What HTTP headers does Chrome send?

By default, Chrome sends: Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Connection, plus low-entropy Client Hints Sec-CH-UA, Sec-CH-UA-Mobile, and Sec-CH-UA-Platform, the full Sec-Fetch-* metadata family, and Upgrade-Insecure-Requests: 1. Higher-entropy hints like Sec-CH-UA-Platform-Version are only sent when the server requests them via Accept-CH.

What HTTP headers does Safari send?

Safari sends Host, User-Agent, Accept, Accept-Language, Accept-Encoding, and Connection. Safari does not send Sec-CH-UA Client Hints as of 2026 — Apple has declined to implement them citing privacy. Safari also strips Referer more aggressively by default.

What HTTP headers does Firefox send?

Firefox sends Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Connection, and Upgrade-Insecure-Requests. Firefox does not send Client Hints. With privacy.resistFingerprinting enabled, Firefox spoofs a generic User-Agent and standardizes timezone, screen size, and language.

Can I hide my HTTP headers?

Not entirely — servers need most of them to respond correctly. You can spoof or strip identifying headers using privacy-focused browsers (Tor Browser, hardened Firefox with resistFingerprinting) or browser extensions.

Is my User-Agent unique?

Often yes. The combination of browser + version + OS + architecture narrows most users to a few thousand worldwide. Combined with Accept-Language and Sec-CH-UA-*, you typically become uniquely identifiable.

What is X-Forwarded-For?

A header added by proxies and CDNs that records the original client IP. If you are behind a VPN or corporate proxy, your real IP may still appear here — even though the connecting IP is the proxy.

Why is "Referer" misspelled?

The HTTP/1.0 spec (RFC 1945, 1996) contained the typo. By the time anyone noticed, it was deployed everywhere and impossible to change. The English spelling is "Referrer"; the header name remains Referer.

Are HTTP headers private?

No. Every server you connect to sees them. Over HTTPS, intermediaries see only the destination domain via SNI — or nothing at all if Encrypted Client Hello (ECH) is negotiated. Over HTTP, everyone in the path sees everything.

Can a website see my real IP if I use a VPN?

The IP your VPN exit node sends will be in the headers. However, WebRTC leaks, DNS leaks, and JavaScript-based detection can sometimes reveal your real IP separately from headers.

What's the difference between Referer and Origin?

Referer is the full URL of the previous page (path + query). Origin is just scheme + host. Browsers send Origin on cross-origin requests for CORS; Referer is sent on most navigation.

My HTTP Headers

See exactly what your browser is sending — and what it reveals about you.

Wondering how unique your browser is? Check your browser fingerprint — the signals websites use to identify you without any cookies.

Check Your Fingerprint →

O que são cabeçalhos HTTP?

Toda vez que seu navegador abre um site, ele não envia apenas uma solicitação para a página — ele envia um pacote de metadados junto com essa solicitação. Esses metadados são os cabeçalhos HTTP.

Você nunca digita esses cabeçalhos. Você nunca os vê durante a navegação normal. Mas cada servidor que você visita os lê, e eles revelam uma quantidade surpreendente sobre você: qual navegador você usa, qual sistema operacional você tem, quais idiomas você fala, de onde você veio, se você está atrás de um proxy e que tipo de conteúdo você aceita.

O widget ao vivo acima mostra cada cabeçalho que seu navegador enviou para carregar esta página. Abaixo está uma referência completa e categorizada dos cabeçalhos HTTP comuns.

O que seus cabeçalhos revelam sobre você

Alguns cabeçalhos HTTP são tecnicamente necessários. Outros são impressões digitais de identidade: combinados, tornam seu navegador reconhecível de forma única na internet, mesmo sem cookies.

Seu User-Agent sozinho te reduz a alguns milhares de pessoas. Às vezes muito menos, dependendo da sua combinação de navegador/SO/arquitetura.
Accept-Language revela seu país e provavelmente seu idioma nativo. Sites o usam para localizar; rastreadores o usam para construir perfis.
Client Hints (Sec-CH-UA-*) são versões mais novas e precisas do User-Agent. Habilitados por padrão nos navegadores Chromium. O Safari se recusa a implementá-los por razões de privacidade.

Referência de cabeçalhos HTTP

~38 cabeçalhos de solicitação comuns, agrupados por finalidade.

Cabeçalhos de identificação

`User-Agent`#

Identifies your browser, version, rendering engine, and OS. The most fingerprintable single header. Combined with other data, it often makes you uniquely identifiable. Defined in RFC 9110 §10.1.5.

