Web Developer’s HTTP Toolbox

A presentation at PHP UK Conference in February 2019 in London, UK by Lorna Jane Mitchell

Slide 1

Web Developers’ HTTP Toolbox
Lorna Mitchell, Nexmo
https://github.com/lornajane/fun-with-http

Slide 2

Why HTTP? Why Toolbox?
We build the web, it’s made of HTTP. Let’s look at the tools we need.
@lornajane

Slide 3

Getting to Know HTTP
Let’s start with some theory

Slide 4

Getting to Know HTTP
HTTP: HyperText Transfer Protocol

Request
  Host:    example.com
  Path:    /index.php
  Method:  POST
  Headers: Accept: text/html, User-Agent: curl, Content-Type: app
  Body:    fruit=apple&noun=sparkle

Response
  Status:  200
  Headers: Content-Type: text/html
  Body:    <h1>Hello!</h1>
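To make the request anatomy on this slide concrete, here is an added example (not from the original slides or the fun-with-http repository) that parses a raw HTTP/1.1 request into the pieces the slide names: method, path, headers and body. The function name is my own, and the request text is constructed from the slide's example; the Host check and the Content-Length cut-off are the two things a server must get right before it trusts anything in the body.

```php
<?php
// Added example: a minimal HTTP/1.1 request parser (function name is my own).
declare(strict_types=1);

function parseHttpRequest(string $raw): array
{
    // Head and body are separated by a blank line (CRLF CRLF).
    $parts = explode("\r\n\r\n", $raw, 2);
    $head  = $parts[0];
    $body  = $parts[1] ?? '';

    $lines       = explode("\r\n", $head);
    $requestLine = array_shift($lines);

    // Request line: METHOD SP PATH SP HTTP/version
    if (!preg_match('#^([A-Z]+) (\S+) HTTP/(\d\.\d)$#', $requestLine, $m)) {
        throw new InvalidArgumentException("Malformed request line: $requestLine");
    }

    $headers = [];
    foreach ($lines as $line) {
        // Each header is "Name: value"; names are case-insensitive, so normalise them.
        if (strpos($line, ':') === false) {
            throw new InvalidArgumentException("Malformed header line: $line");
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }

    // Host is mandatory in HTTP/1.1; it is how the server picks the virtual host.
    if (!isset($headers['host'])) {
        throw new InvalidArgumentException('Missing Host header');
    }

    // Only take as many body bytes as Content-Length declares; anything beyond
    // that belongs to the next request on a kept-alive connection.
    $length = (int) ($headers['content-length'] ?? 0);
    if (strlen($body) < $length) {
        throw new InvalidArgumentException('Body shorter than Content-Length');
    }

    return [
        'method'  => $m[1],
        'path'    => $m[2],
        'version' => $m[3],
        'host'    => $headers['host'],
        'headers' => $headers,
        'body'    => substr($body, 0, $length),
    ];
}

// Constructed sample matching the slide's request (24-byte form body).
$raw = "POST /index.php HTTP/1.1\r\n"
     . "Host: example.com\r\n"
     . "Accept: text/html\r\n"
     . "User-Agent: curl\r\n"
     . "Content-Type: application/x-www-form-urlencoded\r\n"
     . "Content-Length: 24\r\n"
     . "\r\n"
     . "fruit=apple&noun=sparkle";

$request = parseHttpRequest($raw);
parse_str($request['body'], $form);          // decode the form body into an array
echo $request['method'], ' ', $request['path'], "\n";   // POST /index.php
print_r($form);                              // fruit => apple, noun => sparkle
```

Real servers and frameworks do this for you; the point of writing it out is to see that every value PHP later hands you in $_SERVER, $_POST and getallheaders() is just a slice of this text, supplied by the client.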

Slide 5

HTTP Verbs
A verb is a “doing word” … in HTTP as well as in English.
• GET
• POST
• DELETE
• PUT
• PATCH
• HEAD

Slide 6

HTTP Headers
Request headers: Host, Accept
Response headers: ETag, Location
Entity headers: Content-Type

Slide 7

HTTP Status Codes
Code  Meaning
200   OK
201   Created
204   No Content
302   Found
307   Moved Temporarily

Slide 8

HTTP Status Codes
Code  Meaning
400   Bad Request
401   Unauthorized
403   Forbidden
404   Not Found
500   Server Error

Slide 9

HTTP and PHP
PHP can be client, server, or both

Slide 10

Speaking HTTP

Slide 11

Speaking HTTP
To speak HTTP, you will need a client. Suggestions include:
• curl https://curl.haxx.se/
• Postman https://www.getpostman.com/
• HTTPie https://httpie.org/
• http-console https://github.com/cloudhead/http-console
• Paw (Mac only) https://paw.cloud/client
• Insomnia https://insomnia.rest/
• probably your IDE?

Slide 12

Exercise 1: Get the Sample App

Slide 13

Data Formats

Form encoded:
  Content-Length: 40
  Content-Type: application/x-www-form-urlencoded

  message=This is a message&name=lornajane

JSON data:
  Content-Type: application/json
  Content-Length: 52

  {"message":"This is a message", "name":"lornajane"}

Slide 14

Working with JSON
Use the tools! In PHP: json_encode() and json_decode(). No string matching and definitely no regex.
At the commandline:
• jq https://stedolan.github.io/jq/
• fx https://github.com/antonmedv/fx
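The two slides above (Data Formats, and Working with JSON) are covered together by this added example, which is my own code rather than anything from the talk. It encodes the same payload in both formats, computes the entity headers shown on the slide, and decodes an incoming body strictly by its Content-Type using json_decode() and parse_str() instead of string matching. Function and constant names are my own; the sample data is constructed.

```php
<?php
// Added example: encode/decode a body by Content-Type (names are my own).
declare(strict_types=1);

const CT_FORM = 'application/x-www-form-urlencoded';
const CT_JSON = 'application/json';

/** Build the body plus the two entity headers the slide shows for it. */
function encodeBody(array $data, string $contentType): array
{
    switch ($contentType) {
        case CT_FORM:
            $body = http_build_query($data);   // percent-encodes keys and values
            break;
        case CT_JSON:
            $body = json_encode($data, JSON_THROW_ON_ERROR);
            break;
        default:
            throw new InvalidArgumentException("Unsupported Content-Type: $contentType");
    }
    // Content-Length counts bytes, not characters: strlen() is right here,
    // mb_strlen() would be wrong for non-ASCII payloads.
    return [
        'headers' => ['Content-Type' => $contentType, 'Content-Length' => strlen($body)],
        'body'    => $body,
    ];
}

/** Decode a request body with the proper tools, never regex or string matching. */
function decodeBody(string $contentType, string $body): array
{
    // Drop parameters such as "; charset=utf-8" before comparing the media type.
    $mediaType = strtolower(trim(explode(';', $contentType, 2)[0]));
    switch ($mediaType) {
        case CT_FORM:
            parse_str($body, $data);   // into $data, never into the global scope
            return $data;
        case CT_JSON:
            // Depth limit plus exceptions: malformed JSON is an error, not an empty array.
            $data = json_decode($body, true, 32, JSON_THROW_ON_ERROR);
            if (!is_array($data)) {
                throw new UnexpectedValueException('JSON body must be an object or array');
            }
            return $data;
        default:
            // Unknown or missing Content-Type: refuse rather than guess.
            throw new InvalidArgumentException("Unsupported Content-Type: $contentType");
    }
}

$data = ['message' => 'This is a message', 'name' => 'lornajane'];

$form = encodeBody($data, CT_FORM);
echo $form['body'], "\n";                        // message=This+is+a+message&name=lornajane
echo $form['headers']['Content-Length'], "\n";   // 40

$json = encodeBody($data, CT_JSON);
echo $json['body'], "\n";                        // {"message":"This is a message","name":"lornajane"}

// Round-trip both, including a Content-Type that carries a charset parameter.
var_dump(decodeBody('application/json; charset=utf-8', $json['body']) === $data);   // bool(true)
var_dump(decodeBody(CT_FORM, $form['body']) === $data);                             // bool(true)
```

Note that http_build_query() writes spaces as "+" where the slide shows them literally, so the 40-byte length still matches. Without JSON_THROW_ON_ERROR, json_decode() returns null on bad input and the next line happily treats that as "no data", which is the classic way a malformed request slips past validation.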

Slide 15

Exercise 2: Set up and use your HTTP client

Slide 16

Making Requests with PHP

Slide 17

Making Requests with PHP
PHP can also be an HTTP client. To make HTTP requests:
• use PHP streams
• use Guzzle http://docs.guzzlephp.org/en/stable/
• your favourite framework may also have specific features

Slide 18

HTTP With Streams
Make an HTTP request with PHP, no dependencies.

<?php
// Target URL and the form fields to send
$url  = "https://httpbin.org/post";
$data = ["name" => "lornajane", "message" => "Hi there"];

// The http stream wrapper sends "content" as
// application/x-www-form-urlencoded unless a Content-Type header is given
$context = stream_context_create([
    "http" => [
        "method"  => "POST",
        "content" => http_build_query($data),
    ],
]);

// Response body, or false (plus a warning) if the request fails
$response = file_get_contents($url, false, $context);

Slide 19

HTTP With Guzzle
Use guzzlehttp/guzzle from Composer

<?php
// Composer's autoloader makes the GuzzleHttp classes available
require "vendor/autoload.php";

$url  = "https://httpbin.org/post";
$data = ["name" => "lornajane", "message" => "Hi there"];

$client = new \GuzzleHttp\Client();
// form_params sends the data as application/x-www-form-urlencoded
$response = $client->request("POST", $url, [
    "form_params" => $data,
]);

Slide 20

HTTPBin
https://httpbin.org is a site where you can make requests and get information about the responses.
• /post used above shows me the incoming post data and how it was parsed, other verbs also available
• /response/* offers a selection of canned responses, such as json data, robots.txt file
• /status/* returns the specified status code - great for testing error cases
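The streams example on the earlier slide returns only the body, and a 4xx or 5xx response makes file_get_contents() return false with a warning, which is exactly what you do not want when you are using httpbin's /status/* endpoints to exercise error handling. The following is an added example, not code from the talk, showing how to get the status code and headers back as well: the helper name is my own, and it relies on two documented PHP behaviours, the ignore_errors context option and the $http_response_header variable that the http wrapper fills in the calling scope.

```php
<?php
// Added example: PHP streams request that reports status + headers (helper name is my own).
declare(strict_types=1);

function fetchWithStatus(string $url, string $method = 'GET'): array
{
    $context = stream_context_create([
        'http' => [
            'method'        => $method,
            'ignore_errors' => true,   // hand back 4xx/5xx bodies instead of false + warning
            'timeout'       => 10,     // never hang forever on a slow or silent server
        ],
    ]);

    $body = file_get_contents($url, false, $context);
    if ($body === false) {
        // Transport-level failure (DNS, connection refused, TLS error), not an HTTP status.
        throw new RuntimeException("Request to $url failed");
    }

    // $http_response_header is populated in this scope by the http wrapper. When
    // redirects were followed it holds every response's headers in sequence, so a
    // new status line resets the collected headers and only the final one survives.
    $status  = 0;
    $headers = [];
    foreach ($http_response_header as $line) {
        if (preg_match('#^HTTP/\S+ (\d{3})#', $line, $m)) {
            $status  = (int) $m[1];
            $headers = [];
        } elseif (strpos($line, ':') !== false) {
            [$name, $value] = explode(':', $line, 2);
            $headers[strtolower(trim($name))] = trim($value);
        }
    }
    if ($status === 0) {
        throw new RuntimeException('No status line in response');
    }

    return ['status' => $status, 'headers' => $headers, 'body' => $body];
}

// Canned error case: a 503 is what your retry/back-off logic should be tested against.
$response = fetchWithStatus('https://httpbin.org/status/503');
echo $response['status'], "\n";   // 503

// Canned JSON response (httpbin serves one at /json): check the status and the
// media type first, then decode with the JSON tools rather than string matching.
$response = fetchWithStatus('https://httpbin.org/json');
$type = $response['headers']['content-type'] ?? '';
if ($response['status'] === 200 && strpos($type, 'application/json') === 0) {
    $data = json_decode($response['body'], true, 512, JSON_THROW_ON_ERROR);
    print_r(array_keys($data));
}
```

The status check before decoding matters: httpbin's /status/* responses have an empty body, and decoding an empty string as JSON is an error, so a client that decodes first and checks the status afterwards reports the wrong failure.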

Slide 21

RequestBin
Open source project you can run locally (Docker) or deploy (Heroku) to receive and diagnose any HTTP request.
https://github.com/runscope/requestbin (but try my lornajane fork for some fixes)
Useful for testing outgoing API requests, webhooks, anything really!

Slide 22

Exercise 3: PHP as an HTTP Client

Slide 23

Ngrok for Local Testing
https://ngrok.com/ - secure tunnel to your dev platform
Use this tool to:
• access your local platform from anywhere
• inspect the request and response
• replay requests and see the responses

Slide 24

Ngrok for Testing Webhooks
Start the tunnel on your laptop: receive a public URL

Slide 25

Exercise 4: Try Ngrok!

Slide 26

Local Proxy Tools

Slide 27

Local Proxy Tools
Pass your traffic through a proxy to inspect (or change) it. Some good examples:
• Charles Proxy (paid product, free trial available) https://www.charlesproxy.com/
• Mitmproxy (open source) https://mitmproxy.org/
• Wireshark is not a proxy but is also useful https://www.wireshark.org/

Slide 28

Transport Layer Security
How secure HTTP traffic works:
1. Client meets server; they agree on a shared secret and on the protocol version and cipher suite to use.
2. The server can be identified because it presents its certificate (and so its public key) to the client.
3. All traffic is encrypted and carries integrity checks, so tampering is detected.
This makes TLS traffic difficult to inspect!

Slide 29

Man in the Middle Attack
When a client mistakenly thinks it is talking to a server, but it is actually an impostor!

Slide 30

Performing MitM
Your devices will not complete a TLS handshake with a host whose certificate is not signed by a Certificate Authority they trust. To debug TLS traffic:
• The proxy tools each have their own CA cert
• Install the cert into your browser/device
• Ignore security warnings
• Magic! You can inspect/alter even TLS traffic
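For a PHP client the "install the cert" step can be scoped to a single stream context instead of the whole machine, which keeps the debugging setup out of production. This added example (my own, not from the talk) shows the tempting shortcut of switching verification off beside the version that keeps verification on and trusts only the proxy's CA. It assumes mitmproxy's defaults, a listener on 127.0.0.1:8080 and the CA file written to ~/.mitmproxy/mitmproxy-ca-cert.pem; the APP_DEBUG_PROXY environment variable and the function names are my own.

```php
<?php
// Added example: routing PHP streams through a local debugging proxy (names are my own).
declare(strict_types=1);

// Assumed mitmproxy defaults: listener address and generated CA certificate.
$proxyHost = '127.0.0.1:8080';
$proxyCa   = getenv('HOME') . '/.mitmproxy/mitmproxy-ca-cert.pem';

// The shortcut: this silences the warning by turning verification off entirely,
// so the client would accept any impostor at all, not just your own proxy.
function insecureContext(string $proxy)
{
    return stream_context_create([
        'http' => ['proxy' => 'tcp://' . $proxy, 'request_fulluri' => true],
        'ssl'  => ['verify_peer' => false, 'verify_peer_name' => false],
    ]);
}

// The scoped version: verification stays on, and only the proxy's CA is trusted,
// only inside this context. Nothing else on the system starts trusting that CA.
function debugContext(string $proxy, string $caFile)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("Proxy CA not found at $caFile; is the proxy installed?");
    }
    return stream_context_create([
        'http' => [
            'proxy'           => 'tcp://' . $proxy,
            'request_fulluri' => true,   // plain-http URLs go to a proxy as absolute URIs
        ],
        'ssl' => [
            'verify_peer'      => true,
            'verify_peer_name' => true,
            'cafile'           => $caFile,   // the proxy's CA, and nothing else
        ],
    ]);
}

// Guzzle equivalent: the same two knobs, and never 'verify' => false.
// $client = new \GuzzleHttp\Client(['proxy' => 'http://' . $proxyHost, 'verify' => $proxyCa]);

// Gate the proxy on an environment variable so it cannot leak into production config.
$context = getenv('APP_DEBUG_PROXY') ? debugContext($proxyHost, $proxyCa) : null;
$body = file_get_contents('https://httpbin.org/get', false, $context);
echo $body;
```

Run it with APP_DEBUG_PROXY=1 while the proxy is up and the request appears in the proxy's flow list; without the variable the client talks straight to the server with normal verification. The difference between the two contexts only shows up when something other than your proxy is in the path, which is precisely when it matters.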

Slide 31

Exercise 5: Superpower Debugging

Slide 32

Resources
• Feedback please: https://joind.in - this is a new session format for PHP UK and for me
• Website: https://lornajane.net (slides linked here)
• PHP Web Services has an HTTP chapter
For more resources on a specific tool: just ask/tweet!