What HTTP headers does Chrome send?

By default, Chrome sends: Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Connection, plus low-entropy Client Hints Sec-CH-UA, Sec-CH-UA-Mobile, and Sec-CH-UA-Platform, the full Sec-Fetch-* metadata family, and Upgrade-Insecure-Requests: 1. Higher-entropy hints like Sec-CH-UA-Platform-Version are only sent when the server requests them via Accept-CH.

What HTTP headers does Safari send?

Safari sends Host, User-Agent, Accept, Accept-Language, Accept-Encoding, and Connection. Safari does not send Sec-CH-UA Client Hints as of 2026 — Apple has declined to implement them citing privacy. Safari also strips Referer more aggressively by default.

What HTTP headers does Firefox send?

Firefox sends Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Connection, and Upgrade-Insecure-Requests. Firefox does not send Client Hints. With privacy.resistFingerprinting enabled, Firefox spoofs a generic User-Agent and standardizes timezone, screen size, and language.

Can I hide my HTTP headers?

Not entirely — servers need most of them to respond correctly. You can spoof or strip identifying headers using privacy-focused browsers (Tor Browser, hardened Firefox with resistFingerprinting) or browser extensions.

Is my User-Agent unique?

Often yes. The combination of browser + version + OS + architecture narrows most users to a few thousand worldwide. Combined with Accept-Language and Sec-CH-UA-*, you typically become uniquely identifiable.

What is X-Forwarded-For?

A header added by proxies and CDNs that records the original client IP. If you are behind a VPN or corporate proxy, your real IP may still appear here — even though the connecting IP is the proxy.

Why is "Referer" misspelled?

The HTTP/1.0 spec (RFC 1945, 1996) contained the typo. By the time anyone noticed, it was deployed everywhere and impossible to change. The English spelling is "Referrer"; the header name remains Referer.

Are HTTP headers private?

No. Every server you connect to sees them. Over HTTPS, intermediaries see only the destination domain via SNI — or nothing at all if Encrypted Client Hello (ECH) is negotiated. Over HTTP, everyone in the path sees everything.

Can a website see my real IP if I use a VPN?

The IP your VPN exit node sends will be in the headers. However, WebRTC leaks, DNS leaks, and JavaScript-based detection can sometimes reveal your real IP separately from headers.

What's the difference between Referer and Origin?

Referer is the full URL of the previous page (path + query). Origin is just scheme + host. Browsers send Origin on cross-origin requests for CORS; Referer is sent on most navigation.

My HTTP Headers

See exactly what your browser is sending — and what it reveals about you.

Wondering how unique your browser is? Check your browser fingerprint — the signals websites use to identify you without any cookies.

Check Your Fingerprint →

什么是HTTP标头？

每次您的浏览器打开一个网站时，它不仅仅发送页面请求——它还会随该请求发送一个元数据包。这些元数据就是HTTP标头。

您从不输入这些标头。在正常浏览时您也从未见过它们。但您访问的每个服务器都会读取它们，它们揭示了大量关于您的信息：您使用什么浏览器、操作系统、语言，以及您是否在代理后面。

上方的实时小部件显示了您的浏览器发送的每个标头。以下是常见HTTP标头的完整分类参考。

您的标头揭示了哪些关于您的信息

一些HTTP标头在技术上是必要的。其他标头则是身份指纹：组合在一起，即使没有Cookie，也能在互联网上唯一地识别您的浏览器。

仅凭您的User-Agent就可以将您缩小到几千人。有时更少，取决于浏览器/操作系统/架构组合。
Accept-Language揭示您的国家和可能的母语。追踪者用它来构建用户画像。
客户端提示（Sec-CH-UA-*）是User-Agent的更新版本。Safari以隐私为由拒绝实现它们。

HTTP标头参考

约38个常见请求标头，按用途分组。

识别标头

`User-Agent`#

Identifies your browser, version, rendering engine, and OS. The most fingerprintable single header. Combined with other data, it often makes you uniquely identifiable. Defined in RFC 9110 §10.1.5.

`Sec-CH-UA`#

"User-Agent Client Hints." A newer, structured replacement for User-Agent. Reveals browser brand and version in a machine-readable format. Sent by default in Chrome, Edge, and other Chromium browsers. Not sent by Safari or Firefox.

