HTTP Headers - TairinySimeonato/WebAuditing GitHub Wiki

HTTP headers can be identified by their context:

  • General Header: These headers are found in both requests and responses. The most common general headers are Date, Cache-Control and Connection.
  • Request Header: These headers carry more information about the content the client wants to retrieve, or about the client itself. Example: Host, User-Agent, Referer, Set-Cookie, Accept, etc.
  • Response Header: These headers give a more detailed context of the response and do not relate to the content of the message. Example: Age, Location and Server.
  • Entity Header: Headers describing the body of the message, such as its content length or its MIME type. Entity headers are used in both HTTP requests and responses. Example: Content-Length, Content-Language and Content-Encoding.

GET Request Headers

GET /index.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://example.com/testpage.html
Connection: keep-alive
Upgrade-Insecure-Requests: 1

  • GET: method; /index.html: path; HTTP/1.1: protocol

  • Host: Request header that specifies the server domain name (for virtual hosting).

  • User-Agent: Request header containing a string that identifies the application type, OS, software vendor and software version of the requesting user agent (browser).

  • Accept: Request header that tells the server which content types (a.k.a MIME types) the client can understand. The server selects one option and informs the client with the Content-Type response header.

  • Accept-Language: Request header that tells the server which natural languages the client can understand. The server selects one of the languages, uses it and tells the client its choice with the Content-Language response header.

  • Accept-Encoding: Request header that tells the server which content encodings, usually compression algorithms, the client can understand. The server picks one of the proposals and informs the client of its choice with the Content-Encoding response header.

  • Referer: Request header containing the address of the previous web page where a link to the currently requested page was followed. The Referer header allows servers to identify where people are visiting them from and may use that data for analytics, logging, or optimized caching, etc.

  • Connection: General header that controls whether or not the connection stays open after the current transaction finishes. If the value is keep-alive, the connection is not closed, allowing for subsequent requests to the same server to be done.

  • Upgrade-Insecure-Requests: Request header that tells the server the client prefers an encrypted and authenticated response.

GET Response Headers

200 OK
Access-Control-Allow-Origin: *
Connection: Keep-Alive ***
Content-Encoding: gzip ***
Content-Type: text/html; charset=utf-8 ***
Date: Mon, 18 Jul 2016 16:06:00 GMT ***
Last-Modified: Mon, 18 Jul 2016 02:36:04 GMT
Server: Apache ***
Expires: Thu, 20 Oct 2018 21:00:00 GMT
Location: /index.html

  • 200 OK : status code

  • Access-Control-Allow-Origin: A CORS response header. When site A tries to retrieve content from site B, site B sends an Access-Control-Allow-Origin response header to tell the browser which origins may access the content of the page. For requests without credentials, the literal value * can be specified as a wildcard; it tells browsers to allow requesting code from any origin to access the resource.

  • Content-Encoding: Entity header that indicates which encoding (usually a compression algorithm) has been applied to the message body.

  • Content-Type: Entity header used to indicate the media type of the resource.

  • Date: General HTTP header with the date and time at which the message was originated.

  • Server: Response header containing info about the server. Detailed Server values should be avoided as they can reveal internal implementation details that might make it easier for attackers to find and exploit known server vulnerabilities.

  • Expires: Response header containing the date/time after which the response is considered obsolete.

  • Location: Response header indicating the URL to redirect a page to. The Location header is returned in responses under two circumstances:

  1. To ask a web browser to load a different web page (URL redirection).
  2. To provide information about the location of a newly created resource.

Security Headers

  • X-XSS-Protection: Response header, used by IE, Chrome and Safari, that stops a page from loading when a reflected XSS attack is detected, by sanitizing the page (removing the malicious content).

  • HTTP Strict Transport Security (HSTS): Response header with which the website tells the user's browser that it only allows secure connections over HTTPS, never plain HTTP. This prevents MITM attacks.

  • X-Frame-Options: Response header that indicates whether a browser is allowed to render a page in a <frame>, <iframe>, <embed> or <object>. It helps prevent clickjacking attacks by ensuring that the page's content is not embedded into other pages.

  • HTTP Public Key Pinning: Prevents attackers from using fraudulent digital certificates.

  • Content Security Policy: Response header that prevents XSS by controlling which resources the client may load on a page.

  • X-Permitted-Cross-Domain-Policies

  • Expect-CT
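As an added example (not code from the WebAuditing wiki), the script below parses a raw response head like the GET Response Headers block above and audits it against the security headers listed in this section, plus the Server and Access-Control-Allow-Origin caveats given earlier. The sample response, the set of required headers and the one-year HSTS threshold are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample response, modelled on the GET Response Headers block above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers this audit requires (assumed policy). X-XSS-Protection, Expect-CT and
# HPKP are listed above but are deprecated or removed in current browsers.
REQUIRED = ["strict-transport-security", "x-frame-options",
            "content-security-policy", "x-permitted-cross-domain-policies"]
ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds


def parse_response_head(raw: str) -> Dict[str, str]:
    """Split the status line and headers off a raw response. Header names are
    case-insensitive, so they are lowercased; the status line is kept under '__status__'."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    headers = {"__status__": status_line}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak header (an empty list means clean)."""
    findings = [f"missing: {name}" for name in REQUIRED if name not in headers]
    hsts = headers.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not age or int(age.group(1)) < ONE_YEAR):
        findings.append("weak: strict-transport-security max-age below one year")
    xfo = headers.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak: x-frame-options value {xfo!r} is not DENY/SAMEORIGIN")
    if headers.get("access-control-allow-origin") == "*":
        findings.append("review: access-control-allow-origin is the wildcard *")
    server = headers.get("server", "")
    if re.search(r"\d", server):  # a version string is an implementation leak
        findings.append(f"info-leak: server header discloses a version ({server})")
    return findings
```

Running `audit_security_headers(parse_response_head(SAMPLE_RESPONSE))` reports the two missing headers, the short HSTS max-age, the wildcard CORS origin and the versioned Server value.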
