WEB API's Lesson 8 – Request and Response | Dataplexa

Web APIs

I. API Fundamentals
1. Introduction to Web APIs 2. What is an API 3. API Types 4. Client–Server Model 5. HTTP Basics 6. HTTP Methods 7. HTTP Status Codes 8. Request and Response
II. RESTful APIs & HTTP
9. REST Architecture 10. REST Principles 11. Designing REST APIs 12. Resource Modeling 13. CRUD Operations 14. Pagination & Filtering 15. Versioning APIs 16. Error Handling in APIs
III. Advanced APIs & Security
17. Authentication Basics 18. Authorization 19. API Keys 20. OAuth Basics 21. JWT Authentication 22. CORS 23. Rate Limiting 24. API Security Best Practices
IV. Projects, Testing & Best Practices
25. API Documentation 26. OpenAPI & Swagger 27. Testing APIs 28. Postman 29. Monitoring & Logging 30. API Performance 31. Mini Project – REST API 32. Mini Project – Auth API 33. Mini Project – API Gateway 34. API Case Study 35. Real-World Use Cases 36. Project Planning 37. Final Project 38. Deployment 39. Course Review 40. Career Roadmap
Web APIs · Lesson 8

Request and Response

Master the anatomy of HTTP messages and how data flows between clients and servers.

Every time you check your bank balance on your phone, a request flies across the internet to your bank's servers. Milliseconds later, a response carries your account data back. This conversation happens billions of times daily across the web, yet most developers never peek inside these messages to understand what makes them tick.

HTTP requests and responses are the envelopes that carry your API data. Just like postal mail needs addresses, stamps, and proper formatting, HTTP messages follow strict rules about how information gets packaged and delivered.

When you understand request and response structure, debugging API issues becomes straightforward. Missing data? Check the request body. Authentication failing? Look at the headers. Slow performance? Examine response sizes.

Anatomy of an HTTP Request

An HTTP request breaks down into four distinct parts that work together to tell a server exactly what you want. Think of it like filling out a detailed order form at a restaurant — you need to specify the dish, table number, dietary restrictions, and payment method.

The request line comes first and contains three critical pieces: the HTTP method (GET, POST, PUT, DELETE), the target URL path, and the HTTP version. This line tells the server what action to perform and where to perform it.

Headers follow next, carrying metadata about the request. These include content type, authentication credentials, accepted response formats, and browser information. Headers work like instruction labels on a package — they tell the server how to handle what's inside.

1
Request Line: Method + URL + HTTP Version
2
Headers: Metadata and Instructions
3
Empty Line: Separator
4
Request Body: Actual Data (optional)

An empty line signals the end of headers and the start of the request body. This separator is mandatory — without it, servers can't distinguish between headers and data.

The request body carries the actual data you're sending, like form submissions, file uploads, or JSON payloads. GET requests typically have no body, while POST and PUT requests use bodies to send information to the server.

Real Request Example

When you log into GitHub, your browser sends a POST request with your username and password in the body, Content-Type header set to application/json, and Authorization header containing session tokens. The request line might look like: POST /login HTTP/1.1

HTTP Headers Deep Dive

Headers transform basic HTTP requests into sophisticated communication tools. While you can technically send a request with just a method and URL, headers add the intelligence that makes modern web applications possible.

Content-Type tells the server what format your data uses. Send JSON? Use application/json. Uploading a file? Use multipart/form-data. Submit a web form? Use application/x-www-form-urlencoded. Get this wrong and servers reject your request entirely.

Authorization headers carry credentials that prove your identity. Basic auth encodes username and password. Bearer tokens carry JWT or API key data. OAuth flows use complex token exchanges. Without proper authorization, you get 401 Unauthorized responses.

Request Headers

Content-Type, Authorization, Accept, User-Agent, Accept-Language

Response Headers

Content-Type, Content-Length, Cache-Control, Set-Cookie, Location

Security Headers

X-API-Key, X-CSRF-Token, X-Frame-Options, Strict-Transport-Security

Custom Headers

X-Request-ID, X-Forwarded-For, X-Rate-Limit-Remaining

Accept headers tell servers what response formats you can handle. Accept: application/json means you want JSON back. Accept: text/html requests HTML pages. Accept: */* means you'll take anything the server sends.

User-Agent identifies your client software to the server. Browsers send detailed version info. API clients often send custom identifiers. Some servers block requests with missing or suspicious User-Agent values.

Custom headers starting with X- let you pass application-specific data. Stripe uses X-Stripe-Version for API versioning. Many services use X-Request-ID for tracing requests through distributed systems.

Response Structure and Components

HTTP responses mirror request structure but carry different information. Instead of asking for something, responses deliver what was requested along with metadata about the transaction.

The status line opens every response with the HTTP version, status code, and reason phrase. HTTP/1.1 200 OK means success. HTTP/1.1 404 Not Found means the resource doesn't exist. HTTP/1.1 500 Internal Server Error means something broke on the server.

Response headers provide crucial metadata about what's being returned. Content-Length tells you how many bytes to expect. Content-Type describes the data format. Cache-Control explains how long browsers can store the response.

Component Purpose Example
Status Line Indicates success or failure HTTP/1.1 201 Created
Response Headers Metadata about the response Content-Type: application/json
Empty Line Separates headers from body (blank line)
Response Body The actual data requested {"user": "john", "active": true}

Location headers appear in redirect responses to tell clients where to go next. When you visit a shortened URL, the response includes Location: https://actual-destination.com along with a 301 or 302 status code.

Set-Cookie headers establish sessions and store user preferences. These cookies get automatically included in future requests to the same domain, enabling stateful interactions across multiple API calls.

