What is a suspicious HTTP indicator?


Multiple Choice

What is a suspicious HTTP indicator?

Explanation:

When looking for suspicious HTTP activity, the strongest red flags are in the content and structure of the requests and responses. Strangeness in the URI or payload, especially when the payload is encoded, stands out as a clear indicator that something unusual or potentially malicious is happening. Unusual URIs can point to hidden or unexpected endpoints, and encoded payloads (like base64 or hex) can hide commands, data exfiltration attempts, or malware communication. These patterns are far more indicative of a problem than what the traffic looks like at a surface level.

Standard 200 OK responses are simply normal successes and don’t tell you anything suspicious on their own. Plain-text headers alone can be misleading or benign in many contexts, and while some oddities there can raise an eyebrow, by themselves they aren’t reliable signals. Moderate bandwidth usage can be normal in many legitimate scenarios and doesn’t inherently imply something malicious.
