HTTP Headers Explained: Key Types and Uses
Learn HTTP headers — content negotiation, caching, authentication, and CORS/CSP security — with networking interview Q&A.
Expected Interview Answer
HTTP headers are key-value metadata sent alongside a request or response that control behavior without touching the body — covering content negotiation (Accept, Content-Type), caching (Cache-Control, ETag), authentication (Authorization), and security policy (CORS, CSP, HSTS).
Request headers like Accept and Accept-Language let a client negotiate the response format and locale, while Content-Type tells the server (or client) how to parse the body that follows. Caching headers form a system of their own: Cache-Control directives (max-age, no-store, private) set caching policy, and ETag/Last-Modified enable conditional requests (If-None-Match/If-Modified-Since) so a server can reply 304 Not Modified instead of resending an unchanged body. Authentication typically rides in the Authorization header (Bearer tokens, Basic auth), while cross-origin behavior is governed by CORS response headers like Access-Control-Allow-Origin, which the browser — not the server — actually enforces against JavaScript reading the response. Security-oriented response headers like Strict-Transport-Security (HSTS) force future requests over HTTPS, and Content-Security-Policy restricts which sources scripts and assets may load from, both mitigating classes of attacks like protocol downgrade and XSS. Headers are case-insensitive by name and, since HTTP/2, are compressed via HPACK to reduce per-request overhead.
- Enables content negotiation without embedding logic in the body
- Powers conditional requests and caching to cut redundant transfers
- Carries authentication and authorization without polluting the URL
- Enforces cross-origin and transport security policy at the protocol level
AI Mentor Explanation
HTTP headers are like the information written on a scorecard envelope before you even open it — the format preference (Accept), the sender's credentials (Authorization), and handling instructions all sit on the outside without touching the scoresheet inside. A Cache-Control header is like a note saying “valid until stumps” so a runner does not need to fetch a fresh copy from the pavilion every over. An Authorization header is like a team badge checked at the gate before anyone even looks at the contents of the kit bag.
Step-by-Step Explanation
Step 1
Content negotiation
Accept and Content-Type headers let client and server agree on the format of the request and response bodies.
Step 2
Caching
Cache-Control sets policy; ETag/Last-Modified support conditional requests that return 304 Not Modified when unchanged.
Step 3
Authentication
The Authorization header carries credentials (Bearer token, Basic auth) so the server can identify the caller.
Step 4
Security policy
Response headers like CORS, CSP, and HSTS instruct the browser on cross-origin access, script sources, and forced HTTPS.
What Interviewer Expects
- Explains headers carry metadata separate from the body
- Names at least one header each for negotiation, caching, auth, and security
- Understands ETag/If-None-Match conditional request flow
- Knows CORS headers are enforced by the browser, not a server-side firewall
Common Mistakes
- Confusing CORS with a server-side security control that blocks requests
- Not knowing the difference between Cache-Control directives (no-store vs no-cache vs private)
- Assuming header names are case-sensitive
- Putting sensitive data in headers cached by shared/public caches
Best Answer (HR Friendly)
“HTTP headers are like extra notes attached to a web request or response that are not part of the actual content — they tell the server or browser things like what format you want the data in, whether you are logged in, whether it is safe to reuse a cached copy, and what security rules to enforce. They are a big part of how the web stays fast and secure without cluttering the actual data being sent.”
Code Example
# Inspect all response headers for a URL
curl -sI https://api.example.com/users/42
# Send an Authorization header with a bearer token
curl -s https://api.example.com/users/42 \
-H "Authorization: Bearer eyJhbGciOi..."
# Send a conditional request using a cached ETag
curl -sI https://api.example.com/users/42 \
-H 'If-None-Match: "33a64df551"'
# Request JSON explicitly via content negotiation
curl -s https://api.example.com/users/42 -H "Accept: application/json"Follow-up Questions
- What is the difference between Cache-Control: no-cache and no-store?
- How does the ETag/If-None-Match conditional request flow reduce bandwidth?
- Why is CORS enforced by the browser rather than acting as a server firewall?
- What does the Strict-Transport-Security header protect against?
MCQ Practice
1. Which header would a server use to tell the client a resource has not changed since last fetched?
The server compares the client-sent If-None-Match ETag; if unchanged, it returns 304 Not Modified instead of the body.
2. Who actually enforces CORS restrictions on cross-origin JavaScript requests?
CORS response headers are enforcement instructions the browser follows; a non-browser client can ignore them entirely.
3. Which header carries authentication credentials in most modern APIs?
The Authorization header carries credentials such as a Bearer token or Basic auth string.
Flash Cards
What is Content-Type for? — Tells the receiver how to parse the body (e.g. application/json).
What does ETag enable? — Conditional requests that can return 304 Not Modified instead of resending the body.
Who enforces CORS? — The requesting browser, not the origin server acting as a firewall.
What does HSTS do? — Forces the browser to only use HTTPS for future requests to that host.