Web Application Security 101 - 02 The Basics

Post on 10-May-2015


In part 2 of Web Application Security 101 we cover the basics of HTTP, HTML, XML, JSON, JavaScript, CSS and more in order to get you up to speed with the technology. This knowledge will be used during the rest of the course to explore the various security aspects effecting web applications today.

Transcript of Web Application Security 101 - 02 The Basics

The Basics

Hypertext Transfer Protocol And More.

History Of HTTP

Specified in the early 90s.

Very simple text-based protocol.

Designed for transferring text-based documents.

How It Is Built

A request and a response.

Request/response line, headers and a body.

Lines are delimited by the CRLF characters (0x0d, 0x0a).

Typical HTTP Request

GET /path/to/something HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 ...
Accept: text/html,application/xhtml+xml,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://i/came/from/here

Typical HTTP Response

HTTP/1.1 200 OK
Date: Wed, 23 Nov 2013 10:10:10 GMT
Server: Some Server
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1337
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8

body

Browser → Server

Specify the method: GET, POST, HEAD, OPTIONS, etc.

Specify the location: a URL/URI (Uniform Resource Locator/Identifier).

Tell the server more about how you want the data: headers.

Provide an optional body.

Browser ← Server

The server responds with a status code: 2xx (ok), 3xx, 4xx, 5xx (not ok).

It is followed by extra information: headers.

There is also an optional body.

HTTP Request Deconstructed

METHOD location VERSION
Header1: Value1
Header2: Value2

body

HTTP Response Deconstructed

VERSION code MESSAGE
Header1: Value1
Header2: Value2

body

In Summary

Plain text format made of lines.

Lines are segmented by the CRLF characters.

Each part is made of an initial line, headers and a body.

This guarantees a simple implementation across different technologies.

Some Observations

No authentication!

No encryption!

No sessions!

No streaming!

HTTP Develops

The spec is extended with HTTP/1.0 and later HTTP/1.1.

Streaming, Authentication, Sessions, Virtual Hosts and more.

HTTP Authentication

There are several kinds: basic, digest, NTLM.

Basic auth is based around base64 encoding.

Digest is based around challenge/response.

NTLM is a proprietary protocol developed by Microsoft.

HTTP Encryption

A layer underneath HTTP called SSL.

SSL stands for Secure Sockets Layer.

It works as a wrapper around sockets.

HTTP Sessions

The HTTP protocol is completely stateless.

Sessions enable state, typically stored as cookies.

Cookies are a simple storage provided by the browser.

Cookies are restricted by the SOP (Same Origin Policy).

Cookies also have various security flags: HttpOnly and Secure.

Enough?

There is so much more to learn.

Virtual Hosts

Initially one HTTP server per box.

This was very wasteful in the pre-virtualization era.

The Host header was introduced to enable multiple sites per box.

Transport Mechanisms

Content-Length: <size> - the body has a fixed length.

Transfer-Encoding: chunked - the body is made of chunks.
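As an added example (not part of the original course material), a small Python parser for the message layout described above: a start line, CRLF-delimited headers, and a body framed either by Content-Length or by Transfer-Encoding: chunked. The sample request and response are constructed for this example, not captured traffic.

```python
from typing import Dict, Tuple
from urllib.parse import parse_qsl

CRLF = b"\r\n"  # 0x0d 0x0a, the line delimiter of HTTP/1.x


def decode_chunked(data: bytes) -> bytes:
    """Decode a chunked body: '<hex size>CRLF<bytes>CRLF' repeated, ended by a 0-size chunk."""
    out = bytearray()
    pos = 0
    while True:
        end = data.index(CRLF, pos)                      # ValueError if a size line is missing
        size = int(data[pos:end].split(b";")[0], 16)     # drop any ';ext=...' chunk extension
        pos = end + 2
        if size == 0:
            return bytes(out)                            # last-chunk reached
        out += data[pos:pos + size]
        pos += size + 2                                  # skip the CRLF that closes the chunk


def parse_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a request or response into (start line, headers, body)."""
    head, sep, rest = raw.partition(CRLF + CRLF)         # blank line ends the header block
    if not sep:
        raise ValueError("incomplete message: no blank line after headers")
    lines = head.split(CRLF)
    start_line = lines[0].decode("ascii")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()    # header names are case-insensitive
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(rest)
    else:
        length = int(headers.get("content-length", "0"))
        if len(rest) < length:
            raise ValueError("body shorter than Content-Length")
        body = rest[:length]                             # ignore anything past the declared length
    return start_line, headers, body


def parse_form(body: bytes) -> Dict[str, str]:
    """Decode an application/x-www-form-urlencoded body, percent-decoding included."""
    return dict(parse_qsl(body.decode("ascii"), keep_blank_values=True))


# Constructed sample messages mirroring the slides' POST request and a chunked response.
POST_REQUEST = (b"POST /path/delete.php HTTP/1.1\r\nHost: hostname\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 14\r\n\r\nusername=guest")
CHUNKED_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n"
                    b"Transfer-Encoding: chunked\r\n\r\n"
                    b"5\r\n<html\r\n8\r\n></html>\r\n0\r\n\r\n")
```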

Transport Encodings

application/x-www-form-urlencoded is used for sending forms.

multipart/form-data is used for submitting files.

application/json is used for uploading/downloading JSON.

application/xml is used for uploading/downloading XML.

Data Encodings

URL encoding: % followed by the hex representation of a character.

Entity encoding, also known as XML encoding: &<entity>;.

Base64 encoding: everything is represented using a set of 64 ASCII characters.

GET vs. POST

Here is a GET request where the parameters are in the URL:

GET /path/delete.php?username=guest HTTP/1.1

Here is a POST request where the parameters are in the body:

POST /path/delete.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

username=guest

Sometimes GET and POST are substitutable.

REST

An architectural style, used predominantly for APIs.

DELETE /username/guest HTTP/1.1

HTML

Hyper Text Markup Language

<html><head></head><body></body></html>

XML

Extensible Markup Language

<doc><element></element></doc>

JSON

JavaScript Object Notation

{"key": "value"}

Lab

We will learn how to apply all of this.