We’ve secured what we can at build time. Now we enter a maze of twisty little passages, seeking security at runtime.
Just as a little SMTP knowledge aids understanding of email-security issues, a little background on HTTP and URLs improves knowledge of web security.
Every exchange between a web client and server is defined by the Hypertext Transfer Protocol (HTTP). HTTP 1.0 was the first widely used version, but it had some shortcomings. Most of these were addressed with HTTP 1.1, the current version that is almost universal. HTTP 1.1 is defined in RFC 2616 (that definition has since been revised and split into RFCs 7230 through 7235, and again into RFCs 9110 through 9112, but the request and response format described here is unchanged).
The web client makes HTTP requests, and the web server responds. Web browsers hide much of the data exchange, such as MIME types, cache settings, content negotiation, timestamps, and other details. Other clients, such as a web spider or the command-line tool curl, offer much more control over the exchange and let you see the raw text that passes in each direction.
An HTTP request begins with a request line of the form

    Method URI HTTP-Version\r\n

Methods include OPTIONS, GET, HEAD, POST, PUT, TRACE, DELETE, and CONNECT. Some methods have a corresponding URI format (for example, OPTIONS may use a bare "*" in place of a path, and CONNECT takes an authority of the form host:port).
This line may be followed by request header lines containing information about the client, the host, authorization, and other things. These lines may be followed by a message body. The web server returns a header and an optional body, depending on the request.
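The request format described above, as an added example that is not part of the original text: a strict parser for a single HTTP/1.1 request, written here to show where the request line, header lines, and optional body begin and end. The sample request is constructed for the example, not captured from any server, and the strictness choices (rejecting a bare LF, requiring Host on HTTP/1.1, refusing conflicting Content-Length values and chunked bodies) are this example's own policy, not something the text above prescribes.

```python
"""Strict parser for one HTTP/1.0 or HTTP/1.1 request, per RFC 2616 section 5."""
import re

# The request methods named in RFC 2616 section 5.1.1.
METHODS = {"OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"}

# Request-Line = Method SP Request-URI SP HTTP-Version CRLF
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
# message-header = field-name ":" [ field-value ]; field-name is a token
HEADER_LINE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$")


class HTTPParseError(ValueError):
    """Raised for anything that is not a well-formed request."""


def parse_request(raw: bytes) -> dict:
    """Split raw bytes into method, URI, version, headers and body.

    Rejects malformed input instead of guessing; an ambiguous length or
    line ending is treated as an error, not repaired.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HTTPParseError("header block not terminated by CRLF CRLF")
    lines = head.split(b"\r\n")
    if any(b"\n" in line for line in lines):
        raise HTTPParseError("bare LF inside request head")
    try:
        text = [line.decode("ascii") for line in lines]
    except UnicodeDecodeError:
        raise HTTPParseError("non-ASCII byte in request head")

    m = REQUEST_LINE.match(text[0])
    if not m:
        raise HTTPParseError(f"malformed Request-Line: {text[0]!r}")
    method, uri = m.group(1), m.group(2)
    version = (int(m.group(3)), int(m.group(4)))
    if method not in METHODS:
        raise HTTPParseError(f"unknown method {method}")
    if version not in ((1, 0), (1, 1)):
        raise HTTPParseError(f"unsupported version HTTP/{version[0]}.{version[1]}")

    headers = {}
    for line in text[1:]:
        h = HEADER_LINE.match(line)
        if not h:
            raise HTTPParseError(f"malformed header line: {line!r}")
        name, value = h.group(1).lower(), h.group(2)
        if name == "content-length":
            # Two Content-Length headers with different values are ambiguous;
            # this example refuses them rather than picking one.
            if name in headers and headers[name] != value:
                raise HTTPParseError("conflicting Content-Length headers")
            headers[name] = value
        elif name in headers:
            # RFC 2616 4.2: repeated headers combine as a comma-separated list
            headers[name] = headers[name] + ", " + value
        else:
            headers[name] = value

    if version == (1, 1) and "host" not in headers:
        raise HTTPParseError("HTTP/1.1 request without Host header")  # RFC 2616 14.23

    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise HTTPParseError("non-numeric Content-Length")
        n = int(headers["content-length"])
        if len(body) < n:
            raise HTTPParseError(f"body truncated: expected {n} bytes, got {len(body)}")
        body = body[:n]
    elif "transfer-encoding" in headers:
        raise HTTPParseError("chunked bodies are not handled by this example")
    else:
        body = b""  # no length given, so no body

    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}


def is_well_formed(raw: bytes) -> bool:
    """Convenience wrapper: True if parse_request accepts the bytes."""
    try:
        parse_request(raw)
        return True
    except HTTPParseError:
        return False


# Constructed sample request (not a capture from any real client or server).
SAMPLE = (b"POST /cgi-bin/form HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"User-Agent: curl/7.0\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 13\r\n"
          b"\r\n"
          b"name=ferret&x")

if __name__ == "__main__":
    req = parse_request(SAMPLE)
    print(req["method"], req["uri"], req["version"], req["headers"]["host"], req["body"])
```

Running `curl -v` against any server prints exactly this text (request line, headers, blank line, body) for the request, and the server's status line and headers for the response, which is the easiest way to see what a browser normally hides.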
There are security implications with the type of URLs you use. Since the protocol is text, ...