<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>Peakhour.IO - HTTP</title><link href="https://www.peakhour.io/" rel="alternate"></link><link href="https://www.peakhour.io/feeds/tag/http.atom.xml" rel="self"></link><id>https://www.peakhour.io/</id><updated>2023-11-16T00:00:00+11:00</updated><entry><title>RFC 9460</title><link href="https://www.peakhour.io/blog/rfc-9460-dns-evolution/" rel="alternate"></link><published>2023-11-16T00:00:00+11:00</published><updated>2023-11-16T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-11-16:/blog/rfc-9460-dns-evolution/</id><summary type="html">&lt;p&gt;Introducing SVCB and HTTPS records in DNS and their impact on web connectivity.&lt;/p&gt;</summary><content type="html">&lt;p&gt;RFC 9460 introduces two DNS record types: "SVCB" (Service Binding) and "HTTPS". They let browsers learn more connection details during DNS lookup, before redirects and TLS negotiation add extra steps. The result is cleaner connection setup, with practical improvements in speed, security, and efficiency.&lt;/p&gt;
&lt;h2&gt;Understanding the Current Process&lt;/h2&gt;
&lt;p&gt;Traditionally, when a browser connects to a website, it follows a sequence:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Browser requests site via HTTP.&lt;/li&gt;
&lt;li&gt;Server redirects request to HTTPS.&lt;/li&gt;
&lt;li&gt;Browser receives ALPN (Application-Layer Protocol Negotiation) during the HTTPS handshake.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The model is secure, but it is not optimal. It involves multiple round trips, which affects Time to First Byte (TTFB) and the overall user experience. Load balancing and failover are also less direct than they could be. RFC 9460 changes this by allowing DNS to provide the necessary connection details earlier. That reduces the steps involved in establishing a secure connection, lowering TTFB.&lt;/p&gt;
&lt;h2&gt;The Impact of SVCB and HTTPS Records&lt;/h2&gt;
&lt;p&gt;SVCB and HTTPS records move useful connection hints into DNS. They speed up the time-to-first-packet by incorporating the Alt-Svc HTTP header and ALPN TLS extension into DNS, which shortens connection setup. These records also enable redirection at the zone apex, a task not possible with CNAMEs. They simplify DNS load distribution and failover, making web services more resilient. They also remove the need for HSTS preloading and support Encrypted Client Hello (ECH), formerly ESNI, for better privacy.&lt;/p&gt;
&lt;h2&gt;Adoption and Industry Response&lt;/h2&gt;
&lt;p&gt;Adoption started before the RFC was finalised. Firefox has been conducting HTTPS lookups since May 2020, limited to DNS over HTTPS (DoH). Apple's iOS, Safari, and macOS have followed suit since September 2020. Chrome introduced partial support in December 2020 and has recently enabled ECH by default. Various DNS service providers have also started supporting HTTPS and SVCB records.&lt;/p&gt;
&lt;p&gt;As reported on &lt;a href="https://netmeister.org/blog/https-rrs.html"&gt;Netmeister&lt;/a&gt;, adoption is still early but not insignificant. As of October 2023, about 10 million domains have implemented an HTTPS record for their 'www' service names, roughly 4.4% of domains. Around 9.1 million domains, or about 4.0%, use the record on their bare second-level domain name. Among the top 1 million domains, approximately 22.5K (25.5%) use HTTPS records for 'www' service names, and nearly 24K (25.6%) use them on bare domains.&lt;/p&gt;
&lt;p&gt;&lt;img alt="October 2023 Usage" src="/static/images/blog/https-records-oct-2023.png"&gt;&lt;/p&gt;
&lt;h2&gt;What the Records Look Like&lt;/h2&gt;
&lt;p&gt;A typical &lt;a href="/learning/service-binding-record/"&gt;SVCB record&lt;/a&gt; might look like this:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;_example.com. 7200 IN SVCB 1 svc4.example.net. (alpn=&amp;quot;h2,h3&amp;quot; port=&amp;quot;8004&amp;quot;)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This record indicates that the service at &lt;code&gt;_example.com&lt;/code&gt; can be accessed at &lt;code&gt;svc4.example.net&lt;/code&gt; using either HTTP/2 or HTTP/3 on port 8004.&lt;/p&gt;
&lt;p&gt;An &lt;a href="/learning/https-record/"&gt;HTTPS record&lt;/a&gt; could be:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;example.com. 3600 IN HTTPS 0 svc.example.net.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This record suggests that &lt;code&gt;example.com&lt;/code&gt; should be accessed securely through &lt;code&gt;svc.example.net&lt;/code&gt;.&lt;/p&gt;
&lt;h2&gt;Apex Domains and the Importance of SVCB/HTTPS Records&lt;/h2&gt;
&lt;p&gt;One long-running DNS limitation is the inability to use CNAME records at the apex (root level) of a domain due to conflicts with other necessary records like NS and SOA. RFC 9460's SVCB/HTTPS records address this by enabling apex domain aliasing without those conflicts. This matters for efficient content delivery networks (CDNs) and load balancing strategies.&lt;/p&gt;
&lt;h2&gt;These records enhance capability&lt;/h2&gt;
&lt;p&gt;&lt;strong&gt;1. Load Balancing:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Consider a website that needs to distribute traffic across multiple servers. SVCB records can indicate different server endpoints with varying priorities.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;example.com. IN SVCB 10 server1.example.com. (alpn=&amp;quot;h2,h3&amp;quot;)
example.com. IN SVCB 20 server2.example.com. (alpn=&amp;quot;h2&amp;quot;)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;In this example, &lt;code&gt;server1.example.com&lt;/code&gt; is the preferred endpoint (lower priority number), offering both HTTP/2 and HTTP/3 protocols. If it's unavailable, traffic automatically shifts to &lt;code&gt;server2.example.com&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;2. Failover Mechanism:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;For a service that requires high availability, SVCB records can express failover directly:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;critical-service.example.com. IN SVCB 1 primary-service.example.com. (alpn=&amp;quot;h2,h3&amp;quot;)
critical-service.example.com. IN SVCB 2 backup-service.example.com. (alpn=&amp;quot;h2&amp;quot;)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Here, &lt;code&gt;primary-service.example.com&lt;/code&gt; is the primary endpoint. If it fails, the system automatically falls back to &lt;code&gt;backup-service.example.com&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;3. Apex Domain Usage:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;A practical advantage of SVCB/HTTPS records is their ability to handle apex domains, where CNAME records are not feasible. This is important for root domain aliasing to different service providers.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;example.com. IN HTTPS 0 cdn-provider.example.net.
