Httpwtf?
HTTP has hidden features like cache directives, trailers for metadata, and 1XX codes. Websockets bypass CORS, X-* headers allow custom extensions. Despite quirks, HTTP is vital for client-server communication.
HTTP is a crucial part of modern development, but it harbors some lesser-known features and quirks. For instance, the "no-cache" directive does not prevent caching, contrary to its name, while "private" restricts caching to end-client browsers only. Misused cache-control headers can cause sensitive data to be stored, as happened in Twitter's mishap with private messages. HTTP trailers allow appending metadata after the message body, which protocols such as gRPC rely on. HTTP also supports 1XX codes, such as 100 for interim responses and 101 for protocol switching, the latter commonly used to set up websockets. Notably, websockets bypass CORS restrictions, which can expose vulnerabilities. Using X-* headers for custom extensions in HTTP requests is common practice, with examples like X-Shenanigans and X-Requested-With. Despite its quirks, HTTP remains a foundational technology, carrying communication and data exchange between clients and servers.
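The no-cache/private quirk in the summary comes down to which Cache-Control directives actually forbid storage and which only govern reuse. As an added example (not code from the HTTP/WTF article or any project it mentions), this Python classifier states what a browser cache and a shared cache may do with a response under the standard directive semantics, plus a defender-side check to run over headers of endpoints that return private data; the `flag_sensitive_response` helper and its messages are my own construction.

```python
"""Classify how HTTP caches may treat a response from its Cache-Control header.

Added example; directive semantics follow the standard rules (only no-store
forbids storage; private excludes shared caches; no-cache forces revalidation).
Responses with no directives are treated as "may be stored" under default heuristics.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CacheVerdict:
    private_cache_may_store: bool     # end-client browser cache
    shared_cache_may_store: bool      # CDN / proxy cache
    reuse_without_revalidation: bool  # stored copy may be served without asking the origin


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split 'a, b=1, c="x"' into {'a': None, 'b': '1', 'c': 'x'} (names lowercased)."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def classify(cache_control: str) -> CacheVerdict:
    d = parse_cache_control(cache_control)
    if "no-store" in d:                       # the only directive that forbids storing
        return CacheVerdict(False, False, False)
    shared_ok = "private" not in d            # private: browser caches only
    # no-cache permits storing, but every reuse must first be revalidated with the origin
    return CacheVerdict(True, shared_ok, "no-cache" not in d)


def flag_sensitive_response(headers: Dict[str, str]) -> List[str]:
    """Hypothetical defender check for a response known to carry user-private data."""
    cc = next((v for k, v in headers.items() if k.lower() == "cache-control"), "")
    verdict = classify(cc)
    findings: List[str] = []
    if verdict.private_cache_may_store:
        findings.append("may be written to the browser's disk cache: add 'no-store'")
    if verdict.shared_cache_may_store:
        findings.append("may be stored by shared caches: add 'private' or 'no-store'")
    if "no-cache" in parse_cache_control(cc) and verdict.private_cache_may_store:
        findings.append("'no-cache' only forces revalidation; it does not prevent storage")
    return findings
```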
Related
Timeliness without datagrams using QUIC
The debate between TCP and UDP for internet applications emphasizes reliability and timeliness. UDP suits real-time scenarios like video streaming, while QUIC with congestion control mechanisms ensures efficient media delivery.
Trailer (As Opposite to HTTP Header)
The Trailer response header in HTTP allows senders to add extra fields at the end of chunked messages for metadata like integrity checks. TE header must be set to "trailers" to enable this feature, enhancing data transmission security.
Htmx does not play well with content security policy
HTMX, a JavaScript framework, presents security challenges due to its handling of HTML tags and external script loading. Despite some security features, HTMX usage raises HTML injection risks, complicating full security implementation.
Mozilla has relaunched HTTP Observatory under MDN
The HTTP Observatory on MDN Web Docs provides a free tool to scan websites for HTTP header security, aiding developers in assessing and enhancing website security to protect against threats.
Universal Code Execution by Chaining Messages in Browser Extensions
Researchers demonstrate universal code execution in browser extensions by exploiting messaging APIs, bypassing security measures. Vulnerabilities in extensions can compromise millions of users, allowing access to sensitive data and enabling arbitrary command execution.
Instead of

    HTTP/1.1 103 Early Hints
    Link: foo ...
    Link: bar ...
    <...time-consuming processing...>
    HTTP/1.1 200 OK
    Baz: boo
    <... actual response...>

what stops you from doing

    HTTP/1.1 200 OK
    Link: foo ...
    Link: bar ...
    <...time-consuming processing...>
    Baz: boo
    <... actual response...>

?

The only actual new functionality I see is that you can send the "early hints" headers before having to commit to a status code for the response. Is that it?
It would make certain types of processing simpler and lighter, being able to stream SSR bodies as they are constructed rather than all at once at the end.