If Ketting is used in a browser, and the API you're using is hosted on a different origin than the page, the API must send CORS headers. The following set allows you to use every Ketting feature:

```http
Access-Control-Allow-Origin: [yourdomain]
Access-Control-Allow-Headers: Content-Type, User-Agent, Authorization, Accept, Prefer, Link
Access-Control-Allow-Methods: DELETE, GET, PATCH, POST, PUT, HEAD
Access-Control-Expose-Headers: Location, Link
```
You might want to customize these for your specific purposes. A good rule of thumb is to only add things to these lists as you need them. `[yourdomain]` should be the exact origin of your front-end (scheme, host and port), not `*`: browsers reject a wildcard origin on credentialed requests, and a wildcard lets any site call your API from a user's browser.
Here's a breakdown of how each request header is used:

- `Authorization`: Only used if Authentication is on.
- `Accept`: Sent with every `GET` request.
- `Content-Type`: Sent with every `PUT`, `PATCH` and `POST` request.
- `Link`: Set to `Link: <uri-reference>; param1=value1; param2="value2"` to provide a means for serialising one or more links in HTTP headers.
- `Prefer`: Set to `Prefer: transclude="rel1, rel2"` as a hint to the server that it might want to embed linked resources for optimization. See Prefer-Transclude.
- `Prefer-Push`: Set to `Prefer-Push: rel1, rel2` as a hint to the server that the client might want to fetch those resources next, so that it can do a HTTP/2 push for them. See Prefer-Push.
- `User-Agent`: Set to `ketting/[version]` and sent with every request.
Response headers:

- `Location`: Ketting will attempt to read the `Location` header from a `201 Created` response to a `POST` request to find the newly created resource.
- `Link`: Exposed so that Ketting can read links the server serialises in a response's `Link` header; without `Access-Control-Expose-Headers` the browser hides it from cross-origin scripts.