Network

DNS

• How DNS works

• linux - Force dig to resolve without using cache - Server Fault

• What's in a hostname?

Encrypted DNS

macOS and iOS configuration profiles:

• paulmillr/encrypted-dns: Configuration profiles for DNS HTTPS and DNS over TLS for iOS 14 and MacOS Big Sur

• Encrypted DNS Party - nitrohorse / encrypted-dns-configs · GitLab

• iOS 14, mobileconfig, DNS over HTTPS with DNSDomainMatch whitelist support - Stack Overflow

• DNS Resolver Selection in iOS 14 and macOS 11 – OpenDNS

• DNS Profile Creator - fyr77/dns-mobileconfig: A simple website to create DoH and DoT config files for iOS

DNS over HTTPS aka DoH:

• show information in Firefox: about:networking

• application/dns-message content type

• RFC8484

• DNS over HTTPS — Wikipedia

• DNS-over-HTTPS (DoH) | Public DNS | Google Developers

• dcid/doh-php-client: DoH (DNS over HTTPS) PHP Client

• danog/dns-over-https: Async DNS-over-HTTPS resolution for AMPHP.

<?php
if (!isset($_GET['token']) || $_GET['token'] != 'some-random-token')
{
	die('Invalid token');
}

// From https://github.com/NotMikeDEV/DoH
if (isset($_SERVER['CONTENT_TYPE']) && $_SERVER['CONTENT_TYPE'] == 'application/dns-message')
{
        $request = file_get_contents("php://input");
        header("Content-Type: application/dns-message");
        $s = fsockopen("udp://127.0.0.1", 53, $errno, $errstr);
        if ($s)
        {
                fwrite($s, $request);
                echo fread($s, 4096);
                fclose($s);
        }
}
else if (isset($_GET['dns']))
{
        $request = base64_decode(str_replace(array('-', '_'), array('+', '/'), $_GET['dns']));
        header("Content-Type: application/dns-message");
        $s = fsockopen("udp://127.0.0.1", 53, $errno, $errstr);
        if ($s)
        {
                fwrite($s, $request);
                echo fread($s, 4096);
                fclose($s);
        }
}
?>

DNS over TLS aka DoT:

• DNS over TLS — Wikipedia

DNS records

Names (exemples for example.com):

• @ naked name (example.com), the domain itself

• * fallback subdomain (*.example.com, but doesn't match *.test.example.com if test.example.com is declared)

• www subdomain (www.example.com)

• test.www subsubdomain (test.www.example.com)

• *.www fallback subsubdomain (*.www.example.com)

* CNAME @ is not possible with all DNS servers, and not recommended (need 2 DNS requests to resolve subdomain)

@ IN A 192.0.2.1
@ IN TXT "some text"

# dig www.example without DNS cache
dig @$(dig example.com NS +short | head -n1) www.example.com ANY +noall +answer

• List of DNS record types - Wikipedia

• Domain Name System - Wikipedia

Local gTLD

• *.test (purpose: "testing of current or new DNS related code")

• *.localhost (but need a change in hosts file) for local only

• *.dev own by Google, HSTS preload is enable (HTTPS is forced)

  • .dev — ICANNWiki

• *.local not recommended

  might be used for mDNS, mostly with Apple hardware (Bonjour).

  Any DNS query for a name ending with ".local." MUST be sent to the mDNS IPv4 link-local multicast address 224.0.0.251 (or its IPv6 equivalent FF02::FB).

  • RFC 6762 - Multicast DNS

  we recommend against using .local as a private Unicast DNS top-level domain

  • RFC 6762 - Multicast DNS

  • .local - Wikipedia

• *.intranet

• *.internal

• *.private

• *.corp

• *.home

• *.lan

HTTP

Note: don't name your local server *.local. See Local TLD Note: Range header could be ignore if the content need to be gzipped (It's the case with nginx)

FQDN: fully qualified domain name, with the trailing dot (root zone) TLD: top level domain (e.g. .com, .net, .bmw, .us). See the list of TLDs eTLD: effective top level domain (e.g. .com, .co.uk and .pvt.k12.wy.us). See the public suffix list eTLD+1: effective top level domain plus one level (e.g. example.com, example.co.uk) SLD: second level domain (e.g. co is the SLD of www.example.co.uk)

See also:

• We Suck at HTTP

• Proxy auto-config — Wikipedia

• Journey to HTTP/2 · @kamranahmedse

• HTTP: HTTP/2 - High Performance Browser Networking (O'Reilly)

• Network

• Wireshark · Go Deep. - network protocol analyzer

Headers

X- prefix is discouraged ("SHOULD NOT") if this header would come a standard

• RFC 7230 - Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing

• Custom HTTP headers : naming conventions - Stack Overflow

• RFC 6648 - Deprecating the "X-" Prefix and Similar Constructs in Application Protocols

Use right status

• 401 Unauthorized: concern authentification

• 403 Forbidden: concern authorization

• File:Http-headers-status.svg - Wikimedia Commons

• Choosing an HTTP Status Code — Stop Making It Hard | Racksburg

• 410 Gone

• HTTP Status Codes — httpstatuses.com

• RFC for the 7XX Range of HTTP Status codes - Developer Errors

• https://restpatterns.mindtouch.us/HTTP_Status_Codes

Redirects can break POST

...or any other method other than GET.

23:50:52:658: Network: POST http://host/folder [HTTP/1.1 301 Moved Permanently 947ms]
23:50:53:614: Network: GET http://host/folder/ [HTTP/1.1 200 OK 400ms]

When you use a 301 or 302 redirect, the browser will change the method on the redirect to be a GET request, even if the original method was a POST request.

Use the 307 and 308 status codes instead if you need to retain the method

• 301s, 302s, 307s & 308s: Report URI's journey to a permanent redirect

• web development - Why doesn't HTTP have POST redirect? - Software Engineering Stack Exchange

HTTPS (TLS)

See Transport Layer Security and Decrypt TLS

About mixed content:

• Content-Security-Policy: upgrade-insecure-requests; - see CSP: upgrade-insecure-requests - HTTP | MDN

• Troy Hunt: Disqus' mixed content problem and fixing it with a CSP

• The Complete Guide To Switching From HTTP To HTTPS – Smashing Magazine

• See also HSTS

Streaming and Push

Server Side Event, WebSocket or long-polling HTTP request, pull

For live content (live number of watchers, real-time transport traffic, real-time updated article, etc.), doesn't require bi-directional (full-duplex) communication, use SSE first

• Google Maps .Net Control

• Push technology — Wikipedia

• Comet (programming) — Wikipedia

• Streaming media — Wikipedia

• Progressive download — Wikipedia

• How Facebook Live Streams to 800,000 Simultaneous Viewers - High Scalability -

• Browser APIs and Protocols: XMLHttpRequest - High Performance Browser Networking (O'Reilly)

• WebSockets vs Server-Sent Events vs Long-polling

Note: proxy servers and firewalls could buffer the response, increasing the latency of the message delivery. Antivirus software may block the event streaming data chunks. TLS could be use to solve this problem:

Note: don't forget to push/flush the content: - php - Server sent events work, but with a massive time delay - Stack Overflow

• Networking 101: Transport Layer Security (TLS) - High Performance Browser Networking (O'Reilly)

• html5 - JavaScript EventSource SSE not firing in browser - Stack Overflow

• Sophos AV blocks server-sent events (SSE) on Mac OS X Yosemite - Sophos Anti-Virus for Mac Home Edition - Free Tools - Sophos Community

• Server Sent Events blocked by Download Scanner - Sophos Endpoint Software - Endpoint Security and Control - Sophos Community

Server Side Event

Aka SSE, EventSource

SSE use vanilla HTTP (eg thru load-balancers) and do auto-reconnect

• Browser APIs and Protocols: Server-Sent Events (SSE) - High Performance Browser Networking (O'Reilly)

• Stream Updates with Server-Sent Events - HTML5 Rocks

• Using server-sent events - Web APIs | MDN

• Server-Sent Events explained with usecases

• html5 - Server-Sent Events vs Polling - Stack Overflow

• Yaffle/EventSource: a polyfill for http://www.w3.org/TR/eventsource/ - Example of Server-sent events with Node.js

• SSE vs Websockets - Streamdata.io

• Server-Sent Events with Node.js (Express)

Websocket

Aka WS

• Fanout Blog » You might not need a WebSocket

• WebSockets, caution required!

