What Are HTTP Headers?
HTTP headers are key-value pairs sent at the beginning of every HTTP request and response. They carry metadata about the connection, the content, caching behavior, security policies, and authentication. All of this is invisible to normal users but critical to how the web works. Inspect the headers any website sends to your browser with our HTTP headers checker.
Common Request Headers
| Header | Purpose | Example Value |
|---|---|---|
| Host | Specifies the domain being requested (required in HTTP/1.1) | example.com |
| User-Agent | Identifies the browser, OS, and version | Mozilla/5.0 (Windows NT 10.0; Win64; x64)... |
| Accept | Content types the client can handle | text/html, application/json |
| Accept-Language | Preferred language for the response | en-US,en;q=0.9 |
| Referer | URL of the page that linked to this resource | https://google.com/search?q=... |
| Cookie | Sends stored cookies to the server | session_id=abc123; theme=dark |
| Authorization | Sends credentials for HTTP authentication | Bearer eyJhbGci... |
| X-Forwarded-For | Passes client IP through proxies and load balancers | 203.0.113.5, 10.0.0.1 |
Important Security Response Headers
| Header | Purpose | Recommended Value |
|---|---|---|
| Strict-Transport-Security | Forces HTTPS for future visits (HSTS) | max-age=31536000; includeSubDomains |
| Content-Security-Policy | Controls which resources the browser may load (mitigates XSS) | default-src 'self'; script-src 'self' |
| X-Content-Type-Options | Prevents MIME-type sniffing | nosniff |
| X-Frame-Options | Prevents clickjacking via iframes | DENY or SAMEORIGIN |
| Referrer-Policy | Controls how much referrer info is sent | strict-origin-when-cross-origin |
| Permissions-Policy | Controls access to browser APIs (camera, microphone, etc.) | geolocation=(), camera=() |
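
An added example (not from the original page) that audits a raw response head against the recommended values in the table above. The sample response, the function names, and the strictness rules used for Content-Security-Policy and Referrer-Policy are assumptions made for illustration.

```python
import re

# Constructed sample response head (not captured from a real site).
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "strict-transport-security: max-age=86400\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n"
)

def parse_headers(head):
    """Map lower-cased header names to values; repeated headers are comma-joined."""
    headers = {}
    for line in head.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        key = name.strip().lower()         # header names are case-insensitive
        headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    return headers

def check_hsts(v):
    # Table recommendation: max-age of at least one year plus includeSubDomains.
    m = re.search(r"max-age=(\d+)", v, re.I)
    return bool(m) and int(m.group(1)) >= 31536000 and "includesubdomains" in v.lower()
def check_csp(v):
    # Assumption: no default-src, or 'unsafe-inline' anywhere in the policy, counts as weak.
    return "default-src" in v and "'unsafe-inline'" not in v

CHECKS = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    # Assumption: policies at least as strict as the recommended one also pass.
    "referrer-policy": lambda v: v.lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "permissions-policy": lambda v: bool(v),
}

def audit(head):
    """Return {header: 'ok' | 'weak' | 'missing'} for the six headers in the table."""
    headers = parse_headers(head)
    return {name: "missing" if name not in headers
            else ("ok" if check(headers[name]) else "weak")
            for name, check in CHECKS.items()}

if __name__ == "__main__":
    print(audit(SAMPLE_HEAD))
```
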
How Headers Relate to Privacy
- The User-Agent header reveals your browser, OS version, and architecture, a significant fingerprinting signal.
- The Referer header can leak sensitive URLs (including search queries or internal paths) to third-party resources.
- X-Forwarded-For headers added by proxies and VPNs can reveal your original IP to the destination server if the proxy is misconfigured. Run our VPN leak test to verify yours doesn't.
- The Accept-Language header reveals your preferred language, a small but contributing fingerprinting attribute.