projects/nginx/fuzz/http_request_fuzzer.dict - platform/external/oss-fuzz - Git at Google

 # Sources: https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

 # misc
 "HTTP/1.1"

 # verbs
 "CONNECT"
 "DELETE"
 "GET"
 "HEAD"
 "OPTIONS"
 "PATCH"
 "POST"
 "PUT"
 "TRACE"


 # Webdav/caldav verbs
 "ACL"
 "BASELINE-CONTROL"
 "BIND"
 "CHECKIN"
 "CHECKOUT"
 "COPY"
 "LABEL"
 "LINK"
 "LOCK"
 "MERGE"
 "MKACTIVITY"
 "MKCALENDAR"
 "MKCOL"
 "MKREDIRECTREF"
 "MKWORKSPACE"
 "MOVE"
 "ORDERPATCH"
 "PRI"
 "PROPFIND"
 "PROPPATCH"
 "REBIND"
 "REPORT"
 "SEARCH"
 "UNBIND"
 "UNCHECKOUT"
 "UNLINK"
 "UNLOCK"
 "UPDATE"
 "UPDATEREDIRECTREF"
 "VERSION-CONTROL"


 # Fields
 "A-IM"
 "Accept"
 "Accept-Charset"
 "Accept-Datetime"
 "Accept-Encoding"
 "Accept-Language"
 "Accept-Patch"
 "Accept-Ranges"
 "Access-Control-Allow-Credentials"
 "Access-Control-Allow-Headers"
 "Access-Control-Allow-Methods"
 "Access-Control-Allow-Origin"
 "Access-Control-Expose-Headers"
 "Access-Control-Max-Age"
 "Access-Control-Request-Headers"
 "Access-Control-Request-Method"
 "Age"
 "Allow"
 "Alt-Svc"
 "Authorization"
 "Cache-Control"
 "Connection"
 "Connection:"
 "Content-Disposition"
 "Content-Encoding"
 "Content-Language"
 "Content-Length"
 "Content-Location"
 "Content-MD5"
 "Content-Range"
 "Content-Security-Policy"
 "Content-Type"
 "Cookie"
 "DNT"
 "Date"
 "Delta-Base"
 "ETag"
 "Expect"
 "Expires"
 "Forwarded"
 "From"
 "Front-End-Https"
 "HTTP2-Settings"
 "Host"
 "IM"
 "If-Match"
 "If-Modified-Since"
 "If-None-Match"
 "If-Range"
 "If-Unmodified-Since"
 "Last-Modified"
 "Link"
 "Location"
 "Max-Forwards"
 "Origin"
 "P3P"
 "Pragma"
 "Proxy-Authenticate"
 "Proxy-Authorization"
 "Proxy-Connection"
 "Public-Key-Pins"
 "Range"
 "Referer"
 "Refresh"
 "Retry-After"
 "Save-Data"
 "Server"
 "Set-Cookie"
 "Status"
 "Strict-Transport-Security"
 "TE"
 "Timing-Allow-Origin"
 "Tk"
 "Trailer"
 "Transfer-Encoding"
 "Upgrade"
 "Upgrade-Insecure-Requests"
 "User-Agent"
 "Vary"
 "Via"
 "WWW-Authenticate"
 "Warning"
 "X-ATT-DeviceId"
 "X-Content-Duration"
 "X-Content-Security-Policy"
 "X-Content-Type-Options"
 "X-Correlation-ID"
 "X-Csrf-Token"
 "X-Forwarded-For"
 "X-Forwarded-Host"
 "X-Forwarded-Proto"
 "X-Frame-Options"
 "X-Http-Method-Override"
 "X-Powered-By"
 "X-Request-ID"
 "X-Requested-With"
 "X-UA-Compatible"
 "X-UIDH"
 "X-Wap-Profile"
 "X-WebKit-CSP"
 "X-XSS-Protection"
	# Sources: https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

	# misc
	"HTTP/1.1"

	# verbs
	"CONNECT"
	"DELETE"
	"GET"
	"HEAD"
	"OPTIONS"
	"PATCH"
	"POST"
	"PUT"
	"TRACE"


	# Webdav/caldav verbs
	"ACL"
	"BASELINE-CONTROL"
	"BIND"
	"CHECKIN"
	"CHECKOUT"
	"COPY"
	"LABEL"
	"LINK"
	"LOCK"
	"MERGE"
	"MKACTIVITY"
	"MKCALENDAR"
	"MKCOL"
	"MKREDIRECTREF"
	"MKWORKSPACE"
	"MOVE"
	"ORDERPATCH"
	"PRI"
	"PROPFIND"
	"PROPPATCH"
	"REBIND"
	"REPORT"
	"SEARCH"
	"UNBIND"
	"UNCHECKOUT"
	"UNLINK"
	"UNLOCK"
	"UPDATE"
	"UPDATEREDIRECTREF"
	"VERSION-CONTROL"


	# Fields
	"A-IM"
	"Accept"
	"Accept-Charset"
	"Accept-Datetime"
	"Accept-Encoding"
	"Accept-Language"
	"Accept-Patch"
	"Accept-Ranges"
	"Access-Control-Allow-Credentials"
	"Access-Control-Allow-Headers"
	"Access-Control-Allow-Methods"
	"Access-Control-Allow-Origin"
	"Access-Control-Expose-Headers"
	"Access-Control-Max-Age"
	"Access-Control-Request-Headers"
	"Access-Control-Request-Method"
	"Age"
	"Allow"
	"Alt-Svc"
	"Authorization"
	"Cache-Control"
	"Connection"
	"Connection:"
	"Content-Disposition"
	"Content-Encoding"
	"Content-Language"
	"Content-Length"
	"Content-Location"
	"Content-MD5"
	"Content-Range"
	"Content-Security-Policy"
	"Content-Type"
	"Cookie"
	"DNT"
	"Date"
	"Delta-Base"
	"ETag"
	"Expect"
	"Expires"
	"Forwarded"
	"From"
	"Front-End-Https"
	"HTTP2-Settings"
	"Host"
	"IM"
	"If-Match"
	"If-Modified-Since"
	"If-None-Match"
	"If-Range"
	"If-Unmodified-Since"
	"Last-Modified"
	"Link"
	"Location"
	"Max-Forwards"
	"Origin"
	"P3P"
	"Pragma"
	"Proxy-Authenticate"
	"Proxy-Authorization"
	"Proxy-Connection"
	"Public-Key-Pins"
	"Range"
	"Referer"
	"Refresh"
	"Retry-After"
	"Save-Data"
	"Server"
	"Set-Cookie"
	"Status"
	"Strict-Transport-Security"
	"TE"
	"Timing-Allow-Origin"
	"Tk"
	"Trailer"
	"Transfer-Encoding"
	"Upgrade"
	"Upgrade-Insecure-Requests"
	"User-Agent"
	"Vary"
	"Via"
	"WWW-Authenticate"
	"Warning"
	"X-ATT-DeviceId"
	"X-Content-Duration"
	"X-Content-Security-Policy"
	"X-Content-Type-Options"
	"X-Correlation-ID"
	"X-Csrf-Token"
	"X-Forwarded-For"
	"X-Forwarded-Host"
	"X-Forwarded-Proto"
	"X-Frame-Options"
	"X-Http-Method-Override"
	"X-Powered-By"
	"X-Request-ID"
	"X-Requested-With"
	"X-UA-Compatible"
	"X-UIDH"
	"X-Wap-Profile"
	"X-WebKit-CSP"
	"X-XSS-Protection"