Apa itu header HTTP dan mengapa penting?

Header HTTP adalah pasangan kunci-nilai yang dikirim dengan setiap permintaan dan respons HTTP. Mereka membawa metadata tentang komunikasi: kredensial autentikasi, tipe konten, instruksi caching, kebijakan CORS, cookie, dan lainnya. Header memungkinkan server dan klien bernegosiasi tentang cara pertukaran data tanpa mengenkode semuanya di URL atau body.

Apa perbedaan antara header permintaan dan header respons?

Header permintaan dikirim oleh klien (browser/aplikasi) ke server — contoh: Accept, Authorization, Content-Type, Cookie. Header respons dikirim oleh server kembali ke klien — contoh: Set-Cookie, Cache-Control, Content-Encoding, Location. Beberapa header (seperti Content-Type) valid di kedua arah.

Untuk apa header Content-Type digunakan?

Content-Type mendeklarasikan tipe media dari body permintaan atau respons. Misalnya, `application/json` untuk data JSON, `text/html` untuk halaman HTML, `multipart/form-data` untuk upload file. Server menggunakannya untuk mengurai body dengan benar; browser menggunakannya untuk merender konten dengan tepat. Content-Type yang tidak cocok adalah penyebab umum kesalahan API.

Apa itu header CORS dan mengapa penting?

Header CORS (Cross-Origin Resource Sharing) mengontrol apakah halaman web dapat membuat permintaan ke domain yang berbeda. Header utama: `Access-Control-Allow-Origin` (origin mana yang dapat mengakses), `Access-Control-Allow-Methods` (metode HTTP yang diizinkan), `Access-Control-Allow-Headers` (header kustom yang diizinkan). Tanpa header CORS yang tepat, browser memblokir permintaan lintas asal karena alasan keamanan.

Apa itu header Authorization dan bagaimana strukturnya?

Header Authorization membawa kredensial untuk autentikasi HTTP. Skema umum: `Basic base64(user:password)` untuk autentikasi dasar, `Bearer ` untuk OAuth 2.0/JWT, `Digest` untuk autentikasi digest. Formatnya selalu `Authorization: `. Header ini biasanya diatur pada setiap permintaan API yang memerlukan autentikasi.

Referensi Header HTTP

Tabel referensi yang dapat dicari untuk header permintaan dan respons HTTP.