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This record indicates that the apex domain &lt;code&gt;example.com&lt;/code&gt; is to be served through &lt;code&gt;cdn-provider.example.net&lt;/code&gt;, overcoming traditional DNS limitations.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;4. Encrypted ClientHello Support:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Future enhancements of SVCB could include keys for Encrypted ClientHello, which improves privacy and security during the initial TLS handshake.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;secure.example.com. IN SVCB 1 tls-service.example.net. (ech=&amp;quot;base64-encoded-key&amp;quot;)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This record can be used to initiate a TLS connection with &lt;code&gt;tls-service.example.net&lt;/code&gt; using the provided Encrypted ClientHello key.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;5. Directing Traffic to Specific Protocols:&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;For services that need to direct clients to newer or more efficient protocols, SVCB records can specify the exact protocols to use.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;api.example.com. IN SVCB 1 api-server.example.com. (alpn=&amp;quot;h3&amp;quot;)
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Clients that understand HTTP/3 can connect directly using this protocol, bypassing the usual HTTP/1.1 or HTTP/2 protocols.&lt;/p&gt;
&lt;h2&gt;The Long Wait&lt;/h2&gt;
&lt;p&gt;HTTPS has been around for a while, so RFC 9460 raises an obvious question: why did this take so long? Apex records have had their share of problems, including not being able to use CNAMEs and having to resort to custom records like ALIAS or Cloudflare's 'cname flattening'.&lt;/p&gt;
&lt;p&gt;It is a fair question. We've had some bizarre records hanging around for ages along with a wide range of solutions to the "CNAME at the zone apex"
problem.&lt;/p&gt;
&lt;p&gt;Credit to the creators of RFC 9460 for getting this through and obtaining browser support:
   - B. Schwartz from Meta Platforms, Inc.
   - M. Bishop from Akamai Technologies
   - E. Nygren from Akamai Technologies&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;RFC 9460 gives DNS a more useful role in HTTPS connection setup. SVCB and HTTPS records let operators publish endpoint, protocol, failover, and privacy information before the browser starts negotiating the connection. That gives service providers more precise control over how clients reach web services, with practical benefits for performance, reliability, and security.&lt;/p&gt;</content><category term="Interest"></category><category term="HTTP"></category><category term="Web Performance"></category><category term="Rate Limiting"></category><category term="TLS Fingerprinting"></category><category term="CDN"></category><category term="DDoS"></category></entry><entry><title>HTTP/2 Rapid Reset Attack Deepdive</title><link href="https://www.peakhour.io/blog/http-rapid-reset-attack-deepdive/" rel="alternate"></link><published>2023-10-12T00:00:00+11:00</published><updated>2023-10-12T00:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-10-12:/blog/http-rapid-reset-attack-deepdive/</id><summary type="html">&lt;p&gt;The technicalities of the HTTP/2 Rapid Reset vulnerability and steps to fortify against DDoS threats.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Distributed &lt;a href="/products/ddos-protection/"&gt;Denial of Service&lt;/a&gt; (DDoS) attack vectors keep changing. The recent spike in HTTP/2-based DDoS
attacks has been notable for its volume, with some attacks surpassing 398 million requests per second. Peakhour observed
these attacks and worked through how to understand and mitigate them. This article explains how they work and what
operators can do to reduce exposure.&lt;/p&gt;
&lt;h2&gt;The Rise of HTTP/2 in DDoS Attacks&lt;/h2&gt;
&lt;p&gt;HTTP/2 was designed to make web traffic more efficient. The same features that improve performance for legitimate users
can also be abused in DDoS traffic.&lt;/p&gt;
&lt;p&gt;Much of HTTP/2's efficiency lies in "stream multiplexing." It allows multiple messages to be sent over a single TCP
connection. While HTTP/1.1 processes each request serially, HTTP/2 can manage multiple concurrent streams on a single
connection. This means a client can send multiple requests in a single round trip, increasing how much work each
connection can drive.&lt;/p&gt;
&lt;h2&gt;The 'Rapid Reset' Attack Explained&lt;/h2&gt;
&lt;p&gt;The "Rapid Reset" attack is a specific DDoS technique built around HTTP/2. The attacker starts by opening
multiple streams, much like in a standard HTTP/2 attack. However, instead of waiting for responses, they cancel each
request immediately.&lt;/p&gt;
&lt;p&gt;The client does this by sending a RST_STREAM frame, indicating that a previous stream should be cancelled. The rapid
request-and-reset sequence means the server spends resources processing the request, only for it to be cancelled before a
response is generated. This tactic amplifies the server's workload without the attacker needing to wait for responses,
which increases the pressure each connection can place on the server.&lt;/p&gt;
&lt;h2&gt;Variants of the Rapid Reset Attack&lt;/h2&gt;
&lt;p&gt;Attackers also used variations of the Rapid &lt;a href="/blog/http-rapid-reset-attack/"&gt;Reset attack&lt;/a&gt;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;One variant involves delaying the reset action. The attacker opens multiple streams, waits, then cancels the streams
  and instantly opens new ones. This method can evade some rate-based defences.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Another variant avoids stream cancellations. Instead, the attacker tries to open more streams than the server allows.
