HTTP Fundamentals 
for Developers 
Mario Cardinal 
Agile Coach & Software Architect 
www.mariocardinal.com 
@mario_cardinal 
October 15
Who am I? 
• Agile Coach & Software architect 
• Co-Founder of Slingboards Lab 
• http://mariocardinal.com
Content 
1. Resources 
2. Request 
3. Response 
4. Media Type 
5. Caching 
6. Cookie 
7. Connection 
8. Security 
http://www.slideshare.net/mario_cardinal
Resources (URL)
Uniform Resource Locator
• <scheme>://<host>:<port>/<path>?<query>#<fragment>
http://www.amazon.com:80/gp/product/B00D3UDMEU
• URL scheme: http
• Host: www.amazon.com
• Port: 80
• URL path: /gp/product/B00D3UDMEU
Uniform Resource Locator
• <scheme>://<host>:<port>/<path>?<query>#<fragment>
http://www.google.com/search?q=kindle
• URL scheme: http
• Host: www.google.com
• Port: 80 (default value)
• URL path: /search
• Query string: ?q=kindle
Uniform Resource Locator
• <scheme>://<host>:<port>/<path>?<query>#<fragment>
https://foo.com/homepage.html#ingredients
• URL scheme: https
• Host: www.foo.com (default to www)
• Port: 443 (default value)
• URL path: /homepage.html
• Query string: (none)
• Fragment: #ingredients
refers to the element with id="ingredients": <div id="ingredients"> </div>
URL Encoding
• http://someserver.com/%5Emy%20resume.txt
• URL encoding of: "^my resume.txt"
HTTP Request and response
• A client sends an HTTP request to a server using a message that the server will understand.
• A server responds by sending an HTTP response that the client will understand.
• The request and the response are two different message types.
(Diagram: browser client sends a Request Message to the HTTP server; the HTTP server returns a Response Message)
Request
• An HTTP request message is a simple, plain text message
(Diagram: browser client sends a Request Message to the HTTP server)
HTTP Request Message
• A full HTTP request message consists of the following parts:
[method] [URL] [version]
[headers]
[body]
HTTP Request Method
Method   Description
GET      Retrieve a resource
PUT      Store a resource
DELETE   Remove a resource
POST     Update a resource
HEAD     Retrieve the headers for a resource
HTTP Request Method 
[method] [URL] [version] 
[headers] 
[body] 
GET http://mariocardinal.com/Articles/741.aspx HTTP/1.1
HTTP Request Header
Header             Description
Referer            When the user clicks on a link, the client can send the URL of the referring page in this header.
User-Agent         Information about the user agent (the software) making the request. Many applications use the information in this header, when present, to figure out what browser is making the request (Internet Explorer 9 versus Chrome, etc.).
Accept             Describes the media types the user agent is willing to accept. This header is used for content negotiation.
Accept-Language    Describes the languages the user agent prefers.
Cookie             Cookie information generally helps a server track or identify a user.
If-Modified-Since  Contains the date when the user agent last retrieved (and cached) the resource. The server only has to send back the entire resource if it has been modified since that time.
HTTP Request Header 
[method] [URL] [version] 
[headers] 
[body] 
GET http://mariocardinal.com/Articles/741.aspx HTTP/1.1
Accept-Language: fr-CA
Date: Fri, 9 Aug 2013 21:12:00 GMT
HTTP request message (POST example) 
<form action="/account/create" method="POST"> 
<label for="firstName">First name</label> 
<input id="firstName" name="firstName" type="text" /> 
<label for="lastName">Last name</label> 
<input id="lastName" name="lastName" type="text" /> 
<input type="submit" value="Sign up!"/> 
</form> 
POST http://server.com:1060/account/create HTTP/1.1
Host: server.com

firstName=Mario&lastName=Cardinal
Response
• An HTTP response message is a simple, plain text message
(Diagram: the HTTP server returns a Response Message to the browser client)
HTTP Response Message
• A full HTTP response message consists of the following parts:
[version] [status] [reason]
[headers]
[body]
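A parser for the request and response layouts described on these slides (start line, headers, blank line, body), added here as an example; it is not code from the deck. The function names are mine, the sample messages are constructed after the deck's POST and 200 examples, and only Content-Length body framing is handled.

```python
import re

TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 7230 "tchar" token
VERSION = re.compile(r"^HTTP/\d\.\d$")


def _split_head_body(raw: bytes):
    """Split at the first empty line: head (start line + headers) / body.
    HTTP uses CRLF; a bare LF is tolerated for hand-typed messages."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        if sep in raw:
            head, body = raw.split(sep, 1)
            return head.decode("iso-8859-1"), body
    return raw.decode("iso-8859-1"), b""


def _parse_headers(lines):
    """Header names are case-insensitive; a repeated name is joined with
    commas, as RFC 7230 allows for list-valued fields."""
    headers = {}
    for line in lines:
        if not line or line[0] in " \t" or ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        if not TOKEN.match(name):
            raise ValueError(f"invalid header name: {name!r}")
        key, value = name.lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def _read_body(headers, body):
    """Only Content-Length framing is handled. Transfer-Encoding is rejected
    outright so a message can never be framed two different ways."""
    if "transfer-encoding" in headers:
        raise ValueError("Transfer-Encoding is not supported by this parser")
    length = headers.get("content-length", "0")
    if not length.isdigit():
        raise ValueError(f"Content-Length must be a non-negative integer: {length!r}")
    n = int(length)
    if len(body) < n:
        raise ValueError(f"body truncated: expected {n} bytes, got {len(body)}")
    return body[:n]


def parse_request(raw: bytes) -> dict:
    """[method] [URL] [version] / [headers] / [body]"""
    head, body = _split_head_body(raw)
    lines = head.splitlines()
    parts = lines[0].split(" ") if lines else []
    if len(parts) != 3 or not TOKEN.match(parts[0]) or not VERSION.match(parts[2]):
        raise ValueError(f"bad request line: {lines[:1]!r}")
    headers = _parse_headers(lines[1:])
    if parts[2] == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 requests must carry a Host header")
    return {"method": parts[0], "url": parts[1], "version": parts[2],
            "headers": headers, "body": _read_body(headers, body)}


def parse_response(raw: bytes) -> dict:
    """[version] [status] [reason] / [headers] / [body]"""
    head, body = _split_head_body(raw)
    lines = head.splitlines()
    parts = lines[0].split(" ", 2) if lines else []
    if (len(parts) < 2 or not VERSION.match(parts[0])
            or not re.fullmatch(r"\d{3}", parts[1])):
        raise ValueError(f"bad status line: {lines[:1]!r}")
    headers = _parse_headers(lines[1:])
    return {"version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) == 3 else "",
            "headers": headers, "body": _read_body(headers, body)}


# Constructed sample messages, modelled on the deck's POST and 200 examples.
SAMPLE_REQUEST = (b"POST /account/create HTTP/1.1\r\n"
                  b"Host: server.com\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 33\r\n"
                  b"\r\n"
                  b"firstName=Mario&lastName=Cardinal")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html; charset=utf-8\r\n"
                   b"Content-Length: 13\r\n"
                   b"\r\n"
                   b"<html></html>")
```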
HTTP Response Status Code
Range     Category
100–199   Informational
            100 Continue
200–299   Successful
            200 OK
            201 Created
            204 No Content
300–399   Redirection
            301 Moved Permanently
            304 Not Modified
400–499   Client Error
            400 Bad Request
            401 Unauthorized
            403 Forbidden
            404 Not Found
500–599   Server Error
            500 Internal Server Error
            503 Service Unavailable
HTTP Response Message 
[version] [status] [reason] 
[headers] 
[body] 
HTTP/1.1 200 OK
HTTP Response Header
Header            Description
Connection        Options that are desired for the connection.
Content-Encoding  The type of encoding used on the data.
Content-Length    The length of the response body in octets (8-bit bytes).
Content-Type      Describes the media type of this content.
Date              The date and time that the message was sent.
Expires           Gives the date/time after which the response is considered stale.
Location          Used in redirection, or when a new resource has been created.
Server            A name for the server.
HTTP Response Message 
[version] [status] [reason] 
[headers] 
[body] 
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8 
Server: Microsoft-IIS/7.0 
X-AspNet-Version: 2.0.50727 
X-Powered-By: ASP.NET 
Date: Sat, 14 Jan 2012 04:00:08 GMT 
Connection: close 
Content-Length: 17151
Resources and media types
• When a host responds to an HTTP request, it returns a resource (content)
• The host also specifies the content type (also known as the media type) of the resource
• Defined using Multipurpose Internet Mail Extensions (MIME)
  • "text/html"
  • "image/jpeg"
  • "text/xml"
  • "application/json"
Content negotiation
• Content negotiation is part of what makes HTTP great
• Request message
  • Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
• Response message
  • Content-Type: text/html; charset=utf-8
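Server-side negotiation over the slide's Accept header, added here as an example (not the deck's code); the function names and the offered media types are mine. It applies the q-value rules generally: the most specific matching range wins, q=0 marks a type as unacceptable, and the server's own order breaks ties.

```python
def parse_accept(header: str):
    """Parse Accept into (type, subtype, q, specificity) tuples. A missing q
    means 1.0; an unparsable or out-of-range q means 0 (not acceptable)."""
    ranges = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        media = parts[0].lower()
        if media.count("/") != 1:
            continue   # malformed range: skip it rather than fail the request
        t, s = media.split("/")
        q = 1.0
        for param in parts[1:]:
            k, _, v = param.partition("=")
            if k.strip().lower() == "q":
                try:
                    q = float(v)
                except ValueError:
                    q = 0.0
                if not 0.0 <= q <= 1.0:   # also catches NaN
                    q = 0.0
        ranges.append((t, s, q, (t != "*") + (s != "*")))
    return ranges


def quality(media_type: str, ranges) -> float:
    """The q the client assigns to one server media type: that of the most
    specific matching range (RFC 7231 section 5.3.2), 0 if nothing matches."""
    t, s = media_type.lower().split("/", 1)
    best = None
    for rt, rs, q, spec in ranges:
        if rt in ("*", t) and rs in ("*", s) and (best is None or spec > best[0]):
            best = (spec, q)
    return best[1] if best else 0.0


def negotiate(accept_header: str, offered):
    """Choose among `offered` (the server's types, in the server's order of
    preference; ties keep that order). None means nothing is acceptable,
    which the server should answer with 406 Not Acceptable."""
    ranges = parse_accept(accept_header) if accept_header else [("*", "*", 1.0, 0)]
    best, best_q = None, 0.0
    for media in offered:
        q = quality(media, ranges)
        if q > best_q:
            best, best_q = media, q
    return best


# The Accept header from the slide, reused as sample input.
SLIDE_ACCEPT = "text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8"
```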
HTTP Response Message 
[version] [status] [reason] 
[headers] 
[body] 
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8 
Server: Microsoft-IIS/7.0 
X-AspNet-Version: 2.0.50727 
X-Powered-By: ASP.NET 
Date: Sat, 14 Jan 2012 04:00:08 GMT 
Connection: close 
Content-Length: 17151

<html>
<head> 
<title>Hello</title> 
</head> 
<body> 
... content ... 
</body> 
</html>
Time-Based Caching 
HTTP/1.1 200 OK 
Last-Modified: Wed, 25 Jan 2012 17:55:15 GMT 
Expires: Sat, 22 Jan 2022 17:55:15 GMT 
Cache-Control: max-age=315360000,public 
Content-Length: 208

<html>
<head> </head> 
<body> </body> 
</html>
Content-Based Caching 
HTTP/1.1 200 OK 
Last-Modified: Fri, 06 Jan 2012 18:08:20 GMT 
ETag: "8e5bcd-59f-4b5dfef104d00" 
Content-Type: text/xml 
Vary: Accept-Encoding 
Content-Encoding: gzip 
Content-Length: 437

<html>
<head> </head>
<body> </body> 
</html>
HTTP Request and Caching 
Request 
GET … HTTP/1.1 
If-Modified-Since: Wed, 25 Jan 2012 17:55:15 GMT 
Response 
HTTP/1.1 304 Not Modified 
Expires: Sat, 22 Jan 2022 17:16:19 GMT 
Cache-Control: max-age=315360000,public
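The time-based (Last-Modified / If-Modified-Since) and content-based (ETag / If-None-Match) validators from the caching slides, handled on the server side, added here as an example (not the deck's code). The Last-Modified date and the max-age are the slides'; the body, the ETag derivation and the function names are mine.

```python
import hashlib
from datetime import datetime, timezone
from email.utils import formatdate, parsedate_to_datetime


def etag_for(body: bytes) -> str:
    """Strong ETag derived from the bytes themselves, so it changes exactly
    when the content does (my derivation; the slide's tag is Apache-style)."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def http_date(when: datetime) -> str:
    """IMF-fixdate as used by Last-Modified, Expires and Date."""
    return formatdate(when.timestamp(), usegmt=True)


def _etag_list(value: str):
    """If-None-Match is '*' or a comma-separated list of entity tags;
    a weak tag W/"x" is reduced to "x" for the comparison."""
    tags = []
    for tag in value.split(","):
        tag = tag.strip()
        if tag.startswith("W/"):
            tag = tag[2:]
        if tag:
            tags.append(tag)
    return tags


def conditional_get(req_headers: dict, body: bytes, last_modified: datetime):
    """Decide between 200 (send the representation) and 304 (the client's
    copy is still good). `last_modified` must be timezone-aware.
    Returns (status, response_headers, body)."""
    h = {k.lower(): v for k, v in req_headers.items()}
    lm = last_modified.replace(microsecond=0)   # HTTP dates have 1 s resolution
    etag = etag_for(body)
    validators = {"ETag": etag, "Last-Modified": http_date(lm),
                  "Cache-Control": "max-age=315360000, public"}
    not_modified = False
    if "if-none-match" in h:
        # An entity-tag condition takes precedence over the date condition
        # (RFC 7232 section 3.3): If-Modified-Since is ignored when both appear.
        tags = _etag_list(h["if-none-match"])
        not_modified = "*" in tags or etag in tags
    elif "if-modified-since" in h:
        try:
            since = parsedate_to_datetime(h["if-modified-since"])
        except (TypeError, ValueError):
            since = None   # unparsable date: ignore the condition, send 200
        if since is not None:
            if since.tzinfo is None:
                since = since.replace(tzinfo=timezone.utc)
            not_modified = lm <= since
    if not_modified:
        return 304, validators, b""
    return 200, {**validators, "Content-Type": "text/html",
                 "Content-Length": str(len(body))}, body


# Constructed sample: the slide's Last-Modified date with a constructed body.
SAMPLE_BODY = b"<html>\n<head> </head>\n<body> </body>\n</html>\n"
SAMPLE_MODIFIED = datetime(2012, 1, 25, 17, 55, 15, tzinfo=timezone.utc)
```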
Cookies 
HTTP/1.1 200 OK 
Content-Type: text/html; charset=utf-8 
Set-Cookie: fname=Mario$lname=Cardinal; expires=Monday, 09-July-2012 21:12:00 GMT; domain=.mywebsite.com; path=/; HttpOnly
Identification and Cookies
• There is a size limitation of 4 KB
• Many websites only put in a unique identifier for a user
HTTP/1.1 200 OK
Set-Cookie: GUID=00a48b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/ ; HttpOnly
Identification and Cookies
• Assuming the browser is configured to accept cookies, the browser will send the cookie to the server in every subsequent HTTP request.
GET msn.com HTTP/1.1
Cookie: GUID=00a48b7f6a4946a8adf593373e53347c;
Downsides to cookies
• They interfere with caching
  • Any response with a Set-Cookie header should not be cached, at least not the headers, since this can interfere with user identification and create security problems
• They transmit data with every request
  • Large cookies raise demand for network bandwidth
• A cookie should never store sensitive information
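A review check for Set-Cookie headers like the two on these slides, added here as an example (not the deck's code). The Secure and SameSite attributes it looks for are standard cookie attributes (RFC 6265 and its successor) that the deck does not cover; the rule set, the heuristics and the names are mine.

```python
def parse_set_cookie(header: str):
    """Split 'name=value; attr=val; flag' into (name, value, attrs).
    Attribute names are case-insensitive; bare flags map to True."""
    pieces = [p.strip() for p in header.split(";")]
    name, sep, value = pieces[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"no cookie name in {header!r}")
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            k, _, v = piece.partition("=")
            attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value.strip(), attrs


def check_set_cookie(header: str, served_over_https: bool = True):
    """Findings a reviewer would raise for one Set-Cookie header; [] is clean."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: page scripts can read the cookie")
    if served_over_https and "secure" not in attrs:
        findings.append("missing Secure: cookie will also be sent over plain HTTP")
    if "samesite" not in attrs:
        findings.append("missing SameSite: cookie is attached to cross-site requests")
    domain = attrs.get("domain")
    if isinstance(domain, str):
        labels = [l for l in domain.lower().strip(".").split(".") if l]
        if len(labels) < 2:
            findings.append(f"Domain={domain} is too broad; browsers reject TLD/public-suffix scope")
        else:
            findings.append(f"Domain={domain} shares the cookie with every subdomain")
    if "=" in value or "&" in value:
        # heuristic: field=value pairs inside the value mean user data is
        # being stored client-side rather than an opaque identifier
        findings.append("value carries structured data; store only an opaque identifier")
    if len(header.encode("utf-8")) > 4096:
        findings.append("over 4 KB: the browser will drop or truncate it")
    return findings


# Constructed inputs, copied from the two cookie slides.
SLIDE_COOKIE = ("fname=Mario$lname=Cardinal; expires=Monday, 09-July-2012 21:12:00 GMT; "
                "domain=.mywebsite.com; path=/; HttpOnly")
SLIDE_GUID_COOKIE = "GUID=00a48b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/ ; HttpOnly"
```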
Connection
(Diagram: browser client and HTTP server, each with a Transport / Network / Data Link stack; HTTP runs over TCP, which runs over IP, which runs over Ethernet on the shared media)
Network Debugging
• Observe TCP handshake and IP headers
  http://www.wireshark.org/
• Observe and manipulate HTTP request and response
  http://www.telerik.com/fiddler
Security
• Authentication
  • Process by which a client proves its identity to the server
  • Basic
  • Digest
  • Windows
  • Form-based
Basic Authentication 
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="localhost"
• The WWW-Authenticate header tells the client to collect the user credentials and try again
• The realm attribute gives the user agent a string it can use as a description for the protected area
• What happens next depends on the user agent, but most browsers will display a UI for the user to enter credentials.
Basic Authentication
Request
GET http://localhost/Demo/ HTTP/1.1
Authorization: Basic bm86aXdvdWxkbnRkb3RoYXQh
• The value of the Authorization header is the client's username and password in base 64 encoding.
• Basic authentication is insecure by default.
Digest Authentication
• Digest authentication is an improvement over basic authentication because it does not transmit the user's password in base 64 encoding
• The client must send a digest of the password.
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="localhost", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"
• Still vulnerable to man-in-the-middle attacks in which someone is sniffing network traffic
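Both sides of the Basic and Digest exchanges shown on the preceding slides, added here as an example (not the deck's code): the server issues the 401 challenge, the client builds the Authorization header, and the server verifies it. The realm is the slide's; the credential store, the nonce bookkeeping and the helper names are mine.

```python
import base64
import hashlib
import hmac
import secrets

REALM = "localhost"                   # realm used on the slides
USERS = {"mario": "correct horse"}    # constructed credential store
_NONCES = set()                       # nonces this server has issued and not yet consumed


def basic_challenge():
    """401 that tells the user agent to collect credentials (Basic)."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def digest_challenge():
    """401 with a fresh, unpredictable nonce (Digest, qop=auth)."""
    nonce = secrets.token_hex(16)
    _NONCES.add(nonce)
    return 401, {"WWW-Authenticate":
                 f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'}


def client_basic_header(user, password):
    """What the browser sends back: base64 is an encoding, not encryption,
    so the password is readable by anyone who can see the request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def verify_basic(authorization):
    """Return the user name on success, else None (caller re-challenges)."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = creds.partition(":")   # the password may itself contain ':'
    if not sep:
        return None
    # constant-time compare, and the same work whether or not the user exists
    good = hmac.compare_digest(USERS.get(user, "").encode(), password.encode())
    return user if good and user in USERS else None


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()   # the algorithm RFC 2617 Digest specifies


def _digest_response(user, password, method, uri, nonce, nc, cnonce):
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_digest_header(user, password, method, uri, nonce, nc="00000001"):
    """What the client sends: a digest over the password, nonce and request,
    never the password itself."""
    cnonce = secrets.token_hex(8)
    resp = _digest_response(user, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def _parse_digest(blob):
    fields = {}
    for part in blob.split(","):
        k, sep, v = part.strip().partition("=")
        if sep:
            fields[k.strip().lower()] = v.strip().strip('"')
    return fields


def verify_digest(authorization, method, uri):
    """Recompute the digest server-side and compare. The nonce must be one we
    issued; it is retired after one use here (a production server tracks the
    nc counter per nonce instead)."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "digest":
        return None
    f = _parse_digest(blob)
    needed = ("username", "realm", "nonce", "uri", "response", "nc", "cnonce", "qop")
    if any(k not in f for k in needed):
        return None
    if f["realm"] != REALM or f["qop"] != "auth" or f["uri"] != uri or f["nonce"] not in _NONCES:
        return None
    user = f["username"]
    expected = _digest_response(user, USERS.get(user, ""), method, uri,
                                f["nonce"], f["nc"], f["cnonce"])
    if user in USERS and hmac.compare_digest(expected, f["response"]):
        _NONCES.discard(f["nonce"])
        return user
    return None
```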
Windows Authentication
• Windows Authentication depends on the underlying authentication protocols supported by Microsoft Windows
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
• Windows Authentication has the advantage of being secure even without using secure HTTP
• Requires Microsoft products and servers (Active Directory)
Form-based Authentication
• Forms authentication is the most popular approach to user authentication over the Internet.
• It is not a standard authentication protocol and doesn't use the WWW-Authenticate or Authorization headers
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 302 Found
Location: /Login.aspx?ReturnUrl=/demo/
Response
HTTP/1.1 302 Found
Location: /demo/
Set-Cookie: .ASPXAUTH=9694BAB... path=/demo/; HttpOnly
• Still vulnerable to session hijacking in which someone is sniffing network traffic
Security
• Authorization
  • Process by which a server determines if the client has permission to use a resource
403 Forbidden HTTP status
• A web server may return a 403 Forbidden HTTP status code in response to a request from a client for a web page or resource
• Indicates that the server can be reached and understood the request, but refuses to take any further action.
HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Sat, 14 Jan 2012 04:00:08 GMT
Content-Length: 251

{
"code" : 123,
"description" : "You are not allowed to read this resource"
}
401 Unauthorized HTTP status
• 401 Unauthorized is the HTTP status code for authentication errors. And that's just it: it's for authentication, not authorization.
• I would expect 401 to be named "Unauthenticated" and 403 to be named "Unauthorized". It is very confusing that 401, which has to do with authentication, has the accompanying text "Unauthorized".
• Receiving a 401 response is the server telling you, "you aren't authenticated – either not authenticated at all or authenticated incorrectly – but please reauthenticate and try again."
• To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.
Security
• Encryption
  • Process of transforming data so that it is unreadable by anyone who does not have a decryption key
  • Secure HTTP (TLS)
Secure HTTP (TLS)
• Hypertext Transfer Protocol over TLS (Transport Layer Security) is used for secure communication over a network, or perhaps more importantly – over the Internet.
• You would see https:// in the URI and a lock icon in the browser when you access a page that uses HTTPS.
• TLS is the successor to the Secure Sockets Layer (SSL).
Secure HTTP (TLS)
(Diagram: the same stack as the Connection slide, with a TLS (SSL) encryption layer inserted between HTTP and TCP on both the browser client and the HTTP server)
Secure HTTP (SSL)
• All traffic over HTTPS is encrypted, in both the request and the response
• HTTPS requires the server to have a cryptographic certificate.
  • Administrators have to purchase and install certificates from certificate authorities like Verisign.
• The server is authenticated to the client thanks to the server certificate
  • The certificate is sent to the client during setup of the HTTPS communication.
  • The certificate enables the client to validate that it is truly talking to the server it thinks it is talking to.
  • The validation is made possible by public key cryptography and the existence of certificate authorities that sign and vouch for the integrity of a certificate.
• HTTPS does not authenticate the client
  • Applications still need to implement forms or Basic authentication
Do not hesitate to contact me 
mcardinal@mariocardinal.com 
@mario_cardinal 
Q & A

SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 

HTTP fundamentals for developers

  • 1. HTTP Fundamentals for Developers Mario Cardinal Agile Coach & Software Architect www.mariocardinal.com @mario_cardinal October 15
  • 2. Who am I? • Agile Coach & Software architect • Co-Founder of Slingboards Lab • http://mariocardinal.com
  • 3. Content 1. Resources 2. Request 3. Response 4. Media Type 5. Caching 6. Cookie 7. Connection 8. Security http://www.slideshare.net/mario_cardinal
  • 5. Uniform Resource Locator  <scheme>://<host>:<port>/<path>?<query>#<fragment> http://www.amazon.com:80/gp/product/B00D3UDMEU  URL Scheme : http  Host: www.amazon.com  Port : 80  URL path: /gp/product/B00D3UDMEU
  • 6. Uniform Resource Locator  <scheme>://<host>:<port>/<path>?<query>#<fragment> http://www.google.com/search?q=kindle  URL Scheme : http  Host: www.google.com  Port : 80 (default value)  URL path: /search  Query string: ?q=kindle
  • 7. Uniform Resource Locator  <scheme>://<host>:<port>/<path>?<query>#<fragment> https://foo.com/homepage.html#ingredients  URL Scheme : https  Host: foo.com  Port : 443 (default value)  URL path: /homepage.html  Query string: (none)  Fragment: #ingredients refers to the element with id="ingredients" (<div id="ingredients"> </div>). The fragment is resolved by the browser and is never sent to the server.
  • 8. URL Encoding  http://someserver.com/%5Emy%20resume.txt  URL decoding gives the path "^my resume.txt" (%5E is "^", %20 is a space). Characters outside the unreserved set are sent as "%" followed by the two hex digits of the byte. Decode exactly once on the server: decoding a second time turns a "%25" sequence into a new percent-escape and changes the path that is checked against the one that is used.
  • 9. HTTP Request and response  A client sends an HTTP request to a server using a message that the server will understand.  A server responds by sending an HTTP response that the client will understand.  The request and the response are two different message types. Request Message Browser Client HTTP server Response Message
  • 10. Request  An HTTP request message is a simple, plain text message Request Message Browser Client HTTP server
  • 11. HTTP Request Message  A full HTTP request message consists of the following parts: [method] [URL] [version] [headers] [body]
  • 12. HTTP Request Method
    Method  Description
    GET     Retrieve a resource
    PUT     Store (create or replace) a resource at the given URL
    DELETE  Remove a resource
    POST    Submit data to a resource (typically to create or update something)
    HEAD    Retrieve the headers for a resource, without the body
    GET and HEAD are defined as safe (read-only) methods: a server that changes state on a GET cannot tell a user's own click from a link or image tag embedded in a hostile page.
  • 13. HTTP Request Method [method] [URL] [version] [headers] [body] GET http://mariocardinal.com/Articles/741.aspx HTTP/1.1  This absolute form of the URL is what a client sends to a proxy; when talking to the origin server directly, browsers send only the path and query (GET /Articles/741.aspx HTTP/1.1) and put the host name in the Host header.
  • 14. HTTP Request Header
    Header             Description
    Referer            When the user clicks on a link, the client can send the URL of the referring page in this header.
    User-Agent         Information about the user agent (the software) making the request. Many applications use the information in this header, when present, to figure out what browser is making the request (Internet Explorer 9 versus Chrome, etc.).
    Accept             Describes the media types the user agent is willing to accept. This header is used for content negotiation.
    Accept-Language    Describes the languages the user agent prefers.
    Cookie             Cookie information generally helps a server track or identify a user.
    If-Modified-Since  Will contain a date of when the user agent last retrieved (and cached) the resource. The server only has to send back the entire resource if it's been modified since that time.
  • 15. HTTP Request Header [method] [URL] [version] [headers] [body] GET http://mariocardinal.com/Articles/741.aspx HTTP/1.1 Host: mariocardinal.com Accept-Language: fr-CA Date: Fri, 9 Aug 2013 21:12:00 GMT  (Host is mandatory in HTTP/1.1; a server must answer a request without it with 400 Bad Request.)
  • 16. HTTP request message (POST example)
    <form action="/account/create" method="POST">
      <label for="firstName">First name</label>
      <input id="firstName" name="firstName" type="text" />
      <label for="lastName">Last name</label>
      <input id="lastName" name="lastName" type="text" />
      <input type="submit" value="Sign up!"/>
    </form>
    Submitting the form to a server listening on port 1060 produces:
    POST /account/create HTTP/1.1
    Host: server.com:1060
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 33
    (empty line)
    firstName=Mario&lastName=Cardinal
    A blank line separates the headers from the body. Content-Type tells the server how to parse the body and Content-Length tells it where the body ends; a non-default port is carried in the Host header.
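The URL components of slides 5 to 8 and the request message of slides 11 to 16, put together in working code. This is an added example, not code from the original deck: it splits a URL the way the slides do (applying the default ports and keeping the fragment aside, since the browser never sends it), serialises a GET or a form POST in the origin form a browser sends, and parses the message back using Content-Length to find the end of the body. The check that rejects CR and LF in header values is this example's own addition, not something the slides mention; it is there because a line break inside a header value ends the header section early and lets whoever controls the value inject extra headers.

```python
"""Added example (not from the original deck): from a URL to an HTTP/1.1
request message and back, using only the Python standard library."""
from urllib.parse import urlsplit, unquote, urlencode

DEFAULT_PORTS = {"http": 80, "https": 443}


def split_url(url):
    """Split a URL into the parts listed on the slides, applying the default
    port for the scheme. The fragment is kept client-side by the browser and
    never appears in the request, so it is returned separately."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % p.scheme)
    return {
        "scheme": p.scheme,
        "host": p.hostname,
        "port": p.port or DEFAULT_PORTS[p.scheme],
        "path": p.path or "/",
        "query": p.query,
        "fragment": p.fragment,
        # decode exactly once: %5E -> ^, %20 -> space
        "decoded_path": unquote(p.path or "/"),
    }


def _check_header(name, value):
    # A CR or LF inside a header would terminate the header section early and
    # let whoever controls the value inject extra headers or a body.
    if any(c in "\r\n: " for c in name) or any(c in "\r\n" for c in value):
        raise ValueError("illegal character in header %r" % name)


def build_request(method, url, headers=None, form=None):
    """Serialise a request in origin form ('GET /search?q=kindle HTTP/1.1')
    with the mandatory Host header. A dict in `form` becomes an
    application/x-www-form-urlencoded body with a matching Content-Length."""
    u = split_url(url)
    target = u["path"] + ("?" + u["query"] if u["query"] else "")
    host = u["host"]
    if u["port"] != DEFAULT_PORTS[u["scheme"]]:
        host = "%s:%d" % (host, u["port"])      # non-default port goes in Host
    hdrs = [("Host", host)] + list((headers or {}).items())
    body = b""
    if form is not None:
        body = urlencode(form).encode("ascii")
        hdrs.append(("Content-Type", "application/x-www-form-urlencoded"))
        hdrs.append(("Content-Length", str(len(body))))
    for name, value in hdrs:
        _check_header(name, value)
    head = "%s %s HTTP/1.1\r\n" % (method, target)
    head += "".join("%s: %s\r\n" % h for h in hdrs)
    return (head + "\r\n").encode("ascii") + body     # blank line, then body


def parse_request(raw):
    """Parse the bytes back into request line, headers (names lower-cased)
    and body. The body length comes from Content-Length, not from whatever
    happens to follow on the wire."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header section")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 requires a Host header")
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError("body shorter than Content-Length")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": rest[:length]}


if __name__ == "__main__":
    # The form from slide 16, posted to a server on port 1060
    msg = build_request("POST", "http://server.com:1060/account/create",
                        form={"firstName": "Mario", "lastName": "Cardinal"})
    print(msg.decode("ascii"))
    print(parse_request(msg))
```

Run it and the printed message is the POST from slide 16 with the Content-Type and Content-Length headers a browser adds; feeding it back through `parse_request` returns the same 33-byte body. The parser deliberately trusts Content-Length alone; a real server also has to reject messages that carry both Content-Length and Transfer-Encoding, since two parsers disagreeing on where a body ends is what request smuggling exploits.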
  • 17. Response  An HTTP response message is a simple, plain text message Browser Client HTTP server Response Message
  • 18. HTTP Response Message  A full HTTP response message consists of the following parts: [version] [status] [reason] [headers] [body]
  • 19. HTTP Response Status Code
    Range    Category       Examples
    100–199  Informational  100 Continue
    200–299  Successful     200 OK, 201 Created, 204 No Content
    300–399  Redirection    301 Moved Permanently, 304 Not Modified
    400–499  Client Error   400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found
    500–599  Server Error   500 Internal Server Error, 503 Service Unavailable
  • 20. HTTP Response Message [version] [status] [reason] [headers] [body] HTTP/1.1 200 OK
  • 21. HTTP Response Header
    Header            Description
    Connection        Options that are desired for the connection.
    Content-Encoding  The type of encoding used on the data.
    Content-Length    The length of the response body in octets (8-bit bytes).
    Content-Type      Describes the media type of this content.
    Date              The date and time that the message was sent.
    Expires           Gives the date/time after which the response is considered stale.
    Location          Used in redirection, or when a new resource has been created.
    Server            A name for the server.
  • 22. HTTP Response Message [version] [status] [reason] [headers] [body]
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/7.0
    X-AspNet-Version: 2.0.50727
    X-Powered-By: ASP.NET
    Date: Sat, 14 Jan 2012 04:00:08 GMT
    Connection: close
    Content-Length: 17151
    Server, X-AspNet-Version and X-Powered-By advertise the exact server and framework versions to anyone who asks and serve no purpose for the client; production servers are usually configured to strip them.
  • 23. Resources and media types  When a host responds to an HTTP request, it returns a resource (content)  The host also specifies the content type (also known as the media type) of the resource  Defined using Multipurpose Internet Mail Extensions (MIME)  "text/html"  "image/jpeg"  "text/xml"  "application/json"  Send an accurate Content-Type: when it is missing or wrong, browsers guess ("sniff") the type from the bytes, and user-supplied content that gets sniffed as HTML runs as script in your origin. X-Content-Type-Options: nosniff turns that guessing off.
  • 24. Content negotiation  Content negotiation is part of what makes HTTP great  Request message  Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8  Response message  Content-Type: text/html; charset=utf-8
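Server-side content negotiation as slide 24 describes it, carried through as an added example that is not code from the original deck. It parses the Accept header from the slide, including q-values and the `text/*` and `*/*` wildcards, and picks the representation the client rates highest using the rule from RFC 7231 that the most specific matching entry decides the q-value. The `negotiate` wrapper and its return shape are this example's own conventions; the slides only show the headers.

```python
"""Added example (not from the original deck): server-side content negotiation
driven by the Accept header, following the matching rules of RFC 7231 5.3.2."""


def parse_accept(value):
    """Parse 'text/html, application/xml;q=0.9, */*;q=0.8' into a list of
    (type, subtype, q, position) tuples. A missing q means 1.0; q=0 means
    'never send me this'."""
    entries = []
    for position, item in enumerate(value.split(",")):
        parts = [p.strip() for p in item.split(";") if p.strip()]
        if not parts or "/" not in parts[0]:
            continue                         # ignore malformed entries
        media_type, subtype = parts[0].lower().split("/", 1)
        q = 1.0
        for param in parts[1:]:
            key, _, val = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 0.0                  # unparsable q: treat as unacceptable
        entries.append((media_type, subtype, max(0.0, min(q, 1.0)), position))
    return entries


def _specificity(media_type, subtype):
    # text/html (2) beats text/* (1) beats */* (0)
    if subtype != "*":
        return 2
    return 1 if media_type != "*" else 0


def choose_media_type(accept, available):
    """Return the representation in `available` (server preference order) that
    the client rates highest, or None when nothing is acceptable, which the
    server should answer with 406 Not Acceptable."""
    entries = parse_accept(accept if accept else "*/*")
    best_q, best = 0.0, None
    for offered in available:
        o_type, o_sub = offered.lower().split("/", 1)
        match = None
        for media_type, subtype, q, _ in entries:
            if media_type in (o_type, "*") and subtype in (o_sub, "*"):
                spec = _specificity(media_type, subtype)
                if match is None or spec > match[0]:
                    match = (spec, q)        # the most specific entry decides q
        if match is None or match[1] <= 0.0:
            continue
        if match[1] > best_q:                # ties keep the server's order
            best_q, best = match[1], offered
    return best


def negotiate(request_headers, representations):
    """Pick a body for the client. `representations` maps media type -> bytes.
    Returns (status, headers, body)."""
    chosen = choose_media_type(request_headers.get("Accept"), list(representations))
    if chosen is None:
        return 406, {"Content-Type": "text/plain"}, b"406 Not Acceptable"
    body = representations[chosen]
    # Vary tells caches that the response depends on the Accept header
    return 200, {"Content-Type": chosen, "Vary": "Accept",
                 "Content-Length": str(len(body))}, body


if __name__ == "__main__":
    # The Accept header from slide 24 against a server that has HTML and JSON
    browser = "text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8"
    print(choose_media_type(browser, ["application/json", "text/html"]))
```

With the slide's header a browser gets `text/html` even when the server lists JSON first, because `*/*;q=0.8` ranks below the explicit `text/html`; a client that sends only `application/json` gets JSON, and one that sends `application/json;q=0` gets a 406. The `Vary: Accept` header matters in practice: without it a shared cache may hand the JSON variant to the next browser.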
  • 25. HTTP Response Message [version] [status] [reason] [headers] [body] HTTP/1.1 200 OK Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/7.0 X-AspNet-Version: 2.0.50727 X-Powered-By: ASP.NET Date: Sat, 14 Jan 2012 04:00:08 GMT Connection: close Content-Length: 17151 <html> <head> <title>Hello</title> </head> <body> ... content ... </body> </html>
  • 26. Time-Based Caching
    HTTP/1.1 200 OK
    Last-Modified: Wed, 25 Jan 2012 17:55:15 GMT
    Expires: Sat, 22 Jan 2022 17:55:15 GMT
    Cache-Control: max-age=315360000,public
    Content-Length: 208
    <html> <head> </head> <body> </body> </html>
    max-age is in seconds (315360000 is ten years) and takes precedence over Expires when both are present. "public" lets shared caches (proxies, CDNs) store the response, so it belongs only on responses that are identical for every user; anything personalised must be "private" or "no-store".
  • 27. Content-Based Caching
    HTTP/1.1 200 OK
    Last-Modified: Fri, 06 Jan 2012 18:08:20 GMT
    ETag: "8e5bcd-59f-4b5dfef104d00"
    Content-Type: text/html
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 437
    (gzip-compressed body of: <html> <head> </head> <body> </body> </html>)
    The ETag is an opaque validator that changes whenever the representation changes; Vary: Accept-Encoding tells caches that the compressed and uncompressed variants must be stored separately.
  • 28. HTTP Request and Caching
    Request
    GET … HTTP/1.1
    If-Modified-Since: Wed, 25 Jan 2012 17:55:15 GMT
    Response
    HTTP/1.1 304 Not Modified
    Expires: Sat, 22 Jan 2022 17:16:19 GMT
    Cache-Control: max-age=315360000,public
    With an ETag the client sends If-None-Match: "8e5bcd-59f-4b5dfef104d00" instead, and the server answers 304 with no body as long as the validator still matches.
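The conditional request of slides 26 to 28 handled on the server side, as an added example rather than code from the deck: it derives a strong ETag from the body, formats Last-Modified as an HTTP date, and answers 304 when either validator still matches, applying the RFC 7232 rule that If-None-Match, when present, takes precedence over If-Modified-Since. The ETag construction and the default of `private` caching are this example's choices; the slide's ETag comes from the web server.

```python
"""Added example (not from the original deck): answering a conditional GET
with 200 or 304 from the two validators on slides 26 to 28, Last-Modified and
ETag, following the precedence rules of RFC 7232."""
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# The document and date from slides 26 and 28
SLIDE_PAGE = b"<html> <head> </head> <body> </body> </html>"
SLIDE_LAST_MODIFIED = datetime(2012, 1, 25, 17, 55, 15, tzinfo=timezone.utc)


def make_etag(body):
    """A strong ETag derived from the bytes of the representation."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:32]


def http_date(dt):
    """Format a timezone-aware datetime as an HTTP date (IMF-fixdate)."""
    return format_datetime(dt.astimezone(timezone.utc), usegmt=True)


def parse_http_date(value):
    try:
        return parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None                          # malformed date: ignore the header


def conditional_get(request_headers, body, last_modified, max_age=3600,
                    public=False):
    """Decide between 200 and 304 for a GET.
    Returns (status, response_headers, body_to_send)."""
    req = {k.lower(): v for k, v in request_headers.items()}
    etag = make_etag(body)
    headers = {
        "ETag": etag,
        "Last-Modified": http_date(last_modified),
        # 'public' only for responses identical for every user; anything
        # personalised or carrying Set-Cookie must stay 'private'
        "Cache-Control": "max-age=%d,%s" % (max_age, "public" if public else "private"),
    }
    if_none_match = req.get("if-none-match")
    if if_none_match is not None:
        # If-None-Match takes precedence; If-Modified-Since is then ignored.
        # Weak comparison: strip a W/ prefix before comparing the quoted tags.
        candidates = [t.strip() for t in if_none_match.split(",")]
        candidates = [t[2:] if t.startswith("W/") else t for t in candidates]
        if "*" in candidates or etag in candidates:
            return 304, headers, b""
    else:
        since = parse_http_date(req.get("if-modified-since", ""))
        if since is not None and last_modified.replace(microsecond=0) <= since:
            return 304, headers, b""
    headers["Content-Length"] = str(len(body))
    return 200, headers, body


if __name__ == "__main__":
    print(conditional_get({"If-Modified-Since": "Wed, 25 Jan 2012 17:55:15 GMT"},
                          SLIDE_PAGE, SLIDE_LAST_MODIFIED,
                          max_age=315360000, public=True))
```

A 304 carries the validators and Cache-Control again but no body, which is what lets the client keep serving its cached copy. Note the failure mode in the last branch of the tests: a client that sends a stale ETag together with a still-valid If-Modified-Since gets a 200, not a 304, because the ETag check already failed and the date is not consulted.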
  • 29. Cookies
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Set-Cookie: fname=Mario$lname=Cardinal; Expires=Mon, 09 Jul 2012 21:12:00 GMT; Domain=.mywebsite.com; Path=/; HttpOnly
    Attributes are separated by semicolons and Expires uses the HTTP date format. HttpOnly keeps the cookie out of reach of script (document.cookie); add Secure so the browser only sends it over HTTPS, and SameSite (Lax or Strict) so it is not attached to requests started from another site.
  • 30. Identification and Cookies  There is a size limitation of 4 KB  Many websites only put in a unique identifier for a user HTTP/1.1 200 OK Set-Cookie: GUID=00a48b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/ ; HttpOnly
  • 31. Identification and Cookies  Assuming the browser is configured to accept cookies, the browser will send the cookie to the server in every subsequent HTTP request whose URL matches the cookie's Domain and Path. GET / HTTP/1.1 Host: msn.com Cookie: GUID=00a48b7f6a4946a8adf593373e53347c
  • 32. Downsides to cookies  They interfere with caching  Any response with a Set-Cookie header should not be stored by a shared cache, or at least not its headers, since serving one user's cookie to another breaks user identification and creates security problems; mark such responses Cache-Control: private or no-store  They are transmitted with every request  Large cookies raise the demand for network bandwidth  A cookie should never store sensitive information: it travels with every request, is stored on disk, and is readable by anyone who can see the traffic unless it is marked Secure and the connection is HTTPS
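The Set-Cookie syntax of slides 29 and 30, the Cookie header of slide 31 and the "only an identifier" advice of slide 32 in working code. This is an added example, not code from the deck: it builds a Set-Cookie header whose defaults are the safe attributes (HttpOnly, Secure, SameSite=Lax), audits a header a server actually sent for the attributes a reviewer would want, and parses the Cookie header back on the next request. The character rules come from RFC 6265; the audit messages are this example's wording.

```python
"""Added example (not from the original deck): building a Set-Cookie header
with the attributes a session cookie should carry, auditing one that a server
sent, and reading the Cookie header back on the next request (RFC 6265)."""
import re
from datetime import datetime, timezone
from email.utils import format_datetime

# RFC 6265 grammar: a cookie name is a token; a value may not contain control
# characters, whitespace, double quotes, commas, semicolons or backslashes
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_COOKIE_VALUE = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*")

# The expiry date used on slide 29 (9 July 2012, 21:12:00 GMT)
SLIDE_EXPIRES = datetime(2012, 7, 9, 21, 12, 0, tzinfo=timezone.utc)


def set_cookie_header(name, value, expires=None, domain=None, path="/",
                      secure=True, http_only=True, same_site="Lax"):
    """Return the value of a Set-Cookie header. Defaults are the safe ones:
    HttpOnly (no script access), Secure (HTTPS only), SameSite=Lax."""
    if not _TOKEN.fullmatch(name) or not _COOKIE_VALUE.fullmatch(value):
        raise ValueError("illegal character in cookie name or value")
    parts = ["%s=%s" % (name, value)]
    if expires is not None:
        parts.append("Expires=" + format_datetime(expires.astimezone(timezone.utc), usegmt=True))
    if domain:
        parts.append("Domain=" + domain)
    parts.append("Path=" + path)
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    if same_site:
        parts.append("SameSite=" + same_site)
    return "; ".join(parts)


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    segments = [s.strip() for s in header.split(";")]
    name, _, value = segments[0].partition("=")
    attrs = {}
    for seg in segments[1:]:
        key, _, val = seg.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """List what a reviewer would flag on a Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header)
    problems = []
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: script in the page can read the cookie")
    if "secure" not in attrs:
        problems.append("missing Secure: the cookie is also sent over plain HTTP")
    if "samesite" not in attrs:
        problems.append("missing SameSite: sent on cross-site requests")
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        problems.append("SameSite=None is rejected by browsers without Secure")
    if len(header.encode("utf-8")) > 4096:
        problems.append("over 4 KB: browsers may drop it")
    return problems


def parse_cookie_header(value):
    """Read 'a=1; b=2' from a request Cookie header into a dict. When the
    browser sends duplicates, the first one wins."""
    cookies = {}
    for pair in value.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = val
    return cookies


if __name__ == "__main__":
    # The identifier cookie from slide 30, with the safe defaults added
    h = set_cookie_header("GUID", "00a48b7f6a4946a8adf593373e53347c", domain=".msn.com")
    print(h)
    print(audit_set_cookie("GUID=00a48b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/; HttpOnly"))
```

Run against the header from slide 30 the audit reports two findings (no Secure, no SameSite); against the header built with the defaults it reports none. The value check matters for a reason the slides do not spell out: a value that came from user input and contains ";" or a line break would terminate the cookie early or inject another header.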
  • 33. Connection  [Diagram: the browser client and the HTTP server each carry a four-layer stack, HTTP on top of TCP (Transport) on top of IP (Network) on top of Ethernet (Data Link); the two Data Link layers are joined by the physical media]
  • 34. Network Debugging  Observe TCP handshake and IP headers http://www.wireshark.org/  Observe and manipulate HTTP request and response http://www.telerik.com/fiddler
  • 35. Security  Authentication  Process by which a client proves its identity to the server  Basic  Digest  Windows  Form-based
  • 36. Basic Authentication Request GET /demo/ HTTP/1.1 Host: localhost Response HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm="localhost"  The WWW-Authenticate header tells the client to collect the user credentials and try again  The realm attribute gives the user agent a string it can use as a description for the protected area  What happens next depends on the user agent, but most browsers will display a UI for the user to enter credentials.
  • 37. Basic Authentication Request GET /Demo/ HTTP/1.1 Host: localhost Authorization: Basic bm86aXdvdWxkbnRkb3RoYXQh  The value of the Authorization header is the client's username and password, joined by a colon (here no:iwouldntdothat!), in base 64 encoding.  Base 64 is an encoding, not encryption: anyone who can read the traffic recovers the password, and the browser resends it on every request to the realm. Basic authentication is therefore insecure unless the connection uses HTTPS.
  • 38. Digest Authentication  Digest authentication is an improvement over basic authentication because the password itself is never transmitted: the client sends an MD5 digest computed over the username, realm, password, server nonce and request, so reading or replaying the header does not directly yield the password. Request GET /demo/ HTTP/1.1 Host: localhost Response HTTP/1.1 401 Unauthorized WWW-Authenticate: Digest realm="localhost", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"  Still vulnerable to a man-in-the-middle who is sniffing network traffic: the captured digest can be brute-forced offline against a weak password, the server is not authenticated, and the request and response content still travel in clear text. Use it only over HTTPS.
  • 39. Windows Authentication  Windows Authentication depends on the underlying authentication protocols supported by Microsoft Windows; Negotiate selects Kerberos when it can and falls back to NTLM. Request GET /demo/ HTTP/1.1 Host: localhost Response HTTP/1.1 401 Unauthorized WWW-Authenticate: Negotiate  Its advantage is that the password never crosses the wire even without HTTPS: Kerberos presents a ticket and NTLM answers a challenge. That does not make the connection secure: NTLM is exposed to relay attacks, and the content of requests and responses is still in clear text, so HTTPS is still needed.  Requires Microsoft products and servers (Active Directory)
  • 40. Form-based Authentication  Forms authentication is the most popular approach to user authentication over the Internet.  It is not a standard authentication protocol and doesn't use WWW-Authenticate or Authorization headers: the application redirects to a login page, reads the credentials from a POSTed form and issues its own session cookie. Request GET /demo/ HTTP/1.1 Host: localhost Response HTTP/1.1 302 Found Location: /Login.aspx?ReturnUrl=/demo/ (the browser loads the login page and POSTs the user's credentials to it) Response HTTP/1.1 302 Found Location: /demo/ Set-Cookie: .ASPXAUTH=9694BAB... path=/demo/; HttpOnly  Still vulnerable to session hijacking in which someone sniffing network traffic copies the cookie: the login POST and every later request must go over HTTPS, and the cookie must carry the Secure attribute so the browser never sends it in clear.  The ReturnUrl parameter must be checked to be a local path before the server redirects to it; otherwise the login page becomes an open redirect to whatever site an attacker puts in the link.
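The two redirects of slide 40 with the ReturnUrl check the slide calls for, as an added example that is not code from the deck or from ASP.NET. The check accepts only an absolute path on the same site and rejects full URLs, scheme-relative `//host` forms, backslashes and control characters; the cookie name is borrowed from the slide, while the session token value and the function names are constructed for the example.

```python
"""Added example (not from the original deck): the forms-authentication
redirects from slide 40 with a check that the ReturnUrl parameter is a local
path, so the login page cannot be used as an open redirect."""
from urllib.parse import urlsplit, urlencode, parse_qs


def is_local_path(candidate):
    """True only for an absolute path on this site such as '/demo/'. Rejects
    full URLs, scheme-relative '//host', backslashes (browsers treat '/\\host'
    like '//host') and control characters."""
    if not isinstance(candidate, str) or not candidate.startswith("/"):
        return False
    if candidate.startswith("//") or candidate.startswith("/\\"):
        return False
    if any(ord(c) < 0x20 or c == "\\" for c in candidate):
        return False
    parts = urlsplit(candidate)
    return parts.scheme == "" and parts.netloc == ""


def redirect_to_login(requested_path):
    """Step 1 on the slide: an unauthenticated request is bounced to the
    login page, remembering where the user wanted to go."""
    location = "/Login.aspx?" + urlencode({"ReturnUrl": requested_path})
    return 302, {"Location": location}, b""


def after_login(login_query, session_token, default="/"):
    """Step 2: after a successful POST of the credentials, send the user back
    to ReturnUrl if it is local, otherwise to a safe default, and issue the
    session cookie with the attributes that stop sniffing and script access."""
    return_url = parse_qs(login_query).get("ReturnUrl", [default])[0]
    target = return_url if is_local_path(return_url) else default
    cookie = ".ASPXAUTH=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % session_token
    return 302, {"Location": target, "Set-Cookie": cookie}, b""


if __name__ == "__main__":
    print(redirect_to_login("/demo/"))
    print(after_login("ReturnUrl=%2Fdemo%2F", "9694BAB"))
    # A crafted link: the user still lands on this site, not on evil.example
    print(after_login("ReturnUrl=http%3A%2F%2Fevil.example%2F", "9694BAB"))
```

The session token here is a placeholder; a real one is a random value of at least 128 bits that the server maps to the user, never a value that encodes the identity directly, in line with the advice on slide 32.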
  • 41. Security  Authorization  Process by which a server determines if the client has permission to use a resource
  • 42. 403 Forbidden HTTP status  A web server may return a 403 Forbidden HTTP status code in response to a request from a client for a web page or resource  Indicates that the server can be reached and understood the request, but refuses to take any further action; unlike a 401, authenticating again will not change the answer. HTTP/1.1 403 Forbidden Content-Type: application/json; charset=utf-8 Server: Microsoft-IIS/7.0 Date: Sat, 14 Jan 2012 04:00:08 GMT Content-Length: 251 { "code" : 123, "description" : "You are not allowed to read this resource" }
  • 43. 401 Unauthorized HTTP status  401 Unauthorized is the HTTP status code for authentication errors. And that's just it: it's for authentication, not authorization.  I would expect 401 to be named "Unauthenticated" and 403 to be named "Unauthorized". It is very confusing that 401, which has to do with authentication, carries the reason phrase "Unauthorized".  Receiving a 401 response is the server telling you, "you aren't authenticated, either not authenticated at all or authenticated incorrectly, but please reauthenticate and try again."  To help you out, it must always include a WWW-Authenticate header that describes how to authenticate.
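The Basic Authorization header of slide 37 checked on the server, and the 401-versus-403 decision of slides 42 and 43, in one added example that is not code from the deck. It decodes the header (splitting on the first colon only, since passwords may contain colons), verifies the password against a salted PBKDF2 hash with a constant-time comparison, and answers 401 with WWW-Authenticate when the client is not authenticated but 403 when it is authenticated and merely lacks the role. The user store, the second user, the passwords and the roles are constructed for the example; only the first credential pair is the one encoded on slide 37.

```python
"""Added example (not from the original deck): checking the Basic
Authorization header from slide 37 and answering 401 or 403 as slides 42 and
43 describe. The user store, passwords and roles are constructed for the
example."""
import base64
import hashlib
import hmac

REALM = "localhost"


def _hash_password(password, salt):
    # PBKDF2 so that a leaked store does not hand over the passwords; the
    # iteration count is kept low here only to keep the example fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


# Constructed user store: the first entry matches the header on slide 37
USERS = {
    "no": {"salt": b"salt-no",
           "hash": _hash_password("iwouldntdothat!", b"salt-no"),
           "roles": {"reader"}},
    "mario": {"salt": b"salt-mario",
              "hash": _hash_password("hunter2", b"salt-mario"),
              "roles": {"reader", "admin"}},
}


def parse_basic(authorization):
    """Return (user, password) from 'Basic <base64>', or None if the header is
    absent, uses another scheme, or is not valid base 64 / UTF-8."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:            # binascii.Error and UnicodeDecodeError
        return None
    # split on the first colon only: the password itself may contain colons
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate(authorization):
    """The user name if the credentials verify, else None."""
    creds = parse_basic(authorization)
    if creds is None:
        return None
    user, password = creds
    record = USERS.get(user)
    # Hash even for unknown users so timing does not reveal which names exist
    salt = record["salt"] if record else b"no-such-user"
    digest = _hash_password(password, salt)
    if record is not None and hmac.compare_digest(digest, record["hash"]):
        return user
    return None


def handle(authorization, required_role):
    """401 + WWW-Authenticate when the client is not authenticated,
    403 when it is authenticated but lacks the role, otherwise 200."""
    user = authenticate(authorization)
    if user is None:
        challenge = 'Basic realm="%s", charset="UTF-8"' % REALM
        return 401, {"WWW-Authenticate": challenge}, b""
    if required_role not in USERS[user]["roles"]:
        body = b'{"code": 123, "description": "You are not allowed to read this resource"}'
        return 403, {"Content-Type": "application/json; charset=utf-8",
                     "Content-Length": str(len(body))}, body
    body = ("hello %s" % user).encode("utf-8")
    return 200, {"Content-Type": "text/plain; charset=utf-8",
                 "Content-Length": str(len(body))}, body


if __name__ == "__main__":
    slide = "Basic bm86aXdvdWxkbnRkb3RoYXQh"      # no:iwouldntdothat!
    print(handle(None, "reader"))                  # 401, asks for credentials
    print(handle(slide, "reader"))                 # 200
    print(handle(slide, "admin"))                  # 403, re-authenticating will not help
```

The same header produces a 200 for a resource the "reader" role may see and a 403 for one that needs "admin", which is exactly the distinction slide 43 draws; a wrong password or no header at all produces the 401 with the challenge from slide 36. As slide 37 says, none of this is safe on plain HTTP: the header decodes to the password.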
  • 44. Security  Encryption  Process of transforming data so that it is unreadable by anyone who does not have a decryption key  Secure HTTP (TLS)
  • 45. Secure HTTP (TLS)  Hypertext Transfer Protocol over TLS (Transport Layer Security) is used for secure communication over a network, or perhaps more importantly – over the Internet.  You would see https:// in the URI and a lock icon in the browser when you access a page that uses HTTPS.  TLS is the successor to the Secure Sockets Layer (SSL).
  • 46. Secure HTTP (TLS)  [Diagram: the same stack as slide 33 with a TLS (SSL) encryption layer inserted between HTTP and TCP on both the browser client and the HTTP server]
  • 47. Secure HTTP (TLS)  All traffic over HTTPS is encrypted, request and response alike: path, query string, headers, cookies and body. Only the host name (sent in the TLS handshake) and the port remain visible to an observer.  HTTPS requires the server to have a cryptographic certificate.  Administrators obtain certificates from certificate authorities (CAs) and install them on the server.  The server is authenticated to the client thanks to the server certificate  The certificate is sent to the client during setup of the HTTPS communication (the TLS handshake).  The certificate enables the client to validate that it is truly talking to the server it thinks it is talking to: the client checks that the name in the certificate matches the host name it requested and that the certificate chains to a CA it trusts.  The validation is made possible by public key cryptography and the existence of certificate authorities that sign and vouch for the integrity of a certificate.  HTTPS does not by itself authenticate the client; that requires client certificates, which are rarely used on the public web  Applications still need to implement forms or Basic authentication, and those schemes are only as safe as the HTTPS connection carrying them
  • 48. Do not hesitate to contact me mcardinal@mariocardinal.com @mario_cardinal Q & A