What are HTTP headers? Request and Response Metadata Guide

Every time you browse a website, stream a video, or check your email, HTTP headers are working behind the scenes to make these interactions possible. These key-value pairs carry essential metadata that tells servers and clients how to communicate, what data formats to expect, and how to handle security and caching.

Headers define how every API communicates. Getting them right is essential for reliability, performance, and security. This guide explains what HTTP headers are, how they work, the most common types you’ll encounter, and how to test and validate them effectively in Postman.

Related: What is HTTP?

The structure of HTTP headers

Every HTTP header follows a simple format:

Header-Name: header-value

Headers are case-insensitive for the name portion but case-sensitive for values. Multiple headers can be included in a single request or response, with each header on its own line.

Example request

GET /api/users/123 HTTP/1.1
Host: api.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Content-Type: application/json

Example response

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 348
Cache-Control: max-age=3600
Set-Cookie: sessionId=abc123; HttpOnly; Secure

How HTTP headers work

HTTP headers facilitate communication throughout the entire request-response cycle. When a client initiates a request, it includes headers that provide context about what it expects and what it can handle. The server then processes these headers and returns a response with its own set of headers.

The request-response flow:

1. Client prepares the request: The browser or application assembles an HTTP request with relevant headers that describe what it wants and what formats it can accept.

2. Headers travel with the request: The headers accompany the request as it traverses the network to the server.

3. Server processes headers: The server examines the request headers to understand authentication, preferred response formats, caching directives, and other metadata.

4. Server generates response: Based on the request headers and its own logic, the server creates a response with appropriate response headers.

5. Client receives and processes response: The client interprets the response headers to determine how to handle the returned data, including caching, security policies, and content rendering.

This bidirectional communication through headers enables sophisticated behaviors like content negotiation (serving different formats based on client capabilities), conditional requests (only sending data if it has changed), and stateful sessions (maintaining user context across multiple requests).

Types of HTTP headers

HTTP headers fall into several categories based on their purpose and where they appear in the communication cycle:

• Request headers: Sent from the client to the server, containing information about the request, the client’s capabilities, and what the client expects in return.

• Response headers: Sent from the server to the client, providing metadata about the response, including how the client should handle the returned data.

• Representation headers: Describe the encoding, format, and other characteristics of the message body in both requests and responses.

• Payload headers: Contain information about the payload data, including content length, encoding, and range information for partial content delivery.

Common HTTP request headers

Request headers communicate the client’s needs, capabilities, and credentials to the server.

Accept

The Accept header defines the media types that the client can process and which formats it prefers. For example, Accept: application/json, text/html indicates that the client prefers JSON or HTML responses.

Accept: application/json
Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8

The q parameter indicates preference weight, with values from 0 to 1 (default is 1).

User-Agent

The User-Agent header identifies the web browser or client application making the request, which enables the server to tailor its response to the client’s capabilities.

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
User-Agent: PostmanRuntime/7.32.3

Authorization

The Authorization header is used to send the client’s credentials to the server when accessing protected resources. This header supports various authentication schemes, including Bearer tokens, Basic authentication, and API keys. For instance, the client might include a JSON Web Token (JWT) as the value of the header, which the server will then verify before returning the requested resource.

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
Authorization: ApiKey sk_live_abc123xyz789

Content-Type

The Content-Type header identifies the media type of the content in the request body. For example, Content-Type: application/json indicates that the request body contains JSON data.

Content-Type: application/json
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data

Cookie

The client uses the Cookie header to send previously stored cookies back to the server. The server uses these cookies to associate the request with a specific user or session.

Cookie: sessionId=abc123; userId=456; theme=dark

Accept-Language

The Accept-Language header indicates the client’s preferred natural languages for the response content.

Accept-Language: en-US,en;q=0.9,es;q=0.8

Accept-Encoding

The Accept-Encoding header tells the server which compression algorithms the client supports, allowing the server to compress the response body and reduce bandwidth usage.

Accept-Encoding: gzip, deflate, br

Referer

The Referer header (note the historical misspelling) indicates the URL of the page that linked to the currently requested resource. This helps servers understand where traffic is coming from.

Referer: https://www.example.com/previous-page

If-Modified-Since

The If-Modified-Since header enables conditional requests by asking the server to return the resource only if it has been modified after a specific date.

If-Modified-Since: Wed, 21 Oct 2023 07:28:00 GMT

Common HTTP response headers

Response headers provide crucial information about how clients should handle the server’s response.

Content-Type

The Content-Type header indicates the media type of the returned content.

Content-Type: application/json; charset=utf-8
Content-Type: text/html; charset=UTF-8
Content-Type: image/png

Cache-Control

The Cache-Control header controls caching behavior in the client’s browser or intermediate caches. It defines how the response can be cached, when it expires, and how it should be revalidated.

Cache-Control: max-age=3600, public
Cache-Control: no-cache, no-store, must-revalidate
Cache-Control: private, max-age=0

Server

The Server header includes the name and version of the server software that generated the response.

