Postmortem a HTTP Request For Web-Security
Raunak Gupta
Cyber Security | InfoSec Blogger @Medium | Bug Bounty Hunter | Aspiring Security Researcher
In this article we are going to do a postmortem of an HTTP request, explaining each HTTP header so that we better understand how the rules of the HTTP protocol are expressed through headers.
So here is our HTTP request. We are going to break it down header by header and try to understand the purpose of each one. Good luck!
POST /api/resource HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: application/json
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Authorization: Bearer YOUR_ACCESS_TOKEN
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 1234
Content-Type: application/json
Cookie: sessionId=abc123; otherCookie=value
DNT: 1
Forwarded: for=192.0.2.60; proto=https; by=203.0.113.43
From: [email protected]
If-Match: "e0023aa4e"
If-None-Match: "67ab43", "54ed21"
Origin: https://example.com
Pragma: no-cache
Referer: https://example.com/previous-page
TE: Trailers
Upgrade-Insecure-Requests: 1
X-Forwarded-For: 203.0.113.195
X-Forwarded-Host: example.com
X-Forwarded-Proto: https
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Request-ID: 123e4567-e89b-12d3-a456-426614174000
X-Correlation-ID: 123e4567-e89b-12d3-a456-426614174001
X-Real-IP: 203.0.113.195

{
  "userId": 1,
  "title": "Large JSON payload for testing",
  "body": "This is a large JSON payload meant to test the handling of large HTTP requests. It includes multiple headers to ensure security and proper handling by the server. The payload itself can contain various types of data, but for the purpose of this test, we will keep it simple yet sizable.",
  "extraField1": "Extra data 1",
  "extraField2": "Extra data 2",
  "nestedObject": {
    "nestedField1": "Nested data 1",
    "nestedField2": "Nested data 2",
    "deeplyNestedObject": {
      "deepNestedField1": "Deep nested data 1",
      "deepNestedField2": "Deep nested data 2"
    }
  },
  "arrayField": [
    "Item 1",
    "Item 2",
    "Item 3",
    {
      "arrayNestedObjectField1": "Array nested data 1",
      "arrayNestedObjectField2": "Array nested data 2"
    }
  ]
}
1. POST /api/resource HTTP/1.1
Specifies the HTTP method (POST), the resource path (/api/resource) and the HTTP version (HTTP/1.1).
2. Host:
Specifies the domain name (and optional port) of the server. e.g.,
- Host: www.example.com
- Host: secure.example.com:443
- Host: api.example.com:8080
3. User-Agent:
Identifies the client software making the request. e.g.,
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
- User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.59
- User-Agent: curl/7.68.0
4. Accept:
Specifies the media types that are acceptable for the response. e.g.,
- Accept: image/jpeg, image/png
- Accept: application/json
- Accept: text/html
5. Accept-Encoding:
Specifies the content encodings (e.g., gzip) that are acceptable. e.g.,
- Accept-Encoding: *
- Accept-Encoding: gzip
- Accept-Encoding: br
6. Accept-Language:
Specifies the preferred languages for the response. e.g.,
- Accept-Language: fr, en
- Accept-Language: zh-CN, zh-TW
- Accept-Language: en-US
7. Authorization:
Contains the credentials for authentication (a Bearer token in this case). e.g.,
- Authorization: Token 1234567890abcdef1234567890abcdef
- Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
- Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
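The three schemes above are handled very differently on the server side, and that is where the security lives: Basic credentials are only base64-encoded (the "dXNlcm5hbWU6cGFzc3dvcmQ=" above decodes to "username:password", so the header must only ever travel over TLS), and a Bearer JWT carries a readable payload that means nothing until its signature has been verified. The following is an added example, not code from the original article: it parses the scheme, decodes Basic credentials, and signs and verifies an HS256 JWT with the standard library, pinning the algorithm so an unsigned "alg: none" token is rejected. The secret, the claims and the `authenticate` helper are constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo secret; a real deployment loads it from a KMS or environment.
SECRET = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_authorization(value: str):
    """Split 'Scheme credentials' into (scheme, credentials); the scheme is case-insensitive."""
    scheme, _, creds = value.strip().partition(" ")
    if not scheme or not creds.strip():
        raise ValueError("malformed Authorization header")
    return scheme.lower(), creds.strip()


def decode_basic(creds: str):
    """Basic is encoding, not encryption: anyone who sees the header sees the password."""
    try:
        raw = base64.b64decode(creds, validate=True)
    except binascii.Error as exc:
        raise ValueError("Basic credentials are not valid base64") from exc
    user, sep, password = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("Basic credentials lack the user:password separator")
    return user, password


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Issue a compact JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256_jwt(token: str, secret: bytes) -> dict:
    """Return the claims only after the signature checks out.

    The algorithm is pinned to HS256 before anything else is looked at, so a
    token whose header says "alg": "none" is refused instead of being accepted
    unsigned; the comparison is constant-time to avoid leaking the signature.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have exactly three dot-separated parts")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def is_valid_bearer(token: str) -> bool:
    try:
        verify_hs256_jwt(token, SECRET)
        return True
    except (ValueError, KeyError):
        return False


def authenticate(header_value: str) -> dict:
    """Hypothetical server-side dispatch on the Authorization scheme."""
    scheme, creds = parse_authorization(header_value)
    if scheme == "basic":
        user, _password = decode_basic(creds)  # the password would be checked against a store here
        return {"scheme": "basic", "user": user}
    if scheme == "bearer":
        claims = verify_hs256_jwt(creds, SECRET)
        return {"scheme": "bearer", "user": claims["sub"]}
    raise ValueError(f"unsupported scheme {scheme!r}")


if __name__ == "__main__":
    print(authenticate("Basic dXNlcm5hbWU6cGFzc3dvcmQ="))
    demo = make_hs256_jwt({"sub": "1234567890", "name": "John Doe"}, SECRET)
    print(authenticate("Bearer " + demo))
```

The verifier reads the algorithm from the header only to confirm it is the one the server expects; the secret and algorithm are server policy, never client input.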
8. Cache-Control:
Directs caches on how to handle the request. e.g.,
- Cache-Control: max-age=3600
- Cache-Control: no-store
- Cache-Control: no-cache
9. Connection:
Controls whether the network connection stays open after the current transaction finishes. e.g.,
- Connection: keep-alive
- Connection: close
- Upgrade: websocket (sent together with Connection: Upgrade)
10. Content-Length:
Indicates the size of the request body in bytes. e.g.,
- POST /api/data HTTP/1.1
  Host: api.example.com
  Content-Type: application/json
  Content-Length: 56
- POST /upload HTTP/1.1
  Host: upload.example.com
  Content-Type: multipart/form-data; boundary=----------------------------12345678901234567890
  Content-Length: 342

  ----------------------------12345678901234567890
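Everything from the request line down to Content-Length decides how a server frames the message, and framing is where servers are most often tricked: a body whose length does not match the declared Content-Length, two conflicting Content-Length values, or Content-Length combined with Transfer-Encoding must all be refused with a 400 rather than guessed at. The following is an added example, not code from the original article: a small HTTP/1.1 request parser that enforces those rules and also reports response-only headers (X-Frame-Options, Strict-Transport-Security and the like, several of which appear in the request at the top of this article) so that the application never treats them as client input. The sample request bytes are constructed for this example; chunked bodies are not decoded.

```python
import re
from typing import Dict, List

# Headers that only have meaning in a response; a server ignores them on the way in.
RESPONSE_ONLY_HEADERS = {
    "x-frame-options", "x-xss-protection", "x-content-type-options",
    "strict-transport-security", "access-control-allow-origin",
}

TOKEN_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 token
REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
DIGITS_RE = re.compile(r"^[0-9]+$")


class BadRequest(ValueError):
    """Any framing error: the server should answer 400 and close the connection."""


def parse_request(raw: bytes) -> dict:
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("missing blank line between headers and body")
    lines = head.decode("iso-8859-1").split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        raise BadRequest(f"malformed request line: {lines[0]!r}")
    method, target = m.group(1), m.group(2)
    version = (int(m.group(3)), int(m.group(4)))

    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN_RE.match(name):   # rejects empty names and space before ':'
            raise BadRequest(f"malformed header line: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())

    if version == (1, 1) and "host" not in headers:
        raise BadRequest("HTTP/1.1 request without Host")

    cl = headers.get("content-length", [])
    if len(set(cl)) > 1:
        raise BadRequest("conflicting Content-Length values")
    if cl and "transfer-encoding" in headers:
        raise BadRequest("Content-Length and Transfer-Encoding must not both be present")
    if cl:
        if not DIGITS_RE.match(cl[0]):
            raise BadRequest("Content-Length is not a decimal number")
        declared = int(cl[0])
        if declared != len(body):
            raise BadRequest(f"Content-Length says {declared} bytes, body has {len(body)}")
    elif body and "transfer-encoding" not in headers:
        raise BadRequest("body present but no Content-Length")

    return {
        "method": method,
        "target": target,
        "version": version,
        "headers": {k: ", ".join(v) for k, v in headers.items()},
        "body": body,
        "ignored_response_headers": sorted(k for k in headers if k in RESPONSE_ONLY_HEADERS),
    }


def is_well_formed(raw: bytes) -> bool:
    try:
        parse_request(raw)
        return True
    except BadRequest:
        return False


# Constructed sample: a cut-down version of the article's request.
GOOD = (
    b"POST /api/resource HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 13\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"\r\n"
    b'{"userId": 1}'
)
# Same bytes with a wrong declared length: refused, not guessed.
BAD_LENGTH = GOOD.replace(b"Content-Length: 13", b"Content-Length: 99")

if __name__ == "__main__":
    print(parse_request(GOOD))
    print("bad length accepted?", is_well_formed(BAD_LENGTH))
```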
11. Content-Type:
Indicates the media type of the request body. e.g.,
- POST /api/data HTTP/1.1
  Host: api.example.com
  Content-Type: application/json
- POST /upload HTTP/1.1
  Host: upload.example.com
  Content-Type: multipart/form-data; boundary=----------------------------12345678901234567890
12. Cookie:
Contains stored HTTP cookies previously sent by the server. e.g.,
- Cookie: session_id=abc123; user_prefs=dark_mode
- Cookie: session_id=abc123; Domain=.example.com
- Cookie: session_id=; Expires=Thu, 01 Jan 1970 00:00:00 GMT
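One point worth making explicit here: attributes such as Domain, Path, Expires, Secure and HttpOnly exist only in the server's Set-Cookie response header. The browser stores them to decide when to send the cookie back, but the Cookie request header itself carries nothing except name=value pairs, so a server that receives "Cookie: session_id=abc123; Domain=.example.com" sees two cookies, one of them literally named Domain. The following is an added example, not code from the original article: it parses the Cookie header the way a server sees it, and builds the Set-Cookie a server should send for a session token (Secure, HttpOnly, SameSite, and the __Host- prefix rules). The cookie names and values are constructed.

```python
import re

# RFC 6265 forbids control characters, whitespace, double quotes, commas,
# semicolons and backslashes in a cookie value; '=' is additionally forbidden in a name.
_BAD_VALUE = re.compile(r'[\x00-\x20\x7f",;\\]')
_BAD_NAME = re.compile(r'[\x00-\x20\x7f",;\\=]')


def parse_cookie_header(value: str) -> dict:
    """Parse 'Cookie: a=1; b=2' into {'a': '1', 'b': '2'}.

    Only name=value pairs travel in this header; anything that looks like a
    Set-Cookie attribute is just another cookie name here. On a duplicate name
    the first value wins, and malformed fragments are dropped rather than guessed.
    """
    jar = {}
    for part in value.split(";"):
        name, sep, val = part.strip().partition("=")
        name = name.strip()
        if not sep or not name:
            continue
        jar.setdefault(name, val.strip())
    return jar


def build_set_cookie(name: str, value: str, max_age: int, domain=None, path="/") -> str:
    """Set-Cookie for a session token with the hardening attributes a server should send.

    Secure keeps it off plain HTTP, HttpOnly keeps it away from script, and
    SameSite=Lax stops it riding along on cross-site POSTs. A __Host- name
    additionally requires Path=/ and no Domain, which the browser enforces.
    """
    if _BAD_NAME.search(name) or _BAD_VALUE.search(value):
        raise ValueError("cookie name or value contains a forbidden character")
    if name.startswith("__Host-") and (domain is not None or path != "/"):
        raise ValueError("__Host- cookies must have Path=/ and no Domain")
    parts = [f"{name}={value}", f"Path={path}", f"Max-Age={int(max_age)}",
             "Secure", "HttpOnly", "SameSite=Lax"]
    if domain:
        parts.insert(1, f"Domain={domain}")
    return "; ".join(parts)


def expire_cookie(name: str) -> str:
    """Set-Cookie that removes a cookie: empty value and a date in the past."""
    return f"{name}=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT"


def try_build(*args, **kwargs):
    """Return the Set-Cookie string, or None when the arguments are rejected."""
    try:
        return build_set_cookie(*args, **kwargs)
    except ValueError:
        return None


if __name__ == "__main__":
    print(parse_cookie_header("session_id=abc123; Domain=.example.com"))
    print(build_set_cookie("__Host-session_id", "abc123", 3600))
    print(expire_cookie("session_id"))
```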
13. DNT:
Indicates the user's tracking preference (Do Not Track). e.g.,
- DNT: 1
14. Forwarded:
Identifies the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer. e.g.,
- Forwarded: for=192.0.2.60;proto=http;by=203.0.113.195
15. From:
Contains an Internet email address for the human user who controls the requesting user agent. e.g.,
- From: [email protected]
- From: Alice <[email protected]>, Bob <[email protected]>
- From: John Doe <[email protected]>
16. If-Match and If-None-Match:
Used for conditional requests, to perform the operation only if the resource matches certain conditions. e.g.,
- If-Match: "etag-value"
- If-None-Match: "etag-value"
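The two headers serve opposite purposes: If-None-Match on a GET lets the server answer 304 Not Modified when the client's cached copy is still current, while If-Match on a PUT makes the server refuse the write with 412 Precondition Failed when someone else has changed the resource since the client last read it, which is what protects against lost updates. The following is an added example, not code from the original article: a minimal resource with version-based ETags and the two conditional checks, using the strong comparison for If-Match and the weak comparison for If-None-Match as RFC 7232 requires. The `Resource` class, its ETag scheme and the choice to answer 428 to an unconditional write are constructed for this example.

```python
from dataclasses import dataclass


@dataclass
class Resource:
    """Constructed resource whose ETag is derived from a version counter."""
    data: str
    version: int = 1

    @property
    def etag(self) -> str:
        return f'"v{self.version}"'


def _strip_weak(tag: str) -> str:
    return tag[2:] if tag.startswith("W/") else tag


def etag_matches(header_value: str, etag: str, strong: bool) -> bool:
    """Evaluate an If-Match / If-None-Match list against the current ETag.

    Strong comparison (If-Match) only accepts an identical strong tag, so a
    weak W/"..." tag can never authorise a write; weak comparison
    (If-None-Match) ignores the W/ prefix. '*' matches any existing representation.
    """
    for tag in (t.strip() for t in header_value.split(",")):
        if not tag:
            continue
        if tag == "*":
            return True
        if strong:
            if tag == etag:
                return True
        elif _strip_weak(tag) == _strip_weak(etag):
            return True
    return False


def handle_get(resource: Resource, headers: dict):
    """Return (status, body, etag); 304 when the client's copy is still current."""
    inm = headers.get("if-none-match")
    if inm and etag_matches(inm, resource.etag, strong=False):
        return 304, None, resource.etag
    return 200, resource.data, resource.etag


def handle_put(resource: Resource, headers: dict, new_data: str) -> int:
    """Return the status code; the write only happens when If-Match still holds.

    A stale tag gets 412 and the data is untouched, so two clients editing the
    same resource cannot silently overwrite each other. Refusing an
    unconditional write with 428 Precondition Required is this example's policy.
    """
    im = headers.get("if-match")
    if im is None:
        return 428
    if not etag_matches(im, resource.etag, strong=True):
        return 412
    resource.data = new_data
    resource.version += 1
    return 200


if __name__ == "__main__":
    r = Resource("hello")
    print(handle_get(r, {"if-none-match": '"v1"'}))
    print(handle_put(r, {"if-match": '"v1"'}, "edited"), r.etag)
    print(handle_put(r, {"if-match": '"v1"'}, "stale edit"), r.data)
```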
17. Origin:
Indicates the origin of the request. e.g.,
- Access-Control-Allow-Origin: https://example.com (the server's response header)
- Origin: https://example.com
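The pairing above is the whole of CORS in one line: the browser sends Origin, and the server decides whether to answer with an Access-Control-Allow-Origin that names it. The decision is the security-relevant part, because an Origin value is client-controlled and a server that reflects it unchecked, or matches it with a loose prefix or substring test, grants every site the same access as the ones it meant to trust. The following is an added example, not code from the original article: it normalizes the Origin header and matches it exactly against a configured allowlist, returning the CORS response headers for a credentialed API only on a match. The allowlist and the `cors_headers` function are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed allowlist of origins permitted to make credentialed cross-origin calls.
ALLOWED_ORIGINS = {"https://example.com", "https://app.example.com"}


def normalize_origin(origin: str):
    """Return 'scheme://host[:port]' in canonical form, or None if the value is not a plain origin.

    An Origin never carries userinfo, a path, a query or a fragment, so anything
    with those is refused outright; the opaque origin 'null' is never trusted.
    """
    if origin == "null":
        return None
    parts = urlsplit(origin)
    try:
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.path or parts.query or parts.fragment:
        return None
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def cors_headers(request_headers: dict) -> dict:
    """Compute the CORS response headers for one request (header names lower-cased).

    The allowlist is matched on the exact normalized origin; the incoming value
    is never echoed back unchecked, and '*' is never used with credentials.
    """
    origin = request_headers.get("origin")
    if origin is None:
        return {}  # same-origin or non-browser client: no CORS headers needed
    normalized = normalize_origin(origin)
    if normalized is None or normalized not in ALLOWED_ORIGINS:
        return {}  # the browser will block the cross-origin read
    return {
        "Access-Control-Allow-Origin": normalized,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # caches must not serve one origin's answer to another
    }


if __name__ == "__main__":
    for o in ("https://example.com", "https://EXAMPLE.com:443",
              "https://example.com.attacker.test", "https://example.com@attacker.test", "null"):
        print(o, "->", cors_headers({"origin": o}))
```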
18. Pragma:
Implementation-specific header that may have various effects along the request-response chain. e.g.,
- Pragma: no-cache
19. Referer:
The address of the previous web page from which a link to the currently requested page was followed. e.g.,
- Referer: https://example.com/previous-page.html
20. TE:
Indicates which transfer encodings the client is willing to accept. e.g.,
- TE: chunked
21. Upgrade-Insecure-Requests:
Tells the server that the client prefers an encrypted and authenticated response. e.g.,
- Upgrade-Insecure-Requests: 1
22. X-Forwarded-For, X-Forwarded-Host, X-Forwarded-Proto:
Provide information about the original request's source and protocol when the request passes through a proxy. e.g.,
- X-Forwarded-For: client1, proxy1, proxy2
- X-Forwarded-Host: example.com
- X-Forwarded-Proto: https
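Both the standard Forwarded header and the X-Forwarded-* family describe the path a request took, but only the part appended by your own proxies is trustworthy: each proxy appends the address it saw, so in "client1, proxy1, proxy2" the leftmost entry is whatever the client chose to send, and an application that reads it for rate limiting, allowlisting or audit logs can be fed any address. The safe reading is right to left, skipping the proxies you operate, and ignoring the header entirely when the connection did not come from one of them. The following is an added example, not code from the original article, covering both the Forwarded and the X-Forwarded-For sections: a trusted-proxy-aware client address lookup and a parser for the RFC 7239 Forwarded syntax. The proxy ranges and sample values are constructed.

```python
import ipaddress
import re

# Constructed: the reverse proxies this application sits behind. Only hops
# appended by these addresses are believed; everything to their left is client input.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.43/32")]


def is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_from_xff(xff: str, peer: str) -> str:
    """Derive the client address from X-Forwarded-For, given the TCP peer address.

    If the peer is not one of our proxies the header is ignored, because the
    client could have set it. Otherwise walk right to left past our proxies and
    return the first address that is not ours; garbage falls back to the peer.
    """
    if not is_trusted(peer):
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer
    return peer  # every hop was one of our proxies


# One 'name=value' pair inside a Forwarded element; values may be quoted (IPv6 needs it).
FORWARDED_PAIR = re.compile(r'\s*(\w+)\s*=\s*("[^"]*"|[^;,\s]+)\s*')


def parse_forwarded(value: str) -> list:
    """Parse RFC 7239 Forwarded into one dict per proxy hop, in order of traversal."""
    hops = []
    for element in value.split(","):
        fields = {}
        for pair in element.split(";"):
            m = FORWARDED_PAIR.fullmatch(pair)
            if m:
                fields[m.group(1).lower()] = m.group(2).strip('"')
        if fields:
            hops.append(fields)
    return hops


if __name__ == "__main__":
    # Constructed: the client injected 198.51.100.7; our proxies appended the rest.
    print(client_ip_from_xff("198.51.100.7, 203.0.113.195, 10.1.2.3", peer="10.0.0.5"))
    print(parse_forwarded("for=192.0.2.60; proto=https; by=203.0.113.43"))
```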
23. X-Frame-Options:
Clickjacking defense; specifies whether a browser should be allowed to render a page in a frame or iframe. e.g.,
- X-Frame-Options: DENY
- X-Frame-Options: SAMEORIGIN
- X-Frame-Options: ALLOW-FROM https://example.com
24. X-XSS-Protection:
Cross-site scripting (XSS) filter setting. e.g.,
- X-XSS-Protection: 1
- X-XSS-Protection: 1; mode=block
25. X-Content-Type-Options:
Prevents MIME type sniffing. e.g.,
- X-Content-Type-Options: nosniff
26. Strict-Transport-Security:
Enforces secure (HTTPS, i.e. HTTP over TLS) connections to the server. e.g.,
- Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
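X-Frame-Options, X-XSS-Protection, X-Content-Type-Options and Strict-Transport-Security are set by the server on the response; in a request, as at the top of this article, they do nothing. Where they matter is in checking that your own application actually sends them with sound values, which is how this group of headers is usually reviewed. The following is an added example, not code from the original article: a checker that takes a response's headers and returns a list of findings, treating DENY and SAMEORIGIN as the only X-Frame-Options values current browsers honour (ALLOW-FROM is no longer supported; CSP frame-ancestors replaces it), requiring nosniff, and requiring an HSTS max-age of at least a year with includeSubDomains. The one-year threshold and the sample header sets are constructed for this example.

```python
HSTS_MIN_AGE = 31536000  # one year; threshold chosen for this example


def parse_directives(value: str) -> dict:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def check_security_headers(response_headers: dict) -> list:
    """Return a list of findings for the four hardening headers; empty means all good.

    Header names are matched case-insensitively, since HTTP header names are.
    """
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    findings = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: the page can be framed (or use CSP frame-ancestors)")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options {xfo!r}: only DENY and SAMEORIGIN are honoured by current browsers")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: browsers may sniff the content type")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: later visits may start over plain HTTP")
    else:
        d = parse_directives(hsts)
        age = d.get("max-age", "")
        if not age.isdigit():
            findings.append("Strict-Transport-Security has no numeric max-age")
        elif int(age) < HSTS_MIN_AGE:
            findings.append(f"Strict-Transport-Security max-age {age} is below one year")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains: subdomains stay unprotected")

    xxp = h.get("x-xss-protection")
    if xxp is not None and xxp.replace(" ", "") not in ("0", "1;mode=block"):
        findings.append(f"X-XSS-Protection {xxp!r}: legacy browsers would rewrite the page; "
                        "use '1; mode=block' or '0' (current browsers ignore the header; rely on CSP)")
    return findings


# Constructed samples: a hardened response and an unhardened one.
GOOD_RESPONSE = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
}
WEAK_RESPONSE = {"strict-transport-security": "max-age=300", "X-Frame-Options": "ALLOW-FROM https://example.com"}

if __name__ == "__main__":
    print(check_security_headers(GOOD_RESPONSE))
    for f in check_security_headers(WEAK_RESPONSE):
        print("-", f)
```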
27. X-Request-ID, X-Correlation-ID:
Unique identifiers for tracing requests. e.g.,
- X-Correlation-ID: abc123def456
- X-Request-ID: 123e4567-e89b-12d3-a456-426614174000
This is it for today. It's recommended to drop your LinkedIn, Twitter and GitHub in the comment section so I can connect with like-minded people. This is my first article, so please let me know how it is. Strong criticism is required.
Thanks
Originally I published this article on Medium: https://medium.com/@RaunakGupta1922/postmortem-a-http-request-9599bb9d994b