
HTTP Headers Reference — Request and Response Headers | EvvyTools

Every common HTTP request and response header with category, purpose, and example value

119 rows 5 columns

Comprehensive HTTP headers reference covering caching, CORS, authentication, content negotiation, cookies, security, client hints, fetch metadata, range requests, WebSocket handshakes, and more. Each row identifies whether the header is sent by clients, servers, or both, what functional category it belongs to, what it does, and a realistic example value.

Pro tip: There is no header called X-Real-IP in any RFC; it's an Nginx convention that the rest of the industry copied. Many "X-" headers are similarly informal. The IETF officially deprecated the X- prefix in RFC 6648 (2012); use plain header names in new specs.


About the HTTP Headers Reference

HTTP headers are the metadata layer of every web request and response. The list grew steadily through HTTP/1.0, HTTP/1.1, and HTTP/2, plus countless category extensions (CORS, Fetch Metadata, Client Hints, security policies). This dataset captures the headers a working developer is likely to encounter in modern web traffic: both the IANA-registered ones and a handful of widely used informal ones.

Common Use Cases

API documentation generators, request inspectors and reverse proxies, HTTP debugging tools, security scanners, web framework header autocomplete, Postman-style request builders, and any code that needs to map a header name to its purpose without re-reading the relevant RFC.

Column Reference

  • header_name — header field name as it appears in HTTP traffic.
  • type — Request, Response, or Both.
  • category — functional grouping (Caching, CORS, Authentication, Security, etc.).
  • description — what the header does.
  • example — a realistic example value.

Categories Explained

The category column groups headers by functional role: caching directives (Cache-Control, ETag, Vary), CORS controls (Access-Control-*), security policies (Content-Security-Policy, Strict-Transport-Security), authentication (Authorization, WWW-Authenticate), content negotiation (Accept, Accept-Language), cookies, range requests, transfer encoding, client hints, and so on.

Deprecated and Legacy Headers

Some headers in the dataset are flagged as deprecated or legacy: Public-Key-Pins (HPKP, dropped by Chrome), X-XSS-Protection (replaced by CSP), Feature-Policy (renamed to Permissions-Policy), and Pragma (an HTTP/1.0 holdover). They still appear in the wild but should not be authored in new code.
