## 16. Everyday HTTP headers

Headers are key–value pairs providing request/response metadata:
* **Host** – virtual host selection (mandatory in HTTP/1.1).
* **Content-Type** – media type of body (`application/json`).
* **Accept** – formats the client is willing to receive.
* **Authorization** – credentials (Basic, Bearer…).
* **User-Agent** – client software string.
* **Cookie / Set-Cookie** – session data.

Missing or wrong headers are a top cause of 4xx errors.

```bash
curl -H 'Accept: application/json' -H 'Authorization: Bearer <token>' \
     https://httpbin.org/headers | jq .
```

### Quick check

1. `Host` header is mandatory since:
  a. HTTP/1.0  b. HTTP/1.1

2. True / False `Content-Type` is required on POST with JSON body.

<details><summary>Answer key</summary>

1. **b**.
2. **True** – many APIs return 415 otherwise.

</details>

## 17. Chunked transfer & keep‑alive

`Transfer-Encoding: chunked` lets the server stream data without knowing total length.
Each chunk: `<hex length>\r\n<data>\r\n` … finish with `0\r\n\r\n`.
Persistent connections (`Connection: keep-alive`) reuse the TCP socket, avoiding handshake overhead.

```bash
curl -N https://httpbin.org/stream/3
```

### Quick check

1. Chunk header length is encoded in:
  a. decimal  b. hexadecimal

2. True / False Keep‑alive is the default in HTTP/1.1.

<details><summary>Answer key</summary>

1. **b**.
2. **True**.

</details>

## 18. CORS preflight

Browsers enforce the Same‑Origin Policy. A cross‑site `fetch` with non‑simple method or headers sends a preflight `OPTIONS` request containing `Origin` and `Access-Control-Request-*` headers.
Server must reply with corresponding `Access-Control-Allow-*` headers, else browser blocks the real request.

```bash
curl -i -X OPTIONS https://httpbin.org/anything \
     -H 'Origin: https://foo.com' \
     -H 'Access-Control-Request-Method: PUT'
```

### Quick check

1. `Access-Control-Allow-Origin: *` permits credentials cookies?
  a. yes  b. no

2. True / False CORS is enforced by browsers, not the server.

<details><summary>Answer key</summary>

1. **b** – wildcard forbids credentials.
2. **True**.

</details>

## 19. Idempotency & safety of HTTP verbs

* **Safe**: GET, HEAD – no state change expected.
* **Idempotent**: GET, PUT, DELETE – repeat → same end state.
POST is neither; retries risk duplicates. Some APIs use an `Idempotency-Key` header to make POST safe.

```text
Stripe recommends including `Idempotency-Key: <uuid>` on POST /charges so duplicate network retries don’t double‑charge.
```

### Quick check

1. DELETE repeated twice should:
  a. error second time  b. succeed both with same result

2. True / False PATCH is guaranteed idempotent by spec.

<details><summary>Answer key</summary>

1. **b**.
2. **False** – depends on implementation.

</details>

## 20. REST constraints overview

Fielding’s REST constraints:
1. **Client‑server** separation
2. **Stateless** – no session stored server‑side
3. **Cacheable** – responses mark themselves cacheable or not
4. **Uniform interface** – resource identifiers (URIs) + standard verbs
5. **Layered system** – intermediaries allowed (proxies, gateways)
6. *(Optional)* **Code‑on‑demand** – server can send executable code to extend client
HATEOAS: clients navigate via links in representations.

```json
{
  "id": 42,
  "state": "processing",
  "_links": {
    "cancel": { "href": "/orders/42/cancel" }
  }
}
```

### Quick check

1. REST requires server to store session state?
  a. yes  b. no

2. True / False HATEOAS is an optional but original REST principle.

<details><summary>Answer key</summary>

1. **b**.
2. **True**.

</details>