• 600k concurrent websocket connections on AWS using Node.js - blog. - 600k concurrent websocket connections on AWS using Node.js (2015) | Hacker News

• Millions of active WebSockets with Node.js | by uNetworking AB | Medium

• websocket server library used by Stack Overflow: https://github.com/StackExchange/NetGain

• node.js - Proxying WebSockets with TCP load balancer without sticky sessions - Stack Overflow

• HTML5 WebSocket - A Quantum Leap in Scalability for the Web

For Nodejs:

• Starting Node.js using forever with --nouse-idle-notification and other flags - Stack Overflow

For Ngnix:

Example of Ngnix-as-proxy configuration:

http {
	map $http_upgrade $connection_upgrade {
		default upgrade;
		'' close;
	}

	upstream ws_server {
		server localhost:9000;
	}

	server {
		ssl on;
		ssl_certificate /path/to/crt;
		ssl_certificate_key /path/to/key;

		root /data/www/public;

		location / {
		}

		location /app {
			proxy_pass http://ws_server;
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection $connection_upgrade;
			proxy_set_header Host $host;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		}
	}
}

• Using NGINX as a WebSocket Proxy

• Websockets SSL/TLS Termination Using NGINX Proxy · Pankaj Malhotra

For Apache:

Example of Apache-as-proxy configuration (require mod_proxy and mod_proxy_wstunnel - require httpd 2.4.5)

# Reverse proxy to nodejs
<Location /ws-service>
	Require all granted
	ProxyPass ws://localhost:9000
	ProxyPassReverse ws://localhost:9000
</Location>

• https://stackoverflow.com/questions/30443999/how-to-add-mod-proxy-wstunnel-to-apache2-2-2-on-raspberry-pi-backport-mod-proxy

Content type

• HTML

• XML

• JSON

• Action Message Format (AMF)

• Concise Binary Object Representation (CBOR)

Note: use text/html even if it's a fragment of a HTML document

See also

• Comparison of data serialization formats — Wikipedia

• JSON Homogeneous Collections Compression (JSONH)

HSTS

To disable HSTS use the following header (when HTTPS): Strict-Transport-Security: max-age=0 (in .htaccess: Header set Strict-Transport-Security "max-age=0")

• tls - Is there a problem with issuing a HSTS header in PHP? - Information Security Stack Exchange

• Preloading HSTS | Mozilla Security Blog

See HSTS

Server Push

Aka HTTP/2 Server Push

Adviced order, push while processing (while waiting for the app response): static assets (script, image, style, fetch, etc.) then the html (let the time to the server to processing the request and render the response). Possible to send status 103 Early Hints then 200 OK Concatenate small files

Browsers often implent HTTP/2.0 only over TLS

• Required Assets: CSS, JavaScript, and image assets required by a web page

• Uncacheable Assets: Pushing dynamic assets = reduce page load time

• Likely Next Pages: the page that a user is likely to load (e.g., the link they’re hovering over), make it look like it loads instantaneously

• Redirects

<Location /index.html>
   Header add Link "</css/site.css>;rel=preload;as=style"
   Header add Link "</images/logo.jpg>;rel=preload;as=image"
</Location>

Inline Link: </css/my.css>;rel=preload;as=style, </js/jquery.js>;rel=preload;as=script works too

Or define it via PHP:

<?php
header('Link: </css/my.css>;rel=preload;as=style', false);
?>

Note: I you don't want the server push the resource (preload only) with Link header, use nopush as: Link: </css/image.webp>;rel=preload;as=image;type=image/webp;nopush Use this if the header Save-Data: on It's usefull in case the resource format is not widely supported

• mod_http2 - Apache HTTP Server Version 2.4

• HTTP/2 Server Push — Wikipedia

• Preload

• Using HTTP/2 Server Push with PHP

• HTTP/2 Frequently Asked Questions

• OptimizingForSpdy - mod-spdy - How to tune your server to serve pages over SPDY efficiently - Apache SPDY module - Google Project Hosting

• concept-request-type

• Reorganizing Website Architecture for HTTP/2 and Beyond

Cache-aware server push

<?php
// https://css-tricks.com/cache-aware-server-push/
function pushAssets() {
	$pushes = array(
		'/css/styles.css' => substr(md5_file('/var/www/css/styles.css'), 0, 8),
		'/js/scripts.js' => substr(md5_file('/var/www/js/scripts.js'), 0, 8)
	);

	if (!isset($_COOKIE['h2pushes'])) {
		$pushString = buildPushString($pushes);
		header($pushString);
		setcookie('h2pushes', json_encode($pushes), 0, 2592000, '', '.myradwebsite.com', true);
	} else {
		$serializedPushes = json_encode($pushes);

		if ($serializedPushes !== $_COOKIE['h2pushes']) {
			$oldPushes = json_decode($_COOKIE['h2pushes'], true);
			$diff = array_diff_assoc($pushes, $oldPushes);
			$pushString = buildPushString($diff);
			header($pushString);
			setcookie('h2pushes', json_encode($pushes), 0, 2592000, '', '.myradwebsite.com', true);
		}
	}
}

function buildPushString($pushes) {
	$pushString = 'Link: ';

	foreach($pushes as $asset => $version) {
		// TODO add "as" parameter (style, script, etc.)
		$pushString .= '<' . $asset . '>; rel=preload';

		if ($asset !== end($pushes)) {
			$pushString .= ',';
		}
	}

	return $pushString;
}

// Push those assets!
pushAssets();
?>

• HTTP/2 push is tougher than I thought - JakeArchibald.com

• Creating a Cache-aware HTTP/2 Server Push Mechanism | CSS-Tricks

• A Comprehensive Guide To HTTP/2 Server Push – Smashing Magazine

• HTTP/2 Directives - Configure - H2O - the optimized HTTP/2 server

• Hypertext Transfer Protocol Version 2 (HTTP/2) - see http - RST_STREAM frame in HTTP2 - Stack Overflow

Force download

Aka generated filename

use a filename that clearly mention the website or the service that allow its identification, and the content type (invoice, contrat, etc). — Internal names for downloadable files make it possible to identify their content and origin. - Check-list The Web Quality Assurance Check-list - Opquast Check-lists

Content-Disposition: attachment; filename="file.ext"

You can use also:

Content-Type: application/octet-stream

X-Download-Options: noopen

• Content-Disposition - HTTP | MDN

Access

• XSS and injection prevention - CORS, CSP, SI, etc.

Referer

See Security

Method

Aka POST, GET, HEAD, PUT, etc.

An HTTP method is safe if it doesn't alter the state of the server. In other words, a method is safe if it leads to a read-only operation. Several common HTTP methods are safe: GET, HEAD, or OPTIONS.

