HTTP/1.1 — THE CLASSIC TEXT-BASED PROTOCOL

POST /api/v1/users HTTP/1.1            ← Request line: Method SP Path SP Version CRLF
Host: api.example.com                  ← Mandatory in HTTP/1.1 (virtual hosting)
Content-Type: application/json         ← Body format
Content-Length: 27                    ← Body length in bytes
Authorization: Bearer eyJhbGciOiJIUzI1...
Accept: application/json
User-Agent: MyApp/2.1 (Linux x86_64)
Connection: keep-alive
                                         ← Empty line (CRLF) separates headers from body
{"name":"Ajay","role":"admin"}         ← Request body (27 bytes)

HTTP/1.1 201 Created                   ← Status line: Version SP Status-Code SP Reason CRLF
Content-Type: application/json
Content-Length: 45
Location: /api/v1/users/42              ← URL of created resource
Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict
X-Request-ID: 7f3a9c2d
Date: Wed, 18 Mar 2026 10:00:00 GMT

{"id":42,"name":"Ajay","role":"admin"}

/* Server sends response body in chunks — no Content-Length needed */
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html

1a               ← chunk size in hex: 0x1a = 26 bytes
This is the first chunk.
13               ← 0x13 = 19 bytes
And the second chunk.
0                ← zero-length chunk = end of body
                 ← trailing CRLF

/* Used for: streaming responses, server-sent events */
/* server starts sending before it knows total size */

HTTP METHODS AND STATUS CODES — THE COMPLETE REFERENCE

KEY HTTP HEADERS — REQUEST, RESPONSE, AND SECURITY HEADERS

/* Security headers — every production server should send these */

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  # HSTS: browser must use HTTPS for this domain for 1 year
  # Prevents SSL stripping attacks
  # preload: submit to browser preload list

Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com; object-src 'none'
  # CSP: whitelist of allowed content sources
  # Prevents XSS by blocking inline scripts and untrusted sources

X-Frame-Options: DENY
  # Prevent clickjacking — page cannot be embedded in iframe
  # Superseded by CSP frame-ancestors, but still widely needed

X-Content-Type-Options: nosniff
  # Browser must not MIME-sniff — prevents content-type confusion attacks

Referrer-Policy: strict-origin-when-cross-origin
  # Controls what goes in Referer header on cross-origin requests
  # Prevents leaking sensitive URLs to third parties

Permissions-Policy: camera=(), microphone=(), geolocation=(self)
  # Restrict browser APIs — prevent malicious pages accessing camera/mic

Set-Cookie: session=abc; HttpOnly; Secure; SameSite=Strict; Path=/
  # HttpOnly: JS cannot access cookie (prevents XSS cookie theft)
  # Secure: only sent over HTTPS
  # SameSite=Strict: not sent on cross-site requests (prevents CSRF)

HTTP/2 — BINARY FRAMING AND MULTIPLEXING

/* HTTP/2 Frame format */
+-----------------------------------------------+
| Length (24 bits) | Type (8 bits) | Flags (8b) |
+-----------------------------------------------+
|R|            Stream ID (31 bits)               |
+-----------------------------------------------+
|                  Frame Payload                 |
+-----------------------------------------------+

/* Frame types */
Type 0x0 DATA:        request/response body data
Type 0x1 HEADERS:     request/response headers (HPACK compressed)
Type 0x2 PRIORITY:    stream dependency and weight for scheduling
Type 0x3 RST_STREAM:  cancel/error a specific stream
Type 0x4 SETTINGS:    negotiate connection parameters (max frame size, max streams)
Type 0x5 PUSH_PROMISE:server announces pushed resource
Type 0x6 PING:        keepalive and RTT measurement
Type 0x7 GOAWAY:      graceful connection shutdown — last processed stream ID
Type 0x8 WINDOW_UPDATE:flow control — increase receive window
Type 0x9 CONTINUATION:continue HEADERS frame if too large for one frame

/* HEADERS frame example — HPACK compressed */
/* Static table entry: :method GET = index 2, :path / = index 4 */
\x82           # :method = GET  (index 2 from static table)
\x84           # :path = /       (index 4)
\x86           # :scheme = https (index 6)
\x41 \x8a...   # :authority = www.google.com (literal with indexing)

