What HTTP headers are, why they matter, and how to use them to improve security and performance.
HTTP headers are name-value pairs sent between a client (browser) and a server with every HTTP request and response. They appear before the body of the message, separated from it by a blank line. While the body carries the actual content (HTML, JSON, images), headers carry metadata — instructions, context, and status information that both sides use to handle the communication correctly.
Every time you load a webpage, your browser sends a request with headers, and the server replies with its own set. Most of this happens invisibly, but understanding these headers gives you control over caching, security, content types, and how browsers render your pages.
Request headers are sent by the browser to the server. They tell the server who's asking and what they want:
| Header | Purpose |
|---|---|
| Host | The domain name being requested. Required in HTTP/1.1, since one server often hosts several sites |
| User-Agent | Identifies the browser and OS (e.g., Chrome on Windows) |
| Accept | Tells the server what content types the client can handle |
| Accept-Language | Preferred language (e.g., en-US) |
| Authorization | Carries credentials (a bearer token, basic-auth pair, etc.) for authenticated requests |
| Referer | The URL of the page that linked to the current request (the misspelling is part of the standard) |
Response headers come back from the server and tell the browser how to handle the content:
| Header | Purpose |
|---|---|
| Content-Type | MIME type of the response body (e.g., text/html; charset=UTF-8) |
| Content-Length | Size of the response body in bytes |
| Cache-Control | Directives for caching (e.g., max-age=3600, or no-store for sensitive responses) |
| Set-Cookie | Sends a cookie to the browser for storage; one header per cookie |
| Location | Target URL for redirects (used with 3xx responses such as 301/302/307) |
| Server | Software running on the server (e.g., nginx, Apache) |
Security headers instruct browsers to enable built-in protections. These are the essentials:
Strict-Transport-Security (HSTS): Tells the browser to use only HTTPS for this host. Set max-age (in seconds) to say for how long; includeSubDomains extends it to subdomains. Prevents protocol downgrade attacks and cookie hijacking over plain HTTP. Note that the browser learns the policy only from a response it has already received over HTTPS, so the very first visit is not protected unless the domain is on the browser preload list.

Content-Security-Policy (CSP): Controls which sources can load scripts, styles, images, and other resources. The most powerful header against XSS attacks. A basic policy might only allow scripts from your own domain; a policy that permits 'unsafe-inline' in script-src gives away most of that protection.

X-Frame-Options: Prevents your page from being embedded in iframes on other sites, which stops clickjacking attacks. Set to DENY or SAMEORIGIN. The CSP frame-ancestors directive does the same job with finer control and takes precedence where both are present.

X-Content-Type-Options: Set to nosniff to prevent browsers from guessing MIME types. Forces the browser to respect your Content-Type header.

Referrer-Policy: Controls how much referrer information is sent with navigations and subresource requests to other sites. strict-origin-when-cross-origin is a good balance of privacy and functionality.

Permissions-Policy: Controls which browser features (camera, microphone, geolocation) your site can use. Disable features you don't need.

You can check headers in several ways:
curl -I https://example.com fetches only the response headers without downloading the body. It sends a HEAD request, and some servers answer HEAD differently from GET; curl -sD - -o /dev/null https://example.com sends a normal GET and still prints just the headers. The Network tab in your browser's developer tools shows the same information per request.

Want to see what headers your website sends? Use our HTTP Header Inspector to check any URL and get a detailed breakdown including security header analysis.
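The security headers above can be audited from the raw output of curl -I. The script below is an added example, not code from this page or the HTTP Header Inspector: it parses a response head into a case-insensitive header map, then checks each of the six headers for presence and for the weak values discussed above (a short HSTS max-age, 'unsafe-inline' or a wildcard in script-src, a frameable page with neither X-Frame-Options nor frame-ancestors, a missing nosniff, a referrer policy that leaks full URLs, and no Permissions-Policy). The two response samples are constructed for the example and the one-year HSTS floor is an assumption.

```python
import re
from typing import Dict, List, Tuple

Headers = Dict[str, List[str]]

# Constructed samples of what `curl -I` prints for a hypothetical site; they
# are not captured from any real server. The first is deliberately weak.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: ALLOWALL
Referrer-Policy: unsafe-url
Set-Cookie: session=abc123; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""

ONE_YEAR = 31536000  # seconds; assumed floor for HSTS max-age
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade"}  # send the full URL cross-origin


def parse_headers(raw: str) -> Headers:
    """Parse a raw response head (status line plus header lines) into a dict.
    Names are case-insensitive, so keys are lower-cased; repeated headers such
    as Set-Cookie keep every value. Only the first header block is read, so a
    `curl -IL` transcript that follows redirects needs splitting first."""
    headers: Headers = {}
    for line in raw.splitlines()[1:]:   # [1:] skips the status line
        if not line.strip():
            break                        # a blank line terminates the head
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}."""
    out: Dict[str, List[str]] = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def audit(headers: Headers) -> List[Tuple[str, str]]:
    """Return (header, finding) pairs for missing or weak security headers."""
    findings: List[Tuple[str, str]] = []

    def first(name: str):
        values = headers.get(name)
        return values[0] if values else None

    hsts = first("strict-transport-security")
    max_age = re.search(r"max-age=(\d+)", hsts or "")
    if hsts is None:
        findings.append(("Strict-Transport-Security", "missing"))
    elif not max_age or int(max_age.group(1)) < ONE_YEAR:
        findings.append(("Strict-Transport-Security", f"max-age below one year: {hsts}"))

    csp_raw = first("content-security-policy")
    csp = parse_csp(csp_raw) if csp_raw else {}
    if not csp:
        findings.append(("Content-Security-Policy", "missing"))
    else:
        # script-src falls back to default-src when it is not set explicitly
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append(("Content-Security-Policy",
                             "script-src permits inline or wildcard scripts, defeating XSS protection"))

    # Either a strict X-Frame-Options or a CSP frame-ancestors directive stops clickjacking.
    xfo = (first("x-frame-options") or "").upper()
    if xfo not in {"DENY", "SAMEORIGIN"} and "frame-ancestors" not in csp:
        findings.append(("X-Frame-Options", f"not DENY/SAMEORIGIN and no frame-ancestors: {xfo or 'missing'}"))

    if (first("x-content-type-options") or "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "not set to nosniff"))

    referrer = (first("referrer-policy") or "").lower()
    if not referrer:
        findings.append(("Referrer-Policy", "missing"))
    elif referrer in LEAKY_REFERRER:
        findings.append(("Referrer-Policy", f"leaks full URL to other origins: {referrer}"))

    if first("permissions-policy") is None:
        findings.append(("Permissions-Policy", "missing"))

    return findings


if __name__ == "__main__":
    import sys
    # Pipe real output in with `curl -sI https://example.com | python audit.py`;
    # with no piped input the two constructed samples are audited instead.
    raw_inputs = [sys.stdin.read()] if not sys.stdin.isatty() else [WEAK_RESPONSE, HARDENED_RESPONSE]
    for raw in raw_inputs:
        result = audit(parse_headers(raw))
        print(f"{len(result)} finding(s)")
        for header, finding in result:
            print(f"  {header}: {finding}")
```

The weak sample produces six findings and the hardened one none; note that the hardened response has no X-Frame-Options at all and still passes, because its CSP frame-ancestors directive covers clickjacking. The audit deliberately reads only the first header block, so when you follow redirects with curl -IL, split the transcript at each status line and audit the final block, which is the page the user actually receives.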