— Safe (HTTP Methods) - MDN Web Docs Glossary: Definitions of Web-related terms | MDN

See RESTful and API

• X-HTTP-Method (Microsoft), X-HTTP-Method-Override (Google/GData), X-Method-Override (IBM)

• The Definitive Guide to GET vs POST - Treehouse Blog

• Safe (HTTP Methods) - MDN Web Docs Glossary: Definitions of Web-related terms | MDN

Simple HTTP Server

Aka simple server

Run in controlled environments only!. Useful for testing purposes or for application demonstrations

• http.server — HTTP servers — Python 3 documentation python -m http.server 8000 -d /path/to/wwwroot

• PHP: Built-in web server - Manual - php -S localhost:8000 -t /path/to/wwwroot

• HTTP | Node.js Documentation - const http = require("http"); http.createServer((req, res) => {res.writeHead(200, {"Content-Type": "text/html"}); res.write("Hello World!"); res.end();}).listen(8000);

• Netcat — Wikipedia - while true; do nc -l 8000 < response.http; done. Will serve an unique stream/page. To get the raw HTTP response, use printf "GET / HTTP/1.1\nHost:example.com\nUser-Agent:Firefox\Connection: close\n\n" | nc example.com 80 > response.http or write/edit it with text editor

• A simple HTTP/2 server for development - Written in Go

• (deprecated) kzahel/web-server-chrome: An HTTP Web Server for Chrome (chrome.socket API)

With Python you can create a file in server dir root MySimpleHTTPServer.py:

#!/usr/bin/python

import http.server
import socketserver

PORT = 8000

Handler = http.server.SimpleHTTPRequestHandler

with socketserver.TCPServer(("", PORT), Handler) as httpd:
	print("serving at port", PORT)
	httpd.serve_forever()

Then execute in the same folder:

python -m MySimpleHTTPServer

• 21.22. http.server — HTTP servers — Python 3.6.3 documentation

• 20.19. SimpleHTTPServer — Simple HTTP request handler — Python 2.7.14 documentation

• python - SimpleHTTPServer Custom Headers - Stack Overflow

Content encoding

See Precompress

Note: sometimes you can't encode content, event if the final client support it, mediators could not (proxies, cache servers, etc.): Who’s not getting gzip? | High Performance Web Sites

Aka brotli, gzip, zlib, deflate

• gzip is the GZIP file format: GZIP headers (can contains filename and a timestamp), DEFLATE data, and a checksum

• deflate is actually the ZLIB data format: zlib header, DEFLATE data, and a checksum

Some clients do also accept the actual DEFLATE data format for deflate.

Note: GZip remove the advantage UTF-16 might have over UTF-8 for East Asian-heavy text.

About brotli vs gzip:

Brotli is mostly nice for clients, with decompression performance comparable to gzip while significantly improving the compression ratio. These are powerful properties for serving static content such as fonts and html pages. However compression performance, at least for the current implementation, is considerably slower than gzip, which makes Brotli unsuitable for on-the-fly compression in http servers or other data streams. — OpenCPU - Compression Benchmarks: brotli, gzip, xz, bz2

• GZip

• Content-Encoding - HTTP | MDN

• Compression Tests: About

• Lose the Wait: HTTP Compression - Zoompf Web Performance

• compression - Why use deflate instead of gzip for text files served by Apache? - Stack Overflow

• You're Reading The World's Most Dangerous Programming Blog

• http - Why do real-world servers prefer gzip over deflate encoding? - Stack Overflow

• Lose the Wait: HTTP Compression - Zoompf Web Performance

Cache

Aka cache policy

Sending last-modified: Thu, 01 Jan 1970 00:00:01 GMT prevents the page from updating. Gives it super long cache heuristic, and makes revalidation think it never ever changes.

— kornel@mastodon.social on Twitter: "New fun failure mode added to my collection: Sending last-modified: Thu, 01 Jan 1970 00:00:01 GMT prevents the page from updating. Gives it super long cache heuristic, and makes revalidation think it never ever changes." / Twitter

• kornelski/http-cache-semantics: RFC 7234 in JavaScript. Parses HTTP headers to correctly compute cacheability of responses, even in complex cases

Content language

lang HTML attribute indicates the language of the text, whereas Content-Language provides metadata about the intended audience of the document.

• Types of language declaration

Request content encoding

See Content encoding

Send compressed request body

If the server doesn't support the given encoding, should response with the status 415 (Unsupported Media Type)

• gzip - Compressing HTTP Post Data sent from browser - Stack Overflow

• Is it possible to enable http compression for requests? - Server Fault

Transfert encoding

Note that chunked is always acceptable for HTTP/1.1 recipients

• Chunked transfert encoding

• TE - HTTP | MDN

• Transfer-Encoding - HTTP | MDN

• Trailer - HTTP | MDN

• Chunked transfer encoding — Wikipedia

• http - How to make PHP generate Chunked response - Stack Overflow

• How to generate Chunked response with a Trailer in Apache/PHP? - Stack Overflow

About ranges and chunked transfert encoding:

• HTTP range requests - HTTP | MDN -

• Byte serving — Wikipedia

Send binary data in JSON

See Request content encoding

base64 or multipart/form-data + use a "pointer" that data field name

• Binary Data in JSON String. Something better than Base64 - Stack Overflow

• javascript - fetch post with multipart form data - Stack Overflow

Prevent form replay

Always provide a way for the user to keep provided values, in case the submit form data fail. Show an error message and fill fields with provided values: <input value="Value provided by the user that is not used until the error is fixed">

• Post/Redirect/Get - Wikipedia

• Cross-site request forgery - Wikipedia

• Prevent form resubmit after Browser Back button click - Webmasters Stack Exchange

WebRTC

• Janus WebRTC Gateway - WebRTC protocol used in client-server architecture

• serverless-webrtc - A demo of using WebRTC with no signaling server

• https://github.com/js-platform/node-webrtc

• https://github.com/mappum/electron-webrtc

Measure network quality

https://docs.google.com/document/d/1eBix6HvKSXihGhSbhd3Ld7AGTMXGfqXleu1XKSFtKWQ/edit

Get client IP

Or proxy's IP

Note: X-Forwarded-For header can be spoofed, see The perils of the “real” client IP | adam-p

• wp-geoip-detect/api.php at d48a2d6134a4edf9843d5e4c7c0e4bfd8c4e139d · yellowtree/wp-geoip-detect

• X-Forwarded-For — Wikipedia

<?php
// Note: X-Forwarded-For contains a list of IP address, where the first one is the client's IP
if (array_key_exists('HTTP_CLIENT_IP', $_SERVER)) {
   $ipaddress = $_SERVER['HTTP_CLIENT_IP'];
} else if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
   $ipaddress = $_SERVER['HTTP_X_FORWARDED_FOR'];
} else if (array_key_exists('HTTP_X_FORWARDED', $_SERVER)) {
   $ipaddress = $_SERVER['HTTP_X_FORWARDED'];
} else if (array_key_exists('HTTP_FORWARDED_FOR', $_SERVER)) {
   $ipaddress = $_SERVER['HTTP_FORWARDED_FOR'];
} else if (array_key_exists('HTTP_FORWARDED', $_SERVER)) {
   $ipaddress = $_SERVER['HTTP_FORWARDED'];
} else if (array_key_exists('REMOTE_ADDR', $_SERVER)) {
   $ipaddress = $_SERVER['REMOTE_ADDR'];
} else {
   $ipaddress = null;// not known
}

$_SERVER['HTTP_X_REAL_IP'];

$iptype = 'unknown';
if(!empty($iptype)){
   if(preg_match("/^[0-9a-f]{1,4}:([0-9a-f]{0,4}:){1,6}[0-9a-f]{1,4}$/", $ip) != 0){
   	$iptype = 'IPv6';
   }else if(preg_match("/^([0-9]{1,3}\.){3}[0-9]{1,3}$/", $ip) != 0){
   	$iptype = 'IPv4';
   }
}
?>

• apache - How to set REMOTE_ADDR to HTTP_X_REAL_IP? - Stack Overflow

Geo IP

• apilayer/geolocationapi: IP Geolocation API is a free service for locating your visitors in real-time with detailed country information.

