If you set a cookie like this: Set-Cookie: name=value then the cookie will only apply to the request domain, and will only be sent for requests to the exact same domain, not any other subdomains. (See What is a host only cookie?) Two different domains (e.g. example.com and subdomain.example.com, or sub1.example.com and sub2.example.com) can only … Read more
I use something similar to this for my admin folder in wordpress: #redirect all https traffic to http, unless it is pointed at /checkout RewriteCond %{HTTPS} on RewriteCond %{REQUEST_URI} !^/checkout/?.*$ RewriteRule ^(.*)$ http://mydomain.com/$1 [R=301,L] The RewriteCond %{HTTPS} on portion may not work for all web servers. My webhost requires RewriteCond %{HTTP:X-Forwarded-SSL} on, for instance. If … Read more
No: “Messages MUST NOT include both a Content-Length header field and a non-identity transfer-coding. If the message does include a non-identity transfer-coding, the Content-Length MUST be ignored.” (RFC 2616, Section 4.4) And no, you can use Content-Length and stream; the protocol doesn’t constrain how your implementation works.
The content type is per specification multipart/form-data. This is a special content type which can be visualized as multiple sub-requests in one big request. Each of those sub-requests (one form-data element) has their own set of headers. The content type of the actual data is in there. Here’s an example how it look like with … Read more
Assuming that your server expects that the username:password combo will be encode it UTF-8 (see RFC 7617 for more details) then use this: import ‘dart:convert’; import ‘package:http/http.dart’; main() async { String username=”test”; String password = ‘123£’; String basicAuth=”Basic ” + base64.encode(utf8.encode(‘$username:$password’)); print(basicAuth); Response r = await get(Uri.parse(‘https://api.somewhere.io’), headers: <String, String>{‘authorization’: basicAuth}); print(r.statusCode); print(r.body); }
RFC 2616 is obsolete, the relevant part has been replaced by RFC 7230. The NUL octet is no longer allowed in comment and quoted-string text, and handling of backslash-escaping in them has been clarified. The quoted-pair rule no longer allows escaping control characters other than HTAB. Non-US-ASCII content in header fields and the reason phrase … Read more
Cookies set with the “Secure” keyword will only be sent by the browser when connecting by a secure means (HTTPS). Apart from that there is no distinction – if “secure” is absent, the cookie may be sent over an insecure connection. In other words, cookies that you want to protect the contents of should use … Read more
**** UPDATE Feb 2021 *** Please read the comments to this response. Their general conclusion seems to be that some web servers accept multiple Authorization schemes, but that it goes against RFC 7230/7235 **** This should be possible, you just have to add a comma between field values, e.g: GET /presence/alice HTTP/1.1 Host: server.example.com Authorization: … Read more
The cache-control header is the primary mechanism for an HTTP server to tell a caching proxy the “freshness” of a response. (i.e., how/if long to store the response in the cache) In some situations, cache-control directives are insufficient. A discussion from the HTTP working group is archived here, describing a page that changes only with … Read more
From the data you gathered, I would tend to say that encoded “https://stackoverflow.com/” in an uri are meant to be seen as “https://stackoverflow.com/” again at application/cgi level. That’s to say, that if you’re using apache with mod_rewrite for instance, it will not match pattern expecting slashes against URI with encoded slashes in it. However, once … Read more