Web application security - the fast guide 1.1 | Page 30

Chapter 2 - Web Application technologies

Content-Type and Content-Length: refer to the HTML contents contained in the response body and to the length of the body part of the message in bytes.

Set-Cookie: sets the name and value of a cookie that will be sent to the browser and resent afterwards with each request to this server.

Connection: tells HTTP whether to keep the TCP connection alive for additional messages or to close it.

2.2.3 Different HTTP methods:

As you saw in the previous example, we used the GET method to retrieve a resource from the server. Several other methods are available; the most common are:

POST: GET and POST are the most used methods. While GET sends the name of the requested resource in the header along with the other parameters, POST sends the information in the body part. POST therefore helps to send information without disclosing it in the address bar, as GET does, and it additionally allows sending larger amounts of data, noting that most web servers limit the size of the header to less than 20K.

HEAD: like the GET method, but it does not return any body part in the response.

TRACE: works as an echo method, where the response contains the exact same contents as the request message. It is mainly used for diagnostic purposes.

OPTIONS: returns a response listing the HTTP methods allowed for a specific resource.

PUT: uploads a resource to the server. This method can be a main source of attack if activated, so it should be carefully controlled.

2.2.4 Cookies:

The cookie mechanism is HTTP's way to overcome the stateless nature of the protocol: it allows the server to store information on the client machine by sending a Set-Cookie header in a response; the browser then sends this name/value pair back to the server with every request to the same domain.

More control can be applied over this mechanism using different attributes: the Expires attribute sets the expiration date of the cookie, the Domain attribute sets the domain in which the cookie is valid, the Path attribute sets the exact path where the cookie is valid, and the Secure attribute restricts the cookie to being sent only over HTTPS.
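The difference between GET and POST described in section 2.2.3, and the advice to keep methods such as PUT and TRACE under control, can be made concrete with a small request parser. The following Python is an added example written for this guide and is not code from the book: it splits a raw HTTP/1.1 request into its request line, headers and body, shows where GET and POST each carry their parameters, checks the method against an allow-list, and flags sensitive field names that appear in the query string (and therefore in the address bar and server logs). The two sample requests, the host name `shop.example`, the allow-list and the list of sensitive field names are all constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests (not captured from a real server).
GET_REQUEST = (
    "GET /search?q=shoes&page=2 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

POST_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 31\r\n"
    "\r\n"
    "username=alice&password=hunter2"
)

# Methods this hypothetical application chooses to serve; PUT and TRACE are
# deliberately absent, following the text's advice to control them.
ALLOWED_METHODS = {"GET", "POST", "HEAD", "OPTIONS"}

# Constructed list of parameter names that should never travel in a query string.
SENSITIVE_FIELDS = {"password", "token", "session", "secret"}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers, query and form data."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    # GET carries its parameters in the request line (the query string)...
    query = {k: v[0] for k, v in parse_qs(url.query).items()}
    # ...while POST carries them in the body, bounded by Content-Length.
    length = int(headers.get("content-length", "0"))
    body = body[:length]
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body).items()}
    return {"method": method, "path": url.path, "version": version,
            "headers": headers, "query": query, "form": form}


def method_allowed(method: str) -> bool:
    """Allow-list check: any method not listed (PUT, TRACE, ...) is refused."""
    return method in ALLOWED_METHODS


def sensitive_in_query(request: dict) -> list:
    """Names of sensitive fields found in the query string, i.e. exposed in the address bar."""
    return sorted(k for k in request["query"] if k.lower() in SENSITIVE_FIELDS)


if __name__ == "__main__":
    for raw in (GET_REQUEST, POST_REQUEST):
        req = parse_request(raw)
        verdict = "allowed" if method_allowed(req["method"]) else "refused"
        print(req["method"], req["path"], verdict)
        print("  query:", req["query"], " form:", req["form"])
        print("  sensitive in query:", sensitive_in_query(req))
```

Running the block shows the GET request's parameters landing in `query` and the POST request's credentials landing in `form`, which is exactly why a login form should use POST. The allow-list is the simplest way to apply the "carefully controlled" advice for PUT: a method that is not on the list is refused before any handler runs.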
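The cookie attributes listed in section 2.2.4 are decisions the browser makes on every request. The following Python is an added example, not code from the book: it parses a Set-Cookie header value into its name, value and the Expires, Domain, Path and Secure attributes, then applies each attribute to decide whether a stored cookie is sent on a given request URL and builds the resulting Cookie header. The host names (`www.example.com`, `shop.example.com`), cookie names and dates are constructed for the example; the matching rules follow the behaviour the text describes, with the extra check that a server may only set a Domain that is its own host or a parent of it.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

COOKIE_DATE = "%a, %d %b %Y %H:%M:%S GMT"  # date format used by the Expires attribute


def parse_set_cookie(header: str, origin_host: str) -> dict:
    """Parse one Set-Cookie header value received in a response from origin_host."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    origin_host = origin_host.lower()
    cookie = {"name": name.strip(), "value": value.strip(), "origin": origin_host,
              "domain": None, "path": "/", "expires": None, "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie["expires"] = datetime.strptime(val, COOKIE_DATE).replace(tzinfo=timezone.utc)
        elif key == "domain":
            domain = val.lstrip(".").lower()
            # A server may only scope a cookie to its own host or a parent domain.
            if not (origin_host == domain or origin_host.endswith("." + domain)):
                raise ValueError(f"Domain={domain} is not a parent of {origin_host}")
            cookie["domain"] = domain
        elif key == "path":
            cookie["path"] = val or "/"
        elif key == "secure":
            cookie["secure"] = True
    return cookie


def should_send(cookie: dict, url: str, now: datetime) -> bool:
    """Apply the Expires, Secure, Domain and Path rules to one request URL."""
    url_parts = urlsplit(url)
    host = (url_parts.hostname or "").lower()
    path = url_parts.path or "/"
    if cookie["expires"] is not None and now >= cookie["expires"]:
        return False                                    # expired
    if cookie["secure"] and url_parts.scheme != "https":
        return False                                    # Secure: HTTPS only
    if cookie["domain"] is None:
        if host != cookie["origin"]:                    # no Domain: host-only cookie
            return False
    elif not (host == cookie["domain"] or host.endswith("." + cookie["domain"])):
        return False                                    # outside the Domain scope
    cookie_path = cookie["path"]
    prefix = cookie_path if cookie_path.endswith("/") else cookie_path + "/"
    if not (path == cookie_path or path.startswith(prefix)):
        return False                                    # outside the Path scope
    return True


def build_cookie_header(jar: list, url: str, now: datetime) -> str:
    """Assemble the Cookie request header from every stored cookie that applies to url."""
    return "; ".join(f"{c['name']}={c['value']}" for c in jar if should_send(c, url, now))


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed "current" time
    jar = [
        parse_set_cookie("sessionid=abc123; Domain=example.com; Path=/account; Secure; "
                         "Expires=Wed, 01 Jan 2025 00:00:00 GMT", "www.example.com"),
        parse_set_cookie("theme=dark", "www.example.com"),
    ]
    for url in ("https://www.example.com/account", "http://www.example.com/account",
                "https://shop.example.com/cart", "https://evil.com/account"):
        print(url, "->", repr(build_cookie_header(jar, url, now)))
```

The demo at the bottom shows why the Secure attribute matters for a session cookie: the same `sessionid` is attached over HTTPS but withheld over plain HTTP, and the Domain and Path checks keep it away from unrelated hosts and paths. The host-only `theme` cookie (no Domain attribute) is sent only back to `www.example.com`, not to sibling hosts.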