Difference between HTTP Parameters and HTTP Headers

What is the difference between HTTP parameters and HTTP headers?

Here is the list of differences:

  1. They are designed for different purposes. Headers carry meta info, parameters carry actual data.

  2. HTTP Servers will automatically un-escape/decode parameter names/values. This does not apply to header names/values.

  3. Header names/values need to be manually escaped/encoded at client side and be manually un-escaped/decoded at server side. Base64 encoding or percent escape is often used.

  4. Parameters can be seen by end-users (in the URL), but headers are hidden from end-users.

Is there any security difference between http-headers and http-body?

Header is more convenient for the server.

Imagine an API where you upload a file as the body of a PUT - if the token was also in the body, you'd have to deal with encoding the body in some way to make it clear what is the token and what is the uploaded file.

If the body is JSON, you could put the token next to the body (in which case you can't just JSON.parse it, you need to again decode how they fit together) or you can bury the token inside the JSON (in which case you have to download the entire JSON and parse it before you can get at the token).

A header can be accessed before the body is downloaded - so if a malicious agent is performing a DoS attack on your server by sending you tons of 100Mb requests, you can detect the lack of proper authorisation as soon as the headers are received, and shut down the connection without having to download and analyse the 100Mb payload.

I can't see any benefit of having token in the body, as opposed to in the header.
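The header-before-body point above, as an added example that is not part of the answer: a Go net/http handler that authorises from the Authorization header alone and returns 401 without reading the body, so an unauthorised large PUT costs the server nothing beyond the headers. The token value and the /upload path are constructed for the example; Handle drives the handler through httptest and reports how many body bytes were actually consumed.

```go
package main

import (
	"crypto/subtle"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// expectedToken stands in for a real credential lookup (constructed value).
const expectedToken = "example-token"

// authorized inspects only the headers; the body is never touched here.
func authorized(r *http.Request) bool {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(h[len(prefix):]), []byte(expectedToken)) == 1
}

// uploadHandler rejects an unauthorised PUT before reading a single body byte.
func uploadHandler(w http.ResponseWriter, r *http.Request) {
	if !authorized(r) {
		w.Header().Set("Connection", "close") // close rather than drain the unread body
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if _, err := io.Copy(io.Discard, r.Body); err != nil { // only now pay for the upload
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// Handle drives uploadHandler with a PUT of bodySize bytes and returns the
// status code plus how many body bytes the handler actually consumed.
func Handle(token string, bodySize int) (int, int) {
	body := strings.NewReader(strings.Repeat("x", bodySize))
	req := httptest.NewRequest(http.MethodPut, "/upload", body)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	uploadHandler(rec, req)
	return rec.Code, bodySize - body.Len() // Len() is what remains unread
}
```

Setting Connection: close on the rejection also tells Go's server not to drain the unread body to keep the connection alive, which is the "shut down the connection" part of the advice.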

REST APIs: custom HTTP headers vs URL parameters

The URL indicates the resource itself. A "client" is a resource that can be acted upon, so should be part of the base url: /orders/view/client/23.

Parameters are just that, to parameterize access to the resource. This especially comes into play with posts and searches: /orders/find?q=blahblah&sort=foo. There's a fine line between parameters and sub-resources: /orders/view/client/23/active versus /orders/view/client/23?show=active. I recommend the sub-resource style and reserve parameters for searches.

Since each endpoint REpresents a State Transfer (to mangle the mnemonic), custom headers should only be used for things that don't involve the name of the resource (the url), the state of the resource (the body), or parameters directly affecting the resource (parameters). That leaves true metadata about the request for custom headers.

HTTP has a very wide selection of headers that cover most everything you'll need. Where I've seen custom headers come up is in a system-to-system request operating on behalf of a user. The proxy system will validate the user and add "X-User: userid" to the headers and use the system credentials to hit the endpoint. The receiving system validates that the system credentials are authorized to act on behalf of the user, then validates that the user is authorized to perform the action.

What is the difference between Resource and Method for HTTP Header?

As you can read in the SoapUI documentation:

  • Resource level parameters are added to all requests for this resource, regardless of method.
  • Method level parameters are only added to requests with this specific method.

So if the parameter/header should be added for all methods, use resource level. If the parameter/header should only be added for a specific method, use method level.