/* HPACK compression example */
Request 1 — first time User-Agent is sent:
  Header: user-agent: Mozilla/5.0 (Linux; Android 11)
  Wire bytes: ~45 bytes (literal encoding, added to dynamic table at index 62)

Request 2 — same User-Agent:
  Wire bytes: \xbe (1 byte = index 62 in dynamic table)
  Savings: 98%

/* CRIME and BREACH attacks — why HPACK must be careful */
# If attacker can inject chosen plaintext adjacent to secrets in compressed data,
# they can observe compression ratio to infer secret values byte by byte.
# TLS compression was disabled due to CRIME. HPACK deliberately does NOT
# compress across streams (separate compression contexts) to mitigate.

HTTP/3 AND QUIC — REIMAGINING THE WEB TRANSPORT STACK

/* QUIC packet structure (simplified) */
┌─────────────────────────────────────────────────────┐
│  UDP Header (8 bytes)                               │
├─────────────────────────────────────────────────────┤
│  QUIC Long/Short Header                             │
│  - Header Form (1 bit): Long=1, Short=0             │
│  - Connection ID (0–20 bytes): identifies connection│
│    without IP/port (enables migration!)             │
│  - Packet Number (1–4 bytes): sequence for ACK      │
├─────────────────────────────────────────────────────┤
│  QUIC Frames (encrypted with TLS 1.3)              │
│  - STREAM frames: carry application data            │
│  - ACK frames: acknowledge received packets         │
│  - CRYPTO frames: TLS handshake messages            │
│  - PADDING, PING, CONNECTION_CLOSE, etc.            │
└─────────────────────────────────────────────────────┘

/* QUIC connection establishment — 1-RTT */
Client → Server: Initial (ClientHello inside CRYPTO frame)
Server → Client: Initial (ServerHello, certificates, Finished) + Handshake + 1-RTT data
Client → Server: Handshake (Finished) + 1-RTT data ← FIRST DATA HERE

vs TLS over TCP: SYN → SYN+ACK → ACK → ClientHello → ServerHello...Finished → data
                 That's 2 RTTs minimum before data flows.

/* 0-RTT resumption */
Client received a "session ticket" from prior connection:
Client → Server: 0-RTT data immediately (with replay-protected pre-shared key)
                 Server accepts 0-RTT data — zero round trips!
Caveat: 0-RTT data is replay-vulnerable — only safe for idempotent requests (GET)

# Detect HTTP/3 support — look for Alt-Svc header in HTTP/1.1 or HTTP/2 response
curl -I https://cloudflare.com | grep -i alt-svc
# alt-svc: h3=":443"; ma=86400
# "I support HTTP/3 (h3) on port 443, this hint is valid for 86400 seconds"

# Test HTTP/3 with curl (requires --http3 support)
curl --http3 -v https://cloudflare.com 2>&1 | head -20

# Wireshark capture of QUIC traffic
# Filter: udp.port == 443 (QUIC uses UDP 443)
# QUIC packets appear as "QUIC" in protocol column
# Content is encrypted — only metadata visible without TLS keys

# Provide TLS keys to Wireshark for decryption
SSLKEYLOGFILE=/tmp/keys.log curl --http3 https://cloudflare.com
# In Wireshark: Edit → Preferences → Protocols → TLS → Master Secret log

HTTPS — HTTP OVER TLS, AND WHY THE URL BAR IS GREEN

/* HTTP/1.1 over TLS 1.3 — minimum 2 RTTs before data */
RTT 0: → TCP SYN
        ← TCP SYN+ACK
RTT 1: → TCP ACK + TLS ClientHello (with key_share)
        ← TLS ServerHello + Certificate + CertVerify + Finished (encrypted)
RTT 2: → TLS Finished + HTTP GET   ← HTTP response arrives
                                      ← DATA arrives

/* HTTP/2 over TLS 1.3 — same, but ALPN negotiates h2 in handshake */
TLS ClientHello includes: ALPN extension ["h2", "http/1.1"]
TLS ServerHello includes: ALPN selected "h2"
After handshake: HTTP/2 binary framing on the same connection

