This is the 21st day of my participation in Gwen Challenge

With the development of the Internet, network security is increasingly complex and important, so today summarize some front-end related network and security knowledge points. I will expand from the core concepts of HTTP, browser loading principles, interaction technology, cross-domain, security, these five points.

HTTP Core Concepts

HTTP(/1.1) Core concepts

HTTP: HyperText Transfer Protocol HTTP is an application layer Protocol and the transport layer is TCP. Http1.1 works in half-duplex mode and is stateless

HTTP Core Concepts -HTTP Method

Verb. Req. has body Res. has body Safe Idempotent Cacheable
GET No Yes Yes Yes Yes
POST Yes Yes No No No
PUT Yes Yes No Yes No
HEAD No No Yes Yes Yes
DELETE No Yes No Yes No
OPTIONS Optional Yes Yes Yes No

HTTP core concepts -Status Code

100: Continue

101: Switch protocols

200: ok

301: Moved permanently

302: Found

304: Not modified

400: Bad Request

401: Unauthorized

403: Forbidden

404: Not found

413: Payload too large

414: Uri too long

HTTP core concepts -Request/Response Headers

1. REQUEST/response Information

  • Origin: www.baidu.com
  • Host: www.baidu.com
  • The user-agent: Mozilla / 5.0 (X11; Linux x86_64; The rv: 12.0) Gecko / 20100101 Firefox 21.0
  • Referer: www.baidu.com/a/b.html
  • Date: Tue, 15 Nov 1994 08:12:31 GMT

RESPONSE:

  • Server: Apache/against 2.4.1
  • Date: Tue, 15 Nov 1994 08:12:31 GMT
  • Allow: GET, POST

2. Content Negotiation REQUEST:

  • Accept: text/plain
  • Accept-Charset: utf-8
  • Accept-Encoding: gzip,deflate
  • Accept-Language: en-US
  • Range: bytes 500-999

RESPONSE:

  • Content-Type: application/json
  • Content-Length: 348
  • Content-Encoding: gzip
  • Content-Language: en-US
  • Content-Range: bytes 500-999
  • Content-Disposition: attachment; filename=”guide.pdf”

3. Cache control REQUEST

  • If None – Match: “737060 cd8c284d8af7ad3082f209582d”
  • If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT

RESPONSE:

  • Cache-Control: public, max-age=max
  • Expires: Wed, 21 Oct 2015 07:28:00 GMT
  • Pragma: no-cache
  • ETag: “737060 cd8c284d8af7ad3082f209582d”
  • Last-Modified: Sat, 29 Oct 1994 19:43:31 GMT
  • Vary: user-agent

4. Connect to REQUEST:

  • Connection: Upgrade
  • Upgrade: websocket
  • Expect: 100 – continue

RESPONSE:

  • Transfer – Encoding: chunked
  • Connection: keep alive
  • Location:www.baidu.com
  • Refresh: 5; www.baidu.com

5, Cookie REQUEST:

  • Cookie: PHPSESSID = 298 zf09hf012fh2; csrftoken=u32t4o3tb3gg43; _gat=1;

RESPONSE:

  • The Set – cookies: id = a3fWa; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Secure; HttpOnly

Principles of Browser loading

Principles of Browser loading

Browser add-on principle – Cache Read

 

How browsers load — Blocked

The browser HTTP1.1 Number of concurrent connections
IE 6, IE 7 2
IE 8, IE 9 6
Firefox 2 2
Firefox 3 6
Safari 3, Safari 4 4
Chrome 1,Chrome 2 6
Chrome 3 4
Chrome 4 or later 6
Opera 9.63, Opera 10.00 alpha 4
Opera 10.51 and above 8
Android 2-4 (default) 4
 
 

Optimization methods: (1), reduce the request to merge CSS, merge JS, CSS Sprite, base64 small pictures

(2) Add domain static resource server and CDN

DNS Lookup (DNS Lookup)

<meta http-equiv="x-dns-prefetch-control" content="off">  
<link rel="dns-prefetch" href="http://www.google.com">  
Copy the code

Browser add-on principle – Connect

Connect: close | keep-alive

Browser add-on principle – Receive

Optimization methods: (1) Reduce minify request, optimize picture, gZIP (2), improve network speed, increase bandwidth, CDN

