About HTTP Headers Cheatsheet

Request + response headers and a caching decision tree. Part of the DevTools Surf developer suite. Browse more tools in the Cheatsheets collection.

Use Cases

• Frontend devs debugging CORS and caching issues in the browser
• API developers setting correct Content-Type and Accept headers
• DevOps engineers configuring CDN cache policies with proper headers
• Security engineers hardening responses with CSP and HSTS headers

Tips

• Use the caching decision tree to pick the right Cache-Control value
• Compare request vs response headers in the side-by-side layout
• Search for specific headers like Content-Security-Policy by name

Fun Facts

• HTTP/1.0 (1996) had only 16 defined headers; HTTP/1.1 (1997) expanded this to 46. Today there are over 100 registered IANA HTTP headers.
• The X- prefix for custom headers was officially deprecated in RFC 6648 (2012) because too many 'experimental' headers became permanent standards.
• The Cache-Control header replaced the simpler Expires header from HTTP/1.0 and supports 15+ directives including stale-while-revalidate.

FAQ

Request headers only or response too?

Both. Plus a caching decision tree showing how Cache-Control, Expires, ETag, and Last-Modified interact.

What about CORS headers?

Covered at high level. For deep CORS understanding see the 'CORS Explained' info page.

Does it explain security headers?

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, and Permissions-Policy all included with common starter configs.

What's the caching decision tree?

A flowchart: is it user-specific? → private vs public. Is it versioned? → immutable vs short max-age. When does stale-while-revalidate apply? The tree simplifies the decisions.