HTTP Security

HTTP Security covers two things: authenticating that the browser is really talking to the intended website, and protecting the privacy and integrity of the data while it is in transit, so that communication over the network is secure end to end.

HTTP itself is the prescribed order and syntax used to send data between a web browser and a website, and its versions (HTTP/1.0, HTTP/1.1 and later) differ in semantics. HTTPS is not a new version of the protocol: it is the same HTTP carried inside a TLS (formerly SSL) connection, a transport-level change whose only purpose is to secure the data transfer.

How does HTTP Security work


Authentication

HTTP authentication controls access to pages and API resources: the client presents its credentials in the Authorization request header, and the server accepts or rejects the request on that basis. For example, to retrieve JSON data from a REST API, the client sends a GET request to the endpoint with a bearer token in the Authorization header. A bearer token is exactly what the name says: whoever holds it can use it, so it must only ever be sent over HTTPS and must be treated like a password on both ends.

GET Request With Bearer Token Authorization Header
GET /echo/get/json HTTP/1.1
Host: reqbin.com
Authorization: Bearer mt0dgHmLJMVQhvjpNXDyA83vA_PxH23Y
Accept: application/json

Server Response
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: application/json
Transfer-Encoding: chunked

{"success":"true"}


Bearer is one of the most widely used HTTP authentication schemes; the same Authorization header carries the others, such as Basic (a base64-encoded username and password), and a server that rejects a request with 401 Unauthorized names the scheme it expects in its WWW-Authenticate header.

Authentication in the other direction, of the website to the browser, is done with certificates. HTTPS relies on a Certificate Authority (CA) to verify that the party asking for a certificate controls the server's domain name and to issue a certificate binding that name to the server's public key. The CA signs the certificate with its own private key, so anyone holding the CA's public key can check the signature; the browser repeats this check up the chain until it reaches a root. Root CA certificates are self-signed: their signature is generated with the root certificate's own private key, and browsers trust them not because of that signature but because they ship in the browser's or operating system's trust store.

If the certificate is invalid (expired, issued for a different host name, or not chained to a trusted root), most browsers display a warning across the entire window and show the site's security information in the address bar. Older browsers in similar cases asked in a dialog box whether the user wanted to continue.

Data protection

Servers and clients speak over a TLS (historically SSL) connection that encrypts HTTP requests and responses on one end and decrypts them on the other. Two kinds of cryptography do two different jobs. The server's public/private key pair, vouched for by its certificate, is asymmetric and is used only during the handshake, to prove the server's identity and to agree on keys; the bulk of the traffic is then protected with a symmetric cipher under a session key that both sides derive from the handshake. In the older RSA key exchange the client generated the symmetric key, encrypted it with the server's public key and sent it over, and the server recovered it with its private key. TLS 1.3 dropped that method in favour of an ephemeral Diffie-Hellman exchange signed by the server's key, so that a private key stolen later cannot be used to decrypt traffic that was recorded earlier (forward secrecy).

HTTPS can fail


A Wi-Fi network, or any network an attacker can sit on, is still insecure for plain HTTP traffic, and a site that is reachable over both HTTP and HTTPS is exposed to downgrade tricks: an attacker who intercepts the first, unencrypted request can rewrite the site's links so the browser keeps talking HTTP while the attacker talks HTTPS to the real server (SSL stripping), or can redirect the connection to another host entirely. The standard defence is to redirect every HTTP request to HTTPS and to send the Strict-Transport-Security header, which tells the browser to use HTTPS only for that host from then on, before any unencrypted request can be intercepted.
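The browser-side half of that defence, as an added example that is not part of the original page or of any browser's code: it parses the Strict-Transport-Security header (RFC 6797), records the host only when the header arrived over HTTPS, and rewrites later http:// URLs for that host and, with includeSubDomains, for its subdomains. The in-memory cache, the sample hosts and the explicit clock are assumptions for the illustration.

```javascript
// Added example (not from the original page): HSTS bookkeeping that stops an
// SSL-stripping downgrade for hosts the browser has already seen over HTTPS.

// host -> { expires (ms since epoch), includeSubDomains }; constructed cache.
const hstsCache = new Map();

// Parse "max-age=<n>[; includeSubDomains]". Returns null for a malformed header,
// which the browser must then ignore rather than guess at.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const directive of value.split(';')) {
    const [name, raw] = directive.trim().split('=').map((s) => s && s.trim());
    if (!name) continue;
    const key = name.toLowerCase();
    if (key === 'max-age') {
      if (raw === undefined) return null;
      const n = Number(raw.replace(/^"|"$/g, ''));
      if (!Number.isInteger(n) || n < 0) return null;
      maxAge = n;
    } else if (key === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

// Called with each response. Only an HTTPS response may pin a host: an HSTS
// header seen over plain HTTP could have been injected by the attacker.
function recordResponse(url, headers, now = Date.now()) {
  const u = new URL(url);
  if (u.protocol !== 'https:') return false;
  const parsed = parseHsts(headers['strict-transport-security'] || '');
  if (!parsed) return false;
  if (parsed.maxAge === 0) {
    hstsCache.delete(u.hostname); // max-age=0 is how a site un-pins itself
    return true;
  }
  hstsCache.set(u.hostname, {
    expires: now + parsed.maxAge * 1000,
    includeSubDomains: parsed.includeSubDomains,
  });
  return true;
}

// A host is pinned if it, or a parent domain with includeSubDomains, has an
// unexpired entry. Expired entries are dropped as they are encountered.
function isPinned(hostname, now = Date.now()) {
  const labels = hostname.split('.');
  for (let i = 0; i < labels.length; i++) {
    const host = labels.slice(i).join('.');
    const entry = hstsCache.get(host);
    if (!entry) continue;
    if (entry.expires <= now) {
      hstsCache.delete(host);
      continue;
    }
    if (i === 0 || entry.includeSubDomains) return true;
  }
  return false;
}

// Rewrite http:// to https:// for pinned hosts before any request is sent,
// so the stripped link never reaches the network.
function upgradeUrl(url, now = Date.now()) {
  const u = new URL(url);
  if (u.protocol === 'http:' && isPinned(u.hostname, now)) u.protocol = 'https:';
  return u.toString();
}

// Sample run with a constructed response from example.com.
recordResponse('https://example.com/', { 'strict-transport-security': 'max-age=31536000; includeSubDomains' });
console.log(upgradeUrl('http://example.com/login'));
console.log(upgradeUrl('http://api.example.com/v1'));
```

The first visit is the window the defence cannot close on its own: until the browser has seen the header over HTTPS once, an attacker on the path can still strip that first connection, which is why browsers also ship a preloaded list of HSTS hosts.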

The Heartbleed vulnerability affected about half a million secure web servers. It was a bug in OpenSSL, the software library that provides applications with cryptographic services: a missing bounds check in the TLS heartbeat extension let a client read chunks of the server's memory, which could include session data and the server's private key. Most websites have since patched the library and replaced the affected certificates; the episode is a reminder that HTTPS is only as strong as the code that implements it.

In general, HTTP Security gives reasonable assurance that one is protected from eavesdropping and tampering while communicating on the internet, provided that the certificate is actually checked, the connection is not allowed to fall back to plain HTTP, and the TLS library on both ends is kept up to date.