Note: Most of these blogs are for my personal reference and at a given time, some of those might just be unpolished drafts.

Some notes on HTTP

Learning from the udacity course on client server communication

course link: https://classroom.udacity.com/courses/ud897

Using netcat:

nc google.com 80
<head/get/post/put>
headers:
    OPTIONS: get a list of methods supported by the URL end point
    HEAD: just the header and not the body.. validate if the incoming data will fit the memory, cache validation

xml-http-request: xhr, traditional way of doing ajax, new way is javascript promises which are chainable callbacks and are asynchronous

How head is used for cache checking.. check for incoming size and the size of the data chunk stored in cache.. but with increasing assets in a website it becomes in efficient (each round trip costs network)

Common response headers: content-length: content-type: browser uses appropriate parsing enginer (render image, play audio/video) Last-modified: not very good to detect modification.. (dev can change one file but upload entire project to server again) E-tag: entity tag, based on file content, most servers use hashing (sort of like version control of the resources) If-Modified-Since: based on last Last-modified If-None-Match: based on e tag (this takes precedence over If-Modified-Since)

tcp/ip joke, udp joke

time to first byte (ttfb) head of line blocking

http connection keep alive: use same channel (each http connection requires a tcp handshake underneath) (js+css bundled together in a bundle.js)

using proxy: export http_proxy=http://localhost:8080/ $ export https_proxy=$http_proxy (in linux) there are several tools like burp suite, foxy proxy for firefox (route browser traffic through a proxy)

tls: transfer layer security (can be combined with http->https, ftp->ftps)

asymmetric cryptography: sign documents using public key, but documents can be fairly huge, so just sign the hash of it

server sends a certificate, browsers store (CA collection) public key and certificates (key, domain, authority signature) browser generates a random key (meant for symmetric encryption) encrypts is using public key and sends it to the server.. now client server can have symmetric encryption connection (faster, scales more, efficient), also validates server’s identity because if it didn’t have private key it would not be able to communicate with the client

https://badssl.com/ website to find out what sort of things are valid, trustable or not

http 2: http 1 header cannot be compressed, 2’s header can be (saving header data can be significant improvement where requests are more. )

header compression, avoid head of line blocking, security via TLS are the main points

no head of line blocking: single connection, multiple streams, multiplexing: header compression.. streams can share the header too


what should be different with http2: (find the screenshot)

javascript and CORS: (same origin policy) by default it’s only allowed to interact with it’s own origin origin:: DAta scheme, hostname, port http: something.com 90

         change either one of these and the origin is different

         can't get/fetch,

Cross origin resources sharing

jsonp json with padding

why it requires pre-flight: pre-flight is an OPTIONS request to check what operations and what origins are supported (just not to lose the operations) normal GET are not preflighted (if it’s blocked it won’t give any resources)

csrf:

Written on August 12, 2018