What is the difference between a request and a response header?

Request headers are sent by the client (browser, curl, an API client) to the server and describe the client, the desired content or credentials — for example Accept, Authorization and Host. Response headers are sent back by the server and describe the response or instruct the client — for example Content-Type, Cache-Control and Set-Cookie. Some headers, such as Content-Type and Cache-Control, are used in both directions; this reference marks those as Both.

Which HTTP headers are most important for security?

The core security response headers are Content-Security-Policy (limits where scripts, images and other resources can load from to stop XSS), Strict-Transport-Security (forces HTTPS), X-Content-Type-Options nosniff (stops MIME sniffing), X-Frame-Options (prevents clickjacking via framing), Referrer-Policy (limits referrer leakage) and Permissions-Policy (disables risky browser features). Filter the table by the Security category to see all of them with example values.

How do I set the Content-Type header correctly?

Content-Type declares the media type of the body, for example application/json for a JSON API, text/html for a web page, or multipart/form-data for file uploads. For any text format include the character set, such as Content-Type application/json; charset=utf-8. Sending the wrong Content-Type is a common cause of APIs rejecting a request body or browsers rendering raw JSON as plain text.

What do the CORS Access-Control headers do?

CORS headers let a server opt in to cross-origin requests. Access-Control-Allow-Origin names which origins may read the response, Access-Control-Allow-Methods and Access-Control-Allow-Headers are returned in a preflight to whitelist methods and headers, and Access-Control-Allow-Credentials controls whether cookies and auth are exposed. The browser sends Origin and, for non-simple requests, an OPTIONS preflight first. Filter by the CORS category to see the full set.

Is the Referer header really misspelled?

Yes. The Referer header has been misspelled since the original HTTP specification — the correct English word is referrer. The misspelling was kept for backwards compatibility, so the request header stays Referer. Confusingly, the related response header that controls how much referrer data is sent uses the correct spelling: Referrer-Policy. Both appear in this reference.

Does this tool send my data anywhere?

No. This is a static reference table that runs entirely in your browser. It does not make any network request, send any HTTP request, or inspect a live site — it simply lists and filters a built-in catalogue of standard headers. Nothing you type in the search box leaves your device.

HTTP Headers Reference

A fast, searchable HTTP headers reference covering 50+ of the request and response headers you meet every day building and debugging web apps and APIs. Each entry shows the header’s purpose, a realistic example value, the direction it travels (request, response or both) and a category so you can jump straight to caching, security, CORS or content headers. It is built for developers writing fetch calls, configuring a reverse proxy, hardening a site, or trying to remember exactly how Cache-Control or Set-Cookie is formatted.

How it works

Every header lives in a single in-browser catalogue, sorted alphabetically. The search box matches against the header name, its plain-English purpose and the example value, so typing cache, cors or nosniff narrows the list instantly. Two dropdowns refine further: Direction shows only request or response headers (headers used in both directions always remain visible), and Category filters to one of caching, security, CORS, content, authentication, conditional, negotiation, range, cookies, redirect, connection or other. A counter shows how many of the full set currently match.

Each row carries a coloured Request / Response / Both pill, the category, a one-line purpose, and a copyable example formatted exactly as it appears on the wire. The Copy button places the example on your clipboard so you can paste a correctly-formatted header into curl, a config file or your code with no typos. Because the data ships with the page, there is no network call, no live request to a server, and nothing you type ever leaves your browser.

Example

Suppose you are caching a static asset aggressively and want the exact directive. Search cache, and the reference returns Cache-Control, marked Both, in the Caching category, with the example:

Cache-Control: public, max-age=86400, immutable

Copy it, paste it into your server config, and the asset is cacheable for a day and marked immutable so browsers skip revalidation. Switch the Category dropdown to Security and you instantly see the six headers worth adding to any site — Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and Permissions-Policy — each with a sensible example value ready to copy.

Header	Direction	Category	Example
Authorization	Request	Authentication	`Bearer eyJhbGci...`
Content-Type	Both	Content	`application/json; charset=utf-8`
ETag	Response	Conditional	`"33a64df5..."`
Access-Control-Allow-Origin	Response	CORS	`https://example.com`

Everything is filtered and copied in your browser — no header inspection, no network requests, no tracking.