HTTP fundamentals for developers (PPTX)
HTTP Fundamentals for Developers
Mario Cardinal 
Agile Coach & Software Architect 
www.mariocardinal.com 
@mario_cardinal 
October 15
Who am I? 
• Agile Coach & Software architect 
• Co-Founder of Slingboards Lab 
• http://mariocardinal.com
Content 
1. Resources 
2. Request 
3. Response 
4. Media Type 
5. Caching 
6. Cookie 
7. Connection 
8. Security 
http://www.slideshare.net/mario_cardinal
Resources (URL)
Uniform Resource Locator
<scheme>://<host>:<port>/<path>?<query>#<fragment>
http://www.amazon.com:80/gp/product/B00D3UDMEU
• URL Scheme: http
• Host: www.amazon.com
• Port: 80
• URL path: /gp/product/B00D3UDMEU
Uniform Resource Locator
<scheme>://<host>:<port>/<path>?<query>#<fragment>
http://www.google.com/search?q=kindle
• URL Scheme: http
• Host: www.google.com
• Port: 80 (default value)
• URL path: /search
• Query string: ?q=kindle
Uniform Resource Locator
<scheme>://<host>:<port>/<path>?<query>#<fragment>
https://foo.com/homepage.html#ingredients
• URL Scheme: https
• Host: www.foo.com (default to www)
• Port: 443 (default value)
• URL path: /homepage.html
• Query string: (none)
• Fragment: #ingredients
  refers to the element with id="ingredients": <div id="ingredients"> </div>
URL Encoding
http://someserver.com/%5Emy%20resume.txt
• URL encoding of: "^my resume.txt"
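The three URL slides above and the encoding slide can be exercised in code. The following Python is an added example, not part of the deck: it splits a URL into the components the slides name, fills in the default port the way a browser does, and percent-decodes the path exactly once. The DEFAULT_PORTS table and the function names are this example's own choices.

```python
from urllib.parse import quote, unquote, urlsplit

# Default ports for the two schemes the slides cover.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_url(url):
    """Split a URL into the components named on the slides.

    The fragment is returned for completeness, but a user agent never sends it
    to the server: it is resolved client-side against the retrieved document.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("URL has no host: %r" % url)
    path = parts.path or "/"
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        # urlsplit leaves .port as None when the URL omits it.
        "port": parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme],
        "path": path,
        # Percent-decode exactly once. Decoding twice turns "%2541" into "A",
        # which lets an encoded "%25" carry characters past an earlier check.
        "decoded_path": unquote(path),
        "query": parts.query,
        "fragment": parts.fragment,
    }


def percent_encode_segment(text):
    """Inverse direction: encode a filename so it is safe as one path segment."""
    # safe="" also encodes "/", so a name cannot introduce a new path segment.
    return quote(text, safe="")


if __name__ == "__main__":
    for url in ("http://www.amazon.com:80/gp/product/B00D3UDMEU",
                "http://www.google.com/search?q=kindle",
                "https://foo.com/homepage.html#ingredients",
                "http://someserver.com/%5Emy%20resume.txt"):
        print(parse_url(url))
    print(percent_encode_segment("^my resume.txt"))
```

Note that `urlsplit` lower-cases the host but leaves the path untouched, so the raw and decoded paths are both returned: route on the decoded form, log the raw form.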
HTTP Request and Response
• A client sends an HTTP request to a server using a message that the server will understand.
• A server responds by sending an HTTP response that the client will understand.
• The request and the response are two different message types.
[Figure: the browser client sends a Request Message to the HTTP server, which answers with a Response Message]
Request
• An HTTP request message is a simple, plain text message.
[Figure: Request Message flowing from the browser client to the HTTP server]
HTTP Request Message
• A full HTTP request message consists of the following parts:
[method] [URL] [version]
[headers]
[body]
HTTP Request Method 
Method Description 
GET Retrieve a resource 
PUT Store a resource 
DELETE Remove a resource 
POST Update a resource 
HEAD Retrieve the headers for a resource
HTTP Request Method
[method] [URL] [version]
[headers]
[body]
GET http://mariocardinal.com/Articles/741.aspx HTTP/1.1
HTTP Request Header
Header Description
Referer: When the user clicks on a link, the client can send the URL of the referring page in this header.
User-Agent: Information about the user agent (the software) making the request. Many applications use the information in this header, when present, to figure out what browser is making the request (Internet Explorer 9 versus Chrome, etc.).
Accept: Describes the media types the user agent is willing to accept. This header is used for content negotiation.
Accept-Language: Describes the languages the user agent prefers.
Cookie: Cookie information generally helps a server track or identify a user.
If-Modified-Since: Will contain a date of when the user agent last retrieved (and cached) the resource. The server only has to send back the entire resource if it's been modified since that time.
HTTP Request Header
[method] [URL] [version]
[headers]
[body]
GET http://mariocardinal.com/Articles/741.aspx HTTP/1.1
Accept-Language: fr-CA
Date: Fri, 9 Aug 2013 21:12:00 GMT
HTTP Request Message (POST example)
<form action="/account/create" method="POST">
  <label for="firstName">First name</label>
  <input id="firstName" name="firstName" type="text" />
  <label for="lastName">Last name</label>
  <input id="lastName" name="lastName" type="text" />
  <input type="submit" value="Sign up!"/>
</form>
POST http://server.com:1060/account/create HTTP/1.1
Host: server.com

firstName=Mario&lastName=Cardinal
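The request slides describe the message as [method] [URL] [version], headers, then a body. As an added example (Python, not code from the deck), here is a strict parser for that plain-text format and a decoder for the form body the POST slide shows. It refuses anything ambiguous (a Content-Length that disagrees with the body, two Content-Length headers, whitespace before a header colon) instead of guessing, because lenient parsers that guess differently from the server behind them are what make request smuggling possible. SAMPLE_POST is constructed from the slide's form submission; the Content-Type and Content-Length headers it carries are added here because a browser always sends them.

```python
from urllib.parse import parse_qs


class MalformedRequest(ValueError):
    """Raised for any request the parser refuses to interpret."""


def parse_request(raw):
    """Parse a plain-text HTTP/1.x request into its three parts.

    Returns a dict with method, target, version, headers (lower-cased names)
    and body (bytes). Anything ambiguous is rejected rather than guessed.
    """
    head, separator, body = raw.partition(b"\r\n\r\n")
    if not separator:
        raise MalformedRequest("no blank line terminating the headers")
    lines = head.split(b"\r\n")

    # [method] [URL] [version]: exactly three space-separated ASCII tokens.
    try:
        request_line = lines[0].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise MalformedRequest("non-ASCII request line")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/1."):
        raise MalformedRequest("bad request line: %r" % lines[0])
    method, target, version = request_line

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        # No colon, an empty name, or whitespace before the colon are invalid;
        # lenient parsers disagree on these, and that disagreement is exploitable.
        if not colon or not name or name != name.strip():
            raise MalformedRequest("bad header line: %r" % line)
        name = name.lower()
        value = value.strip()
        if name == "content-length" and name in headers:
            raise MalformedRequest("duplicate Content-Length")
        headers[name] = value if name not in headers else headers[name] + ", " + value

    if "transfer-encoding" in headers:
        raise MalformedRequest("chunked bodies are not handled by this parser")
    if "content-length" in headers:
        length = headers["content-length"]
        if not (length.isascii() and length.isdigit()):
            raise MalformedRequest("non-numeric Content-Length")
        if int(length) != len(body):
            raise MalformedRequest("Content-Length does not match body size")
    elif body:
        raise MalformedRequest("body present without Content-Length")

    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def parse_form_body(request):
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    content_type = request["headers"].get("content-type", "")
    if not content_type.startswith("application/x-www-form-urlencoded"):
        raise MalformedRequest("unexpected Content-Type: %r" % content_type)
    fields = parse_qs(request["body"].decode("utf-8"), strict_parsing=True)
    return {name: values[0] for name, values in fields.items()}


# Constructed sample based on the slide's form; 33 is the body length in bytes.
SAMPLE_POST = (
    b"POST /account/create HTTP/1.1\r\n"
    b"Host: server.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"firstName=Mario&lastName=Cardinal"
)

if __name__ == "__main__":
    request = parse_request(SAMPLE_POST)
    print(request["method"], request["target"], request["version"])
    print(parse_form_body(request))
```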
Response
• An HTTP response message is a simple, plain text message.
[Figure: Response Message flowing from the HTTP server back to the browser client]
HTTP Response Message
• A full HTTP response message consists of the following parts:
[version] [status] [reason]
[headers]
[body]
HTTP Response Status Code 
Range Category 
100–199 Informational 
100 Continue 
200–299 Successful 
200 OK 
201 Created 
204 No Content 
300–399 Redirection 
301 Moved Permanently 
304 Not Modified 
400–499 Client Error 
400 Bad Request 
401 Unauthorized 
403 Forbidden 
404 Not Found 
500–599 Server Error 
500 Internal Server Error 
503 Service Unavailable
HTTP Response Message
[version] [status] [reason]
[headers]
[body]
HTTP/1.1 200 OK
HTTP Response Header
Header Description
Connection: Options that are desired for the connection.
Content-Encoding: The type of encoding used on the data.
Content-Length: The length of the response body in octets (8-bit bytes).
Content-Type: Describes the media type of this content.
Date: The date and time that the message was sent.
Expires: Gives the date/time after which the response is considered stale.
Location: Used in redirection, or when a new resource has been created.
Server: A name for the server.
HTTP Response Message
[version] [status] [reason]
[headers]
[body]
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Sat, 14 Jan 2012 04:00:08 GMT
Connection: close
Content-Length: 17151
Resources and Media Types
• When a host responds to an HTTP request, it returns a resource (content)
• The host also specifies the content type (also known as the media type) of the resource
• Defined using Multipurpose Internet Mail Extensions (MIME)
  • "text/html"
  • "image/jpeg"
  • "text/xml"
  • "application/json"
Content Negotiation
• Content negotiation is part of what makes HTTP great
• Request message
  Accept: text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8
• Response message
  Content-Type: text/html; charset=utf-8
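The Accept header above carries quality values (q) that the slide does not unpack. The following Python is an added example, not the deck's code: it parses an Accept header and selects, from the media types a server can produce, the one the client ranks highest, letting the most specific matching range decide the q value and treating q=0 as "not acceptable". The function names are this example's own.

```python
def parse_accept(header):
    """Parse an Accept header into (media_range, q, position) triples."""
    entries = []
    for position, item in enumerate(header.split(",")):
        pieces = [piece.strip() for piece in item.split(";")]
        media_range = pieces[0].lower()
        if "/" not in media_range:
            continue  # not a media range; ignore it rather than fail the request
        q = 1.0
        for param in pieces[1:]:
            key, _, value = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # unparseable quality: treat as not acceptable
        entries.append((media_range, min(max(q, 0.0), 1.0), position))
    return entries


def specificity(media_range):
    """*/* < type/* < type/subtype: the most specific matching range wins."""
    if media_range == "*/*":
        return 0
    return 1 if media_range.endswith("/*") else 2


def matches(media_range, media_type):
    """Does a media range from Accept cover a concrete media type?"""
    range_type, _, range_sub = media_range.partition("/")
    offered_type, _, offered_sub = media_type.lower().partition("/")
    if range_type not in ("*", offered_type):
        return False
    return range_sub in ("*", offered_sub)


def negotiate(accept_header, offered):
    """Choose the offered media type the client prefers; None if none is acceptable.

    Ties on q are broken by the server's own order in `offered`.
    An absent Accept header means the client takes anything.
    """
    entries = parse_accept(accept_header or "*/*")
    best = None
    for index, media_type in enumerate(offered):
        applicable = [entry for entry in entries if matches(entry[0], media_type)]
        if not applicable:
            continue
        # The most specific matching range supplies the quality value.
        _, q, _ = max(applicable, key=lambda entry: (specificity(entry[0]), -entry[2]))
        if q == 0.0:
            continue  # q=0 means "never send me this", even if */* is also listed
        candidate = (q, -index, media_type)
        if best is None or candidate > best:
            best = candidate
    return best[2] if best else None


if __name__ == "__main__":
    ACCEPT = "text/html, application/xhtml+xml, application/xml;q=0.9, */*;q=0.8"
    print(negotiate(ACCEPT, ["application/json", "text/html"]))
    print(negotiate(ACCEPT, ["application/json", "application/xml"]))
```

When nothing is acceptable the caller should answer 406 Not Acceptable rather than picking a default, otherwise a client that said "text/html;q=0" still receives HTML.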
HTTP Response Message
[version] [status] [reason]
[headers]
[body]
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8 
Server: Microsoft-IIS/7.0 
X-AspNet-Version: 2.0.50727 
X-Powered-By: ASP.NET 
Date: Sat, 14 Jan 2012 04:00:08 GMT 
Connection: close 
Content-Length: 17151 
<html> 
<head> 
<title>Hello</title> 
</head> 
<body> 
... content ... 
</body> 
</html>
Time-Based Caching 
HTTP/1.1 200 OK 
Last-Modified: Wed, 25 Jan 2012 17:55:15 GMT 
Expires: Sat, 22 Jan 2022 17:55:15 GMT 
Cache-Control: max-age=315360000,public 
Content-Length: 208 
<html> 
<head> </head> 
<body> </body> 
</html>
Content-Based Caching 
HTTP/1.1 200 OK 
Last-Modified: Fri, 06 Jan 2012 18:08:20 GMT 
ETag: "8e5bcd-59f-4b5dfef104d00" 
Content-Type: text/xml 
Vary: Accept-Encoding 
Content-Encoding: gzip 
Content-Length: 437 
<html> 
<head> </head>
<body> </body> 
</html>
HTTP Request and Caching 
Request 
GET … HTTP/1.1 
If-Modified-Since: Wed, 25 Jan 2012 17:55:15 GMT 
Response 
HTTP/1.1 304 Not Modified 
Expires: Sat, 22 Jan 2022 17:16:19 GMT 
Cache-Control: max-age=315360000,public
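The three caching slides show the headers but not the decisions behind them. The following Python is an added example, not the deck's code: on the client side, is_fresh() decides whether a cached copy may be reused (max-age wins over Expires, as the slides' headers imply by sending both); on the server side, CachedResource.handle_get() answers a conditional GET with 304 Not Modified when If-None-Match or If-Modified-Since still holds. The class and function names, the SHA-256-derived ETag, and the sample dates (taken from the slides) are this example's own choices.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import formatdate, parsedate_to_datetime


def http_date(moment):
    """Format an aware datetime as an HTTP-date, e.g. 'Wed, 25 Jan 2012 17:55:15 GMT'."""
    return formatdate(moment.timestamp(), usegmt=True)


def parse_http_date(text):
    """Parse an HTTP-date; returns None for anything unparseable."""
    try:
        parsed = parsedate_to_datetime(text)
    except (TypeError, ValueError, IndexError):
        return None
    if parsed.tzinfo is None:  # "-0000" yields a naive value; HTTP dates are UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def parse_cache_control(value):
    """Split Cache-Control into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, argument = part.strip().partition("=")
        if name:
            directives[name.lower()] = argument.strip('"') if argument else None
    return directives


def is_fresh(response_headers, received_at, now):
    """Client side: may the cached copy be reused without asking the server?"""
    cc = parse_cache_control(response_headers.get("Cache-Control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return False
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit():
        return now - received_at < timedelta(seconds=int(max_age))
    expires = parse_http_date(response_headers.get("Expires", ""))
    return expires is not None and now < expires


class CachedResource:
    """Server side: a body plus the validators needed for conditional requests."""

    def __init__(self, body, last_modified, max_age):
        self.body = body
        # Last-Modified has one-second resolution, so drop sub-second parts.
        self.last_modified = last_modified.replace(microsecond=0)
        self.max_age = max_age
        # A strong ETag derived from the bytes: it changes whenever the body does.
        self.etag = '"%s"' % hashlib.sha256(body).hexdigest()[:32]

    def handle_get(self, request_headers, now):
        """Return (status, headers, body), answering 304 when a validator matches."""
        headers = {
            "Last-Modified": http_date(self.last_modified),
            "ETag": self.etag,
            "Cache-Control": "max-age=%d, public" % self.max_age,
            "Expires": http_date(now + timedelta(seconds=self.max_age)),
        }
        if_none_match = request_headers.get("If-None-Match")
        if if_none_match is not None:
            tags = [tag.strip() for tag in if_none_match.split(",")]
            if "*" in tags or self.etag in tags:
                return 304, headers, b""
            # A non-matching ETag means the content changed: skip the date check.
        else:
            since = parse_http_date(request_headers.get("If-Modified-Since", ""))
            if since is not None and self.last_modified <= since:
                return 304, headers, b""
        headers["Content-Length"] = str(len(self.body))
        return 200, headers, self.body


if __name__ == "__main__":
    resource = CachedResource(b"<html><head></head><body></body></html>",
                              datetime(2012, 1, 25, 17, 55, 15, tzinfo=timezone.utc),
                              315360000)
    now = datetime(2012, 1, 26, 12, 0, 0, tzinfo=timezone.utc)
    print(resource.handle_get({"If-Modified-Since": "Wed, 25 Jan 2012 17:55:15 GMT"}, now)[0])
```

The 304 response repeats the validators and freshness headers, exactly as the slide's 304 does, so the client can extend the lifetime of the copy it already holds.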
Cookies
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: fname=Mario$lname=Cardinal; expires=Monday, 09-July-2012 21:12:00 GMT; domain=.mywebsite.com; path=/; HttpOnly
Identification and Cookies
• There is a size limitation of 4 KB
• Many websites only put in a unique identifier for a user
HTTP/1.1 200 OK
Set-Cookie: GUID=00a48b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/; HttpOnly
Identification and Cookies
• Assuming the browser is configured to accept cookies, the browser will send the cookie to the server in every subsequent HTTP request.
GET http://msn.com/ HTTP/1.1
Cookie: GUID=00a48b7f6a4946a8adf593373e53347c
Downsides to Cookies
• They interfere with caching
  • Any response with a Set-Cookie header should not be cached, at least not the headers, since this can interfere with user identification and create security problems
• They transmit data with every request
  • Large cookies raise demand for network bandwidth
• A cookie should never store sensitive information
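The cookie slides show two Set-Cookie headers, one carrying user data and one carrying only an opaque identifier, and end with "never store sensitive information". The following Python is an added example, not the deck's code: a small linter that parses a Set-Cookie value and reports what a reviewer would flag, including the HttpOnly attribute the slides use, the Secure and SameSite attributes they do not mention, the 4 KB limit, and a heuristic for values that are structured data rather than a session id. COOKIE_SIZE_LIMIT, the function names, the "sid" sample value and the heuristic regex are this example's own.

```python
import re

# Upper bound the slides give for a cookie; browsers reject larger ones.
COOKIE_SIZE_LIMIT = 4096


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value-or-True})."""
    pieces = [piece.strip() for piece in header_value.split(";")]
    name, _, value = pieces[0].partition("=")
    attributes = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, argument = piece.partition("=")
        # Attribute names are case-insensitive; flags like HttpOnly carry no value.
        attributes[key.strip().lower()] = argument.strip() if argument else True
    return name.strip(), value.strip(), attributes


def lint_set_cookie(header_value, served_over_https=True):
    """Return the findings a reviewer would raise about one Set-Cookie header."""
    name, value, attributes = parse_set_cookie(header_value)
    findings = []
    if not name:
        findings.append("cookie has no name")
    if len(name) + len(value) > COOKIE_SIZE_LIMIT:
        findings.append("cookie exceeds the 4 KB limit")
    if "httponly" not in attributes:
        findings.append("missing HttpOnly: page scripts can read the cookie")
    if served_over_https and "secure" not in attributes:
        findings.append("missing Secure: the cookie will also be sent over plain HTTP")
    if "samesite" not in attributes:
        findings.append("missing SameSite: the cookie rides along on cross-site requests")
    if "domain" in attributes:
        findings.append("Domain=%s: shared with every host under that domain"
                        % attributes["domain"])
    # Heuristic: a session identifier is a single opaque token. Values that carry
    # field separators ("=", "$", "&") are application data, which the slides say
    # a cookie should never hold.
    if not re.fullmatch(r"[A-Za-z0-9_\-]{16,}", value):
        findings.append("value is not an opaque identifier; keep the data server-side")
    return findings


if __name__ == "__main__":
    # Both sample headers are taken from the slides above.
    for header in ("fname=Mario$lname=Cardinal; expires=Monday, 09-July-2012 21:12:00 GMT; "
                   "domain=.mywebsite.com; path=/; HttpOnly",
                   "GUID=00a48b7f6a4946a8adf593373e53347c; domain=.msn.com; path=/; HttpOnly"):
        print(header.split(";")[0], "->", lint_set_cookie(header))
```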
Connection
[Figure: protocol stack. The browser client and the HTTP server speak HTTP to each other; on each side HTTP sits on TCP (Transport), IP (Network) and Ethernet (Data Link), joined by the physical media]
Network Debugging
• Observe TCP handshake and IP headers: http://www.wireshark.org/
• Observe and manipulate HTTP request and response: http://www.telerik.com/fiddler
Security
• Authentication
  • Process by which a client proves its identity to the server
  • Basic
  • Digest
  • Windows
  • Form-based
Basic Authentication
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="localhost"
• The WWW-Authenticate header tells the client to collect the user credentials and try again
• The realm attribute gives the user agent a string it can use as a description for the protected area
• What happens next depends on the user agent, but most browsers will display a UI for the user to enter credentials.
Basic Authentication
Request
GET http://localhost/Demo/ HTTP/1.1
Authorization: Basic bm86aXdvdWxkbnRkb3RoYXQh
• The value of the Authorization header is the client's username and password in a base 64 encoding.
• Basic authentication is insecure by default: base 64 is an encoding, not encryption, so anyone who can read the request can read the credentials.
Digest Authentication
• Digest authentication is an improvement over basic authentication because it does not transmit user passwords using base 64 encoding
• The client must send a digest of the password.
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="localhost", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"
• Still vulnerable to man-in-the-middle attacks in which someone is sniffing network traffic
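The Basic and Digest slides describe both exchanges but leave the arithmetic implicit. The following Python is an added example, not the deck's code, and covers both slides: decode_basic() shows that the Basic credential on the slide is recoverable by anyone who sees the header, and DigestServer plus client_authorization() walk through an RFC 2617 Digest exchange with qop=auth, where the server keeps only HA1 = MD5(user:realm:password), checks the nonce it issued, and rejects a replayed nonce-count. MD5 is what RFC 2617 fixes for Digest, so it appears here to show the mechanism. The class and function names, the "mario" account, and the constructed password are this example's own.

```python
import base64
import hashlib
import hmac
import re
import secrets


def decode_basic(authorization):
    """Recover the credentials a Basic Authorization header carries in the clear."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    user, separator, password = decoded.partition(":")
    if not separator:
        raise ValueError("Basic credential lacks the user:password separator")
    return user, password


def parse_auth_params(header_value):
    """Turn 'Digest a="x", b=y' into {'a': 'x', 'b': 'y'}."""
    _, _, params = header_value.partition(" ")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', params)}


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth, given HA1 = MD5(user:realm:password)."""
    ha2 = _md5_hex("%s:%s" % (method, uri))
    return _md5_hex("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


class DigestServer:
    """Challenge/verify side. Stores HA1 per user, never the password itself."""

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: _md5_hex("%s:%s:%s" % (u, realm, p)) for u, p in users.items()}
        self.seen = {}  # nonce -> set of nonce-counts already accepted

    def challenge(self):
        """Value for the WWW-Authenticate header of the 401 response."""
        nonce = secrets.token_hex(16)
        self.seen[nonce] = set()
        return 'Digest realm="%s", qop="auth", nonce="%s", opaque="%s"' % (
            self.realm, nonce, secrets.token_hex(8))

    def verify(self, method, authorization):
        """Check an Authorization: Digest header against a nonce this server issued."""
        p = parse_auth_params(authorization)
        nonce, nc = p.get("nonce"), p.get("nc")
        if nonce not in self.seen or nc in self.seen[nonce] or p.get("realm") != self.realm:
            return False  # unknown nonce, replayed nonce-count, or wrong realm
        if p.get("username") not in self.ha1 or p.get("qop") != "auth":
            return False
        expected = digest_response(self.ha1[p["username"]], method, p.get("uri", ""),
                                   nonce, nc, p.get("cnonce", ""))
        if not hmac.compare_digest(expected, p.get("response", "")):
            return False
        self.seen[nonce].add(nc)
        return True


def client_authorization(username, password, realm, method, uri, challenge,
                         cnonce, nc="00000001"):
    """What a user agent sends back after receiving a Digest challenge."""
    c = parse_auth_params(challenge)
    ha1 = _md5_hex("%s:%s:%s" % (username, realm, password))
    response = digest_response(ha1, method, uri, c["nonce"], nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, '
            'nc=%s, cnonce="%s", response="%s", opaque="%s"'
            % (username, realm, c["nonce"], uri, nc, cnonce, response, c["opaque"]))


if __name__ == "__main__":
    print(decode_basic("Basic bm86aXdvdWxkbnRkb3RoYXQh"))  # the slide's header
    server = DigestServer("localhost", {"mario": "correct horse"})
    challenge = server.challenge()
    auth = client_authorization("mario", "correct horse", "localhost", "GET", "/demo/",
                                challenge, cnonce="0a4f113b")
    print(server.verify("GET", auth), server.verify("GET", auth))  # True, then replay False
```

The password never crosses the wire in Digest, which is the slide's point; the remaining exposure the slide names (a network observer) comes from the response being a deterministic function of the nonce, so an observer who can also alter traffic can still mount the attacks the next bullet describes. Transport encryption, covered later in the deck, is what closes that gap.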
Windows Authentication
• Windows Authentication depends on the underlying authentication protocols supported by Microsoft Windows
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate
• Windows Authentication has the advantage of being secure even without using secure HTTP
• Requires Microsoft products and servers (Active Directory)
Form-based Authentication
• Forms authentication is the most popular approach to user authentication over the Internet.
• It is not a standard authentication protocol and doesn't use the WWW-Authenticate or Authorization headers
Request
GET http://localhost/demo/ HTTP/1.1
Host: localhost
Response
HTTP/1.1 302 Found
Location: /Login.aspx?ReturnUrl=/demo/
Response (after the login form is submitted)
HTTP/1.1 302 Found
Location: /demo/
Set-Cookie: .ASPXAUTH=9694BAB...; path=/demo/; HttpOnly
• Still vulnerable to session hijacking in which someone is sniffing network traffic
Security
• Authorization
  • Process by which a server determines if the client has permission to use a resource
403 Forbidden HTTP status
• A web server may return a 403 Forbidden HTTP status code in response to a request from a client for a web page or resource
• Indicates that the server can be reached and understood the request, but refuses to take any further action.
HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Sat, 14 Jan 2012 04:00:08 GMT
Content-Length: 251

{
  "code" : 123,
  "description" : "You are not allowed to read this resource"
}
401 Unauthorized HTTP status
• 401 Unauthorized is the HTTP status code for authentication errors. And that's just it: it's for authentication, not authorization.
• I would expect 401 to be named "Unauthenticated" and 403 to be named "Unauthorized". It is very confusing that 401, which has to do with authentication, has the accompanying text "Unauthorized".
• Receiving a 401 response is the server telling you, "you aren't authenticated, either not authenticated at all or authenticated incorrectly, but please reauthenticate and try again."
• To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.
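The 401 and 403 slides draw the line between "we do not know who you are" and "we know who you are and the answer is no". The following Python is an added example, not the deck's code: a request handler that checks a Basic credential against a constructed user store, returns 401 with a WWW-Authenticate header when the client is not authenticated, and 403 without one (re-authenticating would not help) when an authenticated user lacks permission for the requested method on the path. The USERS and ACL tables, the realm name and the JSON bodies (modelled on the slide's 403 body) are this example's own; the plain-text password comparison exists only to keep the demo short.

```python
import base64
import json


def _basic_user(authorization, users):
    """Return the user name if the Basic credential is valid, else None."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, separator, password = decoded.partition(":")
    # Demo store compares plain text; a real store compares password hashes.
    if separator and users.get(user) == password:
        return user
    return None


def handle(method, path, request_headers, users, acl, realm="demo"):
    """Decide 401 vs 403 vs 200 for one request; returns (status, headers, body).

    401: identity unknown or the credential failed; include WWW-Authenticate so
         the client knows how to fix that and retry.
    403: identity established, permission denied; no WWW-Authenticate, because
         presenting the same identity again cannot change the answer.
    """
    json_type = {"Content-Type": "application/json; charset=utf-8"}
    user = _basic_user(request_headers.get("Authorization", ""), users)
    if user is None:
        body = json.dumps({"description": "Authenticate and try again"}).encode()
        return 401, dict(json_type, **{"WWW-Authenticate": 'Basic realm="%s"' % realm}), body
    if method not in acl.get(path, {}).get(user, set()):
        body = json.dumps({"code": 123,
                           "description": "You are not allowed to read this resource"}).encode()
        return 403, json_type, body
    body = json.dumps({"resource": path, "user": user}).encode()
    return 200, json_type, body


def basic_header(user, password):
    """Build the Authorization value a client would send for Basic."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


# Constructed demo data: alice may read /demo/, bob is known but has no rights there.
USERS = {"alice": "s3cret", "bob": "hunter2"}
ACL = {"/demo/": {"alice": {"GET", "HEAD"}}}

if __name__ == "__main__":
    print(handle("GET", "/demo/", {}, USERS, ACL)[0])                                       # 401
    print(handle("GET", "/demo/", {"Authorization": basic_header("bob", "hunter2")}, USERS, ACL)[0])    # 403
    print(handle("GET", "/demo/", {"Authorization": basic_header("alice", "s3cret")}, USERS, ACL)[0])   # 200
```

A wrong password is deliberately reported as 401 rather than 403: the server has not established an identity, so the client should be invited to try again, and the response should not reveal whether the user name exists.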
Security
• Encryption
  • Process of transforming data so that it is unreadable by anyone who does not have a decryption key
  • Secure HTTP (TLS)
Secure HTTP (TLS)
• Hypertext Transfer Protocol over TLS (Transport Layer Security) is used for secure communication over a network, or perhaps more importantly, over the Internet.
• You would see https:// in the URI and a lock icon in the browser when you access a page that uses HTTPS.
• TLS is the successor to the Secure Sockets Layer (SSL).
Secure HTTP (TLS)
[Figure: the same protocol stack as on the Connection slide, with a TLS (SSL) encryption layer inserted between HTTP and TCP on both the browser client and the HTTP server]
Secure HTTP (SSL)
• All traffic over HTTPS is encrypted, in both the request and the response
• HTTPS requires the server to have a cryptographic certificate.
  • Administrators have to purchase and install certificates from certificate authorities like Verisign.
• The server is authenticated to the client thanks to the server certificate
  • The certificate is sent to the client during setup of the HTTPS communication.
  • The certificate enables the client to validate that it is truly talking to the server it thinks it is talking to.
  • The validation is all made possible using public key cryptography and the existence of certificate authorities that will sign and vouch for the integrity of a certificate.
• HTTPS does not authenticate the client
  • Applications still need to implement forms or Basic authentication
Do not hesitate to contact me 
mcardinal@mariocardinal.com 
@mario_cardinal 
Q & A