Cheatsheets
HTTP headers
HTTP request & response headers for caching, security, and CORS.
Visualize
HTTP flows
304 revalidation and CORS preflight, step by step.
Press play to watch the exchange.
35 entries
Request9
Authorization: Bearer <token>Credentials (Bearer, Basic, …)
Accept: application/jsonMedia types the client can handle
Accept-Encoding: gzip, brCompression algorithms the client supports
Accept-Language: en, th;q=0.9Preferred languages (with weights)
Content-Type: application/jsonMedia type of the request body
Cookie: a=1; b=2Stored cookies sent back to the server
If-None-Match: "<etag>"Conditional GET — reuse cached body if ETag matches
Range: bytes=0-1023Request a byte range of a resource (resumable downloads, video seek)
X-Forwarded-For: <client-ip>Original client IP through proxies
Response7
Content-Type: text/html; charset=utf-8Media type and character encoding of the response body
Content-Length: 1234Body size in bytes
Location: /new-pathTarget URL for redirects / created resources
Set-Cookie: id=abc; HttpOnly; Secure; SameSite=LaxSend a cookie to the client with security attributes
ETag: "abc123"Version identifier for conditional caching (revalidation)
Content-Disposition: attachment; filename="report.csv"Force a download (with suggested filename) instead of inline display
Retry-After: 120When to retry after a 429 or 503 (seconds or HTTP-date)
Caching8
Cache-Control: max-age=31536000, immutableCache forever — for content-hashed assets
Cache-Control: no-cacheAlways revalidate with the server before serving from cache
Cache-Control: no-storeNever store this response anywhere — not in browser cache, not in CDN
Cache-Control: stale-while-revalidate=60Serve stale instantly while refreshing in the background
Cache-Control: public, max-age=3600Cache in browser and CDN for 1 hour
Cache-Control: private, max-age=3600Cache in browser only (not CDN/proxy) — for personalised responses
Age: 120Seconds this object has been held in the cache
Vary: Accept-EncodingCache variants per Accept-Encoding — prevents serving gzip to a client that only accepts plaintext
Security6
Strict-Transport-Security: max-age=63072000; includeSubDomains; preloadForce HTTPS for 2 years across all subdomains (HSTS)
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'Restrict which origins/sources may load content — primary XSS mitigation
X-Content-Type-Options: nosniffStop browsers from MIME-sniffing the response — serve exactly what Content-Type declares
X-Frame-Options: DENYPrevent clickjacking — block this page from being embedded in a frame
Referrer-Policy: strict-origin-when-cross-originControl how much of the referrer URL is sent to other origins
Permissions-Policy: camera=(), microphone=()Disable browser features (camera, mic, geolocation, …)
CORS5
Access-Control-Allow-Origin: https://app.example.comWhich origin(s) may read the response cross-site
Access-Control-Allow-Methods: GET, POST, PUT, DELETEAllowed HTTP methods for cross-origin requests (preflight response)
Access-Control-Allow-Headers: Content-Type, AuthorizationAllowed request headers for cross-origin requests (preflight response)
Access-Control-Allow-Credentials: truePermit cookies and Authorization headers on cross-origin requests
Access-Control-Max-Age: 86400Cache the preflight OPTIONS response for 24 hours — avoid a preflight on every request