HTTP - HyperText Transfer Protocol
Summary
Definition
HyperText Transfer Protocol (HTTP)
Application layer protocol that specifies how data is transmitted over the Internet. HTTP follows a request-response model using a client-server architecture.
Key characteristics
- Stateless protocol
- Supports multiple versions: HTTP/1.1, HTTP/2, HTTP/3 (see below)
HTTP versions
- HTTP/1.1: pipelining (asynchronous requests)
- HTTP/2: multiplexing and header compression (HPACK)
- HTTP/3: QUIC support (UDP-based)
Note
- All examples provided on this page can be found in the associated pcap file.
- This capture was generated using a Python script leveraging the scapy library.
Requests
Request definition
A request is sent by a client to a server.
The start line consists of a method name, a request URI and the protocol version, separated by a single space. The following request start line specifies the method GET, the URI /page and the protocol version HTTP/1.1:
GET /page HTTP/1.1
Requests can pass additional information using request header fields.
Example request
Below is an example request to example.com.
GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/1.0
Accept: text/html
Connection: keep-alive
Note: the request ends with two consecutive line breaks (an empty line after the last header field), which marks the end of the request.
The subsequent response can be found in the response section.
Request methods
| Method | RFC | Safe | Cacheable |
|---|---|---|---|
| GET | RFC 9110 | Yes | Yes |
| POST | RFC 9110 | No | Yes |
| PUT | RFC 9110 | No | No |
| HEAD | RFC 9110 | Yes | Yes |
| DELETE | RFC 9110 | No | No |
| CONNECT | RFC 9110 | No | No |
| OPTIONS | RFC 9110 | Yes | No |
| TRACE | RFC 9110 | Yes | No |
| PATCH | RFC 5789 | No | No |
Notes:
- A request method is said to be safe if it does not modify server state.
- A request is cacheable if its response may be stored by the server for future reuse.
Status codes
| Class | Description |
|---|---|
| 1XX | Informational - Request received and continuing |
| 2XX | Successful - Request accepted and processed |
| 3XX | Redirection - Further action required |
| 4XX | Client Error - Request contains error |
| 5XX | Server Error - Server failed to process request |
Responses
Definition
A response is sent by the server to the client.
The start line contains:
- Protocol version
- Status code
- Reason phrase (optional)
Example start line:
HTTP/1.1 200 OK
Responses may include additional response header fields.
Example Response
Below is the response to the request from the previous section.
HTTP/1.1 200 OK
Date: Sat, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html
Content-Length: 48
Connection: keep-alive
<html>
<head><title>Example</title></head>
<body>Test Page</body>
</html>
Security considerations
HTTP is generally secured through TLS, resulting in HTTPS. Other security considerations should be borne in mind:
- Never trust user input
- Methods Enforcement - Restrict or disable unsafe methods (cf. request methods)
- Security Headers - Implement headers such as Strict-Transport-Security (enforces HTTPS-only), X-Frame-Options, Content-Security-Policy (enforces CSP) and X-Content-Type-Options (also see the dedicated headers page)
- Response Header Validation - Ensure headers do not leak sensitive information (e.g., server software and version)
- IP and Header Spoofing Mitigation - Validate incoming headers (cf. the referenced OWASP article)
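As an added example (not code from the original page or its capture script), the following Python parses raw HTTP/1.1 messages along the lines described in the request and response sections (start line, header fields, the empty line ending the header section, Content-Length delimiting the body) and then applies the method-enforcement and security-header checks from the list above. The allowed-method policy, the required-header list and the sample messages are constructed assumptions for illustration.

```python
# Added example: parse raw HTTP/1.1 messages and audit them against the checklist above.
from dataclasses import dataclass, field

ALLOWED_METHODS = {"GET", "HEAD", "POST"}          # hypothetical site policy
REQUIRED_HEADERS = ("strict-transport-security", "x-frame-options",
                    "content-security-policy", "x-content-type-options")

@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)   # names stored lowercased
    body: bytes = b""

def parse_message(raw: bytes) -> HttpMessage:
    # The header section ends at the first empty line (CRLF CRLF).
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLF CRLF terminator: header section incomplete")
    lines = head.decode("ascii").split("\r\n")
    msg = HttpMessage(start_line=lines[0])
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        msg.headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes are not mistaken for the body.
    length = int(msg.headers.get("content-length", len(body)))
    msg.body = body[:length]
    return msg

def check_request(raw: bytes) -> list:
    msg = parse_message(raw)
    method, _target, version = msg.start_line.split(" ")  # ValueError if malformed
    findings = []
    if method not in ALLOWED_METHODS:          # rejects unsafe/unused methods
        findings.append(f"method {method} not allowed")
    if version == "HTTP/1.1" and "host" not in msg.headers:
        findings.append("Host header required in HTTP/1.1")
    return findings

def audit_response(raw: bytes) -> list:
    msg = parse_message(raw)
    findings = [f"missing {h}" for h in REQUIRED_HEADERS if h not in msg.headers]
    if "server" in msg.headers:                # software/version leakage
        findings.append(f"Server header leaks: {msg.headers['server']}")
    return findings

# Constructed sample messages (not from the page's capture).
REQUEST = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
           b"User-Agent: Mozilla/1.0\r\nAccept: text/html\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Server: Apache/2.4.1\r\nContent-Length: 5\r\n\r\nhello")
```

Running `audit_response(RESPONSE)` lists the four missing security headers plus the leaking Server header; `check_request` on a TRACE request reports the disallowed method.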