• IP Geolocation API [ip-api]

• The Google Maps Geolocation API | Google Maps Geolocation API | Google Developers

• freegeoip.net

• http://dev.maxmind.com/geoip/legacy/downloadable/

• https://countryblocklist.com/

• Major IP Addresses Blocks By Country

• http://www.ipdeny.com/ipblocks/data/countries/

Proxy

Proxy can transform content

Can transform content: remove comments (HTML, JS, CSS), recompress (reduce JPEG quality), block files, change formats (APNG → PNG, remove fdAT and fcTL chunks), rewrite links (src or href attributes), etc.

(SFR) if file header looklike an image header (JPEG or PNG), the following content could be broken

• Mobile network providers/ISP like SFR (FR), Bouygues Telecom (FR), O2 (UK), Centertel, China Mobile, Cingular, Connex, Nextel, NTT DoCoMo, Orange, Proximus, Sprint Nextel, T-Mobile, Telefónica Móviles, O2, Vodafone (IE, DE), Willcom... often use Citrix ByteMobile Proxy

• Cache proxies

• Proxy browsers like Opera Mini (use Citrix ByteMobile Proxy too), UCBrowser or Puffin. "reduce data usage" mode in mobile Chrome.

• Other Proxies/VPN like Opera Turbo, Opera Max, Mozilla Janus, Google Data Saver

To prevent proxys from modifying the website's content, serve the content with this HTTP header:

Cache-Control: no-transform

Apache config (ex.: in .htaccess):

<IfModule headers_module>
	Header set Cache-Control no-transform
</IfModule>

Serve HTTPS can't always resolve issues.

• HTTP/1.1: Header Field Definitions - 14.9.5 No-Transform Directive

• Performance Calendar » Mobile ISP image recompression

• SFR modifie le source HTML des pages que vous visitez en 3G : Reflets

• Stop mobile network proxy from injecting JavaScript - Stack Overflow

• Mobile ISP can break WebSocket connections

• Any reason not to add "Cache-Control: no-transform" header to every page? - Stack Overflow

• Bytemobile and Opera Software Form Partnership for Browser Optimization - Opera Software

• Cache-Control — Wikipédia

See also Ads / Content blockers like Focus or Adblock Plus or Anti Ad blocker https://github.com/reek/anti-adblock-killer/ See Validity of CSS class names and ids

Proxy Server

• mitmproxy/mitmproxy: An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

• Charles Web Debugging Proxy • HTTP Monitor / HTTP Proxy / HTTPS & SSL Proxy / Reverse Proxy

• Fiddler - Free Web Debugging Proxy - Telerik

Use Apache as proxy server

Serve http://X.X.X.X:8080/pac.php

(Listen 8080) Some browsers map internaly localhost without proxy. To skip that, add the FQDN trailing dot to it (IE7+): localhost.

<proxy *> or <proxy http://www.google.com>

proxy.conf:

# Forward proxy server
<VirtualHost *:8080>
	ProxyRequests On
	ProxyVia On

	<Proxy *>
		Order deny,allow
		Deny from all
		Allow from 127.0.0.1
		Allow from 192.168

		RewriteEngine on
		RewriteCond %{REQUEST_URI} !/pac.php
		RewriteRule ^ /endpoint.php [L]
	</Proxy>
</VirtualHost>

endpoint.php:

<?php
// Don't handle domain existance
$url = $_SERVER['REQUEST_URI'];
$url_parts = parse_url($url);
// Some security checks (no local file...)
if(false === $url_parts || empty($url_parts['scheme']) || !in_array($url_parts['scheme'], array('http', 'https'))){
	die();
}

$headers_raw = '';
foreach ($_SERVER as $name => $value)
{
	if (substr($name, 0, 5) == 'HTTP_')
	{
		$name = str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))));
		$headers_raw .= $name . ': ' . $value . "\r\n";
	} else if ($name == "CONTENT_TYPE") {
		$headers_raw .= 'Content-Type: ' . $value . "\r\n";
	} else if ($name == "CONTENT_LENGTH") {
		$headers_raw .= 'Content-Length: ' . $value . "\r\n";
	}
}

// http://php.net/manual/en/context.http.php
$context = stream_context_create(array(
	'http' => array(
		'method' => $_SERVER['REQUEST_METHOD'],
		'header' => $headers_raw,
		'ignore_errors' => true,
		'content' => file_get_contents('php://input')
	)
));
$content = file_get_contents($url, false, $context);

$content_type = 'application/octet-stream';// "text/html"
$content_type_raw = $content_type;// "text/html; charset=UTF-8"
foreach($http_response_header as $response_header){
	if('Content-Type:' == substr($response_header, 0, 13)){
		$content_type_raw = substr($response_header, 14);
		$content_type = strstr($content_type_raw, ';', true);
		header($response_header);
	}
	elseif('Content-Encoding:' == substr($response_header, 0, 17) && 'gzip' == substr($response_header, 18, 4))
	{
		//Now lets uncompress the compressed data
		$content = gzinflate(substr($content, 10, -8));
	}
	elseif('Content-Length:' == substr($response_header, 0, 15))
	{
		//Skip it
	}
	else{
		header($response_header);
	}
}

// Content transforms
//var_dump($url_parts);exit();
if('text/html' == $content_type){
	echo str_replace('cat', 'dog', $content);
}else{
	echo $content;
}
?>

pac.php:

<?php header('Content-Type: application/x-javascript-config') ?>
function FindProxyForURL(url, host)
{
	 return "PROXY <?php echo $_SERVER['SERVER_ADDR'] ?>:<?php echo $_SERVER['SERVER_PORT'] ?>; DIRECT";
}

• Proxy auto-config - Wikipedia, the free encyclopedia

• PHP+Apache as forward/reverse proxy: ¿how to process client requests and server responses in PHP? - Server Fault

• jenssegers/php-proxy

Internet Content Adaptation Protocol

Aka ICAP

• Internet Content Adaptation Protocol - Wikipedia, the free encyclopedia

• http://wiki.squid-cache.org/Features/ICAP

• php-icap-server - Internet Content Adaptation Protocol Server implemented in PHP - Google Project Hosting

• icapjs/icap_server.js at master · LordEidi/icapjs

HTTP/2.0

• Performance testing HTTP/1.1 vs HTTP/2 vs HTTP/2 + Server Push for REST APIs

Header compression

Aka HPACK

• Headers

• mnot’s blog: Designing Headers for HTTP Compression

• RFC 7541 - HPACK: Header Compression for HTTP/2

• HPACK: the silent killer (feature) of HTTP/2

• h2load - HTTP/2 benchmarking tool - HOW-TO — nghttp2 1.36.0-DEV documentation

Anonymous requests require clean connection

Requests without credentials use a separate connection — HTTP/2 push is tougher than I thought - JakeArchibald.com

Fonts require to be loaded as CORS anonymous or require CORS authorization: CSS Fonts Module Level 3

• CORS Anonymous requests complicates preconnect · Issue #32 · w3c/resource-hints

• Chrome prefix group_name for SOCKET->TRANSPORT_CONNECT_JOB group_name as pm/ (example of pm/ssl/example.com:443 vs ssl/example.com:443, pm/example.com:80 vs example.com:80) for anonymous connections chrome://net-internals/#events&q=type:SOCKET,TRANSPORT_CONNECT_JOB

Shared connection with multiple hosts

Aka connection coalescing

Multiple hosts can use the same connection, but need the same IP (?) and (when HTTPS) require to use the same certificate (that use Subject Alternative Names) But may not support this.

HTTP/2 supports multi-host multiplexing which further reduces RTTs. SPDY only supports single-host multiplexing. — HTTP/2 - What Does it Mean for a CDN?

