HTTP Basics
Common HTTP status codes
1. Classification of status codes
- 1xx: the server has received the request
- 2xx: the request succeeded, for example 200
- 3xx: redirection, such as 302
- 4xx: client error, such as 404
- 5xx: server error, such as 500
2. Common status codes
- 200 Success
- 301 Permanent redirect (used with the Location header; the browser handles it automatically)
- 302 Temporary redirect (used with the Location header; the browser handles it automatically)
- 304 The resource has not been modified (the resource has been requested before and has not expired)
- 404 Resource not found
- 403 No permission
- 500 Server error
- 503 Service unavailable
- 504 Gateway timeout
HTTP methods
1. Traditional methods
- GET: obtains data from the server
- POST: submits data to the server
- Simple web features needed only these two operations
2. Current methods
- GET: get data
- POST: create data
- PATCH/PUT: update data
- DELETE: delete data
3. RESTful API
- A new API design approach (already widely used)
- Traditional API design: treat each URL as a function
- RESTful API design: treat each URL as a unique resource
4. How to design a URL as a resource?
4.1 Avoid URL parameters
- Traditional API design: /api/list?pageIndex=2
- RESTful API design: /api/list/2
4.2 Use the method to indicate the operation type
Traditional API design
- POST request: /api/create-blog
- POST request: /api/update-blog?id=100
- GET request: /api/get-blog?id=100
RESTful API design
- POST request: /api/blog
- PATCH request: /api/blog/100
- GET request: /api/blog/100
HTTP headers
1. Request headers
- Accept: the data formats the browser accepts
- Accept-Encoding: the compression algorithms the browser accepts, such as gzip
- Accept-Language: the languages the browser accepts, for example zh-CN
- Connection: keep-alive: one TCP connection is reused for several requests
- Cookie
- Host
- User-Agent (UA for short): browser information
- Content-Type: the format of the data being sent, such as application/json
2. Response headers
- Content-Type: the format of the returned data, such as application/json
- Content-Length: the size of the returned data in bytes
- Content-Encoding: the compression algorithm of the returned data, such as gzip
- Set-Cookie: used by the server to set a cookie
3. Custom headers
headers: { 'X-Requested-With': 'XMLHttpRequest' }
4. Cache headers
Forced cache
- Cache-Control
- Expires
Negotiation cache
- Last-Modified
- If-Modified-Since
- ETag
- If-None-Match
HTTP caching
1. Forced cache
1.1 Cache-Control
Set in the response headers; it controls the logic of the forced cache
Example: Cache-Control: max-age=31536000 (in seconds)
The Cache-Control values
- max-age: specifies the expiration time
- no-cache: do not use the forced cache; leave the decision to the server
- no-store: neither the forced cache nor the server's cache handling is used
- private: only the end user may cache
- public: intermediate routers and proxies may also cache
- must-revalidate: revalidation with the server is required
Once the Cache-Control lifetime has expired, the browser requests the server again
1.2 Expires
- Also in the response headers
- Also controls cache expiration
- Has been replaced by Cache-Control
- The problem is that if the clock on the browser's machine differs greatly from the clock on the server, the error can be large
2. Negotiation cache (comparison cache)
- A server-side caching policy: the server decides whether the cached copy may be used (it does not mean the resource is cached on the server)
- The client sends a request to the server, and the server determines whether the client's copy of the resource is the same as the server's
- If they are consistent, 304 is returned; otherwise 200 and the latest resource are returned
2.1 Resource identification
- Carried in the response headers; there are two kinds
- Last-Modified: the time the resource was last modified
- ETag: a unique identifier for the resource (a string, similar to a human fingerprint)
The If-Modified-Since value of the repeat request is the Last-Modified value from the previous response
The If-None-Match value of the repeat request is the ETag value from the previous response
2.2 Last-Modified and ETag
- ETag is preferred
- Last-Modified is only accurate to the second
- ETag is more accurate if the resource is regenerated repeatedly without its content changing
Three refresh operations
- Normal operation: entering a URL in the address bar, following a link, going forward and back, etc.
- Manual refresh: F5, clicking the refresh button, choosing refresh from the right-click menu
- Force refresh: Ctrl + F5
1. Cache policies vary according to the refresh operation
- Normal operation: forced cache valid, negotiation cache valid
- Manual refresh: forced cache invalid, negotiation cache valid
- Force refresh: forced cache invalid, negotiation cache invalid
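The forced cache, the negotiation cache and the three refresh rules above can be modelled in a few functions. This is an added example, not code from the original page; the function names, the `max-age=60` policy and the truncated SHA-256 ETag are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// Server: validators for a resource. Last-Modified is truncated to whole seconds.
function validators(body, mtimeMs) {
  const etag = '"' + crypto.createHash("sha256").update(body).digest("hex").slice(0, 16) + '"';
  return { etag, lastModified: new Date(Math.floor(mtimeMs / 1000) * 1000).toUTCString() };
}

// Server: answer a GET with 304 (cached copy still matches) or 200 (send the body).
function respond(reqHeaders, body, mtimeMs) {
  const v = validators(body, mtimeMs);
  const headers = { "ETag": v.etag, "Last-Modified": v.lastModified, "Cache-Control": "max-age=60" };
  const inm = reqHeaders["if-none-match"];
  const ims = reqHeaders["if-modified-since"];
  let unchanged = false;
  if (inm !== undefined) {
    // ETag wins when both validators are sent (exact match only; no W/ or * handling).
    unchanged = inm.split(",").map((s) => s.trim()).includes(v.etag);
  } else if (ims !== undefined) {
    unchanged = Date.parse(v.lastModified) <= Date.parse(ims);
  }
  return unchanged ? { status: 304, headers } : { status: 200, headers, body };
}

// Browser: what to do with a cached entry for each refresh operation.
// refresh is "normal", "manual" (F5) or "force" (Ctrl+F5); these names are assumptions.
function plan(entry, nowMs, refresh) {
  if (!entry || refresh === "force") return { action: "fetch", headers: {} };
  const cc = entry.headers["Cache-Control"] || "";
  const maxAge = /max-age=(\d+)/.exec(cc);
  const alive = maxAge !== null && nowMs - entry.storedAt < Number(maxAge[1]) * 1000;
  if (refresh === "normal" && alive && !/\bno-cache\b/.test(cc)) {
    return { action: "use-cache", headers: {} }; // forced cache: no request is sent
  }
  return {
    action: "revalidate", // negotiation cache: conditional request
    headers: { "if-none-match": entry.headers["ETag"], "if-modified-since": entry.headers["Last-Modified"] },
  };
}
```

With Last-Modified alone, a change made within the same second as the cached version is answered with 304, and a rebuild that leaves the content identical is answered with 200; the ETag comparison gets both cases right.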
The difference between HTTP and HTTPS
Aspect | HTTP | HTTPS |
---|---|---|
Protocol | Runs on top of TCP; transmits in clear text; neither the client nor the server can verify the identity of the other | HTTP wrapped in a Secure Socket Layer (SSL) shell: HTTP runs on SSL, which runs on TCP. This adds encryption and authentication mechanisms. |
Port | 80 | 443 |
Resource consumption | Less | More CPU and memory resources are consumed because of encryption and decryption processing |
Overhead | No certificate is needed | Certificates are required, and they are generally purchased from certificate authorities |
Encryption mechanism | None | A hybrid encryption mechanism combining shared key encryption and public key encryption |
Security | Weak | Strong, because of the encryption mechanism |
1. Symmetric encryption and asymmetric encryption
HTTPS uses a hybrid encryption mechanism of symmetric and asymmetric encryption.
Symmetric key encryption means that encryption and decryption use the same key. The biggest problem with this method is key distribution, that is, how to send the key to the other party securely. Asymmetric encryption uses a pair of keys, namely a public key and a private key. The public key can be distributed freely, but the private key is known only to its owner. The party that sends the ciphertext encrypts with the other party's public key. After receiving the encrypted information, the other party decrypts it with its own private key. Asymmetric encryption can ensure security because the private key needed for decryption never has to be sent. But it is very slow compared to symmetric encryption.
To sum up: for speed, we still need to use symmetric encryption to transmit messages, but we can send the key used for symmetric encryption through asymmetric encryption.
You can think of it this way: we only need to keep the symmetric encryption key secure to keep the information secure.
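The hybrid scheme described above, as an added example that is not part of the original page: the client wraps a random symmetric key under the server's public key, and all messages then use that symmetric key. RSA-OAEP, AES-256-GCM and the function names are assumptions chosen for illustration; this shows only the key-wrapping idea, not a TLS handshake, and does no certificate checking.

```javascript
const crypto = require("crypto");
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Symmetric part: AES-256-GCM; the same key encrypts and decrypts.
function seal(key, text) {
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(text, "utf8"), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, iv);
  d.setAuthTag(tag);
  // final() throws if the ciphertext or tag was modified in transit
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

// Server: owns the key pair; the private key never leaves this closure.
function makeServer() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  let sessionKey = null;
  return {
    publicKey, // safe to hand out
    acceptKey(wrapped) {
      sessionKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
    },
    read(msg) { return open(sessionKey, msg); },
  };
}

// Client: picks a random symmetric key and sends it wrapped under the server's public key.
function makeClient(serverPublicKey) {
  const sessionKey = crypto.randomBytes(32);
  return {
    wrappedKey: crypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, sessionKey),
    write(text) { return seal(sessionKey, text); },
  };
}
```

Only `wrappedKey` and the sealed messages cross the network; the slow asymmetric operation runs once per session, and every message after that uses the fast symmetric cipher.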