Complete Guide to HTTP Headers: Request & Response Explained

Headers are the invisible metadata layer of every web request and response. Here's a complete, practical tour of what they do.

📅 Published July 2026 · ⏳ 10 min read · ✍️ ToolsNovaHub Editorial Team

Every HTTP exchange between a browser and a server carries far more than just the visible page content — a set of headers travel alongside, carrying metadata about caching, content type, authentication, security policy, and connection behavior. Understanding this layer is essential for debugging, performance tuning, and security hardening.

Request vs Response Headers

Request headers are sent by the client (browser, app, or script) to the server, describing what's being requested and providing context — like which content types are accepted, authentication credentials, or the referring page. Response headers are sent back by the server, describing the returned content and instructing the client how to handle it — caching rules, content type, and security policy among them.

General Headers

| Header | Direction | Purpose |
| --- | --- | --- |
| Host | Request | Specifies which domain is being requested (critical for shared hosting/virtual servers) |
| User-Agent | Request | Identifies the client software making the request |
| Date | Response | Timestamp of when the response was generated |
| Connection | Both | Controls whether the underlying TCP connection stays open for reuse |

Entity (Content) Headers

These describe the actual body content being transferred: Content-Type tells the client what kind of data it's receiving (text/html, application/json, image/png), Content-Length gives the byte size, and Content-Encoding indicates compression (like gzip or brotli) applied before transfer. Getting Content-Type wrong is a surprisingly common bug — a JSON API accidentally returning text/html as its content type can cause client-side parsing failures that are confusing to debug.

Security Headers

A specific category deserving separate attention: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, and others instruct the browser to enforce defensive behavior. These are important enough that we cover them in dedicated depth in our Security Headers Explained guide — this article focuses on the broader header landscape beyond just security.

Custom & Non-Standard Headers

Many APIs and services define their own custom headers, conventionally prefixed with X- (though this prefix convention was officially deprecated by RFC 6648 in favor of unprefixed names, it remains extremely common in practice). Examples include rate-limiting headers like X-RateLimit-Remaining, request-tracing headers like X-Request-ID, and CDN-specific headers like Cloudflare's CF-Ray.

How to Inspect Headers Yourself

Browser developer tools (Network tab) show headers for requests your own browser makes, but can't show you what headers a site sends to other visitors or in different contexts. For a quick, no-setup check of any public site's full response headers, use our HTTP Headers Checker, which groups results by category and works from any device without needing developer tools open.
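
The following added example, which is not code from this article or from the HTTP Headers Checker, parses a constructed raw response, groups its headers by the categories used in this article, and flags a Content-Type that contradicts a JSON body, a Content-Length that disagrees with the body size, absent security headers, and Server/X-Powered-By disclosure. The category sets, finding labels and sample response are assumptions of the example.

```python
import json

# Groups follow this article's sections; set membership is this example's assumption.
GENERAL = {"host", "user-agent", "date", "connection"}
ENTITY = {"content-type", "content-length", "content-encoding"}
SECURITY = {"strict-transport-security", "content-security-policy", "x-frame-options"}
DISCLOSURE = {"server", "x-powered-by"}

# Constructed sample response, not captured from a real site.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Date: Wed, 01 Jul 2026 10:00:00 GMT\r\n"
          b"Server: ExampleServer/1.0\r\n"
          b"Content-Type: text/html\r\n"
          b"Content-Length: 40\r\n"
          b"X-Request-ID: constructed-7f3c\r\n"
          b"X-Frame-Options: DENY\r\n"
          b"\r\n" b'{"status": "ok"}')  # JSON body, 16 bytes

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")[1:]  # skip the status line
    return {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in lines)}, body

def categorize(headers):
    """Group header names by the categories used in this article."""
    groups = {"general": [], "entity": [], "security": [], "custom": [], "other": []}
    for name in headers:
        key = ("general" if name in GENERAL else "entity" if name in ENTITY
               else "security" if name in SECURITY
               else "custom" if name.startswith(("x-", "cf-")) else "other")
        groups[key].append(name)
    return groups

def audit(headers, body):
    """Return findings for the header problems this article describes."""
    findings = []
    try:
        is_json = isinstance(json.loads(body), (dict, list))
    except ValueError:
        is_json = False
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if is_json and ctype != "application/json":
        findings.append("content-type-mismatch")
    declared = headers.get("content-length")
    if declared is not None and (not declared.isdigit() or int(declared) != len(body)):
        findings.append("content-length-mismatch")
    findings += ["missing:" + h for h in sorted(SECURITY - set(headers))]
    return findings + ["discloses:" + h for h in sorted(DISCLOSURE & set(headers))]
```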

FAQs

What is the difference between HTTP request and response headers?
Request headers are sent by the client describing what's being requested and providing context; response headers are sent back by the server describing the returned content and how to handle it.

What does the Content-Type header actually control?
It tells the client what kind of data is in the response body — text/html, application/json, image/png, etc. — so the client knows how to parse and render it correctly.

Why is the X- prefix used for custom headers if it's deprecated?
RFC 6648 officially discouraged the X- prefix convention in 2012, but it remains widely used in practice simply out of established habit and backward compatibility across countless existing APIs.

What is the Host header used for?
It specifies which domain is being requested, essential for shared hosting and virtual server setups where one IP address serves multiple domains.

Can I see headers a website sends to other visitors, not just me?
Browser DevTools only shows your own browser's requests. To see what any public site returns generally, use a dedicated tool like our HTTP Headers Checker that performs an independent check.

What is Content-Encoding used for?
It indicates which compression algorithm (like gzip or brotli) was applied to the response body before transfer, letting the client know how to decompress it correctly.

Are security headers different from other HTTP headers?
Not structurally — they're a specific functional category (HSTS, CSP, X-Frame-Options, etc.) focused on instructing browser defensive behavior, covered in depth in our dedicated Security Headers guide.

What happens if Content-Length doesn't match the actual response size?
Behavior varies by client, but mismatches can cause truncated content, hanging connections, or parsing errors — it's a header that should always accurately reflect the actual body size.

What is the User-Agent header used for?
It identifies the client software (browser, app, bot) making the request and is commonly used for analytics, compatibility handling, and bot detection, though it's easily spoofed and shouldn't be relied on for security.

Do all websites send the same set of headers?
No — the specific headers present vary significantly based on server software, CDN, framework, and deliberate configuration choices made by each site's operators.

What is a request-tracing header like X-Request-ID used for?
It assigns a unique identifier to a specific request, useful for correlating logs across multiple services in a distributed system when debugging an issue.

Can headers reveal what technology stack a website uses?
Sometimes — Server and X-Powered-By headers, when present, can reveal the underlying web server software or framework, though many sites deliberately suppress or genericize these for hardening.

Is it normal for headers to differ slightly between requests?
Yes — load balancer routing, CDN edge location, A/B testing, and caching state can all cause minor header variation between individual requests to the same URL.

What tool can I use to see all headers a site returns without opening DevTools?
Our free HTTP Headers Checker performs an independent server-side check and displays the full grouped header set instantly from any device.

Why do APIs commonly include rate-limit headers?
Headers like X-RateLimit-Remaining let API consumers programmatically monitor their usage against limits without needing to guess or hit the limit unexpectedly.