A human-friendly guide to understanding the headers your browser sends when making a request.
HTTP headers are small pieces of information sent between your browser and a web server every time you visit a website, click a link, or submit a form. They help describe the request or response—like what kind of browser you're using, where you came from, or what language you prefer.
Headers have been part of the web since the early days of HTTP in the 1990s. While most users never see them, they play a crucial role in how websites function, personalize content, and maintain security.

Accept
What it does: Tells the server what kind of content your browser is willing to receive (like HTML, images, or JSON).
Technical details: MIME type negotiation header defined in RFC 7231. Uses quality values (q-values) to indicate preference order.
Example: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Charset
What it does: Indicates which character encodings the client understands.
Technical details: Character encoding negotiation header, though most modern systems use UTF-8.
Example: utf-8, iso-8859-1;q=0.5

Accept-Encoding
What it does: Indicates what compression formats your browser supports (like gzip or br).
Technical details: Content-Encoding negotiation header. Modern browsers support gzip, deflate, and Brotli (br) compression.
Example: gzip, deflate, br

Accept-Language
What it does: Specifies your preferred language(s) for content (e.g., en-US, fr).
Technical details: Language negotiation header using RFC 3066 language tags with optional quality values.
Example: en-US,en;q=0.9,es;q=0.8

Authorization
What it does: Used to send credentials (like tokens or passwords) to access protected resources.
Technical details: Authentication header supporting Basic, Bearer, Digest, and custom schemes as defined in RFC 7235.
Example: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Cache-Control
What it does: Controls how and when content is cached by the browser or intermediary servers.
Technical details: HTTP/1.1 caching directive header. Supersedes Pragma and Expires headers with more granular control.
Example: no-cache, no-store, must-revalidate

Connection
What it does: Manages whether the connection stays open after the request (e.g., keep-alive).
Technical details: Connection management header. 'keep-alive' enables persistent connections, reducing latency.
Example: keep-alive

Content-Length
What it does: Indicates the size of the request or response body in bytes.
Technical details: Entity header specifying the decimal number of octets in the message body.
Example: 348

Content-Type
What it does: Describes the format of the data being sent (e.g., text/html, application/json).
Technical details: Entity header indicating the media type of the resource. May include charset parameter.
Example: application/json; charset=utf-8

Cookie
What it does: Sends stored cookies from your browser to the server—used for sessions, preferences, etc.
Technical details: HTTP state management header as defined in RFC 6265. Contains name=value pairs.
Example: sessionId=abc123; theme=dark; lang=en

DNT
What it does: Stands for 'Do Not Track'—a privacy preference sent by the browser (not always honored).
Technical details: Privacy preference signal header. Value of '1' indicates do not track preference.
Example: 1

Expect
What it does: Indicates expectations that need to be fulfilled by the server for the request to be handled successfully.
Technical details: Request expectation header, most commonly used with '100-continue' for large uploads.
Example: 100-continue

Host
What it does: Specifies the domain name of the server being requested (especially important for shared hosting).
Technical details: Mandatory header in HTTP/1.1 enabling virtual hosting. Contains hostname and optional port.
Example: example.com:8080

If-Modified-Since
What it does: Makes the request conditional: only send the resource if it has been modified since the specified date.
Technical details: Conditional request header for efficient caching using HTTP date format.
Example: Wed, 21 Oct 2015 07:28:00 GMT

If-None-Match
What it does: Makes the request conditional based on entity tags (ETags) for cache validation.
Technical details: Conditional request header using entity tags for cache revalidation.
Example: "33a64df551425fcc55e4d42a148795d9f25f89d4"

Origin
What it does: Indicates the origin (protocol + domain) of the request, often used in CORS checks.
Technical details: CORS-related header indicating the origin of the cross-origin request for security validation.
Example: https://example.com

Priority
What it does: Indicates the priority and urgency of the request for resource loading optimization.
Technical details: HTTP/3 priority header using structured fields format with urgency (u) and incremental (i) parameters.
Example: u=0, i

Range
What it does: Requests only a specific part of a resource (used for resumable downloads or streaming).
Technical details: Partial content request header enabling efficient large file transfers.
Example: bytes=200-1023

Referer
What it does: Tells the server what page you came from when clicking a link or loading a resource.
Technical details: Referrer information header (note: misspelled in HTTP spec). May be blocked by privacy settings.
Example: https://google.com/search?q=example

Sec-CH-UA
What it does: Provides the browser's brand and version information (Client Hints).
Technical details: User-Agent Client Hint providing structured browser identification data.
Example: "Chrome";v="91", "Chromium";v="91"

Sec-CH-UA-Mobile
What it does: Indicates whether the browser is on a mobile device (Client Hints).
Technical details: User-Agent Client Hint indicating mobile device status as boolean.
Example: ?0

Sec-CH-UA-Platform
What it does: Identifies the operating system platform (Client Hints).
Technical details: User-Agent Client Hint providing platform information.
Example: "Windows"

Sec-Fetch-Dest
What it does: Indicates the destination for the request (document, image, script, etc.).
Technical details: Fetch metadata header helping servers implement security policies by understanding request context.
Example: document

Sec-Fetch-Mode
What it does: Describes the mode of the request (navigate, cors, no-cors, same-origin).
Technical details: Fetch metadata header indicating the request mode for CORS and security policy decisions.
Example: navigate

Sec-Fetch-Site
What it does: Indicates the relationship between the request origin and the target (same-origin, cross-site, etc.).
Technical details: Fetch metadata header helping prevent CSRF attacks by indicating origin relationship.
Example: cross-site

Sec-Fetch-User
What it does: Indicates whether the request was triggered by user activation (clicking a link, etc.).
Technical details: Fetch metadata header present only when request is due to user activation.
Example: ?1
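
How a server can act on the four Sec-Fetch-* headers above, as an added example that is not part of the original page: a small resource isolation policy that rejects cross-site requests unless they are plain top-level navigations. The function name, the cross_site_paths allowlist and the sample requests are assumptions made for illustration.

```python
# Added example, not from the original page: a resource isolation policy
# driven by the Sec-Fetch-* request headers.
SAFE_METHODS = {"GET", "HEAD"}
SAME_PARTY = {"same-origin", "same-site", "none"}  # "none": typed URL, bookmark
EMBED_DESTS = {"object", "embed"}


def allow_request(method, path, headers, cross_site_paths=frozenset()):
    """Decide whether to serve a request; returns (allowed, reason).

    headers uses lower-case names. cross_site_paths is a hypothetical
    allowlist of endpoints the application exposes to other sites on purpose.
    """
    site = headers.get("sec-fetch-site")
    if site is None:
        # Older browsers and non-browser clients send no fetch metadata;
        # other defences (such as an X-CSRF-Token check) must cover them.
        return True, "no fetch metadata"
    if site in SAME_PARTY:
        return True, "same party: " + site
    if path in cross_site_paths:
        return True, "endpoint is public by design"
    if (headers.get("sec-fetch-mode") == "navigate"
            and method in SAFE_METHODS
            and headers.get("sec-fetch-dest") not in EMBED_DESTS):
        return True, "top-level cross-site navigation"
    return False, "cross-site " + headers.get("sec-fetch-mode", "request") + " blocked"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("GET", "/account", {"sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate",
                         "sec-fetch-dest": "document", "sec-fetch-user": "?1"}),
    ("POST", "/account/email", {"sec-fetch-site": "cross-site",
                                "sec-fetch-mode": "navigate", "sec-fetch-dest": "document"}),
    ("GET", "/api/profile", {"sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors",
                             "sec-fetch-dest": "script"}),
    ("POST", "/account/email", {"sec-fetch-site": "same-origin", "sec-fetch-mode": "cors",
                                "sec-fetch-dest": "empty"}),
    ("GET", "/account", {}),
]

if __name__ == "__main__":
    for method, path, hdrs in SAMPLES:
        print(method, path, allow_request(method, path, hdrs))
```

Treating same-site as trusted is a policy choice: it also admits requests from sibling subdomains, so a stricter deployment would accept only same-origin and none.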

Sec-WebSocket-Key
What it does: Used in WebSocket handshake to ensure the server supports WebSocket protocol.
Technical details: WebSocket protocol handshake header containing base64-encoded random value.
Example: dGhlIHNhbXBsZSBub25jZQ==

Sec-WebSocket-Version
What it does: Indicates the WebSocket protocol version the client wants to use.
Technical details: WebSocket protocol version negotiation header.
Example: 13
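
The server side of the handshake that these two headers start, as an added example that is not part of the original page: the server validates the key and version, then proves it speaks WebSocket by returning a Sec-WebSocket-Accept value derived from the key as RFC 6455 specifies. The function name and the lower-case header dictionary are assumptions made for illustration.

```python
# Added example, not from the original page: validating Sec-WebSocket-Key and
# Sec-WebSocket-Version and computing the Sec-WebSocket-Accept reply value.
import base64
import binascii
import hashlib

# Fixed GUID from RFC 6455, appended to the client's key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def websocket_accept(headers):
    """Return the Sec-WebSocket-Accept value for a handshake request.

    headers uses lower-case names. Raises ValueError when the version is not
    13 or the key is not a base64-encoded 16-byte value.
    """
    if headers.get("sec-websocket-version", "").strip() != "13":
        raise ValueError("unsupported Sec-WebSocket-Version")
    key = headers.get("sec-websocket-key", "").strip()
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("Sec-WebSocket-Key is not valid base64")
    if len(raw) != 16:
        raise ValueError("Sec-WebSocket-Key must decode to 16 bytes")
    # SHA-1 is only a protocol check here: it shows the server understood the
    # handshake. It does not authenticate the client or protect the session.
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    # The key is the example value shown in the entry above.
    request = {"sec-websocket-key": "dGhlIHNhbXBsZSBub25jZQ==",
               "sec-websocket-version": "13"}
    print("Sec-WebSocket-Accept:", websocket_accept(request))
```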

TE
What it does: Specifies transfer encodings the client is willing to accept.
Technical details: Transfer-Encoding negotiation header, commonly used for chunked encoding.
Example: trailers, deflate

Upgrade-Insecure-Requests
What it does: Signals that the browser prefers secure (HTTPS) content when available.
Technical details: Client hint indicating preference for encrypted and authenticated responses.
Example: 1

User-Agent
What it does: Identifies your browser, operating system, and device to the server.
Technical details: Client identification string containing browser engine, version, and platform information.
Example: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36...

X-CSRF-Token
What it does: Contains a token to prevent Cross-Site Request Forgery attacks.
Technical details: Security header containing anti-CSRF token for state-changing requests.
Example: abc123def456ghi789

X-Forwarded-For
What it does: Used by proxies to pass along the original IP address of the client.
Technical details: De facto standard header for identifying originating IP through proxy chains.
Example: 192.168.1.1, 10.0.0.1
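
Because any client can send its own X-Forwarded-For value, a server should only believe the entries appended by proxies it operates. The following added example (not part of the original page) walks the chain from the right and stops at the first address that is not a trusted proxy; the function name, the trusted network 10.0.0.0/8 and the sample addresses are assumptions made for illustration.

```python
# Added example, not from the original page: choosing the client address from
# an X-Forwarded-For chain without trusting entries the client could forge.
import ipaddress


def client_ip(peer_addr, xff_values, trusted_proxies):
    """Return the address to treat as the client.

    peer_addr: IP of the TCP peer that connected to this server.
    xff_values: every X-Forwarded-For header value on the request, in order.
    trusted_proxies: CIDR ranges of proxies operated by the site (assumed).
    """
    trusted = [ipaddress.ip_network(net) for net in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer):
        # The request did not arrive through our proxies, so the header is
        # entirely client-controlled and is ignored.
        return str(peer)

    hops = [h.strip() for value in xff_values for h in value.split(",") if h.strip()]
    client = peer
    # Each proxy appends the address it saw, so the right-most entries are the
    # ones written by our own infrastructure.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing to its left can be relied on
        client = ip
        if not is_trusted(ip):
            break  # first address that is not one of our proxies
    return str(client)


if __name__ == "__main__":
    nets = ["10.0.0.0/8"]
    # Constructed samples. The first is the example value from the entry above.
    print(client_ip("10.0.0.2", ["192.168.1.1, 10.0.0.1"], nets))
    # A client at 203.0.113.7 sent its own "X-Forwarded-For: 198.51.100.9".
    print(client_ip("10.0.0.2", ["198.51.100.9, 203.0.113.7"], nets))
```

Taking the left-most entry instead would return 198.51.100.9 in the second sample, an address chosen by the client, which is why the left-most value is unsuitable for rate limiting, access control or audit logs.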

X-Forwarded-Host
What it does: Contains the original host requested by the client in the Host header.
Technical details: Proxy header preserving original Host header value through proxy chains.
Example: example.com

X-Forwarded-Proto
What it does: Indicates the protocol (HTTP or HTTPS) used by the client to connect to the proxy.
Technical details: Proxy header indicating original protocol, important for proper redirect handling.
Example: https

X-Https
What it does: Indicates that the original request was made over HTTPS, often added by reverse proxies.
Technical details: Non-standard header used by some proxies and load balancers to indicate HTTPS termination.
Example: 1

X-Real-IP
What it does: Alternative to X-Forwarded-For, contains the real IP address of the client.
Technical details: Nginx-style header for passing real client IP address through reverse proxies.
Example: 192.168.1.100

X-Requested-With
What it does: Often used to identify AJAX requests (e.g., XMLHttpRequest).
Technical details: Non-standard header commonly used to distinguish AJAX requests from regular navigation.
Example: XMLHttpRequest