HTTP Headers Explained
Understand what happens behind every web request.
What are HTTP Headers?
HTTP headers are key-value pairs sent at the start of every HTTP request and response. They carry metadata: content type, authentication, caching rules, security policies, and more — all invisible to the end user.
```
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: max-age=3600
X-Frame-Options: DENY
```
Request vs Response Headers
Request headers — sent by the client:
| Header | Purpose |
|---|---|
| Authorization | Bearer token or API key |
| Content-Type | Format of the request body |
| Accept | Formats the client can handle |
| User-Agent | Browser or client identifier |
Response headers — sent by the server:
| Header | Purpose |
|---|---|
| Content-Type | Format of the response body |
| Cache-Control | How long to cache the response |
| Set-Cookie | Creates a cookie on the client |
| Location | Redirect destination (3xx responses) |
Security Headers
| Header | Protection |
|---|---|
| Content-Security-Policy | Restricts allowed sources for scripts, styles |
| X-Frame-Options | Prevents clickjacking via iframes |
| Strict-Transport-Security | Forces HTTPS for future requests |
| X-Content-Type-Options | Prevents MIME-type sniffing |
| Referrer-Policy | Controls the Referer header sent |
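As an added example (not part of the original guide), the following script parses a raw response head and reports which of the five security headers in the table above are missing or carry a weak value. The function names and the specific value checks are assumptions chosen for illustration.

```python
# Added example: audit a raw HTTP response head for the five security headers.
REQUIRED = ("content-security-policy", "x-frame-options",
            "strict-transport-security", "x-content-type-options",
            "referrer-policy")

def parse_head(raw):
    """Return (status_code, headers); names lower-cased, repeated headers kept as lists."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    status = int(lines[0].split()[1])           # "HTTP/1.1 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:                                  # skip malformed lines without a colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def hsts_max_age(value):
    """Extract max-age seconds from a Strict-Transport-Security value, or None."""
    for part in value.split(";"):
        key, _, num = part.strip().partition("=")
        if key.lower() == "max-age" and num.strip('"').isdigit():
            return int(num.strip('"'))
    return None

def audit(raw):
    """Return a sorted list of findings; an empty list means all checks passed."""
    _, h = parse_head(raw)
    findings = [f"missing {name}" for name in REQUIRED if name not in h]
    xfo = h.get("x-frame-options", [""])[0].upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options value not DENY or SAMEORIGIN")
    xcto = h.get("x-content-type-options", [""])[0].lower()
    if xcto and xcto != "nosniff":
        findings.append("x-content-type-options is not nosniff")
    hsts = h.get("strict-transport-security")
    if hsts and not hsts_max_age(hsts[0]):       # absent or zero max-age disables HSTS
        findings.append("strict-transport-security has no positive max-age")
    return sorted(findings)

# Constructed sample: the example response shown earlier in this guide, plus an empty body.
SAMPLE = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
          "Cache-Control: max-age=3600\r\nX-Frame-Options: DENY\r\n\r\n{}")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Header names are compared case-insensitively because HTTP field names are case-insensitive; only the first value of a repeated header is checked.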
Status Code Groups
| Range | Category | Common examples |
|---|---|---|
| 1xx | Informational | 100 Continue |
| 2xx | Success | 200 OK, 201 Created, 204 No Content |
| 3xx | Redirection | 301 Moved Permanently, 302 Found |
| 4xx | Client error | 400 Bad Request, 401 Unauthorized, 404 Not Found |
| 5xx | Server error | 500 Internal Server Error, 503 Service Unavailable |