Not the full IANA registry — the 43 headers you actually meet while debugging, each with a real example and the way it typically bites.
Request headers: what the client tells the server.
Authorization: Carries the credentials for the request: Bearer tokens, Basic base64 user:password pairs, Digest responses (the challenge itself arrives in WWW-Authenticate), or signature schemes like AWS SigV4. Anything that logs requests verbatim logs the secret.
Accept: Tells the server which media types the client can handle, with optional quality weights (q=).
Accept-Encoding: Lists the compression algorithms the client understands (gzip, br, zstd).
Accept-Language: Expresses the user's preferred languages for content negotiation.
If-None-Match: Conditional GET: "give me the resource only if its ETag changed"; when it matches, the server answers with an empty 304 instead of the body.
If-Match: Conditional write: "apply my PUT/PATCH/DELETE only if the resource still has this ETag"; a mismatch gets 412 Precondition Failed, which is how two clients stop overwriting each other's updates.
If-Modified-Since: Conditional GET by date: unchanged since this timestamp → 304.
Cookie: Sends the stored cookies back to the server, semicolon-separated in a single header.
Origin: The scheme+host+port of the page making the request. The browser sets it and page script cannot change it, which is why server-side CORS and cross-site checks key on it rather than on Referer; it can also be the literal string null.
Referer: The URL of the page that triggered the request (yes, misspelled in the spec since 1996).
User-Agent: Identifies the client software making the request.
Host: The hostname (and optional port) the request targets; mandatory in HTTP/1.1 (HTTP/2 and HTTP/3 carry it in the :authority pseudo-header). It is client-supplied input: do not build absolute URLs, password-reset links or cache keys from it without checking it against the names you actually serve.
Range: Requests only part of a resource (bytes=0-1023): download resume, video seeking.
X-Forwarded-For: The de-facto chain of client IPs appended by each proxy hop. The leftmost entries are whatever the client chose to send, so only the entries added by proxies you control mean anything; the standardized equivalent is Forwarded (RFC 7239).
X-Forwarded-Proto: Tells the origin which scheme the client actually used before TLS terminated at the load balancer.
Idempotency-Key: A client-generated key letting the server deduplicate retries of non-idempotent operations such as POST: send the same key, get the same result instead of a double charge.
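The X-Forwarded-For entry above is the one that bites most often in access control and rate limiting, so here is the resolution logic as an added example (not code from the page or from ReqPad). The proxy range 10.0.0.0/8, the sample chain and the peer address are constructed for the demo; the rule it shows is the general one: walk the chain from the right, skip the proxies you trust, and never read the leftmost value.

```python
import ipaddress

# Constructed example: the request reached our origin from proxy 10.0.0.9,
# which received it from proxy 10.0.0.5. Each hop appended the address it
# accepted the connection from; the two leftmost entries arrived from the
# client itself and can say anything.
SAMPLE_XFF = "1.2.3.4, 203.0.113.77, 10.0.0.5"
SAMPLE_PEER = "10.0.0.9"

# Assumed: the address range of the reverse proxies we operate.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted_proxy(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, xff):
    """Resolve the client address by walking the chain from the right.

    The TCP peer is the only address nobody could forge; every trusted proxy
    behind it is skipped, and the first hop a trusted proxy saw is the client.
    Returns None if the value in that position is not an IP address at all."""
    hops = [h.strip() for h in xff.split(",")] if xff else []
    chain = [h for h in hops if h] + [peer_ip]
    for candidate in reversed(chain):
        if is_trusted_proxy(candidate):
            continue
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            return None
    # Every entry was one of our own proxies (an internal caller): use the peer.
    return peer_ip


def naive_client_ip(peer_ip, xff):
    """The common mistake: take the leftmost entry, i.e. whatever the
    client typed. Shown only to contrast with client_ip."""
    return xff.split(",")[0].strip() if xff else peer_ip


if __name__ == "__main__":
    print("naive :", naive_client_ip(SAMPLE_PEER, SAMPLE_XFF))
    print("proper:", client_ip(SAMPLE_PEER, SAMPLE_XFF))
```

The same walk applies to Forwarded (RFC 7239) once its for= pairs are extracted; the trust boundary is the peer socket, not the header.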
Response headers: what the server tells the client (and every cache in between).
WWW-Authenticate: Sent with 401 responses to tell the client which authentication scheme and parameters the server expects.
Content-Encoding: Declares how the body bytes are compressed (gzip, br, zstd); the client decodes, caches store the encoded form.
Transfer-Encoding: chunked streams the body in hex-length-prefixed chunks when the total size is unknown upfront: dynamically generated responses and SSE-style streams. HTTP/1.1 only (HTTP/2 frames bodies itself), and a message carrying both Transfer-Encoding and Content-Length is the ambiguity that request smuggling lives on; RFC 9112 says to reject it.
ETag: An opaque version identifier for the response. A W/ prefix marks a weak validator, good enough for If-None-Match but not for If-Match or range requests, which need a strong one.
Last-Modified: Timestamp-based cache validator, the simpler sibling of ETag, with one-second resolution.
Expires: Legacy absolute-time cache expiry; ignored whenever Cache-Control carries max-age.
Location: Where to go next: the redirect target on 3xx responses, or the URL of the freshly created resource on 201.
Set-Cookie: The server storing state in the client: one cookie per Set-Cookie header (they cannot be folded into one line), with attributes controlling scope (Domain/Path), lifetime (Expires/Max-Age), and security (Secure/HttpOnly/SameSite).
Content-Range: Labels which slice of the full resource this 206 response carries (bytes 0-1023/4096), with the total size after the slash.
Accept-Ranges: Advertises that the server supports Range requests on this resource (bytes) or does not (none).
Access-Control-Allow-Origin: The core CORS response header: which Origin may read this response from browser JavaScript. Echoing the request's Origin back unconditionally switches the protection off.
Access-Control-Allow-Methods: Preflight answer: which HTTP methods the cross-origin caller may use.
Access-Control-Allow-Headers: Preflight answer: which request headers the cross-origin caller may send.
Access-Control-Allow-Credentials: Permits cross-origin requests to include cookies/credentials; requires the JS side to set credentials: "include", the value must be exactly true, and Allow-Origin must then name one specific origin, since browsers refuse * with credentials.
Strict-Transport-Security: HSTS: instructs browsers to use HTTPS only for this host for max-age seconds, killing SSL-stripping downgrade attacks from the second visit on (or from the first, once the domain is on the preload list).
Content-Security-Policy: Declares which sources the browser may load scripts, styles, images and more from: the big anti-XSS control, as long as script-src does not fall back to 'unsafe-inline' or a wildcard.
X-Content-Type-Options: nosniff forbids browsers from MIME-sniffing the body into a different type than Content-Type declares; blocks a class of XSS via mislabeled uploads.
X-Frame-Options: Controls whether the page may be embedded in an iframe: the classic clickjacking defense (DENY / SAMEORIGIN), superseded by the CSP frame-ancestors directive where both are present.
Referrer-Policy: Controls how much of the current URL leaks in the Referer header of outgoing requests (this one is spelled correctly).
Retry-After: How long to wait before retrying, in seconds or as an HTTP date; sent with 503, 429 and some 3xx responses.
Vary: Tells caches which request headers change the response; each combination gets its own cache entry. Leave it out on a response that depends on Origin or Accept-Encoding and a shared cache hands one client's variant to the next.
Content-Disposition: Whether the body displays inline or downloads as an attachment, with the suggested filename.
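The validator headers (ETag, If-None-Match, If-Match) and the CORS quartet above are easiest to understand as one exchange, so here is a small origin plus client as an added example, not code from the page or from ReqPad. The document, the ETag "v1", the allowlist https://app.example and the path /doc are constructed for the demo; it goes slightly beyond the text by answering 428 when a write arrives with no precondition at all, which is the strict reading of the "lost update" problem.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from http.client import HTTPConnection

# Constructed resource: one JSON document with a strong ETag, and an
# assumed CORS allowlist. Exact match only: never reflect the Origin.
DOC = b'{"balance": 100}'
ETAG = '"v1"'
ALLOWED_ORIGINS = {"https://app.example"}


def cors_headers(origin):
    """Headers to add when the requesting Origin is allowlisted, else none.
    With credentials enabled the browser rejects "*", so the specific origin
    is named, and Vary: Origin stops a shared cache serving it to others."""
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


def conditional_get(req_headers):
    """304 with no body when the client already holds the current version."""
    if req_headers.get("If-None-Match") == ETAG:
        return 304, {"ETag": ETAG}, b""
    return 200, {"ETag": ETAG, "Content-Type": "application/json"}, DOC


def conditional_put(req_headers):
    """Optimistic concurrency: 428 without a precondition, 412 for a stale
    version, 204 when the write may proceed."""
    expected = req_headers.get("If-Match")
    if expected is None:
        return 428
    if expected != ETAG:
        return 412
    return 204


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo quiet

    def _reply(self, status, headers, body=b""):
        self.send_response(status)
        for k, v in headers.items():
            self.send_header(k, v)
        if status not in (204, 304):  # these carry no body, so no Content-Length
            self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):  # CORS preflight
        h = cors_headers(self.headers.get("Origin"))
        if h:
            h.update({"Access-Control-Allow-Methods": "GET, PUT",
                      "Access-Control-Allow-Headers": "Content-Type, If-Match"})
        self._reply(204, h)

    def do_GET(self):
        status, h, body = conditional_get(self.headers)
        h.update(cors_headers(self.headers.get("Origin")))
        self._reply(status, h, body)

    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", "0")))  # drain body first
        self._reply(conditional_put(self.headers), cors_headers(self.headers.get("Origin")))


def request(port, method, headers, body=None):
    conn = HTTPConnection("127.0.0.1", port)
    conn.request(method, "/doc", body=body, headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}


def demo():
    """Run the exchange over loopback and return the outcome of each step."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        port = srv.server_port
        status, h = request(port, "GET", {})
        etag = h["etag"]
        return {
            "get": status,
            "conditional_get": request(port, "GET", {"If-None-Match": etag})[0],
            "unconditional_put": request(port, "PUT", {}, b"{}")[0],
            "stale_put": request(port, "PUT", {"If-Match": '"v0"'}, b"{}")[0],
            "fresh_put": request(port, "PUT", {"If-Match": etag}, b"{}")[0],
            "preflight_ok": request(port, "OPTIONS", {"Origin": "https://app.example"})[1].get("access-control-allow-origin"),
            "preflight_evil": request(port, "OPTIONS", {"Origin": "https://evil.example"})[1].get("access-control-allow-origin"),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The decision functions are kept separate from the handler so the same rules can be unit-tested without a socket; running the file shows the whole round trip (200, 304, 428, 412, 204, and an Allow-Origin header only for the allowlisted origin).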
Headers that travel both ways.
Content-Type: Declares the media type of the body: what the bytes mean.
Content-Length: The exact size of the body in bytes. Duplicate or conflicting values must be rejected rather than reconciled, otherwise two parsers on the path frame the stream differently.
Cache-Control: The caching rulebook: how long (max-age), where (public/private), and whether to cache at all (no-store).
Connection: Controls whether the TCP connection survives after the response (keep-alive) or closes (close), plus which hop-by-hop headers to strip. HTTP/1.1 only; HTTP/2 forbids it.
X-Request-ID (no standard name; X-Correlation-ID is the other common one): A correlation ID for one request across services and logs.
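Transfer-Encoding and Content-Length are the two framing headers on this page, and the way they bite together is request smuggling: a front proxy and a back end frame the same bytes differently. The parser below is an added example (not code from the page or from ReqPad) of the strict behaviour RFC 9112 asks for: it reads one HTTP/1.1 request from a buffer and refuses anything ambiguous instead of picking a winner. The sample requests are constructed; hostnames and paths in them are placeholders, and trailers and pipelining are deliberately out of scope.

```python
import re

# RFC 9110 token characters, used for header field names.
TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")


class FramingError(ValueError):
    """Raised for any message whose body boundary is not unambiguous."""


def parse_request(raw):
    """Parse one HTTP/1.1 request from a byte buffer.

    Returns (method, target, headers, body, leftover). Rejects every form
    of ambiguity that request smuggling relies on: Content-Length next to
    Transfer-Encoding, conflicting Content-Length values, non-chunked
    transfer codings and malformed header lines."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete header block")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] != b"HTTP/1.1":
        raise FramingError("bad request line")
    method, target = parts[0], parts[1]
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):
            # A space before the colon or a folded line is exactly where
            # two parsers start to disagree: reject instead of guessing.
            raise FramingError("malformed header line")
        headers.append((name.lower(), value.strip()))
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    if cls and tes:
        raise FramingError("both Content-Length and Transfer-Encoding present")
    if tes:
        codings = [c.strip().lower() for v in tes for c in v.split(b",")]
        if codings != [b"chunked"]:
            raise FramingError("unsupported Transfer-Encoding")
        body, used = read_chunked(rest)
    elif cls:
        if len(set(cls)) != 1 or not cls[0].isdigit():
            raise FramingError("conflicting or invalid Content-Length")
        used = int(cls[0])
        if len(rest) < used:
            raise FramingError("body truncated")
        body = rest[:used]
    else:
        body, used = b"", 0
    # Leftover bytes are what a back end would read as the *next* request.
    return method, target, dict(headers), body, rest[used:]


def read_chunked(data):
    """Decode a chunked body; returns (body, bytes consumed)."""
    body, pos = b"", 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            raise FramingError("truncated chunk size")
        size_field = data[pos:nl].split(b";", 1)[0].strip()  # drop chunk extensions
        if not size_field or not all(c in b"0123456789abcdefABCDEF" for c in size_field):
            raise FramingError("bad chunk size")
        size = int(size_field, 16)
        pos = nl + 2
        if size == 0:
            if data[pos:pos + 2] != b"\r\n":  # trailers are not accepted here
                raise FramingError("trailers or garbage after last chunk")
            return body, pos + 2
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data not followed by CRLF")
        body += data[pos:pos + size]
        pos += size + 2


def classify(raw):
    """None when the request is cleanly framed, else the rejection reason."""
    try:
        parse_request(raw)
        return None
    except FramingError as e:
        return str(e)


# Constructed inputs: a clean chunked upload, and the classic CL.TE
# smuggling shape where a proxy honouring Content-Length forwards six
# bytes while a back end honouring chunked sees the body end after "0".
GOOD = (b"POST /upload HTTP/1.1\r\nHost: api.example\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
SMUGGLED = (b"POST / HTTP/1.1\r\nHost: api.example\r\nContent-Length: 6\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")

if __name__ == "__main__":
    print("good    :", classify(GOOD), parse_request(GOOD)[3])
    print("smuggled:", classify(SMUGGLED))
```

The leftover value returned for a Content-Length request is worth watching in tests: whatever follows the declared body is what a lenient back end would treat as a second request, which is the whole attack.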
ReqPad shows auto-generated and custom headers for all six protocols — edit, send, inspect, from your phone.