Professional Documents
Culture Documents
Uniform Resource Identifiers (URIs): It is meant to identify a resource of any kind, It’s
just a name following some syntax. URL & URN are subsets of URI.
URL (Uniform Resource Locator):- is a special kind of URI which is meant to specify
the location of a resource available on the Internet. It does not have to be HTTP URL
(http://), a URL can also be (ftp://) or (smb://)
URN (Uniform Resource Name): A URN is intended to label a resource based on its
actual identity, rather than where it can be found. Both URNs (names) and URLs
(locators) are URIs, and a particular URI may be both a name and a locator at the same
time.
Concretely, the key difference between the two is: a URL always refers to something that
is network-addressable, whereas a URN is a logical identifier which might have no
endpoint.
Example:
GET / HTTP/1.1
Host: www.blahblahblahblah.com
HTTP pipelining By default, HTTP requests are issued sequentially. The next
request is only issued once the response to the current request has been received.
As they are affected by network latencies and bandwidth limitations, this can
result in significant delay before the next request is seen by the server.Pipelining
is the process to send successive requests, over the same persistent connection,
without waiting for the answer. This avoids latency of the connection.
Theoretically, performance could also be improved if two HTTP requests were to
be packed into the same TCP message. The typical MSS (Maximum Segment Size),
is big enough to contain several simple requests, although the demand in size of
HTTP requests continues to grow.
Not all types of HTTP requests can be pipelined:
only GET, HEAD, PUT and DELETE, can be replayed safely: should a failure
happen, the pipeline content can simply be repeated.
Today, every HTTP/1.1-compliant proxy and server should support pipelining,
though many have limitations in practice: a significant reason no modern browser
activates this feature by default. In 1.0, this was achieved by using connection
header.
Partial Resource Selection: In HTTP/1.1, a client can ask for only part of a resource
rather than the entire document, which reduces the load on the server and saves
transfer bandwidth. (Using the Ranges Header)
Better Caching and Proxying Support: HTTP 1.0 had support for caching via the
header: If-Modified-Since.
HTTP 1.1 expands on the caching support a lot by using something called 'entity tag'.
If 2 resources are the same, then they will have the same entity tags. HTTP 1.1 also
adds the If-Unmodified-Since, If-Match, If-None-Match conditional headers. There
are also further additions relating to caching like the Cache-Control header. The
caching mechanism within HTTP 1.0 is simple in design. The client requests a
resource, the resource is then returned by the origin server along with the
following HTTP headers:-
Expires - The Expires header contains the date/time after which the response is
considered stale. Invalid dates, like the value 0, represent a date in the past and mean
that the resource is already expired. If there is a Cache-Control header with
the directive in the response, the Expires header is ignored.
Last-Modified - when the resource was last modified. The client can then
instruct the origin server to only send the resource if it has a newer copy by
using the If-Modified-Since header. Otherwise the origin will send a HTTP 304 -
Not Modified response. This is also known as a Conditional Request. However,
the client can also request the resource is not served from cache by using
the Pragma: no-cache header.
HTTP 1.1 extends the caching functionality from HTTP 1.0. In HTTP 1.1 a cached
entry is considered fresh. At the point the expiry time is reached it is deemed stale.
Should the cache entry be considered stale it must be revalidated with the origin server.
However, both client and origin are able to override this requirement.
If-None-Match : <entitiy tag>- Instructs the server to send the resource if the entity
DOES NOT exist of the server. If the entity does exist on the server a 304 (Not Modified)
is returned.
If-Match : <entitiy tag> - Instructs the server to send the resource if the entity
DOES exists on the server.
If-Unmodifed-Since : <date> - Instructs the server to send the resource if the resource
has NOT been modified since the date provided.
If-Range (entity_tag | date) - Used along with the Range header. This follows the same
principle as above but is instead works a a byte range level rather then a resource level.
2 further headers that were also added to HTTP 1.1 are the headers - cache-control and
vary.
OPTIONS method
HTTP Methods
Difference between Get and POST:-
In Get, data is sent with query string and with POST, it’s sent as body.
