>[!quote] In a Nutshell
>Foundation of data communication for the World Wide Web. It is an [[Internet Protocol Suite (TCP-IP)|application-layer protocol in the Internet protocol suite model]].
---
HTTP defines how messages are formatted and transmitted on the internet, and what actions web servers and browsers should take in response to various commands.
* **Application Layer Protocol:** Operates at the highest level of the TCP/IP model.
* **Client-Server Model:** Involves a client (typically a web browser) sending requests to a server (typically a web server hosting website data).
* **Stateless Protocol:** Each request from a client to a server is treated independently. The server does not retain any information about previous client requests. This simplifies server design but requires mechanisms like cookies and sessions to maintain user state.
* **Request-Response Paradigm:** Clients initiate communication by sending requests, and servers respond with data or status information.
The HTTP protocol operates on a client-server architecture:
* **Client:** Usually a web browser (Chrome, Firefox, Safari, etc.) or any application that needs to access resources on a server. The client initiates an HTTP request to the server.
* **Server:** A computer program (like Apache, Nginx, IIS) that listens for HTTP requests from clients and responds with the requested resources (HTML pages, images, videos, etc.) or an error message.
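The request-response and stateless behaviour described above, as an added example that is not code from the original note: a throwaway `http.server` instance on localhost treats every `GET` independently and only "remembers" a visitor through the cookie it issued on the first visit. The in-memory session store, the `sid` cookie name and the handler are assumptions made for the illustration.

```python
"""Two-request exchange showing HTTP statelessness and cookie-carried session state."""
import http.client
import http.server
import secrets
import threading
from http.cookies import SimpleCookie

# Constructed in-memory session store (assumption for the example): sid -> next visit number.
SESSIONS = {}


class SessionHandler(http.server.BaseHTTPRequestHandler):
    """Handles each request independently; the only link between requests is the cookie."""

    def do_GET(self):
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookies["sid"].value if "sid" in cookies else None
        self.send_response(200)
        if sid in SESSIONS:
            # The server recognises the client solely because it presented a sid we issued.
            body = f"welcome back, visit {SESSIONS[sid]}".encode()
            SESSIONS[sid] += 1
        else:
            sid = secrets.token_urlsafe(16)          # unguessable session identifier
            SESSIONS[sid] = 2
            body = b"hello, new session"
            # HttpOnly keeps script away from the cookie, SameSite=Lax keeps it off
            # cross-site requests; over HTTPS you would add the Secure attribute too.
            self.send_header("Set-Cookie", f"sid={sid}; HttpOnly; SameSite=Lax; Path=/")
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def run_exchange():
    """Start a server on an ephemeral localhost port and send two GETs from one client.

    Returns one (status, body, cookie_was_sent) tuple per request.
    """
    server = http.server.HTTPServer(("127.0.0.1", 0), SessionHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results, cookie = [], None
    try:
        for _ in range(2):
            conn = http.client.HTTPConnection("127.0.0.1", server.server_port)
            headers = {"Cookie": cookie} if cookie else {}
            conn.request("GET", "/", headers=headers)      # new connection: server holds no state
            resp = conn.getresponse()
            body = resp.read().decode()
            set_cookie = resp.getheader("Set-Cookie")
            if set_cookie:
                cookie = set_cookie.split(";", 1)[0]       # keep just "sid=<value>" for replay
            results.append((resp.status, body, bool(headers)))
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for status, body, sent_cookie in run_exchange():
        print(status, repr(body), "cookie sent" if sent_cookie else "no cookie")
```

The first response carries `Set-Cookie`; the second request is indistinguishable from a stranger's until the server reads the `Cookie` header, which is exactly why a session identifier must be unguessable and protected by the cookie attributes shown.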
---
#### HTTP Requests
An HTTP request is sent by the client to the server. It consists of the following components:
**Request Line**
```http
GET /products/123 HTTP/1.1
```
Method, request target and protocol version, separated by single spaces and terminated by CRLF.
* **HTTP Method:** Indicates the action the client wants to perform on the resource. Common methods include:
* `GET`: Requests a specific resource.
* `POST`: Submits data to be processed by the server.
* `PUT`: Updates an existing resource or creates a new resource at a specified URI.
* `DELETE`: Deletes a specific resource.
* `HEAD`: Similar to GET, but only retrieves the headers, not the body.
* `OPTIONS`: Describes the communication options for the target resource.
* `CONNECT`: Establishes a tunnel to the server identified by the target resource.
* `TRACE`: Performs a message loop-back test along the path to the target resource (the server echoes the request it received; commonly disabled on production servers because the echo includes any credentials sent in headers).
* `PATCH`: Applies partial modifications to a resource.
* **Request Target (URI):** Identifies the resource on the server that the client wants to access. It can be in various forms:
* **Origin Form:** `/index.html` (most common form for GET requests).
* **Absolute Form:** `http://www.example.com/index.html` (used in proxy requests).
* **Authority Form:** `www.example.com:80` (used for CONNECT requests).
* **Asterisk Form:** `*` (used for OPTIONS requests to the server as a whole).
* **HTTP Version:** Indicates the version of the HTTP protocol being used (e.g., `HTTP/1.1`). HTTP/2 and HTTP/3 are binary-framed and carry the same information as the `:method`, `:scheme`, `:authority` and `:path` pseudo-headers rather than as a textual request line.
**Request Headers**
```http
Host: api.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Accept: application/json
```
Provide additional information about the request to the server. They are key-value pairs, one `Name: value` header per line, terminated by CRLF; header names are case-insensitive. Every request header is chosen by the client, so values such as `Host`, `User-Agent` and `Referer` are untrusted input to the server. Common request headers include:
* `Host`: Specifies the domain name (and optionally port) of the server. Mandatory in HTTP/1.1 and essential for virtual hosting. Because it is client-supplied, applications that use it to build absolute URLs (links, redirects, password-reset mails) should validate it against the list of hostnames they actually serve.
* `User-Agent`: Identifies the client software making the request (e.g., browser name and version).
* `Accept`: Indicates the content types the client can understand.
* `Accept-Language`: Specifies the preferred language(s) for the response.
* `Accept-Encoding`: Lists the content encodings the client can handle (e.g., gzip, deflate).
* `Connection`: Controls options for the current connection (e.g., `keep-alive` to reuse the connection).
* `Cookie`: Contains cookies previously sent by the server.
* `Referer`: Indicates the URL of the page that linked to the requested resource.
**Request Body (Optional)**
Contains data sent to the server, typically used with `POST`, `PUT`, and `PATCH` requests. The format of the body is specified by the `Content-Type` header. Examples include form data, JSON, XML, etc.
---
#### HTTP Response
An HTTP response is sent by the server back to the client after receiving and processing a request. It consists of the following components:
**Status Line**
```http
HTTP/1.1 200 OK
```
- **HTTP Version:** Indicates the version of the HTTP protocol used by the server.
- **Status Code:** A three-digit integer code that indicates the outcome of the request.
| Status Code | Description | Category |
|-------------|-------------------------------------------------|---------------|
| 200 | OK - The request was successful. | Success |
| 201 | Created - A new resource was created. | Success |
| 204 | No Content - Request processed, no body returned. | Success |
| 301 | Moved Permanently - Resource moved to a new URL. | Redirection |
| 302 | Found - Resource temporarily resides elsewhere. | Redirection |
| 304 | Not Modified - Resource hasn't changed. | Redirection |
| 400 | Bad Request - Server couldn't understand. | Client Error |
| 401 | Unauthorized - Authentication is required. | Client Error |
| 403 | Forbidden - Server refuses to authorize. | Client Error |
| 404 | Not Found - Resource doesn't exist. | Client Error |
| 500 | Internal Server Error - Unexpected server error. | Server Error |
| 503 | Service Unavailable - Server is temporarily down. | Server Error |
* **Reason Phrase:** A human-readable description of the status code.
**Response Headers**
```http
Content-Type: application/json
Content-Length: 150
Date: Thu, 17 Apr 2025 14:30:00 GMT
Server: Apache/2.4.54 (Unix)
```
Provide additional information about the response. They are also key-value pairs. Common response headers include:
* `Content-Type`: Specifies the media type of the response body (e.g., `text/html`, `application/json`, `image/jpeg`).
* `Content-Length`: Indicates the size of the response body in bytes.
* `Date`: The date and time at which the response was generated by the server.
* `Server`: Identifies the web server software used by the server. Often minimised or removed in hardened deployments, since a precise version string tells an attacker which known issues to try.
* `Location`: Used in redirects (3xx status codes) to specify the new URL.
* `Set-Cookie`: Instructs the client to store a cookie. Session cookies should carry the `Secure`, `HttpOnly` and `SameSite` attributes so they are only sent over HTTPS, are unreadable from script, and are not attached to cross-site requests.
* `Cache-Control`: Specifies directives for caching the response.
* `ETag`: An entity tag representing a specific version of the resource. Used for cache validation.
* `Last-Modified`: Indicates the date and time the resource was last modified.
**Response Body (Optional)**
Contains the data requested by the client. The format is determined by the `Content-Type` header. For example, for a request for an HTML page, the body would contain the HTML markup.
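The request anatomy (request line, target forms, headers, body) and the response anatomy (status line, status classes, headers, body) from the two sections above, handled by one added parser. This is example code written for this note, not code from any server or library; the sample messages are constructed. The parser deliberately covers only `Content-Length` framing (no chunked transfer coding, no obsolete header folding) and refuses the ambiguous cases a practitioner cares about: a malformed start line, an HTTP/1.1 request without `Host`, and a non-numeric or conflicting `Content-Length`, since a message whose length two parties can read differently is where proxies and origin servers get out of sync.

```python
"""Minimal HTTP/1.1 message parser covering both requests and responses (example code)."""
import re
from dataclasses import dataclass, field

METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "CONNECT", "TRACE", "PATCH"}
# Header field names are RFC 9110 tokens: no spaces, colons or control characters.
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
STATUS_CLASSES = {1: "informational", 2: "success", 3: "redirection",
                  4: "client error", 5: "server error"}


@dataclass
class Message:
    kind: str                                    # "request" or "response"
    version: str                                 # e.g. "HTTP/1.1"
    headers: dict = field(default_factory=dict)  # names lower-cased (header names are case-insensitive)
    body: bytes = b""
    method: str = ""        # request only
    target: str = ""        # request only
    target_form: str = ""   # origin / absolute / authority / asterisk
    status: int = 0         # response only
    reason: str = ""        # response only

    @property
    def status_class(self) -> str:
        return STATUS_CLASSES.get(self.status // 100, "unknown")


def classify_target(method: str, target: str) -> str:
    """Name the request-target form, as listed under Request Line."""
    if target == "*":
        return "asterisk"
    if target.startswith("/"):
        return "origin"
    if method == "CONNECT":
        return "authority"          # host:port, only meaningful for CONNECT
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", target):
        return "absolute"           # full URL, as sent to a proxy
    raise ValueError(f"unrecognised request target: {target!r}")


def parse_headers(lines) -> dict:
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or not TOKEN.match(name):
            raise ValueError(f"malformed header line: {line!r}")
        name, value = name.lower(), value.strip()
        if name == "content-length" and name in headers:
            if headers[name] != value:   # two lengths = ambiguous message boundary; refuse
                raise ValueError("conflicting Content-Length headers")
            continue
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_message(raw: bytes) -> Message:
    """Parse one complete HTTP/1.1 message: start line, headers, Content-Length body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: header section not terminated by a blank line")
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split(" ")
    headers = parse_headers(lines[1:])
    if start[0].startswith("HTTP/"):                       # status line, so a response
        if len(start) < 2 or not re.fullmatch(r"[1-5][0-9]{2}", start[1]):
            raise ValueError(f"malformed status line: {lines[0]!r}")
        msg = Message("response", start[0], headers,
                      status=int(start[1]), reason=" ".join(start[2:]))
    else:                                                   # request line
        if len(start) != 3 or start[0] not in METHODS or not start[2].startswith("HTTP/"):
            raise ValueError(f"malformed request line: {lines[0]!r}")
        method, target, version = start
        if version == "HTTP/1.1" and "host" not in headers:
            raise ValueError("HTTP/1.1 request without a Host header")
        msg = Message("request", version, headers, method=method, target=target,
                      target_form=classify_target(method, target))
    if "content-length" in headers:
        length = headers["content-length"]
        if not re.fullmatch(r"[0-9]+", length):
            raise ValueError(f"invalid Content-Length: {length!r}")
        if len(rest) < int(length):
            raise ValueError("body shorter than Content-Length")
        msg.body = rest[:int(length)]
    return msg


def rejects(raw: bytes) -> bool:
    """True when the parser refuses the message; used to exercise the failure cases."""
    try:
        parse_message(raw)
    except ValueError:
        return True
    return False


# Constructed sample messages, shaped like the examples in the sections above.
SAMPLE_REQUEST = (b"GET /products/123 HTTP/1.1\r\n"
                  b"Host: api.example.com\r\n"
                  b"User-Agent: Mozilla/5.0\r\n"
                  b"Accept: application/json\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: application/json\r\n"
                   b"Content-Length: 11\r\n"
                   b"Date: Thu, 17 Apr 2025 14:30:00 GMT\r\n\r\n"
                   b'{"id": 123}')
```

Headers are keyed by lower-cased name because clients may send `host`, `Host` or `HOST`; a check that only looks for one spelling is the kind of gap that lets a duplicate or oddly-cased header slip past.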
---
#### HTTPS (HTTP Secure)
HTTPS is HTTP carried over TLS (Transport Layer Security). SSL (Secure Sockets Layer) is the deprecated predecessor of TLS; every SSL version is now considered broken and should be disabled, as should TLS 1.0 and 1.1. The TLS layer encrypts the entire HTTP message (request line, headers and body) between client and server, which provides:
* **Confidentiality:** Prevents eavesdropping on the data being transmitted.
* **Integrity:** Ensures that the data has not been tampered with during transmission.
* **Authentication:** Verifies the identity of the server (and optionally the client, via a client certificate).
HTTPS typically uses port 443, while HTTP uses port 80. The server needs a valid TLS certificate: the client completes the connection only if the certificate chains to a CA it trusts and its name matches the host being requested. A client that disables that verification keeps the encryption but loses authentication, and with it confidentiality and integrity against an active attacker who can present their own certificate. Note what HTTPS does not hide: the destination IP address and, unless Encrypted Client Hello is used, the server name sent in the TLS handshake (SNI) remain visible on the wire.
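The client-side settings that turn "HTTP over TLS" into the three guarantees above, as an added example using Python's standard `ssl` module (not code from the original note). The hardened context is shown beside the common `verify=False` anti-pattern so the difference is concrete; `load_default_certs()` assumes the platform has a CA trust store, and the `https_get` call in the `__main__` block assumes network access to the public host `www.example.com`.

```python
"""TLS client settings behind HTTPS's confidentiality, integrity and authentication."""
import http.client
import ssl


def make_client_context() -> ssl.SSLContext:
    """Hardened client context: chain validation, hostname check, no legacy protocol versions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # client side; negotiates the highest common TLS version
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED            # certificate must chain to a trusted CA
    ctx.check_hostname = True                      # ...and must name the host we asked for
    ctx.load_default_certs()                       # platform CA store (assumed to be present)
    return ctx


def make_insecure_context() -> ssl.SSLContext:
    """The 'verify=False' anti-pattern: bytes are still encrypted, but any server (or an
    attacker in the path) presenting any certificate is accepted, so authentication is gone."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_report(ctx: ssl.SSLContext) -> dict:
    """Summarise whether a context actually authenticates the peer."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_version": ctx.minimum_version.name,
    }


def https_get(host: str, path: str = "/", ctx=None) -> int:
    """GET `path` from `host` over HTTPS (port 443) and return the status code; needs network."""
    conn = http.client.HTTPSConnection(host, 443, context=ctx or make_client_context(), timeout=10)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    print("hardened:", context_report(make_client_context()))
    print("insecure:", context_report(make_insecure_context()))
    # With the hardened context a mismatched or untrusted certificate raises
    # ssl.SSLCertVerificationError instead of silently connecting.
    print("status:", https_get("www.example.com"))
```

When reviewing client code, the two properties to look for are `verify_mode == CERT_REQUIRED` and `check_hostname == True`; either one missing means the "Authentication" bullet above no longer holds, however strong the cipher suite is.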