HTTP request and response

HTTP Request and Response -Sahil Agarwal


Page 1: HTTP request and response

HTTP Request and Response

-Sahil Agarwal

Page 2: HTTP request and response

HTTP Generic Message

● All of the communication between devices using the Hypertext Transfer Protocol takes place via HTTP messages.

● There are only two types of HTTP messages: requests and responses.

● HTTP messages are text-based and loosely based on RFC 822 and 2822 message standards, and MIME standards.

Page 3: HTTP request and response

HTTP Generic Message Format

The HTTP generic message format is as follows:

<start-line>
<message-headers>
<empty-line>
[<message-body>]
[<message-trailers>]

Page 4: HTTP request and response

HTTP Generic Message Format

<start-line> - The start line is a special text line that conveys the nature of the message. In a request, this line indicates the nature of the request, in the form of a method, as well as specifying a URI to indicate the resource that is the object of the request. Responses use the start line to indicate status information in reply to a request.

<message-headers> - There are many dozens of message headers defined in HTTP, which are organized into groups by function as we will soon see. Almost all of these are optional; the one exception is the Host header, which must be present in each request in HTTP/1.1. Headers may be sent in any order, and all follow the same header format used in e-mail messages:

<header-name>: <header-value>

Page 5: HTTP request and response

HTTP Generic Message Format

[<message-body>] - The message body is optional, because it is only needed for certain types of messages.

It may carry a set of information to be communicated between the client and server, such as a detailed error message in a response. More commonly, when present, it carries a file or other resource, which is formally called an entity in the HTTP standard. Entities are most often found in the body of a response message, since most client requests ask for a server to send a file or other resource. However, they can also be found in certain requests.

Page 6: HTTP request and response

HTTP Generic Message Format

[<message-trailers>] - HTTP/1.1 uses persistent connections by default, so messages are sent in a steady stream from client to server and server to client. This requires that some means be used to mark where one message ends and the next begins, which is usually accomplished in one of two ways.

● The first is using a special header that indicates the length of the message so the receiving device knows when the entire message has been received.

● The second is a method called “chunking”, where a message is broken into pieces for transmission and the length of each piece is indicated in the message body.

When chunking is done, a set of message trailers may follow the body of the message.

Trailers are in fact the same as headers except for their position in the file, but may only be used for entity headers.
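
The two framing methods above, as an added example that is not part of the original slides: a Python sketch that splits a persistent-connection byte stream into messages using either the length header (Content-Length) or chunking (Transfer-Encoding: chunked) with trailers, and rejects a message that declares both, since two parsers could then disagree on where it ends. The function names, the sample stream and the trailer value are constructed; a message with neither framing header is treated as having no body.

```python
# Added example: split a persistent-connection stream into HTTP messages.
CRLF = b"\r\n"

def read_fields(data, pos):
    """Read header or trailer lines from pos up to and past the empty line."""
    fields = {}
    while True:
        end = data.index(CRLF, pos)          # ValueError if the stream is truncated
        line, pos = data[pos:end].decode("latin-1"), end + 2
        if not line:
            return fields, pos
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()  # last duplicate wins (simplification)

def read_message(data, pos=0):
    """Return (start_line, headers, body, trailers, next_pos) for one message."""
    end = data.index(CRLF, pos)
    start_line = data[pos:end].decode("latin-1")
    headers, pos = read_fields(data, end + 2)
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    if chunked and "content-length" in headers:
        raise ValueError("ambiguous framing: length header and chunking both present")
    body, trailers = b"", {}
    if chunked:
        while True:
            end = data.index(CRLF, pos)
            size = int(data[pos:end].split(b";")[0].decode(), 16)  # hex chunk length
            pos = end + 2
            if size == 0:                    # last chunk: trailers follow the body
                trailers, pos = read_fields(data, pos)
                break
            if size < 0 or data[pos + size:pos + size + 2] != CRLF:
                raise ValueError("bad chunk")
            body += data[pos:pos + size]
            pos += size + 2
    elif "content-length" in headers:
        length = int(headers["content-length"])
        if length < 0 or pos + length > len(data):
            raise ValueError("body shorter than declared length")
        body, pos = data[pos:pos + length], pos + length
    return start_line, headers, body, trailers, pos

def split_stream(data):
    """Split a byte stream holding back-to-back messages into a list of tuples."""
    messages, pos = [], 0
    while pos < len(data):
        *message, pos = read_message(data, pos)
        messages.append(tuple(message))
    return messages

# Constructed sample: two responses sent back to back on one connection.
STREAM = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
          b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"4\r\nWiki\r\n5\r\npedia\r\n0\r\nContent-MD5: constructed-value\r\n\r\n")
```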

Page 7: HTTP request and response

Request Format

HTTP requests use a message format that is based on the generic message format, but specific to the needs of requests.

<request-line>
<general-headers>
<request-headers>
<entity-headers>
<empty-line>
[<message-body>]
[<message-trailers>]

Page 8: HTTP request and response

Request Format

Request Line Format: <METHOD> <request-uri> <HTTP-VERSION>

Example - GET /login HTTP/1.1

● Method - The type of action that the client wants the server to take.

● Request URI - Uniform Resource Identifier

● HTTP Version - Tells the server which version of HTTP the client is using.

Headers:

● General Headers

○ These refer mainly to the message itself, instead of its contents.

○ They are used to control its processing or provide the recipient with extra information.

● Request Headers

○ Contain information about the nature of the client’s request. They give the client more control over how the request is to be handled.

○ Format, encodings etc.

● Entity Headers

○ They describe the entity contained in the body of the request, if any.

Page 9: HTTP request and response

Response Format

HTTP responses use a message format that is based on the generic message format, but specific to the needs of responses.

<status-line>
<general-headers>
<response-headers>
<entity-headers>
<empty-line>
[<message-body>]
[<message-trailers>]

Page 10: HTTP request and response

Response Format

Status Line Format: <HTTP-VERSION> <status-code> <reason-phrase>

Example - HTTP/1.0 200 OK

● HTTP Version - Tells the client which version of HTTP the server is using.

● Status Code -

○ A three-digit number that indicates the formal result that the server is communicating to the client.

○ Intended for the client HTTP implementation to process so the software can take appropriate action.

● Reason Phrase - Text string for the human user to see how the client responded.

Headers:

● General Headers

○ These refer mainly to the message itself, instead of its contents.

● Response Headers

○ They provide additional data that expands upon the summary result information in the status line.

○ The server may also return extra result information in the body of the message, especially when an error occurs.

● Entity Headers

○ They describe the entity contained in the body of the response, if any.

Page 11: HTTP request and response

What’s in an HTTP Request?

Raw Information

GET /login HTTP/1.1
Host: 127.0.0.1:5000
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

Page 12: HTTP request and response

What’s in an HTTP Request?

Source IP address, port and proxy

● Source IP address and Source port: In order to send the appropriate response back to your computer, the web server necessarily knows your computer's IP address and source port.

● Via and X-Forwarded-For: If the HTTP request includes the header "Via", or "X-Forwarded-For", then that's a strong indication that there is at least one proxy server somewhere along the line.

Page 13: HTTP request and response

What’s in an HTTP Request?

Destination IP address, port, host and protocol

● Destination IP address tells us where the server is located.

● Port tells us which port is being used to contact the server.

● Host - Since many websites can be hosted on a single server, we need this to identify our website.

● Protocol - The HTTP protocol being used. Eg - HTTP/1.1

Page 14: HTTP request and response

What’s in an HTTP Request?

● Requested URI - This specifies which document is to be retrieved from the website.

● Request method and content - The type of action that the client wants the server to take. Eg - POST, GET. If POST was submitted as request method, then a form is submitted. The contents of this form would appear here.

Page 15: HTTP request and response

What’s in an HTTP Request?

User Agent - The User-Agent header describes your web browser. Typically it contains the browser name and version, your Operating System and version, and possibly additional information. Eg -

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36

Accept Headers - These describe what sort of things the web browser can handle, and what it would prefer to be given if there's a choice.

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

Page 16: HTTP request and response

What’s in an HTTP Request?

Referer:

The "referer" header tells the page which document referred the user to it - in essence, if you followed a link to get to this page, it is the URL of the page you came from to get here.

Cookie:

● Every time a web server provides you with a response (a page, a graphic, etc), it can send your browser a "cookie". These cookies are small pieces of information which your browser stores, and then sends back to that same web server whenever you subsequently request a document.

● The "contents" of the cookie (the data it contains) can only be made up of whatever information the web server already knew anyway.

Page 17: HTTP request and response

What’s in an HTTP Request?

Connection control

Connection: keep-alive
Keep-Alive: not present

These headers are used to fine-tune the network traffic between you and the web server. They don't tell us much, except a little about the capabilities of your web browser.

Cache control

Pragma: not present
Cache-Control: not present
If-Modified-Since: not present

These headers control caching of the document. By examining them, we can detect if you used your browser's "refresh" button to force the page to reload. For example, Mozilla (Netscape 6) sets "Cache-Control" to "max-age=0" when you use the "reload" button. MSIE 5.5 sets it to "no-cache" if you do a "hard" reload (while holding down the "control" key).

Page 18: HTTP request and response

What’s in an HTTP Request?

Authorisation

Username: If you have "logged in" to a web site, your username appears here.

This only applies to web sites which use proper HTTP authentication - a "login" window pops up and you get three chances to enter your username and password, otherwise you see a page which says "Authentication Required" or similar. It doesn't apply to web sites where the "login" is a separate page.

It's also possible to supply the username and password in the URL you tell your browser to visit - for example, http://user:[email protected]/. In that case, the username would appear here too.
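
The "What's in an HTTP Request?" slides, as an added example that is not part of the original deck: a Python sketch that parses one raw request, enforces the HTTP/1.1 Host requirement, and reports the proxy headers, reload hint and HTTP-authentication username described above. It assumes the Basic scheme, where the Authorization header carries base64("user:password"), so the credentials are readable by anything that sees the request; the function names, the proxy name and the user "alice" are constructed.

```python
# Added example: report what a server can read from one raw HTTP request.
import base64

def parse_request(raw):
    """Split a raw request head into method, URI, version and a header dict."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.lower(), []).append(value.strip())
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return method, uri, version, headers

def describe(raw):
    """Summarise the fields discussed on the slides for one request."""
    method, uri, version, h = parse_request(raw)
    info = {"method": method, "uri": uri, "version": version,
            "host": h.get("host", [None])[0],
            "proxy_headers": [n for n in ("via", "x-forwarded-for") if n in h],
            "reload": None, "auth_user": None}
    cache = ",".join(h.get("cache-control", [])).lower()
    if "no-cache" in cache:
        info["reload"] = "hard"        # per the slides: MSIE 5.5 hard reload
    elif "max-age=0" in cache:
        info["reload"] = "normal"      # per the slides: the reload button
    for value in h.get("authorization", []):
        scheme, _, cred = value.partition(" ")
        if scheme.lower() == "basic":  # assumed scheme: base64("user:password")
            try:
                decoded = base64.b64decode(cred.strip(), validate=True).decode()
                info["auth_user"] = decoded.partition(":")[0]
            except ValueError:         # bad base64 or bad UTF-8
                info["auth_user"] = "<undecodable>"
    return info

# Request from slide 11 (shortened) plus constructed Via, Cache-Control and
# Authorization headers; "alice" and the password are made up.
SAMPLE = ("GET /login HTTP/1.1\r\nHost: 127.0.0.1:5000\r\nConnection: keep-alive\r\n"
          "Via: 1.1 proxy.example\r\nCache-Control: max-age=0\r\n"
          "Authorization: Basic "
          + base64.b64encode(b"alice:not-a-real-password").decode() + "\r\n\r\n")
```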

Page 19: HTTP request and response

References

● RFC 2616 - "Hypertext Transfer Protocol -- HTTP/1.1"