API Response Header

The following is a header data example of an API response from an API request not using Basic Auth:

Date: Tue, 28 Jun 2022 12:17:22 GMT-1s
Content-Type:        text/html; charset=utf-8
Content-Length:      0 byte
Connection:  keep-alive
Content-Language:    en-us
Vary:        Accept-Language, Cookie
X-Request-Id:        b41b12575a97b6b16ca79451b1d5c94c7f488c0b
X-Request-Duration:  0.021724
Location:    /login/
X-Session-Id:        hy1y3y2nj1bm3kjnypfz1w24egvd4vbi
X-Session:   {"max_age": 1800, "extendable": true, "expiry": "2022-06-28T12:47:22.346294+00:00"}
Set-Cookie: csrftoken=MnPzYbeItKcSyyysmHWyyypz3igZ79iy;
 SameSite=Lax;
 httponly;
 Path=/
Set-Cookie: sessionid=q150dg1ctpgc1sza3ktggyguo4nsbg5u;
 SameSite=Lax;
 httponly;
 Path=/
Referrer-Policy: strict-origin-when-cross-origin
Cache-Control:
Content-Security-Policy:     style-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'self';
Strict-Transport-Security:   max-age=63072000
X-Content-Type-Options:      nosniff
X-Frame-Options:     SAMEORIGIN
X-XSS-Protection:    1; mode=block
  • The Set-Cookie header entries with csrftoken and sessionid have SameSite=Lax; set to defend against Cross Site Request Forgery (CSRF) attacks.

  • The X-Session header entry has the following properties:

    • max_age: The number of seconds remaining for the session.

    • expiry: The date at which the session will expire.

    • extendable: Boolean indicating if the client can extend the length of the session by triggering an API request.

    This information is also available from a POST call to the following endpoint:

    POST <hostname>/api/session/keep_alive/
    

    An example response JSON payload:

    {
      max_age: 86296
      extendable: false
      expiry: "2015-03-18T10:24:53.059Z"
    }
    

    Refer to the section: Time to Live (TTL)

Note

This header is not present in responses from Basic Auth API requests.