Hypertext Transfer Protocol (HTTP)
HTTP is the protocol used to talk to a web server: your browser sends an HTTP request to the server, receives a response with HTML inside, and renders that page.
Port: 80 (TCP)
There is a secure version called HTTPS (port 443, over SSL/TLS).
```text
$ telnet IP 80
GET / HTTP/1.1
Host: example.com
(press Enter on an empty line: the blank line ends the headers and sends the request)
```
Method
The first element in a request is the method.
- `GET`: get a resource (ex: return `/index.html`)
- `POST`: create a resource (ex: create a user)
- `PUT`: update ONE field of a resource (ex: update user password)
- `PATCH`: update a resource (ex: update user data)
- `DELETE`: delete a resource (ex: delete a user)
- `HEAD`: returns the headers for a GET request
- `OPTIONS`: returns a list of allowed methods for an endpoint
- ...
Path/Route
The second element is the path (or route): a path relative to the webserver root. For instance, for `https://example.com/index.html`, the path is `/index.html`.
HTTP versions
The HTTP versions that are widely used are `HTTP/1.1` and HTTP/2, while HTTP/3 was released in 2022.
HTTP Headers
In every HTTP/HTTPS request and response, there are headers set by the client and by the server. The format is `Header-Name: value`, and anyone can add their own headers.
- `Set-Cookie`: the server requests the creation of cookies
- `Cookie`: the client sends the created cookies in every request
- `Host`: one of the domain names hosted by the server
- `Server`: name of the HTTP server, maybe the version/OS too
- `Accept`: media types that the client can understand
- `User-Agent`: describes the client initiating the request
- `X-Forwarded-For`/`CF-Connecting-IP`: can be used to find the client IP when the client is behind an HTTP proxy or a load balancer
- ...
HTTP Payload
If you are using `GET`, the payload is inside the URL. For the other methods, the data is inside the body. In both cases, it's URL-encoded.
HTTP Response code
When the server answers, it returns an HTTP response code according to how it could handle the request:
- `200`: OK
- `301`/`303`: Redirected
- `403`: Forbidden
- `404`: Not found
- `500`: Internal server error
- ...
You can use httpstatus to test the response code for a batch of URLs. It supports automatic redirection.
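The request typed by hand in the telnet session above, and the response that comes back, share one text format: a request or status line, headers, a blank line, then the payload. The following Python example is added here and is not code from the original page; it builds such a request for `GET` (payload in the URL) and for a body-carrying method (URL-encoded body with `Content-Length`), and parses a raw response into its status code, headers and body. The sample response bytes are constructed for the example, not captured from a real server.

```python
"""Build a raw HTTP/1.1 request and parse a raw response.

Added example; SAMPLE_RESPONSE is constructed here, not captured from
any real server.
"""
from urllib.parse import urlencode


def build_request(method, path, host, headers=None, form=None):
    """Return the bytes of an HTTP/1.1 request.

    GET parameters go into the URL (query string); for other methods the
    URL-encoded form goes into the body, announced by Content-Length.
    """
    headers = dict(headers or {})
    headers.setdefault("Host", host)  # Host is mandatory in HTTP/1.1
    body = b""
    if form:
        encoded = urlencode(form)
        if method.upper() == "GET":
            path = f"{path}?{encoded}"
        else:
            body = encoded.encode()
            headers["Content-Type"] = "application/x-www-form-urlencoded"
            headers["Content-Length"] = str(len(body))
    lines = [f"{method.upper()} {path} HTTP/1.1"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    # The empty line (CRLF CRLF) tells the server the headers are finished.
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def parse_response(raw):
    """Parse a raw HTTP/1.1 response into (status, reason, headers, body).

    Header names are case-insensitive, so they are stored lower-cased.
    The body is cut to Content-Length so that extra bytes read from the
    socket are not mistaken for body data.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: end of headers not reached")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    status = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Without Content-Length, take whatever followed the blank line.
    length = int(headers.get("content-length", len(rest)))
    return status, reason, headers, rest[:length]


# Constructed sample response (not from a real server): a 404 with a
# Server header that discloses a version, as discussed in the headers section.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: ExampleServer/1.0\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 23\r\n"
    b"\r\n"
    b"<h1>404 Not Found</h1>\n"
)

if __name__ == "__main__":
    print(build_request("GET", "/search", "example.com", form={"q": "a b"}).decode())
    print(build_request("POST", "/users", "example.com", form={"name": "bob"}).decode())
    print(parse_response(SAMPLE_RESPONSE))
```

The parser deliberately refuses a response without the blank line and cuts the body at `Content-Length`: both are the places where a hand-written client, like the telnet session, usually goes wrong.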
HTTP Headers in web applications
HTTP headers are commonly used to control the web browser's behavior for a website. Common usages are:
- Define how long assets (images/scripts/css) are cached
- Define if a browser can open a website in an iframe
- Define if the server supports a protocol
- Define which websites are used to host scripts/... (CDNs...)
- Specify required browser features
- ...
If these headers are incorrectly configured, they may disclose information about the server, or allow some web browsers to be exploited.
Do not leave any part exposed: for instance, setting secure headers only at the website level leaves the responses served directly by the server exposed.
To find which headers you can use, and to check that your headers are secure, there are many guides and tools.
Guides:
- OWASP Best Practices
- OWASP TOP 10 Headers
- Google Secure Headers
Tools:
- Mozilla Observatory
- Security Headers
- secure-headers-test (test)
- venom test suite
To see the website headers, you can use:
- Your web browser, in the network tab of the dev tools
- `curl -I https://example.com/`
- Postman (software)
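As an added example (not from the original page, nor from any of the tools listed above), the following Python script parses a header dump such as the output of `curl -I` and checks it against the points of the list above: server disclosure, caching, framing, protocol support, script origins and browser features. The two header dumps are constructed for the example; the header names are real HTTP response headers, while the thresholds (for instance the one-year HSTS `max-age`) are this example's choices.

```python
"""Audit an HTTP response header dump against the usages listed above.

Added example. WEAK and HARDENED are constructed header dumps, not
responses from any real server.
"""
import re

ONE_YEAR = 31536000  # example threshold for HSTS max-age, in seconds


def parse_header_block(text):
    """Turn the header lines of a `curl -I` or dev-tools dump into a dict.
    Names are lower-cased because header names are case-insensitive."""
    headers = {}
    for line in text.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or blank line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # Information disclosure: a version (any digit) in the Server header
    server = headers.get("server", "")
    if re.search(r"\d", server):
        findings.append(f"Server header discloses a version: {server!r}")
    # Caching: without Cache-Control the browser decides what to keep
    if "cache-control" not in headers:
        findings.append("Cache-Control missing: caching left to browser defaults")
    # Framing: X-Frame-Options or the CSP frame-ancestors directive
    csp = headers.get("content-security-policy", "")
    if "frame-ancestors" not in csp and "x-frame-options" not in headers:
        findings.append("no X-Frame-Options / CSP frame-ancestors: page can be framed")
    # Protocol: HSTS tells the browser to only use HTTPS for this host
    hsts = headers.get("strict-transport-security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if not match:
        findings.append("Strict-Transport-Security missing")
    elif int(match.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age below one year: {hsts!r}")
    # Script origins: CSP script-src (or default-src) limits where scripts load from
    if "script-src" not in csp and "default-src" not in csp:
        findings.append("CSP does not restrict script sources (no script-src/default-src)")
    # Browser features: Permissions-Policy restricts camera, geolocation, ...
    if "permissions-policy" not in headers:
        findings.append("Permissions-Policy missing: no browser feature restrictions")
    # MIME sniffing: nosniff stops the browser from second-guessing Content-Type
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


# Constructed dumps (not from any real server): a default-looking server
# response and the same response with the headers set.
WEAK = """HTTP/1.1 200 OK
Server: ExampleServer/2.4.1 (Unix)
Content-Type: text/html
"""

HARDENED = """HTTP/1.1 200 OK
Server: ExampleServer
Content-Type: text/html
Cache-Control: no-store
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Permissions-Policy: camera=(), geolocation=()
"""

if __name__ == "__main__":
    for label, dump in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(parse_header_block(dump)) or ["nothing flagged"])
```

Running it on the output of `curl -I` for your own site gives the same kind of report as the online tools above, but offline and scriptable; the HSTS threshold and the digit test on `Server` are rules of thumb to adjust, not standards.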
To-do
Stuff that I found, but never read/used yet.
- User-Agents
- PowerShell Class `PSUserAgent`