30 Days of API Testing Day 18: Share an HTTP Header and explain its purpose
This is a simple HTTP header from a GET call in my project, using Katalon.
- The Content-Type entity header is used to indicate the media type of the resource.
- The Cookie HTTP request header contains stored HTTP cookies previously sent by the server with the Set-Cookie header.
I use this document https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers to learn about HTTP headers.
My sample HTTP header:

```http
GET /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
```
- First line:
  - Using method GET
  - Reading URL /hello.htm
  - Using HTTP version 1.1
- Second line: The User-Agent request-header field contains information about the user agent originating the request (see User Agent String explanation). This sample request uses the Firefox browser to send the request.
- Third line: The Host request-header field is used to specify the Internet host and the port number of the resource being requested.
- Fourth line: The Accept-Language request-header field restricts the set of natural languages that are preferred as a response to the request.
- Fifth line: The Accept-Encoding request-header field restricts the content-codings that are acceptable in the response.
- Sixth line: The Connection general-header field allows the sender to specify options that are desired for that particular connection and must not be communicated by proxies over further connections.
For more details about HTTP header fields, please refer here.
From our friends participating on Twitter:
I'd like to share some response headers. It's always interesting to read response headers and try to understand how the server responds to a request.
- Location: 1) identifies the URI to which the server asks the client to move; 2) the server provides information about the location of a newly created resource
- Vary: the list of request parameters that were taken into account by the server
- Allow: identifies the list of HTTP methods supported by the server (or resource)
In exercise 2 about POST OAuth 1.0 on Katalon, when the auth information is entered under Authorization and "Update to HTTP Header" is clicked, this information is generated into the HTTP Header tab as:
Name | Description |
---|---|
Type | Authorize type is Basic Auth or OAuth 1.0 or OAuth 2.0 |
Consumer Key | The API key associated with the application (Twitter, Facebook, etc.). This key (or "client ID", as Facebook calls it) is what identifies the client, which is a website/service that is trying to access an end-user's resources. |
Consumer Secret | The client's password that is used to authenticate with the authentication server, which is a Twitter/Facebook/etc. server that authenticates the client. |
Signature Method | A consumer's secret that establishes ownership of a given token. |
Token | What is issued to the client once the client successfully authenticates itself (using the consumer key & secret). This access token defines the privileges of the client (what data the client can and cannot access) |
Token Secret | The string sent with the access token as a password |
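As an added example (not from the post above and not Katalon's own code), this shows how the fields in that table combine into the Authorization header Katalon generates for OAuth 1.0: the consumer key, token, nonce and timestamp go into a signature base string (RFC 5849), the consumer secret and token secret form the HMAC-SHA1 key, and the resulting signature is added as oauth_signature. All keys, secrets and the example URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters are left as-is."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build METHOD&base-url&normalized-params as RFC 5849 section 3.4.1 requires.

    Query-string parameters and oauth_* parameters are merged, percent-encoded,
    sorted by key (then value) and joined; the whole list is then encoded once more.
    """
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    all_params = list(parse_qsl(parts.query, keep_blank_values=True)) + list(params)
    pairs = sorted((pct(k), pct(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign_hmac_sha1(base_string, consumer_secret, token_secret):
    """Signature Method HMAC-SHA1: key = consumer secret '&' token secret, base64 output."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth1_authorization_header(method, url, consumer_key, consumer_secret,
                                token, token_secret, body_params=(),
                                nonce=None, timestamp=None):
    """Return (Authorization header value, signature base string).

    body_params are the form-encoded POST parameters, if any; nonce and timestamp
    can be pinned for reproducible tests, otherwise fresh values are generated.
    """
    oauth_params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    base_string = signature_base_string(
        method, url, list(oauth_params.items()) + list(body_params))
    oauth_params["oauth_signature"] = sign_hmac_sha1(
        base_string, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in oauth_params.items())
    return header, base_string


if __name__ == "__main__":
    # Constructed placeholder credentials; a real consumer secret never appears in the header.
    header, base = oauth1_authorization_header(
        "GET", "https://api.example.com/items?q=a%20b",
        "ckey", "csecret", "tok", "tsecret", nonce="abc", timestamp=1000)
    print("Signature base string:", base)
    print("Authorization:", header)
```

Because the secrets are only used as the HMAC key, the server can recompute the same base string from the request it received and verify the signature without the secrets ever travelling in the header; a replayed or tampered request changes the base string and fails verification.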
- GET /home.do HTTP/1.1: GET method, URL /home.do, HTTP version 1.1
- Host: Host request-header field
- Connection: Connection general-header field; keep-alive is the default in HTTP/1.1
- Upgrade-Insecure-Requests: request header that sends a signal to the server expressing the client's preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests CSP directive
- User-Agent: request-header field that contains information about the user agent originating the request
- Accept: request-header field that can be used to specify certain media types which are acceptable for the response
- Accept-Encoding: request-header field similar to Accept, but restricts the content-codings that are acceptable in the response
- Accept-Language: request-header field similar to Accept, but restricts the set of natural languages that are preferred as a response to the request
- authority: the host/domain of the request
- method: HTTP method.
- path: relative path of content.
- accept: certain media types which are acceptable for the response.
- accept-encoding: similar to accept, but restricts the content-codings that are acceptable in the response
- accept-language: set of natural languages that are preferred as a response to the request
- content-length: the size of the entity-body, in decimal number of OCTETs, sent to the recipient or, in the case of the HEAD method, the size of the entity-body that would have been sent, had the request been a GET
- content-type: indicates the media type of the entity-body sent to the recipient
- cookie: contains a name/value pair of information stored for that URL
- user-agent: contains information about the user agent originating the request
I found some common HTTP headers to refer to:
- Common request headers
  - Authorization: The verification information used to verify the validity of a request. Usage scenario: non-anonymous requests
  - Content-Length: Content length of an HTTP request, which is defined in RFC2616. Usage scenario: requests that need to submit data to OSS
  - Content-Type: Content type of an HTTP request, which is defined in RFC2616. Usage scenario: requests that need to submit data to OSS
  - date: The GMT time stipulated in the HTTP 1.1 protocol, for example, Wed, 05 Sep. 2012 23:00:00 GMT
- Common response headers
  - Content-Length: Content length of an HTTP request, which is defined in RFC2616. Usage scenario: requests that need to submit data to OSS
  - Connection: The connection status between the client and the OSS server. Valid values: open or close
  - Date: The GMT time stipulated in the HTTP 1.1 protocol, for example, Wed, 05 Sep. 2012 23:00:00 GMT
  - Server: The server that generates the response.
- authority: the host/domain of the request
- method : POST method.
- path : relative path of content.
- accept : certain media types which are acceptable for the response.
- accept-encoding: similar to accept, but restricts the content-codings that are acceptable in the response
- accept-language : set of natural languages that are preferred as a response to the request
- content-length : the size of the entity-body, in decimal number of OCTETs, sent to the recipient or, in the case of the HEAD method, the size of the entity-body that would have been sent, had the request been a GET
- content-type : indicates the media type of the entity-body sent to the recipient
- cookie : contains a name/value pair of information stored for that URL
- user-agent: contains information about the user agent originating the request
- Form Data, timings: the response time from the API (milliseconds)
Did a little research on Referrer-Policy, which is a security header used to control how referral information is passed when navigating from one document to another (e.g. clicking links on a webpage). Scott Helme wrote a blog post that summarizes how this header works very nicely.
We can control how much and in which cases referral information is transmitted by specifying one of the following policies:
Policy | Referrer Directive |
---|---|
no-referrer | Never send the referrer URL |
no-referrer-when-downgrade | Send the referrer if the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) but don't send it to a less secure address (HTTPS→HTTP) |
origin | Send only the origin of the document (protocol, hostname and port number) |
origin-when-cross-origin | Send the full URL when doing same-origin requests; otherwise, send only the origin |
same-origin | Send the origin of the document when doing same-origin requests; otherwise, don't send a referrer |
strict-origin | Similar to origin but don't send a secure origin via HTTP |
strict-origin-when-cross-origin | Send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP) |
unsafe-url | Always send the full URL on any requests |
Mozilla's web doc on Referrer-Policy as well as W3C's page are two sources that go more in-depth in explaining this header.
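As an added example (not from the post above), the table can be turned into a small decision function: given a policy, the page the user is on and the link target, it returns the exact Referer value a browser would send, or None when nothing is sent. It also reproduces two details browsers apply regardless of policy: credentials and the fragment are stripped from a full referrer, and a bare origin is serialized with a trailing slash. The URLs in the test are constructed.

```python
from urllib.parse import urlsplit

POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
)


def _host_port(url):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host + (f":{parts.port}" if parts.port else "")


def origin_of(url):
    """Origin as it is sent in a Referer: scheme://host[:port]/ (userinfo dropped)."""
    return f"{urlsplit(url).scheme.lower()}://{_host_port(url)}/"


def full_referrer(url):
    """Full referrer: the fragment and any user:password part are always removed."""
    parts = urlsplit(url)
    query = f"?{parts.query}" if parts.query else ""
    return f"{parts.scheme.lower()}://{_host_port(url)}{parts.path or '/'}{query}"


def referrer_for(policy, source, destination):
    """Return the Referer value for a navigation from source to destination, or None."""
    if policy not in POLICIES:
        raise ValueError(f"unknown Referrer-Policy value: {policy}")
    src_scheme = urlsplit(source).scheme.lower()
    dst_scheme = urlsplit(destination).scheme.lower()
    # A downgrade is any move from an HTTPS page to a non-HTTPS destination.
    downgrade = src_scheme == "https" and dst_scheme != "https"
    same_origin = origin_of(source) == origin_of(destination)
    full, origin = full_referrer(source), origin_of(source)

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin":
        return None if downgrade else origin
    # strict-origin-when-cross-origin: the browser default when no policy is set
    if same_origin:
        return full
    return None if downgrade else origin


def referrer_table(source, destination):
    """Evaluate every policy for one navigation, useful when choosing a policy."""
    return {policy: referrer_for(policy, source, destination) for policy in POLICIES}


if __name__ == "__main__":
    # Constructed example: a shop page with an order id in the query string
    page = "https://shop.example.com/cart?order=7"
    for target in ("https://shop.example.com/checkout",
                   "https://pay.example.net/",
                   "http://tracker.example.org/"):
        print(target)
        for policy, value in referrer_table(page, target).items():
            print(f"  {policy:32} {value}")
```

Running it shows why the strict variants are the safe defaults: the order id in the query string reaches the payment provider only under no-referrer-when-downgrade, origin-when-cross-origin and unsafe-url, and the plain-HTTP tracker receives nothing unless unsafe-url is chosen.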
Here is an article with a large list of HTTP headers: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
The one that I want to show is the Content-Type.
The Content-Type entity header is used to indicate the media type of the resource.
In responses, a Content-Type header tells the client what the content type of the returned content actually is. Browsers will do MIME sniffing in some cases and will not necessarily follow the value of this header; to prevent this behavior, the header X-Content-Type-Options can be set to nosniff.
In requests (such as POST or PUT), the client tells the server what type of data is actually sent.
HSTS - HTTP Strict Transport Security
The HTTP Strict-Transport-Security
response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.
One of the many forgotten headers of companies.
Syntax:

```http
Strict-Transport-Security: max-age=<expire-time>
```
Example of why you need it:
You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you're using is actually a hacker's laptop, and they're intercepting your original HTTP request and redirecting you to a clone of your bank's site instead of the real thing. Now your private data is exposed to the hacker.
Strict Transport Security resolves this problem; as long as you've accessed your bank's web site once using HTTPS, and the bank's web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.
More info: HTTP Strict Transport Security - OWASP Cheat Sheet Series
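As an added example (not from the post above or from the OWASP cheat sheet), this models the two halves of the story just told: a parser for the Strict-Transport-Security directives with a check against the OWASP recommendation (a max-age of at least one year and includeSubDomains, which is this example's reading of the cheat sheet), and a minimal version of the browser's HSTS store showing that the header is only honoured over HTTPS, and that once the host is known every later http:// URL is rewritten to https:// before any request leaves the browser. Hostnames are constructed.

```python
import time
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the recommended minimum max-age


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into its directives (RFC 6797)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {val!r}")
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unrecognised directives are ignored, as the RFC requires
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


def hsts_findings(value):
    """Compare one header value with the recommended settings; empty list means fine."""
    try:
        policy = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid Strict-Transport-Security header: {exc}"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the host's HSTS entry")
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age={policy['max_age']} is below the recommended one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains stay reachable over plain HTTP")
    return findings


class HstsCache:
    """Minimal model of a browser's HSTS store (hypothetical, for illustration)."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries = {}  # host -> (expiry timestamp, include_subdomains)

    def record(self, response_url, header_value):
        """Learn a policy from a response; returns False if it had to be ignored."""
        parts = urlsplit(response_url)
        if parts.scheme.lower() != "https":
            return False  # RFC 6797: the header is only trusted over a secure transport
        policy = parse_hsts(header_value)
        host = (parts.hostname or "").lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)
        else:
            self._entries[host] = (self._now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has an unexpired entry."""
        labels, now = host.lower().split("."), self._now()
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url):
        """Rewrite an http:// URL to https:// when the host is a known HSTS host."""
        parts = urlsplit(url)
        if parts.scheme.lower() != "http" or not self.is_known(parts.hostname or ""):
            return url
        # port 80 maps to the default HTTPS port; other explicit ports are kept
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.record("https://bank.example/login", "max-age=31536000; includeSubDomains")
    print(cache.upgrade("http://bank.example/login"))        # now https://
    print(hsts_findings("max-age=3600"))                      # two findings
```

The first HTTPS visit is the weak point the post describes: the cache is empty until one genuine HTTPS response has been seen, which is why the preload directive and the browser preload lists exist.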
- In Chrome: Network > select request > Copy (this generates a numbered list)
- In Firefox: Network > select request > Copy > Copy Request Headers or Copy Response Headers (I found it easier to use Firefox)
```http
POST /api/graphql HTTP/1.1
Host: some-url.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://some-url.com/user/dashboard/
Content-Type: application/json
authorization: Bearer <token>
client-utc-offset: 660
x-correlation-id: 6l52cp7
Request-Id: |c0b3ae3247224e7e9f2ef83816fe089
Request-Context: appId=cid-v1:13a112ed-5d3f-4
traceparent: 00-c0b3ae3247224e7e9f2ef83811
Content-Length: 139
Origin: https://some-url.com
Connection: keep-alive
Cookie: _ga=GA1.2.515472801.1638159323;
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
```
Request headers explanation
HTTP headers are the core part of these HTTP requests and responses, and they carry information about the client browser, the requested page, the server, and more.
- Request headers contain more information about the resource to be fetched, or about the client requesting the resource.
- Response headers hold additional information about the response, like its location or about the server providing it.
- Payload headers contain representation-independent information about payload data, including content length and the encoding used for transport.
- Request URL: the url used to send the request
- Request Method: The "method" indicates what kind of request this is. The most common methods are GET, POST, and HEAD. In this case POST.
- The "path" /api/graphql is the part of the URL that comes after the host (domain).
- The protocol part contains HTTP and the version, which is in this case 1.1.
The remainder of the request contains HTTP headers as Name: Value pairs on each line. These contain various information about the HTTP request and your browser.
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0. Provides information on the browser version and the operating system you are using.
- Accept: application/json, text/plain, */*. Which content types the client can process; if the field is empty, these are all content types.
- Accept-Language: en-GB,en;q=0.5. Informs the server about the human language the server is expected to send back.
- Accept-Encoding: gzip, deflate, br. Which compressed formats the client supports.
- Referer: https://some-url.com/user/dashboard/. URL of the resource from which the request comes (i.e. from which the link was made).
- Content-Type: application/json. MIME type of the body; relevant for POST and PUT requests.
- authorization: Bearer. The HTTP Authorization request header can be used to provide credentials that authenticate a user agent with a server, allowing access to a protected resource.
  Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The name "Bearer authentication" can be understood as "give access to the bearer of this token." The bearer token is a cryptic string, usually generated by the server in response to a login request. The client must send this token in the Authorization header when making requests to protected resources.
  The Bearer authentication scheme was originally created as part of OAuth 2.0 in RFC 6750, but is sometimes also used on its own. Similarly to Basic authentication, Bearer authentication should only be used over HTTPS (SSL).
- client-utc-offset: 660. Seems like this value is used to provide information on the client timezone by giving the UTC offset.
- x-correlation-id: 6l52cp7. Correlates HTTP requests between a client and server.
- Request-Id: |c0b3ae3247224e7e9f2ef83816fe089. Correlates HTTP requests between a client and server.
- Request-Context: appId=cid-v1:13a112ed-5d3f-480
- traceparent: 00-c0b3ae3247224e7e9f2ef83816f-01. The traceparent header represents the incoming request in a tracing system in a common format.
- Content-Length: 139. Length of the request body.
- Origin: https://some-url.com. Indicates where a fetch originates from.
- Connection: keep-alive. Preferred type of connection. Controls how long a persistent connection should stay open.
- Cookie: _ga=GA1.2.515472801.1633; Cookie stored for this
- Sec-Fetch-Dest: empty. It is a request header that indicates the request's destination to a server. It is a Structured Header whose value is a token with possible values audio, audioworklet, document, embed, empty, font, image, manifest, object, paintworklet, report, script, serviceworker, sharedworker, style, track, video, worker, and xslt.
- Sec-Fetch-Mode: cors. It is a request header that indicates the request's mode to a server. It is a Structured Header whose value is a token with possible values cors, navigate, no-cors, same-origin, and websocket.
- Sec-Fetch-Site: same-origin. It is a request header that indicates the relationship between a request initiator's origin and its target's origin. It is a Structured Header whose value is a token with possible values cross-site, same-origin, same-site, and none.
Links:
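As an added example (not part of this post or the first post, and not from any tool mentioned in the thread), here is a small parser for a raw request of the kind copied out of Firefox above, followed by the server-side checks a reviewer would want on such a request: a resource isolation policy built on the Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest headers explained at the end of the post, a cross-check of Origin against Host, the Authorization scheme, and whether Content-Length matches the body actually received. The request text is constructed after the shape of the post's request with a placeholder token; the same parser handles the first post's GET sample.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# RFC 9110 token characters allowed in a header name; anything else is rejected
TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict  # lower-cased name -> value; repeated headers are joined with ", "
    body: str


def parse_request(raw):
    """Parse request line, headers and body from raw HTTP/1.1 text (CRLF or LF)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # empty names, whitespace before the colon and folded continuation lines are all invalid
        if not sep or not TOKEN.fullmatch(name):
            raise ValueError(f"malformed header line: {line!r}")
        key, value = name.lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return HttpRequest(parts[0], parts[1], parts[2], headers, body)


def fetch_metadata_allows(req):
    """Resource isolation policy: accept same-site traffic and top-level navigations only."""
    site = req.headers.get("sec-fetch-site")
    if site is None:
        return True  # policy choice: older clients send no fetch metadata, rely on other checks
    if site in ("same-origin", "same-site", "none"):
        return True
    # cross-site: allow only GET navigations that are not embedded via <object>/<embed>
    return (req.headers.get("sec-fetch-mode") == "navigate"
            and req.method == "GET"
            and req.headers.get("sec-fetch-dest") not in ("object", "embed"))


def audit_request(req):
    """Return a list of findings; an empty list means the request passed every check."""
    findings = []
    if not fetch_metadata_allows(req):
        findings.append("cross-site request rejected by the fetch metadata resource isolation policy")
    origin, host = req.headers.get("origin"), req.headers.get("host")
    if origin is not None and urlsplit(origin).netloc.lower() != (host or "").lower():
        findings.append(f"Origin {origin} does not match Host {host}")
    auth = req.headers.get("authorization")
    if auth is None:
        findings.append("no Authorization header on a request to a protected resource")
    elif not auth.startswith("Bearer "):
        findings.append("Authorization scheme is not Bearer")
    declared = req.headers.get("content-length")
    actual = len(req.body.encode())
    if declared is not None and (not declared.isdigit() or int(declared) != actual):
        findings.append(f"Content-Length {declared} does not match body length {actual}")
    return findings


# Constructed sample modelled on the request in the post; the token is a placeholder.
BODY = '{"query":"{ viewer { id } }"}'
SAMPLE_REQUEST = "\r\n".join([
    "POST /api/graphql HTTP/1.1",
    "Host: some-url.com",
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0",
    "Accept: application/json, text/plain, */*",
    "Content-Type: application/json",
    "authorization: Bearer <token-placeholder>",
    "x-correlation-id: 6l52cp7",
    f"Content-Length: {len(BODY.encode())}",
    "Origin: https://some-url.com",
    "Connection: keep-alive",
    "Sec-Fetch-Dest: empty",
    "Sec-Fetch-Mode: cors",
    "Sec-Fetch-Site: same-origin",
]) + "\r\n\r\n" + BODY

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req.method, req.target, req.version, "->", audit_request(req) or "ok")
    cross_site = parse_request(SAMPLE_REQUEST.replace("Sec-Fetch-Site: same-origin",
                                                      "Sec-Fetch-Site: cross-site"))
    print("cross-site variant ->", audit_request(cross_site))
```

The Sec-Fetch-* headers are set by the browser and cannot be overridden by page script, which is what makes them usable as a server-side allow-list; the Origin/Host comparison and the Content-Length check catch the remaining mismatches that a proxy or a hand-built client can introduce.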