Since it's HTTP, I just took a packet capture of a suspected workload and following is what I found.