List of important HTTP request headers

📋 Complete Standard HTTP Request Headers

  1. A-IM - Acceptable instance-manipulations for the resource, used for delta encoding
  2. Accept - Media types the client can process (JSON, HTML, etc.)
  3. Accept-Charset - Character sets the client supports (UTF-8, ISO-8859-1)
  4. Accept-Encoding - Compression algorithms client accepts (gzip, deflate, br)
  5. Accept-Language - Preferred natural languages for response (en-US, fr-CA)
  6. Accept-Datetime - Request the version of the resource as it existed at a specific datetime (Memento)
  7. Access-Control-Request-Method - Method to use in actual CORS request
  8. Access-Control-Request-Headers - Headers to use in actual CORS request
  9. Authorization - Authentication credentials for HTTP auth
  10. Cache-Control - Directives for caching mechanisms
  11. Connection - Controls connection persistence (keep-alive, close)
  12. Content-Length - Size of request body in decimal bytes
  13. Content-Type - Media type of the request body (requests that carry a body, such as POST/PUT)
  14. Cookie - HTTP cookies previously set by the server
  15. Date - Date and time when request was originated
  16. Expect - Expectations server must fulfill (100-continue)
  17. Forwarded - Proxy/client original connection information
  18. From - Email address of human user controlling agent
  19. Host - Server domain and port (REQUIRED in HTTP/1.1)
  20. If-Match - Only proceed if ETag matches (prevents lost updates)
  21. If-Modified-Since - Return 304 if unchanged since date (saves bandwidth)
  22. If-None-Match - Return 304 if ETag matches (caching optimization)
  23. If-Range - Resume downloads if ETag/date matches, full resource if not
  24. If-Unmodified-Since - Only proceed if resource not modified since date
  25. Max-Forwards - Limit proxy/gateway forwarding (TRACE/OPTIONS)
  26. Origin - Cross-origin request source (triggers CORS)
  27. Pragma - Implementation-specific directives (legacy: no-cache)
  28. Proxy-Authorization - Credentials for proxy authentication
  29. Range - Request only specific byte range of resource
  30. Referer - Previous page address that linked to current request
  31. TE - Acceptable transfer encodings (trailers, gzip)
  32. User-Agent - Client application identification string
  33. Upgrade - Request to switch to different protocol
  34. Via - Intermediate proxies traversed by request
  35. Warning - General warning about message status

🔧 Non-Standard & Custom Headers

  1. DNT - Do Not Track preference signal (1 = do not track)
  2. X-Requested-With - Identifies AJAX requests (XMLHttpRequest)
  3. X-CSRF-Token - Anti-CSRF protection token validation
  4. X-Forwarded-For - Original client IP as recorded by proxies (de facto standard; the standardized equivalent is Forwarded)
  5. X-Forwarded-Proto - Original protocol (http/https) through proxies
  6. X-Forwarded-Host - Original host through load balancers

🛡️ Important Security Headers to Know

  1. Authorization & Cookie handle authentication and sessions
  2. Origin & CORS headers manage cross-origin security
  3. X-CSRF-Token prevents Cross-Site Request Forgery attacks
  4. Content-Type validation prevents MIME-type confusion attacks

⚡ Quick Usage Guide

  1. For APIs: Use Accept: application/json, Content-Type: application/json, Authorization: Bearer <token>
  2. For Browsers: Automatically includes User-Agent, Accept, Accept-Encoding, Accept-Language, Cookie, Referer
  3. For CORS: Browser sends Origin, preflight uses Access-Control-Request-Method and Access-Control-Request-Headers
  4. For Performance: Use Accept-Encoding: gzip, cache headers, If-Modified-Since, and If-None-Match
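As an added example (not part of the original list), the two server-side decisions behind the X-Forwarded-For and CORS entries above that most often go wrong: resolving the client address from X-Forwarded-For only when the connecting peer is one of your own proxies, and answering a CORS preflight from Origin, Access-Control-Request-Method and Access-Control-Request-Headers against an allowlist. The proxy range, origins and header names are assumed placeholder values.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

# Assumed deployment values for this example; substitute your own.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]    # our own load balancers / reverse proxies
ALLOWED_ORIGINS = {"https://app.example.com"}    # origins permitted to call the API
ALLOWED_CORS_METHODS = {"GET", "POST"}
ALLOWED_CORS_HEADERS = {"content-type", "authorization", "x-csrf-token"}


def _trusted(ip) -> bool:
    """True if the address belongs to one of our proxies."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Resolve the real client address. X-Forwarded-For is written by whoever sent
    the request, so it is honoured only when the TCP peer is a trusted proxy;
    otherwise the peer address itself is the client."""
    if not _trusted(ip_address(peer_ip)):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    # Walk the chain right-to-left: the first hop that is not our proxy is the client,
    # so anything the client prepended itself is never reached.
    for hop in reversed(hops):
        try:
            if not _trusted(ip_address(hop)):
                return hop
        except ValueError:
            return peer_ip  # malformed entry: trust nothing in the chain
    return peer_ip


def preflight_response(headers: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Answer a CORS preflight (OPTIONS) from Origin, Access-Control-Request-Method and
    Access-Control-Request-Headers. Returns the response headers, or None to refuse."""
    origin = headers.get("Origin", "")
    method = headers.get("Access-Control-Request-Method", "").upper()
    requested = {h.strip().lower()
                 for h in headers.get("Access-Control-Request-Headers", "").split(",") if h.strip()}
    if origin not in ALLOWED_ORIGINS or method not in ALLOWED_CORS_METHODS:
        return None
    if not requested <= ALLOWED_CORS_HEADERS:
        return None
    return {
        "Access-Control-Allow-Origin": origin,   # echo the matched origin, never "*"
        "Access-Control-Allow-Methods": method,
        "Access-Control-Allow-Headers": ", ".join(sorted(requested)),
        "Vary": "Origin",                        # stop caches reusing one origin's answer for another
    }
```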

🎯 Key Takeaways

  1. Host header is mandatory in HTTP/1.1 requests
  2. Content-Type required when sending data in request body
  3. Security headers like Authorization and X-CSRF-Token protect your application
  4. Performance headers like Accept-Encoding and cache controls improve speed
  5. CORS headers enable controlled cross-origin API access
  6. Most headers are optional but using appropriate ones improves functionality