2. HTTP Generic Message
● All of the communication between devices using the Hypertext Transfer
Protocol takes place via HTTP messages.
● There are only two types of HTTP messages : requests and responses.
● HTTP messages are text-based and loosely based on RFC 822 and 2822
message standards, and MIME standards.
3. HTTP Generic Message Format
The HTTP generic message format is as follows:
<start-line>
<message-headers>
<empty-line>
[<message-body>]
[<message-trailers>]
4. HTTP Generic Message Format
<start-line>
The start line is a special text line that conveys
the nature of the message. In a request, this line
indicates the nature of the request, in the form
of a method, as well as specifying a URI to
indicate the resource that is the object of the
request. Responses use the start line to indicate
status information in reply to a request.
<message-headers>
There are many dozens of message headers
defined in HTTP, which are organized into
groups by function as we will soon see. Almost
all of these are optional; the one exception is the
Host header, which must be present in each
request in HTTP/1.1. Headers may be sent in
any order, and all follow the same header format
used in e-mail messages:
<header-name>: <header-value>
5. HTTP Generic Message Format
[<message-body>]
The message body is optional, because it is only needed for certain types of messages.
It may carry a set of information to be communicated between the client and server, such
as a detailed error message in a response. More commonly, when present, it carries a file or
other resource, which is formally called an entity in the HTTP standard. Entities are most
often found in the body of a response message, since most client requests ask for a server
to send a file or other resource. However, they can also be found in certain requests.
6. HTTP Generic Message Format
[<message-trailers>]
HTTP/1.1 uses persistent connections by
default, so messages are sent in a steady
stream from client to server and server to
client. This requires that some means be used
to mark where one message ends and the
next begins, which is usually accomplished in
one of two ways.
● The first is using a special header that
indicates the length of the message so the
receiving device knows when the entire
message has been received.
● The second is a method called “chunking”,
where a message is broken into pieces for
transmission and the length of each piece
indicated in the message body.
When chunking is done, a set of message trailers may follow the body of the message.
Trailers are in fact the same as headers except for their position in the file, but may only
be used for entity headers.
7. Request Format
HTTP requests use a message format that is based on the generic message
format, but specific to the needs of requests.
<request-line>
<general-headers>
<request-headers>
<entity-headers>
<empty-line>
[<message-body>]
[<message-trailers>]
8. Request Format
Request Line Format :
<METHOD> <request-uri> <HTTP-VERSION>
Example - GET /login HTTP/1.1
● Method - The type of action that the client
wants the server to take.
● Request URI - Uniform Resource Identifier
● HTTP Version - Tells the server what version
of HTTP is the client using.
Headers :
● General Headers
○ These refer mainly to the message
itself, instead of it’s contents.
○ They are used to control its processing
or provide the recipient with extra
information.
● Request Headers
○ Contain information about the nature
of the client’s request. They give client
more control over how the request is
to be handled.
○ Format, encodings etc.
● Entity Headers
○ They describe the entity contained in
the body of the request, if any.
9. Response Format
HTTP responses use a message format that is based on the generic
message format, but specific to the needs of responses.
<status-line>
<general-headers>
<response-headers>
<entity-headers>
<empty-line>
[<message-body>]
[<message-trailers>]
10. Response Format
Status Line Format :
<HTTP-VERSION> <status-code> <reason-phrase>
Example - HTTP/1.0 200 OK
● HTTP Version - Tells the client what version of
HTTP is the server using.
● Status Code -
○ A three-digit number that indicates the
formal result that the server is
communicating to the client.
○ Intended for the client HTTP
implementation to process so the
Headers :
● General Headers
○ These refer mainly to the message
itself, instead of it’s contents.
● Response Headers
○ They provide additional data that
expands upon the summary result
information in the status line.
○ The server may also return extra result
information in the body of the
message, especially when an error
occurs,
● Entity Headers
○ They describe the entity contained in
the body of the response, if any.
11. What’s in an HTTP Request?
Raw Information
GET /login HTTP/1.1
Host: 127.0.0.1:5000
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/51.0.2704.106 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
12. What’s in an HTTP Request?
Source IP address, port and proxy
● Source IP address and Source port : In order to send the appropriate
response back to your computer, the web server necessarily knows your
computer's IP address and source port.
● Via and X-Forwarded-For: If the HTTP request includes the header "Via", or
"X-Forwarded-For", then that's a strong indication that there is at least one
proxy server somewhere along the line.
13. What’s in an HTTP Request?
Destination IP address, port, host and protocol
● Destination IP address tells us where the server is located.
● Port tells us which port is being used to contact the server.
● Host - Since many websites can be hosted on a single server, we need this
to identify our website.
● Protocol - The HTTP protocol being used. Eg - HTTP/1.1
14. What’s in an HTTP Request?
● Requested URI - This specifies which document is to be retrieved from the
website.
● Request method and content - The type of action that the client wants the
server to take. Eg - POST, GET.
If POST was submitted as request method, then a form is submitted. The
contents of this form would appear here.
15. What’s in an HTTP Request?
User Agent - The User-Agent header describes your web browser. Typically it
contains the browser name and version, your Operating System and version , and
possibly additional information. Eg -
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/51.0.2704.106 Safari/537.36
Accept Headers - These describe what sort of things the web browser can handle,
and what it would prefer to be given if there's a choice.
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
16. What’s in an HTTP Request?
Referer:
The "referer" header tells the page
which document referred the user
to it - in essence, if you followed a
link to get to this page, it is the URL
of the page you came from to get
here.
Cookie:
● Every time a web server provides you with a
response (a page, a graphic, etc), it can send
your browser a "cookie". These cookies are
small pieces of information which your
browser stores, and then sends back to that
same web server whenever you subsequently
request a document.
● The "contents" of the cookie (the data it
contains) can only be made up of whatever
information the web server already knew
anyway.
17. What’s in an HTTP Request?
Connection control
Connection: keep-alive
Keep-Alive: not present
These headers are used to fine-
tune the network traffic between
you and the web server. They don't
tell us much, except a little about
the capabilities of your web
browser.
Cache control
Pragma: not present
Cache-Control: not present
If-Modified-Since: not present
These headers control cacheing of the document. By
examining them the we can detect if you used your
browser's "refresh" button to force the page to reload.
For example, Mozilla (Netscape 6) sets "Cache-Control"
to "max-age=0" when you use the "reload" button. MSIE
5.5 sets it to "no-cache" if you do a "hard" reload (while
holding down the "control" key).
18. What’s in an HTTP Request?
Authorisation
Username:
If you have "logged in" to a web site, your username appears here.
This only applies to web sites which use proper HTTP authentication - a "login"
window pops up and you get three chances to enter your username and password,
otherwise you see a page which says "Authentication Required" or similar. It
doesn't apply to web sites where the "login" is a separate page.
It's also possible to supply the username and password in the URL you tell your
browser to visit - for example, http://user:password@www.example.com/. In that
case, the username would appear here too.