Part 3 - Websockets, REST, Auth, and Security Flashcards
3rd Quarter of the course - Design Principles, Security, and Auth
How is TCP stream based communication?
Data is sent and received as a continuous stream of bytes.
This is useful for scenarios where data integrity, reliability, and ordering matter - e.g. file transfer, web page loading, emails, etc.
How is UDP message based communication?
UDP sends discrete, independent messages rather than a continuous stream. Each message is treated as a separate unit.
What are WebSockets?
Start as regular HTTP connections, but “upgrade” to a WebSocket connection.
Allows WebSockets to use HTTP infrastructure while enabling full-duplex communication.
Which ports do WebSockets operate on? Why is this beneficial?
The same ports as HTTP: 80 (HTTP) and 443 (HTTPS).
Avoids additional port management, works within existing firewalls and network configurations designed for HTTP.
How do WebSockets start?
They use HTTP to establish the connection initially; once the handshake is complete, the connection switches to WebSocket mode.
What are HTTP proxies? How do they relate to WebSockets?
Intermediaries that handle HTTP requests and responses.
Since WebSockets begin as HTTP, they try to work with HTTP proxies.
What is Full-Duplex message based communication?
Why is it beneficial?
Full-duplex communication allows both the client and the server to send and receive messages simultaneously.
Real-time, two-way communication, rather than request/response based.
What are the overall benefits of WebSockets?
Full-Duplex communication
Both sides can send data at the same time
Connection stays open
- WebSockets maintain a single open connection, reducing the overhead of repeatedly opening and closing connections
No need for Polling
No HTTP headers for each message
Reuse existing technologies
What is Polling?
Polling is a technique where the client repeatedly sends HTTP requests to check if new data is available.
WebSockets do not use dedicated ports, so how do they specify which WebSocket service to connect to?
WebSockets begin with a GET request to the server to specify which WebSocket service to connect to.
Then the Connection header is set to Upgrade. This tells the server that the client wants to upgrade the HTTP connection to a WebSocket connection.
Replaces default ‘keep-alive’ behaviour of HTTP.
The Upgrade header specifies the protocol to upgrade to
Upgrade: websocket
If the server supports WebSockets, it responds with 101 Switching Protocols to confirm the upgrade.
Optionally, they can set
Sec-WebSocket-Protocol: wamp
which allows clients to specify a sub-protocol they want to use on top of WebSockets.
TLDR: With a GET request, specifying the Connection: Upgrade and Upgrade: websocket headers.
What is the Sec-WebSocket-Key and Accept process?
A “test” to verify that the server understands the WebSocket protocol and has properly upgraded the connection.
Brown M&M test
What is the process of the Sec-WebSocket-Key and Accept process?
Client generates a random key (Sec-WebSocket-Key).
Server:
Appends the fixed GUID string defined by the WebSocket protocol.
Hashes the result with SHA-1.
Base64-encodes it.
Sends it back as Sec-WebSocket-Accept.
Client verifies the returned key to confirm the server is ready for WebSocket communication.
This process ensures proper protocol support and guards against misuse.
What is the purpose of the Sec-WebSocket-Key header?
It is a random key sent by the client to verify the server’s WebSocket capability during the handshake.
What are WebSocket frames?
In the WebSocket protocol, data is transmitted in “frames”, which are small units of information. The frames are categorized into control frames and data frames.
What are control frames?
Control frames are used for managing the connection and are not part of the main data stream. These are sent “out of band” alongside regular data frames.
What are the types of control frames?
Close Connection (0x8)
- Sent by either the client or server to gracefully close the WebSocket connection.
- After this, no further messages are exchanged, and the connection terminates.
Ping (0x9) and Pong (0xA)
- Ping: A heartbeat message sent by one party (e.g., the server) to check if the other party is still responsive.
- Pong: The response to a ping, ensuring the connection is alive.
- This mechanism prevents idle connections from being closed unexpectedly.
What are data frames?
Data frames contain the actual application-level data exchanged between the client and server.
Data frames carry payload data that fulfills the main purpose of the WebSocket connection.
How do the control and data frames work together?
Control frames work on keeping the connection afloat (closing, pings, and pongs), and data frames send the data (payload) while the connection stays afloat.
How are messages sent in WebSockets?
Messages are sent in data frames.
What types of data can WebSocket messages contain?
WebSocket messages can contain text (UTF-8) or binary data.
Why is knowing the message size ahead of time in WebSockets important?
It allows for efficient buffering and memory allocation.
How does WebSocket handle large messages?
Large messages can be fragmented into multiple data frames and reassembled at the receiving end.
What does the FIN bit in the WebSocket header indicate?
Whether the frame is the final fragment of a message (1 = final, 0 = more frames follow).
What are the possible values of the WebSocket opcode?
Examples include 0x0 (Continuation), 0x1 (Text), 0x2 (Binary), 0x8 (Close), 0x9 (Ping), 0xA (Pong).
How do WebSocket URIs work?
You can use ws://yourserver.com:9090/websockethandler/
wss:// is WebSocket Secure
Inherits TLS from the HTTPS connection used initially
Same format as HTTP URI
GET only
How are errors handled in Websockets?
Bad UTF-8 Encoding → Close Connection
No real prescription other than to close the connection
Closing is done by the Close control frame, followed by the TLS and TCP close.
What does REST stand for?
REpresentational
- Describe, name, show
State
- The current values of variables, properties, fields
- Accumulation of the results of past changes
Transfer
- Sent from computer to computer, or from service to service
- Communication
What is REST?
Architectural style
Think design patterns for a software system architecture
Introduced by Fielding’s dissertation
Now so common, it’s usually just implied and not discussed explicitly
What model does the REST architecture follow?
Client/Server model
Is the REST Architecture Stateless? Why?
Yes, it improves scalability because the server does not need to manage or remember client sessions.
Makes REST APIs simpler and more reliable.
Failure recovery is easier since requests are independent.
Is the REST Architecture Cacheable? Why?
Yes, REST APIs allow responses to be cached by the client or by intermediaries.
Reduces the load on the server.
Improves client performance by avoiding redundant requests for the same resource.
What are the REST basics?
Use URIs (URLs) to “name” objects
- Java/JS/Python/database objects!
Use HTTP methods as verbs to manipulate them
- GET - get the state of an object
- PUT - set the (entire) state of an object
- PUT - create an object
- DELETE - delete an object
- POST - manipulate an object some other way