HTTP
A bit of 
History 
First
1945 – THE MEMEX SYSTEM Microfilm management 
1965 – HyperText Project Xanadu 
1991 – HTTP 0.9 GET only 
1996 – HTTP 1.0 Headers, MIME, … 
1997 – HTTP 1.1 Flaw correction 
1998 – HTTP-NG stopped 
2015 – HTTP/2 RFC Publish date
What about HTTP-NG? 
It was planned to replace HTTP-1.1… 
Nah, HTTP-1.1 worked – 
no one wanted to adapt 
HTTP-NG and replace 1.1! 
By now we don’t need it 
anymore…
Uniform 
Resource 
Locator
The Navigator 
Berners-Lee's "Biggest Mistake"
<scheme>://<user>:<password>@<host>:<port> 
/<path>;<params>?<query>#<frag>
URLs are 
7-BIT 
US-ASCII
Small and safe alphabet 
Readable by people 
always complete 
Encoding%20Bypasses%20limitations 
Reserved Characters (most of them) 
% / . .. # ? ; : $ , + @ & = { } |  ^ [ ] ‘ < > “
The Future of URL
URN – Uniform resource name: a stable name for an object
PURL – Persistent URL: a URN reached through a URL, using a resource locator server
HTTP 
Messages
Request (CLIENT → Server)
GET / HTTP/1.1
Host: www.namics.com
Accept: text/html

Response (Server → CLIENT)
HTTP/1.1 200 OK
Server: nginx/1.4.3
Content-Type: text/html;
Content-Length: 4323

Message anatomy – plain ASCII, every line ends with [CRLF], an empty line ends the headers
Start line:  GET / HTTP/1.1 [CRLF]
Headers:     Host: www.namics.com [CRLF]
             Accept: text/html [CRLF]
             [CRLF]
Body:        (none for this GET)

Start line:  HTTP/1.1 200 OK [CRLF]
Headers:     Content-Type: text/html [CRLF]
             Server: nginx/1.4.3 [CRLF]
             [CRLF]
Body:        <html>…</html>
Common 
Methods
Safe methods (no action on the server): GET, HEAD
Methods with a message body (send data to the server): PUT, POST, PATCH

GET      HTTP/1.1 must implement this method
HEAD     Inspect resource headers
PUT      Deposit data on the server – the inverse of GET
POST     Send input data for processing
PATCH    Partially modify a resource
TRACE    Echo back the received message
OPTIONS  Server capabilities
DELETE   Delete a resource – not guaranteed
STATUS 
CODES
1xx 100-101 Informational 
2xx 200-206 Successful 
3xx 300-305 Redirection 
4xx 400-415 Client error 
5xx 500-505 Server error
You should know the most important ones!
http://httpstatus.es
Statuses are primarily for agents (browsers):
the HTTP protocol version of the client determines how it processes status codes!
TRIVIA
201 Created – the response also contains a Location header
300 Multiple Choices – preferred URL in the Location header
408 Request Timeout – close the connection
410 Gone – the resource once was on the server
503 Service currently unavailable
747 Motherfucking Snakes on the Motherfucking Plane
Everything is 
Extendable 
You may create your own headers, methods and status codes 
You may not implement some methods or header logic
Standard 
Headers
Headers are about information
General    Client and server
Request    Client requests
Response   Server responses
Entity     Describe the entity body
Extension  Non-standard
GENERAL Headers 
Response Header from www.namics.com 
HTTP/1.1 200 OK 
Server: nginx/1.4.3 
Date: Mon, 13 Oct 2014 16:18:08 GMT 
Transfer-Encoding: chunked 
Connection: keep-alive 
Via: 1.1 varnish 
Content-Type: text/html; charset=utf-8 
X-Mod-Pagespeed: 1.6.29.7-3343 
Vary: Accept-Encoding 
X-Powered-By: Secret Namics rocket technology 
X-Varnish: 1491545138 1491540973 
Age: 1110
Request Headers 
Request header from Chrome
GET / HTTP/1.1
Host: namics.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,de;q=0.6
Cookie: my_namics_SSL=1; LtpaToken=AAECAzU0M0I3RTlBNTQzQkZEMkFDTj1
Accept headers: capabilities + preferences
q: quality factor – relative degree of preference
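The quality factor is easiest to understand by implementing it. This added example (not from the slides) parses an Accept-* header value into an ordered preference list and lets a server pick the best option it can actually offer; q=0 means "never send me this", a missing q means 1.0, and `*` / `*/*` accepts anything not explicitly refused. The header values in the test are the ones shown in the Chrome request above; the `negotiate` function and its behaviour on malformed q values are this example's own choices.

```python
def parse_accept(header_value):
    """Return [(token, q)] ordered by preference: highest q first, and for
    equal q the order the client wrote them.  A missing q means 1.0."""
    prefs = []
    for position, item in enumerate(header_value.split(",")):
        item = item.strip()
        if not item:
            continue
        token, *params = [p.strip() for p in item.split(";")]
        q = 1.0
        for param in params:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0          # a malformed q is treated as "not acceptable"
        prefs.append((token.lower(), max(0.0, min(q, 1.0)), position))
    prefs.sort(key=lambda entry: (-entry[1], entry[2]))
    return [(token, q) for token, q, _ in prefs]


def negotiate(header_value, available):
    """Pick the first client-preferred token the server can offer.
    Returns None when nothing acceptable is available (a 406 situation)."""
    prefs = parse_accept(header_value)
    refused = {token for token, q in prefs if q <= 0}
    offered = [a.lower() for a in available]
    for token, q in prefs:
        if q <= 0:
            continue
        if token in ("*", "*/*"):
            # the wildcard accepts anything the client did not refuse outright
            for candidate in offered:
                if candidate not in refused:
                    return candidate
            continue
        if token in offered:
            return token
    return None
```

For the Chrome request above, `negotiate("en-US,en;q=0.8,de;q=0.6", ["de", "en"])` yields `en`: the server cannot offer `en-US`, and `en` (q=0.8) outranks `de` (q=0.6).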
Response Headers 
Response Header from www.namics.com 
HTTP/1.1 200 OK 
Date: Mon, 13 Oct 2014 16:18:08 GMT 
Transfer-Encoding: chunked 
Connection: keep-alive 
Server: nginx/1.4.3 
Content-Type: text/html; charset=utf-8 
Vary: Accept-Encoding 
Age: 1110 
X-Mod-Pagespeed: 1.6.29.7-3343 
X-Powered-By: Secret Namics rocket technology 
X-Varnish: 1491545138 1491540973 
Via: 1.1 varnish 
Extension Headers 
Fully Custom
CONNECTION 
MANAGEMENT
- Reliable -
No damaged or scrambled data! Guaranteed!
HTTP                Application layer
TLS or SSL          Security layer
TCP                 Transport layer
IP                  Network layer
Network interfaces  Data link layer
That's why!
TCP 
Connections
CLIENT / SERVER COMMUNICATION
Server: create socket, bind socket to port 80, accept connections
Client: DNS lookup, create socket, bind socket, connect
Connection handshake (delay): client → SYN → server; server → SYN+ACK → client; client → ACK → server
Data transfer: client sends GET / HTTP/1.1; server reads, processes and answers HTTP/1.1 200 OK
Close connection
Connection properties: source IP, source port, destination IP, destination port – this tuple is UNIQUE
Performance considerations
SYN/SYN+ACK handshake: considerable delay for small transactions
TCP slow start (congestion control feature): performance depends on connection age – for 1 successfully received packet, the sender can send 2 more
Nagle's algorithm: bundles up large amounts of TCP data for efficiency – non-full-size packets can only be sent if all others are acknowledged
HTTP 
Connections
The Connection Header 
HTTP/1.1 200 OK 
Connection: myheader, close 
Myheader: local information 
CLIENT Server 
Proxy 
Myheader is a hop-by-hop header and not proxied 
Messages are forwarded - each “Hop” must delete 
header fields listed in the connection header 
This allows protecting “local headers”
Connection Types
Parallel    "Feel" faster – but still TCP performance issues; 2 to 6 per client (browser) is current practice
Keep-Alive  HTTP/1.0+, experimental, deprecated but still used; handled by the keep-alive Connection header
Persistent  HTTP/1.1: re-use connections for multiple requests; active by default, explicitly closed by header; only works with a correct Content-Length
Pipelined   Enqueue multiple requests over a persistent connection before the response arrives; only for safe methods (not for "POST")
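The message anatomy slide (start line, CRLF-terminated headers, empty line, body) and the "only works with correct Content-Length" remark are two sides of the same thing: on a persistent or pipelined connection the receiver has no connection close to tell it where one message ends, so Content-Length is the only framing. The Python below is an added example (not part of the slides) that frames messages out of a single byte stream; the two sample responses are constructed, and the second stream has a deliberately wrong Content-Length to show how the framing desynchronises. It refuses messages carrying Transfer-Encoding rather than guessing, since this framer does not implement chunked encoding.

```python
CRLF = b"\r\n"

# Constructed sample: two pipelined responses on one persistent connection.
PIPELINED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
    b"HTTP/1.1 404 Not Found\r\nContent-Length: 3\r\n\r\nnah"
)
# Same bytes, but the first Content-Length understates the body by two bytes.
BAD_LENGTH = PIPELINED.replace(b"Content-Length: 5", b"Content-Length: 3", 1)


class FramingError(Exception):
    """Raised when a message cannot be framed unambiguously."""


def parse_message(buf):
    """Parse one HTTP/1.x message from the start of buf.

    Returns (start_line, headers, body, bytes_consumed), or None when the
    buffer does not yet hold a complete message (more data is needed)."""
    head_end = buf.find(CRLF + CRLF)
    if head_end < 0:
        return None                               # headers still incomplete
    head = buf[:head_end].decode("ascii")         # messages are plain ASCII
    start_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise FramingError("malformed header line: %r" % line)
        headers[name.lower()] = value.strip()
    if "transfer-encoding" in headers:
        # Chunked framing is out of scope here; a message with both
        # Transfer-Encoding and Content-Length is ambiguous, so refuse it
        # instead of guessing which rule the next hop will apply.
        raise FramingError("Transfer-Encoding not supported by this framer")
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        raise FramingError("non-numeric Content-Length")
    if length < 0:
        raise FramingError("negative Content-Length")
    body_start = head_end + len(CRLF + CRLF)
    if len(buf) < body_start + length:
        return None                               # body not fully received
    body = buf[body_start:body_start + length]
    return start_line, headers, body, body_start + length


def split_stream(stream):
    """Frame every complete message in a byte stream.
    Returns a list of (start_line, headers, body)."""
    messages, offset = [], 0
    while offset < len(stream):
        parsed = parse_message(stream[offset:])
        if parsed is None:
            break                                 # wait for more bytes
        start_line, headers, body, consumed = parsed
        messages.append((start_line, headers, body))
        offset += consumed
    return messages
```

`split_stream(PIPELINED)` yields the 200 and the 404 as two clean messages. With `BAD_LENGTH` the first body is cut to `hel`, and the leftover `lo` is glued onto the next start line, which becomes `loHTTP/1.1 404 Not Found`: every later message on that connection is now misread, which is exactly why persistence "only works with correct Content-Length".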
The Keep-Alive Problem
CLIENT → Server (direct)
GET / HTTP/1.0
Host: www.namics.com
Connection: keep-alive

HTTP/1.0 200 OK
Connection: keep-alive
Content-type: text/html

CLIENT → Dumb Proxy → Server
Client sends Connection: keep-alive – it SHOULD NOT BE PASSED on, but the dumb proxy forwards it
Server answers Connection: keep-alive and keeps the connection open
Proxy waits for the connection to close
Client sends the next request – the proxy ignores it, still waiting for the close
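The Connection header slide and the keep-alive problem are the same rule seen from two sides: a hop must strip the header fields named in Connection (and Connection itself) before forwarding, and a proxy that forgets to do so hands the server a keep-alive it never meant to promise. This added Python example (not from the slides) implements that stripping next to a "dumb" proxy that copies headers verbatim, and models the HTTP/1.0 server's reaction so the hang becomes visible. The header lists are the ones from the slides; the helper names and the simplified server model are this example's own.

```python
# Hop-by-hop headers that a proxy must never forward, on top of whatever the
# Connection header names explicitly.  (TE, Trailer, Transfer-Encoding and
# Upgrade are hop-by-hop too, but dropping them means re-framing the body,
# which is out of scope for this example.)
ALWAYS_HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
}

# From the slides: a response protecting a "local header" ...
SAMPLE_RESPONSE_HEADERS = [
    ("Connection", "myheader, close"),
    ("Myheader", "local information"),
    ("Content-Type", "text/html"),
]
# ... and the HTTP/1.0 request that triggers the keep-alive problem.
SAMPLE_REQUEST_HEADERS = [
    ("Host", "www.namics.com"),
    ("Connection", "keep-alive"),
]


def connection_tokens(headers):
    """Lower-cased header names listed in any Connection header."""
    named = set()
    for name, value in headers:
        if name.lower() == "connection":
            named.update(t.strip().lower() for t in value.split(",") if t.strip())
    return named


def forward_headers(headers):
    """What a compliant hop passes on: everything except Connection, the
    fields Connection names, and the well-known hop-by-hop fields."""
    drop = ALWAYS_HOP_BY_HOP | connection_tokens(headers)
    return [(name, value) for name, value in headers if name.lower() not in drop]


def dumb_proxy_forward(headers):
    """The proxy from the slide: copies every header verbatim."""
    return list(headers)


def server_keeps_open(request_headers):
    """HTTP/1.0 server model: keep the TCP connection open only when the
    request it actually received asked for keep-alive."""
    for name, value in request_headers:
        if name.lower() == "connection" and "keep-alive" in value.lower():
            return True
    return False


def proxy_hangs(request_headers, forward):
    """An HTTP/1.0 proxy that waits for the server to close the connection
    hangs exactly when the server was told to keep it open."""
    return server_keeps_open(forward(request_headers))
```

`forward_headers(SAMPLE_RESPONSE_HEADERS)` keeps only Content-Type, so `Myheader` never leaves the hop; `proxy_hangs(SAMPLE_REQUEST_HEADERS, dumb_proxy_forward)` is true while the compliant `forward_headers` variant is not.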
Connection Close 
It can happen anytime 
If it happens, client should reopen 
and retry once for methods 
without side effects 
(Get is ok, Post is not!)
A quick 
HTTP/2 Breakout 
Spdy Protocol
Google's Contribution
Speedy Open Networking Protocol 
Focus on Performance 
Base for HTTP/2 draft 
HTTP - SPDY - TCP 
1 TCP Connection 
Multiplexing 
Stream priorities 
SSL by default 
Compressed headers 
… and more
HANDLING 
STATELESSNESS 
Coping with the “goldfish memory”
Enter cookies 
First developed by Netscape
Define new extension headers 
Cookie, Cookie2, Set-Cookie, Set-Cookie2 
Flavors are 
session cookies and persistent cookies
DOMAIN ATTRIBUTE CONTROLS THE "VISIBILITY"
PATH ATTRIBUTE ALLOWS FINER-GRAINED CONTROL
COOKIES ARE STATE INFORMATION MAINTAINED BY THE CLIENT
COOKIES ARE NOT PART OF THE HTTP/1.1 SPECIFICATION
VERSION 0 – NETSCAPE COOKIES
Request header:
Cookie: name1=value1 [; name2=value2]
Response header:
Set-Cookie: name=value [; expires=date] [; path=path] [; domain=domain] [; secure]
VERSION 1 – RFC2956 COOKIES 
Descriptive text for cookies 
Forced destruction support on browser exit 
Max-age in relative seconds, not date 
RFC 6265 lists them as deprecated
Controlled by Set-Cookie2 and Cookie2
Cookies + Caching 
Short answer 
“NO”
Cookies and Security
Cookies are a security risk
Vulnerable to: DNS poisoning, cross-site scripting attacks
Cookies Alternatives 
HTML5 Browser storage 
Browser / canvas fingerprint 
HTTP Authentication 
ETAG Headers
Zombie 
and 
EverCookies
The evil
a JavaScript API to create zombie cookies
https://github.com/samyk/evercookie
uses every possible way to store cookies and avoid deletion
FBI uses it to track Tor users
Spotify uses it
HTTP 
CACHING
Things I've missed…
Authorization and Security 
Proxies and Gateways 
Robots 
Entities and Encodings 
Content Negotiation 
7xx status codes extension proposal 
…
418 
I’m a teapot 
(http://tools.ietf.org/html/rfc2324)
