http_headers.md


# HTTP Headers

> HTTP headers let the client and the server pass additional information with a
> message in a request or response.

[HTTP Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers)

### Question: Where exactly are HTTP headers stored?

HTTP headers are not stored in one permanent place; they live briefly in memory
at each hop (browser, proxies, server) as part of the HTTP message being sent or
received. What does reach disk is state derived from them: cookies, cache entries,
server configuration and access logs.

#### Client side:

The browser builds the HTTP request message in its process memory and writes it
to the socket (after TLS encryption, for HTTPS); the request itself is never
written to disk. The browser does persist some header-derived state: values from
Set-Cookie go into its cookie jar, and cached responses are stored on disk together
with their headers (ETag, Last-Modified, Cache-Control) so they can be revalidated
later.

#### Server side:

The web server process (apache2, nginx, node.js) reads the TCP stream and parses
out the HTTP headers for your web app to use. The configuration that tells the
server which headers to add (Apache config, nginx config, .htaccess) does live on
disk, but each actual header that goes to the client is ephemeral, generated on
the fly in memory for each response. Request headers also reach disk indirectly
through access logs: the common "combined" log format of both Apache and nginx
records Referer and User-Agent for every request.

#### Proxy and Cache:

CDNs, reverse proxies and the browser's own cache store whole HTTP messages
(headers and body) in memory or on disk for reuse. A cached response is replayed
to later clients with its original headers, so a response that carries Set-Cookie
or was produced for one user's Authorization must be marked `Cache-Control:
private` or `no-store` (with `Vary` set appropriately), or a shared cache will hand
it to someone else.
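The server-side and proxy paragraphs above describe headers being "parsed out" of a TCP stream into memory. The following is an added example (not code from the original notes) of exactly that step: a minimal HTTP/1.1 response parser that turns a constructed byte string into an in-memory structure, keeps repeated headers such as Set-Cookie separate, and refuses the ambiguous framing (malformed field names, Content-Length together with Transfer-Encoding) that request-smuggling attacks rely on. `SAMPLE_RESPONSE` is constructed for the example, not a real capture.

```python
"""Minimal HTTP/1.1 response parser (added example, not from the original notes).

A server, proxy or browser receives only a byte stream; the header block becomes
a data structure in that process's memory and exists nowhere else until a cache
or cookie jar chooses to persist it. SAMPLE_RESPONSE is constructed for this
example, not a real capture.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample response, as it would arrive on the socket.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: session=abc123; HttpOnly; Secure\r\n"
    b"Set-Cookie: theme=dark\r\n"
    b"content-length: 12\r\n"
    b"\r\n"
    b"<p>hello</p>"
)


@dataclass
class HttpResponse:
    version: str
    status: int
    reason: str
    # Header names are case-insensitive (RFC 9110), so keys are stored lower-cased.
    # Values are a list: some headers (Set-Cookie) legitimately repeat and must not
    # be merged into one comma-joined string.
    headers: dict[str, list[str]] = field(default_factory=dict)
    body: bytes = b""

    def get(self, name: str) -> str | None:
        """First value of a header, looked up case-insensitively."""
        values = self.headers.get(name.lower())
        return values[0] if values else None


def parse_response(raw: bytes) -> HttpResponse:
    """Parse one complete response; raise ValueError if more bytes are needed or the
    framing is malformed (a lenient parser here is how request smuggling starts)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block: no CRLFCRLF seen yet")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {lines[0]!r}")
    resp = HttpResponse(version=parts[0], status=int(parts[1]),
                        reason=parts[2] if len(parts) == 3 else "")
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Reject whitespace around the field name (obsolete line folding and
        # "Name : value"); RFC 9112 requires this, and parsers that disagree on
        # such lines are exactly what smuggling attacks exploit.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        resp.headers.setdefault(name.decode("ascii").lower(), []).append(
            value.decode("latin-1").strip()
        )
    # Ambiguous body framing must be rejected, not guessed.
    if len(resp.headers.get("content-length", [])) > 1:
        raise ValueError("multiple Content-Length headers: ambiguous framing")
    if "transfer-encoding" in resp.headers:
        if "content-length" in resp.headers:
            raise ValueError("both Transfer-Encoding and Content-Length: ambiguous framing")
        raise ValueError("chunked decoding is not implemented in this example")
    length = resp.get("Content-Length")
    if length is not None:
        n = int(length)
        if len(rest) < n:
            raise ValueError("body truncated: need more bytes from the stream")
        resp.body = rest[:n]
    else:
        resp.body = rest  # no framing header: body runs to end of connection
    return resp


if __name__ == "__main__":
    r = parse_response(SAMPLE_RESPONSE)
    print(r.status, r.headers, r.body)
```

Everything the parser produces lives in `resp`, a Python object on the heap; dropping it is the end of the headers unless the caller copies them into a log line, a cache entry or a cookie store.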

# HTTP Security Headers

[HTTP Security Headers: A complete guide to HTTP headers](https://www.darkrelay.com/post/http-security-headers)

[Analyze your headers](https://securityheaders.com/)

- Access-Control-Allow-Origin: which origins may read a cross-origin response (CORS). Never reflect an arbitrary `Origin` together with `Access-Control-Allow-Credentials: true`.

- Content-Type: the media type (and charset) of the body. A wrong or missing value invites MIME sniffing.

- Content-Security-Policy (CSP): restricts where scripts, styles, frames and other resources may load from; the primary mitigation for XSS. Its `frame-ancestors` directive also replaces X-Frame-Options.

- Cross-Origin-Embedder-Policy: `require-corp` or `credentialless`; together with COOP it makes the page cross-origin isolated (required for SharedArrayBuffer).

- Cross-Origin-Resource-Policy: `same-origin` / `same-site` / `cross-origin`; stops other origins from loading this resource at all.

- Cross-Origin-Opener-Policy: `same-origin` puts the page in its own browsing context group, so cross-origin openers lose their `window.opener` reference.

- Set-Cookie: `Secure`, `HttpOnly`, `SameSite` and the `__Host-` prefix are the attributes that matter for session cookies.

- Strict-Transport-Security (HSTS): `max-age`, `includeSubDomains`, `preload`; browsers only honour it on a response received over HTTPS.

- Referrer-Policy: `strict-origin-when-cross-origin` is the modern browser default; use `no-referrer` for pages whose URLs carry secrets.

- X-Content-Type-Options: `nosniff`, so the browser trusts Content-Type instead of guessing.

- X-Frame-Options: `DENY` or `SAMEORIGIN` against clickjacking; kept for old browsers, superseded by CSP `frame-ancestors`.

- X-XSS-Protection: legacy browser filter (removed from Chromium, never implemented in Firefox); if sent at all, send `0`.

- X-Permitted-Cross-Domain-Policies: `none`; only relevant to Flash/Acrobat crossdomain.xml loading.

- Cache-Control: `no-store` on responses carrying personal or session-specific data so proxies and the browser cache do not keep them.

- X-Powered-By: pure version disclosure; remove it (and trim detailed `Server` values).

- Public-Key-Pins (HPKP): deprecated and removed from all major browsers; do not deploy.
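The list above is what a tool such as securityheaders.com checks for. As an added example (not code from the original notes and not that site's scanner), the following audits a response's headers offline: it takes a header-name-to-values mapping, applies the checks the list implies (HSTS present and long-lived, CSP present and without `'unsafe-inline'`/`'unsafe-eval'`, `nosniff`, clickjacking protection, `Referrer-Policy`, `X-XSS-Protection` only ever `0`, no `X-Powered-By`/`Server` disclosure, no HPKP, cookie flags) and returns a list of findings. The one-year HSTS threshold and the two sample header sets are this example's own assumptions.

```python
"""Security-header audit (added example, not from the original notes or from
securityheaders.com). Input is a mapping of header name -> list of values;
output is a list of findings, empty when every check passes. MIN_HSTS_MAX_AGE
and the two sample header sets at the bottom are this example's assumptions.
"""
from __future__ import annotations

import re

MIN_HSTS_MAX_AGE = 31_536_000  # one year; assumed threshold, matches preload guidance


def _get(headers: dict[str, list[str]], name: str) -> list[str]:
    """Case-insensitive lookup returning every value for the header."""
    return [v for k, vs in headers.items() if k.lower() == name.lower() for v in vs]


def audit_security_headers(headers: dict[str, list[str]]) -> list[str]:
    findings: list[str] = []

    hsts = _get(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age below one year")
        if "includesubdomains" not in hsts[0].lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    csp = " ".join(_get(headers, "Content-Security-Policy")).lower()
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        # Coarse heuristic: a nonce or hash source makes browsers ignore
        # 'unsafe-inline', but flag it anyway so a human reads the policy.
        findings.append("Content-Security-Policy contains 'unsafe-inline' or 'unsafe-eval'")

    if [v.strip().lower() for v in _get(headers, "X-Content-Type-Options")] != ["nosniff"]:
        findings.append("X-Content-Type-Options is not 'nosniff'")

    xfo = [v.strip().upper() for v in _get(headers, "X-Frame-Options")]
    if "frame-ancestors" not in csp and xfo not in (["DENY"], ["SAMEORIGIN"]):
        findings.append("no clickjacking protection (CSP frame-ancestors or X-Frame-Options)")

    if not _get(headers, "Referrer-Policy"):
        findings.append("Referrer-Policy missing")

    # Legacy filter: modern browsers ignore it and its 'mode=block' introduced
    # side channels; the only safe value, if sent at all, is 0.
    for v in _get(headers, "X-XSS-Protection"):
        if v.strip() != "0":
            findings.append("X-XSS-Protection should be '0' or absent")

    for name in ("X-Powered-By", "Server"):
        if _get(headers, name):
            findings.append(f"{name} discloses software version/stack")

    if _get(headers, "Public-Key-Pins"):
        findings.append("Public-Key-Pins is deprecated and ignored by browsers; remove it")

    for cookie in _get(headers, "Set-Cookie"):
        cookie_name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"Set-Cookie {cookie_name} lacks {flag}")
    return findings


# Constructed sample: the kind of headers a default framework setup emits.
WEAK_HEADERS: dict[str, list[str]] = {
    "Content-Type": ["text/html"],
    "X-Powered-By": ["Express"],
    "X-XSS-Protection": ["1; mode=block"],
    "Set-Cookie": ["session=abc123"],
}

# Constructed sample: the same response with the headers from the list above set.
HARDENED_HEADERS: dict[str, list[str]] = {
    "Content-Type": ["text/html; charset=utf-8"],
    "Strict-Transport-Security": ["max-age=63072000; includeSubDomains; preload"],
    "Content-Security-Policy": ["default-src 'self'; frame-ancestors 'none'; object-src 'none'"],
    "X-Content-Type-Options": ["nosniff"],
    "Referrer-Policy": ["strict-origin-when-cross-origin"],
    "Set-Cookie": ["__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["ok"])
```

Run against a live site by feeding it the headers from `http.client` or `requests` (grouping repeated `Set-Cookie` values into a list rather than letting the client library join them); the CSP check is deliberately coarse and is there to prompt a manual read of the policy, not to replace one.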