.. _api-response-header:

API Response Header
-------------------

.. _19.3.4-PB5|EKB-9241:

The following is an example of the headers in an API response to a request
that does not use Basic Auth:

::

   HTTP/1.1 200 OK
   Server: nginx/1.4.6 (Ubuntu)
   Date: Mon, 09 Oct 2017 09:57:54 GMT
   Content-Type: application/json
   Transfer-Encoding: chunked
   Connection: keep-alive
   X-CSRFToken: MnPzYbeIVKcSleCsmHWNUapz3igZ79iy
   X-Request-ID: 137fcf465ed6f77880f2739e0c50ad88d8e45073
   Content-Language: en-us
   Vary: Accept, Cookie, Accept-Language, X-CSRFToken
   Allow: GET, POST, HEAD, OPTIONS
   X-Session: {"max_age": 1200, "extendable": true, "expiry": "2017-10-09T10:17:54.542300+00:00"}
   Set-Cookie: csrftoken=MnPzYbeItKcSyyysmHWyyypz3igZ79iy; SameSite=Lax; httponly; Path=/
   Set-Cookie: sessionid=q150dg1ctpgc1sza3ktggyguo4nsbg5u; SameSite=Lax; httponly; Path=/
   Content-Security-Policy: style-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'self'


* The ``Set-Cookie`` header entries for ``csrftoken`` and ``sessionid``
  have ``SameSite=Lax`` set to defend against
  Cross-Site Request Forgery (CSRF) attacks.

* The ``X-Session`` header entry has the following properties:

  * ``max_age``: The number of seconds remaining before the session expires.
  * ``expiry``: The timestamp (ISO 8601, UTC) at which the session expires.
  * ``extendable``: Boolean indicating whether the client can extend the
    session by triggering an API request.

  This information is also available from a POST call to the
  following endpoint:

  ::

     POST <hostname>/api/session/keep_alive/


  An example response JSON payload:

  ::
  
     {
       "max_age": 86296,
       "extendable": false,
       "expiry": "2015-03-18T10:24:53.059Z"
     }


  Refer to the Time to Live (TTL) section for how the session lifetime is managed.
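As an added example (not part of this documentation or the API's own client code), the following Python script parses a constructed copy of the response head shown above, checks that each ``Set-Cookie`` carries the ``SameSite=Lax`` and ``httponly`` attributes described above (and records whether ``Secure`` is present, which the documented example does not set), and reads ``X-Session`` to decide whether a call to the ``keep_alive`` endpoint is worthwhile. The function names, the ``NOW`` timestamp and the placeholder token and session-id values are assumptions of the example.

```python
"""Inspect the security-relevant headers of an API response.

Added example, not part of the original documentation: parses a
constructed copy of the documented response head, audits the Set-Cookie
attributes, and reads X-Session to decide whether to call keep_alive.
"""
import json
from datetime import datetime, timezone

# Constructed sample modelled on the documented response (fake token and
# session id). Lines starting with whitespace are continuation lines of
# the previous header ("obs-fold"), which parse_headers() unfolds.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 09 Oct 2017 09:57:54 GMT\r\n"
    "Content-Type: application/json\r\n"
    "X-CSRFToken: EXAMPLETOKENEXAMPLETOKEN00000000\r\n"
    "X-Session: {\"max_age\": 1200,\r\n"
    " \"extendable\": true,\r\n"
    " \"expiry\": \"2017-10-09T10:17:54.542300+00:00\"}\r\n"
    "Set-Cookie: csrftoken=EXAMPLETOKENEXAMPLETOKEN00000000;\r\n"
    " SameSite=Lax;\r\n"
    " httponly;\r\n"
    " Path=/\r\n"
    "Set-Cookie: sessionid=examplesessionid0000000000000000;\r\n"
    " SameSite=Lax;\r\n"
    " httponly;\r\n"
    " Path=/\r\n"
    "\r\n"
)

# Assumed "current time": the Date header, given the expiry's microseconds
# so that the gap to X-Session.expiry is exactly max_age (1200 s).
NOW = datetime(2017, 10, 9, 9, 57, 54, 542300, tzinfo=timezone.utc)


def parse_headers(raw):
    """Split a response head into the status line and (name, value) pairs.
    Duplicate names (both Set-Cookie headers) are kept in order and
    continuation lines are unfolded into the preceding header's value."""
    status_line, _, rest = raw.partition("\r\n")
    headers = []
    for line in rest.split("\r\n"):
        if line == "":
            break  # the blank line ends the header section
        if line[0] in " \t":
            if not headers:
                raise ValueError("continuation line before any header field")
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed header line: {line!r}")
            headers.append((name.strip(), value.strip()))
    return status_line, headers


def get_all(headers, name):
    """All values of a header, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def cookie_attributes(set_cookie):
    """Return the cookie name and its attributes (keys lower-cased).
    Flag attributes such as httponly or Secure map to True."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def audit_cookies(headers):
    """Per cookie: does it carry SameSite=Lax and httponly as documented,
    and is the Secure attribute present (absent in the documented example)."""
    report = {}
    for value in get_all(headers, "Set-Cookie"):
        name, attrs = cookie_attributes(value)
        report[name] = {
            "samesite_lax": str(attrs.get("samesite", "")).lower() == "lax",
            "httponly": attrs.get("httponly") is True,
            "secure": attrs.get("secure") is True,
        }
    return report


def parse_x_session(value):
    """Decode the X-Session JSON. Accepts the '+00:00' offset form used in
    the header and the trailing 'Z' form used in the keep_alive payload."""
    data = json.loads(value)
    expiry = data["expiry"]
    if expiry.endswith("Z"):
        expiry = expiry[:-1] + "+00:00"  # fromisoformat on older Pythons lacks 'Z'
    return {
        "max_age": int(data["max_age"]),
        "extendable": bool(data["extendable"]),
        "expiry": datetime.fromisoformat(expiry),
    }


def seconds_left(session, now):
    """Seconds until the server-side session expires (negative if expired)."""
    return (session["expiry"] - now).total_seconds()


def should_keep_alive(session, now, threshold=300):
    """A keep_alive POST only helps when the server reports the session as
    extendable and it is still alive but within `threshold` seconds of expiry."""
    return session["extendable"] and 0 < seconds_left(session, now) <= threshold


if __name__ == "__main__":
    status, hdrs = parse_headers(RAW_RESPONSE)
    print(status)
    print(audit_cookies(hdrs))
    sess = parse_x_session(get_all(hdrs, "X-Session")[0])
    print("seconds left:", seconds_left(sess, NOW), "keep alive:", should_keep_alive(sess, NOW))
```

Run it as a script to see the cookie report and the keep-alive decision; in a real client, ``NOW`` would be the current UTC time and ``RAW_RESPONSE`` the head of the response you just received.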

.. note::
   The ``X-Session`` header is not present in responses to Basic Auth
   API requests.