What HTTP headers does Chrome send?

By default, Chrome sends: Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Connection, plus low-entropy Client Hints Sec-CH-UA, Sec-CH-UA-Mobile, and Sec-CH-UA-Platform, the full Sec-Fetch-* metadata family, and Upgrade-Insecure-Requests: 1. Higher-entropy hints like Sec-CH-UA-Platform-Version are only sent when the server requests them via Accept-CH.

What HTTP headers does Safari send?

Safari sends Host, User-Agent, Accept, Accept-Language, Accept-Encoding, and Connection. Safari does not send Sec-CH-UA Client Hints as of 2026 — Apple has declined to implement them citing privacy. Safari also strips Referer more aggressively by default.

What HTTP headers does Firefox send?

Firefox sends Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Connection, and Upgrade-Insecure-Requests. Firefox does not send Client Hints. With privacy.resistFingerprinting enabled, Firefox spoofs a generic User-Agent and standardizes timezone, screen size, and language.

Can I hide my HTTP headers?

Not entirely — servers need most of them to respond correctly. You can spoof or strip identifying headers using privacy-focused browsers (Tor Browser, hardened Firefox with resistFingerprinting) or browser extensions.

Is my User-Agent unique?

Often yes. The combination of browser + version + OS + architecture narrows most users to a few thousand worldwide. Combined with Accept-Language and Sec-CH-UA-*, you typically become uniquely identifiable.

What is X-Forwarded-For?

A header added by proxies and CDNs that records the original client IP. If you are behind a VPN or corporate proxy, your real IP may still appear here — even though the connecting IP is the proxy.

Why is "Referer" misspelled?

The HTTP/1.0 spec (RFC 1945, 1996) contained the typo. By the time anyone noticed, it was deployed everywhere and impossible to change. The English spelling is "Referrer"; the header name remains Referer.

Are HTTP headers private?

No. Every server you connect to sees them. Over HTTPS, intermediaries see only the destination domain via SNI — or nothing at all if Encrypted Client Hello (ECH) is negotiated. Over HTTP, everyone in the path sees everything.

Can a website see my real IP if I use a VPN?

The IP your VPN exit node sends will be in the headers. However, WebRTC leaks, DNS leaks, and JavaScript-based detection can sometimes reveal your real IP separately from headers.

What's the difference between Referer and Origin?

Referer is the full URL of the previous page (path + query). Origin is just scheme + host. Browsers send Origin on cross-origin requests for CORS; Referer is sent on most navigation.

My HTTP Headers

See exactly what your browser is sending — and what it reveals about you.

Wondering how unique your browser is? Check your browser fingerprint — the signals websites use to identify you without any cookies.

Check Your Fingerprint →

Cosa sono gli header HTTP?

Ogni volta che il tuo browser apre un sito web, non invia solo una richiesta per la pagina — invia anche un pacchetto di metadati insieme a quella richiesta. Quei metadati sono gli header HTTP.

Non digiti mai questi header. Non li vedi mai durante la navigazione normale. Ma ogni server che visiti li legge, e rivelano una quantità sorprendente di informazioni su di te: quale browser usi, quale sistema operativo hai, quali lingue parli, da dove vieni, se sei dietro un proxy e che tipo di contenuto accetti.

Il widget in tempo reale sopra mostra ogni header che il tuo browser ha inviato per caricare questa pagina. Di seguito trovi un riferimento completo e categorizzato degli header HTTP comuni.

Cosa rivelano i tuoi header su di te

Alcuni header HTTP sono tecnicamente necessari. Altri sono impronte digitali di identità: combinati, rendono il tuo browser univocamente riconoscibile su internet, anche senza cookie.

Il tuo User-Agent da solo ti riduce a poche migliaia di persone. A volte molto meno, a seconda della tua combinazione di browser/OS/architettura.
Accept-Language rivela il tuo paese e probabilmente la tua lingua madre. I siti lo usano per localizzare; i tracker lo usano per costruire profili.
I Client Hints (Sec-CH-UA-*) sono versioni più recenti e precise dello User-Agent. Safari si rifiuta di implementarli per motivi di privacy.

Riferimento degli header HTTP

~38 header di richiesta comuni, raggruppati per scopo.

Header di identificazione

`User-Agent`#

Identifies your browser, version, rendering engine, and OS. The most fingerprintable single header. Combined with other data, it often makes you uniquely identifiable. Defined in RFC 9110 §10.1.5.

