An overview of the HTTP protocol showing the protocol basics such as protocol versions, messages, headers, status codes, connection management, cookies and more.
It still remains an overview without in-depth information. Some key aspects are also left out (because of limited time), such as authentication, content negotiation, robots, web architecture etc.
3. 1945 – THE MEMEX SYSTEM Microfilm management
1965 – HyperText Project Xanadu
1991 – HTTP 0.9 GET only
1996 – HTTP 1.0 Headers, MIME, …
1997 – HTTP 1.1 Flaw correction
1998 – HTTP-NG stopped
2015 – HTTP/2 RFC Publish date
4. What about HTTP-NG?
It was planned to replace HTTP-1.1…
Nah, HTTP-1.1 worked – no one wanted to adapt HTTP-NG and replace 1.1!
By now we don’t need it anymore…
14. Safe methods (no action on server) vs. messages with body (send data to server)
GET – HTTP/1.1 must implement this method
HEAD – Inspect resource headers
PUT – Deposit data on server – inverse of GET
POST – Send input data for processing
PATCH – Partially modify a resource
TRACE – Echo back received message
OPTIONS – Server capabilities
DELETE – Delete a resource – not guaranteed
17. You should know the most important ones!
http://httpstatus.es
Statuses are primarily for agents (browsers)
The HTTP protocol version of the client determines how it processes status codes!
18. Trivia
201 Created – Response also contains a Location header
300 Multiple Choices – Preferred URL in Location header
408 Request Timeout – Close the connection
410 Gone – Resource once was on the server
503 Service currently unavailable
747 Motherfucking Snakes on the Motherfucking Plane
19. Everything is extendable
You may create your own headers, methods and status codes
You may not implement some methods or header logic
21. Headers are about information
General – Client and server
Request – Client requests
Response – Server responses
Entity – Describe entity body
Extension – Non-standard
29. Client / server communication
Server: Create socket – Bind socket to port 80 – Accept connections
Client: DNS lookup – Create socket – Bind socket – Connection
Handshake (delay): SYN → SYN+ACK → ACK
Client: GET / HTTP/1.1
Server: Read – Process – HTTP/1.1 200 OK
Data transfer
Close connection
Connection properties: Source IP, Source Port, Destination IP, Destination Port – UNIQUE
30. Performance considerations
SYN/SYN+ACK handshake – Considerable delay for small transactions
TCP slow start (congestion control feature) – Performance depends on connection age; for 1 successfully received packet, the sender can send 2 more
Nagle’s algorithm – Bundles up large amounts of TCP data for efficiency; non-full-size packets can only be sent if all others are acknowledged
32. The Connection header
HTTP/1.1 200 OK
Connection: myheader, close
Myheader: local information
Client – Proxy – Server
Myheader is a hop-by-hop header and not proxied
Messages are forwarded – each “hop” must delete header fields listed in the Connection header
This allows protecting “local headers”
33. Connection types
Parallel – “Feel” faster, but still TCP performance issues; 2 to 6 per client (browser) is current practice
Keep-Alive – HTTP/1.0+ experimental, deprecated but still used; handled by the Keep-Alive connection header
Persistent – HTTP/1.1 re-uses connections for multiple requests; active by default, explicitly close by header; only works with correct Content-Length
Pipelined – Enqueue multiple requests over a persistent connection before the response arrives; only for safe methods (not for “POST”)
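Why a persistent connection "only works with correct Content-Length": when several responses share one TCP connection, the client has nothing but that header to tell where one message stops and the next starts. The framing parser below is an added example, not code from the slides; the byte stream it parses is constructed here and stands in for two pipelined responses plus a third whose body has not fully arrived.

```python
# Added example: framing HTTP/1.1 responses on a persistent connection.
# Messages are delimited purely by Content-Length, so a wrong length makes the
# client mis-read where the following message begins.

def parse_responses(stream: bytes):
    """Split a raw byte stream into (status_line, headers, body) tuples.

    Returns the complete messages and the leftover bytes that do not yet form
    a whole message (what a partial read on a live socket leaves behind).
    """
    messages = []
    while True:
        end = stream.find(b"\r\n\r\n")
        if end == -1:
            break  # header block not complete yet
        head, rest = stream[:end], stream[end + 4:]
        lines = head.split(b"\r\n")
        status_line = lines[0].decode("ascii")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
        # Without Content-Length the body runs until the connection closes,
        # which is exactly why a reused connection needs a correct length.
        if "content-length" not in headers:
            raise ValueError("no Content-Length: cannot reuse this connection")
        length = int(headers["content-length"])
        if len(rest) < length:
            break  # body not complete yet; wait for more data
        messages.append((status_line, headers, rest[:length]))
        stream = rest[length:]
    return messages, stream


# Constructed sample: two pipelined responses on one connection, followed by
# the start of a third whose 20-byte body has only partially arrived.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
    b"HTTP/1.1 404 Not Found\r\nContent-Length: 9\r\n\r\nnot found"
    b"HTTP/1.1 200 OK\r\nContent-Length: 20\r\n\r\npartial"
)

if __name__ == "__main__":
    done, pending = parse_responses(SAMPLE_STREAM)
    for status, hdrs, body in done:
        print(status, hdrs, body)
    print("pending bytes:", pending)
```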
34. The Keep-Alive problem
Client → Server:
GET / HTTP/1.0
Host: www.namics.com
Connection: keep-alive
Server → Client:
HTTP/1.0 200 OK
Connection: keep-alive
Content-type: text/html
With a dumb proxy in between (Client – Dumb Proxy – Server):
Client → Proxy: Connection: keep-alive
Proxy → Server: Connection: keep-alive (SHOULD NOT BE PASSED)
Server → Proxy: Connection: keep-alive
Proxy waits for connection close
Client → Proxy: Connection: keep-alive
Proxy ignores the request – still waiting for close
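What a correct proxy does with the Connection header (slide 32) and what the dumb proxy on this slide fails to do: drop every header named in Connection, plus the headers HTTP/1.1 itself treats as hop-by-hop, before forwarding. The function below is an added example, not code from the slides; the two header sets it is run on are constructed from the slides' messages (the Keep-Alive value is made up).

```python
# Added example: stripping hop-by-hop headers at a proxy before forwarding.

# Headers that are always hop-by-hop in HTTP/1.1 (the RFC 2616 13.5.1 list);
# anything listed in the Connection header is added to this set per message.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}


def strip_hop_by_hop(headers: dict) -> dict:
    """Return a copy of `headers` suitable for forwarding to the next hop.

    Header names compare case-insensitively; values are left unchanged.
    """
    connection_tokens = set()
    for name, value in headers.items():
        if name.lower() == "connection":
            # "Connection: myheader, close" -> {"myheader", "close"}
            connection_tokens |= {t.strip().lower() for t in value.split(",") if t.strip()}
    to_drop = HOP_BY_HOP | connection_tokens
    return {n: v for n, v in headers.items() if n.lower() not in to_drop}


# Constructed sample: the response from the Connection-header slide.
RESPONSE_HEADERS = {
    "Connection": "myheader, close",
    "Myheader": "local information",
    "Content-Type": "text/html",
}

# Constructed sample: the HTTP/1.0 keep-alive request from the Keep-Alive
# slide, with a hypothetical Keep-Alive parameter header added.
KEEP_ALIVE_REQUEST_HEADERS = {
    "Host": "www.namics.com",
    "Connection": "keep-alive",
    "Keep-Alive": "timeout=5",
}

if __name__ == "__main__":
    print(strip_hop_by_hop(RESPONSE_HEADERS))            # only Content-Type survives
    print(strip_hop_by_hop(KEEP_ALIVE_REQUEST_HEADERS))  # only Host survives
```

A proxy that forwards the result never passes keep-alive to the origin, so it cannot end up waiting for a close that the server, holding the connection open as asked, never sends.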
35. Connection close
It can happen anytime
If it happens, the client should reopen and retry once for methods without side effects (GET is ok, POST is not!)
37. Google’s contribution
Speedy Open Networking Protocol
Focus on Performance
Base for HTTP/2 draft
HTTP - SPDY - TCP
1 TCP Connection
Multiplexing
Stream priorities
SSL by default
Compressed headers
… and more
39. Enter cookies
First developed by Netscape
Define new extension headers: Cookie, Cookie2, Set-Cookie, Set-Cookie2
Flavors are session cookies and persistent cookies
40. The Domain attribute controls the “visibility”
The Path attribute allows finer-grained control
Cookies are state information maintained by the client
Cookies are not part of the HTTP/1.1 specification
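How the Domain and Path attributes decide which stored cookies a client attaches to a request, using the matching rules of RFC 6265. This is an added example, not code from the slides; the cookie jar and URLs are constructed. A cookie set without a Domain attribute is "host-only" and goes back only to the host that set it; with Domain it is also sent to every subdomain, which is the visibility the slide refers to.

```python
# Added example: RFC 6265 domain and path matching for a constructed cookie jar.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str              # host that set it, or the Domain attribute value
    path: str = "/"
    host_only: bool = True   # True when no Domain attribute was given


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching (request host is a host name)."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    # "/admin" must match "/admin/users" but not "/administrator"
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for(url: str, jar: list) -> list:
    """Return the names of the cookies in `jar` that would be sent to `url`."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    sent = []
    for c in jar:
        if c.host_only and host.lower() != c.domain.lower():
            continue
        if not c.host_only and not domain_matches(host, c.domain):
            continue
        if path_matches(path, c.path):
            sent.append(c.name)
    return sent


# Constructed jar: three cookies with different scopes.
JAR = [
    Cookie("sid", "abc", domain="www.example.com"),                            # host-only
    Cookie("pref", "dark", domain="example.com", host_only=False),             # whole site
    Cookie("admin", "1", domain="example.com", path="/admin", host_only=False),
]
```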
42. Version 1 – RFC2956 cookies
Descriptive text for cookies
Forced destruction support on browser exit
Max-age in relative seconds, not date
RFC 6265 lists them as deprecated
Controlled by Set-Cookie2 and Cookie2
47. The evil
A JavaScript API to create zombie cookies
https://github.com/samyk/evercookie
Uses every possible way to store cookies and avoid deletion
FBI uses it to track Tor users
Spotify uses it
49. Things I’ve missed…
Authorization and Security
Proxies and Gateways
Robots
Entities and Encodings
Content Negotiation
7xx status codes extension proposal
…
50. 418
I’m a teapot
(http://tools.ietf.org/html/rfc2324)