HTTP Header Reference

Searchable reference for common HTTP request and response headers.


Overview

A searchable index of HTTP request and response headers - what each one means, which side sends it, and which RFC defines it. Filter by category (caching, content negotiation, security, CORS) or type a partial name to jump to specifics.

It's for developers building APIs, debugging unexpected caching behaviour, or hardening a site's security posture. Reach for it when reading an unfamiliar Sec- header, configuring a CDN's cache-key rules, or auditing whether your CSP, HSTS, and CORS configuration matches modern best practice.

How it works

The reference is keyed against the IANA Message Headers registry and the underlying RFCs - RFC 9110 (semantics), RFC 9111 (caching), RFC 6265 (cookies), RFC 7234, plus W3C documents for CORS and CSP. Each entry includes the canonical name, request vs response, a short description, and notes on common values.

Security headers are grouped together (HSTS, CSP, Permissions-Policy, X-Content-Type-Options, X-Frame-Options), with shorthand notes on the recommended baseline values. Caching headers note where modern Cache-Control directives have replaced legacy headers like Expires and Pragma.

Examples

  • Cache-Control combinations:
    Cache-Control: public, max-age=3600
    Cache-Control: no-store
    Cache-Control: private, max-age=0, must-revalidate
    
  • Content negotiation:
    Accept: application/json
    Accept-Language: en-GB, en;q=0.9
    
  • Security headers:
    Strict-Transport-Security: max-age=63072000; includeSubDomains
    Content-Security-Policy: default-src 'self'
    
  • CORS preflight response:
    Access-Control-Allow-Origin: https://example.com
    Access-Control-Allow-Methods: GET, POST
    Access-Control-Allow-Headers: Content-Type
    

FAQ

What's the difference between Cache-Control: no-cache and no-store?

no-cache allows caching but requires revalidation before reuse. no-store forbids storing the response at all - use it for sensitive data.

Are X-Frame-Options and CSP frame-ancestors interchangeable?

frame-ancestors supersedes X-Frame-Options and is more flexible. Modern browsers ignore X-Frame-Options if frame-ancestors is set.

What's an HSTS preload list?

Browser vendors maintain a baked-in list of HSTS-enforced sites. Submit at hstspreload.org once your Strict-Transport-Security header meets the requirements.

Do I need both Cache-Control and Expires?

No - Cache-Control takes precedence in HTTP/1.1+. Expires is purely a legacy fallback for HTTP/1.0 caches, which are essentially nonexistent today.
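
The FAQ answers above can be turned into a small response-header audit. The sketch below is an added example, not part of the reference tool; the function names and finding codes are hypothetical, the sample responses are constructed, and the preload thresholds (max-age of at least one year, includeSubDomains, preload) are assumptions taken from hstspreload.org's published requirements.

```python
YEAR = 31536000  # assumed preload minimum for max-age, in seconds (hstspreload.org)
def _directives(value, sep, kv):
    """Split a header value into {lowercased directive name: argument string}."""
    out = {}
    for part in value.split(sep):
        name, _, arg = part.strip().partition(kv)
        if name:
            out.setdefault(name.lower(), arg.strip().strip('"'))
    return out

def audit(headers, sensitive=False):
    """Return sorted finding codes for one response's headers (hypothetical codes)."""
    h = {k.lower(): v for k, v in headers.items()}
    found = set()
    hsts = _directives(h.get("strict-transport-security", ""), ";", "=")
    age = hsts.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        found.add("hsts-missing-or-invalid")
    elif int(age) < YEAR or "includesubdomains" not in hsts or "preload" not in hsts:
        found.add("hsts-not-preload-ready")   # informational unless you plan to submit
    csp = _directives(h.get("content-security-policy", ""), ";", " ")
    xfo = "x-frame-options" in h
    if "frame-ancestors" in csp:
        if xfo:
            found.add("xfo-redundant")        # ignored where frame-ancestors is honoured
    else:
        # default-src is not a fallback for frame-ancestors, so it must be set explicitly
        found.add("framing-xfo-only" if xfo else "framing-unrestricted")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        found.add("nosniff-missing")
    cc = _directives(h.get("cache-control", ""), ",", "=")
    if sensitive and "no-store" not in cc:
        found.add("cache-storable")           # no-cache alone still permits storage
    return sorted(found)

# Constructed sample responses (not captured traffic).
PAGE_EXAMPLE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "Cache-Control": "no-cache",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Cache-Control": "no-store",
}
if __name__ == "__main__":
    print(audit(PAGE_EXAMPLE, sensitive=True), audit(HARDENED, sensitive=True))
```

Run against the header values from the Examples section, the audit reports that default-src 'self' leaves framing unrestricted and that the HSTS value lacks the preload directive; the hardened set returns no findings.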
