Headers overview

eVSB uses a combination of standard HTTP headers and custom headers for various functionalities, including authentication, timestamp validation, IP verification, encryption, and caching.

Native Headers

Authentication: Headers for user credentials.

Timestamp Validity: Ensures the request is within a valid time frame.

IP Verification: Verifies the origin of the request.

Encryption System: Controls response encryption.

Cache System: Manages caching to optimize bandwidth and resources.

Authentication Headers

User (U): Contains the username provided by CSQ.

Salt (ST): Contains a Unix timestamp, valid for 30 seconds, compared with the server's timestamp for validity.

SaltedHash (SH): Calculated as sha256hex(sha256hex(password) + sha256hex(salt)), where sha256hex is the lowercase hex-string representation of a SHA-256 hash, + means concatenation, password is provided by CSQ, and salt is the timestamp.
Incorrect hashes, invalid credentials, or expired salts result in HTTP 401 - Unauthorized or HTTP 500 - Internal Server Error responses.

Force Response Encryption

Accept: Using application/encrypt forces encrypted responses, saving bandwidth and preventing man-in-the-middle attacks. The encryption uses AES/CBC/PKCS5Padding with keys provided by CSQ.

Accept: Using application/json requests plain JSON responses.
eVSB supports only application/json and application/encrypt content types. Encrypted responses are indicated by the Content-Type header and returned in binary format.

Cache Checksum System

The cache system improves bandwidth and resource efficiency by using checksums for identical URL requests.

Cache-Hash: Contains the last response's checksum. If the checksum matches, no body response is sent; if it differs, the full response is sent.

New-Cache-Hash: The server responds with the checksum of the response body.

This system is recommended for operations with large response bodies and should not be used for dynamic or payment operations.

Compression

eVSB supports gzip compression for responses, applied after encryption.

Accept-Encoding: Using gzip returns a compressed response; using identity returns an uncompressed response.
Only gzip and identity values are supported. Compressed responses are indicated by the Content-Encoding header.

Required Request Headers

U: Username provided by CSQ.

ST: Current Unix timestamp.

SH: Calculated SaltedHash.

X-Real-Ip: Origin IP address.

Accept-Encoding: Indicates response compression (gzip or identity).

Accept: Indicates response type (application/json or application/encrypt).

Cache-Hash: Last returned checksum or null/incorrect value for triggering the cache system.

Host: Target server.

Agent: Information about the origin agent/server.
Extra headers are ignored by the server.

Response Headers

UID: Unique request operation ID (internal use).

U: Echoes the request's U header (internal use).

New-Cache-Hash: SHA-256 hash of the response body.

Content-Type: Indicates the response media type (JSON/encrypted) and charset (UTF-8).

Content-Length: Length of the response in bytes.

Date: Server timestamp in GMT.

Connection: Indicates connection state after response (always close as eVSB is stateless).

How to obtain headers

With JavaScript

With Python

With Java

With Php

Headers

Headers overview#

Native Headers#

Authentication Headers#

Force Response Encryption#

Cache Checksum System#

Compression#

Required Request Headers#

Response Headers#

How to obtain headers#