Build HTTP request headers from a list of common options and copy them
HTTP headers are key-value pairs sent at the start of every HTTP request and response, providing metadata about the message body, authentication, caching, content type, and connection behaviour. Header names are case-insensitive (per RFC 7230), each header is a colon-delimited name and value, and the header block is separated from the body by a blank line. Common request headers include `Authorization` (Bearer tokens, Basic auth), `Content-Type` (tells the server what format the body is in), `Accept` (tells the server what formats the client can handle), `Cache-Control` (caching directives for both requests and responses), and `User-Agent` (identifies the client). Response headers include `Content-Type`, `Set-Cookie`, `Location` (redirects), `ETag` (versioning for conditional requests), and `Strict-Transport-Security` (HSTS).
This tool helps you build correct HTTP headers by selecting a header name and value from structured options, validating the syntax, and showing the assembled header block for use in curl commands, Postman collections, or application code. It covers authentication headers (Bearer, Basic, API key, OAuth), content negotiation, caching headers, CORS headers, and security headers.
`Authorization` is the standard HTTP header for sending credentials (RFC 7235). Common schemes: `Basic` (base64-encoded username:password — only safe over HTTPS), `Bearer` (OAuth 2.0 JWT token), `Digest` (challenge-response, avoids sending password), `API-Key` (custom, varies by API). There is no standard `Authentication` header — APIs that use `X-API-Key` or similar are using non-standard custom headers. The `WWW-Authenticate` header is the server's challenge response telling the client what scheme to use.
`Content-Type` describes the media type of the request body, allowing the server to parse it correctly. Critical for POST/PUT/PATCH requests: `application/json` (JSON body), `application/x-www-form-urlencoded` (HTML form data), `multipart/form-data` (file uploads with boundary), `text/plain` (raw text). If a request carries a body but no `Content-Type`, many servers will reject the request or misparse the body. `Content-Type` can also include a charset: `Content-Type: text/html; charset=utf-8`.
Cache-Control works on both requests and responses. Response directives: `no-store` (don't store at all), `no-cache` (store but revalidate every time), `max-age=3600` (cache for 3600 seconds), `public` (any cache can store it), `private` (only browser cache, not CDN), `immutable` (never revalidate — used for content-hashed assets). Request directives: `no-cache` (force revalidation from server), `max-stale=60` (accept up to 60s stale). `ETag` + `If-None-Match` enable conditional requests — server returns 304 Not Modified if the resource hasn't changed.
Security headers harden your HTTP responses against common attacks: `Strict-Transport-Security: max-age=31536000; includeSubDomains` (HSTS — force HTTPS), `Content-Security-Policy` (CSP — prevent XSS by whitelisting script sources), `X-Content-Type-Options: nosniff` (prevent MIME type sniffing), `X-Frame-Options: DENY` (prevent clickjacking), `Referrer-Policy: strict-origin-when-cross-origin` (control referrer leakage), `Permissions-Policy` (disable browser features like camera/microphone). The Mozilla Observatory and securityheaders.com grade your site's headers.
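The following added example (not part of the original page or the tool's own code) parses a raw response header block as described above (case-insensitive names, colon-delimited, ended by a blank line) and audits it for the security headers just listed. The sample response, the function names and the pass/fail thresholds are assumptions of this example.

```python
import re

def parse_headers(raw):
    """Parse 'Name: value' lines up to the first blank line; names are lower-cased."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # [1:] skips the status line
        if line == "":
            break  # blank line ends the header block; the body is never parsed
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    return headers

def hsts_max_age(value):
    """Extract max-age (seconds) from an HSTS value; 0 if absent."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return int(m.group(1)) if m else 0

# Per-header checks. Thresholds are this example's assumptions, taken from
# the values shown in the paragraph above (e.g. one year of HSTS).
CHECKS = {
    "strict-transport-security": lambda v: hsts_max_age(v) >= 31536000,
    "content-security-policy": lambda v: v != "",
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v != "",
    "permissions-policy": lambda v: v != "",
}

def audit(raw):
    """Return {header: 'ok' | 'weak' | 'missing'} for each checked header."""
    headers = parse_headers(raw)
    report = {}
    for name, check in CHECKS.items():
        values = headers.get(name, [])
        report[name] = ("missing" if not values
                        else "ok" if all(check(v) for v in values) else "weak")
    return report

# Constructed sample response (not captured from a real site). The
# Referrer-Policy text sits in the body, so it must not count as a header.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "STRICT-TRANSPORT-SECURITY: max-age=300\r\n"
    "x-content-type-options: nosniff\r\n"
    "X-Frame-Options: deny\r\n"
    "\r\n"
    "Referrer-Policy: no-referrer\r\n"
)
```

On the sample, HSTS is reported as weak because its `max-age` is five minutes rather than a year, and the `Referrer-Policy` text in the body is ignored because it comes after the blank line.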