http protocol core knowledge

Posted by snrecords on Wed, 09 Feb 2022 11:41:21 +0100

Write in front

This is the core knowledge of http protocol. The knowledge involved includes the separation of front and rear ends, common http problems, distributed login solution JWT, etc. it can be used to review the treasure book of eight part essay and deepen the knowledge. It is recommended that you read it in the mode of breaking through the customs, and then check the omissions and fill the gaps according to the content. You are welcome to ask questions and learn from each other.

It was done before

  1. Click the core knowledge of javase to learn the new version
  2. Necessary core knowledge of concurrent programming, click to learn
  3. Message queue of Middleware
  4. Mysql core knowledge

Follow up also like update

  1. Spring mybatis core knowledge points
  2. Core knowledge points of distributed cache

http protocol core knowledge

Knowledge points 1 What are HTTP methods and their usage scenarios
http1.0 defines three types:

GET: Obtain resources from the server, such as common query requests

POST: A request sent to submit data to a server

Head: and get Similarly, there is no specific content in the returned response, which is used to obtain the header

http1.1 defines six

PUT: It is generally used for updating requests, such as updating personal information and commodity information

PATCH: PUT Method supplement,Update partial data of the specified resource

DELETE: Used to delete the specified resource

OPTIONS: Get server supported HTTP Request method,Server performance, cross domain inspection, etc

CONNECT: The function of this method is to use the server as a springboard to let the server visit other web pages instead of users, and then return the data to users in original form. This method is basically not used in web page development. If it is http The proxy will use this to let the server proxy users to access other web pages, similar to intermediaries

TRACE: Echo the request received by the server, which is mainly used for testing or diagnosis

Knowledge points 2 Common http status code analysis
When the browser requests from the server, there is a status code in the message header of the server response, indicating the status of the request result

  • 1XX: after receiving the request, the requester needs to continue to perform the operation, which is less used

  • 2XX: request succeeded, common 200

  • 3XX: redirection. After getting the status code returned by the server, the browser will automatically jump to a new URL address, which can be obtained from the Location header of the response;
    Benefits: website revision, domain name migration, etc. multiple domain names point to the same master site
    You must remember: 301: permanent jump, such as domain name expiration, change domain name 302: temporary jump

  • 4XX: customer service side error, request contains syntax error or cannot complete the request
    It must be remembered that:
    400: request error, such as syntax protocol
    403: no access
    404: the interface or file corresponding to this path cannot be found
    405: this method is not allowed to submit. For example, the interface must be in POST mode, and you use GET

  • 5XX: there was an error on the server. The server made an error while processing the request
    It must be remembered that:
    500: the server reported an internal error and could not complete the request
    503: server downtime

Knowledge points 3 The difference and relation between cookie and Session

cookie The data is saved on the client, session The data is saved on the server
cookie It's not very safe and easy to leak. It can't directly store information in plaintext
Cookie Limited size and number of storage 

Knowledge points 4 Common login solutions for distributed business scenarios JWT
What is JWT

    JWT Is an open standard, which defines a simple, self-contained method for communication between two parties JSON Method for safely transmitting information in the form of object. have access to HMAC Algorithm or RSA Sign the public key pair

    JWT Format composition header, payload, signature

            Header: mainly describes the signature algorithm
            Load: it mainly describes the information of the encrypted object, such as the information of the user id And so on, you can also add some things in the specification, such as iss Issued by, exp Expiration time, sub User oriented
            Signature: it mainly encrypts the first two parts to prevent others from getting it token conduct base Tampering after decryption token

        Produced token It can contain basic information, such as id,The user's nickname, avatar and other information shall be avoided from searching the database again
        It is stored on the client side and does not occupy the memory resources of the server side. It is verified by encryption and decryption, which can better improve performance and save space in distributed services

        token Is through base64 Encoding, so it can be decoded, so token Objects before encryption should not contain sensitive information, such as user permissions, passwords, etc
        If there is no server storage, the login invalidation cannot be handled unless the server changes the secret key

Generated token,Can be stored in cookie,localstorage and sessionStorage inside

Knowledge points 5 The browser inputs a url to the user to see the result. What is the general process in the middle

 1. Browser input url, analysis url Is the address legal
 2. The browser checks whether there is a cache, If there is a direct display. If not, skip to step 3.
 3. Sending http Domain name resolution is required before the request( DNS Parse), parse and obtain the corresponding ip Address.
 4. Browser initiates to server tcp Link, done tcp Three handshakes
 5. After the handshake is successful, the browser sends a message to the server http request
 6. The server receives the processed request and returns the data to the browser
 7. Browser received http Response.
 8. The browser parses the response. If the response can be cached, it is stored in the cache
 9. Browser for page rendering

Knowledge points 6 Browser homology policy
The Same origin policy is a kind of agreement. It is the core and basic security function of the browser. If the Same origin policy is missing, the normal functions of the browser may be affected.

A famous security policy proposed by Netscape.

When the two tab pages of a browser are opened to Baidu and Google respectively, when the baidu tab page of the browser executes a script, it will check which page the script belongs to, that is, check whether it is homologous. Only scripts homologous to Baidu will be executed.
If it is not from the same source, when requesting data, the browser will report an exception in the console and prompt that access is denied. The homology strategy is the behavior of the browser to protect the local data from being polluted by the data obtained by JavaScript code. Therefore, what is intercepted is the data reception of the request sent by the client, that is, the request is sent, the server responds, but it cannot be received by the browser

Knowledge points 7 Why does cross domain occur? What are the common solutions

Cross domain: Browser homology policy in 1995, the homology policy was established by Netscape The company introduced browsers. At present, all browsers implement this policy. Initially, it meant, A Web page settings Cookie,B Web pages cannot be opened unless these two pages"Homology". so-called"Homology"refer to"The three are the same"

Same agreement  http https
 Same domain name
 Same port 80 81

Bottom line: when a browser requests resources of another domain name from a web page of one domain name, any difference in domain name, port and protocol is cross domain

Browser console cross domain prompt:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.



  • The page layer is wrapped with another layer of services. At present, nodejs is the most

  • Http response header configuration allows cross domain

        1.nginx proxy server 
        2. Backend program code configuration

For more details, please refer to the blog:
http super details, click to read

Topics: Java server http