The Basics of HTTP - Series Introduction

In preparation for an upcoming user group presentation and a project I have been working on, I have been doing a lot of reading about our old friend the Hypertext Transfer Protocol (HTTP).

Kurt Wiersma and I were talking at the last Twin Cities ColdFusion User Group meeting about application security and while talking we came to the realization that understanding the basics of how HTTP works is the foundation for recognizing threats to your application and in creating security countermeasures. Right there I decided that one of the next steps in my path along learning more about security and in educating others on security topics was to learn as much as I could about the protocol on which we run our most precious applications.

I started where any reasonable person would think. Wikipedia. While Wikipedia may be fraught with errors and omissions, I usually find its technical articles to be quite a good starting place for understanding the basics.

I did also order an O'Reilly Text for deeper understanding and I began reading that this past weekend.

One thing I have found very interesting about HTTP is that while its basics are, in fact, quite basic, I am finding it difficult to articulate them. Which, of course, is exactly what I need to do for my presentation. I find myself asking some questions:

  • Do I need to explain what a protocol is?
  • Do I need to discuss TCP/IP?
  • Do I need to discuss the OSI Model? (Oh God please no!!!)
  • How can I keep my presentation entertaining and yet informative?

I think that the answer to the first three questions is "no". I may mention these things, but I will not delve into detail. If anyone thinks I should do otherwise, I would love to hear your reasoning.

As for the last question, I am hoping to use what I am learning from Presentation Zen to liven up my presentation and make it more interesting than my previous slide shows.

While I am sure that most of the people reading my blog understand the basics of HTTP, you may be surprised, like me, about some of the subtleties you may have missed. I will also try to discuss some of the security implications that go along with how HTTP works. Because that is the overall point of why I am doing this research.

I want to write about the basics of HTTP to help solidify my understanding and to help me articulate the basics for my presentation. So for my next few blog posts I will go into more detail on HTTP, and I will use some of the tools I have at my disposal to demonstrate these basics. I would also love to hear from others with expertise that could offer me their insights to help make my presentation and understanding better.

The tools I will look at using are:

I understood HTTP to support GET and POST. And then, I attended a presentation on REST web services and there was discussion of PUT and DELETE (I think). I know that those are part of the HTTP protocol but not necessarily supported in any standard way. It might be interesting to cover that.
# Posted By Ben Nadel | 2/17/09 10:38 AM
@Ben, thanks for the comment. Great idea. I have not looked at them in great detail, but they would definitely be great to cover, especially from a security aspect. My understanding is that they can be quite dangerous if enabled.
# Posted By Jason Dean | 2/17/09 10:55 AM
Yeah, I think I had a site that was hacked once cause PUT was not disabled :)
# Posted By Ben Nadel | 2/17/09 11:00 AM
Hello OSI my old friend. It's humorous to see you once again.

I had to laugh when I saw your comment. It brings back memories of so many hours of networking classes. I wonder if I would be a network admin had I taken programming classes. A B.S. is really BS sometimes.

I have to admit seeing it again with years of experience makes it much more comprehensible. I say that you should briefly cover it.
# Posted By justin | 2/17/09 11:03 AM
"Do I need to discuss TCP/IP?"

I agree that the OSI model is probably a bit much. But, if you don't discuss TCP/IP, I think you're going to be making some assumptions that you may not want to make, especially if this is as "back to basics" as you want it to be. If you don't discuss TCP/IP then you're going to have a hard time explaining concepts like virtual hosts, handshaking, content negotiation, clustering and failover, TLS/SSL, and pipelining. Admittedly, with the exception of virtual hosts, those are more advanced concepts, but they are still very relevant.
# Posted By Rick O | 2/17/09 1:21 PM
Sorry, that was more long-winded than I wanted to be. Let me sum up:

You'd be amazed how many "professional web developers" can't draw a state diagram of an HTTP session, much less the series of state diagrams for an entire page request and content.

Keep coming back to that thought.
# Posted By Rick O | 2/17/09 1:24 PM
@Justin - The OSI model is one of the main reasons I lost interest in networking classes. I'll be quite glad to skip it.

@Rick, Thanks for the comments. You make a good point. I will probably, at least, touch on TCP/IP and discuss it when pertinent to understanding a concept. As I do more research and draw a better understanding of some of these things, I may include more.
# Posted By Jason Dean | 2/17/09 2:11 PM
I'd love to learn more about the OSI Model. I didn't know that layer x and layer y are part of the OSI model until reading your blog today. :)
# Posted By Henry Ho | 2/18/09 12:03 PM