• linux - HTTP2: different domain but same IP, multiple connection or one connection? - Stack Overflow

• HTTP/2 connection coalescing | daniel.haxx.se

• Shifting from SPDY to HTTP/2 | StackPath Blog

• What is HTTP/2 - The Ultimate Guide by Kinsta

HTTP/3

• Web Performance Calendar » Head-of-Line Blocking in QUIC and HTTP/3: The Details

• HTTP/3 From A To Z: Core Concepts (Part 1) — Smashing Magazine

URI/URL

Cool URIs don't change

What makes a cool URI? A cool URI is one which does not change. What sorts of URI change? URIs don't change: people change them.

— Hypertext Style: Cool URIs don't change.

URI Template format definition: RFC 6570 - URI Template

• absolute URL: http://domain/path/to/some/resource https://url.spec.whatwg.org/#absolute-url-string

• scheme-relative (or Network-path reference or protocol-relative) URL : //domain/path/to/some/resource https://url.spec.whatwg.org/#scheme-relative-special-url-string It usage is discouraged: The protocol-relative URL - Paul Irish

• absolute-path-relative URL: /path/to/some/resource https://url.spec.whatwg.org/#path-absolute-url-string

• path-relative URL: path/to/some/resource, ../path/to/some/resource https://url.spec.whatwg.org/#path-relative-scheme-less-url-string

• origin-form: path and query string of the URI. The query string may or may not be present.

• absolute-form: an absolute URI.

• authority-form: the authority part of a URI, made up of a maximum of 3 parts – user-info (optional), host and port (optional). The user-info may require a password too – user:password. We end up with a pattern of user:password@host:port. The user-info may also have require an

• asterisk-form: just the string, *

• same origin: same scheme, host, and port. URL Standard and HTML Standard

• same origin-domain: HTML Standard

• same site: same registrable domain. URL Standard

scheme:[//[user:password@]host[:port]][/]path[?query][#fragment]

• How many ways can you slice a URL and name the pieces? - Tantek

• http://[::1]:80/, http://[::]:80/, http://0.0.0.0:80/, http://127.0.0.1/, http://127.0.0.1/, http://127.1/, http://127.40.89.34/ (loopback too), http://localhost/, http://3232235778/ (see IP address representation)

• mysql://user:pass@host/mydatabase

• smtps://username:password@smtp.example.com/?pool=true

• memcached://localhost:11211/meta

• redis://user:secret@localhost:6379/0?foo=bar&qux=baz https://www.iana.org/assignments/uri-schemes/prov/redis

• Uniform Resource Identifier (URI) Schemes

• https://github.com/sidorares/node-mysql2/blob/9218f055ceeb95ae7205348e06c07b89b799d031/lib/connection_config.js#L88-L118

• IPv4 - Wikipedia

• Email address format

• Trailing Slashes on URLs: Contentious or Settled?—zachleat.com

• .aspx considered harmful – Jon Udell

• Four Cool URLs - Alex Pounds' Blog

Note: https://-inevitablelament.tumblr.com/ is a valid URL (subdomain start with minus char), see Bug #668926 “can't resolve domain names starting with a dash (mi...” : Bugs : resolvconf package : Ubuntu

IP address representation

aka IP address as number, aka IP decimal notation

1.1.1 will interpret to 1.1.0.1 and not 1.1.1.0 or 0.1.1.1

http://3232235778/ and http://192.168.1.2/ are equivalent http://2130706433/ and http://127.0.0.1/ are equivalent

<?php
function ipv4ToNumberumber($ip) {
	list($a, $b, $c, $d) = explode('.', $ip);
	return (double) ($a*16777216)+($b*65536)+($c*256)+($d);
}
function numberToIPv4($number) {
	$a = ($number/16777216)%256;
	$b = ($number/65536)%256;
	$c = ($number/256)%256;
	$d = ($number)%256;
	return $a.'.'.$b.'.'.$c.'.'.$d;
}
?>

• Dot-decimal notation — Wikipedia

• IPv6 address — Wikipedia

• ip - Why does pinging 192.168.072 (only 2 dots) return a response from 192.168.0.58? - Super User

• WTFriday: http://2915189091 « Super User Blog

• There’s more than one way to write an IP address

• Java - Convert IP address to Decimal Number - Mkyong.com

• Php convert ipv6 to number - Stack Overflow

Scheme-relative URLs

Aka protocol-relative URLs.

It's recommended to always use https:// URLs.

This not work if the protocol is not the same. Example: in email this URLs are not supported

• Stop Using the Protocol-relative URL - Jeremy Wagner

• The protocol-relative URL - Paul Irish

• Protocol Relative URLs, Why to Use Them, and Common Pitfalls - Bill Patrianakos

• Wikipedia:Protocol-relative URL — Wikipedia

• http://tools.ietf.org/html/rfc3986#section-4.2

• https://url.spec.whatwg.org/#concept-scheme-relative-url

Don't use it in email (could be resolve as file protocol: file:///...)

Domain

Naked domain = domain without subdomain (eg. www.). Aka apex domain, base, bare, naked, root apex, or zone apex

|--------------------|-----------------------|-------------------|

Domain	Registrable domain	Public suffix
edition.cnn.com	cnn.com	com
money.cnn.com	cnn.com	com
w3c.github.io	w3c.github.io	github.io
tc39.github.io	tc39.github.io	github.io
--------------------	-----------------------	-------------------

Note: public suffix aka effective top-level domain (eTDL).

• www. is not deprecated – really and Why use www? | Hacker News

• Chrome hide "trivial subdomains" (www., m.)

  • Chrome 69 Removing WWW and M subdomains From the Browser's Address Bar

  • Google Chrome Hides WWW and HTTPS:// in the Address Bar Again

• browser autocomplete/autofill user entering URLs

  • browser.fixup.alternate.*, browser.fixup.*

  • Omnibox - The Chromium Projects

• Mettre un tiret dans mon nom de domaine ? | Gandi News

• Suffixes, like .com, .co.uk, pvt.k12.ma.us, etc. Public Suffix List

Second-level domain

• Second-level domain — Wikipedia

• https://gist.github.com/rubengersons/0ff87fd457c958a503ab

• https://gist.github.com/danallison/905746161b23832b9cd8029ca6919b51

• https://github.com/projectbtle/BLE-GUUIDE/blob/10fdd3f3fa7ca077e0ba5a3efa2c2ac83455cb1a/resources/common/slds.json

• https://github.com/gavingmiller/second-level-domains

• https://github.com/medialize/URI.js/blob/master/src/SecondLevelDomains.js

• https://github.com/adblockplus/adblockpluscore/blob/next/lib/url.js + https://github.com/adblockplus/adblockpluscore/blob/next/build/updatepsl.js / https://github.com/adblockplus/adblockpluscore/blob/next/data/publicSuffixList.json

Password

HTTP Authentification

http://user:password@example.com http://user:p%40ssword@example.com (user, p@ssword)

Encode special chars: mypass#gh647 to mypass%23gh647

Write URI well

See RESTful and API

• Good Practice for Capability URLs

• Use Canonical URLs, Please

• Benefits of Plain English URLs

• The Peril of Self-Replicating Hyperlinks

• Semantic URL — Wikipedia

• Choosing between www and non-www URLs - HTTP | MDN

• Set your preferred domain (www or non-www) - Search Console Help

• How To Create Your Own URL Scheme | CSS-Tricks

• Slug Clean URL - Wikipedia

• URLs are UI - Scott Hanselman

• https://restpatterns.mindtouch.us/Articles/Designing_URIs

URI template

https://example.com/{file}
https://example.com/search{?q*,lang}

• RFC 6570 - URI Template

• URI template online tester

• hannesg/uri_template: A URI template library for ruby.

