ops@toolbox:~$ httpheadersreference --run

HTTP Headers Reference

Searchable reference of the HTTP request and response headers that matter in operations.

HeaderDirPurpose & notes
HostreqWhich virtual host the client wants. Mandatory in HTTP/1.1; how one IP serves many sites.
AuthorizationreqCredentials: Basic base64(user:pass), or Bearer . Never log this header.
User-AgentreqClient self-identification. Parse for analytics, never for access control.
Accept / Accept-EncodingreqContent negotiation: formats and compressions the client understands (gzip, br, zstd).
Cookie / Set-CookiebothSession state. Set-Cookie flags matter: Secure, HttpOnly, SameSite defend against theft and CSRF.
X-Forwarded-ForreqClient IP chain appended by each proxy. Trivially spoofable by the client, trust only the entry your own proxy appended.
X-Forwarded-Proto / X-Real-IPreqOriginal scheme and client IP as seen by your edge proxy. Apps behind TLS-terminating proxies need these to build correct URLs.
ForwardedreqRFC 7239 standardised replacement for the X-Forwarded-* family. Adoption still partial.
Cache-ControlbothThe caching contract: no-store, no-cache, max-age, s-maxage, private/public, immutable. The most misunderstood header in HTTP.
ETag / If-None-MatchbothValidator pair enabling 304 Not Modified. Beware: default nginx/Apache ETags differ per server, breaking caching behind load balancers.
Last-Modified / If-Modified-SincebothTimestamp-based validation; weaker than ETags (1-second resolution).
ExpiresresLegacy absolute expiry; Cache-Control max-age wins when both present.
VaryresWhich request headers the cached response depends on (e.g. Accept-Encoding). Wrong Vary = users served each other's content.
LocationresTarget of a 3xx redirect (or URL of a 201-created resource).
Content-TyperesMIME type + charset. Wrong type breaks browsers subtly; X-Content-Type-Options: nosniff makes them believe you.
Content-Length / Transfer-EncodingbothBody size, or chunked streaming. Conflicts between the two are the root of request-smuggling attacks.
Content-Dispositionresattachment; filename=… forces download instead of inline rendering.
Strict-Transport-SecurityresHSTS: browsers refuse plain HTTP for max-age seconds. Test with a short age before setting a year; includeSubDomains is a commitment.
Content-Security-PolicyresWhitelist of script/style/img sources, the strongest XSS mitigation. Deploy with Content-Security-Policy-Report-Only first.
X-Frame-OptionsresDENY / SAMEORIGIN against clickjacking. Superseded by CSP frame-ancestors but still worth sending.
X-Content-Type-Optionsresnosniff, disables MIME guessing. No reason not to send it everywhere.
Referrer-PolicyresHow much of the current URL leaks in the Referer header of outbound requests. strict-origin-when-cross-origin is the sane default.
Access-Control-Allow-OriginresCORS: which origins may read this response from JavaScript. * is fine for public data, forbidden with credentials.
Access-Control-Allow-Methods / -HeadersresCORS preflight answers: permitted methods and custom headers for the OPTIONS check.
Retry-AfterresSeconds (or date) to wait, sent with 429 and 503. Well-behaved clients honour it; your rate limiter should send it.
WWW-AuthenticateresSent with 401 to describe the expected auth scheme (Basic realm=…, Bearer).
ServerresSoftware self-identification. Common hardening step: suppress the version (server_tokens off).
Connection / Keep-AlivebothHop-by-hop connection management (HTTP/1.1). Must not be forwarded by proxies.
UpgradereqProtocol switch request, how WebSocket handshakes begin (Upgrade: websocket).
Range / Content-RangebothPartial content: resumed downloads and video seeking (206 responses).

Debugging with headers

Headers are where HTTP problems confess. curl -sI https://site/ (or -sv for both directions) shows them raw; browser devtools' Network tab shows them per request. The usual suspects by symptom: stale content → Cache-Control, ETag, Vary; login loops behind a proxy → missing X-Forwarded-Proto making the app generate http:// URLs; CORS errors → the Access-Control-* family on the server's response (CORS is never fixed client-side); mysterious 411/400s → Content-Length vs Transfer-Encoding disagreements.

The security six

A static site can ship a respectable security posture in six response headers: Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and a trimmed Server. The first two deserve care: HSTS with a year's max-age on a domain that later needs plain HTTP is self-inflicted downtime, and CSP deployed without a report-only trial period breaks inline scripts you forgot existed. The others are effectively free.

Trust boundaries

Any header the client sends is attacker-controlled: X-Forwarded-For can be pre-populated with garbage, User-Agent lies, and custom auth headers must be stripped and re-set at your edge. The operational rule: your reverse proxy overwrites or appends identity headers, and applications trust only the proxy, enforced by network placement, not politeness.

Related tools

DNS Record Types
Searchable reference of DNS record types with practical notes.
Linux Signals Reference
kill -9 and friends: every signal a sysadmin meets, with default actions and notes.
tar Command Examples
The tar invocations you actually need: create, extract, list, compress, exclude.
rsync Command Examples
The rsync invocations that matter: mirror, dry-run, delete, resume, bandwidth limits.