今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

标签:#http

找到 8 篇相关文章

开发者

Cloudflare Identifies Race Condition in hyper’s HTTP/1 Implementation

Cloudflare recently documented how its development team identified and fixed a rare bug in the widely used Rust HTTP library hyper that could silently truncate large HTTP responses while still returning a successful 200 OK status. The issue had existed for years, was triggered only under specific timing conditions, and has now been fixed upstream. By Renato Losio

2026-07-12 原文 →
开发者

The New HTTP QUERY Method

If you've ever built a search endpoint, you've hit this wall. Your query has filters, sort orders, a nested set of facets, maybe a geo bounding box. It doesn't fit in a URL, and cramming it into query string params is ugly and fragile. So you reach for POST /search , send the whole thing as a JSON body, and quietly accept that you've just lied about what the request does. It's not creating anything. It's a read. But POST is the only tool that lets you attach a body without fighting the platform. That gap finally got filled. In June 2026 the IETF published RFC 10008 , which defines the HTTP QUERY method: a new verb built for exactly this case. The two bad options Every read that needs structured input has been stuck choosing between GET and POST, and both are wrong in their own way. GET is the semantically correct choice. It's safe (the client isn't asking to change anything), it's idempotent (retrying it is fine), and it's cacheable. The problem is the body. RFC 9110 is explicit that content in a GET request has no defined semantics , and sending one may cause some implementations to reject the request. So your query has to live in the URI, where you run into unknown length limits across proxies and servers, encoding overhead, and the query landing in access logs and browser history. POST solves the body problem and creates a new one. It carries any payload you want, but it's neither safe nor idempotent by definition. Intermediaries won't cache it, clients won't retry it automatically after a dropped connection, and anything inspecting traffic has to assume the request might have side effects. You get the body, you lose everything that made the request honest. QUERY is the missing third option: a method that carries a body and keeps the semantics of a read. What QUERY actually is The spec, authored by Julian Reschke, James Snell , and Mike Bishop, describes it in one sentence: A QUERY requests that the request target process the enclosed content in a safe and idempo

2026-07-08 原文 →
AI 资讯

HTTP Server — Request Lifecycle

Request lifecycle: một HTTP request đi qua đâu, và vì sao "quên gọi next()" làm request treo cho tới khi socket timeout Một request tới một Express hay Fastify server không phải là "gọi handler rồi trả về response". Nó là một chuỗi các bước theo thứ tự cố định: parse HTTP, chạy qua middleware/hook, match route, gọi handler, serialize, gửi response, đóng. Nếu bất kỳ bước nào không chuyển tiếp — Express không gọi next() , Fastify hook không reply.send() hay không return — request treo cho tới khi client hoặc server timeout đóng socket. Đây là loại lỗi không ném exception, không xuất hiện trong error log, chỉ hiện ra qua p99 latency phình lên và số socket ở trạng thái ESTABLISHED tăng dần. Hiểu chính xác lifecycle này là điều kiện tiên quyết để debug những request "biến mất" và để đặt middleware đúng thứ tự. Cơ chế hoạt động Bước dưới cùng giống nhau ở cả hai framework: Node core http.Server nhận TCP connection, parse HTTP request line + headers, phát event request với hai object IncomingMessage (req) và ServerResponse (res). Điểm khác nhau là những gì framework làm giữa lúc nhận request và lúc response ra khỏi socket. Express dựng một chuỗi middleware qua Router . Mỗi lần app.use(fn) hay app.get(path, fn) được gọi, Express bọc fn vào một Layer với path regex (thông qua path-to-regexp ) rồi push vào một stack. Khi request đến, Router.handle duyệt stack tuần tự: với mỗi layer, nếu path match, gọi fn(req, res, next) . next() là closure trỏ vào layer kế tiếp; chỉ khi nó được gọi thì layer sau mới chạy. Error handler được nhận diện bằng arity — hàm 4 tham số (err, req, res, next) — và chỉ được duyệt tới khi next(err) được gọi: import express from ' express ' const app = express () app . use ( express . json ({ limit : ' 1mb ' })) // 1. parse body app . use (( req , _res , next ) => { // 2. request id req . id = crypto . randomUUID () next () }) app . use (( req , _res , next ) => { // 3. auth const token = req . headers . authorization if ( ! token ) return next ( new Erro

