# HTTP ## [Statuses great link](https://www.loggly.com/wp-content/uploads/2015/06/http-decision-diagram.png) ## Cookies ![Set-cookie](http://www.plantuml.com/plantuml/svg/BOwnJiOm48FtF8KtOFXVe09KYOKHYOuieJ4qehqhTvVszObKLd_MPuyUsQ9jQxg3CswpwaybzA0TbMUQrqe9FDuwjHvYWD5t5MSI3SBgzn83xdMFgfBN1tm8NgVf3GjpeGruxzgNIzlHqpC-JK-dOJRceEFQTAYXw9Qh-7-nEGkguAj5CyBus-ZXAQMHKlhfFm00) \ `Set-Cookie: =[; =] [; expires=][; domain=] [; path=][; secure][; HttpOnly]` ```java if (max-age AND expiry) { use max-age } ``` **Default**: cookie is associated with the *location of current document* (**domain** as well as **path**). **Best practices:** * Cookie security: manage cookie scope ### Secure (Security) ```java if (HTTPS && cookie_has_Secure_attribute) { transmit_cookie() } if (HTTP && cookie_has_Secure_attribute) { do_not_transmit_cookie } ``` ### HttpOnly (Security) A cookie can be set and used over HTTP, but also **directly** on the web browser **via JavaScript**. ```java if (XSS_breach && CSP_did_not_help) { if (cookie_has_HttpOnly_flag) { JS_can_not_access_cookie break; } inject_Malicious_JS() access_Cookie_Value() } ``` ### First-party and third-party ```java if (cookie.domain == browser_address_bar) => first_party cookie if (cookie.domain != browser_address_bar) => third_party cookie ``` ### SameSite (security) Useful links [ONE](https://web.dev/samesite-cookie-recipes/) [TWO](https://digiday.com/media/what-is-chrome-samesite/) [THREE](https://web.dev/samesite-cookies-explained/) [Spec](https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00). `SameSite` allows you to declare if your cookie should be restricted to a first-party or same-site context. Preventing Cross Site Request Forgery (CSRF). ```java Set-Cookie: CookieName=CookieValue; SameSite=Strict; Set-Cookie: CookieName=CookieValue; SameSite=Lax; ``` (If the user is on `www.web.dev` and requests an image from `static.web.dev` then that is a **same-site** request. `your-project.github.com` and `my-project.github.com` are **separate** sites. If the user is on `your-project.github.io` and requests an image from `my-project.github.io` that's a **cross-site** request.). * **`SameSite = Strict`** => the cookies will be sent only in first-party context (only if `cookie.site == browser_url_bar.site` ). * For example, if you click on a link that points to a Facebook profile page, and if Facebook.com has set its cookie as SameSite=Strict, you cannot continue navigation on Facebook (view the Facebook page) unless you log in to Facebook again. The reason for this is because Facebook\`s cookie was not sent by this request. * **`SameSite = Lax`** => the cookie will be sent along with the **GET** request initiated by third party website (this request must cause top level navigation). * Resources can be loaded by iframe, img tags, and script tags. These requests can also operate as GET requests, but none of them cause TOP LEVEL navigation. Basically, they don't change the URL in your address bar. Because these GET requests do not cause a TOP LEVEL navigation, thus cookies set to Lax won't be sent with them. * | **Request Type** | **Example Code** | **Cookies sent** | | ---------------- | ---------------------------------- | ---------------- | | Link | \\ | Normal, Lax | | Perender | \ | Normal, Lax | | Form GET | \
| Normal, Lax | | Form POST | \ | Normal | | iframe | \ | Normal | | AJAX | $.get("...") | Normal | | Image | \ | Normal | * **`SameSite = None`** => you intentionally want the cookie sent in a third-party context. **When** the SameSite=**None** attribute is present, an additional **Secure** attribute **must be used** so cross-site cookies can only be accessed over HTTPS connections. This **won’t mitigate** all **risks** associated with **cross-site access** **but** it will provide **protection against network attacks**. * \-------------------------------- ![](/files/-LzCrPma_5OIHW2CUAcL) ``` if (cookie.domain == external_service && cookie.domain != address_bar) { cross-site } ``` ![](/files/-LzBkI2tXE7hWf0MDSsS) ![](/files/-LzBkVVX7njffk9pJV5Z) :warning:**Chrome, Since 02.2020**: `SameSite=Lax` as default. Only cookies `SameSite=None; Secure` are available for external access. * Chrome implements these behavior as of version 80. [Firefox](https://groups.google.com/d/msg/mozilla.dev.platform/nx2uP0CzA9k/BNVPWDHsAQAJ) has them available to test as of Firefox 69 and will make them default behavior in the future. To test these behaviors in Firefox, open [`about:config`](http://kb.mozillazine.org/About:config) and set `network.cookie.sameSite.laxByDefault`. [Edge](https://groups.google.com/a/chromium.org/d/msg/blink-dev/AknSSyQTGYs/8lMmI5DwEAAJ) also plans to change its default behaviors. * [SameSite=None: Known Incompatible Clients](https://www.chromium.org/updates/same-site/incompatible-clients) #### How to test You can test this behaviour as of Chrome 76 by enabling `chrome://flags/#cookies-without-same-site-must-be-secure` and from Firefox 69 in [`about:config`](http://kb.mozillazine.org/About:config) by setting `network.cookie.sameSite.noneRequiresSecure`. ## HTTPS HTTP transforms data in plain text.\ `SSL 3.0 (@Deprecated, Secure Sockets Layer) <-based_on_SSL_3.0- TLS 1.3 (Transport Layer Security)`\ Goals of HTTPS: * **Privacy**: encrypting data traffic * **Integrity**: data received on either side was not altered unknowingly along the way * **Authentication**: website you are talking to is who they say they are ### Symmetric encription The same key is used for encryption and decryption.\ This is what home WIFI uses. There is one key (password), which is set into router and laptop. ``` ENCRYPTION: encryption_algorithm(data, encryption_key) = cipher_text ``` ![symmetric encryption](http://www.plantuml.com/plantuml/svg/XT0n3e9G3CRndLDqKmSkG8nXWDN54n3ub4ReUxP5ysulGMFY8Cxzfx-cfNcZFer3jg5J6aUuSakGLZaw1ydQWI5E-O4CUeTIiKnJT7JKDTxGLd6ROBxB93XemDaBgezBGm_sdkop-8hqgfGl_PnLzS_i3U_pDTXY4CENNDN_vVK3IqWtV-G9) ### Asymmetric encryption Two different keys are used. One to encrypt, second to decrypt. => *Public key Cryptography*.\ ![simple overview](http://www.plantuml.com/plantuml/svg/FSun4e8m48NXFgTudPKNe73mA25vm8v9baaMDRTN6CVo_wf_REQhxJcv2-wjvqoh4i0IgcmcMjmgaPXLRTAtExoVZkiDaVyQi2WRj10ltrrH8n9d6x3jKvA01tzQPLaFhlBqnjD7blXT-000) ### Self-signed certificate Self-signed certificate is a certificate that is **not** signed by certificate authority (CA). ```java protocol = https var certificate if (certificate.NOT_signed_by_CA()) { browser_warning = visit_website() if (bypass_warning) { possible(() -> man-in-the-middle_attack_with(certificate)) } } else { no_warning = visit_website() } ``` ### Digital signature ```java signed_data = sign_data(private_key) result = verify_signature(public_key) if (result is correct) { certain_that_data_came_from_owner_of_associated_private_key certain_that_data_was_not_modified_along_the_way } ``` ## TLS
--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://amartyushov.gitbook.io/tech/protocols/http.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.