirect URL (3xx).
```
Set-Cookie
```
Send cookie to client.
```
Strict-Transport-Security
```
HSTS: enforce HTTPS.
```
WWW-Authenticate
```
Challenge for 401.
```
X-Content-Type-Options
```
nosniff.
```
X-Frame-Options
```
DENY or SAMEORIGIN.

Request and response

Cache-Control (max-age, no-cache). Connection. Content-Length. Vary (e.g. Accept-Encoding).

HTTP headers reference | Cheatsheet | Ganesh Joshi