  This aims to keep the server continually busy, processing a near-constant flow of requests.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Effective Mitigation Techniques&lt;/h2&gt;
&lt;p&gt;Mitigation is not as simple as blocking individual malicious requests. A more effective approach is to close the entire
TCP connection when malicious activity is detected. The HTTP/2 protocol supports connection termination through the
GOAWAY frame. This feature needs to be used aggressively to prevent &lt;a href="/blog/http-rapid-reset-attack/"&gt;Rapid Reset&lt;/a&gt; attacks, rather than
relying on the more passive, standard implementation.&lt;/p&gt;
&lt;p&gt;Deciding which connections to treat as malicious is a challenge. One potential strategy is to monitor connection
statistics. If a connection exceeds a set threshold of cancelled requests, it might be deemed malicious. Responses to
suspect activity could range from sending a GOAWAY frame to terminating the TCP connection.&lt;/p&gt;
&lt;p&gt;For the non-cancelling variant, the best approach is to shut down connections that breach the concurrent stream limit,
either immediately or after a few violations.&lt;/p&gt;
&lt;h2&gt;Broader Protocol Implications&lt;/h2&gt;
&lt;p&gt;These attack techniques are specific to HTTP/2, but the wider protocol lesson still matters. The HTTP/3 (QUIC) protocol
isn't directly vulnerable in the same way. As a precaution, server implementations should consider limiting the work done
by a single connection.&lt;/p&gt;
&lt;h2&gt;The Importance of Industry Collaboration&lt;/h2&gt;
&lt;p&gt;When the threat of the Rapid Reset attack became apparent, the industry collaborated to address the issue. The
vulnerability was disclosed to key HTTP/2 implementers, helping to devise and distribute effective countermeasures. The
vulnerability is logged against &lt;a href="https://www.cve.org/CVERecord?id=CVE-2023-44487"&gt;CVE-2023-44487&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;HTTP/2 'Rapid Reset' DDoS attacks pose a serious risk to services using the protocol. To reduce exposure, service
providers should promptly apply available software patches and updates.&lt;/p&gt;
&lt;hr&gt;
&lt;p&gt;&lt;em&gt;Learn how Peakhour's Application Security Platform helps protect against Layer 7 DDoS attacks, including the HTTP/2 Rapid Reset vulnerability. &lt;a href="/contact-sales/"&gt;Contact our team&lt;/a&gt; to secure your infrastructure.&lt;/em&gt;&lt;/p&gt;</content><category term="DDoS"></category><category term="DDoS"></category><category term="Rate Limiting"></category><category term="HTTP"></category><category term="Bot Management"></category><category term="Web Performance"></category><category term="DNS"></category></entry><entry><title>A Secure Internet</title><link href="https://www.peakhour.io/blog/chrome-https-default-experiment/" rel="alternate"></link><published>2023-08-16T00:00:00+10:00</published><updated>2023-08-16T00:00:00+10:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-08-16:/blog/chrome-https-default-experiment/</id><summary type="html">&lt;p&gt;Google Chrome is advancing towards making the web secure by default through HTTPS-First Mode.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Here at Peakhour, we track browser security changes because they affect how sites are delivered and how users experience
warnings. Google Chrome has made another move towards encrypted and authenticated traffic by expanding HTTPS-First Mode.