GET
GET is used to request data from a specified resource. Caching also comes into play, as
a proxy server or even the client itself might satisfy the request before it gets to
the server. It’s important to remember that the meaning of a GET request may change if
certain headers, such as If-Modified-Since or If-Match are used—these and other
similar headers tell the server to only send the resource if certain conditions are met. A
request of this sort is sometimes called a conditional GET. Similarly, the Range header
may be used by the client to request that the server send it only part of a resource; this
is usually used for large files. When this header is included, the request may be called a
partial GET.
POST
The HTTP POST method sends data to the server. The type of the body of the request is
indicated by the Content-Type header.
The difference between PUT and POST is that POST appends the data and Put does not. If
post uploads a file with value of 1-10 and if it does upload the same file with a value of
11-20, the value would be changed to 1-20 and with put it would just override the data
and value would be changed to 11-20.
PUT
The HTTP PUT request method creates a new resource or replaces a representation of the
target resource with the request payload.
OPTIONS
The HTTP OPTIONS method is used to describe the communication options for the target
resource. The client can specify a URL for the OPTIONS method, or an asterisk (*) to refer to
the entire server.
HEAD
This is identical to the GET method but tells the server to not send the actual body of the
message. Thus, the response will contain all of the headers that would have
accompanied a reply to the equivalent GET message, including entity headers describing
the entity that the server would have sent had the method been GET. This method is
often used by the client to check the existence, status or size of a file before
deciding whether or not it wants the server to send the whole thing.
HEAD requests are processed in the same way as GET requests, except that only the
headers are returned, not the actual resource. It is used to get the meta data (like
content length).
DELETE
Requests that the specified resource be deleted. This has the same issues as PUT and is
not often used for similar reasons. If this method is used to delete a resource which
has been deleted already, it would get a 404 (Not found error), if its successful, it
would get 200 (OK).
Response Codes
To have a server check the request's headers, a client must send Expect: 100-
continue as a header in its initial request and receive a 100 Continue status code
in response before sending the body.
200(OK) :- The 200 (OK) status code indicates that the request has succeeded. The
payload sent in a 200 response depends on the request method. For the methods
defined by this specification, the intended meaning of the payload can be summarized
as:
GET a representation of the target resource;
HEAD the same representation as GET, but without the representation data;
POST a representation of the status of, or results obtained from, the action;
PUT, DELETE a representation of the status of the action;
OPTIONS a representation of the communications options;
TRACE a representation of the request message as received by the end server
201(Created):- The HTTP 201 Created success status response code indicates that
the request has succeeded and has led to the creation of a resource. The new resource is
effectively created before this response is sent back and the new resource is returned in
the body of the message, its location being either the URL of the request, or the content
of the Location header.
The common use case of this status code is as the result of a put request.
204 No Content :- The HTTP 204 No Content success status response code indicates
that the request has succeeded, but that the client doesn't need to go away from its
current page. A 204 response is cacheable by default. An ETag header is included in such
a response.
The common use case is to return 204 as a result of a PUT request, updating a resource,
without changing the current content of the page displayed to the user. If the resource is
created, 201 Created is returned instead. If the page should be changed to the newly
updated page, the 200 should be used instead.
206 Partial Content :- The HTTP 206 Partial Content success status response code
indicates that the request has succeeded and has the body contains the requested ranges
of data, as described in the Range header of the request.
If there is only one range, the Content-Type of the whole response is set to the type of the
document, and a Content-Range is provided.
If several ranges are sent back, the Content-Type is set to multipart/byteranges and each
fragment covers one range, with Content-Range and Content-Type describing it.
301 (Moved Permanently):- The HyperText Transfer Protocol (HTTP) 301
Moved Permanently redirect status response code indicates that the resource
requested has been definitively moved to the URL given by the Location headers. A
browser redirects to this page and search engines update their links to the resource
Note: For historical reasons, a user agent MAY change the request method from POST to
GET for the subsequent request. If this behaviour is undesired, the 308 (Permanent
Redirect status code can be used instead. A 301 response is cacheable by default;
302 (Found):- The HyperText Transfer Protocol (HTTP) 302 Found redirect status
response code indicates that the resource requested has been temporarily moved to the
URL given by the Location header. A browser redirects to this page but search engines
don't update their links to the resource.
