HTTP Request Header in detail

All HTTP messages (requests or responses) consist of one or more headers, each on a separate line, followed by a mandatory blank line, followed by an optional message body.

A typical HTTP request is as follows:

GET /auth/488/YourDetails.php?uid=129 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, */*
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; InfoPath.3; .NET4.0E; FDM; .NET CLR 1.1.4322)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Cookie: SessionId=5B70C71F3FD4968935CDB6682E545476

The first line of every HTTP request consists of three items, separated by spaces:

GET /auth/488/YourDetails.php?uid=129 HTTP/1.1

HTTP method. The most commonly used method is GET, whose function is to retrieve a resource from the web server. GET requests do not have a message body, so no further data follows the blank line after the message headers.

The requested URL. The URL typically functions as a name for the resource being requested, together with an optional query string containing parameters that the client is passing to that resource. The query string is indicated by the ? character in the URL. The example contains a single parameter with the name uid and the value 129.

The HTTP version being used. The only HTTP versions in common use on the Internet are 1.0 and 1.1, and most browsers use version 1.1 by default. There are a few differences between the specifications of these two versions; however, the only difference you are likely to encounter when attacking web applications is that in version 1.1 the Host request header is mandatory.

Other interesting lines in the sample request:

The Referer header is used to indicate the URL from which the request originated.

The User-Agent header is used to provide information about the browser or other client software that generated the request. Note that most browsers include the Mozilla prefix for historical reasons.

The Host header specifies the hostname that appeared in the full URL being accessed. This is necessary when multiple websites are hosted on the same server, because the URL sent in the first line of the request usually does not contain a hostname.

The Cookie header is used to submit additional parameters that the server has issued to the client.
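The message structure described above, written as a small request parser (an added example, not part of the original page). The sample bytes are constructed from the page's request with a placeholder Host header (app.example) added; rejecting duplicate Host headers and whitespace around header names are assumptions of this example beyond what the text states.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the page's request, shortened, with a placeholder
# Host header (app.example) added so the HTTP/1.1 check passes.
SAMPLE = (
    b"GET /auth/488/YourDetails.php?uid=129 HTTP/1.1\r\n"
    b"Accept-Language: en-GB\r\n"
    b"Host: app.example\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cookie: SessionId=5B70C71F3FD4968935CDB6682E545476\r\n"
    b"\r\n"
)

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    # Headers end at the mandatory blank line; anything after it is the body.
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing blank line after headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("request line must have exactly three items")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Assumption: refuse empty names and names padded with whitespace.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    # Host is mandatory in HTTP/1.1; duplicates are rejected as ambiguous.
    if version == "HTTP/1.1" and len(headers.get("host", [])) != 1:
        raise ValueError("HTTP/1.1 request needs exactly one Host header")
    url = urlsplit(target)
    cookies = SimpleCookie("; ".join(headers.get("cookie", [])))
    return {
        "method": method, "path": url.path, "version": version,
        "query": parse_qs(url.query), "headers": headers,
        "cookies": {k: m.value for k, m in cookies.items()},
        "body": body,
    }
```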