 

Is there any security difference between http-headers and http-body?

I am going to create a POST request and I am using a token. Why do I have to put the token into the headers instead of the request body? My understanding is that the body is more secure than HTTP headers; is that so?

Or is the only reason to put the token into headers to separate and maintain consistency among multiple methods in our APIs?

Kiwi Rupela asked Dec 21 '18 07:12





1 Answer

The header is more convenient for the server.

Imagine an API where you upload a file as the body of a PUT - if the token were also in the body, you'd have to deal with encoding the body in some way to make it clear which part is the token and which part is the uploaded file.

If the body is JSON, you could put the token next to the body (in which case you can't just JSON.parse it; you need to again decode how they fit together), or you can bury the token inside the JSON (in which case you have to download the entire JSON and parse it before you can get at the token).

A header can be accessed before the body is downloaded - so if a malicious agent is performing a DoS attack on your server by sending you tons of 100Mb requests, you can detect the lack of proper authorisation as soon as the headers are received, and shut down the connection without having to download and analyse the 100Mb payload.

I can't see any benefit of having the token in the body, as opposed to in the header.

Amadan answered Oct 03 '22 02:10

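As an added illustration of the point made in the answer above (example code written for this page, not Amadan's): a minimal parser that reads only the header block, checks a bearer token in constant time and reports how many bytes it consumed, beside the body-token variant that has to read the whole payload before it can decide. The token value, the `/upload` path and the host `api.example.test` are constructed for the demo, and `io.BytesIO` stands in for the client socket.

```python
import hmac
import io
import json

# Constructed demo value for this example only, not a real credential.
EXPECTED_TOKEN = b"s3cr3t-demo-token"

def read_headers(stream):
    """Read only the request line and header block, stopping at the blank line."""
    request_line = stream.readline().decode("latin-1").rstrip("\r\n")
    headers = {}
    while True:
        line = stream.readline()
        if line in (b"\r\n", b"\n", b""):
            break
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers

def token_ok(token):
    """Constant-time comparison; anything that is not a str is rejected."""
    return isinstance(token, str) and hmac.compare_digest(token.encode("utf-8"), EXPECTED_TOKEN)

def authorize_from_header(raw):
    """Decide from the Authorization header alone. Returns (ok, bytes_read)."""
    stream = io.BytesIO(raw)  # stands in for the socket
    _, headers = read_headers(stream)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    return scheme.lower() == "bearer" and token_ok(token.strip()), stream.tell()

def authorize_from_body(raw):
    """Decide from a 'token' field in the JSON body; the whole body is read first."""
    stream = io.BytesIO(raw)
    _, headers = read_headers(stream)
    body = stream.read(int(headers.get("content-length", "0")))
    try:
        token = json.loads(body).get("token")
    except (ValueError, AttributeError):
        token = None  # not JSON, or not a JSON object
    return token_ok(token), stream.tell()

def build_request(payload, header_token=None):
    """Build a constructed POST with a JSON body and an optional bearer header."""
    body = json.dumps(payload).encode("utf-8")
    lines = [b"POST /upload HTTP/1.1", b"Host: api.example.test", b"Content-Type: application/json", b"Content-Length: %d" % len(body)]
    if header_token is not None:
        lines.append(b"Authorization: Bearer " + header_token)
    return b"\r\n".join(lines) + b"\r\n\r\n" + body
```

With a large body, `authorize_from_header` stops after the header block while `authorize_from_body` consumes every byte; a real server would close the connection at that first point.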