HTTP headers: which ones actually matter
Host, Content-Type, Accept, Authorization, Cache-Control, User-Agent, CORS headers, custom headers, header case-insensitivity
The Headers That Matter
HTTP defines over 100 headers. In practice, about a dozen appear on every project. Know these cold: recognize them instantly in curl output and in the browser DevTools Network tab.
Request headers
Host: api.example.com # Required. Identifies the virtual host.
Content-Type: application/json # Format of the body you are sending.
Accept: application/json # Format you want in the response.
Authorization: Bearer # Authentication credentials.
Cache-Control: no-cache # Do not serve a cached copy; revalidate.
User-Agent: MyApp/1.0 # Identifies the client application.
Accept-Encoding: gzip, br # Compression formats the client supports.
Response headers
Content-Type: application/json; charset=utf-8
Content-Length: 348 # Body size in bytes.
Cache-Control: max-age=3600, public
Location: /users/42 # Where the new resource lives (201 responses).
WWW-Authenticate: Bearer # How to authenticate (401 responses).
Retry-After: 60 # Seconds to wait before retrying (429/503).
X-Request-Id: abc-123 # Unique ID for tracing across distributed services.
CORS headers
Cross-Origin Resource Sharing headers control which browser origins can call your API. The browser adds the Origin header on cross-origin requests automatically. Your server must return the appropriate Access-Control-* response headers, or the browser blocks the response:
Access-Control-Allow-Origin: https://yourapp.com
Access-Control-Allow-Methods: GET, POST, DELETE
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Max-Age: 86400
Header names are case-insensitive in HTTP/1.1. HTTP/2 lowercases all header names by spec. Any middleware that reads headers by name should normalize to lowercase before comparison to handle both versions consistently.
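The normalization rule applied to the CORS headers above, as an added example that is not part of the original page. `normalizeHeaders`, `corsHeaders` and the `ALLOWED_ORIGINS` allowlist are hypothetical names, and the sample requests are constructed.

```javascript
// Added example: header-name normalization feeding a CORS allowlist check.
// All function and constant names here are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://yourapp.com"]);

// Lowercase every header name so lookups behave the same for HTTP/1.1
// (any case on the wire) and HTTP/2 (always lowercase). Values are untouched.
function normalizeHeaders(raw) {
  const out = Object.create(null); // no inherited keys such as "constructor"
  for (const [name, value] of Object.entries(raw)) {
    const key = name.toLowerCase();
    // Names that differ only in case are the same header: join their values.
    out[key] = key in out ? `${out[key]}, ${value}` : value;
  }
  return out;
}

// Build the CORS response headers for one request.
// Returns {} when Origin is absent or not an exact match on the allowlist.
function corsHeaders(method, rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const origin = h["origin"];
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) return {};

  // Name the one allowed origin; Vary keeps caches from reusing this
  // response for a request that carries a different Origin.
  const res = { "access-control-allow-origin": origin, "vary": "Origin" };

  // Preflight: OPTIONS carrying Access-Control-Request-Method.
  if (method === "OPTIONS" && "access-control-request-method" in h) {
    res["access-control-allow-methods"] = "GET, POST, DELETE";
    res["access-control-allow-headers"] = "Authorization, Content-Type";
    res["access-control-max-age"] = "86400";
  }
  return res;
}

// Constructed sample requests: mixed-case preflight, lowercase simple
// request, and an origin that is not on the allowlist (exact match only).
const samples = [
  ["OPTIONS", { "ORIGIN": "https://yourapp.com", "Access-Control-Request-Method": "DELETE" }],
  ["GET", { "origin": "https://yourapp.com" }],
  ["GET", { "Origin": "https://yourapp.com.other.example" }],
];
for (const [m, hdrs] of samples) console.log(m, JSON.stringify(corsHeaders(m, hdrs)));
```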
