6. HTTP Deep Dive — Headers, CORS, & HTTPS
HTTP Deep Dive
Now that you understand the basics of HTTP (requests, responses, methods, status codes), let's go deeper into the hidden metadata that powers the web: Headers, CORS, and HTTPS.
What Are HTTP Headers?
Headers are key-value pairs sent with every request and response. They are invisible to users but critical for servers and browsers. Think of them as the "envelope" of your letter — they don't contain the message, but they tell the postal service how to deliver it.
Here's what headers look like in a real request:
Let's break down the most important headers you'll use daily:
- Content-Type: Tells the server what format the request body is in. Values: application/json, text/html, multipart/form-data (for file uploads).
- Authorization: Carries authentication credentials. Almost always Bearer <token> for modern APIs.
- Accept: Tells the server what format the client wants back. Accept: application/json means "give me JSON, please."
- User-Agent: Identifies what browser or client is making the request. Used for analytics and compatibility.
- Cache-Control: Instructs the browser how long to store the response. Cache-Control: max-age=3600 means "keep this for 1 hour."
CORS — Cross-Origin Resource Sharing
Imagine you're logged into your bank's website at https://mybank.com. A malicious site https://evil.com tries to send a request to your bank's API to transfer money. Without CORS, that request would succeed — the browser would just send your bank cookies along with the request.
CORS is the security system that prevents this.
When a webpage at https://frontend.com tries to call an API at https://api.backend.com, the browser first sends a preflight request (using the OPTIONS method) asking: "Does api.backend.com allow requests from frontend.com?"
The server must respond with specific headers to grant permission:
The golden rule: Never use Access-Control-Allow-Origin: * in production. Whitelist only your specific frontend domain.
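To make the golden rule concrete, here is an added example (not code from the course) of a server-side CORS decision function in Node.js: it echoes back only an allowlisted Origin, answers the OPTIONS preflight, and never emits "*". The allowlist entries, allowed methods and sample origins are assumed values.

```javascript
// Added example: minimal CORS policy function for a Node.js API (no dependencies).
// Allowlist values below are constructed for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://myapp.com",          // the frontend origin used in the lesson
  "https://staging.myapp.com",  // constructed second deployment
]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["Authorization", "Content-Type"];

// Takes { method, headers } (header names lower-cased, as Node's http module
// delivers them) and returns the status and CORS headers to send back.
function corsHeaders(req) {
  const origin = req.headers["origin"];
  if (!origin) return { status: 200, headers: {} }; // same-origin or non-browser client

  // Exact match on the whole origin string. A prefix or substring test such as
  // origin.startsWith("https://myapp.com") would also accept
  // "https://myapp.com.evil.example", so compare the full value.
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: send no Access-Control-Allow-Origin at all, so the
    // browser refuses to expose the response to the calling page.
    return { status: req.method === "OPTIONS" ? 403 : 200, headers: {} };
  }

  const headers = {
    "Access-Control-Allow-Origin": origin, // echo the specific origin, never "*"
    "Vary": "Origin",                      // shared caches must key on Origin
  };

  if (req.method === "OPTIONS") {
    // Preflight: the browser asks "does this API allow <method> from <origin>?"
    const wanted = req.headers["access-control-request-method"];
    if (!ALLOWED_METHODS.includes(wanted)) return { status: 403, headers: {} };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // cache the preflight for 10 minutes
    return { status: 204, headers };
  }

  // Actual request from an allowed origin: the handler still applies its own
  // authentication and CSRF checks; CORS only governs what the browser may read.
  return { status: 200, headers };
}
```

Wire the returned headers into `res.writeHead(status, headers)` in an `http.createServer` handler and send the 403/204 preflight responses without a body.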
HTTPS — Why Encryption Matters
HTTP sends all data as plain text. If you're on public Wi-Fi (coffee shop, airport, hotel), anyone on the same network can see every request and response — including passwords, credit cards, and private messages.
HTTPS wraps every HTTP conversation inside TLS (Transport Layer Security) encryption. Even if someone intercepts the traffic, they see nothing but scrambled, unreadable ciphertext.
How to spot if a site is secure: Look for the padlock icon in your browser's address bar. If it's not there, do NOT enter any passwords or payment information.
Common Headers You'll Use
Request headers:
- Authorization: Bearer <token>
- Content-Type: application/json
- Accept: application/json
- Origin: https://myapp.com

Response headers:
- Access-Control-Allow-Origin: https://myapp.com
- Cache-Control: max-age=3600
- Content-Type: application/json
- X-Request-ID: req_abc123

Add an X-Request-ID header to every response. When something breaks, you can search your logs by that ID to trace exactly what happened for that specific user.