2026-07-08 原文 →
AI 资讯

How to Fix Mixed Content & "Not Secure" SSL Errors in WordPress

Originally published on wp-nota.com . You installed an SSL certificate and moved your WordPress site to HTTPS — but the browser still shows "Not Secure" in the address bar, or a padlock with a warning. This is the classic mixed content problem: your pages load over secure HTTPS, but some resources on them — images, scripts, or stylesheets — are still being requested over insecure HTTP. Browsers flag the whole page as not fully secure until every resource is served over HTTPS. Here's how to fix it for good. What "Mixed Content" Actually Means When a single page mixes secure (HTTPS) and insecure (HTTP) resources, that's mixed content. The page itself may be secure, but if it pulls in an image or script over http:// , the browser can't guarantee the whole page is safe — so it drops the padlock or shows a warning. The cause is almost always old http:// URLs still saved in your database or hardcoded in your theme. Step 1: Confirm the Certificate and Site URLs First, make sure the foundation is right. Your host must have a valid SSL certificate installed (most offer free Let's Encrypt certificates). Then, in WordPress, go to Settings → General and confirm both WordPress Address (URL) and Site Address (URL) start with https:// . If they still say http:// , update them, save, and log back in. Step 2: Find What's Loading Over HTTP To see exactly which resources are insecure, open the problem page in your browser, right-click and choose Inspect , and look at the Console tab. Mixed content warnings list each http:// resource by URL — often images in old posts, a hardcoded logo, or an asset from a plugin or theme. This tells you precisely what needs fixing. Step 3: Update Old HTTP URLs in the Database The most common fix is a database search-and-replace that swaps every http://yourdomain.com for https://yourdomain.com . Two safe ways to do it: The easy way — the free Really Simple SSL plugin detects insecure URLs and rewrites them to HTTPS automatically, which resolves most mix

2026-07-02 原文 →
AI 资讯

The 2026-07-28 MCP Spec: A Server Readiness Checklist

The next Model Context Protocol specification, 2026-07-28 , is the largest revision since the protocol launched. The release candidate locked on May 21, 2026, and the final spec publishes on July 28. It contains breaking changes to transport, authorization, and how tool schemas are handled. A server that is correct against 2025-11-25 today is not broken. Nothing here is a present-tense vulnerability. But several of these changes are security properties, not just compatibility ones — request routing integrity, cross-user cache scope, and schema-driven fetch behavior all move under this revision. This checklist walks the changes a server operator needs to handle before July 28, and calls out the security implication wherever there is one. Everything below describes the release candidate. Treat specifics as subject to change until the July 28 final, and validate against the official spec before shipping. Transport: the stateless core This is the headline change. MCP becomes stateless at the protocol layer, and most of the migration work lives here. The handshake and session are gone The initialize / initialized handshake is removed (SEP-2575). Protocol version, client info, and client capabilities no longer get exchanged once at connection time — they travel in _meta on every request. The same SEP adds server/discover as the new discovery anchor: servers must implement it, and clients fetch server capabilities from it when they need them up front. Once the handshake is gone, a server that can't answer server/discover can't be negotiated with. The Mcp-Session-Id header and the protocol-level session it carried are also removed (SEP-2567). Any request can now land on any server instance. The sticky routing and shared session stores that horizontal deployments relied on are no longer required at the protocol layer. If a server needs state across calls, mint an explicit handle from a tool — a basket_id , a browser_id — and have the model pass it back as an ordinary argumen

