What is the difference between a request and a response header?

Request headers are sent by the client to give the server context (such as Accept or Authorization). Response headers are sent back by the server to describe the response (such as Content-Type or Cache-Control).

Which headers improve security?

Common security headers include Content-Security-Policy, Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, Referrer-Policy and Permissions-Policy.

What do the CORS headers do?

Cross-Origin Resource Sharing headers like Access-Control-Allow-Origin, Access-Control-Allow-Methods and Access-Control-Allow-Headers tell the browser which other origins may read a response, enabling controlled cross-site requests.

What is a preflight request?

For certain cross-origin requests the browser first sends an OPTIONS preflight asking which methods and headers are allowed. The server answers with Access-Control-Allow-* headers before the real request is sent.

What is the difference between Cache-Control and Expires?

Both control caching. Expires gives an absolute date, while Cache-Control gives directives like max-age (seconds), no-cache and private. Cache-Control is newer and takes precedence when both are present.

Is any data sent anywhere?

No — this is a static reference that runs entirely in your browser. Nothing is uploaded.

HTTP Headers Reference

HTTP headers reference

A quick, searchable reference of the HTTP headers you meet most often, split into request, response, security and CORS groups. It is handy for debugging APIs, configuring a server, and hardening a site, with a plain-English meaning and a real example value for each header.

How it works

The reference holds a curated list of common headers grouped by role. Request headers (sent by the client) include Accept, Authorization, User-Agent and Cookie. Response headers (sent by the server) include Content-Type, Cache-Control, Set-Cookie and Location. Security headers include Content-Security-Policy, Strict-Transport-Security, X-Frame-Options and Referrer-Policy. CORS headers cover the Access-Control-* family. Typing in the search box filters all groups at once, matching the header name and its description, so you can search by name or by what it does.

Example

Searching content surfaces content-related headers:

Header	Group	Meaning
`Content-Type`	Response	Media type of the body, e.g. `text/html; charset=utf-8`
`Content-Length`	Response	Size of the body in bytes
`Content-Encoding`	Response	Compression applied, e.g. `gzip`
`Content-Security-Policy`	Security	Restricts which sources may load

Type a header name or what it does — for example cache, cors or authorization — to filter the list. Everything runs in your browser.