How to view HTTPS headers - WKB202467
Article number: 202467
OBJECTIVE or GOAL
Troubleshoot HTTPS connection issues in Waters software products by viewing the HTTP request and response headers.
ENVIRONMENT
- Windows 10
- Windows Server 2019/2016/2012
- Microsoft Edge, Mozilla Firefox, Google Chrome, Internet Explorer (also IE mode in Microsoft Edge)
PROCEDURE
- Via Developer Tools in a web browser (available in MS Edge, IE Mode in Edge, Chrome, Firefox):
- Click the Menu button > Developer Tools. The exact name of the menu item differs between browsers and browser versions; however, "developer tools" seems to be commonly used in all of the major web browsers.
- Click the Network tab.
- Start recording network activity.
- Reproduce the problem, or browse the website, as applicable. The HTTP requests will be recorded and made visible in the Developer Tools tab or window.
- Stop the capture when appropriate.
- Click one of the requests in the list. The request and response headers for that request should now appear. In some browsers the headers are in a separate tab in the user interface.
- Review the HTTP headers for clues to the problem.
- Via cURL:
- Download the appropriate binary package for cURL from https://www.curl.se/.
- Open a command prompt.
- Browse to the installation path for cURL.
- Run curl.exe with parameters.
- Example: curl.exe --include https://server
- "--include" means that cURL should include the HTTP headers in the output.
- "--insecure" is useful if the web server has a self-signed certificate. This type of certificate is commonly used for test servers and is categorically rejected by web clients as being inherently insecure. This option is the most expedient way to bypass the restriction. The connection will still be via HTTPS, but cURL will ignore the certificate error. Another option is to supply the web server with a certificate issued by a trusted CA, and configure CA to trust that certificate.
- "--http1.1" and "--http2" specify the version of the HTTP to use, in case of transient transport errors, incompatible servers, or for checking for differences in server output between protocol versions.
- Copy the output from the command prompt to a file as evidence or for further offline analysis.
ADDITIONAL INFORMATION
Request headers are sent by a web client as part of each request to a web server. Response headers are sent by the web server in response to requests from web clients. The headers are a means of communication between web clients and servers about the requests.
Articles on specific HTTP headers:
- X-UA-Compatible
- Specifies the recommend user-agent and version for use with the site. Largely used only by Microsoft and Google browsers. It should be set to "IE=5" for legacy SDMS WebVision sites and to "IE=Edge" for LMS SampleShare sites.
- How to add the X-UA-Compatible HTTP header to NuGenesis web servers
- Strict-Transport-Security
- When a web browser receives this header from a site via a secure channel, it should cache this information as per time limit in the max-age attribute, and direct all future HTTP requests for that site to HTTPS. Web browsers should ignore this header if received via insecure HTTP.
- Can HTTP Strict Transport Security (HSTS) be used with NuGenesis Web servers?
- How to add the HTTP Strict Transport Security (HSTS) header to the Default Web Site in Windows' IIS Manager
- X-Powered-By
- Specifies the supporting technology that assisted in the response. For Microsoft IIS, this header is often "ASP.NET". The header may also contain "ARR/3.0" if the Application Request Module was involved in the response (as is the case for SDMS WebVision for NuGenesis 8 and 9.0-9.2). It often contains information about the server that would be useful to an attacker, so the recommendation is to remove this header from all sites within IIS.
- How to disable the X-Powered-By HTTP header in Microsoft IIS
- How to disable the Server and X-Powered-By HTTP headers in NuGenesis LMS
- Accept
- NuGenesis SDMS web servers check the accept header in the HTTP request for "application/nugenesis-sdms" when a user tries to download a file or report. If the header does not contain that string (case-sensitive), the server prompts the user to download the Transfer App, as documented in article WKB967.
id202467, comms