This presentation is an HTML5 site.
➜ ~ ping www.google.fr
PING www.google.fr (74.125.230.247) 56(84) bytes of data.
...
^C
➜ ~ telnet 74.125.230.247 80
Trying 74.125.230.247...
Connected to 74.125.230.247.
Escape character is '^]'.
GET / HTTP/1.1
Host: www.google.fr

HTTP/1.1 200 OK
Date: Fri, 02 Dec 2011 15:03:11 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 4386
Set-Cookie: ...
Server: gws

<!doctype html><html><head>...
A URI identifies.
A URL identifies and locates.
A URN identifies and names.
Last-Modified, Pragma, Expires and compression
Host, mandatory in HTTP/1.1 (allowing several web sites to be served from the same IP address)
Content negotiation (Accept, Accept-Language, Accept-Charset), a step towards REST
Connection: keep-alive, persistent connections that allow pipelining
Transfer-Encoding: chunked (one example is "real-time" use such as the first web chats)
GET / HTTP/1.1
Host: www.exemple.org
...

HTTP/1.1 200 OK
Content-type: text/html
Set-Cookie: name=value
...

GET /page.html HTTP/1.1
Host: www.exemple.org
Cookie: name=value
...
Set-Cookie: LSID=DQAAAK…Eaem_vYg; Domain=docs.foo.com; Path=/accounts; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly
Set-Cookie: HSID=AYQEVn….DKrdst; Domain=.foo.com; Path=/; Expires=Wed, 13-Jan-2021 22:23:01 GMT; HttpOnly
Set-Cookie: SSID=Ap4P….GTEq; Domain=.foo.com; Path=/; Expires=Wed, 13-Jan-2021 22:23:01 GMT; Secure; HttpOnly
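Added example, not part of the presentation: which of the cookies set above a browser would actually send on a later request, applying the Domain, Path and Secure rules of RFC 6265. The cookie values, the origin URL and the request URLs are constructed; HttpOnly is deliberately ignored, because it only hides a cookie from document.cookie and does nothing to stop it being sent over plain HTTP.

```python
# Added example (not from the slides): which stored cookies a browser sends
# on a request, applying the Domain, Path and Secure rules of RFC 6265.
# Cookie values and URLs are constructed for the demonstration.
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Split 'name=value; Domain=.foo.com; Path=/; Secure' into its parts."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def default_path(request_path):
    """Path used when Set-Cookie has no Path attribute (RFC 6265 5.1.4):
    the directory of the URL that set the cookie."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]


def domain_matches(host, cookie_domain):
    """A leading dot is ignored; the host must equal the domain or be a subdomain."""
    d = cookie_domain.lower().lstrip(".")
    h = host.lower()
    return h == d or h.endswith("." + d)


def path_matches(request_path, cookie_path):
    """Exact match, or cookie_path is a prefix that ends at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_is_sent(set_cookie, origin_url, request_url):
    """Would a cookie stored from a response at origin_url be sent to request_url?"""
    _, _, attrs = parse_set_cookie(set_cookie)
    origin, target = urlsplit(origin_url), urlsplit(request_url)
    if "domain" in attrs:
        if not domain_matches(target.hostname, attrs["domain"]):
            return False
    elif target.hostname.lower() != origin.hostname.lower():
        return False  # host-only cookie: exact host, no subdomains
    cookie_path = attrs.get("path") or default_path(origin.path)
    if not path_matches(target.path or "/", cookie_path):
        return False
    if "secure" in attrs and target.scheme != "https":
        return False  # Secure cookies never travel over plain HTTP
    return True


def cookie_header(set_cookies, origin_url, request_url):
    """The Cookie request header the browser would build, '' if nothing applies."""
    sent = []
    for header in set_cookies:
        name, value, _ = parse_set_cookie(header)
        if cookie_is_sent(header, origin_url, request_url):
            sent.append(f"{name}={value}")
    return "; ".join(sent)


# Constructed jar modelled on the three Set-Cookie headers of the slide.
JAR = [
    "LSID=lsid-value; Domain=docs.foo.com; Path=/accounts; Secure; HttpOnly",
    "HSID=hsid-value; Domain=.foo.com; Path=/; HttpOnly",
    "SSID=ssid-value; Domain=.foo.com; Path=/; Secure; HttpOnly",
]
ORIGIN = "https://docs.foo.com/accounts/login"
```

Note that `Domain=.foo.com` makes HSID and SSID reach every host under foo.com, while LSID stays confined to docs.foo.com and to paths under /accounts; only the Secure attribute keeps LSID and SSID off plain-HTTP requests.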
Demo on blog.valtech.fr with LiveHTTPHeaders and telnet
GET / HTTP/1.1
Host: www.exemple.org
Accept: text/html; q=1.0, text/*; q=0.8, image/gif; q=0.6, image/jpeg; q=0.6, image/*; q=0.5, */*; q=0.1
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate
Accept-Language: fr-FR; q=1.0, en; q=0.5
...

HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Length: 25719
Content-type: text/html; charset=UTF-8
Content-Language: en-US
...

GET /shops/all/address HTTP/1.1
Host: www.exemple.org
Accept: application/json; q=1.0, text/xml; q=0.8
Accept-Charset: ISO-8859-1,utf-8; q=0.7, *; q=0.3
Accept-Encoding: gzip,deflate
Accept-Language: fr-FR; q=1.0, en; q=0.5
...

HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Length: 25719
Content-type: application/json; charset=utf-8
Content-Language: en-US
...
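Added example, not part of the presentation: the server side of the negotiation shown above. The q-values of Accept and Accept-Language are parsed, the most specific matching range decides the quality of each candidate representation, and q=0 refuses one; the Accept headers are the slide's, the lists of available representations are constructed. With the slide's Accept-Language and only en-US available, the result is the Content-Language: en-US the responses above carry.

```python
# Added example (not from the slides): content negotiation with q-values
# (RFC 7231 5.3). Candidate lists are constructed.


def parse_accept(header):
    """'text/html; q=1.0, text/*; q=0.8, */*; q=0.1'
    -> [('text/html', 1.0), ('text/*', 0.8), ('*/*', 0.1)]"""
    ranges = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        q = 1.0  # default when no q parameter is present
        for param in parts[1:]:
            key, _, val = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 0.0  # malformed q: treat as refused, not preferred
        ranges.append((parts[0].lower(), min(max(q, 0.0), 1.0)))
    return ranges


def media_matches(pattern, media_type):
    pt, _, ps = pattern.partition("/")
    mt, _, ms = media_type.lower().partition("/")
    return pt in ("*", mt) and ps in ("*", ms)


def media_rank(pattern):
    """*/* (0) < type/* (1) < type/subtype (2): most specific range wins."""
    t, _, s = pattern.partition("/")
    return 0 if t == "*" else 1 if s == "*" else 2


def language_matches(pattern, tag):
    """RFC 4647 basic filtering: 'en' matches 'en' and 'en-US', not 'eng'."""
    tag = tag.lower()
    return pattern == "*" or tag == pattern or tag.startswith(pattern + "-")


def language_rank(pattern):
    return 0 if pattern == "*" else len(pattern.split("-"))


def negotiate(header, available, matches, rank):
    """Return the candidate the client rates highest, or None, which means
    406 Not Acceptable. Ties keep the server's order in `available`."""
    ranges = parse_accept(header)
    best, best_q = None, 0.0
    for candidate in available:
        hits = [(rank(p), q) for p, q in ranges if matches(p, candidate)]
        q = max(hits)[1] if hits else 0.0
        if q > best_q:
            best, best_q = candidate, q
    return best


def choose_media_type(accept, available):
    return negotiate(accept, available, media_matches, media_rank)


def choose_language(accept_language, available):
    return negotiate(accept_language, available, language_matches, language_rank)
```

A response chosen this way must carry Vary: Accept (and Vary: Accept-Language) so that a shared cache does not hand the JSON variant to the next client that asked for HTML.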
HEAD /2390/2253727548_a413c88ab3_s.jpg HTTP/1.1
Host: farm3.static.flickr.com

HTTP/1.0 200 OK
Date: Mon, 05 May 2008 00:33:14 GMT
Server: Apache/2.0.52 (Red Hat)
Accept-Ranges: bytes
Content-Length: 3980
Content-Type: image/jpeg

GET /2390/2253727548_a413c88ab3_s.jpg HTTP/1.1
Host: farm3.static.flickr.com
Range: bytes=0-999

HTTP/1.0 206 Partial Content
Date: Mon, 05 May 2008 00:36:57 GMT
Server: Apache/2.0.52 (Red Hat)
Accept-Ranges: bytes
Content-Length: 1000
Content-Range: bytes 0-999/3980
Content-Type: image/jpeg
...
Date: Tue, 04 Sep 2012 09:24:26 GMT
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Date: mandatory!
Expires > now(): cached until the given date, then revalidated
Expires == now(): stored, but revalidated on the next request
Expires < now(), or an invalid value such as Expires: -1: already expired, so the stored copy cannot be served without revalidation (to forbid storing it at all, use Cache-Control: no-store)
Cache-Control: private: may only be stored by the client's own cache, never by a shared (proxy) cache
Cache-Control: public: may be stored by client and proxy caches
Cache-Control: no-cache: may be stored by client and proxy caches, but must be revalidated with the origin before every reuse
Cache-Control: no-cache="Set-Cookie": do not store or serve this header field from cache; the rest of the response stays cacheable
Cache-Control: no-store: storage by any client or proxy cache is forbidden
Cache-Control: must-revalidate: once expired, the copy must be revalidated and never served stale
Cache-Control: proxy-revalidate: same, but only for proxies (shared caches)
Cache-Control: max-age=xxx: relative lifetime in seconds, counted from the Date header
Cache-Control: s-maxage=xxx: same, but only for proxies; for them it overrides max-age and Expires
Cache-Control: no-transform: proxies must not modify the resource (no recompression, no image recoding)
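Added example, not part of the presentation: a function that turns the Date, Expires and Cache-Control rules listed above into a cache's concrete obligations, for a private cache (browser) and a shared one (proxy). The header sets are constructed from the slides' examples, and the current time is passed in so the result does not depend on the clock.

```python
# Added example (not from the slides): what a cache may do with a response,
# following HTTP/1.1 caching rules (RFC 7234). Headers are constructed.
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """'private, max-age=0, no-cache="Set-Cookie"' ->
    {'private': None, 'max-age': '0', 'no-cache': 'Set-Cookie'}
    Quoted arguments may contain commas, so a plain split on ',' is not enough."""
    directives = {}
    for name, arg in re.findall(r'([\w-]+)\s*(?:=\s*("[^"]*"|[^,\s]*))?', value):
        directives[name.lower()] = arg.strip('"') or None
    return directives


def http_date(value):
    """Parse an HTTP-date; 'Expires: -1' or any other invalid value yields None,
    which RFC 7234 5.3 says must be treated as already expired."""
    try:
        return parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None


def cache_policy(headers, now, shared=False):
    """Describe the cache's obligations for one response:
    store        may the response be stored at all
    fresh_for    seconds of freshness left at `now` (<= 0: stale), None if unknown
    revalidate   must the cache revalidate before reusing the stored copy
    serve_stale  may a stale copy be served when the origin is unreachable
    strip        header fields that must not be stored (no-cache="field")"""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or (shared and "private" in cc):
        return {"store": False}
    # Date is mandatory; if it is missing, fall back to the reception time.
    date = http_date(h.get("date", "")) or now

    if shared and cc.get("s-maxage") is not None:
        lifetime = int(cc["s-maxage"])
    elif cc.get("max-age") is not None:
        lifetime = int(cc["max-age"])
    elif "expires" in h:
        expires = http_date(h["expires"])
        lifetime = 0 if expires is None else int((expires - date).total_seconds())
    else:
        lifetime = None  # no explicit freshness: be conservative, revalidate

    age = int((now - date).total_seconds())
    fresh_for = None if lifetime is None else lifetime - age
    always = "no-cache" in cc and cc["no-cache"] is None
    strict = "must-revalidate" in cc or (shared and "proxy-revalidate" in cc)
    fields = (cc.get("no-cache") or "").split(",")
    return {
        "store": True,
        "fresh_for": fresh_for,
        "revalidate": always or fresh_for is None or fresh_for <= 0,
        "serve_stale": not (always or strict),
        "strip": [f.strip().lower() for f in fields if f.strip()],
    }


# The Date of the slide's example, as an aware datetime.
NOW = datetime(2012, 9, 4, 9, 24, 26, tzinfo=timezone.utc)
```

Run against the Google response captured at the start of the presentation (Cache-Control: private, max-age=0, Expires: -1), a proxy must not store it at all and the browser may keep it only as a copy to revalidate.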
GET /logo.png HTTP/1.1
...

HTTP/1.1 200 OK
Date: Mon, 03 Sep 2012 15:05:20 GMT
Expires: Mon, 03 Sep 2012 15:05:20 GMT
Last-Modified: Mon, 02 Apr 2012 02:13:37 GMT
...

GET /logo.png HTTP/1.1
If-Modified-Since: Mon, 02 Apr 2012 02:13:37 GMT
...

HTTP/1.1 304 Not Modified
Date: Mon, 03 Sep 2012 15:07:07 GMT
Expires: Mon, 03 Sep 2012 15:07:07 GMT
...

GET /logo.png HTTP/1.1
...

HTTP/1.1 200 OK
Date: Mon, 03 Sep 2012 15:05:20 GMT
ETag: "8eca4-205f-17b94c"
...

GET /logo.png HTTP/1.1
If-None-Match: "8eca4-205f-17b94c"
...

HTTP/1.1 304 Not Modified
Date: Mon, 03 Sep 2012 15:07:07 GMT
ETag: "8eca4-205f-17b94c"
...

GET /file.js HTTP/1.1
Accept-Encoding: gzip, deflate
...

HTTP/1.1 200 OK
Content-Encoding: gzip
Date: Thu, 06 Sep 2012 13:56:47 GMT
Expires: Thu, 13 Sep 2012 13:56:47 GMT
ETag: M0-0eb75f26
Vary: Accept-Encoding
...

GET /shops/all/address HTTP/1.1
Host: www.exemple.org
Accept: application/json
Accept-Language: fr-FR; q=1.0, en; q=0.5
...

HTTP/1.1 200 OK
Content-type: application/json; charset=utf-8
Content-Language: en-US
Vary: Accept,Accept-Language
...
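Added example, not part of the presentation: the server side of the conditional requests shown above. The resource is constructed (a stand-in for /logo.png, with the slide's Last-Modified date) and carries a strong ETag derived from its bytes; the handler answers 304 Not Modified when the client's validator is current, giving If-None-Match precedence over If-Modified-Since as RFC 7232 requires, and otherwise returns the body, gzipped when Accept-Encoding allows it, with Vary: Accept-Encoding so caches key on that header.

```python
# Added example (not from the slides): ETag / Last-Modified validation and
# Vary: Accept-Encoding on the server side. The resource is constructed.
import gzip
import hashlib
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime


class Resource:
    def __init__(self, body, last_modified):
        self.body = body
        self.last_modified = last_modified  # aware UTC datetime, whole seconds
        # Strong validator: changes whenever the bytes change.
        self.etag = '"%s"' % hashlib.sha256(body).hexdigest()[:16]


def etag_matches(header_value, etag):
    """If-None-Match is '*' or a list of entity tags; 'W/' marks a weak tag,
    which the weak comparison used for GET still treats as a match."""
    if header_value.strip() == "*":
        return True
    for tag in header_value.split(","):
        tag = tag.strip()
        if tag.startswith("W/"):
            tag = tag[2:]
        if tag == etag:
            return True
    return False


def accepts_gzip(accept_encoding):
    codings = [c.strip().split(";")[0].lower() for c in accept_encoding.split(",")]
    return "gzip" in codings


def handle_get(request_headers, resource):
    """Return (status, response_headers, body) for a GET of `resource`."""
    h = {k.lower(): v for k, v in request_headers.items()}
    response = {
        "ETag": resource.etag,
        "Last-Modified": format_datetime(resource.last_modified, usegmt=True),
        "Vary": "Accept-Encoding",
    }
    if "if-none-match" in h:  # takes precedence over If-Modified-Since
        unchanged = etag_matches(h["if-none-match"], resource.etag)
    elif "if-modified-since" in h:
        try:
            since = parsedate_to_datetime(h["if-modified-since"])
            unchanged = resource.last_modified <= since
        except (TypeError, ValueError):
            unchanged = False  # unparsable date: ignore the precondition
    else:
        unchanged = False
    if unchanged:
        return 304, response, b""
    body = resource.body
    if accepts_gzip(h.get("accept-encoding", "")):
        body = gzip.compress(body)
        response["Content-Encoding"] = "gzip"
    response["Content-Length"] = str(len(body))
    return 200, response, body


def decode_body(response_headers, body):
    """Client side: undo Content-Encoding before using the bytes."""
    if response_headers.get("Content-Encoding") == "gzip":
        return gzip.decompress(body)
    return body


# Constructed resource standing in for /logo.png of the slide.
LOGO = Resource(b"\x89PNG constructed logo bytes",
                datetime(2012, 4, 2, 2, 13, 37, tzinfo=timezone.utc))
```

The ETag is computed from the bytes rather than from inode, size and mtime, so two servers behind a load balancer produce the same tag for the same file and a client never gets a spurious 200 because it hit a different node.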
Expires, or Cache-Control: max-age
Last-Modified, or ETag, to allow conditional requests
Cache-Control: public (otherwise no caching in Firefox)
Vary: Accept-Encoding when the Content-Encoding varies, Vary: Accept when the Content-Type does, and more generally Vary on every Accept* field used for content negotiation
GET /private/index.html HTTP/1.1
Host: www.exemple.org
...

HTTP/1.1 401 Authorization Required
Content-type: text/html
WWW-Authenticate: Basic realm="Secure Area"
...

GET /private/index.html HTTP/1.1
Host: www.exemple.org
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

HTTP/1.1 401 Authorization Required
Content-type: text/html
WWW-Authenticate: Digest realm="testrealm@host.com", qop="auth, auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"
...

GET /private/index.html HTTP/1.1
Host: www.exemple.org
Authorization: Digest username="gpaul", realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/private/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"
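Added example, not part of the presentation: the computations behind the two Authorization headers above, on both sides. Basic is nothing more than base64 of user:password, which anyone on the path can decode (the slide's token is "Aladdin:open sesame"), so it needs TLS. Digest (RFC 2617, qop=auth) sends an MD5 hash bound to the server nonce and the request instead of the password. The values are checked against the RFC 2617 section 3.5 example (user Mufasa, password "Circle Of Life", URI /dir/index.html), whose nonce, cnonce and opaque the slide's request reuses; the user database is constructed.

```python
# Added example (not from the slides): Basic and Digest authentication,
# client computation and server verification. MD5 is what RFC 2617
# specifies; that weakness is one reason Digest has been superseded by
# TLS with Basic or bearer tokens.
import base64
import hashlib
import hmac
import re


def basic_authorization(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_auth_params(value):
    """Parse the key="value" / key=value list that follows the scheme name in
    WWW-Authenticate and Authorization. Quoted values may contain commas,
    e.g. qop="auth, auth-int"."""
    return {k: q or u for k, q, u in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value)}


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_authorization(user, password, challenge, method, uri, nc, cnonce):
    """Client side: build the Authorization header from a 'Digest ...' challenge."""
    p = parse_auth_params(challenge.split(" ", 1)[1])
    offered = [q.strip() for q in p.get("qop", "auth").split(",")]
    if "auth" not in offered:
        raise ValueError("only qop=auth is implemented here")
    response = digest_response(user, password, p["realm"], method, uri, p["nonce"], nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, nc=%s, '
            'cnonce="%s", response="%s", opaque="%s"'
            % (user, p["realm"], p["nonce"], uri, nc, cnonce, response, p.get("opaque", "")))


def verify_digest(authorization, method, lookup_password):
    """Server side: recompute the response from the stored password and
    compare in constant time. Returns the username on success, None otherwise.
    A real server must also check that the nonce is one it issued recently
    and that nc increases, otherwise the header can simply be replayed."""
    scheme, _, rest = authorization.partition(" ")
    if scheme != "Digest":
        return None
    p = parse_auth_params(rest)
    try:
        expected = digest_response(p["username"], lookup_password(p["username"], p["realm"]),
                                   p["realm"], method, p["uri"], p["nonce"],
                                   p["nc"], p["cnonce"], p["qop"])
    except KeyError:
        return None  # missing parameter or unknown user
    return p["username"] if hmac.compare_digest(expected, p["response"]) else None


# Constructed user database: (username, realm) -> password
USERS = {("Mufasa", "testrealm@host.com"): "Circle Of Life"}


def lookup_password(user, realm):
    return USERS[(user, realm)]
```

Because the method and URI are folded into HA2, a captured Digest header for GET /dir/index.html cannot be reused for a DELETE of the same path; Basic has no such binding, which is why it must never leave a TLS connection.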
// Signing, done by the CA (pseudocode)
var hash = sha1(certificat.info)
return encrypt(ca.privatekey, hash)

// Verification, done by the client (pseudocode)
var hash = sha1(certificat.info)
var uncryptedSignature = decrypt(ca.publickey, signature)
return hash == uncryptedSignature

(sha1 is what the slide shows; certificate signatures today use SHA-256 or stronger, SHA-1 being no longer accepted by browsers.)
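Added example, not part of the presentation: the two pseudocode routines above made concrete with textbook RSA on deliberately small, constructed parameters, to show the mechanism only. The CA raises the certificate hash to its private exponent; anyone holding the CA public key undoes that with the public exponent and compares the result with a fresh hash. Real CA signatures use 2048-bit or larger keys, SHA-256 and a padding scheme (PKCS#1 v1.5 or RSA-PSS), all of which are omitted here; the subject string is constructed and the key is a toy.

```python
# Added example (not from the slides): textbook RSA signature on toy
# parameters, purely to illustrate sign = hash^d mod N, verify = sig^e mod N.
# Not usable as a real signature (no padding, tiny key).
import hashlib

P, Q = 1000003, 999983             # two small primes: the constructed CA key
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                          # public exponent
D = pow(E, -1, PHI)                # private exponent (needs Python 3.8+)
CA_PUBLIC_KEY = (N, E)
CA_PRIVATE_KEY = (N, D)


def certificate_hash(info):
    """hash = sha256(certificate.info), reduced mod N so the toy key can sign it."""
    digest = hashlib.sha256(info.encode()).digest()
    return int.from_bytes(digest, "big") % N


def sign(private_key, info):
    """CA side: the slide's encrypt(ca.privatekey, hash)."""
    n, d = private_key
    return pow(certificate_hash(info), d, n)


def verify(public_key, info, signature):
    """Client side: decrypt(ca.publickey, signature) and compare with a fresh hash."""
    n, e = public_key
    recovered = pow(signature, e, n)
    return recovered == certificate_hash(info)


# Constructed subject, standing in for the certificate fields the CA hashes.
CERT_INFO = "CN=www.exemple.org, O=Exemple, notAfter=2013-09-01"
```

Changing a single character of the subject (for instance the CN) changes the hash, so the stored signature no longer verifies; that is what lets a browser detect a tampered certificate without contacting the CA.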
Version, asymmetric encryption, symmetric encryption, key negotiation, signature
Strict-Transport-Security: max-age=16070400; includeSubDomains
In 2011, Thai Duong and Juliano Rizzo demonstrated BEAST, an attack against TLS 1.0.
In 2012 they presented CRIME, which relies on compression: TLS compression and SPDY are vulnerable.
COPY /~fielding/index.html HTTP/1.1
Host: www.example.com
Destination: http://www.example.com/users/f/fielding/index.html
If: <http://www.example.com/users/f/fielding/index.html> (<urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6>)

HTTP/1.1 204 No Content

DELETE /locked/member HTTP/1.1
Host: example.com

HTTP/1.1 423 Locked
Content-Type: application/xml; charset="utf-8"
Content-Length: xxxx

<?xml version="1.0" encoding="utf-8" ?>
<D:error xmlns:D="DAV:">
  <D:lock-token-submitted>
    <D:href>/locked/</D:href>
  </D:lock-token-submitted>
</D:error>
network.http.spdy.enabled (cf. about:config) and Amazon Silk,