HTTP Headers Cheatsheet
Common request + response headers, what they do, and when they matter.
Request headers

| Header | What it does |
| --- | --- |
| Accept | Media type client wants back (`application/json`) |
| Accept-Language | Preferred languages (`en-US,en;q=0.9`) |
| Authorization | `Bearer <token>` or `Basic base64(user:pass)` |
| Content-Type | Body media type (needed for POST/PUT JSON) |
| Content-Length | Bytes in body (set automatically) |
| Cookie | `k1=v1; k2=v2` |
| If-None-Match | ETag from prior response — enables 304 Not Modified |
| User-Agent | Client string (don't parse in business logic) |
| X-Forwarded-For | Client IP chain behind proxies — trust carefully |

Response headers

| Header | What it does |
| --- | --- |
| Content-Type | Body media type; charset for text |
| Cache-Control | `public, max-age=31536000, immutable` for hashed static |
| ETag | Opaque version token for conditional requests |
| Last-Modified | Fallback for ETag — weaker |
| Location | Where redirects go (for 3xx) or created resource (201) |
| Set-Cookie | `name=v; Path=/; HttpOnly; Secure; SameSite=Lax` |
| Access-Control-Allow-Origin | CORS — `*` or specific origin |
| Strict-Transport-Security | `max-age=31536000; includeSubDomains` — forces HTTPS |
| Content-Security-Policy | Allowed sources for scripts/styles/media |
| X-Frame-Options | `DENY` or `SAMEORIGIN` to block clickjacking |

Caching decision tree
- HTML pages: `Cache-Control: no-cache` + ETag — always revalidate, cheap 304.
- Hashed assets (`app.abc123.js`): `Cache-Control: public, max-age=31536000, immutable` — cache forever.
- User-specific data: `Cache-Control: private, no-store` — never cache on CDN.
- API reads rarely changing: `Cache-Control: public, max-age=60, stale-while-revalidate=300`.
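As an added example (not part of the original cheatsheet), a small Python response builder that applies the caching decision tree above and the ETag / If-None-Match revalidation it relies on, with the HSTS and X-Frame-Options values from the response table as a baseline; the resource-class keys and the CSP value are constructed for the example.

```python
import hashlib

# Cache-Control values from the decision tree above, keyed by resource class
# (the class names are constructed for this example).
CACHE_POLICY = {
    "html": "no-cache",
    "hashed_asset": "public, max-age=31536000, immutable",
    "user_data": "private, no-store",
    "api_read": "public, max-age=60, stale-while-revalidate=300",
}

# Baseline hardening headers from the response table; the CSP value is a
# constructed minimal policy, not one the cheatsheet specifies.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
}


def strong_etag(body: bytes) -> str:
    """Opaque version token: a quoted digest of the exact bytes served."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def respond(kind: str, body: bytes, request_headers: dict) -> dict:
    """Build status and headers for a GET of the given resource class,
    answering 304 when the client's If-None-Match matches the current ETag."""
    headers = dict(SECURITY_HEADERS)
    headers["Cache-Control"] = CACHE_POLICY[kind]
    if kind == "user_data":
        # no-store: the client keeps nothing, so there is nothing to revalidate
        return {"status": 200, "headers": headers, "body": body}
    etag = strong_etag(body)
    headers["ETag"] = etag
    # If-None-Match may be "*" or a comma-separated list of ETags
    inm = request_headers.get("If-None-Match")
    if inm is not None:
        tags = [t.strip() for t in inm.split(",")]
        if "*" in tags or etag in tags:
            return {"status": 304, "headers": headers, "body": b""}
    return {"status": 200, "headers": headers, "body": body}


if __name__ == "__main__":
    page = b"<html>hello</html>"  # constructed sample body
    first = respond("html", page, {})
    second = respond("html", page, {"If-None-Match": first["headers"]["ETag"]})
    print(first["status"], second["status"])  # 200 304
```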