HTTP Security

Security headers, cookie hardening, CORS policy design, and defensive API behavior.

HTTP Headers

Access-Control-Allow-Credentials Header

Learn how Access-Control-Allow-Credentials controls whether browsers expose a response to a cross-origin request that carried credentials (cookies, Authorization headers, TLS client certificates). Its only valid value is true, and it cannot be combined with a wildcard Access-Control-Allow-Origin.

HTTP Headers

Access-Control-Allow-Headers Header

Learn how Access-Control-Allow-Headers, sent in a CORS preflight response, lists which request headers beyond the CORS-safelisted set the actual cross-origin request may use.

HTTP Headers

Access-Control-Allow-Methods Header

Learn how Access-Control-Allow-Methods specifies which HTTP methods are permitted for cross-origin requests in CORS preflight responses.

HTTP Headers

Access-Control-Allow-Origin

Learn how Access-Control-Allow-Origin controls which origins can access resources in CORS. Covers wildcard, specific origin, and credential configurations.

HTTP Headers

Access-Control-Request-Headers Header

Learn how the browser uses Access-Control-Request-Headers in a preflight request to tell the server which non-safelisted headers the actual cross-origin request will carry. Essential for preflight request handling.

HTTP Headers

Access-Control-Request-Method Header

Learn how Access-Control-Request-Method tells servers which HTTP method will be used in the actual CORS request. Essential for preflight request handling.

HTTP Headers

Content-Security-Policy Header

Learn how Content-Security-Policy (CSP) defines security policies to prevent XSS, clickjacking, and code injection. Master CSP directives and best practices.

HTTP Headers

Cross-Origin-Embedder-Policy

Learn how Cross-Origin-Embedder-Policy (COEP) restricts the cross-origin resources a document may load to those that opt in via CORS or CORP. Together with COOP it enables cross-origin isolation, which is required for SharedArrayBuffer and high-resolution timers.

HTTP Headers

Cross-Origin-Opener-Policy

Learn how Cross-Origin-Opener-Policy (COOP) places your document in its own browsing context group, severing the window.opener link with cross-origin pages. Together with COEP it enables cross-origin isolation, which is required for SharedArrayBuffer.

HTTP Headers

Cross-Origin-Resource-Policy

Learn how Cross-Origin-Resource-Policy (CORP) lets a server refuse no-cors cross-origin loads of a resource (for example via img or script tags), limiting its exposure to Spectre-style side channels and data leaks.

HTTP Headers

Origin Header

Learn how the browser-set Origin header identifies the origin a cross-origin request came from. Essential for CORS allowlisting and, as a defense-in-depth check, for rejecting cross-site request forgery.

HTTP Headers

Permissions-Policy Header

Learn how the Permissions-Policy header controls which browser features and APIs can be used in your site and embedded iframes. Enhance security and privacy.

HTTP Headers

Referrer-Policy Header

Learn how Referrer-Policy controls how much referrer information is sent with requests. Protect user privacy while maintaining analytics functionality.

HTTP Headers

Strict-Transport-Security Header

Learn how Strict-Transport-Security (HSTS) instructs browsers to reach a host only over HTTPS after a first secure visit (or from the start, with preload), covering subdomains when includeSubDomains is set, and so prevents protocol downgrade and man-in-the-middle attacks.

HTTP Headers

X-Content-Type-Options Header

Learn how X-Content-Type-Options with nosniff prevents browsers from MIME-sniffing responses. Protect against XSS attacks from content type confusion.

HTTP Headers

X-Forwarded-Proto

Learn how the X-Forwarded-Proto header tells an origin server the original scheme (http or https) a client used to reach a proxy or load balancer. Trust it only when your own proxy sets it and strips any client-supplied copy.

HTTP Headers

X-Frame-Options Header

Learn how X-Frame-Options prevents clickjacking attacks by controlling whether your pages can be embedded in frames, iframes, or objects on other sites. The CSP frame-ancestors directive supersedes it in modern browsers.

HTTP Headers

X-XSS-Protection Header

Deprecated header that enabled the browser's built-in filter for reflected cross-site scripting. Modern browsers have removed the filter, and the recommended value is 0 (or omitting the header); rely on Content-Security-Policy instead.
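The headers in this cluster are easiest to reason about together, so here is an audit that checks a response's header map for missing or weak values of the ones listed above (HSTS, CSP, framing control, nosniff, X-XSS-Protection, Referrer-Policy, Permissions-Policy and the COOP/COEP pair). This is an added example, not code from the original page; the function name, the thresholds and both sample responses are assumptions constructed for it, and it assumes the response was served over HTTPS, since browsers ignore HSTS otherwise.

```javascript
// Added example: audit an HTTPS response's headers against the hardening
// headers listed on this page. auditResponseHeaders, parseCsp and the two
// sample responses are constructed for this example, not taken from the page.

const ONE_YEAR = 31536000;

// Parse a CSP string into a Map of directive name -> [source values].
function parseCsp(csp) {
  const directives = new Map();
  for (const raw of csp.split(';')) {
    const [name, ...values] = raw.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Return a list of findings (empty == nothing to fix) for a header object.
// Header names are matched case-insensitively; values are taken as strings.
function auditResponseHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  // Strict-Transport-Security: long max-age, and cover subdomains so an
  // attacker-controlled subdomain cannot be reached over plaintext HTTP.
  const hsts = h['strict-transport-security'];
  if (!hsts) findings.push('HSTS missing');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m) findings.push('HSTS has no max-age');
    else if (Number(m[1]) < ONE_YEAR) findings.push(`HSTS max-age ${m[1]} is under one year`);
    if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }

  // Content-Security-Policy: the script sources are what stop injected scripts.
  const csp = h['content-security-policy'];
  let hasFrameAncestors = false;
  if (!csp) findings.push('CSP missing');
  else {
    const d = parseCsp(csp);
    hasFrameAncestors = d.has('frame-ancestors');
    const scriptSrc = d.get('script-src') || d.get('default-src');
    if (!scriptSrc) findings.push('CSP has neither script-src nor default-src');
    else {
      const usesNonceOrHash = scriptSrc.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
      if (scriptSrc.includes("'unsafe-inline'") && !usesNonceOrHash) {
        findings.push("CSP script-src allows 'unsafe-inline' without a nonce or hash");
      }
      if (scriptSrc.includes('*')) findings.push('CSP script-src allows *');
    }
  }

  // Clickjacking: frame-ancestors supersedes X-Frame-Options, but either beats nothing.
  if (!hasFrameAncestors && !h['x-frame-options']) {
    findings.push('no framing control: set CSP frame-ancestors (X-Frame-Options as fallback)');
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options: nosniff missing');
  }

  // X-XSS-Protection is deprecated; any value other than 0 asks for a removed filter.
  const xss = h['x-xss-protection'];
  if (xss !== undefined && xss.trim() !== '0') {
    findings.push('X-XSS-Protection enables the deprecated filter; set 0 or remove it');
  }

  const rp = (h['referrer-policy'] || '').toLowerCase();
  if (!rp) findings.push('Referrer-Policy missing');
  else if (rp === 'unsafe-url' || rp === 'no-referrer-when-downgrade') {
    findings.push(`Referrer-Policy ${rp} sends full URLs to other origins`);
  }

  if (!h['permissions-policy']) findings.push('Permissions-Policy missing');

  // COOP and COEP only give cross-origin isolation when both are set.
  const coopIsolates = h['cross-origin-opener-policy'] === 'same-origin';
  const coep = h['cross-origin-embedder-policy'];
  const coepIsolates = coep === 'require-corp' || coep === 'credentialless';
  if (coopIsolates !== coepIsolates) {
    findings.push('COOP and COEP set inconsistently; cross-origin isolation needs both');
  }
  return findings;
}

// Constructed sample responses (not captured from any real server).
const WEAK_RESPONSE = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=300',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'X-XSS-Protection': '1; mode=block',
  'Referrer-Policy': 'unsafe-url',
};
const HARDENED_RESPONSE = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Embedder-Policy': 'require-corp',
};

console.log('weak:', auditResponseHeaders(WEAK_RESPONSE));
console.log('hardened:', auditResponseHeaders(HARDENED_RESPONSE));
```

Run it against the headers returned by `curl -sI https://your-host/` (converted to an object) to get the same list a scanner would produce. The CSP check is deliberately narrow: it only looks at script sources, because a policy that is otherwise strict but allows unsanctioned inline scripts gives no XSS protection at all.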

Cookie Attributes

HttpOnly Cookie Attribute: XSS Protection

Learn how the HttpOnly cookie attribute protects against XSS attacks by preventing JavaScript access to sensitive cookies.

Cookie Attributes

SameSite Cookie Attribute: CSRF Protection

Learn how the SameSite cookie attribute prevents CSRF attacks, the differences between Strict, Lax, and None, and when to use each.

Cookie Attributes

Secure Cookie Attribute: HTTPS-Only Transmission

Learn how the Secure cookie attribute ensures a cookie is only sent over HTTPS connections, so a man-in-the-middle on a plaintext HTTP connection cannot capture it.

Guides

Cookie Security: HttpOnly, SameSite, and Secure Flags

A comprehensive guide to understanding and implementing secure HTTP cookies to protect against XSS, CSRF, and session hijacking attacks.
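As an added example for the guide above and the three cookie attribute entries before it (not code from the original page), the following builds a session cookie with every flag set and audits arbitrary Set-Cookie values for the flags that are missing. The function names, the __Host- prefix policy and the sample headers are assumptions constructed for this example.

```javascript
// Added example: build a hardened session cookie and audit arbitrary Set-Cookie
// values for the HttpOnly, SameSite and Secure attributes. buildSessionCookie,
// auditSetCookie and the sample headers are constructed for this example.

const SAMESITE_VALUES = new Set(['strict', 'lax', 'none']);

// Parse one Set-Cookie value into { name, value, attrs }. Attribute names are
// case-insensitive (RFC 6265), so they are stored lower-cased; flag attributes
// without a value (Secure, HttpOnly) are stored as true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('Set-Cookie must start with name=value');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1), attrs };
}

// Return findings for a session cookie; an empty list means all three flags
// are present and any __Host-/__Secure- prefix contract is honoured.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;

  if (!attrs.secure) findings.push('missing Secure: cookie is sent over plaintext HTTP');
  if (!attrs.httponly) findings.push('missing HttpOnly: readable through document.cookie after XSS');
  if (sameSite === undefined) {
    findings.push('missing SameSite: relying on the browser default (Lax in Chromium, unset elsewhere)');
  } else if (!SAMESITE_VALUES.has(sameSite)) {
    findings.push(`unknown SameSite value "${attrs.samesite}"`);
  } else if (sameSite === 'none' && !attrs.secure) {
    findings.push('SameSite=None requires Secure; browsers reject the cookie otherwise');
  }

  // Cookie prefixes are enforced by the browser: a cookie that breaks the
  // contract is silently dropped, which shows up as "users keep logging out".
  if (name.startsWith('__Host-')) {
    if (!attrs.secure) findings.push('__Host- prefix requires Secure');
    if (attrs.path !== '/') findings.push('__Host- prefix requires Path=/');
    if ('domain' in attrs) findings.push('__Host- prefix forbids the Domain attribute');
  } else if (name.startsWith('__Secure-') && !attrs.secure) {
    findings.push('__Secure- prefix requires Secure');
  }
  return findings;
}

// Build a Set-Cookie value with every hardening flag set. The __Host- prefix
// pins the cookie to this exact host over HTTPS, so a sibling subdomain cannot
// overwrite it (session fixation by cookie tossing).
function buildSessionCookie(name, value, { sameSite = 'Lax', maxAge } = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('cookie value must not contain whitespace, ; , " or \\');
  if (!SAMESITE_VALUES.has(String(sameSite).toLowerCase())) throw new Error('invalid SameSite value');
  const parts = [`__Host-${name}=${value}`, 'Path=/', 'Secure', 'HttpOnly', `SameSite=${sameSite}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${Math.floor(maxAge)}`);
  return parts.join('; ');
}

console.log(buildSessionCookie('sid', 'abc123', { maxAge: 3600 }));
console.log(auditSetCookie('sid=abc123; Path=/'));
```

`auditSetCookie` is the function to point at a response's Set-Cookie headers during a review; `buildSessionCookie` is the shape the login handler should emit. SameSite=None is allowed only because some cross-site embedding cases genuinely need it; for a first-party session cookie, Lax or Strict is the right default.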

Guides

Cross-Origin Resource Sharing (CORS)

Master Cross-Origin Resource Sharing (CORS) for secure cross-origin HTTP requests. Learn preflight requests, headers, credentials, and common error solutions.
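The CORS header entries above (Access-Control-Allow-Origin, -Allow-Credentials, -Allow-Methods, -Allow-Headers, and the Access-Control-Request-* preflight headers) are best shown as one server-side decision. The following is an added example, not code from the original page or any library: it computes the CORS part of a response for a hypothetical credentialed API. The origin allowlist, the header allowlist and the function names are assumptions of the example.

```javascript
// Added example: compute CORS response headers for a hypothetical credentialed
// API. ALLOWED_ORIGINS, ALLOWED_HEADERS, corsResponse and the sample request
// are assumptions of this example, not code from the original page.

const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = new Set(['content-type', 'authorization', 'x-csrf-token']);
const PREFLIGHT_MAX_AGE = 600; // seconds a browser may cache the preflight result

// Exact-match allowlist: no startsWith, endsWith or regex, so
// https://app.example.com.evil.net and the opaque "null" origin are rejected.
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Given { method, headers } (header names lower-cased, as Node's http module
// delivers them), return { status, headers } for the CORS part of the reply.
function corsResponse(req) {
  const origin = req.headers.origin;
  // Vary: Origin on every path, or a shared cache could serve one origin's
  // Access-Control-Allow-Origin to another.
  const headers = { vary: 'Origin' };
  const withoutCors = (status) => ({ status, headers: { vary: 'Origin' } });

  // No CORS headers at all for unknown origins: the browser withholds the
  // response from the page. Server-side CSRF defenses still apply separately.
  if (!isAllowedOrigin(origin)) return withoutCors(req.method === 'OPTIONS' ? 403 : 200);

  // Echo the validated origin. With credentials, '*' is not permitted, and
  // reflecting an unvalidated Origin would hand the session to any site.
  headers['access-control-allow-origin'] = origin;
  headers['access-control-allow-credentials'] = 'true';

  const isPreflight = req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  if (!isPreflight) return { status: 200, headers };

  const wantMethod = req.headers['access-control-request-method'].toUpperCase();
  if (!ALLOWED_METHODS.includes(wantMethod)) return withoutCors(403);

  const wantHeaders = (req.headers['access-control-request-headers'] || '')
    .split(',').map((n) => n.trim().toLowerCase()).filter(Boolean);
  if (wantHeaders.some((n) => !ALLOWED_HEADERS.has(n))) return withoutCors(403);

  headers['access-control-allow-methods'] = ALLOWED_METHODS.join(', ');
  if (wantHeaders.length) headers['access-control-allow-headers'] = wantHeaders.join(', ');
  headers['access-control-max-age'] = String(PREFLIGHT_MAX_AGE);
  return { status: 204, headers };
}

// Constructed preflight, as a browser would send before a credentialed POST.
console.log(corsResponse({
  method: 'OPTIONS',
  headers: {
    origin: 'https://app.example.com',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'Content-Type, X-CSRF-Token',
  },
}));
```

In a Node handler the result maps directly onto `res.writeHead(status, headers)`, and for a preflight the body stays empty. Two points the example encodes on purpose: a rejected origin gets no Access-Control-* headers rather than an error body the page could read, and Access-Control-Allow-Credentials is only ever paired with a specific, validated origin, never with `*`.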

Guides

HTTPS and TLS: How Secure Connections Work

Beginner-to-advanced guide to HTTP vs HTTPS, TLS basics, migration checklists, and HTTP/1.1 vs HTTP/2 tradeoffs for production systems.
