HTTP Headers Explained: What They Reveal About You

HTTP headers are metadata sent along with every HTTP request and response. When your browser requests a webpage, it sends headers containing information about itself, what content it can accept, and any stored cookies. The server responds with headers describing the content, caching policies, and security directives.

Headers are invisible during normal browsing — you don't see them in the page content. But they carry a surprising amount of information about you and your setup. Use LookMyIP's HTTP Headers tool at lookmyip.com/headers to see exactly what headers your browser sends.

Every time your browser makes a request, it sends headers like these:

User-Agent: Identifies your browser, version, and operating system. Example: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36". This single header reveals your OS, browser, version, and device type.

Accept-Language: Lists your preferred languages (e.g., "en-US,en;q=0.9,es;q=0.8"), revealing your nationality and language preferences.

Accept-Encoding: Tells the server what compression formats your browser supports (gzip, br, deflate).

Referer: Shows the URL of the page you came from, allowing the destination site to track where you were before. Note: the header name is intentionally misspelled — the typo was baked into the HTTP specification in 1996.

Cookie: Sends stored cookies for the domain, which may include session IDs, tracking identifiers, and preferences.

DNT (Do Not Track): A header requesting not to be tracked. Unfortunately, this is largely ignored by most websites and is being deprecated.

Sec-CH-UA (Client Hints): Modern browsers send detailed "client hint" headers that provide structured information about browser version, platform, and device characteristics.

Content-Type: Tells the browser what type of content it's receiving (text/html, application/json, image/png, etc.) and the character encoding.

Set-Cookie: Tells the browser to store a cookie. This is how sites maintain sessions and track users across visits.

Cache-Control: Dictates how long the browser should cache the response. Proper caching reduces server load and speeds up page loads.

Content-Security-Policy (CSP): A critical security header that restricts where the page can load resources from, preventing cross-site scripting (XSS) attacks.

Strict-Transport-Security (HSTS): Tells the browser to only connect to this site over HTTPS for a specified period, preventing downgrade attacks.

X-Frame-Options: Prevents the page from being embedded in iframes, protecting against clickjacking attacks.

X-Content-Type-Options: nosniff: Prevents the browser from MIME-type sniffing, ensuring it respects the declared Content-Type.

Your HTTP headers contribute to your browser fingerprint — a combination of characteristics that can uniquely identify you even without cookies:

• User-Agent string identifies your exact browser version and OS
• Accept-Language reveals your language and likely nationality
• Referer reveals your browsing path across sites
• Client Hints provide detailed device information
• Accept header variations differ between browsers

When combined with other fingerprinting techniques (canvas fingerprinting, WebGL, screen resolution, installed fonts), HTTP headers help tracking services identify and follow you across websites — even in private browsing mode.

How to reduce your header footprint:

• Use Firefox with Enhanced Tracking Protection, which limits the User-Agent string
• Install browser extensions like uBlock Origin that can strip or modify headers
• Use a VPN to hide your IP from the header analysis
• Consider the Tor Browser for maximum header uniformity
• Check what your browser reveals using LookMyIP's HTTP Headers tool