As far as I know, everything about the Internet is (or rather should be?) defined and documented in the RFCs. I found a listing of several HTTP-headers on mozilla.org (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers), which I assumed to be second-hand knowledge taken from the RFCs. However, most of the security-related HTTP-headers are neither in the RFCs (source: https://www.rfc-editor.org/search/rfc_search_detail.php?title=Content-Security-Policy) nor in the HTTP-headers suggested by IANA (source: https://www.iana.org/assignments/message-headers/message-headers.xhtml).

  1. Is there a committee that decides on such conventions and a central place where I can always find first-hand information about the rules of the internet?
  2. How do programmers of critical applications know which features they have to implement to keep their software up-to-date with the rest of the internet?
  3. How can programmers be sure their software is implemented perfectly according to the rules and works in harmony with the rest of the internet? E.g. somebody who programs an FTP-client (assuming they are not making use of libraries) has to make sure their understanding of the FTP-protocol is the same as that of every single FTP-server-application, right?
Max
  • `Questions which are too broad, unclear, incomplete or primarily opinion-based` may be **[closed by the community](https://stackoverflow.com/help/closed-questions)** until they are improved. – amarinediary Dec 31 '20 at 01:57
  • One thread per question is the usual best practice on Stackoverflow. – amarinediary Dec 31 '20 at 01:59
  • How is this question too broad, unclear, incomplete or primarily opinion-based? – Max Dec 31 '20 at 09:51

1 Answer

The RFCs stand as the final approved documentation. In your case, HTTP is under the HTTP Working Group, so some new features which some browsers already support are being discussed in this group. Expanding the idea, some security headers present in HTTP may be from other groups and just referenced in HTTP RFCs. The Content Security Policy is documented in RFC 7762; note that it's tagged as informational.

  1. Each area has its working groups; in this case HTTP is nested in ART (Applications and Real-Time Area). Each of those groups compiles, revises and publishes new specifications. As an example you can see the HTTP (httpbis) charter.

  2. There are two options: implement based on the RFCs and their references, or follow the Working Group directives and references. Using only RFCs is more secure and interoperable but will eventually be outdated until a new RFC is published.

  3. The only way is to implement what is documented under the RFCs. It's part of the internet concept: new features or standards will take a while to be fully documented, and it's up to developers to research and implement those.

  • HTTP is not secure, it is TLS that can secure HTTP, and there are RFCs for TLS. The OP simply does not know what to search for. – Ron Maupin Dec 31 '20 at 02:02
  • No, I did not know WHERE to search. Everything I wanted to know is answered above - so apparently Herbert figured my question was reasoned. Thanks! Encrypting HTTP was not actually part of my initial question. – Max Dec 31 '20 at 10:02
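The practical side of the question (which security headers a server actually sends, and which document defines each one) can be checked mechanically. The following is an added example, not code from Max or from the answerer: it parses a constructed HTTP/1.1 response, lists the well-known security headers that are present or missing, and annotates each with the specification that defines it. The header-to-document table is this example's own, hand-written mapping (it is not an IANA export), and it reflects the point made in the thread that several of these headers are defined by W3C or WHATWG specifications rather than by Standards Track RFCs.

```python
# Added example: audit the security headers of a raw HTTP/1.1 response and
# show where each header is actually specified. Not part of the original
# question or answer.

from typing import Dict, List, Optional, Tuple

# Header name (lower-cased) -> defining document. This mapping is written for
# this example; entries marked W3C/WHATWG are not RFCs, which is why a search of
# the RFC index does not turn them up.
SECURITY_HEADER_SPECS: Dict[str, str] = {
    "strict-transport-security": "RFC 6797 (Standards Track)",
    "x-frame-options": "RFC 7034 (Informational)",
    "content-security-policy": "W3C CSP spec; directive registry in RFC 7762 (Informational)",
    "x-content-type-options": "WHATWG Fetch Standard",
    "referrer-policy": "W3C Referrer Policy",
}

# Constructed sample response for this example (not a capture from any site).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html></html>"
)


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP/1.1 response into its status line and a header map.

    Header field names are case-insensitive (RFC 7230 section 3.2), so they
    are lower-cased; a header that appears more than once is kept as a list in
    arrival order. A header line without a colon is treated as malformed.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def audit_security_headers(
    headers: Dict[str, List[str]]
) -> Tuple[Dict[str, Tuple[List[str], str]], List[str]]:
    """Return (present, missing): present maps header -> (values, spec);
    missing lists the known security headers the response did not send."""
    present: Dict[str, Tuple[List[str], str]] = {}
    missing: List[str] = []
    for name, spec in SECURITY_HEADER_SPECS.items():
        if name in headers:
            present[name] = (headers[name], spec)
        else:
            missing.append(name)
    return present, missing


def hsts_max_age(value: str) -> Optional[int]:
    """Extract max-age (seconds) from a Strict-Transport-Security value.

    Directives are ';'-separated and case-insensitive (RFC 6797 section 6.1);
    returns None when no max-age directive is present.
    """
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val:
            return int(val.strip().strip('"'))
    return None


if __name__ == "__main__":
    status, hdrs = parse_response(SAMPLE_RESPONSE)
    print(status)
    present, missing = audit_security_headers(hdrs)
    for name, (values, spec) in present.items():
        print(f"present  {name}: {values}  [{spec}]")
    for name in missing:
        print(f"missing  {name}  [{SECURITY_HEADER_SPECS[name]}]")
    sts = hdrs.get("strict-transport-security", [""])[0]
    print("HSTS max-age:", hsts_max_age(sts))
```

Running the block on the constructed response reports HSTS, CSP and X-Content-Type-Options as present and X-Frame-Options and Referrer-Policy as missing; the spec column is the useful part for the question above, since it shows that "not in the RFC index" does not mean "undefined", only that the defining document lives with another standards body.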