👌🏻 🗜️ ‼️ HTTPWTF. Tidak biasa dalam protokol konvensional 🐐 ⚾️ 👩🏽‍💻

Approx. terjemahan. : Artikel ini ditulis oleh penulis Open Source HTTP Toolkit , dirancang untuk menyelidiki dan mengubah lalu lintas HTTP (S) untuk keperluan debugging dan pengujian. Materi berisi fitur luar biasa dari standar HTTP, yang telah hidup bersama kami selama bertahun-tahun, tetapi tidak semua orang menebak tentang keberadaannya.

Protokol HTTP sangat penting untuk semua pengembangan modern, dari frontend hingga backend hingga sistem seluler. Tapi seperti standar dewasa lainnya yang tersebar luas, ia memiliki beberapa kerangka aneh yang tersimpan di lemari.

— , , — , ( ), . , …

No-cache «»

, - HTTP . — no-cache

private

. , HTTP- ?

Cache-Control: private, no-cache

« », — ? --, !

: «, , ». , , .

, no-cache

, , , CDN , If-Match

If-Modified-Since

, , . private

, , , CDN -.

, , , , «» - . no-store

.

Cache-Control: no-store

, , . , — , . , max-age=0

.

, Twitter . Pragma: no-cache

( ) Cache-Control: no-store

, (DM) . , , , . .

HTTP Trailers

, HTTP- (headers). HTTP- , URL ( ) / ( ), / , (headers), (body).

, trailer' ?

, , , ( ). , , .

API- gRPC . , trailer' Server-Timing, . . Trailer' , , HTTP-.

, , , . , :

trailer' TE: trailers

.
trailer', : Trailer: <field names>

.
trailer', Content-Length

, Cache-Control

, Authorization

, Host

, , .

HTTP/1.1 chunked

. , HTTP/2 , .

trailer' HTTP/1.1 :

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Trailer: My-Trailer-Field

[...chunked response body...]

My-Trailer-Field: some-extra-metadata

HTTP 1XX

, HTTP- ? 1 (200, 404 ). .

1 : 100, 101, 102, 103. , :

HTTP 100

HTTP 100 — , .

. , , . , .

, Expect: 100-continue

. , 100 , .

Expect: 100-continue

, ( «» ). URL- , (, ), HTTP 100 — . , 100, . .

HTTP 101

HTTP 101 . : « URL , ». — .

-. , :

Connection: upgrade
Upgrade: websocket

, :

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: upgrade

HTTP raw- - .

101 HTTP/1.1 HTTP/2 . HTTP- TCP.

, HTTP/2 : - ( — - HTTP/1.1).

HTTP 102

HTTP 102 , . 100 , , .

, , - ( , , «»). HTTP, .

, , .

HTTP 103

, HTTP 103 — ( ) , push- HTTP/2 ( Chrome).

HTTP 103 — , . , Link: </style.css>; rel=preload; as=style

, ( , JS- -), .

, , . HTTP 103 , .

Referer

HTTP- Referer

, URL- . , .

referer — . , Unix referer referrer ( ). , , , , , .

, ( , , ), .

, /, , Referrer-Policy

, .

«» UUID -

XKCD ke topik. Komentar dalam kode itu berbunyi: “Diperoleh dengan lemparan tulang. Ini dijamin acak. " — XKCD . : « . »

, HTTP 101 -. :

GET /chat HTTP/1.1
Host: server.example.com
Upgrade: websocket
Connection: upgrade
Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==
Sec-WebSocket-Protocol: chat, superchat
Sec-WebSocket-Version: 13
Origin: http://example.com

… , -, — :

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: upgrade
Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=
Sec-WebSocket-Protocol: chat

Sec-WebSocket-Accept

. websocket-, , , , . :

-, base64;
UUID 258EAFA5-E914-47DA-95CA-C5AB0DC85B11;
, base64 .

. UUID, -? , base64, , base64?

, , , -. , , websocket- .

. , ( ), , websocket- «» UUID.

- CORS

-: , CORS single-origin, HTTP-?

CORS , JavaScript a.com b.com, .

. , ( - ) ( cookies ).

, - CORS, , websocket- , Origin

. , , , , .

, .

, WebSocket API, Origin

/ CSRF, .

X-*

- ( 1982-) RFC , X-

— .

, HTTP-.

— HTTP-:

X-Shenanigans: none

— API Twilio. , , , .
X-Clacks-Overhead: GNU Terry Pratchett

— ; « ».
X-Requested-With: XMLHttpRequest

— JS-, jQuery, AJAX- ( ).
X-Recruiting: <- >

— , , HTTP.
X-Powered-By: <>

— , ( ). , .
X-Http-Method-Override

— , - ( /). , .
X-Forwarded-For: <ip>

— - IP- upstream-.

- , , RFC (2011) .

, . , ( X-

), «» , X-

( ).

, :

- , Content-Type: application/x-www-form-url-encoded

.
RFC HTTP 1997 , content-encoding

, , x-gzip

x-compress

gzip

compress

.
- X-Frame-Options

Frame-Options

.
X-Content-Type-Options

, X-DNS-Prefetch-Control

, X-XSS-Protection

X-Forwarded-*

CDN/. .

, , - . , , (namespacing).

— , HTTP ( ). / Twitter.

P.S.

«3 Linux»;
« swap' [ Linux]: »;
« ».

HTTPWTF. Tidak biasa dalam protokol konvensional