`Sec-CH-UA`#

"User-Agent Client Hints." A newer, structured replacement for User-Agent. Reveals browser brand and version in a machine-readable format. Sent by default in Chrome, Edge, and other Chromium browsers. Not sent by Safari or Firefox.

`Sec-CH-UA-Platform`#

Your OS family — "Windows", "macOS", "Linux", "Android", or "iOS". Sent by default in Chromium as a low-entropy hint.

`Sec-CH-UA-Mobile`#

?1 if you're on a mobile device, ?0 if not. Sent by default in Chromium alongside the other low-entropy Client Hints.

Lingua e negoziazione del contenuto

`Accept-Language`#

Your preferred languages in priority order (e.g. en-US,en;q=0.9,fr;q=0.7). Servers use it to localize content; trackers use it to infer your country and native language.

`Accept`#

The MIME types your browser is willing to receive. Reveals which image formats and content types your browser supports — another fingerprinting signal.

`Accept-Encoding`#

Compression algorithms your browser supports (typically gzip, deflate, br, zstd). Lets the server send compressed responses to reduce transfer size.

`Accept-Charset`#

Character sets the client accepts. Almost always omitted by modern browsers — servers default to UTF-8 and this header became redundant.

Connessione e catena proxy

`X-Forwarded-For`#

The chain of IP addresses your request passed through. If you're behind a proxy or VPN, your real IP can still appear here as the leftmost address. Sites can read this to bypass simple VPN masking.

`X-Real-IP`#

Often set by reverse proxies (nginx, Caddy) to indicate the client's true IP, separate from the proxy chain.

`CF-Connecting-IP`#

Cloudflare's version of "your real IP." On any Cloudflare-protected site, this is what the origin server actually sees — not the Cloudflare edge node IP.

`CF-IPCountry`#

Two-letter country code Cloudflare detected from your IP (e.g. US, DE, IN).

`CF-Ray`#

Unique ID Cloudflare assigns to each request. Useful for debugging; useless for tracking you since it changes with every request.

`Via`#

Indicates intermediate proxies or gateways the request passed through. Rare for normal traffic; common in corporate networks and CDN chains.

`Forwarded`#

The standardized version of X-Forwarded-For (RFC 7239). Slowly replacing the older X-prefixed variants.

Origine e referrer

`Referer`#

The full URL of the page you came from. Reveals your browsing path to every site you visit. Many browsers now strip or shorten this for privacy. Note: yes, this is an official misspelling — the original 1996 spec (RFC 1945) had a typo, and it was too late to fix it.

`Origin`#

The scheme + host of the page making the request (no path, no query). Sent on cross-origin requests so the server can enforce CORS. Less leaky than Referer — it only reveals the site, not the specific page.

Sicurezza e metadati fetch

`Sec-Fetch-Site`#

Where the request originated: same-origin, same-site, cross-site, or none. Helps servers detect CSRF and SSRF attacks.

`Sec-Fetch-Mode`#

The mode: navigate (you clicked a link), cors, no-cors, same-origin, or websocket.

`Sec-Fetch-Dest`#

What the response is for: document, image, script, style, font, iframe, etc.

`Sec-Fetch-User`#

?1 if the request was triggered by user action (click, key press). Distinguishes user-initiated navigation from script-initiated requests.

`Sec-Fetch-Storage-Access`#

active or inactive — whether the request has access to unpartitioned cookies. Part of the Storage Access API (2024+), relevant for cross-site auth flows.

Caching

`Cache-Control`#

Instructions to caches (browser, CDN, proxy) about freshness and storage. Defined in RFC 9111.

`If-None-Match`#

Sent with an ETag from a previous response. The server replies 304 Not Modified if the resource hasn't changed — saves bandwidth.

`If-Modified-Since`#

A timestamp from your last fetch. Same idea as If-None-Match, older mechanism.

`If-Match`#

Only proceed if the resource matches the given ETag. Used for optimistic concurrency control in REST APIs.

`Pragma`#

Legacy HTTP/1.0 cache directive. Modern browsers may still send Pragma: no-cachefor backward compatibility, but it's deprecated in favor of Cache-Control.

Cookie e stato

Autenticazione

`Authorization`#

Carries credentials (Basic, Bearer/JWT, Digest). Browsers only send this on navigation after a 401 Unauthorized challenge, or when explicitly set by JavaScript (e.g. API calls).

`Proxy-Authorization`#

Same idea as Authorization, but credentials for the proxy itself rather than the destination server.

