HTTP and HTTPS
Lecture Notes for CS 142
Spring 2013
John Ousterhout
- Additional reading for this topic: none.
HTTP: HyperText Transfer Protocol
- Used by browsers to communicate with Web servers.
- Simple request-response protocol, sent using TCP/IP sockets.
- Sample request:
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html,*/*
Accept-Language: en-us
Accept-Charset: ISO-8859-1,utf-8
Connection: keep-alive
<blank line>
- First line contains method, URL (the request target), version number
- GET method: read information from server. Should have no side
effects. Any parameters travel in the URL's query string, which means
they end up in server logs, browser history and Referer headers, so
they are not a place for secrets.
- POST method: uploads data from the browser to the server (typically
form data), returns information from the server. Likely to have
side effects. Data is in the body of the message, after the
blank line; the Content-Length header tells the server how many
bytes of body to read.
- There are several other methods defined besides these two, but
we won't use them in CS142.
- Headers: name-value pairs ("Name: value", one per line, names
case-insensitive) providing various information that may be
useful to the server.
- A request can also contain data following the headers, but the
GET method doesn't have any data (POST does, though).
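The request format described above, as an added example that is not part of the original notes: a small parser that splits a raw HTTP/1.1 request into request line, headers and body, reading exactly Content-Length bytes of body. The sample GET and POST requests, and the function and variable names (parse_request, GET_REQUEST, POST_REQUEST), are constructed for this example. It goes slightly beyond the notes by rejecting the malformed inputs a server must not guess about (no Host header, duplicate or non-numeric Content-Length, whitespace inside a header name, a body shorter than announced) and by returning whatever bytes follow the body, since on a keep-alive connection those belong to the next request.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests for this example (not taken from the notes).
GET_REQUEST = (
    b"GET /search?q=http&lang=en HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: text/html,*/*\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

POST_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=s3cret!"
)

# RFC 7230 "token": the only characters allowed in a header name. Rejecting
# anything else (in particular a space before the colon) avoids the
# ambiguous parses that request-smuggling attacks rely on.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_request(raw):
    """Split one HTTP/1.x request into its parts.

    Returns a dict with method, path, query, version, headers, body, form
    (decoded body for urlencoded POSTs) and 'remaining' (bytes after the
    body, i.e. the start of a pipelined request). Raises ValueError on
    anything malformed or incomplete.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("headers not terminated by a blank line")
    lines = head.split(b"\r\n")

    # Request line: exactly three space-separated fields.
    fields = lines[0].decode("ascii", "strict").split(" ")
    if len(fields) != 3 or not fields[2].startswith("HTTP/1."):
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = fields

    # Header lines: "Name: value". Names are case-insensitive, so store
    # them lower-cased. Repeated headers are joined with a comma, except
    # Content-Length, where two values is an error rather than a list.
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not TOKEN.match(name):
            raise ValueError("malformed header line: %r" % line)
        key = name.lower()
        value = value.strip()
        if key in headers:
            if key == "content-length":
                raise ValueError("duplicate Content-Length")
            headers[key] = headers[key] + ", " + value
        else:
            headers[key] = value
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without a Host header")

    # Body: exactly Content-Length bytes (0 if absent). Anything beyond that
    # belongs to the next request on the connection, not to this one.
    length = 0
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise ValueError("non-numeric Content-Length")
        length = int(headers["content-length"])
    if len(rest) < length:
        raise ValueError("body incomplete: %d of %d bytes received"
                         % (len(rest), length))
    body, remaining = rest[:length], rest[length:]

    url = urlsplit(target)
    form = {}
    media_type = headers.get("content-type", "").split(";")[0].strip()
    if media_type == "application/x-www-form-urlencoded":
        form = parse_qs(body.decode("latin-1"))
    return {
        "method": method,
        "path": url.path,
        "query": parse_qs(url.query),
        "version": version,
        "headers": headers,
        "body": body,
        "form": form,
        "remaining": remaining,
    }
```

Note that the parser never treats "everything that arrived" as the body: a truncated POST is reported as incomplete rather than silently processed, and extra bytes are handed back instead of being discarded.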
- Sample response:
HTTP/1.1 200 OK
Date: Thu, 24 Jul 2008 17:36:27 GMT
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Content-Length: 1846
<blank line>
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC ... >
<html ... >
...
</html>
- First line contains protocol version number, numerical status code,
textual explanation.
- Headers have same general format as for requests
- Blank line separates headers from response data.
- Response body doesn't necessarily have to be HTML; the Content-Type
header tells the browser how to interpret it.
- Redirection: causes browser to fetch a new URL in place of
the page initially requested.
- Set Location header to the new URL (absolute, or relative to the
URL that was requested).
- Return a 3xx status: 301 if the information has moved permanently,
303 to send the browser on to another page with a GET (the usual
reply to a POST, so that reloading the result doesn't resubmit the
form), 307 for a temporary redirect that keeps the original method.
- Useful if information has moved, and for POST requests.
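The response format and the redirect behaviour above, as an added example that is not part of the original notes: build_response serializes a status line, headers, blank line and body (with Content-Length measured in bytes of the encoded body), redirect produces the 3xx-plus-Location reply, parse_response reads one back, and next_request shows what the browser does with it, including the method change that makes 303 the right answer to a form POST. All names, the reason-phrase table and the sample exchange are constructed for this example; the CR/LF check in build_response is an extra guard a practitioner would want, since a Location value built from user input could otherwise inject headers.

```python
from urllib.parse import urljoin

REASON = {200: "OK", 301: "Moved Permanently", 302: "Found", 303: "See Other",
          307: "Temporary Redirect", 308: "Permanent Redirect", 404: "Not Found"}


def build_response(status, body=b"", content_type="text/html;charset=UTF-8",
                   extra_headers=()):
    """Serialize an HTTP/1.1 response: status line, headers, blank line, body."""
    if isinstance(body, str):
        body = body.encode("utf-8")   # Content-Length counts bytes, not characters
    lines = ["HTTP/1.1 %d %s" % (status, REASON.get(status, "Unknown"))]
    lines.append("Content-Type: " + content_type)
    for name, value in extra_headers:
        # A CR or LF inside a value (e.g. a Location built from user input)
        # would end the header and let the input write headers of its own.
        if "\r" in value or "\n" in value:
            raise ValueError("CR/LF in header value for %s" % name)
        lines.append("%s: %s" % (name, value))
    lines.append("Content-Length: %d" % len(body))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def redirect(location, status=303):
    """Redirect response: a 3xx status plus a Location header, empty body."""
    return build_response(status, b"", extra_headers=[("Location", location)])


def parse_response(raw):
    """Inverse of build_response: (status code, headers dict, body bytes)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("headers not terminated by a blank line")
    lines = head.decode("latin-1").split("\r\n")
    version, code, _reason = (lines[0].split(" ", 2) + [""])[:3]
    if not version.startswith("HTTP/1.") or not code.isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", len(rest)))
    return int(code), headers, rest[:length]


def next_request(method, url, status, headers):
    """What a browser does on receiving a redirect.

    Returns (method, absolute URL) of the follow-up request, or None if the
    response is not a redirect. 303 always switches to GET; browsers also
    turn a POST into a GET on 301/302; 307/308 repeat the same method.
    """
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return None
    new_url = urljoin(url, headers["location"])
    if status == 303 or (status in (301, 302) and method == "POST"):
        return ("GET", new_url)
    return (method, new_url)


# Constructed exchange: the browser POSTs a login form, the server answers
# with a 303 so that the result page is fetched with GET (reloading it does
# not resubmit the form).
LOGIN_RESPONSE = redirect("/account")
```

Use 307 only when the follow-up request really should repeat the POST body (for instance, moving a form handler to another host); for "you're logged in, now go to your account page" a 303 is what you want.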
HTTPS
- Identical to HTTP, except request and response
messages are transmitted using SSL (Secure Sockets Layer) or its
successor TLS (Transport Layer Security). The HTTP messages
themselves are unchanged; only the connection they travel over differs.
- HTTPS is used automatically for any URL beginning with "https:"
instead of "http:" (default port 443 instead of 80).
- What HTTPS does for you:
- The request and response messages are transmitted between the
browser and server in encrypted and integrity-protected form.
- This prevents snoopers on the network from reading private
information in the messages, such as passwords or credit card
numbers, and from modifying the messages without being detected.
- A certificate exchange allows the browser to identify the server
it is communicating with: the server proves it holds the private key
for a certificate, issued by an authority the browser trusts, whose
name matches the host in the URL. HTTPS doesn't normally help the
server to identify the browser (TLS client certificates exist but are
rarely used for ordinary Web sites; the server identifies users with
passwords and cookies instead).
- HTTPS does not guarantee that the browser and server can
trust each other. You just know which server you are talking to and
that no-one else is listening or tampering; a fraudulent site can
have a perfectly valid certificate.
- HTTPS requires additional server setup: must obtain a certificate
that identifies the server to the browser, and keep the matching
private key secret on the server.
- In designing Web applications you must use HTTPS
whenever private data is being transmitted, such as passwords or
credit card numbers. The cookie that identifies a logged-in session
is private data too: if it is ever sent over plain HTTP, a snooper can
replay it and take over the session. In practice this means serving
the whole application over HTTPS, not just the login page.
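The client side of the certificate exchange above, as an added example that is not part of the original notes: an HTTPS GET written with Python's socket and ssl modules so that the pieces are visible. The HTTP bytes are exactly those of a plain request; only the socket is wrapped in TLS. make_client_context shows the settings a browser effectively uses (require a certificate, check it against trusted authorities, check its name against the host) beside the "ignore certificate errors" shortcut that keeps the encryption but throws away the identification, which is the part that stops a man-in-the-middle. The function names are constructed for this example; https_get needs network access and is not exercised by the offline checks.

```python
import socket
import ssl


def make_client_context(verify=True):
    """TLS settings for an HTTPS client.

    verify=True is what a browser does: require a certificate, check that
    it chains to a trusted authority, and check that its name matches the
    host we asked for. verify=False reproduces the common "ignore
    certificate errors" shortcut: the traffic is still encrypted, but to
    whoever answered the connection, so a man-in-the-middle presenting a
    self-signed certificate reads everything.
    """
    ctx = ssl.create_default_context()   # system trust store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 3.0 / TLS 1.0 / 1.1 are broken
    if not verify:
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_summary(ctx):
    """Plain-data view of the settings that decide whether HTTPS is safe."""
    return {
        "requires_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_version": ctx.minimum_version.name,
    }


def build_get(host, path="/"):
    """The request bytes are the same as for plain HTTP; only the socket differs."""
    return ("GET %s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "Connection: close\r\n"
            "\r\n" % (path, host)).encode("ascii")


def https_get(host, path="/", port=443, context=None, timeout=10):
    """Fetch a page over HTTPS with the raw socket API (needs network access).

    wrap_socket runs the TLS handshake, including the certificate exchange;
    server_hostname supplies the name used for the hostname check (and for
    SNI). A certificate problem raises ssl.SSLCertVerificationError before
    a single request byte is sent, which is the behaviour you want.
    """
    ctx = context if context is not None else make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_get(host, path))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print(context_summary(make_client_context()))
    print(context_summary(make_client_context(verify=False)))
    # print(https_get("www.example.com", "/")[:200])  # uncomment with network access
```

If you ever find verify=False (or its equivalent in another HTTP library) in application code, treat it as a bug: it silently turns "I know I'm talking to the bank" into "I'm talking to whoever is on the wire".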