HTTP

Redirects (Often Confused)

• 307 vs 308: both preserve method; 307 temporary, 308 permanent—use these for POST/PUT redirects
• 301/302 may change POST to GET (browser behavior)—don't use for API redirects with body
• Include

  Location

  header with absolute URL—relative may fail in older clients
• Redirect loops: limit to 5-10 follows; infinite loops crash clients

Caching Combinations

• Cache-Control: no-store

  for sensitive data—never written to disk

• no-cache

  still caches but revalidates every time—not "don't cache"

• private, max-age=0, must-revalidate

  for user-specific, always-fresh content

• public, max-age=31536000, immutable

  for versioned static assets

• Vary: Accept-Encoding, Authorization

  when response depends on these headers—forgetting Vary breaks caching

Conditional Requests

• ETag

  +

  If-None-Match

  : prefer for APIs—content hash based
• Strong vs weak ETags:

  "abc"

  vs

  W/"abc"

  —weak allows semantically equivalent responses

• If-Match

  for optimistic locking: fail update if resource changed since read
• 412 Precondition Failed when

  If-Match

  fails—not 409 Conflict

CORS Preflight Triggers

• Custom headers (anything not Accept, Accept-Language, Content-Language, Content-Type simple values)
• Content-Type other than: application/x-www-form-urlencoded, multipart/form-data, text/plain
• PUT, DELETE, PATCH methods—even to same origin if other conditions met
• ReadableStream body—triggers preflight
• Preflight cached per

  Access-Control-Max-Age

  —set to 86400 to reduce OPTIONS spam

Security Headers (Always Set)

• Strict-Transport-Security: max-age=31536000; includeSubDomains

  —HSTS, once set can't easily undo

• X-Content-Type-Options: nosniff

  —prevents MIME sniffing attacks

• X-Frame-Options: DENY

  or

  SAMEORIGIN

  —prevents clickjacking

• Content-Security-Policy

  —complex but essential; start with report-only mode

Range Requests

• Accept-Ranges: bytes

  signals support—clients can request partial content

• Range: bytes=0-1023

  requests first 1024 bytes;

  bytes=-500

  requests last 500
• Return 206 Partial Content with

  Content-Range: bytes 0-1023/5000

• 416 Range Not Satisfiable if range invalid—include

  Content-Range: bytes */5000

Error Response Best Practices

• Structured JSON errors:

  {"error": {"code": "VALIDATION_FAILED", "message": "...", "details": [...]}}

• Include request ID in error response—enables log correlation
• Don't leak stack traces in production—log server-side, return generic message
• 409 Conflict for business rule violations (duplicate email, insufficient funds)—not just 400

Retry Patterns

• Retry only idempotent methods by default—GET, PUT, DELETE, HEAD
• POST retry needs idempotency key—

  Idempotency-Key: <client-generated-uuid>

• Exponential backoff: 1s, 2s, 4s, 8s... with jitter—prevents thundering herd
• Respect

  Retry-After

  header—can be seconds or HTTP date
• Set reasonable timeout (30s typical)—don't wait forever

Headers Often Forgotten

• Vary

  : must include headers that affect response—CORS without

  Vary: Origin

  breaks

• Content-Disposition: attachment; filename="report.pdf"

  for downloads

• X-Request-ID

  : generate if not present, propagate to downstream services

• Accept-Language

  for localized responses—respect with graceful fallback

Connection Behavior

• HTTP/1.1 without

  Content-Length

  or chunked = connection close after response

• Transfer-Encoding: chunked

  for streaming—can't set Content-Length
• HTTP/2 is binary, multiplexed—no head-of-line blocking at HTTP level
• WebSocket upgrade: GET with

  Connection: Upgrade

  ,

  Upgrade: websocket