HTTP methods, status codes, and headers you need to know

HTTP Methods, Status Codes, and Headers You Need to Know

Before you can write effective API tests, you need a solid mental model of how HTTP works. Most API bugs you will find come down to incorrect methods, wrong status codes, or missing/malformed headers.

The Core HTTP Methods

Safe means the operation does not modify server state. Idempotent means calling it multiple times produces the same result as calling it once.

When testing APIs, verify that each endpoint uses the semantically correct method. A DELETE endpoint that accepts GET requests is a security issue.

Status Code Families

Status Codes Testers Miss

• 401 vs 403: 401 means "not authenticated" (no/invalid token). 403 means "authenticated but not authorised" (you are logged in but lack permission). Many APIs return 403 for both, which is correct from a security perspective (avoid leaking whether a resource exists).
• 422 Unprocessable Entity: The request was well-formed (valid JSON) but the semantics failed validation (a required field is missing). Prefer this over 400 for validation failures.
• 204 No Content: A successful DELETE or PATCH that returns no body. Tests that assert response.json() on a 204 will fail — check status only.

Critical Headers for API Testing

Request headers to set:

• Content-Type: application/json — tells the server what format you're sending
• Accept: application/json — tells the server what format you want back
• Authorization: Bearer <token> — authentication

Response headers to assert:

• Content-Type: application/json — the server is actually sending JSON
• X-RateLimit-Remaining — track API rate limiting
• Cache-Control — verify caching behaviour for read endpoints