35 of the headers you'll meet most often — what each one means, an example value, and the gotcha you'll wish someone had told you.
AuthorizationHow the client identifies itself — usually a Bearer token, Basic credentials, or an API key.
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...💡 Despite the name, this often carries authentication, not authorisation. Server checks who you are, then decides what you can do.
AcceptWhat response formats the client can handle. Server picks one in Content-Type.
Accept: application/json, text/html;q=0.9Accept-LanguageWhat human languages the client prefers, with weights. Used for content negotiation.
Accept-Language: en-US,en;q=0.9,uk;q=0.8Accept-EncodingWhich compression algorithms the client supports for the response body.
Accept-Encoding: gzip, brContent-TypeThe media type of the request body. Required when sending a body.
Content-Type: application/json; charset=utf-8💡 Also used in responses to describe the body format.
User-AgentString identifying the client software. Browsers, libraries, bots all send one.
User-Agent: Mozilla/5.0 (...) Chrome/120 Safari/537.36CookieCookies the browser is sending back to the server for this domain.
Cookie: session=abc123; theme=darkRefererThe URL of the page that initiated the request. (Note the historic misspelling — it is "Referer", not "Referrer".)
Referer: https://example.com/products/OriginThe scheme + host + port of the page making the request. Sent on cross-origin requests for CORS checks.
Origin: https://app.example.comRangeRequest only a byte range of the resource — used for video streaming, resumable downloads.
Range: bytes=0-1023If-None-MatchSend the request only if the resource's ETag is NOT what the client already has. Triggers 304 Not Modified if unchanged.
If-None-Match: "abc123"If-Modified-SinceSend the request only if the resource was modified after the given date. Older alternative to ETag.
If-Modified-Since: Wed, 15 May 2026 12:00:00 GMTIf-MatchSend the request only if the current ETag MATCHES. Used for optimistic concurrency in PUT/PATCH.
If-Match: "abc123"💡 Returns 412 Precondition Failed if the ETag has changed since you last fetched — someone else has updated the resource.
Content-LengthSize of the response body in bytes. Lets the client know how much to read.
Content-Length: 4823Set-CookieServer tells the browser to store a cookie. Can include flags like HttpOnly, Secure, SameSite.
Set-Cookie: session=abc; HttpOnly; Secure; SameSite=Lax; Path=/LocationWhere the client should redirect (3xx) or find a newly-created resource (201).
Location: /api/users/42WWW-AuthenticateSent with 401 Unauthorized — tells the client what auth scheme is required.
WWW-Authenticate: Bearer realm="api", error="invalid_token"Retry-AfterHow long to wait before retrying. Sent with 429 (rate limit) or 503 (service unavailable).
Retry-After: 120💡 Value is seconds or an HTTP-date.
X-Rate-Limit-*Custom headers reporting rate-limit state. Conventional but not standardised — X-Rate-Limit-Limit, X-Rate-Limit-Remaining, X-Rate-Limit-Reset.
X-Rate-Limit-Remaining: 47
X-Rate-Limit-Reset: 1735689600Cache-ControlThe dominant caching directive. Controls how/whether responses are cached by browsers, CDNs, and proxies.
Cache-Control: public, max-age=31536000, immutable💡 Common values: no-store (never cache), no-cache (cache but revalidate), max-age=N (cache N seconds), public (any cache), private (browser only).
ETagAn opaque token identifying the resource version. Used with If-None-Match for conditional GETs.
ETag: "abc123"Last-ModifiedWhen the resource last changed. Older alternative to ETag, paired with If-Modified-Since.
Last-Modified: Wed, 15 May 2026 12:00:00 GMTExpiresAbsolute date when the response becomes stale. Cache-Control max-age is preferred.
Expires: Thu, 16 May 2026 12:00:00 GMTVaryTells caches which request headers affect the response. Without it, a cache might serve the wrong variant.
Vary: Accept-Encoding, Accept-LanguageStrict-Transport-SecurityHSTS — tells the browser to use HTTPS for this domain for the given number of seconds, even if the user typed http://.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preloadContent-Security-PolicyCSP — controls what resources (scripts, styles, images) the browser is allowed to load. Strongest XSS defence in depth.
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-abc123'X-Content-Type-OptionsSet to "nosniff" to prevent the browser from guessing a different content type than the server declared.
X-Content-Type-Options: nosniffX-Frame-OptionsWhether your page can be embedded in an iframe. Defends against clickjacking. Use DENY or SAMEORIGIN.
X-Frame-Options: DENY💡 Superseded by CSP frame-ancestors, but many tools still set both.
Referrer-PolicyControls how much of the referrer URL is sent on outbound links and requests.
Referrer-Policy: strict-origin-when-cross-originPermissions-PolicyControls which browser APIs (camera, microphone, geolocation, etc.) your page can use, and on which origins.
Permissions-Policy: camera=(), microphone=(), geolocation=(self)Access-Control-Allow-OriginServer's answer to cross-origin requests: which origins may read this response. The most-asked-about HTTP header on Stack Overflow.
Access-Control-Allow-Origin: https://app.example.com💡 * allows any origin but disables credentials. Echo back the request Origin to allow specific origins with credentials.
Access-Control-Allow-MethodsSent in preflight responses (200 OPTIONS) listing which HTTP methods are allowed cross-origin.
Access-Control-Allow-Methods: GET, POST, PUT, DELETEAccess-Control-Allow-HeadersSent in preflight responses listing which request headers are allowed cross-origin.
Access-Control-Allow-Headers: Content-Type, AuthorizationAccess-Control-Allow-CredentialsWhether the response may be exposed to JS when the request was made with credentials (cookies, Authorization).
Access-Control-Allow-Credentials: trueAccess-Control-Max-AgeHow long the browser may cache the preflight response. Avoids OPTIONS round trips.
Access-Control-Max-Age: 600If-None-Match matched the ETag."