HTTP Request Headers Generator

How to Use the HTTP Request Headers Generator:

1. Enable Header Categories: Use the toggle switches on each section to turn categories on or off. The tool starts with Authentication and Content-Type enabled by default. Each toggle instantly adds or removes those headers from the output without losing your configuration.

2. Configure Authentication: With the Authentication section enabled, choose your auth style — Bearer Token (JWT or OAuth 2.0), API Key (sends as X-API-Key header), or Basic Auth (username:password pair). Enter your token or credentials in the input field. Basic Auth values are automatically Base64-encoded as required by the HTTP specification.

3. Set Content-Type and Accept: Choose from common content types: JSON (application/json), Form URL-Encoded, Multipart Form, XML, Plain Text, HTML, or Binary. Enable the Accept header checkbox to also include the Accept header, specifying what response format your client expects. The Accept value defaults to the same as Content-Type but can be customized.

4. Configure Cache-Control: Enable the Cache-Control section and choose a caching strategy: No Cache (revalidate every request), No Store (never cache — use for sensitive data), Max Age (cache for N seconds), Private (browser-only, excludes CDN), Public (cache at CDN and browser), or Immutable (for hashed static assets that never change). For time-based strategies, enter the max age in seconds.

5. Add Security Headers: Enable the Security Headers section to include hardened HTTP security headers. Each header has a checkbox with a description — select the ones relevant to your use case. Common selections include X-Content-Type-Options (prevent MIME sniffing), X-Frame-Options (block clickjacking), Strict-Transport-Security (force HTTPS), and Content-Security-Policy. These are typically used in API responses, not requests, but useful for documenting full header sets.

6. Add Custom Headers: Use the Custom Headers section to add any non-standard or proprietary headers your API requires, such as X-Request-ID, X-Correlation-ID, X-Tenant-ID, or X-API-Version. Click "Add Custom Header" to add a key-value row, and the × button to remove any row.

7. Review Generated Headers: The Generated Headers panel on the right shows a color-coded list of all active headers grouped by category (blue for auth, green for content, amber for cache, red for security). This gives a live preview of exactly which headers will be output.

8. Choose Output Format and Copy: Select the format that matches your use case using the format tabs: Raw (plain key: value pairs), JSON (JavaScript object), fetch() (wrapped in a fetch call), cURL (-H flags), or axios (wrapped in an axios call). Click Copy to copy the formatted output to your clipboard.

Common Use Cases:

• API development: Generate consistent auth headers to paste into Postman, Insomnia, or Bruno collections.
• Code snippets: Copy fetch() or axios formatted headers directly into frontend JavaScript code.
• cURL testing: Generate -H flags for terminal-based API testing.
• Documentation: Produce ready-to-paste header tables for API reference docs.
• Security auditing: Verify which security headers your API should require or return.
• Onboarding: Help new team members understand which headers are required for each API call.
• Multiple auth strategies: Quickly switch between Bearer, API Key, and Basic to test different auth flows.

Tips and Best Practices:

• Never expose real API tokens or passwords in shared documentation — use placeholders like YOUR_TOKEN.
• Basic Auth base64-encoding is NOT encryption — always use HTTPS when sending credentials.
• For REST APIs, application/json is the most common Content-Type for both request and response.
• Cache-Control: no-store is the correct directive for sensitive endpoints like login or payment flows.
• Security headers like X-Frame-Options and HSTS are response headers — include them when documenting what your server returns, not what clients send.
• For browser-based apps making cross-origin requests, the Origin header is added automatically by the browser.
• X-Request-ID and X-Correlation-ID custom headers are useful for distributed tracing and log correlation.
• The Immutable cache strategy is best for hashed static assets (CSS, JS with content hash in filename).