Ever wonder how the web really works? Demystify the process through looking at how the HTTP protocol works through the OSI and TCP/IP model.

1. Understanding the Web through HTTP
Olivia Brundage

2. Agenda
• Overall Flow of Data
• How HTTP Requests Work
• Introduction to HTTPS

3. Meet Datum!
He’s just a baby now, but let’s see how he grows into a big
data through the OSI (Open System Interconnection)
model.

4. Physical Layer
Datum’s home town.
He communicates with
everyone through a physical
medium (like wires).
His language is bits (0’s and
1’s).

5. Trailer
Data Link Layer
To talk to neighbors,
Datum’s bits gets
encapsulated as a
frame so that the
receiver know the start
and end of the message.
This layer provides node-
to-node data transfer.Header DATA
1010 101001000100111
Bit pattern that
specifies the start
of the frame
Bit pattern that
specifies the end of
the frame
Frame

6. Network Layer
In order to reach the outside
world, Datum has to be
transformed into a packet.
Routers are responsible
directing data to the correct
machine.
This is where you’ll find IP
addresses.
IP

7. Transport Layer
To reach his destination, Datum
must be transported via a
segment or datagram.
Segments are sent through the
Transmission Control Protocol
(TCP), which is for a connection-
oriented transmission.
Datagrams are sent through the
User Datagram Protocol (UDP),
which is for a connectionless
transmission (e.g., streaming).
IP

8. Session Layer
Upon arriving at his
destination, Datum must
create an open session to
the client, so that they can
continue their business.
Once here, Datum evolves
into his final form: Data.
IP

9. Presentation Layer
Datum is now on the full
screen!
This layer takes all your
backend code, CSS files,
etc and delivers them to
the final layer.
IP

10. Application Layer
This layer is the end-user
product and contains
high-level APIs like
resource sharing and
remote file access.
This is also the layer you
develop in!
IP

11. What’s with this abstraction?
• Gives us a framework on how data transforms
throughout the network.
• But it’s a little too specific; real networks are a lot muddier
than this.

12. OSI vs TCP/IP
TCP/IP combines some layers of the OSI, making it more
succinct to the messier way of real life.

13. Where does HTTP fit into this?

14. First, let’s go over what HTTP is
• HTTP stands for hyper-text transfer protocol.
• This protocol is in plain-text and is stateless.
• This protocol resides in the application layer.

15. Let’s break down these requests!

16. Make the Request!
You type the URL (Uniform Resource Locator) in the
browser:
http://www.google.com

17. Hey, wait! What’s an URL?
http://www.domain.com:1234/path/to/resource?a=b&x=y
protocol
host
port
resource path
query

18. Now, time to get the IP address!
After you type the address, another application layer
protocol is used to get the IP address:
the Domain Name System (DNS)
What’s the IP to Google’s server?
Google’s IP is 65.246.5.22
Domain Name Server Web Browser

19. HTTP makes the Request Racket

20. Generic Structure of HTTP Requests
message = <start-line>
*(<message-header>)
CRLF # Carriage Return Line Feed (i.e., new line)
[<message-body>]
• Start line contains the initial request
• Message headers give more details about the request you’re making
(i.e., the host, how to maintain the connection, how to handle cookies,
etc).
NB: GET requests do not contain a message body, but POST requests can.

21. tl/dr:
A simple request looks likes:
VERB RESOURCE-URL PROTOCOL
MESSAGE-HEADERS
GET / HTTP/1.1
HOST: www.google.com
CONNECTION: keep-alive

22. HTTP Main Verbs
• GET: fetches a resource determined by the URL
• The server sends the resource in the message body if the status code is 200
• POST: creates a new resource where the requests specifies the data needed
for the resource
• Params are carried in the body of the request instead of the header; making
this a more ‘secure’ type of request
• PUT: updates a resource
• DELETE: deletes a resource
NB: PUT and DELETE can be considered a specialized versions of POST

23. Lesser-known Verbs
• HEAD: Requests only the server headers. Primarily used
for checking if the resource has changed via timestamps.
• TRACE: Retrieves the hops that a request takes to round
trip the serve. Used for network diagnostic purposes.
• OPTIONS: Retrieves the server capabilities. For the
client-side, it can be used to modify the request based
on what the server can support.

