HTTP headers are (relatively) arbitrary. Common/Important ones to watch out for:
- Server — Web server information (Apache, NGINX, etc.); useful for recon.
- True-Client-IP — Override the client IP address (direct connections to servers).
- X-Forwarded-For — Override the client IP address (connections forwarded through proxies).
- X-Powered-By — Added by some application engines to advertise themselves; useful for recon.
- Content-Type — Specifies the body content; normally only set by the client for POST/PATCH requests (for example, form data uses application/x-www-form-urlencoded.
- Content-Length — The length of the body in bytes (which is just characters for ASCII) for POST requests.
There are other headers (for example, Cookie), obviously. Arbitrary additional (non-standard) headers should be X-prefixed, though there’s technically nothing stopping anyone from ignoring this convention/standard.