Here is what Chrome unveiled on August 16, 2023, and what it means for HTTPS by default.&lt;/p&gt;
&lt;h2&gt;Automatic Upgrades to HTTPS&lt;/h2&gt;
&lt;p&gt;Chrome aims to make HTTPS the standard protocol by automatically upgrading all HTTP navigations to HTTPS. Even if you
click a link explicitly declaring HTTP, Chrome will try HTTPS first. If the upgrade fails because of an invalid
certificate or another issue, Chrome will fall back to HTTP.&lt;/p&gt;
&lt;p&gt;The change is part of an experiment in Chrome version 115. It does not protect against active network attackers, but it
does shift more everyday traffic away from passive eavesdropping and towards HTTPS as the default.&lt;/p&gt;
&lt;h2&gt;Warning on Insecurely Downloaded Files&lt;/h2&gt;
&lt;p&gt;Chrome is also adding warnings before users download high-risk files over insecure connections. Downloaded files can
contain malicious code that compromises a computer. The warning gives users a clearer signal before they proceed, while
still allowing the download if they accept the risk. The rollout of these warnings is expected to start in mid-September.&lt;/p&gt;
&lt;h2&gt;Expanding HTTPS-First Mode Protections&lt;/h2&gt;
&lt;p&gt;Chrome's longer-term goal is to enable HTTPS-First Mode for all users. It is expanding those protections in several
areas:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Enabling HTTPS-First Mode for users in Google's Advanced Protection Program who are also signed into Chrome.&lt;/li&gt;
&lt;li&gt;Planning to enable HTTPS-First Mode by default in Incognito Mode for a more secure browsing experience.&lt;/li&gt;
&lt;li&gt;Experimenting with automatically enabling HTTPS-First Mode on sites frequently accessed over HTTPS.&lt;/li&gt;
&lt;li&gt;Exploring automatically enabling HTTPS-First Mode for users who rarely use HTTP.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Try it Out&lt;/h2&gt;
&lt;p&gt;For users who want to try HTTPS upgrading or insecure download warnings before the full rollout, Chrome has provided
options in the browser's settings to enable these features.&lt;/p&gt;
&lt;h2&gt;Peakhour's HTTPS Redirection Feature at the Edge&lt;/h2&gt;
&lt;p&gt;At Peakhour, HTTPS redirection is a practical edge control. It helps enforce encrypted and authenticated connections
before a request reaches the origin.&lt;/p&gt;
&lt;p&gt;When a user attempts to access a site over HTTP, our edge identifies the unsecured connection. Instead of allowing that
connection through, we redirect the request to the HTTPS version of the site.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Enhanced Security&lt;/strong&gt;: By enforcing HTTPS, data transmitted between your website and your users is encrypted and
   protected from potential attackers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Compliance with Best Practices&lt;/strong&gt;: This feature aligns with industry standards and recent browser policies, including
   Chrome's push towards HTTPS-first mode.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;User Trust&lt;/strong&gt;: A secure connection gives users a clearer reason to trust the site, improving the user experience and
   potentially supporting higher conversion rates.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;We also offer options for customisation, allowing you to set specific rules and behaviours for how HTTP requests are
handled and redirected to HTTPS. Peakhour's HTTPS redirection feature at the edge is a small control with a clear job:
move HTTP traffic onto HTTPS automatically, protect users, and keep sites aligned with current browser expectations.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Chrome's push towards a secure-by-default web is another step towards a fully encrypted and authenticated internet. It
also matches the way Peakhour thinks about everyday security controls: enforce the basics at the edge, and make the safe
path the default.&lt;/p&gt;
&lt;p&gt;Chrome's changes may require developers, enterprises, and users to adapt. The direction is still clear: less plain HTTP,
more HTTPS by default, and fewer silent insecure paths. If your organisation is reviewing its HTTP handling, Peakhour can
help you apply the right redirects and edge rules.&lt;/p&gt;</content><category term="Interest"></category><category term="TLS"></category><category term="HTTP"></category></entry><entry><title>Understanding HTTP Link Headers</title><link href="https://www.peakhour.io/blog/http-link-headers/" rel="alternate"></link><published>2023-05-24T13:00:00+10:00</published><updated>2023-05-24T13:00:00+10:00</updated><author><name>Dan</name></author><id>tag:www.peakhour.io,2023-05-24:/blog/http-link-headers/</id><summary type="html">&lt;p&gt;HTTP Link headers are a relatively unknown but powerful way to improve page load times.&lt;/p&gt;</summary><content type="html">&lt;p&gt;HTTP headers are part of browser requests and server responses. They carry information about the
connecting client, the requested resource, the server, and other request context.
An HTTP header has a case-insensitive name followed by a colon (:), then its value. Headers are used for
authentication information, content negotiation, and related protocol behaviour. Here are some sample
request headers sent by my browser when requesting a page on the Peakhour website:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="n"&gt;Accept&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;text&lt;/span&gt;&lt;span class="sr"&gt;/html,application/xhtml+xml,application/xml;q=0.9,*/&lt;/span&gt;&lt;span class="o"&gt;*;&lt;/span&gt;&lt;span class="n"&gt;q&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mf"&gt;0.8&lt;/span&gt;
&lt;span class="n"&gt;Accept&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;Encoding&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;gzip&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;deflate&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;br&lt;/span&gt;
&lt;span class="n"&gt;Accept&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;Language&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;en&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;AU&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt;&lt;span class="n"&gt;en&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="n"&gt;q&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="mf"&gt;0.9&lt;/span&gt;
&lt;span class="n"&gt;Connection&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;keep&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;alive&lt;/span&gt;
&lt;span class="n"&gt;Cookie&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;_ga_NRWSVE0PSC&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;GS1&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="mf"&gt;1.1685943893&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="mf"&gt;13.0&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="mf"&gt;1685943893.0&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="mf"&gt;0.0&lt;/span&gt;
&lt;span class="n"&gt;Host&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;www&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;peakhour&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="na"&gt;io&lt;/span&gt;
&lt;span class="n"&gt;Sec&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;Fetch&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;Dest&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;document&lt;/span&gt;
&lt;span class="n"&gt;Sec&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;Fetch&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;Mode&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;navigate&lt;/span&gt;
&lt;span class="n"&gt;Sec&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;Fetch&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;Site&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;none&lt;/span&gt;
&lt;span class="n"&gt;User&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;Agent&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;Mozilla&lt;/span&gt;&lt;span class="sr"&gt;/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.4.1 Safari/&lt;/span&gt;&lt;span class="mf"&gt;605.1&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="mi"&gt;15&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h2&gt;The HTTP Link header&lt;/h2&gt;
&lt;p&gt;An HTTP Link header lets a server send
context about a document back to a client. It can identify related
resources or the direct location of a specific asset. For page-load optimisation, Link headers can be an alternative to
putting preload/preconnect/prefetch hints in the HTML.&lt;/p&gt;
&lt;h2&gt;History&lt;/h2&gt;
&lt;p&gt;HTTP Link headers were proposed as a standard in the late 1990s, around the same time the
HTTP/1.1 protocol was defined. However, it wasn't until 2010 that HTTP Link headers were officially recognised by
the Internet Engineering Task Force (IETF) in RFC 5988, which described their purpose and functionality.&lt;/p&gt;
&lt;h2&gt;Uses&lt;/h2&gt;
&lt;p&gt;HTTP Link headers have several uses in web development. Some common examples are:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Pagination&lt;/strong&gt;: Say we have a blog site with hundreds of posts, and we display 10 posts per page.
