HTTP Headers Explained for Developers and DevOps
HTTP headers are key-value pairs sent alongside every request and response. They control caching, authentication, content negotiation, browser security policies, and how load balancers and CDNs route traffic — making them essential knowledge for debugging APIs and deploying production services.
TL;DR
- • HTTP headers are metadata attached to every request and response — they are not part of the body.
- • Request headers describe the client, what it accepts, and how to authenticate.
- • Response headers describe the server's reply: content type, caching rules, security policies, redirects.
- • Missing or incorrect headers cause the most common API debugging headaches: CORS failures, cache misses, auth errors.
- • Security headers (CSP, HSTS, X-Frame-Options) must be set explicitly — they are not added automatically.
- • Use the HTTP Header Analyzer to parse and audit any raw header block in your browser.
What HTTP Headers Are
Every HTTP request and response consists of two parts: a header section and an optional body. Headers are newline-delimited key-value pairs sent before the body. They instruct the client and server how to handle the exchange — without being part of the content itself.
Headers follow the format Header-Name: value. Names are case-insensitive. Multiple headers with the same name are valid in HTTP/1.1 (treated as a comma-separated list for most headers, but handled differently for Set-Cookie).
Request headers are sent by the client (browser, API consumer, CLI tool) to the server. They carry authentication credentials, describe what content formats are acceptable, specify the target host, and provide browser/device information.
Response headers are sent by the server back to the client. They describe the content being returned, set caching rules, instruct the browser to apply security policies, redirect to another URL, or set cookies for subsequent requests.
Example HTTP request (simplified):
GET /api/users HTTP/1.1 Host: api.example.com Authorization: Bearer eyJhbGciOiJIUzI1NiJ9... Accept: application/json User-Agent: Mozilla/5.0 (compatible; MyApp/1.0) Content-Type: application/json
Example HTTP response (simplified):
HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 Cache-Control: no-store Strict-Transport-Security: max-age=31536000; includeSubDomains X-Frame-Options: DENY Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict
Common Request Headers
The most important request headers to understand when debugging APIs and HTTP traffic:
| Header | Purpose | Example Value |
|---|---|---|
| Authorization | Carries authentication credentials (Bearer token, Basic auth, API key) | Bearer eyJhbGci... |
| Host | Required in HTTP/1.1 — specifies the target domain (used by virtual hosting and load balancers) | api.example.com |
| User-Agent | Identifies the client software making the request — browser, bot, or app | Mozilla/5.0 (Windows NT 10.0) |
| Accept | Tells the server what response formats the client can handle | application/json, text/html;q=0.9 |
| Content-Type | Describes the format of the request body — required for POST/PUT | application/json; charset=utf-8 |
| Cookie | Sends stored cookies back to the server for session management | session=abc123; pref=dark |
| Origin | Used in CORS — identifies where the request originated | https://app.example.com |
| Referer | The URL of the page that initiated the request (misspelled by design in the HTTP spec) | https://example.com/page |
| If-None-Match | Conditional GET — sends an ETag; server returns 304 if resource unchanged | "33a64df551..." |
| If-Modified-Since | Conditional GET — sends date; server returns 304 if resource unchanged | Wed, 01 Jan 2025 00:00:00 GMT |
Common Response Headers
Response headers sent by the server control how the client (and intermediate proxies) handles the response:
| Header | Purpose | Example Value |
|---|---|---|
| Content-Type | Indicates the media type and encoding of the response body | application/json; charset=utf-8 |
| Cache-Control | Directives for caching: max-age, no-store, private, public, stale-while-revalidate | public, max-age=86400 |
| Location | Used with 3xx redirects — the URL the client should navigate to | https://example.com/new-path |
| Set-Cookie | Sets one cookie per header — multiple headers are allowed | session=abc; HttpOnly; Secure; SameSite=Lax |
| ETag | A fingerprint of the response — used with If-None-Match for conditional requests | "33a64df551..." |
| Vary | Tells caches which request headers affect the response (e.g. Accept-Encoding) | Accept-Encoding, Accept-Language |
| Server | Identifies the server software — often suppressed in production for security | nginx/1.25.0 |
| Access-Control-Allow-Origin | CORS header — specifies allowed origins for cross-origin requests | https://app.example.com |
| Content-Security-Policy | Restricts what resources the browser can load — the most important security header | default-src 'self' |
| Strict-Transport-Security | Tells browsers to use HTTPS only for a period of time (HSTS) | max-age=31536000; includeSubDomains |
Why Headers Matter in DevOps
Debugging APIs
When an API call fails or returns unexpected data, the first step is always to inspect the raw headers. A 401 Unauthorized means the Authorization header is missing, malformed, or expired. A 415 Unsupported Media Type means the Content-Type header is wrong or absent on a POST request. Use HTTP Header Analyzer to parse headers copied from browser DevTools or curl output.
