Introduction to HTTP

Aviran Mordo

Head Of Back-End Engineering @ Wix

@aviranm

http://www.linkedin.com/in/aviran

http://www.aviransplace.com

Intro

• The Hyper Text Transfer Protocol (HTTP) is a client-server network protocol

• In use by the World-Wide Web since 1990.

• It is based on Request – Response Paradigm.

HTTP Request Message

GET /website/template/photography/

HTTP/1.1

Accept:*/*

Accept-Language: en-gb

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible;

MSIE 6.0)

Host: www.httpwatch.com

Connection: Keep-Alive

HTTP

Method relative URL of the resource

or a full URL

HTTP

Version

Head

ers

HTTP Response HTTP/1.1 200 OK

X-Seen-By: sputnik3.aus_dsp

X-Seen-By: s3.aus_pp

Date: Wed, 21 Aug 2013 09:02:49 GMT

Server: Apache

cache-control: max-age=604800

cache-control: no-cache

Pragma: no-cache

Set-Cookie: _wixAB2=5371#5567#2014-03-19T14-27-00.000-0500|15711#3472#2014-08-13T11-01-00.000-

0500|14841#8565#2014-07-23T09-16-00.000-0500|15551#935#2014-08-11T07-55-00.000-0500|15451#3523#2014-08-07T07-

55-00.000-0500|14451#3267#2014-07-14T09-23-00.000-0500|15941#4497#2014-08-15T15-39-00.000-

0500|14951#8608#2014-07-28T07-24-00.000-0500|15861#7296#2014-08-15T10-02-00.000-0500|12891#3395#2014-06-23T07-

34-00.000-0500|13501#6547#2014-07-01T12-46-00.000-0500|15361#2985#2014-08-05T13-30-00.000-0500;

Domain=.wix.com; Expires=Tue, 21-Aug-2018 14:06:39 GMT; Path=/

Set-Cookie: _wixCIDX=7e98f6cd-1c79-4661-9312-6f7aaeebf932; Domain=.wix.com; Expires=Mon, 17-Feb-2014 09:02:49 GMT;

Path=/

Set-Cookie: _wixUIDX=10647958|1a2c4034-469d-4f4d-bbd9-17deddaf67ec; Domain=.wix.com; Expires=Mon, 17-Feb-2014

09:02:49 GMT; Path=/

Vary: User-Agent,Accept-Encoding

Content-Language: en

Content-Encoding: gzip

Content-Length: 8162

Content-Type: text/html;charset=UTF-8

Expires: 0

Cache-Control: no-cache

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-

transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns:fb="https://www.facebook.com/2008/fbml" >

<head>

<meta http-equ

Status

line

Headers

double CRLF (carriage return, line feed)

contents of the requested resource

Everything is an extendable convention

• You may create your own headers

• You may create your own methods

• You may not implement some methods

• You may not implement header logic

HTTP Methods

• GET method means retrieve whatever information. Is identified by the Request-URI

• POST - used to send data to the server for updates.

• PUT - method requests that the enclosed entity be stored under the supplied Request-URI.

• DELETE - requests that the origin server delete the resource identified by the Request-URI.

• HEAD - identical to GET except that the server MUST NOT return a message-body in the response.

• TRACE - llows the client to see what is being received at the other end of the request chain and use that data for testing or diagnostic

• CONNECT - use with a proxy that can dynamically switch to being a tunnel

HTTP Headers

• Accept: text/plain; - specify certain media types which are acceptable for the response.

• Accept-Encoding: compress, gzip ;

• Accept-Language: da, en-gb;q=0.8, en;q=0.7 ;

• Cache-Control: max-age=0, must-revalidate

• Vary: User-Agent,Accept-Encoding

• ETag: "xyzzy"

• Set-Cookie: _wixAB2=15361#2985#2014-08-05T13-30-00.000-0500

• Access-Control-Allow-Origin: *

• X-Seen-By: sputnik3.aus_dsp

• X-Wix-Dispatcher-Cache-Hit: no

• X-Wix-Renderer-Server: apu2.aus.wixpress.com

• X-Wix-Not-Found-Reason: Meta Site was not found

HTTP Status Codes and Errors

• 1xx – Informational - intermediate response and indicates that the server has received the request but has not finished processing it.

