Questions tagged [http]

Definition: HTTP - the Hypertext Transfer Protocol - provides a standard for Web browsers and servers to communicate. The definition of HTTP is a technical specification of a network protocol that software must implement. HTTP is an application layer network protocol built on top of TCP. HTTP clients (such as Web browsers) and servers communicate via HTTP request and response messages. The three main HTTP message types are GET, POST, and HEAD.

1415 questions
407 votes, 10 answers

Is BASIC-Auth secure if done over HTTPS?

I'm making a REST API and it's straightforward to do BASIC auth login. Then let HTTPS secure the connection so the password is protected when the API is used. Can this be considered secure?
Morten
400 votes, 5 answers

Why is 'Bearer' required before the token in the 'Authorization' header in an HTTP request?

What exactly is the difference between the following two headers: Authorization : Bearer cn389ncoiwuencr vs Authorization : cn389ncoiwuencr? All the sources which I have gone through set the value of the 'Authorization' header as 'Bearer'…
Anmol Gupta
241 votes, 5 answers

What is the difference between https://google.com and https://encrypted.google.com?

Is there any difference between the encrypted Google search (at https://encrypted.google.com) and the ordinary HTTPS Google search (at https://google.com)? In terms of security, what were the benefits of browsing through encrypted Google…
BlueBerry - Vignesh4303
151 votes, 4 answers

Which security measures make sense for a static web site?

I have a static web site. Users cannot log in or perform any other actions. Which of the common HTTP security measures make sense for my site? Do I need any of these? HTTPS Strict transport security Content security policy Certificate…
Sjoerd
127 votes, 4 answers

Is it safe to include an API key in a request's URL?

Lately I've seen plenty of APIs designed like this: curl "https://api.somewebsite.com/v1/something&key=YOUR-API-KEY" Isn't it elementary that passing an API key in a query string as a part of the URL is not secure, at least in HTTP?
Incerteza
121 votes, 8 answers

Attacking an office printer?

I did an nmap scan on an advanced office printer that has a domain name and is accessible from outside the corporate network. Surprisingly I found many open ports like http:80, https:443, and svrloc:427 and some others. The OS fingerprint says…
hsnm
112 votes, 6 answers

Why should I offer HTTP in addition to HTTPS?

I am setting up a new webserver. In addition to TLS/HTTPS, I'm considering implementing Strict-Transport-Security and other HTTPS-enforcement mechanisms. These all seem to be based on the assumption that I am serving http://www.example.com in…
lofidevops
92 votes, 9 answers

Can my company see what HTTPS sites I went to?

At work my company uses internet monitoring software (Websense). I know if I visit an HTTPS SSL-encrypted site (such as https://secure.example.com) they can't see what I'm doing on the site since all the traffic is encrypted. But do they see that I…
IAmARegisteredUser
83 votes, 7 answers

Does a CSRF cookie need to be HttpOnly?

We were recently handed a security report containing the following: Cookie(s) without HttpOnly flag set vulnerability, which we apparently had in one of our internal applications. The applied fix was as simple as setting Django's…
alecxe
80 votes, 10 answers

Why is HTTPS not the default protocol?

Why is HTTP still commonly used, instead of what I would believe to be the much more secure HTTPS?
blunders
73 votes, 3 answers

How to exploit HTTP Methods

Many security scanners like nikto, nessus, nmap, and w3af sometimes show that certain HTTP methods like HEAD, GET, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT, etc. are vulnerable to attack. What do these methods do and how can they be exploited? I'm…
Digital fire
71 votes, 3 answers

What was the aim of this invalid HTTP request that tells a story about goats in the request URI?

I currently run an Apache HTTP server, and have set up monitoring to receive emails whenever an error appears in the error logs. I get the usual trying to find if I'm using HTTP 1.0 and trying to see if I'm using off the shelf software like…
Crazy Dino
70 votes, 8 answers

Why use HTTPS Everywhere when we have HSTS supported browsers?

I know that the browser's default protocol to access any site is http:// when https:// is not explicitly mentioned, but even then, if we browse to a website, say www.facebook.com, the response header from the Facebook servers would have HSTS mentioned…
GypsyCosmonaut
69 votes, 6 answers

What's the difference between using HSTS and doing a 301 redirection?

If I already have done a 301 redirection from all the HTTP inner pages to HTTPS, why should I use HSTS as well?
Franzech Domâs
66 votes, 5 answers

HTTPS web service switched to HTTP. What can go wrong?

I recently visited a website which used to have an HTTPS connection. Now it has just a plain HTTP connection, and the authentication method has changed from user+password to "authenticate with Google account". I contacted them and asked them why…
Peque