Controllo connessione e prestazioni

`Connection`#

Usually keep-alive — keeps the TCP connection open for multiple sequential requests.

`Host`#

The domain you're connecting to. Required since HTTP/1.1 — allows virtual hosting on shared IPs.

`Upgrade-Insecure-Requests`#

1 if your browser prefers HTTPS responses over HTTP when both are available.

`Save-Data`#

on if the user has enabled "data saver" mode in the browser or OS. Sites can respond with lighter assets — smaller images, fewer fonts.

`Priority`#

Hints request priority (u= urgency, i= incremental) for HTTP/2 and HTTP/3 stream scheduling. Defined in RFC 9218.

`Range`#

Request only a byte range of the resource (e.g. bytes=0-1023). Used by video players, download managers, and resumable downloads.

Segnali di privacy

`DNT (Do Not Track)`#

Set to 1 if you've enabled "do not track." Mostly ignored by sites — a polite request with no legal enforcement in most countries.

`Sec-GPC (Global Privacy Control)`#

1 if your browser signals "do not sell or share my personal data." Unlike DNT, GPC has legal standing under California's CCPA. Sent by Firefox by default, Brave, and DuckDuckGo browser; opt-in elsewhere.

Come ridurre ciò che i tuoi header rivelano

Non puoi disabilitare gli header HTTP. Ma puoi ridurre quanto sono identificativi:

Usa Firefox con privacy.resistFingerprinting = true (about:config).
Usa il Tor Browser per la difesa più forte — tutti gli utenti Tor presentano header identici.
Usa una VPN per mascherare il tuo IP — ma questo non cambia User-Agent, Accept-Language o altri segnali di fingerprinting.
Disabilita i Client Hints in Chromium tramite chrome://flags/#user-agent-reduction.
Rimuovi il Referer con un'estensione del browser (uBlock Origin modalità avanzata, uMatrix).

Le modifiche una tantum di solito ti rendono più unico, non meno — perché meno persone hanno quella configurazione esatta.

Domande frequenti

Quali header HTTP invia Chrome?

Per impostazione predefinita: Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Connection, Client Hints Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform, famiglia Sec-Fetch-* e Upgrade-Insecure-Requests: 1.

Quali header HTTP invia Safari?

Safari invia Host, User-Agent, Accept, Accept-Language, Accept-Encoding e Connection. Non invia Client Hints Sec-CH-UA e rimuove il Referer più aggressivamente per impostazione predefinita.

Quali header HTTP invia Firefox?

Firefox invia Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Connection e Upgrade-Insecure-Requests. Non invia Client Hints.

Posso nascondere i miei header HTTP?

Non del tutto. Puoi falsificare o rimuovere quelli identificativi usando browser orientati alla privacy o estensioni.

Il mio User-Agent è unico?

Spesso sì. La combinazione browser + versione + OS + architettura riduce la maggior parte degli utenti a poche migliaia nel mondo.

Cos'è X-Forwarded-For?

Un header aggiunto da proxy e CDN che registra l'IP originale del client. Se sei dietro una VPN, il tuo vero IP potrebbe ancora apparire qui.

Perché Referer è scritto in modo errato?

La specifica HTTP/1.0 (RFC 1945, 1996) conteneva il refuso. L'ortografia corretta è Referrer; il nome dell'header rimane Referer.

Gli header HTTP sono privati?

No. Ogni server a cui ti connetti li vede. Tramite HTTPS sono crittografati in transito.

Un sito web può vedere il mio vero IP se uso una VPN?

L'IP del nodo di uscita della VPN sarà negli header. Le perdite WebRTC e DNS possono a volte esporre il tuo vero IP separatamente.

Qual è la differenza tra Referer e Origin?

Referer è l'URL completo della pagina precedente. Origin è solo schema + host — meno rivelatore. Origin viene inviato nelle richieste cross-origin; Referer nella maggior parte delle navigazioni.

My HTTP Headers

Cosa sono gli header HTTP?

Cosa rivelano i tuoi header su di te

Riferimento degli header HTTP

Header di identificazione

User-Agent#

Sec-CH-UA#

Sec-CH-UA-Platform#

Sec-CH-UA-Mobile#

Lingua e negoziazione del contenuto

Accept-Language#

Accept#

Accept-Encoding#

Accept-Charset#

Connessione e catena proxy

X-Forwarded-For#

X-Real-IP#

CF-Connecting-IP#

CF-IPCountry#

CF-Ray#

Via#

Forwarded#

Origine e referrer

Referer#

Origin#