HTTP Headers

An HTTP header is a field (key: value) in an HTTP request or response that carries extra information about that request or response.

Header Types

1. Request header

The HTTP client uses these to provide information about the request context, so that the server can tailor the response.
Header - Description
Accept (request header) - MIME types the HTTP client is able to understand.

Accept: text/html

Accept: image/*

// General default
Accept: */*

// Default for navigation requests
Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8

Authorization (request header) - Provides credentials that authenticate a user agent with a server, allowing access to a protected resource.

Authorization: Basic 

OR

Authorization: Digest username=,    // Digest: a string of hex digits that proves the user knows the password
               realm="",
               uri="",
               algorithm=,
               nonce="",
               nc=,
               cnonce="",
               qop=,
               response="",
               opaque=""

Accept-Language - Natural language and locale that the client prefers.

Accept-Language: en-US,en;q=0.5

Referer - Absolute or partial address of the page from which a resource has been requested.

Referer: https://developer.mozilla.org/en-US/docs/Web/JavaScript
Referer: https://example.com/page?q=123
Referer: https://example.com/

Connection - Whether the network connection stays open after the current transaction finishes.
If the value sent is keep-alive, the connection is persistent and not closed, allowing subsequent requests to the same server to reuse it.

Connection: keep-alive
Connection: close

Upgrade-Insecure-Requests - Sends a signal to the server expressing the client's preference for an encrypted and authenticated response.

GET / HTTP/1.1
Host: example.com
Upgrade-Insecure-Requests: 1

Fetch metadata request headers - Provide additional information about the context from which the request originated.
- This allows the server to decide whether a request should be allowed based on where the request came from.
- With this information a server can implement a resource isolation policy.
- This approach can help mitigate common cross-site web vulnerabilities such as CSRF, cross-site script inclusion (XSSI), timing attacks, and cross-origin information leaks.
- Forbidden header name: these headers are prefixed with Sec-, and hence have forbidden header names.
A forbidden header name is the name of any HTTP header that cannot be modified programmatically (i.e. using JavaScript).

Header - Description
Sec-Fetch-Site - Tells the relationship between the request initiator's origin and the requested resource's origin.

Sec-Fetch-Site: same-origin
/*
Meaning: the initiator is directly requesting the resource.
Example: a user on a laptop opens https://www.espn.com, typing the resource address directly.
*/

Sec-Fetch-Site: cross-site
Sec-Fetch-Site: same-site
Sec-Fetch-Site: none
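The resource isolation policy mentioned above, written out as an added example (not code from these notes): it follows the commonly recommended Fetch Metadata policy and also reads Sec-Fetch-Mode and Sec-Fetch-Dest, two further Sec- request headers the notes do not cover. The sample requests are constructed, not captured traffic.

```python
from typing import Dict, Mapping

# Requests the browser marks as coming from our own site or from the user
# directly (typed URL, bookmark): never cross-site, so always accepted.
TRUSTED_SITES = {"same-origin", "same-site", "none"}

def is_allowed(headers: Mapping[str, str], method: str) -> bool:
    """Return True if the request may be served under the isolation policy."""
    # Header names are case-insensitive; values are compared lower-cased too.
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is None:
        # Client sent no Fetch Metadata (older browser, non-browser tool):
        # the policy cannot decide, so fall through to the app's other defences.
        return True
    if site in TRUSTED_SITES:
        return True
    # Everything else is cross-site. Keep the site linkable by allowing plain
    # top-level navigations with a safe method, but reject cross-site <object>/
    # <embed> loads and any cross-site request that could change state (CSRF).
    mode = h.get("sec-fetch-mode", "")
    dest = h.get("sec-fetch-dest", "")
    is_safe_method = method.upper() in ("GET", "HEAD")
    return mode == "navigate" and is_safe_method and dest not in ("object", "embed")

# Constructed sample requests (headers, method) exercising each branch.
SAMPLES = {
    "typed_url": ({"Sec-Fetch-Site": "none", "Sec-Fetch-Mode": "navigate"}, "GET"),
    "same_origin_xhr": ({"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors"}, "POST"),
    "cross_site_link": ({"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
                         "Sec-Fetch-Dest": "document"}, "GET"),
    "cross_site_form_post": ({"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
                              "Sec-Fetch-Dest": "document"}, "POST"),
    "cross_site_embed": ({"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
                          "Sec-Fetch-Dest": "embed"}, "GET"),
    "cross_site_fetch": ({"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors",
                          "Sec-Fetch-Dest": "script"}, "GET"),
    "legacy_client": ({"User-Agent": "curl/8.0"}, "POST"),
}

def evaluate_samples() -> Dict[str, bool]:
    """Run the policy over every constructed sample; returns name -> allowed."""
    return {name: is_allowed(hdrs, method) for name, (hdrs, method) in SAMPLES.items()}

if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:22s} {'allow' if allowed else 'reject'}")
```

Note that a request without any Sec-Fetch-Site header is let through, so this check complements, rather than replaces, CSRF tokens and SameSite cookies.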
                  
                

2. Response header

3. Representation header

Describes one particular representation of a resource. The data might be present as XML, JSON or HTML.
Header - Meaning (with example content)
Content-Type header - Indicates the original media type of the resource (a sound file might be labelled audio/ogg, an image file image/png).
In requests (such as POST or PUT), the client tells the server what type of data is actually being sent.

Syntax:
Content-Type: text/html; charset=utf-8
Content-Type: multipart/form-data; boundary=something

POST /foo HTTP/1.1
Content-Length: 68137
Content-Type: multipart/form-data; boundary=---------------------------974767299852498929531610575

-----------------------------974767299852498929531610575
Content-Disposition: form-data; name="description"

some text
-----------------------------974767299852498929531610575
Content-Disposition: form-data; name="myFile"; filename="foo.txt"
Content-Type: text/plain

(content of the uploaded file foo.txt)
-----------------------------974767299852498929531610575--

Content-Encoding header - Lists any encodings that have been applied to the message payload.
This lets the recipient know how to decode the representation in order to obtain the original payload format.

Syntax:
Content-Encoding: gzip
Content-Encoding: compress
Content-Encoding: deflate
Content-Encoding: br
Content-Encoding: zstd
// Multiple, in the order in which they were applied
Content-Encoding: deflate, gzip