HTTP protocol – All about

What happens when you type “http://google.com” in the browser?

You type in google.com; the browser does a DNS lookup for the domain name
and gets an IP address back from the DNS server.

Then once it gets that IP address, it will send an HTTP request for the google.com site to that IP address.

What is HTTPS?

  • HTTPS includes HTTP
  • HTTPS is like sending an HTTP request, but that request is encrypted
  • You’re still sending an HTTP request that looks roughly the same as the HTTP request you would send if it weren’t encrypted

What is the difference between running cURL in the terminal and typing “google.com” in the browser?

The only difference is the HTTP headers each one sends.

cURL sends only 2 headers:

  • A User-Agent header that says this request comes from cURL
  • A Host header, which is a required part of the HTTP protocol that every HTTP request has to have

Browsers send a lot more headers, especially:

  • Cookies that the browser saved from previous visits to the website
  • Cache headers, for example
    • A CDN will look at the headers and make decisions about what to cache based on them.
    • For example, Cache-Control: max-age=300 (300 seconds).
      When the CDN gets a request it looks at what it has in its cache; if that copy is older than 5 minutes, the CDN will discard it and request a new version of the resource.

Why is HTTP so important to the browser?

  • Every time your browser requests any website, it uses HTTP
  • You can’t go to a website without using HTTP
  • HTTP is a relatively simple protocol
    • Anyone can implement an HTTP server and people have implemented HTTP servers in so many different languages

Why does the HTTP request method matter, if everything is in the body anyway?

It’s because of the browser security model. Browsers do a lot of work to protect you from malicious websites.

  • GET requests to fetch resources
  • POST requests to submit forms

Even though conceptually you can do whatever you want with a GET request and a POST request, they’re not treated the same way by the browser security model.

Cross-origin GET requests (and certain other kinds of requests) are allowed, while cross-origin POST requests with bodies are not.

What is CROSS-ORIGIN?

You open two different websites and the JavaScript on one website is trying to send a request to the other website.

A sketchy website can send a request to my bank with my login cookies, because it is the same browser. The browser has the cookies for my bank, and it will let the sketchy website send a request to my bank with my login cookies, which is kind of scary.

What’s the same-origin policy?

When you make a cross-origin POST request, the browser first sends an OPTIONS request that asks, “Is this okay?” Then the real POST request follows.

The browser won’t let you send the POST request right away, because sending a POST request is itself already sort of a dangerous thing to do.

From your JavaScript it looks like you just sent a POST request, but what the browser actually does is first send an OPTIONS request asking, “Am I allowed to send a POST request?” Then Twilio says, “Yes, you are allowed to send a POST request.” Then the browser sends the POST request, Twilio says, “Yes, this is okay again,” and you get the response to that request.

Does an API request from a BACK END server need to set headers for the same-origin policy to get these two origins to trust one another?

NO, because

  • You’re making the request to Twilio from your server, and there’s no browser involved. You’re just talking from your server to Twilio’s server
  • You would use your API keys, which are a private secret between you and Twilio

It’s only if you make the request to Twilio from the JavaScript that’s
running in the browser that you need to set headers for the same-origin policy.

Is it better to call the API with the API key from the back end?

YES, because anyone using your website can potentially look at that
request and see every request that is being made, along with all of its headers.

If you’re making a request to Twilio and your API key is in a header, I can just take it and say, “Sweet! Now I can make requests to Twilio” using your account, which you probably don’t want.
