WSEC 320 Lecture Notes 1

The document outlines the fundamentals of web architecture, focusing on the roles of HTTP and HTTPS in client-server communication. It explains the structure of HTTP request and response messages, their headers, and the advantages and limitations of both protocols. Additionally, it highlights the importance of HTTPS in securing data transmission between web servers and clients.

Uploaded by lawrencechikopa1

WSEC-320 WEB SECURITY

Lecture 1: Web Architecture (HTTP/HTTPS)

Course Lecturer: Dr. B. Kankuzi, Dept of CSIT, MUST

LESSON OUTCOMES

• Describe the client-server architecture used in web applications.
• Explain the pivotal role that HTTP plays in web architecture.
• Describe the elements of HTTP request messages and HTTP response messages.
• Distinguish various HTTP message headers.
• Distinguish HTTP and HTTPS.
• Explain the limitations of HTTP and also HTTPS.

INTRODUCTION

• The Hypertext Transfer Protocol (HTTP) is a TCP/IP-based communication protocol which is used to deliver data (HTML files, image files, query results, etc.) on the World Wide Web.
• HTTP is a request/response protocol based on the client/server architecture, where web browsers, robots, search engines, etc. act as HTTP clients and the web server acts as the server.

INTRODUCTION (CONT’D)

• In general, a client-server architecture is an architecture that has:
  ◦ A client that sends a request.
  ◦ A server that responds to a client's request.
• Client-server architecture is also known as Request-Response Architecture.

INTRODUCTION (CONT’D)

INTRODUCTION (CONT’D)

• A web server is a program which runs on the server.
• A web server processes all the requests coming from the client.
• A web server accepts a request and (if possible) gives back an HTTP response accompanied by an HTML page.
• A web browser is a client-side application which requests resources from web servers.

INTRODUCTION (CONT’D)

• A web server can host a web application or a website.
• A website is just a set of related web pages located under a single domain name, e.g. must.ac.mw.
• A web application is a web-based program or piece of software designed to fulfill a particular purpose, e.g. saris.must.ac.mw.

INTRODUCTION (CONT’D)

Architecture of a web application


ADVANTAGES OF HTTP

• Each request is independent of the previous requests, as HTTP is a stateless protocol.
• Reduces data transfer, because the server does not need to track the state of multiple requests, as HTTP is a stateless protocol.
• The server can scale to many clients, as HTTP is a connectionless protocol.
• Any type of data can be sent by HTTP as long as both the client and server know how to handle the data content, as HTTP is media independent.

ADVANTAGES OF HTTP (CONT’D)

• NB: HTTP/1.0 uses a new connection for each request/response exchange, whereas an HTTP/1.1 connection may be used for one or more request/response exchanges.

HTTP MESSAGES

• Client
  ◦ The HTTP client sends a request to the server in the form of a request method, URI, and protocol version, followed by a MIME-like message containing request modifiers, client information, and possible body content over a TCP/IP connection.
• Server
  ◦ The HTTP server responds with a status line, including the message's protocol version and a success or error code, followed by a MIME-like message containing server information, entity metainformation, and possible entity-body content.

HTTP MESSAGES (CONT’D)

• HTTP requests and HTTP responses use the generic message format of RFC 822 for transferring the required data.
• This generic message format consists of the following four items:
  ◦ A start-line
  ◦ Zero or more header fields, each followed by CRLF
  ◦ An empty line (i.e., a line with nothing preceding the CRLF) indicating the end of the header fields
  ◦ Optionally, a message-body

HTTP MESSAGES (CONT’D)

• Example HTTP request message (fetch hello.html from www.mywebsite.com):

GET /hello.html HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Host: www.mywebsite.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

HTTP MESSAGES (CONT’D)

• Example HTTP response message (to the request on the previous slide):

HTTP/1.1 200 OK
Date: Mon, 3 April 2023 12:28:53 GMT
Server: Apache/2.2.14 (Win64)
Last-Modified: Wed, 22 Feb 2023 19:15:56 GMT
Content-Length: 88
Content-Type: text/html
Connection: Closed

<html>
<body>
<h1>Hello, World!</h1>
</body>
</html>

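The four-part generic message format and the two example messages above can be exercised with a small parser. The following Python is an added example written for these notes, not code from the lecture or from any HTTP library; the sample request and response are constructed (the slide's messages re-encoded with CRLF line endings and a Content-Length that matches the body). It splits a raw message at the first empty line, lower-cases header names for case-insensitive lookup, and refuses messages whose Content-Length disagrees with the bytes actually present or that carry a duplicate Content-Length, since those are the disagreements that lead different parsers to see different message boundaries.

```python
from typing import Dict, Tuple

# Constructed sample messages (not captured from a live server).
SAMPLE_REQUEST = (
    b"GET /hello.html HTTP/1.1\r\n"
    b"Host: www.mywebsite.com\r\n"
    b"Accept-Language: en-us\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.14 (Win64)\r\n"
    b"Content-Length: 48\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body><h1>Hello, World!</h1></body></html>"
)


def parse_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 message into (start-line, headers, body).

    The header section ends at the first empty line (CRLF CRLF). Header names
    are case-insensitive, so they are lower-cased for lookup. A message whose
    Content-Length disagrees with the bytes present is rejected rather than
    silently truncated or padded.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no empty line terminating the header fields")
    lines = head.decode("iso-8859-1").split("\r\n")
    start_line, header_lines = lines[0], lines[1:]
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        # Reject empty names and whitespace before the colon; both are
        # classic sources of disagreement between front-end and back-end parsers.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header field: {line!r}")
        key = name.lower()
        value = value.strip()
        if key == "content-length" and key in headers:
            raise ValueError("duplicate Content-Length field")
        # Other repeated fields are joined into one comma-separated list.
        headers[key] = value if key not in headers else headers[key] + ", " + value
    if "content-length" in headers:
        declared = headers["content-length"]
        if not declared.isdigit():
            raise ValueError(f"non-numeric Content-Length: {declared!r}")
        if int(declared) != len(body):
            raise ValueError(f"Content-Length {declared} but body has {len(body)} bytes")
    return start_line, headers, body


def split_start_line(start_line: str) -> Tuple[str, str, str]:
    """Split a request-line (method, target, version) or a status-line
    (version, code, reason) into its three space-separated parts."""
    parts = start_line.split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed start-line: {start_line!r}")
    return parts[0], parts[1], parts[2]


def is_request(start_line: str) -> bool:
    """A request-line ends with the protocol version; a status-line begins with it."""
    return not start_line.startswith("HTTP/")


if __name__ == "__main__":
    for raw in (SAMPLE_REQUEST, SAMPLE_RESPONSE):
        start, hdrs, body = parse_message(raw)
        kind = "request" if is_request(start) else "response"
        print(kind, split_start_line(start), sorted(hdrs), len(body), "body bytes")
```

Running the file prints the parsed start-line parts, the header names and the body length for both samples. Note that the parser works on bytes up to the end of the body it was handed; a real server must first read exactly Content-Length bytes from the socket, which is where the same length check pays off.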
HTTP MESSAGES (CONT’D)

• HTTP headers can be grouped based on their context:
  ◦ Request headers contain more information about the resource to be fetched, or about the client requesting the resource.
  ◦ Response headers hold additional information about the response, like its location or about the server providing it.
  ◦ Representation headers contain information about the body of the resource, like its MIME type, or encoding/compression applied.
  ◦ Payload headers contain representation-independent information about payload data, including content length and the encoding used for transport.

HTTP MESSAGES (CONT’D)

• A list of various HTTP headers can be accessed at https://en.wikipedia.org/wiki/List_of_HTTP_header_fields

HTTP VS HTTPS

• HTTPS stands for Hypertext Transfer Protocol Secure.
• Although it functions similarly to HTTP, HTTPS works to protect communication between web servers and browsers when transporting data.
• HTTPS secures connections with a digital security protocol that uses cryptographic keys to encrypt and validate data.
• The most common way for websites to use HTTPS and have a secure domain is by obtaining a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate.
• Although TLS is widely becoming the standard for HTTPS, most SSL certificates support both SSL/TLS protocols.

LIMITATIONS OF HTTPS

• Deployment Limitations
  ◦ HTTPS only works if one uses it.
  ◦ One needs to specify https:// on every URL, including URLs in documentation, email, advertisements, and everything else.
  ◦ Use Strict-Transport-Security and Content-Security-Policy’s Upgrade-Insecure-Requests directive (and optionally Block-All-Mixed-Content) to help mitigate failures to properly set URLs to HTTPS.
  ◦ The HSTS Policy is communicated by the server to the user agent via an HTTP response header field named "Strict-Transport-Security".

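A quick way to confirm that a site actually ships the two mitigations named on this slide is to inspect its response headers. The Python below is an added example for these notes, not code from the lecture; it parses the Strict-Transport-Security directives and the Content-Security-Policy directive names from a headers dictionary and reports what is missing. The one-year max-age threshold (31536000 seconds) is this script's own assumption, chosen because it is the value browser preload lists expect; the three header sets are constructed samples.

```python
from typing import Dict, List

# Constructed sample header sets (not captured from a real site).
WEAK_HEADERS = {"Content-Type": "text/html"}
PARTIAL_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests",
}

ONE_YEAR = 31536000  # assumed minimum max-age, in seconds


def parse_hsts(value: str) -> Dict[str, str]:
    """Parse 'max-age=31536000; includeSubDomains; preload' into
    {'max-age': '31536000', 'includesubdomains': '', 'preload': ''}."""
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def csp_directives(value: str) -> List[str]:
    """Return the directive names (first token of each ';'-separated group)
    in a Content-Security-Policy value."""
    names: List[str] = []
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            names.append(tokens[0].lower())
    return names


def check_https_deployment(headers: Dict[str, str], min_max_age: int = ONE_YEAR) -> List[str]:
    """Return a list of findings about the HTTPS-deployment headers; an empty
    list means every check passed. Header names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = lower.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        d = parse_hsts(hsts)
        max_age = d.get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append("HSTS max-age missing or not numeric")
        elif int(max_age) < min_max_age:
            findings.append(f"HSTS max-age {max_age} is below {min_max_age}")
        if "includesubdomains" not in d:
            findings.append("HSTS does not cover subdomains (no includeSubDomains)")

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy header")
    elif "upgrade-insecure-requests" not in csp_directives(csp):
        findings.append("CSP lacks upgrade-insecure-requests")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("partial", PARTIAL_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, check_https_deployment(hdrs) or ["ok"])
```

Point the function at the headers of a real response (for instance the dictionary a client library returns) to see which of the slide's mitigations a deployment is missing. The block-all-mixed-content directive is left out of the checks because the slide lists it as optional.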
LIMITATIONS OF HTTPS (CONT’D)

• Privacy Limitations
  ◦ SNI / IP Address
    ▪ When one connects to a server over HTTPS, the URL they are requesting is encrypted and invisible to network observers.
    ▪ However, observers can see both the IP address they are connecting to, and the hostname they are requesting on that server (via the Server Name Indication ClientHello extension).

LIMITATIONS OF HTTPS (CONT’D)

• Server Limitations
  ◦ Server Compromise
    ▪ HTTPS only aims to protect the bytes in transit.
  ◦ DOM mixing
    ▪ Access to https resources can be mixed with http resources.

LIMITATIONS OF HTTPS (CONT’D)

• Client Identity Limitations
  ◦ A man-in-the-middle attack can still occur when a client application has been compromised by malware, such that tampering or data leaks are performed before encryption or after decryption.
  ◦ The spyware could take the form of malware in the OS, or a malicious or buggy browser extension.

CONCLUSION

• The Hypertext Transfer Protocol (HTTP) is a TCP/IP-based communication protocol which is used to deliver data (HTML files, image files, query results, etc.) on the World Wide Web.
• HTTP is a request/response protocol based on the client/server architecture, where web browsers, robots, search engines, etc. act as HTTP clients and the web server acts as the server.
• HTTP requests and HTTP responses use the generic message format of RFC 822 for transferring the required data.
• Although it functions similarly to HTTP, HTTPS works to protect communication between web servers and browsers when transporting data.

END OF LECTURE 1

THANK YOU!

REFERENCES & FURTHER READING

• https://www.tutorialspoint.com/http/http_quick_guide.htm
• https://datatracker.ietf.org/doc/html/rfc6454#page-7