Lesson 3: HTTP in the Real World #2
Concurrency
http.server can only handle one request at a time, so the bookmarker server cannot fetch a page from itself.
- Concurrency: being able to handle two ongoing tasks at the same time.
Add:
import os            # already imported in the starter file
import http.server   # already imported in the starter file
import threading
from socketserver import ThreadingMixIn

class ThreadHTTPServer(ThreadingMixIn, http.server.HTTPServer):
    "This is an HTTPServer that supports thread-based concurrency."

Modify (Shortener is the existing request handler class):
if __name__ == '__main__':
    port = int(os.environ.get('PORT', 8000))
    server_address = ('', port)
    httpd = ThreadHTTPServer(server_address, Shortener)
    httpd.serve_forever()
Static Content Web Server
Specialized web server programs, like Apache, Nginx, or IIS, can serve static content from disk storage very quickly and efficiently. They can also provide access control, allowing only authenticated users to download particular static content.
- Request routing (reverse proxying): A specialized web server can dispatch requests to the particular backend servers that need to handle each request.
- Load balancing: splitting requests up among several servers
- Concurrent users
- Caching: make use of a temporary storage for resources that are likely to be reused; handled by cache control headers
- Capacity
Cookies
A way that a server can ask a browser to retain a piece of information, and send it back to the server when the browser makes subsequent requests
- server sends back a response with a Set-Cookie header, which contains: a cookie name, a value, and some attributes.
- attributes could be:
- name, content
- domain, path
- Secure, HttpOnly
- creation time, expiration time (Expires)/Max-Age
# Inside a request handler method, while sending the response headers:
from http.cookies import SimpleCookie, CookieError
out_cookie = SimpleCookie()
out_cookie["bearname"] = "Smokey Bear"
out_cookie["bearname"]["max-age"] = 600
out_cookie["bearname"]["httponly"] = True
self.send_header("Set-Cookie", out_cookie["bearname"].OutputString())
Create a SimpleCookie from the Cookie header:
in_cookie = SimpleCookie(self.headers["Cookie"])
in_data = in_cookie["bearname"].value
- If a request does not have a cookie in it, looking up the Cookie header will raise a KeyError exception.
- If the cookie is not valid, the SimpleCookie constructor will raise http.cookies.CookieError.
For a lot more information on cookie handling in Python, see the documentation for the http.cookies module.
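The set/read flow above, with both failure modes handled, as an added example (not part of the course notes). The cookie name bearname and the Max-Age of 600 come from the notes; the Secure flag, the Path, and the helper names build_set_cookie and read_cookie are my additions. The request headers in the usage are constructed.

```python
from http.cookies import SimpleCookie, CookieError

COOKIE_NAME = "bearname"  # cookie name used in the notes above


def build_set_cookie(value, max_age=600, path="/"):
    """Return the Set-Cookie header value for a session-style cookie.

    HttpOnly keeps page scripts from reading it, Secure keeps the browser
    from sending it over plain HTTP, and Max-Age bounds its lifetime.
    """
    out_cookie = SimpleCookie()
    out_cookie[COOKIE_NAME] = value
    morsel = out_cookie[COOKIE_NAME]
    morsel["max-age"] = max_age
    morsel["path"] = path
    morsel["httponly"] = True
    morsel["secure"] = True  # assumption: the site is served over HTTPS
    return morsel.OutputString()


def read_cookie(headers, name=COOKIE_NAME):
    """Return the named cookie's value from a request, or None.

    `headers` is any mapping with .get(), e.g. a handler's self.headers.
    The Cookie header is client-controlled input, so both failure modes
    from the notes are handled: no such cookie (KeyError) and a malformed
    cookie string (CookieError). Only the value is returned; it is still
    untrusted data and must be validated by the caller.
    """
    raw = headers.get("Cookie")
    if not raw:  # no Cookie header at all
        return None
    try:
        return SimpleCookie(raw)[name].value
    except (KeyError, CookieError):
        return None


if __name__ == "__main__":
    print("Set-Cookie:", build_set_cookie("Smokey Bear"))
    # Constructed request headers, as a browser would echo the cookie back.
    print(read_cookie({"Cookie": 'other=1; bearname="Smokey Bear"'}))
    print(read_cookie({}))  # no cookie sent -> None
```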
Exercise: A server that remembers you
The starter code for this exercise is in Lesson-3/2_CookieServer.
HTTPS for security
HTTPS encryption follows a standard protocol called Transport Layer Security (TLS).
- It keeps the connection private by encrypting everything sent over it. Only the server and browser should be able to read what’s being sent.
- It lets the browser authenticate the server. For instance, when a user accesses https://www.udacity.com/, they can be sure that the response they’re seeing is really from Udacity’s servers and not from an impostor.
- It helps protect the integrity of the data sent over that connection — checking that it has not been (accidentally or deliberately) modified or replaced.
How does TLS assure privacy?
The data in the TLS certificate and the server's private key are mathematically related to each other through a system called public-key cryptography.
How does TLS assure authentication?
When the browser connects to a particular server, if the TLS domain metadata doesn’t match the DNS domain, the browser will reject the certificate and put up a big scary warning to tell the user that something fishy is going on.
How does TLS assure integrity?
Every request and response sent over a TLS connection is sent with a message authentication code (MAC) that the other end of the connection can verify to make sure that the message hasn’t been altered or damaged in transit.
Other HTTP Methods
PUT for creating resources
The HTTP PUT method can be used for creating a new resource. The client sends the URI path that it wants to create, and a piece of data in the request body.
A server should respond to a PUT request with a 201 Created status code if the PUT action completed successfully. After a successful PUT, a GET request to the same URI should return the newly created resource.
DELETE for deleting things
After a DELETE has happened successfully, further GET requests for that resource will yield 404 Not Found.
PATCH for making changes
One standardized format for PATCH requests is the JSON Patch format, which expresses changes to a piece of JSON data. A different one is JSON Merge Patch.
HEAD, OPTIONS, TRACE for debugging
HEAD works just like GET, except the server doesn’t return any content — just headers. OPTIONS can be used to find out what features the server supports. TRACE echoes back what the server received from the client — but is often disabled for security reasons.
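The PUT / GET / DELETE semantics above, served by the thread-based ThreadHTTPServer from the Concurrency section, as an added example (not the course's code). The notes specify 201 Created for a new PUT and 404 Not Found after a DELETE; 200 for replacing an existing resource, 204 for a successful DELETE, and the names ResourceStore and ResourceHandler are my choices.

```python
import http.server
import threading
from socketserver import ThreadingMixIn

class ResourceStore:
    # In-memory resources keyed by URI path, shared by all handler threads.
    # Status codes follow the notes: 201 Created on a new PUT, 404 Not Found
    # once a resource is gone (200 for a replace and 204 for DELETE assumed).
    def __init__(self):
        self._data = {}
        self._lock = threading.Lock()  # handlers run on several threads

    def put(self, path, body):
        with self._lock:
            created = path not in self._data
            self._data[path] = body
        return 201 if created else 200

    def get(self, path):
        with self._lock:
            body = self._data.get(path)
        return (200, body) if body is not None else (404, b"")

    def delete(self, path):
        with self._lock:
            return 204 if self._data.pop(path, None) is not None else 404

STORE = ResourceStore()

class ResourceHandler(http.server.BaseHTTPRequestHandler):
    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        # Read exactly Content-Length bytes; the body is the new resource.
        length = int(self.headers.get("Content-Length", 0))
        self._reply(STORE.put(self.path, self.rfile.read(length)))

    def do_GET(self):
        self._reply(*STORE.get(self.path))

    def do_DELETE(self):
        self._reply(STORE.delete(self.path))

class ThreadHTTPServer(ThreadingMixIn, http.server.HTTPServer):
    "HTTPServer that handles each request on its own thread."

if __name__ == "__main__":
    ThreadHTTPServer(("", 8000), ResourceHandler).serve_forever()
```

Run it and exercise it with any HTTP client: a PUT to /bears/1 answers 201, a following GET returns the body you sent, and after a DELETE the same GET answers 404.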
HTTP/2
HTTP/1.0
- Headers
- POST Requests
- Status Codes
- Content-type
HTTP/1.1
- Cache Controls
- Range Requests (resuming downloads)
- Transfer Encodings (compression)
- Persistent Connection
- Chunked Messages
- Host Header (multiple sites per IP address)
HTTP/2
- Multiplexing (many requests at once)
- Better Compression
- Server Push
You can read much more about HTTP/2 in the HTTP/2 FAQ.
Exercise: Multiple connections
Lesson-3/3_Parallelometer
Multiplexing
The browser can send several requests all at once, and the server can send responses as quickly as it can get to them. There’s no limit on how many can be in flight at once.
Server push
Server push allows the server to say, effectively, “If you’re asking for index.html, I know you’re going to ask for style.css too, so I’m going to send it along as well.”
Resources
- Mozilla Developer Network’s HTTP index page contains a variety of tutorial and reference materials on every aspect of HTTP.
- The standards documents for HTTP/1.1 start at RFC 7230. The language of Internet standards tends to be a little difficult, but these are the official description of how it’s supposed to work.
- The standards documents for HTTP/2 are at https://http2.github.io/.
- If you already run your own web site, Let’s Encrypt is a great site to learn about HTTPS in a hands-on way, by creating your own HTTPS certificates and installing them on your site.
- HTTP Spy is a neat little Chrome extension that will show you the headers and request information for every request your browser makes.