What Are HTTP Headers?
HTTP headers are key-value pairs sent at the beginning of every HTTP request and response. They carry metadata about the connection, the content, caching behavior, security policies, and authentication, all invisible to normal users but critical to how the web works. Inspect the headers any website sends to your browser with our HTTP headers checker.
Common Request Headers
| Header | Purpose | Example Value |
|---|---|---|
| Host | Specifies the domain being requested (required in HTTP/1.1) | Host: example.com |
| User-Agent | Identifies the browser, OS, and version | Mozilla/5.0 (Windows NT 10.0; Win64; x64)... |
| Accept | Content types the client can handle | text/html, application/json |
| Accept-Language | Preferred language for the response | en-US,en;q=0.9 |
| Referer | URL of the page that linked to this resource | https://google.com/search?q=... |
| Cookie | Sends stored cookies to the server | session_id=abc123; theme=dark |
| Authorization | Sends credentials for HTTP authentication | Bearer eyJhbGci... |
| X-Forwarded-For | Passes client IP through proxies and load balancers | 203.0.113.5, 10.0.0.1 |
Important Security Response Headers
| Header | Purpose | Recommended Value |
|---|---|---|
| Strict-Transport-Security | Forces HTTPS for future visits (HSTS) | max-age=31536000; includeSubDomains |
| Content-Security-Policy | Controls which resources the browser may load (blocks XSS) | default-src 'self'; script-src 'self' |
| X-Content-Type-Options | Prevents MIME-type sniffing | nosniff |
| X-Frame-Options | Prevents clickjacking via iframes | DENY or SAMEORIGIN |
| Referrer-Policy | Controls how much referrer info is sent | strict-origin-when-cross-origin |
| Permissions-Policy | Controls access to browser APIs (camera, microphone, etc.) | geolocation=(), camera=() |
How Headers Relate to Privacy
- The User-Agent header reveals your browser, OS version, and architecture, a significant fingerprinting signal.
- The Referer header can leak sensitive URLs (including search queries or internal paths) to third-party resources.
- X-Forwarded-For headers added by proxies and VPNs can reveal your original IP to the destination server if the proxy is misconfigured; run our VPN leak test to verify yours doesn't.
- The Accept-Language header reveals your preferred language, a small but contributing fingerprinting attribute.
How to View HTTP Headers Yourself
| Step | Action |
|---|---|
| 1 | Run any domain through the HTTP headers checker to see exactly what its server sends, including which security headers are missing |
| 2 | In your browser, press F12 (or Cmd+Option+I on Mac) to open DevTools, select the Network tab, and reload the page |
| 3 | Click the first request in the list; the Headers panel shows request headers (what your browser revealed) and response headers (what the server replied) |
| 4 | From a terminal, curl -I https://example.com prints response headers only; add -v to see both directions of the exchange |
HTTP/2 and HTTP/3 changed the format, not the idea
In modern HTTP versions, headers are binary-compressed (HPACK/QPACK) rather than sent as readable text lines, and the old request line became pseudo-headers like :method, :path and :authority. DevTools displays them in the familiar key-value form regardless, so everything in this article applies unchanged. Header names are case-insensitive by specification, which is why you'll see content-type and Content-Type used interchangeably.
Caching and Content Negotiation Headers
Beyond security and identity, headers run the web's performance machinery:
| Header | Purpose | Example Value |
|---|---|---|
| Cache-Control | How long browsers and CDNs may reuse the response | max-age=3600, public |
| ETag | Version fingerprint; lets the browser ask "has this changed?" | "33a64df5" |
| Content-Type | Declares the media type of the body | text/html; charset=utf-8 |
| Content-Encoding | Compression applied to the body | gzip, br (Brotli) |
| Vary | Which request headers change the response (cache correctness) | Accept-Encoding, Accept-Language |
| Location | Where a 301/302 redirect points | https://www.example.com/ |
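The caching headers in the table above interact in ways that are easy to get wrong, so here is an added worked example (not code from this site) of the two decisions a shared cache makes: which request headers Vary folds into the cache key, and whether an ETag match lets the server answer 304 instead of resending the body. The sample URL, the two request header sets and the helper names are constructed for illustration.

```python
"""Cache key construction (Vary) and conditional requests (ETag), as a toy
shared cache would do them. Constructed example; the sample requests below
are made up and the helper names are not from any real library.
"""
from typing import Dict, Optional, Tuple


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'max-age=3600, public' -> {'max-age': '3600', 'public': None}."""
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        name, _, arg = token.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') if arg else None
    return directives


def shared_cache_may_store(cache_control: str) -> bool:
    """A CDN or proxy may keep the response only if nothing forbids it."""
    cc = parse_cache_control(cache_control)
    if "no-store" in cc or "private" in cc:
        return False
    return any(d in cc for d in ("public", "max-age", "s-maxage"))


def cache_key(url: str, request_headers: Dict[str, str], vary: str) -> Optional[Tuple]:
    """Key = URL plus the value of every request header named in Vary.

    Header names are case-insensitive, so everything is lower-cased first.
    Headers not listed in Vary (for example Cookie) deliberately do not
    affect the key, which is why Vary must be right before a cache is allowed
    to store a personalised page. Returns None for 'Vary: *', which means the
    response can never be reused for another request.
    """
    if vary.strip() == "*":
        return None
    req = {k.lower(): v for k, v in request_headers.items()}
    names = [n.strip().lower() for n in vary.split(",") if n.strip()]
    return (url,) + tuple((n, req.get(n, "")) for n in names)


def _strong_tag(tag: str) -> str:
    """Drop the W/ weak-validator prefix so W/"x" and "x" compare equal."""
    tag = tag.strip()
    return tag[2:] if tag.startswith("W/") else tag


def conditional_status(current_etag: str, if_none_match: Optional[str]) -> int:
    """200 if the body must be resent, 304 if the client's copy is still current."""
    if not if_none_match:
        return 200
    if if_none_match.strip() == "*":
        return 304
    # If-None-Match may carry several tags; weak comparison is enough for a GET.
    offered = {_strong_tag(t) for t in if_none_match.split(",")}
    return 304 if _strong_tag(current_etag) in offered else 200


# Constructed sample: two clients fetch the same URL with different languages.
URL = "https://example.com/"
VARY = "Accept-Encoding, Accept-Language"
ALICE = {"Accept-Encoding": "gzip, br", "Accept-Language": "en-US,en;q=0.9",
         "Cookie": "session_id=abc123"}
BOB = {"accept-encoding": "gzip, br", "accept-language": "de-DE,de;q=0.9",
       "cookie": "session_id=xyz789"}

if __name__ == "__main__":
    print(cache_key(URL, ALICE, VARY))
    print(cache_key(URL, BOB, VARY))
    print(conditional_status('"33a64df5"', 'W/"33a64df5"'))
```

Two requests that differ only in Cookie produce the same key because Cookie is not in Vary; that is correct for a public page and a leak for a personalised one, which is exactly the case where Cache-Control: private (or no-store) has to be set instead.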
Headers that carry your IP
When traffic passes through proxies, load balancers, or CDNs, the original client IP would be lost, so intermediaries append it to X-Forwarded-For, the standardised Forwarded header (RFC 7239), or vendor headers like CF-Connecting-IP. This is how a site behind Cloudflare still knows your public IP, and how a misconfigured anonymising proxy can leak the address it was supposed to hide.
What This Means for You
Headers are where your browser quietly negotiates on your behalf, and both sides of that negotiation deserve an occasional audit. On the sending side, your User-Agent, languages, and cookies travel with every request, the raw material of fingerprinting (see the user agent FAQ for what yours says). On the receiving side, the security headers a site sends, or fails to send, are a fair proxy for how seriously it takes security: a banking site missing HSTS and CSP is telling you something. Five minutes with the headers checker turns that invisible layer into something you can actually read.
Frequently Asked Questions
Can websites see my IP address in the HTTP headers?
Your IP isn't in the headers you send; it comes from the TCP connection itself. Headers like X-Forwarded-For are added by intermediaries (CDNs, load balancers, proxies) so the origin server still learns the client IP after the connection has been terminated and re-opened by the middlebox.
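The "Headers that carry your IP" section above and this answer describe the same mechanism, so here is one added example (not code from this site) of how an origin server should recover the client address from X-Forwarded-For or Forwarded: it starts from the TCP peer it actually knows and only believes hops appended by proxies it trusts, because everything further left was supplied by the client. The trusted proxy ranges, the sample connections and the function names are all constructed assumptions.

```python
"""Recover the client IP behind known proxies without trusting forged hops.

Constructed example: TRUSTED_PROXIES and every sample address below are made
up (documentation and private ranges), and the helpers are not from any real
framework.
"""
import ipaddress
from typing import List, Optional

# Assumed: only these networks hold proxies that are allowed to append hops.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("198.51.100.0/24"),
]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside one of our proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # "unknown", obfuscated tokens, garbage
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def parse_forwarded(value: str) -> List[str]:
    """Extract the for= targets of an RFC 7239 Forwarded header, in order."""
    hops = []
    for element in value.split(","):
        for pair in element.split(";"):
            name, _, raw = pair.strip().partition("=")
            if name.strip().lower() != "for":
                continue
            raw = raw.strip().strip('"')
            if raw.startswith("["):          # "[2001:db8::1]:4711" -> 2001:db8::1
                raw = raw[1:raw.index("]")]
            elif raw.count(":") == 1:        # "203.0.113.5:4711" -> 203.0.113.5
                raw = raw.split(":")[0]
            hops.append(raw)
    return hops


def leftmost_hop(xff: str) -> str:
    """The naive reading: whatever is first in X-Forwarded-For.

    Shown only for contrast: the leftmost value is whatever the client chose
    to send, so it must never be used for access control or logging.
    """
    return xff.split(",")[0].strip()


def client_ip(remote_addr: str, xff: Optional[str] = None,
              forwarded: Optional[str] = None) -> str:
    """Walk the hop list from the right, stepping past proxies we trust.

    remote_addr is the TCP peer, the one address the server really knows.
    Each trusted proxy is assumed to have appended the address it saw, so the
    first untrusted address reading right-to-left is the real client. A header
    arriving over a connection from an untrusted peer is ignored entirely.
    """
    if forwarded:
        hops = parse_forwarded(forwarded)
    elif xff:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
    else:
        hops = []

    candidate = remote_addr
    for hop in reversed(hops):
        if not _is_trusted(candidate):
            break                # candidate is not ours: don't believe its claim
        candidate = hop
    return candidate


if __name__ == "__main__":
    # Constructed: client 203.0.113.5 -> proxy 10.0.0.1 -> proxy 10.0.0.2 -> origin,
    # with the client having prepended a forged entry.
    forged = "192.0.2.99, 203.0.113.5, 10.0.0.1"
    print("naive :", leftmost_hop(forged))
    print("safe  :", client_ip("10.0.0.2", xff=forged))
```

The same walk handles a direct connection with no proxy at all: the peer is not trusted, so the loop stops immediately and any X-Forwarded-For the client attached is discarded. Misconfigured anonymising proxies fail in the opposite direction, appending the address they were meant to hide to a header the destination will happily read.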
Can I change or remove the headers my browser sends?
Some of them. Extensions and DevTools can override the User-Agent or strip the Referer, and browsers increasingly trim both by default. But headers are also a fingerprinting surface (unusual combinations stand out), so aggressive header spoofing can make you more identifiable, not less.
Which security headers should my own website send?
The consensus baseline is Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options: nosniff, a restrictive Referrer-Policy, and X-Frame-Options (or its CSP equivalent, frame-ancestors). Run your domain through a headers checker to see which are present and copy the recommended values from there.