# Networks and HTTP
The Senior Mindset: The network is unreliable and has latency. A senior engineer treats every byte sent over the wire as a cost and understands that HTTP is a contract between two parties that must be negotiated efficiently and securely.
## HTTP Headers: The Metadata of the Web
Headers allow the client and the server to pass additional information with an HTTP request or response.
- Request Headers: `Authorization` (JWT/Basic), `Accept` (content negotiation), `User-Agent`.
- Response Headers: `Content-Type`, `Server`, `Set-Cookie`.
- Security Headers: `Strict-Transport-Security` (HSTS), `X-Content-Type-Options: nosniff`, `Content-Security-Policy` (CSP).
## Caching: Reducing Latency
Caching is the most effective way to improve performance by avoiding redundant network trips.
- `Cache-Control`: The primary header. `max-age` defines the TTL (Time To Live). `no-store` prevents any caching, while `no-cache` forces revalidation.
- `ETag` / `If-None-Match`: A "fingerprint" of the resource. The client sends the ETag back; if the content hasn't changed, the server returns a `304 Not Modified`, saving bandwidth.
- `Vary`: Tells the cache which request headers to consider (e.g., `Vary: Accept-Encoding` ensures Gzip vs. Brotli versions are cached separately).
## Cookies and State
Since HTTP is stateless, cookies are used to maintain state (sessions).
- Attributes:
  - `HttpOnly`: Prevents JavaScript from accessing the cookie (mitigates XSS).
  - `Secure`: Only sends the cookie over HTTPS.
  - `SameSite` (`Strict`/`Lax`/`None`): Controls whether cookies are sent with cross-site requests (mitigates CSRF).
## CORS (Cross-Origin Resource Sharing)
A browser security mechanism that restricts web pages from making requests to a different domain (origin) than the one that served the web page.
- Preflight Request: For "unsafe" methods (POST with JSON, PUT, DELETE), the browser sends an `OPTIONS` request first to check permissions.
- Common Headache: `Access-Control-Allow-Origin`. A senior knows never to use `*` in production for authenticated APIs; always whitelist specific domains.
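The header, cookie and CORS rules above can be checked mechanically. The following is an added example (not code from the original page) that audits one raw HTTP response for missing security headers, cookie attributes, and a wildcard `Access-Control-Allow-Origin` on an authenticated response; the two sample responses and the hostname `app.example.com` are constructed for illustration.

```python
# Constructed sample responses: one with gaps this audit flags, one with every control applied.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; Path=/; HttpOnly
Access-Control-Allow-Origin: *
"""
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: true
"""
# Lowercased header name -> finding reported when the header is absent.
REQUIRED = {
    "strict-transport-security": "missing Strict-Transport-Security (HSTS)",
    "x-content-type-options": "missing X-Content-Type-Options: nosniff",
    "content-security-policy": "missing Content-Security-Policy",
}

def parse_headers(raw):
    """(name, value) pairs, names lowercased; repeated Set-Cookie lines stay separate."""
    pairs = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # the status line and blank lines have no ':'
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw):
    """Return a list of findings for one response; empty means every check passed."""
    headers = parse_headers(raw)
    present = dict(headers)  # last value wins; fine for the single-valued headers checked
    findings = [msg for name, msg in REQUIRED.items() if name not in present]
    for name, value in headers:  # cookie attributes: HttpOnly (XSS), Secure, SameSite (CSRF)
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
            for attr in ("httponly", "secure", "samesite"):
                if attr not in attrs:
                    findings.append(f"cookie {cookie!r} lacks {attr}")
    # The "never use * for authenticated APIs" case from the CORS section:
    # a wildcard origin on a response that sets a cookie or allows credentials.
    creds = present.get("access-control-allow-credentials", "").lower() == "true"
    if present.get("access-control-allow-origin") == "*" and ("set-cookie" in present or creds):
        findings.append("Access-Control-Allow-Origin: * on an authenticated response")
    return findings
```

Run it over captured responses from a staging environment as a pre-release check; each finding maps directly to one of the bullet points above.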
## TLS (Transport Layer Security)
The "S" in HTTPS. It provides Encryption, Authentication, and Integrity.
- The Handshake: The process where the client and server agree on cipher suites and exchange keys.
- TLS 1.3: The modern standard. It reduced the handshake from two round-trips to one, significantly improving connection speed.
- Certificates: Issued by Certificate Authorities (CAs). A senior understands the importance of Certificate Transparency and automated renewal (e.g., Let's Encrypt).
## Protocols: TCP vs. UDP (The Senior Perspective)

| Protocol | Characteristics | Use Case |
|---|---|---|
| TCP | Connection-oriented, guaranteed delivery, ordered. | HTTP/1.1, HTTP/2, email, databases. |
| UDP | Connectionless, fast, no guarantee of delivery. | Streaming, gaming, DNS, Voice over IP. |
## The Evolution of HTTP
- HTTP/1.1: Keep-alive connections, but suffers from "head-of-line blocking."
- HTTP/2: Multiplexing (many requests over one TCP connection) and header compression (HPACK).
- HTTP/3: Built on QUIC (over UDP). Eliminates TCP's head-of-line blocking and makes connections faster in unstable networks (like mobile).

Seniority Note: Don't just look at the payload size. Look at the Time to First Byte (TTFB). Often, slow APIs are caused by poor DNS resolution, slow TLS handshakes, or unoptimized database queries before the first byte is even sent.
## Related Links
- [[Security-OWASP]]
- [[Backend-API-Design]]
- [[Cloud-CDN-Edge-Computing]]