HTTP – Security

HTTP stands for Hypertext Transfer Protocol, and it is a protocol – or a prescribed order and syntax for presenting information – used for transferring data over a network. Most information that is sent over the Internet, including website content and API calls, uses the HTTP protocol. There are two main kinds of HTTP messages: requests and responses.

HTTP requests are generated by a user's browser as the user interacts with web properties. These HTTP requests all go to either an origin server or a proxy caching server, and that server will generate an HTTP response. HTTP responses are answers to HTTP requests.

HTTP is used for communications over the internet, so application developers, information providers, and users should be aware of the security limitations in HTTP/1.1.

Suggestions for reducing security risks are:

Personal information

Users must be very careful to prevent unintentional leakage of information via the HTTP protocol to other sources.

HTTP cannot regulate the content of data that is transferred. HTTP cannot have any prior method to determine the sensitivity of any particular part of the information within the context of any request.

All the confidential information should be stored at the server in encrypted form.

Authors of services that use the HTTP protocol should not use GET based forms for the submission of sensitive data, because it will cause the data to be encoded in the Request-URI (Uniform resource identifier).

File and Path Names Based Attack

The documents returned by HTTP requests should be restricted to be only those that were intended by the server administrators.

An HTTP server MUST disallow any such construct in the Request-URI, if it would otherwise allow access to a resource outside those intended to be accessible via the HTTP server.

DNS Spoofing

Clients using HTTP depend heavily on the Domain Name Service, and are thus generally prone to security attacks based on the deliberate mis-association of IP addresses and DNS names.

Clients need to be cautious in assuming the continuing validity of an IP number/DNS name association.

If the clients of HTTP cache the results of hostname lookups to improve the performance, they must observe the TTL information, which was reported by the DNS. When the IP address of the previously accessed server is changed, then the HTTP clients could be spoofed if they do not observe this rule.

Authentication Credentials and Idle Clients

Existing HTTP clients and user agents typically retain authentication information indefinitely. HTTP/1.1 does not provide a method for a server to direct clients to discard these cached credentials which are a big security risk.

It is recommended to make the use of password protection in screen savers, idle time-outs, and other methods that mitigate the security problems inherent in this problem.

Proxies and Caching

Proxies have access to security-related information, personal information about individual users and organizations, and proprietary information belonging to users and content providers. Proxy systems should be protected as they contains or transports sensitive information.

Caching proxies provide additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious exploitation. Therefore, cache contents should be protected as sensitive information.