HTTP status codes
HTTP 302
Cookie
-
Attributes
-
HttpOnlyA cookie with the
HttpOnlyattribute is inaccessible to the JavaScriptDocument.cookieAPI; it is sent only to the server. -
SecureA cookie with the
Secureattribute is sent to the server only with an encrypted request over the HTTPS protocol, never with unsecured HTTP (except on localhost). -
SameSite-
StrictA cookie can only be sent to the domain which it originated from.
-
LaxCookies are allowed to be sent with top-level navigations and will be sent along with GET request initiated by third party website. This is the default value in modern browsers.
-
NoneCookies will be sent in all contexts, i.e sending cross-origin is allowed. It requires the
Secureattribute in latest browser versions.
-
-
DomainA cookie is associated with a domain. If this domain is the same as the domain of the page you are on, the cookie is called a
first-party cookie. If the domain is different, it is athird-party cookie.
-
Caching
-
Workflow
- Client sends the initial request
- Server returns
200with resource andETagrepresenting its version - Client caches resource and
ETag - Based on
Cache-Controlstrategy, determine whether to request a new version of the resource - If expired, send a request to server with
If-None-Match: <ETag> - Server returns
304with empty body or200with new version of the resource and the newETag
The client may then decide to cache the representation, along with its ETag. Later, if the client wants to retrieve the same URL resource again, it will first determine whether the locally cached version of the URL has expired (through the Cache-Control and the Expire headers). If the URL has not expired, it will retrieve the locally cached resource. If it is determined that the URL has expired (is stale), the client will send a request to the server that includes its previously saved copy of the ETag in the "If-None-Match" field.[3]
-
Headers-
Cache-Control- Define your caching policies-
Gist
- Request and response header
- Client (
User-Agent) makes the decision
-
Strategies
- No caching
no-store- A request is sent to the server and a full response is downloaded each and every time.
- Cache but revalidate
no-cache- A cache will send the request to the origin server for validation before releasing a cached copy.
- Expiration - Duration in which the cache is served without checking freshness
max-age=<seconds>max-agetakes precedence overExpires
- No caching
-
-
ETag-
Gist
- Server makes the decision
- Response header
- Represent the version of the requested resource (if it has been modified)
- Value generation
- Use
cryptographic hash functionto hash resource content - A hash of the resource last modification timestamp
- Revision number
- Use
- Validation
- Strong:
byte-for-byteidentical - Weak: semantically equivalent
- Strong:
-
-
If-None-Match-
Gist
-
Request header
-
If-None-Matchis primarily used in conditionalGETrequests to enable efficient updates of cached information with a minimum amount of transaction overhead. When a client desires to update one or more stored responses that have entity-tags, the client SHOULD generate anIf-None-Matchheader field containing a list of those entity-tags when making aGETrequest; this allows recipient servers to send a304 (Not Modified)response to indicate when one of those stored responses matches the selected representation. -
When used in combination with
If-Modified-Since,If-None-Matchhas precedence (if the server supports it).
-
-
Workflow
- Request without
If-None-Matchheader 200Response withEtag <ETag>and resource in body- Request with
If-None-Match: <ETag> 304Response with empty body
- Request without
-
-
-
Resources
Cross-origin resource sharing (CORS)
-
A web application executes a cross-origin
HTTPrequest when it requests a resource that has a different origin (domain or protocol or port or any combination of them) from its own. -
CORSrequests-
Simplerequests (opens in a new tab) don't trigger aCORS preflight. -
Preflightedrequests (opens in a new tab) first send anHTTPrequest by theOPTIONSmethod to the resource on the other domain, to determine if the actual request is safe to send.-
PreflightRequest Headers-
Access-Control-Request-MethodNotifies the server as part of a
preflightrequest that when the actual request is sent, it will be sent with the specified request method. -
Access-Control-Request-HeadersNotifies the server that when the actual request is sent, it will be sent with specified headers.
-
-
PreflightResponse Headers-
Access-Control-Allow-Origin: Allowed origin host -
Access-Control-Allow-Methods: Allowed HTTP methods for CORS requests -
Access-Control-Allow-Headers: Allowed HTTP headers for CORS requests -
Access-Control-Max-Age: How long the response to the preflight request can be cached for without sending another preflight request, value in seconds
-
-
-
-
Resources
Tools
Client
httpie
-
Default
-
Headers
GET / HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: HTTPie/<version> Host: <taken-from-URL> -
HTTP redirects are not followed and only the first response is shown.
-
Content type
Content-Type: application/json Accept: application/json, */*;q=0.5
-
httpie - Use a HTTP proxy server
export ALL_PROXY=http://$proxy_ip:$proxy_port
export HTTP_PROXY=http://$proxy_ip:$proxy_port
export HTTPS_PROXY=https://$proxy_ip:$proxy_port
export NO_PROXY=$hostname1,$hostname2...httpie - Download a file and save it via redirected output
http $url > $filehttpie - Upload a file using redirected input
http $url < $filehttpie - Upload a file as a multipart/form-data
http -f POST $url "${file_param_name}@${file}"httpie - Dry run sending a request
http --offline ...httpie - Print the whole HTTP exchange
http -v ...httpie -
httpie - Print the specified parts of the HTTP exchange
| Character | Description |
|---|---|
| H | request headers |
| B | request body |
| h | response headers |
| b | response body |
| m | response meta |
http -p=$parts ...httpie - Showing redirections
http -F --all pie.dev/redirect/3httpie - Skip server SSL certificate verification
http --verify=no ...httpie - Use a specified CA bundle
http --verify=$ca_bundle ...httpie - Use a client side certificate for the SSL communication
http --cert=$client_cert $urlIntelliJ IDEA HTTP Client
-
Notes
-
All
public environmentsmust be inhttp-client.env.json, and file name cannot be changed, but location can be changed. -
All
private environmentsmust be inhttp-client.private.env.json, and file name cannot be changed, but location can be changed. -
Define a local variable
### Get stub mapping by ID @mappingId = 4694d48a-5bdc-476b-8d15-a48751c30d75 GET {{host}}:{{port}}/__admin/mappings/{{mappingId}}
-
-
Resources
Packet Analyzer
mitmproxy
-
Proxy Modes (opens in a new tab)
-
Recommended
- Regular: The default mode. Configure your client(s) to use an HTTP(S) proxy.
- Local Capture: Capture applications on the same device.
- WireGuard: Capture external devices or individual Android apps.
- Reverse: Put mitmproxy in front of a server.
-
Advanced Modes
- Transparent: Capture traffic with custom network routes.
- TUN Interface: Create a virtual network device to capture traffic.
- Upstream: Chain two HTTP(S) proxies.
- SOCKS: Run a SOCKS5 proxy server.
- DNS: Run a scriptable DNS server.
-
mitmproxy CLI
Intercept everything on this machine
mitmproxy --mode localIntercept cURL only
mitmproxy --mode local:curlIntercept cURL and wget only
mitmproxy --mode local:curl,wgetIntercept the specified process only
mitmproxy --mode local:$PIDIntercept everything on this machine but cURL
mitmproxy --mode local:!curl