🧾 Headers Overview

eVSB uses a mix of standard HTTP headers and custom ones to handle key functions like authentication, encryption, timestamp validation, IP checking, compression, and caching.

🔐 Native Header Purposes

Each custom header plays a specific role in request validation and performance optimization:

Authentication – Verifies user credentials.

Timestamp Validation – Ensures the request is recent (within 30 seconds).

IP Verification – Confirms the request originates from an expected source.

Encryption System – Controls whether responses are encrypted.

Caching System – Optimizes bandwidth using response checksums.

🔑 Authentication Headers

These headers are mandatory in every request:

Header	Description
`U`	Username assigned by CSQ.
`ST`	Unix timestamp (valid for 30 seconds). Used as a salt for hashing.
`SH`	Salted hash calculated as: `sha256hex( sha256hex(password) + sha256hex(salt) )` — all lowercase hex-encoded.

❗ If any of these are incorrect or expired, the server returns 401 Unauthorized or 500 Internal Server Error.

🔒 Response Encryption

Use the Accept header to define how you want the response:

application/encrypt: Forces AES-encrypted binary responses using AES/CBC/PKCS5Padding with CSQ-provided keys.

application/json: Requests plain JSON (unencrypted).

⚠ Only these two content types are supported.

Encrypted responses are identified by the Content-Type header and returned in binary format.

🧠 Smart Caching via Checksum

To avoid sending unchanged responses, eVSB implements a lightweight checksum strategy:

Header	Role
`Cache-Hash`	Sent by the client, containing the last known hash. If it matches, the body isn’t re-sent.
`New-Cache-Hash`	Server returns the SHA-256 checksum of the current response.

Recommended for endpoints with large static responses. Avoid using this with dynamic or payment operations.

🌀 Compression Support

eVSB supports GZIP compression after encryption.

Header	Value	Result
`Accept-Encoding`	`gzip`	Returns a compressed payload
	`identity`	Returns uncompressed content

Compressed content is indicated with the Content-Encoding header.

📥 Required Request Headers

These must be included in all eVSB requests:

Header	Description
`U`	CSQ-assigned username
`ST`	Current Unix timestamp
`SH`	Salted hash (see above)
`X-Real-Ip`	Client's origin IP
`Accept-Encoding`	Compression method (`gzip` or `identity`)
`Accept`	Response format (`json` or `encrypt`)
`Cache-Hash`	Last response hash or a placeholder
`Host`	Target server
`Agent`	Identifies client system or app

Any extra headers beyond these are ignored.

📤 Response Headers

Header	Meaning
`UID`	Internal request tracking ID
`U`	Echoes the request's `U` value
`New-Cache-Hash`	SHA-256 checksum of the response body
`Content-Type`	Media type (`application/json` or `application/encrypt`)
`Content-Length`	Size of the response in bytes
`Date`	Server-side timestamp (GMT)
`Connection`	Always set to `close` (stateless protocol)

How to obtain headers

With JavaScript

With Python

With Java

With Php

Headers

🧾 Headers Overview#

🔐 Native Header Purposes#

🔑 Authentication Headers#

🔒 Response Encryption#

🧠 Smart Caching via Checksum#

🌀 Compression Support#

📥 Required Request Headers#

📤 Response Headers#

How to obtain headers#