  When a user requests a page, we can use Link headers to provide URLs for the next and previous pages.
  This helps navigation through the large list of posts. Here's an example of how it might look:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;Link:&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;&amp;lt;&lt;/span&gt;/posts?page=2&amp;gt;;&lt;span class="w"&gt; &lt;/span&gt;rel=&amp;quot;next&amp;quot;,&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;&amp;lt;&lt;/span&gt;/posts?page=4&amp;gt;;&lt;span class="w"&gt; &lt;/span&gt;rel=&amp;quot;prev&amp;quot;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Preloading&lt;/strong&gt;: Suppose we have a heavy image or a large CSS file that we know will be required for a webpage.
  We can use a Link header to tell the browser to start downloading it early, improving the perceived page
  load speed. For instance:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="n"&gt;Link&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;lt;/&lt;/span&gt;&lt;span class="n"&gt;images&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="n"&gt;big&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;picture&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;jpg&lt;/span&gt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;rel&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nb"&gt;preload&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;as&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="n"&gt;image&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;&lt;strong&gt;Resource Hints&lt;/strong&gt;: Link headers can give the browser hints about resources that might be needed in the
  future, so the browser can decide whether to fetch them ahead of time. For instance:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="nt"&gt;Link&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;lt;/&lt;/span&gt;&lt;span class="nt"&gt;scripts&lt;/span&gt;&lt;span class="o"&gt;/&lt;/span&gt;&lt;span class="nt"&gt;myscript&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;js&lt;/span&gt;&lt;span class="o"&gt;&amp;gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;rel&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;prefetch&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Comparison to Link Tags and Why Headers Can Be Better&lt;/h2&gt;
&lt;p&gt;Now you might be wondering, "Why use Link headers when we can use HTML Link tags?" There are several reasons
HTTP Link headers might be a better choice:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Faster Processing&lt;/strong&gt;: Since HTTP Link headers are part of the HTTP response, they arrive before the HTML document.
  This allows browsers to start preloading or prefetching resources sooner, which can improve page load times.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Greater Flexibility&lt;/strong&gt;: HTTP Link headers can be used in situations where HTML Link tags cannot. For instance, they
  can be used with file types that don't support HTML, like JSON or XML. They can also be added by a third party, e.g.,
  &lt;strong&gt;an edge delivery layer such as Peakhour&lt;/strong&gt;, without the need to parse and rewrite the HTML document.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Less Clutter&lt;/strong&gt;: Link headers can make your HTML less cluttered, as you can avoid filling the HTML document with
  numerous Link tags.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;HTTP Link headers are a small part of HTTP, but they are useful for performance and flexibility. An edge delivery layer
can add Link headers without the overhead of parsing or manipulating the main document, which makes them useful for
optimising website performance.&lt;/p&gt;</content><category term="Learning"></category><category term="HTTP"></category><category term="Web Performance"></category><category term="Caching"></category><category term="Rate Limiting"></category><category term="Core Web Vitals"></category><category term="CDN"></category></entry><entry><title>TLS Fingerprinting</title><link href="https://www.peakhour.io/blog/tls-fingerprinting/" rel="alternate"></link><published>2023-02-02T13:00:00+11:00</published><updated>2023-02-02T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2023-02-02:/blog/tls-fingerprinting/</id><summary type="html">&lt;p&gt;What is fingerprinting, and in particular TLS fingerprinting?&lt;/p&gt;</summary><content type="html">&lt;h2&gt;What is Fingerprinting?&lt;/h2&gt;
&lt;p&gt;Fingerprinting is a technique that may be used to identify the specific device, web browser,
and operating system making a request, regardless of what the client says in its user-agent header.
By helping organisations identify and characterise the attributes of a client's connection,
fingerprinting can improve network security and help protect against malicious traffic.&lt;/p&gt;
&lt;p&gt;Fingerprinting can also refer to techniques for following or uniquely identifying individual users across the web.
That is a separate set of techniques and is not discussed in this article.&lt;/p&gt;
&lt;p&gt;&lt;a href="/learning/fingerprinting/what-is-tls-fingerprinting/"&gt;Transport Layer Security (TLS) Fingerprinting&lt;/a&gt; determines the specific characteristics of a client's TLS
implementation by examining the initial TLS handshake packet, known as the "Client Hello." This packet
contains fields and parameters such as supported cipher suites, extensions, and the client's preferred order of
those parameters, which can be used to create a unique "fingerprint" of the client's TLS implementation.&lt;/p&gt;
&lt;h2&gt;Why is it used?&lt;/h2&gt;
&lt;p&gt;Fingerprinting has several uses, including &lt;a href="/products/bot-management/"&gt;bot protection&lt;/a&gt;, DDoS protection, and client
identification. By identifying and characterising the attributes of a client's connection,
fingerprinting can improve network security and help protect against malicious traffic.&lt;/p&gt;
&lt;h2&gt;How does TLS Fingerprinting work?&lt;/h2&gt;
&lt;p&gt;TLS Fingerprinting examines the initial TLS handshake packet, known as the "Client Hello".
