DEV Community: tiger Z The latest articles on DEV Community by tiger Z (@shuanghu_zhao_d6ead357228). https://dev.to/shuanghu_zhao_d6ead357228 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3928280%2F08bfac6c-8d46-406c-a32f-52c66682b4bd.webp DEV Community: tiger Z https://dev.to/shuanghu_zhao_d6ead357228 en Code Quality Best Practices for Teams tiger Z Tue, 02 Jun 2026 08:56:46 +0000 https://dev.to/shuanghu_zhao_d6ead357228/code-quality-best-practices-for-teams-3d4 https://dev.to/shuanghu_zhao_d6ead357228/code-quality-best-practices-for-teams-3d4 <p>Published May 30, 2026 ยท 8 min read ยท ๐Ÿท๏ธ Best Practices<br> # Code Quality Best Practices for Teams</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Good code is not just about functionality โ€” it's about readability, maintainability, and collaboration. These practices help teams write code that stands the test of time. ## Naming Conventions Names should be self-documenting. If you need a comment to explain what a variable is, rename it: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Bad</span> <span class="kd">const</span> <span class="nx">x</span> <span class="o">=</span> <span class="nx">users</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">u</span> <span class="o">=&gt;</span> <span class="nx">u</span><span class="p">.</span><span class="nx">s</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">active</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">d</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">tmp</span> <span class="o">=</span> <span class="nf">processData</span><span class="p">(</span><span class="nx">data</span><span class="p">);</span> <span class="c1">// Good</span> <span class="kd">const</span> <span class="nx">activeUsers</span> <span class="o">=</span> <span class="nx">users</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">user</span> <span class="o">=&gt;</span> <span class="nx">user</span><span class="p">.</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">active</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">currentTimestamp</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Date</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">processedData</span> <span class="o">=</span> <span class="nf">processData</span><span class="p">(</span><span class="nx">rawData</span><span class="p">);</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> **Variable names:** nouns, descriptive (`userData`, `totalAmount`) **Function names:** verbs or verb phrases (`fetchUser`, `calculateTotal`, `isValidEmail`) **Constants:** ALL_CAPS with underscores (`MAX_RETRY_COUNT`, `DEFAULT_TIMEOUT`) ## Functions: Do One Thing Each function should do one thing well. A good test: if you need "and" to describe what it does, split it: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Bad: Does multiple things</span> <span class="kd">function</span> <span class="nf">processUser</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="nf">validateUser</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="c1">// validation</span> <span class="nf">saveToDatabase</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="c1">// persistence</span> <span class="nf">sendWelcomeEmail</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="c1">// side effect</span> <span class="k">return</span> <span class="nx">user</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Good: Single responsibility</span> <span class="kd">function</span> <span class="nf">validateUser</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">saveUser</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">notifyUser</span><span class="p">(</span><span class="nx">user</span><span class="p">,</span> <span class="nx">type</span><span class="p">)</span> <span class="p">{</span> <span class="p">...</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">registerUser</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="nf">validateUser</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">savedUser</span> <span class="o">=</span> <span class="nf">saveUser</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="nf">notifyUser</span><span class="p">(</span><span class="nx">savedUser</span><span class="p">,</span> <span class="dl">'</span><span class="s1">welcome</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="nx">savedUser</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Keep Functions Small Ideal: less than 20 lines. Good: less than 50 lines. If a function exceeds 100 lines, strongly consider splitting it. </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Bad: Function doing too much</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleOrder</span><span class="p">(</span><span class="nx">order</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// 200+ lines of validation, calculation, persistence, notification...</span> <span class="p">}</span> <span class="c1">// Good: Composed of smaller functions</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handleOrder</span><span class="p">(</span><span class="nx">order</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">validated</span> <span class="o">=</span> <span class="nf">validateOrder</span><span class="p">(</span><span class="nx">order</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">calculated</span> <span class="o">=</span> <span class="nf">calculatePricing</span><span class="p">(</span><span class="nx">validated</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">saved</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">persistOrder</span><span class="p">(</span><span class="nx">calculated</span><span class="p">);</span> <span class="k">await</span> <span class="nf">notifyCustomer</span><span class="p">(</span><span class="nx">saved</span><span class="p">);</span> <span class="k">return</span> <span class="nx">saved</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Avoid Magic Numbers </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Bad: What do these numbers mean?