Server: Apache/2.4.10 (Unix)
Server: nginx/1.21.0
Server: Cloudflare

Set-Cookie

The Set-Cookie header instructs the client to store a cookie with the specified name, value, and attributes, such as expiration, domain, path, and security flags.

Set-Cookie: sessionId=abc123; Expires=Wed, 09 Jun 2024 10:18:14 GMT
Set-Cookie: userId=456; HttpOnly; Secure; SameSite=Strict

Content-Length

The Content-Length header specifies the size of the response body in bytes.

Content-Length: 348

Location

The Location header is used in redirect responses (3xx status codes) and indicates where the client should navigate next.

Location: https://api.example.com/users/12345
Location: /dashboard

ETag

The ETag (Entity Tag) header provides a unique identifier for a specific version of a resource.

ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"

Access-Control-Allow-Origin

The Access-Control-Allow-Origin header specifies which origins can access the resource from a browser context.

Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: https://www.example.com

Strict-Transport-Security

The Strict-Transport-Security (HSTS) header tells browsers to only access the site using HTTPS, enhancing security by preventing downgrade attacks.

Strict-Transport-Security: max-age=31536000; includeSubDomains

Security-related HTTP headers

Security headers protect applications from attacks and vulnerabilities by instructing browsers on how to handle content safely.

Content-Security-Policy

Prevents cross-site scripting (XSS) by controlling which resources the browser can load.

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'

X-Content-Type-Options

Prevents browsers from MIME-sniffing a response away from the declared content type.

X-Content-Type-Options: nosniff

X-Frame-Options

Protects against clickjacking attacks by controlling whether a page can be displayed in a frame.

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

X-XSS-Protection

Enables the browser’s built-in XSS filtering capabilities.

X-XSS-Protection: 1; mode=block

Custom HTTP headers

Beyond standard headers, developers can create custom headers to pass application-specific information.

X-Request-ID: f058ebd6-02f7-4d3f-942e-904344e8cde5
X-RateLimit-Remaining: 95
API-Version: 2.0

Custom headers enable functionality such as request tracing, API versioning, rate-limiting communication, and feature flags.

Best practices for using HTTP headers

Keep headers concise

Avoid unnecessary or redundant headers to reduce the size of both requests and responses.

Leverage caching headers

Use caching headers to reduce load on the server and improve response times.

Prioritize security

Never include sensitive data such as passwords or API keys in plain-text headers. Always use HTTPS to encrypt header data in transit.

Safely handle Cross-Origin Resource Sharing (CORS)

Configure CORS carefully to prevent unauthorized access. Avoid using Access-Control-Allow-Origin: * for authenticated endpoints.

Use appropriate compression

Enable compression through the Accept-Encoding and Content-Encoding headers to reduce bandwidth usage.

Document your headers

Document all expected request and response headers in your API documentation, and include example values and descriptions.

Common mistakes to avoid

• Sending excessive headers: Large headers slow down communication.

• Ignoring security headers: Omitting headers like Strict-Transport-Security or Content-Security-Policy exposes vulnerabilities.

• Improper CORS configuration: Avoid overly permissive origins.

• Exposing server information: Limit or remove the Server header in production.

• Not validating header values: Sanitize input to prevent injection attacks.

• Misconfiguring cache headers: Avoid caching sensitive data.

Testing HTTP headers in Postman

Postman makes it easy to work with HTTP headers during development and testing. Developers and QA teams can design, inspect, and automate header validation within the same workspace to maintain consistency across the entire API lifecycle.

Inspect and modify request headers

Add or edit headers directly in the Headers tab. Postman automatically adds common headers and lets you override them to simulate real-world requests.

Reuse common headers

Use header presets to group and reuse common header sets across multiple requests (such as authentication tokens or version headers).

Validate response headers with tests

You can write automated tests to confirm that your API responses include required headers:

pm.test("Content-Type header is correct", function () {
    pm.response.to.have.header("Content-Type");
    pm.expect(pm.response.headers.get("Content-Type")).to.include("application/json");
});

pm.test("Cache-Control is set", function () {
    pm.response.to.have.header("Cache-Control");
});

Run these tests manually, with the Collection Runner, or through your CI/CD pipelines using the Postman CLI.

Monitor header compliance

Postman Monitors can schedule tests to run automatically across environments, ensuring your headers (such as security or caching directives) stay correctly configured over time.

Quick Reference

Question	Answer
What are HTTP headers?	Metadata sent with HTTP requests and responses that provide context about the communication.
Where do headers go?	Between the request/response line and the body, before any payload data.
Are header names case-sensitive?	No, but header values are case-sensitive.
Can I create custom headers?	Yes, though standard headers should be used when available.
Do all requests need headers?	The Host header is required for HTTP/1.1; other headers are optional but recommended.
How many headers can I include?	No hard limit, but keep requests lightweight for performance.

Headers might seem small, but they define how APIs communicate securely and efficiently. From authentication to caching, they play a critical role in every phase of the API lifecycle.

Postman makes it easy to inspect, test, and automate header behavior, helping teams catch issues early and enforce standards consistently.