30 Days of API Testing Day 18: HTTP headers

30 Days of API Testing Day 18: Share an HTTP Header and explain its purpose

This is a simple HTTP Header when calling the GET method from my project, using Katalon.

  • The Content-Type entity header is used to indicate the media type of the resource.
  • The Cookie HTTP request header contains stored HTTP cookies previously sent by the server with the Set-Cookie header.

I use this document https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers to learn HTTP Headers

4 Likes

My sample HTTP header:

GET /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

  • First line:
    • Using method GET
    • Read URL /hello.htm
    • Using HTTP version 1.1
  • Second line: User-Agent request-header field contains information about the user agent originating the request. User Agent String explanation. This sample request uses the Firefox browser to send the request.
  • Third line: The Host request-header field is used to specify the Internet host and the port number of the resource being requested.
  • Fourth line: The Accept-Language request-header field restricts the set of natural languages that are preferred as a response to the request.
  • Fifth line: The Accept-Encoding request-header field restricts the content-codings that are acceptable in the response.
  • Sixth line: The Connection general-header field allows the sender to specify options that are desired for that particular connection and must not be communicated by proxies over further connections.

For more details about HTTP - Header Fields please refer here

4 Likes

From our friends participating on Twitter:

2 Likes

I’d like to share some response headers. It’s always interesting to read response headers and try to understand how server responds to request.

Location - 1) identifies the URI to which the server asks the client to move. 2) the server provides information about the location of a newly created resource
Vary - the list of request parameters that were taken into account by the server
Allow - identifies the list of HTTP methods supported by the server (or resource).

1 Like

At exercise 2 about POST OAuth 1.0 on Katalon, when the auth information is entered at Authorization and ‘update to HTTP Header’ is clicked, this information is generated into the HTTP Header tab as:

  • Type: Authorize type is Basic Auth or OAuth 1.0 or OAuth 2.0
  • Consumer Key: The API key associated with the application (Twitter, Facebook, etc.). This key (or ‘client ID’, as Facebook calls it) is what identifies the client, which is a website/service that is trying to access an end-user’s resources.
  • Consumer Secret: The client’s password that is used to authenticate with the authentication server, which is a Twitter/Facebook/etc. server that authenticates the client.
  • Signature Method: A consumer’s secret that establishes ownership of a given token.
  • Token: What is issued to the client once the client successfully authenticates itself (using the consumer key & secret). This access token defines the privileges of the client (what data the client can and cannot access)
  • Token Secret: The string sent with the access token as a password


3 Likes
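The list above names the OAuth 1.0 fields Katalon moves into the header, but not how they combine. As an added example (not from the original post or from Katalon), the Python below signs a request with the HMAC-SHA1 method from RFC 5849: the consumer secret and token secret together form the signing key, the token identifies the client's grant, and the server recomputes the signature from the received header to verify it. All key, secret, token, nonce and URL values are constructed placeholders; a real server would additionally reject reused nonces and stale timestamps.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def pct(s) -> str:
    """RFC 3986 percent-encoding as RFC 5849 section 3.6 requires (only -._~ and alphanumerics unescaped)."""
    return quote(str(s), safe="-._~")


def normalize_params(params: dict) -> str:
    """Encode, sort by encoded key then value, and join (RFC 5849 section 3.4.1.3.2).
    Duplicate parameter names are collapsed here for brevity; the RFC allows them."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def base_string_uri(url: str) -> str:
    """scheme://host/path with query and fragment removed (RFC 5849 section 3.4.1.2)."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def signature_base_string(method: str, url: str, oauth_params: dict, body_params: dict = None) -> str:
    """METHOD & encoded(base URI) & encoded(normalized query + body + oauth_* params, minus the signature)."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params.update(body_params or {})
    params.update({k: v for k, v in oauth_params.items() if k != "oauth_signature"})
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(params))])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str) -> str:
    """Signing key is 'consumer_secret&token_secret' (both percent-encoded); output is base64 of the HMAC."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def build_authorization_header(method, url, consumer_key, consumer_secret, token, token_secret,
                               body_params=None, nonce=None, timestamp=None):
    """Client side: returns (Authorization header value, signature base string)."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, oauth, body_params)
    oauth["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    header = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return "OAuth " + header, base


def parse_authorization_header(value: str) -> dict:
    """Split 'OAuth k="v", k2="v2"' back into a decoded dict."""
    scheme, _, rest = value.partition(" ")
    if scheme != "OAuth":
        raise ValueError("not an OAuth 1.0 Authorization header")
    params = {}
    for item in rest.split(","):
        k, _, v = item.strip().partition("=")
        params[unquote(k)] = unquote(v.strip('"'))
    return params


def verify_signature(method, url, header_value, consumer_secret, token_secret, body_params=None) -> bool:
    """Server side: recompute the signature from the received parameters and compare in constant time."""
    received = parse_authorization_header(header_value)
    presented = received.pop("oauth_signature", "")
    if received.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    base = signature_base_string(method, url, received, body_params)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed placeholder values; nothing here belongs to a real provider.
    hdr, base = build_authorization_header(
        "POST", "https://api.example.com/v1/update?include_entities=true",
        "consumer-key-placeholder", "consumer-secret-placeholder",
        "token-placeholder", "token-secret-placeholder",
        body_params={"status": "Hello World!"}, nonce="nonce0001", timestamp=1318622958)
    print(base)
    print("Authorization:", hdr)
```

Because the signature covers the method, URI, query and body parameters, changing any of them after signing makes the server's recomputation fail; that is what distinguishes this scheme from simply sending the token secret as a password.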

GET /home.do HTTP/1.1 – GET method, URL /home.do, HTTP version 1.1
Host: Host request header field
Connection: Connection general-header field, and keep-alive is the default in HTTP/1.1
Upgrade-Insecure-Requests: request header sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests CSP directive.
User-Agent: request-header field contains information about the user agent originating the request
Accept: request-header field can be used to specify certain media types which are acceptable for the response
Accept-Encoding: request-header field is similar to Accept, but restricts the content-codings that are acceptable in the response
Accept-Language: request-header field is similar to Accept, but restricts the set of natural languages that are preferred as a response to the request

4 Likes

  • authority: the host/domain of the request
  • method: HTTP method.
  • path: relative path of content.
  • accept: certain media types which are acceptable for the response.
  • accept-encoding: similar to accept, but restricts the content-codings that are acceptable in the response
  • accept-language: set of natural languages that are preferred as a response to the request
  • content-length: the size of the entity-body, in decimal number of OCTETs, sent to the recipient or, in the case of the HEAD method, the size of the entity-body that would have been sent, had the request been a GET
  • content-type: indicates the media type of the entity-body sent to the recipient
  • cookie: contains a name/value pair of information stored for that URL
  • user-agent: contains information about the user agent originating the request
4 Likes

I found some common HTTP headers to refer

  • Common request headers

Authorization: The verification information used to verify the validity of a request.
Usage scenario: non-anonymous requests
Content-Length: Content length of an HTTP request, which is defined in RFC2616.
Usage scenario: requests that need to submit data to OSS
Content-Type: Content type of an HTTP request, which is defined in RFC2616.
Usage scenario: requests that need to submit data to OSS
date: The GMT time stipulated in the HTTP 1.1 protocol, for example, Wed, 05 Sep. 2012 23:00:00 GMT

  • Common response headers

Content-Length: Content length of an HTTP request, which is defined in RFC2616.
Usage scenario: requests that need to submit data to OSS
Connection: The connection status between the client and the OSS server.
Valid values: open or close
Date: The GMT time stipulated in the HTTP 1.1 protocol, for example, Wed, 05 Sep. 2012 23:00:00 GMT
Server: The server that generates the response.

3 Likes

  • authority : the host/domain of the request
  • method : POST method.
  • path : relative path of content.
  • accept : certain media types which are acceptable for the response.
  • accept-encoding: similar to accept, but restricts the content-codings that are acceptable in the response
  • accept-language : set of natural languages that are preferred as a response to the request
  • content-length : the size of the entity-body, in decimal number of OCTETs, sent to the recipient or, in the case of the HEAD method, the size of the entity-body that would have been sent, had the request been a GET
  • content-type : indicates the media type of the entity-body sent to the recipient
  • cookie : contains a name/value pair of information stored for that URL
  • user-agent : contains information about the user agent originating the request
    Form Data - timings: The response time from the API (milliseconds)
3 Likes

Did a little research on Referrer-Policy, which is a security header used to control how referral information is passed when navigating from one document to another (e.g. clicking links on a webpage). Scott Helme wrote a blog post that summarizes how this header works very nicely.

We can control how much and in which cases referral information is transmitted by specifying one of the following policies:

  • no-referrer: Never send the referrer URL
  • no-referrer-when-downgrade: Send the referrer if the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) but don’t send it to a less secure address (HTTPS → HTTP)
  • origin: Send only the origin of the document (protocol, hostname and port number)
  • origin-when-cross-origin: Send the full URL when doing same-origin requests; otherwise, send only the origin
  • same-origin: Send the origin of the document when doing same-origin requests; otherwise, don’t send a referrer
  • strict-origin: Similar to origin but don’t send a secure origin via HTTP
  • strict-origin-when-cross-origin: Send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP)
  • unsafe-url: Always send the full URL on any requests

Mozilla’s web doc on Referrer-Policy as well as W3C’s page are two sources that go more in-depth in explaining this header.
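The policy list above is easiest to check by running it. As an added example (not from the original post), the Python below decides, for each Referrer-Policy value, what a browser places in the Referer header for a given source and destination URL, following the definitions in the MDN and W3C pages the post links to. The URLs in the sample run are constructed; the downgrade test is simplified to "HTTPS source, non-HTTPS destination".

```python
from urllib.parse import urlsplit

# What browsers apply when a page sets no policy at all (Chrome 85+, Firefox 87+).
DEFAULT_POLICY = "strict-origin-when-cross-origin"
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """scheme://host[:port]; no path, query, fragment or credentials, default port omitted."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    if p.port is None or p.port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{p.port}"


def strip_for_referrer(url: str) -> str:
    """The 'full URL' a browser is willing to send: origin + path + query.
    Credentials and the fragment are removed under every policy."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return f"{origin_of(url)}{p.path or '/'}{query}"


def is_downgrade(source_url: str, destination_url: str) -> bool:
    """HTTPS -> HTTP. The spec speaks of 'potentially trustworthy' origins;
    this simplification treats https as trustworthy and everything else as not."""
    return (urlsplit(source_url).scheme.lower() == "https"
            and urlsplit(destination_url).scheme.lower() != "https")


def referrer_for(policy: str, source_url: str, destination_url: str):
    """Return the Referer value a browser sends from source_url to destination_url, or None for no header."""
    policy = (policy or DEFAULT_POLICY).strip().lower()
    same_origin = origin_of(source_url) == origin_of(destination_url)
    downgrade = is_downgrade(source_url, destination_url)
    full = strip_for_referrer(source_url)
    origin = origin_of(source_url)

    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin                      # note: the origin is sent even on a downgrade
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy value: {policy!r}")


if __name__ == "__main__":
    # Constructed URLs: a page with a secret-looking query string linking to three destinations.
    src = "https://user:pw@shop.example/orders?id=12345&reset=abc#top"
    for dest in ("https://shop.example/help", "https://partner.example/", "http://partner.example/"):
        print(dest)
        for pol in ("no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
                    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url"):
            print(f"  {pol:32} -> {referrer_for(pol, src, dest)}")
```

Running it shows why `unsafe-url` and `no-referrer-when-downgrade` are the ones to avoid when URLs carry identifiers or reset tokens: they are the only policies that hand the full path and query to a cross-origin site.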

Here is an article with a large list of HTTP Headers

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

The one that I want to show is the Content Type

The Content-Type entity header is used to indicate the media type of the resource.

In responses, a Content-Type header tells the client what the content type of the returned content actually is. Browsers will do MIME sniffing in some cases and will not necessarily follow the value of this header; to prevent this behavior, the header X-Content-Type-Options can be set to nosniff .

In requests, (such as POST or PUT ), the client tells the server what type of data is actually sent.

1 Like

HSTS - HTTP Strict Transport Security

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP.

One of the many forgotten headers of companies.

Syntax

Strict-Transport-Security: max-age=<expire-time>

Example of why you need it:

You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you’re using is actually a hacker’s laptop, and they’re intercepting your original HTTP request and redirecting you to a clone of your bank’s site instead of the real thing. Now your private data is exposed to the hacker.

Strict Transport Security resolves this problem; as long as you’ve accessed your bank’s web site once using HTTPS, and the bank’s web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

More info: HTTP Strict Transport Security - OWASP Cheat Sheet Series

1 Like
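The two posts above (Content-Type with `X-Content-Type-Options: nosniff`, and Strict-Transport-Security) describe response headers a tester can check on every reply. As an added example (not from either post or from OWASP), the Python below parses a raw response header block and reports which of those protections are missing or weak. The two sample responses are constructed; the one-year `max-age` threshold and the `includeSubDomains` check are assumptions taken from common HSTS guidance, not values stated in the posts.

```python
# Assumed threshold: one year, the minimum most HSTS guidance recommends.
MIN_HSTS_MAX_AGE = 31536000


def parse_response_headers(raw: str) -> dict:
    """Parse a raw response header block into {lowercase-name: [values]}. The status line is skipped
    and header names are compared case-insensitively, as HTTP requires."""
    headers = {}
    for line in raw.replace("\r\n", "\n").strip().split("\n"):
        if line.startswith("HTTP/") or not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; skip rather than fail the whole audit
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> dict:
    """Split 'max-age=31536000; includeSubDomains' into {directive-name: value}; names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_response_headers(raw: str) -> list:
    """Return a list of stable finding codes; an empty list means every check passed."""
    findings = []
    headers = parse_response_headers(raw)

    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("hsts-missing")
    else:
        d = parse_hsts(hsts[0])
        if not d.get("max-age", "").isdigit():
            findings.append("hsts-max-age-invalid")
        elif int(d["max-age"]) < MIN_HSTS_MAX_AGE:
            findings.append("hsts-max-age-short")
        if "includesubdomains" not in d:
            findings.append("hsts-no-include-subdomains")

    # Without an explicit Content-Type the browser is left to guess, and without nosniff it may guess anyway.
    if "content-type" not in headers:
        findings.append("content-type-missing")
    if not any(v.lower() == "nosniff" for v in headers.get("x-content-type-options", [])):
        findings.append("nosniff-missing")

    if "referrer-policy" not in headers:
        findings.append("referrer-policy-missing")
    return findings


# Constructed sample responses (not captured from any real server).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 05 Sep 2012 23:00:00 GMT\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 1234\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
)

if __name__ == "__main__":
    print("weak:    ", audit_response_headers(WEAK_RESPONSE))
    print("hardened:", audit_response_headers(HARDENED_RESPONSE))
```

The input is the text you get from the browser's Network tab via "Copy Response Headers", so the same function can be dropped into an API test to assert that the finding list is empty.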
  1. In Chrome > Network > select request > copy - generates numbered list
  2. In Firefox > Network > select request > Copy > Copy Request headers or Copy Response header (I found it easier to use Firefox)

POST /api/graphql HTTP/1.1
Host: some-url.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://some-url.com/user/dashboard/
Content-Type: application/json
authorization: Bearer <token> 
client-utc-offset: 660
x-correlation-id: 6l52cp7
Request-Id: |c0b3ae3247224e7e9f2ef83816fe089
Request-Context: appId=cid-v1:13a112ed-5d3f-4
traceparent: 00-c0b3ae3247224e7e9f2ef83811
Content-Length: 139
Origin: https://some-url.com
Connection: keep-alive
Cookie: _ga=GA1.2.515472801.1638159323; 
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Request headers explanation

HTTP headers are the core part of these HTTP requests and responses, and they carry information about the client browser, the requested page, the server, and more.

  • Request headers contain more information about the resource to be fetched, or about the client requesting the resource.

  • Response headers hold additional information about the response, like its location or about the server providing it.

  • Payload headers contain representation-independent information about payload data, including content length and the encoding used for transport.

  • Request URL: URL used to send the request

  • Request Method: The “method” indicates what kind of request this is. The most common methods are GET, POST, and HEAD. In this case POST

  • The “path” /api/graphql is the part of the URL that comes after the host (domain).

  • The protocol part contains HTTP and the version, which is in this case 1.1

The remainder of the request contains HTTP headers as Name: Value pairs on each line. These contain various information about the HTTP request and your browser.

  • User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:95.0) Gecko/20100101 Firefox/95.0 provides information on the browser version and the Operating System you are using
  • Accept: application/json, text/plain, */*. Which content types the client can process; if the field is empty, these are all content types.
  • Accept-Language: en-GB,en;q=0.5. Informs the server about the human language the server is expected to send back.
  • Accept-Encoding: gzip, deflate, br. Which compressed formats the client supports.
  • Referer: https://some-url.com/user/dashboard/ URL of the resource from which the request comes (i.e. from which the link was made)
  • Content-Type: application/json. MIME type of the body; relevant for POST and PUT requests
  • authorization: Bearer. The HTTP Authorization request header can be used to provide credentials that authenticate a user agent with a server, allowing access to a protected resource.

Bearer authentication (also called token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens. The name “Bearer authentication” can be understood as “give access to the bearer of this token.” The bearer token is a cryptic string, usually generated by the server in response to a login request. The client must send this token in the Authorization header when making requests to protected resources

The Bearer authentication scheme was originally created as part of OAuth 2.0 in RFC 6750, but is sometimes also used on its own. Similarly to Basic authentication, Bearer authentication should only be used over HTTPS (SSL).

  • client-utc-offset: 660. Seems like this value is used to provide information on the client timezone by giving the UTC offset
  • x-correlation-id: 6l52cp7. Correlates HTTP requests between a client and server
  • Request-Id: |c0b3ae3247224e7e9f2ef83816fe089. Correlates HTTP requests between a client and server.
  • Request-Context: appId=cid-v1:13a112ed-5d3f-480
  • traceparent: 00-c0b3ae3247224e7e9f2ef83816f-01. The traceparent header represents the incoming request in a tracing system in a common format
  • Content-Length: 139. Length of the request body
  • Origin: https://some-url.com. Indicates where a fetch originates from
  • Connection: keep-alive. Preferred type of connection. Controls how long a persistent connection should stay open
  • Cookie: _ga=GA1.2.515472801.1633; Cookie stored for this
  • Sec-Fetch-Dest: empty. It is a request header that indicates the request’s destination to a server. It is a Structured Header whose value is a token with possible values audio, audioworklet, document, embed, empty, font, image, manifest, object, paintworklet, report, script, serviceworker, sharedworker, style, track, video, worker, and xslt.
  • Sec-Fetch-Mode: cors. It is a request header that indicates the request’s mode to a server. It is a Structured Header whose value is a token with possible values cors, navigate, no-cors, same-origin, and websocket
  • Sec-Fetch-Site: same-origin. It is a request header that indicates the relationship between a request initiator’s origin and its target’s origin. It is a Structured Header whose value is a token with possible values cross-site, same-origin, same-site, and none

Links:

1 Like
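Both the GET sample earlier in the thread and the POST request copied from Firefox above are plain text in the same shape: a request line, then Name: Value pairs, a blank line, and an optional body. As an added example (not from any post in the thread), the Python below parses that text, looks headers up case-insensitively (the copied request spells `authorization` in lowercase), checks Content-Length against the body, and produces a copy safe to write to a test log, since the Bearer token and Cookie values discussed above grant access to whoever holds them. The GET sample is the one from the thread; the POST sample is constructed after the copied request, with placeholder token, cookie and body values.

```python
def parse_request(raw: str) -> dict:
    """Parse a raw HTTP/1.x request into method, target, version, ordered headers and body."""
    text = raw.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    headers = []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, sep, value = line.partition(":")   # split at the first colon only; values may contain colons
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def get_header(req: dict, name: str):
    """First value of a header, matched case-insensitively; None if absent."""
    name = name.lower()
    for n, v in req["headers"]:
        if n.lower() == name:
            return v
    return None


def bearer_token(req: dict):
    """The credential part of 'Authorization: Bearer <token>', or None for any other scheme."""
    value = get_header(req, "Authorization")
    if value is None:
        return None
    scheme, _, credentials = value.partition(" ")
    return credentials.strip() if scheme.lower() == "bearer" and credentials.strip() else None


def content_length_ok(req: dict) -> bool:
    """Declared Content-Length must equal the body size in bytes; no header means no body."""
    declared = get_header(req, "Content-Length")
    actual = len(req["body"].encode("utf-8"))
    if declared is None:
        return actual == 0
    return declared.isdigit() and int(declared) == actual


def redact_for_logging(req: dict) -> dict:
    """Copy of the request with credentials removed: auth schemes and cookie names are kept,
    their values and the body are not."""
    safe = []
    for name, value in req["headers"]:
        key = name.lower()
        if key in ("authorization", "proxy-authorization"):
            value = f"{value.split(' ', 1)[0]} <redacted>"
        elif key == "cookie":
            names = [c.strip().partition("=")[0] for c in value.split(";") if c.strip()]
            value = "; ".join(f"{n}=<redacted>" for n in names)
        safe.append((name, value))
    body_len = len(req["body"].encode("utf-8"))
    return {**req, "headers": safe, "body": f"<{body_len} bytes redacted>"}


def format_for_log(req: dict) -> str:
    lines = [f"{req['method']} {req['target']} {req['version']}"]
    lines += [f"{n}: {v}" for n, v in req["headers"]]
    return "\n".join(lines + ["", req["body"]])


# Sample 1: the GET request shared earlier in the thread.
GET_SAMPLE = "\r\n".join([
    "GET /hello.htm HTTP/1.1",
    "User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)",
    "Host: www.tutorialspoint.com",
    "Accept-Language: en-us",
    "Accept-Encoding: gzip, deflate",
    "Connection: Keep-Alive",
]) + "\r\n\r\n"

# Sample 2: constructed after the copied POST above; token, cookie and body are placeholders.
POST_BODY = '{"query":"{ viewer { id } }"}'
POST_SAMPLE = "\r\n".join([
    "POST /api/graphql HTTP/1.1",
    "Host: some-url.com",
    "Content-Type: application/json",
    "authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed-token",
    "Cookie: _ga=GA1.2.515472801.1638159323; session=constructed-session-id",
    "Origin: https://some-url.com",
    f"Content-Length: {len(POST_BODY.encode('utf-8'))}",
    "",
    POST_BODY,
])

if __name__ == "__main__":
    req = parse_request(POST_SAMPLE)
    print("bearer token present:", bearer_token(req) is not None, "| content-length ok:", content_length_ok(req))
    print(format_for_log(redact_for_logging(req)))
```

Logging the redacted form keeps the diagnostic value of the headers (which scheme, which cookies, which origin) while ensuring a leaked test log cannot be replayed against the API.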