</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">age</span> <span class="o">&gt;</span> <span class="mi">18</span> <span class="o">&amp;&amp;</span> <span class="nx">retryCount</span> <span class="mi">5000</span><span class="p">)</span> <span class="p">{</span> <span class="nf">processPayment</span><span class="p">(</span><span class="nx">amount</span> <span class="o">*</span> <span class="mf">0.95</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Good: Named constants explain the intent</span> <span class="kd">const</span> <span class="nx">MINIMUM_AGE</span> <span class="o">=</span> <span class="mi">18</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">MAX_RETRY_COUNT</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">PAYMENT_TIMEOUT_MS</span> <span class="o">=</span> <span class="mi">5000</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">LOYALTY_DISCOUNT</span> <span class="o">=</span> <span class="mf">0.05</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">age</span> <span class="o">&gt;</span> <span class="nx">MINIMUM_AGE</span> <span class="o">&amp;&amp;</span> <span class="nx">retryCount</span> <span class="nx">PAYMENT_TIMEOUT_MS</span><span class="p">)</span> <span class="p">{</span> <span class="nf">processPayment</span><span class="p">(</span><span class="nx">amount</span> <span class="o">*</span> <span class="p">(</span><span class="mi">1</span> <span class="o">-</span> <span class="nx">LOYALTY_DISCOUNT</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Early Returns (Guard Clauses) Handle edge cases and invalid inputs at the start with early returns: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Bad: Nested conditionals</span> <span class="kd">function</span> <span class="nf">processUser</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">isActive</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// main logic here, deeply nested</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Good: Early returns for edge cases</span> <span class="kd">function</span> <span class="nf">processUser</span><span class="p">(</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">.</span><span class="nx">isActive</span><span class="p">)</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="c1">// main logic at top level</span> <span class="k">return</span> <span class="nf">processActiveUser</span><span class="p">(</span><span class="nx">user</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Error Handling Handle errors explicitly. Never swallow exceptions silently: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Bad: Silently ignoring errors</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">sendEmail</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Nothing happens, error is lost</span> <span class="p">}</span> <span class="c1">// Good: Explicit handling</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">sendEmail</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to send email</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">error</span> <span class="p">});</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">EmailDeliveryError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to send notification</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">cause</span><span class="p">:</span> <span class="nx">error</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Or handle gracefully</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">sendEmail</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="dl">'</span><span class="s1">Email failed, will retry</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span> <span class="p">});</span> <span class="k">await</span> <span class="nf">queueForRetry</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Comments That Add Value Good comments explain _why_, not _what_. The code shows what, comments explain why: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Bad: Comments that state the obvious</span> <span class="c1">// Increment counter by 1</span> <span class="nx">counter</span><span class="o">++</span><span class="p">;</span> <span class="c1">// Loop through users</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">user</span> <span class="k">of</span> <span class="nx">users</span><span class="p">)</span> <span class="p">{</span> <span class="p">}</span> <span class="c1">// Good: Comments explain non-obvious decisions</span> <span class="c1">// Using linear search here despite O(n) because:</span> <span class="c1">// 1. Array is guaranteed to be small ( $100</span> <span class="c1">// See: Tax Compliance Doc #2847</span> <span class="kd">const</span> <span class="nx">taxRate</span> <span class="o">=</span> <span class="nx">order</span><span class="p">.</span><span class="nx">total</span> <span class="o">&gt;</span> <span class="mi">100</span> <span class="p">?