How do I view HTTP headers in the browser?

F12 → **Network** tab → click a request → **Headers** tab. You see both what the browser sent (Request Headers) and what the server returned (Response Headers). From the command line: `curl -I url` (headers only) or `curl -v url` (with body).

Why the X- prefix in some headers (X-Forwarded-For)?

Historically **X-** meant "experimental" - nonstandard or unregistered headers. RFC 6648 in 2012 officially banned new X- headers, but the old ones stuck for compatibility. Today, if you invent a new header just name it without X- (e.g. `Request-Id` instead of `X-Request-Id`).

Why are there both Content-Type and Accept?

**Content-Type** describes what IS in the body of this message. **Accept** says what the other side WILL ACCEPT in a response. Example: client POSTs with `Content-Type: application/json` (my body is JSON) and `Accept: application/xml` (please reply XML). This is **content negotiation**.

My responses include X-Powered-By: Express. Should I leave it?

Better to **remove it**. It tells attackers what stack you run. In Express: `app.disable("x-powered-by")`. Generally: do not expose implementation details (Server: nginx/1.27, X-AspNet-Version, etc.). In Nginx: `server_tokens off`.

When do I use Cache-Control: no-cache versus no-store?

Despite the name, **no-cache does NOT mean "do not cache"**. It means "**always revalidate with the server** before serving the cached copy". The browser keeps a cache, but every request includes If-None-Match. **no-store** literally means "never store" - cache is bypassed, used for sensitive data (banking).

Why does Set-Cookie have so many flags (HttpOnly, Secure, SameSite)?

Each defends against a specific attack class. **HttpOnly** = JS cannot read it (stops XSS cookie theft). **Secure** = HTTPS only (stops MITM). **SameSite=Strict/Lax** = the cookie does not ride on third-party requests (stops CSRF). For session cookies **always set all three**.

Why does CORS send an OPTIONS preflight before POST?

Because a POST with a Content-Type other than `application/x-www-form-urlencoded` (typical JSON API calls) is "non-simple" and the browser sends an **OPTIONS preflight** to ask the server for permission. The server replies with Access-Control-Allow-Origin/Methods/Headers. If OK, the actual POST follows.

Why is "Referer" misspelled instead of "Referrer"?

An internet classic. Phillip Hallam-Baker wrote the 1996 spec with a typo, it landed in RFCs, and never got fixed. So **the header is Referer** (one r) but **the policy for it is Referrer-Policy** (two r). Yes, it is confusing.

Does X-XSS-Protection still work?

**No**. Chrome removed support in 2019, other browsers followed. The filter ended up creating new vulnerabilities. **Use Content-Security-Policy instead**. For old browsers, set `X-XSS-Protection: 0` to disable it explicitly - leaving it on can be worse than removing it.

HTTP Headers Reference - free

Showing 65 of 65 headers

Results

Header

Cache-Control

Request + Responsecachingpopular

Description

Caching rules. The most important caching header. Use no-store for sensitive data, max-age for cacheable static assets, private to prevent CDN caching.

Example value

Cache-Control: public, max-age=31536000, immutable

Related headers

↑↓navigate the listEntercopy first hit

What does Cache-Control, Authorization, CORS, and the other HTTP headers mean?

Every HTTP request and response carries a set of HTTP headers telling each side what is going on: which format, which cookies, which cache rules, which permissions. There are dozens of them and most developers remember five and panic at the rest.

Search any header here: by name (Cache-Control), description ("forces HTTPS"), or category (Caching, Security, CORS). Each one has a plain-English explanation, an example value ready to copy, and a list of related headers.

It runs offline because the data is baked in. Instant filter, copy just the name, just the value, or the full `Name: value` line.

How to use it

Type a name (`Cache-Control`), a description (`forces HTTPS`), or a category into the search box. The list filters instantly.

Use the Authentication / Caching / CORS / Security / Cookies / Proxies / Other pills to narrow down.

Direction filter: Request / Response / Both - useful when you specifically want something the server sends back.

Arrow keys ↑↓ move the highlight, Enter copies the name of the first hit.

Click a header to see the detail panel: description, example value, related headers. Copy just the name, just the value, or the full `Name: value`.

When this is useful

Everyday situations with HTTP headers:

CORS configuration - which Access-Control-* headers do you need so frontend X can read API Y? All in one category.
Security hardening - auditing a server. Check: Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy. All flagged as popular.
Cache and CDN - why does the CDN not cache? Inspect Cache-Control + Vary + Expires + ETag. Understand how they interact.
Debugging 401/403 - you got a 401 but do not know which scheme to advertise. Look up WWW-Authenticate, line up Authorization.
Rate limiting - implementing 429 Too Many Requests. Which header tells the client to back off? Retry-After. Example value right here.
HTTPS migration - how do you enable HSTS? Not just the syntax but the "include preload to be hardcoded into browsers" hint.
Onboarding - a junior asks "what is X-Forwarded-For?". Send them this page instead of explaining.

Related tools: HTTP status codes for the same idea but for response codes. The HTTP headers inspector shows what a real server returns on a live URL.

Questions and answers

They are key-value pairs sent alongside every request and response. Example: `Content-Type: application/json`, `Cache-Control: no-store`, `Authorization: Bearer abc`. Headers are invisible in the browser UI (click a link, you do not see them), but the server and browser read them on every operation. About 100 standard headers exist, and you can invent your own (historically prefixed with `X-`).

What does Cache-Control, Authorization, CORS, and the other HTTP headers mean?

It runs offline because the data is baked in. Instant filter, copy just the name, just the value, or the full `Name: value` line.

How to use it

Type a name (`Cache-Control`), a description (`forces HTTPS`), or a category into the search box. The list filters instantly.

Use the Authentication / Caching / CORS / Security / Cookies / Proxies / Other pills to narrow down.

Direction filter: Request / Response / Both - useful when you specifically want something the server sends back.

Arrow keys ↑↓ move the highlight, Enter copies the name of the first hit.

Click a header to see the detail panel: description, example value, related headers. Copy just the name, just the value, or the full `Name: value`.

When this is useful

Everyday situations with HTTP headers:

CORS configuration - which Access-Control-* headers do you need so frontend X can read API Y? All in one category.
Security hardening - auditing a server. Check: Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy. All flagged as popular.
Cache and CDN - why does the CDN not cache? Inspect Cache-Control + Vary + Expires + ETag. Understand how they interact.
Debugging 401/403 - you got a 401 but do not know which scheme to advertise. Look up WWW-Authenticate, line up Authorization.
Rate limiting - implementing 429 Too Many Requests. Which header tells the client to back off? Retry-After. Example value right here.
HTTPS migration - how do you enable HSTS? Not just the syntax but the "include preload to be hardcoded into browsers" hint.
Onboarding - a junior asks "what is X-Forwarded-For?". Send them this page instead of explaining.

Related tools: HTTP status codes for the same idea but for response codes. The HTTP headers inspector shows what a real server returns on a live URL.

Questions and answers

HTTP Headers Reference

What does Cache-Control, Authorization, CORS, and the other HTTP headers mean?

How to use it

When this is useful

Questions and answers

Related tools

HTTP Status Codes

HTTP Headers Inspector

MIME Type Lookup

HTTP request tester

HTTP Headers Reference

What does Cache-Control, Authorization, CORS, and the other HTTP headers mean?

How to use it

When this is useful

Questions and answers

Related tools

HTTP Status Codes

HTTP Headers Inspector

MIME Type Lookup

HTTP request tester