HTTP Protocols

From HackOps
Revision as of 07:34, 14 June 2025 by Vegard (talk | contribs) (Created page with "= HTTP Protocols = == Introduction == The Hypertext Transfer Protocol (HTTP) is the application-layer protocol used for communication between clients and servers on the web. It enables retrieval of resources such as HTML, JSON, or binary content by defining a standardized format for request and response messages. HTTP is stateless, meaning each request is independent unless explicitly managed using sessions, cookies, or tokens. == HTTP vs HTTPS == {| class="wikitabl...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

HTTP Protocols

Introduction

The Hypertext Transfer Protocol (HTTP) is the application-layer protocol used for communication between clients and servers on the web. It enables retrieval of resources such as HTML, JSON, or binary content by defining a standardized format for request and response messages.

HTTP is stateless, meaning each request is independent unless explicitly managed using sessions, cookies, or tokens.

HTTP vs HTTPS

Feature HTTP HTTPS
Encryption No Yes (via TLS)
Default Port 80 443
Visibility Unencrypted, readable by intermediaries Encrypted end-to-end
Certificate Required No Yes (X.509 certificate)

HTTPS is HTTP over TLS (Transport Layer Security). It provides integrity, confidentiality, and authentication using cryptographic certificates and a handshake process.

Request Structure

An HTTP request typically consists of:

  • A request line
 e.g., `GET /index.html HTTP/1.1`
  • Request headers
 e.g., `Host`, `User-Agent`, `Accept`, `Content-Type`
  • Optional body (for methods like POST or PUT)

Example:

GET /resource HTTP/1.1  
Host: example.com  
User-Agent: curl/8.0  
Accept: */*

Response Structure

An HTTP response from a server includes:

  • A status line
 e.g., `HTTP/1.1 200 OK`
  • Response headers
 e.g., `Content-Type`, `Server`, `Set-Cookie`
  • Optional body (e.g., JSON, HTML, binary data)

Example:

HTTP/1.1 200 OK  
Content-Type: application/json  
Content-Length: 48  
 
{"status":"ok","data":["value1","value2"]}

HTTP Methods

Method Description Notes
GET Retrieves a resource No side effects expected
POST Submits data to a resource Used for creating or triggering actions
PUT Replaces a resource Idempotent
PATCH Partially modifies a resource Efficient for small updates
DELETE Removes a resource Use with caution
HEAD Same as GET but returns headers only Used for validation
OPTIONS Returns allowed methods for a resource Used in CORS preflight

Status Codes

HTTP responses include status codes to describe the outcome of the request.

Code Range Category Examples
1xx Informational 100 Continue, 101 Switching Protocols
2xx Success 200 OK, 201 Created
3xx Redirection 301 Moved Permanently, 302 Found
4xx Client Error 400 Bad Request, 404 Not Found
5xx Server Error 500 Internal Server Error, 502 Bad Gateway

Important Headers

Header Purpose
Host Indicates the domain being requested
User-Agent Identifies the requesting client
Accept Lists acceptable response formats
Authorization Contains credentials (e.g., Basic or Bearer)
Content-Type Declares media type of the request/response body
Set-Cookie Instructs browser to store a cookie
Referer Specifies origin of the request
X-Forwarded-For Shows original IP behind proxy

Session Handling

Because HTTP is stateless, persistent user sessions require one or more of the following:

  • Cookies – Stored on the client to identify a session
  • Session IDs – Server-stored session reference
  • JWT (JSON Web Tokens) – Signed token containing session data

These mechanisms allow users to remain "logged in" and retain application context across requests.

Caching and Proxying

Caching is used to reduce latency and bandwidth usage. Proxy servers and browsers often store cacheable responses using headers like:

  • `Cache-Control`
  • `ETag`
  • `Last-Modified`
  • `Expires`

Caching behavior is controlled using these headers to define rules like expiration time, revalidation conditions, or cache-bypass.

TLS Handshake (in HTTPS)

The TLS handshake occurs before any HTTP data is exchanged:

  • ClientHello: Client proposes supported ciphers and sends a random value
  • ServerHello: Server selects a cipher and provides its certificate
  • Key exchange: Secure key is derived
  • Symmetric encryption begins

This secures the session and validates the server identity.

Diagnostic Tools

Tool Example Usage Function
curl curl -v https://example.com Command-line HTTP client
wget wget https://example.com/file.txt File downloader
tcpdump tcpdump -A -i eth0 port 80 Inspect raw HTTP packets
mitmproxy mitmproxy -p 8080 Intercept and modify traffic
browser devtools F12 → Network tab View request and response headers

Common Weaknesses

  • Sensitive data in query parameters (GET)
  • Lack of TLS encryption on login forms
  • Broad `Access-Control-Allow-Origin` headers
  • Improper use of caching for private data
  • Default error pages revealing server information

See also

  • curl
  • /tcpdump