CDN Caching
CDNs like Cloudflare, Fastly, and CloudFront cache responses based on the Cache-Control and Vary headers. If Cache-Control: no-store is set, the CDN never caches the response. If it is missing, the CDN may cache responses indefinitely. The Vary: Accept-Encoding header ensures separate cache entries for compressed and uncompressed responses.
Authentication and Sessions
Every authentication mechanism flows through headers. Bearer tokens arrive in Authorization: Bearer <token>. Session cookies set via Set-Cookie are returned by the browser on every subsequent request in the Cookie header. API keys are commonly passed in X-API-Key or as part of Authorization.
Browser Security Policies
Security headers apply policies that the browser enforces on behalf of the server. These must be explicitly set — they are never applied by default:
- •
Content-Security-Policy— restricts sources for scripts, images, fonts, and frames (prevents XSS) - •
Strict-Transport-Security— forces HTTPS for future visits within the max-age window (HSTS) - •
X-Frame-Options— prevents your page from being loaded in an iframe (clickjacking protection) - •
X-Content-Type-Options: nosniff— prevents MIME-type sniffing on script and stylesheet responses - •
Permissions-Policy— controls access to browser APIs (camera, geolocation, clipboard)
Load Balancers and Reverse Proxies
Load balancers and reverse proxies inspect and modify headers to route traffic and forward client information downstream. The X-Forwarded-For header carries the original client IP address through a chain of proxies. X-Forwarded-Proto preserves whether the original request was HTTP or HTTPS. Without these headers, your application server cannot see the real client IP — it only sees the proxy's IP. See Reverse Proxy vs Load Balancer for how these roles differ.
Common Header Problems
Browser blocks cross-origin requests when Access-Control-Allow-Origin is absent. The request reaches the server and returns a response — but the browser refuses to deliver it to the script.
Fix: set Access-Control-Allow-Origin: https://yourapp.com (or * for public APIs).
Sending JSON without Content-Type: application/json causes the server to reject the body or parse it incorrectly. Form submissions require application/x-www-form-urlencoded.
Fix: always set Content-Type explicitly on requests with a body.
Setting Cache-Control: max-age=86400 on a login page causes browsers to show a cached version instead of the current one. Missing Vary on content-negotiated responses causes the wrong variant to be served from cache.
Fix: use no-store for sensitive pages; add Vary for negotiated responses.
Multiple Content-Type headers (from both the origin server and a proxy adding its own) cause undefined behaviour. Set-Cookie is the only header that intentionally appears multiple times.
Fix: audit header output at each layer — origin, proxy, CDN — to detect duplicates.
Debugging Workflows
API Request Debugging
- Open browser DevTools → Network tab → click the failing request.
- Copy the request headers. Paste into HTTP Header Analyzer to categorize and audit them.
- Check
Authorization— is the token present? Has it expired? - Check
Content-Typeon POST/PUT — does it match what the server expects? - Check the response
Access-Control-Allow-Origin— does it match your origin?
Inspecting Cookies from Headers
Copy the raw Cookie or Set-Cookie header value and paste it into the Cookie Parser to see each name-value pair decoded, with duplicate and encoding detection.
Checking User-Agent Strings
When server-side logic branches on the User-Agent header (bot detection, device-specific responses), paste the header value into the User Agent Parser to decode browser, OS, device, and bot status.
Query String and URL Debugging
When URL-encoded query parameters arrive garbled or truncated, copy the full URL or query string into the Query String Parser to see each parameter decoded, with duplicate and encoding detection.
Typical API debugging workflow
Try the Tools
All tools run entirely in your browser. No header data is uploaded. Browse all DevOps tools →
Frequently Asked Questions
Related Reading
DevOps Configuration & Deployment Basics
Full guide covering YAML, DNS, SSL, cron schedules, HTTP headers, and validation workflows.
HTTP vs HTTPS: What's the Difference?
How TLS wraps HTTP, what HTTPS protects, and migration trade-offs.
Reverse Proxy vs Load Balancer
How reverse proxies and load balancers differ in purpose, layer, and header manipulation.
DevOps & Infrastructure Tools
Browse all browser-based DevOps tools: DNS, SSL, YAML, cron, HTTP, and more.