The Client Hello packet is sent by the client during the initial phase of the TLS handshake, which establishes a secure
connection between the client and the server. It contains information about the client's preferred encryption methods,
extensions, and parameters, including:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Protocol Version: The version of the TLS protocol desired by the client.&lt;/li&gt;
&lt;li&gt;Random: A 32-byte random value generated by the client, used in key generation and derivation.&lt;/li&gt;
&lt;li&gt;Session ID: An optional session identifier for resuming a previous session.&lt;/li&gt;
&lt;li&gt;Cipher Suites: A list of supported encryption algorithms, ordered by preference.&lt;/li&gt;
&lt;li&gt;Compression Methods: A list of supported compression algorithms, ordered by preference.&lt;/li&gt;
&lt;li&gt;Extensions: Optional extensions that can negotiate additional parameters, such as Server Name Indication (SNI) and
   Elliptic Curve Supported (ECS).&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;The Client Hello packet is central to the operation and security of the TLS connection because it provides information
the server uses to select encryption algorithms and parameters. The packet also enables the client and server to
negotiate an appropriate encryption method for their communication. The Client Hello's variable
content, based on the TLS version, library, cipher suites, extensions, and settings supported by the client, makes it
a strong candidate for fingerprinting.&lt;/p&gt;
&lt;p&gt;Common components used to create a TLS fingerprint include:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Cipher Suites: The order of cipher suites supported by the client.&lt;/li&gt;
&lt;li&gt;Extensions: Supported extensions included in the Client Hello packet, such as SNI and ECS.&lt;/li&gt;
&lt;li&gt;TLS Point Formats: Encoding of cryptographic parameters in a format that can be transmitted as part of the TLS
   protocol, used in elliptic curve cryptography (ECC).&lt;/li&gt;
&lt;li&gt;TLS Curves: The specific elliptic curves used in ECC, a type of public-key cryptography used in the TLS protocol.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;TLS fingerprinting has been a topic of research for several years, with a number of tools and techniques developed
from that work. Notable examples include &lt;a href="/learning/fingerprinting/what-is-ja3-fingerprinting/"&gt;JA3&lt;/a&gt;, developed by John Althouse, Jeff Atkinson, and Josh Atkins of Salesforce,
which uses a hash of the client's SSL/TLS parameters as a unique identifier for tracking and analysing
SSL/TLS traffic. Another tool, Mercury by David McGrew and Blake Anderson, can be used to fingerprint client connections
and identify the device, operating system, and application making the connection.&lt;/p&gt;
&lt;p&gt;TLS fingerprinting has a variety of uses, including bot protection, DDoS protection, malware identification and
client identification. By enabling organisations to identify and characterise the attributes of a client's TLS
implementation, TLS fingerprinting can improve network security and help protect against malicious traffic.&lt;/p&gt;
&lt;p&gt;In production, TLS fingerprints are most useful when combined with &lt;a href="/products/ip-intelligence/"&gt;IP intelligence&lt;/a&gt; and &lt;a href="/products/residential-proxy-detection/"&gt;residential proxy detection&lt;/a&gt;, rather than treated as a standalone verdict.&lt;/p&gt;
&lt;h2&gt;Representation of a TLS Fingerprint&lt;/h2&gt;
&lt;p&gt;A TLS fingerprint is commonly represented as a string or hash that summarises the important components of the Client
Hello packet. The most common components used to create a TLS fingerprint include the supported cipher suites,
extensions, and TLS point formats. The cipher suites are represented as a list of hexadecimal values in the order
they are presented by the client, while extensions and point formats are represented as a list of hexadecimal values
or a unique identifier.&lt;/p&gt;
&lt;p&gt;Raw JA3 signatures are represented by the following fields, which are then hashed with MD5:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;SSLVersion, Cipher, SSLExtension, EllipticCurve, EllipticCurvePointFormat
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;An example raw signature is:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt; 771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-34-51-43-13-45-28-21,29-23-24-25-256-257,0
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;An MD5 hash is then applied, resulting in the final signature.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="mf"&gt;579&lt;/span&gt;&lt;span class="n"&gt;ccef312d18482fc42e2b822ca2430&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Mercury signatures are represented by:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&amp;quot;tls/1&amp;quot; (TLS_Version) (TLS_Ciphersuite) [ Extension* ]
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;An example signature is:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;tls/1/
(0303)
(130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff)
[
   (0000)
   (000a000c000a001d0017001e00190018)
   (000b000403000102)
   (000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602)
   (0016)
   (0017)
   (0023)
   (002b0009080304030303020301)
   (002d00020101)
   (0033)
]
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h2&gt;Hash Functions for Representing TLS Fingerprints&lt;/h2&gt;
&lt;p&gt;Hashing algorithms, such as MD5, are commonly used to create a unique representation of a TLS fingerprint.
