What is the fastest way to debug an unfamiliar header?
Figure out three things first: who sent it, whether it changes browser behavior or server behavior, and which decision it affects: caching, auth, redirects, cookies, or security policy.
Reference
HTTP Headers
Use this when you can see a header name in logs, DevTools, or `curl`, but need to know whether it explains the behavior you are seeing.
Tip: press / to focus search.
Accept Header
Learn how the Accept header tells servers which content types (JSON, HTML, XML) your client can handle. Master content negotiation and quality values.
Accept-Encoding Header
Learn how Accept-Encoding tells servers which compression formats (gzip, br, deflate) your client supports to reduce bandwidth and speed up page loads.
Accept-Language Header
Learn how the Accept-Language header tells servers which languages your client prefers for localized content. Understand language tags and quality values.
Accept-Ranges Header
Learn how the Accept-Ranges header tells clients whether your server supports partial content requests (byte ranges) for efficient downloads and streaming.
Access-Control-Allow-Credentials Header
Learn how Access-Control-Allow-Credentials controls whether browsers expose responses when credentials (cookies, auth headers) are included in CORS requests.
Access-Control-Allow-Headers Header
Learn how Access-Control-Allow-Headers specifies which custom HTTP headers can be used during cross-origin requests in CORS preflight responses.
Access-Control-Allow-Methods Header
Learn how Access-Control-Allow-Methods specifies which HTTP methods are permitted for cross-origin requests in CORS preflight responses.
Access-Control-Allow-Origin
Learn how Access-Control-Allow-Origin controls which origins can access resources in CORS. Covers wildcard, specific origin, and credential configurations.
Access-Control-Max-Age Header
Learn how Access-Control-Max-Age specifies how long browsers can cache CORS preflight results. Reduce preflight requests and improve cross-origin performance.
Access-Control-Request-Headers Header
Learn how Access-Control-Request-Headers tells servers which custom headers will be used in CORS requests. Essential for preflight request handling.
Access-Control-Request-Method Header
Learn how Access-Control-Request-Method tells servers which HTTP method will be used in the actual CORS request. Essential for preflight request handling.
Age Header
Learn how the Age header indicates how long a response has been cached in seconds. Understand cache freshness calculations and CDN behavior.
Authentication-Info Header
Learn how Authentication-Info provides additional authentication data in responses to successful requests. Covers digest authentication and session info.
Authorization Header: HTTP Authentication
Learn how the Authorization header works, different authentication schemes (Bearer, Basic, API keys), and security best practices.
Cache-Control Header: Complete HTTP Caching Guide
Master the Cache-Control header. Learn how to control browser and CDN caching with max-age, no-cache, no-store, and other directives.
Connection Header
Learn how the Connection header controls whether HTTP connections stay open (keep-alive) or close after each request. Optimize with persistent connections.
Content-Disposition Header
Learn how the Content-Disposition header controls whether content displays inline or downloads as an attachment. Set custom filenames for file downloads.
Content-Encoding
Learn how Content-Encoding specifies compression algorithms (gzip, br, deflate) used to encode response bodies. Reduce bandwidth and improve load times.
Content-Language Header
Learn how the Content-Language header specifies the natural language(s) of response content. Understand language tags and internationalization best practices.
Content-Length
Learn how Content-Length specifies the body size in bytes. Essential for progress indicators, connection management, and chunked transfer decisions.
Content-Location Header
Learn how Content-Location indicates an alternate URL for returned content. Useful for content negotiation and identifying canonical resource locations.
Content-Range Header
Learn how the Content-Range header indicates which portion of a resource is being sent in partial content (206) responses for range requests and streaming.
Content-Security-Policy Header
Learn how Content-Security-Policy (CSP) defines security policies to prevent XSS, clickjacking, and code injection. Master CSP directives and best practices.
Content-Type Header: Complete Guide to MIME Types
Learn how the Content-Type header works. Understand MIME types, charset encoding, and how to set the correct content type for APIs, forms, and file uploads.
Cookie Header
Learn how the Cookie header sends stored cookies to servers with each request. Understand cookie transmission, session management, and security considerations.
Cross-Origin-Embedder-Policy
Learn how Cross-Origin-Embedder-Policy (COEP) controls cross-origin resource loading. Required for SharedArrayBuffer and high-resolution timer access.