Note: For historical reasons, a user agent MAY change the request method from POST to
GET for the subsequent request. If this behavior is undesired, the 307 (Temporary
Redirect) status code can be used instead.
303 (Other):- The 303 (See Other) status code indicates that the server is redirecting
the user agent to a different resource, as indicated in the Location header field, which is
intended to provide an indirect response to the original request
304 Not Modified:- This is used for caching purposes. It tells the client that the
response has not been modified, so the client can continue to use the same cached
version of the response.
307 (Temporary Redirect):- HTTP 307 Temporary Redirect redirect status
response code indicates that the resource requested has been temporarily moved to the
URL given by the Location headers.
The method and the body of the original request are reused to perform the redirected
request. In the cases where you want the method used to be changed to GET, use 303 See
Other instead.
Note: This status code is similar to 302 (Found), except that it does not allow changing
the request method from POST to GET.
308 (Permanent Redirect):- status code indicates that the target resource has
been assigned a new permanent URI and any future references to this resource ought to
use one of the enclosed URIs.
The server SHOULD generate a Location header field in the response containing a
preferred URI reference for the new permanent URI. The user agent MAY use the
Location field value for automatic redirection. A 308 response is cacheable by default;
Note: This status code is similar to 301 (Moved Permanently) except that it does not
allow changing the request method from POST to GET.
400 (Bad Request):- status code indicates that the server cannot or will not process
the request due to something that is perceived to be a client error (e.g., malformed
request syntax, invalid request message framing, or deceptive request routing).
401 (Unauthorized):- status code indicates that the request has not been applied
because it lacks valid authentication credentials for the target resource. The server
generating a 401 response MUST send a WWW-Authenticate header field containing at
least one challenge applicable to the target resource.
If the request included authentication credentials, then the 401 response indicates that
authorization has been refused for those credentials. The user agent MAY repeat the
request with a new or replaced Authorization header field (Section 4.2). If the 401
response contains the same challenge as the prior response, and the user agent has
already attempted authentication at least once, then the user agent SHOULD present the
enclosed representation to the user, since it usually contains relevant diagnostic
information.
403 (Forbidden):- status code indicates that the server understood the request but
refuses to authorize it. A server that wishes to make public why the request has been
forbidden can describe that reason in the response payload.
If authentication credentials were provided in the request, the server considers them
insufficient to grant access. The client SHOULD NOT automatically repeat the request
with the same credentials. The client MAY repeat the request with new or different
credentials. However, a request might be forbidden for reasons unrelated to the
credentials.
An origin server that wishes to "hide" the current existence of a forbidden target
resource MAY instead respond with a status code of 404 (Not Found).
a 401 Unauthorized response should be used for missing or bad authentication, and a 403
Forbidden response should be used afterwards, when the user is authenticated but isn’t
authorized to perform the requested operation on the given resource.
There's a problem with 401 Unauthorized, the HTTP status code for authentication errors.
And that’s just it: it’s for authentication, not authorization. Receiving a 401 response is the
server telling you, “you aren’t authenticated–either not authenticated at all or authenticated
incorrectly–but please reauthenticate and try again.” To help you out, it will always include
a WWW-Authenticate header that describes how to authenticate.
This is a response generally returned by your web server, not your web application.
It’s also something very temporary; the server is asking you to try again.
So, for authorization I use the 403 Forbidden response. It’s permanent, it’s tied to my
application logic, and it’s a more concrete response than a 401.
Receiving a 403 response is the server telling you, “I’m sorry. I know who you are–I believe
who you say you are–but you just don’t have permission to access this resource. Maybe if
you ask the system administrator nicely, you’ll get permission. But please don’t bother me
again until your predicament changes.”
In summary, a 401 Unauthorized response should be used for missing or bad authentication,
and a 403 Forbidden response should be used afterwards, when the user is authenticated
but isn’t authorized to perform the requested operation on the given resource.
