HTTP

Statuses great link

Cookies

Set-Cookie: <name>=<value>[; <Max-Age>=<age>] [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly]

if (max-age AND expiry) {
    use max-age
}

Default: cookie is associated with the location of current document (domain as well as path).

Best practices:

  • Cookie security: manage cookie scope

Secure (Security)

if (HTTPS && cookie_has_Secure_attribute) {
    transmit_cookie()    
} 
if (HTTP && cookie_has_Secure_attribute) {
    do_not_transmit_cookie    
}

HttpOnly (Security)

A cookie can be set and used over HTTP, but also directly on the web browser via JavaScript.

if (XSS_breach && CSP_did_not_help) { 
    if (cookie_has_HttpOnly_flag) {
        JS_can_not_access_cookie
        break;
    }

    inject_Malicious_JS()
    access_Cookie_Value()
}

First-party and third-party

if (cookie.domain == browser_address_bar) => first_party cookie
if (cookie.domain != browser_address_bar) => third_party cookie

SameSite (security)

Useful links ONE TWO THREE

Spec. SameSite allows you to declare if your cookie should be restricted to a first-party or same-site context. Preventing Cross Site Request Forgery (CSRF).

Set-Cookie: CookieName=CookieValue; SameSite=Strict;
Set-Cookie: CookieName=CookieValue; SameSite=Lax;

(If the user is on www.web.dev and requests an image from static.web.dev then that is a same-site request. your-project.github.com and my-project.github.com are separate sites. If the user is on your-project.github.io and requests an image from my-project.github.io that's a cross-site request.).

  • SameSite = Strict => the cookies will be sent only in first-party context (only if cookie.site == browser_url_bar.site ).

    • For example, if you click on a link that points to a Facebook profile page, and if Facebook.com has set its cookie as SameSite=Strict, you cannot continue navigation on Facebook (view the Facebook page) unless you log in to Facebook again. The reason for this is because Facebook`s cookie was not sent by this request.

  • SameSite = Lax => the cookie will be sent along with the GET request initiated by third party website (this request must cause top level navigation).

    • Resources can be loaded by iframe, img tags, and script tags. These requests can also operate as GET requests, but none of them cause TOP LEVEL navigation. Basically, they don't change the URL in your address bar. Because these GET requests do not cause a TOP LEVEL navigation, thus cookies set to Lax won't be sent with them.

      • Request Type

        Example Code

        Cookies sent

        Link

        <a href="..."></a>

        Normal, Lax

        Perender

        <link rel="prerender" href=".."/>

        Normal, Lax

        Form GET

        <form method="GET" action="...">

        Normal, Lax

        Form POST

        <form method="POST" action="...">

        Normal

        iframe

        <iframe src="..."></iframe>

        Normal

        AJAX

        $.get("...")

        Normal

        Image

        <img src="...">

        Normal

  • SameSite = None => you intentionally want the cookie sent in a third-party context. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections. This won’t mitigate all risks associated with cross-site access but it will provide protection against network attacks.

--------------------------------

if (cookie.domain == external_service
    && cookie.domain != address_bar) {
    cross-site
}

⚠️Chrome, Since 02.2020: SameSite=Lax as default. Only cookies SameSite=None; Secure are available for external access.

  • Chrome implements these behavior as of version 80. Firefox has them available to test as of Firefox 69 and will make them default behavior in the future. To test these behaviors in Firefox, open about:config and set network.cookie.sameSite.laxByDefault. Edge also plans to change its default behaviors.

  • SameSite=None: Known Incompatible Clients

How to test

You can test this behaviour as of Chrome 76 by enabling chrome://flags/#cookies-without-same-site-must-be-secure and from Firefox 69 in about:config by setting network.cookie.sameSite.noneRequiresSecure.

HTTPS

HTTP transforms data in plain text. SSL 3.0 (@Deprecated, Secure Sockets Layer) <-based_on_SSL_3.0- TLS 1.3 (Transport Layer Security) Goals of HTTPS:

  • Privacy: encrypting data traffic

  • Integrity: data received on either side was not altered unknowingly along the way

  • Authentication: website you are talking to is who they say they are

Symmetric encription

The same key is used for encryption and decryption. This is what home WIFI uses. There is one key (password), which is set into router and laptop.

ENCRYPTION: encryption_algorithm(data, encryption_key) = cipher_text

Asymmetric encryption

Self-signed certificate

Self-signed certificate is a certificate that is not signed by certificate authority (CA).

protocol = https
var certificate
if (certificate.NOT_signed_by_CA()) {
    browser_warning = visit_website()
    if (bypass_warning) {
        possible(() -> man-in-the-middle_attack_with(certificate))
    }
} else {
    no_warning = visit_website()
}

Digital signature

signed_data = sign_data(private_key)
result = verify_signature(public_key)

if (result is correct) {
    certain_that_data_came_from_owner_of_associated_private_key
    certain_that_data_was_not_modified_along_the_way
}

TLS

PreviousMulti partNextOAuth 2.0

Last updated