Introduction to HTTP

Aviran Mordo
Head Of Back-End Engineering @ Wix
@aviranm
http://www.linkedin.com/in/aviran
http://www.aviransplace.com

Intro
The Hyper Text Transfer Protocol (HTTP) isa client-server network protocol
In use by the World-Wide Web since 1990.
It is based on Request Response Paradigm.

HTTP Request Message

HTTP Method

relative URL of the resource or a full URL

GET /website/template/photography/ HTTP/1.1
Accept:*/*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: www.httpwatch.com
Connection: Keep-Alive

HTTP Version

Headers

HTTP Response
Status line

Headers

double CRLF (carriage return, line feed)

contents of the requested resource

HTTP/1.1 200 OK
X-Seen-By: sputnik3.aus_dsp
X-Seen-By: s3.aus_pp
Date: Wed, 21 Aug 2013 09:02:49 GMT
Server: Apache
cache-control: max-age=604800
cache-control: no-cache
Pragma: no-cache
Set-Cookie: _wixAB2=5371#5567#2014-03-19T14-27-00.000-0500|15711#3472#2014-08-13T11-01-00.000-0500|14841#8565#2014-07-23T09-16-00.000-0500|
15551#935#2014-08-11T07-55-00.000-0500|15451#3523#2014-08-07T07-55-00.000-0500|14451#3267#2014-07-14T09-23-00.000-0500|15941#4497#2014-08-15T1539-00.000-0500|14951#8608#2014-07-28T07-24-00.000-0500|15861#7296#2014-08-15T10-02-00.000-0500|12891#3395#2014-06-23T07-34-00.000-0500|
13501#6547#2014-07-01T12-46-00.000-0500|15361#2985#2014-08-05T13-30-00.000-0500; Domain=.wix.com; Expires=Tue, 21-Aug-2018 14:06:39 GMT; Path=/
Set-Cookie: _wixCIDX=7e98f6cd-1c79-4661-9312-6f7aaeebf932; Domain=.wix.com; Expires=Mon, 17-Feb-2014 09:02:49 GMT; Path=/
Set-Cookie: _wixUIDX=10647958|1a2c4034-469d-4f4d-bbd9-17deddaf67ec; Domain=.wix.com; Expires=Mon, 17-Feb-2014 09:02:49 GMT; Path=/
Vary: User-Agent,Accept-Encoding
Content-Language: en
Content-Encoding: gzip
Content-Length: 8162
Content-Type: text/html;charset=UTF-8
Expires: 0
Cache-Control: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns:fb="https://www.facebook.com/2008/fbml" >
<head>
<meta http-equ

Everything is an extendable convention

You may create your own headers
You may create your own methods
You may not implement some methods
You may not implement header logic

HTTP Methods
GET method means retrieve whatever information. Is identified by the Request-URI
POST - used to send data to the server for updates.
PUT - method requests that the enclosed entity be stored under the supplied Request-URI.
DELETE - requests that the origin server delete the resource identified by the Request-URI.
HEAD - identical to GET except that the server MUST NOT return a message-body in the
response.
TRACE - llows the client to see what is being received at the other end of the request chain
and use that data for testing or diagnostic
CONNECT - use with a proxy that can dynamically switch to being a tunnel

HTTP Headers
Accept: text/plain; - specify certain media types which are acceptable for the response.
Accept-Encoding: compress, gzip ;
Accept-Language: da, en-gb;q=0.8, en;q=0.7 ;
Cache-Control: max-age=0, must-revalidate
Vary: User-Agent,Accept-Encoding
ETag: "xyzzy"
Set-Cookie: _wixAB2=15361#2985#2014-08-05T13-30-00.000-0500
Access-Control-Allow-Origin: *
X-Seen-By: sputnik3.aus_dsp
X-Wix-Dispatcher-Cache-Hit: no
X-Wix-Renderer-Server: apu2.aus.wixpress.com
X-Wix-Not-Found-Reason: Meta Site was not found