• medialize/URI.js: Javascript URL mutation library

• grncdr/uri-template: CoffeeScript/Javascript implementation of RFC 6570 for URI-templates

• geraintluff/uri-templates: JavaScript utility for RFC 6570: URI Templates

Subordinate resource

Aka subresource, hash, fragment identifier

Selectors:

• RFC 3236 - The 'application/xhtml+xml' Media Type - HTML: page.html#namedSection

• RFC 3778 - The application/pdf Media Type - PDF: slides.pdf#page=10&viewrect=50,50,640,480

• RFC 5147 - URI Fragment Identifiers for the text/plain Media Type - Plain Text: text.txt#char=0,10, text.txt#line=10,20

• RFC 3023 - XML Media Types - XML: page.xml#xpointer(/a/b/c), page.html#xpointer(string-range(//,"target text"))

• RFC 3870 - application/rdf+xml Media Type Registration - RDF/XML: data.rdf#namedResource

• RFC 7111 - URI Fragment Identifiers for the text/csv Media Type - CSV: data.csv#row=5-7

• Media Fragments URI 1.0 (basic) - Media: image.jpg#xywh=50,50,640,480, video.ogv#t=60,100

• Linking – SVG 1.1 (Second Edition) - SVG: image.svg#svgView(viewBox(50,50,640,480))

• EPUB Canonical Fragment Identifier (epubcfi) Specification - EPUB3: book.epub#epubcfi(/6/4[chap01ref]!/4[body01]/10[para05]/3:10)

• Selectors and States - Media, Text, RDF/HTML/XML: page.html#selector(type=CssSelector,value=%23elemid%20>%20.elemclass%20+%20p)

• Web Annotation Data Model

• Using CSS Selectors as Fragment Identifiers - page.html#css(.myclass)

  • CSS Selectors as Fragment Identifiers Community Group

  • Laurian/CSSFrag: Fork of Shaun Inman 'CSS Selectors as Fragment Identifiers' implementation.

• npm-package.json | npm Documentation - Github repo github.com/npm/cli#semver:^5.0

• fragmention - IndieWeb - page.html##text

• NYTimes/Emphasis: Dynamic Deep-Linking and Highlighting - HTML/XML page.html#h5s1,2

• bokand/ScrollToTextFragment: Proposal to allow specifying a text snippet in a URL fragment - page.html#targetText=percent%20encoded

• fragmention - IndieWeb - page.html##some+text+reference

• Text Fragments

  • page.html#:~:text=[prefix-,]textStart[,textEnd][,-suffix]

  • tomayac/text-fragments-polyfill

  • GoogleChromeLabs/link-to-text-fragment: Browser extension that allows for linking to arbitrary text fragments.

  • Scroll To Text Fragment · Issue #194 · mozilla/standards-positions

• RFC 6901 - JavaScript Object Notation (JSON) Pointer - JSON Pointer: data.json#/foo/0

• jar:https://domain.com/path/to/jar.jar!/Pictures/a.jpg (jar:<url>!/{entry})

• zip:password@http://domain.com/path/to/file#/Pictures/a.jpg

• swf:http://domain.com/path/to/file.swf#com.domain.ClassName and http://domain.com/path/to/file.swc#com.domain.ClassName

• xpath.js - HTML/XML: page.html#xpath:/html/body/p[3]. XPath Bookmark Bookmarklet – Blog

More infos:

• URI fragment - Wikipedia

• Fragment identifier - Wikipedia

• Best Practices for Fragment Identifiers and Media Type Definitions

• List of valid characters for the fragment identifier in an URL? - Stack Overflow

• brettz9/jump-to-anchor: Jump to the closest anchor for a selected element

• Rumperuu/Pinpointer: A browser extension to create and share links to arbitrary bits of webpages. - Developing Pinpointer – bengoldsworthy.net

• karanlyons/pinpoint: Link anywhere.

• ericclemmons/unique-selector: Given a DOM node, return a unique CSS selector matching only that element

• Find an element / text

Data URI

On some browser, data URI are considered from different domain. See javascript - Programmatically accessing an iframe that uses a data URI as a source - Stack Overflow.

application/font-woff

data:application/pdf;name=document.pdf;base64,BASE64_DATA_ENCODED

• Firefox require hash to be encoded/escaped

• IE require more chars to be encoded/escaped

• CSS # Sprites vs Data URI

• Formats and protocols/URI

• SVG gradient and backgrounds

• Optimizing SVGs in data URIs by Taylor Hunt on CodePen

• Probably Don't Base64 SVG | CSS-Tricks

• Getting URL encoded SVG to work in IE

• Blue Box Data URI (svg

• Sass function to encode SVG as a data uri without it being in base64

Data URI base 64 encoding

See Base64

Works with IE 9+ and others browsers

background: red url("data:image/svg+xml;base64,PHN2ZyB4bWxucz0naHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmcnIHZpZXdCb3g9JzAgMCAxMDAgMTAwJz48cmVjdCBmaWxsPSdncmVlbicgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnLz48L3N2Zz4=");

• Base64 Encoding & Performance, Part 1: What’s Up with Base64? – CSS Wizardry – CSS Architecture, Web Performance Optimisation, and more, by Harry Roberts

• Base64 Encoding & Performance, Part 2: Gathering Data – CSS Wizardry – CSS Architecture, Web Performance Optimisation, and more, by Harry Roberts

Data URI percentage encoding

Using encodeURIComponent()

Escapes all characters (including UTF-8 sequences) except the following: alphabetic, decimal digits, -, _, ., !, ~, *, ', (, ).

Note:

For data URI contains SGML like documents, (if it's allowed) you can use simple quote instead of double quotes for attributes values or mix both. This reduce the number of chars used by encoding 1 (') vs. 3 (%22). If the data URI must be quoted, double quote can be used with additional encoding: Example with CSS: use url("data:...value%3D'data'") with double quotes, simple quotes are not escaped. See xhtml - How to properly escape quotes inside html attributes? - Stack Overflow

It's possible to not encode all chars.

Some browsers require some encoded chars:

• Firefox require # to be encoded

• IE 11 & Edge require % to be encoded (no invalid escape sequences, eg. width='100%' , must be height='100%25' instead)

It's safe to keep unencoded:

• (space, %20)

• = (%3D)

• : (%3A)

• / (%2F)

For security reasons, data URIs are restricted to downloaded resources. Data URIs cannot be used for navigation, for scripting, or to populate frame or iframe elements.

Data URIs cannot be larger than 32,768 characters.

The resource data must be properly encoded; otherwise, an error occurs and the resource is not loaded. The "#" and "%" characters must be encoded, as well as control characters, non-US ASCII characters, and multibyte characters. — data Protocol

copy("data:image/svg+xml," + encodeURI(`<svg xmlns="...</svg>`.replace(/"/g, "'").replace(/(^|>)\s+(<|$)/g, "$1$2")).replace(/%20/g, " ").replace(/#/g, "%23"));

• Percent-encoding — Wikipedia

• encodeURIComponent() - JavaScript | MDN

• encodeURI() - JavaScript | MDN

• Optimizing SVGs in data URIs by Taylor Hunt on CodePen

• URL-encoder for SVG

• Probably Don't Base64 SVG | CSS-Tricks

MHTML URI

Multipart document

IE?-8 only

/*
Content-Type: multipart/related; boundary="_ANY_STRING_WILL_DO_AS_A_SEPARATOR"

