Complete Guide to HTTP Headers: Request & Response Explained
Headers are the invisible metadata layer of every web request and response. Here's a complete, practical tour of what they do.
Request vs Response Headers
Request headers are sent by the client (browser, app, or script) to the server, describing what's being requested and providing context — like which content types are accepted, authentication credentials, or the referring page. Response headers are sent back by the server, describing the returned content and instructing the client how to handle it — caching rules, content type, and security policy among them.
General Headers
| Header | Direction | Purpose |
|---|---|---|
| Host | Request | Specifies which domain is being requested (critical for shared hosting/virtual servers) |
| User-Agent | Request | Identifies the client software making the request |
| Date | Response | Timestamp of when the response was generated |
| Connection | Both | Controls whether the underlying TCP connection stays open for reuse |
Entity (Content) Headers
These describe the actual body content being transferred: Content-Type tells the client what kind of data it's receiving (text/html, application/json, image/png), Content-Length gives the byte size, and Content-Encoding indicates compression (like gzip or brotli) applied before transfer. Getting Content-Type wrong is a surprisingly common bug — a JSON API accidentally returning text/html as its content type can cause client-side parsing failures that are confusing to debug.
Security Headers
A specific category deserving separate attention: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and others instruct the browser to enforce defensive behavior. These are important enough that we cover them in dedicated depth in our Security Headers Explained guide — this article focuses on the broader header landscape beyond just security.
Custom & Non-Standard Headers
Many APIs and services define their own custom headers, conventionally prefixed with X-. RFC 6648 officially deprecated this prefix convention in favor of unprefixed names, but it remains extremely common in practice. Examples include rate-limiting headers like X-RateLimit-Remaining, request-tracing headers like X-Request-ID, and CDN-specific headers like Cloudflare's CF-Ray.
How to Inspect Headers Yourself
Browser developer tools (Network tab) show headers for requests your own browser makes, but can't show you what headers a site sends to other visitors or in different contexts. For a quick, no-setup check of any public site's full response headers, use our HTTP Headers Checker, which groups results by category and works from any device without needing developer tools open.
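To apply this article's categories to a response you have captured yourself, the following Python sketch (an added example, not part of the original guide or of any tool it mentions) parses a raw HTTP/1.1 response, groups header names by section, and flags the JSON-served-as-text/html mismatch described under Entity (Content) Headers. The sample response, the category sets and all function names are assumptions constructed for illustration.

```python
import json

KNOWN = {  # groups mirror this article's sections; the membership sets are assumptions
    "general": {"host", "user-agent", "date", "connection"},
    "entity": {"content-type", "content-length", "content-encoding"},
    "security": {"strict-transport-security", "content-security-policy", "x-frame-options"},
}
VENDOR = {"cf-ray"}  # custom headers that do not use the X- prefix

# Constructed sample: a JSON API that mislabels its body as text/html.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
          b"Content-Type: text/html; charset=utf-8\r\n"
          b"X-Frame-Options: DENY\r\n"
          b"X-Request-ID: constructed-id\r\n"
          b"CF-Ray: constructed-ray\r\n"
          b"\r\n"
          b'{"status":"ok"}')

def parse_response(raw):
    """Split a raw HTTP/1.1 response into ([(name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")[1:]  # drop the status line
    pairs = (line.partition(":") for line in lines)
    return [(n.strip(), v.strip()) for n, sep, v in pairs if sep], body

def category_of(name):
    """Known names win over the X- prefix, so X-Frame-Options is 'security'."""
    key = name.lower()
    for group, members in KNOWN.items():
        if key in members:
            return group
    return "custom" if key.startswith("x-") or key in VENDOR else "other"

def categorize(headers):
    """Group header names by category, keeping wire order within each group."""
    groups = {}
    for name, _ in headers:
        groups.setdefault(category_of(name), []).append(name)
    return groups

def json_mislabelled(headers, body):
    """True when the body is a JSON object/array but Content-Type is not JSON."""
    ctype = next((v for n, v in headers if n.lower() == "content-type"), "")
    media = ctype.split(";")[0].strip().lower()
    try:
        parsed = json.loads(body)
    except ValueError:
        return False
    return isinstance(parsed, (dict, list)) and not media.endswith(("/json", "+json"))
```

A compressed body (Content-Encoding set) must be decoded before `json_mislabelled` can inspect it; as written, such a body simply fails to parse and is not flagged.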