Skip to main content

HTTP Headers and Caching

What Are HTTP Headers?

HTTP headers are key-value pairs of information transmitted in every HTTP request and response. They provide essential information about:

  • The browser's capabilities and preferences
  • The server's capabilities and rules
  • The resource being transferred
  • How to handle the data
  • Security parameters

Types of Headers

  1. Request Headers

    • Sent by client (browser) to server
    • Contain information about the request and client capabilities
    • Example: Browser type, accepted content types, language preferences

  2. Response Headers

    • Sent by server to client
    • Contain information about the response and server capabilities
    • Example: Content type, caching rules, security policies

Cache-Control Mechanisms

Purpose of Caching

Caching serves multiple purposes:

  1. Reduces server load
  2. Improves page load times
  3. Reduces bandwidth consumption
  4. Enhances user experience

Cache-Control Directives Explained

  1. no-store

    • Purpose: Prevents any caching
    • Use when: Handling sensitive data or real-time information
    Cache-Control: no-store

  2. no-cache

    • Purpose: Requires validation before using cached copy
    • Use when: Content changes frequently but can be cached
    Cache-Control: no-cache

  3. public vs private

    • public: Can be cached by any cache (browsers, CDNs)
    • private: Only browser can cache (for user-specific data)
    Cache-Control: private, max-age=3600

  4. max-age

    • Purpose: Specifies how long content can be cached
    • Use when: Content has known update intervals
    Cache-Control: public, max-age=86400

Resource Validation

ETags

Purpose: Provide a unique identifier for a specific version of a resource

How it works:

  1. Server sends ETag with response
  2. Browser sends If-None-Match in subsequent requests
  3. Server compares ETags
  4. Returns 304 if resource hasn't changed
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"

Last-Modified

Purpose: Time-based validation of resources

How it works:

  1. Server sends Last-Modified date
  2. Browser sends If-Modified-Since
  3. Server compares dates
  4. Returns 304 if resource hasn't changed
Last-Modified: Wed, 21 Oct 2023 07:28:00 GMT
If-Modified-Since: Wed, 21 Oct 2023 07:28:00 GMT

Security Headers Theory

Content Security Policy (CSP)

Purpose: Prevents XSS attacks and other code injection

Key aspects:

  1. Controls resource loading
  2. Specifies trusted sources
  3. Restricts inline scripts
  4. Prevents unwanted framing
Content-Security-Policy: default-src 'self'; script-src 'self' trusted-scripts.com

CORS (Cross-Origin Resource Sharing)

Purpose: Enables secure cross-origin requests

How it works:

  1. Browser sends Origin header
  2. Server checks if origin is allowed
  3. Server responds with appropriate CORS headers
  4. Browser enforces CORS policy
Access-Control-Allow-Origin: https://trusted-site.com
Access-Control-Allow-Methods: GET, POST

  1. HttpOnly

    • Prevents JavaScript access
    • Protects against XSS attacks

  2. Secure

    • Ensures cookies only sent over HTTPS
    • Prevents man-in-the-middle attacks

  3. SameSite

    • Controls cross-site cookie behavior
    • Prevents CSRF attacks
Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Strict

Performance Headers Theory

Compression Headers

Purpose: Reduces payload size

Process:

  1. Browser indicates supported compression methods
  2. Server compresses content accordingly
  3. Server indicates used compression method
  4. Browser decompresses content
Accept-Encoding: gzip, deflate, br
Content-Encoding: gzip

Connection Management

Purpose: Optimizes connection usage

Types:

  1. Keep-Alive

    • Reuses TCP connections
    • Reduces latency
    • Saves resources

  2. Transfer-Encoding

    • Enables chunked transfers
    • Allows streaming
    • Supports dynamic content

Status Codes Theory

Purpose of Status Codes

Status codes provide standardized communication about:

  1. Request success/failure
  2. Redirection needs
  3. Error conditions
  4. Server status

Categories:

Success (2xx)

  • 200 OK: Successful request
  • 201 Created: Resource created
  • 204 No Content: Success with no content

Redirection (3xx)

  • 301 Moved Permanently: Permanent redirect
  • 302 Found: Temporary redirect
  • 304 Not Modified: Cache valid

Client Error (4xx)

  • 400 Bad Request: Invalid request
  • 401 Unauthorized: Authentication required
  • 403 Forbidden: No permission
  • 404 Not Found: Resource not found
  • 429 Too Many Requests: Rate limit exceeded

Server Error (5xx)

  • 500 Internal Server Error: Server error
  • 502 Bad Gateway: Invalid upstream response
  • 503 Service Unavailable: Server temporarily unavailable

Caching Best Practices Theory

Static Assets

Strategy: Aggressive caching Reason: Content rarely changes

Cache-Control: public, max-age=31536000, immutable

Dynamic Content

Strategy: Conditional caching Reason: Content changes but can be reused

Cache-Control: private, must-revalidate, max-age=0

API Responses

Strategy: Validation caching Reason: Needs freshness checks

Cache-Control: private, no-cache
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"

Common Use Cases and Their Purposes

  1. Static Files (CSS, JS, Images)

    • Long cache times
    • Public caching
    • Versioned URLs

  2. User-Specific Data

    • Private caching
    • Short cache times
    • ETag validation

  3. API Endpoints

    • No caching for POST/PUT
    • Conditional caching for GET
    • CORS headers

  4. Security-Sensitive Pages

    • No caching
    • Strict security headers
    • HTTPS enforcement