🔐 Day 18: HTTP Authentication and Advance HTTP Concepts

Authentication is how the server knows you are who you claim to be. It is the "Digital Handshake" that unlocks the door. 🔐

🔑 Part 1: HTTP Authentication Methods

Mechanism: Encodes your username:password into a Base64 string and sends it in the Authorization header.
Security Note: Base64 is not encryption; it is a formatting method. Anyone who intercepts this string can decode it instantly.
Example Header: Authorization: Basic dXNlcjpwYXNzd29yZA==

A JSON Web Token (JWT) is a compact, self-contained way of securely transmitting information between parties. It consists of three parts:

Header: Specifies the algorithm used to secure the token.
Payload: Contains the actual data (Claims), such as the username, user role, and expiration time.
Signature: The "Security Seal." It is created by hashing the header and payload with a secret key. If a hacker changes the payload, the signature will no longer match, and the server will reject the token.

Purpose: Primarily used for machine-to-machine communication.
Use Case: If you build a weather app, you don't own satellites. You "buy" access to data from a provider (like Google or OpenWeather) and use an API Key to identify your app to their server.
Hacker Note: If a developer "hardcodes" an API key into a public repository (like GitHub), attackers can steal it to access premium services or private data for free.

Mechanism: After login, the server provides a "pass" so you don't have to re-enter credentials for every click. Your browser stores this and attaches it to every subsequent request.
Clarification: The difference between a Session Token and a Session ID:
- The Session ID is the specific unique string (the "ID Number").
- The Session Token is the "Container" (the "ID Card") that carries that number.
Lifespan: These usually expire upon logout or after a period of inactivity (Session Timeout).

Purpose: Storing assets on your local Hard Drive to save bandwidth and increase loading speed.
Technical Note: Files like .js or .css are stored as their original file types, not converted to .txt. Python files (.py) are rarely cached by browsers as they run on the server side.
Security Risk: If a system is compromised, a hacker can inspect the browser's "Disk Cache." If private data was incorrectly cached, they can steal it.

Mechanism: The browser sends headers like User-Agent (device info), Accept-Encoding (compression preference), and Accept-Language. The server uses these to decide which version of the site to send.
Hacker Note: This allows for Fingerprinting, where an attacker uses these unique combinations of headers to identify and track a specific user's device.

Mechanism: To save time, the server "zips" data using tools like Gzip or Brotli.
Process: The browser sends Accept-Encoding: gzip. The server sends the compressed data. The browser then "unpacks" it into RAM (Memory) for the user to see.

Evolution: In HTTP/1.0, connections were closed after every single request. Modern HTTP uses Persistent Connections via TCP.
Analogy: It is like staying on a phone call while searching for a lost ring, rather than hanging up and redialing for every single sentence.

Mechanism: Used when the final size of the data is unknown (e.g., live streaming or dynamic database results). The server sends data in "chunks" as they become ready. Recall Transfer-Encoding: chunked
Hacker Note: This is the primary mechanism exploited in HTTP Request Smuggling attacks, where attackers hide a second request inside the chunks of the first.

Concept: Similar to Parallelism. It allows a browser to send multiple requests at once without waiting for the response of the first one.
Goal: To achieve faster loading by utilizing the connection more efficiently. Note: This has largely been improved upon by HTTP/2 Multiplexing.

Purpose: Acts as a "speed limit" for requests to a server.
Security: It is the primary defense against Brute Force (guessing passwords) and DoS (Denial of Service) attacks by limiting how many times an IP address can talk to the server per minute.