| Request | Informs the server of the media types the client can handle in the response. | Standard | RFC 9110 |
| Request | Informs the server of acceptable character sets. Obsolete — UTF-8 is now assumed. | Obsolete | RFC 9110 |
| Request | Informs the server of the content encodings (compressions) the client supports, such as gzip or br. | Standard | RFC 9110 |
| Request | Informs the server of the human languages preferred by the client for the response. | Standard | RFC 9110 |
| Response | Advertises which media types the server accepts in PATCH request bodies. | Standard | RFC 5789 |
| Response | Advertises which media types the server accepts in POST request bodies. | Standard | — |
| Response | Indicates whether the server supports range requests and which units are acceptable (bytes or none). | Standard | RFC 9110 |
| Response | Indicates whether the response can be shared with the requesting page when credentials (cookies) are included. | Standard | — |
| Response | Specifies which headers can be used in the actual CORS request. | Standard | — |
| Response | Specifies which HTTP methods are allowed in CORS requests. | Standard | — |
| Response | Specifies which origins may access the resource in a CORS response. Value is a specific origin or *. | Standard | — |
| Response | Indicates which response headers can be exposed to the browser in a CORS response. | Standard | — |
| Response | Specifies how long (in seconds) the result of a CORS preflight request can be cached. | Standard | — |
| Request | Used in preflight requests to tell the server which headers will be used in the actual CORS request. | Standard | — |
| Request | Used in preflight requests to tell the server which HTTP method will be used in the actual CORS request. | Standard | — |
| Response | The number of seconds the response has been in a proxy cache. | Standard | RFC 9111 |
| Response | Lists the HTTP methods supported by the resource. Sent with 405 Method Not Allowed responses. | Standard | RFC 9110 |
| Request | Carries credentials to authenticate a user-agent with a server, typically as a Bearer token or a Basic base64 pair. | Standard | RFC 9110 |
| Both | Directives that control caching in requests and responses, including max-age, no-store, and must-revalidate. | Standard | RFC 9111 |
| Response | Clears browsing data (cookies, storage, cache) associated with the requesting site. | Standard | — |
| Both | Controls whether the network connection stays open after the current transaction. Values: keep-alive or close. | Standard | RFC 9110 |
| Both | Lists the encodings applied to the payload body, in the order in which they were applied. | Standard | RFC 9110 |
| Both | Describes the human language(s) intended for the audience of the payload. | Standard | RFC 9110 |
| Both | The size of the request or response body in bytes. | Standard | RFC 9110 |
| Both | An alternate URL for the returned data, indicating the specific resource represented in the payload. | Standard | RFC 9110 |
| Both | Indicates where in the full body a partial response body belongs (used with range requests). | Standard | RFC 9110 |
| Response | CSP — controls the resources the browser is allowed to load, mitigating XSS and injection attacks. | Standard | — |
| Response | Like CSP but only reports violations without enforcing them. Used for testing new policies. | Standard | — |
| Both | Describes the media type of the resource or request body, including optional charset and boundary parameters. | Standard | RFC 9110 |
| Request | Sends stored HTTP cookies to the server. The cookies were previously set by the server using Set-Cookie. | Standard | RFC 6265 |
| Response | COEP — prevents a document from loading cross-origin resources that do not explicitly grant permission. | Standard | — |
| Response | COOP — isolates the browsing context from cross-origin popups to prevent cross-origin attacks. | Standard | — |
| Response | CORP — allows a server to opt in to protection against certain cross-origin resource loads. | Standard | — |
| Response | An identifier for a specific version of a resource, used for cache validation and optimistic concurrency. | Standard | RFC 9110 |
| Response | The date and time after which the response is considered stale. Superseded by Cache-Control max-age. | Standard | RFC 9111 |
| Request | Standardised header for proxy-forwarded request information (original IP, host, protocol). Supersedes X-Forwarded-*. | Standard | RFC 7239 |
| Request | The email address of the user making the request. Used by automated bots to identify themselves. | Standard | RFC 9110 |
| Request | The domain name and port of the target server. Mandatory in HTTP/1.1 requests for virtual hosting. | Standard | RFC 9110 |
| Request | Makes the request conditional on the ETag matching. Used for safe updates with optimistic locking. | Standard | RFC 9110 |
| Request | Returns the resource only if it has been modified after the specified date. Otherwise returns 304. | Standard | RFC 9110 |
| Request | Makes the request conditional on the ETag not matching. Returns 304 if the resource has not changed. | Standard | RFC 9110 |
