HTTP Headers

HTTP supports a large number of different headers, some of which are designed for specific unusual purposes. Some headers can be used for both requests and responses, while others are specific to one of these message types. The headers you are likely to encounter when attacking web applications are listed here.

General Headers

■ Connection — This is used to inform the other end of the communication whether it should close the TCP connection after the HTTP transmission has completed or keep it open for further messages.

■ Content-Encoding — This is used to specify what kind of encoding is being used for the content contained in the message body, such as gzip , which is used by some applications to compress responses for faster transmission.

■ Content-Length — This is used to specify the length of the message body, in bytes (except in the case of responses to HEAD requests, when it indicates the length of the body in the response to the corresponding GET request).

Content-Type — This is used to specify the type of content contained in the message body; for example, text/html for HTML documents.

■ Transfer-Encoding — This is used to specify any encoding that was performed on the message body to facilitate its transfer over HTTP. It is normally used to specify chunked encoding when this is employed.

Request Headers

■ Accept — This is used to tell the server what kinds of content the client is willing to accept, such as image types, office document formats, and so on.

■ Accept-Encoding — This is used to tell the server what kinds of content encoding the client is willing to accept.

■ Authorization — This is used to submit credentials to the server for one of the built-in HTTP authentication types.

■ Cookie — This is used to submit cookies to the server which were previously issued by it.

■ Host — This is used to specify the hostname that appeared in the full URL being requested.

■ If-Modified-Since — This is used to specify the time at which the browser last received the requested resource. If the resource has not changed since that time, the server may instruct the client to use its cached copy, using a response with status code 304.

■ If-None-Match — This is used to specify an entity tag, which is an identifier denoting the contents of the message body. The browser submits the entity tag that the server issued with the requested resource when it was last received. The server can use the entity tag to determine whether the browser may use its cached copy of the resource.

■ Referer — This is used to specify the URL from which the current request originated.

■ User-Agent — This is used to provide information about the browser or other client software that generated the request.

Response Headers

■ Cache-Control — This is used to pass caching directives to the browser (for example, no-cache ).

■ ETag — This is used to specify an entity tag. Clients can submit this identifier in future requests for the same resource in the If-None-Match header to notify the server which version of the resource the browser currently holds in its cache.

■ Expires — This is used to instruct the browser how long the contents of the message body are valid for. The browser may use the cached copy of this resource until this time.

■ Location — This is used in redirection responses (those with a status code starting with 3) to specify the target of the redirect.

■ Pragma — This is used to pass caching directives to the browser (for example, no-cache ).

■ Server — This is used to provide information about the web server soft ware being used.

■ Set-Cookie — This is used to issue cookies to the browser that it will submit back to the server in subsequent requests.

■ WWW-Authenticate — This is used in responses with a 401 status code to provide details of the type(s) of authentication supported by the server.— This is used to pass caching directives to the browser (for example, no-cache ).

■ Server — This is used to provide information about the web server software being used.

■ Set-Cookie — This is used to issue cookies to the browser that it will submit back to the server in subsequent requests.

■ WWW-Authenticate — This is used in responses with a 401 status code to provide details of the type(s) of authentication supported by the server.


NEXT article on ..Cookies….,