What is the difference between request headers and response headers?

Request headers are sent by the client (browser) to the server — they communicate what the client accepts, its identity, and any credentials. Response headers are sent back by the server — they describe the content, caching rules, and security policies.

What is Cache-Control?

Cache-Control is a response header that tells browsers and CDNs how long to cache the response. 'Cache-Control: max-age=86400' caches the resource for 24 hours. 'Cache-Control: no-store' prevents any caching.

What are HTTP Headers?

Q: What are HTTP headers?

HTTP headers are key-value pairs sent at the start of every HTTP request and response. They carry metadata about the connection, the content being transferred, caching rules, authentication, and more. Example: 'Content-Type: application/json' tells the recipient the body contains JSON.

HTTP headers are key-value pairs sent with every request and response. They carry metadata about the content, connection, caching, authentication, and security policies.

Common Request Headers

Host — the domain being requested (required in HTTP/1.1)
User-Agent — identifies the browser or client
Accept — content types the client can handle
Authorization — credentials, e.g. Bearer <token>
Content-Type — the format of the request body (e.g. application/json)
Cookie — cookies sent to the server

Common Response Headers

Content-Type — format of the response body
Cache-Control — caching rules (e.g. max-age=86400)
Location — redirect target URL (used with 301/302 status codes)
Set-Cookie — sets a cookie in the browser
Strict-Transport-Security — forces HTTPS for future visits
X-Frame-Options — prevents clickjacking by controlling iframe embedding
Content-Security-Policy — restricts what resources the page can load

Inspect the HTTP headers returned by any URL: Open HTTP Headers Checker →

Frequently Asked Questions

What is Content-Type?

Content-Type tells the recipient what format the body is in — application/json for JSON, text/html for HTML, multipart/form-data for file uploads.

What is CORS and how do headers enable it?

Cross-Origin Resource Sharing (CORS) allows or restricts cross-origin requests. The server controls it with the Access-Control-Allow-Origin response header. Without it, browsers block cross-origin API calls by default.

Related Terms

HTTP Redirects — Use the Location header to send browsers to a new URL.
SSL/TLS — Headers like HSTS enforce HTTPS connections.