| Request | Makes a range request conditional — only returns the range if the ETag or date matches, otherwise the full body. | Standard | RFC 9110 |
| Request | Makes the request conditional on the resource not having been modified after the specified date. | Standard | RFC 9110 |
| Both | Parameters for persistent connections. Obsolete in HTTP/2 — persistent connections are the default. | Obsolete | — |
| Response | The date and time at which the server believes the resource was last modified. | Standard | RFC 9110 |
| Response | The URL to redirect to in 3xx responses, or the URL of the newly created resource in 201 responses. | Standard | RFC 9110 |
| Request | Limits the number of times the request can be forwarded by proxies. Used with TRACE and OPTIONS methods. | Standard | RFC 9110 |
| Request | Indicates the origin (scheme, host, port) of the cross-site request. Used in CORS preflight and actual requests. | Standard | RFC 6454 |
| Response | Controls which browser features and APIs the page is allowed to use (camera, geolocation, etc.). | Standard | — |
| Both | An HTTP/1.0 cache control header. The Pragma: no-cache directive has been superseded by Cache-Control. | Obsolete | RFC 9111 |
| Response | Sent with a 407 response to define the authentication method required by the proxy. | Standard | RFC 9110 |
| Request | Carries credentials to authenticate a user-agent with a proxy server. | Standard | RFC 9110 |
| Request | The URL of the page that linked to the requested resource. Note: intentionally misspelled in the specification. | Standard | RFC 9110 |
| Response | Controls how much referrer information is included in requests. Values range from no-referrer to unsafe-url. | Standard | — |
| Response | Indicates how long to wait before making a follow-up request. Used with 503 and rate-limiting 429 responses. | Standard | RFC 9110 |
| Response | The server's response to the Sec-WebSocket-Key, confirming the upgrade to WebSocket. | Standard | RFC 6455 |
| Both | Negotiates extensions to the WebSocket protocol during the handshake. | Standard | RFC 6455 |
| Request | A base64-encoded random value sent by the client to initiate the WebSocket handshake. | Standard | RFC 6455 |
| Both | Negotiates a subprotocol to use over the WebSocket connection. | Standard | RFC 6455 |
| Request | Indicates the WebSocket protocol version the client wishes to use. | Standard | RFC 6455 |
| Response | Information about the software used by the origin server to handle the request. | Standard | RFC 9110 |
| Response | Sends one cookie from the server to the client, with optional attributes like Secure, HttpOnly, and SameSite. | Standard | RFC 6265 |
| Response | HSTS — instructs browsers to only connect via HTTPS for a specified duration, with optional inclusion of subdomains. | Standard | RFC 6797 |
| Request | Indicates the transfer encodings the client is willing to accept, and whether trailer fields are accepted. | Standard | RFC 9110 |
| Both | W3C Trace Context — propagates a distributed trace identifier across services in a standardised format. | Standard | — |
| Both | W3C Trace Context — carries vendor-specific trace state alongside the traceparent header. | Standard | — |
| Both | Lists headers that will be present in the trailer of a chunked transfer-encoded message. | Standard | RFC 9110 |
| Both | Specifies the encoding used to transfer the payload body. Common value: chunked. | Standard | RFC 9110 |
| Both | Asks the server to upgrade the connection to a different protocol, such as WebSocket or HTTP/2. | Standard | RFC 9110 |
| Request | A string identifying the client software — browser, version, OS, and rendering engine. | Standard | RFC 9110 |
| Response | Lists request headers that influenced this response, guiding caches on whether they can reuse the response. | Standard | RFC 9110 |
| Both | Added by proxies to track intermediate nodes a request or response has passed through. | Standard | RFC 9110 |
| Both | Carried additional information about warnings for cached or transformed messages. Removed in RFC 9110. | Obsolete | RFC 9110 |
| Response | Sent with a 401 response to define the authentication method the client must use to gain access. | Standard | RFC 9110 |
| Response | Prevents the browser from MIME-sniffing the Content-Type. The only valid value is nosniff. | De-facto | — |
| Request | De-facto standard for conveying the originating IP address of a client through proxies. | De-facto | — |
| Request | The original host requested by the client before the proxy rewrote the Host header. | De-facto | — |
| Request | The protocol (HTTP or HTTPS) used by the client before a proxy rewrote the request. | De-facto | — |
| Response | Controls whether the page can be embedded in an iframe, protecting against clickjacking. Superseded by CSP. | De-facto | RFC 7034 |
| Both | A unique identifier for the request, used for tracing and correlating logs across distributed systems. | De-facto | — |
| Response | Enabled the browser XSS auditor. Now obsolete — CSP is the recommended replacement. | Obsolete | — |