HTTP and Server communication - rahul7838/quora.clone GitHub Wiki
HTTP Response Structure

- Status Line (protocol version, status code and reason phrase, e.g. `HTTP/1.1 200 OK`)
- Headers (one `Name: value` pair per line)
- Empty Line (marks the end of the header block)
- Response Body (optional; its length is given by Content-Length or by Transfer-Encoding: chunked)
Common HTTP Response Headers
General Headers
Date: Current date and time
Connection: Type of connection (keep-alive, close)
Cache-Control: Directives for caching mechanisms
Transfer-Encoding: How the body is framed on the wire (e.g., chunked); a response must not carry both Transfer-Encoding and Content-Length
Response Headers
Server: Information about the server software (version details are commonly stripped to avoid advertising exploitable versions)
Content-Type: Type of the returned content (e.g., text/html, application/json)
Content-Length: Length of the response body in bytes
Location: Used for redirections
Access-Control-Allow-Origin: Which origins may read this response from cross-origin script (CORS)
Set-Cookie: Sets cookies in the browser (mark them Secure, HttpOnly and SameSite where possible)
Security Headers
Strict-Transport-Security: Tells the browser to reach this host only over HTTPS for max-age seconds
X-Content-Type-Options: Prevents MIME type sniffing
X-Frame-Options: Controls if the page can be embedded in frames
Content-Security-Policy: Defines content sources that browser can load
X-XSS-Protection: Legacy browser XSS filter (deprecated; see below)
Example response:

```http
HTTP/1.1 200 OK
Date: Mon, 25 Mar 2024 12:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: application/json
Content-Length: 66
Cache-Control: no-cache
Access-Control-Allow-Origin: *

{ "message": "Success", "data": { "id": 123, "name": "Example" } }
```

The empty line separates the headers from the body. Content-Length must equal the exact byte count of the body (66 bytes here), and a response must never carry both Content-Length and Transfer-Encoding: disagreement between two framing mechanisms is what HTTP request smuggling exploits. `Access-Control-Allow-Origin: *` makes the body readable by any origin; browsers refuse to combine it with credentialed requests, so use it only for public data, and never reflect the request's Origin header together with `Access-Control-Allow-Credentials: true`.
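As an added example (not code from the quora.clone project), the Node.js parser below splits a raw HTTP/1.1 response into the four parts listed above and reports the framing problems a proxy or client cares about: a Content-Length that does not match the body, a repeated or non-numeric Content-Length, or Content-Length sent together with Transfer-Encoding. The two sample responses are constructed here, the first mirroring the response shown above; the function name parseHttpResponse is my own.

```javascript
// Added example, not part of the quora.clone wiki or code base.
// Splits a raw HTTP/1.1 response into status line, headers, empty line and body,
// and flags framing inconsistencies that intermediaries reject or attackers exploit.

function parseHttpResponse(raw) {
  // The empty line (CRLF CRLF) is the only separator between headers and body.
  const sep = raw.indexOf("\r\n\r\n");
  if (sep === -1) throw new Error("no empty line terminating the header block");
  const head = raw.slice(0, sep);
  const body = raw.slice(sep + 4);

  const [statusLine, ...headerLines] = head.split("\r\n");
  const m = /^HTTP\/(\d\.\d) (\d{3})(?: (.*))?$/.exec(statusLine);
  if (!m) throw new Error(`malformed status line: ${statusLine}`);

  // Header names are case-insensitive; repeats are kept as a list so that a
  // duplicated Content-Length stays visible instead of silently overwriting.
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(":");
    if (i <= 0) throw new Error(`malformed header line: ${line}`);
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }

  const warnings = [];
  const cl = headers["content-length"];
  const bodyBytes = Buffer.byteLength(body, "utf8");
  if (cl) {
    if (cl.length > 1 || !/^\d+$/.test(cl[0])) {
      warnings.push("ambiguous Content-Length (repeated or non-numeric)");
    } else if (Number(cl[0]) !== bodyBytes) {
      warnings.push(`Content-Length ${cl[0]} does not match body of ${bodyBytes} bytes`);
    }
    if (headers["transfer-encoding"]) {
      warnings.push("Content-Length and Transfer-Encoding both present (smuggling risk)");
    }
  }

  return {
    version: m[1],
    status: Number(m[2]),
    reason: m[3] || "",
    headers,
    body,
    bodyBytes,
    warnings,
  };
}

// Constructed sample mirroring the response shown above (66-byte JSON body).
const SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Date: Mon, 25 Mar 2024 12:00:00 GMT",
  "Server: Apache/2.4.41 (Ubuntu)",
  "Content-Type: application/json",
  "Content-Length: 66",
  "Cache-Control: no-cache",
  "Access-Control-Allow-Origin: *",
  "",
  '{ "message": "Success", "data": { "id": 123, "name": "Example" } }',
].join("\r\n");

// Constructed sample with inconsistent framing: two Content-Length values plus
// Transfer-Encoding, the shape that HTTP request/response smuggling relies on.
const SMUGGLED_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Content-Length: 5",
  "Content-Length: 66",
  "Transfer-Encoding: chunked",
  "",
  "hello",
].join("\r\n");

if (typeof require !== "undefined" && require.main === module) {
  for (const raw of [SAMPLE_RESPONSE, SMUGGLED_RESPONSE]) {
    const r = parseHttpResponse(raw);
    console.log(r.status, r.reason, r.headers["content-type"], r.warnings);
  }
}
```

Run it with `node` to see the first response parse cleanly and the second produce two warnings. Keeping repeated headers as a list rather than "last one wins" is the deliberate choice here: collapsing them is exactly how a front-end proxy and a back-end server end up disagreeing about where one message ends and the next begins.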
Important Status Code Categories
1xx: Informational
2xx: Success
3xx: Redirection
4xx: Client Error
5xx: Server Error
Security Headers
These headers protect a web application against different classes of browser-side attack; each one is described below along with the values that matter.
The X-Content-Type-Options header is the defense against MIME type sniffing. Set to "nosniff", it tells the browser to honour the Content-Type you declared instead of inspecting the bytes and guessing a type. Without it, a user-uploaded file served as text/plain or as an image can be sniffed as HTML or script and executed inside your origin; with it, the browser also refuses to execute a script, or apply a stylesheet, whose declared MIME type is wrong (a `<script src>` that resolves to a text/plain response is simply not run). Send it on every response, not only on downloads, and make sure the Content-Type values you declare are accurate, since nosniff only helps when the declared type is right.
The X-Frame-Options header controls whether your page may be embedded in a frame on another site. This is the defense against clickjacking, where a malicious page loads your legitimate site in an invisible frame and tricks the user into clicking on it. The useful values are "DENY" (no framing at all) and "SAMEORIGIN" (only pages from the same origin may frame it). The third value, "ALLOW-FROM uri", was never widely implemented and is ignored by current browsers; to allow specific sites to frame your content, use the CSP frame-ancestors directive instead, which browsers also honour in preference to X-Frame-Options when both are present. Sending X-Frame-Options plus frame-ancestors covers both old and new browsers.
Content-Security-Policy (CSP) is the most comprehensive of these controls: a policy of directives that tells the browser which sources it may load and execute for each kind of resource (scripts, styles, images, fonts, frames and more). For example:

```http
Content-Security-Policy: default-src 'self'; script-src 'self' trusted-scripts.com; img-src *
```

This tells the browser to load resources only from the page's own origin by default, to accept scripts from that origin and from trusted-scripts.com, and to allow images from any host. Because the policy contains no 'unsafe-inline', inline `<script>` blocks, javascript: URLs and on* event-handler attributes are blocked as well, and that is what makes CSP effective against XSS: an injected script tag pointing at an attacker's host, or an injected inline handler, does not run. A host allowlist is only as strong as the weakest resource that host serves (an old library copy or a JSONP endpoint on trusted-scripts.com can be used to bypass it), so nonces or hashes are preferred over host names for script-src, and a wildcard such as `img-src *` is best narrowed to the hosts actually used.
The X-XSS-Protection header controlled the reflected-XSS auditor that older browsers shipped. That filter has been removed from Chrome and Edge and was never implemented in Firefox, and it created problems of its own: it could be abused to leak information about the page or to selectively disable legitimate scripts. Current guidance is therefore to send `X-XSS-Protection: 0` (or omit the header entirely) and to rely on CSP together with context-aware output encoding for XSS defense. The value "1; mode=block" is still common in the wild and is harmless in browsers that ignore it, but it should be treated as a legacy setting, not as a safety net.
These headers work together as layered defenses. A baseline set for an HTML response, including the HSTS header listed earlier:

```http
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com; frame-ancestors 'self'; object-src 'none'
X-XSS-Protection: 0
```
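As an added example (not part of the quora.clone project), the Node.js snippet below does two things: applySecurityHeaders sets a baseline like the one above on any object with a setHeader method (a Node http.ServerResponse or an Express res), and auditSecurityHeaders checks an arbitrary header map for the weaknesses discussed in this section: missing nosniff, no clickjacking protection, obsolete ALLOW-FROM, a CSP that permits inline or wildcard scripts, a legacy X-XSS-Protection value, and missing or short-lived HSTS. The CDN host, the function names and the LEGACY_HEADERS sample are constructed for illustration.

```javascript
// Added example, not code from the quora.clone project: apply a baseline
// security-header set and audit a header map for the weaknesses described above.

// Assumed baseline; the CDN host is a placeholder.
const BASELINE_HEADERS = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self' https://trusted-cdn.com; frame-ancestors 'self'; object-src 'none'",
  "X-XSS-Protection": "0",
};

// Works with anything exposing setHeader(name, value), e.g. http.ServerResponse.
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(BASELINE_HEADERS)) res.setHeader(name, value);
  return res;
}

// Turns "a 'self'; b x y" into { a: ["'self'"], b: ["x", "y"] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Returns a list of findings; an empty list means the map passes every check.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  if (h["x-content-type-options"] !== "nosniff") {
    findings.push("missing X-Content-Type-Options: nosniff");
  }

  const csp = h["content-security-policy"] ? parseCsp(h["content-security-policy"]) : null;
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  const framingOk = (csp && csp["frame-ancestors"]) || xfo === "DENY" || xfo === "SAMEORIGIN";
  if (!framingOk) {
    findings.push("no clickjacking protection (X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors)");
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    findings.push("X-Frame-Options ALLOW-FROM is obsolete; use CSP frame-ancestors");
  }

  if (!csp) {
    findings.push("missing Content-Security-Policy");
  } else {
    // script-src falls back to default-src when absent.
    const scriptSrc = csp["script-src"] || csp["default-src"];
    if (!scriptSrc) {
      findings.push("CSP has neither script-src nor default-src");
    } else if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes("*")) {
      findings.push("CSP script-src allows inline or wildcard scripts");
    }
  }

  if (h["x-xss-protection"] && h["x-xss-protection"] !== "0") {
    findings.push("X-XSS-Protection enables the legacy filter; set it to 0 or drop it");
  }

  const hsts = /max-age=(\d+)/.exec(h["strict-transport-security"] || "");
  if (!hsts) findings.push("missing Strict-Transport-Security");
  else if (Number(hsts[1]) < 31536000) findings.push("HSTS max-age below one year");

  return findings;
}

// Constructed sample: the header set discussed above, with the legacy XSS value.
const LEGACY_HEADERS = {
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy": "default-src 'self'; script-src 'self' https://trusted-cdn.com",
  "X-XSS-Protection": "1; mode=block",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("baseline:", auditSecurityHeaders(BASELINE_HEADERS));
  console.log("legacy:", auditSecurityHeaders(LEGACY_HEADERS));
}
```

Auditing LEGACY_HEADERS yields two findings (the legacy X-XSS-Protection value and the missing HSTS header) while the baseline yields none. The audit accepts CSP frame-ancestors as an alternative to X-Frame-Options because browsers prefer it, and it flags any X-XSS-Protection value other than 0 rather than rewarding "1; mode=block".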