100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

HTTP Headers Explained: Key Types and Uses

Learn HTTP headers — content negotiation, caching, authentication, and CORS/CSP security — with networking interview Q&A.

mediumQ64 of 224 in Computer Networks Est. time: 5 minsLast updated:
Open Code Lab

Expected Interview Answer

HTTP headers are key-value metadata sent alongside a request or response that control behavior without touching the body — covering content negotiation (Accept, Content-Type), caching (Cache-Control, ETag), authentication (Authorization), and security policy (CORS, CSP, HSTS).

Request headers like Accept and Accept-Language let a client negotiate the response format and locale, while Content-Type tells the server (or client) how to parse the body that follows. Caching headers form a system of their own: Cache-Control directives (max-age, no-store, private) set caching policy, and ETag/Last-Modified enable conditional requests (If-None-Match/If-Modified-Since) so a server can reply 304 Not Modified instead of resending an unchanged body. Authentication typically rides in the Authorization header (Bearer tokens, Basic auth), while cross-origin behavior is governed by CORS response headers like Access-Control-Allow-Origin, which the browser — not the server — actually enforces against JavaScript reading the response. Security-oriented response headers like Strict-Transport-Security (HSTS) force future requests over HTTPS, and Content-Security-Policy restricts which sources scripts and assets may load from, both mitigating classes of attacks like protocol downgrade and XSS. Headers are case-insensitive by name and, since HTTP/2, are compressed via HPACK to reduce per-request overhead.

  • Enables content negotiation without embedding logic in the body
  • Powers conditional requests and caching to cut redundant transfers
  • Carries authentication and authorization without polluting the URL
  • Enforces cross-origin and transport security policy at the protocol level

AI Mentor Explanation

HTTP headers are like the information written on a scorecard envelope before you even open it — the format preference (Accept), the sender's credentials (Authorization), and handling instructions all sit on the outside without touching the scoresheet inside. A Cache-Control header is like a note saying “valid until stumps” so a runner does not need to fetch a fresh copy from the pavilion every over. An Authorization header is like a team badge checked at the gate before anyone even looks at the contents of the kit bag.

Step-by-Step Explanation

  1. Step 1

    Content negotiation

    Accept and Content-Type headers let client and server agree on the format of the request and response bodies.

  2. Step 2

    Caching

    Cache-Control sets policy; ETag/Last-Modified support conditional requests that return 304 Not Modified when unchanged.

  3. Step 3

    Authentication

    The Authorization header carries credentials (Bearer token, Basic auth) so the server can identify the caller.

  4. Step 4

    Security policy

    Response headers like CORS, CSP, and HSTS instruct the browser on cross-origin access, script sources, and forced HTTPS.

What Interviewer Expects

  • Explains headers carry metadata separate from the body
  • Names at least one header each for negotiation, caching, auth, and security
  • Understands ETag/If-None-Match conditional request flow
  • Knows CORS headers are enforced by the browser, not a server-side firewall

Common Mistakes

  • Confusing CORS with a server-side security control that blocks requests
  • Not knowing the difference between Cache-Control directives (no-store vs no-cache vs private)
  • Assuming header names are case-sensitive
  • Putting sensitive data in headers cached by shared/public caches

Best Answer (HR Friendly)

HTTP headers are like extra notes attached to a web request or response that are not part of the actual content — they tell the server or browser things like what format you want the data in, whether you are logged in, whether it is safe to reuse a cached copy, and what security rules to enforce. They are a big part of how the web stays fast and secure without cluttering the actual data being sent.

Code Example

Inspecting and sending HTTP headers with curl
# Inspect all response headers for a URL
curl -sI https://api.example.com/users/42

# Send an Authorization header with a bearer token
curl -s https://api.example.com/users/42 \
  -H "Authorization: Bearer eyJhbGciOi..."

# Send a conditional request using a cached ETag
curl -sI https://api.example.com/users/42 \
  -H 'If-None-Match: "33a64df551"'

# Request JSON explicitly via content negotiation
curl -s https://api.example.com/users/42 -H "Accept: application/json"

Follow-up Questions

  • What is the difference between Cache-Control: no-cache and no-store?
  • How does the ETag/If-None-Match conditional request flow reduce bandwidth?
  • Why is CORS enforced by the browser rather than acting as a server firewall?
  • What does the Strict-Transport-Security header protect against?

MCQ Practice

1. Which header would a server use to tell the client a resource has not changed since last fetched?

The server compares the client-sent If-None-Match ETag; if unchanged, it returns 304 Not Modified instead of the body.

2. Who actually enforces CORS restrictions on cross-origin JavaScript requests?

CORS response headers are enforcement instructions the browser follows; a non-browser client can ignore them entirely.

3. Which header carries authentication credentials in most modern APIs?

The Authorization header carries credentials such as a Bearer token or Basic auth string.

Flash Cards

What is Content-Type for?Tells the receiver how to parse the body (e.g. application/json).

What does ETag enable?Conditional requests that can return 304 Not Modified instead of resending the body.

Who enforces CORS?The requesting browser, not the origin server acting as a firewall.

What does HSTS do?Forces the browser to only use HTTPS for future requests to that host.

1 / 4

Continue Learning