
HTTP Headers Developers Should Know

April 11, 2026 · 8 min read

HTTP headers carry metadata about requests and responses. They control caching, authentication, content negotiation, security policies, and more. This guide covers the headers you will encounter most often as a backend or frontend developer.

Content Headers

Content-Type

Tells the receiver what format the body is in. Always set this on responses with a body.

Content-Type: application/json; charset=utf-8
Content-Type: text/html; charset=utf-8
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
Content-Type: application/x-www-form-urlencoded

Content-Length and Transfer-Encoding

Content-Length: 348           /* body size in bytes */
Transfer-Encoding: chunked    /* streaming; omit Content-Length */

Accept

Sent by clients to tell the server what content types they can handle:

Accept: application/json
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Authentication Headers

/* Request */
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...
Authorization: Basic dXNlcjpwYXNz          /* base64(user:pass) */
Authorization: Digest username="admin", ...

/* Response — tells client how to authenticate */
WWW-Authenticate: Bearer realm="api"
WWW-Authenticate: Basic realm="Admin Area"

Never use Basic auth without HTTPS — the credentials are only Base64-encoded, not encrypted. See the JWT guide for token-based authentication.

Caching Headers

Cache-Control

The primary caching header. Controls who can cache and for how long.

/* Common response directives */
Cache-Control: no-store               /* never cache (sensitive data) */
Cache-Control: no-cache               /* revalidate every time */
Cache-Control: max-age=3600           /* cache for 1 hour */
Cache-Control: public, max-age=86400  /* CDNs can cache for 1 day */
Cache-Control: private, max-age=300   /* only browser cache, 5 min */
Cache-Control: immutable              /* never revalidate (hashed assets) */

ETag and Last-Modified

/* Server sends */
ETag: "abc123"
Last-Modified: Mon, 28 Apr 2025 12:00:00 GMT

/* Client sends on next request */
If-None-Match: "abc123"
If-Modified-Since: Mon, 28 Apr 2025 12:00:00 GMT

/* Server responds with 304 Not Modified if nothing changed */

CORS Headers

Cross-Origin Resource Sharing headers control which origins can access your API from a browser.

/* Server response headers */
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Origin: *          /* any origin (avoid for auth APIs) */
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true  /* required if using cookies */
Access-Control-Max-Age: 86400           /* preflight cache duration in seconds */

CORS is a browser security feature, not a server security feature. It does not protect your API from server-to-server requests or curl. Always validate authorization on the server regardless of CORS settings.

Security Headers

Strict-Transport-Security (HSTS)

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
/* Tells browsers to always use HTTPS for this domain */

Content-Security-Policy (CSP)

Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com; style-src 'self' 'unsafe-inline'
/* Controls which resources the page can load — primary XSS mitigation */

X-Frame-Options

X-Frame-Options: DENY          /* cannot be framed at all */
X-Frame-Options: SAMEORIGIN   /* only same-origin frames allowed */
/* Prevents clickjacking attacks */

X-Content-Type-Options

X-Content-Type-Options: nosniff
/* Prevents browsers from guessing content type (MIME sniffing attacks) */

Referrer-Policy

Referrer-Policy: no-referrer
Referrer-Policy: strict-origin-when-cross-origin  /* recommended default */

Request Information Headers

Host: api.example.com              /* required in HTTP/1.1 */
User-Agent: Mozilla/5.0 (...)
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: https://app.example.com    /* set by browser on cross-origin requests */
Referer: https://example.com/page  /* note: intentional typo in the spec */

Forwarding and Proxy Headers

/* Set by proxies and load balancers */
X-Forwarded-For: 203.0.113.1, 70.41.3.18
X-Forwarded-Proto: https
X-Real-IP: 203.0.113.1
Forwarded: for=203.0.113.1;proto=https  /* standardised version */

When reading client IP addresses from proxy headers, only trust them if you control the proxy. Anyone who can reach your application directly, bypassing that proxy, can set X-Forwarded-For to any value, so a spoofed entry must never be treated as the client address.
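As an added example (not code from the original post), here is a small Python resolver that applies that rule: it only honours X-Forwarded-For when the connecting peer is one of your own proxies, and walks the list from the right so attacker-prepended entries are ignored. The TRUSTED_PROXIES ranges and the sample addresses are assumptions made for the demonstration.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed proxies we operate (load balancer / internal hops). Anything else is untrusted.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("198.51.100.7/32")]


def is_valid_ip(addr: str) -> bool:
    try:
        ip_address(addr)
        return True
    except ValueError:
        return False


def is_trusted_proxy(addr: str) -> bool:
    return is_valid_ip(addr) and any(ip_address(addr) in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the client address that our proxies actually vouch for.

    remote_addr: peer address of the TCP connection (set by the server, not spoofable).
    xff_header:  raw X-Forwarded-For value as received, or None.
    """
    # If the direct peer is not one of our proxies, the header may have been written by
    # anyone, so ignore it completely and use the connection address.
    if not is_trusted_proxy(remote_addr) or not xff_header:
        return remote_addr

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Each proxy appends the address it received the request from, so the rightmost entry
    # was written by the peer we trust. Walk leftwards while the entries are our own proxies;
    # the first untrusted entry is the client, and everything left of it is unverified.
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue
        # A malformed entry cannot be a client address we can act on; fall back to the peer.
        return hop if is_valid_ip(hop) else remote_addr
    # Every listed hop is one of our own proxies; nothing better than the peer address.
    return remote_addr


if __name__ == "__main__":
    # Constructed requests: (connection peer, X-Forwarded-For header value).
    samples = [
        ("10.0.0.5", "203.0.113.1, 70.41.3.18"),          # header from the article
        ("10.0.0.5", "9.9.9.9, 203.0.113.1, 10.0.0.9"),   # spoofed leftmost entry
        ("203.0.113.50", "1.2.3.4"),                      # peer is not our proxy
    ]
    for peer, xff in samples:
        print(f"peer={peer:14} xff={xff!r:40} client={client_ip(peer, xff)}")
```

Note that with the article's sample header, 70.41.3.18 is the address the trusted proxy actually saw; 203.0.113.1 is only the client if 70.41.3.18 is itself added to TRUSTED_PROXIES.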

Use the HTTP Status Codes article alongside this guide to understand both halves of every HTTP response.