What are HTTP headers?

Don’t forget to register here to attend POST/CON 24, Postman’s biggest API conference ever: April 30 to May 1, 2024 in San Francisco.

HTTP headers contain metadata in key-value pairs that are sent along with HTTP requests and responses. They can be used to define caching behavior, facilitate authentication, and manage session state. HTTP headers help the API client and server communicate more effectively—and enable developers to optimize and customize the API’s behavior.

Here, we’ll review the most common HTTP request and response headers, explore some best practices for using them, and review how the Postman API Platform can help streamline header-related workflows.

Related: What is HTTP?

What are the most common HTTP headers?

HTTP headers play a crucial role in server and client behavior throughout the request and response cycle. Request headers are sent by the client to the server and contain information and instructions related to the requested resource, while response headers are sent by the server to the client and provide metadata, instructions, and additional information about the response itself.

Some of the most commonly used request headers are:

Accept

The Accept header defines the media types that the client is able to accept from the server. For instance, Accept: application/json, text/html indicates that the client prefers JSON or HTML responses. This information allows the server to send a resource representation that meets the client’s needs.

User-Agent

The User-Agent header identifies the web browser or client application that is making the request, which enables the server to tailor its response to the client. For instance, if the User-Agent header indicates that the request is coming from the Chrome browser, the server may include CSS prefixes for CSS properties that are compatible with Chrome.

Authorization

The Authorization header is used to send the client’s credentials to the server when the client is attempting to access a protected resource. For instance, the client might include a JSON Web Token (JWT) as the value of the header, which the server will then verify before returning the requested resource.

Content-Type

The Content-Type header identifies the media type of the content in the request body. For instance, Content-Type: application/json indicates that the request body contains JSON data. This information helps the server successfully interpret and process the payload.

Cookie

The client can use the Cookie header to send previously stored cookies back to the server. The server then uses these cookies to associate the request with a specific user or session. This header plays an important role in delivering personalized experiences, as it enables the server to remember a user’s login state or language preference.

The most common response headers are:

Content-Type

The Content-Type response header is the counterpart of the Content-Type request header, as it indicates the type of data that the server is sending to the client. The header value typically includes the media type (such as text/html, application/json, image/jpeg, and audio/mp3), as well as any optional parameters.

Cache-Control

The Cache-Control header controls caching behavior in the client’s browser or intermediate caches. It defines how the response can be cached, when it expires, and how it should be revalidated. For example, Cache-Control: max-age=3600, public instructs the client to cache the response for a maximum of 3600 seconds (1 hour) and allows caching by public caches.

Server

The Server header includes the name and version of the server software that generated the response, as well as information about the server’s technology stack. For instance, Server: Apache/2.4.10 (Unix) indicates that the response was generated by the Apache web server version 2.4.10. It’s important to note that the Server header is informational and doesn’t affect the API’s functionality.

Set-Cookie

The Set-Cookie header instructs the client to store a cookie with the specified name, value, and additional attributes, such as expiration, domain, path, and security flags. The client will then include the cookie in subsequent requests in order to facilitate stateful communication and personalized experiences.

Content-Length

The Content-Length header, which specifies the size of the response body in bytes, can help the client anticipate how much data it is going to receive. This improves performance by allowing the client to plan in advance for more efficient memory allocation and data processing.

What are some best practices for using HTTP headers?

HTTP headers are ubiquitous in modern web applications, so it’s essential for developers to follow these best practices when implementing them:

Keep headers concise

Developers should avoid including unnecessary information in headers—and remove redundant headers. Concision helps reduce the size of both requests and responses, which improves the application’s overall performance. Some headers may also contain sensitive information, so being judicious about which headers should be included can reduce the risk of accidental exposure.

Leverage caching headers

The caching headers we discussed above play an important role in reducing load on the server and improving response times. For instance, if a user visits the same web application several times in a short interval, the client can retrieve the content from the browser’s cache, which eliminates the need for a round trip to the server. This improves the user experience by accelerating page rendering, minimizing network usage, and reducing the number of repetitive requests for the same unchanged content.

Prioritize security at the header level

Developers should never include sensitive data, such as passwords and API keys, in plain text headers. They should also implement logic to validate and sanitize request headers in order to prevent header injection attacks, such as CRLF injection or HTTP response splitting.

Safely handle Cross-Origin Resource Sharing (CORS)

CORS, which stands for Cross-Origin Resource Sharing, is a mechanism that allows a resource to be requested from a different origin than the one from which it originated. CORs plays a critical role in API integration, but it must be carefully configured to prevent unauthorized access. Developers should therefore use the Access-Control-Allow-Origin header to specify the permitted request origins—and employ other CORS headers, like Access-Control-Allow-Methods and Access-Control-Allow-Headers. to restrict the types of requests and headers allowed.

How does Postman make it easier to work with HTTP headers?

The Postman API Platform is the gold standard for all API-related work, and it includes several features that streamline the process of working with HTTP request and response headers. With Postman, you can:

• Set request headers from an intuitive user interface: Users can easily set and adjust headers from within the Headers tab of a request. Postman will also prompt you with common headers to help you automatically complete your setup.
• Save groups of commonly used request headers: Header presets allow users to keep commonly used headers together, which can then be reused in other requests.
• Leverage auto-generated request headers: Postman will automatically add certain headers to your request according to its configuration. You can hover over any of these headers for additional information about why it was included, as well as instructions for how to deactivate or override it.
• View, edit, and capture cookies: Postman’s cookie manager enables users to easily keep track of the cookies that are associated with various domains. Users can also capture cookies with the Postman proxy or Postman Interceptor—and then use the cookies in the cookie jar when sending requests.
• Safely store credentials: Users can set credentials in the Authorization tab—and add these credentials to the Authorization request header. Postman provides support for several types of authorization, including API keys, OAuth 2.0, and JWT.
• View response headers: All response headers are displayed as key-value pairs under the Headers tab of the response. Users can hover over any header’s information icon to learn more about it.