http

Use HTTP correctly with proper methods, status codes, headers, and caching.
Install via ClawdBot CLI:
clawdbot install ivangdavila/http

- Location header with absolute URL - relative may fail in older clients
- Cache-Control: no-store for sensitive data - never written to disk
- no-cache still caches but revalidates every time - not "don't cache"
- private, max-age=0, must-revalidate for user-specific, always-fresh content
- public, max-age=31536000, immutable for versioned static assets
- Vary: Accept-Encoding, Authorization when response depends on these headers - forgetting Vary breaks caching
- ETag + If-None-Match: prefer for APIs - content hash based
- "abc" vs W/"abc" - weak allows semantically equivalent responses
- If-Match for optimistic locking: fail update if resource changed since read
- If-Match fails - not 409 Conflict
- Access-Control-Max-Age - set to 86400 to reduce OPTIONS spam
- Strict-Transport-Security: max-age=31536000; includeSubDomains - HSTS, once set can't easily undo
- X-Content-Type-Options: nosniff - prevents MIME sniffing attacks
- X-Frame-Options: DENY or SAMEORIGIN - prevents clickjacking
- Content-Security-Policy - complex but essential; start with report-only mode
- Accept-Ranges: bytes signals support - clients can request partial content
- Range: bytes=0-1023 requests first 1024 bytes; bytes=-500 requests last 500
- Content-Range: bytes 0-1023/5000
- Content-Range: bytes */5000
- {"error": {"code": "VALIDATION_FAILED", "message": "...", "details": [...]}}
- Idempotency-Key:
- Retry-After header - can be seconds or HTTP date
- Vary: must include headers that affect response - CORS without Vary: Origin breaks
- Content-Disposition: attachment; filename="report.pdf" for downloads
- X-Request-ID: generate if not present, propagate to downstream services
- Accept-Language for localized responses - respect with graceful fallback
- Content-Length or chunked = connection close after response
- Transfer-Encoding: chunked for streaming - can't set Content-Length
- Connection: Upgrade, Upgrade: websocket

Generated Feb 23, 2026
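The ETag, If-None-Match and If-Match rules above, worked through as an added example (not code from the skill itself): a server-side precondition check that uses weak comparison for cache revalidation and strong comparison for optimistic locking. The function names are hypothetical, and header names are assumed to be already normalised to the casing shown.

```python
import hashlib
import re

ETAG_RE = re.compile(r'(?:W/)?"[^"]*"')  # entity-tag: optional W/ prefix + quoted string

def make_etag(body: bytes, weak: bool = False) -> str:
    """Content-hash ETag; the double quotes are part of the header value."""
    tag = '"' + hashlib.sha256(body).hexdigest()[:16] + '"'
    return "W/" + tag if weak else tag

def strong_eq(a: str, b: str) -> bool:
    """Strong comparison: neither tag is weak and both are identical."""
    return not a.startswith("W/") and not b.startswith("W/") and a == b

def weak_eq(a: str, b: str) -> bool:
    """Weak comparison: opaque parts match, the W/ prefix is ignored."""
    return a.removeprefix("W/") == b.removeprefix("W/")

def _matches(header: str, current, compare) -> bool:
    if current is None:            # resource does not exist yet
        return False
    if header.strip() == "*":      # "*" matches any existing representation
        return True
    return any(compare(tag, current) for tag in ETAG_RE.findall(header))

def precondition_status(method: str, headers: dict, current_etag):
    """Return 412 or 304 if a precondition stops the request, else None."""
    if "If-Match" in headers:
        # Optimistic locking: the write proceeds only if the client's copy
        # is still current. A failed If-Match is 412, not 409 Conflict.
        if not _matches(headers["If-Match"], current_etag, strong_eq):
            return 412
    if "If-None-Match" in headers:
        if _matches(headers["If-None-Match"], current_etag, weak_eq):
            # Revalidation hit for reads; for writes it blocks the change.
            return 304 if method in ("GET", "HEAD") else 412
    return None

if __name__ == "__main__":
    v1, v2 = make_etag(b"balance=100"), make_etag(b"balance=90")  # constructed bodies
    print(precondition_status("GET", {"If-None-Match": v1}, v1))
    print(precondition_status("PUT", {"If-Match": v1}, v2))
```

A weak tag in If-Match never satisfies the check, so a client holding only `W/"..."` cannot use it for a guarded write.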
Building a RESTful API for an online store that handles product listings, user carts, and secure checkout processes. Requires proper HTTP methods (GET for browsing, POST for orders), status codes (200 for success, 409 for duplicate orders), and caching for static assets like product images.
Implementing a banking or payment gateway API that processes transactions with idempotency keys for retries, security headers like HSTS, and conditional requests using ETags to prevent double-spending or conflicts in account updates.
Configuring a CDN to serve static files (e.g., JavaScript, CSS) with caching headers like public, max-age=31536000, immutable and handling range requests for video streaming. Includes setting Vary headers for different encodings and managing redirects for updated assets.
Developing an API for sharing patient records between hospitals, ensuring compliance with privacy regulations. Uses no-store caching for sensitive data, CORS preflight for cross-origin requests, and structured JSON errors with request IDs for audit trails.
Creating a web application like a document editor that uses WebSocket upgrades for live updates and HTTP/2 for efficient multiplexing. Implements conditional requests with If-Match for optimistic locking and retry patterns with exponential backoff for network reliability.
Offering a cloud-based API platform where customers pay subscription fees for access to HTTP-based services, such as analytics or authentication. Revenue is generated through tiered pricing based on request volume, features, and support levels.
Selling access to proprietary APIs, such as for payment processing or data enrichment, with usage-based billing. Revenue comes from per-request charges, monthly quotas, or premium endpoints with advanced HTTP features like caching and retry handling.
Providing expertise to businesses for optimizing their HTTP implementations, including performance tuning, security audits, and legacy system upgrades. Revenue is project-based or hourly, focusing on reducing latency and improving reliability.
Integration Tip
Start by implementing security headers like HSTS and CSP in report-only mode, then add caching and retry logic to improve performance and resilience in production environments.
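To check where a service stands before and after following this tip, the added example below (not part of the skill) audits one HTTPS response's headers against the caching and security-header rules listed on this page. The function name, finding codes and sample responses are constructed for illustration.

```python
def _tokens(value: str) -> set:
    """Split a comma-separated header value into lowercase tokens."""
    return {t.strip().lower() for t in value.split(",") if t.strip()}

def audit_headers(headers: dict, sensitive: bool = False) -> dict:
    """Return {finding_code: explanation} for one HTTPS response.

    `sensitive` is the caller's classification of the body (assumption:
    the application knows which routes return personal or financial data).
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    cache = _tokens(h.get("cache-control", ""))
    vary = _tokens(h.get("vary", ""))
    csp = h.get("content-security-policy", "")
    findings = {}

    if sensitive and "no-store" not in cache:
        why = "no-cache only forces revalidation" if "no-cache" in cache else "directive absent"
        findings["no-store"] = f"sensitive body may be written to a cache ({why})"
    if "max-age=" not in h.get("strict-transport-security", "").lower():
        findings["hsts"] = "Strict-Transport-Security missing or without max-age"
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings["nosniff"] = "X-Content-Type-Options: nosniff not set"
    framed = h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    if not framed and "frame-ancestors" not in csp.lower():
        findings["framing"] = "no X-Frame-Options or CSP frame-ancestors"
    if not csp and "content-security-policy-report-only" not in h:
        findings["csp"] = "no CSP, not even in report-only mode"
    acao = h.get("access-control-allow-origin")
    if acao and acao != "*" and "origin" not in vary and "*" not in vary:
        findings["vary-origin"] = "per-origin CORS response lacks Vary: Origin"
    return findings

# Constructed sample responses (not captured traffic).
WEAK = {"Cache-Control": "no-cache", "Vary": "Accept-Encoding",
        "Access-Control-Allow-Origin": "https://app.example"}
HARDENED = {"Cache-Control": "no-store",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
            "Content-Security-Policy-Report-Only": "default-src 'self'",
            "Access-Control-Allow-Origin": "https://app.example",
            "Vary": "Origin, Accept-Encoding"}

if __name__ == "__main__":
    for code, msg in audit_headers(WEAK, sensitive=True).items():
        print(f"{code}: {msg}")
```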