HTTP Fundamentals 
for Developers 
Mario Cardinal 
Agile Coach & Software Architect 
www.mariocardinal.com 
@mario_cardinal 
October 15
Who am I? 
• Agile Coach & Software architect 
• Co-Founder of Slingboards Lab 
• http://mariocardinal.com
Content 
1. Resources 
2. Request 
3. Response 
4. Media Type 
5. Caching 
6. Cookie 
7. Connection 
8. Security 
http://www.slideshare.net/mario_cardinal
Resources (URL)
Uniform Resource Locator
<scheme>://<host>:<port>/<path>?<query>#<fragment>
http://www.amazon.com:80/gp/product/B00D3UDMEU
• URL scheme: http
• Host: www.amazon.com
• Port: 80
• URL path: /gp/product/B00D3UDMEU
Uniform Resource Locator
<scheme>://<host>:<port>/<path>?<query>#<fragment>
http://www.google.com/search?q=kindle
• URL scheme: http
• Host: www.google.com
• Port: 80 (default value)
• URL path: /search
• Query string: ?q=kindle
Uniform Resource Locator
<scheme>://<host>:<port>/<path>?<query>#<fragment>
https://foo.com/homepage.html#ingredients
• URL scheme: https
• Host: www.foo.com (default to www)
• Port: 443 (default value)
• URL path: /homepage.html
• Query string: (none)
• Fragment: #ingredients
  refers to the element with id="ingredients": <div id="ingredients"> </div>
URL Encoding
• http://someserver.com/%5Emy%20resume.txt
• URL decoding gives: "^my resume.txt"
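As an added example (not code from the slides), the following Python breaks a URL into the components listed on the slides, fills in the default port for the scheme, separates the query and the fragment, and shows the path both as sent on the wire and after percent-decoding. The `parse_url` helper name is an assumption; the sample URLs are the ones quoted on the slides.

```python
"""Added example (not from the slides): split a URL into the parts the slides
list, fill in the default port, and percent-decode the path."""
from urllib.parse import urlsplit, unquote, parse_qs

# Default ports per scheme, as the slides state: 80 for http, 443 for https.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_url(url: str) -> dict:
    """Return scheme, host, port (default filled in), path, query and fragment.

    The decoded path is returned separately: %5E and %20 only become '^' and
    ' ' after decoding, so any routing or access decision should be made on the
    decoded, normalised path rather than on the raw one."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": port,
        "port_is_default": parts.port is None,
        "path": parts.path,
        "decoded_path": unquote(parts.path),
        "query": parse_qs(parts.query),   # {'q': ['kindle']} for the Google example
        "fragment": parts.fragment,       # handled by the browser, never sent to the server
    }


if __name__ == "__main__":
    for u in ("http://www.amazon.com:80/gp/product/B00D3UDMEU",
              "http://www.google.com/search?q=kindle",
              "https://foo.com/homepage.html#ingredients",
              "http://someserver.com/%5Emy%20resume.txt"):
        print(u, "->", parse_url(u))
```

Note that the fragment comes back as a separate field: it is never part of the request line, which is why a server cannot act on it.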
HTTP Request and response
• A client sends an HTTP request to a server using a message that the server will understand.
• A server responds by sending an HTTP response that the client will understand.
• The request and the response are two different message types.
(Diagram: a request message goes from the browser client to the HTTP server; a response message comes back.)
Request
• An HTTP request message is a simple, plain text message
(Diagram: request message from the browser client to the HTTP server.)
HTTP Request Message
• A full HTTP request message consists of the following parts:
[method] [URL] [version]
[headers]
[body]
HTTP Request Method
Method   Description
GET      Retrieve a resource
PUT      Store a resource
DELETE   Remove a resource
POST     Update a resource
HEAD     Retrieve the headers for a resource
HTTP Request Method
[method] [URL] [version]
[headers]
[body]
GET http://mariocardinal.com/Articles/741.aspx HTTP/1.1
HTTP Request Header
Header             Description
Referer            When the user clicks on a link, the client can send the URL of the referring page in this header.
User-Agent         Information about the user agent (the software) making the request. Many applications use the information in this header, when present, to figure out what browser is making the request (Internet Explorer 9 versus Chrome, etc.).
Accept             Describes the media types the user agent is willing to accept. This header is used for content negotiation.
Accept-Language    Describes the languages the user agent prefers.
Cookie             Cookie information generally helps a server track or identify a user.
If-Modified-Since  Will contain a date of when the user agent last retrieved (and cached) the resource. The server only has to send back the entire resource if it's been modified since that time.
HTTP Request Header
[method] [URL] [version]
[headers]
[body]
GET http://mariocardinal.com/Articles/741.aspx HTTP/1.1
Accept-Language: fr-CA
Date: Fri, 9 Aug 2013 21:12:00 GMT
HTTP request message (POST example)
<form action="/account/create" method="POST">
<label for="firstName">First name</label>
<input id="firstName" name="firstName" type="text" />
<label for="lastName">Last name</label>
<input id="lastName" name="lastName" type="text" />
<input type="submit" value="Sign up!"/>
</form>
POST http://server.com:1060/account/create HTTP/1.1
Host: server.com:1060
Content-Type: application/x-www-form-urlencoded
Content-Length: 33

firstName=Mario&lastName=Cardinal
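As an added example (not code from the slides), the following Python serialises the form submission above into a complete HTTP/1.1 message and parses any request message back into the [method] [URL] [version], [headers] and [body] parts listed on the HTTP Request Message slide. The helper names are assumptions and the sample message is constructed from the slide values; the parser stops reading the body at Content-Length, which is the check that keeps stray bytes from being mistaken for the next request on a reused connection.

```python
"""Added example (not from the slides): build and parse a raw HTTP/1.1 request.
Text is used instead of bytes to keep the example readable; a real server
works on bytes and decodes header lines as ASCII."""
from urllib.parse import urlencode, parse_qs

CRLF = "\r\n"


def build_form_post(host: str, path: str, fields: dict) -> str:
    """Serialise a form the way a browser does for method="POST"."""
    body = urlencode(fields)                      # firstName=Mario&lastName=Cardinal
    headers = [
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode('utf-8'))}",
    ]
    return f"POST {path} HTTP/1.1" + CRLF + CRLF.join(headers) + CRLF + CRLF + body


def parse_request(raw: str) -> dict:
    """Split a request message into its parts; reject malformed ones."""
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("missing blank line after headers")
    lines = head.split(CRLF)
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise ValueError("malformed request line") from None
    if not version.startswith("HTTP/"):
        raise ValueError("malformed HTTP version")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # RFC 7230 forbids whitespace between the field name and the colon.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.lower()] = value.strip()
    length = int(headers.get("content-length", "0"))   # ValueError if not a number
    if length < 0:
        raise ValueError("negative Content-Length")
    body = rest[:length]
    if len(body) != length:
        raise ValueError("body shorter than Content-Length")
    is_form = headers.get("content-type", "").startswith("application/x-www-form-urlencoded")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body,
            "form": parse_qs(body) if is_form else {},
            "leftover": rest[length:]}             # belongs to the next message, if any


if __name__ == "__main__":
    msg = build_form_post("server.com:1060", "/account/create",
                          {"firstName": "Mario", "lastName": "Cardinal"})
    print(msg)
    print(parse_request(msg))
```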
Response
• An HTTP response message is a simple, plain text message
(Diagram: response message from the HTTP server back to the browser client.)
HTTP Response Message
• A full HTTP response message consists of the following parts:
[version] [status] [reason]
[headers]
[body]
HTTP Response Status Code
Range     Category
100–199   Informational
          100 Continue
200–299   Successful
          200 OK
          201 Created
          204 No Content
300–399   Redirection
          301 Moved Permanently
          304 Not Modified
400–499   Client Error
          400 Bad Request
          401 Unauthorized
          403 Forbidden
          404 Not Found
500–599   Server Error
          500 Internal Server Error
          503 Service Unavailable
HTTP Response Message
[version] [status] [reason]
[headers]
[body]
HTTP/1.1 200 OK
HTTP Response Header
Header            Description
Connection        Options that are desired for the connection.
Content-Encoding  The type of encoding used on the data.
Content-Length    The length of the response body in octets (8-bit bytes).
Content-Type      Describes the media type of this content.
Date              The date and time that the message was sent.
Expires           Gives the date/time after which the response is considered stale.
Location          Used in redirection, or when a new resource has been created.
Server            A name for the server.
HTTP Response Message
[version] [status] [reason]
[headers]
[body]
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 14 Jan 2012 04:00:08 GMT
Connection: close
Content-Length: 17151
Resources and media types
• When a host responds to an HTTP request, it returns a resource (content)
• Host also specifies the content type (also known as the media type) of the resource
• Defined using Multipurpose Internet Mail Extensions (MIME)
  • "text/html"
  • "image/jpeg"
  • "text/xml"
  • "application/json"
Content negotiation
• Content negotiation is part of what makes HTTP great
• Request message
  Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
• Response message
  Content-Type: text/html; charset=utf-8
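As an added example (not code from the slides), the following Python performs the server side of the negotiation above: it parses the Accept header quoted on the slide, including q-values and wildcards, and picks the best of the media types the server is able to produce. The function names and the list of offered types are assumptions for this example; when nothing is acceptable the function returns None, which is the case in which a server answers 406 Not Acceptable.

```python
"""Added example (not from the slides): pick a response media type from an
Accept header. Specificity rules follow RFC 7231: an exact type/subtype entry
beats type/*, which beats */*; the q of the most specific match applies."""


def parse_accept(header: str) -> list:
    """Return [(type, subtype, q)] in header order; a missing or bad q is 1.0."""
    result = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        media, *params = [p.strip() for p in item.split(";")]
        if "/" not in media:
            continue                                  # ignore junk entries
        q = 1.0
        for p in params:
            key, _, value = p.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = min(max(float(value), 0.0), 1.0)
                except ValueError:
                    q = 1.0
        mtype, subtype = media.lower().split("/", 1)
        result.append((mtype, subtype, q))
    return result


def _match_q(offer: str, accepted: list):
    """q of the most specific Accept entry matching the offer, or None."""
    otype, osub = offer.lower().split("/", 1)
    best = None
    for mtype, subtype, q in accepted:
        if (mtype, subtype) == (otype, osub):
            spec = 3
        elif mtype == otype and subtype == "*":
            spec = 2
        elif mtype == "*" and subtype == "*":
            spec = 1
        else:
            continue
        if best is None or spec > best[0]:
            best = (spec, q)
    return None if best is None else best[1]


def negotiate(accept_header: str, offers: list):
    """Return the offer with the highest q (server order breaks ties),
    or None when every offer is unacceptable (q of 0 or no match)."""
    accepted = parse_accept(accept_header or "*/*")   # no Accept header means anything goes
    chosen, chosen_q = None, 0.0
    for offer in offers:
        q = _match_q(offer, accepted)
        if q is not None and q > chosen_q:
            chosen, chosen_q = offer, q
    return chosen


if __name__ == "__main__":
    browser = "text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8"
    print(negotiate(browser, ["application/json", "text/html"]))   # text/html
```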
HTTP Response Message
[version] [status] [reason]
[headers]
[body]
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 14 Jan 2012 04:00:08 GMT
Connection: close
Content-Length: 17151

<html>
<head>
<title>Hello</title>
</head>
<body>
... content ...
</body>
</html>
Time-Based Caching 
HTTP/1.1 200 OK 
Last-Modified: Wed, 25 Jan 2012 17:55:15 GMT 
Expires: Sat, 22 Jan 2022 17:55:15 GMT 
Cache-Control: max-age=315360000,public 
Content-Length: 208 
<html> 
<head> </head> 
<body> </body> 
</html>
Content-Based Caching 
HTTP/1.1 200 OK 
Last-Modified: Fri, 06 Jan 2012 18:08:20 GMT 
ETag: "8e5bcd-59f-4b5dfef104d00" 
Content-Type: text/xml 
Vary: Accept-Encoding 
Content-Encoding: gzip 
Content-Length: 437 
<html> 
<head> </head>
<body> </body> 
</html>
HTTP Request and Caching 
Request 
GET … HTTP/1.1 
If-Modified-Since: Wed, 25 Jan 2012 17:55:15 GMT 
Response 
HTTP/1.1 304 Not Modified 
Expires: Sat, 22 Jan 2022 17:16:19 GMT 
Cache-Control: max-age=315360000,public
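As an added example (not code from the slides), the following Python implements the two checks the three caching slides describe: on the client side, whether a stored response is still fresh under Cache-Control max-age or Expires; on the server side, how a request carrying If-Modified-Since or If-None-Match is answered with 304 Not Modified or a full 200. The validator values are taken from the slides; the function names and the rule that an unparsable date counts as stale are assumptions of this example.

```python
"""Added example (not from the slides): freshness and conditional GET."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime, format_datetime

# Validators of the resource, constructed from the slide values.
ETAG = '"8e5bcd-59f-4b5dfef104d00"'
LAST_MODIFIED = datetime(2012, 1, 25, 17, 55, 15, tzinfo=timezone.utc)


def parse_cache_control(value: str) -> dict:
    """'max-age=315360000,public' -> {'max-age': '315360000', 'public': True}"""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') if arg else True
    return directives


def _parse_http_date(value: str):
    """HTTP dates are GMT; a naive result is treated as UTC, junk as None."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def is_fresh(response_headers: dict, received_at: datetime, now: datetime) -> bool:
    """Client side: max-age counts from when the response arrived and takes
    precedence over Expires; no-store, no-cache and unparsable values mean stale."""
    h = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return False
    if "max-age" in cc:
        try:
            return now < received_at + timedelta(seconds=int(cc["max-age"]))
        except ValueError:
            return False
    if "expires" in h:
        expires = _parse_http_date(h["expires"])
        return expires is not None and now < expires
    return False


def conditional_response(request_headers: dict, body: bytes,
                         etag: str = ETAG, last_modified: datetime = LAST_MODIFIED) -> tuple:
    """Server side of a conditional GET: returns (status, headers, body).
    If-None-Match is evaluated first; when it is present, If-Modified-Since
    is ignored, as RFC 7232 requires."""
    rh = {k.lower(): v for k, v in request_headers.items()}
    validators = {"ETag": etag,
                  "Last-Modified": format_datetime(last_modified, usegmt=True)}
    if "if-none-match" in rh:
        tags = [t.strip() for t in rh["if-none-match"].split(",")]
        if "*" in tags or etag in tags:
            return 304, validators, b""
    elif "if-modified-since" in rh:
        since = _parse_http_date(rh["if-modified-since"])
        if since is not None and last_modified <= since:
            return 304, validators, b""
    headers = dict(validators, **{"Content-Length": str(len(body))})
    return 200, headers, body
```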
Cookies 
HTTP/1.1 200 OK 
Content-Type: text/html; charset=utf-8 
Set-Cookie: fname=Mario$lname=Cardinal; expires=Monday, 09-July-2012 21:12:00 GMT; domain=.mywebsite.com; path=/ ; HttpOnly
Identification and Cookies
• There is a size limitation of 4 KB
• Many websites only put in a unique identifier for a user
HTTP/1.1 200 OK
Set-Cookie: GUID=00a48b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/ ; HttpOnly
Identification and Cookies
• Assuming the browser is configured to accept cookies, the browser will send the cookie to the server in every subsequent HTTP request.
GET msn.com HTTP/1.1
Cookie: GUID=00a48b7f6a4946a8adf593373e53347c;
Downsides to cookies
• They interfere with caching
  • Any response with a Set-Cookie header should not be cached, at least not the headers, since this can interfere with user identification and create security problems
• They transmit data with every request
  • Large cookies raise demand for network bandwidth
• A cookie should never store sensitive information
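As an added example (not code from the slides), the following Python covers the four cookie slides: it parses a Set-Cookie header into its name, value and attributes, audits the points a reviewer would check (the 4 KB limit, HttpOnly, and the Secure flag that keeps a session cookie off plain HTTP), builds the Cookie header the browser sends back, and applies the slides' rule that a response carrying Set-Cookie must not be stored by a shared cache. The function names are assumptions; the sample headers are the ones on the slides, with the MSN identifier treated as a constructed value.

```python
"""Added example (not from the slides): Set-Cookie parsing and auditing."""
MAX_COOKIE_BYTES = 4096            # the 4 KB limit the slides cite

# Attributes that carry a value; everything else (HttpOnly, Secure) is a flag.
VALUED = {"expires", "max-age", "domain", "path", "samesite"}


def parse_set_cookie(header: str) -> dict:
    """Return {'name', 'value', 'attrs'}; attribute keys are lower-cased."""
    pair, *attr_parts = header.split(";")
    name, eq, value = pair.strip().partition("=")
    if not eq or not name:
        raise ValueError("Set-Cookie must start with name=value")
    attrs = {}
    for part in attr_parts:
        key, _, val = part.strip().partition("=")
        key = key.lower()
        if key:
            attrs[key] = val.strip() if key in VALUED else True
    return {"name": name, "value": value, "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Return the findings a defender would flag; an empty list means none."""
    c = parse_set_cookie(header)
    findings = []
    if len(header.encode("utf-8")) > MAX_COOKIE_BYTES:
        findings.append("cookie exceeds 4 KB and will be dropped by browsers")
    if "httponly" not in c["attrs"]:
        findings.append("missing HttpOnly: readable by page scripts")
    if "secure" not in c["attrs"]:
        findings.append("missing Secure: sent over plain HTTP too")
    return findings


def cookie_request_header(cookies: dict) -> str:
    """What the browser sends back on every subsequent request: name=value pairs only,
    attributes are never echoed."""
    return "; ".join(f"{n}={v}" for n, v in cookies.items())


def shared_cache_may_store(response_headers: dict) -> bool:
    """The slides' rule: a response with Set-Cookie is per-user, so a shared cache must not store it."""
    return "set-cookie" not in {k.lower() for k in response_headers}


if __name__ == "__main__":
    msn = "GUID=00a48b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/ ; HttpOnly"
    print(parse_set_cookie(msn))
    print(audit_cookie(msn))
```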
Connection
(Layer diagram: the browser client and the HTTP server exchange HTTP messages over TCP at the transport layer, IP at the network layer and Ethernet at the data link layer, with the physical media underneath.)
Network Debugging
• Observe TCP handshake and IP headers
  http://www.wireshark.org/
• Observe and manipulate HTTP request and response
  http://www.telerik.com/fiddler
Security
• Authentication
  • Process by which a client proves its identity to the server
  • Basic
  • Digest
  • Windows
  • Form-based
Basic Authentication
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="localhost"
• The WWW-Authenticate header tells the client to collect the user credentials and try again
• The realm attribute gives the user agent a string it can use as a description for the protected area
• What happens next depends on the user agent, but most browsers will display a UI for the user to enter credentials.
Basic Authentication
Request
GET http://localhost/Demo/ HTTP/1.1
Authorization: Basic bm86aXdvdWxkbnRkb3RoYXQh
• The value of the Authorization header is the client's username and password in a base 64 encoding.
• Basic authentication is insecure by default.
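As an added example (not code from the slides), the following Python is the server side of the two Basic Authentication slides: it issues the 401 challenge with the realm, decodes the Authorization header, and checks the credentials against a salted PBKDF2 hash with a constant-time comparison, doing the same amount of work for unknown users. The user store, its password and the helper names are constructed for this example; decoding the slide's own header shows why the slide calls the scheme insecure by default, since base 64 is reversible by anyone who can read the traffic.

```python
"""Added example (not from the slides): Basic authentication, server side."""
import base64
import binascii
import hashlib
import hmac
import os

REALM = "localhost"
ITERATIONS = 100_000


def make_record(password: str, salt: bytes = None) -> tuple:
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed sample user store: username -> (salt, hash).
USERS = {"mario": make_record("correct horse battery staple")}


def challenge() -> tuple:
    """The response that tells a user agent to collect credentials and try again."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, b""


def basic_header(user: str, password: str) -> str:
    """What the client sends. Only base 64: readable by anyone on the path."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic(authorization: str):
    """Return (username, password), or None when the header is not usable Basic."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")   # the password itself may contain ':'
    return (user, password) if sep else None


def authenticate(request_headers: dict):
    """Return the username for valid credentials, otherwise None."""
    auth = {k.lower(): v for k, v in request_headers.items()}.get("authorization")
    creds = parse_basic(auth) if auth else None
    if creds is None:
        return None
    user, password = creds
    # Unknown users get a dummy record so the hashing cost does not reveal whether they exist.
    salt, expected = USERS.get(user, (b"\x00" * 16, b"\x00" * 32))
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return user if user in USERS and hmac.compare_digest(actual, expected) else None


def handle(request_headers: dict) -> tuple:
    """Serve the protected resource or repeat the challenge."""
    user = authenticate(request_headers)
    if user is None:
        return challenge()
    return 200, {"Content-Type": "text/plain"}, f"hello {user}".encode("utf-8")
```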
Digest Authentication
• Digest authentication is an improvement over basic authentication because it does not transmit user passwords using base 64 encoding
• The client must send a digest of the password.
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="localhost",
    qop="auth,auth-int",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
    opaque="5ccc069c403ebaf9f0171e9517f40e41"
• Still vulnerable to man-in-the-middle attacks in which someone is sniffing network traffic
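As an added example (not code from the slides), the following Python shows the digest the client sends instead of the password, computed for qop="auth" as RFC 2617 defines it, together with the server-side check that recomputes it and rejects a reused nonce count. The nonce and opaque values on the slide are the ones from the RFC 2617 worked example, so that example (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life") is used here; the nonce store and helper names are constructed for this example. Note what the scheme still requires: the server must hold the password or HA1 in a recoverable form, and nothing in the exchange protects the rest of the message, which is why the slide's caveat stands.

```python
"""Added example (not from the slides): RFC 2617 Digest with qop=auth."""
import hashlib
import hmac
import secrets

# Constructed nonce store: nonce -> set of nc values already accepted for it.
ISSUED_NONCES = {}


def _md5(s: str) -> str:
    # MD5 is what the Digest scheme of RFC 2617 specifies; it is not a general-purpose choice.
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), the value the client sends."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def make_challenge(realm: str) -> tuple:
    """Fresh nonce per challenge, remembered so replays can be refused."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES[nonce] = set()
    header = (f'Digest realm="{realm}", qop="auth", nonce="{nonce}", '
              f'opaque="{secrets.token_hex(16)}"')
    return 401, {"WWW-Authenticate": header}, b""


def parse_digest(authorization: str) -> dict:
    """Split 'Digest k=v, k="v"' into a dict (simplified: no commas inside quoted values)."""
    scheme, _, rest = authorization.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    fields = {}
    for part in rest.split(","):
        key, eq, value = part.strip().partition("=")
        if eq:
            fields[key.strip().lower()] = value.strip().strip('"')
    return fields


def verify(authorization: str, method: str, password_store: dict) -> bool:
    """Recompute the response from the stored password and compare in constant time."""
    try:
        f = parse_digest(authorization)
        username, realm, uri, nonce, nc, cnonce, response = (
            f[k] for k in ("username", "realm", "uri", "nonce", "nc", "cnonce", "response"))
    except (ValueError, KeyError):
        return False
    if f.get("qop", "auth") != "auth" or username not in password_store:
        return False
    seen = ISSUED_NONCES.get(nonce)
    if seen is None or nc in seen:            # nonce we never issued, or nc already used
        return False
    expected = digest_response(username, realm, password_store[username],
                               method, uri, nonce, nc, cnonce)
    if not hmac.compare_digest(expected, response):
        return False
    seen.add(nc)
    return True
```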
Windows Authentication
• Windows Authentication depends on the underlying authentication protocols supported by Microsoft Windows
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
• Windows Authentication has the advantage of being secure even without using secure HTTP
• Requires Microsoft products and servers (Active Directory)
Form-based Authentication
• Forms authentication is the most popular approach to user authentication over the Internet.
• It is not a standard authentication protocol and doesn't use WWW-Authenticate or Authorization headers
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 302 Found
Location: /Login.aspx?ReturnUrl=/demo/
Response (after the login form has been submitted)
HTTP/1.1 302 Found
Location: /demo/
Set-Cookie: .ASPXAUTH=9694BAB... path=/demo/; HttpOnly
• Still vulnerable to session hijacking in which someone is sniffing network traffic
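As an added example (not code from the slides), the following Python reproduces the redirect flow above for a cookie-based login: an unauthenticated request is bounced to the login page with a ReturnUrl, a successful login answers 302 back to that URL with the authentication ticket in a cookie, and later requests are served when the ticket checks out. The ticket is protected by an HMAC so a modified cookie is rejected, and the cookie is marked HttpOnly and Secure so it is only ever sent over HTTPS, which is the mitigation for the sniffing case the slide ends on. The signing key, user store, ticket lifetime and the rule that ReturnUrl must be a local path are constructed for this example; the .ASPXAUTH cookie name is the one on the slide.

```python
"""Added example (not from the slides): forms authentication with an HMAC-signed ticket."""
import hashlib
import hmac
import time
from urllib.parse import urlencode, parse_qs, urlsplit

SECRET = b"constructed-demo-key-do-not-reuse"     # would come from configuration
TICKET_TTL = 20 * 60                               # seconds
COOKIE = ".ASPXAUTH"                               # cookie name used on the slide
USERS = {"mario": "correct horse battery staple"}  # constructed; a real store holds hashes


def issue_ticket(user: str, now: float = None) -> str:
    """user|expiry|HMAC-SHA256 over 'user|expiry'."""
    expires = int(now if now is not None else time.time()) + TICKET_TTL
    payload = f"{user}|{expires}"
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def read_ticket(ticket: str, now: float = None):
    """Return the user for a valid, unexpired ticket; otherwise None."""
    try:
        user, expires, tag = ticket.split("|")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return user if (now if now is not None else time.time()) < int(expires) else None
    except ValueError:
        return None


def safe_return_url(url: str) -> str:
    """Only redirect back to a local path; anything else falls back to '/'."""
    return url if url.startswith("/") and not url.startswith("//") else "/"


def handle(method: str, target: str, headers: dict, body: str = "") -> tuple:
    """Return (status, headers, body) for the flow on the slide."""
    h = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(target)
    cookies = dict(c.strip().split("=", 1) for c in h.get("cookie", "").split(";") if "=" in c)

    if parts.path == "/Login.aspx" and method == "POST":
        form = parse_qs(body)
        user, pw = form.get("user", [""])[0], form.get("password", [""])[0]
        if not hmac.compare_digest(USERS.get(user, "").encode(), pw.encode()):
            return 401, {}, b"bad credentials"
        back = safe_return_url(parse_qs(parts.query).get("ReturnUrl", ["/"])[0])
        cookie = f"{COOKIE}={issue_ticket(user)}; path=/; HttpOnly; Secure"
        return 302, {"Location": back, "Set-Cookie": cookie}, b""

    user = read_ticket(cookies.get(COOKIE, ""))
    if user is None:
        return 302, {"Location": "/Login.aspx?" + urlencode({"ReturnUrl": parts.path})}, b""
    return 200, {"Content-Type": "text/plain"}, f"hello {user}".encode()
```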
Security
• Authorization
  • Process by which a server determines if the client has permission to use a resource
403 Forbidden HTTP status
• A web server may return a 403 Forbidden HTTP status code in response to a request from a client for a web page or resource
• Indicates that the server can be reached and understood the request, but refuses to take any further action.
HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Sat, 14 Jan 2012 04:00:08 GMT
Content-Length: 251

{
"code" : 123,
"description" : "You are not allowed to read this resource"
}
401 Unauthorized HTTP status
• 401 Unauthorized, the HTTP status code for authentication errors. And that's just it: it's for authentication, not authorization.
• I would expect that 401 to be named "Unauthenticated" and 403 to be named "Unauthorized". It is very confusing that 401, which has to do with Authentication, has the accompanying text "Unauthorized".
• Receiving a 401 response is the server telling you, "you aren't authenticated – either not authenticated at all or authenticated incorrectly – but please reauthenticate and try again."
• To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.
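As an added example (not code from the slides), the following Python keeps the two failures of the last two slides apart in one dispatch function: a request with missing or bad credentials gets 401 plus a WWW-Authenticate header telling the client how to authenticate, while a known user without permission for the resource gets 403 with the JSON body shown on the 403 slide and no challenge, because there is nothing to retry. The token-to-user table, the permission table and the Bearer scheme used to carry the token are constructed stand-ins for a real authenticator.

```python
"""Added example (not from the slides): 401 (authentication) versus 403 (authorization)."""
import json

REALM = "localhost"
# Constructed: which users may read which path.
PERMISSIONS = {"/reports/": {"alice"}, "/demo/": {"alice", "bob"}}
# Constructed stand-in for a real authenticator: token -> user.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}


def authenticate(headers: dict):
    """Return the user behind a valid credential, or None."""
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    return TOKENS.get(token.strip()) if scheme.lower() == "bearer" else None


def dispatch(path: str, headers: dict) -> tuple:
    """Return (status, headers, body)."""
    user = authenticate(headers)
    if user is None:
        # Not authenticated, or authenticated incorrectly: say how to authenticate and invite a retry.
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}, b""
    if user not in PERMISSIONS.get(path, set()):
        # Authenticated but not permitted: no challenge, retrying the same credentials cannot help.
        body = json.dumps({"code": 123,
                           "description": "You are not allowed to read this resource"}).encode()
        return 403, {"Content-Type": "application/json; charset=utf-8",
                     "Content-Length": str(len(body))}, body
    return 200, {"Content-Type": "text/plain"}, f"hello {user}".encode()


if __name__ == "__main__":
    print(dispatch("/reports/", {}))
    print(dispatch("/reports/", {"Authorization": "Bearer tok-bob"}))
    print(dispatch("/reports/", {"Authorization": "Bearer tok-alice"}))
```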
Security
• Encryption
  • Process of transforming data so that it is unreadable by anyone who does not have a decryption key
  • Secure HTTP (TLS)
Secure HTTP (TLS)
• Hypertext Transfer Protocol over TLS (Transport Layer Security) is used for secure communication over a network, or perhaps more importantly, over the Internet.
• You would see https:// in the URI and a lock icon in the browser when you access a page that uses HTTPS.
• TLS is the successor to the Secure Sockets Layer (SSL).
Secure HTTP (TLS)
(Layer diagram: the same stack as on the Connection slide, with a TLS (SSL) encryption layer inserted between HTTP and TCP on both the browser client and the HTTP server.)
Secure HTTP (SSL)
• All traffic over HTTPS is encrypted in the request and response
• HTTPS requires a server to have a cryptographic certificate.
• Administrators have to purchase and install certificates from certificate authorities like Verisign.
• The server is authenticated to the client thanks to the server certificate
• The certificate is sent to the client during setup of the HTTPS communication.
• The certificate enables the client to validate that it is truly talking to the server it thinks it is talking to.
• The validation is all made possible using public key cryptography and the existence of certificate authorities that will sign and vouch for the integrity of a certificate.
• HTTPS does not authenticate the client
• Applications still need to implement forms or Basic authentication
Do not hesitate to contact me 
mcardinal@mariocardinal.com 
@mario_cardinal 
Q & A

TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 

HTTP fundamentals for developers

  • 1. HTTP Fundamentals for Developers
    Mario Cardinal, Agile Coach & Software Architect
    www.mariocardinal.com
    @mario_cardinal
    October 15
  • 2. Who am I?
    • Agile Coach & Software Architect
    • Co-Founder of Slingboards Lab
    • http://mariocardinal.com
  • 3. Content
    1. Resources
    2. Request
    3. Response
    4. Media Type
    5. Caching
    6. Cookie
    7. Connection
    8. Security
    http://www.slideshare.net/mario_cardinal
  • 5. Uniform Resource Locator
    <scheme>://<host>:<port>/<path>?<query>#<fragment>
    http://www.amazon.com:80/gp/product/B00D3UDMEU
    • URL scheme: http
    • Host: www.amazon.com
    • Port: 80
    • URL path: /gp/product/B00D3UDMEU
  • 6. Uniform Resource Locator
    <scheme>://<host>:<port>/<path>?<query>#<fragment>
    http://www.google.com/search?q=kindle
    • URL scheme: http
    • Host: www.google.com
    • Port: 80 (default value)
    • URL path: /search
    • Query string: ?q=kindle
  • 7. Uniform Resource Locator
    <scheme>://<host>:<port>/<path>?<query>#<fragment>
    https://foo.com/homepage.html#ingredients
    • URL scheme: https
    • Host: www.foo.com (default to www)
    • Port: 443 (default value)
    • URL path: /homepage.html
    • Query string: (none)
    • Fragment: #ingredients, which refers to the element with id="ingredients": <div id="ingredients"> </div>
  • 8. URL Encoding
    http://someserver.com/%5Emy%20resume.txt
    • URL encoding of "^my resume.txt" (%5E is "^", %20 is a space)
  • 9. HTTP Request and Response
    • A client sends an HTTP request to a server using a message that the server will understand.
    • A server responds by sending an HTTP response that the client will understand.
    • The request and the response are two different message types.
    [Diagram: the Browser Client sends a Request Message to the HTTP server; the HTTP server returns a Response Message]
  • 10. Request
    • An HTTP request message is a simple, plain text message
    [Diagram: the Browser Client sends a Request Message to the HTTP server]
  • 11. HTTP Request Message
    • A full HTTP request message consists of the following parts:
    [method] [URL] [version]
    [headers]
    [body]
  • 12. HTTP Request Method
    Method   Description
    GET      Retrieve a resource
    PUT      Store a resource
    DELETE   Remove a resource
    POST     Update a resource
    HEAD     Retrieve the headers for a resource
  • 13. HTTP Request Method
    [method] [URL] [version]
    [headers]
    [body]
    GET http://mariocardinal.com/Articles/741.aspx HTTP/1.1
  • 14. HTTP Request Header
    Header             Description
    Referer            When the user clicks on a link, the client can send the URL of the referring page in this header.
    User-Agent         Information about the user agent (the software) making the request. Many applications use the information in this header, when present, to figure out which browser is making the request (Internet Explorer 9 versus Chrome, etc.).
    Accept             Describes the media types the user agent is willing to accept. This header is used for content negotiation.
    Accept-Language    Describes the languages the user agent prefers.
    Cookie             Cookie information generally helps a server track or identify a user.
    If-Modified-Since  Contains the date when the user agent last retrieved (and cached) the resource. The server only has to send back the entire resource if it has been modified since that time.
  • 15. HTTP Request Header
    [method] [URL] [version]
    [headers]
    [body]
    GET http://mariocardinal.com/Articles/741.aspx HTTP/1.1
    Accept-Language: fr-CA
    Date: Fri, 9 Aug 2013 21:12:00 GMT
  • 16. HTTP Request Message (POST example)
    <form action="/account/create" method="POST">
      <label for="firstName">First name</label>
      <input id="firstName" name="firstName" type="text" />
      <label for="lastName">Last name</label>
      <input id="lastName" name="lastName" type="text" />
      <input type="submit" value="Sign up!"/>
    </form>
    POST http://server.com:1060/account/create HTTP/1.1
    Host: server.com

    firstName=Mario&lastName=Cardinal
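The request message of slides 11-16 and the URL components of slides 5-8, worked through in code. This is an added example, not code from the deck; the Content-Type header in the constructed sample is an assumption about what a browser sends for the slide 16 form.

```python
# Added example, not from the slides: parse the plain-text request message of
# slides 11-16 into [method] [URL] [version], [headers] and [body], then split
# the request URL into the <scheme>://<host>:<port>/<path>?<query>#<fragment>
# components of slides 5-8, applying the default ports from slides 6 and 7.
from urllib.parse import parse_qs, unquote, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_request(raw: str) -> dict:
    """Split a raw request: request line, header block, blank line, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, url, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return {"method": method, "url": url, "version": version,
            "headers": headers, "body": body}


def parse_url(url: str) -> dict:
    """Break a URL into its components; port falls back to the scheme default."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS.get(parts.scheme),
        "path": unquote(parts.path),  # "%5Emy%20resume.txt" -> "^my resume.txt"
        "query": parse_qs(parts.query),  # "?q=kindle" -> {"q": ["kindle"]}
        "fragment": parts.fragment,  # "#ingredients": kept by the browser, never sent
    }


def form_fields(req: dict) -> dict:
    """Decode a URL-encoded form body (slide 16) into single-valued fields."""
    if req["headers"].get("content-type") != "application/x-www-form-urlencoded":
        return {}
    return {k: v[0] for k, v in parse_qs(req["body"]).items()}


# Constructed sample: the POST of slide 16 plus the Content-Type header a
# browser sends for a <form method="POST"> (assumed, not on the slide).
SAMPLE_POST = (
    "POST http://server.com:1060/account/create HTTP/1.1\r\n"
    "Host: server.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "firstName=Mario&lastName=Cardinal"
)

if __name__ == "__main__":
    req = parse_request(SAMPLE_POST)
    print(req["method"], parse_url(req["url"]))
    print(form_fields(req))
```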
  • 17. Response
    • An HTTP response message is a simple, plain text message
    [Diagram: the HTTP server returns a Response Message to the Browser Client]
  • 18. HTTP Response Message
    • A full HTTP response message consists of the following parts:
    [version] [status] [reason]
    [headers]
    [body]
  • 19. HTTP Response Status
    Code Range  Category       Examples
    100–199     Informational  100 Continue
    200–299     Successful     200 OK, 201 Created, 204 No Content
    300–399     Redirection    301 Moved Permanently, 304 Not Modified
    400–499     Client Error   400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found
    500–599     Server Error   500 Internal Server Error, 503 Service Unavailable
  • 20. HTTP Response Message
    [version] [status] [reason]
    [headers]
    [body]
    HTTP/1.1 200 OK
  • 21. HTTP Response Header
    Header            Description
    Connection        Options that are desired for the connection.
    Content-Encoding  The type of encoding used on the data.
    Content-Length    The length of the response body in octets (8-bit bytes).
    Content-Type      Describes the media type of this content.
    Date              The date and time that the message was sent.
    Expires           Gives the date/time after which the response is considered stale.
    Location          Used in redirection, or when a new resource has been created.
    Server            A name for the server.
  • 22. HTTP Response Message
    [version] [status] [reason]
    [headers]
    [body]
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/7.0
    X-AspNet-Version: 2.0.50727
    X-Powered-By: ASP.NET
    Date: Sat, 14 Jan 2012 04:00:08 GMT
    Connection: close
    Content-Length: 17151
  • 23. Resources and Media Types
    • When a host responds to an HTTP request, it returns a resource (content)
    • The host also specifies the content type (also known as the media type) of the resource
    • Defined using Multipurpose Internet Mail Extensions (MIME)
      • "text/html"
      • "image/jpeg"
      • "text/xml"
      • "application/json"
  • 24. Content Negotiation
    • Content negotiation is part of what makes HTTP great
    • Request message
      Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
    • The q parameter ranks the client's preferences (1 is the default, lower values are less preferred); the server answers with the best match it can produce
    • Response message
      Content-Type: text/html; charset=utf-8
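The server-side half of the negotiation on slide 24, as an added example that is not part of the deck: it parses the slide's Accept header, applies the most specific matching media range to each type the server can produce, and picks the highest-ranked one (None stands for a 406 Not Acceptable response).

```python
# Added example, not from the slides: the server side of content negotiation
# on slide 24. parse_accept() reads the Accept header's media ranges and q
# values (RFC 7231 section 5.3.2); negotiate() picks, from the types the
# server can produce, the one the client ranks highest, or None (a 406).
from typing import List, Optional, Tuple

SLIDE_ACCEPT = "text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8"


def parse_accept(header: str) -> List[Tuple[str, str, float]]:
    """Return (type, subtype, q) for each media range; q defaults to 1."""
    entries = []
    for item in header.split(","):
        if not item.strip():
            continue
        media, *params = [p.strip() for p in item.split(";")]
        q = 1.0
        for p in params:
            if p.lower().startswith("q="):
                try:
                    q = max(0.0, min(1.0, float(p[2:])))
                except ValueError:
                    q = 0.0  # malformed q: treat the range as not acceptable
        type_, _, subtype = media.lower().partition("/")
        entries.append((type_, subtype or "*", q))
    return entries


def quality(offer: str, entries: List[Tuple[str, str, float]]) -> float:
    """q that applies to one offered type: the most specific matching range wins."""
    otype, _, osub = offer.lower().partition("/")
    best = None  # (specificity, q)
    for t, s, q in entries:
        if t in ("*", otype) and s in ("*", osub):
            spec = (t != "*") + (s != "*")
            if best is None or spec > best[0]:
                best = (spec, q)
    return best[1] if best else 0.0


def negotiate(accept_header: str, offered: List[str]) -> Optional[str]:
    """Highest-q offer wins; ties go to the server's own order; q=0 means 406."""
    entries = parse_accept(accept_header)
    best, best_q = None, 0.0
    for offer in offered:
        q = quality(offer, entries)
        if q > best_q:
            best, best_q = offer, q
    return best


if __name__ == "__main__":
    print(negotiate(SLIDE_ACCEPT, ["application/json", "text/html"]))  # text/html
```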
  • 25. HTTP Response Message
    [version] [status] [reason]
    [headers]
    [body]
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/7.0
    X-AspNet-Version: 2.0.50727
    X-Powered-By: ASP.NET
    Date: Sat, 14 Jan 2012 04:00:08 GMT
    Connection: close
    Content-Length: 17151

    <html>
      <head>
        <title>Hello</title>
      </head>
      <body>
        ... content ...
      </body>
    </html>
  • 26. Time-Based Caching
    HTTP/1.1 200 OK
    Last-Modified: Wed, 25 Jan 2012 17:55:15 GMT
    Expires: Sat, 22 Jan 2022 17:55:15 GMT
    Cache-Control: max-age=315360000,public
    Content-Length: 208

    <html> <head> </head> <body> </body> </html>
  • 27. Content-Based Caching
    HTTP/1.1 200 OK
    Last-Modified: Fri, 06 Jan 2012 18:08:20 GMT
    ETag: "8e5bcd-59f-4b5dfef104d00"
    Content-Type: text/xml
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Content-Length: 437

    <html> <head> </head> <body> </body> </html>
  • 28. HTTP Request and Caching
    Request
    GET … HTTP/1.1
    If-Modified-Since: Wed, 25 Jan 2012 17:55:15 GMT
    Response
    HTTP/1.1 304 Not Modified
    Expires: Sat, 22 Jan 2022 17:16:19 GMT
    Cache-Control: max-age=315360000,public
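The server logic behind slides 26-28, as an added example rather than code from the deck: it emits the time-based and content-based validators of slides 26 and 27 and answers a conditional GET with the 304 of slide 28. The ETag scheme (a hash of the body) and the sample page are constructed for the example.

```python
# Added example, not from the slides: the server side of slides 26-28. For a
# cacheable resource the server sends both validators (Last-Modified, ETag)
# and the freshness headers from slide 26; a later conditional GET carrying
# If-Modified-Since or If-None-Match gets a bodiless 304 when nothing changed.
import hashlib
from datetime import datetime, timezone
from email.utils import formatdate, parsedate_to_datetime
from typing import Dict, Tuple

TEN_YEARS = 315360000  # the max-age value used on slide 26, in seconds

# Constructed sample: the page of slide 26, modified at the slide's date.
SAMPLE_BODY = b"<html> <head> </head> <body> </body> </html>"
SAMPLE_MODIFIED = datetime(2012, 1, 25, 17, 55, 15, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2012, 1, 26, tzinfo=timezone.utc)


def make_etag(body: bytes) -> str:
    """Content-based validator: a quoted hash of the representation (assumed scheme)."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:32]


def cache_headers(last_modified: datetime, etag: str, now: datetime) -> Dict[str, str]:
    """Time-based (Expires, max-age) plus content-based (ETag) cache headers."""
    return {
        "Last-Modified": formatdate(last_modified.timestamp(), usegmt=True),
        "ETag": etag,
        "Expires": formatdate(now.timestamp() + TEN_YEARS, usegmt=True),
        "Cache-Control": "max-age=%d,public" % TEN_YEARS,
    }


def respond(req_headers: Dict[str, str], body: bytes,
            last_modified: datetime, now: datetime) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status, headers, body) for a GET of the resource."""
    etag = make_etag(body)
    headers = cache_headers(last_modified, etag, now)
    inm = req_headers.get("If-None-Match")
    ims = req_headers.get("If-Modified-Since")
    not_modified = False
    if inm is not None:
        # If-None-Match is evaluated first; If-Modified-Since is then ignored
        tags = [t.strip() for t in inm.split(",")]
        not_modified = "*" in tags or etag in tags
    elif ims is not None:
        try:
            # HTTP dates have second granularity, so compare without microseconds
            not_modified = last_modified.replace(microsecond=0) <= parsedate_to_datetime(ims)
        except (TypeError, ValueError):
            not_modified = False  # unparsable date: ignore the precondition
    if not_modified:
        return 304, headers, b""  # validators are resent, the body is not
    headers["Content-Length"] = str(len(body))
    return 200, headers, body


if __name__ == "__main__":
    print(respond({}, SAMPLE_BODY, SAMPLE_MODIFIED, SAMPLE_NOW)[0])  # 200
    print(respond({"If-Modified-Since": "Wed, 25 Jan 2012 17:55:15 GMT"},
                  SAMPLE_BODY, SAMPLE_MODIFIED, SAMPLE_NOW)[0])  # 304
```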
  • 29. Cookies
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Set-Cookie: fname=Mario$lname=Cardinal; expires=Monday, 09-July-2012 21:12:00 GMT; domain=.mywebsite.com; path=/; HttpOnly
  • 30. Identification and Cookies
    • There is a size limitation of 4 KB
    • Many websites only put in a unique identifier for a user
    HTTP/1.1 200 OK
    Set-Cookie: GUID=00a48b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/; HttpOnly
  • 31. Identification and Cookies
    • Assuming the browser is configured to accept cookies, the browser will send the cookie to the server in every subsequent HTTP request.
    GET msn.com HTTP/1.1
    Cookie: GUID=00a48b7f6a4946a8adf593373e53347c;
  • 32. Downsides to Cookies
    • They interfere with caching
      • Any response with a Set-Cookie header should not be cached, at least not the headers, since this can interfere with user identification and create security problems
    • They transmit data with every request
      • Large cookies raise demand for network bandwidth
    • A cookie should never store sensitive information
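A check a developer can run over the Set-Cookie headers an application emits, covering the points of slides 29-32. This is an added example, not the deck's code; the Secure attribute and the list of sensitive cookie names are additions of the example.

```python
# Added example, not from the slides: audit Set-Cookie headers against the
# points made on slides 29-32 (the 4 KB limit, HttpOnly, never storing
# sensitive data). The Secure flag check and SENSITIVE_NAMES are additions
# of this example and are not part of the deck.
from typing import Dict, List

MAX_COOKIE_BYTES = 4096  # slide 30: "There is a size limitation of 4 KB"
SENSITIVE_NAMES = {"password", "passwd", "pwd", "ssn", "creditcard", "cardnumber"}  # constructed


def parse_set_cookie(header: str) -> Dict[str, str]:
    """'name=value; attr=value; flag' -> dict; boolean flags map to ''."""
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for piece in pieces[1:]:
        attr, _, val = piece.partition("=")
        cookie[attr.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return cookie


def audit_set_cookie(header: str, served_over_https: bool) -> List[str]:
    """Return a list of findings; an empty list means the cookie passes."""
    findings = []
    cookie = parse_set_cookie(header)
    if len(header.encode("utf-8")) > MAX_COOKIE_BYTES:
        findings.append("cookie exceeds 4 KB and may be dropped by the browser")
    if "httponly" not in cookie:
        findings.append("missing HttpOnly: readable by scripts in the page")
    if served_over_https and "secure" not in cookie:
        findings.append("missing Secure: the browser may also send it over plain HTTP")
    if cookie["name"].lower() in SENSITIVE_NAMES:
        findings.append("stores sensitive data in the cookie; keep only an identifier")
    return findings


# Constructed samples: the slide 30 cookie and a cookie that breaks every rule.
SLIDE_30_COOKIE = "GUID=00a48b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/ ; HttpOnly"
BAD_COOKIE = "password=" + "x" * 5000 + "; path=/"

if __name__ == "__main__":
    print(audit_set_cookie(SLIDE_30_COOKIE, served_over_https=False))  # []
    print(audit_set_cookie(BAD_COOKIE, served_over_https=True))
```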
  • 33. Connection
    [Diagram: protocol stack between the Browser Client and the HTTP server: HTTP on top of TCP (Transport), IP (Network), Ethernet (Data Link) and the physical Media]
  • 34. Network Debugging
    • Observe the TCP handshake and IP headers: http://www.wireshark.org/
    • Observe and manipulate HTTP requests and responses: http://www.telerik.com/fiddler
  • 35. Security
    • Authentication
      • Process by which a client proves its identity to the server
      • Basic
      • Digest
      • Windows
      • Form-based
  • 36. Basic Authentication
    Request
    GET http://localhost/demo/ HTTP/1.1
    Host: localhost
    Response
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Basic realm="localhost"
    • The WWW-Authenticate header tells the client to collect the user credentials and try again
    • The realm attribute gives the user agent a string it can use as a description for the protected area
    • What happens next depends on the user agent, but most browsers will display a UI for the user to enter credentials.
  • 37. Basic Authentication
    Request
    GET http://localhost/Demo/ HTTP/1.1
    Authorization: Basic bm86aXdvdWxkbnRkb3RoYXQh
    • The value of the Authorization header is the client's username and password in base 64 encoding.
    • Basic authentication is insecure by default.
  • 38. Digest Authentication
    • Digest authentication is an improvement over basic authentication because it does not transmit user passwords using base 64 encoding
    • The client must send a digest of the password.
    Request
    GET http://localhost/demo/ HTTP/1.1
    Host: localhost
    Response
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Digest realm="localhost", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"
    • Still vulnerable to man-in-the-middle attacks in which someone is sniffing network traffic
  • 39. Windows Authentication
    • Windows Authentication depends on the underlying authentication protocols supported by Microsoft Windows
    Request
    GET http://localhost/demo/ HTTP/1.1
    Host: localhost
    Response
    HTTP/1.1 401 Unauthorized
    WWW-Authenticate: Negotiate
    • Windows Authentication has the advantage of being secure even without using secure HTTP
    • Requires Microsoft products and servers (Active Directory)
  • 40. Form-based Authentication
    • Forms authentication is the most popular approach to user authentication over the Internet.
    • It is not a standard authentication protocol and doesn't use the WWW-Authenticate or Authorization headers
    Request
    GET http://localhost/demo/ HTTP/1.1
    Host: localhost
    Response
    HTTP/1.1 302 Found
    Location: /Login.aspx?ReturnUrl=/demo/
    Response
    HTTP/1.1 302 Found
    Location: /demo/
    Set-Cookie: .ASPXAUTH=9694BAB...; path=/demo/; HttpOnly
    • Still vulnerable to session hijacking in which someone is sniffing network traffic
  • 41. Security
    • Authorization
      • Process by which a server determines if the client has permission to use a resource
  • 42. 403 Forbidden HTTP Status
    • A web server may return a 403 Forbidden HTTP status code in response to a request from a client for a web page or resource
    • Indicates that the server can be reached and understood the request, but refuses to take any further action.
    HTTP/1.1 403 Forbidden
    Content-Type: application/json; charset=utf-8
    Server: Microsoft-IIS/7.0
    Date: Sat, 14 Jan 2012 04:00:08 GMT
    Content-Length: 251

    { "code": 123, "description": "You are not allowed to read this resource" }
  • 43. 401 Unauthorized HTTP Status
    • 401 Unauthorized is the HTTP status code for authentication errors. And that's just it: it's for authentication, not authorization.
    • I would expect 401 to be named "Unauthenticated" and 403 to be named "Unauthorized". It is very confusing that 401, which has to do with authentication, has the accompanying text "Unauthorized".
    • Receiving a 401 response is the server telling you, "you aren't authenticated (either not authenticated at all or authenticated incorrectly), but please reauthenticate and try again."
    • To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.
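The server side of the Basic exchange on slides 36-37, wired to the 401-versus-403 distinction of slides 42-43, as an added example that is not code from the deck. The user table, the per-user path list and the constant-time password comparison are assumptions of the example; the slide 37 token is used only to show that the header is an encoding, not a protection.

```python
# Added example, not from the slides: the server side of Basic authentication
# (slides 36-37) with the 401-versus-403 rule of slides 42-43: no or wrong
# credentials get 401 plus WWW-Authenticate; a known user without permission
# gets 403. USERS and its path sets are constructed for the example; a real
# server would consult a credential store and run only over TLS.
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

REALM = "localhost"
# Constructed users: name -> (password, paths the user may read).
USERS = {"mario": ("s3cret", {"/demo/", "/articles/"})}
Response = Tuple[int, Dict[str, str], str]


def basic_header(user: str, password: str) -> str:
    """Client side: the Authorization value is base64 of 'user:password'."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def decode_basic(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """'Basic <token>' -> (user, password), or None if absent or malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")  # the password itself may contain ':'
    return user, password


def challenge() -> Response:
    """401: not authenticated; WWW-Authenticate tells the client how to retry."""
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}, "Unauthorized"


def handle(path: str, headers: Dict[str, str]) -> Response:
    creds = decode_basic(headers.get("Authorization"))
    if creds is None:
        return challenge()  # not authenticated at all
    user, password = creds
    expected, allowed = USERS.get(user, ("", set()))
    # compare_digest runs in constant time; compare even for unknown users
    ok = hmac.compare_digest(expected.encode(), password.encode()) and user in USERS
    if not ok:
        return challenge()  # authenticated incorrectly: still 401, never 403
    if path not in allowed:
        return 403, {}, "You are not allowed to read this resource"
    return 200, {}, "Hello, %s" % user


if __name__ == "__main__":
    print(handle("/demo/", {}))  # 401 with the WWW-Authenticate challenge
    print(handle("/admin/", {"Authorization": basic_header("mario", "s3cret")}))  # 403
```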
  • 44. Security
    • Encryption
      • Process of transforming data so that it is unreadable by anyone who does not have a decryption key
      • Secure HTTP (TLS)
  • 45. Secure HTTP (TLS)
    • Hypertext Transfer Protocol over TLS (Transport Layer Security) is used for secure communication over a network, or perhaps more importantly, over the Internet.
    • You would see https:// in the URI and a lock icon in the browser when you access a page that uses HTTPS.
    • TLS is the successor to the Secure Sockets Layer (SSL).
  • 46. Secure HTTP (TLS)
    [Diagram: the protocol stack of slide 33 with a TLS (SSL) encryption layer between HTTP and TCP on both the Browser Client and the HTTP server]
  • 47. Secure HTTP (SSL)
    • All traffic over HTTPS is encrypted, in both the request and the response
    • HTTPS requires the server to have a cryptographic certificate.
      • Administrators have to purchase and install certificates from certificate authorities like Verisign.
    • The server is authenticated to the client thanks to the server certificate
      • The certificate is sent to the client during setup of the HTTPS communication.
      • The certificate enables the client to validate that it is truly talking to the server it thinks it is talking to.
      • The validation is made possible by public key cryptography and the existence of certificate authorities that will sign and vouch for the integrity of a certificate.
    • HTTPS does not authenticate the client
      • Applications still need to implement forms or Basic authentication
  • 48. Q & A
    Do not hesitate to contact me
    mcardinal@mariocardinal.com
    @mario_cardinal