Why HTTP Headers Matter
HTTP headers carry metadata about the request or response. They control caching, authentication, content negotiation, security policies, and much more. Understanding headers is key to debugging web applications.
Request Headers
Host
Specifies the domain name of the server. Required in HTTP/1.1.
Host: api.example.com
Authorization
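Carries authentication credentials. A Basic value is only the Base64 encoding of username:password, not encryption, so anyone who can read the header can read the credentials.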
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
Accept
Tells the server which content types the client can handle.
Accept: application/json
Accept: text/html, application/xhtml+xml
User-Agent
Identifies the client software. Useful for analytics but easily spoofed.
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Response Headers
Content-Type
Describes the media type of the response body.
Content-Type: application/json; charset=utf-8
Content-Type: text/html; charset=utf-8
Set-Cookie
Sets cookies in the browser.
Set-Cookie: session_id=abc123; HttpOnly; Secure; SameSite=Strict; Max-Age=3600
Location
Used with 3xx redirects and 201 Created to point to a URL.
Location: https://example.com/new-page
Caching Headers
- Cache-Control — Primary cache directive (max-age, no-cache, no-store)
- ETag — Resource fingerprint for conditional requests
- Last-Modified — Timestamp of last change
- Expires — Legacy header (use Cache-Control instead)
Security Headers
- Strict-Transport-Security — Force HTTPS
- Content-Security-Policy — Control resource loading
- X-Content-Type-Options: nosniff — Prevent MIME sniffing
- X-Frame-Options: DENY — Prevent clickjacking
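To check a response against the security headers above and the cookie attributes shown under Set-Cookie, the following added example (not part of the original page) audits a raw header block such as saved `curl -I` output. The function names, the finding messages and the sample response are assumptions made for illustration.

```python
# Added example: audit raw response headers against the headers and cookie
# attributes listed on this page. SAMPLE is constructed for illustration.
EXPECTED = {                      # header -> required value (None = any value)
    "strict-transport-security": None,
    "content-security-policy": None,
    "x-content-type-options": "nosniff",
    "x-frame-options": "deny",
}
COOKIE_ATTRS = ("httponly", "secure", "samesite")

def parse_headers(raw):
    """Return (lowercased name, value) pairs, keeping repeated headers."""
    pairs = []
    for line in raw.splitlines()[1:]:        # first line is the status line
        if not line.strip():
            break                            # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw):
    """Return a sorted list of findings for one response."""
    pairs = parse_headers(raw)
    first = {}
    for name, value in pairs:
        first.setdefault(name, value)        # first occurrence wins for the check
    findings = []
    for name, want in EXPECTED.items():
        if name not in first:
            findings.append(f"missing header: {name}")
        elif want and first[name].lower() != want:
            findings.append(f"{name}: got {first[name]!r}, page recommends {want!r}")
    for name, value in pairs:                # every Set-Cookie line is checked
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {p.split("=", 1)[0].strip().lower() for p in value.split(";")[1:]}
            findings += [f"cookie {cookie}: missing {a}" for a in COOKIE_ATTRS if a not in attrs]
    return sorted(findings)

SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Set-Cookie: session_id=abc123; HttpOnly; Secure; SameSite=Strict; Max-Age=3600
Set-Cookie: theme=dark; Max-Age=3600
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Header names are compared case-insensitively, and each Set-Cookie line is audited separately because a response can set several cookies with different attributes.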
Debugging Headers
# View response headers
curl -I https://example.com
# View request and response headers (verbose)
curl -v https://example.com 2>&1 | grep -E '^[<>]'
Key Takeaway
Learn these headers and you can debug 90% of web issues: Content-Type, Authorization, Cache-Control, Set-Cookie, Location, and Access-Control-Allow-Origin.