HTTP Status Codes and Errors

1xx Informational - intermediate response and indicates that the server has received the request but
has not finished processing it.
2xx Successful: 200 OK
3xx Redirection: 301-permanent, 302-temporary
4xx - Client Error: 400-bad request, 403-forbidden, 404-not found, 418 I'm a teapot
5xx - Server Error: 500 Internal Server Error, 503-Service Unavailable,504-Gateway Timeout

Cookies
Servers supply cookies by populating the set-cookie
response header with the following details: Set-Cookie: name=value
Name Name of the cookie
Value Textual value to be held by the cookie
Expires Date/time when the cookie should be discarded by the browser.
If this field is empty the cookie expires at the end of the current browser session. This field can also be used to delete a cookie by setting a
date/time in the past.
Path
Path below which the cookie should be supplied by the browser.
Domain Web site domain to which this cookie applies.
This will default to the current domain and attempts to set cookies on other domains are subject to the privacy controls built into the browser.

Type of cookies - Terminology

Session cookie - Web browsers normally delete session cookies when the user closes the browser
Persistent cookie - A persistent cookie will outlast user sessions expires on a set timestamp
Secure cookie - A secure cookie has the secure attribute enabled and is only used via HTTPS
HttpOnly cookie - On a supported browser, only when transmitting HTTP (or HTTPS) requests. Not accessible to Javascript.
Third-party cookie - cookies that belong to domains different from the one shown in the address bar.
Supercookie - cookie with an origin of a TLD(such as .com)

Browsers send cookies via request header. Cookie: name=value; name2=value2

HTTP Caching
Preventing Caching - Cache-Control: no-cache (HTTP 1.1); Pragma: no-cache (HTTP 1.0)
Last-Modified: Wed, 15 Sep 2004 12:00:00 GMT Browser can check the server for changes
Expires: Sun, 17 Jan 2038 19:14:07 GMT - browser can reuse the content without having to
check the server
GET /images/logo.gif HTTP/1.1
Accept: */*
Referer: http://www.google.com/
Accept-Encoding: gzip, deflate
If-Modified-Since: Thu, 23 Sep 2004 17:42:04 GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)
Host: www.google.com
HTTP/1.1 304 Not Modified
Content-Type: text/html
Server: GWS/2.1
Content-Length: 0
Date: Thu, 04 Oct 2004 12:00:00 GMT

HTTP Methods
GET - method is used to retrieve information from a specified URI and is assumed to be a safe,
have no side effects repeatable operation by browsers, caches and other HTTP aware
components.
GET can only supply data in the form of parameters encoded in the URI (Query String) or as cookies.
Therefore, GET cannot be used for uploading files or other operations that require large amounts of data
to be sent to the server.

POST method is used for operations that have side effects and cannot be safely repeated.
POST request message has a content body that is normally used to send parameters and data. Unlike
using the request URI or cookies, there is no upper limit on the amount of data that can be sent

POST Request
Method

Headers

double CRLF (carriage return, line feed)

POST /httpgallery/methods/default.aspx HTTP/1.1

Host: www.httpwatch.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://www.httpwatch.com/httpgallery/methods/
Cookie: __utma=1.1256977602.1377003403.1377082307.1377092487.5; __utmc=1; __utmz=1.1377003403.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not
%20provided); __utmb=1.4.9.1377092850054
Proxy-Authorization: Basic b21lckB3aXguY29tOmg2M2ZycQ==
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
Set-Cookie: _wixAB2=5371#5567#2014-03-19T14-27-00.000-0500|15711#3472#2014-08-13T11-01-00.000-0500|14841#8565#2014-07-23T09-16-00.000-0500|
15551#935#2014-08-11T07-55-00.000-0500|15451#3523#2014-08-07T07-55-00.000-0500|14451#3267#2014-07-14T09-23-00.000-0500|15941#4497#2014-08-15T1539-00.000-0500|14951#8608#2014-07-28T07-24-00.000-0500|15861#7296#2014-08-15T10-02-00.000-0500|12891#3395#2014-06-23T07-34-00.000-0500|
13501#6547#2014-07-01T12-46-00.000-0500|15361#2985#2014-08-05T13-30-00.000-0500; Domain=.wix.com; Expires=Tue, 21-Aug-2018 14:06:39 GMT; Path=/
Set-Cookie: _wixCIDX=7e98f6cd-1c79-4661-9312-6f7aaeebf932; Domain=.wix.com; Expires=Mon, 17-Feb-2014 09:02:49 GMT; Path=/
Set-Cookie: _wixUIDX=10647958|1a2c4034-469d-4f4d-bbd9-17deddaf67ec; Domain=.wix.com; Expires=Mon, 17-Feb-2014 09:02:49 GMT; Path=/
Cache-Control: no-cache
Amount=10&B2=Submit

