Imagine you’re testing your API endpoint that’s supposed to super secure. You check it with Postman, but suddenly, your backend throws some weird NullPointerException.
What can be the actual reason behind this?
This is because your API was expecting a header (like X-Auth-Token) that wasn’t there at all. Or worse, the header was there but completely empty.
Without proper header validation, your code ends up doing dangerous guesswork:
- Sometimes it crashes with ugly errors.
- Sometimes it silently lets bad requests in.
- And sometimes… your futures self will curse your past self for not validating headers.
Here, Request Header Validation comes to the picture, as a solution to secure your header endpoint.
Header Validation Code Base Example:
private void validateRequestHeader(MethodParameter parameter, HttpServletRequest request, List<FieldErrorResponse> errors) {
// 1. Get the @RequestHeader annotation from the method parameter
RequestHeader annotation = parameter.getParameterAnnotation(RequestHeader.class);
// 2. Skip if there's no @RequestHeader or if it's marked as not required
if (annotation == null || !annotation.required()) return;
// 3. Figure out the header name (either from annotation or parameter name)
String headerName = getHeaderName(annotation, parameter);
// 4. Read the actual header value from the incoming request
String headerValue = request.getHeader(headerName);
// 5. If the header is missing, add an error
if (headerValue == null) {
errors.add(createError(headerName, "Header not present"));
}
// 6. If the header is just empty, add another error
else if (headerValue.trim().isEmpty()) {
errors.add(createError(headerName, "Header is empty"));
}
}Lets Break it down in Plain English:
Step 1: We look at the controller method parameter to check if it has a @RequestHeader
step 2: If it’s optional (required = false), we don’t bother validating.
Step 3: Grab the name of the header (X-Auth-Token, Authorization, etc.).
Step 4: Peek into the request to see if the header was actually sent.
Step 5: If the header is completely missing -> throw an error.
Step 6: If it’s there but empty -> throw a error “missing header”
that’s quite easy, right?
Real Example in Action:
Suppose this controller:
@GetMapping(“/secure”)
public String secure(@RequestHeader(name = “X-Auth-Token”, required = true) String token) {
return “You’re in! 🚀”;
}
Case 1: Missing header
GET /secure
(no X-Auth-Token sent)
Error: "X-Auth-Token header not present"
Case 2: Empty header
GET /secure
X-Auth-Token:
Error: "X-Auth-Token header is empty"
Case 3: Valid header
GET /secure
X-Auth-Token: abc123
Works fine. Response: "You’re in! "
Why This Matters?
No more random backend crashes.
Clear, friendly error messages for frontend devs.
Stronger API security (attackers can’t sneak past with missing headers).
Bonus: If you’ve ever seen your backend crashing because a request was missing headers, adding a validator like this will make your APIs way more robust (and save you from late-night debugging marathons
