rick
/
rest-api
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
2 Branches
0 Tags
233 KiB
 
 
 
 
 
Tag: Branch: Tree: api
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'api'
${ noResults }
rest-api/HEADERS.md

109 lines
6.0 KiB
Raw Permalink Blame History

# Common HTTP Headers in REST APIs
## Request Headers
| Header Name | Purpose | Example Value |
|-----------------------|-------------------------------------------------------|-----------------------------------------------|
| `Authorization` | Carries auth credentials (token, Basic, Bearer) | `Bearer eyJhbGciOi...` |
| `X-API-Key` | Custom API key for client authentication | `758b7d596dbc...` |
| `X-Auth-Token` | Token-based session authentication | `d3f1c3a1-...` |
| `X-Requested-With` | Identifies AJAX requests (legacy jQuery, CSRF checks) | `XMLHttpRequest` |
| `Content-Type` | Declares request body format | `application/json` |
| `Accept` | Declares expected response format | `application/json` |
| `User-Agent` | Identifies client application | `MyApp/1.2.3` |
| `X-Correlation-ID` | Tracks a request across distributed systems | `abc123-request-id` |
| `X-Forwarded-For` | Shows originating IP behind proxies | `203.0.113.42` |
| `X-Real-IP` | Alternate client IP header used by some proxies | `198.51.100.7` |
| `If-None-Match` | Used with ETag for caching | `"abc123etag"` |
| `If-Modified-Since` | Used for conditional GET requests | `Wed, 21 Oct 2015 07:28:00 GMT` |
| `Cookie` | Sends session tokens or other state data | `session_id=abc123; logged_in=true` |
---
## Response Headers
| Header Name | Purpose | Example Value |
|----------------------|-------------------------------------------------------|------------------------------------------------|
| `Content-Type` | Format of the response body | `application/json` |
| `Cache-Control` | Caching policy for the response | `no-cache`, `max-age=3600` |
| `ETag` | Unique identifier for the response version | `"abc123etag"` |
| `Last-Modified` | Timestamp of last modification | `Wed, 21 Oct 2015 07:28:00 GMT` |
| `Expires` | Date/time when the response becomes stale | `Thu, 01 Dec 1994 16:00:00 GMT` |
| `Location` | URL to newly created resource or redirect | `/users/123` or `https://api.example.com/...` |
| `Retry-After` | Suggests wait time before retrying | `120` (seconds) or HTTP-date |
| `WWW-Authenticate` | Declares required authentication scheme | `Bearer realm="example"` |
| `Set-Cookie` | Sends cookies back to the client | `session_id=abc123; HttpOnly; Secure` |
| `X-RateLimit-Limit` | Max requests allowed in current window | `1000` |
| `X-RateLimit-Remaining` | Requests left in current window | `428` |
| `X-RateLimit-Reset` | When rate limit resets (UNIX timestamp) | `1714684800` |
| `X-Correlation-ID` | Unique ID for tracking this response (log tracing) | `abc123-response-id` |
| `Access-Control-Allow-Origin` | CORS policy for allowed domains | `*` or `https://yourdomain.com` |
| `Allow` | Accompanied with a 405 Response code | `GET,POST,PUT,DELETE` |
---
## Nonce-Related Headers
| Header Name | Purpose | Example Value |
|---------------------------|-----------------------------------------------------|----------------------------------------------|
| `Content-Security-Policy` | Allows inline scripts/styles with specific nonces | `script-src 'nonce-abc123'` |
| `X-CSRF-Token` | Sends a per-request anti-CSRF token (often custom) | `e1f9e2d4-8f4b-4d2a-8450-c38a1fba57d4` |
| `X-Nonce` (custom) | General-use nonce for replay prevention | `abc123noncevalue` |
---
## Sample: Bearer Token in Authorization Header (PHP)
```php
$token = 'your-jwt-or-api-token';
$headers = [
'Authorization: Bearer ' . $token,
# Alternately using API tokens
# 'X-API-Key: ' . $apiKey,
'Content-Type: application/json'
];
$ch = curl_init('https://api.example.com/endpoint');
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => $headers
]);
$response = curl_exec($ch);
curl_close($ch);
```
## Sample: Bearer Token in Authorization Header (JavaScript / Fetch)
```js
const token = 'your-jwt-or-api-token';
fetch('https://api.example.com/endpoint', {
method: 'GET',
headers: {
'Authorization': `Bearer ${token}`,
'Content-Type': 'application/json',
'Accept': 'application/json'
}
})
.then(response => response.json())
.then(data => console.log(data))
.catch(err => console.error('Request failed', err));
```
---
## Sample: Content-Security-Policy Nonce (PHP)
### Server-side nonce generation:
```php
$nonce = base64_encode(random_bytes(16));
header("Content-Security-Policy: script-src 'self' 'nonce-$nonce'");
```
### Outputting safe inline script:
```php
echo "<script nonce="$nonce">console.log('Safe inline script');</script>";
```