HTTP Message Headers

Source: Internet
Author: User
Tags http authentication

HTTP supports many different message headers, some of which are designed for special purposes. Some message headers can be used in both requests and responses, while others are specific to one type of message. The following is a list of message headers that penetration testers are likely to encounter when attacking a Web application.

1. Common message headers

Connection. This message header is used to tell the other end of the communication whether to close the TCP connection after the HTTP transfer is complete, or to keep the connection open to receive other messages.

Content-Encoding. This message header specifies the encoding (such as gzip) applied to the content in the message body. Some applications use it to compress responses and speed up the transfer.

Content-Length. This message header specifies the length of the message body in bytes. (The exception is a response to a HEAD request, where it indicates the length of the body in the response to the corresponding GET request.)

Content-Type. This message header is used to specify the content type of the message body. For example, the content type of an HTML document is text/html.

Transfer-Encoding. This message header specifies any encoding applied to the message body to facilitate its transmission over HTTP. When this message header is used, it normally specifies chunked encoding.
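The following Python sketch shows how a receiver delimits the message body using the Content-Length and Transfer-Encoding headers described above. It is an added example, not code from the original page. The sample messages are constructed, and rejecting a message that carries both headers is a conservative assumption of this example.

```python
# Added example (not from the original page); sample messages are constructed.
def split_message(raw: bytes):
    """Split a raw HTTP message into (start line, headers, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return lines[0], headers, body

def decode_chunked(data: bytes) -> bytes:
    """Reassemble a chunked body: <hex size>CRLF<data>CRLF ... 0CRLF CRLF."""
    out, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)  # ValueError if the size line is cut off
        size = int(data[pos:eol].split(b";")[0], 16)  # drop any chunk extension
        if size == 0:
            return out
        start = eol + 2
        chunk = data[start:start + size]
        if len(chunk) != size or data[start + size:start + size + 2] != b"\r\n":
            raise ValueError("truncated or malformed chunk")
        out += chunk
        pos = start + size + 2

def read_body(raw: bytes) -> bytes:
    """Return the message body as delimited by its framing header."""
    _, headers, body = split_message(raw)
    te = headers.get("transfer-encoding", "").lower()
    cl = headers.get("content-length")
    if te and cl is not None:
        # Assumption of this example: treat ambiguous framing as an error.
        raise ValueError("both Content-Length and Transfer-Encoding present")
    if te == "chunked":
        return decode_chunked(body)
    if cl is not None:
        if len(body) < int(cl):
            raise ValueError("body shorter than Content-Length")
        return body[:int(cl)]
    return body  # no framing header: body runs until the connection closes

HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
FIXED = HEAD + b"Content-Length: 5\r\n\r\nhello"
CHUNKED = HEAD + b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n7\r\n, world\r\n0\r\n\r\n"
```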

2. Request message headers

Accept. This message header tells the server what kinds of content the client is willing to accept, such as content types, office document formats, and so on.

Accept-Encoding. This message header tells the server what content encodings the client is willing to accept.

Authorization. This message header is used to submit credentials to the server for built-in HTTP authentication.

Cookie. This message header is used to submit previously issued cookies to the server.

Host. This message header specifies the hostname that appears in the full URL being requested.

If-Modified-Since. This message header specifies the time at which the browser last received the requested resource. If the resource has not changed since then, the server issues a response with a status code of 304, instructing the client to use its cached copy of the resource.

If-None-Match. This message header is used to specify an entity tag. An entity tag is an identifier that describes the content of the message body. The browser submits the entity tag that the server issued with the requested resource when it was last received. The server can use the entity tag to determine whether the browser may use its cached copy of the resource.

Origin. This message header is used in cross-domain Ajax requests to indicate the domain from which the request originated (see Chapter 13 for related content).

Referer. This message header indicates the URL from which the current request originated.

User-Agent. This message header provides information about the browser or other client software that generated the request.

3. Response message headers

Access-Control-Allow-Origin. This message header indicates whether the resource can be retrieved through a cross-domain Ajax request.

Cache-Control. This message header is used to pass caching directives (such as no-cache) to the browser.

ETag. This message header is used to specify an entity tag. The client can submit this identifier in the If-None-Match message header of future requests for the same resource, telling the server which version of the resource the browser currently holds in its cache.

Expires. This message header tells the browser how long the content of the message body remains valid. Until this time, the browser can use its cached copy of the resource.

Location. This message header is used in redirect responses (those with a status code starting with 3) to specify the target of the redirect.

Pragma. This message header is used to pass caching directives (such as no-cache) to the browser.

Server. This message header provides information about the Web server software that is used.

Set-Cookie. This message header is used to issue cookies to the browser, which the browser will return to the server on subsequent requests.

WWW-Authenticate. This message header is used in a response with a 401 status code to provide information about the types of authentication supported by the server.

X-Frame-Options. This message header indicates whether and how the current response may be loaded within a browser frame (see Chapter 13 for related content).
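The cache validation exchange described under If-Modified-Since, If-None-Match and ETag can be sketched as the decision a server makes for each request. This Python code is an added example, not part of the original page. The function name, the sample ETag value and the timestamp are constructed, and splitting the If-None-Match list on commas is a simplification.

```python
# Added example (not from the original page): choosing 304 vs. 200.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

ETAG = '"v2-5f3a"'                                       # constructed sample value
LAST_MODIFIED = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)

def _opaque(tag: str) -> str:
    """Drop the weak prefix so W/"x" and "x" compare equal (weak comparison)."""
    tag = tag.strip()
    return tag[2:] if tag.startswith("W/") else tag

def evaluate_conditional(request_headers: dict, etag: str,
                         last_modified: datetime) -> int:
    """Return 304 if the client's cached copy is still current, else 200."""
    h = {k.lower(): v for k, v in request_headers.items()}
    inm = h.get("if-none-match")
    if inm is not None:
        # If-None-Match takes precedence: If-Modified-Since is then ignored.
        if inm.strip() == "*":
            return 304
        client_tags = {_opaque(t) for t in inm.split(",")}
        return 304 if _opaque(etag) in client_tags else 200
    ims = h.get("if-modified-since")
    if ims is not None:
        try:
            since = parsedate_to_datetime(ims)
        except (TypeError, ValueError):
            return 200                  # unparseable date: ignore the header
        if since.tzinfo is None:
            since = since.replace(tzinfo=timezone.utc)
        # HTTP dates have one-second resolution.
        return 304 if last_modified.replace(microsecond=0) <= since else 200
    return 200                          # unconditional request: send the body
```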
