Your Request Headers
What are HTTP Headers?
HTTP headers are pieces of metadata sent between your browser and web servers with every request and response. Think of them as the envelope information on a letter - while the webpage content is the letter itself, headers contain important details about how the message should be handled, who sent it, and what it contains.
When you visit a website, your browser sends request headers telling the server what kind of content it can handle, what language you prefer, whether it supports compression, and identifying information about your browser and device. The server responds with response headers that specify content type, caching rules, security policies, and other directives. Understanding these headers is crucial for web development, debugging, security analysis, and privacy awareness.
Common HTTP Headers Explained
User-Agent
Identifies your browser, operating system, and device type. Websites use this to deliver optimized content for your platform and track browser usage statistics.
Accept & Content-Type
Accept tells servers what file formats you can handle (HTML, JSON, images). Content-Type specifies the format of data being sent in requests or responses.
Cache-Control
Directs how browsers and proxies should cache content. Proper caching improves performance but can cause issues if not configured correctly.
Authorization
Contains credentials for authenticating with web servers and APIs. Common schemes include Bearer tokens, Basic authentication, and API keys.
Cookies
Store session data and user preferences. The Cookie header sends stored cookies to servers, while Set-Cookie creates new cookies in responses.
Referer
Shows which page linked to the current request. Useful for analytics and security, though it can raise privacy concerns in some contexts.
Why View HTTP Headers?
Debug API Issues
Inspect headers to troubleshoot API authentication problems, content negotiation errors, and CORS issues. See exactly what your browser is sending to servers.
Security Analysis
Check for security headers like Content-Security-Policy, X-Frame-Options, and Strict-Transport-Security to assess website security posture.
Caching Troubleshooting
Examine Cache-Control, ETag, and Last-Modified headers to diagnose why content isn't caching properly or why stale content is being served.
CORS Debugging
Verify Origin, Access-Control-Allow-Origin, and other CORS headers to resolve cross-origin resource sharing problems in web applications.
Performance Optimization
Analyze compression headers (Accept-Encoding, Content-Encoding) and content negotiation to ensure optimal resource delivery and load times.
Privacy Awareness
Understand what information your browser reveals through headers, including tracking cookies, referrer information, and device fingerprinting data.
Frequently Asked Questions
What is the difference between request and response headers?
Request headers are sent by your browser to the server when you visit a website or make an API call. They include information like your User-Agent, accepted content types, cookies, and authentication credentials. Request headers tell the server what you want and how you want it delivered.
Response headers come from the server back to your browser. They specify the content type being returned, caching instructions, security policies, and server information. Response headers control how your browser should handle the content it receives.
Our tool shows request headers - what your browser sends out. To see response headers, you'll need browser developer tools or tools like curl.
Can websites see all my headers?
Yes, web servers can see all HTTP headers your browser sends with each request. This includes:
- User-Agent: Your browser type, version, and operating system
- Accept-Language: Your preferred languages (often revealing your location)
- Referer: Which page you came from
- Cookies: Any cookies previously set by that domain
- Custom headers: Added by browser extensions or applications
This is normal and necessary for websites to function, but it does mean sites can fingerprint your browser and track you across sessions.
What headers reveal my identity?
Several headers can reveal identifying information:
- User-Agent: Reveals your browser, OS, and device, contributing to browser fingerprinting
- Accept-Language: Language preferences often correlate with geographic location
- Referer: Shows your browsing path and which sites you visit
- Cookie: Contains session IDs and tracking identifiers that persist across visits
- Authorization: Contains your credentials when accessing protected resources
Combined with your IP address (not technically a header), these can form a fingerprint distinctive enough to track you even without cookies.
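The same list matters on the server side, because request logs that store these headers verbatim end up holding credentials and tracking identifiers. The following is an added example, not code from this page or its tool: it reduces the identifying headers before logging, and the function name, the `[REDACTED]` marker and the sample request are assumptions constructed for illustration.

```javascript
// Added example: reduce identifying request headers before they reach a log.
// SAMPLE_REQUEST is constructed; its values are not from a real session.
const IDENTIFYING = ["user-agent", "accept-language", "referer", "cookie", "authorization"];

function redactRequestHeaders(headers) {
  const redacted = {};
  for (const [rawName, rawValue] of Object.entries(headers)) {
    const name = rawName.toLowerCase(); // header names are case-insensitive
    const value = String(rawValue).trim();
    if (name === "authorization") {
      // Keep the scheme (Basic, Bearer) for debugging; a bare token has no scheme to keep.
      const parts = value.split(/\s+/);
      redacted[name] = parts.length > 1 ? parts[0] + " [REDACTED]" : "[REDACTED]";
    } else if (name === "cookie") {
      // Keep cookie names, drop values (session IDs, tracking identifiers).
      redacted[name] = value.split(";").filter((pair) => pair.trim())
        .map((pair) => pair.split("=")[0].trim() + "=[REDACTED]").join("; ");
    } else if (name === "referer") {
      // Keep only the origin; the path and query string show the browsing path.
      try { redacted[name] = new URL(value).origin + "/"; } catch { redacted[name] = "[REDACTED]"; }
    } else {
      redacted[name] = value;
    }
  }
  // Report which of the identifying headers this request carried.
  const identifying = IDENTIFYING.filter((n) => n in redacted);
  return { redacted, identifying };
}

const SAMPLE_REQUEST = {
  "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0",
  "Accept-Language": "de-DE,de;q=0.9,en;q=0.5",
  "Referer": "https://shop.example/account/orders?id=1234",
  "Cookie": "session=abc123; _track=xyz789",
  "Authorization": "Bearer constructed.token.value",
};
console.log(redactRequestHeaders(SAMPLE_REQUEST));
```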
How do I modify HTTP headers?
You can modify HTTP headers using several methods:
- Browser extensions: ModHeader (Chrome/Firefox) or similar tools let you add, modify, or remove headers for testing
- Developer tools: Some browsers allow header modification in Network tab settings
- Proxy tools: Burp Suite, Fiddler, or Charles Proxy intercept and modify traffic
- Command-line tools: curl and wget allow custom headers via command-line flags
- Programming: Most HTTP libraries (fetch, axios, requests) let you set custom headers in code
Note that browsers protect some headers, such as Host and certain security-related headers, so client-side code running in a page cannot set or change them.
What are security headers?
Security headers are HTTP response headers that tell browsers how to handle security-related aspects of web content:
- Content-Security-Policy (CSP): Helps prevent XSS attacks by controlling which resources can load
- Strict-Transport-Security (HSTS): Forces HTTPS connections for a specified period
- X-Frame-Options: Prevents clickjacking by controlling whether pages can be embedded in frames
- X-Content-Type-Options: Prevents MIME-type sniffing attacks
- Referrer-Policy: Controls how much referrer information is shared
- Permissions-Policy: Controls which browser features and APIs can be used
These are response headers set by servers, not request headers. Well-configured security headers significantly reduce vulnerability to common web attacks.
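A header that is present is not necessarily well configured. The following is an added example, not code from this page or its tool: it audits a raw response header block for the six headers listed above and flags weak values. The function names, the 180-day HSTS threshold and the sample response are assumptions constructed for illustration.

```javascript
// Added example. SAMPLE_RESPONSE is constructed; MIN_HSTS_SECONDS is an assumed threshold.
const MIN_HSTS_SECONDS = 15552000; // 180 days

// Parse a raw response header block. Names are case-insensitive;
// a repeated header keeps its last value (simplification).
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) { // skip the status line
    const idx = line.indexOf(":");
    if (idx > 0) headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return headers;
}

const RULES = {
  "content-security-policy": (v) => {
    const dirs = v.toLowerCase().split(";").map((s) => s.trim());
    const src = dirs.find((d) => d.startsWith("script-src ")) ||
                dirs.find((d) => d.startsWith("default-src "));
    if (!src) return "weak: no script-src or default-src";
    // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    const hasNonceOrHash = /'(nonce|sha256|sha384|sha512)-/.test(src);
    return src.includes("'unsafe-inline'") && !hasNonceOrHash ? "weak: inline scripts allowed" : "ok";
  },
  "strict-transport-security": (v) => {
    const m = /max-age\s*=\s*"?(\d+)/i.exec(v);
    return m && Number(m[1]) >= MIN_HSTS_SECONDS ? "ok" : "weak: max-age missing or short";
  },
  "x-frame-options": (v) => (/^(deny|sameorigin)$/i.test(v) ? "ok" : "weak: unrecognized value"),
  "x-content-type-options": (v) => (v.toLowerCase() === "nosniff" ? "ok" : "weak: expected nosniff"),
  "referrer-policy": (v) => (/(^|,)\s*unsafe-url\s*$/i.test(v) ? "weak: sends full URL" : "ok"),
  "permissions-policy": () => "ok", // presence check only
};

// Returns { headerName: "ok" | "missing" | "weak: ..." } for each security header.
function auditSecurityHeaders(raw) {
  const headers = parseHeaders(raw);
  return Object.fromEntries(Object.entries(RULES).map(([name, check]) =>
    [name, headers.has(name) ? check(headers.get(name)) : "missing"]));
}

const SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'",
  "Strict-Transport-Security: max-age=300",
  "X-Frame-Options: SAMEORIGIN",
  "x-content-type-options: nosniff",
  "Referrer-Policy: strict-origin-when-cross-origin",
].join("\r\n");
console.log(auditSecurityHeaders(SAMPLE_RESPONSE));
```

To audit a live site, paste in the header block that browser developer tools or curl show for the response.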