HTTP headers are invisible metadata that control how web requests work. They're essential for performance, security, and functionality. Here's the complete guide.

What Are HTTP Headers?

Headers are key-value pairs sent with HTTP requests and responses. They carry metadata about the data being transmitted.

Request Headers (Client → Server)

Host

Domain being requested. Required in HTTP/1.1.

Host: example.com

User-Agent

Information about the client (browser, device, etc.).

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

Accept

Content types the client wants to receive.

Accept: text/html, application/json

Accept-Language

Preferred languages.

Accept-Language: en-US, en;q=0.9

Accept-Encoding

Compression methods the client accepts.

Accept-Encoding: gzip, deflate, br

Cookie

Stored cookies to send to server.

Cookie: sessionId=abc123; userId=999

Authorization

Auth credentials (API key, bearer token, etc.).

Authorization: Bearer eyJhbGc...

Content-Type

Type of data being sent in POST/PUT body.

Content-Type: application/json

Content-Length

Size of request body in bytes.

Content-Length: 256

Referer

Page that linked to this resource.

Referer: https://google.com

Response Headers (Server → Client)

Content-Type

Type of data being returned.

Content-Type: text/html; charset=utf-8

Content-Length

Size of response body.

Content-Length: 1024

Content-Encoding

Compression applied to response.

Content-Encoding: gzip

Cache-Control

How long to cache the response.

Cache-Control: max-age=3600, public

ETag

Unique identifier for this version of resource.

ETag: "123abc"

Last-Modified

When resource was last updated.

Last-Modified: Wed, 15 Jan 2026 10:00:00 GMT

Set-Cookie

Instruct client to store a cookie.

Set-Cookie: sessionId=abc123; Path=/; HttpOnly

Location

URL for redirects (3xx status codes).

Location: https://example.com/new-page

Server

Information about the web server (usually hidden for security).

Server: nginx/1.18.0

Security Headers

Strict-Transport-Security (HSTS)

Force HTTPS, prevent downgrade attacks.

Strict-Transport-Security: max-age=31536000; includeSubDomains

X-Content-Type-Options

Prevent MIME type sniffing.

X-Content-Type-Options: nosniff

X-Frame-Options

Prevent clickjacking attacks.

X-Frame-Options: DENY

Content-Security-Policy (CSP)

Control where scripts, styles, etc. can load from.

Content-Security-Policy: default-src 'self'

Access-Control-Allow-Origin

Allow cross-origin requests from specified domains.

Access-Control-Allow-Origin: https://myapp.com

Checking HTTP Headers

Browser DevTools

Open DevTools → Network → Click request → Headers

Using Our HTTP Header Inspector

Use our HTTP Header Inspector:

  1. Enter a URL
  2. See all request and response headers
  3. Understand each header's purpose
  4. Check security headers

Command Line

curl -i https://example.com
curl -v https://example.com  # More verbose

Performance Optimization with Headers

Caching

Cache-Control: max-age=86400, public  # Cache 1 day
Cache-Control: no-cache, no-store  # Don't cache

Compression

Content-Encoding: gzip
Accept-Encoding: gzip, deflate, br

Connection Reuse

Keep-Alive: timeout=5, max=100

Common Mistakes

1. Not Setting Cache Headers

Browser re-downloads static assets every time. Use Cache-Control.

2. Missing Security Headers

HSTS, CSP, X-Frame-Options prevent attacks. Add them.

3. Exposing Server Info

Remove Server header to avoid leaking version info.

4. Not Handling Compression

Send gzip-compressed responses for text. Saves 70-80% bandwidth.

Pro Tips

  • Always set Content-Type correctly
  • Implement caching for static assets
  • Add security headers (HSTS, CSP, etc.)
  • Enable gzip compression
  • Monitor headers in production

Conclusion

HTTP headers control web fundamentals: performance, security, caching, and more. Understanding them is essential for building fast, secure websites. Start with the critical ones (Cache-Control, Content-Type, security headers) and expand from there.