• 2xx – Successful: 200 OK

• 3xx – Redirection: 301-permanent, 302-temporary

• 4xx - Client Error: 400-bad request, 403-forbidden, 404-not found, 418 I'm a teapot

• 5xx - Server Error: 500 Internal Server Error, 503-Service Unavailable,504-Gateway Timeout

Cookies

Name Name of the cookie

Value Textual value to be held by the cookie

Expire

s

Date/time when the cookie should be discarded by the browser.

If this field is empty the cookie expires at the end of the current browser session. This field can

also be used to delete a cookie by setting a date/time in the past.

Path Path below which the cookie should be supplied by the browser.

Domai

n

Web site domain to which this cookie applies.

This will default to the current domain and attempts to set cookies on other domains are subject

to the privacy controls built into the browser.

Servers supply cookies by populating the set-cookie

response header with the following details: Set-Cookie: name=value

Type of cookies - Terminology

• Session cookie - Web browsers normally delete session cookies when the user closes the browser

• Persistent cookie - A persistent cookie will outlast user sessions – expires on a set timestamp

• Secure cookie - A secure cookie has the secure attribute enabled and is only used via HTTPS

• HttpOnly cookie - On a supported browser, only when transmitting HTTP (or HTTPS) requests. Not accessible to Javascript.

• Third-party cookie - cookies that belong to domains different from the one shown in the address bar.

• Supercookie - cookie with an origin of a TLD(such as .com)

Browsers send cookies via request header. Cookie: name=value; name2=value2

HTTP Caching

• Preventing Caching - Cache-Control: no-cache (HTTP 1.1); Pragma: no-cache (HTTP 1.0)

• Last-Modified: Wed, 15 Sep 2004 12:00:00 GMT – Browser can check the server for changes

• Expires: Sun, 17 Jan 2038 19:14:07 GMT - browser can reuse the content without having to check the server

GET /images/logo.gif HTTP/1.1

Accept: */*

Referer: http://www.google.com/

Accept-Encoding: gzip, deflate

If-Modified-Since: Thu, 23 Sep 2004 17:42:04 GMT

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

Host: www.google.com

HTTP/1.1 304 Not Modified

Content-Type: text/html

Server: GWS/2.1

Content-Length: 0

Date: Thu, 04 Oct 2004 12:00:00 GMT

HTTP Methods

• GET - method is used to retrieve information from a specified URI and is assumed to be a safe, have no side effects repeatable operation by browsers, caches and other HTTP aware components. • GET can only supply data in the form of parameters encoded in the

URI (Query String) or as cookies. Therefore, GET cannot be used for uploading files or other operations that require large amounts of data to be sent to the server.

• POST method is used for operations that have side effects and cannot be safely repeated. • POST request message has a content body that is normally used to

send parameters and data. Unlike using the request URI or cookies, there is no upper limit on the amount of data that can be sent

POST Request POST /httpgallery/methods/default.aspx HTTP/1.1

Host: www.httpwatch.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

DNT: 1

Referer: http://www.httpwatch.com/httpgallery/methods/

Cookie: __utma=1.1256977602.1377003403.1377082307.1377092487.5; __utmc=1;

__utmz=1.1377003403.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided);

__utmb=1.4.9.1377092850054

Proxy-Authorization: Basic b21lckB3aXguY29tOmg2M2ZycQ==

Connection: keep-alive

Content-Type: application/x-www-form-urlencoded

Content-Length: 19

Set-Cookie: _wixAB2=5371#5567#2014-03-19T14-27-00.000-0500|15711#3472#2014-08-13T11-01-00.000-

0500|14841#8565#2014-07-23T09-16-00.000-0500|15551#935#2014-08-11T07-55-00.000-0500|15451#3523#2014-08-07T07-

55-00.000-0500|14451#3267#2014-07-14T09-23-00.000-0500|15941#4497#2014-08-15T15-39-00.000-

0500|14951#8608#2014-07-28T07-24-00.000-0500|15861#7296#2014-08-15T10-02-00.000-0500|12891#3395#2014-06-23T07-

34-00.000-0500|13501#6547#2014-07-01T12-46-00.000-0500|15361#2985#2014-08-05T13-30-00.000-0500;

