API Response Header

The following is an example of the response headers returned for an API request that does not use Basic Auth:

HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Date: Mon, 09 Oct 2017 09:57:54 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
X-CSRFToken: MnPzYbeIVKcSleCsmHWNUapz3igZ79iy
X-Request-ID: 137fcf465ed6f77880f2739e0c50ad88d8e45073
Content-Language: en-us
Vary: Accept, Cookie, Accept-Language, X-CSRFToken
Allow: GET, POST, HEAD, OPTIONS
X-Session: {"max_age": 1200,
 "extendable": true,
 "expiry": "2017-10-09T10:17:54.542300+00:00"}
Set-Cookie: csrftoken=MnPzYbeItKcSyyysmHWyyypz3igZ79iy;
 SameSite=Lax;
 httponly;
 Path=/
Set-Cookie: sessionid=q150dg1ctpgc1sza3ktggyguo4nsbg5u;
 SameSite=Lax;
 httponly;
 Path=/
Content-Security-Policy:
   style-src 'unsafe-inline' 'self';
   script-src 'unsafe-eval' 'self';

  • The Set-Cookie header entries for csrftoken and sessionid have SameSite=Lax set to defend against Cross-Site Request Forgery (CSRF) attacks.

  • The X-Session header entry has the following properties:

    • max_age: The number of seconds remaining for the session.

    • expiry: The date at which the session will expire.

    • extendable: Boolean indicating if the client can extend the length of the session by triggering an API request.

    This information is also available from a POST call to the following endpoint:

    POST <hostname>/api/session/keep_alive/

    An example response JSON payload:

    {
      "max_age": 86296,
      "extendable": false,
      "expiry": "2015-03-18T10:24:53.059Z"
    }

    Refer to the section: Time to Live (TTL)
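    The following Python snippet is an added example (not code from the API's documentation or client) showing how a client would consume the headers above: it unfolds the multi-line X-Session and Set-Cookie values, parses the session JSON to decide whether a keep_alive call is worthwhile, and audits the cookie attributes the page describes. The sample headers are constructed from the example above, and the "extend when under a quarter of max_age remains" policy is an assumption, not something the page specifies.

```python
import json
from datetime import datetime
# Constructed sample: the response headers shown above, including the folded
# continuation lines (leading whitespace) exactly as they appear on the page.
RAW_HEADERS = """HTTP/1.1 200 OK
X-Session: {"max_age": 1200,
 "extendable": true,
 "expiry": "2017-10-09T10:17:54.542300+00:00"}
Set-Cookie: csrftoken=MnPzYbeItKcSyyysmHWyyypz3igZ79iy;
 SameSite=Lax;
 httponly;
 Path=/
Set-Cookie: sessionid=q150dg1ctpgc1sza3ktggyguo4nsbg5u;
 SameSite=Lax;
 httponly;
 Path=/
"""

def parse_headers(raw):
    """Unfold continuation lines; return a list of (lowercased name, value)."""
    headers = []
    for line in raw.splitlines()[1:]:            # skip the status line
        if line[0] in " \t" and headers:         # folded line belongs to the previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers

def session_status(headers, now_iso):
    """Parse X-Session; report seconds left and whether keep_alive is worth calling."""
    data = json.loads(next(v for n, v in headers if n == "x-session"))
    exp, now = datetime.fromisoformat(data["expiry"]), datetime.fromisoformat(now_iso)
    remaining = (exp - now).total_seconds()
    # Policy assumed here (not from the page): extend once under a quarter of max_age is left.
    extend = data["extendable"] and remaining < data["max_age"] / 4
    return {"max_age": data["max_age"], "remaining": remaining, "keep_alive": extend}

def cookie_flags(headers):
    """Map each Set-Cookie name to the lowercased attribute names it carries."""
    flags = {}
    for n, v in headers:
        if n == "set-cookie":
            parts = [p.strip() for p in v.split(";") if p.strip()]
            flags[parts[0].split("=", 1)[0]] = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return flags

def cookies_hardened(headers):
    """True only if every cookie carries both SameSite and HttpOnly, as the page's cookies do."""
    return all({"samesite", "httponly"} <= f for f in cookie_flags(headers).values())
```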

Note

This header is not present in responses from Basic Auth API requests.