Hypertext Transfer Protocol (HTTP)


HTTP is the protocol used to exchange requests and responses with a web server. Your browser sends an HTTP request to a web server, receives a response with HTML inside, and renders the page.

🐊️ Port: 80 (TCP)

🔒 There is a secure version called HTTPS (port 443, over SSL/TLS).

$ telnet IP 80
GET / HTTP/1.1
Host: example.com
# leave a blank line

Method

The first element in a request is the method.

  • GET: get a resource (ex: return /index.html)
  • POST: create a resource (ex: create a user)
  • PUT: update ONE field of a resource (ex: update user password)
  • PATCH: update a resource (ex: update user data)
  • DELETE: delete a resource (ex: delete a user)
  • HEAD: returns the headers for a GET request
  • OPTIONS: returns a list of allowed methods for an endpoint
  • ...

Path/Route

The second element is the path (or route). It is a path relative to the web server root. For instance, for https://example.com/index.html, the path is /index.html.

HTTP versions

The widely used HTTP versions are HTTP/1.1 and HTTP/2, while HTTP/3 was released in 2022.

HTTP Headers

Every HTTP/HTTPS request and response carries headers, set by the client and by the server respectively. Each header has the format Header-name: value, and anyone can define their own custom headers.

  • Set-Cookie: the server requests the creation of cookies
  • Cookie: the client sends the stored cookies in every request
  • Host: the requested domain name, one of the domain names hosted by the server
  • Server: name of the HTTP server, sometimes with the version/OS too
  • Accept: media types that the client can understand
  • User-Agent: describes the client initiating the request
  • X-Forwarded-For/CF-Connecting-IP: can be used to find the client IP when the client is behind an HTTP proxy or a load balancer
  • ...

HTTP Payload

If you are using GET, the payload is inside the URL. For the other methods, the data is inside the body. In both cases, it is URL-encoded.

HTTP Response code

When the server answers, it returns an HTTP response code that indicates how it handled the request.

  • 200: OK
  • 301/303: Redirected
  • 403: Forbidden
  • 404: Not found
  • 500: Internal server error
  • ...

You can use httpstatus to test the response code for a batch of URLs. It supports automatic redirection.


HTTP Headers in web applications

HTTP headers are commonly used to control how the web browser behaves on a website. Common usages are:

  • ⌛ Define how long assets (images/scripts/css) are cached
  • 🔑 Define if a browser can open a website in an iframe
  • 🌍 Define if the server supports a protocol
  • 🗺️ Define what websites are used to host scripts/... (CDNs...)
  • 🚀 Specify required browser features
  • ...

These headers, if incorrectly configured, may disclose information about the server, or allow some web browsers to be exploited.

🔥 You should not leave any part exposed: for instance, setting secure headers only at the website level leaves the server itself (its default responses) exposed.

To find out which headers you can use, and to check whether your headers are secure, there are many tools 🔨 and guides 📗:

To see the website headers, you can use

  • Your web browser, in the network tab of the dev tools
  • curl -I https://example.com/
  • Postman (software)
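As an added example (not from the original page or any of the tools above), the following Python script parses a raw HTTP/1.1 response, as you would capture it with curl -I or telnet, and reports the kind of misconfigurations discussed above: missing security headers, a version-disclosing Server header, and cookies without HttpOnly/Secure. The sample response is constructed; the header set checked is an assumption for illustration.

```python
# Added example: parse a raw HTTP/1.1 response and audit its security headers.
# SAMPLE_RESPONSE is a constructed sample, not output from a real server.
from typing import Dict, List, Tuple

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Cache-Control: max-age=3600\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw response into (status code, headers, body).
    Header names are lower-cased: HTTP header names are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")      # blank line ends the headers
    status_line, *header_lines = head.split("\r\n")
    code = int(status_line.split(" ", 2)[1])       # "HTTP/1.1 200 OK" -> 200
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers, body

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for missing or weak security headers."""
    findings: List[str] = []
    required = {  # assumed baseline: transport, script sources, framing
        "strict-transport-security": "HSTS missing: browser may fall back to plain HTTP",
        "content-security-policy": "CSP missing: script sources are not restricted",
        "x-frame-options": "X-Frame-Options missing: site can be opened in an iframe",
    }
    findings += [msg for name, msg in required.items() if name not in headers]
    server = headers.get("server", "")
    if "/" in server:  # "Apache/2.4.41" style value discloses the version
        findings.append(f"Server header discloses version: {server}")
    cookie = headers.get("set-cookie", "").lower()
    if cookie and "httponly" not in cookie:
        findings.append("Set-Cookie without HttpOnly: readable by page scripts")
    if cookie and "secure" not in cookie:
        findings.append("Set-Cookie without Secure: may be sent over plain HTTP")
    return findings

if __name__ == "__main__":
    status, hdrs, _ = parse_response(SAMPLE_RESPONSE)
    print(status, *audit_headers(hdrs), sep="\n")
```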

👻 To-do 👻

Stuff that I found, but never read or used yet.