The Basics
Hypertext Transfer Protocol And More.
History Of HTTP
Specified in the early 90s (the first version, HTTP/0.9, dates from 1991).
A very simple text-based protocol.
Designed for transferring text-based documents.
How It Is Built
A request and a response.
Each consists of a request/response line, headers and a body.
Lines are delimited by the CRLF characters (0x0d, 0x0a); an empty line separates the headers from the body.
Typical HTTP Request
GET /path/to/something HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 ...
Accept: text/html,application/xhtml+xml,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://i/came/from/here
Typical HTTP Response
HTTP/1.1 200 OK
Date: Sat, 23 Nov 2013 10:10:10 GMT
Server: Some Server
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1337
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8

body
Browser → Server
Specify the method: GET, POST, HEAD, OPTIONS, etc.
Specify the location: a URL/URI (Uniform Resource Locator/Identifier).
Tell the server more about how you want the data: headers.
Provide an optional body.
Browser ← Server
The server responds with a status code: 1xx (informational), 2xx (success), 3xx (redirection), 4xx (client error), 5xx (server error).
It is followed by extra information: headers.
There is also an optional body.
HTTP Request Deconstructed
METHOD location VERSION
Header1: Value1
Header2: Value2

body
HTTP Response Deconstructed
VERSION code MESSAGE
Header1: Value1
Header2: Value2

body
In Summary
Plain text format made of lines.
Lines are segmented by the CRLF characters.
Each part is made of an initial line, headers and a body.
This keeps implementations simple across different technologies.
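To make that structure concrete, here is an added example (my code, not from the slides) that serializes a request and parses a response exactly along these lines: CRLF between lines, an empty line between head and body, a Content-Length so the receiver knows where the body ends. The function names, the host example.test and the sample response are all constructed for the illustration.

```python
"""Build and parse HTTP/1.1 messages as raw bytes (added example, not from the slides)."""

CRLF = b"\r\n"


def build_request(method, target, headers=None, body=b""):
    """Serialize a request: start line, header lines, empty line, body.

    A Content-Length header is added whenever a body is present, so the
    receiver knows exactly how many bytes belong to this message.
    """
    hdrs = dict(headers or {})
    if body and "Content-Length" not in hdrs:
        hdrs["Content-Length"] = str(len(body))
    lines = [f"{method} {target} HTTP/1.1".encode("ascii")]
    lines += [f"{name}: {value}".encode("latin-1") for name, value in hdrs.items()]
    return CRLF.join(lines) + CRLF + CRLF + body


def parse_message(raw):
    """Split a raw request or response into (start_line, headers, body).

    The head ends at the first empty line (CRLF CRLF). Headers come back as a
    list of (name, value) pairs because repeated names are legal (several
    Set-Cookie headers, for instance); names are case-insensitive, so they are
    lower-cased here.
    """
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete message: no empty line terminating the headers")
    head_lines = head.split(CRLF)
    start_line = head_lines[0].decode("latin-1")
    headers = []
    for line in head_lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return start_line, headers, body


def header(headers, name):
    """First value of a header (case-insensitive), or None if absent."""
    name = name.lower()
    return next((value for n, value in headers if n == name), None)


# Constructed sample response; not captured from any real server.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"Content-Length: 13\r\n"
    b"Set-Cookie: a=1\r\n"
    b"Set-Cookie: b=2\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    req = build_request("POST", "/path/delete.php",
                        {"Host": "example.test",
                         "Content-Type": "application/x-www-form-urlencoded"},
                        b"username=guest")
    print(req.decode("latin-1"))
    print(parse_message(SAMPLE_RESPONSE))
```

Feeding the bytes from build_request straight into parse_message is a quick way to check that the two sides agree on the framing; the parser deliberately refuses a message with no empty line, which is the usual symptom of a client that used bare LF instead of CRLF.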
Some Observations
In the original protocol there is:
No authentication!
No encryption!
No sessions!
No streaming!
HTTP Develops
The spec is extended with HTTP/1.0 and later HTTP/1.1.
These add streaming (chunked transfer), authentication, sessions (via cookies), virtual hosts and more.
HTTP Authentication
There are several kinds: Basic, Digest, NTLM.
Basic auth is based around base64 encoding: the client sends base64("username:password") in the Authorization header with every request. Base64 is an encoding, not encryption, so anyone who can read the traffic recovers the password; Basic is only acceptable over SSL/TLS.
Digest is based around challenge/response: the server sends a nonce and the client answers with an MD5 hash of the credentials, the nonce and the request, so the password itself is never transmitted.
NTLM is a proprietary challenge/response protocol developed by Microsoft.
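The two schemes side by side, as an added example (my code, not from the slides): Basic is shown to be reversible by decoding it back, and Digest is computed the way RFC 2617 specifies for qop=auth. The sample credentials (Aladdin / open sesame, and the Mufasa challenge) are the worked examples from RFC 2617, not from these slides.

```python
"""Basic and Digest credentials as a client computes them.

Added example, not from the slides. Digest follows RFC 2617 with qop=auth.
"""
import base64
import hashlib


def basic_authorization(username, password):
    """Basic: base64("username:password"). Encoding only, fully reversible."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(authorization_value):
    """Recover the plaintext credentials, as anyone reading the traffic could."""
    scheme, _, token = authorization_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credential: no ':' separator")
    return user, password


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Digest: the password is hashed into HA1 and bound to the server's nonce,
    so it never crosses the wire. The server holds HA1 (or the password) and
    recomputes the same value to verify the answer.
    """
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_authorization(username, realm, password, method, uri, nonce, nc, cnonce, opaque=None):
    """Assemble the Authorization header a client sends after the 401 challenge."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce)
    fields = [
        f'username="{username}"', f'realm="{realm}"', f'nonce="{nonce}"', f'uri="{uri}"',
        "qop=auth", f"nc={nc}", f'cnonce="{cnonce}"', f'response="{resp}"',
    ]
    if opaque:
        fields.append(f'opaque="{opaque}"')
    return "Digest " + ", ".join(fields)


if __name__ == "__main__":
    hdr = basic_authorization("Aladdin", "open sesame")  # RFC 2617 sample credentials
    print(hdr, "->", decode_basic(hdr))
    print(digest_authorization("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                               "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                               "00000001", "0a4f113b"))
```

Note that Digest only hides the password: MD5 is fast enough that a captured exchange can be brute-forced offline, and neither scheme protects the rest of the request, so both belong behind SSL/TLS.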
HTTP Encryption
A layer underneath HTTP called SSL (today TLS).
SSL stands for Secure Sockets Layer; its successor is TLS (Transport Layer Security).
It works as a wrapper around sockets, so HTTP itself is unchanged: HTTPS is plain HTTP spoken over an encrypted socket.
HTTP Sessions
The HTTP protocol is completely stateless.
Sessions add state: the server keeps the state and the browser keeps a session identifier, typically stored in a cookie.
Cookies are a simple storage provided by the browser.
Cookies are scoped by domain and path, which is looser than the SOP (Same Origin Policy): cookie scope ignores the port and, unless the Secure flag is set, the scheme.
Cookies also have various security flags: HttpOnly (not readable by script) and Secure (only sent over HTTPS).
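An added example (my code, not from the slides) that parses a Set-Cookie header, lists the flags a reviewer would expect on a session cookie, and answers the scoping question above: would the browser attach this cookie to a given request? The scoping rules are a simplified version of RFC 6265 (domain, path and Secure only); SameSite is a later attribute that the slides do not mention, included here because a modern audit checks for it. Hostnames such as example.test are constructed.

```python
"""Parse Set-Cookie, audit its flags, and decide whether a request would carry the cookie.

Added example, not from the slides. Scoping is a simplified RFC 6265;
SameSite postdates the slides and is listed only as an audit item.
"""


def parse_set_cookie(value):
    """Return (name, value, attributes). Attribute names are lower-cased;
    value-less attributes such as HttpOnly and Secure map to True."""
    parts = [p.strip() for p in value.split(";")]
    name, eq, val = parts[0].partition("=")
    if not eq or not name.strip():
        raise ValueError("Set-Cookie must start with name=value")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, attr_value = part.partition("=")
        attrs[key.strip().lower()] = attr_value.strip() if attr_value else True
    return name.strip(), val.strip(), attrs


def audit_cookie(set_cookie_value):
    """Findings a reviewer would raise for a session cookie."""
    _, _, attrs = parse_set_cookie(set_cookie_value)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page script")
    if "secure" not in attrs:
        findings.append("missing Secure: also sent over plain http://")
    if "samesite" not in attrs:
        findings.append("missing SameSite: attached to cross-site requests")
    return findings


def cookie_applies(attrs, origin_host, request_host, request_path, request_is_https):
    """Would the browser attach the cookie? Only domain, path and Secure count;
    the port is ignored and so is the scheme unless Secure is set, which is
    looser than the Same Origin Policy. Hostnames are assumed lower-case."""
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain:
        domain = domain.lstrip(".").lower()
        host_ok = request_host == domain or request_host.endswith("." + domain)
    else:
        host_ok = request_host == origin_host            # host-only cookie
    path = attrs.get("path")
    if not isinstance(path, str) or not path.startswith("/"):
        path = "/"
    path_ok = request_path == path or request_path.startswith(path.rstrip("/") + "/")
    secure_ok = request_is_https or "secure" not in attrs
    return host_ok and path_ok and secure_ok


if __name__ == "__main__":
    # Constructed header, not captured from a real server.
    raw = "sid=abc123; Path=/; HttpOnly; Secure"
    print(parse_set_cookie(raw))
    print(audit_cookie(raw))
    _, _, a = parse_set_cookie("pref=1; Domain=example.test; Path=/app")
    print(cookie_applies(a, "www.example.test", "api.example.test", "/app/x", False))
```

The last call illustrates the "looser than SOP" point: a cookie set by www.example.test with Domain=example.test is sent to api.example.test as well, something the Same Origin Policy would never allow for script access.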
Enough?
There is so much more to learn.
Virtual Hosts
Initially one HTTP site per box (per IP address).
This was very wasteful in the pre-virtualization era.
The Host header was introduced (mandatory in HTTP/1.1) to enable multiple sites per box: the server selects the site by the Host value, not by the address the connection arrived on.
Transport Mechanisms
Content-Length: <size> - the body has a fixed length of <size> bytes.
Transfer-Encoding: chunked - the body is made of chunks, each prefixed with its size in hex and terminated by a zero-sized chunk, so the total length need not be known up front.
If both headers are present, Transfer-Encoding takes precedence and the message ought to be treated as an error (RFC 7230, section 3.3.3), because two parsers on the path may otherwise disagree on where the body ends.
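Both framings in working code, as an added example (mine, not from the slides): a chunked decoder that also returns the bytes left over for the next message on a keep-alive connection, and a read_body that picks the framing the way RFC 7230 section 3.3.3 tells a receiver to and flags the ambiguous case. The sample messages (including the Wiki/pedia chunks) are constructed.

```python
"""Delimit a message body by Content-Length or chunked Transfer-Encoding.

Added example, not from the slides; precedence follows RFC 7230 section 3.3.3.
"""

HEX_DIGITS = b"0123456789abcdefABCDEF"


def split_head(raw):
    """Return ({lower-cased header name: value}, bytes following the empty line)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("headers not terminated by an empty line")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # [0] is the request/status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, rest


def decode_chunked(data):
    """Decode `<hex size>[;ext] CRLF <chunk> CRLF ... 0 CRLF [trailers] CRLF`.

    Returns (body, leftover bytes after the terminating chunk); the leftover is
    the start of the next message on a keep-alive connection.
    """
    body = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = data[pos:eol].split(b";", 1)[0].strip()   # extensions after ';' ignored
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ValueError(f"invalid chunk size: {size_field!r}")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            if data[pos:pos + 2] == b"\r\n":                    # no trailer headers
                return bytes(body), data[pos + 2:]
            end = data.find(b"\r\n\r\n", pos)                     # skip trailer headers
            if end < 0:
                raise ValueError("truncated trailer section")
            return bytes(body), data[end + 4:]
        chunk = data[pos:pos + size]
        if len(chunk) < size:
            raise ValueError("truncated chunk")
        body += chunk
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk not followed by CRLF")
        pos += 2


def read_body(raw):
    """Return (body, ambiguous). Chunked framing wins over Content-Length when
    both are present; such a message is flagged because RFC 7230 says it ought
    to be treated as an error."""
    headers, rest = split_head(raw)
    te = headers.get("transfer-encoding", "").lower()
    cl = headers.get("content-length")
    ambiguous = bool(te) and cl is not None
    if "chunked" in te:
        body, _ = decode_chunked(rest)
    elif cl is not None:
        if not cl.isdigit():
            raise ValueError(f"invalid Content-Length: {cl!r}")
        n = int(cl)
        if len(rest) < n:
            raise ValueError("truncated body")
        body = rest[:n]
    else:
        body = b""   # a request carrying neither header has no body
    return body, ambiguous


if __name__ == "__main__":
    # Constructed request, not captured from a real client.
    msg = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n")
    print(read_body(msg))
```

A real server reads from a socket in pieces, so every "truncated" ValueError above corresponds to "wait for more bytes" in a streaming parser; the decision logic in read_body is the part that must be identical on every hop of the path.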
Content Types
The Content-Type header names how the body is encoded:
application/x-www-form-urlencoded is used for sending forms.
multipart/form-data is used for submitting files.
application/json is used for uploading/downloading JSON.
application/xml is used for uploading/downloading XML.
Data Encodings
URL encoding: % followed by the two hex digits of a byte (a space becomes %20, & becomes %26); in form bodies a space may also be written as +.
Entity encoding, also known as XML/HTML encoding: &<entity>; (for example &lt; for <, or the numeric form &#60;).
Base64 encoding: every 3 bytes are represented by 4 characters from a 64-character ASCII alphabet, padded with = at the end.
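The encodings behind the form content types, written out by hand as an added example (my code, not from the slides) so the rules are visible rather than hidden in a library: percent-encoding with a decoder that refuses a malformed % sequence, an application/x-www-form-urlencoded body, a multipart/form-data body for a file upload, and base64 built 3 bytes at a time. Field names, file names and the boundary used in the usage are constructed.

```python
"""Encode request bodies the way a browser does (added example, not from the slides)."""
import secrets
import string

UNRESERVED = frozenset(string.ascii_letters + string.digits + "-_.~")
B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def percent_encode(text):
    """Every byte outside the unreserved set becomes %XX (text is UTF-8 encoded first)."""
    return "".join(ch if ch in UNRESERVED
                   else "".join(f"%{b:02X}" for b in ch.encode("utf-8"))
                   for ch in text)


def percent_decode(text):
    """Inverse of percent_encode; a '%' not followed by two hex digits is an error."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "%":
            hex_pair = text[i + 1:i + 3]
            if len(hex_pair) != 2 or any(c not in string.hexdigits for c in hex_pair):
                raise ValueError(f"bad percent-escape at offset {i}")
            out.append(int(hex_pair, 16))
            i += 3
        else:
            out += text[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")


def form_urlencode(fields):
    """application/x-www-form-urlencoded body: key=value pairs joined by &."""
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in fields.items())


def multipart_form_data(fields, files, boundary=None):
    """multipart/form-data body. `files` maps field name to (filename, content_type, bytes).
    Returns (Content-Type header value, body bytes)."""
    boundary = boundary or "----boundary" + secrets.token_hex(16)
    delim = f"--{boundary}\r\n".encode("ascii")
    parts = []
    for name, value in fields.items():
        parts.append(delim + f'Content-Disposition: form-data; name="{name}"\r\n\r\n'.encode("utf-8")
                     + value.encode("utf-8") + b"\r\n")
    for name, (filename, ctype, data) in files.items():
        if boundary.encode("ascii") in data:   # the boundary must not occur inside a part
            raise ValueError("boundary collides with file content; choose another")
        parts.append(delim + (f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n'
                              f"Content-Type: {ctype}\r\n\r\n").encode("utf-8") + data + b"\r\n")
    body = b"".join(parts) + f"--{boundary}--\r\n".encode("ascii")
    return f"multipart/form-data; boundary={boundary}", body


def base64_encode(data):
    """3 input bytes -> 24 bits -> 4 six-bit indexes into the alphabet; '=' pads a short tail."""
    out = []
    for i in range(0, len(data), 3):
        group = data[i:i + 3]
        n = int.from_bytes(group.ljust(3, b"\0"), "big")
        quad = [B64_ALPHABET[(n >> shift) & 63] for shift in (18, 12, 6, 0)]
        pad = 3 - len(group)
        out.append("".join(quad[:4 - pad]) + "=" * pad)
    return "".join(out)


if __name__ == "__main__":
    print(form_urlencode({"username": "gue st", "note": "a&b=c"}))
    ctype, body = multipart_form_data({"username": "guest"},
                                      {"upload": ("x.txt", "text/plain", b"hello")},
                                      boundary="XYZ")
    print(ctype, len(body), body, sep="\n")
    print(base64_encode(b"username:password"))
```

When sending the multipart body, Content-Length is the length of the returned bytes, and the Content-Type value must carry the same boundary; the two headers together are what lets the server find the file inside the request.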
GET vs. POST
Here is a GET request where the parameters are in the URL:
GET /path/delete.php?username=guest HTTP/1.1
Here is a POST request where the parameters are in the body:
POST /path/delete.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

username=guest
Sometimes GET and POST are substitutable: many server frameworks read parameters from either location, so a request intended as a POST may be accepted as a GET URL as well.
REST
An architectural style, used predominantly for APIs, in which the HTTP method is the operation and the URL names the resource it acts on:
DELETE /username/guest HTTP/1.1
HTML
HyperText Markup Language
<html><head></head><body></body></html>
XML
Extensible Markup Language
<doc><element></element></doc>
JSON
JavaScript Object Notation
{"key": "value"}
Lab
We will learn how to apply all of this.
Simple Challenges
1. Make a simple GET request.
2. Make a simple POST request.
Moderate Challenges
1. Make an authenticated request with basic auth.
2. Make an authenticated request with cookies.
3. Make a form data (file upload) request.
Advanced Challenges
1. Make a proxy request.