</span> <span class="mf">0.08</span> <span class="p">:</span> <span class="mi">0</span><span class="p">;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Consistent Code Formatting Use automated formatting. Debating formatting in code reviews is a waste of time: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">Use</span><span class="w"> </span><span class="err">Prettier</span><span class="w"> </span><span class="err">for</span><span class="w"> </span><span class="err">JavaScript/TypeScript</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">.prettierrc</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"semi"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"singleQuote"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="p">,</span><span class="w"> </span><span class="nl">"tabWidth"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"trailingComma"</span><span class="p">:</span><span class="w"> </span><span class="s2">"es5"</span><span class="p">,</span><span class="w"> </span><span class="nl">"printWidth"</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Use</span><span class="w"> </span><span class="err">ESLint</span><span class="w"> </span><span class="err">for</span><span class="w"> </span><span class="err">code</span><span class="w"> </span><span class="err">quality</span><span class="w"> </span><span class="err">rules</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">.eslintrc</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"extends"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"eslint:recommended"</span><span class="p">],</span><span class="w"> </span><span class="nl">"rules"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"no-unused-vars"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"prefer-const"</span><span class="p">:</span><span class="w"> </span><span class="s2">"error"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Type Safety Use TypeScript or JSDoc for JavaScript. Types catch bugs at compile time: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Bad: Any type, no safety</span> <span class="kd">function</span> <span class="nf">processOrder</span><span class="p">(</span><span class="nx">order</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">order</span><span class="p">.</span><span class="nx">total</span> <span class="o">*</span> <span class="nx">order</span><span class="p">.</span><span class="nx">quantity</span><span class="p">;</span> <span class="c1">// What if these are undefined?</span> <span class="p">}</span> <span class="c1">// Good: Explicit types</span> <span class="kr">interface</span> <span class="nx">OrderLineItem</span> <span class="p">{</span> <span class="nl">total</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">quantity</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="p">}</span> <span class="kr">interface</span> <span class="nx">Order</span> <span class="p">{</span> <span class="nl">items</span><span class="p">:</span> <span class="nx">OrderLineItem</span><span class="p">[];</span> <span class="nl">customerId</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">processOrder</span><span class="p">(</span><span class="nx">order</span><span class="p">:</span> <span class="nx">Order</span><span class="p">):</span> <span class="kr">number</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">order</span><span class="p">.</span><span class="nx">items</span><span class="p">.</span><span class="nf">reduce</span><span class="p">((</span><span class="nx">sum</span><span class="p">,</span> <span class="nx">item</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">sum</span> <span class="o">+</span> <span class="nx">item</span><span class="p">.</span><span class="nx">total</span> <span class="o">*</span> <span class="nx">item</span><span class="p">.</span><span class="nx">quantity</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Writing Testable Code Testable code is usually better code. Characteristics: - **Pure functions**: Same input โ†’ Same output, no side effects - **Dependency injection**: Pass dependencies as parameters - **Small, focused functions**: Easy to test in isolation - **Single responsibility**: Clear input/output </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Hard to test: dependencies hardcoded</span> <span class="kd">function</span> <span class="nf">getUser</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">db</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Database</span><span class="p">();</span> <span class="c1">// Hardcoded</span> <span class="k">return</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">SELECT * FROM users</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Easy to test: dependency injection</span> <span class="kd">function</span> <span class="nf">getUser</span><span class="p">(</span><span class="nx">db</span><span class="p">:</span> <span class="nx">Database</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">db</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">'</span><span class="s1">SELECT * FROM users</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Even better: pass interface</span> <span class="kr">interface</span> <span class="nx">UserRepository</span> <span class="p">{</span> <span class="nf">findById</span><span class="p">(</span><span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">getUser</span><span class="p">(</span><span class="nx">repo</span><span class="p">:</span> <span class="nx">UserRepository</span><span class="p">,</span> <span class="nx">id</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">repo</span><span class="p">.