Why is some `Cache-Control` flagged both directions?

Some headers — `Cache-Control`, `Content-Type`, `Date`, `Connection` — are valid on both requests and responses. The table marks those with `↔`.

What's the difference between `Origin` and `Referer`?

`Origin` is just scheme + host + port; it's sent on CORS and POST requests. `Referer` is the full URL of the previous page and is mostly for analytics — `Referrer-Policy` controls how much of it leaks.

When are CORS preflight headers used?

When a fetch uses a non-simple method (`PUT`, `DELETE`) or sets custom headers, the browser first sends an `OPTIONS` preflight. `Access-Control-Request-*` go on that preflight; `Access-Control-Allow-*` come back; the actual request follows if the preflight allowed it.

HTTP Headers Reference

Developer

Quick lookup for the HTTP headers you reach for every day — what they do, whether they flow request-side, response-side, or both, and how they fit in CORS, caching, security, and cookies. Filter by category or search across name and description.

—

Header		Description
Date	↔	Timestamp when the message was originated, in IMF-fixdate format.
Connection	↔	Whether the network connection stays open after the current exchange (keep-alive / close).
Transfer-Encoding	↔	How the message body is encoded for transfer — chunked, compress, deflate, gzip, identity.
Content-Type	↔	Media type of the body (e.g. application/json; charset=utf-8).
Content-Length	↔	Size of the body in bytes.
Content-Encoding	↔	Compression applied to the body (gzip, br, zstd).
Content-Language	↔	Natural language of the body (e.g. ko-KR).
Content-Disposition	↔	Whether the body is displayed inline or treated as an attachment to be downloaded.
Host	→	Domain name of the server (required for HTTP/1.1).
User-Agent	→	Identifies the client software (browser, bot, library).
Accept	→	Media types the client can handle (e.g. text/html, application/json).
Accept-Encoding	→	Content encodings the client can decode (gzip, br).
Accept-Language	→	Preferred languages of the client (e.g. ko, en;q=0.8).
Referer	→	URL of the page that triggered the request — yes, misspelled in the spec.
Authorization	→	Credentials — Basic, Bearer, Digest, etc.
Range	→	Request only a portion of the resource (e.g. bytes=0-1023). Triggers a 206 response.
If-None-Match	→	Conditional request — only return the resource if its ETag does not match.
If-Modified-Since	→	Conditional request — only return the resource if changed since the given date.
Origin	→	Scheme + host + port of the page that initiated a CORS or fetch request.
Server	←	Identifies the server software handling the request.
Location	←	Target URL for redirects (3xx) or location of a newly created resource (201).
ETag	←	Opaque identifier for a specific version of the resource — used with If-None-Match.
Last-Modified	←	When the resource was last changed — used with If-Modified-Since.
Retry-After	←	How long to wait before retrying — used with 429 and 503.
WWW-Authenticate	←	Challenges the client to authenticate — sent with 401 responses.
Vary	←	Lists request headers that affect this response — caches use it to key entries.
Allow	←	HTTP methods allowed on the resource — sent with 405 responses.
Access-Control-Allow-Origin	←	Which origin(s) may read the response — exact origin or ``. Cannot be `` with credentials.
Access-Control-Allow-Methods	←	Methods allowed on the resource for cross-origin requests — sent in the preflight response.
Access-Control-Allow-Headers	←	Custom request headers the client may include — sent in the preflight response.
Access-Control-Allow-Credentials	←	Whether the response can be shared when credentials (cookies, basic auth) are sent.
Access-Control-Max-Age	←	How long the browser may cache the preflight response, in seconds.
Access-Control-Expose-Headers	←	Response headers JavaScript may read (beyond the default safelist).
Access-Control-Request-Method	→	In a preflight, the method the actual request will use.
Access-Control-Request-Headers	→	In a preflight, the custom headers the actual request will include.
Cache-Control	↔	Caching directives — max-age, no-store, public, private, immutable, etc.
Expires	←	Absolute date after which the response is stale — Cache-Control: max-age takes precedence.
Pragma	→	Legacy caching control — `Pragma: no-cache` for HTTP/1.0 compatibility.
Age	←	How long ago (seconds) the response was generated by the origin, per the proxy.
Strict-Transport-Security	←	HSTS — forces future visits to use HTTPS, optionally including subdomains and preload.
Content-Security-Policy	←	CSP — restricts which sources of scripts, styles, frames, etc. the browser may load.
X-Frame-Options	←	Whether the page may be embedded in a frame — DENY, SAMEORIGIN. Superseded by CSP frame-ancestors.
X-Content-Type-Options	←	`nosniff` disables MIME sniffing — the browser must trust the declared Content-Type.
Referrer-Policy	←	Controls how much of the Referer URL is sent with outgoing requests.
Permissions-Policy	←	Opts in/out of browser features (camera, microphone, geolocation, etc.) for the page and its frames.
Cross-Origin-Opener-Policy	←	COOP — isolates the browsing context from cross-origin documents. Required for SharedArrayBuffer.
Cross-Origin-Resource-Policy	←	CORP — restricts which origins may load this resource.
Cookie	→	Cookies the client sends back to the server.
Set-Cookie	←	Asks the client to store one or more cookies — attributes: Path, Domain, Max-Age, Secure, HttpOnly, SameSite.

How to use

Type a header name (`cache-control`) or keyword (`cors`, `redirect`) in the search box.
Pick a category chip to narrow down — e.g. Security to compare CSP, HSTS, COOP.
Click copy on any row to copy the header name.

Frequently asked questions

Why is some `Cache-Control` flagged both directions?: Some headers — `Cache-Control`, `Content-Type`, `Date`, `Connection` — are valid on both requests and responses. The table marks those with `↔`.
What's the difference between `Origin` and `Referer`?: `Origin` is just scheme + host + port; it's sent on CORS and POST requests. `Referer` is the full URL of the previous page and is mostly for analytics — `Referrer-Policy` controls how much of it leaks.
When are CORS preflight headers used?: When a fetch uses a non-simple method (`PUT`, `DELETE`) or sets custom headers, the browser first sends an `OPTIONS` preflight. `Access-Control-Request-*` go on that preflight; `Access-Control-Allow-*` come back; the actual request follows if the preflight allowed it.