`Sec-CH-UA`#

"User-Agent Client Hints." A newer, structured replacement for User-Agent. Reveals browser brand and version in a machine-readable format. Sent by default in Chrome, Edge, and other Chromium browsers. Not sent by Safari or Firefox.

`Sec-CH-UA-Platform`#

Your OS family — "Windows", "macOS", "Linux", "Android", or "iOS". Sent by default in Chromium as a low-entropy hint.

`Sec-CH-UA-Mobile`#

?1 if you're on a mobile device, ?0 if not. Sent by default in Chromium alongside the other low-entropy Client Hints.

Idioma e negociação de conteúdo

`Accept-Language`#

Your preferred languages in priority order (e.g. en-US,en;q=0.9,fr;q=0.7). Servers use it to localize content; trackers use it to infer your country and native language.

`Accept`#

The MIME types your browser is willing to receive. Reveals which image formats and content types your browser supports — another fingerprinting signal.

`Accept-Encoding`#

Compression algorithms your browser supports (typically gzip, deflate, br, zstd). Lets the server send compressed responses to reduce transfer size.

`Accept-Charset`#

Character sets the client accepts. Almost always omitted by modern browsers — servers default to UTF-8 and this header became redundant.

Conexão e cadeia de proxy

`X-Forwarded-For`#

The chain of IP addresses your request passed through. If you're behind a proxy or VPN, your real IP can still appear here as the leftmost address. Sites can read this to bypass simple VPN masking.

`X-Real-IP`#

Often set by reverse proxies (nginx, Caddy) to indicate the client's true IP, separate from the proxy chain.

`CF-Connecting-IP`#

Cloudflare's version of "your real IP." On any Cloudflare-protected site, this is what the origin server actually sees — not the Cloudflare edge node IP.

`CF-IPCountry`#

Two-letter country code Cloudflare detected from your IP (e.g. US, DE, IN).

`CF-Ray`#

Unique ID Cloudflare assigns to each request. Useful for debugging; useless for tracking you since it changes with every request.

`Via`#

Indicates intermediate proxies or gateways the request passed through. Rare for normal traffic; common in corporate networks and CDN chains.

`Forwarded`#

The standardized version of X-Forwarded-For (RFC 7239). Slowly replacing the older X-prefixed variants.

Origem e referenciador

`Referer`#

The full URL of the page you came from. Reveals your browsing path to every site you visit. Many browsers now strip or shorten this for privacy. Note: yes, this is an official misspelling — the original 1996 spec (RFC 1945) had a typo, and it was too late to fix it.

`Origin`#

The scheme + host of the page making the request (no path, no query). Sent on cross-origin requests so the server can enforce CORS. Less leaky than Referer — it only reveals the site, not the specific page.

Segurança e metadados de fetch

`Sec-Fetch-Site`#

Where the request originated: same-origin, same-site, cross-site, or none. Helps servers detect CSRF and SSRF attacks.

`Sec-Fetch-Mode`#

The mode: navigate (you clicked a link), cors, no-cors, same-origin, or websocket.

`Sec-Fetch-Dest`#

What the response is for: document, image, script, style, font, iframe, etc.

`Sec-Fetch-User`#

?1 if the request was triggered by user action (click, key press). Distinguishes user-initiated navigation from script-initiated requests.

`Sec-Fetch-Storage-Access`#

active or inactive — whether the request has access to unpartitioned cookies. Part of the Storage Access API (2024+), relevant for cross-site auth flows.

Cache

`Cache-Control`#

Instructions to caches (browser, CDN, proxy) about freshness and storage. Defined in RFC 9111.

`If-None-Match`#

Sent with an ETag from a previous response. The server replies 304 Not Modified if the resource hasn't changed — saves bandwidth.

`If-Modified-Since`#

A timestamp from your last fetch. Same idea as If-None-Match, older mechanism.

`If-Match`#

Only proceed if the resource matches the given ETag. Used for optimistic concurrency control in REST APIs.

`Pragma`#

Legacy HTTP/1.0 cache directive. Modern browsers may still send Pragma: no-cachefor backward compatibility, but it's deprecated in favor of Cache-Control.

Cookies e estado

Autenticação

`Authorization`#

Carries credentials (Basic, Bearer/JWT, Digest). Browsers only send this on navigation after a 401 Unauthorized challenge, or when explicitly set by JavaScript (e.g. API calls).

`Proxy-Authorization`#

Same idea as Authorization, but credentials for the proxy itself rather than the destination server.

Controle de conexão e desempenho

`Connection`#

Usually keep-alive — keeps the TCP connection open for multiple sequential requests.