</span><span class="nf">findById</span><span class="p">(</span><span class="nx">id</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Code Review Checklist When reviewing code, check for: - Does the code do what the PR claims? - Are edge cases handled? - Is error handling appropriate? - Are there tests for new logic? - Are names descriptive? - Is the code simpler than before? - Any security concerns? - Any performance issues? ## The Boy Scout Rule Leave the code a little better than you found it. Every PR is an opportunity to improve the surrounding code slightly: - Rename a poorly-named variable while changing the function - Extract a magic number while adding new logic - Add a missing test while fixing a bug Small improvements compound. The codebase gets better over time, not worse. </code></pre> </div> webdev programming API Design Best Practices tiger Z Tue, 02 Jun 2026 08:56:00 +0000 https://dev.to/shuanghu_zhao_d6ead357228/api-design-best-practices-1dk9 https://dev.to/shuanghu_zhao_d6ead357228/api-design-best-practices-1dk9 <p>Published May 26, 2026 ยท 10 min read ยท ๐Ÿท๏ธ Backend<br> # API Design Best Practices</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> A well-designed API is intuitive, consistent, and developer-friendly. This guide covers the principles and patterns that make APIs a pleasure to use. ## Use RESTful Conventions REST APIs use standard HTTP methods and URL structures: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">GET /users # list all users GET /users/123 # get single user POST /users # create new user PUT /users/123 # update entire user PATCH /users/123 # partial update DELETE /users/123 # delete user </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Key principles: - Use nouns in URLs, not verbs (`/users` not `/getUsers`) - Use plural nouns consistently - Use nested resources for relationships (`/users/123/orders`) - Keep URLs lowercase with hyphens ## Proper HTTP Status Codes Always return the appropriate status code: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">200 OK # successful GET, PUT, PATCH 201 Created # successful POST creating resource 204 No Content # successful DELETE 400 Bad Request # invalid input data 401 Unauthorized # not authenticated 403 Forbidden # authenticated but not authorized 404 Not Found # resource doesn't exist 422 Unprocessable Entity # validation errors 429 Too Many Requests # rate limit exceeded 500 Internal Server Error # server error </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Consistent Error Format Return errors in a consistent structure: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"error"</span><span class="p">:</span><span class="w"> </span><span class="s2">"validation_error"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"The request body contains invalid data"</span><span class="p">,</span><span class="w"> </span><span class="nl">"details"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"email"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Email format is invalid"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"field"</span><span class="p">:</span><span class="w"> </span><span class="s2">"password"</span><span class="p">,</span><span class="w"> </span><span class="nl">"message"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Password must be at least 8 characters"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Include enough information for developers to debug, but don't expose sensitive internals. ## Pagination Don't return unlimited results. Use cursor or offset pagination: ### Offset Pagination </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">GET</span><span class="w"> </span><span class="err">/users?page=</span><span class="mi">2</span><span class="err">&amp;per_page=</span><span class="mi">20</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">Response</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">],</span><span class="w"> </span><span class="nl">"pagination"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"page"</span><span class="p">:</span><span class="w"> </span><span class="mi">2</span><span class="p">,</span><span class="w"> </span><span class="nl">"per_page"</span><span class="p">:</span><span class="w"> </span><span class="mi">20</span><span class="p">,</span><span class="w"> </span><span class="nl">"total"</span><span class="p">:</span><span class="w"> </span><span class="mi">150</span><span class="p">,</span><span class="w"> </span><span class="nl">"total_pages"</span><span class="p">:</span><span class="w"> </span><span class="mi">8</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### Cursor Pagination (Better for Large Datasets) </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">GET</span><span class="w"> </span><span class="err">/users?cursor=abc</span><span class="mi">123</span><span class="err">&amp;limit=</span><span class="mi">20</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">Response</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="err">...