Fearless HTTP requests abuse

Fearless HTTP requests abuseLuís Cipriani@lfcipriani (twitter, linkedin, github, ...)20o. GURU (2011-11-26) - Sao Paulo/Brazil

Motivation http://www.youtube.com/watch?v=8FpigqfcvlM “REST implies doing SEVERAL HTTP requests, this is bad, doesn’t scale, blah blah blah...”

Motivation http://www.youtube.com/watch?v=8FpigqfcvlM Shut UP! Don’t think like that! SEVERAL people already solved this problem SEVERAL ways.

Motivation http://www.youtube.com/watch?v=8FpigqfcvlM One of the ways is HTTP cache

http cache BENEFITS • reduce bandwidth • reduce latency • reduce server load • hide network failures

http cache LOCALIZATION

http cache HEADERS 11 headers +15 directives

http cache FLOW 1. may I cache? 2. if it’s cached, is it fresh? 3. if stale, is it valid on server? 4. anything else I need to know? 11+15

http cache 1. POSSO CACHEAR? cache-control should revalidate, may I cache locally? may I cache anywhere? directive even being fresh? no-store no no n/a private yes no no no-cache yes yes yes public yes yes no 1. locally means a cache that servers only one consumer 2. these directives override any conﬁguration of the cache 3. by default, we can cache non safe/authenticated requests, GET and HEAD and those with status code 200, 203, 206, 300, 301, 410 10 +11

http cache 2. IF IT IS CACHED, IS IT FRESH? the server should send the expiration time of an answer Expires: [RFC 1123 date] Cache-Control: max-age=600 but if the server didn’t do this, cache may assign heuristically the expiration time. 9 +10

http cache 2. IF IT IS CACHED, IS IT FRESH? Age calculation 7 +10

http cache 2. IF IT IS CACHED, IS IT FRESH? freshness_lifetime = Cache-Control: max-age | | Expires - Date response_is_fresh = freshness_lifetime > Age 7+7

http cache 3. IF STALE, REVALIDATE Validators Last-Modified ETag Conditionals If-Modified-Since If-None-Match if conditional request == false 304 Not Modified “... only return me a new resource if [conditional] applies on [validator] ...” 3+7

http cache 3.1. CONTROLLING REVALIDATION through client Cache-Control: no-cache + Pragma: no-cache Cache-Control: max-age=0 Cache-Control: only-if-cached 2+6

http cache 3.1. CONTROLLING REVALIDATION through origin server Cache-Control: must-revalidate after stale Cache-Control: proxy-revalidate Cache-Control: no-cache always 2+4

http cache 4. WHAT ELSE SHOULD I KNOW? Vary is part of cache key expired response, failed revalidation, Warning advanced age (more than 24 hours) don’t allow transformation Cache-Control: no-transform on the content Cache-Control: extensions for example, channels Cache-Control: stale-if-error availability over consistency Cache-Control: stale-while-revalidate background revalidation 0+0

http cache TIPS 1. use URLs consistently 2. common image library 3. use cache for pages that changes in low frequency 4. update cache with updated resources 5. don’t change ﬁles unnecessarily 6. use cookies only when necessary 7. minimize the use of SSL 8. validate your strategy on REDbot.org stolen from http://www.mnot.net/cache_docs/#TIPS 0+0

http cache REFERÊNCIAS 1. http://en.wikipedia.org/wiki/Web_cache 2. http://www.w3.org/Protocols/rfc2616/rfc2616.html 3. http://www.mnot.net/cache_docs/ 4. http://redbot.org/ 5. http://www.mnot.net/blog/2008/01/04/cache_channels 6. https://github.com/abril/cachebag 0+0

Reformulação Box de Login Abril ID http://abril-engineering-en.tumblr.com/ FIM

http://engineering.abril.com.br	2474
http://abril-engineering.tumblr.com	187
http://gurusp.org	27
http://www.newsblur.com	10
http://engineering.abril.com.br.	8
http://www.linkedin.com	3
http://webcache.googleusercontent.com	2
http://us-w1.rockmelt.com	2
http://translate.googleusercontent.com	2
http://www.gurusp.org	1
http://app.brandwatch.com	1
http://placar.abril.com.br&_=1361903675464 HTTP	1

Fearless HTTP requests abuse

by Luis Cipriani

Accessibility

Categories

Upload Details

Usage Rights

12 Embeds 2,718

Statistics

Fearless HTTP requests abuse Presentation Transcript