These hash functions take the client's TLS parameters as input and produce a fixed-length output, which serves as
a unique identifier for the client. The hash value can be compared against a database of known TLS fingerprints to
help determine the identity of the client.&lt;/p&gt;
&lt;p&gt;Other techniques for representing TLS fingerprints include base64 encoding of the client's TLS parameters, such as in the
Mercury fingerprint.&lt;/p&gt;
&lt;h2&gt;Challenges with TLS fingerprinting&lt;/h2&gt;
&lt;p&gt;TLS fingerprinting is not a foolproof method for identifying clients and their attributes. It has several limitations
that need to be considered.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;False Positives: TLS fingerprinting relies on the assumption that the client's Client Hello packet uniquely
   identifies a connecting process by its TLS implementation. However, it is possible for a client to alter the Client
   Hello packet by customising TLS parameters, which affects the Client Hello packet and can result in a false
   positive
   identification. This makes it important to use multiple methods for identifying clients. For example, Mercury takes
   into account destination ports to add additional context.&lt;/li&gt;
&lt;li&gt;False Negatives: While TLS fingerprinting can identify many different clients and their attributes, it is not capable
   of identifying all clients. Some clients may have a unique or unusual TLS implementation that cannot be accurately
   fingerprinted. Additionally, some clients may actively attempt to evade fingerprinting by customising
   TLS parameters or using tools to anonymise their connections.&lt;/li&gt;
&lt;li&gt;Forging of TLS Fingerprints: It is possible for attackers to deliberately forge or modify the information contained
   in their Client Hello packet to appear as a different client. This makes it difficult for fingerprinting tools to
   accurately identify the true identity of a client and can be used for malicious purposes, such as evading security
   measures or disguising the origin of an attack.&lt;/li&gt;
&lt;li&gt;Incomplete Data: TLS fingerprinting is limited by the information contained in the Client Hello packet, which may not
   contain all of the necessary data to accurately identify a client. For example, a client may not send a full list of
   supported cipher suites or extensions, may use a modified version of the TLS protocol that is not recognised by
   the fingerprinting tool, or the fingerprint may not be present in available databases.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;Different fingerprinting implementations can result in different hashes for the same TLS connection, even though the
underlying SSL/TLS protocol remains unchanged. This happens due to the various algorithms, parameters, and
representations used by different fingerprinting tools.&lt;/p&gt;
&lt;p&gt;For instance, implementation differences when generating the TLS fingerprint may cause hashes found in public databases
to be inconsistent with a locally generated hash.&lt;/p&gt;
&lt;h2&gt;Final Thoughts&lt;/h2&gt;
&lt;p&gt;Be aware of the limitations and differences between fingerprinting implementations, and choose the right tool and
representation for your specific use case. Standardising the representation of fingerprints and using common hash
algorithms can help avoid confusion and improve interoperability between databases.&lt;/p&gt;</content><category term="Security"></category><category term="TLS Fingerprinting"></category><category term="Browser Fingerprinting"></category><category term="Fingerprinting"></category><category term="TLS"></category><category term="HTTP"></category><category term="DDoS"></category></entry><entry><title>Cache-Status</title><link href="https://www.peakhour.io/blog/cdn-cache-status-header/" rel="alternate"></link><published>2022-02-25T13:00:00+11:00</published><updated>2022-02-25T13:00:00+11:00</updated><author><name>AC</name></author><id>tag:www.peakhour.io,2022-02-25:/blog/cdn-cache-status-header/</id><summary type="html">&lt;p&gt;Cache-Status is a proposed standard header to provide visibility into how caching providers interact and handle a request.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Diagnosing &lt;a href="/learning/cdn/"&gt;CDN&lt;/a&gt; caching can be complex, with multiple cache layers, Origin Shielding, and local caching.
Understanding how these layers interact can mean spending weeks working through RFCs for the
finer details of ETag, Cache-Control, and Last-Modified headers - before you even account for advanced controls
that override them.&lt;/p&gt;
&lt;p&gt;When you have a problem, or are trying to optimise caching, the first thing you need is visibility into how a request was handled.&lt;/p&gt;
&lt;p&gt;This is where the new Cache-Status header helps. The new draft RFC, RFC draft-ietf-httpbis-cache-header-08, aims to:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="n"&gt;aide&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;debugging&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;by&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;standardising&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;the&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;format&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;of&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;various&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;non&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="n"&gt;standard&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;debug&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;headers&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="n"&gt;used&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;by&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;major&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;CDN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;providers&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;The&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;semantics&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;of&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;these&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;headers&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;are&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;often&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;unclear&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="ow"&gt;and&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;vary&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="n"&gt;between&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;implementations&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The draft RFC proposes a new header, Cache-Status, with a uniform format for showing how multiple
caching providers interact and handle a request. The Cache-Status header forms a list. Each member of the list
represents a cache that has handled the request, and the last member belongs to the cache that most recently
served the user. The header is only applicable to responses directly generated
by an origin server. Each member can add a parameter indicating how it handled the request.&lt;/p&gt;
&lt;p&gt;A Cache-Status header looks like this:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;Cache-Status&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;OriginCache&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;hit&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ttl&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;1100&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;CDN Company Here&amp;quot;&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fwd&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;uri-miss&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;It is formatted and labelled, with each cache in the line separated in list format by a ','.&lt;/p&gt;
&lt;h6&gt;The format of the Cache-Status header is a list comprising of the following possible parameters:&lt;/h6&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;hit&lt;/strong&gt;          = boolean&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;fwd&lt;/strong&gt;          = (bypass, method, uri-miss, vary-miss, request, stale, partial)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;fwd-status&lt;/strong&gt;   = integer&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;ttl&lt;/strong&gt;          = integer&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;stored&lt;/strong&gt;       = boolean&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;collapsed&lt;/strong&gt;    = boolean&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;key&lt;/strong&gt;          = string&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;detail&lt;/strong&gt;       = token / string&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;What the parameters mean&lt;/h2&gt;
&lt;h3&gt;Hit&lt;/h3&gt;
