Freek.dev

The HTTP specification says that status codes should be three digits integers, but what happens if they are not? April King, head of website security at Mozilla, did some fun experiments to find out.

While it is easy to create test cases for conditions that don't satisfy this requirement, it is somewhat more difficult to determine how third-party libraries will handle HTTP requests that fall outside this constraint. I looked around the internet for websites to help me test weird status codes, but most of them only let me test with the known status codes. As such, I decided to add arbitrary HTTP status codes to my naughty httpbin fork, called misbehaving.site.

What I discovered is that the various browser manufacturers have wildly different behavior with how they handle unknown HTTP status codes.

https://pokeinthe.io/2017/09/14/http-status-code-handling/

Read more

Curl is not your only tool when creating or testing out APIs. On her blog Lorna Jane Mitchell made a nice list of alternatives.

At a conference a few days ago, I put up a slide with a few of my favourite tools on it. I got some brilliant additional recommendations in return from twitter so I thought I'd collect them all in one place in case anyone is interested - all these tools are excellent for anyone working APIs (so that's everyone!).

https://lornajane.net/posts/2017/http-tools-roundup

Read more

Michael Dyrynda, one of the co-hosts of the Laravel News and the North Meets South podcasts, explains how to easily uptime your models with data coming from requests.

Instead of littering your controller method with multiple request()->has('field') checks, you can employ the request object's intersect method. The intersect method will return a new array containing only the keys that are present in both the specified list and the request itself.

Using intersect allows you to easily handle a PATCH request - one where you partially update a resource's data, rather than all of it as with a PUT - in a much more concise manner.

https://dyrynda.com.au/blog/partial-model-updates-in-laravel

Read more

Zach Silveira made a new JavaScript library that aims to make ajax requests much more readable. Under the hood template literals are used.

Anyone familiar with HTTP requests knows what each line in chrome's network tab means. It's too bad we can't copy and paste this into our code and do that exact request..... But we can (almost), if my idea pans out! Take a look at what I'm proposing:

request`  
  url: http://test.app/settings/user/19
  method: PATCH
  headers: ${{ 
    Authorization: 'Bearer: token' 
  }}
  body: ${{ name: 'Bob' }}
`

https://zach.codes/human-readable-ajax-requests/

Read more

Phil Sturgeon provides a good explanation on the why and how of middlewares in PHP.

Recently there has been a lot of buzz about HTTP middleware in PHP. Since PSR-7 was accepted, everyone and their friend Sherly has been knocking out middleware implementations, some of them stunning, some of them half-arsed, and some of them rolled into existing frameworks. HTTP Middleware is a wonderful thing, but the PHP-FIG is working on a specific standard for middleware, which will standardise this mess of implementations, but some folks don't seem to think that would be useful.

Let's look into middleware a little closer, to show you why it's something to smile about.

https://philsturgeon.uk/2016/05/31/why-care-about-php-middleware/

Read more

Over at the CloudFlare blog John Graham-Cumming wrote an interesting article on SQL injection attacks via http request headers.

SQL injection is a perennial favorite of attackers and can happen anywhere input controlled by an attacker is processed by a web application. It's easy to imagine how an attacker might manipulate a web form or a URI, but even HTTP request headers are vulnerable. Literally any input the web browser sends to a web application should be considered hostile.

Read more

Hannes Van De Vreken shows what awesome async things you can do with Guzzle promises.

Now what happens if you need to perform a large number of concurrent requests? If you don’t control the number of requests you might end up with a dangerously large amount of open TCP sockets to a server. You’ll need to use some sort of dispatching to have a limited number of concurrent requests at any given time.

Let’s show you how to do that.

Read more

Chris Fidao posted a good tutorial on how to use some lesser known built-in Laravel methods to handle content negotiation.

An HTTP client, such as your browser, or perhaps jQuery's ajax method, can set an `Accept` header as part of an HTTP request.

It's up to the server to follow the rules of HTTP. When a request comes to our application, it's pretty easy to ignore these rules, as our frameworks generally let us return whatever we want.

Laravel provides a nice, easy way to check if a request "wants json".

Read more

Beau Simensen gave a good overview of PSR-7 at the recent PHP North West conference.

https://www.youtube.com/watch?v=iZhcM0NH6J8

Read more

httpie is a command-line http client, much like cURL or wget. Written entirely in Python (using requests for the backend and pygments for syntax highlighting), it’s well portable to many platforms, including the big three Windows, Linux and OSX.

Read more

HTTP/2 has a great feature called server push. It enables the server to send multiple responses in parallel for one request. In a blogpost on the Symfony Finland blog Jani Tarvainen demonstrates how to make use of server push with the Symfony Kernel.

$app->get('/images'), function () use ($app) {
    $images = array('/images/1.jpg','/images/2.jpg','/images/3.jpg');
    $response = new JsonResponse($images);
    foreach($images as $image){
        $response->headers->set('link','<' . $image . '>; rel=preload; as=image',false);
    }
    
    return $response;

Read the entire article for some more background info.

Read more

Coming soon to a server near you.

http://http2.github.io/faq/

Read more

The DOM and all additional resources don't need to be parsed, the client can already begin the download of the `screen.css` resource, without "wasting time" processing the DOM and all external resources, only to make a new request to the server to begin fetching them.

When you add this all up for all resources on a page, this can easily save 100-200ms of the total page load/paint of a website. Those are numbers that should really have you consider implementing HTTP/2.

Read more

Chrome has supported SPDY since Chrome 6, but since most of the benefits are present in HTTP/2, it’s time to say goodbye. We plan to remove support for SPDY in early 2016, and to also remove support for the TLS extension named NPN in favor of ALPN in Chrome at the same time. Server developers are strongly encouraged to move to HTTP/2 and ALPN.

Read more

One thing frameworks have been providing for many years is HTTP message abstraction. PSR-7 aims to provide a common set of interfaces so that frameworks can use the same set of abstractions. This will enable developers to write re-usable, framework-agnostic web components that frameworks can consume.

Read more

Here's a big list of things to be aware of when switching an http site over to https. Ignore the bit about social buttons, just don't use them.

Read more

Last week Bramus presented a cool mixed content scanner on his blog. Just for fun/as an excercise I made my own version.

The core scanner is mostly a copy of Bramus' code but there are a few noticeable differences. My version:

• can be installed via composer
• uses the Symfony console component
• uses Guzzle instead of naked curl
• can write the scanresults as json to a file

You'll find the instructions how to use it on github.

Read more

Ultimately, we can even imagine a long term in which secure origins are so widely deployed that we can leave them unmarked (as HTTP is today), and mark only the rare non-secure origins.

I'm all for it.

Read more

Compare load times of the unsecure HTTP and encrypted HTTPS versions of this page.

Read more

With my recent move to HTTPS I wasn’t sure if there were any pages left on my site that had Mixed Content or not. To check this I wrote a little PHP CLI app to scan an HTTPS website for Mixed Content. The script starts crawling at a given URL, and processes the page.

Nice!

Read more