Security in HTTP

HTTP is used for communication over the Internet, so application developers, information providers, and users should be aware of the security limitations of HTTP/1.1. This section does not offer definitive solutions to the problems it raises, but it does give some suggestions for reducing risk.

Leakage of personal information

Clients often hold a large amount of personal information, such as the user's name, location, mail address and encryption keys. Great care should therefore be taken to prevent this information from leaking, via the HTTP protocol, to other parties.

All confidential information should be stored on the server in encrypted form.

Revealing the specific version of the server's software may make the server more vulnerable to attacks against software that is known to contain security holes.

Proxies that serve as a gateway through a network firewall should take special precautions regarding the transfer of header information that identifies the hosts behind the firewall.

Information sent in the From field may conflict with the user's privacy interests or with the site's privacy policy, and therefore should not be transmitted without the user being able to disable, enable, or modify the contents of the field.

Clients should not include a Referer header field in an insecure (unencrypted) HTTP request if the referring page was transferred with a secure protocol.

Authors of services that use the HTTP protocol should not use GET-based forms to submit sensitive data, because doing so causes the data to be encoded in the Request-URI.

Attacks based on path and file names

Server implementations should take care to restrict the documents returned in response to HTTP requests to only those intended by the server administrator.

For example, UNIX, Microsoft Windows and other operating systems use `..` as a path component to indicate a directory level above the current one. On such a system, an HTTP server MUST NOT allow any such construct in the Request-URI, otherwise resources outside the directories intended to be served would become reachable through the server.
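The following is an added example (not code from the original article or from Tutorialspoint) of the check described above: a server-side function that maps the path of a Request-URI below a configured document root and refuses anything that would climb above it. The document root `/srv/www/htdocs` is a constructed value.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root for this example; a real server takes it from its config.
DOC_ROOT = "/srv/www/htdocs"


def resolve_request_path(request_uri: str, doc_root: str = DOC_ROOT) -> Optional[str]:
    """Map the path part of a Request-URI onto a file below doc_root.

    Returns the resolved absolute path, or None when the URI would escape
    doc_root. The decision is made on the normalised path rather than by
    searching for the literal string "..", so encoded ("%2e%2e/"), nested
    ("a/../../") and backslash ("..\\") spellings are all caught.
    """
    path, _, _query = request_uri.partition("?")
    # Percent-decode exactly once: "%2e%2e" is ".." to the filesystem, but
    # decoding twice would turn "%252e" into a different resource.
    path = unquote(path)
    # Servers on Windows also accept backslash as a separator; normalise it.
    path = path.replace("\\", "/")
    # An embedded NUL truncates C strings and can hide a traversal suffix.
    if "\x00" in path:
        return None
    # Normalise relative to the root. Without a leading slash, normpath keeps
    # any ".." that would climb above the root instead of silently clamping it.
    rel = posixpath.normpath(path.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        return None          # the request tries to leave the document tree
    if rel == ".":
        return doc_root      # "/" maps to the root directory itself
    return posixpath.join(doc_root, rel)
```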

DNS spoofing

Clients using HTTP rely heavily on the Domain Name Service (DNS), and are therefore vulnerable to security attacks based on deliberately mis-associating IP addresses with DNS names. Clients should therefore be cautious in assuming that an association between an IP address and a DNS name remains valid.

If clients cache the results of host-name lookups to improve performance, they must observe the TTL information reported by DNS. If clients do not follow this rule, they can be spoofed when a previously accessed server's IP address changes.
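As an added example (not part of the original article), here is a small host-name cache that honours the DNS TTL as described above, together with a constructed scenario in which the server's address changes while an entry is cached. The resolver stub, the host `www.example.com` and the addresses `192.0.2.10`/`192.0.2.20` are assumptions made so the example runs offline.

```python
import time
from typing import Callable, Dict, Tuple

# A resolver returns (address, ttl_seconds). The demo below uses a constructed
# stub instead of real DNS so the example runs offline.
Resolver = Callable[[str], Tuple[str, int]]


class TtlHostCache:
    """Cache host-name lookups, but only for as long as the DNS TTL allows."""

    def __init__(self, resolver: Resolver,
                 clock: Callable[[], float] = time.monotonic,
                 max_ttl: int = 3600) -> None:
        self._resolve = resolver
        self._clock = clock
        self._max_ttl = max_ttl          # upper bound; an absurdly long TTL is not trusted
        self._entries: Dict[str, Tuple[str, float]] = {}   # host -> (address, expires_at)

    def lookup(self, host: str) -> str:
        now = self._clock()
        entry = self._entries.get(host)
        if entry is not None and now < entry[1]:
            return entry[0]              # still within TTL: reuse the cached address
        # Expired or never seen: re-query DNS, because the server may have moved.
        address, ttl = self._resolve(host)
        ttl = max(0, min(ttl, self._max_ttl))
        self._entries[host] = (address, now + ttl)
        return address


def demo() -> Tuple[str, str, str]:
    """Constructed scenario: www.example.com changes address while cached."""
    records = {"www.example.com": ("192.0.2.10", 60)}   # TTL 60 s
    clock = {"t": 0.0}                                   # fake clock, seconds
    cache = TtlHostCache(lambda host: records[host], lambda: clock["t"])
    first = cache.lookup("www.example.com")             # fresh lookup
    records["www.example.com"] = ("192.0.2.20", 60)     # DNS now points elsewhere
    clock["t"] = 30.0
    second = cache.lookup("www.example.com")            # TTL not expired: old address
    clock["t"] = 61.0
    third = cache.lookup("www.example.com")             # TTL expired: new address
    return first, second, third
```

A cache that ignored the TTL would keep returning 192.0.2.10 after the change, which is exactly the stale-address failure the paragraph warns about.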

Location headers and spoofing

If a single server supports multiple organizations that do not trust one another, then it MUST check the values of the Location and Content-Location header fields in responses generated under the control of those organizations, to ensure that they do not attempt to invalidate resources over which they have no authority.
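An added example (not from the original article) of the check just described for a shared server: each tenant is allowed to emit Location or Content-Location values only within its own host and path prefix, and any header pointing elsewhere is stripped before the response leaves the server. The tenant table, the host `www.example.com` and the prefixes `/alpha/` and `/beta/` are constructed for the example.

```python
import posixpath
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# Constructed tenant table: each organisation hosted on the shared server may
# only refer to resources under its own host and path prefix.
TENANTS = {
    "alpha": ("www.example.com", "/alpha/"),
    "beta":  ("www.example.com", "/beta/"),
}

CHECKED_HEADERS = ("location", "content-location")


def location_allowed(tenant: str, header_value: str) -> bool:
    """True if a Location/Content-Location value stays inside the tenant's space."""
    host, prefix = TENANTS[tenant]
    url = urlsplit(header_value)
    # An absolute reference must name the shared host over http(s); this also
    # catches scheme-relative forms such as "//other.example/alpha/x".
    if url.scheme or url.netloc:
        if url.scheme not in ("http", "https") or url.hostname != host:
            return False
    # Only rooted paths are accepted (other relative forms are rejected
    # conservatively); normalise so "/alpha/../beta/x" is judged as "/beta/x".
    path = posixpath.normpath(url.path or "/")
    return path == prefix.rstrip("/") or path.startswith(prefix)


def filter_response_headers(tenant: str,
                            headers: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Drop any Location/Content-Location header the tenant is not authorised to emit."""
    kept = []
    for name, value in headers:
        if name.lower() in CHECKED_HEADERS and not location_allowed(tenant, value):
            continue      # the tenant tried to claim a resource outside its prefix
        kept.append((name, value))
    return kept
```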

Cached authentication credentials

Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1 does not provide a method for a server to direct clients to discard these cached credentials, which is a significant security risk.

There are several workarounds for parts of this problem, so the use of password-protected screen savers, idle time-outs, and other methods that mitigate the inherent security problems in this area is recommended.

Proxies and caching

HTTP proxies are intermediaries, and therefore present opportunities for man-in-the-middle attacks. Proxies have access to security-relevant information, personal information about individual users and organizations, and proprietary information belonging to users and content providers.

Proxy operators should protect the systems on which proxies run as they would protect any system that contains or transports sensitive information.

Caching proxies create additional vulnerabilities, since the contents of the cache represent an attractive target for malicious exploitation. Cache contents must therefore be protected as sensitive information.

According to Tutorialspoint
