Fun with HTTP

Nemo (@captn3m0)



200 OK
Link: <>; rel=twitter,
<>; rel=about, <>; rel=work,
<>; rel=website


Hypertext Transfer Protocol


RFC1945: May 1996
RFC2068: Jan 1997
RFC2109: Feb 1997

Version 0.9beta of Mosaic Netscape, released on October 13, 1994 supported Cookies

Cache in HTTP

Cache Headers

  • Content-Location

  • Content-MD5

  • ETag

  • Last-Modified

  • Cache-Control

  • Expires

Browser As A Caching Proxy?

A transparent proxy MUST NOT modify any of the following fields in a response:

  • Expires

but it MAY add any of these fields if not already present.

If an Expires header is added, it MUST be given a field-value identical to that of the Date header in that response.

Cache-Control: max-age=31536000

Cache-Control wins!

If a response includes both an Expires header and a max-age directive, the max-age directive overrides the Expires header, even if the Expires header is more restrictive.

This rule allows an origin server to provide, for a given response, a longer expiration time to an HTTP/1.1 (or later) cache than to an HTTP/1.0 cache. This might be useful if certain HTTP/1.0 caches improperly calculate ages or expiration times, perhaps due to desynchronized clocks.

It's easier!

A non-transparent proxy MAY modify or add these fields to a message that does not include no-transform, but if it does so, it MUST add a Warning 214 (Transformation applied) if one does not already appear in the message.


Warning: 214

451: Unavailable for Legal Reasons


HTTP/1.1 451 Unavailable For Legal Reasons
Content-Type: text/html

<html>
 <head><title>Unavailable For Legal Reasons</title></head>
 <body>
  <h1>Unavailable For Legal Reasons</h1>
  <p>This request may not be serviced in the Roman Province
  of Judea due to the Lex Julia Majestatis, which disallows
  access to resources hosted on servers deemed to be
  operated by the People's Front of Judea.</p>
 </body>
</html>


Content Negotiation

Content Negotiation

  • Accept
  • Accept-Language
  • Accept-Encoding


Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8


Dear Server,

I want the resource in an HTML or XHTML or XML format. If you cannot serve me this way, I'll take it in WebP instead. If you can't even give it to me in WebP, well, I'll take anything you've got!


Cross Origin Resource Sharing

Preflight Rules

A simple cross-site request is one that:

  1. Only uses GET, HEAD or POST. If POST is used to send data to the server, the Content-Type of the data sent to the server with the HTTP POST request is one of application/x-www-form-urlencoded, multipart/form-data, or text/plain.
  2. Does not set custom headers with the HTTP Request (such as X-Modified, etc.)


Non-Simple Request = Preflight

POSTing is fun!


You can't rely on the Same Origin Policy anymore.

Preflight Crashes

// Laravel catch-all route: matches every HTTP method for /foo
Route::any('foo', function () {
    return 'Hello World';
});


This responds to OPTIONS as well, so a CORS preflight gets "Hello World" with a 200 instead of a real preflight answer.
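An added example (not code from the talk) that applies the two "simple request" rules quoted above and handles OPTIONS as a preflight explicitly, rather than letting a catch-all route answer it. The requests are constructed dicts; the origin allow-list and the set of browser-controlled header names are assumptions made for this example.

```python
# Added example, not part of the original talk.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_POST_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
# Header names a browser sets on its own for a simple request (assumed list for
# this example); anything outside it counts as a "custom header" under rule 2.
BROWSER_HEADERS = {"accept", "accept-language", "content-language", "content-type",
                   "origin", "host", "user-agent", "referer", "cookie"}

def needs_preflight(method: str, headers: dict) -> bool:
    """True when a browser would send an OPTIONS preflight before this request."""
    method = method.upper()
    names = {k.lower(): v for k, v in headers.items()}
    if method not in SIMPLE_METHODS:
        return True                       # PUT, DELETE, PATCH, BREW, ... always preflight
    if method == "POST":
        ctype = names.get("content-type", "").split(";")[0].strip().lower()
        if ctype not in SIMPLE_POST_TYPES:
            return True                   # e.g. application/json is not a simple POST
    return any(name not in BROWSER_HEADERS for name in names)   # X-Modified etc.

ALLOWED_ORIGINS = {"https://app.example"}   # assumption: explicit allow-list, no "*"
ALLOWED_METHODS = {"GET", "POST"}

def handle(method: str, headers: dict) -> tuple:
    """Return (status, response headers); OPTIONS is a preflight, not a normal route."""
    names = {k.lower(): v for k, v in headers.items()}
    origin = names.get("origin")
    if method.upper() == "OPTIONS":
        wanted = names.get("access-control-request-method", "").upper()
        if origin in ALLOWED_ORIGINS and wanted in ALLOWED_METHODS:
            return 204, {"Access-Control-Allow-Origin": origin,
                         "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
                         "Vary": "Origin"}
        return 403, {}                    # unknown origin or method: no CORS headers at all
    resp = {"Content-Type": "text/plain"}
    if origin in ALLOWED_ORIGINS:         # actual request: only echo an allow-listed origin
        resp["Access-Control-Allow-Origin"] = origin
        resp["Vary"] = "Origin"
    return 200, resp
```

A constructed JSON POST with an X-Modified header is classified as needing a preflight, and an OPTIONS from an origin outside the allow-list gets a 403 with no Access-Control headers, so the browser blocks the follow-up request.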

418 I'm a Teapot

Helpful Teapot Photo

418 I'm a Teapot

TEA-capable pots that are not provisioned to brew coffee may return either a status code of 503, indicating temporary unavailability of coffee, or a code of 418 as defined in the base HTCPCP specification to denote a more permanent indication that the pot is a teapot.

501 Not Implemented

The server does not support the functionality required to fulfil the request. This is the appropriate response when the server does not recognise the request method and is not capable of supporting it for any resource.



BREW /peppermint


501 Not Implemented


402 Payment Required


Reserved for future use. The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, but that has not happened, and this code is not usually used.


Google Developers API uses this status if a particular developer has exceeded the daily limit on requests.
The Hamming Internet Payment System

