HTTP protocol analysis :
HTTP Hypertext transfer protocol, the predetermined rule is a detail of mutual communication between the browser and the Web server, which is the basis for the World Wide Web information exchange, which allows an HTML document transmitted from the WEB server to the WEB browser.
URL (Uniform Resource Locator) is also known as web addresses, the Internet standard address.
The standard URL format is as follows:
Protocol: // [server IP: port] / path / [? Inquire】
Browser sends an HTTP request can make use of other tools to initiate HTTP requests, for example, linux system curl command
HTTP protocol, the latest version is 1.1, HTTP is a stateless protocol. No state is not required to establish permanent connection between the WEB server and WEB browser, which means that when a client makes a request to the server, then the WEB server returns a response (the Response), the connection is closed, the server does not retains information about the connection. In other words, HTTP requests can only be initiated by the client and the server can not send data to the client.
1.HTTP request
HTTP request includes three parts, namely a request line (request method), the request header (header message) and a request body.
POST / login.php HTTP / 1.1 // request line
HOST: www.test.com // request header
User-Agent:Mozilla/5.0(windows NT6.1;rv:15.0)Gecko/20100101 firefox/15.0
// blank line, a request on behalf of the head end
Username = admin & password = admin // request body
2.HTTP response
Corresponding to the HTTP request is an HTTP response, the HTTP response is also of three parts, namely the response line, header response (message header) and the response text (message topic).
HTTP / 1.1 200 OK // response line
Date: Thu, 28Feb 2018 01:23:37 GMT // response header
// blank line, the end of the response on behalf of the head
<Html> // call or text message subject response
Request method (all methods all uppercase) There are various methods of interpretation of each as follows:
GET: Request resource identified by Request-URL
POST: Additional new data in the resource identified by the Request-URL
HEAD: Request message in response to the resource identified by the Request-URL in a header
PUT: a storage resource request to the server, and as the Request-URL with its identity
DELETE: requests the server to delete the resource identified by the Request-URL
TRACE: echo request information requesting server received mainly used for testing or diagnosis
CONNECT: Reserved for future use
OPTIONS: Request query performance server, or other relevant resource needs and options
HTTP status code:
When the client initiates an HTTP request, the server receives, sends a response message to the client, wherein the first line of the HTTP response, the most important point is the HTTP status code.
1xx: indication information - indicates a request has been received, processing continues
2xx: Success - indicates that the request has been successfully received, understood, accepted
3xx: Redirection - to fulfill the request must go a step further
4xx: Client Error - The request has a syntax error or a request can not be achieved
5xx: Server-side Error - The server failed to achieve a legitimate request
Common status codes , state description, description:
200 OK // client request was successful
400 Bad Request // client requests a syntax error, it can not be understood by the server
401 Unauthorized // unauthorized request, the status code must be used with the WWW-Authenticate header field
403 Forbidden // server receives the request, but refused to provide services
404 Not Found // requested resource does not exist, eg: enter the wrong URL
Unexpected error 500 Internal Server Error // server occurs
503 Server Unavailable // server is currently unable to process the client's request, may return to normal after a period of time
HTTP message
Also known as HTTP HTTP message header (HTTP header), it consists of four parts, namely, a request header, response header, general header and header entity.
1> request header
Request headers appear only in the HTTP request, request header allows extensions client and the client is transmitted to the server side requests the information itself. Common HTTP request header is as follows:
HOST: mainly used to specify the Internet host and port number of the requested resource, such as: host: www.test.com: 8080
User-agent: allow clients to its operating system, browser, and other attribute tells the server
Referer: URL represents the current access on a URL, simply, from where the user came to this page
Cookie: It is a piece of text, used to represent the identity of the requester, etc.
Range: multi-threaded download will head to this request
X-forward-for: It represents the end of the IP request, there may be multiple, separated by commas
Accept: specifies the type of MIME client receives that information, such as Accept: text / html, it indicates that the client wishes to receive a text html
Accept-Charset: The character set used to specify the client received (tell the server what character set can be sent)
2> response header : HTTP header is transmitted from the server to the client upon request
1.Server: WEB server name used by the server. An attacker can avoid detection modify this header information
2.Set-Cookie: Set-Cookie to the customer service side, by looking at this camera, you can clearly see the Cookie information server to a client-initiated
3.Last-Modified: tells the browser to the server through the head, last modified resources
4.Location: The server tells the browser through this head to visit any page after the browser receives the request, usually immediately access the page Location header within the meaning of the head usually with 302 status code to use
5.Refresh: The server tells the browser Refresh head by periodically refreshing the browser
3> Normal head
In general the header, the header field for a small number of all request and response messages, but not for the entity to be transmitted only for the transmission of the message
4> entity-header
Request and response messages may be transmitted one entity. Meta entity header defines information about resources and entity body identified by the request. Meta-information that is content property of the entity, including the entity type information, length compression method, the last modification time. Common solid head as follows:
Media type entity header field for specifying the entity body of a sender: Content-Type
Content-length: the entity header field indicates the length of the entity body of a decimal number is stored in bytes to represent
Last-Modified: Last Review Date entity header field for indicating the resources and time
HTTP protocol and the HTTPS protocol differences:
It is safe HTTPS protocol aimed HTTP channel, in fact, an upgraded version of HTTP, but it is more secure than a simple HTTP protocol.
HTTPS is the secure foundation SSL, both adding SSL layer under HTTP. Data is transmitted via secure HTTPS transmission mechanism that protects the confidentiality and integrity of all data sent over the network, you can reduce the possibility of non-invasive interception attacks.
The main difference between HTTPS and HTTP as follows :
1, https protocol ca need to apply for a certificate, generally less free certificates, thus requiring a fee
2, http is the hypertext transfer protocol, information is transmitted in the clear, https is encrypted with a security ssl transfer protocol
3, http and https use is completely different connections, with the port are not the same, the former 80, the latter 443
4, http connection is very simple, is stateless: HTTPS protocol is constructed by SSL + HTTP encrypted transmission protocol, a network authentication protocol, the http protocol security than
HTTPS advantages :
Although not absolutely secure HTTPS not grasp authority root certificate to master organizational encryption algorithm can also be an intermediary form of attack, but HTTPS is still under the existing framework of the safest solutions, mainly in the following benefits:
1. using the HTTPS protocol and the server can authenticate the user, transmits data to ensure that the correct client and server
2.HTTPS protocol is constructed by SSL + HTTP encrypted transmission protocol, a network authentication protocol, the http protocol than security, to prevent data from being stolen during transmission, changes to ensure data integrity
3.HTTPS under the current framework is the most secure solution, though not absolute security, but it greatly increases the cost of attacking people
4. Google search engine algorithm adjustment in August 2014, saying "Compared to the same HTTP sites using HTTPS encrypted site's ranking in search results will be higher."
HTTPS shortcomings :
Although HTTPS have a great advantage, but relatively speaking, still shortcomings at:
1.HTTPS protocol handshake stage time-consuming, page load time will be extended by nearly 50%, an increase of 10% to 20% of power consumption
2.HTTPS connection cache as good as HTTP efficient, increases data overhead and power consumption, even existing security measures will also be affected
3.SSL certificate requires money, the more powerful the higher cost certificates, personal sites, small sites generally do not need
4.SSL certificate is usually required to bind IP, can not bind multiple domain names on the same IP, IPv4 can not support the consumption of resources
Range 5.HTTPS encryption protocol is relatively limited, in hacker attacks, denial terms of service attacks, hijacking and other servers will not achieve any effect almost. The most critical, SSL certificate credit chain system is not safe, especially in the case of some countries can control the CA root certificate, as feasible middle attack