How many HTTP headers are there?

Over 200 registered with IANA, plus dozens of non-standard 'X-' headers in common use. The reference covers the ~100 most relevant for web development and API design.

What's the difference between request and response headers?

Request headers are sent by the client (Authorization, Accept, User-Agent). Response headers are sent by the server (Content-Type, Set-Cookie, Cache-Control). Some headers appear in both (Content-Type in request bodies and responses).

Which security headers should every web app send?

Content-Security-Policy, Strict-Transport-Security, X-Frame-Options (or CSP frame-ancestors), X-Content-Type-Options: nosniff, Referrer-Policy, and Permissions-Policy are the core security header set.

HTTP Headers Reference | DevTools Surf

DevTools Surf

About HTTP Headers Reference

HTTP Headers Reference preview - Info / Guides tool

Search and reference HTTP request/response headers. Part of the DevTools Surf developer suite. Browse more tools in the Info / Guides collection.

Use Cases

Look up the correct syntax for Cache-Control directives before configuring a CDN.
Find which CORS headers to set when debugging cross-origin request failures.
Identify security headers (CSP, HSTS, X-Frame-Options) needed for a security audit.
Reference the correct Accept header format for content negotiation in an API client.

Tips

Search by use case (caching, CORS, security) rather than name when you can't remember the exact header — the reference groups headers by function.
Check the 'deprecated' tag before implementing a header — X-XSS-Protection and X-Content-Security-Policy have official replacements.
Use the 'security headers checklist' filter to quickly see which response headers your application should send for a OWASP-compliant configuration.

Fun Facts

The HTTP/1.1 specification (RFC 2616, 1999) defined 47 standard request and response headers. HTTP/2 (2015) added none — headers are semantically the same; only the wire encoding changed to HPACK compression.
The Strict-Transport-Security (HSTS) header was first proposed in 2009 by Jeff Hodges, Collin Jackson, and Adam Barth after studies showed that cookie theft via HTTP was a widespread attack. It became an RFC standard in 2012.
The Referrer-Policy header was introduced to address privacy concerns with the older 'Referer' header (which has a deliberate typo from the original 1996 HTTP specification — the misspelling was never corrected).

FAQ

How many HTTP headers are there?: Over 200 registered with IANA, plus dozens of non-standard 'X-' headers in common use. The reference covers the ~100 most relevant for web development and API design.
What's the difference between request and response headers?: Request headers are sent by the client (Authorization, Accept, User-Agent). Response headers are sent by the server (Content-Type, Set-Cookie, Cache-Control). Some headers appear in both (Content-Type in request bodies and responses).
Which security headers should every web app send?: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options (or CSP frame-ancestors), X-Content-Type-Options: nosniff, Referrer-Policy, and Permissions-Policy are the core security header set.

Related Info / Guides Tools

Docker Basics SEO Basics for Developers REST API Basics Next.js App Router Basics Connect Your Site to Google Git Basics (First Hour)Kubernetes Basics GraphQL vs REST