</span><span class="p">],</span><span class="w"> </span><span class="nl">"pagination"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"next_cursor"</span><span class="p">:</span><span class="w"> </span><span class="s2">"def456"</span><span class="p">,</span><span class="w"> </span><span class="nl">"has_more"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Cursor pagination is more efficient for large tables and real-time data. ## API Versioning Version your API to allow breaking changes without breaking clients: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># URL path (most common) GET /v1/users GET /v2/users # Header approach Accept: application/vnd.api.v2+json </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> **Tip:** Start with v1 even if you don't think you'll need versions. Adding versioning later is harder than starting with it. ## Filtering, Sorting, and Field Selection Give clients control over their queries: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Filtering GET /orders?status=pending&amp;created_after=2024-01-01 # Sorting GET /products?sort=price&amp;order=desc # Field selection (sparse fieldsets) GET /users?fields=id,name,email # Combining GET /orders?status=completed&amp;sort=created_at&amp;order=desc&amp;limit=50 </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Authentication Use standard authentication methods: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># API Keys (for server-to-server) X-API-Key: your-api-key # Bearer Tokens (for user authentication) Authorization: Bearer eyJhbGciOiJIUzI1NiIs... # Rate Limiting Headers X-RateLimit-Limit: 1000 X-RateLimit-Remaining: 999 X-RateLimit-Reset: 1640995200 </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Performance Tips ### Response Compression </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Client sends Accept-Encoding: gzip, deflate, br # Server responds Content-Encoding: gzip </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### Conditional Requests </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Client sends If-None-Match: "etag-from-previous-response" # Server checks, returns 304 if unchanged </span><span class="k">HTTP</span><span class="o">/</span><span class="m">1.1</span> <span class="m">304</span> <span class="ne">Not Modified</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### Cache Control </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Cache-Control: public, max-age=3600 ETag: "abc123" Last-Modified: Wed, 01 Jan 2024 00:00:00 GMT </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Documentation Good API documentation includes: - Authentication instructions - All endpoints with request/response examples - Error codes and messages - Rate limits and quotas - Try-it-out sandbox Use OpenAPI/Swagger for machine-readable specs that generate documentation automatically. </code></pre> </div> webdev programming API Authentication Methods Explained tiger Z Tue, 02 Jun 2026 08:55:53 +0000 https://dev.to/shuanghu_zhao_d6ead357228/api-authentication-methods-explained-2e7a https://dev.to/shuanghu_zhao_d6ead357228/api-authentication-methods-explained-2e7a <p>Published May 29, 2026 ยท 8 min read ยท ๐Ÿท๏ธ Security<br> # API Authentication Methods Explained</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Authentication is critical for API security. This guide compares the main methods โ€” API Keys, Basic Auth, Bearer Tokens, OAuth 2.0, and JWT โ€” with pros, cons, and when to use each. ## API Keys Simple static keys assigned to clients: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-H</span> <span class="s2">"X-API-Key: your-api-key-here"</span> https://api.example.com/data </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> **Pros:** - Simple to implement - Easy to understand and debug - Good for server-to-server communication **Cons:** - No expiration (unless you implement it) - If leaked, full access until revoked - No granular permissions (all-or-nothing) **Best for:** Internal services, simple third-party integrations ## Basic Authentication Username and password sent with each request (Base64 encoded, not encrypted): </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Encoding: Base64("username:password")</span> curl <span class="nt">-H</span> <span class="s2">"Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ="</span> https://api.example.com/ <span class="c"># Or use curl's built-in auth</span> curl <span class="nt">-u</span> username:password https://api.example.com/ </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> **Pros:** - Extremely simple - Universally supported - Good for testing **Cons:** - Credentials sent with every request - Must always use HTTPS - No built-in expiration **Never use Basic Auth over HTTP.** Without TLS, credentials are sent in plain text visible to anyone watching network traffic. ## Bearer Tokens (Token Authentication) A token is issued after authentication and sent with each request: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># After login, server returns token</span> <span class="c"># Client stores token and sends with requests</span> curl <span class="nt">-H</span> <span class="s2">"Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."</span> https://api.example.com/data </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> **Pros:** - Credentials only sent once - Token can expire - Easier to revoke (delete from database) **Cons:** - Requires database lookup to validate (unless using JWT) - State must be stored server-side ## JWT (JSON Web Tokens) Self-contained tokens that include the data payload (stateless): </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// JWT has three parts: header.payload.signature</span> <span class="c1">// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOjEyMywicm9sZSI6ImFkbWluIn0.signature</span> <span class="c1">// Server verifies signature without database lookup</span> <span class="kd">const</span> <span class="nx">payload</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">SECRET_KEY</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">payload</span><span class="p">.