2026-06-19 原文 →
AI 资讯

3- AWS Serverless: REST API vs. HTTP API

There is common point of confusion. what's the different between REST API vs. HTTP API in AWS and what's the different between them and a traditional Rest API you write with e.g express in node in the broader software world, a "REST API" is just an architectural pattern built on top of HTTP requests. The confusion comes entirely from AWS-specific marketing terminology . When you are inside the AWS ecosystem, Amazon API Gateway is a specific managed service, and AWS chose to split that service into two different flavors (or software products): one called "REST API" and one called "HTTP API." Here is exactly how they work under the hood, how they differ internally, and how it compares to traditional servers. 1. How It Works: REST API vs. HTTP API (AWS Architecture) Think of Amazon API Gateway as a reverse proxy or a "front door" that sits in front of your Lambda functions. AWS REST API (The Heavyweight) When a request hits an AWS REST API, AWS passes that request through a massive feature pipeline before it ever touches your Lambda code. [Client Request] ──> [Authentication (Cognito/IAM)] ──> [Request Validation] ──> [Data Transformation (VTL)] ──> [Your Lambda] What happens: AWS decrypts the request, validates the JSON schema, checks API keys, runs any custom request transformations using a complex mapping language called VTL, and then invokes your Lambda function. Why it costs more: You are paying AWS for all that computing power happening inside the API Gateway layer itself. AWS HTTP API (The Express Lane) When a request hits an AWS HTTP API, AWS strips out almost the entire middle pipeline. [Client Request] ──> [JWT/OAuth2 Authorization Only] ──> [Your Lambda] What happens: The HTTP API acts as a lightning-fast router. It optionally checks a standard JWT token, converts the incoming HTTP request directly into a clean JSON object, and throws it straight into your Lambda function. Why it costs less: Because AWS is doing almost zero processing or data manipulation. Y

2026-06-15 原文 →
AI 资讯

Your Security Scanner Found 7 Missing Headers. Don't Fix Them Blindly.

Your security scanner just came back with 6 flagged items. All missing HTTP headers. You did what any reasonable developer does: Googled each one, copy-pasted the recommended config, and shipped a fix in 20 minutes. Job done. Security score green. PR merged. You also probably shipped at least two of them wrong. Here is the thing nobody tells you about HTTP security headers: knowing what to add is the easy part. Understanding why it matters, when it actually doesn't, and how a misconfigured one breaks your app in production — that's where most developers fall short. This isn't another "add these 7 headers to secure your app" post. This is the one that explains what's actually happening. First, The Contrarian Take Missing a security header is not automatically a vulnerability. If you do bug bounties, this will save you a rejection. If you're a dev, it'll save you from cargo-culting configs that don't apply to your app. Context is king. X-Frame-Options: DENY is a valid security header. YouTube doesn't use it. Because the entire point of YouTube is for people to embed its videos in iframes. Applying that header would break a core product feature. That's not a security oversight — it's a deliberate design decision. A missing Content-Security-Policy header is not a vulnerability in itself. It only becomes relevant if you already have an XSS problem to mitigate. CSP is defense-in-depth. Not a fix for a broken input sanitisation layer. This matters because a lot of developers (and worse, automated scanners) treat these headers like a binary checklist. Present = secure. Missing = vulnerable. Reality is messier than that. Now — with that said — let's talk about what each one actually does. #1. HTTP Strict Transport Security (HSTS) Most developers think HSTS is just "force HTTPS." It's more precise than that. When your app redirects http:// to https:// , that first request is still unencrypted. For a fraction of a second, on a public network, that window exists. An attacker on

2026-06-05 原文 →
AI 资讯

What Is GraphQL?

You've been building REST APIs — one endpoint for users, another for posts, another for comments. The client makes three requests, stitches the data together, and half of it gets thrown away because it wasn't needed in the first place. GraphQL was built to fix exactly that. It gives the client full control over what data it receives. One request. Exactly what you asked for. Nothing more, nothing less. The Problem REST Couldn't Solve Before understanding GraphQL, you need to understand the two problems that drove its creation. Over-fetching The server returns more data than the client needs. GET /users/123 Response: { "id": 123, "name": "Anne", "email": "anne@example.com", "phone": "...", "address": "...", "createdAt": "...", ← you didn't need any of this "updatedAt": "..." ← but the server sent it anyway } The client only needed name and email — but it downloaded the whole object every time. Under-fetching One endpoint doesn't return enough, so the client has to make multiple requests. GET /users/123 → gets the user GET /users/123/posts → gets their posts GET /users/123/followers → gets their followers Three round trips to the server just to render one screen. On a mobile network, that cost is real. GraphQL's answer: Let the client write the query. The server returns exactly what was asked. What Is GraphQL? GraphQL is a query language for your API and a runtime for executing those queries. It was created by Facebook in 2012, open-sourced in 2015, and is now maintained by the GraphQL Foundation . Unlike REST, which exposes multiple URL endpoints, GraphQL exposes a single endpoint — typically POST /graphql . The client sends a query in the request body describing exactly what it wants, and the server responds with only that data. Key characteristics: Single endpoint — everything goes through POST /graphql Client-driven — the client defines the shape of the response Strongly typed — every field has a declared type in the schema Introspective — clients can query the API

2026-06-05 原文 →