HTTP Header Reference

Header                          | Dir       | Meaning
--------------------------------+-----------+----------------------------------
Accept                          | request   | Media types the client accepts.
Accept-Encoding                 | request   | Content encodings the client accepts (gzip, br, deflate).
Accept-Language                 | request   | Preferred natural languages.
Authorization                   | request   | Authentication credentials (Basic, Bearer, etc.).
Cache-Control                   | both      | Caching directives (no-store, max-age, public…).
Content-Encoding                | response  | Encoding applied to the body.
Content-Length                  | both      | Size of the body in bytes.
Content-Security-Policy         | response  | Restrict allowed resource sources.
Content-Type                    | both      | Media type of the body.
Cookie                          | request   | Stored cookies sent by the client.
Set-Cookie                      | response  | Sets a cookie on the client.
ETag                            | response  | Opaque identifier for the resource version.
If-Modified-Since               | request   | Conditional GET based on date.
If-None-Match                   | request   | Conditional GET based on ETag.
Location                        | response  | Target for redirects or created resource.
Origin                          | request   | Origin of the request (used for CORS).
Referer                         | request   | URL of the referring page.
Strict-Transport-Security       | response  | Force HTTPS (HSTS).
User-Agent                      | request   | Client software identification.
WWW-Authenticate                | response  | Authentication challenge.
X-Forwarded-For                 | request   | Original client IP behind proxies.
X-Frame-Options                 | response  | Clickjacking protection.
X-Content-Type-Options          | response  | nosniff — disable MIME sniffing.
Vary                            | response  | Cache key axes.
Access-Control-Allow-Origin     | response  | CORS allowed origin.
Access-Control-Allow-Methods    | response  | CORS allowed methods.
Access-Control-Allow-Headers    | response  | CORS allowed headers.
Access-Control-Allow-Credentials | response  | CORS credentials flag.
Range                           | request   | Request a partial resource.
Content-Range                   | response  | Partial response range.