← HTTP & REST APIs

Headers and Body

~300 words Β· 2 min read

Headers carry metadata

Every HTTP message has a header section: key–value pairs that describe the request or response. They're how the client and server negotiate format, prove identity, and control caching.

The headers you'll see most

  • Content-Type β€” the media type of the body, e.g. application/json. Tells the receiver how to parse it.
  • Accept β€” the format the client wants back, e.g. application/json.
  • Authorization β€” credentials, usually Bearer <token>.
  • Cache-Control β€” how long the response may be cached.

The body

The body carries the actual payload. For APIs the de-facto standard is JSON:

POST /api/users HTTP/1.1
Content-Type: application/json
Authorization: Bearer eyJhbGciOi...

{ "name": "Ada", "email": "ada@mail.com" }

GET and DELETE typically have no body; POST, PUT, and PATCH usually do.

CORS

CORS (Cross-Origin Resource Sharing) is a browser-enforced security mechanism. When JavaScript on site-a.com fetches api.site-b.com, the browser blocks the response unless the server explicitly permits it:

Access-Control-Allow-Origin: https://site-a.com

CORS prevents malicious sites from reading data from another site using the user's credentials. It does not protect the server itself β€” it protects the user's browser.

CORS only applies to browser-based requests. A server-to-server call or a mobile app is never subject to CORS β€” it's purely a browser safeguard.