401 Unauthorized:
If the request already included Authorization credentials, then the 401 response indicates
that authorization has been refused for those credentials.
403 Forbidden:
404 (Not Found):- The HTTP 404 Not Found client error response code indicates
that the server can't find the requested resource. Links which lead to a 404 page are
often called broken or dead links, and can be subject to link rot.
A 404 status code does not indicate whether the resource is temporarily or permanently
missing. But if a resource is permanently removed, a 410 (Gone) should be used instead
of a 404 status.
405 (Method Not Allowed):- status code indicates that the method received in the
request-line is known by the origin server but not supported by the target resource.
The origin server MUST generate an Allow header field in a 405 response containing a
list of the target resource's currently supported methods.
406 (Not Acceptable):- The HyperText Transfer Protocol (HTTP) 406 Not
Acceptable client error response code indicates that the server cannot produce a
response matching the list of acceptable values defined in the request's proactive content
negotiation headers, and that the server is unwilling to supply a default representation.
409 (Conflict):- The HTTP 409 Conflict response status code indicates a request
conflict with current state of the server.
Conflicts are most likely to occur in response to a PUT request. For example, you may get
a 409 response when uploading a file which is older than the one already on the server
resulting in a version control conflict.
410 (Gone):- The HyperText Transfer Protocol (HTTP) 410 Gone client error
response code indicates that access to the target resource is no longer available at the
origin server and that this condition is likely to be permanent.
If you don't know whether this condition is temporary or permanent, a 404 status code
should be used instead.
500 (Internal Server Error):- status code indicates that the server encountered
an unexpected condition that prevented it from fulfilling the request.
501 (Not Implemented):- status code indicates that the server does not support
the functionality required to fulfill the request. This is the appropriate response when
the server does not recognize the request method and is not capable of supporting it for
any resource. A 501 response is cacheable by default.
502 (Bad Gateway):- status code indicates that the server, while acting as a
gateway or proxy, received an invalid response from an inbound server it accessed
while attempting to fulfill the request.
503 (Service Unavailable):- status code indicates that the server is currently
unable to handle the request due to a temporary overload or scheduled maintenance,
which will likely be alleviated after some delay. The server MAY send a Retry-After
header field to suggest an appropriate amount of time for the client to wait before
retrying the request.
Note: The existence of the 503 status code does not imply that a server has to use it
when becoming overloaded. Some servers might simply refuse the connection.
504 (Gateway Timeout):- status code indicates that the server,while acting as a
gateway or proxy, did not receive a timely response from an upstream server it needed
to access in order to complete the request.
The 501 (Not Implemented) status code indicates that the server does not support the
functionality required to fulfill the request. ... The 405 (Method Not Allowed) status code
indicates that the method received in the request-line is known by the origin server but not
supported by the target resource.
The client initiates an HTTP session by opening a TCP connection to the HTTP server
with which it wishes to communicate. It then sends request messages to the server, each
of which specifies a particular type of action that the user of the HTTP client would like
the server to take. Requests can be generated either by specific user action (such as
clicking a hyperlink in a Web browser) or indirectly as a result of a prior action (such as
a reference to an inline image in an HTML document leading to a request for that
image.)
HTTP requests use a message format that is based on the generic message format
described in the preceding topic, but specific to the needs of requests. The structure of
this
format is as follows (see Figure 317):
<request-line>
<general-headers>
<request-headers>
<entity-headers>
<empty-line>
[<message-body>]
[<message-trailers>]
Request Line
The generic start line that begins all HTTP messages is called a request line in request
messages. Its has a three-fold purpose: to indicate the command or action that the client
wants performed; to specify a resource upon which the action should be taken; and to
indicate to the server what version of HTTP the client is using. The formal syntax for the
request line is:
<METHOD> <request-uri> <HTTP-VERSION>
Headers
HTTP headers are the name or value pairs that are displayed in
the request and response messages of message headers for Hypertext Transfer Protocol
(HTTP). Usually, the header name and the value are separated by a single colon. HTTP
headers are an integral part of HTTP requests and responses.