--_ANY_STRING_WILL_DO_AS_A_SEPARATOR
Content-Location:locoloco
Content-Transfer-Encoding:base64

iVBORw0KGgoAAAANSUhEUgAAAAQAAAADCAIAAAA7ljmRAAAAGElEQVQIW2P4DwcMDAxAfBvMAhEQMYgcACEHG8ELxtbPAAAAAElFTkSuQmCC
--_ANY_STRING_WILL_DO_AS_A_SEPARATOR
Content-Location:polloloco
Content-Transfer-Encoding:base64

iVBORw0KGgoAAAANSUhEUgAAABkAAAAUBAMAAACKWYuOAAAAMFBMVEX///92dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnYvD4PNAAAAD3RSTlMAACTkfhvbh3iEewTtxBIFliR3AAAAUklEQVQY02NgIBMwijgKCgrAef5fkHnz/y9E4kn+/4XEE6z/34jEE///A4knev7zAwQv7L8RQk40/7MiggeUQpjJff+zIpINykbIbhFSROIRDQAWUhW2oXLWAQAAAABJRU5ErkJggg==
*/

#test1 {
	background-image: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAQAAAADCAIAAAA7ljmRAAAAGElEQVQIW2P4DwcMDAxAfBvMAhEQMYgcACEHG8ELxtbPAAAAAElFTkSuQmCC"); /* normal */
	*background-image: url(mhtml:http://phpied.com/files/mhtml/mhtml.css!locoloco); /* IE < 8 */
}

#test2 {
	background-image: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABkAAAAUBAMAAACKWYuOAAAAMFBMVEX///92dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnZ2dnYvD4PNAAAAD3RSTlMAACTkfhvbh3iEewTtxBIFliR3AAAAUklEQVQY02NgIBMwijgKCgrAef5fkHnz/y9E4kn+/4XEE6z/34jEE///A4knev7zAwQv7L8RQk40/7MiggeUQpjJff+zIpINykbIbhFSROIRDQAWUhW2oXLWAQAAAABJRU5ErkJggg=="); /* normal */
	*background-image: url(mhtml:http://phpied.com/files/mhtml/mhtml.css!polloloco); /* IE < 8 */
}

• MHTML — Wikipedia

• MHTML – when you need data: URIs in IE7 and under / Stoyan's phpied.com

mailto: URI

See mailto

Note: Be carefull with non encoded chars. Chrome don't open mailto url if not all required chars that require encoding are not.

You can open mailto in _self or _blank window. If an protocol handler is enable to mailto: this should open the related page (in self or blank, based on the target window).

• as link <a href="mailto:?subject=Hello&body=Hello%20world!" target="_blank">maitlo</a>

• as script window.open("mailto:?subject=Hello&body=Hello%20World!", "_blank")

• as form <form action="mailto:" target="_blank"><input type="hidden" name="subject" value="hello"><input type="hidden" name="body" value="Hello world!"><button>mailto</button></form>. It's not a usefull method for the following reasons:

  • with GET, spaces fields name and values will be replace with +.

  • for file fields (<input type="file">), the value will be replace with the name of the selected file

  • with POST and with encoding type text/plain, the body will contains all fields: one per line with name=value

Target can be omited (default to _self).

tel: URI

See tel

Well known

Aka /.well-known/

Site-wide metadata files

• Well-Known URIs

• www.mysite.com/robots.txt symlink to www.mysite.com/.well-known/robots.txt (only 301 redirection are recommended, see robots.txt)

• App Search Programming Guide: Support Universal Links - /.well-known/apple-app-site-association

• Getting Started | Google Digital Asset Links | Google Developers - /.well-known/assetlinks.json

• WebFinger - https://<domain>/.well-known/webfinger?resource=<resource> (where resource value - URI encoded - is acct:<email-address>)

About URI

• about:blank

• about:invalid

• about URI scheme - Wikipedia

• "about" URI Tokens

HTTP API

See also API

Location: https://... for POST 201 Created entity. https://restpatterns.mindtouch.us/HTTP_Status_Codes/201_-_Created

Infos and docs:

• Common HTTP Implementation Problems

• How to design a REST API | OCTO Talks !

• Web API - Wikipedia

• API designs for low-connectivity | OCTO Talks ! - How to handle API calls when the network fail

• How To Design Better JavaScript APIs – Smashing Magazine

• How to Create a custom Authentication Provider (current)

• http://techblog.appnexus.com/2012/on-restful-api-standards-just-be-cool-11-rules-for-practical-api-development-part-1-of-2/

• http://techblog.appnexus.com/2012/on-restful-api-standards-just-be-cool-11-rules-for-practical-api-development-part-2-of-2/

• API Design is UI for Developers – Terence Eden's Blog

• API Design - Matt Gemmell

• You Really Should Log Client-Side Errors

• Reverse-engineering Instagram to access the private API

• The Definitive Guide to GET vs POST - Treehouse Blog

• The art of creating simple but flexible APIs - Jos de Jong

• APIs are about Policy — Acko.net

Tools:

• Home - OpenAPI Initiative

• GitHub - alufers/mitmproxy2swagger: Automagically reverse-engineer REST APIs via capturing traffic

• JSON:API — A specification for building APIs in JSON

• API Documentation & Design Tools for Teams | Swagger

• Welcome | RAML - "RESTful API Modeling Language (RAML) makes it easy to manage the whole API lifecycle from design to sharing."

• API Blueprint | API Blueprint - "A powerful high-level API description language for web APIs."

• adobe/ride: REST API Automation framework for functional, integration, fuzzing, and performance testing

• API Monitoring and Testing · Runscope API Testing & Monitoring

• A server side OAuth2 Bundle for Symfony2

Examples:

• public-apis/public-apis: A collective list of free APIs for use in software and web development.

• API Events Proposal · DozroK/mp2013 Wiki - opensource API of the opendata database of all events of Marseille Provence 2013

• Events | Google Calendar API | Google Developers

• Flickr Services

• Google Universal Analytics for AS3

• guidelines/DINA-Web-API-Guidelines.md at master · DINA-Web/guidelines

• LiveDNS API

• API Graph - Facebook API

Filter, sort, paging:

• Link header with rel next, prev, last, first

• Resources in the REST API - GitHub Docs

• RFC 5988 - Web Linking

• page cursor (works well for non user paging, or only for "load more") API pagination design API pagination design | Hacker News

• What's good about offset pagination; designing parallel cursor-based web APIs — brandur.org

• REST API Design: Filtering, Sorting, and Pagination | Moesif Blog

• Filtering | JSON:API module | Drupal Wiki guide on Drupal.org

Rate limit (quotas):

• for a resource

• for a user/token/etc. (context, allotted to)

• with a limit (max)

• within a period (window, per hour)

• reset (when the period is renewed)

• -> count / remaining

• HTTP headers Retry-After (toUTCString), X-Rate-Limit and X-Rate-Limit-Remaining

  • Example of HTTP API Rate Limiting HTTP Response header - Stack Overflow

  • Retry-After - HTTP | MDN

• HTTP status code 429

  • rest - Recommended HTTP status code for "plan limit exceeded" response - Software Engineering Stack Exchange

See also:

• Rate limiting - Wikipedia

• GitHub API v3 | GitHub Developer Guide

• Rate Limiting

RESTful

Aka REST, Hypermedia API

CRUD:

• create: POST request, response with 201 Created / 202 Accepted + Location: <URI to created resource> or 303 See Other + Location: <URI to related resource>

• read (retrieve): GET request, response with 200 OK

• update (modify, replace): PUT request, response with 200 OK

• update (modify, partial): PATCH request, response with 200 OK

• delete (destroy): DELETE request, response with 204 No Content

Could use 422 Unprocessable Entity instead of 400 Bad Request when the request body is valid (syntax is valid), but the server is unable to process the instruction. See rest - 400 vs 422 response to POST of data - Stack Overflow

• Best practices for REST API design - Stack Overflow Blog

• REST API Tutorial

• Create, read, update and delete - Wikipedia

• api - Call a Server-side Method on a Resource in a RESTful Way - Stack Overflow

• Please. Don't Patch Like An Idiot. · William Durand

• The RESTful cookbook

• Understanding And Using REST APIs — Smashing Magazine

• angular-symfony/src/Flyers/FrontendBundle/Resources/public/js/services.js at master · FlyersWeb/angular-symfony

• How I Explained REST to My Wife | Looah

• How RESTful is Your API? | BitNative by Cory House

• Proper response for a REST insert - full new record, or just the record id value? - Programmers Stack Exchange

• REST APIs must be hypertext-driven » Untangled

• REST APIs with Symfony2- The Right Way | William DURAND

• RestWiki- Front Page

• RestWiki- Jeff Bone

• The HTTP OPTIONS method and potential for self-describing RESTful APIs | zacstewart.com

• The Real-time Web in REST Services at IMVU | IMVU Engineering Blog

• web services - Link headers vs link elements for RESTful JSON - Stack Overflow

• JSON API :: A standard for building APIs in JSON.