Cross-Origin-Opener-Policy
Learn how Cross-Origin-Opener-Policy (COOP) isolates your browsing context from cross-origin documents. Required for SharedArrayBuffer and enhanced security.
Cross-Origin-Resource-Policy
Learn how Cross-Origin-Resource-Policy (CORP) blocks no-cors cross-origin requests to protect resources from Spectre attacks and data leaks.
Date Header
Learn how the Date header specifies when the HTTP message was originated by the server. Understand date formats and its role in caching and logging.
Early-Hints
Learn how 103 Early Hints allows servers to send preload hints while preparing the main response. Improve page load performance with early resource loading.
ETag
Learn how the ETag header provides a unique identifier for resource versions, enabling efficient cache validation and conditional requests to reduce bandwidth.
Expires Header
Learn how the Expires header specifies when cached responses become stale. Understand date formats and when to use Expires vs Cache-Control for caching.
Forwarded
Learn how the Forwarded header preserves original client information (IP, protocol, host) that would otherwise be lost when requests pass through proxies.
Host Header
Learn how the Host header specifies the target server domain name and port for HTTP requests. Essential for virtual hosting and routing on shared servers.
If-Match Header
Learn how the If-Match header makes requests conditional based on ETag matching. Prevent conflicts and lost updates in concurrent editing scenarios.
If-Modified-Since Header
Learn how the If-Modified-Since header requests resources only if modified since a specific date. Reduce bandwidth with efficient conditional caching.
If-None-Match Header
Learn how the If-None-Match header makes conditional requests using ETags. Avoid downloading unchanged resources and reduce bandwidth with cache validation.
If-Range Header
Learn how the If-Range header requests partial content only if the resource is unchanged. Efficiently resume downloads without re-fetching entire files.
If-Unmodified-Since Header
Learn how the If-Unmodified-Since header makes requests conditional on resources not being modified. Prevent conflicts in concurrent update scenarios.
Keep-Alive Header
Learn how the Keep-Alive header controls HTTP connection persistence and reuse. Reduce latency and improve performance by avoiding repeated TCP handshakes.
Last-Modified
Learn how the Last-Modified header indicates when a resource was last changed. Enable efficient cache validation with If-Modified-Since conditional requests.
Link Header
Learn how the Link header provides resource hints and enables preloading of CSS, fonts, and scripts to improve page load performance and user experience.
Location
Learn how the Location header specifies redirect URLs or the location of newly created resources. Essential for 201, 301, 302, and other redirect responses.
Origin Header
Learn how the Origin header identifies where cross-origin requests come from. Essential for CORS security policies and preventing cross-site request forgery.
Performance-Timing
Learn about Performance-Timing, a non-standard header for exposing server-side performance metrics to clients. Understand its use cases and alternatives.
Permissions-Policy Header
Learn how the Permissions-Policy header controls which browser features and APIs can be used in your site and embedded iframes. Enhance security and privacy.
Proxy-Authenticate Header
Learn how the Proxy-Authenticate header challenges clients for credentials when accessing resources through a proxy. Understand proxy authentication schemes.
Proxy-Authorization Header
Learn how Proxy-Authorization provides credentials to access resources through a proxy server. Understand proxy authentication schemes and security.
Range Header
Learn how the Range header requests partial content from servers to enable resumable downloads, video streaming, and efficient large file transfers.
Referer Header
Learn how the Referer header tells servers which page led to the current request. Understand its use in analytics, security, and privacy implications.
Referrer-Policy Header
Learn how Referrer-Policy controls how much referrer information is sent with requests. Protect user privacy while maintaining analytics functionality.
Refresh Header
Learn how the Refresh header instructs browsers to reload or redirect after a delay. Understand its use cases, limitations, and better alternatives.
Retry-After
Learn how the Retry-After header tells clients how long to wait before retrying a request. Understand its use with 503, 429, and 301 status codes.
Sec-WebSocket-Accept
Learn how the Sec-WebSocket-Accept header indicates server acceptance of a WebSocket connection upgrade. Understand the handshake process and key validation.
Sec-WebSocket-Key
Learn how the Sec-WebSocket-Key header provides a random key for WebSocket handshake validation. Understand the upgrade process and security implications.
Server-Timing Header
Learn how the Server-Timing header communicates server-side performance metrics to browsers. Analyze backend timing, database queries, and optimize performance.