post data / body

Redirection
HTTP allows servers to redirect a client request to a different location. Although, this will
usually result in another network round trip
301 Permanent redirect Content move permanently at the location specified by the Location header and future requests should be directed to this
location.
302 Temporary Redirect - future requests should still be sent to the original location
303 This status code was intended to be the only status code that caused a POST to be converted to a GET. However, most browsers treat a 302 like a
303.
304 Not modified - Used in response to an If-Modified header to redirect a request to the browser's local cache.
HTTP/1.1 302 Found
Cache-Control: private,Public
Content-Length: 162
Content-Type: text/html; charset=utf-8
Location: /httpgallery/redirection/default.aspx#example
Set-Cookie: balance=990; path=/httpgallery/redirection/

HTTPS
The Secure Sockets Layer (SSL) was designed to encrypt any TCP/IP based network traffic and
provide the following capabilities
Prevents eavesdropping
Prevents tampering or replaying of messages
Uses certificates to authenticate servers and optionally clients

The HTTPS protocol is the same text based protocol as HTTP but is run over an encrypted SSL
session.

AJAX - Asynchronous JavaScript And XML

AJAX is a technology used by interactive web applications to make HTTP requests to a server
without causing page transitions.
Requests have to go to the same domain as the page
<scripttype="text/javascript">
functionGetShoppingList()
{
//CreateaninstanceoftheHTTPrequestobject
varxmlHttp=newXMLHttpRequest();
//SpecifyHTTPGETbydefaultandsupplytherelativeurl
xmlHttp.open("GET","getlist.aspx",false);

//StartasynchronousAJAXrequestandwaitfortheresponse
xmlHttp.send(null);
vartargetNode=document.getElementById("divShoppingList");
//UsetheHTMLreturnedfromservertocreatelist
targetNode.innerHTML=xmlHttp.responseText;
}
</script>

Cross-origin resource sharing (CORS)

Allows JavaScript on a web page to make XMLHttpRequests to another domain
"preflighted" requests first send an HTTP OPTIONS method request to the resource on the
other domain, to determine if the request is safe to send.
OPTIONS /resources/post-here/ HTTP/1.1
Host: bar.other
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
Origin: http://foo.example
Access-Control-Request-Method: POST
Access-Control-Request-Headers: X-PINGOTHER
HTTP/1.1 200 OK
Date: Mon, 01 Dec 2008 01:15:39 GMT
Access-Control-Allow-Origin: http://foo.example
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: X-PINGOTHER
Access-Control-Max-Age: 1728000
POST /resources/post-here/ HTTP/1.1
Host: bar.other

JSONP - "JSON with padding"

Provides a method to request data from a server in a different domain
JSONP has nothing to do with Ajax, since it does not use XMLHttpRequest. Instead it dynamically
inserts
Step 1 - You need to create a callback function. The function accepts some data.
function w3r_callback(data){
console.log(data);
}

Step 2 - Include a script in your web page which contains the callback function created a step 1 as a
parameter
<script src="http://www.example.com?q=w3r_callback"><script>
Step 3 - It outputs a script which calls the function and requested data is
passed
w3r_callback({
"FirstName" : "xyz",
"LastName" : "abc",
"Grade" : "A"
}
);

Resources
http://www.httpwatch.com/httpgallery/introduction/
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html