Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Nordic Ruby 2012: We don't know HTTP
Search
Konstantin Haase
June 15, 2012
Technology
5
810
Nordic Ruby 2012: We don't know HTTP
Slides for the talk I gave at Nordic Ruby 2012
Konstantin Haase
June 15, 2012
Tweet
Share
More Decks by Konstantin Haase
See All by Konstantin Haase
RubyConf Philippines 2017: Magenta is a Lie
rkh
0
200
How We Replaced Salary Negotiations with a Sinatra App
rkh
17
4.2k
HTTP (RubyMonsters Edition)
rkh
5
1.1k
GCRC 2015: Abstract Thoughts on Abstract Things
rkh
1
360
Frozen Rails: Magenta - The Art Of Abstraction
rkh
3
310
RedDotRubyConf 2014: Magenta is a Lie - and other tales of abstraction
rkh
0
940
Ancient City Ruby: Hack me, if you can!
rkh
2
430
Boston I/O: Continuous Integration
rkh
3
310
Steel City Ruby: Architecting Chaos
rkh
4
930
Other Decks in Technology
See All in Technology
「タコピーの原罪」から学ぶ間違った”支援” / the bad support of Takopii
piyonakajima
0
150
20251029_Cursor Meetup Tokyo #02_MK_「あなたのAI、私のシェル」 - プロンプトインジェクションによるエージェントのハイジャック
mk0721
PRO
5
1.8k
CLIPでマルチモーダル画像検索 →とても良い
wm3
0
440
Open Table Format (OTF) が必要になった背景とその機能 (2025.10.28)
simosako
2
390
Dify on AWS 環境構築手順
yosse95ai
0
150
NLPコロキウム20251022_超効率化への挑戦: LLM 1bit量子化のロードマップ
yumaichikawa
3
550
もう外には出ない。より快適なフルリモート環境を目指して
mottyzzz
13
11k
re:Inventに行くまでにやっておきたいこと
nagisa53
0
660
Zero Trust DNS でより安全なインターネット アクセス
murachiakira
0
110
ラスベガスの歩き方 2025年版(re:Invent 事前勉強会)
junjikoide
0
490
AI機能プロジェクト炎上の 3つのしくじりと学び
nakawai
0
130
CREが作る自己解決サイクルSlackワークフローに組み込んだAIによる社内ヘルプデスク改革 #cre_meetup
bengo4com
0
360
Featured
See All Featured
Fireside Chat
paigeccino
41
3.7k
Context Engineering - Making Every Token Count
addyosmani
8
310
How Fast Is Fast Enough? [PerfNow 2025]
tammyeverts
2
97
4 Signs Your Business is Dying
shpigford
185
22k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
The Cult of Friendly URLs
andyhume
79
6.6k
Gamification - CAS2011
davidbonilla
81
5.5k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
230
22k
Building Flexible Design Systems
yeseniaperezcruz
329
39k
Product Roadmaps are Hard
iamctodd
PRO
55
11k
Build The Right Thing And Hit Your Dates
maggiecrowley
38
2.9k
Transcript
we don’t know HTTP Konstantin Haase
@konstantinhaase (I’m sorry about that) rkh on github
Sinatra Rack, Tilt, Rubinius, ...
None
None
RFC 2616
Performance
Scalability
Security
Interoperability
HTTP has been made for this
We just don’t know.
Database Application Server
Database Application Server Application Application
Database Application Server Application Application Database Database
Database Application Server Application Application Database Database Cache
Database Application Server Application Application Database Database Cache Cache
Database Application Server Application Application Database Database Cache Cache Cache
Database Application Server Application Application Database Database Cache Cache Cache
Cache Cache Cache
Database Application Server Application Application Database Database !!! Cache !!!
!!! Cache !!! !!! Cache !!! !!! Cache !!! !!! Cache !!! !!! Cache !!!
How to scale further?
Requests Resources Representation
GET / HTTP/1.1 Accept: text/html
Optimizing Requests
Persistent Connections
Pipelining
SPDY
HTTP 2.0
Optimizing Resources
aka RFC 2616 - The Good Parts
GET, HEAD, OPTIONS, TRACE PUT, DELETE POST, PATCH
1 GET / Repeatable! :) No state change! :) Deterministic!
:)
1 2 PUT / 2 PUT / 2 Repeatable! :)
State change! :( Deterministic! :)
1 DELETE / DELETE / Repeatable! :) State change! :(
Deterministic! :)
1 2 PATCH / +1 3 PATCH / +1 Not
repeatable! :( State change! :( Deterministic! :)
Not repeatable! :( State change! :( Non-deterministic! :( 1 ?
POST / ...
Safe: Idempotent: PATCH: POST: :) :) :) :) :( :)
:( :( :) :( :( :(
worst case PATCH = Lock on document + PUT
worst case POST = Lock on system + PUT
Resources Renderer Business Logic Business Data optional
Before Request + Business Logic + DB Access + Rendering
After Request + DB Access + Rendering
Performance
Resources Renderer Business Logic Business Data Renderer
Resources Renderer Business Logic Business Data Renderer Business Logic
Resources Renderer Business Logic Business Data Renderer Business Logic Resources
Resources Renderer Business Logic Business Data Renderer Business Logic Resources
Business Data
Server Box A Box B GET GET
Server Box A Box B PUT PUT PUT
Server Box A Box B PATCH PATCH PUT + Lock
Server POST ? :(
Browser support? :( <a href=”/” method=”delete”> <form method=”patch”>
Locking? HTTP?
Locking :(
Optimistic Locking :)
PATCH / If-Match: “XYZ”
PUT / If-Non-Match: *
DELETE / If-Match: *
PATCH / If-Unmodified- Since: ...
Browser support? :( <form if-match=”...”> <form if-unmodified-since=”...”>
Scalability
Example Attack JSON CSRF
// https://foo/secrets.json [“chunky”, “bacon”]
<script ! src=”https://foo/secrets.json” ! type=”text/javascript” />
Browser support? :( <script ! src=”https://foo/secrets.json” ! type=”text/javascript” /> GET
/secrets.json Accept: */*
var captured = []; var oldArray = Array; function Array()
{ var obj = this, id = 0, capture = function(value) { obj.__defineSetter__(id++, capture); if (value) captured.push(value); }; capture(); }
Old Architecture Rerun Request Without Session Side-effects? Server load? :(
New Architecture Don’t Authenticate with Session Yay!
Security
Also, Hypermedia! ;)
Interoperability
hej och tack för kaffet jag är glad att vara
här sätt på en kanna till för jag stannar ett tag hej och tack för kaffet jag är glad att vara här sätt på en kanna till för jag stannar ett tag