June 15, 2026 · 6 min read

HTTP headers explained: the metadata behind every request

Every HTTP request and response carries headers: key-value pairs of metadata that travel alongside the body. The body is what you came for; the headers decide how it is handled. Most caching, security, and content negotiation behavior is controlled entirely through them.

Request headers: what the client wants

When your browser asks for a page, it describes itself and its preferences:

  • Host names the domain, so one server hosting many sites knows which you mean; proxies and load balancers route on it too.
  • User-Agent identifies the browser and OS. It is self-reported and trivially forged, so it is fine for statistics and useless for access decisions.
  • Accept lists the content types the client can handle, letting the server pick a format.
  • Authorization carries credentials, often a bearer token. Anything that can read the request can replay it, which is why it belongs only on HTTPS and should be kept out of logs.
  • Cookie sends back the cookies the server set earlier, subject to the Domain, Path, Secure and SameSite rules attached when they were set.

Response headers: how to handle the result

The server replies with headers that often matter more than the body:

  • Content-Type declares what the body is, like application/json or text/html; charset=utf-8. Get this wrong and the browser misinterprets everything; serve user-supplied content under the wrong type and the browser may render it as HTML.
  • Cache-Control decides caching: how long the response may be stored and by whom. This single header is responsible for most "why am I seeing the old version" confusion, and no-store on authenticated responses is what keeps them out of shared caches.
  • Set-Cookie stores state on the client; its HttpOnly, Secure and SameSite attributes decide whether script can read the cookie and on which requests it is sent back.
  • Location tells the browser where to go on a redirect. If the server builds that value from request input without validating it, the redirect lands wherever the request says.
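To make the two lists above concrete, here is an added example (not code from the original article) that parses a raw HTTP/1.1 request and response from bytes and pulls out the headers just described: the Host, the ranked Accept types, the Authorization scheme, the Cookie pairs, and on the response side the Content-Type media type and charset, the Cache-Control directives, every Set-Cookie line and the Location. Both sample messages are constructed for the example; only the standard library is used.

```python
"""Added example (not the article's code): a minimal HTTP/1.1 message parser
that decodes the request and response headers discussed above."""
from collections import defaultdict

# Constructed sample request, roughly what a browser or curl would send.
REQUEST = (
    b"GET /api/me HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: curl/8.6.0\r\n"
    b"Accept: application/json, text/html;q=0.8\r\n"
    b"Authorization: Bearer eyJ...redacted\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"\r\n"
)

# Constructed sample response: a redirect that also clears two cookies.
RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://example.test/login\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Cache-Control: no-store\r\n"
    b"Set-Cookie: session=; Max-Age=0; Path=/\r\n"
    b"Set-Cookie: flash=expired; Path=/; HttpOnly\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_message(raw: bytes):
    """Return (start_line, headers, body). Header names are case-insensitive,
    so they are lower-cased; repeated headers (Set-Cookie) are kept as a list."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF: headers never ended")
    lines = head.split(b"\r\n")
    headers = defaultdict(list)
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # RFC 9112 forbids whitespace before the colon; reject rather than guess.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.decode("ascii").lower()].append(value.strip().decode("latin-1"))
    return lines[0].decode("ascii"), dict(headers), body


def parse_params(value: str):
    """'text/html; charset=utf-8' -> ('text/html', {'charset': 'utf-8'})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        params[k.strip().lower()] = v.strip().strip('"')
    return parts[0].lower(), params


def cache_directives(value: str):
    """'max-age=60, private' -> {'max-age': '60', 'private': None}."""
    out = {}
    for d in value.split(","):
        k, eq, v = d.strip().partition("=")
        if k:
            out[k.lower()] = v.strip('"') if eq else None
    return out


def describe_request(raw: bytes):
    start, h, _ = parse_message(raw)
    method, target, _version = start.split(" ")
    # Accept: rank media types by q (default 1); the sort is stable, so ties keep wire order.
    accept = [parse_params(t) for t in h.get("accept", [""])[0].split(",") if t.strip()]
    accept.sort(key=lambda mp: float(mp[1].get("q", "1")), reverse=True)
    cookies = dict(c.strip().split("=", 1)
                   for c in h.get("cookie", [""])[0].split(";") if "=" in c)
    return {
        "method": method,
        "target": target,
        "host": h["host"][0],  # mandatory in HTTP/1.1, so a KeyError here is a real defect
        "accept": [media_type for media_type, _ in accept],
        "auth_scheme": h["authorization"][0].split(" ", 1)[0] if "authorization" in h else None,
        "cookies": cookies,
    }


def describe_response(raw: bytes):
    start, h, body = parse_message(raw)
    media_type, params = parse_params(h["content-type"][0]) if "content-type" in h else (None, {})
    return {
        "status": int(start.split(" ", 2)[1]),
        "location": h.get("location", [None])[0],
        "media_type": media_type,
        "charset": params.get("charset"),
        "cache": cache_directives(h["cache-control"][0]) if "cache-control" in h else {},
        "set_cookie": h.get("set-cookie", []),  # one entry per Set-Cookie line
        "body_len": len(body),
    }


if __name__ == "__main__":
    print(describe_request(REQUEST))
    print(describe_response(RESPONSE))
```

Two details matter in practice: header names are folded to lower case because clients and servers may send any case, and Set-Cookie is kept as a list because several of them legitimately appear in one response and joining them with commas corrupts the cookie attributes.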

The security headers worth knowing

A handful of response headers harden a site, and their absence is a common audit finding:

  • Strict-Transport-Security tells the browser to use only HTTPS for this host for the next max-age seconds. Browsers honor it only when it arrives over HTTPS, and a short max-age or a missing includeSubDomains leaves gaps.
  • Content-Security-Policy restricts what scripts and resources may load. It is the strongest browser-side mitigation for cross-site scripting, but as a second line behind proper output encoding, and a policy that allows 'unsafe-inline' scripts gives most of that protection back.
  • X-Content-Type-Options: nosniff stops the browser from guessing content types, so a response labelled text/plain is not sniffed into HTML and executed.
  • Access-Control-Allow-Origin is the CORS header that decides which other origins may read the response. If you have fought a CORS error, this header was the verdict. Unlike the three above, it loosens rather than tightens: a server that reflects whatever Origin it is sent, together with Access-Control-Allow-Credentials: true, lets any site read authenticated responses.
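The checks an auditor actually runs against those four headers, as an added example that is not part of the original article: each function takes the header's values (several, if the header was repeated) and returns findings; audit() combines them. The input shape, a mapping of lower-cased header name to a list of values, is what HTTP client libraries hand back. The two sample responses at the bottom are constructed, one weak and one hardened, and the severity labels are this example's own convention.

```python
"""Added example (not the article's code): audit the security response headers
discussed above. Findings are (severity, header, message) tuples."""

ONE_YEAR = 31536000
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "*", "http:", "https:", "data:"}


def hsts_findings(values, over_https):
    name = "Strict-Transport-Security"
    if not values:
        return [("high", name, "missing: first visits and downgrades stay possible")]
    if not over_https:
        # Browsers ignore HSTS received over plain HTTP, so it protects nothing here.
        return [("info", name, "sent over plain HTTP, where browsers ignore it")]
    directives = {}
    for d in values[0].split(";"):
        k, _, v = d.strip().partition("=")
        directives[k.lower()] = v.strip().strip('"')
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append(("high", name, "max-age missing or not numeric: header is invalid"))
    elif int(max_age) < ONE_YEAR:
        findings.append(("medium", name, f"max-age={max_age} is short; a year or more is usual"))
    if "includesubdomains" not in directives:
        findings.append(("low", name, "no includeSubDomains: subdomains can still be downgraded"))
    return findings


def csp_findings(values):
    name = "Content-Security-Policy"
    if not values:
        return [("high", name, "missing: injected script runs unrestricted")]
    # Several CSP headers are all enforced; checking the first is a floor, not a ceiling.
    policy = {}
    for d in values[0].split(";"):
        parts = d.split()
        if parts:
            policy[parts[0].lower()] = [s.lower() for s in parts[1:]]
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        return [("high", name, "neither script-src nor default-src: scripts unrestricted")]
    weak = WEAK_SCRIPT_SOURCES & set(script)
    # CSP3: a nonce or hash in the directive makes browsers ignore 'unsafe-inline'.
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script):
        weak.discard("'unsafe-inline'")
    if weak:
        return [("high", name, f"script sources {sorted(weak)} let injected script run")]
    return []


def nosniff_findings(values):
    if not values or values[0].strip().lower() != "nosniff":
        return [("medium", "X-Content-Type-Options", "not 'nosniff': MIME sniffing stays on")]
    return []


def cors_findings(headers):
    name = "Access-Control-Allow-Origin"
    acao = headers.get("access-control-allow-origin", [])
    if not acao:
        return []  # no cross-origin reads permitted: nothing to flag
    origin = acao[0].strip()
    creds = headers.get("access-control-allow-credentials", [""])[0].strip().lower() == "true"
    findings = []
    if origin == "*" and creds:
        findings.append(("medium", name, "'*' with credentials: browsers reject the pair; "
                         "check what the server returns for a specific Origin"))
    if origin == "null":
        findings.append(("high", name, "'null' allowed: sandboxed iframes and data: pages carry that origin"))
    if origin not in ("*", "null") and creds:
        findings.append(("info", name, f"credentialed CORS for {origin}: must be an allowlist "
                         "match, never a reflected Origin"))
    return findings


def audit(headers, over_https=True):
    return (hsts_findings(headers.get("strict-transport-security", []), over_https)
            + csp_findings(headers.get("content-security-policy", []))
            + nosniff_findings(headers.get("x-content-type-options", []))
            + cors_findings(headers))


# Constructed sample responses: a weak configuration and a hardened one.
WEAK = {
    "content-type": ["text/html"],
    "strict-transport-security": ["max-age=300"],
    "content-security-policy": ["default-src 'self'; script-src 'self' 'unsafe-inline' https:"],
    "access-control-allow-origin": ["*"],
    "access-control-allow-credentials": ["true"],
}
HARDENED = {
    "content-type": ["text/html; charset=utf-8"],
    "strict-transport-security": ["max-age=63072000; includeSubDomains; preload"],
    "content-security-policy": ["default-src 'none'; script-src 'self' 'nonce-r4nd0m'; "
                                "object-src 'none'; base-uri 'none'"],
    "x-content-type-options": ["nosniff"],
}

if __name__ == "__main__":
    for label, h in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(h) or "no findings")
```

The CORS check deliberately cannot prove the server is safe from one response: an allowlisted origin looks identical to a reflected one until you send a second request with a different Origin header and compare.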

Inspecting them

Headers are invisible in normal browsing but drive everything. When a response misbehaves, reading the actual headers the server sent is usually faster than guessing. The HTTP Headers tool fetches any URL and shows the full set of response headers, so you can confirm caching, content type, and security headers directly. Inspect the redirect hops as well as the final page, and prefer a real GET over HEAD, since some servers answer HEAD with a different header set.
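The same "read what the server actually sent" idea with nothing but the standard library, as an added example that is not the article's tool: a throwaway local server (a constructed stand-in for a real site, serving a redirect that also sets two cookies) and a client that makes one request without following the redirect, so the Location and the Set-Cookie lines of the redirect itself are visible. The second function shows why GET is preferred over HEAD for inspection: this constructed handler, like some real servers, omits Set-Cookie on HEAD.

```python
"""Added example (not the article's code): fetch the headers a server really
sends, against a local constructed server so it runs offline."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed responses: a redirect that drops two cookies on GET, and a
    HEAD answer that leaves Set-Cookie out, as some real servers do."""

    def _common(self):
        self.send_response(302)  # http.server adds Server and Date itself
        self.send_header("Location", "https://example.test/login")
        self.send_header("Cache-Control", "no-store")
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Strict-Transport-Security", "max-age=31536000")
        self.send_header("Content-Length", "0")

    def do_GET(self):
        self._common()
        self.send_header("Set-Cookie", "session=abc; Path=/; HttpOnly; Secure")
        self.send_header("Set-Cookie", "csrf=xyz; Path=/; SameSite=Strict")
        self.end_headers()

    def do_HEAD(self):
        self._common()
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Bind an ephemeral localhost port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_headers(host, port, path="/", method="GET"):
    """One request, redirects NOT followed. Returns (status, [(name, value), ...])
    in wire order; repeated headers such as Set-Cookie stay separate entries."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, headers={"Host": host, "Accept": "*/*"})
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return resp.status, resp.getheaders()
    finally:
        conn.close()


def headers_get_omits_in_head(host, port):
    """Names of headers present on GET but missing on HEAD, lower-cased."""
    _, get_h = fetch_headers(host, port, method="GET")
    _, head_h = fetch_headers(host, port, method="HEAD")
    get_names = {n.lower() for n, _ in get_h}
    head_names = {n.lower() for n, _ in head_h}
    return sorted(get_names - head_names)


if __name__ == "__main__":
    srv = start_server()
    host, port = srv.server_address
    status, headers = fetch_headers(host, port)
    print(status)
    for name, value in headers:
        print(f"{name}: {value}")
    print("GET sends but HEAD omits:", headers_get_omits_in_head(host, port))
    srv.shutdown()
```

Point fetch_headers at a real host and port (and swap HTTPConnection for HTTPSConnection) to do the same against a live site; keep redirects disabled so each hop's headers are inspected separately, and remember that the Strict-Transport-Security line only counts when it came over HTTPS.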