`Sec-CH-UA-Platform`#

Your OS family — "Windows", "macOS", "Linux", "Android", or "iOS". Sent by default in Chromium as a low-entropy hint.

`Sec-CH-UA-Mobile`#

?1 if you're on a mobile device, ?0 if not. Sent by default in Chromium alongside the other low-entropy Client Hints.

语言和内容协商

`Accept-Language`#

Your preferred languages in priority order (e.g. en-US,en;q=0.9,fr;q=0.7). Servers use it to localize content; trackers use it to infer your country and native language.

`Accept`#

The MIME types your browser is willing to receive. Reveals which image formats and content types your browser supports — another fingerprinting signal.

`Accept-Encoding`#

Compression algorithms your browser supports (typically gzip, deflate, br, zstd). Lets the server send compressed responses to reduce transfer size.

`Accept-Charset`#

Character sets the client accepts. Almost always omitted by modern browsers — servers default to UTF-8 and this header became redundant.

连接和代理链

`X-Forwarded-For`#

The chain of IP addresses your request passed through. If you're behind a proxy or VPN, your real IP can still appear here as the leftmost address. Sites can read this to bypass simple VPN masking.

`X-Real-IP`#

Often set by reverse proxies (nginx, Caddy) to indicate the client's true IP, separate from the proxy chain.

`CF-Connecting-IP`#

Cloudflare's version of "your real IP." On any Cloudflare-protected site, this is what the origin server actually sees — not the Cloudflare edge node IP.

`CF-IPCountry`#

Two-letter country code Cloudflare detected from your IP (e.g. US, DE, IN).

`CF-Ray`#

Unique ID Cloudflare assigns to each request. Useful for debugging; useless for tracking you since it changes with every request.

`Via`#

Indicates intermediate proxies or gateways the request passed through. Rare for normal traffic; common in corporate networks and CDN chains.

`Forwarded`#

The standardized version of X-Forwarded-For (RFC 7239). Slowly replacing the older X-prefixed variants.

来源和引用页

`Referer`#

The full URL of the page you came from. Reveals your browsing path to every site you visit. Many browsers now strip or shorten this for privacy. Note: yes, this is an official misspelling — the original 1996 spec (RFC 1945) had a typo, and it was too late to fix it.

`Origin`#

The scheme + host of the page making the request (no path, no query). Sent on cross-origin requests so the server can enforce CORS. Less leaky than Referer — it only reveals the site, not the specific page.

安全和Fetch元数据

`Sec-Fetch-Site`#

Where the request originated: same-origin, same-site, cross-site, or none. Helps servers detect CSRF and SSRF attacks.

`Sec-Fetch-Mode`#

The mode: navigate (you clicked a link), cors, no-cors, same-origin, or websocket.

`Sec-Fetch-Dest`#

What the response is for: document, image, script, style, font, iframe, etc.

`Sec-Fetch-User`#

?1 if the request was triggered by user action (click, key press). Distinguishes user-initiated navigation from script-initiated requests.

`Sec-Fetch-Storage-Access`#

active or inactive — whether the request has access to unpartitioned cookies. Part of the Storage Access API (2024+), relevant for cross-site auth flows.

缓存

`Cache-Control`#

Instructions to caches (browser, CDN, proxy) about freshness and storage. Defined in RFC 9111.

`If-None-Match`#

Sent with an ETag from a previous response. The server replies 304 Not Modified if the resource hasn't changed — saves bandwidth.

`If-Modified-Since`#

A timestamp from your last fetch. Same idea as If-None-Match, older mechanism.

`If-Match`#

Only proceed if the resource matches the given ETag. Used for optimistic concurrency control in REST APIs.

`Pragma`#

Legacy HTTP/1.0 cache directive. Modern browsers may still send Pragma: no-cachefor backward compatibility, but it's deprecated in favor of Cache-Control.

Cookie和状态

身份验证

`Authorization`#

Carries credentials (Basic, Bearer/JWT, Digest). Browsers only send this on navigation after a 401 Unauthorized challenge, or when explicitly set by JavaScript (e.g. API calls).

`Proxy-Authorization`#

Same idea as Authorization, but credentials for the proxy itself rather than the destination server.

