Common request headers

| Header Name | Purpose | Example Value |
|---|---|---|
| Authorization | Carries auth credentials (Basic, Bearer or another scheme) | Bearer eyJhbGciOi... |
| X-API-Key | Custom API key for client authentication | 758b7d596dbc... |
| X-Auth-Token | Token-based session authentication | d3f1c3a1-... |
| X-Requested-With | Identifies AJAX requests (legacy jQuery; also used as a lightweight CSRF check, since a cross-origin request cannot set it without a preflight) | XMLHttpRequest |
| Content-Type | Declares the request body format (only meaningful when a body is sent) | application/json |
| Accept | Declares the expected response format | application/json |
| User-Agent | Identifies the client application | MyApp/1.2.3 |
| X-Correlation-ID | Tracks a request across distributed systems | abc123-request-id |
| X-Forwarded-For | Chain of client IPs appended by proxies; the client can set it too, so trust only hops added by your own proxies | 203.0.113.42 |
| X-Real-IP | Alternate client IP header set by some proxies; same trust caveat as X-Forwarded-For | 198.51.100.7 |
| If-None-Match | Used with ETag for conditional requests and caching | "abc123etag" |
| If-Modified-Since | Used for conditional GET requests | Wed, 21 Oct 2015 07:28:00 GMT |
| Cookie | Sends session tokens or other state data | session_id=abc123; logged_in=true |
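The X-Forwarded-For and X-Real-IP rows above carry the one trust caveat that matters in practice: the header arrives from the network, so a client can send it directly. The following is an added example (not code from the original page) showing the naive lookup beside a hardened one. The trusted-proxy list is an assumed deployment detail and every header value below is constructed.

```javascript
// Added example (not code from the original page): resolving the client IP from
// X-Forwarded-For / X-Real-IP without trusting values the client can forge.
// TRUSTED_PROXIES is an assumed deployment detail; all sample headers are constructed.

const TRUSTED_PROXIES = new Set(['10.0.0.5', '10.0.0.6']);

// X-Forwarded-For is a comma-separated chain; each proxy appends the address it
// saw, so the leftmost entry is whatever the original client chose to send.
function parseForwardedFor(value) {
  if (typeof value !== 'string') return [];
  return value.split(',').map(s => s.trim()).filter(Boolean);
}

// The common mistake: take the first (leftmost) entry. A client sending
// "X-Forwarded-For: 1.2.3.4" is then logged, rate-limited or allow-listed as 1.2.3.4.
function naiveClientIp(headers, remoteAddr) {
  const hops = parseForwardedFor(headers['x-forwarded-for']);
  return hops.length ? hops[0] : remoteAddr;
}

// Hardened form: only believe the header when the TCP peer is one of our proxies,
// then walk the chain from the right, skipping our own proxies; the first address
// not in the trusted set is the last hop we can actually vouch for.
function clientIpFromHeaders(headers, remoteAddr, trusted = TRUSTED_PROXIES) {
  if (!trusted.has(remoteAddr)) {
    return remoteAddr; // direct connection: any forwarding headers are attacker input
  }
  const hops = parseForwardedFor(headers['x-forwarded-for']);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  // No usable chain; X-Real-IP is acceptable only because our proxy set it.
  const realIp = headers['x-real-ip'];
  return typeof realIp === 'string' && realIp.trim() ? realIp.trim() : remoteAddr;
}
```

The socket peer address (`remoteAddr`) is the only value the application sees that the client cannot choose; everything in the header is trustworthy only to the extent that a proxy you control appended it.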
Common response headers

| Header Name | Purpose | Example Value |
|---|---|---|
| Content-Type | Format of the response body | application/json |
| Cache-Control | Caching policy for the response (use no-store for authenticated or personalised responses) | no-cache, max-age=3600 |
| ETag | Unique identifier for the response version | "abc123etag" |
| Last-Modified | Timestamp of last modification | Wed, 21 Oct 2015 07:28:00 GMT |
| Expires | Date/time when the response becomes stale | Thu, 01 Dec 1994 16:00:00 GMT |
| Location | URL of a newly created resource (201) or redirect target (3xx) | /users/123 or https://api.example.com/... |
| Retry-After | Suggests how long to wait before retrying (with 429 or 503) | 120 (seconds) or an HTTP-date |
| WWW-Authenticate | Declares the required authentication scheme (with 401) | Bearer realm="example" |
| Set-Cookie | Sends cookies back to the client; always set HttpOnly, Secure and SameSite on session cookies | session_id=abc123; HttpOnly; Secure; SameSite=Lax |
| X-RateLimit-Limit | Max requests allowed in the current window | 1000 |
| X-RateLimit-Remaining | Requests left in the current window | 428 |
| X-RateLimit-Reset | When the rate limit resets (UNIX timestamp, seconds) | 1714684800 |
| X-Correlation-ID | Echoes or assigns a unique ID for log tracing | abc123-response-id |
| Access-Control-Allow-Origin | CORS: the origin allowed to read the response (`*` cannot be combined with credentials) | * or https://yourdomain.com |
| Allow | Lists the methods the resource supports; required on a 405 Method Not Allowed response | GET, POST, PUT, DELETE |
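Retry-After comes in two syntaxes and the X-RateLimit-* trio is a de-facto convention rather than a standard, so clients routinely get the back-off wrong. The block below is an added example, not code from the original page, that turns the headers in the table into a wait time. The responses it parses are constructed and the five-minute cap is an assumed policy.

```javascript
// Added example (not from the original page): deriving a back-off delay from
// Retry-After and the X-RateLimit-* headers in the table above.
// Responses below are constructed; MAX_BACKOFF_MS is an assumed client policy.

const MAX_BACKOFF_MS = 5 * 60 * 1000;

// Retry-After is either delta-seconds ("120") or an HTTP-date.
function parseRetryAfterMs(value, nowMs) {
  if (value == null) return null;
  const text = String(value).trim();
  if (/^\d+$/.test(text)) return Number(text) * 1000;
  const at = Date.parse(text);
  return Number.isNaN(at) ? null : Math.max(0, at - nowMs);
}

// X-RateLimit-Reset is a UNIX timestamp in seconds; it is only a reason to wait
// when X-RateLimit-Remaining has reached zero.
function parseRateLimitResetMs(headers, nowMs) {
  if (headers['x-ratelimit-remaining'] !== '0') return null;
  const reset = Number(headers['x-ratelimit-reset']);
  return Number.isFinite(reset) ? Math.max(0, reset * 1000 - nowMs) : null;
}

// Returns how long to wait (ms) before retrying. 0 means the status is not one
// that asks for a retry. Header names are lower-cased first because fetch and
// Node expose them that way. The cap stops a hostile or buggy server from
// parking the client indefinitely.
function backoffMs(status, rawHeaders, nowMs = Date.now()) {
  const headers = {};
  for (const [k, v] of Object.entries(rawHeaders)) headers[k.toLowerCase()] = String(v);
  if (status !== 429 && status !== 503) return 0;
  let wait = parseRetryAfterMs(headers['retry-after'], nowMs);
  if (wait === null) wait = parseRateLimitResetMs(headers, nowMs);
  if (wait === null) wait = 1000; // no hint at all: modest default, caller adds jitter
  return Math.min(wait, MAX_BACKOFF_MS);
}
```

Retry-After wins over the X-RateLimit-* hints because it is the standard header and the one a server sets deliberately; the vendor headers are only consulted when it is absent.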
Security-related headers

| Header Name | Purpose | Example Value |
|---|---|---|
| Content-Security-Policy | Response header restricting where scripts and styles may load from; a nonce permits specific inline scripts without 'unsafe-inline' | script-src 'nonce-abc123' |
| X-CSRF-Token | Request header carrying a per-request anti-CSRF token (custom; the name varies by framework) | e1f9e2d4-8f4b-4d2a-8450-c38a1fba57d4 |
| X-Nonce (custom) | Request header carrying a general-use nonce for replay prevention | abc123noncevalue |
Sample: Bearer token request (PHP)

```php
<?php
$token = 'your-jwt-or-api-token';
$headers = [
    'Authorization: Bearer ' . $token,
    // Alternatively, authenticate with an API key:
    // 'X-API-Key: ' . $apiKey,
    'Content-Type: application/json',
    'Accept: application/json',
];

$ch = curl_init('https://api.example.com/endpoint');
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => $headers,
    CURLOPT_SSL_VERIFYPEER => true, // keep enabled: the bearer token travels in this request
]);
$response = curl_exec($ch);
if ($response === false) {
    $error = curl_error($ch); // transport failure; the token never reached the server
}
$status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE); // check for 401/403 before using $response
curl_close($ch);
```
Sample: Bearer token request (JavaScript)

```javascript
const token = 'your-jwt-or-api-token';

fetch('https://api.example.com/endpoint', {
  method: 'GET',
  headers: {
    'Authorization': `Bearer ${token}`,
    // Content-Type only applies when a body is sent; Accept tells the server what to return.
    'Accept': 'application/json'
  }
})
  .then(response => {
    // A 401 or 429 still resolves the promise, so check the status before parsing.
    if (!response.ok) throw new Error(`HTTP ${response.status}`);
    return response.json();
  })
  .then(data => console.log(data))
  .catch(err => console.error('Request failed', err));
```
Sample: Content-Security-Policy Nonce (PHP)

Server-side nonce generation (a fresh, unpredictable nonce per response; never reuse one):

```php
<?php
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: script-src 'self' 'nonce-$nonce'");
```

Outputting the inline script that carries the nonce (the attribute quotes must be escaped inside the double-quoted PHP string, otherwise the line is a syntax error):

```php
echo "<script nonce=\"$nonce\">console.log('Safe inline script');</script>";
```
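To see why the nonce form works, it helps to evaluate the policy the way a browser does: find the directive that governs scripts, then allow an inline script only if its nonce attribute matches one in that directive. The block below is an added example, not code from the original page, implementing that check for policies of the shape the PHP snippet emits. The policy strings it is tested against are constructed.

```javascript
// Added example (not from the original page): a small parser for
// Content-Security-Policy values like the one the PHP snippet above sends,
// used to decide whether an inline <script nonce="..."> would be allowed.
// Policies below are constructed for illustration.

// A policy is ';'-separated directives, each "name source1 source2 ...".
// A repeated directive name is ignored; only the first occurrence counts.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// script-src governs scripts; default-src is the fallback when it is absent.
// null means nothing in the policy restricts scripts at all.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d.get('script-src') || d.get('default-src') || null;
}

// An inline script is allowed when its nonce matches a 'nonce-...' source.
// Once any nonce or hash source is present, 'unsafe-inline' is ignored, which
// is what makes the nonce approach a real restriction rather than a decoration.
function inlineScriptAllowed(policy, scriptNonce) {
  const sources = scriptSources(policy);
  if (sources === null) return true;
  const nonceSources = sources.filter(s => /^'nonce-.+'$/i.test(s));
  const hashSources = sources.filter(s => /^'sha(256|384|512)-.+'$/i.test(s));
  if (nonceSources.length || hashSources.length) {
    // Nonce values are case-sensitive base64, so compare them exactly.
    return typeof scriptNonce === 'string' && nonceSources.includes(`'nonce-${scriptNonce}'`);
  }
  return sources.some(s => s.toLowerCase() === "'unsafe-inline'");
}
```

The check is deliberately strict about the governing directive: a policy with only `img-src` does not restrict scripts at all, while `default-src 'self'` with no `script-src` blocks every inline script, nonce or not.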