24. HTTP Packet gets ready for Transportation!
HTTP
Request
HTTP Packet
TCP Packet
The TCP information maintains the session.
Now to the IP layer!
TCP

25. TCP now hands it over to the Internet Protocol
• Local/Sender Address: Your PC’s IP
• Receiver Address: Google’s Server IP
• Post Service Nodes: Routers

26. HTTP
Request
IP
IP further encapsulates the data
TCP
TCP
IP Packet
Now we head over to the last layer!

27. Trailer
HTTP
Request
Header
The Network Interface Layer makes the Ethernet
frame.
IP TCP
IP Packet
Ethernet Frame
We can finally send this HTTP request out!

28. The HTTP request is out!

29. So let’s recap.

30. But there’s still more to HTTP!!

31. Some important notes about the response:
• The server will send the status code along with the
message payload.
• The status code tells the client how to interpret the server
response.

33. 1xx: Informational Messages
• This is just a provisional code and provides informational
messages like:
• Keep this connection alive (i.e., still sending
information)
• Tell the client to continue sending it’s message
• Ignore the next response
• This class was introduces in HTTP/1.1. Version 1.0
ignores this message.

34. 2xx: Successful
Your request made it!

35. Request was completely successful.

36. Message successful, but there was no message
body

37. 3xx: Redirection
Your request needs to directed elsewhere.

38. Resource has moved to a new URL.

39. Resource has not been modified since last
request.

40. 4xx: Client Error
When the server thinks the client made a bad request.

41. Request can’t be fulfilled due to bad syntax.

42. Specifically used when authentication has failed.

43. Request was valid, but the server won’t
respond.

44. Resource can’t be found. Try again later?

45. Method isn’t supported (like using a GET on a
form that requires a POST method)

46. 5xx: Server Error
Server failed creating the request

47. The infamous, generic server error.

48. The server doesn’t recognize the request
method or can’t fulfill it.

49. The server was acting as a proxy and received
something bad from the upstream server.

50. The server was acting as a proxy and did not
receive a timely response from the upstream server.

51. Want more status codes?
Here’s your source: https://httpstatusdogs.com/

52. Overall HTTP Interaction

53. So where does HTTPS come into play?
That is:
HTTP over TLS, HTTP over SSL, and HTTP Secure

54. What HTTPS Is
• HTTPS provides authentication to the website and
protection of the privacy and integrity of the exchanged
data
• Security is brought to you by the Secure Sockets Layer
(SSL) or the improved Transport Layer Security (TLS).
• Encryption is brought to you by Public Key
Encryption and Symmetric Key Encryption.
• This security component happens between HTTP
request and TCP (before they connect).

55. HTTPS Happens Before the Connection is Made

56. How HTTPS Works
• Client/Server Hellos
• Authenticate Client and Server with Cryptography
• Generate session keys
• Further interactions will be based on the encrypted
session keys

57. Questions?

58. Resources
• “What is the role of the OSI layers when making a request to a website?”
https://www.quora.com/What-is-the-role-of-OSI-layers-when-we-open-
a-webpage
• “HTTP: The Protocol Every Web Developer Must Know - Part 1"
https://code.tutsplus.com/tutorials/http-the-protocol-every-web-
developer-must-know-part-1--net-31177
• “HTTP: The Protocol Every Web Developer Must Know - Part 2"
https://code.tutsplus.com/tutorials/http-the-protocol-every-web-
developer-must-know-part-2--net-31155
• "Understanding HTTP Basics"
http://learn.onemonth.com/understanding-http-basics