
HTTP headers

HTTP request & response headers for caching, security, and CORS.

33 entries

Request (9)

Authorization: Bearer <token>

Credentials (Bearer, Basic, …)

Accept: application/json

Media types the client can handle

Accept-Encoding: gzip, br

Compression the client supports

Accept-Language: en, th;q=0.9

Preferred languages (with weights)

Content-Type: application/json

Media type of the request body

Cookie: a=1; b=2

Stored cookies sent back to the server

If-None-Match: "<etag>"

Conditional request using an ETag

Range: bytes=0-1023

Request part of a resource

X-Forwarded-For: <client-ip>

Original client IP as reported through proxies (client-supplied and spoofable; trust only the value appended by your own proxy)

Response (7)

Content-Type: text/html; charset=utf-8

Media type of the body

Content-Length: 1234

Body size in bytes

Location: /new-path

Target URL for redirects / created resources

Set-Cookie: a=1; HttpOnly; Secure

Send a cookie to the client

ETag: "abc123"

Version identifier for caching

Retry-After: 120

Seconds (or an HTTP date) to wait before retrying (429 / 503)

Content-Disposition: attachment; filename=x.csv

Force a download

Caching (6)

Cache-Control: no-store

Never cache the response

Cache-Control: max-age=3600

Fresh for 3600 seconds

Cache-Control: public / private

Any cache / browser only

Cache-Control: stale-while-revalidate=60

Serve stale while refreshing

Age: 120

Seconds the object has been cached

Vary: Accept-Encoding

Headers that affect the cached variant

Security (6)

Strict-Transport-Security: max-age=63072000

Force HTTPS (HSTS)

Content-Security-Policy: default-src 'self'; img-src *; script-src 'self'

Restrict allowed content sources

X-Content-Type-Options: nosniff

Disable MIME sniffing

X-Frame-Options: DENY

Prevent clickjacking by forbidding framing (legacy header; CSP frame-ancestors supersedes it)

Referrer-Policy: strict-origin

Control how much referrer is sent

Permissions-Policy: camera=()

Disable browser features

CORS (5)

Access-Control-Allow-Origin: *

Origins allowed to read the response

Access-Control-Allow-Methods: GET, POST

Allowed cross-origin methods

Access-Control-Allow-Headers: Content-Type

Allowed request headers

Access-Control-Allow-Credentials: true

Allow cookies and auth headers cross-origin (requires an explicit Allow-Origin, not *)

Access-Control-Max-Age: 86400

How long to cache the preflight