All cheatsheets

Cheatsheets

HTTP headers

HTTP request & response headers for caching, security, and CORS.

Visualize

HTTP flows

304 revalidation and CORS preflight, step by step.

ClientServer

Press play to watch the exchange.

35 entries

Request9

Authorization: Bearer <token>

Credentials (Bearer, Basic, …)

Accept: application/json

Media types the client can handle

Accept-Encoding: gzip, br

Compression algorithms the client supports

Accept-Language: en, th;q=0.9

Preferred languages (with weights)

Content-Type: application/json

Media type of the request body

Cookie: a=1; b=2

Stored cookies sent back to the server

If-None-Match: "<etag>"

Conditional GET — reuse cached body if ETag matches

Range: bytes=0-1023

Request a byte range of a resource (resumable downloads, video seek)

X-Forwarded-For: <client-ip>

Original client IP through proxies

Response7

Content-Type: text/html; charset=utf-8

Media type and character encoding of the response body

Content-Length: 1234

Body size in bytes

Location: /new-path

Target URL for redirects / created resources

Set-Cookie: id=abc; HttpOnly; Secure; SameSite=Lax

Send a cookie to the client with security attributes

ETag: "abc123"

Version identifier for conditional caching (revalidation)

Content-Disposition: attachment; filename="report.csv"

Force a download (with suggested filename) instead of inline display

Retry-After: 120

When to retry after a 429 or 503 (seconds or HTTP-date)

Caching8

Cache-Control: max-age=31536000, immutable

Cache forever — for content-hashed assets

Cache-Control: no-cache

Always revalidate with the server before serving from cache

Cache-Control: no-store

Never store this response anywhere — not in browser cache, not in CDN

Cache-Control: stale-while-revalidate=60

Serve stale instantly while refreshing in the background

Cache-Control: public, max-age=3600

Cache in browser and CDN for 1 hour

Cache-Control: private, max-age=3600

Cache in browser only (not CDN/proxy) — for personalised responses

Age: 120

Seconds this object has been held in the cache

Vary: Accept-Encoding

Cache variants per Accept-Encoding — prevents serving gzip to a client that only accepts plaintext

Security6

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Force HTTPS for 2 years across all subdomains (HSTS)

Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'

Restrict which origins/sources may load content — primary XSS mitigation

X-Content-Type-Options: nosniff

Stop browsers from MIME-sniffing the response — serve exactly what Content-Type declares

X-Frame-Options: DENY

Prevent clickjacking — block this page from being embedded in a frame

Referrer-Policy: strict-origin-when-cross-origin

Control how much of the referrer URL is sent to other origins

Permissions-Policy: camera=(), microphone=()

Disable browser features (camera, mic, geolocation, …)

CORS5

Access-Control-Allow-Origin: https://app.example.com

Which origin(s) may read the response cross-site

Access-Control-Allow-Methods: GET, POST, PUT, DELETE

Allowed HTTP methods for cross-origin requests (preflight response)

Access-Control-Allow-Headers: Content-Type, Authorization

Allowed request headers for cross-origin requests (preflight response)

Access-Control-Allow-Credentials: true

Permit cookies and Authorization headers on cross-origin requests

Access-Control-Max-Age: 86400

Cache the preflight OPTIONS response for 24 hours — avoid a preflight on every request