连接控制和性能

`Connection`#

Usually keep-alive — keeps the TCP connection open for multiple sequential requests.

`Host`#

The domain you're connecting to. Required since HTTP/1.1 — allows virtual hosting on shared IPs.

`Upgrade-Insecure-Requests`#

1 if your browser prefers HTTPS responses over HTTP when both are available.

`Save-Data`#

on if the user has enabled "data saver" mode in the browser or OS. Sites can respond with lighter assets — smaller images, fewer fonts.

`Priority`#

Hints request priority (u= urgency, i= incremental) for HTTP/2 and HTTP/3 stream scheduling. Defined in RFC 9218.

`Range`#

Request only a byte range of the resource (e.g. bytes=0-1023). Used by video players, download managers, and resumable downloads.

隐私信号

`DNT (Do Not Track)`#

Set to 1 if you've enabled "do not track." Mostly ignored by sites — a polite request with no legal enforcement in most countries.

`Sec-GPC (Global Privacy Control)`#

1 if your browser signals "do not sell or share my personal data." Unlike DNT, GPC has legal standing under California's CCPA. Sent by Firefox by default, Brave, and DuckDuckGo browser; opt-in elsewhere.

如何减少标头揭示的信息

您无法禁用HTTP标头。但您可以减少它们的识别程度：

使用Firefox并设置privacy.resistFingerprinting = true（about:config）。
使用Tor浏览器获得最强保护——所有Tor用户呈现相同的标头。
使用VPN隐藏IP——但这不会改变User-Agent或其他指纹信号。
通过chrome://flags/#user-agent-reduction在Chromium中禁用客户端提示。
使用浏览器扩展程序剥离Referer（uBlock Origin高级模式、uMatrix）。

一次性调整通常会让您更加独特——因为很少有人拥有完全相同的配置。

常见问题

Chrome发送哪些HTTP标头？

默认情况下：Host、User-Agent、Accept、Accept-Language、Accept-Encoding、Connection、客户端提示Sec-CH-UA系列、完整的Sec-Fetch-*元数据以及Upgrade-Insecure-Requests: 1。

Safari发送哪些HTTP标头？

Safari发送Host、User-Agent、Accept、Accept-Language、Accept-Encoding和Connection。不发送Sec-CH-UA客户端提示，并默认更积极地剥离Referer。

Firefox发送哪些HTTP标头？

Firefox发送Host、User-Agent、Accept、Accept-Language、Accept-Encoding、Connection和Upgrade-Insecure-Requests。不发送客户端提示。

我可以隐藏我的HTTP标头吗？

不能完全隐藏。您可以使用注重隐私的浏览器或扩展来伪造或剥离识别性标头。

我的User-Agent是唯一的吗？

通常是的。浏览器+版本+OS+架构的组合将大多数用户缩小到全球几千人。

什么是X-Forwarded-For？

由代理和CDN添加的标头，记录原始客户端IP。如果您在VPN后面，真实IP可能仍会出现在这里。

为什么Referer拼写错误？

HTTP/1.0规范（RFC 1945，1996年）包含了这个拼写错误。正确拼写是Referrer；标头名称仍然是Referer。

HTTP标头是私密的吗？

不是。通过HTTPS，标头在传输中是加密的。通过普通HTTP，路径上的每个人都能看到一切。

如果我使用VPN，网站可以看到我的真实IP吗？

VPN出口节点的IP会在连接标头中。WebRTC泄漏和DNS泄漏有时可以单独暴露真实IP。

Referer和Origin有什么区别？

Referer是前一页的完整URL。Origin只是方案+主机——泄露较少。Origin在跨域请求时发送；Referer在大多数导航时发送。

My HTTP Headers

什么是HTTP标头？

您的标头揭示了哪些关于您的信息

HTTP标头参考

识别标头

User-Agent#

Sec-CH-UA#

Sec-CH-UA-Platform#

Sec-CH-UA-Mobile#

语言和内容协商

Accept-Language#

Accept#

Accept-Encoding#

Accept-Charset#

连接和代理链

X-Forwarded-For#

X-Real-IP#

CF-Connecting-IP#

CF-IPCountry#

CF-Ray#

Via#

Forwarded#

来源和引用页

Referer#

Origin#