Set-Cookie
Learn how the Set-Cookie header instructs browsers to store cookies with attributes like HttpOnly, Secure, SameSite, and expiration settings.
Strict-Transport-Security Header
Learn how Strict-Transport-Security (HSTS) forces browsers to only communicate over HTTPS, preventing protocol downgrade and man-in-the-middle attacks.
Timing-Allow-Origin
Learn how the Timing-Allow-Origin header specifies which origins can access Resource Timing API data. Enable cross-origin performance monitoring securely.
Transfer-Encoding Header
Learn how the Transfer-Encoding header specifies encoding formats like chunked transfer for streaming responses when content length is unknown beforehand.
Upgrade Header
Learn how the Upgrade header requests protocol upgrades to WebSocket, HTTP/2, or other protocols on the same TCP connection. Understand upgrade negotiation.
User-Agent Header
Learn how the User-Agent header identifies the client software, browser, or application making HTTP requests. Understand user agent strings and best practices.
Vary
Learn how the Vary header specifies which request headers affect the response. Essential for proper cache differentiation and content negotiation.
Via Header
Learn how the Via header tracks the path of HTTP requests through proxies and gateways. Debug routing issues and understand your network infrastructure.
Warning Header
Learn about the deprecated Warning header that provided additional status information about message transformations. Understand why it was removed from HTTP.
WWW-Authenticate
Learn how the WWW-Authenticate header specifies authentication methods required to access protected resources. Understand Basic, Bearer, and Digest schemes.
X-Cache Header
Learn how the X-Cache header indicates cache hit or miss status from CDNs and proxies. Debug caching issues and verify CDN configuration with this header.
X-Content-Type-Options Header
Learn how X-Content-Type-Options with nosniff prevents browsers from MIME-sniffing responses. Protect against XSS attacks from content type confusion.
X-Forwarded-For
Learn how X-Forwarded-For identifies the original client IP when requests pass through proxies or load balancers. Essential for logging and security.
X-Forwarded-Proto
Learn how the X-Forwarded-Proto header identifies the original protocol (HTTP/HTTPS) used by clients connecting through proxies or load balancers.
X-Frame-Options Header
Learn how X-Frame-Options prevents clickjacking attacks by controlling whether your site can be embedded in frames, iframes, or objects on other domains.
X-RateLimit Headers
Learn how X-RateLimit headers inform API clients about rate limits, remaining requests, and reset times. Implement proper rate limiting in your applications.
X-Response-Time
Learn how the X-Response-Time header indicates server processing time in milliseconds. Useful for performance monitoring and debugging slow requests.
X-XSS-Protection Header
Deprecated header that enabled browser XSS filters to detect and block reflected cross-site scripting attacks.
What HTTP Headers Tell You
If you are staring at a response in DevTools or `curl`, headers are often the fastest explanation for what happened. They tell you what the client asked for, what the server decided, and which intermediaries changed the rules along the way.
- Request headers
- These explain what the client wants or already knows, like accepted formats, cached versions, auth credentials, or origin context.
- Response headers
- These explain the server decision: content type, cache policy, redirect target, cookie instructions, or a challenge the client must answer.
- General and hop-by-hop headers
- Some fields are really about the trip, not the resource. They show up most often when proxies, gateways, and connection behavior are involved.
- Policy headers
- Headers like CSP, HSTS, and Permissions-Policy are not passive metadata. Browsers enforce them, and small mistakes have visible consequences.
Fast Ways To Narrow The Problem
When you do not know the header name yet, start from the behavior you are trying to explain.
- For caching bugs, start with Cache-Control, ETag, Expires, Vary, and Last-Modified.
- For auth or CORS bugs, look at Authorization, WWW-Authenticate, Origin, and the Access-Control-* fields together.
- For browser security behavior, check CSP, HSTS, Referrer-Policy, Permissions-Policy, and cookie-related headers in one pass.
Questions From Debugging Sessions
Which headers should I check first for a caching problem?
Usually Cache-Control, ETag, Expires, Last-Modified, Age, and Vary. Those six explain most “why did I get stale or uncached content?” investigations.
Do proxies and CDNs change how headers behave?
Yes. Proxies and CDNs can add, strip, normalize, or reinterpret headers, especially around forwarding, compression, caching, and security controls.
No headers match this filter.