&lt;p&gt;The hit parameter signifies that a request was satisfied by the cache. It is a boolean parameter meaning
that its presence indicates a cache hit.&lt;/p&gt;
&lt;p&gt;For example:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;Cache-Status&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;Peakhour&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;IO&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;hit&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h3&gt;Fwd&lt;/h3&gt;
&lt;p&gt;The Fwd parameter indicates when a response was forwarded to an origin server - and why. The Fwd parameter
contains one of the following arguments:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;bypass&lt;/strong&gt; - The cache was configured to not handle this request&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;method&lt;/strong&gt; - The request method's semantics require the request to be
   forwarded&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;uri-miss&lt;/strong&gt; - The cache did not contain any responses that matched
   the request URI&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;vary-miss&lt;/strong&gt; - The cache contained a response that matched the
   request URI, but could not select a response based upon this
   request's headers and stored Vary headers.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;miss&lt;/strong&gt; - The cache did not contain any responses that could be used
   to satisfy this request (to be used when an implementation cannot
   distinguish between uri-miss and vary-miss)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;request&lt;/strong&gt; - The cache was able to select a fresh response for the
   request, but the request's semantics (e.g., Cache-Control request
   directives) did not allow its use&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;stale&lt;/strong&gt; - The cache was able to select a response for the request,
   but it was stale&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;partial&lt;/strong&gt; - The cache was able to select a partial response for the
   request, but it did not contain all of the requested ranges (or
   the request was for the complete response)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For example:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;Cache-Status&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;Peakhour&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;IO&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fwd&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;uri-miss&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h3&gt;Fwd-status&lt;/h3&gt;
&lt;p&gt;The fwd-status parameter indicates the status code the next hop returned in response to the request. It is only
meaningful when "fwd" is present. For example, a complete miss would look like &lt;em&gt;fwd=uri-miss&lt;/em&gt;
and the HTTP status code of the downstream response would be supplied in the fwd-status:&lt;/p&gt;
&lt;p&gt;The following example shows that the cache did not satisfy the request and that the downstream server
indicated an HTTP 304 response - HTTP Not Modified.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;Cache-Status&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;Peakhour&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;IO&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fwd&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;uri-miss&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fwd-status&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;304&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h3&gt;ttl&lt;/h3&gt;
&lt;p&gt;Each cache item is associated with a lifetime, referred to as the Time To Live (TTL). A TTL is in seconds
and indicates the remaining  &lt;em&gt;freshness&lt;/em&gt; of the resource. This value is calculated by the cache.&lt;/p&gt;
&lt;p&gt;For example, a cache hit showing that the resource has a &lt;em&gt;freshness&lt;/em&gt; of 376 seconds.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;Cache-Status&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ExampleCache&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;hit&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ttl&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;376&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Another example shows a cache hit with &lt;em&gt;negative freshness&lt;/em&gt;  - a stale resource.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;Cache-Status&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ExampleCache&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;hit&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ttl&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;-412&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h3&gt;stored&lt;/h3&gt;
&lt;p&gt;Indicates whether the received response was stored by the cache. This example shows a cache miss and the
cache storing the response for the next hit.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;Cache-Status&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ExampleCache&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;fwd&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;uri-miss&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;stored&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h3&gt;collapsed&lt;/h3&gt;
&lt;p&gt;Indicates whether the received response was collapsed with another request.&lt;/p&gt;
&lt;h3&gt;key&lt;/h3&gt;
&lt;p&gt;The key is the lookup index into a cache. Cache keys convey a representation of how the cache will
look up the resource used for the response. The cache key is implementation-specific.&lt;/p&gt;
&lt;p&gt;This example shows a cache hit, the cache key and secondary key, and the remaining TTL of the resource.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;cache-status&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;peakhour&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nc"&gt;io&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;hit&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;key&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;https://example.com/calendar.css&amp;quot;&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;secondary-key&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;encoding::gzip&amp;quot;&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ttl&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;30674859&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h3&gt;detail&lt;/h3&gt;
&lt;p&gt;Allows additional implementation-specific information not captured by other parameters.&lt;/p&gt;
&lt;h3&gt;Multiple layers of caching&lt;/h3&gt;
&lt;p&gt;The header allows multiple layers of caching. For example, a global CDN may sit in front of a local varnish server.
Each cache appends its cache-status to the header, so the last item is the closest cache
to the actual application and the first item is the closest cache to the accessing user.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;Cache-Status&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;OriginCache&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;hit&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ttl&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;1100&lt;/span&gt;&lt;span class="o"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;CDN Company Here&amp;quot;&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;hit&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;ttl&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="nt"&gt;545&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h2&gt;Security&lt;/h2&gt;
&lt;p&gt;There are security implications to consider with this header. Making it public gives an attacker insight
into how the cache is configured, which may help them bypass a cache entirely and access an origin server directly.
Cache header security is provider-specific, but could involve enabling it only when required, restricting access to specific
IP addresses, or requiring a custom request header to trigger the cache-status header.&lt;/p&gt;
&lt;p&gt;Peakhour.IO regularly sees automated scans sending other providers' headers to trigger a cache-status header response.&lt;/p&gt;
&lt;h2&gt;Conclusion&lt;/h2&gt;
&lt;p&gt;The Cache-Status header gives clear insight into how cache layers interact
on a website. It provides a standardised format for showing how a cache handled a request and
allows multiple caches to report their part of the request path.&lt;/p&gt;
&lt;p&gt;Peakhour fully supports this new header, and it can be enabled/disabled and secured in the dashboard.&lt;/p&gt;</content><category term="Learning"></category><category term="Caching"></category><category term="CDN"></category><category term="Drupal"></category><category term="HTTP"></category><category term="Rate Limiting"></category><category term="Web Performance"></category></entry></feed>