• How your API could benefit from Hypermedia — Unexpected Token — Medium

• REST APIs must be hypertext-driven » Untangled

• The HTTP OPTIONS method and potential for self-describing RESTful APIs | zacstewart.com

• The Real-time Web in REST Services at IMVU | IMVU Engineering Blog

• Marcelo Cure: Software Engineer: REST anti-patterns

• Principles of good RESTful API Design

• Best Practices for Designing a Pragmatic RESTful API | Vinay Sahni

• API design guidance | Microsoft Docs

• api-guidelines/Guidelines.md at master · Microsoft/api-guidelines

• Introduction · HTTP API Design - interagent/http-api-design: HTTP API design guide extracted from work on the Heroku Platform API

• HTTP status code for update and delete? - Stack Overflow

Patch

PATCH /my/data HTTP/1.1
Host: example.org
Content-Length: 326
Content-Type: application/json-patch+json
If-Match: "abc123"

[
 { "op": "test", "path": "/a/b/c", "value": "foo" },
 { "op": "remove", "path": "/a/b/c" },
 { "op": "add", "path": "/a/b/c", "value": [ "foo", "bar" ] },
 { "op": "replace", "path": "/a/b/c", "value": 42 },
 { "op": "move", "from": "/a/b/c", "path": "/a/b/d" },
 { "op": "copy", "from": "/a/b/d", "path": "/a/b/e" }
]

• RFC 6902: JavaScript Object Notation (JSON) Patch

• RFC 7396: JSON Merge Patch

Documentation formats

Aka specs, docs format

And generators

• OpenAPI

  • Home - OpenAPI Initiative

  • Swagger 2.0

  • What is OpenAPI? Swagger vs. OpenAPI | Swagger Blog - "OpenAPI = Specification, Swagger = Tools for implementing the specification"

  • some implementations:

    • danivek/json-api-serializer: Node.js/browser framework agnostic JSON API (http://jsonapi.org/) serializer.

    • mu-io/ts-japi: A highly-modular (typescript-friendly)-framework agnostic library for serializing data to the JSON:API specification

    • ostinelli/gin: A LUA fast, low-latency, low-memory footprint, web JSON-API framework with Test Driven Development helpers and patterns.

• Postman collection and environnements files (JSON)

  • Postman | The Collaboration Platform for API Development

  • Postman Inc.

  • postmanlabs/schemas: Repository of all schemas for JSON structures compatible with Postman (such as the Postman Collection Format)

  • adobe/reactor-postman: A Postman collection of Reactor API examples for Adobe Experience Platform Launch

• Apiary — Home

• API Blueprint - API Documentation with powerful tooling

• RAML - RESTful API modeling language

• mashery/iodocs

• Mashape - Free API Management Platform & Marketplace

• Web Application Description Language — Wikipedia

• RSDL - Wikipedia, the free encyclopedia

• https://github.com/nelmio/NelmioApiDocBundle

• Paw – The ultimate REST client for Mac

• API Spec Comparison Tool | MIKESTOWE.COM

• RAML vs. Swagger vs. API Blueprint | MIKESTOWE.COM

• Home · wordnik/swagger-core Wiki

Hypermedia

• The Hypertext Application Language

• kevinswiber/siren: Structured Interface for Representing Entities, super-rad hypermedia

• RFC 8288 - Web Linking

• HTML5 links

JSON API

• JSON:API — A specification for building APIs in JSON

API examples

http://lifeforms.org/<alias> redirect to (305) http://lifeforms.org/<Kingdom>/<Phylum>/<Class>/<Order>/<Family>/<Genus>/<Species>

• RESTBase docs - REST API - MediaWiki

• API References and Guides - PayPal Developer

• GitHub API v3 | GitHub Developer Guide and https://api.github.com/

• timdorr/model-s-api

• Tesla Model S JSON API—by apiary.io

• API REST

• Rest api - Redmine

• Developers - REST API Reference - Thingiverse

• DELETE Object - Amazon Simple Storage Service

• WhiteHouse/api-standards

• microsoft/api-guidelines: Microsoft REST API Guidelines

• public-apis/public-apis: A collective list of free APIs for use in software and web development.

Security

There is no session

• rest - Do sessions really violate RESTfulness? - Stack Overflow

• web applications - Should cookies be used in a RESTful API? - Software Engineering Stack Exchange

• zanox OAuth with REST - zanox Developer Portal - RESTful API authentication - Wiki.zanox.com

• rest - RESTful Authentication - Stack Overflow

• Secure Your REST API... The Right Way - Stormpath User Identity API

• Remote access API - Jenkins - Jenkins Wiki

• Documentation | Words API

Implementation / libs

• Homepage - Silex - The PHP micro-framework based on Symfony2 Components

• Slim Framework - Slim Framework

• Apigility

• badgateway/ketting: Ketting is a Hypermedia client for javascript

• Create a REST API with PHP « Gen X Design | Ian Selby

• Building A RESTful PHP Server: Understanding the Request - LornaJaneLornaJane

WebHook

Aka postback, pixel

• Webhook - Wikipedia

• WebSub - Open protocol for distributed pub–sub communication on the internet

• WebSub Rocks!

• Postback - Wikipedia

See also Server-sent events:

• Server-Sent Events - API Graph

• Give me /events, not webhooks | Hacker News

Or SMTP

Cookies

• Browser Cookie Limits

• WebCookies.org: Websites with most cookies

• http - Why are cookie paths case sensitive? - Stack Overflow

Cookie max age

For document.cookies, max-age is not suppoted by IE and some Edge versions (it considered as session cookie)

• Cookie specification compatibility in modern browsers

• Support for Cookie max-age – Welcome to the Window developer feedback site!

• Cookie specification compatibility issue - Microsoft Edge Development

• Document.cookie - Web API | MDN

Delete a cookie

max-age=0, expires=Thu, 01 Jan 1970 00:00:00 GMT"

document.cookie = 'name=;path=/;domain=.domain.example;expires=Thu, 01 Jan 1970 00:00:00 GMT';

// Clear cookie
// Note the case sensitive
document.cookie = "{cookie-name}=;domain={domain};expires=Thu, 01 Jan 1970 00:00:00 GMT;max-age=0;path=/";

But max-age is not well supported, see [Cookie max age](#Cookie max age)

Cookie names are case-sensitive

RFC 6265 says that "Expires",* "Max-Age", "Domain", "Path", "Secure", "HttpOnly" should match case-insensitively:

there is no assertion there about the cookie name itself - there's a reason for that, because the cookie name should not be matched case insensitively, hence why it is not mentioned there.

In some browsers, the path is case sensitive

• http - Is the name of a cookie case sensitive? - Stack Overflow

• Cookie names must be case insensitive · Issue #2241 · playframework/playframework

• ASP.NET Cookies Overview

• http - Why are cookie paths case sensitive? - Stack Overflow