forked from uofa-cmput404/cmput404-slides
05-More-HTTP.html
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
<title>CMPUT 404</title>
<!-- Styling from reveal.js -->
<link rel="stylesheet" href="node_modules/reveal.js/css/reveal.css">
<link id="revealtheme" rel="stylesheet" href="">
<!-- Theme used for syntax highlighting of code -->
<link id="highlighttheme" rel="stylesheet" href="">
<!-- Custom Styling -->
<link rel="stylesheet" href="cmput404-slides.css">
<link id="404theme" rel="stylesheet" href="">
<!-- Scripts! -->
<script src="node_modules/reveal.js/lib/js/head.min.js"></script>
<script src="node_modules/reveal.js/js/reveal.js"></script>
<script src="node_modules/chai/chai.js"></script>
<script src="node_modules/fitty/dist/fitty.min.js"></script>
<script src="https://twemoji.maxcdn.com/2/twemoji.min.js"></script>
<script src="node_modules/highlightjs/highlight.pack.js"></script>
<script src="fiddler.js"></script><!-- make sure fiddler is last -->
</head>
<body>
<div class="reveal">
<div class="slides">
<!-- Anything before this will be sync'd with the other files in the directory if you run ./sync-header-footer.py *.html
HEADER --------------------------
-->
<section>
<h1>CMPUT 404</h1>
<h3>Web Applications and Architecture</h3>
<h2>Part 05: More HTTP</h2>
<p>
<small>Created by <br>
<a href="http://softwareprocess.es">Abram Hindle</a>
(<a href="mailto:[email protected]">[email protected]</a>) <br>
and Hazel Campbell (<a href="mailto:[email protected]">[email protected]</a>).<br>
Copyright 2014-2019.
</small>
</p>
</section>
<section>
<h3>HTTP PUT</h3>
<ul style="font-size: 85%">
<li>Like HTTP POST except the URI does not handle the request, it <em>is</em> the request.
<blockquote>
The URI in a POST request identifies the resource that
will handle the enclosed entity. That resource might be
a data-accepting process, a gateway to some other
protocol, or a separate entity that accepts annotations.
In contrast, the URI in a PUT request identifies the entity
enclosed with the request -- the user agent knows what
URI is intended and the server MUST NOT attempt to
apply the request to some other resource. <cite>Fielding, et al., RFC 2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6
</cite></blockquote>
</li>
</ul>
</section>
<section>
<h3>POST vs PUT</h3>
<div class="columns">
<div class="column">
<ul>
<li>URI identifies a service/handler/script/process</li>
<li>Arguments are stored in HTTP request body</li>
<li>The request body is interpreted by some software and processed</li>
<li><em>"Send this here for processing"</em></li>
</ul>
</div>
<div class="column">
<ul>
<li>URI identifies an <em>entity</em> (file, db entry...)</li>
<li>Arguments are stored in the URI query string or HTTP headers</li>
<li>Request body contains the entire entity</li>
<li><em>"Put this here, so I can GET it later"</em></li>
</ul>
</div>
</div>
</section>
<section>
<h3>POST vs PUT</h3>
<div class="columns">
<div class="column">
<ul>
<li>Login/logout</li>
<li>Reply</li>
<li>Post on a forum/blog</li>
<li>Upload multiple files (somewhere?)</li>
<li>Make an order</li>
<li>Fill out a survey/poll</li>
</ul>
</div>
<div class="column">
<ul>
<li>Create a new entity at the URI</li>
<li>Replace an existing entity at the URI</li>
<li>Add/replace an entry to a DB</li>
<li>Entity can be retrieved later with GET and the same URI</li>
</ul>
</div>
</div>
</section>
<section>
<h3>HTTP Delete</h3>
<ul style="font-size: 80%">
<li>Like HTTP POST except the URI does not handle the request, it <em>is</em> the request, a request to delete the entity at that URI.</li>
</ul>
<blockquote style="font-size: 80%">
The DELETE method requests that the origin server delete the resource
identified by the Request-URI. This method MAY be overridden by human
intervention (or other means) on the origin server. The client cannot be
guaranteed that the operation has been carried out, even if the status code
returned from the origin server indicates that the action has been
completed successfully. However, the server SHOULD NOT indicate success
unless, at the time the response is given, it intends to delete the resource
or move it to an inaccessible location.
A successful response SHOULD be 200 (OK) if the response includes an
entity describing the status, 202 (Accepted) if the action has not yet been
enacted, or 204 (No Content) if the action has been enacted but the
response does not include an entity.
<cite>Fielding, et al., RFC 2616: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.7</cite>
</blockquote>
</section>
<section>
<h3>POST vs DELETE</h3>
<div class="columns" style="font-size: 90%">
<div class="column">
<ul>
<li>URI identifies a service/handler/script/process</li>
<li>Arguments are stored in HTTP request body</li>
<li>The request body is interpreted by some software and processed</li>
<li><em>"Send this here for processing"</em></li>
</ul>
</div>
<div class="column">
<ul>
<li>URI identifies an <em>entity</em> (file, db entry...)</li>
<li>Arguments are stored in the URI query string or HTTP headers</li>
<li>Request body is usually empty</li>
<li>Response body is usually empty</li>
<li><em>"Delete this, so if I GET the same URI I will get a 404"</em></li>
</ul>
</div>
</div>
</section>
<section>
<h3>POST vs DELETE</h3>
<div class="columns">
<div class="column">
<ul>
<li>Login/logout</li>
<li>Reply</li>
<li>Post on a forum/blog</li>
<li>Upload multiple files (somewhere?)</li>
<li>Make an order</li>
<li>Fill out a survey/poll</li>
</ul>
</div>
<div class="column">
<ul>
<li>Delete the entity at the URI</li>
<li>Delete a file on the server's filesystem</li>
<li>Remove an entry in a DB</li>
<li>Entity <em>cannot</em> be retrieved later with GET and the same URI</li>
</ul>
</div>
</div>
</section>
<section>
<h3>HTTP PUT/GET/DELETE/GET</h3>
<p>In the following example we use ElasticSearch and we PUT, GET, DELETE and GET a single URI.</p>
<p>The URI represents an entry in the ElasticSearch index, a NoSQL database, not a file. The entries for ElasticSearch are formatted in JSON.</p>
<ul>
<li>PUT stores the entity</li>
<li>GET retrieves it</li>
<li>DELETE deletes it</li>
</ul>
</section>
<section>
<p>Step 1: PUT the entry in ElasticSearch</p>
<pre><code>curl -v --trace-ascii /dev/stdout -H 'Content-type: application/json' -X PUT http://cmput301.softwareprocess.es:8080/testing/junk/1 -d '{"name":"one"}'</code></pre>
<pre><code>PUT /testing/junk/1 HTTP/1.1
User-Agent: curl/7.29.0
Host: cmput301.softwareprocess.es:8080
Accept: */*
Content-type: application/json
Content-Length: 14
{"name":"one"}</code></pre>
<p>Server response:</p>
<pre><code>HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 68
{"ok":true,"_index":"testing","_type":"junk","_id":"1","_version":5}</code></pre>
</section>
<section>
<p>Step 2: GET the entry from ElasticSearch</p>
<pre><code>curl -v --trace-ascii /dev/stdout -H 'Accept: application/json' -X GET http://cmput301.softwareprocess.es:8080/testing/junk/1</code></pre>
<pre><code>GET /testing/junk/1 HTTP/1.1
User-Agent: curl/7.29.0
Host: cmput301.softwareprocess.es:8080
Accept: application/json
</code></pre>
<p>Server response:</p>
<pre><code>HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 100
{"_index":"testing","_type":"junk","_id":"1","_version":5,"exists":true, "_source" :{"name":"one"}}</code></pre>
</section>
<section>
<p>Step 3: DELETE the entry from ElasticSearch</p>
<pre><code>curl -v --trace-ascii /dev/stdout -X DELETE http://cmput301.softwareprocess.es:8080/testing/junk/1</code></pre>
<pre><code>DELETE /testing/junk/1 HTTP/1.1
User-Agent: curl/7.29.0
Host: cmput301.softwareprocess.es:8080
</code></pre>
<p>Server response:</p>
<pre><code>HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 81
{"ok":true,"found":true,"_index":"testing","_type":"junk","_id": "1","_version":6}
</code></pre>
</section>
<section>
<p>Step 4: GET the entry from ElasticSearch</p>
<pre><code>curl -v --trace-ascii /dev/stdout -H 'Accept: application/json' -X GET http://cmput301.softwareprocess.es:8080/testing/junk/1</code></pre>
<pre><code>GET /testing/junk/1 HTTP/1.1
User-Agent: curl/7.29.0
Host: cmput301.softwareprocess.es:8080
Accept: application/json
</code></pre>
<p>Server response:</p>
<pre><code>HTTP/1.1 404 Not Found
Content-Type: application/json; charset=UTF-8
Content-Length: 60
{"_index":"testing","_type":"junk","_id":"1","exists":false}</code></pre>
<p>It's gone, we deleted it.</p>
</section>
<section>
<h3>WebDAV</h3>
<ul>
<li>RFC: <a href="http://tools.ietf.org/html/rfc4918">http://tools.ietf.org/html/rfc4918</a></li>
<li>Like FTP but for the web!
<ul>
<li>Lets you create and upload to a URI using HTTP <var>PUT</var></li>
<li>Download from a URI using HTTP <var>GET</var></li>
<li>Delete an entity at a URI (and the URI) using HTTP <var>DELETE</var></li>
<li>Make directories/folders using a new HTTP command: HTTP <var>MKCOL</var>
<ul>
<li>MaKe COLlection</li>
</ul>
</li>
</ul>
</li>
</ul>
</section>
<section>
<h3>Why PUT/DELETE and WebDAV?</h3>
<ul>
<li>Why would we bother with HTTP PUT and DELETE when we have POST which can do both?</li>
</ul>
</section>
<section>
<h3>HTTP User Agent</h3>
<ul>
<li>A client/browser
<ul>
<li>In RFCs it usually means the HTTP client and often means a browser</li>
</ul>
<blockquote><b>Flynn</b>: Who's that guy?<br>
<b>Program</b>: That's Tron. He fights for the Users.
<cite>Tron, 1982</cite>
</blockquote>
</li>
</ul>
</section>
<section>
<h4>Example User-Agents</h4>
<ul style="font-size: 70%">
<li>Chrome 71.0 on Windows 10 on a PC:
<var class="light">Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36</var></li>
<li>Firefox 64.0 on Windows 10 on a PC:
<var class="light">Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0</var></li>
<li>Safari 12 on OSX 10.14:
<var class="light">Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15</var></li>
<li>MS Edge 17:
<var class="light">Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134</var></li>
</ul>
<cite>https://techblog.willshouse.com/2012/01/03/most-common-user-agents/ retrieved on 2019-01-21</cite>
</section>
<section style="font-size: 65%">
<p>Put the word Mobile in there if it's coming from a mobile device, iPhone for an iPhone, Android for an Android device, etc.</p>
<ul>
<li>Samsung Galaxy S8:
<var class="light">Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Mobile Safari/537.36</var></li>
<li>Apple iPhone X:
<var class="light">Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Mobile/15A372 Safari/604.1</var></li>
<li>Nintendo Switch:
<var class="light">Mozilla/5.0 (New Nintendo Switch like iPhone) AppleWebKit/536.30 (KHTML, like Gecko) NX/3.0.0.5.20 Mobile NintendoBrowser/1.9.10160.US</var></li>
</ul>
<p>Search engines gathering webpages so you can search them:</p>
<ul>
<li>Google's web crawler:
<var class="light">Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)</var></li>
</ul>
<cite>https://deviceatlas.com/blog/list-of-user-agent-strings retrieved on 2019-01-21</cite>
</section>
<section>
<p>What?</p>
<pre><code class="http">User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134</code></pre>
<p style="font-size: 80%">Microsoft Edge version 17<br>
which is based on Chrome 64<br>
which is based on WebKit 537 (part of Safari)<br>
(WebKit itself was forked from/based on KHTML, KDE's HTML rendering engine, but it claims to work like Gecko, Mozilla's old rendering engine)<br>
which is like Mozilla/5.0 (Netscape Navigator version 5.0)<br>
running on Windows NT 10.0 on a 64-bit Intel x86 CPU.<br>
</p>
<p style="font-size: 80%">So some code from KDE (a Linux desktop environment) is now in Microsoft's latest browser, Edge.</p>
<p style="font-size: 50%">2019: year of the Linux desktop on the Windows desktop</p>
</section>
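<section>
<p>Added example, not part of the original slides: a Python parser that splits the User-Agent strings shown above into product tokens and comments, next to substring sniffing, which reports both Edge and Chrome as Safari. The header is set by the client, so the result is a claim to log or use for content choices; the function names and the precedence order are assumptions of this example.</p>

```python
import re

# A User-Agent value is a sequence of product tokens (Name/Version) and
# parenthesised comments; this pattern yields them in order.
_PART = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/([^\s()]+))?")

# Most specific product first: Edge's string also carries Chrome and Safari
# tokens, and Chrome's carries Safari.
_PRECEDENCE = ("Edge", "NintendoBrowser", "Firefox", "Chrome", "Safari")

# Strings copied from the slides above.
EDGE = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134")
FIREFOX = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) "
           "Gecko/20100101 Firefox/64.0")
IPHONE = ("Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X) "
          "AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 "
          "Mobile/15A372 Safari/604.1")
GALAXY = ("Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) "
          "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
          "Chrome/60.0.3112.107 Mobile Safari/537.36")
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def parse_user_agent(ua):
    """Return (products, comments): ordered (name, version) pairs and comment strings."""
    products, comments = [], []
    for m in _PART.finditer(ua):
        if m.group(1) is not None:
            comments.append(m.group(1))
        else:
            products.append((m.group(2), m.group(3)))
    return products, comments


def naive_browser(ua):
    """Substring sniffing, shown for contrast: the first hit wins."""
    for name in ("Safari", "Chrome", "Firefox", "Edge"):
        if name in ua:
            return name
    return None


def claimed_client(ua):
    """Return (name, version, is_mobile) as claimed by the client-supplied header."""
    products, comments = parse_user_agent(ua)
    versions = dict(products)
    mobile = "Mobile" in versions
    # Crawler convention: "(compatible; Name/Version; +url)".
    for comment in comments:
        fields = [f.strip() for f in comment.split(";")]
        if fields[0] == "compatible" and len(fields) > 1 and "/" in fields[1]:
            name, version = fields[1].split("/", 1)
            return name, version, mobile
    for name in _PRECEDENCE:
        if name in versions:
            version = versions[name]
            # Safari reports its release in Version/x; Safari/x is the WebKit build.
            if name == "Safari" and "Version" in versions:
                version = versions["Version"]
            return name, version, mobile
    return None, None, mobile


if __name__ == "__main__":
    for ua in (EDGE, FIREFOX, IPHONE, GALAXY, GOOGLEBOT):
        print(naive_browser(ua), claimed_client(ua))
```
</section>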
<section>
<h3>HTTP Status Codes</h3>
<p>In <var>HTTP/1.1 200 OK</var>, 200 is the status code.</p>
<ul>
<li>1XX — Informational codes, ex: 100 Continue</li>
<li>2XX — Success codes, ex: 200 OK</li>
<li>3XX — Redirection codes, ex: 301 Moved Permanently</li>
<li>4XX — Client Error codes, ex: 404 Not Found</li>
<li>5XX — Server Error codes, ex: 500 Internal Server Error</li>
</ul>
<cite>RFC: <a href="https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html">https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html</a></cite>
</section>
<section>
<h3>Informational Status Codes: 1XX</h3>
<ul>
<li><var>HTTP/1.1 100 Continue</var>
<ul>
<li>Used in multipart and uploads</li>
<li>Tells the client to send the request body/data</li>
<li>The server had a choice to accept the request or not and it has decided to accept it</li>
</ul>
</li>
</ul>
</section>
<section>
<ul style="font-size: 75%">
<li><var>HTTP/1.1 101 Switching Protocols</var> (rare)
<ul>
<li><var>Upgrade:</var> header specifies the new protocol</li>
<li>Protocol switches immediately after the blank line at the end of headers</li>
<li>Switch from HTTP/1.1 to HTTP/2 on unencrypted connections:
<ul>
<li>but browsers don't support HTTP/2 over unencrypted connections</li>
<li>so it's basically never used</li>
</ul>
</li>
</ul>
</li>
<li>Browsers select HTTP/1.1 or HTTP/2 during the TLS handshake for https URLs
<ul>
<li>TLS Application-Layer Protocol Negotiation</li>
<li>Occurs at the same time as cipher suite negotiation</li>
<li>No additional round-trip latency</li>
<li>RFC 7301: <a href="https://tools.ietf.org/html/rfc7301">https://tools.ietf.org/html/rfc7301</a></li>
</ul>
</li>
</ul>
<cite><a href="https://http2.github.io/http2-spec/">https://http2.github.io/http2-spec/</a></cite>
</section>
<section>
<h3>Successful Status Codes: 2XX</h3>
<ul>
<li><var>HTTP/1.1 200 OK</var>
<ul>
<li>Request succeeded, depends on the client request</li>
<li>GET: sends an entity for the requested URI</li>
<li>HEAD: sends headers for the entity for the requested URI</li>
<li>POST: sends an entity describing the result of the POST</li>
<li>TRACE: sends back the entity it received</li>
</ul>
</li>
</ul>
</section>
<section>
<ul>
<li><var>HTTP/1.1 201 Created</var>
<ul>
<li>Request succeeded and a new entity was created and exists (e.g. PUT)</li>
</ul>
</li>
<li><var>HTTP/1.1 202 Accepted</var>
<ul>
<li>Like <var>200 OK</var> but the server's not done with it yet. For example, you asked the server to perform a calculation and it's working on it.</li>
</ul>
</li>
<li><var>HTTP/1.1 203 Non-Authoritative Information</var> (rare)
<ul>
<li>Used with proxies.</li>
</ul>
</li>
</ul>
</section>
<section>
<ul>
<li><var>HTTP/1.1 204 No Content</var>
<ul>
<li>Request succeeded but the server is only sending headers and no entity or response body</li>
</ul>
</li>
<li><var>HTTP/1.1 205 Reset Content</var> (rare)
<ul>
<li>Like <var>204 No Content</var> but the browser should clear the form/page</li>
</ul>
</li>
<li><var>HTTP/1.1 206 Partial Content</var>
<ul style="font-size: 85%">
<li>Used to resume downloads:
<ol>
<li>Client does HTTP GET with a <var>Range</var> header to continue a big download that was interrupted</li>
<li>Server responds with 206 Partial Content and a <var>Content-Range</var> indicating what part it's sending</li>
</ol>
</li>
</ul>
</li>
</ul>
</section>
<section style="">
<h3>Redirect Status Codes: 3XX</h3>
<p>There's always a reason why you want to redirect something</p>
<ul style="columns: 2; font-size: 80%;">
<li>HTTP allows for redirection</li>
<li>Redirection is cheap abstraction</li>
<li>Work-around for browser/protocol issues</li>
<li>Redirect HTTP requests to HTTPS</li>
<li>Redirect requests to old URIs to their new URIs</li>
<li>Load balancing</li>
<li>Separate dynamic and static content onto two different servers</li>
<li>One host in URIs but use more than one server behind the scenes</li>
<li>URL shorteners</li>
<li>Reorganized website but want to keep old URIs working (fighting link-rot)</li>
</ul>
</section>
<section>
<div class="columns" style="font-size: 80%">
<div class="column">
<ol>
<li>Use a form to <var>POST</var> to reply on a forum</li>
<li>Server sends you the page showing your reply</li>
<li>You press refresh to see if they replied back</li>
<li>Browser resends the <var>POST</var> to the page, causing a duplicate forum post</li>
</ol>
</div>
<div class="column">
<ol>
<li>Use a form to <var>POST</var> to reply on a forum</li>
<li>Server sends you a <var>303 See Other</var> to the forum thread</li>
<li>Browser makes a <var>GET</var> request for the forum thread</li>
<li>Server sends you forum thread with your reply</li>
<li>Hitting refresh now works without creating duplicate posts</li>
</ol>
</div>
</div>
</section>
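<section>
<p>Added example, not part of the original slides: the two sequences above simulated in Python, with a forum handler that answers the reply <var>POST</var> either with the page itself or with <var>303 See Other</var>, and a browser model whose refresh repeats the last request it ended on. The paths, class names and form field are assumptions of this example.</p>

```python
import html
from urllib.parse import parse_qs

THREAD = "/thread/1"         # hypothetical thread URI
REPLY = "/thread/1/reply"    # hypothetical form target


class Forum:
    def __init__(self, redirect_after_post):
        self.redirect_after_post = redirect_after_post
        self.posts = []

    def _page(self):
        # Escape user text before it goes into the page.
        return "".join(f"<p>{html.escape(p)}</p>" for p in self.posts)

    def handle(self, method, path, body=""):
        """Return (status, headers, body) for one request."""
        if path == REPLY:
            if method != "POST":
                return 405, {"Allow": "POST"}, ""
            text = parse_qs(body).get("text", [""])[0]
            if not text:
                return 400, {}, ""
            self.posts.append(text)
            if self.redirect_after_post:
                # Point the browser at the thread instead of answering in place.
                return 303, {"Location": THREAD}, ""
            return 200, {}, self._page()
        if path == THREAD:
            if method != "GET":
                return 405, {"Allow": "GET"}, ""
            return 200, {}, self._page()
        return 404, {}, ""


class Browser:
    """Keeps the request behind the page on screen, which refresh repeats."""

    def __init__(self, server):
        self.server = server
        self.last = None

    def request(self, method, path, body=""):
        status, headers, page = self.server.handle(method, path, body)
        if status == 303:
            # 303: fetch Location with GET; that GET is what refresh will repeat.
            method, path, body = "GET", headers["Location"], ""
            status, headers, page = self.server.handle(method, path, body)
        self.last = (method, path, body)
        return status, page

    def refresh(self):
        return self.request(*self.last)


def posts_after_refresh(redirect_after_post):
    """Reply once, refresh once, and return what the forum stored."""
    forum = Forum(redirect_after_post)
    browser = Browser(forum)
    browser.request("POST", REPLY, "text=hello+%3Cb%3Eworld")  # constructed form body
    browser.refresh()
    return forum.posts


if __name__ == "__main__":
    print("without 303:", posts_after_refresh(False))
    print("with 303:   ", posts_after_refresh(True))
```
</section>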
<section>
<ul style="font-size: 85%">
<li><var>HTTP/1.1 300 Multiple Choices</var> (rare)
<ul>
<li>Responds with a list of choices (e.g. same page in different languages) and the user or the browser chooses one</li>
</ul>
</li>
<li><var>HTTP/1.1 301 Moved Permanently</var>
<ul>
<li>Go to the URI mentioned in the <var>Location</var> header, <em>and don't ask me again!</em></li>
<li>URI in the location bar automatically changes</li>
</ul>
</li>
<li><var>HTTP/1.1 302 Found</var>
<ul>
<li>Temporary redirect. Client should GET the URI mentioned in the <var>Location</var> header and display that response instead</li>
<li>URI in the location bar stays the same (invisible to the user)</li>
<li>Useful for load-balancing</li>
</ul>
</li>
</ul>
</section>
<section>
<ul style="font-size: 75%">
<li><var>HTTP/1.1 303 See Other</var>
<ul>
<li>Exists to solve the forum-POSTing problem</li>
<li>GET the URI in the <var>Location</var> header</li>
<li>Don't save the redirect in your cache, you can keep making POSTs to the URI that gave you a 303</li>
<li>URI in the location bar changes</li>
</ul>
</li>
<li><var>HTTP/1.1 304 Not Modified</var>
<ul>
<li>Browser can make a conditional <var>GET</var> request for URIs that it has cached, asking the server to send the entity <em>only</em> if it's changed since the time it was cached or a specific version</li>
<li><var>If-None-Match:</var> followed by a list of etags (like git tags, named versions) will get a 200 OK only if it has a new version not in the list</li>
<li><var>If-Modified-Since:</var> followed by a date and time will get a 200 OK only if it has a newer version since that time</li>
<li>No response body/entity</li>
</ul>
</li>
</ul>
</section>
<section>
<ul style="font-size: 85%">
<li><var>HTTP/1.1 305 Use Proxy</var> (rare)
<ul>
<li>Try the proxy server specified by the <var>Location:</var> header</li>
</ul>
</li>
<li><var>HTTP/1.1 307 Temporary Redirect</var>
<ul>
<li>Go to the URI mentioned in the <var>Location</var> header</li>
<li>Keep making requests to the URI you originally requested in case the server needs to redirect you somewhere else next time</li>
<li>Cache the redirection using standard caching headers and rules</li>
<li>URI in the location bar is updated</li>
</ul>
</li>
</ul>
</section>
<section style="">
<h3>Client Error Status Codes: 4XX</h3>
<p>It's your fault! (or the User Agent's)</p>
<ul style="columns: 2; font-size: 80%;">
<li>You're not allowed</li>
<li>You're wrong</li>
<li>You owe us money</li>
<li>You can't handle it</li>
<li>You're taking too long</li>
<li>You're changing things at the same time as someone else</li>
<li>It ain't here and it ain't never coming back</li>
<li>You're not making any sense</li>
<li>You're asking too much</li>
</ul>
</section>
<section>
<ul style="font-size: 82%">
<li><var>HTTP/1.1 400 Bad Request</var>
<ul>
<li>Hey buddy, I can't read this garbage. <em>Don't send it again.</em></li>
</ul>
</li>
<li><var>HTTP/1.1 401 Unauthorized</var>
<ul>
<li>You have to send authentication information to see this URI.</li>
<li>Headers and entity (response body) explain to the browser and user how to log in.</li>
<li>Mostly useful for HTTP <var>Authorization:</var> header authentication</li>
</ul>
</li>
<li><var>HTTP/1.1 402 Payment Required</var> (rare)
<ul>
<li>Pay up, buttercup!</li>
<li>Supposedly reserved, but some services use it anyway, e.g. MobileMe used it (the predecessor to iCloud)</li>
<li>Google APIs use it</li>
<li>YouTube will use it to force you to solve a CAPTCHA</li>
</ul>
</li>
</ul>
</section>
<section>
<ul style="font-size: 85%">
<li><var>HTTP/1.1 403 Forbidden</var>
<ul>
<li>The web server will never respond to this request, no matter who you log in as</li>
<li>Maybe it could answer your request but an administrator disabled that ability.</li>
</ul>
</li>
<li><var>HTTP/1.1 404 Not Found</var>
<ul>
<li>You've got the wrong resource or path. Can't find what you're looking for. Droids? What droids?</li>
</ul>
</li>
<li><var>HTTP/1.1 405 Method not allowed</var>
<ul>
<li>Whatever method you used (GET/HEAD/POST/PUT/DELETE/...) doesn't work on this URI</li>
</ul>
</li>
</ul>
</section>
<section>
Fancy 404 pages...<br>
<img class="stretch noborder" src="images/github_404.png">
</section>
<section>
<ul style="font-size: 85%">
<li><var>HTTP/1.1 406 Not Acceptable</var>
<ul>
<li>The server cannot respond in a way that matches your request's accept header line.</li>
<li>Example: You asked for JSON and we can only serve XML, but it's your fault.</li>
</ul>
</li>
<li><var>HTTP/1.1 407 Proxy Authentication Required</var>
<ul>
<li>We're not going to proxy your request till you authenticate.</li>
</ul>
</li>
<li><var>HTTP/1.1 408 Request time out</var>
<ul>
<li>You took too long to send your request, we're not going to service you. Try again but faster next time.</li>
<li>Example: the Slowloris attack</li>
</ul>
</li>
</ul>
</section>
<section>
<ul style="font-size: 85%">
<li><var>HTTP/1.1 409 Conflict</var>
<ul>
<li>The request is in conflict. Often used with <var>PUT</var> requests.</li>
<li>Example: Two people trying to <var>PUT</var> a new version for the same URI at the same time</li>
</ul>
</li>
<li><var>HTTP/1.1 410 Gone</var>
<ul>
<li>Yeah it was here, but it ain't coming back. Don't even try again.</li>
</ul>
</li>
<li><var>HTTP/1.1 411 Length Required</var>
<ul>
<li>I can't service a request (ex: <var>POST</var>) without a <var>Content-Length:</var> header</li>
</ul>
</li>
</ul>
</section>
<section>
<ul style="font-size: 85%">
<li><var>HTTP/1.1 412 Precondition Failed</var>
<ul>
<li>Header information wouldn't be what you wanted it to be so I won't process the request</li>
<li>Example: modified too recently, so don't allow PUT to succeed to modify it again</li>
</ul>
</li>
<li><var>HTTP/1.1 413 Request Entity Too Large</var>
<ul>
<li>Sending an entity (POST, PUT, ...) that's bigger than the server can handle</li>
</ul>
</li>
<li><var>HTTP/1.1 414 Request-URI Too Long</var>
<ul>
<li>Webservers will only handle URLs up to a certain length</li>
<li>Example: Apache webserver is limited to 4000-8192 by default (depending on version)</li>
<li>Example: nginx webserver places a limit on total length of HTTP headers + requested URI</li>
</ul>
</li>
</ul>
</section>
<section>
<ul style="font-size: 85%">
<li><var>HTTP/1.1 415 Unsupported Media Type</var>
<ul>
<li>Uploading (POST, PUT, ...) using a format the server doesn't understand.</li>
<li>Example: posting pictures formatted in JPEG2000</li>
</ul>
</li>
<li><var>HTTP/1.1 416 Request Range Not Satisfiable</var>
<ul>
<li>You sent a <var>Range:</var> header to get just part of a file but the part you asked for doesn't make sense</li>
<li>Example: You ask to resume an interrupted download of a 1MiB file at 1.1MiB</li>
</ul>
</li>
<li><var>HTTP/1.1 417 Expectation Failed</var>
<ul>
<li>The server cannot meet the <var>Expect:</var> header</li>
<li>Example: client sent <var>Expect: 100 Continue</var> while POSTing multipart/form-data, but the server can't do that</li>
</ul>
</li>
</ul>
</section>
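<section>
<p>Added example, not part of the original slides: a Python function that decides between <var>200</var>, <var>206 Partial Content</var> and <var>416</var> for a <var>GET</var> with a <var>Range:</var> header, covering both the resumed download described under 206 and the 1MiB file asked for at 1.1MiB. It handles a single byte range only and ignores any other form of the header; the function name and the sample entity are assumptions of this example.</p>

```python
import re

# Single byte range only: "bytes=first-last", "bytes=first-" or "bytes=-suffix".
_SINGLE_RANGE = re.compile(r"bytes=(\d*)-(\d*)$")

# Constructed sample entity: exactly 1 MiB.
ENTITY = bytes(range(256)) * 4096


def serve_range(range_header, entity):
    """Return (status, headers, payload) for a GET of `entity`."""
    size = len(entity)
    full = (200, {"Accept-Ranges": "bytes", "Content-Length": str(size)}, entity)
    if range_header is None:
        return full
    m = _SINGLE_RANGE.match(range_header.strip())
    if m is None or m.groups() == ("", ""):
        # Unparseable or multi-range header: ignore it and send the whole entity.
        return full
    first, last = m.groups()
    if first == "":
        # Suffix form: the final N bytes of the entity.
        start = max(size - int(last), 0)
        end = size - 1
    else:
        start = int(first)
        if last != "" and int(last) < start:
            return full  # last before first is not a valid range
        # Clamp the end so a slice never runs past the entity.
        end = size - 1 if last == "" else min(int(last), size - 1)
    if start >= size:
        # Nothing to send: tell the client how long the entity really is.
        return 416, {"Content-Range": f"bytes */{size}"}, b""
    chunk = entity[start:end + 1]
    headers = {
        "Content-Range": f"bytes {start}-{end}/{size}",
        "Content-Length": str(len(chunk)),
    }
    return 206, headers, chunk


def resume_download(partial, entity):
    """Client side: ask for the bytes after `partial` and append them."""
    status, headers, chunk = serve_range(f"bytes={len(partial)}-", entity)
    if status == 206:
        return status, partial + chunk
    return status, partial


if __name__ == "__main__":
    status, data = resume_download(ENTITY[:524288], ENTITY)
    print(status, data == ENTITY)
    print(serve_range("bytes=1153434-", ENTITY)[:2])  # about 1.1 MiB into a 1 MiB file
```
</section>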
<section>
<ul style="font-size: 85%">
<li><var>HTTP/1.1 418 I'm a teapot</var>
<ul>
<li>Indicates that the server refuses to brew coffee because it is a teapot.</li>
</ul>
</li>
<li><var>HTTP/1.1 422 Unprocessable Entity</var>
<ul>
<li>Indicates that the server understood the Content-Type and the syntax of the entity (request body) is correct but that it was unable to process it.</li>
</ul>
</li>
<li><var>HTTP/1.1 426 Upgrade Required</var>
<ul>
<li>Indicates that the server requires use of HTTP 2 or later.</li>
</ul>
</li>
</ul>
</section>
<section>
<ul style="font-size: 85%">
<li><var>HTTP/1.1 428 Precondition Required</var>
<ul>
<li>Indicates that the client needs to send a request with an If- header.</li>
</ul>
</li>
<li><var>HTTP/1.1 429 Too Many Requests</var>
<ul>
<li>Indicates that the client has sent too many requests in a short period of time.</li>
</ul>
</li>
<li><var>HTTP/1.1 431 Request Header Fields Too Large</var>
<ul>
<li>Indicates that the client has sent request headers that are too long.</li>
</ul>
</li>
</ul>
</section>
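<section>
<p>Added example, not part of the original slides: an in-memory entity store in Python that shows where <var>304</var>, <var>412</var> and <var>428</var> come from when etags guard <var>GET</var> and <var>PUT</var>, using the slides' case of two people trying to <var>PUT</var> a new version for the same URI. The class, the etag scheme (a truncated SHA-256 of the body) and the choice of 412 rather than 409 for the losing writer are assumptions of this example.</p>

```python
import hashlib


def _listed(header, tag):
    """True if `tag` (or the wildcard *) appears in a comma-separated etag list."""
    candidates = [t.strip() for t in header.split(",")]
    return "*" in candidates or tag in candidates


class EntityStore:
    def __init__(self):
        self._entities = {}

    @staticmethod
    def etag(body):
        # Strong etag derived from the content; any stable version id would do.
        return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'

    def get(self, uri, if_none_match=None):
        body = self._entities.get(uri)
        if body is None:
            return 404, {}, b""
        tag = self.etag(body)
        if if_none_match is not None and _listed(if_none_match, tag):
            # The client's cached copy is current: headers only, no entity.
            return 304, {"ETag": tag}, b""
        return 200, {"ETag": tag}, body

    def put(self, uri, body, if_match=None):
        current = self._entities.get(uri)
        if current is None:
            if if_match is not None:
                return 412, {}, b""  # client expected a version that is not there
            self._entities[uri] = body
            return 201, {"ETag": self.etag(body)}, b""
        if if_match is None:
            # Replacing an existing entity must name the version being replaced.
            return 428, {}, b""
        if not _listed(if_match, self.etag(current)):
            # Someone else changed it first; refuse rather than overwrite.
            return 412, {"ETag": self.etag(current)}, b""
        self._entities[uri] = body
        return 204, {"ETag": self.etag(body)}, b""


def two_writers():
    """Two clients start from the same version; return the statuses in order."""
    store = EntityStore()
    uri = "/testing/junk/1"
    created, headers, _ = store.put(uri, b'{"name":"one"}')
    v1 = headers["ETag"]
    first, headers, _ = store.put(uri, b'{"name":"first"}', if_match=v1)
    v2 = headers["ETag"]
    second, _, _ = store.put(uri, b'{"name":"second"}', if_match=v1)
    blind, _, _ = store.put(uri, b'{"name":"second"}')
    stale, _, body = store.get(uri, if_none_match=v1)
    fresh, _, _ = store.get(uri, if_none_match=v2)
    return [created, first, second, blind, stale, fresh], body


if __name__ == "__main__":
    print(two_writers())
```
</section>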
<section>
<ul style="font-size: 85%">
<li><var>HTTP/1.1 451 Unavailable For Legal Reasons</var>
<ul>
<li>Indicates that the server could service the request... if it wasn't illegal.</li>
<li>Example: Server used to host content that was later taken down for copyright reasons.</li>
</ul>
</li>
</ul>
<blockquote>This request may not be serviced in the Roman Province
of Judea due to the Lex Julia Majestatis, which disallows
access to resources hosted on servers deemed to be
operated by the People's Front of Judea.
<cite>— <a href="https://tools.ietf.org/html/rfc7725">RFC 7725</a></cite>
</blockquote>
</section>
<section style="">
<h3>Server Error Status Codes: 5XX</h3>
<p>It's the server's fault!</p>
<ul style="columns: 2; font-size: 80%;">
<li>My script crashed</li>
<li>My system is misconfigured</li>
<li>I broke something</li>
<li>We didn't implement that</li>
<li>The server is down</li>
<li>I don't support that version of HTTP</li>
</ul>
</section>
<section>
<ul style="font-size: 85%">
<li><var>HTTP/1.1 500 Internal Server Error</var>
<ul>
<li>Server side software encountered some kind of error</li>
<li>Example: your Python Django code crashed</li>
<li>Example: couldn't connect to the database</li>
</ul>
</li>
<li><var>HTTP/1.1 501 Not Implemented</var>
<ul>
<li>The server can't fulfill that request (such as an HTTP PUT) because it doesn't even know what HTTP PUT is</li>
</ul>
</li>
</ul>
</section>
<section>
<ul style="font-size: 65%">
<li><var>HTTP/1.1 502 Bad Gateway</var>
<ul>
<li>The server talks to another HTTP server to fulfill this request and that other server isn't working.</li>
<li>Example: Website using a reverse-proxy to reduce load, balance load, or provide redundancy on their own server
<ul>
<li>Your webbrowser connects to somehost, but that actually resolves to a CDN: a webserver near you that acts as a cache that's <em>closer</em> to you than the actual webservers of the website you want to visit</li>
<li>Normally this speeds things up for you while reducing traffic to the actual webservers</li>
<li>You don't see a difference, but only requests for dynamic content actually make it back to the actual webservers, whereas most content (e.g. images, css, javascript, ...) is served from the CDN caching reverse-proxy</li>
<li>When you make a request for dynamic content the CDN caching reverse-proxy forwards the request to the actual website on your behalf</li>
<li>But when the original webservers go down you get 502 Bad Gateway</li>
</ul>
</li>
</ul>
</li>
</ul>
</section>
<section>
<ul>
<li><var>HTTP/1.1 502 Bad Gateway</var></li>
</ul>
<img class="scale noborder" src="images/cloudflare-502.png">
<cite><a href="https://support.cloudflare.com/hc/en-us/articles/218378978-What-should-I-do-after-seeing-a-502-or-504-gateway-error-on-my-site-">https://support.cloudflare.com/hc/en-us/articles/218378978-What-should-I-do-after-seeing-a-502-or-504-gateway-error-on-my-site-</a></cite>
</section>
<section>
<ul style="font-size: 85%">
<li><var>HTTP/1.1 503 Service Unavailable</var>
<ul>
<li>The service is temporarily down. Something's broken and we'll bring it back up eventually.</li>
</ul>
</li>
<li><var>HTTP/1.1 504 Gateway Timeout</var>
<ul>
<li>The server talks to another process to fulfill this request and that other process isn't responding fast enough. Very common when a webapp is overloaded.</li>
<li>Similar to 502, except in this case the packets between the reverse proxy and the origin webserver are just vanishing...</li>
</ul>
</li>
<li><var>HTTP/1.1 505 HTTP Version Not Supported</var>
<ul>
<li>Your request used the wrong HTTP version. A version the server no longer supports.</li>
<li>Example: Twitter doesn't let you do HTTP/1.0 requests anymore</li>
</ul>
</li>
</ul>
</section>
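<section>
<p>Added example, not part of the original slides: a minimal reverse-proxy fetch that shows when the proxy answers 502 versus 504. The loopback origins (<var>closed_port</var>, <var>silent_origin</var>, <var>healthy_origin</var>) are constructed stand-ins for an origin webserver that is down, unresponsive, or working.</p>

```python
import http.client
import http.server
import socket
import threading

def proxy_fetch(origin_host, origin_port, path, timeout=2.0):
    """Forward a GET to the origin; return (status, reason, body) for the client."""
    conn = http.client.HTTPConnection(origin_host, origin_port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.reason, resp.read()
    except socket.timeout:
        # The origin did not answer within the deadline.
        return 504, "Gateway Timeout", b""
    except (OSError, http.client.HTTPException):
        # Connection refused or reset, or the reply was not valid HTTP.
        return 502, "Bad Gateway", b""
    finally:
        conn.close()

def closed_port():
    """Constructed 'origin is down': a loopback port with no listener."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def silent_origin():
    """Constructed 'origin is overloaded': accepts TCP connections, never replies."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]

class _Ok(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        body = b"dynamic content"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the demo quiet

def healthy_origin():
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Ok)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

</section>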
<section>
<ul style="font-size: 80%">
<li><var>HTTP/1.1 511 Network Authentication Required</var>
<ul>
<li>Not used by webservers, but rather by <em>captive portals</em> to tell the web browser that it should show the user a login page for the network.</li>
<li>Example: You connect to a guest WiFi
<ol>
<li>You try to browse to some random webpage</li>
<li>Captive portal intercepts your request and sends a 511 response back (the request never makes it onto the internet)</li>
<li>Your web browser tells you you need to log on to the network</li>
<li>You log on to the network using a webpage on the captive portal</li>
<li>You retry your original request, this time it's not intercepted and proceeds to the server it was meant for</li>
</ol>
</li>
</ul>
</li>
</ul>
</section>
<section>
<h3>HTTP Errors: Client, Server or Application?</h3>
<ul>
<li>If there's a problem in your web application how should you respond?
<ul>
<li>4xx code?</li>
<li>5xx code?</li>
<li>HTML page explaining to the user what happened?</li>
<li>4xx/5xx + HTML page explaining to the user?</li>
</ul>
</li>
</ul>
</section>
<section>
<ul style="font-size: 80%">
<li>If there's a problem in your web application how should you respond?</li>
<li>Some suggest that business logic errors (software error reporting) should be reported to the client without using HTTP status codes</li>
<li>Some suggest that you should use HTTP status codes.</li>
<li>Decide if the application is user facing and how you should handle it for your audience.
<ul>
<li>Do you need to talk to the User Agent (browser, software) or to the user (human)?</li>
<li>Example: many websites let you log in with cookie-based authentication. There's no <em>standards-compliant</em> way to use a response code, e.g. <var>401 Unauthorized</var> to tell the user to log in this way. So it may be best to use a 302 or 307 redirect to send the user to the login page.</li>
</ul>
</li>
<li>Warning: Old versions of IE only show a few kb of HTML for 404 pages.</li>
</ul>
</section>
<section>
<h3>HTTP Headers</h3>
<ul style="font-size: 85%">
<li>There are 47+ standard HTTP headers</li>
<li>These headers have an effect on:
<ul>
<li>Authentication</li>
<li>Caching</li>
<li>Encoding</li>
<li>Partial downloading</li>
<li>Content type</li>
<li>More...</li>
</ul>
</li>
<li>There are so many in the RFC that I won't go over all of them</li>
<li><a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html">http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html</a></li>
</ul>
</section>
<section>
<h3>HTTP Request Headers</h3>
<ul>
<li><var>Accept: */*</var>
<ul>
<li>Example: <var>Accept: video/ogg,video/*</var></li>
<li>Specifies the kind of media the client can handle</li>
</ul>
</li>
<li><var>Accept-Charset: UTF-8</var>
<ul>
<li>Specifies character encodings the client can handle</li>
</ul>
</li>
<li><var>Accept-Encoding: gzip,compress,deflate,br</var>
<ul>
<li>Specifies compression formats the client can handle</li>
</ul>
</li>
</ul>
</section>
<section>
<h4>HTTP Request Headers</h4>
<ul>
<li><var>Access-Control-Request-Headers: Content-Type</var>
<ul>
<li>Lets the browser ask the server if JS is allowed to make requests with those headers</li>
</ul>
</li>
<li><var>Access-Control-Request-Method: POST</var>
<ul>
<li>Lets the browser ask the server if JS is allowed to make e.g. POST requests</li>
</ul>
</li>
</ul>
</section>
<section>
<h4>HTTP Request Headers</h4>
<ul style="font-size: 90%">
<li><var>Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l</var>
<ul>
<li>The user agent is sending a username and password or other kind of credentials to the server (rare, usually cookies are used instead)</li>
</ul>
</li>
<li><var>Cache-Control: max-age=60</var>
<ul>
<li>Asks the server/proxy not to send data that's been sitting in its cache too long</li>
</ul>
</li>
<li><var>Content-Disposition: form-data; name="fieldName"; filename="filename.jpg"</var>
<ul>
<li>Tells the server the name/filename of the form data being uploaded when POSTing multipart/form-data</li>
</ul>
</li>
</ul>
</section>
<section>
<h4>HTTP Request Headers</h4>
<ul>
<li><var>Cookie: session=1nhbn4b123h4; csrftoken=1n1b4b1j2j3j2</var>
<ul>
<li>The user agent is sending cookies (stored key-value pairs) relevant to the server</li>
<li>The cookies were previously sent to the user agent to store by the server or JS</li>
</ul>
</li>
<li><var>DNT: 1</var> (largely ignored)
<ul>
<li>The user prefers not to be tracked over receiving personalized content</li>
</ul>
</li>
</ul>
</section>
<section>
<h4>HTTP Request Headers</h4>
<ul style="font-size: 90%">
<li><var>Expect: 100-continue</var>
<ul>
<li>The user agent expects the server to respond with <var>100 Continue</var></li>
</ul>
</li>
<li><var>Forwarded: for=192.0.2.60;proto=http;host=example.com</var>
<ul>
<li>Used by (reverse) proxies to tell the server who made the original request, over what protocol, and what the original <var>Host</var> header was</li>
</ul>
</li>
<li><var>From: [email protected]</var>
<ul>
<li>Email address of the person making the requests</li>
<li>Example: bot owner, so people can contact them about their bot if it misbehaves</li>
</ul>
</li>
</ul>
</section>
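<section>
<p>Added example, not part of the original slides: parsing <var>Forwarded</var> (RFC 7239 syntax) and deciding how much of it a server should believe. Any client can send this header, so the sketch only follows it back through addresses in <var>trusted_proxies</var>, a hypothetical list of the site's own reverse proxies; all function names are this example's.</p>

```python
import ipaddress

def _split(text, sep):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return parts + [buf]

def parse_forwarded(value):
    """Parse a Forwarded header (RFC 7239) into one dict per proxy hop."""
    hops = []
    for element in _split(value, ","):
        hop = {}
        for pair in _split(element, ";"):
            name, sep, val = pair.strip().partition("=")
            if sep:
                hop[name.strip().lower()] = val.strip().strip('"')
        if hop:
            hops.append(hop)
    return hops

def _node_ip(node):
    """IP from a for= value such as '192.0.2.60:4711' or '[2001:db8::1]:80', else None."""
    if node.startswith("["):
        node = node[1:].split("]")[0]
    elif node.count(":") == 1:
        node = node.split(":")[0]
    try:
        return ipaddress.ip_address(node)
    except ValueError:
        return None  # "unknown" or an obfuscated "_token"

def client_ip(peer_ip, forwarded, trusted_proxies):
    """Believe Forwarded only as far back as our own proxies vouch for it."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    current = ipaddress.ip_address(peer_ip)
    for hop in reversed(parse_forwarded(forwarded or "")):
        claimed = _node_ip(hop.get("for", ""))
        if claimed is None or not any(current in net for net in trusted):
            break  # sender is not one of our proxies, or the claim is not an IP
        current = claimed
    return str(current)
```

</section>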
<section>
<h4>HTTP Request Headers</h4>
<ul style="font-size: 90%">
<li><var>Host: ualberta.ca</var>
<ul>
<li>The hostname (and sometimes port) of the website the user agent is trying to connect to</li>
<li>When a single server or proxy is handling requests for many different websites, it needs to know which site the request was made to</li>
<li>Otherwise it can only differentiate by IP address, but a server/proxy usually has only one public IP address</li>
<li>Required in HTTP/1.1 and later for all requests</li>
<li>If <var>Host:</var> is missing the server may respond with <var>400 Bad Request</var></li>
</ul>
</li>
</ul>
</section>
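<section>
<p>Added example, not part of the original slides: name-based virtual hosting that picks the site from <var>Host</var> and answers <var>400 Bad Request</var> when the header is missing, repeated, or malformed. The <var>SITES</var> table and function names are constructed; rejecting hosts the server does not serve with 400 is this example's choice (Django's <var>ALLOWED_HOSTS</var> behaves the same way).</p>

```python
SITES = {"ualberta.ca": "/srv/ualberta", "example.com": "/srv/example"}  # constructed
HOST_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-.")

def parse_head(raw):
    """Split a raw request head into (version, [(lower-cased name, value), ...])."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    version = lines[0].rsplit(" ", 1)[-1]
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return version, headers

def normalize_host(value):
    """Lower-case a Host value and drop an optional :port; None if malformed."""
    host, sep, port = value.lower().partition(":")
    if not host or (sep and not port.isdigit()) or set(host) - HOST_CHARS:
        return None  # empty, bad port, or characters no hostname contains
    return host.rstrip(".")

def route(raw, sites=SITES, default=None):
    """Choose the virtual host for a request: (200, docroot) or (400, None)."""
    version, headers = parse_head(raw)
    hosts = [value for name, value in headers if name == "host"]
    if not hosts and version == "HTTP/1.0" and default in sites:
        return 200, sites[default]  # HTTP/1.0 predates the Host requirement
    if len(hosts) != 1:
        return 400, None  # missing, or repeated so proxy and app could disagree
    host = normalize_host(hosts[0])
    if host not in sites:
        return 400, None  # malformed or not served here (this example's choice)
    return 200, sites[host]
```

</section>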
<section>
<h4>HTTP Request Headers</h4>
<ul style="font-size: 70%">
<li><var>If-Match: "705a092f59b73758dbb458f6e654a077d81c938e"</var>
<ul>
<li>Asks the server to send the content only if the ETag matches the specified string</li>
</ul>
</li>
<li><var>If-None-Match: "705a092f59b73758dbb458f6e654a077d81c938e"</var>
<ul>
<li>Asks the server to send the content only if the ETag <em>doesn't</em> match the specified string</li>
</ul>
</li>
<li><var>If-Modified-Since: Tue, 22 Jan 2019 23:15:50 GMT</var>
<ul>
<li>Asks the server to send the content only if it has changed since the specified date</li>