| Accept | Request | Media types accepted by the client. |
| Accept-Encoding | Request | Content encodings accepted by the client. |
| Accept-Language | Request | Preferred response languages. |
| Authorization | Request | Credentials for authentication. |
| Cache-Control | General | Caching directives. |
| Content-Disposition | Representation | Inline or attachment presentation. |
| Content-Encoding | Representation | Encoding applied to the body. |
| Content-Length | Representation | Body size in bytes. |
| Content-Type | Representation | Media type of the body. |
| Cookie | Request | Cookies sent by the client. |
| ETag | Response | Identifier for a resource version. |
| Host | Request | Target host and optional port. |
| If-None-Match | Request | Conditional request using an ETag. |
| Last-Modified | Response | Last known modification time. |
| Location | Response | Redirect or created-resource URL. |
| Origin | Request | Origin that initiated a request. |
| Referer | Request | Address of the referring page. |
| Retry-After | Response | When a client should retry. |
| Set-Cookie | Response | Creates or updates a cookie. |
| User-Agent | Request | Client software identification. |
| Vary | Response | Request fields affecting response selection. |
| WWW-Authenticate | Response | Authentication challenge. |
| X-Content-Type-Options | Security | Prevents MIME type sniffing. |
| Content-Security-Policy | Security | Restricts allowed content sources. |
| Strict-Transport-Security | Security | Forces future HTTPS connections. |