
Blockchain Nanodegree Prerequisites, Part 1: HTTP & Web Servers (3b)

谈秦斩
2023-12-01

Lesson 3: HTTP in the Real World #2

Concurrency

  • http.server can only handle one request at a time, so the bookmark server cannot fetch a page from itself.
  • Concurrency: being able to handle two ongoing tasks at the same time.

Add:

import threading
from socketserver import ThreadingMixIn

class ThreadHTTPServer(ThreadingMixIn, http.server.HTTPServer):
    "This is an HTTPServer that supports thread-based concurrency."

Modify:

if __name__ == '__main__':
    port = int(os.environ.get('PORT', 8000))
    server_address = ('', port)
    httpd = ThreadHTTPServer(server_address, Shortener)
    httpd.serve_forever()

Static Content Web Server

Specialized web server programs, like Apache, Nginx, or IIS, can serve static content from disk storage very quickly and efficiently. They can also provide access control, allowing only authenticated users to download particular static content.

  • Request routing (reverse proxying): A specialized web server can dispatch requests to the particular backend servers that need to handle each request.
  • Load balancing: splitting requests up among several servers
  • Concurrent users
  • Caching: make use of a temporary storage for resources that are likely to be reused; handled by cache control headers
  • Capacity

Cookies

A cookie is a way for a server to ask a browser to retain a piece of information and send it back to the server when the browser makes subsequent requests.

  • The server sends back a response with a Set-Cookie header, which contains a cookie name, a value, and some attributes.
  • Attributes could be:
    • name, content
    • domain, path
    • Secure, HttpOnly
    • creation time, expiration time (Expires)/Max-Age

from http.cookies import SimpleCookie, CookieError

out_cookie = SimpleCookie()
out_cookie["bearname"] = "Smokey Bear"
out_cookie["bearname"]["max-age"] = 600      # lifetime in seconds
out_cookie["bearname"]["httponly"] = True    # hide the cookie from page JavaScript
# Inside a request handler, after send_response() and before end_headers():
self.send_header("Set-Cookie", out_cookie["bearname"].OutputString())

Create a SimpleCookie from the Cookie header:

in_cookie = SimpleCookie(self.headers["Cookie"])
in_data = in_cookie["bearname"].value

  • If a request does not have a cookie in it, accessing the Cookie header will raise a KeyError exception.
  • If the cookie is not valid, the SimpleCookie constructor will raise http.cookies.CookieError.

For a lot more information on cookie handling in Python, see the documentation for the http.cookies module.
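
An added example, not part of the original course notes: it builds the bearname cookie with both the Secure and HttpOnly attributes listed above, reports which of the two a given Set-Cookie value lacks, and reads an incoming Cookie header without letting a missing or invalid cookie fail the request. The function names and the sample header string are assumptions made for this illustration.

```python
from http.cookies import SimpleCookie, CookieError


def build_set_cookie(name, value, max_age=600):
    """Build a Set-Cookie header value with both protective flags set."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["max-age"] = max_age
    morsel["httponly"] = True  # not exposed to scripts running in the page
    morsel["secure"] = True    # browser returns it only over HTTPS
    return morsel.OutputString()


def missing_flags(set_cookie_value):
    """Return (cookie name, flag) pairs for protective flags that are absent."""
    findings = []
    for name, morsel in SimpleCookie(set_cookie_value).items():
        for flag in ("secure", "httponly"):
            if not morsel[flag]:
                findings.append((name, flag))
    return findings


def read_cookie(cookie_header, name):
    """Return the named cookie's value, or None when it is absent or invalid.

    cookie_header is the raw Cookie request header; it may be None.
    """
    if not cookie_header:
        return None
    try:
        return SimpleCookie(cookie_header)[name].value
    except (KeyError, CookieError):
        return None  # treat as "no cookie" instead of failing the request


# Constructed sample: equivalent to the header value the snippet above emits
# (HttpOnly is set, Secure is not).
PAGE_COOKIE = 'bearname="Smokey Bear"; HttpOnly; Max-Age=600'

if __name__ == "__main__":
    print(missing_flags(PAGE_COOKIE))
    print(build_set_cookie("bearname", "Smokey Bear"))
    print(read_cookie('bearname="Smokey Bear"', "bearname"))
```

A cookie marked Secure is only sent back over HTTPS, which ties it to the TLS section that follows.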

Exercise: A server that remembers you

The starter code for this exercise is in Lesson-3/2_CookieServer.

HTTPS for security

HTTPS encryption follows a standard protocol called Transport Layer Security (TLS).

  • It keeps the connection private by encrypting everything sent over it. Only the server and browser should be able to read what’s being sent.
  • It lets the browser authenticate the server. For instance, when a user accesses https://www.udacity.com/, they can be sure that the response they’re seeing is really from Udacity’s servers and not from an impostor.
  • It helps protect the integrity of the data sent over that connection — checking that it has not been (accidentally or deliberately) modified or replaced.

How does TLS assure privacy?

The data in the TLS certificate and the server’s private key are mathematically related to each other through a system called public-key cryptography.

How does TLS assure authentication?

When the browser connects to a particular server, if the TLS domain metadata doesn’t match the DNS domain, the browser will reject the certificate and put up a big scary warning to tell the user that something fishy is going on.
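
An added example, not part of the original course notes: a simplified version of the name comparison described above, checking the DNS names listed in a certificate against the hostname the client asked for. Real clients leave this check to their TLS library; the function names and the certificate name list are constructed for illustration, and the wildcard handling (whole left-most label only, exactly one label) is a simplification that ignores public-suffix rules.

```python
def name_matches(cert_name, hostname):
    """True if one DNS name from a certificate covers the requested hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard stands in for exactly one label
    if cert_labels[0] == "*":
        # Wildcard only as the whole left-most label, with a real domain after it.
        if len(cert_labels) < 3 or any("*" in label for label in cert_labels[1:]):
            return False
        return cert_labels[1:] == host_labels[1:]
    if any("*" in label for label in cert_labels):
        return False  # partial wildcards such as "w*.example.com" are refused
    return cert_labels == host_labels


def certificate_covers(cert_dns_names, hostname):
    """True if any name in the certificate covers the hostname being visited."""
    return any(name_matches(name, hostname) for name in cert_dns_names)


# Constructed sample: DNS names a certificate might list.
CERT_NAMES = ["example.com", "*.example.com"]

if __name__ == "__main__":
    for host in ("www.example.com", "a.b.example.com",
                 "www.example.com.impostor.test"):
        verdict = "accept" if certificate_covers(CERT_NAMES, host) else "reject"
        print(host, "->", verdict)
```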

How does TLS assure integrity?

Every request and response sent over a TLS connection is sent with a message authentication code (MAC) that the other end of the connection can verify to make sure that the message hasn’t been altered or damaged in transit.

Other HTTP Methods

PUT for creating resources

The HTTP PUT method can be used for creating a new resource. The client sends the URI path that it wants to create, and a piece of data in the request body.

A server should respond to a PUT request with a 201 Created status code, if the PUT action completed successfully. After a successful PUT, a GET request to the same URI should return the newly created resource.

DELETE for deleting things

After a DELETE has happened successfully, further GET requests for that resource will yield 404 Not Found.

PATCH for making changes

One standardized format for PATCH requests is the JSON Patch format, which expresses changes to a piece of JSON data. A different one is JSON Merge Patch.

HEAD, OPTIONS, TRACE for debugging

  • HEAD works just like GET, except the server doesn’t return any content — just headers.
  • OPTIONS can be used to find out what features the server supports.
  • TRACE echoes back what the server received from the client — but is often disabled for security reasons.

HTTP/2

HTTP/1.0

  • Headers
  • POST Requests
  • Status Codes
  • Content-type

HTTP/1.1

  • Cache Controls
  • Range Requests (resuming downloads)
  • Transfer Encodings (compression)
  • Persistent Connection
  • Chunked Messages
  • Host Header (multiple sites per IP address)

HTTP/2

  • Multiplexing (many requests at once)
  • Better Compression
  • Server Push

You can read much more about HTTP/2 in the HTTP/2 FAQ.

Exercise: Multiple connections

Lesson-3/3_Parallelometer

Multiplexing

The browser can send several requests all at once, and the server can send responses as quickly as it can get to them. There’s no limit on how many can be in flight at once.

Server push

Server push allows the server to say, effectively, “If you’re asking for index.html, I know you’re going to ask for style.css too, so I’m going to send it along as well.”

Resources

  • Mozilla Developer Network’s HTTP index page contains a variety of tutorial and reference materials on every aspect of HTTP.
  • The standards documents for HTTP/1.1 start at RFC 7230. The language of Internet standards tends to be a little difficult, but these are the official description of how it’s supposed to work.
  • The standards documents for HTTP/2 are at https://http2.github.io/.
  • If you already run your own web site, Let’s Encrypt is a great site to learn about HTTPS in a hands-on way, by creating your own HTTPS certificates and installing them on your site.
  • HTTP Spy is a neat little Chrome extension that will show you the headers and request information for every request your browser makes.