Interactive technologies

Interactive technology – data interchange format

XML, JSON,

Interactive Technology – Front end -Form

<form action= "http://www.a.com/b" method="get"> <input type="text" name="name" value="Mike"> <input type="file" name="file"> </form> <! -- GET /b? Name =Mike&file=1.jpg HTTP/1.1 Host: www.a.com -->Copy the code
<form action= "http://www.a.com/b" method="post" enctype="application/x-www-form-urlencoded"> <input type="text" name="name" value="Mike"> <input type="file" name="file"> </form> <! -- POST /b HTTP/1.1 Content-length: 20 Host: www.a.com content-type: application/x-www-form-urlencoded name=Mike&file=1.jpg -->Copy the code
<form action= "http://www.a.com/b" method="post" encType ="multipart/form-data"> <input type="text" name="name" value="Mike"> <input type="file" name="file"> </form> <! -- POST /b HTTP/1.1 Content-length: 261 Host: www.baidu.com content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="name" Mike ------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="file"; filename="1.jpg" Content-Type: image/jpeg ------WebKitFormBoundary7MA4YWxkTrZu0gW-- -->Copy the code

Interactive Technology – Front end – WebSocket

(1), and HTTP

  • Passive link
  • Nonpersistent connection
  • TCP/IP
  • axios

(2), WebSocket

  • Full duplex
  • Permanent link
  • TCP/IP
  • Socket.io

Cross domain

Cross-domain – Picture ping/jsonp

  • Only GET requests can be sent
  • Limited transmission information
  • Cookie cannot be carried
  • Can’t set header

Cross domain – CORS

REQUEST:

  • GET/HTTP / 1.1 b
  • Host: www.b.com
  • Origin: www.a.com
  • X-Header: test

RESPONSE:

  • HTTP / 1.1 200 OK
  • Server: Apache / 2.0.61
  • N-Header: Test
  • Access-Control-Allow-Origin: www.a.com
  • Access-Control-Allow-Methods: GET, POST
  • –Access-Control-Allow-Headers: X-Header
  • -Access-Control-Expose-Header: N-Header
  • Access-Control-Max-Age: 1728000

Cross domain – CORS – cookies

REQUEST:

const xhr = new XMLHttpRequest();
const url = 'http://www.b.com';

xhr.open('GET', url, true);
xhr.withCredentials = true;
xhr.send();
Copy the code

RESPONSE:

HTTP/1.1 200 OK Server: Apache/2.0.61 N-header: Test access-Control-Allow-Origin: HTTP/1.1 200 OK Server: Apache/2.0.61 N-header: Test access-Control-Allow-Origin: http://www.a.com Access-Control-Allow-Methods: GET, POST Access-Control-Allow-Headers: X-Header Access-Control-Expose-Header: N-Header Access-Control-Max-Age: 1728000 Access-Control-Allow-Credentials: trueCopy the code

security

All input is untrusted

Safety – XSS

Cross Site Scripting

Example 1: Inject JS code directly in the comment box

<script>while(true) {alert(" You were attacked!" ); }</script>Copy the code

** Filter script tags

Example 2: Induced click

<img SRC =" image.jpg "onClick="alert" (' you have been attacked!! ')"> <a harf="javascript(' You have been attacked! ')"> </a>Copy the code

** Filter unsafe tag attributes/disable HTML

Example 3: Injection

<input type="text" id="name" value="${name}"> <! --name = "\"><script>alert('oops! ')</script>--> <! --name = "\" onClick=\"alert('oops!) \ "" -- >Copy the code

** All displayed fields are escaped by default

Safety – CSRF

Cross-site Request Forgery

Example: Forge A request from Site A at site B

<! -- User colleagues visiting sites A and B --> <! - B site - > < image SRC = "http://www.a.com/buy/car?id=111" > <! --or--> <form action="http://www.a.com/buy/car" method="post"> <input type="hidden" name="id" value="111"> </form>Copy the code

(1) Detect the referer (1), generate the CSRF-Token for the form (1), the server sets the CSRF-token in the cookie, and the client transmits the CSRF-Token through the custom header

That’s all for today’s sharing and welcome your valuable suggestions