Questions tagged [http]

Definition: HTTP - the Hypertext Transfer Protocol - provides a standard for Web browsers and servers to communicate. The definition of HTTP is a technical specification of a network protocol that software must implement.

HTTP is an application layer network protocol built on top of TCP. HTTP clients (such as Web browsers) and servers communicate via HTTP request and response messages: a request carries a method, a target URI and headers (plus an optional body), and the response carries a status code and headers (plus an optional body). The request methods you will meet most often are GET, POST, and HEAD; TRACE and OPTIONS, which several of the questions below concern, are also defined by the specification.

1471 questions
42
votes
3 answers

Is the HTTP TRACE method a security vulnerability?

I saw many posts here on this site dishing out advice on disabling the HTTP TRACE method to prevent cross site tracing. I sought to do the same thing. But when I read the Apache documentation, it gives the opposite advice: Note Despite claims to the…
Question Overflow
  • 5,300
  • 6
  • 28
  • 48
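The tag description states that clients and servers exchange request and response messages, and the TRACE question asks what it costs to leave that method enabled. The following is an added example written for this page, not code from the question, its answers, or the Apache documentation it cites. It runs a throwaway `http.server` on localhost whose TRACE handler reflects the request (the behaviour cross-site tracing depends on), speaks HTTP/1.1 to it over a plain socket so the raw message format is visible, and then checks whether a constructed `Cookie` header comes back in the TRACE response body. A second, hardened handler answers TRACE with 405; the same probe reports it as not exposed. Handler names, the cookie value and the port selection are assumptions of this example.

```python
"""Raw HTTP/1.1 exchange and a TRACE reflection probe (added example).

Nothing here touches the network beyond 127.0.0.1; both the server and
the 'secret' cookie are constructed for the demonstration.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoingHandler(BaseHTTPRequestHandler):
    """Constructed test server: serves GET normally and reflects TRACE."""
    protocol_version = "HTTP/1.1"

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        body = b"hello\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACE(self):
        # Reflect the request line and every request header as message/http,
        # which is what the spec asks of TRACE and what XST abuses.
        lines = [self.requestline]
        for name, value in self.headers.items():
            lines.append(f"{name}: {value}")
        body = ("\r\n".join(lines) + "\r\n").encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


class HardenedHandler(EchoingHandler):
    """Same server with TRACE refused (405 Method Not Allowed)."""

    def do_TRACE(self):
        self.send_error(405, "TRACE disabled")


def raw_exchange(port, method, path="/", headers=None):
    """Send one HTTP/1.1 request over a socket; return (status, headers, body)."""
    hdrs = {"Host": f"127.0.0.1:{port}", "Connection": "close", **(headers or {})}
    request = f"{method} {path} HTTP/1.1\r\n"
    request += "".join(f"{k}: {v}\r\n" for k, v in hdrs.items()) + "\r\n"
    with socket.create_connection(("127.0.0.1", port), timeout=5) as sock:
        sock.sendall(request.encode("latin-1"))
        chunks = []
        while True:  # 'Connection: close' means EOF marks the end of the response
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("latin-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    parsed = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        parsed[name.strip().lower()] = value.strip()
    return status, parsed, body


def trace_exposes_headers(port, secret=("Cookie", "session=constructed-secret")):
    """True if the server reflects a request header in its TRACE response."""
    name, value = secret
    status, _, body = raw_exchange(port, "TRACE", headers={name: value})
    return status == 200 and value.encode("latin-1") in body


def probe(handler_cls):
    """Start handler_cls on an ephemeral port, run GET and the TRACE probe."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        get_status, _, get_body = raw_exchange(port, "GET")
        exposed = trace_exposes_headers(port)
    finally:
        server.shutdown()
        server.server_close()
    return get_status, get_body, exposed


if __name__ == "__main__":
    print("reflecting server:", probe(EchoingHandler))   # (200, b'hello\n', True)
    print("hardened server: ", probe(HardenedHandler))   # (200, b'hello\n', False)
```

Against a real target the same probe is one raw TRACE request with a marker header; a 200 whose body repeats the marker is the cross-site tracing condition, while 405 or 501 means the method is refused. Note that reflection alone only matters if some script context can issue TRACE and read the body, which is the point the Apache note the question quotes is making.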
39
votes
2 answers

What is the HTTP "Server" response-header field used for?

It was not until recently that I began to question the use for the Server field in the HTTP Response-Header. I did some research: RFC 2616 states: 14.38 Server The Server response-header field contains information about the software used by the…
ZnArK
  • 607
  • 1
  • 6
  • 10
23
votes
2 answers

What does Django's ALLOWED_HOSTS variable actually do?

I'm supposed to set ALLOWED_HOSTS in my Django project's configuration to the hostnames that belong to me to ... prevent an attacker from poisoning caches and password reset emails with links to malicious hosts by submitting requests with a fake…
Nick T
  • 3,432
  • 5
  • 22
  • 28
19
votes
3 answers

Meaningless http request

We've been logging GET requests on our domain to the following: XX/YY/ZZ/CI/MGPGHGPGPFGHCDPFGGHGFHBGCHEGPFHHGG This has no meaning on our site. A search on the web revealed no information, but a few other places which logged similar requests. Is…
JNF
  • 305
  • 2
  • 11
18
votes
6 answers

How to perform safe authentication via HTTP?

I have to log in on an HTTP website. There is a login form which contains inputs for username and password and as hidden inputs the sessionId. I am creating an application in which I have to access resources which just can be accessed if you are…
Richard_Papen
  • 183
  • 1
  • 1
  • 5
18
votes
3 answers

Is it possible to create a file that never completes its download process?

Is it possible to build a file from scratch that when it gets downloaded via HTTP, the download never actually completes? I am not talking about ZIP BOMB here. Some download software allows you to download streaming events, thus the final size of…
mahen23
  • 341
  • 2
  • 5
17
votes
4 answers

What information can my ISP see when I visit a website?

For example, when I enter this URL: https://www.google.com/search?q=example or http://www.google.com/search?q=example I can see the word example that I was searching on Google. Can the ISP see this URL and so maybe register it in their logs?
Frank
  • 457
  • 1
  • 4
  • 8
16
votes
5 answers

Obfuscating HTTP Error Codes

I'm working on a REST API endpoint where we only accept requests from certain domain names. Whitelisting. A dev I'm working with recommended that we return HTTP 400 instead of HTTP 403 if the incoming IP address is not whitelisted. They said it was…
Samuel Labrador
  • 163
  • 1
  • 5
15
votes
5 answers

Strange request URI with lot of + (spaces) and "chosen nickname"

Over the last six months or so (after publishing a certain article) my site has been pestered with a number of request URIs that follow this…
Free Radical
  • 774
  • 5
  • 14
13
votes
4 answers

How can I identify that my page is requested by robot, but not user's browser?

How can I detect that my page is requested by a robot, but not a user's browser? I'm aware of the basic tricks: Watch for incorrect headers or urls. For example, urls with hash or header with full url - GET www.yoursite.com/test Detect that several…
Paul Podlipensky
  • 2,847
  • 4
  • 23
  • 26
7
votes
2 answers

Exploiting HTTP redirect function via the Host header

I am testing a web application and found a redirect function which seems to be insecure. If I visit a non-existing page, then I am getting redirected to login page of application. However the redirect function can be exploited by setting custom Host…
user1880405
  • 263
  • 1
  • 4
  • 14
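The Django ALLOWED_HOSTS question earlier on this page and the Host-header redirect question just above describe the same defect from two sides: an application that builds absolute URLs (cache keys, password-reset links, redirects) from whatever the client put in the Host header. The following is an added example written for this page; it is not Django's own validation code and not the application under test. It mirrors the documented ALLOWED_HOSTS matching rules (`*` matches anything, a leading-dot entry matches that domain and its subdomains, otherwise an exact match, with the port and a trailing dot ignored) in a standalone function, and shows a "not found, send to login" redirect that only ever uses a validated host. The allowlist values, paths and the `https://` scheme are constructed for the demonstration.

```python
"""Host header validation in the style of ALLOWED_HOSTS (added example).

Standalone illustration, not Django's implementation; the allowlists and
paths in the usage section are constructed.
"""
import re
from urllib.parse import quote

# Shape of a well-formed Host header: a hostname or a bracketed IPv6 literal,
# with an optional port. Anything else ('@', '#', '/', spaces) is rejected
# before any allowlist comparison happens.
_HOST_RE = re.compile(r"^(\[[0-9a-f:.]+\]|[a-z0-9.-]+)(:[0-9]+)?$")


def parse_host(host_header):
    """Return (host, ':port' or '') lower-cased, or None if malformed."""
    m = _HOST_RE.match(host_header.strip().lower())
    if not m:
        return None
    return m.group(1).rstrip("."), m.group(2) or ""


def host_is_allowed(host, allowed_hosts):
    """ALLOWED_HOSTS-style matching against an already-parsed hostname."""
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("."):
            # '.example.com' matches example.com and any subdomain of it,
            # but not 'example.com.evil.com' (suffix must be a label boundary).
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def validated_host(host_header, allowed_hosts):
    """Return 'host[:port]' safe to embed in a URL, or raise ValueError."""
    parsed = parse_host(host_header)
    if parsed is None or not host_is_allowed(parsed[0], allowed_hosts):
        raise ValueError(f"disallowed Host header: {host_header!r}")
    return parsed[0] + parsed[1]


def is_host_accepted(host_header, allowed_hosts):
    try:
        validated_host(host_header, allowed_hosts)
        return True
    except ValueError:
        return False


def login_redirect(host_header, allowed_hosts, next_path):
    """The redirect a 'page not found -> login' handler would emit.

    Only a validated Host is used to build an absolute URL; on a bad Host
    the handler falls back to a relative Location, which the browser resolves
    against the origin it actually connected to.
    """
    target = "/login/?next=" + quote(next_path, safe="/")
    try:
        host = validated_host(host_header, allowed_hosts)
    except ValueError:
        return target
    return f"https://{host}{target}"


if __name__ == "__main__":
    allowed = [".example.com"]          # constructed allowlist
    for hdr in ["www.Example.com", "example.com:8000", "example.com.",
                "evil.com", "www.example.com.evil.com", "example.com@evil.com"]:
        print(f"{hdr!r:32} accepted={is_host_accepted(hdr, allowed)}")
    print(login_redirect("evil.com", allowed, "/admin/"))
    print(login_redirect("www.example.com", allowed, "/admin/"))
```

The two failure modes the questions describe both disappear once the allowlist sits in front of URL construction: a forged Host can no longer poison a cached page or a password-reset e-mail with an attacker-controlled hostname, and the redirect function can no longer be turned into an open redirect to the attacker's domain. The relative-URL fallback is a design choice for this example; rejecting the request with 400, as Django does, is equally valid.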
6
votes
6 answers

Best guidance for allowing users to connect via HTTP in case of a certificate error

I've coded my app to use https, but if a https transaction fails for any reason, I assume it's because the server isn't configured for https, and thereafter start all transactions with http. Seems like that's a vulnerability. Likewise, a script…
ddyer
  • 2,006
  • 1
  • 13
  • 20
6
votes
4 answers

How dangerous is plain HTTP?

Usually I try to tell people not to input any data on websites that are not secured with HTTPS. Given that most people are secured by Wifi access control. How bad is it really? What are possible attack scenarios? How easy is it to intercept HTTP…
Corporal Touchy
  • 837
  • 1
  • 6
  • 10
5
votes
1 answer

Is the HTTP method OPTIONS secure nowadays?

I've read How to exploit HTTP Methods: OPTIONS - this is a diagnostic method, which returns a message useful mainly for debugging and the like. This message basically reports, surprisingly, which HTTP Methods are active on the webserver. In…
angrydev
  • 53
  • 1
  • 3
4
votes
1 answer

Spoof IP in a TCP Packet & Vulnerable PHP Code

Assuming we have this PHP Script. Is it vulnerable? I mean let's say that I'm the 22.41.41.41. Can someone else spoof that IP by…
OhGodWhy
  • 43
  • 3