HTTP Request and Response Headers

Using the Hypertext Transfer Protocol (HTTP), browsers can communicate with web servers to get information to load web pages. When an HTTP request is made, and an HTTP response is given by a web server, the request or response is usually accompanied by additional information, contained in an HTTP header.

HTTP headers contain metadata in key-value pairs that are sent along with HTTP requests and responses. These headers play a crucial role in server and client behavior throughout the request and response cycle.

Request headers are sent by the client to the server and contain information and instructions related to the requested resource, while response headers are sent by the server to the client and provide metadata, instructions, and additional information about the response itself.

1. Request Headers


The Accept header defines the type of content that the client is able to accept from the server.

For example, Accept: application/json, text/html indicates that the client prefers JSON or HTML responses. This information allows the server to send a resource representation that meets the client's needs.


The User-Agent header identifies the web browser or client application that is making the request, which enables the server to tailor its response to the client.


The Authorization header is used to send the client’s credentials to the server when the client is attempting to access a protected resource.


The Content-Type request header identifies the media type of the content in the request body.

For example, Content-Type: application/json indicates that the request body contains JSON data. This information helps the server successfully interpret and process the payload.


The client can use the Cookie header to send previously stored cookies back to the server. The server then uses these cookies to associate the request with a specific user or session.

2. Response Headers


The Content-Type response header indicates the MIME type of data that the server is sending to the client. The MIME type tells the browser or other client how to interpret the content.

For example, if the Content-Type is set to "text/html", the browser knows to display the response as an HTML document. Other common MIME types include "application/json" for JSON data and "image/png" for PNG images.


The Cache-Control header controls caching behavior in the client’s browser or intermediate caches. It defines how the response can be cached, when it expires, and how it should be revalidated.

The value can include directives such as "public" to allow caching by any client, "private" to limit caching to the browser or other client, "no-cache" to indicate that the response should not be cached, and "max-age" to specify how long the response can be cached.

For example, Cache-Control: max-age=3600, public instructs the client to cache the response for a maximum of 3600 seconds (1 hour) and allows caching by public caches.


The Server header includes the name and version of the server software that generated the response.


The Set-Cookie header instructs the client to store a cookie with the specified name, value, and additional attributes, such as expiration, domain, path, and security flags. The client will then include the cookie in subsequent requests.


The Content-Length header, which specifies the size of the response body in bytes, can help the client anticipate how much data it is going to receive. This improves performance by allowing the client to plan in advance for more efficient memory allocation and data processing.

When you are downloading a file from internet, the broweser looks at this header to determine how big the file is.


This header is used to redirect the client to a different URL. The client should automatically follow the URL in the Location header. This is commonly used for HTTP redirects, such as when a user submits a form and is redirected to a confirmation page.


This header specifies the date and time after which the response should be considered stale. If a client requests the same resource before the expiration date has passed, the server can return a cached copy of the resource.


This header is used to specify which domains are allowed to access the resource being requested, in the case of cross-origin requests. This can help prevent malicious scripts from accessing resources that they should not have access to.


This header is used to prevent clickjacking attacks by restricting which sites are allowed to embed the page in an iframe. The value of the header can include “deny” to prevent embedding on any site, "sameorigin" to allow embedding only on the same domain, or a specific domain to allow embedding on that domain only.

Recommended value is "X-Frame-Options: SAMEORIGIN".


This header is used to control how much information is sent in the referrer header when a user clicks on a link. The value of the header can include “no-referrer” to send no referrer information, "same-origin" to send referrer information only for same-origin requests, or "strict-origin" to send referrer information only for requests to the same domain.


HTTP Strict Transport Security strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.

Recommended value is "Strict-Transport-Security: max-age=31536000; includeSubDomains".