The request, response and security headers you'll actually set or read.
| General header (request and response) | Used for |
|---|---|
| Content-Type | Format of the body (e.g. application/json) |
| Content-Length | Size of the body in bytes |
| Cache-Control | Caching rules (max-age, no-store) |
| Connection | Keep the connection alive or close it |

| Request header | Used for |
|---|---|
| Accept | Media types the client will accept |
| Accept-Encoding | Compression the client supports (gzip, br) |
| Authorization | Credentials — Bearer token or Basic auth |
| Cookie | Cookies sent back to the server |
| Host | Target domain of the request |
| Origin | Origin of a cross-site request (CORS) |
| Referer | Page the request came from |
| User-Agent | Client browser or app identity |
| If-None-Match | Conditional request using an ETag |

| Response header | Used for |
|---|---|
| Content-Encoding | Compression applied to the body |
| ETag | Version identifier for caching |
| Location | Redirect target or new resource URL |
| Set-Cookie | Tell the client to store a cookie |
| Last-Modified | When the resource last changed |
| Retry-After | When to retry (429 or 503) |
| WWW-Authenticate | Auth scheme to use after a 401 |
| Access-Control-Allow-Origin | CORS — origins allowed to read the response |

| Security header (response) | Used for |
|---|---|
| Strict-Transport-Security | Force HTTPS (HSTS) |
| Content-Security-Policy | Restrict where resources can load from |
| X-Content-Type-Options | Block MIME sniffing (nosniff) |
| X-Frame-Options | Clickjacking protection (DENY) |
| Referrer-Policy | Control how much Referer is sent |
| Permissions-Policy | Allow or deny browser features |
HTTP headers are the key-value metadata that travels with every request and response, separate from the body. They negotiate the details of the exchange: the client uses headers to say what it accepts and who it is, and the server uses them to describe what it's sending and how to cache it. A few you'll meet constantly: Content-Type declares the body format, Authorization carries the token or credentials, Cache-Control governs caching, and Set-Cookie / Cookie handle sessions. The security headers are a separate cluster worth knowing — HSTS, CSP and the X- headers harden a site against downgrade attacks, content sniffing and clickjacking. When something behaves oddly across origins, the CORS headers (Origin and Access-Control-Allow-Origin) are usually involved. For the codes that accompany these, see HTTP status codes.
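A quick audit of the hardening cluster described above, as an added example that is not part of the original page: it takes a response's headers as a dict (the sample below is constructed), normalises header-name case, and reports which of the security and CORS headers from the tables are missing or weakly set. The one-year HSTS minimum is this example's own threshold, not a value from the page.

```python
import re

# Constructed sample response: HSTS and nosniff are set, but CSP is
# missing, X-Frame-Options is weak, and CORS is wide open.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=3600",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Access-Control-Allow-Origin": "*",
    "Referrer-Policy": "no-referrer-when-downgrade",
}

MIN_HSTS_AGE = 31536000  # one year in seconds (threshold assumed by this example)


def audit_headers(headers):
    """Return a list of findings (an empty list means every check passed)."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < MIN_HSTS_AGE:
        findings.append("Strict-Transport-Security missing or max-age too short")

    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing: resource origins unrestricted")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff: MIME sniffing allowed")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or weak: framing allowed")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing: browser default decides Referer leakage")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing: browser features unrestricted")

    if h.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin is *: any origin can read this response")

    return findings
```

Run it against headers read back from a real response (for example `dict(resp.headers)` from an HTTP client) to see which of the page's hardening headers a site actually sends.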