HTTP Google Technical Residency Study Guide
HTTP stands for Hypertext Transfer Protocol. It is a stateless, application-layer protocol for communicating between distributed systems, and it is the foundation for the modern web.
HTTP allows communication between who?
Variety of hosts and servers. It supports a mixture of network configurations.
Does it keep state between different message exchanges?
No. It knows very little about a particular system.
What transport layer is usually used?
Communication usually occurs over TCP/IP but any transport can be used.
What is the default port for TCP/IP?
Port 80 but other ports can be used and it can be set explicitly in URL.
How does communication between a host and client occur?
Via a request/response pair. The client initiates an HTTP request message, this is serviced through a HTTP response message in return.
What is the current version of the protocol?
HTTP/1.1. This has newer features like persistent connections, chunked transfer-coding, and fine-grained caching headers.
What do URLs stand for and what are they used for?
Request messages are sent via Uniform Resource Locators.
What are URLs?
URLs are addresses used to access web servers and resources on them. The resource path is the local path to the resource on the server.
What is the protocol usually used for URLs?
Typically http but also https for secure communications.
What are HTTP verbs?
The action that should be performed on the host, which is in the URL.
What are the most common HTTP request verbs?
GET, POST, PUT, DELETE.
What does request verb GET request?
Fetch an existing resource. The URL contains the necessary info the server needs to locate and return the resource.
What does the verb POST request?
Create a new resource. POST requests usually carry a payload that specifies the data for a new resource.
What does the verb PUT request?
Update an existing resource. The payload may contain the updated data for the resource.
What does the verb DELETE request?
Deletes an existing resource.
PUT and DELETE are special versions of what verb?
The POST verb. They may be packaged as POST requests with the exact action: create, update, or delete.
What does the HEAD request verb do?
Retrieve the server headers for a particular reason, generally to check if the resource has changed via timestamps. Similar to GET but without the message body.
What does the TRACE request verb do?
Retrieves the hops that a request takes to round trip from the server. Each intermediate proxy or gateway would inject its IP or DNS name into the Via header field. Used for diagnostic purposes.
What does the OPTIONS request verb do?
Retrieves the server capabilities. On the client-side, it can be used to modify the request based on what server can support.
How does the server respond to the client requests (URL and verbs)?
Responds with status codes and message payloads. The status code tells the client how to interpret the server response. The HTTP spec defines certain number ranges for specific types of responses.
Informational Messages. All HTTP/1.1 clients are required to accept the Transfer-Encoding header. The server can send an Expect: 100-continue message, telling the client to continue sending the remainder of the request or ignore if already sent. (HTTP/1.0 clients are supposed to ignore this header.)
Successful. Tells the client that this response was accepted but may not include the resource in the response. Most common code is 200 OK.
Request was accepted but may not include the resource in response. Useful for async processing on server side. Server may choose to send info for monitoring.
204 No Content
There is no message body in the response.
205 Reset content
indicates to the client to reset its document view
206 Partial Content
Indicates the response only contains partial content
Requires client to take additional action. The most common use-case is to jump to a different URL in order to fetch the resource.
What does 404 indicate?
The resource is invalid and does not exist on the server.
301 Moved Permanently
The resource is now located at a new URL.
303 See Other
The resource is temporarily located at a new URL. The Location response header contains the temporary URL.
304 Not Modified
The server has determined that the resource has not changed and the client should use its cached copy. This relies on the fact that the client is sending ETag (Entity Tag) information that is a hash of the content. The server compares this with its own computed ETag to check for modifications.
4xx: Client Error
Used when the server thinks that the client is at fault, either by requesting an invalid resource or making a bad request.
Most popular code in 4xx class?
404 Not Found. Indicates resource is invalid and doesn't exist on server.
400 Bad Request
The request was malformed.
Request requires authentication. The client can repeat the request with the Authorization header. If the client already included the Authorization header, the credentials were wrong then.
Server has denied access to the resource
405 Method Not Allowed
Invalid HTTP verb used in request line or the server does not support that verb.
The server could not complete the request because the client is trying to modify the resource
5xx Server Error
Used to indicate a server failure while processing the request.
Most commonly used error code
500 Internal Server Error
501 Not Implemented
the server does not yet support the requested functionality
503 Service Unavailable
if an internal system on the server has failed or the server is overloaded. Typically the server won't even respond and the request will timeout.
Types of headers
general, request specific, response specific, entity headers
What is the structure of the body of a message?
Can contain the complete entity data or it may be piecemeal if chunked encoding (Transfer-encoding: chunked) is used. All HTTP/1.1 clients are required to accept the Transfer-Encoding header.
