Skip to main content
HTTP headers are metadata exchanged between a client (e.g., your browser) and a web server. Much like the information on an envelope, headers indicate how to process the payload and which instructions to follow.

Request–Response Flow

When you navigate to a website:
  1. Your browser sends an HTTP request with request headers describing the desired resource.
  2. The server processes the request and replies with an HTTP response, including response headers that describe the returned content.
The image illustrates the concept of HTTP headers, showing a computer sending a request to a server and receiving a response, with questions about website name, request origin, device/software, content type, and caching duration.

Anatomy of an HTTP Header

Each header line follows the format Key: Value. For example: 
GET / HTTP/2
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT) Firefox/103.0
Accept: text/html
Accept-Language: en-US
Connection: keep-alive
Cache-Control: no-cache
  • Host: Specifies the target domain (example.com).
  • User-Agent: Provides details about the client software.
  • Accept: Indicates which content types the client can process.
  • Cache-Control: Instructs caching behavior.
In HTTP/2, pseudo-headers (like :method, :path) precede regular headers and always start with :.

Types of HTTP Headers

HTTP headers are grouped by their roles. Below is a visual overview followed by a summary table.
The image lists types of HTTP headers, categorized into "General Headers" and "Request/Response Headers," which include security, authentication, caching, CORS, proxy, and custom headers.
Header CategoryPurposeCommon Example
GeneralUsed in both requests and responsesConnection, Cache-Control
RequestSent by clients to serversUser-Agent, Accept
ResponseSent by servers back to clientsContent-Type, Server
SecurityMitigate web vulnerabilitiesContent-Security-Policy
AuthenticationVerify client identityAuthorization
CachingControl resource cachingExpires, ETag
CORSEnable cross-origin resource sharingAccess-Control-Allow-Origin
ProxyConvey client info through proxiesX-Forwarded-For, X-Real-IP
CustomApplication-specific metadataX-Custom-Header

General Headers

General headers carry metadata applicable to both requests and responses, such as connection management and caching directives.
The image shows a section of general headers for a web request, including details like the request URL, method, status code, remote address, and referrer policy.

Request Headers

Clients send these headers to the server: 
:authority: kodekloud.com
:method: GET
:path: /
:scheme: https
Accept: text/html,application/xhtml+xml
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: max-age=0
Cookie: session=abcd1234
Referer: https://www.google.com/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)
  • Accept: Media types the client prefers.
  • User-Agent: Browser and OS identification.
  • Accept-Language: Preferred languages.
  • Cookie: Session data stored by the browser.

Response Headers

Servers include these headers in replies: 
Age: 387887
Cache-Control: max-age=3600
Content-Encoding: br
Content-Type: text/html
Date: Fri, 17 Jan 2025 18:44:46 GMT
Server: cloudflare
Vary: Accept-Encoding
X-Cache: HIT
  • Content-Type: Media type of the response body.
  • Cache-Control: Caching policy instructions.
  • Server: Server software identifier.
  • X-Cache: Indicates cache hits or misses.

Security Headers

Security headers guard against common web threats like XSS, clickjacking, and mixed-content issues. 
alt-svc: clear
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-encoding: gzip
content-security-policy:
  script-src 'nonce-6tCRsH62nR2cX-vHxm5A' 'strict-dynamic'
  https: 'unsafe-eval'; object-src 'none'; base-uri 'self';
  report-uri https://mail.google.com/mail/cspreport
content-type: text/html; charset=utf-8
strict-transport-security: max-age=1088400; includeSubDomains
x-frame-options: SAMEORIGIN
x-xss-protection: 0
Improperly configured security headers can break site functionality or leave vulnerabilities. Always test in staging before deploying.
The image shows a screenshot of HTTP response headers from a GET request to a Gmail URL, including details like status, content type, and security policies. Some headers are highlighted, such as strict-transport-security and x-frame-options.

Authentication Headers

Authenticate requests using credentials or tokens: 
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
  • Basic: Base64-encoded username:password.
  • Bearer: Token-based (e.g., OAuth 2.0, JWT).

Caching Headers

Manage how clients and proxies cache responses: 
Cache-Control: max-age=0, must-revalidate
Expires: Wed, 21 Oct 2025 07:28:00 GMT
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
X-Cache: Miss from cloudfront
  • Cache-Control: Fine-grained caching instructions.
  • Expires: Absolute expiry date/time.
  • ETag: Entity tag for version validation.

CORS Headers

Enable controlled cross-origin requests to protect resources:
The image illustrates how CORS headers control resource requests from different domains, showing data retrieval and inclusion of CORS headers to restrict external website access for data protection.
Access-Control-Allow-Origin: https://petexchangehk-frontend.vercel.app
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: content-type, authorization
Access-Control-Allow-Credentials: true
Browsers enforce CORS; servers must explicitly allow desired origins and methods.

Proxy Headers

When requests pass through load balancers or reverse proxies, these headers preserve client information: 
Host: web:8001
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64)
X-Forwarded-For: 192.168.122.4
X-Forwarded-Host: web.domain.com
X-Forwarded-Proto: https
X-Forwarded-Server: 172.19.0.5
X-Real-IP: 192.168.122.4
  • X-Forwarded-For: Original client IP through multiple proxies.
  • X-Forwarded-Host: Original Host header.
  • X-Forwarded-Proto: Protocol used by the client.
  • X-Real-IP: Direct client IP (single proxy scenario).

Custom Headers

Define your own headers for feature flags, tracing, or legacy integrations: 
GET /api HTTP/1.1
Host: example.com
User-Agent: curl/8.1.2
Accept: */*
X-Custom-Header1: Value1
Custom headers must begin with X- (for legacy) or a vendor namespace.

Nginx Built-in Variables

Nginx uses $-prefixed variables to access request and server data dynamically.
The image lists Nginx built-in variables with descriptions, such as $remote_addr for the client's IP address and $request_uri for the full request including arguments.
Common variables:
  • $remote_addr: Client IP address
  • $host: Host header value
  • $scheme: Protocol (http or https)
  • $request_uri: Full request URI including query string
The image lists Nginx built-in variables with descriptions, such as $http_referer, $status, and $host, explaining their functions in web server requests.
Combine variables to reconstruct the full URL: 
$scheme://$host$request_uri

Example Nginx Configuration

Below is a sample Nginx server block that sets security headers and proxies traffic to an upstream backend: 
server {
    listen       80;
    server_name  honda.cars.com;

    root   /var/www/honda.cars.com/html;
    index  index.html;

    # Security response headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header Content-Security-Policy "default-src 'self'";
    add_header Referrer-Policy "origin";

    location / {
        # Preserve original client headers
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass         http://backend_upstream;
    }
}
  • add_header: Appends headers to outbound responses.
  • proxy_set_header: Customizes headers sent to upstream servers.

Watch Video