Postman Testing
CHAPTER 07 Beginner

Working with Headers and Query Parameters

Updated: May 13, 2026


1. Introduction

While the URL and the HTTP Method define *where* you are going and *what* you want to do, Headers and Query Parameters define the specifics of *how* you want it done. They are the fine-tuning dials of an API request. In this chapter, we will learn how to use Postman to attach key-value pairs to our requests, differentiating between data appended to the URL (Params) and hidden metadata sent behind the scenes (Headers).

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Define and use Query Parameters for filtering and pagination.
  • Use the Postman "Params" tab to construct complex URLs.
  • Understand the purpose of HTTP Headers.
  • Configure common headers like Content-Type and Accept.
  • Distinguish between when to use a Query Parameter versus a Header.

3. Beginner-Friendly Explanation

Imagine ordering a coffee at a drive-thru. The URL is the location: "Starbucks on 5th Ave". The Method is the action: "I want a coffee" (GET).

Query Parameters are the specific details of your order: "I want *size=large* and *flavor=vanilla*." You say these out loud for everyone to hear. Headers are your ID card and your language preference. You hand the cashier your ID (Authorization Header) and say "I speak English" (Accept-Language Header). This is metadata. It's not the coffee itself, but it dictates how the transaction is handled.

4. Real-World Examples

  • Filtering (Params): An E-commerce API needs to show shoes under $50. The request is GET /products?category=shoes&maxPrice=50.
  • Pagination (Params): A blog API has 10,000 posts. You only want the second page of 10 posts. The request is GET /posts?page=2&limit=10.
  • Data Formatting (Headers): Your frontend needs XML data instead of JSON. You send a Header: Accept: application/xml.
  • Security (Headers): To access a private profile, you send a Header: Authorization: Bearer mySecretToken123.

5. Step-by-Step Tutorials (Query Parameters)

Let's filter some data using JSONPlaceholder. We want to find all posts written by User ID 2.

Using the Postman Params Tab:

  1. Set the Method to GET.
  2. Enter the base URL: https://jsonplaceholder.typicode.com/posts
  3. Do not type the ? manually! Instead, click the Params tab just below the URL bar.
  4. Under the "Key" column, type userId.
  5. Under the "Value" column, type 2.
  6. Notice how Postman *automatically* updates the URL bar to ...?userId=2.
  7. Hit Send. The response will only contain posts where "userId": 2.

*Why use the Params tab?* If you have 5 different parameters, typing them into the URL is messy and error-prone. The Params tab organizes them into a clean checklist where you can toggle them on and off with checkboxes!

6. Step-by-Step Tutorials (Headers)

Now let's add metadata. We want to tell the server we are sending JSON.

Using the Postman Headers Tab:

  1. Click the Headers tab next to Params.
  2. You will see several hidden headers Postman adds automatically (like User-Agent).
  3. Scroll to the bottom empty row.
  4. Under "Key", start typing Content-Type. Postman has autocomplete to help you! Select Content-Type.
  5. Under "Value", type application/json.
  6. Hit Send.

*(Note: When you use the "Body" tab and select JSON, Postman actually adds this header for you automatically, but it's crucial to know how to do it manually).*

7. Common Headers Explained

Here are the headers you will encounter most often in API testing:
  • Content-Type: Tells the server what format the data in the *Request Body* is (e.g., JSON, form-data).
  • Accept: Tells the server what format the *Response* should be.
  • Authorization: Contains credentials (passwords, tokens) to prove your identity.
  • User-Agent: Identifies the software making the request (e.g., Chrome, Postman, iOS App).

8. Examining Response Headers

Headers go both ways! When the server replies, it also sends metadata.
  1. After sending a request, look at the Response Viewer (bottom pane).
  2. Click the Headers tab.
  3. You will see things like Date, Content-Type: application/json; charset=utf-8, and server info like cloudflare or nginx.
  4. As a tester, you sometimes need to write scripts verifying that specific security headers are present in the response.
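
The following script is an added example, not part of the original chapter, showing one way to verify security headers in a response. The baseline of three headers and the helper names (BASELINE, headerLookup, auditSecurityHeaders) are assumptions for illustration; the same code runs in a Postman post-response script or stand-alone in Node against the constructed sample.

```javascript
// Added example: audit response headers against a small security baseline.
// The baseline is an assumption for illustration; adapt it to your API's policy.
const BASELINE = [
  // HSTS must set a non-zero max-age (max-age=0 switches the protection off).
  { name: 'Strict-Transport-Security', ok: v => /max-age=\d+/i.test(v) && !/max-age=0\b/i.test(v) },
  { name: 'X-Content-Type-Options', ok: v => v.trim().toLowerCase() === 'nosniff' },
  { name: 'Content-Security-Policy', ok: v => v.trim().length > 0 },
];

// Header names are case-insensitive, so build a lookup that ignores case.
function headerLookup(pairs) {
  const map = new Map();
  for (const [key, value] of pairs) map.set(key.toLowerCase(), value);
  return name => map.get(name.toLowerCase());
}

// getHeader(name) must return the header value, or undefined when it is absent.
function auditSecurityHeaders(getHeader, baseline = BASELINE) {
  const findings = [];
  for (const { name, ok } of baseline) {
    const value = getHeader(name);
    if (value === undefined || value === null) {
      findings.push({ name, problem: 'missing' });
    } else if (!ok(String(value))) {
      findings.push({ name, problem: 'weak', value: String(value) });
    }
  }
  return findings;
}

// Constructed sample response headers (not captured from a real server).
const sampleHeaders = [
  ['content-type', 'application/json; charset=utf-8'],
  ['strict-transport-security', 'max-age=0'],
  ['x-content-type-options', 'nosniff'],
];

if (typeof pm !== 'undefined') {
  // Inside Postman: run the audit against the live response.
  pm.test('Baseline security headers are present', () => {
    const findings = auditSecurityHeaders(name => pm.response.headers.get(name));
    pm.expect(findings, JSON.stringify(findings)).to.be.an('array').that.is.empty;
  });
} else {
  // Outside Postman: run against the constructed sample.
  console.log(auditSecurityHeaders(headerLookup(sampleHeaders)));
}
```

On the sample, the audit reports Strict-Transport-Security as weak and Content-Security-Policy as missing.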

9. Best Practices

  • Use the Params grid: Never construct complex query strings (URLs with ? and &) manually in the URL bar. Use the Params tab so you can easily edit, read, and toggle individual filters.
  • Hide Secrets: Never put sensitive information (like API keys or passwords) in Query Parameters. Query parameters are part of the URL, so they are recorded in server logs and browser history. Always put sensitive data in Headers or the Request Body.
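
To make the logging risk concrete, the following added example (not part of the original chapter) scans access-log lines for credentials that ended up in query strings and produces a redacted copy of each URL. The log lines are constructed, and the list of sensitive parameter names and the function names are assumptions for illustration.

```javascript
// Added example: find and redact credentials that leaked into logged URLs.
// The parameter-name pattern is an assumption; extend it with the names your APIs use.
const SENSITIVE = /^(api[_-]?key|(access[_-]?)?token|password|passwd|secret)$/i;

// Extract the request target from a common-log-format line: "METHOD target HTTP/x.y".
function requestTarget(line) {
  const m = line.match(/"([A-Z]+) (\S+) HTTP\/[\d.]+"/);
  return m ? m[2] : null;
}

// Return the sensitive parameter names found in a target, plus a redacted copy of it.
function scanTarget(target) {
  // The base URL is a placeholder needed only so the relative target can be parsed.
  const url = new URL(target, 'http://placeholder.invalid');
  const leaked = [];
  for (const name of new Set(url.searchParams.keys())) {
    if (SENSITIVE.test(name)) {
      leaked.push(name);
      url.searchParams.set(name, 'REDACTED');
    }
  }
  return { leaked, redacted: url.pathname + url.search };
}

// Scan every line and report the 1-based line number of each hit.
function scanLog(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const target = requestTarget(line);
    if (!target) return; // not a request line
    const { leaked, redacted } = scanTarget(target);
    if (leaked.length) hits.push({ line: i + 1, leaked, redacted });
  });
  return hits;
}

// Constructed access-log lines (documentation IP range, made-up values).
const sampleLog = [
  '203.0.113.7 - - [13/May/2026:10:00:01 +0000] "GET /posts?page=2&limit=10 HTTP/1.1" 200 512',
  '203.0.113.7 - - [13/May/2026:10:00:02 +0000] "GET /profile?api_key=EXAMPLE-KEY-123&fields=name HTTP/1.1" 200 231',
  '203.0.113.9 - - [13/May/2026:10:00:05 +0000] "GET /export?format=csv&access_token=EXAMPLE-TOKEN HTTP/1.1" 200 9042',
];

console.log(scanLog(sampleLog));
```

Any credential this scan finds in real logs should be treated as exposed and rotated, since redacting the log does not undo copies held elsewhere.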

10. Common Mistakes

  • Confusing Content-Type and Accept: Remember: Content-Type describes the data *you are sending*. Accept describes the data *you want back*.
  • Typos in Headers: Headers are strictly defined by HTTP standards. Typing Content-Format instead of Content-Type means the server will ignore it completely. Rely on Postman's autocomplete feature.

11. Mini Exercises

  1. In Postman, check the box next to a parameter in the Params tab to disable it. Watch what happens to the URL.
  2. Look at the Response Headers of a request to Google.com. What does the Content-Type header say? (It will likely be text/html).

12. Coding/Testing Challenges

Challenge 1: Using JSONPlaceholder, construct a single GET request that fetches comments, but use the Params tab to add two filters: postId should be 1, and id should be 3. What is the email address of the person who left this specific comment?

13. MCQs with Answers

Question 1

Which character denotes the beginning of Query Parameters in a URL?

Question 2

Where should you place sensitive information, like an API Key, to ensure it is not saved in browser histories or basic server routing logs?

Question 3

Which Postman tab provides a spreadsheet-like interface to manage URL query strings without manually typing ? and &?

14. Interview Questions

  • Q: Explain the difference between HTTP Headers and Query Parameters. Give an example of when you would use each.
  • Q: What is the specific purpose of the Content-Type header?
  • Q: Why shouldn't you pass an authentication token in a Query Parameter?

15. FAQs

Q: Does case sensitivity matter in Headers? A: According to the HTTP/1.1 specification, header field names (like content-type vs Content-Type) are case-insensitive. However, the *values* are usually case-sensitive.

16. Summary

In this chapter, we learned how to pass extra instructions to the server. We used the "Params" tab to easily construct URL query strings, which are perfect for filtering, searching, and paginating public data. We then explored the "Headers" tab, learning how to pass invisible metadata like Content-Type and Authorization, which are essential for security and content negotiation.

17. Next Chapter Recommendation

We know how to format URLs and add metadata. Now it is time to look closely at the data payload itself. Proceed to Chapter 8: Working with JSON Request Bodies to master formatting data for POST and PUT requests.
