Response Headers

Configure HTTP headers for your mock API responses. Response Headers control how clients interpret and handle your mock data, including content type, caching behavior, CORS settings, and authentication requirements.

What are Response Headers?

Response Headers are HTTP headers sent back to the client with your mock response. They provide metadata about the response content and control how browsers and API clients process the data.

Use Cases:

  • Specify content type (JSON, XML, HTML, plain text)
  • Configure CORS (Cross-Origin Resource Sharing) policies
  • Set caching directives for performance testing
  • Simulate authentication token responses
  • Control browser behavior with security headers

Headers Table

The Headers table in the Response editor allows you to add, modify, and remove HTTP headers for each mock response.

Table Columns

  • Drag Handle (⋮⋮) - Drag to reorder headers. Header order is preserved in responses.
  • Use - Toggle to enable/disable the header. Disabled headers skip validation and won't be sent in responses.
  • Key - Header name with autocomplete. Type to filter from 91 standard HTTP headers, or enter custom names.
  • Value - Header value (static text values only).
  • Actions - Plus icon adds new rows, minus icon removes rows.

Default Configuration

New responses include one pre-configured header:

Content-Type: application/json  (enabled)

New rows added via the + button default to disabled (Use: OFF) with empty key/value fields.

Validation Rules

  • When a header is enabled (Use: ON), both Key and Value are required and cannot be empty
  • When a header is disabled (Use: OFF), validation is skipped and fields can be left empty
  • Empty or whitespace-only values are invalid for enabled headers

Basic Headers Example

Content-Type: application/json
Content-Length: 1234
Cache-Control: no-cache

Common HTTP Headers

Frequently used headers for mock API responses:

Content Headers

Content-Type

Specifies the media type of the response body.

Content-Type: application/json
Content-Type: application/xml
Content-Type: text/html; charset=utf-8
Content-Type: text/plain

Content-Length

Size of the response body in bytes (auto-calculated if not specified).

Content-Encoding

Compression method used (e.g., gzip, deflate, br).

CORS Headers

Control cross-origin access to your mock API.

CORS Configuration

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 3600
Access-Control-Allow-Credentials: true
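
The following check is an added example, not part of the tool or its documentation. It applies the validation rules above (enabled rows need a non-empty key and value, disabled rows are skipped) and then flags CORS combinations that browsers refuse for credentialed requests. The row shape `{ use, key, value }` and the function names are assumptions.

```javascript
// Added example. The row shape { use, key, value } mirrors the Headers table
// columns and is an assumption, not the tool's actual data model.
function effectiveHeaders(rows) {
  const headers = new Map();
  for (const { use, key = '', value = '' } of rows) {
    if (!use) continue; // Use: OFF -> validation skipped, header not sent
    if (key.trim() === '' || value.trim() === '') {
      throw new Error(`enabled header needs a non-empty key and value (key: "${key}")`);
    }
    headers.set(key.trim().toLowerCase(), value.trim()); // names are case-insensitive
  }
  return headers;
}

// Returns CORS problems a browser would act on for credentialed requests.
function corsFindings(rows) {
  const h = effectiveHeaders(rows);
  const findings = [];
  const creds = h.get('access-control-allow-credentials');
  if (creds !== undefined && creds !== 'true') {
    findings.push('allow-credentials: the only valid value is "true"');
  }
  if (creds === 'true') {
    for (const name of ['origin', 'methods', 'headers']) {
      if (h.get(`access-control-allow-${name}`) === '*') {
        findings.push(`allow-${name}: "*" is not honored as a wildcard when credentials are allowed`);
      }
    }
  }
  return findings;
}

// Constructed sample: the CORS configuration shown above, all rows enabled.
const pageCorsRows = [
  { use: true, key: 'Access-Control-Allow-Origin', value: '*' },
  { use: true, key: 'Access-Control-Allow-Methods', value: 'GET, POST, PUT, DELETE, OPTIONS' },
  { use: true, key: 'Access-Control-Allow-Headers', value: 'Content-Type, Authorization' },
  { use: true, key: 'Access-Control-Max-Age', value: '3600' },
  { use: true, key: 'Access-Control-Allow-Credentials', value: 'true' },
];

console.log(corsFindings(pageCorsRows));
```

If the client under test sends cookies or an Authorization header cross-origin, set Access-Control-Allow-Origin to that client's exact origin instead of `*`.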

Caching Headers

Control how browsers and proxies cache your responses.

Cache Control Examples

# No caching (good for testing)
Cache-Control: no-cache, no-store, must-revalidate

# Cache for 1 hour
Cache-Control: public, max-age=3600

# Cache with validation
Cache-Control: public, must-revalidate
ETag: "abc123xyz"

# Expiration date
Expires: Wed, 21 Oct 2025 07:28:00 GMT

Authentication Headers

Simulate authentication tokens and requirements.

Auth Headers

# Bearer token response
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

# API key header
X-API-Key: your-api-key-here

# Authentication challenge
WWW-Authenticate: Bearer realm="api", error="invalid_token"

Security Headers

Enhance security for browser-based clients.

Security Headers

X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'

Other Common Headers

Location

Redirect URL for 3xx status codes.

Set-Cookie

Set cookies in the client browser.

Retry-After

Indicate when to retry after 503 or 429 errors.

X-RateLimit-*

Simulate rate limiting information.

Dynamic Values with Template Variables

Coming Soon

In a future release, you'll be able to use template variables in header values to create dynamic responses based on request data.

🚧 This feature is planned for a future release

Planned Template Syntax: Use {{variable}} to insert dynamic values from the request.

Planned Dynamic Header Examples (Not Yet Implemented)

# Echo request ID back
X-Request-ID: {{request.headers.X-Request-ID}}

# Generate correlation ID based on user
X-Correlation-ID: user-{{request.params.userId}}-{{timestamp}}

# Dynamic rate limit based on user tier
X-RateLimit-Limit: {{request.headers.X-User-Tier == "premium" ? "10000" : "1000"}}

# Custom tracking header
X-Session-User: {{request.body.user.email}}

Currently, header values only support static text. Template variable support will be added in a future update.

Real-World Examples

Practical examples of response header configurations for common scenarios.

Example 1: JSON API Response

Standard headers for a JSON REST API with CORS enabled.

Headers Configuration

Content-Type: application/json; charset=utf-8
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Cache-Control: no-cache
X-API-Version: 2.0

Example 2: Authentication Token Response

Mock login endpoint returning JWT token in header.

Headers Configuration

Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
X-Token-Expires: 2025-12-31T23:59:59Z
Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Strict

Example 3: File Download Response

Headers for triggering file download in browser.

Headers Configuration

Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"
Content-Length: 524288
Cache-Control: private, no-cache

Example 4: Rate-Limited API

Simulate rate limiting headers for API usage tracking.

Headers Configuration

Content-Type: application/json
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 750
X-RateLimit-Reset: 1640995200
Retry-After: 60

Example 5: Redirect Response

Headers for 301/302 redirect responses (Status: 301 or 302).

Headers Configuration

Location: https://example.com/new-location
Cache-Control: no-cache
X-Redirect-Reason: Resource moved permanently

Tips and Best Practices

Header Name Casing

HTTP header names are case-insensitive, but by convention use Title-Case or lowercase-with-dashes.

Content-Type is Critical

Always set Content-Type to help clients parse the response correctly. The default is application/json.

CORS for Browser Testing

Enable CORS headers (Access-Control-*) when testing from browser-based applications.

Disable Caching During Development

Use Cache-Control: no-cache to prevent browser caching during testing.

Use Template Variables Wisely

Template variables in headers are powerful but validate input to avoid injection issues.
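
One way to apply that validation, as an added example that is not the tool's code: a hypothetical renderer for the planned `{{variable}}` syntax that refuses substituted values containing CR, LF or other control characters, so request data cannot start a new header line in the response. It handles only dotted lookups such as `{{request.headers.X-Request-ID}}`; the function names, the context shape and the 256-character cap are assumptions.

```javascript
// Added example: a hypothetical renderer for the planned {{variable}} syntax.
// Template variables are not implemented in the tool; nothing here is its API.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/; // CR, LF, NUL, ... (conservatively also HTAB)
const MAX_VALUE_LENGTH = 256; // assumed cap for a single substituted value

// Resolve a dotted path such as request.headers.X-Request-ID, own properties only.
function lookup(path, context) {
  let node = context;
  for (const part of path.split('.')) {
    const isObject = node !== null && typeof node === 'object';
    if (!isObject || !Object.prototype.hasOwnProperty.call(node, part)) {
      throw new Error(`unknown template variable: ${path}`);
    }
    node = node[part];
  }
  return node;
}

// Substitute each {{path}} and refuse values that could start a new header line.
function renderHeaderValue(template, context) {
  return template.replace(/\{\{\s*([\w.-]+)\s*\}\}/g, (match, path) => {
    const raw = lookup(path, context);
    if (typeof raw !== 'string' && typeof raw !== 'number') {
      throw new Error(`template variable is not a scalar: ${path}`);
    }
    const value = String(raw);
    if (CONTROL_CHARS.test(value) || value.length > MAX_VALUE_LENGTH) {
      throw new Error(`unsafe value for ${path}`);
    }
    return value;
  });
}

// Constructed request data for the demonstration.
const sampleContext = {
  request: {
    headers: { 'X-Request-ID': 'req-7f3a' },
    params: { userId: '42' },
  },
};

console.log(renderHeaderValue('user-{{request.params.userId}}', sampleContext));
```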

Response Headers - DoMock Documentation