General Headers: General headers refer mainly to the message itself, as opposed to its
contents. There are a few header fields which have general applicability for both
request and response messages, but which do not apply to the entity being transferred.
These header fields apply only to the message being transmitted.
Cache-Control
| Connection
| Date
| Pragma
| Trailer
| Transfer-Encoding
| Upgrade
| Via
| Warning
Request Headers: The request-header fields allow the client to pass additional
information about the request, and about the client itself, to the server. These fields act
as request modifiers, with semantics equivalent to the parameters on a programming
language method invocation.
Entity Headers: These are headers that describe the entity contained in the body of
the request, if any.
Request headers are obviously used only in request messages, but both general headers
and entity headers can appear in either a request or a response message.
entity-header
= Allow Section 14.7
| Content-Encoding ; Section 14.11
| Content-Language ; Section 14.12
| Content-Length ; Section 14.13
| Content-Location ; Section 14.14
| Content-MD5 ; Section 14.15
| Content-Range ; Section 14.16
| Content-Type ; Section 14.17
| Expires ; Section 14.21
| Last-Modified ; Section 14.29
Response Headers:
Accept-Ranges ; Section 14.5
| Age ; Section 14.6
| ETag ; Section 14.19
| Location ; Section 14.30
| Proxy-Authenticate ; Section 14.33
| Retry-After ; Section 14.37
| Server ; Section 14.38
| Vary ; Section 14.44
| WWW-Authenticate ; Section 14.47
Set-Cookie
A server MUST respond with a 400 (Bad Request) status code to any HTTP/1.1 request
message that lacks a Host header field and to any request message that contains more
than one Host header field or a Host header field with an invalid field-value.
Connection:- The Connection general header controls whether or not the network
connection stays open after the current transaction finishes. If the value sent is keep-
alive, the connection is persistent and not closed, allowing for subsequent requests to the
same server to be done.
Connection: keep-alive
Connection: close
Server:- The "Server" header field contains information about the software used by
the origin server to handle the request, which is often used by clients to help identify
the scope of reported interoperability problems.
Via:- The Via general header is added by proxies, both forward and reverse proxies, and
can appear in the request headers and the response headers. It is used for tracking
message forwards, avoiding request loops, and identifying the protocol capabilities of
senders along the request/response chain.
or
Vary:- The Vary HTTP response header determines how to match future request
headers to decide whether a cached response can be used rather than requesting a fresh
one from the origin server. It is used by the server to indicate which headers it used
when selecting a representation of a resource in a content negotiation algorithm.
The Vary header should be set on a 304 Not Modified response exactly like it would
have been set on an equivalent 200 OK response.
Accept:- The Accept request HTTP header advertises which content types, expressed
as MIME types, the client is able to understand. Using content negotiation, the server
then selects one of the proposals, uses it and informs the client of its choice with
the Content-Type response header.
Accept: <MIME_type>/<MIME_subtype>
Accept: <MIME_type>/*
Accept: */*
Accept-Encoding: gzip
Accept-Encoding: compress
Accept-Encoding: deflate
Accept-Encoding: br
Accept-Encoding: identity
Accept-Encoding: *
Accept-Language: <language>
Accept-Language: *
Content-Length:- The Content-Length entity header indicates the size of the entity-
body, in bytes, sent to the recipient.
Content-Length: <length>
Content-type:- The Content-Type entity header is used to indicate the media type of
the resource.
In responses, a Content-Type header tells the client what the content type of the returned
content actually is.
Date:- The Date general HTTP header contains the date and time at which the message
was originated.
Expires:- The Expires header contains the date/time after which the response is considered
stale.
Expires: <http-date>
Cookie: - The Cookie HTTP request header contains stored HTTP cookies previously
sent by the server with the Set-Cookie header.
The Cookie header is optional and may be omitted if, for example, the browser's privacy
settings block cookies.
