HTTP Flashcards
HTTP HEADER CATEGORIES
(5)
GENERAL HEADERS
ENTITY HEADERS
REQUEST HEADERS
RESPONSE HEADERS
SECURITY HEADERS
GENERAL HEADERS:
PURPOSE
General headers are used in both HTTP requests and responses. They are contextual and are used to describe the message rather than its contents.
GENERAL HEADERS:
EXAMPLES
DATE
CONNECTION
ENTITY HEADERS:
PURPOSE
Similar to general headers, Entity Headers can be common to both the request and response. These headers are used to describe the content (entity) transferred by a message. They are usually found in responses and POST or PUT requests.
ENTITY HEADERS:
EXAMPLES
CONTENT-TYPE
MEDIA-TYPE
BOUNDARY
CONTENT-LENGTH
CONTENT-ENCODING
REQUEST HEADERS:
EXAMPLES
HOST
USER-AGENT
REFERER
ACCEPT
COOKIE
AUTHORIZATION
REQUEST HEADERS:
PURPOSE
The client sends Request Headers in an HTTP transaction. These headers are used in an HTTP request and do not relate to the content of the message. The following headers are commonly seen in HTTP requests.
RESPONSE HEADERS:
PURPOSE
Response Headers can be used in an HTTP response and do not relate to the content. Certain response headers such as Age, Location, and Server are used to provide more context about the response. The following headers are commonly seen in HTTP responses.
RESPONSE HEADERS:
EXAMPLES
SERVER
SET-COOKIE
WWW-AUTHENTICATE
SECURITY HEADERS:
PURPOSE
HTTP Security headers are a class of response headers used to specify certain rules and policies to be followed by the browser while accessing the website.
SECURITY HEADERS:
EXAMPLES
Content-Security-Policy
Strict-Transport-Security
Referrer-Policy
Content-Security-Policy
Dictates the website’s policy towards externally injected resources. This could be JavaScript code as well as script resources. This header instructs the browser to accept resources only from certain trusted domains, hence preventing attacks such as Cross-site scripting (XSS).
Strict-Transport-Security
Prevents the browser from accessing the website over the plaintext HTTP protocol, and forces all communication to be carried over the secure HTTPS protocol. This prevents attackers from sniffing web traffic and accessing protected information such as passwords or other sensitive data.
Referrer-Policy
Dictates whether the browser should send the referring URL in the Referer header or not. It can help in avoiding disclosing sensitive URLs and information while browsing the website.
CONTENT-TYPE
Used to describe the type of resource being transferred. The value is automatically set by the browser on the client side and included in the server response. The charset field denotes the encoding standard, such as UTF-8.
MEDIA-TYPE
The media-type is similar to Content-Type, and describes the data being transferred. This header can play a crucial role in how the server interprets the input. The charset field may also be used with this header.
BOUNDARY
Acts as a marker to separate content when there is more than one part in the same message. For example, within multipart form data, a boundary such as --b4e4fbd93540 is used to separate the different parts of the form.
CONTENT-LENGTH
Holds the size of the entity being passed. This header is necessary as the server uses it to read data from the message body, and is automatically generated by the browser and tools like cURL.
CONTENT-ENCODING
Data can undergo multiple transformations before being passed. For example, large amounts of data can be compressed to reduce the message size. The type of encoding being used should be specified using the Content-Encoding header.
DATE
Holds the date and time at which the message originated. It’s preferred to convert the time to the standard UTC time zone.
HOST
Used to specify the host being queried for the resource. This can be a domain name or an IP address. HTTP servers can be configured to host different websites, which are served based on the hostname. This makes the host header an important enumeration target, as it can indicate the existence of other hosts on the target server.
CONNECTION
Dictates if the current network connection should stay alive after the request finishes. Two commonly used values for this header are close and keep-alive. The close value from either the client or server means that they would like to terminate the connection, while the keep-alive value indicates that the connection should remain open to receive more data and input.