HTTP Header Reference
Development
Quick lookup for the HTTP headers you use every day: what each one does, whether it travels in requests, responses or both, and how it fits into CORS, caching, security and cookies. Filter by category or search by name and description.
| Header | Direction (→ request, ← response, ↔ both) | Description |
|---|---|---|
| Date | ↔ | Timestamp when the message was originated, in IMF-fixdate format. |
| Connection | ↔ | Whether the network connection stays open after the current exchange (keep-alive / close). Hop-by-hop; HTTP/2 forbids it. |
| Transfer-Encoding | ↔ | How the message body is encoded for transfer: chunked, compress, deflate, gzip, identity. When both this and Content-Length are present, Transfer-Encoding wins; intermediaries that resolve that conflict differently are the root of request smuggling. |
| Content-Type | ↔ | Media type of the body (e.g. application/json; charset=utf-8). |
| Content-Length | ↔ | Size of the body in bytes. |
| Content-Encoding | ↔ | Compression applied to the body (gzip, br, zstd). |
| Content-Language | ↔ | Natural language of the body (e.g. ko-KR). |
| Content-Disposition | ↔ | Whether the body is displayed inline or treated as an attachment to be downloaded, optionally with a filename. |
| Host | → | Host name (and optional port) of the server; required for HTTP/1.1. |
| User-Agent | → | Identifies the client software (browser, bot, library). |
| Accept | → | Media types the client can handle (e.g. text/html, application/json). |
| Accept-Encoding | → | Content encodings the client can decode (gzip, br). |
| Accept-Language | → | Preferred languages of the client (e.g. ko, en;q=0.8). |
| Referer | → | URL of the page that triggered the request (yes, misspelled in the spec). |
| Authorization | → | Credentials: Basic, Bearer, Digest, etc. Shared caches must not store the response unless Cache-Control explicitly allows it. |
| Range | → | Request only a portion of the resource (e.g. bytes=0-1023); a satisfiable range yields a 206 response. |
| If-None-Match | → | Conditional request: return the resource only if its ETag does not match, otherwise 304. |
| If-Modified-Since | → | Conditional request: return the resource only if it changed after the given date, otherwise 304. |
| Origin | → | Scheme + host + port (no path) of the context that initiated the request; sent with CORS requests and with non-GET requests in general. |
| Server | ← | Identifies the server software handling the request. A version string here is needless disclosure; many deployments trim it. |
| Location | ← | Target URL for redirects (3xx) or location of a newly created resource (201). |
| ETag | ← | Opaque identifier for a specific version of the resource; used with If-None-Match. |
| Last-Modified | ← | When the resource was last changed; used with If-Modified-Since. |
| Retry-After | ← | How long to wait before retrying (seconds or an HTTP-date); used with 429 and 503. |
| WWW-Authenticate | ← | Challenges the client to authenticate; sent with 401 responses. |
| Vary | ← | Lists request headers that affect this response; caches use it to key entries. |
| Allow | ← | HTTP methods allowed on the resource; sent with 405 responses. |
| Access-Control-Allow-Origin | ← | Which origin may read the response: a single exact origin or `*`. Cannot be `*` with credentials; when echoing the request Origin, add `Vary: Origin`. |
| Access-Control-Allow-Methods | ← | Methods allowed on the resource for cross-origin requests; sent in the preflight response. |
| Access-Control-Allow-Headers | ← | Custom request headers the client may include; sent in the preflight response. |
| Access-Control-Allow-Credentials | ← | Whether the response can be shared when credentials (cookies, basic auth, TLS client certificates) are sent. The only valid value is `true`. |
| Access-Control-Max-Age | ← | How long the browser may cache the preflight response, in seconds. |
| Access-Control-Expose-Headers | ← | Response headers JavaScript may read (beyond the default safelist). |
| Access-Control-Request-Method | → | In a preflight, the method the actual request will use. |
| Access-Control-Request-Headers | → | In a preflight, the custom headers the actual request will include. |
| Cache-Control | ↔ | Caching directives: max-age, no-store, public, private, immutable, etc. |
| Expires | ← | Absolute date after which the response is stale; ignored when Cache-Control: max-age is present. |
| Pragma | → | Legacy caching control; `Pragma: no-cache` for HTTP/1.0 compatibility. |
| Age | ← | Seconds the response has spent in caches since the origin generated it; set by caching proxies. |
| Strict-Transport-Security | ← | HSTS: forces future visits to use HTTPS for `max-age` seconds, optionally including subdomains and preload. Only honored when received over HTTPS. |
| Content-Security-Policy | ← | CSP: restricts which sources of scripts, styles, frames, etc. the browser may load. |
| X-Frame-Options | ← | Whether the page may be embedded in a frame: DENY, SAMEORIGIN. Superseded by CSP frame-ancestors. |
| X-Content-Type-Options | ← | `nosniff` disables MIME sniffing; the browser must trust the declared Content-Type. |
| Referrer-Policy | ← | Controls how much of the Referer URL is sent with outgoing requests. |
| Permissions-Policy | ← | Opts in/out of browser features (camera, microphone, geolocation, etc.) for the page and its frames. |
| Cross-Origin-Opener-Policy | ← | COOP: isolates the browsing context from cross-origin documents. Together with Cross-Origin-Embedder-Policy it enables cross-origin isolation, which SharedArrayBuffer requires. |
| Cross-Origin-Resource-Policy | ← | CORP: restricts which origins may load this resource. |
| Cookie | → | Cookies the client sends back to the server. |
| Set-Cookie | ← | Asks the client to store one or more cookies; attributes: Path, Domain, Max-Age, Secure, HttpOnly, SameSite. |
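The security rows of the table are easiest to apply as a checklist run over a real response. The following audit function is an added example written for this page, not code from the tool itself; the two sample responses are constructed for illustration and the thresholds (one year of HSTS, the three cookie attributes) are the usual practitioner defaults rather than anything the table mandates.

```javascript
// Added example (not part of the original page): audit a captured HTTP response
// against the security-relevant headers in the table above. Sample responses
// below are constructed for illustration, not real captures.

// Fold header names to lower case; keep Set-Cookie as an array since it repeats.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (key === 'set-cookie') out[key] = (out[key] || []).concat(value);
    else out[key] = String(value);
  }
  return out;
}

// Parse a "k=v; k2; k3=v3" directive list (HSTS, Cache-Control, Set-Cookie attributes).
// Bare directives map to true, valued ones to their string value.
function parseDirectives(value) {
  const dirs = {};
  for (const part of value.split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (!k) continue;
    dirs[k.toLowerCase()] = rest.length ? rest.join('=').trim() : true;
  }
  return dirs;
}

const ONE_YEAR = 31536000; // seconds; the minimum HSTS max-age for preload eligibility

// Returns a list of findings; an empty list means every check passed.
function auditResponseHeaders(rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const maxAge = Number(parseDirectives(hsts)['max-age']);
    if (!(maxAge >= ONE_YEAR)) findings.push(`HSTS max-age ${maxAge} is below one year`);
  }

  // Clickjacking: CSP frame-ancestors supersedes X-Frame-Options, so accept either.
  const csp = h['content-security-policy'] || '';
  if (!csp) findings.push('missing Content-Security-Policy');
  if (!/frame-ancestors/i.test(csp) && !h['x-frame-options']) {
    findings.push('no frame-ancestors directive and no X-Frame-Options');
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not nosniff');
  }

  // CORS: a wildcard origin combined with credentials is rejected by browsers and
  // usually signals an untested configuration.
  const acao = h['access-control-allow-origin'];
  const credentials = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (acao === '*' && credentials) findings.push('Access-Control-Allow-Origin: * with credentials');

  // Cookies: every Set-Cookie should carry Secure, HttpOnly and SameSite.
  for (const cookie of h['set-cookie'] || []) {
    const name = cookie.split('=')[0].trim();
    const attrs = parseDirectives(cookie);
    for (const required of ['secure', 'httponly', 'samesite']) {
      if (!(required in attrs)) findings.push(`cookie ${name} lacks ${required}`);
    }
  }

  // Informational: a versioned Server banner is needless disclosure.
  if (h['server']) findings.push(`Server header discloses: ${h['server']}`);
  return findings;
}

// Constructed sample: a weak response.
const weakResponse = {
  'Content-Type': 'text/html; charset=utf-8',
  'Server': 'Apache/2.4.57',
  'Strict-Transport-Security': 'max-age=86400',
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
  'Set-Cookie': [
    'session=abc123; Path=/; HttpOnly',
    'theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax',
  ],
};

// Constructed sample: the same response hardened.
const hardenedResponse = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Access-Control-Allow-Origin': 'https://app.example',
  'Access-Control-Allow-Credentials': 'true',
  'Vary': 'Origin',
  'Set-Cookie': 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax',
};

console.log(auditResponseHeaders(weakResponse));     // eight findings
console.log(auditResponseHeaders(hardenedResponse)); // []
```

The function deliberately accepts either `X-Frame-Options` or a CSP `frame-ancestors` directive, since the table notes the former is superseded by the latter; a stricter audit would also parse the CSP and flag `unsafe-inline`, which is out of scope here.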
Usage
- Type a header name (`cache-control`) or a keyword (`cors`, `redirect`) into the search box.
- Narrow the scope with the category chips, for example Security to compare CSP, HSTS and COOP.
- Use the copy button on each row to copy the header name.
FAQ
- Why is `Cache-Control` shown as bidirectional?
- Some headers, such as `Cache-Control`, `Content-Type`, `Date` and `Connection`, are valid in both requests and responses. The table marks them with `↔`.
- What is the difference between `Origin` and `Referer`?
- `Origin` is only scheme + host + port, with no path; browsers send it on CORS requests and on non-GET requests such as POST, which is why servers can use it for CSRF checks. `Referer` is the full URL of the previous page, used mostly for analytics, and `Referrer-Policy` controls how much of it is sent (full URL, origin only, or nothing).
- When are the CORS preflight headers used?
- When a fetch uses a non-simple method (`PUT`, `DELETE`), a custom request header, or a `Content-Type` outside the form/text safelist (for example `application/json`), the browser first sends an `OPTIONS` preflight. `Access-Control-Request-*` travel on the preflight and `Access-Control-Allow-*` on its response. Only if that response permits the method and headers does the actual request follow.
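The preflight rule above is easy to get wrong on both sides, so here is the exchange modelled end to end as an added example (written for this page, not the tool's own code): a client-side function that decides whether a fetch needs a preflight and builds the `OPTIONS` request, and a server-side function that answers it from an explicit allowlist. The origins, the custom `X-Request-Id` header and the policy object are constructed for illustration.

```javascript
// Added example (not part of the original page): the preflight exchange described
// above, with both sides simulated as plain functions. Origins, headers and the
// server allowlist are constructed for illustration.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
// CORS-safelisted request headers; Content-Type only counts when its media type is one of these.
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Client side: decide whether fetch() must preflight, and build the OPTIONS request.
// Returns null when the request is "simple" and goes out directly.
function buildPreflight(origin, method, headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
  const nonSafelisted = Object.keys(lower).filter((name) => {
    if (!SAFELISTED_HEADERS.has(name)) return true;
    if (name !== 'content-type') return false;
    const mediaType = lower[name].split(';')[0].trim().toLowerCase();
    return !SAFELISTED_CONTENT_TYPES.has(mediaType);
  });
  const upperMethod = method.toUpperCase();
  if (SAFELISTED_METHODS.has(upperMethod) && nonSafelisted.length === 0) return null;

  const preflight = {
    method: 'OPTIONS',
    headers: { Origin: origin, 'Access-Control-Request-Method': upperMethod },
  };
  if (nonSafelisted.length) {
    // Browsers send the names lower-cased, sorted and comma-joined.
    preflight.headers['Access-Control-Request-Headers'] = nonSafelisted.sort().join(', ');
  }
  return preflight;
}

// Server side: answer the preflight from an explicit allowlist. Anything not
// allowlisted gets no Access-Control-* headers at all, so the browser fails the fetch.
function handlePreflight(preflight, policy) {
  const origin = preflight.headers.Origin;
  const method = preflight.headers['Access-Control-Request-Method'];
  const requested = (preflight.headers['Access-Control-Request-Headers'] || '')
    .split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

  const denied = { status: 403, headers: {} };
  if (!policy.allowedOrigins.includes(origin)) return denied;
  if (!policy.allowedMethods.includes(method)) return denied;
  if (requested.some((h) => !policy.allowedHeaders.includes(h))) return denied;

  const headers = {
    // Echo the one allowlisted origin; never '*' once credentials are involved.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': policy.allowedMethods.join(', '),
    'Access-Control-Allow-Headers': policy.allowedHeaders.join(', '),
    'Access-Control-Max-Age': String(policy.maxAge),
    // The answer depends on Origin, so shared caches must key on it.
    Vary: 'Origin',
  };
  if (policy.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return { status: 204, headers };
}

// Constructed server policy.
const policy = {
  allowedOrigins: ['https://app.example'],
  allowedMethods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['content-type', 'x-request-id'],
  allowCredentials: true,
  maxAge: 600,
};

// A form POST is "simple": no preflight.
console.log(buildPreflight('https://app.example', 'POST',
  { 'Content-Type': 'application/x-www-form-urlencoded' }));       // null

// PUT with a JSON body and a custom header: preflight, then allowed.
const pf = buildPreflight('https://app.example', 'PUT',
  { 'Content-Type': 'application/json', 'X-Request-Id': 'r-42' });
console.log(pf.headers);                    // Origin, Access-Control-Request-Method/Headers
console.log(handlePreflight(pf, policy));   // status 204 with Access-Control-Allow-* headers

// The same request from an origin that is not allowlisted is refused.
console.log(handlePreflight(
  buildPreflight('https://evil.example', 'DELETE', {}), policy).status);  // 403
```

Two details matter in practice: a JSON `Content-Type` alone is enough to trigger the preflight even on a plain POST, and the server answers with the specific request origin plus `Vary: Origin` rather than `*`, because the policy allows credentials.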
Related tools
JWT Decoder
Inspect a JWT's header, claims and expiry instantly.
UUID Generator
Generate and copy several random version 4 UUIDs at once.
Hash Generator (SHA)
Compute SHA-1, SHA-256, SHA-384 and SHA-512 hashes of text.
URL Encoder / Decoder
Percent-encode text for use in URLs, or decode an encoded URL.
Base64 Encoder / Decoder
Encode text as Base64 or decode it back to text.
JSON Formatter & Validator
Format, sort, minify and validate JSON right in the browser.