Header	Tipe	Kategori	Deskripsi
Accept	Request	Content Negotiation	Media types acceptable for the response (e.g. text/html, application/json).
Accept-Charset	Request	Content Negotiation	Character sets acceptable for the response.
Accept-Encoding	Request	Content Negotiation	Encoding algorithms the client supports (e.g. gzip, deflate, br).
Accept-Language	Request	Content Negotiation	Natural languages preferred for the response (e.g. en-US, fr).
Authorization	Request	Authentication	Credentials for authenticating the client with the server (e.g. Bearer token).
Cookie	Request	State	HTTP cookies previously set by the server, sent back with each request.
Expect	Request	Request Control	Indicates that particular server behaviors are required by the client (e.g. 100-continue).
Host	Request	Request Target	Domain name and port number of the server being addressed. Required in HTTP/1.1.
If-Match	Request	Conditional	Makes the request conditional based on matching ETag values.
If-Modified-Since	Request	Conditional	Makes the request conditional based on modification date.
If-None-Match	Request	Conditional	Makes the request conditional based on non-matching ETag values.
If-Unmodified-Since	Request	Conditional	Makes the request conditional on the resource not being modified since the given date.
Origin	Request	CORS	Indicates the origin from which the cross-site request is initiated.
Proxy-Authorization	Request	Authentication	Credentials for authenticating with a proxy server.
Range	Request	Partial Requests	Requests only part of a resource (e.g. bytes=0-1023 for the first 1 KB).
Referer	Request	Request Context	URL of the page from which the request originated.
TE	Request	Transfer Encoding	Specifies transfer encodings the client is willing to accept.
User-Agent	Request	Request Context	Contains information about the client software making the request.
X-Forwarded-For	Request	Proxies	Identifies the originating IP address when the request passes through proxies.
X-Requested-With	Request	Custom	Commonly used to identify Ajax requests (value: XMLHttpRequest).
Accept-Ranges	Response	Partial Requests	Indicates if the server supports range requests (bytes or none).
Age	Response	Caching	Time in seconds the object has been stored in a proxy cache.
Allow	Response	Request Methods	HTTP methods allowed for the requested resource (used in 405 responses).
Content-Disposition	Response	Response Body	Indicates whether content should be displayed inline or as a file download.
Content-Encoding	Response	Response Body	Encoding applied to the response body (e.g. gzip, br).
Content-Language	Response	Content Negotiation	Natural language(s) of the response body.
Content-Length	Response	Response Body	Size of the response body in bytes.
Content-Range	Response	Partial Requests	Indicates the range of bytes sent in a partial content response (206).
ETag	Response	Caching	Unique identifier for the specific version of a resource; used for cache validation.
Expires	Response	Caching	Date/time after which the response is considered stale.
Last-Modified	Response	Caching	Date and time the resource was last modified on the server.
Location	Response	Redirects	URL to redirect the client to in 3xx or 201 responses.
Proxy-Authenticate	Response	Authentication	Defines the authentication method to use for a proxy (407 response).
Retry-After	Response	Request Control	How long to wait before making a new request after a 429 or 503 response.
Server	Response	Server Info	Software information about the origin server.
Set-Cookie	Response	State	Sends a cookie from the server to the client for storage.
Strict-Transport-Security	Response	Security	HSTS: forces browsers to use HTTPS for subsequent requests.
Vary	Response	Caching	Tells caches which request headers to use as cache keys.
WWW-Authenticate	Response	Authentication	Defines the authentication method for accessing the resource (401 response).
X-Content-Type-Options	Response	Security	Prevents MIME sniffing. Use value: nosniff.
X-Frame-Options	Response	Security	Controls whether the page can be embedded in an iframe (DENY, SAMEORIGIN).
X-XSS-Protection	Response	Security	Enables XSS filtering in older browsers (legacy, mostly deprecated).
Cache-Control	Both	Caching	Directives for caching in requests and responses (e.g. no-cache, max-age=3600).
Connection	Both	Connection Management	Controls whether the network connection stays open (keep-alive or close).
Content-Type	Both	Response Body	Media type of the request or response body (e.g. application/json).
Date	Both	Timestamps	Date and time the message was sent.
Pragma	Both	Caching	Legacy cache control directive (no-cache). Superseded by Cache-Control.
Trailer	Both	Transfer Encoding	Indicates which headers will be present in the trailer of a chunked response.
Transfer-Encoding	Both	Transfer Encoding	Encoding applied to the message body for transfer (e.g. chunked).
Via	Both	Proxies	Added by proxies to indicate intermediate protocols and recipients.
Warning	Both	Request Control	General warnings about possible problems with the message (deprecated in RFC 9110).
Access-Control-Allow-Origin	Response	CORS	Specifies which origins are allowed for CORS requests.
Access-Control-Allow-Methods	Response	CORS	HTTP methods allowed for CORS preflight responses.
Access-Control-Allow-Headers	Response	CORS	HTTP headers allowed in CORS preflight responses.
Access-Control-Allow-Credentials	Response	CORS	Indicates if the response can be shared when credentials are included.
Access-Control-Max-Age	Response	CORS	How long the preflight response can be cached (in seconds).
Cross-Origin-Opener-Policy	Response	Security	Controls the browsing context group for cross-origin documents.
Cross-Origin-Resource-Policy	Response	Security	Prevents cross-origin reads of the response in certain contexts.
Content-Security-Policy	Response	Security	Specifies allowed sources for content types to prevent XSS and injection attacks.
Referrer-Policy	Response	Security	Controls how much referrer information is sent with requests.
Permissions-Policy	Response	Security	Controls browser features and APIs that are allowed to be used (formerly Feature-Policy).

Tentang alat ini

Header HTTP adalah bidang metadata yang menemani setiap permintaan dan respons web, mengendalikan segalanya mulai dari perilaku cache hingga autentikasi dan negosiasi konten. HTTP Headers Reference adalah panduan yang dapat dicari untuk header yang paling umum dan penting yang digunakan dalam pengembangan web modern, membantu pengembang dengan cepat memahami apa yang dilakukan setiap header, nilai mana yang diterima, dan kapan menggunakannya.

Cukup cari nama header atau telusuri daftar yang dikategorikan untuk menemukan informasi terperinci tentang tujuan, sintaks, dan kasus penggunaan tipikal header tersebut. Apakah Anda men-debug kesalahan CORS, mengonfigurasi kontrol cache, menetapkan kebijakan keamanan, atau memahami perilaku pengalihan, referensi ini memberikan informasi yang tepat yang Anda butuhkan tanpa harus meninggalkan halaman.

Alat ini sangat penting bagi pengembang backend, insinyur frontend, profesional DevOps, dan siapa pun yang mengelola infrastruktur HTTP. Berfungsi sepenuhnya di browser Anda tanpa panggilan server, menjadikannya cepat dan pribadi sebagai referensi offline saat membangun API, mengonfigurasi server web, atau memecahkan masalah header permintaan di production.

Pertanyaan yang Sering Diajukan

Comments & Feedback

Comments are powered by Giscus. Sign in with GitHub to leave a comment.