HTTP Header
Table of Contents
Referer- When is
Authorizationheader sent by the browser? - Basic access authentication
AcceptvsContent-Type- Cache Control
- Cookies
- Cookies vs Web Storage
Referer header
- Misspelling of Referrer
- There are some tricky parts when requesting between HTTPS and HTTP (detail)
Referer: https://developer.mozilla.org/en-US/docs/Web/JavaScript
when a user clicks a hyperlink in a web browser, the browser sends a request to the server holding the destination webpage. The request includes the referer field, which indicates the last page the user was on (the one where they clicked the link).
When is Authorization header sent by the browser? discussion
Only types like Basic, NTLM of Authorization header is sent automatically by browser in following cases:
The
Authorizationheader field allows a user agent to authenticate itself with an origin server – usually, but not necessarily, after receiving a 401 (Unauthorized) response.
On the other hand, other types must explicitly be added by JS.
A
Bearertoken in theAuthorizationheader necessarily requires being added by JavaScript because the browser will never include it
Basic access authentication discussion
Because the BA field(
Authorization: Basic) has to be sent in the header of each HTTP request, the web browser needs to cache credentials for a reasonable period of time to avoid constantly prompting the user for their username and password. Caching policy differs between browsers. Microsoft Internet Explorer by default caches them for 15 minutes.[1]
Accept vs Content-Type discussion
Acceptheader is used by HTTP clients to tell the server what content types they'll accept. The server will then send back a response, which will include aContent-Typeheader telling the client what the content type of the returned content actually is.
The Content-Type header on HTTP Request is for the payload of POST or PUT, which tells the server how the payload is formed.
Cache Control discussion
Request
Cache-Control: max-age=<seconds>
Cache-Control: max-stale[=<seconds>]
Cache-Control: min-fresh=<seconds>
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-transform
Cache-Control: only-if-cached
response
Cache-Control: must-revalidate
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-transform
Cache-Control: public
Cache-Control: private
Cache-Control: proxy-revalidate
Cache-Control: max-age=<seconds>
Cache-Control: s-maxage=<seconds>
Cookies discussion
Yes, as long as the URL requested is within the same domain and path defined in the cookie (and all of the other restrictions – secure, httponly, not expired, etc) hold, then the cookie will be sent for every request.
Set-Cookie
Set-Cookie: id=a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly
- Secure
- The cookies that are set can only be sent over HTTPS
- HttpOnly
- The cookies that are set cannot be retrieved with JS. Only be sent to the designated server.
Cookies vs Web Storage discussion
Does your auth token protect anything to do with money?
- You'll probably want the cookie
httpOnlysecure option. - By using
httpOnlyoption, the credential is safe from XSS attack, because no JavaScript can access to it.
Is the level of effort required to implement CSRF protection not worth the assets it's protecting?
- Then the Web Storage might be the right place.
Cookies
Disadvantages compared to Web Storages:
4KBof max size (it counts all elements like name, value, expiry date)- Because cookies are automatically sent, cookies are vulnerable to CSRF attacks, which let the victim make some unwanted requests inadvertently
Web Storage
There are two types of Web Storage:
- localStorage
- data persists until explicitly deleted.
- sessionStorage
- Once the window is closed, the storage is deleted.
Web Storage is safe from CSRF attacks, since it doesn't automatically send its contents.
However, there are some disadvantages compared to Cookies:
- sandboxed to a specific domain
- accessible through JS, which means that it's vulnerable to XSS attacks