Request Headers

Access incoming request headers through the request.headers property, which provides a case-insensitive dictionary-like interface:

from nexios import NexiosApp
app = NexiosApp()
@app.get("/")
async def show_headers(request, response):
    user_agent = request.headers.get("user-agent")
    accept_language = request.headers.get("accept-language")
    return {
        "user_agent": user_agent,
        "accept_language": accept_language
    }

Common Request Headers

Header	Description	Example
Accept	Content types the client can process	application/json, text/html
Authorization	Credentials for authentication	Bearer xyz123
Content-Type	Media type of the request body	application/json
Cookie	Cookies sent by the client	session_id=abc123
User-Agent	Client application information	Mozilla/5.0
X-Requested-With	Indicates AJAX request	XMLHttpRequest

💡 Tip

Nexios normalizes header names to lowercase, so request.headers.get("User-Agent") and request.headers.get("user-agent") are equivalent.

Response Headers

Set response headers using the response.set_header() method or by passing a headers dictionary:

from nexios import NexiosApp
app = NexiosApp()
@app.get("/")
async def set_headers(request, response):
    response.set_header("X-Custom-Header", "Custom Value")
    response.set_header("Cache-Control", "no-store")
    return response.text("Hello, World!")

Common Response Headers

Header	Description	Example
Content-Type	Media type of the response	text/html; charset=utf-8
Cache-Control	Caching directives	max-age=3600
Set-Cookie	Sets cookies on client	session_id=abc123; Path=/
Location	URL for redirects	https://example.com/new
X-Frame-Options	Clickjacking protection	DENY
Content-Security-Policy	Security policy	default-src 'self'

Setting Headers In Middleware

Middleware is an ideal place to set headers that should be applied to multiple routes:

from nexios import NexiosApp
app = NexiosApp()

async def security_headers_middleware(request, response, next):
    # Set security headers before processing
    response.set_header("X-Content-Type-Options", "nosniff")
    response.set_header("X-Frame-Options", "DENY")
    response.set_header("Content-Security-Policy", "default-src 'self'")
    
    await next()
    
    # Can also modify headers after processing
    response.remove_header("Server")  # Remove server identification

app.add_middleware(security_headers_middleware)

Header Manipulation Methods

Nexios provides several methods for working with headers:

Request Header Methods

• request.headers.get(key, default=None) - Get a header value
• request.headers.items() - Get all headers as key-value pairs
• request.headers.keys() - Get all header names
• request.headers.values() - Get all header values

Response Header Methods

• response.set_header(key, value, override=False) - Set a header
• response.remove_header(key) - Remove a header
• response.has_header(key) - Check if header exists
• response.set_headers(headers_dict, override_all=False) - Set multiple headers

Security Headers Best Practices

For enhanced security, consider these recommended headers:

@app.middleware
async def add_security_headers(request, response, next):
    response.set_headers({
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "X-XSS-Protection": "1; mode=block",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"
    })
    await next()

Performance Headers

Optimize client-side caching and resource loading:

@app.middleware
async def add_performance_headers(request, response, next):
    if request.path.endswith(('.js', '.css', '.png', '.jpg')):
        response.set_header("Cache-Control", "public, max-age=31536000, immutable")
    await next()

Cookie Headers

Cookies are set via special Set-Cookie headers:

@app.get("/login")
async def login(request, response):
    response.set_cookie(
        key="session_id",
        value="abc123",
        max_age=3600,
        secure=True,
        httponly=True,
        samesite="strict"
    )
    return response.redirect("/dashboard")

Conditional Headers

Handle conditional requests with these headers:

Header	Purpose	Example
If-Modified-Since	Check if resource changed	Sat, 01 Jan 2022 00:00:00 GMT
If-None-Match	Check ETag match	"abc123"
ETag	Resource version identifier	W/"xyz456"
Last-Modified	Resource modification time	Sat, 01 Jan 2022 00:00:00 GMT

Restricted Headers

Some headers are restricted and cannot be modified:

• Content-Length (automatically calculated)
• Connection
• Transfer-Encoding
• Host

⚠️ Warning

Always set headers after the request is processed in middleware when modifying responses. Setting headers too early may result in them being overwritten.

Further Reading

• MDN HTTP Headers Reference
• OWASP Secure Headers Project
• RFC 7231: HTTP/1.1 Semantics