Response Size Matters

Twitter's API returns over 150 fields in tweet objects, but mobile apps only need 10-15 for display. Smart APIs offer field selection to reduce response sizes from 50KB to 5KB, dramatically improving mobile performance.

Content Types and Data Formats

Content-Type headers bridge the gap between raw bytes and meaningful data structures. Send the wrong content type and servers either reject your request or misinterpret your data completely.

JSON dominates modern API communication because it's lightweight, readable, and supported everywhere. application/json tells servers to expect structured data with strings, numbers, arrays, and objects. Most REST APIs default to JSON for both requests and responses.

Form data uses application/x-www-form-urlencoded for simple key-value pairs or multipart/form-data when uploading files. Web browsers automatically choose the right format based on form attributes and input types.

Structured Data

application/json - Most common API format

application/xml - Legacy systems and SOAP

text/csv - Data exports and imports

Binary Content

image/jpeg - Photo uploads and downloads

application/pdf - Document generation

application/octet-stream - Generic binary data

XML still appears in enterprise systems and government APIs, despite JSON's popularity. application/xml or text/xml content types signal XML payload structure with opening tags, closing tags, and attribute-based metadata.

Binary content types handle non-text data like images, videos, and documents. image/jpeg, image/png, and application/pdf tell servers and clients exactly what binary format to expect.

Character encoding matters more than most developers realize. UTF-8 has become the standard, but older systems might expect Latin-1 or other encodings. Content-Type: application/json; charset=utf-8 removes all ambiguity.

APIForge Request-Response Flow

The APIForge backend team discovered that understanding request-response anatomy cut their debugging time in half. Instead of guessing why API calls failed, they learned to read the conversation between client and server.

When APIForge's mobile app creates a new project, it sends a POST request to /api/projects with project details in JSON format. The request includes an Authorization header with the user's JWT token and Content-Type set to application/json.

The server validates the token, processes the project data, stores it in the database, and returns a 201 Created status with the new project object. The response includes a Location header pointing to the project's API endpoint.

Common Request Mistakes

Missing Content-Type headers cause 400 Bad Request errors. Malformed JSON triggers parsing failures. Invalid Authorization tokens return 401 Unauthorized. Wrong HTTP methods get 405 Method Not Allowed responses. Each error tells you exactly what went wrong.

APIForge's frontend team logs full request-response pairs during development to spot patterns. They notice that 404 errors often indicate outdated API endpoints, while 422 errors point to validation problems in request data.

Response headers tell APIForge's caching layer how long to store data. Cache-Control: max-age=300 means cache for 5 minutes. ETag headers enable conditional requests that save bandwidth when data hasn't changed.

Request-Response Optimization

Smart developers optimize both sides of the HTTP conversation to improve performance and user experience. Small changes in request structure can dramatically reduce response times and server load.

Request compression using gzip encoding shrinks JSON payloads by 60-80%. Add Accept-Encoding: gzip to your requests and Content-Encoding: gzip when sending large request bodies. The bandwidth savings add up quickly.

Conditional requests use If-Modified-Since or If-None-Match headers to avoid downloading unchanged data. Send the ETag from your previous response, and servers return 304 Not Modified if nothing changed, saving bandwidth and processing time.

Shopify's REST API includes X-Shopify-Shop-Api-Call-Limit headers in every response to show current rate limit usage. Clients can throttle requests before hitting limits, avoiding 429 Too Many Requests errors that disrupt user experience.

Response streaming handles large datasets without memory bloat. Instead of building massive JSON arrays in memory, servers can stream results one record at a time. Clients process data as it arrives rather than waiting for complete responses.

Connection reuse through HTTP/1.1 persistent connections or HTTP/2 multiplexing reduces overhead. Opening new TCP connections for every request adds 50-200ms latency. Keep connections alive and reuse them for multiple requests.

Request batching combines multiple operations into single API calls. Instead of making 50 separate requests to update user profiles, batch them into one request with an array of updates. The server processes all changes in one transaction.

Security in Request-Response Patterns

HTTP messages carry sensitive data across public networks, making security a fundamental concern rather than an afterthought. Every header, every payload, and every response can become an attack vector if not properly protected.

Request validation stops malicious payloads before they reach your application logic. Check content types, validate JSON schemas, sanitize string inputs, and enforce size limits. Reject requests that don't match expected patterns immediately.

Sensitive data should never appear in URLs or query parameters because they get logged by proxies, load balancers, and web servers. Put confidential information in request bodies with proper encryption and Content-Type headers.

Header Injection Attacks

Attackers can inject malicious headers if you build HTTP requests from user input without validation. Always sanitize header values, remove newline characters, and use parameterized request builders instead of string concatenation.

Response headers can leak information about your infrastructure. Remove or mask Server headers that reveal software versions. Avoid exposing internal error details in production responses. Generic error messages frustrate attackers while helping legitimate users.

HTTPS encryption protects the entire HTTP conversation, including headers and bodies. But remember that SSL/TLS only secures data in transit. Log files, database storage, and memory dumps can still expose sensitive information.

Request signing uses cryptographic signatures to verify message integrity and authenticity. AWS, Google Cloud, and other services require signed requests with HMAC or RSA signatures in Authorization headers to prevent tampering.

Quiz

1. The APIForge mobile app needs to authenticate users when creating new projects. Where should the JWT token be placed in the HTTP request?

2. When APIForge successfully creates a new user account, what should the response status line contain?

3. APIForge needs to send user profile data as JSON in a PUT request. Which header is essential for the server to process this correctly?

Up Next
REST Architecture
APIForge adopts REST principles to design scalable and predictable APIs that follow web standards.
← Previous Course Index Next →