
SEC 260

Web and Applications Security

4- HTTP Messages, Status and Headers


HTTP Messages Overview

  • The three parts of HTTP messages: start line, headers, and entity body

  • The differences between request and response messages

  • The various functions (methods) that request messages support

  • The various status codes that are returned with response messages


Parts of a HTTP Message

  • The start line and headers are plain ASCII text, broken into lines.
  • Each line ends with a two-character end-of-line sequence: a carriage return (ASCII 13) followed by a line feed (ASCII 10). This sequence is written “CRLF”. An empty line (a bare CRLF) marks the end of the headers.

  • The entity body or message body (or just plain “body”) is an optional chunk of data. Unlike the start line and headers, the body can contain text or binary data, or can be empty.


Example response from the server to the client (start line, then headers, then an empty line, then the body):

HTTP/1.0 200 OK
Content-type: text/plain
Content-length: 19

Hi! I am a message

The first line is the start line, the next two lines are headers, the empty line ends the headers, and the last line is the body: 18 characters plus a trailing newline, which is the 19 bytes that Content-length declares.


HTTP Message Syntax

Example exchange. The client sends a request:

GET /specials/saw-blade.gif HTTP/1.0
Host: www.joes-hardware.com

and the server answers with a response (the 8572 bytes of GIF data follow the empty line and are not shown):

HTTP/1.0 200 OK
Content-type: image/gif
Content-Length: 8572

  • All HTTP messages fall into two types: request and response messages.
  • Request messages request an action from a web server.
  • Response messages carry results of a request back to a client.
  • Both types of messages have the same basic message structure

HTTP request contains the command and the URL

HTTP response contains the result of the transaction
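The structure described on this and the previous slide (a start line, header lines each ended by CRLF, an empty line, then an optional body whose length comes from Content-Length), as an added example written for these notes rather than taken from the lecture. It parses both a request and a response and tells them apart by the start line. The two sample messages are constructed to match the slide's examples (the 19-byte body is the 18-character greeting plus a trailing newline); chunked transfer encoding is out of scope.

```python
"""Minimal HTTP/1.x message parser: start line, headers, optional body.

Added example for these notes (not lecture code). Handles both requests and
responses; Transfer-Encoding: chunked is not handled here.
"""
from dataclasses import dataclass, field

CRLF = b"\r\n"


@dataclass
class HttpMessage:
    kind: str                       # "request" or "response"
    start_line: str
    headers: dict = field(default_factory=dict)   # lower-cased name -> value
    body: bytes = b""
    method: str = ""                # request only
    target: str = ""
    version: str = ""
    status: int = 0                 # response only
    reason: str = ""


def parse_message(raw: bytes) -> HttpMessage:
    """Split raw bytes into start line, header fields and body."""
    # The head is ASCII text and ends at the first empty line (CRLF CRLF);
    # whatever follows is the body and may be binary, so it stays bytes.
    head, blank, rest = raw.partition(CRLF + CRLF)
    if not blank:
        raise ValueError("no empty line terminating the headers")
    lines = head.decode("ascii").split("\r\n")
    msg = HttpMessage(kind="", start_line=lines[0])

    # A response start line opens with the protocol version; a request
    # start line opens with the method. Both have exactly three parts.
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed start line: {lines[0]!r}")
    if parts[0].startswith("HTTP/"):
        msg.kind = "response"
        msg.version, status, msg.reason = parts
        if not status.isdigit() or len(status) != 3:
            raise ValueError(f"bad status code: {status!r}")
        msg.status = int(status)
    else:
        msg.kind = "request"
        msg.method, msg.target, msg.version = parts

    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # No colon, an empty name, or whitespace around the name is malformed.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key, value = name.lower(), value.strip()
        if key == "content-length" and key in msg.headers:
            # Two Content-Length values that disagree make the body length
            # ambiguous; refuse rather than pick one (such ambiguity is what
            # lets two parsers in a chain disagree about where a message ends).
            if msg.headers[key] != value:
                raise ValueError("conflicting Content-Length headers")
            continue
        msg.headers[key] = f"{msg.headers[key]}, {value}" if key in msg.headers else value

    if "content-length" in msg.headers:
        length_text = msg.headers["content-length"]
        if not length_text.isdigit():
            raise ValueError(f"bad Content-Length: {length_text!r}")
        length = int(length_text)
        if len(rest) < length:
            raise ValueError(f"body truncated: have {len(rest)} of {length} bytes")
        msg.body = rest[:length]        # bytes past the declared length are not ours
    elif msg.kind == "response":
        msg.body = rest                 # HTTP/1.0 style: body runs to connection close
    else:
        msg.body = b""                  # a request without a length has no body
    return msg


# Constructed samples modelled on the slides (not captured traffic). The
# 19-byte body is the 18-character greeting plus a trailing newline.
SAMPLE_REQUEST = (b"GET /specials/saw-blade.gif HTTP/1.0\r\n"
                  b"Host: www.joes-hardware.com\r\n"
                  b"\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.0 200 OK\r\n"
                   b"Content-type: text/plain\r\n"
                   b"Content-length: 19\r\n"
                   b"\r\n"
                   b"Hi! I am a message\n")

if __name__ == "__main__":
    for sample in (SAMPLE_REQUEST, SAMPLE_RESPONSE):
        m = parse_message(sample)
        print(m.kind, m.start_line, m.headers, m.body)
```

Header names are stored lower-cased because HTTP header names are case-insensitive (the slide writes Content-type and Content-Length in the same exchange). The parser refuses two disagreeing Content-Length values rather than choosing one, because a message whose length two parsers can read differently is exactly the kind of message that should never be forwarded.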


Start Lines

Request start line:   GET /specials/saw-blade.gif HTTP/1.0
Response start line:  HTTP/1.0 200 OK

  • All HTTP messages begin with a start line.
  • Request messages ask servers to do something to a resource. Their start line (the request line) is the method, the request target and the protocol version, separated by single spaces.
  • Response messages carry status information and any resulting data from an operation back to a client. Their start line (the status line) is the protocol version, a three-digit status code and a reason phrase.
  • The method begins the start line of requests, telling the server what to do. For example, in the line “GET /specials/saw-blade.gif HTTP/1.0”, the method is GET.


Start Lines: Methods

Method    Description                                              Message body?
GET       Get a document from the server.                          No
HEAD      Get just the headers for a document from the server.     No
POST      Send data to the server for processing.                  Yes
PUT       Store the body of the request on the server.             Yes
TRACE     Trace the message through proxy servers to the server.   No
OPTIONS   Ask which methods a server (or a resource) supports.     No
DELETE    Remove a document from the server.                       No

“Message body?” says whether the request normally carries one; the response to any of these methods except HEAD may carry a body. PUT and DELETE change server state, so a server must authenticate and authorise the caller before honouring them. TRACE makes the server echo the request it received back in the response body, which is why it is normally disabled in production. OPTIONS asks which methods a resource (or, with the target *, the server as a whole) supports; the answer comes back in the Allow response header.


Response Start Lines: Status Codes

Tell the client what happened:

Overall range   Defined range   Category
100-199         100-101         Informational
200-299         200-206         Successful
300-399         300-305         Redirection
400-499         400-415         Client Error
500-599         500-505         Server Error

The first digit gives the class. The “defined range” column lists the codes assigned by the HTTP/1.1 specification this table was drawn from; later specifications added more (307, 308, 429 and others), but every code still belongs to one of these five classes, and a client that meets a code it does not recognise treats it as the x00 code of its class (an unknown 4xx is handled like 400).


HTTP Headers


HTTP Request

In a captured request, the first line is the request line (for example GET /path HTTP/1.1); every line after it, up to the empty line, is a header field of the form Name: value.


HTTP Response

Everything after the status line is a header, up to the empty line; the body (here starting with the DOCTYPE) follows the empty line. There is no Content-Length, and Connection: close tells the client the body ends when the server closes the connection. Because of Content-Encoding: gzip the bytes on the wire are compressed; the HTML shown is what the browser sees after decompressing them.

HTTP/1.x 200 OK
Date: Sat, 28 Nov 2017 04:36:25 GMT
Server: LiteSpeed
Connection: close
Expires: Sat, 28 Nov 2017 05:36:25 GMT
Cache-Control: max-age=3600, public
Content-Type: text/html; charset=UTF-8
Last-Modified: Sat, 28 Nov 2017 03:50:37 GMT
Content-Encoding: gzip

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Top 20+ MySQL Best Practices - Nettuts+</title>
<!-- ... rest of the html ... -->




HEAD Method

HEAD: Retrieve Header Information

  • HEAD is identical to GET, except the server does not return the body in the HTTP response. The status line and headers (Content-Length, Content-Type, Last-Modified and so on) should be the ones a GET would produce.
  • Send a HEAD request when you are only interested in the status code and the headers, not the document itself.

With this method, the browser can:

  • Check whether a document has been modified, for caching purposes (compare the Last-Modified header with the cached copy).
  • Check whether the document exists at all (200 versus 404).

Usage:

  • If you have a lot of links on your website, you can periodically send HEAD requests to all of them to check for broken links.
  • This is much faster than using GET because no body is transferred. The caveat is that some servers do not implement HEAD for every resource (they may answer 405 Method Not Allowed, or give a status that differs from GET), so a link checker should fall back to GET when HEAD gives an unexpected result.


Request Headers

Host:

  • An HTTP request is sent to a specific IP address.
  • But since most servers host multiple websites on the same IP address, the server must be told which domain name the browser is looking for; the Host header carries it. HTTP/1.1 requires it in every request, and a server rejects an HTTP/1.1 request without one with 400 Bad Request.
  • Because the client sets it, an application must check the Host value against the names it actually serves before using it to build absolute URLs or choose a site configuration.


Request Headers

User-Agent:

  • This header can carry several pieces of information, such as:
    • Browser name and version.
    • Operating system name and version.
    • Default language.

  • This is how websites collect general information about their visitors' systems.

  • For example, they can detect that the visitor is using a mobile-phone browser and redirect them to a mobile version of the website.

  • The value is set by the client and trivially changed, so use it for hints such as picking a layout, never for authorisation or other security decisions.


Request: Other Headers

  • Accept-Language: which language(s) the client prefers for the response

  • Accept-Encoding: which content codings (for example gzip) the client can decompress, so the server may compress the HTML

  • If-Modified-Since: if the page is cached on the client,
    • it asks the server whether the page has been modified since that date.
    • If not, the server sends 304 Not Modified (status line and headers only) instead of the page.

  • Referer: tells the server which page you came from
    • Basically, where you clicked the link to this new page
    • The header name is spelled “Referer”; this misspelling of “referrer” is the one the specification uses and the one servers recognise

  • Cookie: more on them later


Response Headers: Cache-Control

Cache-Control: tells caches how the response may be stored and for how long. In the response shown earlier, max-age=3600, public means any cache (shared or private) may keep and reuse the page for one hour.


Response Headers: Content-Type

Content-Type: the media type of the body and, for text, its character set. In the response shown earlier, text/html; charset=UTF-8 tells the browser to render the body as HTML decoded as UTF-8.


Response Headers: Last-Modified

Last-Modified: Includes the date the page was last modified

Used in conjunction with the If-Modified-Since Request Header
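Added example for these notes (not code from the lecture) that covers three of the slides above at once: HEAD versus GET, the status-code classes, and the Last-Modified / If-Modified-Since pair. It starts a tiny server on 127.0.0.1 using only Python's standard library, runs a HEAD-based link check that buckets results by status class, shows that HEAD returns the same Content-Length as GET with no body, and sends a conditional GET that gets a 304. The paths /, /old and /missing, the document and its fixed modification timestamp are constructed fixtures.

```python
"""HEAD vs GET, status-code classes and conditional GET against a local server.

Added example for these notes; not lecture code. Runs on 127.0.0.1 only.
"""
import threading
from email.utils import formatdate, parsedate_to_datetime
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed fixtures: the one document we serve and its last-modified time.
DOC_MODIFIED = 1511841037          # Unix time (UTC), arbitrary but fixed
DOC_BODY = b"<html><body>Hi! I am a message</body></html>\n"

# Status-code classes from the slide; the first digit selects the class.
STATUS_CLASS = {1: "Informational", 2: "Successful", 3: "Redirection",
                4: "Client Error", 5: "Server Error"}


class DemoHandler(BaseHTTPRequestHandler):
    """Serves /, a 301 redirect at /old, and 404 for everything else."""

    def log_message(self, fmt, *args):     # keep the demo quiet
        pass

    def _respond(self, send_body):
        if self.path == "/":
            since = self.headers.get("If-Modified-Since")
            if since is not None and self._not_modified_since(since):
                self.send_response(304)    # status and headers only, no body
                self.end_headers()
                return
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=UTF-8")
            self.send_header("Content-Length", str(len(DOC_BODY)))
            self.send_header("Last-Modified", formatdate(DOC_MODIFIED, usegmt=True))
            self.end_headers()
            if send_body:                  # HEAD: same headers, body withheld
                self.wfile.write(DOC_BODY)
        elif self.path == "/old":
            self.send_response(301)
            self.send_header("Location", "/")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()

    @staticmethod
    def _not_modified_since(date_header):
        """True if the document has not changed since the client's date.

        An unparsable date is ignored and the full document is sent: a bad
        header must never be able to suppress content.
        """
        try:
            return parsedate_to_datetime(date_header).timestamp() >= DOC_MODIFIED
        except (TypeError, ValueError):
            return False

    def do_GET(self):
        self._respond(send_body=True)

    def do_HEAD(self):
        self._respond(send_body=False)


def start_server():
    server = HTTPServer(("127.0.0.1", 0), DemoHandler)   # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(server, method, path, headers=None):
    """One request; returns (status, headers dict, body bytes)."""
    conn = HTTPConnection("127.0.0.1", server.server_port)
    try:
        conn.request(method, path, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


def check_links(server, paths):
    """Link checker: one HEAD per path, bucketed by status class."""
    result = {}
    for path in paths:
        status, _, _ = fetch(server, "HEAD", path)
        result[path] = (status, STATUS_CLASS.get(status // 100, "Unknown"))
    return result


def demo():
    server = start_server()
    try:
        links = check_links(server, ["/", "/old", "/missing"])
        _, get_headers, get_body = fetch(server, "GET", "/")
        _, head_headers, head_body = fetch(server, "HEAD", "/")
        # Conditional GET: send Last-Modified back as If-Modified-Since.
        cond_status, _, cond_body = fetch(
            server, "GET", "/", {"If-Modified-Since": get_headers["Last-Modified"]})
        return {
            "links": links,
            "get_len": len(get_body),
            "head_len": len(head_body),
            "head_content_length": int(head_headers["Content-Length"]),
            "conditional_status": cond_status,
            "conditional_len": len(cond_body),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The server answers HEAD by running the same code path as GET and only withholding the body, which is what makes the Content-Length seen by the link checker trustworthy. Against real servers the checker should treat a 405 or an unexpected status from HEAD as “try again with GET” rather than “broken link”, since not every server implements HEAD for every resource.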


Class Activity

Telnet & HTTP

HTTP Status Code
