30 Days of API Testing Day 18: HTTP headers


(Tu Anh Nguyen - KMS) #1

30 Days of API Testing Day 18: Share an HTTP Header and explain its purpose


(Tu Anh Nguyen - KMS) #2

This is a simple HTTP header when calling a GET method from my project, using Katalon.

  • The Content-Type entity header is used to indicate the media type of the resource.
  • The Cookie HTTP request header contains stored HTTP cookies previously sent by the server with the Set-Cookie header.

I use this document https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers to learn about HTTP headers.


(Duong) #3

My sample HTTP header:

GET /hello.htm HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.tutorialspoint.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

  • First line:
    • Using method GET
    • Read URL /hello.htm
    • Using HTTP version 1.1
  • Second line: The User-Agent request-header field contains information about the user agent originating the request. User Agent String explanation. This sample request uses the Firefox browser to send the request.
  • Third line: The Host request-header field is used to specify the Internet host and the port number of the resource being requested.
  • Fourth line: The Accept-Language request-header field restricts the set of natural languages that are preferred as a response to the request.
  • Fifth line: The Accept-Encoding request-header field restricts the content-codings that are acceptable in the response.
  • Sixth line: The Connection general-header field allows the sender to specify options that are desired for that particular connection and must not be communicated by proxies over further connections.

For more details about HTTP header fields, please refer here.
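To make the line-by-line reading above concrete, here is a small parser for that request head, added as an example (it is not code from the post). It splits the request line and header fields the way a server does and applies two checks a defender would expect: an HTTP/1.1 request without a Host header, or one carrying more than one Host or Content-Length field, is rejected as malformed (RFC 7230). The sample request is a constructed copy of the one above.

```python
import re

# Constructed copy of the sample request above, with CRLF line endings as sent on the wire
REQUEST = (
    "GET /hello.htm HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)\r\n"
    "Host: www.tutorialspoint.com\r\n"
    "Accept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 token: methods, field names

def parse_request_head(raw):
    """Return method, target, version, headers (lower-cased names) and body; raise on malformed input."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.fullmatch(r"([^ ]+) ([^ ]+) HTTP/(\d)\.(\d)", lines[0])
    if not m or not TOKEN.match(m.group(1)):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):  # no whitespace allowed between name and colon
            raise ValueError(f"malformed header line: {line!r}")
        key = name.lower()                     # field names are case-insensitive
        if key in headers and key in ("host", "content-length"):
            # RFC 7230: more than one Host, or conflicting Content-Length fields, must be rejected
            raise ValueError(f"duplicate {name} header")
        headers[key] = f"{headers[key]}, {value.strip()}" if key in headers else value.strip()
    version = (int(m.group(3)), int(m.group(4)))
    if version >= (1, 1) and "host" not in headers:
        raise ValueError("HTTP/1.1 requires a Host header")
    return {"method": m.group(1), "target": m.group(2), "version": version,
            "headers": headers, "body": body}

def check(raw):
    """None if the request head parses cleanly, otherwise the rejection reason."""
    try:
        parse_request_head(raw)
        return None
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    print(parse_request_head(REQUEST))
```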


(Heather) #4

From our friends participating on Twitter:


(Ilya Lychkou) #5

I’d like to share some response headers. It’s always interesting to read response headers and try to understand how the server responds to a request.

Location - 1) identifies the URI to which the server asks the client to move; 2) the server provides information about the location of a newly created resource
Vary - the list of request parameters that were taken into account by the server
Allow - identifies the list of HTTP methods supported by the server (or resource)


(Trang Ta) #6

In exercise 2 about POST with OAuth 1.0 on Katalon, when the auth information is entered under Authorization and ‘update to HTTP Header’ is clicked, this information is generated into the HTTP Header tab as:

  • Type: Authorize type is Basic Auth, OAuth 1.0 or OAuth 2.0
  • Consumer Key: The API key associated with the application (Twitter, Facebook, etc.). This key (or ‘client ID’, as Facebook calls it) is what identifies the client, which is a website/service that is trying to access an end-user’s resources.
  • Consumer Secret: The client’s password that is used to authenticate with the authentication server, which is a Twitter/Facebook/etc. server that authenticates the client.
  • Signature Method: A consumer’s secret that establishes ownership of a given token.
  • Token: What is issued to the client once the client successfully authenticates itself (using the consumer key & secret). This access token defines the privileges of the client (what data the client can and cannot access).
  • Token Secret: The string sent with the access token as a password


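Added example (not from the post and not Katalon’s own code) of how the fields in that table turn into an Authorization header: Consumer Key, Token and Signature Method travel in the header, while Consumer Secret and Token Secret only feed the HMAC-SHA1 signing key (RFC 5849). All key and token values used with it are constructed placeholders; verify_oauth1 shows the server-side check, which recomputes the signature and compares it in constant time.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def pct(value):
    # RFC 5849 3.6: percent-encode everything except unreserved characters
    return quote(str(value), safe="-._~")

def signature(method, url, params, consumer_secret, token_secret):
    # Base string = METHOD & enc(base URL) & enc(sorted encoded params, query string included)
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = sorted((pct(k), pct(v)) for k, v in [*parse_qsl(parts.query), *params.items()])
    base = "&".join([method.upper(), pct(base_url), pct("&".join(f"{k}={v}" for k, v in pairs))])
    # Signing key = enc(Consumer Secret) & enc(Token Secret); neither secret ever goes on the wire
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def oauth1_header(method, url, consumer_key, consumer_secret, token, token_secret,
                  nonce=None, timestamp=None):
    # Value of the Authorization header built from the table's fields (Signature Method = HMAC-SHA1)
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(8),  # unique per request, so a captured header cannot be replayed
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = signature(method, url, oauth, consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))

def parse_oauth_header(value):
    # Inverse of the above: 'OAuth k="v", ...' -> dict of decoded parameters
    items = (p.split("=", 1) for p in value[len("OAuth "):].split(", "))
    return {k: unquote(v.strip('"')) for k, v in items}

def verify_oauth1(method, url, value, consumer_secret, token_secret):
    # Server side: recompute the signature over the received parameters and compare in constant time
    params = parse_oauth_header(value)
    received = params.pop("oauth_signature", "")
    expected = signature(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(received, expected)
```

A real server additionally rejects a nonce it has already seen and a timestamp outside a short window; that, not the signature alone, is what stops a captured header from being replayed.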

(Thao) #7

GET /home.do HTTP/1.1 – GET method, URL /home.do, HTTP version 1.1
Host: Host request header field
Connection: Connection general-header field, and keep-alive is the default in HTTP/1.1
Upgrade-Insecure-Requests: request header sends a signal to the server expressing the client’s preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests CSP directive.
User-Agent: request-header field contains information about the user agent originating the request
Accept: request-header field can be used to specify certain media types which are acceptable for the response
Accept-Encoding: request-header field is similar to Accept, but restricts the content-codings that are acceptable in the response
Accept-Language: request-header field is similar to Accept, but restricts the set of natural languages that are preferred as a response to the request


(Tuan Tran) #8

  • authority: the host/domain of the request
  • method: HTTP method.
  • path: relative path of content.
  • accept: certain media types which are acceptable for the response.
  • accept-encoding: similar to accept, but restricts the content-codings that are acceptable in the response
  • accept-language: set of natural languages that are preferred as a response to the request
  • content-length: the size of the entity-body, in decimal number of OCTETs, sent to the recipient or, in the case of the HEAD method, the size of the entity-body that would have been sent, had the request been a GET
  • content-type: indicates the media type of the entity-body sent to the recipient
  • cookie: contains a name/value pair of information stored for that URL
  • user-agent: contains information about the user agent originating the request

(Thanh) #9

I found some common HTTP headers to refer to:

  • Common request headers

Authorization: The verification information used to verify the validity of a request.
Usage scenario: non-anonymous requests
Content-Length: Content length of an HTTP request, which is defined in RFC2616.
Usage scenario: requests that need to submit data to OSS
Content-Type: Content type of an HTTP request, which is defined in RFC2616.
Usage scenario: requests that need to submit data to OSS
date: The GMT time stipulated in the HTTP 1.1 protocol, for example, Wed, 05 Sep. 2012 23:00:00 GMT

  • Common response headers

Content-Length: Content length of an HTTP request, which is defined in RFC2616.
Usage scenario: requests that need to submit data to OSS
Connection: The connection status between the client and the OSS server.
Valid values: open or close
Date: The GMT time stipulated in the HTTP 1.1 protocol, for example, Wed, 05 Sep. 2012 23:00:00 GMT
Server: The server that generates the response.


(KMS Nam Nguyen) #10

  • authority : the host/domain of the request
  • method : POST method.
  • path : relative path of content.
  • accept : certain media types which are acceptable for the response.
  • accept-encoding: similar to accept, but restricts the content-codings that are acceptable in the response
  • accept-language : set of natural languages that are preferred as a response to the request
  • content-length : the size of the entity-body, in decimal number of OCTETs, sent to the recipient or, in the case of the HEAD method, the size of the entity-body that would have been sent, had the request been a GET
  • content-type : indicates the media type of the entity-body sent to the recipient
  • cookie : contains a name/value pair of information stored for that URL
  • user-agent : contains information about the user agent originating the request
    Form Data - timings: The response time from the API (milliseconds)

(Felipe) #11

Did a little research on Referrer-Policy, which is a security header used to control how referral information is passed when navigating from one document to another (e.g. clicking links on a webpage). Scott Helme wrote a blog post that summarizes how this header works very nicely.

We can control how much and in which cases referral information is transmitted by specifying one of the following policies:

  • no-referrer: Never send the referrer URL
  • no-referrer-when-downgrade: Send the referrer if the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) but don’t send it to a less secure address (HTTPS→HTTP)
  • origin: Send only the origin of the document (protocol, hostname and port number)
  • origin-when-cross-origin: Send the full URL when doing same-origin requests; otherwise, send only the origin
  • same-origin: Send the origin of the document when doing same-origin requests; otherwise, don’t send a referrer
  • strict-origin: Similar to origin but don’t send a secure origin via HTTP
  • strict-origin-when-cross-origin: Send a full URL when performing a same-origin request, only send the origin when the protocol security level stays the same (HTTPS→HTTPS), and send no header to a less secure destination (HTTPS→HTTP)
  • unsafe-url: Always send the full URL on any requests

Mozilla’s web doc on Referrer-Policy as well as W3C’s page are two sources that go more in-depth in explaining this header.
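As an added example (not from the post), the function below applies each policy listed above to a source and destination URL and returns the Referer value a browser would send, following the W3C algorithm (note that for same-origin the spec sends the full stripped URL on same-origin navigations). It treats only https URLs as secure, strips credentials and fragments as browsers do, and leaked_path flags the cases where the destination learns the path or query, not just the origin. All URLs in the checks are constructed.

```python
from urllib.parse import urlsplit

def origin(url):
    # scheme + host + port, with any credentials dropped
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}"

def strip_for_referrer(url):
    # Browsers never put userinfo or the fragment into Referer
    p = urlsplit(url)
    return p._replace(netloc=p.netloc.rsplit("@", 1)[-1], fragment="").geturl()

def is_secure(url):
    # Simplified "potentially trustworthy" check: https only (ignores localhost, file:, etc.)
    return urlsplit(url).scheme == "https"

def referrer_for(policy, source, target):
    """Referer value sent when navigating from source to target under policy, or None for no header."""
    same_origin = origin(source) == origin(target)
    downgrade = is_secure(source) and not is_secure(target)   # HTTPS -> HTTP
    full = strip_for_referrer(source)
    origin_only = origin(source) + "/"          # a serialized origin always carries a trailing slash
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin_only
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":   # default in current browsers
        if same_origin:
            return full
        return None if downgrade else origin_only
    if policy == "unsafe-url":
        return full
    raise ValueError(f"unknown Referrer-Policy: {policy!r}")

def leaked_path(policy, source, target):
    """True when the destination learns more than the source origin (path or query details)."""
    ref = referrer_for(policy, source, target)
    return ref is not None and ref != origin(source) + "/"
```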