Orlixio


How to read HTTP headers

HTTP headers carry metadata that explains how an API response should be parsed, cached, authenticated, and traced.

Table of contents

  1. What headers are for
  2. Important headers to inspect
  3. Duplicates and casing
  4. Privacy while sharing headers

What headers are for

Headers are metadata attached to HTTP requests and responses. They can describe body format, accepted formats, caching, cookies, authentication, redirects, compression, CORS, tracing, and rate limits.

A response body may show the data, but headers often explain why the browser or API client behaved a certain way.

Important headers to inspect

Content-Type tells you whether the body is JSON, HTML, text, or another format. Authorization and WWW-Authenticate explain authentication. Cache-Control, ETag, and Last-Modified explain caching. Location appears with redirects. Retry-After and rate limit headers explain throttling.

Request IDs and trace headers are valuable when asking backend teams to find a specific request in logs.

Duplicates and casing

Header names are case-insensitive, so Content-Type and content-type refer to the same header. Some headers can appear more than once, and tooling should avoid silently dropping duplicates.

Parsing headers into structured JSON makes duplicates and values easier to inspect, especially after copying raw output from cURL or DevTools.

Privacy while sharing headers

Headers can expose tokens, cookies, user identifiers, internal infrastructure, and request tracing values. Redact sensitive values before sharing screenshots or logs in public places.

When reporting bugs, include safe metadata: status code, content type, cache behavior, request ID, and a redacted auth state description.
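The two sections above (duplicates and casing, and privacy while sharing) can be combined in one small tool. This is an added example, not code from the original page: it parses pasted headers into structured JSON without dropping duplicates, then masks sensitive values. The function names, the `[REDACTED]` marker and the sample headers are assumptions constructed for illustration.

```python
import json

# Names the page lists as sensitive; pass extra_sensitive for internal headers.
SENSITIVE = {"authorization", "cookie", "set-cookie"}
MASK = "[REDACTED]"

# Constructed sample, as copied from `curl -i` output (not real traffic).
SAMPLE = """HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-cache
cache-control: no-store
Set-Cookie: session=abc123; Path=/; HttpOnly
Set-Cookie: theme=dark; Path=/
X-Request-Id: req-constructed-001
"""

def parse_headers(raw):
    """Return {lowercased-name: [values]} keeping every duplicate in order."""
    headers = {}
    for line in raw.strip().splitlines():
        if not line.strip():
            break  # a blank line ends the header block
        name, sep, value = line.partition(":")
        name = name.strip().lower()
        if not sep or not name or " " in name:
            continue  # status line, request line or HTTP/2 pseudo-header
        headers.setdefault(name, []).append(value.strip())
    return headers

def redact_value(name, value):
    """Mask the secret part but keep the shape useful in a bug report."""
    if name == "authorization" and " " in value:
        return value.split(" ", 1)[0] + " " + MASK  # keep the scheme only
    if name == "cookie":
        pairs = [p.strip() for p in value.split(";") if p.strip()]
        return "; ".join(p.split("=", 1)[0] + "=" + MASK for p in pairs)
    if name == "set-cookie":
        pair, sep, attrs = value.partition(";")
        return pair.split("=", 1)[0].strip() + "=" + MASK + sep + attrs
    return MASK

def redact(headers, extra_sensitive=()):
    names = SENSITIVE | {n.lower() for n in extra_sensitive}
    return {n: [redact_value(n, v) if n in names else v for v in vals]
            for n, vals in headers.items()}

if __name__ == "__main__":
    print(json.dumps(redact(parse_headers(SAMPLE)), indent=2))
```

The request ID is left readable because it is the value backend teams need; pass its name in `extra_sensitive` when a tracing header should not leave the organisation.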

FAQ

Are header names case-sensitive?

HTTP header names are case-insensitive.

Which headers are sensitive?

Authorization, Cookie, Set-Cookie, and some internal tracing headers can contain sensitive data.

What does Content-Type do?

It tells the client how to interpret the response body.

What does Cache-Control do?

It describes caching behavior for browsers, proxies, and CDNs.