Network 8 min read

HTTP Headers: The Developer's Guide to CORS, Cache & Security Headers

Understand every important HTTP response header — from Cache-Control and CORS to Content-Security-Policy and Strict-Transport-Security. Parse raw headers into clean key-value tables for debugging.

ToolsVito Team

Why Headers Matter

Every HTTP response carries two payloads: the body (HTML, JSON, image data) and the headers (metadata about the response). Headers control how the browser caches the response, whether JavaScript can access it cross-origin, which security policies apply, how the content is encoded, and dozens of other behaviors. Misconfigure one header and your site might be uncacheable, vulnerable to clickjacking, or broken in cross-origin requests.

CORS Headers

Cross-Origin Resource Sharing headers control which origins can access a resource from JavaScript. The key headers:

Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400
  • Access-Control-Allow-Origin: The origin permitted to read the response: * for public APIs, a specific origin for authenticated endpoints.
  • Access-Control-Allow-Credentials: Must be true if requests include cookies or auth headers. Cannot be combined with a * origin.
  • Preflight (OPTIONS): The browser sends an OPTIONS request before cross-origin requests with non-simple methods or headers. The server must respond with the right CORS headers or the real request never fires.

Cache Headers

Cache-Control: public, max-age=31536000, immutable
ETag: "abc123"
Last-Modified: Tue, 23 Jun 2026 10:00:00 GMT
  • Cache-Control: max-age — seconds the response is fresh. Set high for versioned assets (max-age=31536000 for a year), low for HTML pages.
  • Cache-Control: public vs. private — public allows CDN caching; private restricts to the browser only (use for authenticated pages).
  • ETag: A fingerprint the browser sends back in If-None-Match. If the resource is unchanged, the server returns 304 Not Modified, which saves bandwidth.
  • Cache-Control: no-cache — counterintuitively, this doesn't prevent caching. It means "cache it, but revalidate before use." Use no-store to truly prevent caching.

Security Headers You Should Always Set

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
  • CSP: Declares which sources can load scripts, styles, images, and fonts. The single most effective defense against XSS. Start restrictive and loosen as needed.
  • HSTS: Tells browsers to always use HTTPS for this domain, even if the user types http://. The preload directive submits your domain to browser HSTS preload lists.
  • X-Content-Type-Options: nosniff: Prevents MIME-type sniffing — stops browsers from guessing that a .txt file is actually HTML.
  • X-Frame-Options: Prevents your site from being embedded in iframes on other domains (clickjacking defense).

Parse Headers Instantly

Paste raw HTTP response headers into ToolsVito's HTTP Headers Parser to get a clean key-value table organized by header group. Quickly spot missing security headers, debug CORS issues, and understand caching behavior.
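As an added example (not the ToolsVito parser's own code), here is a small Python script that does what the paragraph describes: it parses raw response headers into a table grouped into CORS, cache and security headers, then flags the misconfigurations covered in this article. The sample response is constructed, and the prefix-based grouping is my own choice.

```python
import re

# Constructed sample response (not captured from a real site): it carries every
# security header from this article except X-Frame-Options, and pairs a
# wildcard CORS origin with credentials.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: application/json
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Cache-Control: no-cache
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
"""

# Header-name prefixes per group; "Security" doubles as the must-have list.
GROUPS = {
    "CORS": ("access-control-",),
    "Cache": ("cache-control", "etag", "last-modified", "expires", "vary"),
    "Security": ("content-security-policy", "strict-transport-security",
                 "x-content-type-options", "x-frame-options"),
}

def parse_headers(raw):
    """Turn raw response headers into {group: {name: value}} (names lowercased)."""
    grouped = {g: {} for g in (*GROUPS, "Other")}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # skips the status line and blank lines
        name, value = (part.strip() for part in line.split(":", 1))
        name = name.lower()
        group = next((g for g, p in GROUPS.items() if name.startswith(p)), "Other")
        grouped[group][name] = value
    return grouped

def audit(grouped):
    """Flag the misconfigurations this article warns about."""
    sec, cors, cache = grouped["Security"], grouped["CORS"], grouped["Cache"]
    findings = [f"missing {h}" for h in GROUPS["Security"] if h not in sec]
    if (cors.get("access-control-allow-origin") == "*"
            and cors.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("Allow-Credentials: true with a * origin (browsers reject it)")
    if re.search(r"script-src[^;]*'unsafe-inline'", sec.get("content-security-policy", "")):
        findings.append("CSP script-src allows 'unsafe-inline' (weakens XSS protection)")
    cc = cache.get("cache-control", "")
    if "no-cache" in cc and "no-store" not in cc:
        findings.append("no-cache only forces revalidation; use no-store to block caching")
    return findings

if __name__ == "__main__":
    print(*audit(parse_headers(SAMPLE)), sep="\n")
```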