Most commonly used pragma-directive?
Pragma: no-cache (which is actually Cache-Control: no-cache under HTTP/1.1)
Can custom headers also be created and sent by the client?
Yes! They will be treated as entity headers by the HTTP protocol.
Is ExpressJS a server side framework?
What are the two primary tasks when dealing with HTTP messages?
1. Reading URL fragments and request headers
2. Write response headers and body (ExpressJS provides the API for this)
How is Ruby on Rails different from ExpressJS?
The request and response messages are mostly the same except for the first line and message headers
In Rails, which modules provide the API for handling request and response messages?
ActionController and ActionDispatch
What does ActionController do?
provides a high level API to read the request URL, render output and redirect to a different end-point
How is an end-point (aka route) handled by ActionController?
as an action method
What type of library is jQuery Ajax?
client-side library (its Ajax API provides opposite of a server framework)
What is jQuery Ajax for?
allows you to read response messages and modify request messages
How is a settings object used in jQuery Ajax?
settings object is passed with the beforeSend callback, allowing modification of the request headers. The callback receives the jqXHR (jQuery XMLHttpRequest) object that exposes a method, called setRequestHeader() to set headers
What must happen before communication between client and server?
A connection must be established
What does HTTP use to make a connection b/w client and server?
TCP (Transmission Control Protocol) protocol (by default, port 80)
How is a TCP stream used?
It is broken into IP (internet protocol) packets and ensures the packets always arrive in correct order without fail
What is HTTPS?
A secure version of HTTP, inserting extra layer between HTTP and TCP called TLS or SSL (Transport Layer Security or Secure Sockets layer)
What port does HTTPS communicate over?
port 443 by default
How is an HTTP connection identified?
By <source-IP, source-port> and <destination-IP, destination-port>
How is HTTP application identified on the client side?
by <IP, port> tuple
What does establishing a connection between 2 endpoints involve?
- resolve IP address from host name via DNS
- establish a connection with the server
- send a request
- wait for a request
- close connection
Which side is responsible for responding with correct headers and responses?
How many transactions occurred before closing a connection in HTTP/1.0?
only 1 (if client wanted to request 3 images from the same server, it made 3 separate connections to remote host)
What are persistent connections?
long-lived connections that stay open until client closes them
What request header must be set to make single transaction connection?
Connection: close request header (tells server to close connection after sending response)
What are parallel connections?
technique browsers/clients employ to minimize network delays
What do parallel connections involve?
creating a pool of connections (usually capped at 6) - if 6 assets are needed to download from a website, the client makes six parallel connections to download these (faster turnaround - improvement over serial connections)
How does a server listen for incoming connections and process them when receiving a request?
- establishes a socket to start listening on port 80
- receives the request and parses the messages
- sets the response headers
- sends response to the client
- closes the connection if a Connection: close request header was found
(this is in realm of identification and authentication)
What are the different ways to know who connects to a server for tracking an app's or site's usage?
- Request headers - From, Referer, User-Agent
- Client-IP - the IP address of the client
- Fat URLs - storing state of the current user by modifying the URL and redirecting to a different URL on each click; each click accumulates state
- cookies - most popular and non-intrusive approach
How do cookies allow the server to attach arbitrary information for outgoing responses?
Set-Cookie response header - a cookie is set with one or more name=value pairs separated by ; (Set-Cookie: session-id=12345ABC; username=nettuts)
Can a server restrict cookies to a specific domain and path?
Yes! and it can make them persistent with an expires value
Are cookies automatically sent by the browser for each request made for a server?
Yes. The browser ensures that only the domain- and path- specific cookies are sent in the request.
What is the request header used to send cookies to the server?
Cookie: name=value [; name2=value2]
What is the best way to identify a user?
require them to sign up and log in but implementing this requires effort by developer as well as user
What is the rudimentary form of authentication that HTTP supports called?
Basic Authentication and Digest Authentication (more secure)
How does Basic Authentication work?
The server initially denies the client's request with a WWW-Authenticate response header and a 401 Unauthorized status code. The Browser displays a login dialog, prompting username and password after seeing the header. The info is sent in a base-64 encoded format in the authentication request header. Some servers might also send Authentication-Info header containing additional authentication details.
What is Proxy Authentication?
The authentication is challenged by an intermediate proxy. The proxy sends a Proxy-Authenticate header with a 407 Unauthorized status code. In return, the client is supposed to send the credentials via the Proxy-Authorization request header.
What is Digest Authentication?
