HTTP&HTTPS
- HTTP: HTTP->TCP
- HTTPS: http - > SSL / TLS (encryption / decryption) - > TCP
1.HTTP
- HyperText Transfer Protocol is an application layer protocol for distributed, cooperative and hypermedia information systems. Simply put, it is a method of publishing and receiving HTML pages, which is used to transfer information between Web browsers and Web servers.
- By default, it works on port 80 of TCP protocol. The standard HTTP service starts with http: / / when users visit the website.
- The content is sent in clear text without any data encryption. If the attacker intercepts the transmission message between the Web browser and the website server, he can directly read the information. Therefore, the HTTP protocol is not suitable for transmitting some sensitive information, such as credit card number, password and other payment information.
- Brief communication process: establish connection - > send request packet - > return response packet - > close connection
2.HTTPS
- Hypertext transfer protocol secure (Hypertext Transfer Protocol Secure) is a transmission protocol for secure communication through computer network. HTTPS communicates via HTTP, but encrypts packets using SSL/TLS. The main purpose of HTTPS development is to provide identity authentication for website server and protect the privacy and integrity of exchange data.
- By default, it works on TCP protocol port 443. The workflow is generally as follows:
TCP triple synchronous handshake
Client authentication server digital certificate
DH algorithm negotiates the key of symmetric encryption algorithm and the key of hash algorithm
SSL secure encryption tunnel negotiation completed
Web pages are transmitted in an encrypted manner, encrypted with a negotiated symmetric encryption algorithm and key to ensure data confidentiality; The negotiated hash algorithm is used for data integrity protection to ensure that the data is not tampered with.
3. Difference between HTTP and HTTPS
- For HTTP plaintext transmission, the data is unencrypted and has poor security. The HTTPS (SSL+HTTP) data transmission process is encrypted and has good security.
- To use HTTPS protocol, you need to apply for a certificate from CA (Certificate Authority). Generally, there are few free certificates, so you need to pay a certain fee. Certification authorities such as Symantec, Comodo, GoDaddy and GlobalSign.
- The response speed of HTTP page is faster than that of HTTPS, mainly because HTTP uses TCP three-time handshake to establish a connection, and the client and server need to exchange three packets. In addition to the three packets of TCP, HTTPS also needs nine packets for ssl handshake, so there are 12 packets in total.
- HTTP and HTTPS use completely different connection modes and different ports. The former is 80 and the latter is 443.
- HTTPS is actually an HTTP protocol built on SSL/TLS. Therefore, HTTPS consumes more server resources than http.
Request packet data format
- Request line: request type / request resource path, protocol version and type
- Request header: some key value pairs can be sent between the browser and the web server, with a specific meaning
- Blank line: the request header is separated from the request body by a blank line
- Request body: data to be sent (generally used for post submission); Example: user = 123 & pass = 123
Example:
#Request Headers POST /adduser HTTP/1.1 Host: localhost:8030 Connection: keep-alive Content-Length: 16 Pragma: no-cache Cache-Control: no-cache Origin: chrome-extension://fdmmgilgnpjigdojojpjoooidkmcomcm User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36 Content-Type: application/x-www-form-urlencoded Accept: */ * Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Form Data name=name&age=11
1. Request line
The request line consists of three Tags: request method and request URL and HTTP Version, they are shared with spaces. For example: GET /index.html HTTP/1.1 HTTP The plan defines eight possible request methods: GET: retrieval URL A simple request to identify resources in HEAD: And GET The method is the same. The server only returns the status line and header, and does not return the request document POST: The server accepts a request to write data to the client output stream PUT: The server saves the requested data as the specified URL Request for new content DELETE: Server delete URL Requests for resources in commands OPTIONS: Request for information about the request method supported by the server TRACE: web Server feedback Http Request and its header CONNECT : A documented but not implemented method is reserved for tunneling
2. Request header
By keyword/It is composed of value pairs, one pair per line, and keywords and values are shared with colons. The request header notifies the server of the functionality and identity of the client. HOST: Host or domain name address Accept: It refers to the browser or other acceptable to customers MIME File format. Servlet It can be used to determine and return the appropriate file format. User-Agent: Is the client browser name Host: Corresponding website URL Medium Web Name and port number. Accept-Langeuage: Indicate the language types that the browser can accept, such as en or en-us,Refers to English. connection: Used to tell the server whether it can maintain a fixed HTTP connect. http Is disconnected, HTTP/1.1 use Keep-Alive Is the default, so that when the browser needs multiple files(Like one HTML Files and related drawing files),You don't need to establish a connection every time Cookie: The browser uses this property to send to the server Cookie. Cookie It is a small data body registered in the browser. It can record user information related to the server and can also be used to realize the session function. Referer: Indicates the web page that generated the request URL. Such as from the web page/icconcept/index.jsp Click a link to the web page/icwork/search,When sending to the server GET/icwork/search In the request in, Referer yes http://hostname:8080/icconcept/index.jsp. This property can be used to track what website the Web request comes from. Content-Type: Table name request The content type of the. Can use HttpServletRequest of getContentType()Method. Accept-Charset: Indicates the character encoding acceptable to the browser. The default value for English browsers is ISO-8859-1. Accept-Encoding: Indicates the encoding method acceptable to the browser. The encoding method is different from the file format. It is to compress the file and speed up the file transfer speed. Browser received Web The response is decoded before checking the file format.
3. Blank line
The last request header is followed by an empty line. Send a carriage return and a return line to notify the server that there is no header below.
4. Request data
use POST Transmission, the most commonly used is Content-Type and Content-Length Header.
Response returns the datagram data format
A response consists of four parts; Status line, response header, blank line, response data.
- Status line: protocol version, status code and status description in digital form. Each element is separated by a space
- Response header: including server type, date, length, content type, etc
- Blank line: the response header and the response body are separated by blank lines
- Response data: the browser will take out the data in the entity content and generate the corresponding page
1.HTTP response code
1xx: Message, request received, continue processing 2xx: Successful behavior is successfully accepted, understood and adopted 3xx: Redirection, an action that must be performed further in order to complete the request 4xx: Client error 5xx: Server error 200 Existing file 403 Existing folder 3xx May exist 404 No files and folders exist 500 May exist
2. Response header
Like request headers, they indicate the functionality of the server and identify the details of the response data.
3. Blank line
The last response header is followed by an empty line. Send a carriage return and a return line, indicating that there is no header below the server.
4. Response data
HTML Documents and images, that is HTML Itself.