Cookie: <cookie-list>
Cookie: name=value
Cache-Control: max-age=<seconds>
Cache-Control: max-stale[=<seconds>]
Cache-Control: min-fresh=<seconds>
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-transform
Cache-Control: only-if-cached
Cache-Control: must-revalidate
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: no-transform
Cache-Control: public
Cache-Control: private
Cache-Control: proxy-revalidate
Cache-Control: max-age=<seconds>
Cache-Control: s-maxage=<second
Location:- The Location response header indicates the URL to redirect a page to. It
only provides a meaning when served with a 3xx (redirection) or 201 (created) status
response.
Caching:- The performance of web sites and applications can be significantly improved
by reusing previously fetched resources. Web caches reduce latency and network traffic
and thus lessen the time needed to display a representation of a resource. By making use
of HTTP caching, Web sites become more responsive.
Caching is a technique that stores a copy of a given resource and serves it back when
requested. When a web cache has a requested resource in its store, it intercepts the
request and returns its copy instead of re-downloading from the originating server. This
achieves several goals:
There are several kinds of caches: these can be grouped into two main categories:
private or shared caches. A shared cache is a cache that stores responses for reuse by
more than one user. A private cache is dedicated to a single user.
No caching
The cache should not store anything about the client request or server response. A
request is sent to the server and a full response is downloaded each and every time.
Cache-Control: no-store
A cache will send the request to the origin server for validation before releasing a cached
copy.
Cache-Control: no-cache
The "public" directive indicates that the response may be cached by any cache. This can
be useful, if pages with HTTP authentication or response status codes that aren't
normally cacheable, should now be cached.
On the other hand, "private" indicates that the response is intended for a single user only
and must not be stored by a shared cache. A private browser cache may store the
response in this case.
Cache-Control: private
Cache-Control: public
Expiration
The most important directive here is "max-age=<seconds>" which is the maximum amount
of time a resource will be considered fresh. Contrary to Expires, this directive is relative to
the time of the request.
Cache-Control: max-age=31536000
Validation:- When using the "must-revalidate" directive, the cache must verify the
status of the stale resources before using it and expired ones should not be used. For
more details.
Cache-Control: must-revalidate
ETags
The ETag HTTP response header is an identifier for a specific version of a resource. It
allows caches to be more efficient, and saves bandwidth, as a web server does not need
to send a full response if the content has not changed. On the other side, if the content
has changed, etags are useful to help prevent simultaneous updates of a resource from
overwriting each other ("mid-air collisions").
If the resource at a given URL changes, a new Etag value must be generated. Etags are
therefore similar to fingerprints and might also be used for tracking purposes by some
servers. A comparison of them allows the determination of whether two representations
of a resource are the same. They might also be set to persist indefinitely by a tracking
server.
If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"
The server compares the client's ETag (sent with If-None-Match) with the ETag for its
current version of the resource, and if both values match (that is, the resource has not
changed), the server sends back a 304 Not Modified status, without a body, which tells the
client that the cached version of the response is still good to use (fresh)
HTTP Cookies:-
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends
to the user's web browser. The browser may store it and send it back with the next
request to the same server. Typically, it's used to tell if two requests came from the same
browser — keeping a user logged-in, for example. It remembers stateful information for
the stateless HTTP protocol.
Cookies are mainly used for three purposes:
Session management- Logins, shopping carts, game scores, or anything else the server should
remember
Personalization - User preferences, themes, and other settings
Creating cookies
When receiving an HTTP request, a server can send a Set-Cookie header with the response.
The cookie is usually stored by the browser, and then the cookie is sent with requests
made to the same server inside a Cookie HTTP header. An expiration date or duration can
be specified, after which the cookie is no longer sent. Additionally, restrictions to a
specific domain and path can be set, limiting where the cookie is sent.
Set-Cookie: <cookie-name>=<cookie-value>
This header from the server tells the client to store a cookie.
HTTP/2.0 200 OK
Content-type: text/html
Set-Cookie: yummy_cookie=choco
Set-Cookie: tasty_cookie=strawberry
[page content]
Now, with every new request to the server, the browser will send back all previously
stored cookies to the server using the Cookie header.
Session cookies
The cookie created above is a session cookie: it is deleted when the client shuts down,
because it didn't specify an Expires or Max-Age directive. However, web browsers may
use session restoring, which makes most session cookies permanent, as if the browser
was never closed.
