HTTP Header

What Is an HTTP Header

An HTTP header is metadata exchanged between a client (browser) and server during HTTP communication, separate from the message body. Request headers travel from client to server, while response headers travel from server to client.

Headers follow a "name: value" format and convey information about content type, caching behavior, authentication credentials, and security policies. Understanding HTTP headers is essential for web developers, and properly configuring security headers forms the foundation of site defense.

Request Headers vs Response Headers

HTTP headers are broadly divided into two categories based on direction.

Request Headers
Sent from client to server. Include User-Agent (browser type), Accept (acceptable content types), Authorization (authentication tokens), and Cookie (stored cookie data). The server uses this information to optimize its response.
Response Headers
Returned from server to client. Include Content-Type (MIME type), Set-Cookie (cookie instructions), Cache-Control (caching policy), and various security headers.

Additionally, general headers (Date, Connection) are used in both directions, and entity headers (Content-Length, Content-Encoding) describe body attributes.

Security Headers

Among response headers, the security headers that control browser security features are critical for website defense.

  • Content-Security-Policy (CSP): Controls which sources a page can load resources from. The most powerful security header for mitigating XSS attacks.
  • Strict-Transport-Security (HSTS): Instructs browsers to use HTTPS exclusively for future visits. Prevents HTTP downgrade attacks.
  • X-Frame-Options: Controls whether a page can be embedded in an <iframe>. Defends against clickjacking. Set to DENY or SAMEORIGIN. CSP's frame-ancestors directive is the successor, but both are recommended for backward compatibility.
  • X-Content-Type-Options: Setting nosniff disables browser MIME-type sniffing, preventing the browser from interpreting content differently than the server-specified Content-Type.

These headers work individually and in combination to build defense in depth. If one header is bypassed, others can still block the attack.

Cache Control Headers

Cache control headers specify how long browsers and CDNs should retain responses. Proper configuration affects both performance and security.

  • Cache-Control: The most important caching header. Combines directives like max-age=3600 (cache for 1 hour), no-cache (revalidate with server each time), and no-store (never cache). Pages containing authentication data should use no-store, private.
  • ETag: A hash identifying a specific resource version. On subsequent requests, the browser sends the ETag via If-None-Match, and the server returns 304 Not Modified if unchanged, saving bandwidth.
  • Last-Modified / If-Modified-Since: Conditional requests based on last modification time. Similar bandwidth savings to ETag but with only second-level precision, so using both together is recommended.

A common strategy uses long max-age with content-hashed filenames for static assets, and no-cache with ETag validation for HTML pages.
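The caching strategy above, as an added example that is not part of the original article: a small Python GET handler that picks a Cache-Control value per resource type (long max-age for content-hashed static assets, no-cache for HTML, no-store for authenticated pages), computes a strong ETag, and answers a matching If-None-Match with 304 Not Modified. The resources, paths and the AUTHENTICATED_PATHS set are constructed for the demonstration.

```python
import hashlib

# Constructed sample resources (not from the original article): a content-hashed
# static asset, a plain HTML page, and an account page carrying per-user data.
RESOURCES = {
    "/static/app.3f9a1c.js": b"console.log('app');",
    "/index.html": b"<html><body>Hello</body></html>",
    "/account": b"<html><body>Welcome back, user</body></html>",
}

# Paths whose responses contain authentication data (assumption for the demo).
AUTHENTICATED_PATHS = {"/account"}

ONE_YEAR = 31536000  # seconds


def make_etag(body: bytes) -> str:
    """Strong ETag: a quoted hash of the exact representation bytes."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def cache_policy_for(path: str) -> str:
    """Choose a Cache-Control value following the strategy the article describes."""
    if path in AUTHENTICATED_PATHS:
        # Per-user responses must never be stored, and never by a shared cache.
        return "no-store, private"
    if path.startswith("/static/"):
        # The filename embeds a content hash, so the URL changes whenever the
        # bytes change; the cached copy can be kept for a year without revalidation.
        return f"public, max-age={ONE_YEAR}, immutable"
    # HTML: revalidate on every use, but let ETag turn most revalidations into 304s.
    return "no-cache"


def handle_get(path: str, request_headers: dict) -> tuple:
    """Return (status, response_headers, body) for a GET, honouring If-None-Match."""
    body = RESOURCES.get(path)
    if body is None:
        return 404, {"Cache-Control": "no-store"}, b""

    etag = make_etag(body)
    headers = {"Cache-Control": cache_policy_for(path), "ETag": etag}

    inm = request_headers.get("If-None-Match")
    if inm is not None:
        # If-None-Match may carry several tags; "*" matches any current entity.
        # A weak validator prefix (W/) is ignored for the comparison.
        candidates = [t.strip().removeprefix("W/") for t in inm.split(",")]
        if "*" in candidates or etag in candidates:
            # Validator matched: send headers only, the client reuses its copy.
            return 304, headers, b""
    return 200, headers, body


if __name__ == "__main__":
    status, hdrs, _ = handle_get("/index.html", {})
    print(status, hdrs)
    print(handle_get("/index.html", {"If-None-Match": hdrs["ETag"]})[0])  # 304
    print(handle_get("/account", {})[1]["Cache-Control"])  # no-store, private
```

The 304 branch still returns the Cache-Control and ETag headers, which is what lets the client refresh its cached entry's freshness lifetime without re-downloading the body.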

Privacy Headers

With growing privacy awareness, headers controlling user tracking and data collection have become increasingly important.

  • Referrer-Policy: Controls the Referer header content sent during navigation. strict-origin-when-cross-origin (send only origin for cross-origin requests) is the recommended setting. Prevents browsing history from leaking to external sites.
  • Permissions-Policy: Controls access to browser features such as camera, microphone, geolocation, and accelerometer. Explicitly disabling unused features prevents malicious scripts from exploiting device capabilities. Formerly known as Feature-Policy.
  • Cross-Origin headers: Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP), and Cross-Origin-Resource-Policy (CORP) control which cross-origin resources a document may load or embed and which cross-origin windows may keep a reference to it. Introduced as mitigations against Spectre attacks.

Combining security and privacy headers appropriately protects user data while minimizing the attack surface.
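As an added example (not code from the original article) covering both the security headers and the privacy headers discussed above: a Python parser for the "name: value" header format and an audit function that reports headers that are missing or set to a weak value, the check a developer would run from the browser's developer tools or a response dump. The sample response block, the hardened header set and the thresholds used (for instance a one-year HSTS max-age) are assumptions made for the demonstration.

```python
import re

# Constructed sample response (not taken from the original article): a status
# line followed by "name: value" header lines, as a server might send them.
RAW_RESPONSE_HEADERS = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: ALLOWALL
Strict-Transport-Security: max-age=60
Referrer-Policy: unsafe-url
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
"""

# Constructed hardened header set for comparison (assumed values, not the page's).
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

ONE_YEAR = 31536000  # seconds; threshold assumed for the HSTS check


def parse_headers(raw: str) -> dict:
    """Parse a header block into a dict keyed by lower-cased header name.

    Header names are case-insensitive, so the key is normalised. The status
    line is skipped and repeated names are joined with ", " as HTTP permits.
    """
    headers = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_headers(headers: dict) -> list:
    """Return a list of findings for missing or weak security and privacy headers."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    # Content-Security-Policy: present, and script-src must not allow inline code.
    directives = {}
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        for d in csp.split(";"):
            parts = d.strip().split()
            if parts:
                directives[parts[0]] = parts[1:]
        # script-src falls back to default-src when it is not set explicitly.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows inline scripts")

    # Framing control: either the CSP frame-ancestors directive or X-Frame-Options.
    if "frame-ancestors" not in directives and "x-frame-options" not in h:
        findings.append("no framing control (frame-ancestors or X-Frame-Options)")

    # HSTS: present with a max-age of at least one year.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")

    # X-Frame-Options: only DENY and SAMEORIGIN are meaningful values.
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unsupported value {xfo!r}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Referrer-Policy: absent, unsafe-url and no-referrer-when-downgrade all send
    # the full URL to cross-origin destinations.
    rp = h.get("referrer-policy", "").lower()
    if rp in ("", "unsafe-url", "no-referrer-when-downgrade"):
        findings.append("Referrer-Policy missing or leaks full URL cross-origin")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")

    return findings


if __name__ == "__main__":
    for finding in audit_headers(parse_headers(RAW_RESPONSE_HEADERS)):
        print("-", finding)
    print("hardened:", audit_headers(HARDENED_HEADERS))  # hardened: []
```

The audit reads header names case-insensitively and treats a missing script-src as inheriting default-src, two details that a naive string search for "X-Frame-Options" or "script-src" gets wrong and that produce false negatives in practice.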

Common Misconceptions

HTTP headers are only relevant to server administrators
Frontend developers also need to understand HTTP headers. Debugging CORS errors, designing caching strategies, and implementing CSP all require header knowledge. Building a habit of inspecting headers in browser developer tools is essential.
Setting security headers eliminates all vulnerabilities
Security headers are one layer of defense in depth. They cannot replace fixing application-level vulnerabilities such as input validation flaws or authentication defects. Headers control browser behavior to reduce attack impact and are most effective when combined with proper vulnerability remediation.