`Host`#

The domain you're connecting to. Required since HTTP/1.1 — allows virtual hosting on shared IPs.

`Upgrade-Insecure-Requests`#

1 if your browser prefers HTTPS responses over HTTP when both are available.

`Save-Data`#

on if the user has enabled "data saver" mode in the browser or OS. Sites can respond with lighter assets — smaller images, fewer fonts.

`Priority`#

Hints request priority (u= urgency, i= incremental) for HTTP/2 and HTTP/3 stream scheduling. Defined in RFC 9218.

`Range`#

Request only a byte range of the resource (e.g. bytes=0-1023). Used by video players, download managers, and resumable downloads.

Sinais de privacidade

`DNT (Do Not Track)`#

Set to 1 if you've enabled "do not track." Mostly ignored by sites — a polite request with no legal enforcement in most countries.

`Sec-GPC (Global Privacy Control)`#

1 if your browser signals "do not sell or share my personal data." Unlike DNT, GPC has legal standing under California's CCPA. Sent by Firefox by default, Brave, and DuckDuckGo browser; opt-in elsewhere.

Como reduzir o que seus cabeçalhos revelam

Você não pode desabilitar cabeçalhos HTTP — eles são necessários para o funcionamento da web. Mas você pode reduzir o quanto eles o identificam:

Use o Firefox com privacy.resistFingerprinting = true (about:config). Falsifica um User-Agent genérico e padroniza fuso horário, tela e idioma.
Use o Tor Browser para a defesa mais forte — todos os usuários apresentam cabeçalhos idênticos.
Use uma VPN para mascarar seu IP — mas isso não muda User-Agent, Accept-Language ou outros sinais de fingerprinting.
Desabilite Client Hints no Chromium via chrome://flags/#user-agent-reduction.
Remova o Referer com uma extensão de navegador (uBlock Origin modo avançado, uMatrix).

Ajustes pontuais geralmente tornam você mais único, não menos — porque menos pessoas têm exatamente essa configuração.

Perguntas frequentes

Quais cabeçalhos HTTP o Chrome envia?

Por padrão: Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Connection, Client Hints Sec-CH-UA, Sec-CH-UA-Mobile, Sec-CH-UA-Platform, família Sec-Fetch-* e Upgrade-Insecure-Requests: 1.

Quais cabeçalhos HTTP o Safari envia?

Safari envia Host, User-Agent, Accept, Accept-Language, Accept-Encoding e Connection. Não envia Client Hints Sec-CH-UA e remove Referer mais agressivamente por padrão.

Quais cabeçalhos HTTP o Firefox envia?

Firefox envia Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Connection e Upgrade-Insecure-Requests. Não envia Client Hints.

Posso esconder meus cabeçalhos HTTP?

Não totalmente. Você pode falsificar ou remover os identificadores usando navegadores focados em privacidade ou extensões.

Meu User-Agent é único?

Frequentemente, sim. A combinação de navegador + versão + SO + arquitetura reduz a maioria a alguns milhares no mundo.

O que é X-Forwarded-For?

Cabeçalho adicionado por proxies e CDNs registrando o IP original do cliente. Se estiver atrás de VPN, seu IP real pode aparecer aqui.

Por que Referer está com grafia errada?

A especificação HTTP/1.0 (RFC 1945, 1996) continha o erro. A grafia correta é Referrer; o nome do cabeçalho permanece Referer.

Os cabeçalhos HTTP são privados?

Não. Via HTTPS são criptografados em trânsito. Via HTTP simples todos no caminho veem tudo.

Um site pode ver meu IP real se eu usar uma VPN?

O IP do nó de saída da VPN estará nos cabeçalhos. Vazamentos de WebRTC e DNS podem expor seu IP real separadamente.

Qual é a diferença entre Referer e Origin?

Referer é a URL completa da página anterior. Origin é apenas esquema + host — menos revelador. Origin é enviado em solicitações cross-origin; Referer na maioria das navegações.

My HTTP Headers

O que são cabeçalhos HTTP?

O que seus cabeçalhos revelam sobre você

Referência de cabeçalhos HTTP

Cabeçalhos de identificação

User-Agent#

Sec-CH-UA#

Sec-CH-UA-Platform#

Sec-CH-UA-Mobile#

Idioma e negociação de conteúdo

Accept-Language#

Accept#

Accept-Encoding#

Accept-Charset#

Conexão e cadeia de proxy

X-Forwarded-For#

X-Real-IP#

CF-Connecting-IP#

CF-IPCountry#

CF-Ray#

Via#

Forwarded#

Origem e referenciador

Referer#

Origin#