Updated June 29, 2026
Common HTTP headers reference
HTTP headers carry metadata about a request or response. This sheet lists the everyday ones, grouped into request and response headers. For safety-focused headers, see the HTTP security headers reference.
Request headers
| Header | What it does |
|---|---|
Accept | Which response formats the client can handle. |
Accept-Encoding | Compression the client supports, like gzip or br. |
Authorization | Credentials, such as a Bearer token. |
Content-Type | The format of the request body being sent. |
Cookie | Cookies the client is sending back. |
User-Agent | Identifies the client app and version. |
Origin | The origin making a cross-site request. |
Referer | The page the request came from. |
Response headers
| Header | What it does |
|---|---|
Content-Type | The format of the response body, like application/json. |
Content-Length | The size of the response body in bytes. |
Content-Encoding | Compression applied to the body, like gzip. |
Cache-Control | How and how long the response may be cached. |
ETag | A version tag used for cache validation. |
Set-Cookie | Asks the client to store a cookie. |
Location | The target URL for a redirect. |
Access-Control-Allow-Origin | Which origins may read the response (CORS). |
Header names are case-insensitive
Content-Type and content-type are the same header. HTTP/2 and HTTP/3 send header names in lowercase.References
Questions
What is the difference between Content-Type and Accept?
Content-Type describes the format of the body actually being sent. Accept is a request header saying which formats the client would like back. They serve opposite directions.
What does Cache-Control: no-store mean?
It tells caches not to store the response at all, so every request goes to the server. It is used for sensitive or always-fresh data.