</span><span class="nx">userId</span><span class="p">);</span> <span class="c1">// 123</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> **Structure:** - **Header**: Algorithm and token type - **Payload**: Claims (userId, role, exp, etc.) - **Signature**: Prevents tampering **Pros:** - Stateless โ€” no database lookup needed - Can include user data and permissions - Works across services (microservices) **Cons:** - Can't revoke until expiration (use short expiry + refresh tokens) - Payload is visible (don't store sensitive data) - Larger than API keys ## OAuth 2.0 A proper authorization framework for third-party access: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># 1. User clicks "Login with Google" # 2. Redirect to Google with client_id and redirect_uri GET https://accounts.google.com/o/oauth2/v2/auth? client_id=YOUR_CLIENT_ID&amp; redirect_uri=https://yourapp.com/callback&amp; response_type=code&amp; scope=openid%20profile%20email # 3. Google redirects back with authorization code # 4. Your server exchanges code for access token POST https://oauth2.googleapis.com/token { code: "authorization_code", client_id: "YOUR_CLIENT_ID", client_secret: "YOUR_CLIENT_SECRET", redirect_uri: "https://yourapp.com/callback", grant_type: "authorization_code" } # 5. Response includes access token (and optionally refresh token) { access_token: "ya29....", expires_in: 3600, refresh_token: "refresh_token_here" } </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> **Grant Types:** - **Authorization Code**: Web apps (full flow) - **PKCE**: Mobile/SPA apps (no client secret) - **Client Credentials**: Server-to-server (no user) - **Refresh Token**: Get new access tokens ## Comparison Table Method Complexity Best For API Keys Low Simple server-to-server Basic Auth Low Testing, internal tools Bearer Tokens Medium Session-based auth JWT Medium Microservices, stateless auth OAuth 2.0 High Third-party login, social auth ## Security Best Practices - **Always use HTTPS** โ€” never send credentials over HTTP - **Use short token expiry** โ€” 15-60 minutes for access tokens - **Implement refresh tokens** โ€” allow re-authentication without re-login - **Store secrets securely** โ€” environment variables, not in code - **Log authentication events** โ€” detect anomalies - **Implement rate limiting** โ€” prevent brute force attacks - **Rotate secrets** โ€” change API keys periodically </code></pre> </div> webdev programming Base64 Encoding Explained: When to Use It and Why It Matters tiger Z Tue, 02 Jun 2026 08:54:13 +0000 https://dev.to/shuanghu_zhao_d6ead357228/base64-encoding-explained-when-to-use-it-and-why-it-matters-3m4j https://dev.to/shuanghu_zhao_d6ead357228/base64-encoding-explained-when-to-use-it-and-why-it-matters-3m4j <p>Base64 is a binary-to-text encoding scheme that converts binary data into ASCII text format. It's everywhere in modern web development โ€” from API responses to inline images โ€” and understanding it will make you a better developer.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## What Is Base64 and Why Does It Exist? computers store everything as binary data (1s and 0s). But some protocols and systems โ€” like email (SMTP), JSON APIs, and URLs โ€” can only handle text. Base64 solves this by mapping binary data to a set of 64 printable ASCII characters (A-Z, a-z, 0-9, +, and /). Imagine you have an image file. You can't put raw binary into a JSON response โ€” it would break the parser. But if you Base64-encode it, you get a string like `R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7` that any system can handle. ## How Base64 Works (Step by Step) Each 3 bytes of binary data (24 bits) are split into four 6-bit groups. Each group maps to a character in the Base64 alphabet: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Text: "Hi" Binary: 01001000 01101001 Split into 6-bit groups: 010010 000110 1001-- Pad with zeros: 010010 000110 100100 Base64 indices: 18 6 36 -- Result: "S" "G" "k" "=" (padding) </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> So "Hi" becomes `SGk=`. The `=` at the end is padding โ€” Base64 works in groups of 4 characters, so input that isn't divisible by 3 gets padded. ## When to Use Base64 ### 1. Inline Images in CSS/HTML Instead of loading an external image file, you can embed it directly: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>![](data:image/png;base64,iVBORw0KGgo...) </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Use for small icons or images (under 1-2KB) where the HTTP request overhead is larger than the encoded data. Don't use for large images โ€” it inflates file size by ~33% and can't be cached separately. ### 2. JSON API Responses When transmitting binary data through an API, Base64 is the standard encoding: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"filename"</span><span class="p">:</span><span class="w"> </span><span class="s2">"avatar.png"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="s2">"iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg=="</span><span class="p">,</span><span class="w"> </span><span class="nl">"mimeType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"image/png"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### 3. Embedding Small Files in