How does HTTP work?
HTTP is one of the most important protocols of the internet/web. Knowledge and understanding of the HTTP protocol will help you understand how data flows from source to destination/s and secure this data. HTTP uses the TCP protocol that provides reliable and error-checked delivery of data from one point to another. HTTP uses port 80 as its default and port 443 when using HTTPS (HTTP over TLS).
HTTP is a message-based protocol that is stateless (a HTTP server does not keep track of any state information). The HTTP messages consist of requests from a client to a server and responses from the server to a client.
What an HTTP URL looks like:
HTTP request establishes a TCP connection from a client to a server.
Request:
GET /HTTP/1.1
Host: www.healthybyte.net/path
The Method token shows the method that is needed on the resource to identify by the Request-URI.
Method = "OPTIONS" ; | "GET" ; | "HEAD" ; | "POST" ; | "PUT" ; | "DELETE" ; | "TRACE" ; | "CONNECT" ; | extension-method extension-method = token
The HTTP response is when a server sends back an HTTP response to the client for the request made.
Response:
HTTP/1.1 200 OK
Content-Type: text/html
HTTP header fields, which include general-header, request-header, response-header, and entity-header fields. The message-body (if any) of an HTTP message is used to carry the entity-body associated with the request or response. The transfer length checks the length of the message-body in the message after any transfer codings are applied.
Status Codes
- 1xx: Informational - Request received, continuing process
- 2xx: Success - The action was successfully received, understood, and accepted
- 3xx: Redirection - Moved to another location
- 4xx: Client Error - The request contains the wrong syntax or cannot be fulfilled
- 5xx: Server Error - The server fails to fulfill a valid request
Persistent HTTP Connections:
By opening and closing fewer TCP connections, CPU time is saved in routers and hosts (clients, servers, proxies, gateways, tunnels, or caches) and can save the memory used for TCP protocol control blocks in hosts.
HTTP requests and responses can be pipelined on a connection. Pipelining allows a client to make increased requests without waiting for each response, thus allows a single TCP connection to be used more efficiently, with lower elapsed time.
Network congestion is reduced by reducing the number of packets caused by TCP opens and allowing TCP sufficient time to determine the network's congestion state.
Latency on consequent requests is reduced since there is no time spent in TCP's connection opening handshake. - HTTP can evolve more gracefully and can report errors without the penalty of closing the TCP connection. Clients using future HTTP versions might favorably try a new feature, but if communicating with an older server, retry with old semantics after reporting errors.
HTTP consists of two built-in authentication mechanisms.
Basic: This is when a client sends an HTTP request to a server, and the server will get back with a 401 response. The client must then input their username and password, which is base64-encoded. This form of authentication is not the most secure as it is susceptible to Man-in-the-Middle attacks, and to mitigate these attacks, one must use TLS/SSL along with HTTP
Digest: Works the same until the point of inputting credentials, but now the HTTP client uses MD5 cryptographic hashing using nonce (An arbitrary number) values that mitigate attacks such as replays.