/* HTTP/3 over QUIC — 1 RTT (0-RTT for returning clients) */
RTT 0: → QUIC Initial (ClientHello in CRYPTO frame)
        ← QUIC Initial+Handshake (ServerHello+Cert+Finished)
           + 1-RTT data (server can already send response!)
RTT 1: → QUIC Handshake Finished + HTTP/3 request arrives
        ← (server was already sending response from RTT 0)

/* ALPN — Application-Layer Protocol Negotiation */
# Allows HTTP version negotiation within TLS handshake
# No extra round-trip needed
# Values: "h3" = HTTP/3, "h2" = HTTP/2, "http/1.1" = HTTP/1.1

NGFW HTTP INSPECTION — URL FILTERING, DPI, AND SSL INSPECTION

M08 MASTERY CHECKLIST

• Can explain the key problem each HTTP version solved: 1.0=persistent, 1.1=keep-alive+chunked, 2=multiplexing, 3=no TCP HOL blocking
• Know HTTP/1.1 message format: request line + headers + CRLF + body; status line + headers + CRLF + body
• Know the mandatory HTTP/1.1 header: Host (enables virtual hosting)
• Know all 9 HTTP methods: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS, CONNECT, TRACE
• Know safe vs idempotent: GET/HEAD/OPTIONS are safe; GET/PUT/DELETE/HEAD/OPTIONS are idempotent; POST/PATCH are neither
• Know all 5 status code ranges and 15+ specific codes (200, 201, 204, 301, 302, 304, 400, 401, 403, 404, 405, 429, 500, 502, 503)
• Know Head-of-Line blocking in HTTP/1.1: responses must return in request order; one slow response blocks all subsequent
• Know chunked transfer encoding: hex length prefix per chunk, zero-length chunk = end
• Know 8 critical request headers: Host, User-Agent, Authorization, Cookie, Referer, Content-Type, X-Forwarded-For, Origin
• Know 6 security response headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
• Know cookie security flags: HttpOnly (no JS access), Secure (HTTPS only), SameSite=Strict (no cross-site)
• Know HTTP/2's four innovations: binary framing, multiplexing, HPACK compression, server push
• Know HTTP/2 frame types: DATA, HEADERS, RST_STREAM, SETTINGS, PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE
• Know HTTP/2 still has TCP HOL blocking — a lost TCP packet stalls all streams
• Know HPACK: static table (61 entries), dynamic table (per-connection learned headers), both compressed to 1-byte index
• Know QUIC's 4 motivations: TCP HOL blocking, 2-RTT connection setup, no connection migration, TCP ossification
• Know QUIC Connection ID: enables connection migration when client IP changes (WiFi → cellular)
• Know QUIC 1-RTT vs 0-RTT: 1-RTT = standard first connection; 0-RTT = session resumption, replay-vulnerable
• Know 6 QUIC frame types: STREAM, ACK, CRYPTO, NEW_CONNECTION_ID, MAX_DATA, CONNECTION_CLOSE
• Know QPACK vs HPACK: QPACK adapted for out-of-order QUIC streams using separate encoder/decoder streams
• Know HTTP/3 uses ALPN "h3", runs on UDP 443, always requires TLS 1.3
• Know what HTTPS encrypts: URL path, headers, body. What it doesn't hide: destination IP, TLS SNI hostname
• Know how SSL inspection works: NGFW → server (real TLS), NGFW → client (forged cert signed by corporate CA)
• Know SSL inspection limitations: certificate pinning, privacy regulations, requires CA cert deployment
• Know HTTP inspection visibility matrix: what's visible in plain HTTP vs HTTPS vs with SSL inspection
• Know 7 HTTP attack types for NGFW detection: SQLi, XSS, path traversal, command injection, webshell, exfiltration, DDoS
• Know NGFW HTTP monitoring: 401/403 spikes = brute force; 404 flood = directory enumeration; 500 flood = injection scan
• Completed Lab 1: captured and decoded HTTP/1.1 and HTTP/2 traffic in Wireshark with TLS key log
• Completed Lab 2: built HTTP/1.1 server from scratch in C with routing, header parsing, and chunked encoding
• Completed Lab 3: audited security headers, simulated SQLi/XSS patterns, implemented rate limiting