Permanent cookies
Instead of expiring when the client closes, permanent cookies expire at a specific date
(Expires) or after a specific length of time (Max-Age).
Third-party cookies
Cookies have a domain associated to them. If this domain is the same as the domain of
the page you are on, the cookies is said to be a first-party cookie. If the domain is
different, it is said to be a third-party cookie. While first-party cookies are sent only to the
server setting them, a web page may contain images or other components stored on
servers in other domains (like ad banners). Cookies that are sent through these third-
party components are called third-party cookies and are mainly used for advertising and
tracking across the web. See for example the types of cookies used by Google. Most
browsers allow third-party cookies by default, but there are add-ons available to block
them (for example, Privacy Badger by the EFF).
If you are not disclosing third-party cookies, consumer trust might get harmed if cookie
use is discovered. A clear disclosure (such as in a privacy policy) tends to eliminate any
negative effects of a cookie discovery. Some countries also have legislation about cookies.
See for example Wikimedia Foundation's cookie statement.
Directives
<client>
The client IP address
<proxy1>, <proxy2>
If a request goes through multiple proxies, the IP addresses of each successive proxy is
listed. This means, the right-most IP address is the IP address of the most recent proxy
and the left-most IP address is the IP address of the originating client.
The problem with this mechanism is that it forces the user to wait for the browser to
discover and retrieve critical assets until after an HTML document has been
downloaded. This delays rendering and increases load times.
With server push, we have a solution to this problem. Server push lets the server
preemptively “push” website assets to the client without the user having explicitly
asked for them. When used with care, we can send what we know the user is going to
need for the page they’re requesting.
Let’s say you have a website where all pages rely on styles defined in an external style
sheet named styles.css. When the user requests index.html from the server, we can
push styles.css to the user just after we begin sending the response for index.html.
Web server communication with HTTP/2 server push. (Large preview)
Rather than waiting for the server to send index.html and then waiting for the browser
to request and receive styles.css, the user only has to wait for the server to respond
with both index.html and styles.css on the initial request. This means that the browser
can begin rendering the page faster than if it had to wait.
As you can imagine, this can decrease the rendering time of a page. It also solves some
other problems, particularly in front-end development workflows.
Directives
max-age=<expire-time>
The time, in seconds, that the browser should remember that a site is only to be
accessed using HTTPS.
preload Optional
The HTTP Strict Transport Security header informs the browser that it should never load
a site using HTTP and should automatically convert all attempts to access the site using
HTTP to HTTPS requests instead.
Note: The Strict-Transport-Security header is ignored by the browser when your site is
accessed using HTTP; this is because an attacker may intercept HTTP connections and
inject the header or remove it. When your site is accessed over HTTPS with no certificate
errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-
Security header.
An example scenario
You log into a free WiFi access point at an airport and start surfing the web, visiting your
online banking service to check your balance and pay a couple of bills. Unfortunately, the
access point you're using is actually a hacker's laptop, and they're intercepting your
original HTTP request and redirecting you to a clone of your bank's site instead of the
real thing. Now your private data is exposed to the hacker.
Strict Transport Security resolves this problem; as long as you've accessed your bank's
web site once using HTTPS, and the bank's web site uses Strict Transport Security, your
browser will know to automatically use only HTTPS, which prevents hackers from
performing this sort of man-in-the-middle attack.
The secure flag ensures that the setting and transmitting of a cookie is only done in a secure
manner (i.e. https). If there is an option for http, secure flag should prevent transmission of that
cookie. Therefore, a missing secure flag becomes an issue if there is an option to use or fall back
to http.
httpOnly ensures that scripting languages (ie. javascript) won't be able to get the cookie value
(such as through document.cookie). The only way to get it is through http request and response
headers. Therefore, a missing httpOnly coupled with XSS vulnerability is a recipe for stolen
session token.
It's best to put httpOnly and secure flag for your session token. Other cookies, it would depend
on how sensitive it is and what is it used for.
Please read this document carefully as anything could be asked out of it.