Domain=.wix.com; Expires=Tue, 21-Aug-2018 14:06:39 GMT; Path=/

Set-Cookie: _wixCIDX=7e98f6cd-1c79-4661-9312-6f7aaeebf932; Domain=.wix.com; Expires=Mon, 17-Feb-2014 09:02:49 GMT;

Path=/

Set-Cookie: _wixUIDX=10647958|1a2c4034-469d-4f4d-bbd9-17deddaf67ec; Domain=.wix.com; Expires=Mon, 17-Feb-2014

09:02:49 GMT; Path=/

Cache-Control: no-cache

Amount=10&B2=Submit

Method

Headers

double CRLF (carriage return, line feed)

post data / body

Redirection

• HTTP allows servers to redirect a client request to a different location. Although, this will usually result in another network round trip

30

1

Permanent redirect – Content move permanently at the location specified by the Location header

and future requests should be directed to this location.

30

2

Temporary Redirect - future requests should still be sent to the original location

30

3

This status code was intended to be the only status code that caused a POST to be converted to a

GET. However, most browsers treat a 302 like a 303.

30

4

Not modified - Used in response to an If-Modified header to redirect a request to the browser's local

cache. HTTP/1.1 302 Found

Cache-Control: private,Public

Content-Length: 162

Content-Type: text/html; charset=utf-8

Location: /httpgallery/redirection/default.aspx#example

Set-Cookie: balance=990; path=/httpgallery/redirection/

HTTPS

• The Secure Sockets Layer (SSL) was designed to encrypt any TCP/IP based network traffic and provide the following capabilities • Prevents eavesdropping

• Prevents tampering or replaying of messages

• Uses certificates to authenticate servers and optionally clients

• The HTTPS protocol is the same text based protocol as HTTP but is run over an encrypted SSL session.

AJAX - Asynchronous JavaScript And XML • AJAX is a technology used by interactive web applications to

make HTTP requests to a server without causing page transitions.

• Requests have to go to the same domain as the page

<script type="text/javascript">

function GetShoppingList()

{

// Create an instance of the HTTP request object

var xmlHttp = new XMLHttpRequest();

// Specify HTTP GET by default and supply the relative url

xmlHttp.open("GET", "getlist.aspx", false);

// Start a synchronous AJAX request and wait for the response

xmlHttp.send(null);

var targetNode = document.getElementById("divShoppingList")

;

// Use the HTML returned from server to create list

targetNode.innerHTML = xmlHttp.responseText;

}

</script>

Cross-origin resource sharing (CORS) • Allows JavaScript on a web page to make XMLHttpRequests to

another domain

• "preflighted" requests first send an HTTP OPTIONS method request to the resource on the other domain, to determine if the request is safe to send.

OPTIONS /resources/post-here/ HTTP/1.1

Host: bar.other

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130

Minefield/3.1b3pre

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Connection: keep-alive

Origin: http://foo.example

Access-Control-Request-Method: POST

Access-Control-Request-Headers: X-PINGOTHER HTTP/1.1 200 OK

Date: Mon, 01 Dec 2008 01:15:39 GMT

Access-Control-Allow-Origin: http://foo.example

Access-Control-Allow-Methods: POST, GET, OPTIONS

Access-Control-Allow-Headers: X-PINGOTHER

Access-Control-Max-Age: 1728000

POST /resources/post-here/ HTTP/1.1

Host: bar.other

…

JSONP - "JSON with padding"

• Provides a method to request data from a server in a different domain

• JSONP has nothing to do with Ajax, since it does not use XMLHttpRequest. Instead it dynamically inserts

Step 1 - You need to create a callback function. The function accepts

some data. function w3r_callback(data){

console.log(data);

}

Step 2 - Include a script in your web page which contains the callback

function created a step 1 as a parameter <script src="http://www.example.com?q=w3r_callback"><script>

Step 3 - It outputs a script which calls the function

and requested data is passed w3r_callback({

"FirstName" : "xyz",

"LastName" : "abc",

"Grade" : "A"

}

);

Resources

• http://www.httpwatch.com/httpgallery/introduction/

• http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html