March 30, 2013

Hypertext Transfer Protocol


Introduction:

The Hypertext Transfer Protocol (HTTP) is designed to enable communication between a client and a server and works as a request-response protocol. A web browser may be the client, and an application on the computer that hosts a website may be the server.

The Life Cycle begins as:

A client (browser) submits an HTTP request to the server; the server then returns a response to the client. The response contains status information about the request and may also contain the requested content.


HTTP Protocols:

Three HTTP protocols are present:
  1. HTTP Persistent: An HTTP persistent connection, also called “HTTP keep-alive” or “HTTP connection reuse”, is the idea of using a single TCP connection to send and receive multiple HTTP requests/responses, as opposed to opening a new connection for every single request/response pair.
  2. HTTP Compression: HTTP compression is a capability that can be built into web servers and web clients to make better use of the available bandwidth and provide greater transmission speeds between them.
  3. HTTPS: HTTPS is a widely used communication protocol for secure communication over a computer network, with especially wide deployment on the Internet. Technically it is not a protocol in itself; it is the result of simply layering the HTTP protocol on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communication.
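
The request-response cycle, persistent connections and compression come together in how a client must frame the bytes it reads from one reused TCP connection. The following Python is an added example written for this page (not code from the original post): it builds three constructed HTTP/1.1 responses, concatenates them as they would arrive on a keep-alive connection, and then splits them apart again using Content-Length, decompressing a gzip body on the way. It deliberately rejects duplicate or chunked framing headers instead of guessing, because on a shared connection a wrong message boundary corrupts every later response. The host names and bodies are constructed sample data.

```python
import gzip
from typing import Dict, List, Tuple

Headers = Dict[str, str]


def build_response(code: int, reason: str, body: bytes,
                   compress: bool = False, close: bool = False) -> bytes:
    """Serialise one HTTP/1.1 response (constructed sample data for this example)."""
    payload = gzip.compress(body) if compress else body
    lines = [f"HTTP/1.1 {code} {reason}",
             f"Content-Length: {len(payload)}",
             "Content-Type: text/html"]
    if compress:
        lines.append("Content-Encoding: gzip")
    if close:
        lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + payload


def parse_response_stream(stream: bytes) -> List[Tuple[int, Headers, bytes]]:
    """Split the bytes read from one persistent connection into individual responses.

    Framing uses Content-Length only; gzip-encoded bodies are decompressed.
    Returns a list of (status_code, headers, body) in arrival order."""
    responses: List[Tuple[int, Headers, bytes]] = []
    pos = 0
    while pos < len(stream):
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            raise ValueError("incomplete response head")
        status_line, *header_lines = stream[pos:head_end].decode("iso-8859-1").split("\r\n")
        parts = status_line.split(" ", 2)
        if len(parts) < 2 or parts[0] != "HTTP/1.1" or not parts[1].isdigit():
            raise ValueError(f"bad status line: {status_line!r}")
        headers: Headers = {}
        for line in header_lines:
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"bad header line: {line!r}")
            name = name.strip().lower()
            # A repeated framing header makes the message length ambiguous; refuse it
            # rather than guess, since the next message boundary depends on it.
            if name in headers and name in ("content-length", "transfer-encoding"):
                raise ValueError(f"duplicate {name} header")
            headers[name] = value.strip()
        if "transfer-encoding" in headers:
            raise ValueError("chunked framing is not handled by this example")
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        payload = stream[body_start:body_start + length]
        if len(payload) != length:
            raise ValueError("truncated body")
        body = gzip.decompress(payload) if headers.get("content-encoding") == "gzip" else payload
        responses.append((int(parts[1]), headers, body))
        pos = body_start + length
        if headers.get("connection", "").lower() == "close":
            break  # the server will not reuse this connection for further responses
    return responses


# Constructed sample: three responses pipelined on one keep-alive connection.
SAMPLE_STREAM = (
    build_response(200, "OK", b"<p>first</p>")
    + build_response(200, "OK", b"<p>second, compressed</p>" * 20, compress=True)
    + build_response(404, "Not Found", b"", close=True)
)

if __name__ == "__main__":
    for code, headers, body in parse_response_stream(SAMPLE_STREAM):
        print(code, headers.get("content-encoding", "identity"), len(body), "bytes")
```

Without the keep-alive case the parser would only ever see one response; with it, Content-Length is what tells the client where one response stops and the next begins, which is why the example treats an ambiguous length as an error rather than a warning.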

HTTP Request Methods:

There are nine HTTP request methods, but the two most widely used are GET and POST.
  1. GET:
  • It can be cached.
  • It remains in the browser history.
  • It can be bookmarked.
  • It should never be used when dealing with sensitive data.
  • It has a length restriction.
  • It should only be used to retrieve data.
  2. POST:
  • It cannot be cached.
  • It does not remain in the browser history.
  • It cannot be bookmarked.
  • It has no restriction on data length.
  3. HEAD: Same as GET but returns only the headers and no document body.
  4. PUT: Uploads a representation of the specified URI.
  5. DELETE: Deletes the specified resource.
  6. OPTIONS: Returns the HTTP methods that the server supports.
  7. CONNECT: Converts the request connection to a transparent TCP/IP tunnel.

Compare GET vs POST:

  1. Back Button/Reload:
  • GET: Harmless
  • POST: Data will be re-submitted (the browser alerts the user about the re-submission)
  2. Bookmarked:
  • GET: Can be bookmarked
  • POST: Cannot be bookmarked
  3. Cached:
  • GET: Can be cached
  • POST: Not cached
  4. Encoding Type:
  • GET: application/x-www-form-urlencoded
  • POST: application/x-www-form-urlencoded or multipart/form-data (for binary data)
  5. History:
  • GET: Parameters remain in the browser history
  • POST: Parameters are not saved in the browser history
  6. Restriction on data length:
  • GET: Maximum URL length is 2048 characters
  • POST: No restriction
  7. Restrictions on data type:
  • GET: Only ASCII characters are allowed
  • POST: No restriction; binary data is also allowed
  8. Security:
  • GET: GET is less secure than POST because the data sent is part of the URL.
  • POST: POST is a little safer than GET because the parameters are not stored in the browser history or in web server logs.
  9. Visibility:
  • GET: Data is visible to everyone in the URL
  • POST: Data is not displayed in the URL

HTTP Status Codes:

There are five classes of HTTP status codes, which are:
  1. 1xx Informational
This class of status code indicates a provisional response, consisting only of the Status-Line and optional headers, and is terminated by an empty line.

  • 100 Continue: This means that the server has received the request headers and that the client should proceed to send the request body.
  • 101 Switching Protocols: This means the requester has asked the server to switch protocols and the server is acknowledging that it will do so.
  • 102 Processing: This code indicates that the server has received and is processing the request, but no response is available yet. This prevents the client from timing out and assuming the request was lost.
  2. 2xx Success
This class of status code indicates that the action requested by the client was received, understood, accepted and processed.

  • 200 OK: Standard response for successful HTTP requests.
  • 201 Created: This means that the request has been fulfilled and resulted in a new resource being created.
  • 202 Accepted: This code indicates that the request has been accepted for processing, but the processing has not been completed.
  • 203 Non-Authoritative Information: Means the server successfully processed the request but is returning information that may be from another resource.
  • 204 No Content: Means the server successfully processed the request but is not returning any content.
  • 205 Reset Content: Means the server successfully processed the request but is not returning any content. Unlike a 204 response, this response requires that the requester reset the document view.
  • 206 Partial Content: Means the server is delivering only part of the resource due to a Range header sent by the client.
  • 207 Multi-Status: Means the message body that follows is an XML message and can contain a number of separate response codes, depending on how many sub-requests were made.
  • 208 Already Reported: Means the members of a DAV binding have already been enumerated in a previous reply to this request and are not being included again.
  • 226 IM Used: Means the server has fulfilled the GET request for the resource, and the response is a representation of the result of one or more instance manipulations applied to the current instance.
  • 250 Low on Storage Space: Means the server returns this warning after receiving a RECORD request that it may not be able to fulfill completely due to insufficient storage space.
  3. 3xx Redirection
This class of status code indicates that further action needs to be taken by the user agent to fulfill the request. The action required may be carried out by the user agent without interaction with the user if and only if the method used in the second request is GET or HEAD.

  • 300 Multiple Choices: Indicates multiple options for the resource that the client may follow.
  • 301 Moved Permanently: This and all future requests should be redirected to the given URL.
  • 302 Found: This code's original describing phrase was “Moved Temporarily”, but the popular browsers implemented 302 with the functionality of 303.
  • 303 See Other: Means the response to the request can be found under another URL using the GET method. The client should assume that the server has received the data, and the redirect should be issued with a separate GET message.
  • 304 Not Modified: Indicates that the resource has not been modified since the version specified by the request headers.
  • 305 Use Proxy: The requested resource is only available through a proxy, whose address is provided in the response.
  • 306 Switch Proxy: No longer used. Originally meant “Subsequent requests should use the specified proxy.”
  • 307 Temporary Redirect: The request should be repeated with another URI; however, future requests should still use the original URI.
  • 308 Permanent Redirect: The request and all future requests should be repeated using another URI.
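
The 3xx codes differ mainly in whether the follow-up request keeps the original method and whether the new URI should be remembered. The Python below is an added example written for this page (not code from the original post) that encodes the method rules described above (303 switches to GET, 302 is treated like 303 as browsers do, 307/308 repeat the original method; treating 301 like 302 for non-GET requests is an assumption about mainstream browser behaviour) and walks a redirect chain against a constructed in-memory "server". It also shows the two checks a client should never skip: refusing a Location that is not an http or https URL, and detecting redirect loops, for which the 508 Loop Detected code exists on the server side.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def next_request(method, status, location, current_url):
    """Decide the follow-up request for a response, or return None if nothing is
    to be followed automatically (300, 304 and 305 are left to the caller)."""
    if status not in REDIRECT_CODES or not location:
        return None
    target = urljoin(current_url, location)  # Location may be a relative reference
    if urlsplit(target).scheme not in ("http", "https"):
        raise ValueError(f"refusing to follow redirect to non-HTTP URL: {target}")
    # 303 always becomes GET; 302 (and, by assumption, 301) turn a POST into GET,
    # as browsers do; 307/308 must repeat the original method unchanged.
    if method != "HEAD" and (status == 303 or (status in (301, 302) and method != "GET")):
        return "GET", target
    return method, target


def follow(method, url, responses, max_redirects=10):
    """Walk a redirect chain against a simulated server.

    `responses` maps URL -> (status, headers) and stands in for the server.
    Returns (final_status, final_method, final_url)."""
    seen = {url}
    for _ in range(max_redirects + 1):
        status, headers = responses[url]
        step = next_request(method, status, headers.get("Location"), url)
        if step is None:
            return status, method, url
        method, url = step
        if url in seen:
            raise RuntimeError(f"redirect loop at {url}")
        seen.add(url)
    raise RuntimeError("too many redirects")


# Constructed server responses (example.test is a reserved, non-routable name).
SERVER = {
    "http://www.example.test/old":    (301, {"Location": "/new"}),
    "http://www.example.test/new":    (200, {}),
    "http://www.example.test/form":   (303, {"Location": "/result"}),
    "http://www.example.test/result": (200, {}),
    "http://www.example.test/api":    (307, {"Location": "https://api.example.test/v2"}),
    "https://api.example.test/v2":    (200, {}),
    "http://www.example.test/a":      (302, {"Location": "/b"}),
    "http://www.example.test/b":      (302, {"Location": "/a"}),
}

if __name__ == "__main__":
    for start in ("/old", "/form", "/api"):
        print(start, "->", follow("POST", f"http://www.example.test{start}", SERVER))
```

The 307 case is the one that matters for APIs: a client that downgrades every redirect to GET silently drops the POST body, whereas a client that blindly repeats a POST on a 302 re-submits it to wherever Location points.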
  4. 4xx Client Error
This class of status code is intended for cases in which the client seems to have erred. These are applicable to any request method.

  • 400 Bad Request: The request cannot be fulfilled because the request is malformed.
  • 401 Unauthorized: Similar to 403, but used when authentication is required and has failed or has not yet been provided.
  • 402 Payment Required: This code might be used as part of some form of digital cash, but that has not happened and this code is not usually used.
  • 403 Forbidden: The request was a valid request, but the server is refusing to respond to it.
  • 404 Not Found: The requested resource could not be found but may be available again in the future.
  • 405 Method Not Allowed: A request was made of a resource using a request method not supported by that resource.
  • 406 Not Acceptable: The requested resource is only capable of generating content that is not acceptable according to the Accept headers sent in the request.
  • 407 Proxy Authentication Required: The client must first authenticate itself with the proxy.
  • 408 Request Timeout: The server timed out waiting for the request.
  • 409 Conflict: Indicates that the request could not be processed because of a conflict in the request.
  • 410 Gone: Indicates that the requested resource is no longer available and will not be available again.
  • 411 Length Required: The request did not specify the length of its content, which is required by the requested resource.
  • 412 Precondition Failed: The server does not meet one of the preconditions that the requester put on the request.
  • 413 Request Entity Too Large: The request is larger than the server is willing or able to process.
  • 414 Request-URI Too Long: The URI provided was too long for the server to process.
  • 415 Unsupported Media Type: The request entity has a media type which the server or resource does not support.
  • 416 Requested Range Not Satisfiable: The client has asked for a portion of the file, but the server cannot supply that portion.
  • 417 Expectation Failed: The server cannot meet the requirements of the Expect request-header field.
  • 422 Unprocessable Entity: The request was well-formed but could not be followed due to semantic errors.
  • 423 Locked: The resource that is being accessed is locked.
  • 424 Failed Dependency: The request failed due to the failure of a previous request.
  • 426 Upgrade Required: The client should switch to a different protocol.
  • 429 Too Many Requests: The user has sent too many requests in a given amount of time.
  • 431 Request Header Fields Too Large: The server is unwilling to process the request because either an individual header field, or all the header fields collectively, are too large.
  • 451 Parameter Not Understood: The recipient of the request does not support one or more parameters contained in the request.
  • 452 Conference Not Found: The conference indicated by the Conference header field is unknown to the media server.
  • 453 Not Enough Bandwidth: The request was refused because there was insufficient bandwidth.
  • 454 Session Not Found: The session identifier in the Session header is missing, invalid, or has timed out.
  5. 5xx Server Error
This class of status code is applicable to any request method.

  • 500 Internal Server Error: A generic error message, given when no more specific message is suitable.
  • 501 Not Implemented: The server either does not recognize the request method or lacks the ability to fulfill the request.
  • 502 Bad Gateway: The server was acting as a gateway or proxy and received an invalid response from the upstream server.
  • 503 Service Unavailable: The service is currently unavailable; generally this is a temporary state.
  • 504 Gateway Timeout: The server was acting as a gateway or proxy and received an invalid response from the upstream server.
  • 505 HTTP Version Not Supported: The server does not support the HTTP protocol version used in the request.
  • 507 Insufficient Storage: The server is unable to store the representation needed to complete the request.
  • 508 Loop Detected: The server detected an infinite loop while processing the request.
  • 510 Not Extended: Further extensions to the request are required for the server to fulfill it.
  • 511 Network Authentication Required: The client needs to authenticate to gain network access.
  • 551 Option Not Supported: An option given in the Require or the Proxy-Require field was not supported.

HTTP Header Fields:

There are six types of header fields, which are:

  1. HTTP Cookie:
A cookie is usually a small piece of data sent from a website and stored in the user's browser while the user is browsing that website. There are seven types of cookies, which are:

  • Session Cookie: A user's session cookie for a website exists in temporary memory only while the user is reading and navigating the website.
  • Persistent Cookie: This cookie is used to record a vital piece of information, such as how the user initially came to the website. It is also called a “tracking cookie”.
  • Secure Cookie: This cookie is used over HTTPS and has the Secure attribute enabled, ensuring that the cookie is always encrypted when transmitted from client to server.
  • HTTPOnly Cookie: Supported by most modern browsers. It is only transmitted in HTTP or HTTPS requests, and access by other means is restricted.
  • Third Party Cookie: These cookies are set with domains different from the one shown in the address bar.
  • Super Cookie: This term is used for tracking technologies that do not rely on HTTP cookies.
  • Zombie Cookie: This cookie is automatically recreated after the user has deleted it. This is accomplished by a script that stores the content of the cookie in other locations.
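
The session/persistent, Secure and HTTPOnly distinctions above are all visible in the attributes of a Set-Cookie header, so they can be checked mechanically. The following Python is an added example (not code from the original post) that parses a Set-Cookie value into its name, value and attributes, classifies the cookie as session or persistent, and reports the attributes a reviewer would expect on a cookie that carries a login session. The cookie values are constructed.

```python
from typing import Dict, List, Tuple, Union

AttrValue = Union[str, bool]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, AttrValue]]:
    """Split a Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and HttpOnly,
    which carry no value, map to True."""
    pair, *attr_parts = [p.strip() for p in header.split(";")]
    name, sep, value = pair.partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {pair!r}")
    attrs: Dict[str, AttrValue] = {}
    for part in attr_parts:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str, served_over_https: bool = True) -> Tuple[str, str, List[str]]:
    """Classify a cookie as 'session' or 'persistent' and list missing protections.

    Returns (cookie_name, kind, findings); an empty findings list means the cookie
    has both the Secure flag (when the site is HTTPS) and the HttpOnly flag."""
    name, _value, attrs = parse_set_cookie(header)
    # A cookie with Expires or Max-Age survives the browser session on disk.
    kind = "persistent" if ("expires" in attrs or "max-age" in attrs) else "session"
    findings: List[str] = []
    if served_over_https and attrs.get("secure") is not True:
        findings.append("missing Secure: the browser may send it over plain HTTP")
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly: readable by scripts running in the page")
    return name, kind, findings


# Constructed Set-Cookie headers for the demonstration.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly",
    "tracker=xyz; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/",
    "prefs=dark; Max-Age=3600; Secure",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit_set_cookie(h))
```

A session identifier should normally come out as ("sid", "session", []): kept in memory only, sent only over TLS and unreadable by page scripts. The Expires attribute contains a comma, which is why the parser splits on ";" first and only then on the first "=".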

  2. HTTP ETag
It is one of several mechanisms that HTTP provides for web cache validation, and it allows a client to make conditional requests. This allows caches to be more efficient and saves bandwidth, as a web server does not need to send a full response if the content has not changed.
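
Here is the ETag validation cycle as an added Python example (not code from the original post): the server derives a tag from the content, the client sends it back in If-None-Match on its next request, and the server answers 304 Not Modified with an empty body while the content is unchanged, or 200 with a fresh tag once it changes. The documents are constructed; the tag format (a truncated SHA-256 of the body in double quotes) is this example's choice, as any opaque string the server can reproduce works.

```python
import hashlib
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str], bytes]


def compute_etag(body: bytes) -> str:
    """Strong validator derived from the content; any byte change yields a new tag."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def _strip_weak(tag: str) -> str:
    # If-None-Match uses weak comparison: a W/ prefix is ignored on either side.
    return tag[2:] if tag.startswith("W/") else tag


def serve_get(body: bytes, request_headers: Dict[str, str]) -> Response:
    """Answer a GET, or a conditional GET, for the current representation `body`.

    Returns (status, response_headers, response_body): 304 with an empty body when
    the client's If-None-Match already names the current representation, otherwise
    200 with the full body and its ETag."""
    etag = compute_etag(body)
    inm = request_headers.get("If-None-Match")
    if inm is not None:
        candidates = [t.strip() for t in inm.split(",")]
        if "*" in candidates or any(_strip_weak(c) == etag for c in candidates):
            return 304, {"ETag": etag, "Cache-Control": "max-age=0, must-revalidate"}, b""
    headers = {"ETag": etag,
               "Content-Length": str(len(body)),
               "Cache-Control": "max-age=0, must-revalidate"}
    return 200, headers, body


# Constructed documents: the same resource before and after an edit.
DOC_V1 = b"<html><body>version one</body></html>"
DOC_V2 = b"<html><body>version two</body></html>"

if __name__ == "__main__":
    status, headers, _ = serve_get(DOC_V1, {})           # first fetch: 200 + ETag
    tag = headers["ETag"]
    print(status, tag)
    print(serve_get(DOC_V1, {"If-None-Match": tag})[0])  # unchanged: 304
    print(serve_get(DOC_V2, {"If-None-Match": tag})[0])  # edited: 200 with a new tag
```

Because the tag is derived from the bytes served, a cached copy can only be reused when the server confirms it; this is also why an ETag should never be built from something the client controls, or from file metadata alone when several servers generate it differently.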

  3. HTTP Location
It is returned in responses from HTTP servers under two circumstances.

  • To ask the web browser to load a different page. In this circumstance, an HTTP status code of 3xx should be sent. It is passed as part of the response by a web server when the requested URI has: Moved Temporarily or Moved Permanently.
  • To provide information about the location of a newly created resource. In this circumstance, the Location header should be sent with an HTTP status code of 201 or 202.

  4. HTTP Referer
It identifies the address of the web page that linked to the resource being requested. By checking the referer, the new web page can see where the request originated. Referer logging is used to allow websites and web servers to identify where people are visiting them from, for statistical purposes.

  5. DNT
The DNT (Do Not Track) header is a proposed HTTP header field used to request that a web application disable either its tracking or its cross-site user tracking.

  6. X-Forwarded-For
A header field for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
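
X-Forwarded-For is appended to by each proxy on the path, but it is otherwise just a request header that any client can set, so a server must decide when to believe it. The Python below is an added example (not code from the original post) of the usual rule: honour the header only when the TCP peer is one of our own proxies, then read it from the right, skipping the hops those proxies added, and take the first address that is not ours as the client. The proxy address ranges are constructed for the example, as are the sample peers, which use the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
import ipaddress
from typing import Optional

# Constructed: the proxies/load balancers this server sits behind.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _is_trusted(ip) -> bool:
    """True if the address belongs to one of our proxies."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Determine the originating client address for a request.

    `peer_addr` is the address of the TCP connection as seen by this server;
    `xff` is the X-Forwarded-For header value, or None if absent.

    Only the entries appended by our own proxies can be relied upon, so the list
    is walked right to left: trusted hops are skipped and the first untrusted
    address is the client. Anything further left, including values supplied by
    the client itself, is ignored."""
    peer = ipaddress.ip_address(peer_addr)
    if not _is_trusted(peer):
        return peer_addr  # direct connection: the header is untrustworthy, ignore it
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the proxy's address
        if not _is_trusted(ip):
            return str(ip)
    return peer_addr  # every hop was one of ours (or the header was empty)


# Constructed sample requests as (peer address, X-Forwarded-For value).
SAMPLES = [
    ("10.1.2.3", "203.0.113.9, 10.1.2.4"),            # via two of our proxies
    ("10.1.2.3", "198.51.100.7, 203.0.113.9"),        # leftmost entry is not ours: ignored
    ("198.51.100.7", "203.0.113.9"),                  # direct connection: header ignored
    ("10.1.2.3", None),                               # proxy forwarded without the header
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"peer={peer} xff={xff!r} -> client={client_ip(peer, xff)}")
```

The same logic applies to any access-control or rate-limiting decision keyed on the client address: taking the leftmost entry, which is the common mistake, lets a client choose the address the server attributes its requests to.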