HTTP Headers

HTTP requests and responses include headers that carry metadata about the message. For example, Content-Type: application/json indicates that the body is encoded as JSON.

Request Headers

  • User-Agent: Identifies the client (browser, mobile device, bot, etc.).
  • Accept: Specifies acceptable content types (e.g., HTML, JSON, XML).
  • Referer: Indicates the referring URL.

Response Headers

  • Content-Type: Specifies the MIME type of the response body.
  • Content-Length: Indicates the length of the response body.
  • Location: Specifies a redirect URL.

Caching Headers

Caching improves performance by storing frequently accessed data locally or on caching servers. HTTP headers control caching behavior.

Response Headers

  • Cache-Control: Offers fine-grained caching control with directives like:
    • max-age: Specifies how long (in seconds) the response stays fresh.
    • public: Cacheable by any cache, including shared proxies and CDNs.
    • private: Cacheable only by a private cache (the user's browser), never by a shared cache.
    • no-cache: The response may be stored, but a cache must revalidate it with the origin server (e.g., via If-None-Match) before reusing it. It does not prevent caching.
    • no-store: Prevents storage in any cache. Use it for responses containing credentials, session data, or other sensitive content; no-cache alone does not keep them off disk.
  • ETag: An opaque validator identifying the current version of a resource, used with If-None-Match for conditional requests.
  • Expires: Sets an absolute expiration date/time for cached resources. Superseded by Cache-Control: max-age, which takes precedence when both are present.
  • Last-Modified: Indicates the date/time when a resource was last modified.

Request Headers

  • If-Modified-Since: Specifies the last known modification time. If unchanged, the server returns a 304 Not Modified response.
  • If-None-Match: Provides one or more ETags (Entity Tags) previously received for the resource. If one matches the current ETag, the server returns a 304 Not Modified response with no body. When both headers are present, the server evaluates If-None-Match and ignores If-Modified-Since.
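The server side of this exchange, as an added example that is not part of the original page: a Python handler that derives a strong ETag from the body, answers If-None-Match with the weak comparison the standard requires (W/ prefix ignored, comma-separated lists, "*"), falls back to If-Modified-Since only when no ETag was sent, and returns 304 without a body. The resource body and its modification time are constructed for the example.

```python
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample resource (not from any real service): a JSON body and its
# last-modified time, both fixed so the validators are reproducible.
RESOURCE_BODY = b'{"status": "ok", "items": [1, 2, 3]}'
RESOURCE_MODIFIED = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def strong_etag(body: bytes) -> str:
    """Strong ETag derived from the body bytes; any change to the body changes the tag."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:32]


def etag_matches(if_none_match: str, etag: str) -> bool:
    """Weak comparison as RFC 9110 requires for If-None-Match: a W/ prefix is ignored,
    the header may list several tags separated by commas, and "*" matches anything."""
    if if_none_match.strip() == "*":
        return True

    def strip_weak(tag: str) -> str:
        tag = tag.strip()
        return tag[2:] if tag.startswith("W/") else tag

    current = strip_weak(etag)
    return any(strip_weak(t) == current for t in if_none_match.split(","))


def handle_get(request_headers: dict) -> tuple:
    """Serve a GET of the sample resource, honouring If-None-Match and If-Modified-Since.
    Returns (status, response_headers, body)."""
    etag = strong_etag(RESOURCE_BODY)
    validators = {
        "ETag": etag,
        "Last-Modified": format_datetime(RESOURCE_MODIFIED, usegmt=True),
        # private: only the user's browser may store it; after 60 s it must revalidate,
        # which the validators above make cheap (a 304 instead of the full body).
        "Cache-Control": "private, max-age=60",
    }
    headers = {k.lower(): v for k, v in request_headers.items()}
    not_modified = False
    if "if-none-match" in headers:
        # RFC 9110 13.1.3: when If-None-Match is present, If-Modified-Since is ignored.
        not_modified = etag_matches(headers["if-none-match"], etag)
    elif "if-modified-since" in headers:
        try:
            since = parsedate_to_datetime(headers["if-modified-since"])
            if since.tzinfo is None:
                since = since.replace(tzinfo=timezone.utc)
            not_modified = RESOURCE_MODIFIED <= since
        except (TypeError, ValueError):
            not_modified = False  # unparseable date: ignore the precondition, send the body
    if not_modified:
        # 304 repeats the validators and caching policy but carries no body.
        return 304, validators, b""
    full = dict(validators)
    full["Content-Type"] = "application/json"
    full["Content-Length"] = str(len(RESOURCE_BODY))
    return 200, full, RESOURCE_BODY
```

Calling handle_get({}) returns the full 200 response with its ETag and Last-Modified; repeating the call with those values in If-None-Match or If-Modified-Since returns 304 and an empty body, while a stale or malformed precondition falls back to the full response.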

Authorization Headers

GET /protected-resource HTTP/1.1
Authorization: Bearer <token>

The Authorization header conveys client authentication credentials. The format depends on the authentication scheme:

  • Basic Authentication: Base64-encoded username:password. Base64 is an encoding, not encryption, so Basic is only acceptable over TLS.
  • Digest Authentication: Sends a hash of the password combined with a server nonce instead of the password itself. It avoids exposing the cleartext password, but its common MD5 variant is weak and it protects nothing else in the exchange; TLS is still required.
  • Bearer Token: An opaque token or a JWT is included as Bearer <token>. Anyone holding the token can use it, so it must be kept out of URLs, logs, and caches (Cache-Control: no-store).

Session-based authentication uses a separate pair of headers instead of Authorization:

  • Set-Cookie: The server sets a cookie on the client.
  • Cookie: The client sends its cookies back to the server on subsequent requests.
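How a server should consume this header, as an added example that is not part of the original page: a Python function that parses the scheme case-insensitively, decodes Basic credentials while tolerating colons in the password, compares secrets in constant time (with a dummy comparison for unknown users so timing does not leak which accounts exist), looks up Bearer tokens by hash, and rejects any scheme it does not implement. The users, passwords and token are constructed for the example; a real service would replace SHA-256 with a slow password KDF such as argon2 or scrypt.

```python
import base64
import hashlib
import hmac

# Constructed credential store (hypothetical users and token). It holds hashes, not the
# secrets themselves. Assumption: a real service would use a slow password KDF such as
# argon2 or scrypt; SHA-256 keeps this example dependency-free.
def cred_hash(secret: str) -> bytes:
    return hashlib.sha256(secret.encode("utf-8")).digest()


USERS = {
    "alice": cred_hash("correct horse battery staple"),
    "bob": cred_hash("pa:ss"),  # passwords may contain colons; usernames may not
}
BEARER_TOKENS = {cred_hash("tok_constructed_example_123"): "alice"}
DUMMY_HASH = cred_hash("")


def basic_header(user: str, password: str) -> str:
    """Client side: build the Basic credentials. Base64 is reversible, so this is
    only acceptable over TLS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_authorization(value: str):
    """Split 'Scheme credentials'. Scheme names are case-insensitive (RFC 9110)."""
    parts = value.strip().split(None, 1)
    if len(parts) != 2:
        return None, None
    return parts[0].lower(), parts[1].strip()


def authenticate(request_headers: dict):
    """Return the authenticated username, or None. Malformed input is rejected, never raised."""
    raw = {k.lower(): v for k, v in request_headers.items()}.get("authorization")
    if raw is None:
        return None
    scheme, creds = parse_authorization(raw)
    if scheme == "basic":
        try:
            decoded = base64.b64decode(creds, validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            return None
        # Split on the first colon only, so a password containing ':' survives.
        user, sep, password = decoded.partition(":")
        if not sep:
            return None
        stored = USERS.get(user)
        # Always run the comparison, against a dummy hash for unknown users, so the
        # response time does not reveal which usernames exist.
        ok = hmac.compare_digest(stored if stored is not None else DUMMY_HASH, cred_hash(password))
        return user if (ok and stored is not None) else None
    if scheme == "bearer":
        # Hash the presented token and compare in constant time against each stored hash.
        presented = cred_hash(creds)
        for token_hash, user in BEARER_TOKENS.items():
            if hmac.compare_digest(token_hash, presented):
                return user
        return None
    return None  # unsupported or unknown scheme: reject rather than guess


def challenge() -> dict:
    """Headers for the 401 response: tell the client which schemes are accepted and make
    sure the response (and anything carrying credentials) is never stored by a cache."""
    return {
        "WWW-Authenticate": 'Bearer realm="api", Basic realm="api", charset="UTF-8"',
        "Cache-Control": "no-store",
    }
```

Use authenticate() on the request's headers; when it returns None, respond 401 with the headers from challenge(). Note that the Bearer lookup stores and compares token hashes, so a leaked database does not hand out usable tokens.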

CORS Headers

CORS (Cross-Origin Resource Sharing) is the mechanism by which a server tells browsers which other origins may read its responses, relaxing the browser's same-origin policy for that server. This is crucial for web applications whose front end calls APIs on a different origin. CORS is enforced by browsers only: it does not restrict curl or server-to-server clients, and a simple request (see Preflight Requests below) is still delivered to the server even when the page is not allowed to read the response, so CORS is not a substitute for CSRF protection.

Request Headers

  • Origin: Specifies the request's origin (scheme, host, and port). The browser sets it and page script cannot modify it.
  • Access-Control-Request-Method: In a preflight, names the HTTP method the actual request will use (e.g., PUT, DELETE).
  • Access-Control-Request-Headers: In a preflight, lists the non-safelisted headers the actual request will carry.

Response Headers

  • Access-Control-Allow-Origin: Specifies the single origin allowed to read the response, or * for any origin. It does not accept a list; a server that allows several origins must compare the incoming Origin against an allow-list, echo only the matched value, and add Vary: Origin so a cache does not serve one origin's response to another. Reflecting whatever Origin arrives defeats the check entirely.
  • Access-Control-Allow-Credentials: When true, lets the browser send cookies or an Authorization header with the cross-origin request and expose the response. Valid only with a specific origin, never with *.
  • Access-Control-Allow-Methods: Specifies allowed HTTP methods (preflight response).
  • Access-Control-Allow-Headers: Specifies allowed custom headers (preflight response).
  • Access-Control-Max-Age: Specifies how long (in seconds) the browser may cache the preflight result.
  • Access-Control-Expose-Headers: Specifies response headers, beyond the safelisted ones, that JavaScript in the requesting origin may read.

Preflight Requests

Before a cross-origin request that is not "simple" (any method other than GET, HEAD, or POST, any non-safelisted header such as Authorization or a custom header, or a Content-Type other than the form-style types application/x-www-form-urlencoded, multipart/form-data, and text/plain), the browser first sends an OPTIONS preflight carrying Origin, Access-Control-Request-Method, and Access-Control-Request-Headers. Only if the server's Access-Control-Allow-* headers permit the request does the browser send it. Simple requests skip the preflight and reach the server regardless; the browser then decides from the response headers whether the page may read the result.
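Both halves of the CORS section above, as an added example that is not part of the original page: a Python needs_preflight() that applies the browser's simple-request rule, and a server-side cors_headers() that answers both preflight and actual requests from an exact-match origin allow-list, echoes only the matched origin with Vary: Origin, validates the requested method and headers, and never pairs credentials with *. The reflecting cors_headers_unsafe() beside it is the misconfiguration that hands the API to any site. The origins, methods and header names are constructed for the example.

```python
# Constructed policy for a hypothetical API (the origins, methods and header names are
# assumptions for this example). Origins are exact strings: scheme + host + port.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com:8443"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"authorization", "content-type", "x-request-id"}

# Browser-side rule (Fetch spec): which author-set request headers and Content-Type
# values keep a request "simple", i.e. free of a preflight.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def needs_preflight(method: str, author_headers: dict) -> bool:
    """True when the browser will send an OPTIONS preflight before this request.
    author_headers are the headers page script sets; Origin etc. are added by the browser."""
    if method.upper() not in {"GET", "HEAD", "POST"}:
        return True
    for name, value in author_headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True
        if lname == "content-type" and value.split(";")[0].strip().lower() not in SIMPLE_CONTENT_TYPES:
            return True
    return False


def cors_headers_unsafe(request_headers: dict) -> dict:
    """The classic misconfiguration: reflect whatever Origin arrives and allow credentials.
    Any site the victim visits can now read this API using the victim's cookies."""
    origin = request_headers.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true"}


def cors_headers(request_headers: dict, method: str) -> dict:
    """Hardened server-side policy: exact-match allow-list, echo only the matched origin,
    Vary: Origin so shared caches keep per-origin responses apart, and preflights answered
    only for methods and headers on the allow-list."""
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    # Exact string comparison: no prefix, suffix or regex matching, so
    # "https://app.example.com.attacker.net" fails, and "null" (sandboxed iframes,
    # file:// pages) is never on the list.
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {"Vary": "Origin"}  # no Allow-Origin header: the browser blocks the read
    out = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",  # legal only with a specific origin, never "*"
        "Vary": "Origin",
    }
    if method.upper() == "OPTIONS" and "access-control-request-method" in h:
        # Preflight: validate what the actual request intends to do.
        req_method = h["access-control-request-method"].strip().upper()
        req_headers = {x.strip().lower()
                       for x in h.get("access-control-request-headers", "").split(",") if x.strip()}
        if req_method not in ALLOWED_METHODS or not req_headers <= ALLOWED_HEADERS:
            return {"Vary": "Origin"}  # browser fails the preflight; the actual request is never sent
        out["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        out["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        out["Access-Control-Max-Age"] = "600"  # browser may reuse this preflight result for 10 minutes
    else:
        # Actual response: let page script read one non-safelisted response header.
        out["Access-Control-Expose-Headers"] = "X-Request-Id"
    return out
```

Run cors_headers() on every response, not only on preflights: the actual response must carry Access-Control-Allow-Origin too, or the browser discards the body after the server has already processed the request.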

Custom Headers

Custom headers (e.g., x-request-id for request tracing) can carry application-specific information. Header names are case-insensitive. Any custom header is non-safelisted, so a cross-origin request carrying one triggers a CORS preflight, and values arriving from clients are untrusted input that should be validated or regenerated before being logged or acted on.