Software Security
Last updated 3 years ago

HTTP

Hypertext Transfer Protocol (HTTP) is an application layer protocol used to transmit data between a web client and a web server. The client issues a request and waits for a response from the server. The server can only send data in response to a request.

HTTP is a stateless protocol, which means that the server has no way of knowing that two subsequent requests are related, even if they arrive over the same connection. To the server, each request is independent of every other request. This is problematic: imagine a server that maintains a shopping basket but cannot link one request to the next.

While the core of HTTP is stateless, servers are able to bundle requests into sessions thanks to other technologies such as HTTP cookies. A shopping basket is part of a session, the session is given a session identifier, and this identifier is stored in an HTTP cookie that the client sends back with each subsequent request.

The fact that a server can only respond to a client after the client has issued a request is an important limitation. Today this is sometimes circumvented by using WebSockets, a technology that makes two-way communication between client and server possible (https://developer.mozilla.org/en-US/docs/Web/API/WebSockets_API).
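As an added example (not part of the original page or the course material), the following Python models the mechanism described above: every request is handled on its own, and the only thing linking a request to an earlier one is the session identifier the server issued in a cookie. The request text, the `/basket/add/` route, the cookie name `sid` and the cookie attributes are assumptions made for the example.

```python
from __future__ import annotations
import secrets
from http.cookies import SimpleCookie

# Server-side session store: session id -> shopping basket. Nothing in a
# request itself says which basket it belongs to; only the cookie does.
SESSIONS: dict[str, list[str]] = {}

def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, target, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def handle(raw: str) -> tuple[str, str, list[str]]:
    """Handle one request in isolation; return (response head, sid, basket).

    The server never remembers the client: it only recognises a session id
    that it minted earlier and that comes back in the Cookie header.
    """
    method, target, headers = parse_request(raw)
    cookie = SimpleCookie(headers.get("cookie", ""))
    sid = cookie["sid"].value if "sid" in cookie else None
    set_cookie = ""
    if sid not in SESSIONS:
        # No cookie, or an id the server never issued: start a fresh session
        # with an unguessable id (assumed cookie name and attributes).
        sid = secrets.token_urlsafe(32)
        SESSIONS[sid] = []
        set_cookie = f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax\r\n"
    basket = SESSIONS[sid]
    if method == "POST" and target.startswith("/basket/add/"):
        basket.append(target.rsplit("/", 1)[1])
    head = f"HTTP/1.1 200 OK\r\n{set_cookie}Content-Type: text/plain\r\n\r\n"
    return head, sid, list(basket)

def demo() -> tuple[bool, list[str], list[str]]:
    """Constructed requests: two without a cookie are unrelated sessions;
    replaying the issued sid links a later request to the first basket."""
    req = "POST /basket/add/{} HTTP/1.1\r\nHost: shop.example\r\n{}\r\n"
    _, sid1, _ = handle(req.format("apple", ""))
    _, sid2, second = handle(req.format("pear", ""))
    _, _, linked = handle(req.format("pear", f"Cookie: sid={sid1}\r\n"))
    return sid1 == sid2, second, linked
```

`demo()` returns `(False, ['pear'], ['apple', 'pear'])`: the two cookie-less requests land in different baskets, while the request that carries the first session's cookie extends the first basket.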

Source attribution

Some parts of this page are based on "HTTP" and "An overview of HTTP" by Mozilla Contributors, which is licensed under CC-BY-SA 2.5.