Headers and Body
~300 words Β· 2 min read
Headers carry metadata
Every HTTP message has a header section: keyβvalue pairs that describe the request or response. They're how the client and server negotiate format, prove identity, and control caching.
The headers you'll see most
- Content-Type β the media type of the body, e.g.
application/json. Tells the receiver how to parse it. - Accept β the format the client wants back, e.g.
application/json. - Authorization β credentials, usually
Bearer <token>. - Cache-Control β how long the response may be cached.
The body
The body carries the actual payload. For APIs the de-facto standard is JSON:
POST /api/users HTTP/1.1
Content-Type: application/json
Authorization: Bearer eyJhbGciOi...
{ "name": "Ada", "email": "ada@mail.com" }
GET and DELETE typically have no body; POST, PUT, and PATCH usually do.
CORS
CORS (Cross-Origin Resource Sharing) is a browser-enforced security mechanism. When JavaScript on site-a.com fetches api.site-b.com, the browser blocks the response unless the server explicitly permits it:
Access-Control-Allow-Origin: https://site-a.com
CORS prevents malicious sites from reading data from another site using the user's credentials. It does not protect the server itself β it protects the user's browser.
CORS only applies to browser-based requests. A server-to-server call or a mobile app is never subject to CORS β it's purely a browser safeguard.