Http - All you need to know
Uploaded by goekhan-senguen (category: Technology)

Transcript of Http - All you need to know
![Page 1: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/1.jpg)
HTTP: All you need to know
![Page 2: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/2.jpg)
Who are you?
![Page 3: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/3.jpg)
Gökhan Şengün
R&D Business Dev., New Product & Solutions Manager
www.gokhansengun.com
@gokhansengun
![Page 4: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/4.jpg)
Aim
• Better understand HTTP basics to debug problems better
• Know HTTP players to see the big picture
• Know useful tools to do things faster
![Page 5: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/5.jpg)
HTTP
• HTTP is a stateless protocol.
• What does being stateless mean?
• A stateless protocol does not require the server to retain information or status about each user for the duration of multiple requests.
![Page 6: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/6.jpg)
Http Proxy
![Page 7: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/7.jpg)
Popular Http Proxies
• Fiddler
• Burp Suite
• Browser Developer Tools (Embedded Proxy)
![Page 8: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/8.jpg)
Demo – Bare Metal - Using Telnet
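The telnet demo types an HTTP/1.1 request by hand and reads the raw reply. The Python below is an added example, not code from the presentation: it builds the same request bytes (Host is mandatory in HTTP/1.1, and Connection: close makes the server hang up so telnet shows the whole reply) and parses a response. The response bytes are constructed for the demo, not captured from a real server, and the parser only handles Content-Length framing.

```python
"""Hand-built HTTP/1.1 exchange, as typed into telnet.
Added example; the sample response below is constructed, not captured."""
from __future__ import annotations

CRLF = "\r\n"


def build_request(method: str, path: str, host: str,
                  headers: dict[str, str] | None = None) -> bytes:
    """Serialise a request exactly as you would type it in telnet.
    Because HTTP is stateless, every request carries everything the
    server needs (Host, headers); nothing is remembered between requests."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    # A blank line (empty CRLF) terminates the header block.
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii")


def parse_response(raw: bytes) -> tuple[int, str, dict[str, str], bytes]:
    """Split a raw response into status code, reason, headers and body.
    Headers end at the first blank line; the body length comes from
    Content-Length (the only framing this demo handles)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split(CRLF)
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    length = int(headers.get("content-length", len(body)))
    return code, reason, headers, body[:length]


# Constructed sample response (what a server might answer to the request above).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 12\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<h1>Hi</h1>\n"
)

if __name__ == "__main__":
    print(build_request("GET", "/", "www.gokhansengun.com").decode())
    print(parse_response(SAMPLE_RESPONSE))
```

The bytes returned by build_request are what you paste into a telnet session on port 80; paste them into a TLS-wrapped session (for example openssl s_client) for HTTPS.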
![Page 9: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/9.jpg)
Demo – Browser Developer Tool
![Page 10: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/10.jpg)
Demo – Fiddler
![Page 11: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/11.jpg)
Demo – Burp Suite
![Page 12: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/12.jpg)
Http Protocol – Important Parts
![Page 13: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/13.jpg)
Methods

| Method | Used for |
| --- | --- |
| GET | Retrieve a resource |
| POST | Create / Update a resource [Not Idempotent] |
| PUT | Create / Update a resource [Idempotent] |
| DELETE | Delete a resource |
| HEAD | Retrieve a resource except the body |
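The idempotency column in the table is the property that decides whether a request may be safely retried or replayed (by a refresh, a proxy, or pipelining). The following added example, which is not part of the slides, models it on an invented in-memory resource store: replaying a POST three times creates three resources, replaying a PUT three times leaves exactly one.

```python
"""Idempotent vs non-idempotent methods on an in-memory resource store.
Added example; the store and its handlers are invented for the demo."""
from __future__ import annotations
import itertools


class ResourceStore:
    def __init__(self) -> None:
        self.items: dict[str, dict] = {}
        self._ids = itertools.count(1)

    def post(self, body: dict) -> tuple[int, str]:
        """POST: the server picks the identifier, so every repeat creates
        a new resource. Not idempotent: replaying it changes state again."""
        rid = str(next(self._ids))
        self.items[rid] = dict(body)
        return 201, f"/items/{rid}"

    def put(self, rid: str, body: dict) -> tuple[int, str]:
        """PUT: the client names the resource and supplies its full state.
        Repeating it overwrites with the same state, so the end result is
        the same whether it runs once or many times (idempotent)."""
        created = rid not in self.items
        self.items[rid] = dict(body)
        return (201 if created else 200), f"/items/{rid}"

    def delete(self, rid: str) -> int:
        """DELETE: idempotent in effect (the resource is gone either way),
        even though the status code of a repeat differs (404 vs 204)."""
        if rid in self.items:
            del self.items[rid]
            return 204
        return 404

    def get(self, rid: str) -> tuple[int, dict | None]:
        return (200, self.items[rid]) if rid in self.items else (404, None)


def replay(store: ResourceStore, method: str, rid: str | None,
           body: dict, times: int = 3) -> int:
    """Send the same request `times` times (what a browser refresh or a
    retrying proxy does) and report how many resources exist afterwards."""
    for _ in range(times):
        if method == "POST":
            store.post(body)
        elif method == "PUT":
            store.put(rid, body)
        else:
            raise ValueError(f"unsupported method for this demo: {method}")
    return len(store.items)


if __name__ == "__main__":
    s = ResourceStore()
    print("POST x3 ->", replay(s, "POST", None, {"name": "a"}), "item(s)")
    s = ResourceStore()
    print("PUT  x3 ->", replay(s, "PUT", "42", {"name": "a"}), "item(s)")
```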
![Page 14: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/14.jpg)
Response Codes

| Code | Meaning |
| --- | --- |
| 1xx | Informative |
| 2xx | Success |
| 3xx | Requires Additional Action |
| 4xx | Client Error (It is your fault) |
| 5xx | Server Error (It is my fault) |
![Page 15: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/15.jpg)
Accept (Req)
MIME type used for the media type. The client hints which types it understands and in what order of preference.
Syntax:
• Accept: <MIME_type>/<MIME_subtype>
Examples:
• Accept: application/json, text/xml;q=0.9, */*;q=0.8
![Page 16: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/16.jpg)
Content-Type (Req / Resp)
MIME type used for the media type of the body
Examples:
• Content-Type: text/html; charset=utf-8
• Content-Type: application/json
• Content-Type: text/xml
![Page 17: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/17.jpg)
Demo – Accept and Content-Type
![Page 18: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/18.jpg)
Host (Req)
• Tells the web server which domain name is requested
• Optionally includes the port; defaults: HTTP 80, HTTPS 443
Examples:
• Host: www.gokhansengun.com
• Host: localhost:8090
![Page 19: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/19.jpg)
Connection (Req / Resp)
• Hint from either the client or the web server about the TCP connection
• close: if either party for some reason wants to close it
• keep-alive: if either party wants to keep it open for further requests
• Persistent connections are the default in HTTP/1.1
• RFC 2616 limits clients to 2 connections per host; browsers use 6 now.
Examples:
• Connection: close
• Connection: keep-alive
![Page 20: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/20.jpg)
BTW: Http Pipelining
• Only idempotent requests allowed (GET, HEAD)
• Guess why?
• Has benefit only on high-latency setups.
![Page 21: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/21.jpg)
Accept-Language (Req)
• Hint from client about its language preference
Examples:
• Accept-Language: en-US,en;q=0.8
• Accept-Language: tr-TR, tr;q=0.9, en;q=0.8, *;q=0.5
![Page 22: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/22.jpg)
Demo – Accept-Language
![Page 23: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/23.jpg)
Accept-Encoding (Req)
• Hint from client about its content-encoding preference
Examples:
• Accept-Encoding: gzip, deflate, sdch
• Omit the header if no encoding is wanted
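Accept, Accept-Language and Accept-Encoding all use the same ";q=" weighting, and the server-side logic that picks an offer from them is the same apart from how a client pattern matches an offer. The following added example, not code from the slides, implements that negotiation once and applies it to the three headers shown on the Accept, Accept-Language and Accept-Encoding slides; the server-side offer lists are invented for the demo. It goes beyond the slides in handling q=0 (explicitly not acceptable) and the rule that the most specific matching pattern decides an offer's weight.

```python
"""Content negotiation from Accept, Accept-Language and Accept-Encoding
q-values. Added example; the server offers used here are invented."""
from __future__ import annotations


def parse_q_list(header: str) -> list[tuple[str, float]]:
    """'a, b;q=0.9, c;q=0' -> [('a',1.0), ('b',0.9), ('c',0.0)].
    A missing q means 1.0; q=0 means 'not acceptable'. Listing order is
    preserved so the caller can break ties the way the client listed them."""
    out: list[tuple[str, float]] = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        value, *params = [p.strip() for p in item.split(";")]
        q = 1.0
        for p in params:
            if p.lower().startswith("q="):
                try:
                    q = float(p[2:])
                except ValueError:
                    q = 0.0
        out.append((value.lower(), max(0.0, min(q, 1.0))))
    return out


def media_matches(pattern: str, offer: str) -> int:
    """Specificity score for Accept (0 = no match): */* < type/* < type/subtype."""
    ptype, _, psub = pattern.partition("/")
    otype, _, osub = offer.partition("/")
    if pattern == "*/*":
        return 1
    if ptype == otype and psub == "*":
        return 2
    if ptype == otype and psub == osub:
        return 3
    return 0


def language_matches(pattern: str, offer: str) -> int:
    """RFC 4647 basic filtering: 'en' matches 'en' and 'en-us'; '*' matches all."""
    if pattern == "*":
        return 1
    if offer == pattern or offer.startswith(pattern + "-"):
        return 2 + pattern.count("-")   # 'tr-tr' is more specific than 'tr'
    return 0


def token_matches(pattern: str, offer: str) -> int:
    """Accept-Encoding style: exact token or '*'."""
    return 1 if pattern == "*" else (2 if pattern == offer else 0)


def negotiate(header: str | None, offers: list[str], matcher) -> str | None:
    """Pick the offer with the highest q among those the client accepts.
    Ties go to the more specific pattern, then to the server's offer order.
    No header at all means 'anything goes', so the first offer wins; None
    means nothing offered is acceptable (for encodings, fall back to identity)."""
    if header is None:
        return offers[0]
    ranges = parse_q_list(header)
    best: tuple[float, int, int, str] | None = None
    for idx, offer in enumerate(offers):
        offer_l = offer.lower()
        # The most specific pattern that matches this offer decides its q.
        scored = [(matcher(pat, offer_l), q) for pat, q in ranges]
        scored = [(s, q) for s, q in scored if s]
        if not scored:
            continue
        spec, q = max(scored)
        if q <= 0:
            continue
        key = (q, spec, -idx, offer)
        if best is None or key[:3] > best[:3]:
            best = key
    return best[3] if best else None


if __name__ == "__main__":
    print(negotiate("application/json, text/xml;q=0.9, */*;q=0.8",
                    ["text/html", "application/json"], media_matches))
    print(negotiate("tr-TR, tr;q=0.9, en;q=0.8, *;q=0.5",
                    ["en-US", "tr-TR"], language_matches))
    print(negotiate("gzip, deflate, sdch", ["identity", "gzip"], token_matches))
```

A server that ends up with None for Accept should answer 406 Not Acceptable (or ignore the header and send its default, which is what most servers do); for Accept-Encoding it should send the body unencoded.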
![Page 24: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/24.jpg)
Demo – Accept-Encoding
![Page 25: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/25.jpg)
Referer (Req)
• Hint from client about the page the user navigated from.
• Allows analytics, caching, logging
Examples:
• Referer: http://ads.xyz.com
![Page 26: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/26.jpg)
User-Agent (Req)
• Hint from client about the type of client
Examples:
• User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36
![Page 27: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/27.jpg)
Cache-Control (Req / Resp)
• Hint from the server to every cache between it and the user (browser, proxies, CDN) about whether and for how long the resource may be cached.
Examples:
• Cache-Control: no-cache
• Cache-Control: public
• Cache-Control: private
• Cache-Control: no-store
• Cache-Control: max-age=300
• Cache-Control: public, max-age=31536000
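The directives listed above are easy to confuse (no-cache does not mean "do not cache", and private matters only to shared caches). The following added example, not code from the slides, evaluates a Cache-Control header the way a shared cache (proxy or CDN) or a private one (the browser) would; the decision model is simplified (no Expires, no heuristic freshness) and the header values are the ones from the slide.

```python
"""Evaluate Cache-Control directives as a cache would. Added example;
the decision model is a simplification written for this demo."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class CacheDecision:
    storable: bool         # may this cache keep a copy at all?
    fresh_for: int         # seconds the copy may be served without revalidation
    must_revalidate: bool  # must the cache ask the origin before each reuse?
    reason: str


def parse_cache_control(header: str) -> dict[str, str | None]:
    """'public, max-age=300' -> {'public': None, 'max-age': '300'}."""
    directives: dict[str, str | None] = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def decide(header: str | None, shared_cache: bool = True) -> CacheDecision:
    """Apply the slide's directives for a shared cache (CDN, proxy) or a
    private one (the browser). A missing max-age counts as 'not fresh' here;
    real caches may fall back to Expires or heuristics, which this skips."""
    if header is None:
        return CacheDecision(True, 0, False, "no Cache-Control: storable, freshness unknown")
    d = parse_cache_control(header)
    if "no-store" in d:
        # Never written to disk or memory by any cache: use for secrets and PII.
        return CacheDecision(False, 0, False, "no-store: never written to any cache")
    if shared_cache and "private" in d:
        # Per-user content must not be served to another user from a shared cache.
        return CacheDecision(False, 0, False, "private: only the user's browser may cache it")
    max_age = 0
    if d.get("max-age") is not None:
        try:
            max_age = max(0, int(d["max-age"]))
        except ValueError:
            max_age = 0   # malformed value: treat as stale rather than guessing
    if "no-cache" in d:
        # no-cache is not "don't cache": the copy may be stored but must be
        # revalidated with the origin before every reuse.
        return CacheDecision(True, 0, True, "no-cache: stored but revalidated every time")
    return CacheDecision(True, max_age, False, f"fresh for {max_age}s")


if __name__ == "__main__":
    for value in ["no-cache", "public", "private", "no-store",
                  "max-age=300", "public, max-age=31536000"]:
        print(f"{value:30} -> {decide(value).reason}")
```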
![Page 28: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/28.jpg)
Post / Redirect / Get Pattern (1)
• Problem (Multiple Post requests)
![Page 29: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/29.jpg)
Post / Redirect / Get Pattern (2)
![Page 30: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/30.jpg)
Post / Redirect / Get Pattern (3)
• Solution
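The three PRG slides are diagrams without transcript text, so here is an added example (not code from the presentation) that models both halves: the problem, where a POST renders the result page itself and every refresh re-submits it, and the solution, where the POST answers with 303 See Other and the browser lands on a GET that can be refreshed harmlessly. The handlers and the in-memory order list are invented for the demo.

```python
"""Post/Redirect/Get versus rendering straight from the POST.
Added example; handlers and the order store are invented for the demo."""
from __future__ import annotations

orders: list[str] = []   # in-memory "database" of submitted orders


def reset() -> None:
    orders.clear()


def handle(method: str, path: str,
           form: dict[str, str] | None = None) -> tuple[int, dict[str, str], str]:
    """Minimal router returning (status, headers, body)."""
    if method == "POST" and path == "/order":
        orders.append((form or {}).get("item", ""))
        # 303 See Other makes the browser fetch Location with GET. That GET,
        # not the POST, is what ends up in history and is re-run on refresh.
        return 303, {"Location": f"/order/{len(orders)}"}, ""
    if method == "GET" and path.startswith("/order/"):
        try:
            n = int(path.rsplit("/", 1)[1])
        except ValueError:
            return 404, {"Content-Type": "text/plain"}, "no such order"
        if 1 <= n <= len(orders):
            return 200, {"Content-Type": "text/html; charset=utf-8"}, f"<p>Order {n}: {orders[n - 1]}</p>"
        return 404, {"Content-Type": "text/plain"}, "no such order"
    return 405, {"Allow": "GET, POST"}, ""


def prg_submit_and_refresh(item: str, refreshes: int = 2) -> tuple[str, int]:
    """Solution slide: user submits once, then presses F5 `refreshes` times.
    Returns the body finally shown and how many orders exist afterwards."""
    status, headers, _ = handle("POST", "/order", {"item": item})
    if status != 303:
        raise RuntimeError("POST handler must redirect for PRG")
    location = headers["Location"]
    _, _, body = handle("GET", location)            # browser follows the redirect
    for _ in range(refreshes):
        _, _, body = handle("GET", location)        # refresh replays only the GET
    return body, len(orders)


def no_prg_submit_and_refresh(item: str, refreshes: int = 2) -> int:
    """Problem slide: the POST rendered the page itself, so each refresh
    re-sends the POST (after the browser's 'resend form?' prompt) and
    creates another order."""
    handle("POST", "/order", {"item": item})
    for _ in range(refreshes):
        handle("POST", "/order", {"item": item})
    return len(orders)


if __name__ == "__main__":
    reset()
    print("with PRG   :", prg_submit_and_refresh("coffee"))
    reset()
    print("without PRG:", no_prg_submit_and_refresh("coffee"), "orders")
```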
![Page 31: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/31.jpg)
Demo – Mix
![Page 32: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/32.jpg)
HTTP Players
• Web Servers
• Load Balancers
• DDoS Protection and WAF Systems
• Cache Server
• CDN (Content Delivery Networks)
• Cloudflare
![Page 33: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/33.jpg)
Web Servers
• Nginx
• Apache
• IIS
![Page 34: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/34.jpg)
Load Balancers
• Balance HTTP load between servers
• Balance statefully (needs your SSL private key)
• Cache responses
• Alter requests and responses
• Block and rate-limit requests
• Do SSL offloading (needs your SSL private key; beneficial only if you have a hardware LB)
![Page 35: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/35.jpg)
DDoS Protection Systems and WAF
• Observe traffic (needs your SSL private key)
• Detect malicious activity – several kinds of attack
• Block an IP or IP range
• Redirect to No CAPTCHA or reCAPTCHA
• Rate-limit requests
![Page 36: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/36.jpg)
Cache Servers
• Cache any type of HTTP response from the origin
• Could be a static file or reference data
• Like a very, very simple KV store
• Powerful if scripting is allowed
Examples:
• Varnish
• Nginx
![Page 37: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/37.jpg)
CDN (Content Delivery Network)
• Caches the content on the edges
• Request does not enter your data center
• Very, very efficient
![Page 38: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/38.jpg)
![Page 39: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/39.jpg)
Cloudflare
• CDN
• Load Balancing (Cloud – Region Based through DNS)
• DDoS
• WAF
• Rate Limiting
• Website Optimization
• Cache Header Optimization
• AutoMinify
• Aggressive Gzip
• Automatic Content Caching
![Page 40: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/40.jpg)
Cookies
• Add statefulness on top of the stateless HTTP protocol when necessary
• Have restrictions in the EU
Types:
• Session Cookies
• Persistent Cookies
![Page 41: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/41.jpg)
Authentication and Tokens
• Basic Authentication
• Forms Authentication
• Token Authentication
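Basic Authentication is the simplest of the three schemes listed, and also the one most often misread: the Authorization header is only base64-encoded, not encrypted, which is why it belongs on HTTPS only. The following added example, not code from the slides, builds the header the way a client does and checks it the way a server should: credentials are parsed strictly, the stored secret is a salted hash, and the comparison is constant-time and performed even for unknown users. The user table, salt and realm are constructed for the demo.

```python
"""Building and checking an Authorization: Basic header. Added example;
the user table, salt and realm are constructed for the demo."""
from __future__ import annotations
import base64
import binascii
import hashlib
import hmac

_SALT = b"demo-salt-not-for-production"   # per-user random salts in real systems
_ITERATIONS = 100_000


def _hash(password: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, _SALT, _ITERATIONS)


# Constructed user table: store a slow salted hash, never the password.
USERS = {"alice": _hash(b"correct horse")}


def build_basic_header(user: str, password: str) -> str:
    """What the client sends: base64(user:password). Base64 is encoding,
    not encryption, which is why Basic auth needs TLS underneath."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(value: str) -> tuple[str, str] | None:
    """Return (user, password), or None for anything malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    user, sep, password = decoded.partition(":")   # password may itself contain ':'
    return (user, password) if sep and user else None


def authenticate(authorization: str | None) -> tuple[int, dict[str, str]]:
    """401 plus a challenge when credentials are missing or wrong, 200 otherwise.
    The hash is computed and compared for unknown users too, so response time
    does not reveal which usernames exist."""
    challenge = {"WWW-Authenticate": 'Basic realm="demo"'}
    creds = parse_basic_header(authorization) if authorization else None
    if creds is None:
        return 401, challenge
    user, password = creds
    expected = USERS.get(user, _hash(b""))
    actual = _hash(password.encode("utf-8"))
    if user in USERS and hmac.compare_digest(expected, actual):
        return 200, {}
    return 401, challenge


if __name__ == "__main__":
    hdr = build_basic_header("alice", "correct horse")
    print(hdr, "->", authenticate(hdr))
    print(authenticate(build_basic_header("alice", "wrong")))
```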
![Page 42: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/42.jpg)
Session Cookie vs Token Auth
![Page 43: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/43.jpg)
HTTP Security
• Use SSL/TLS for transport layer security (HTTPS everything)
  • Why?
• Set cookies with HttpOnly
  • Avoid Cross Site Scripting stealing them
• Set cookies with Secure
  • Avoid sending cookies in plain HTTP requests
• Use the HSTS (HTTP Strict Transport Security) header
  • Instructs the browser to communicate only over HTTPS for a period of time
  • Avoids SSL-stripping attacks
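The three controls above are all visible in response headers, so they can be checked automatically in a test suite or a proxy log. The following added example, not code from the slides, parses Set-Cookie and Strict-Transport-Security headers and reports which cookies lack HttpOnly or Secure and whether HSTS is missing or short-lived. The sample response headers are constructed, and the one-year HSTS threshold is an assumption of this example (the slide only says "for a period of time").

```python
"""Audit response headers for HttpOnly, Secure and HSTS. Added example;
the sample headers and the one-year HSTS threshold are this demo's own."""
from __future__ import annotations

ONE_YEAR = 31536000   # assumed minimum HSTS max-age for this check


def cookie_attributes(set_cookie: str) -> tuple[str, dict[str, str | None]]:
    """'sid=abc; Path=/; HttpOnly' -> ('sid', {'path': '/', 'httponly': None})."""
    pair, *attrs = [p.strip() for p in set_cookie.split(";")]
    name = pair.partition("=")[0].strip()
    parsed: dict[str, str | None] = {}
    for attr in attrs:
        k, _, v = attr.partition("=")
        parsed[k.strip().lower()] = v.strip() or None   # attribute names are case-insensitive
    return name, parsed


def hsts_max_age(value: str | None) -> int | None:
    """max-age from Strict-Transport-Security, or None when absent or invalid."""
    if not value:
        return None
    for directive in value.split(";"):
        k, _, v = directive.strip().partition("=")
        if k.strip().lower() == "max-age":
            try:
                return int(v.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit(headers: list[tuple[str, str]], over_https: bool = True) -> list[str]:
    """One finding per missing control. Headers are a list of pairs because
    Set-Cookie legitimately repeats and must never be joined with commas."""
    findings: list[str] = []
    hsts = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cname, attrs = cookie_attributes(value)
            if "httponly" not in attrs:
                findings.append(f"cookie {cname}: missing HttpOnly (readable by script, so XSS can steal it)")
            if "secure" not in attrs:
                findings.append(f"cookie {cname}: missing Secure (would also be sent over plain HTTP)")
        elif lname == "strict-transport-security":
            hsts = value
    if over_https:   # browsers ignore HSTS received over plain HTTP, so only judge it on HTTPS
        age = hsts_max_age(hsts)
        if age is None:
            findings.append("missing Strict-Transport-Security header")
        elif age < ONE_YEAR:
            findings.append(f"HSTS max-age {age} is shorter than one year")
    return findings


# Constructed sample: one hardened cookie, one weak cookie, HSTS present.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sid=3f9a; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```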
![Page 44: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/44.jpg)
HTTP Performance Measurement
• Use Apache ab
• Use Apache JMeter (blogs from www.gokhansengun.com)
• http://loader.io/
• https://www.blazemeter.com/
• Use APM (Application Performance Monitoring) tools
• NewRelic, Dynatrace, Riverbed, App
![Page 45: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/45.jpg)
Scaling HTTP
• Use a Cache Server
• Use a CDN
• Cache Aggressively
• Use DNS load balancing
• Use the SPA (Single Page Application) Technique
• Minify and bundle JS / CSS
![Page 46: Http - All you need to know](https://reader035.fdocuments.in/reader035/viewer/2022070522/58ee99411a28ab7a498b462f/html5/thumbnails/46.jpg)
Questions?