HTTP Header
// Definition
A key-value metadata field attached to an HTTP request or response, transmitted before the body. Request headers describe the client and request context (User-Agent, Accept, Content-Type, Authorization, Cookie); response headers describe the server's response and instruct the client (Content-Type, Set-Cookie, Cache-Control, CORS access-control headers, security headers). Header names are case-insensitive. QA testing checklist: assert Content-Type matches the body format; verify security headers are present on responses (HSTS, CSP, X-Frame-Options, X-Content-Type-Options); confirm sensitive request headers (Authorization, Cookie) are not logged or exposed in error responses; verify CORS headers permit only expected origins.
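The checklist above, as an added example that is not part of the glossary: a small response-header audit of the kind a QA test would run against a captured HTTP response. The request and response below are constructed samples, the header lookup is case-insensitive because header names are, and the set of "required" security headers is simply the four named in the definition.

```python
# Added example (not from the glossary): audit an HTTP response against the
# four checklist items in the definition. All sample data is constructed.
import json

REQUIRED_SECURITY_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
)

SENSITIVE_REQUEST_HEADERS = ("Authorization", "Cookie")


def get_header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_response(status, headers, body, request_headers=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # 1. Content-Type must match the body format.
    ctype = get_header(headers, "Content-Type") or ""
    if "application/json" in ctype:
        try:
            json.loads(body)
        except ValueError:
            findings.append("Content-Type says JSON but body is not valid JSON")
    elif body.lstrip().startswith(("{", "[")):
        findings.append(f"body looks like JSON but Content-Type is {ctype!r}")

    # 2. Security headers must be present on the response.
    for name in REQUIRED_SECURITY_HEADERS:
        if get_header(headers, name) is None:
            findings.append(f"missing security header {name}")

    # 3. Sensitive request headers must not be echoed into error responses.
    if status >= 400 and request_headers:
        for name in SENSITIVE_REQUEST_HEADERS:
            value = get_header(request_headers, name)
            if value and value in body:
                findings.append(f"{name} value reflected in {status} error body")

    return findings


# Constructed sample: a 500 error that mislabels a JSON body as HTML, lacks a
# CSP header, and echoes the bearer token from the request into its body.
SAMPLE_REQUEST_HEADERS = {
    "authorization": "Bearer token-placeholder",
    "Accept": "application/json",
}
SAMPLE_RESPONSE = {
    "status": 500,
    "headers": {
        "content-type": "text/html",
        "strict-transport-security": "max-age=31536000",
        "x-frame-options": "DENY",
        "x-content-type-options": "nosniff",
    },
    "body": '{"error": "upstream failed for Bearer token-placeholder"}',
}


def audit_sample():
    """Run the audit over the constructed sample; expected to yield three findings."""
    return audit_response(
        SAMPLE_RESPONSE["status"],
        SAMPLE_RESPONSE["headers"],
        SAMPLE_RESPONSE["body"],
        SAMPLE_REQUEST_HEADERS,
    )


if __name__ == "__main__":
    for finding in audit_sample():
        print("FAIL:", finding)
```

The reflected-credential check is deliberately literal (the exact header value appearing in the body); a real suite would also search stack traces and log sinks, but the shape of the assertion is the same.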
// Related terms
REST
Representational State Transfer — an architectural style for HTTP APIs where resources are addressed by URLs and manipulated via standard HTTP verbs (GET, POST, PUT, DELETE). The dominant API style for over a decade.
Cookie
A small name-value string the browser stores and automatically attaches to every request matching the cookie's domain and path. Set by the server via the Set-Cookie response header; read by the server from the Cookie request header; readable by JavaScript via document.cookie unless the HttpOnly flag is set. Key security attributes: HttpOnly (blocks JS access, mitigating XSS token theft); Secure (HTTPS-only transmission); SameSite (controls cross-site attachment — Strict, Lax, or None); Domain and Path (request scope). QA testing checklist: session cookies must have HttpOnly and Secure; auth cookies should be SameSite=Lax or Strict; sensitive data should not be stored in cookie values unencrypted; cookies should expire or be cleared on logout.
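The cookie checklist, as an added example that is not part of the glossary: a parser for `Set-Cookie` values and checks for the HttpOnly/Secure/SameSite attributes, a plaintext-sensitive-value heuristic, and a logout check. The cookie names, the set of names treated as session cookies (`SESSION_COOKIE_NAMES`) and the keyword list in the heuristic are assumptions made for this example.

```python
# Added example (not from the glossary): check Set-Cookie headers against the
# cookie checklist. Which cookie names are session/auth cookies is an assumption.
from urllib.parse import unquote

SESSION_COOKIE_NAMES = {"sessionid", "auth_token"}  # assumption for this example
SENSITIVE_TOKENS = ("password", "email", "@", "ssn")  # heuristic, not exhaustive


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def check_cookie(header_value):
    """Return checklist findings for one Set-Cookie header (empty = passes)."""
    name, value, attrs = parse_set_cookie(header_value)
    findings = []

    if name.lower() in SESSION_COOKIE_NAMES:
        # Session cookies must have HttpOnly and Secure, and SameSite Lax/Strict.
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
        samesite = attrs.get("samesite")
        if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
            findings.append(f"{name}: SameSite should be Lax or Strict (got {samesite!r})")

    # Heuristic: a URL-decoded value containing obvious PII keywords is
    # being stored in the clear.
    decoded = unquote(value).lower()
    if any(token in decoded for token in SENSITIVE_TOKENS):
        findings.append(f"{name}: value appears to contain plaintext sensitive data")

    return findings


def logout_clears_session(set_cookie_headers):
    """True if the logout response clears every session cookie.

    A cookie is cleared by Max-Age=0 or an Expires date in the past
    (the conventional epoch date is what this check recognises).
    """
    cleared = set()
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        expires = attrs.get("expires", "")
        if attrs.get("max-age") == "0" or (isinstance(expires, str) and "1970" in expires):
            cleared.add(name.lower())
    return SESSION_COOKIE_NAMES <= cleared


# Constructed samples: one compliant session cookie, one auth cookie that is
# missing HttpOnly and uses SameSite=None, and a preferences cookie holding an
# e-mail address in the clear.
SAMPLE_COOKIES = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "auth_token=xyz; Path=/; SameSite=None; Secure",
    "prefs=email%3Dalice%40example.com; Path=/",
]

if __name__ == "__main__":
    for cookie in SAMPLE_COOKIES:
        print(cookie.split(";")[0], "->", check_cookie(cookie) or "ok")
```

`parse_set_cookie` is intentionally simple: it does not handle a comma-joined `Set-Cookie` line (each header should be passed separately) and treats `Expires` values as opaque strings apart from the epoch check.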
CORS
Cross-Origin Resource Sharing — a browser security mechanism that controls whether a web page may make HTTP requests to, and read responses from, an origin (scheme, host and port) different from the one that served the page. For cross-origin requests that are not "simple" (non-standard methods, custom headers, or content types other than form or plain text), the browser first sends an `OPTIONS` preflight request; the server responds with `Access-Control-Allow-Origin` (and related) headers to grant or deny access. For API testers: misconfigured CORS is a common security vulnerability, and missing CORS headers cause silent failures in browser-based test environments.
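The preflight exchange and the "misconfigured CORS" point, as an added example that is not part of the glossary: a server-side origin allowlist that answers an `OPTIONS` preflight, and a checker that flags the response-header patterns a QA test should fail on (wildcard origin combined with credentials, an arbitrary `Origin` reflected back, a missing `Vary: Origin`, or no CORS headers at all for an origin that should be allowed). `ALLOWED_ORIGINS`, `ALLOWED_METHODS`, `ALLOWED_HEADERS` and the sample origins are constructed for this example.

```python
# Added example (not from the glossary): CORS allowlist handling for a server
# and a misconfiguration checker for QA. All allowlists and origins are constructed.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = ("GET", "POST", "DELETE")
ALLOWED_HEADERS = {"content-type", "authorization"}


def get_header(headers, name):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def cors_response_headers(request_origin, allow_credentials=True):
    """CORS headers for an actual request: exact allowlist match, never reflection."""
    if request_origin not in ALLOWED_ORIGINS:
        return {}  # no CORS headers: the browser blocks the cross-origin read
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",  # a cached grant for one origin must not be served to another
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def preflight_response(request_origin, requested_method, requested_headers=""):
    """Answer an OPTIONS preflight; returns (status, headers).

    requested_method / requested_headers are the values of the browser's
    Access-Control-Request-Method / Access-Control-Request-Headers headers.
    """
    headers = cors_response_headers(request_origin)
    if not headers or requested_method not in ALLOWED_METHODS:
        return 403, {}
    headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
    requested = [h.strip().lower() for h in requested_headers.split(",") if h.strip()]
    granted = [h for h in requested if h in ALLOWED_HEADERS]
    if granted:
        headers["Access-Control-Allow-Headers"] = ", ".join(granted)
    headers["Access-Control-Max-Age"] = "600"
    return 204, headers


def check_cors(request_origin, response_headers):
    """Flag common CORS misconfigurations in a response to the given Origin."""
    findings = []
    acao = get_header(response_headers, "Access-Control-Allow-Origin")
    creds = (get_header(response_headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    vary = (get_header(response_headers, "Vary") or "").lower()

    if acao is None:
        if request_origin in ALLOWED_ORIGINS:
            findings.append("allowed origin received no Access-Control-Allow-Origin (silent browser failure)")
        return findings
    if acao == "*":
        findings.append("wildcard Access-Control-Allow-Origin")
        if creds:
            findings.append("wildcard origin combined with Access-Control-Allow-Credentials: true")
        return findings
    if acao == request_origin and request_origin not in ALLOWED_ORIGINS:
        findings.append(f"request Origin {request_origin} reflected without an allowlist match")
    if "origin" not in vary:
        findings.append("Vary: Origin missing on a per-origin CORS response")
    return findings


if __name__ == "__main__":
    # Preflight from an allowed origin asking to DELETE with an Authorization header.
    print(preflight_response("https://app.example.com", "DELETE", "Authorization, X-Custom"))
    # Response that reflects whatever Origin it was sent, with credentials: flagged.
    print(check_cors("https://other.example", {
        "Access-Control-Allow-Origin": "https://other.example",
        "Access-Control-Allow-Credentials": "true",
    }))
```

The checker treats a bare wildcard as a finding rather than a hard failure; a public, unauthenticated API may legitimately use `*`, but it must never be paired with credentials, and an allowlisted API should answer each origin exactly and vary its cache key on `Origin`.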
Status Code
A three-digit HTTP response code indicating outcome — 2xx success, 3xx redirect, 4xx client error, 5xx server error. The first signal an API test asserts on.