Response Header in REST API: Examples & Key Headers

Published: 2023-02-14

Every REST API response contains more than just data. Alongside the response body, the server sends response headers that provide metadata about the response.

These headers help clients understand how to process the data, whether the response can be cached, what security policies apply, and how to handle future requests.

If you have ever inspected an API response in Postman, Chrome DevTools, or cURL, you have already worked with response headers.

To understand where response headers fit into API communication, first review how a REST API request and response pair works.

What Is a Response Header in REST API?

A response header is a key-value pair sent by the server as part of an HTTP response.

Response headers provide additional information about:

  • The format of the response data
  • Caching behavior
  • Security policies
  • Resource location
  • Allowed HTTP methods
  • Rate limiting rules

A typical HTTP response looks like this:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 87
Date: Mon, 15 Jul 2024 12:34:56 GMT

{
  "id": 123,
  "name": "John Doe"
}

In this example:

  • HTTP/1.1 200 OK is the status line.
  • Content-Type, Content-Length, and Date are response headers.
  • The JSON object is the response body.

If you are new to APIs, start with the guide What is REST API?

Why Response Headers Matter in REST APIs

Response headers influence how clients and intermediary systems handle responses.

They are important for several reasons:

Data Interpretation

Headers tell clients what type of content is being returned.

For example:

Content-Type: application/json

This tells the client that the response body contains JSON data.

Learn more about JSON and how it is commonly used in REST APIs.

Caching

Caching headers reduce unnecessary network traffic and improve performance.

Common caching headers include:

  • Cache-Control
  • ETag
  • Expires

These headers help browsers, CDNs, and proxies determine whether a cached response can be reused.

Security

Security-related headers protect users and applications from common web attacks.

Examples include:

  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Content-Type-Options
  • Referrer-Policy

The latest security header recommendations are maintained by the OWASP Secure Headers Project.

Rate Limiting

Many public APIs use headers to communicate usage limits.

Common examples include:

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 750
X-RateLimit-Reset: 1721000000

These headers help clients avoid exceeding API quotas.

Error Handling

Response headers can provide instructions when a request cannot be processed immediately.

Example:

Retry-After: 60

This tells the client to wait 60 seconds before retrying the request.
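The two headers just described, Retry-After and the X-RateLimit-* family, are only useful if the client actually honours them. The following Python is an added example (not the article's code) of a client-side back-off calculation: it accepts Retry-After as either delta-seconds or an HTTP-date (both forms are permitted by RFC 9110) and, when no Retry-After is present, falls back to the rate-limit window. The X-RateLimit-* names are a common convention rather than a standard, so reading X-RateLimit-Reset as a Unix timestamp is an assumption.

```python
"""Turn the rate-limit and Retry-After headers shown above into a back-off delay.

Added example, not from the original article. Retry-After may be
delta-seconds or an HTTP-date (both allowed by RFC 9110); the X-RateLimit-*
names are a common convention rather than a standard, so treating
X-RateLimit-Reset as a Unix timestamp is an assumption.
"""
from datetime import timezone
from email.utils import parsedate_to_datetime
from typing import Mapping, Optional


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: HTTP field names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def seconds_to_wait(headers: Mapping[str, str], now_epoch: float) -> float:
    """Seconds the client should pause before retrying; 0.0 if no back-off applies."""
    retry_after = get_header(headers, "Retry-After")
    if retry_after is not None:
        if retry_after.isdigit():
            return float(retry_after)                  # delta-seconds form, e.g. "60"
        try:
            when = parsedate_to_datetime(retry_after)  # HTTP-date form
        except (TypeError, ValueError):
            return 0.0                                 # unparseable value: ignore it
        if when.tzinfo is None:                        # a "-0000" zone yields a naive value
            when = when.replace(tzinfo=timezone.utc)
        return max(0.0, when.timestamp() - now_epoch)

    # No Retry-After: fall back to the rate-limit window once the quota is used up.
    remaining = get_header(headers, "X-RateLimit-Remaining")
    reset = get_header(headers, "X-RateLimit-Reset")
    if remaining == "0" and reset is not None and reset.isdigit():
        return max(0.0, int(reset) - now_epoch)
    return 0.0


if __name__ == "__main__":
    # Constructed sample headers, using the values from the examples on this page.
    limited = {"X-RateLimit-Limit": "1000", "X-RateLimit-Remaining": "0",
               "X-RateLimit-Reset": "1721000000"}
    print(seconds_to_wait({"Retry-After": "60"}, 1721000000.0))   # 60.0
    print(seconds_to_wait(limited, 1720999700.0))                  # 300.0
```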

6 Essential Response Headers Every Developer Should Know

Content-Type

The Content-Type header specifies the format of the response body.

Example:

Content-Type: application/json

Common values include:

  • application/json
  • application/xml
  • text/html
  • text/plain

Example response:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "id": 123,
  "username": "ashish"
}

Without the Content-Type header, clients may not know how to parse the response correctly.

Content-Length

The Content-Length header indicates the size of the response body in bytes.

Example:

Content-Length: 150

Benefits include:

  • Download progress tracking, since the client knows the total size up front
  • Efficient use of persistent connections, because the client knows exactly where the body ends
  • Simpler client-side processing, as buffers can be sized before the body arrives

Date

The Date header indicates when the server generated the response.

Example:

Date: Mon, 15 Jul 2024 12:34:56 GMT

This information is often used by caching systems and debugging tools.

ETag

The ETag header identifies a specific version of a resource.

Example:

ETag: "33a64df551425fcc55e4d42a148795d9f"

When the client requests the resource again, it can send the ETag back to the server.

If the resource has not changed, the server can return:

304 Not Modified

instead of sending the full response body again.

This reduces bandwidth usage and improves performance.
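The server side of this exchange is where the comparison rules matter: If-None-Match can carry `*` or a comma-separated list of tags, some marked weak with a `W/` prefix, and RFC 9110 specifies weak comparison for it. The Python below is an added example (not the article's code) of a handler that generates an ETag and answers 304 Not Modified when the client's tag still matches; deriving the tag from a SHA-256 prefix of the body is an assumption, as any opaque string that changes with the representation works.

```python
"""Server-side ETag / If-None-Match handling for the conditional GET above.

Added example, not the article's code. The tag format (a quoted SHA-256
prefix of the body) is an assumption; any opaque string that changes with
the representation works as an ETag.
"""
import hashlib
from typing import Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]


def etag_for(body: bytes) -> str:
    """Strong validator: a different tag for any byte-level change to the body."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def parse_etag_list(value: str) -> List[str]:
    """Split an If-None-Match list. W/ (weak) markers are dropped because
    If-None-Match is evaluated with the weak comparison function (RFC 9110)."""
    tags: List[str] = []
    for item in value.split(","):
        item = item.strip()
        if item.startswith("W/"):
            item = item[2:]
        if item:
            tags.append(item)
    return tags


def handle_get(body: bytes, request_headers: Dict[str, str]) -> Response:
    """Return (status, response headers, response body) for a GET of `body`."""
    current = etag_for(body)
    headers = {"ETag": current}
    condition = next((v for k, v in request_headers.items()
                      if k.lower() == "if-none-match"), None)
    if condition is not None:
        condition = condition.strip()
        if condition == "*" or current in parse_etag_list(condition):
            # The client's copy is still current: send validators only, no body.
            return 304, headers, b""
    headers["Content-Type"] = "application/json"
    headers["Content-Length"] = str(len(body))
    return 200, headers, body


if __name__ == "__main__":
    # Constructed sample body (the JSON object shown earlier on this page).
    user = b'{"id": 123, "name": "John Doe"}'
    status, hdrs, _ = handle_get(user, {})
    print(status, hdrs["ETag"])                                  # 200 "..."
    print(handle_get(user, {"If-None-Match": hdrs["ETag"]})[0])  # 304
```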

Location

The Location header points to a resource URI.

It is commonly returned after a successful POST request.

Example:

HTTP/1.1 201 Created
Location: /users/12345

The client can use this URI to access the newly created resource.

To understand resources better, read Resource in REST API.

Allow

The Allow header indicates which HTTP methods are supported by a resource.

Example:

Allow: GET, POST, PUT

This header frequently appears in 405 Method Not Allowed responses.

To understand HTTP methods in detail, see:

Other Useful Response Headers

Cache-Control

Controls caching behavior.

Example:

Cache-Control: max-age=3600

or

Cache-Control: no-cache

The official HTTP caching specification is available from the IETF HTTP Semantics RFC.

Expires

Defines when cached content becomes stale.

Example:

Expires: Wed, 21 Oct 2026 07:28:00 GMT

Retry-After

Tells the client when to retry a request.

Example:

Retry-After: 120

This is commonly used with:

  • 429 Too Many Requests
  • 503 Service Unavailable

Server

Identifies the server software handling the request.

Example:

Server: nginx

Many organizations intentionally limit or hide this information so that the software and version they run are not disclosed to clients.

Strict-Transport-Security (HSTS)

Tells browsers to connect to the site only over HTTPS for the duration given by max-age.

Example:

Strict-Transport-Security: max-age=31536000

This helps protect against protocol downgrade attacks.

Content-Security-Policy (CSP)

Defines which content sources browsers are allowed to load.

Example:

Content-Security-Policy: default-src 'self'

CSP helps reduce the risk of cross-site scripting (XSS) attacks.
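Checking for the presence of these headers is a routine part of reviewing an API deployment. The Python below is an added example (not the article's code) that audits a set of response headers against the values shown on this page: a one-year HSTS max-age, a CSP with a default-src fallback and no wildcard or 'unsafe-inline' script sources, X-Content-Type-Options set to nosniff, a Referrer-Policy, and a Server header that does not reveal a version. These thresholds are a baseline chosen here, not a complete OWASP Secure Headers Project evaluation.

```python
"""Audit a response for the security headers this page recommends.

Added example, not the article's code. Thresholds follow the values shown on
this page (one-year HSTS, CSP with default-src, nosniff, a Referrer-Policy,
no version in Server); a baseline, not a full OWASP Secure Headers review.
"""
import re
from typing import Dict, List


def get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup; empty string when the header is absent."""
    return next((v.strip() for k, v in headers.items() if k.lower() == name.lower()), "")


def csp_directives(csp: str) -> Dict[str, List[str]]:
    # "default-src 'self'; img-src https:" -> {"default-src": ["'self'"], "img-src": ["https:"]}
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings in check order; an empty list means every check passed."""
    findings: List[str] = []
    hsts = re.search(r"max-age=(\d+)", get_header(headers, "Strict-Transport-Security"))
    if not hsts:
        findings.append("HSTS missing or without max-age")
    elif int(hsts.group(1)) < 31536000:
        findings.append("HSTS max-age shorter than one year")
    csp = csp_directives(get_header(headers, "Content-Security-Policy"))
    if not csp:
        findings.append("CSP missing")
    elif "default-src" not in csp:
        findings.append("CSP has no default-src fallback")
    else:
        for directive in ("default-src", "script-src"):
            sources = csp.get(directive, [])
            if "*" in sources or "'unsafe-inline'" in sources:
                findings.append(f"CSP {directive} allows * or 'unsafe-inline'")
    if get_header(headers, "X-Content-Type-Options").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if not get_header(headers, "Referrer-Policy"):
        findings.append("Referrer-Policy missing")
    if re.search(r"\d", get_header(headers, "Server")):   # e.g. "nginx/1.18.0"
        findings.append("Server header discloses a version")
    return findings
```

Run it against the headers captured with `curl -I` or copied from the DevTools Headers panel; an empty list means the baseline is met.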

How to View Response Headers

Using Chrome DevTools

  1. Open Developer Tools.
  2. Navigate to the Network tab.
  3. Refresh the page or trigger the API request.
  4. Select the request.
  5. Open the Headers section.

You will see both request headers and response headers.

Using Postman

  1. Send an API request.
  2. Open the response panel.
  3. Select the Headers tab.

Postman displays all response headers returned by the server.

Using cURL

Run:

curl -I https://example.com

The -I option sends a HEAD request, so only the status line and response headers are returned, without the body.

Response Headers and HTTP Status Codes

Response headers and status codes work together.

For example:

HTTP/1.1 201 Created
Location: /users/12345

The status code tells the client that a resource was created.

The Location header tells the client where the resource exists.

To learn more, see HTTP Status Message in REST API.

FAQs About Response Headers in REST API

How do I view response headers?

You can inspect response headers using:

  • Chrome DevTools
  • Firefox Developer Tools
  • Postman
  • cURL
  • Wireshark

These tools are commonly used for API debugging and troubleshooting.

Are response headers mandatory in REST APIs?

Some headers are essential.

For example, Content-Type is usually required because clients need to know how to interpret the response body.

Other headers are optional but highly recommended for performance, security, and caching.

Can I create custom response headers?

Yes.

Applications can define custom headers to share additional metadata with clients.

Modern APIs typically avoid the older X- prefix and instead use descriptive names that clearly indicate their purpose.

Which response headers are used for caching?

The most common caching-related headers are:

  • Cache-Control
  • ETag
  • Expires
  • Last-Modified

These headers help reduce server load and improve response times.

Which response headers improve API security?

Common security headers include:

  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Content-Type-Options
  • Referrer-Policy

These headers help protect applications from several common web vulnerabilities.

Are response headers part of HTTP or REST?

Response headers are part of the HTTP protocol.

Since REST APIs use HTTP as their communication protocol, they rely heavily on HTTP response headers for metadata and control information.

For a deeper understanding of this relationship, read How REST API Related to HTTP.


Final Thoughts

Response headers are a critical part of every REST API response.

They help clients understand content formats, manage caching, enforce security policies, handle rate limits, and interact with resources more efficiently.

Whether you are building APIs, testing them, or troubleshooting production systems, understanding response headers will make it easier to diagnose issues and design reliable API integrations.