Configuration API keys, certificates, and small files are often Base64-encoded in config files or environment variables to avoid escaping issues with special characters. ## Common Use Cases - **Email attachments** โ€” MIME encoding for binary attachments in emails - **JWT tokens** โ€” Header and payload are Base64URL-encoded - **Basic authentication** โ€” Username:password becomes Base64 header - **Data URLs** โ€” Embed images directly in HTML/CSS - **OAuth tokens** โ€” Many providers return tokens as Base64 strings ## Base64 vs Base32 vs Base16 Base64 uses 64 characters and produces compact output (33% overhead). Base32 uses 32 characters (A-Z, 2-7) and is case-insensitive โ€” useful in DNS environments where case can be lost. Base16 (hex) uses only 16 characters and is easiest to read but produces the largest output. ## Try It Yourself Use our [Base64 Encoder tool](../../tools/dev/base64-encoder.html) to convert text or images to Base64 instantly. Everything happens locally in your browser โ€” your data never leaves your device. ## Security Considerations Base64 is **not encryption**. Anyone can decode a Base64 string โ€” it's just encoding, not security. Never store passwords or sensitive data as plain Base64. For data protection, use AES, RSA, or other encryption algorithms. However, Base64 is useful for obscuring data from casual observation โ€” similar to "security through obscurity." It's not a substitute for real encryption but can add a layer against casual inspection. ## Performance Tip Base64 encoding inflates data size by 33%. If you're encoding large files (images over 50KB, documents, archives), consider using binary transfer instead. For small data โ€” tokens, small icons, config values โ€” Base64 is efficient and portable. </code></pre> </div> webdev programming HTTP Headers: The Complete Guide for Developers tiger Z Tue, 02 Jun 2026 08:52:24 +0000 https://dev.to/shuanghu_zhao_d6ead357228/http-headers-the-complete-guide-for-developers-530m https://dev.to/shuanghu_zhao_d6ead357228/http-headers-the-complete-guide-for-developers-530m <p>HTTP headers are the invisible glue that makes the web work. They control caching, enforce security, enable authentication, and shape performance. Most developers only know a handful โ€” this guide covers all the ones that actually matter.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## How HTTP Headers Work Every HTTP request and response carries headers: key-value pairs that pass metadata between client and server. Headers are divided into four categories: - **General** โ€” Apply to both requests and responses (Date, Connection) - **Request** โ€” Sent by the client (Accept, Authorization, User-Agent) - **Response** โ€” Sent by the server (Content-Type, Cache-Control, Set-Cookie) - **Entity** โ€” Describe the body content (Content-Length, Content-Encoding) ## Security Headers (Essential) These five headers prevent the most common web attacks. Set them on every production site: ### Content-Security-Policy (CSP) Controls which resources the browser can load. Prevents XSS by specifying allowed sources: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; style-src 'self' 'unsafe-inline' </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Start with 'none', then add exceptions as you discover them. Use report-uri to catch violations: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Content-Security-Policy: default-src 'none'; report-uri /csp-violation </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### X-Content-Type-Options Prevents MIME type sniffing. Without this header, browsers might execute files they shouldn't: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">X-Content-Type-Options: nosniff </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### X-Frame-Options Prevents clickjacking by controlling whether your page can be embedded in iframes: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">X-Frame-Options: DENY # No embedding allowed X-Frame-Options: SAMEORIGIN # Only same-site embedding </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### Strict-Transport-Security (HSTS) Forces HTTPS connections. Browser remembers to only use HTTPS for your domain: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Strict-Transport-Security: max-age=31536000; includeSubDomains; preload </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Start with a short max-age (like 60 seconds) while testing, then increase. The preload flag lets you submit to the HSTS preload list for maximum protection. ### Referrer-Policy Controls how much referrer information is sent with requests. Prevents leaking sensitive URLs: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Referrer-Policy: strict-origin-when-cross-origin # Default for most sites Referrer-Policy: no-referrer # Most private option Referrer-Policy: same-origin # Only send for same-site requests </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Caching Headers Proper caching makes your site fast and reduces server load. There are two models: ### Expiration Model (Cache-Control) Tell browsers how long to cache a resource: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Cache for 1 year (for versioned/hash files) Cache-Control: public, max-age=31536000, immutable # Cache for 1 hour, but allow stale responses while revalidating Cache-Control: public, max-age=3600, stale-while-revalidate=86400 # Don't cache at all Cache-Control: no-cache, no-store, must-revalidate </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### Validation Model (ETag / Last-Modified) Check if cached content is still valid without downloading it: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Server response includes: ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4" Last-Modified: Wed, 21 Oct 2015 07:28:00 GMT # Next request asks if changed: If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4" If-Modified-Since: Wed, 21 Oct 2015 07:28:00 GMT # Server returns 304 Not Modified if still valid (no body) </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### Cacheable Responses Not everything should be cached. Rules: - **GET / HEAD** โ€” Cachable by default - **POST / PATCH / PUT / DELETE** โ€” Never cached automatically - **Responses with Set-Cookie** โ€” Never cache - **Authenticated requests** โ€” Usually private, unless using shared caches ## CORS Headers Cross-Origin Resource Sharing headers control which domains can access your API: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Allow specific origin (preferred) Access-Control-Allow-Origin: https://trusted-app.com # Allow any origin (for public APIs, combined with Vary: Origin) Access-Control-Allow-Origin: * # Preflight request for non-simple methods/headers Access-Control-Allow-Methods: GET, POST, PUT, DELETE Access-Control-Allow-Headers: Content-Type, Authorization Access-Control-Max-Age: 86400 # Cache preflight for 24 hours </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> Never use `Access-Control-Allow-Origin: *` with credentials (cookies, auth headers): </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Wrong โ€” browsers reject this Access-Control-Allow-Origin: https://example.com Access-Control-Allow-Credentials: true # Correct โ€” use a specific origin Access-Control-Allow-Origin: https://example.com Access-Control-Allow-Credentials: true </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Authentication Headers ### Basic Authentication </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Client sends: Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ= # (Base64 encoded "username:password") # Server responds 401: WWW-Authenticate: Basic realm="Protected Area" </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### Bearer Tokens (JWT, API Keys) </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### Custom Headers Many APIs use custom headers for authentication: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">X-API-Key: your-api-key-here X-Auth-Token: session-token Authorization: ApiKey your-api-key </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Content Negotiation Tell the server what format you want back: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Accept specific content type Accept: application/json # Accept multiple formats (server chooses best match) Accept: application/json, application/xml, text/html # Prefer compressed responses Accept-Encoding: gzip, deflate, br # Prefer English, but accept Chinese Accept-Language: en, zh;q=0.9 </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Performance Headers ### Compression </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Server sends compressed response Content-Encoding: gzip # or br (Brotli), deflate # Client advertises supported compression Accept-Encoding: gzip, deflate, br </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### Range Requests For resumable downloads and video streaming: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Client requests specific bytes Range: bytes=0-99 # Server responds with portion Content-Range: bytes 0-99/total_file_size </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### Early Hints Send resource hints before the full response is ready: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"># Early hint response (HTTP 103) Link: ; rel=preload; as=style # Followed by final response 103 Early Hint 200 OK </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Debugging Headers Tools to inspect and test headers: - **Chrome DevTools** โ€” Network tab shows all headers - **curl -I** โ€” Show response headers only - **httpbin.org** โ€” Test headers interactively - **securityheaders.com** โ€” Grade your security headers </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># View headers with curl</span> curl <span class="nt">-I</span> https://example.com <span class="c"># Send custom headers</span> curl <span class="nt">-H</span> <span class="s2">"Authorization: Bearer token"</span> https://api.example.com <span class="c"># Show request and response headers</span> curl <span class="nt">-v</span> https://example.com </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Minimum Viable Header Set Every production site should have at minimum: </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Content-Type: text/html; charset=utf-8 Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN Referrer-Policy: strict-origin-when-cross-origin </span></code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ## Key Takeaways - Security headers (CSP, HSTS, X-Frame-Options) prevent common attacks โ€” set them on every site - Cache-Control with max-age is simpler than ETag validation for most use cases - Use immutable + long max-age for versioned assets (JS, CSS with hashes in filenames) - CORS headers should whitelist specific origins, not use * (except for truly public APIs) - Always test headers with curl or DevTools before deploying to production โ† Back to Blog </code></pre> </div> webdev programming