It's similar to Basic and uses same technique with the WWW-Authenticate and Authorization headers but Digest uses more secure hashing function to encrypt the username and password (usually MD5 or KD). Altho Digest Authentication is more secure than Basic, websites usually use Basic bc of its simplicity. For security, Basic Auth is used with SSL.
What type of encryption does SSL use?
It uses RSA and public-key cryptography (ubiquitous standards-based Public-Key Infrastructure (PKI) been underway)
To make a web app work over HTTPS what do you need?
You need a working digital certificate deployed on the server.
What are certificates or "certs" issued by?
a Certificate Authority and vouch for your identity on the web (CAs are the guardians of the PKI)
What is the most common form of certificates?
X.509 v3 standard
What info does the X.509 v3 standard certificate hold?
- certificate issuer
- algorithm used for the certificate
- subject name or organization for whom this cert is created
- public key information for the subject
- Certification Authority Signature, using the specified signing algorithm
What happens with certificates when a client makes a request over HTTPS?
It first tries to locate a certificate on the server. If the cert is found, it tries to verify it against its known list of CAs. If it's not one of the listed CAs, it might show a dialog to the user warning about the website's certificate. After the certificate is verified, the SSL handshake is complete and secure transmission is in effect.
What are the benefits to a cache?
It saves time, cost and bandwidth, and provides an improved experience on the web.
What are the two types of caches?
1. Private - within a browser, caches usernames, passwords, URLs, browsing history and web content (small and specific to a user)
2. Public - deployed as caching proxies b/w server and client. These are larger bc they serve multiple users. (common practice = keeping multiple caching proxies b/w client and origin-server which helps serve frequently accessed content while allowing trip to server for infrequently needed content)
How does cache processing work?
1. Receive request message
2. Parse the URL and headers
3. Lookup a local copy; otherwise, fetch and store locally
4. Do a freshness check to determine the age of the content in the cache; make a request to refresh the content only if necessary
5. Create the response from the cached body and updated headers
6. Send the response back to the client
7. Optionally, log the transaction
How does server respond if the document has not changed?
respond with 304 Not Modified
How does server respond if the cached copy has expired?
It should generate a new response with updated response headers and return a 200 OK
How does server respond if the resource is deleted?
respond with 404 Not Found
How do we minimize network delays?
With parallel connections and persistent connections
What is document expiration?
when HTTP allows an origin-server to attach an expiration date to each document using the Cache-Control and Expires response headers
What happens when a document expires?
the cache must check with the server for a newer copy and update its local copy accordingly
Why is the HTTP/1.0 Expires response header bad?
It specifies the value of an absolute date and it only works if the server clocks are in sync with the client, which is a bad assumption to make!
What header is used to specify age/for expiration?
Cache-Control: max-age=<5>. Max-age = relative age (in seconds) from the time the response was created.
What is server revalidation (happens once a cached document expires)
The cache must revalidate with the server to check if the document has changed. It serves as a querying mechanism for the stale-ness of a document. (Document could be the same even if it's after expiration)
What allows distributed systems to maintain copies with an expiration date?
combination of document expiration and server revalidation
What two kinds of request-headers allow the revalidation step to be accomplished?
If-Modified-Since and If-None-Match
What is If-Modified-Since request-header?
date-based validation that uses Last-Modified response header
What does If-None-Match use?
Entity-Tags or a hash of the content that uses the ETag response header
What response headers are used to set the expiration on documents?
Cache-Control (has different values to contain how client should be caching the response) and Expiration (not a reliable solution) response headers
What does the Cache-Control: no-cache response mean?
the client is allowed to store the document but it has to be revalidated with the server on every request (HTTP/1.0 Pragma: no-cache)
Cache-Control: no-store
stronger than no-cache and tells client to not store the document
tells client to bypass its freshness calculation and always revalidate with the server (not allowed to serve cached response if server is unavailable)
sets relative expiration (in seconds) from the time the response is generated
What happens if the server doesn't send a Cache-Control header?
Client is free to use its own heuristic expiration algo to determine freshness
Can cachability be specified by the client?
Yes. (using Cache-Control header)
Cache-Control: min-fresh=<s> (Client)
document must be fresh for at least <s> seconds
Cache-Control: max-stale or Cache-Control: max-stale=<s> (Client)
document cannot be served from the cache if it has been stale for longer than <s> seconds
Cache-Control: max-age=<s> (Client)
cache cannot return a document that has been cached longer than <s> seconds
Cache-Control: no-cache or Pragma: no-cache (Client)
client will not accept a cached resource unless it has been revalidated