Referencia de Cabeceras HTTP
Desarrollo
Búsqueda rápida de las cabeceras HTTP del día a día — qué hacen, si fluyen en petición, respuesta o ambas, y cómo encajan en CORS, caché, seguridad y cookies. Filtra por categoría o busca por nombre y descripción.
—
| Cabecera | Descripción | ||
|---|---|---|---|
| Date | ↔ | Timestamp when the message was originated, in IMF-fixdate format. | |
| Connection | ↔ | Whether the network connection stays open after the current exchange (keep-alive / close). | |
| Transfer-Encoding | ↔ | How the message body is encoded for transfer — chunked, compress, deflate, gzip, identity. | |
| Content-Type | ↔ | Media type of the body (e.g. application/json; charset=utf-8). | |
| Content-Length | ↔ | Size of the body in bytes. | |
| Content-Encoding | ↔ | Compression applied to the body (gzip, br, zstd). | |
| Content-Language | ↔ | Natural language of the body (e.g. ko-KR). | |
| Content-Disposition | ↔ | Whether the body is displayed inline or treated as an attachment to be downloaded. | |
| Host | → | Domain name of the server (required for HTTP/1.1). | |
| User-Agent | → | Identifies the client software (browser, bot, library). | |
| Accept | → | Media types the client can handle (e.g. text/html, application/json). | |
| Accept-Encoding | → | Content encodings the client can decode (gzip, br). | |
| Accept-Language | → | Preferred languages of the client (e.g. ko, en;q=0.8). | |
| Referer | → | URL of the page that triggered the request — yes, misspelled in the spec. | |
| Authorization | → | Credentials — Basic, Bearer, Digest, etc. | |
| Range | → | Request only a portion of the resource (e.g. bytes=0-1023). Triggers a 206 response. | |
| If-None-Match | → | Conditional request — only return the resource if its ETag does not match. | |
| If-Modified-Since | → | Conditional request — only return the resource if changed since the given date. | |
| Origin | → | Scheme + host + port of the page that initiated a CORS or fetch request. | |
| Server | ← | Identifies the server software handling the request. | |
| Location | ← | Target URL for redirects (3xx) or location of a newly created resource (201). | |
| ETag | ← | Opaque identifier for a specific version of the resource — used with If-None-Match. | |
| Last-Modified | ← | When the resource was last changed — used with If-Modified-Since. | |
| Retry-After | ← | How long to wait before retrying — used with 429 and 503. | |
| WWW-Authenticate | ← | Challenges the client to authenticate — sent with 401 responses. | |
| Vary | ← | Lists request headers that affect this response — caches use it to key entries. | |
| Allow | ← | HTTP methods allowed on the resource — sent with 405 responses. | |
| Access-Control-Allow-Origin | ← | Which origin(s) may read the response — exact origin or `*`. Cannot be `*` with credentials. | |
| Access-Control-Allow-Methods | ← | Methods allowed on the resource for cross-origin requests — sent in the preflight response. | |
| Access-Control-Allow-Headers | ← | Custom request headers the client may include — sent in the preflight response. | |
| Access-Control-Allow-Credentials | ← | Whether the response can be shared when credentials (cookies, basic auth) are sent. | |
| Access-Control-Max-Age | ← | How long the browser may cache the preflight response, in seconds. | |
| Access-Control-Expose-Headers | ← | Response headers JavaScript may read (beyond the default safelist). | |
| Access-Control-Request-Method | → | In a preflight, the method the actual request will use. | |
| Access-Control-Request-Headers | → | In a preflight, the custom headers the actual request will include. | |
| Cache-Control | ↔ | Caching directives — max-age, no-store, public, private, immutable, etc. | |
| Expires | ← | Absolute date after which the response is stale — Cache-Control: max-age takes precedence. | |
| Pragma | → | Legacy caching control — `Pragma: no-cache` for HTTP/1.0 compatibility. | |
| Age | ← | How long ago (seconds) the response was generated by the origin, per the proxy. | |
| Strict-Transport-Security | ← | HSTS — forces future visits to use HTTPS, optionally including subdomains and preload. | |
| Content-Security-Policy | ← | CSP — restricts which sources of scripts, styles, frames, etc. the browser may load. | |
| X-Frame-Options | ← | Whether the page may be embedded in a frame — DENY, SAMEORIGIN. Superseded by CSP frame-ancestors. | |
| X-Content-Type-Options | ← | `nosniff` disables MIME sniffing — the browser must trust the declared Content-Type. | |
| Referrer-Policy | ← | Controls how much of the Referer URL is sent with outgoing requests. | |
| Permissions-Policy | ← | Opts in/out of browser features (camera, microphone, geolocation, etc.) for the page and its frames. | |
| Cross-Origin-Opener-Policy | ← | COOP — isolates the browsing context from cross-origin documents. Required for SharedArrayBuffer. | |
| Cross-Origin-Resource-Policy | ← | CORP — restricts which origins may load this resource. | |
| Cookie | → | Cookies the client sends back to the server. | |
| Set-Cookie | ← | Asks the client to store one or more cookies — attributes: Path, Domain, Max-Age, Secure, HttpOnly, SameSite. |
Cómo usar
- Escribe un nombre de cabecera (`cache-control`) o palabra clave (`cors`, `redirect`) en la búsqueda.
- Elige un chip de categoría para acotar — p.ej. Seguridad para comparar CSP, HSTS, COOP.
- Pulsa copiar en cualquier fila para copiar el nombre.
Preguntas frecuentes
- ¿Por qué `Cache-Control` aparece en ambas direcciones?
- Algunas cabeceras — `Cache-Control`, `Content-Type`, `Date`, `Connection` — son válidas tanto en peticiones como respuestas. La tabla las marca con `↔`.
- ¿Diferencia entre `Origin` y `Referer`?
- `Origin` es solo scheme + host + port; se envía en CORS y POST. `Referer` es la URL completa de la página anterior y es principalmente para analítica — `Referrer-Policy` controla cuánto se filtra.
- ¿Cuándo se usan las cabeceras CORS preflight?
- Cuando un fetch usa un método no simple (`PUT`, `DELETE`) o cabeceras personalizadas, el navegador envía primero un preflight `OPTIONS`. `Access-Control-Request-*` van en el preflight; `Access-Control-Allow-*` vuelven; la petición real sigue si el preflight la permitió.
Herramientas relacionadas
Decodificador JWT
Decodifica un JSON Web Token para ver su cabecera, claims y expiración.
Desarrollo00
Generador de UUID
Genera UUID v4 aleatorios en lote, con copia.
Desarrollo00
Generador de Hash (SHA)
Genera hashes SHA-1, SHA-256, SHA-384 y SHA-512 a partir de texto.
Desarrollo00
Codificador / Decodificador de URL
Codifica texto para URLs en porcentaje, o decodifica URLs a texto.
Desarrollo00
Codificador / Decodificador Base64
Codifica texto a Base64 o decodifica Base64 a texto al instante.
Desarrollo00
Formateador y Validador de JSON
Formatea, embellece, minifica y valida JSON en tu navegador.
Desarrollo00