Referência de Cabeçalhos HTTP
Desenvolvimento
Busca rápida pros cabeçalhos HTTP do dia a dia — o que fazem, se fluem na requisição, resposta ou ambos, e como se encaixam em CORS, cache, segurança e cookies. Filtre por categoria ou busque por nome e descrição.
—
| Cabeçalho | Descrição | ||
|---|---|---|---|
| Date | ↔ | Timestamp when the message was originated, in IMF-fixdate format. | |
| Connection | ↔ | Whether the network connection stays open after the current exchange (keep-alive / close). | |
| Transfer-Encoding | ↔ | How the message body is encoded for transfer — chunked, compress, deflate, gzip, identity. | |
| Content-Type | ↔ | Media type of the body (e.g. application/json; charset=utf-8). | |
| Content-Length | ↔ | Size of the body in bytes. | |
| Content-Encoding | ↔ | Compression applied to the body (gzip, br, zstd). | |
| Content-Language | ↔ | Natural language of the body (e.g. ko-KR). | |
| Content-Disposition | ↔ | Whether the body is displayed inline or treated as an attachment to be downloaded. | |
| Host | → | Domain name of the server (required for HTTP/1.1). | |
| User-Agent | → | Identifies the client software (browser, bot, library). | |
| Accept | → | Media types the client can handle (e.g. text/html, application/json). | |
| Accept-Encoding | → | Content encodings the client can decode (gzip, br). | |
| Accept-Language | → | Preferred languages of the client (e.g. ko, en;q=0.8). | |
| Referer | → | URL of the page that triggered the request — yes, misspelled in the spec. | |
| Authorization | → | Credentials — Basic, Bearer, Digest, etc. | |
| Range | → | Request only a portion of the resource (e.g. bytes=0-1023). Triggers a 206 response. | |
| If-None-Match | → | Conditional request — only return the resource if its ETag does not match. | |
| If-Modified-Since | → | Conditional request — only return the resource if changed since the given date. | |
| Origin | → | Scheme + host + port of the page that initiated a CORS or fetch request. | |
| Server | ← | Identifies the server software handling the request. | |
| Location | ← | Target URL for redirects (3xx) or location of a newly created resource (201). | |
| ETag | ← | Opaque identifier for a specific version of the resource — used with If-None-Match. | |
| Last-Modified | ← | When the resource was last changed — used with If-Modified-Since. | |
| Retry-After | ← | How long to wait before retrying — used with 429 and 503. | |
| WWW-Authenticate | ← | Challenges the client to authenticate — sent with 401 responses. | |
| Vary | ← | Lists request headers that affect this response — caches use it to key entries. | |
| Allow | ← | HTTP methods allowed on the resource — sent with 405 responses. | |
| Access-Control-Allow-Origin | ← | Which origin(s) may read the response — exact origin or `*`. Cannot be `*` with credentials. | |
| Access-Control-Allow-Methods | ← | Methods allowed on the resource for cross-origin requests — sent in the preflight response. | |
| Access-Control-Allow-Headers | ← | Custom request headers the client may include — sent in the preflight response. | |
| Access-Control-Allow-Credentials | ← | Whether the response can be shared when credentials (cookies, basic auth) are sent. | |
| Access-Control-Max-Age | ← | How long the browser may cache the preflight response, in seconds. | |
| Access-Control-Expose-Headers | ← | Response headers JavaScript may read (beyond the default safelist). | |
| Access-Control-Request-Method | → | In a preflight, the method the actual request will use. | |
| Access-Control-Request-Headers | → | In a preflight, the custom headers the actual request will include. | |
| Cache-Control | ↔ | Caching directives — max-age, no-store, public, private, immutable, etc. | |
| Expires | ← | Absolute date after which the response is stale — Cache-Control: max-age takes precedence. | |
| Pragma | → | Legacy caching control — `Pragma: no-cache` for HTTP/1.0 compatibility. | |
| Age | ← | How long ago (seconds) the response was generated by the origin, per the proxy. | |
| Strict-Transport-Security | ← | HSTS — forces future visits to use HTTPS, optionally including subdomains and preload. | |
| Content-Security-Policy | ← | CSP — restricts which sources of scripts, styles, frames, etc. the browser may load. | |
| X-Frame-Options | ← | Whether the page may be embedded in a frame — DENY, SAMEORIGIN. Superseded by CSP frame-ancestors. | |
| X-Content-Type-Options | ← | `nosniff` disables MIME sniffing — the browser must trust the declared Content-Type. | |
| Referrer-Policy | ← | Controls how much of the Referer URL is sent with outgoing requests. | |
| Permissions-Policy | ← | Opts in/out of browser features (camera, microphone, geolocation, etc.) for the page and its frames. | |
| Cross-Origin-Opener-Policy | ← | COOP — isolates the browsing context from cross-origin documents. Required for SharedArrayBuffer. | |
| Cross-Origin-Resource-Policy | ← | CORP — restricts which origins may load this resource. | |
| Cookie | → | Cookies the client sends back to the server. | |
| Set-Cookie | ← | Asks the client to store one or more cookies — attributes: Path, Domain, Max-Age, Secure, HttpOnly, SameSite. |
Como usar
- Digite um nome de cabeçalho (`cache-control`) ou palavra-chave (`cors`, `redirect`) na busca.
- Escolha um chip de categoria pra filtrar — ex. Segurança pra comparar CSP, HSTS, COOP.
- Clique em copiar em qualquer linha pra copiar o nome.
Perguntas frequentes
- Por que `Cache-Control` aparece em ambas direções?
- Alguns cabeçalhos — `Cache-Control`, `Content-Type`, `Date`, `Connection` — são válidos tanto em requisições quanto respostas. A tabela marca esses com `↔`.
- Diferença entre `Origin` e `Referer`?
- `Origin` é só scheme + host + port; é enviado em CORS e POST. `Referer` é a URL completa da página anterior, principalmente pra analytics — `Referrer-Policy` controla quanto vaza.
- Quando os cabeçalhos CORS preflight são usados?
- Quando um fetch usa método não simples (`PUT`, `DELETE`) ou cabeçalhos customizados, o navegador envia primeiro um preflight `OPTIONS`. `Access-Control-Request-*` vão no preflight; `Access-Control-Allow-*` voltam; a requisição real segue se o preflight permitiu.
Ferramentas relacionadas
Decodificador JWT
Decodifique um JSON Web Token para inspecionar cabeçalho, claims e expiração.
Desenvolvimento00
Gerador de UUID
Gere UUIDs v4 aleatórios em lote, com cópia.
Desenvolvimento00
Gerador de Hash (SHA)
Gere hashes SHA-1, SHA-256, SHA-384 e SHA-512 a partir de texto.
Desenvolvimento00
Codificador / Decodificador de URL
Codifique texto para URLs em porcentagem, ou decodifique URLs em texto.
Desenvolvimento00
Codificador / Decodificador Base64
Codifique texto em Base64 ou decodifique Base64 de volta em texto.
Desenvolvimento00
Formatador e Validador de JSON
Formate, embeleze, minifique e valide JSON no seu navegador.
Desenvolvimento00