# HTTP and HTTPS

## What is HTTP?

HTTP (HyperText Transfer Protocol) is the application-layer protocol used for exchanging data on the World Wide Web.

Characteristics:

- Stateless: every request is independent of the others
- Text-based: human-readable format
- Client-server model: request/response pattern
- Port 80: default port
- Runs over TCP
## HTTP Request Structure

```mermaid
graph TD
    A[HTTP Request] --> B[Request Line]
    A --> C[Headers]
    A --> D[Empty Line]
    A --> E[Body - optional]
    B --> F[Method]
    B --> G[URL/URI]
    B --> H[HTTP Version]
    C --> I[Host]
    C --> J[User-Agent]
    C --> K[Accept]
    C --> L[Content-Type]
    style A fill:#e1f5ff
```

Example request:

```http
GET /api/users/123 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
Accept: application/json
Authorization: Bearer token123
```
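The four parts shown above (request line, headers, empty line, optional body) are exactly what a server has to split a raw request into. The parser below is an added example, not code from the original page: it parses the page's own sample request plus a constructed POST with a JSON body, stores header names lower-cased (they are case-insensitive), and takes the body strictly from `Content-Length`, rejecting a body that arrives without one rather than guessing where it ends. The `HttpRequest`/`MalformedRequest` names and the sample bytes are assumptions made for this illustration.

```python
"""Parse a raw HTTP/1.1 request into request line, headers and body.

Added example, not part of the original page. The request bytes below are
constructed from the page's sample request plus a POST with a JSON body.
"""
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)  # names stored lower-cased
    body: bytes = b""


class MalformedRequest(ValueError):
    """Raised for anything a strict HTTP/1.1 parser should refuse."""


def parse_request(raw: bytes) -> HttpRequest:
    """Split a request at the first empty line and validate each part.

    The body length comes only from Content-Length; a body without one, or
    a non-numeric Content-Length, is rejected instead of guessed, which is
    the ambiguity request-smuggling defenses care about.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedRequest("missing empty line after headers")
    lines = head.split(b"\r\n")
    try:
        parts = lines[0].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise MalformedRequest("request line must be ASCII")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise MalformedRequest(f"bad request line: {lines[0]!r}")
    req = HttpRequest(method=parts[0], target=parts[1], version=parts[2])
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        # No whitespace is allowed between the field name and the colon.
        if not colon or not name or name != name.strip():
            raise MalformedRequest(f"bad header line: {line!r}")
        req.headers[name.lower()] = value.strip()
    if "host" not in req.headers:
        raise MalformedRequest("Host header is mandatory in HTTP/1.1")
    length = req.headers.get("content-length")
    if length is None:
        if rest:
            raise MalformedRequest("body present without Content-Length")
        return req
    if not length.isdigit():
        raise MalformedRequest("Content-Length must be a non-negative integer")
    n = int(length)
    if len(rest) < n:
        raise MalformedRequest("body shorter than Content-Length")
    req.body = rest[:n]
    return req


# Constructed samples: the page's GET request and a POST carrying JSON.
SAMPLE_GET = (
    b"GET /api/users/123 HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: application/json\r\n"
    b"Authorization: Bearer token123\r\n"
    b"\r\n"
)
SAMPLE_POST = (
    b"POST /api/users HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n"
    b'{"name":"Tural"}'
)

if __name__ == "__main__":
    for sample in (SAMPLE_GET, SAMPLE_POST):
        r = parse_request(sample)
        print(r.method, r.target, r.version, sorted(r.headers), r.body)
```

Running the module prints the parsed request line, the header names and the body of both samples; feeding it a request without `Host`, without the empty line, or with trailing bytes but no `Content-Length` raises `MalformedRequest`.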
## HTTP Methods

### GET

Purpose: retrieve a resource

- Idempotent: yes
- Safe: yes (makes no changes)
- Cacheable: yes
- Body: no

```http
GET /api/users HTTP/1.1
Host: api.example.com
```

### POST

Purpose: create a new resource

- Idempotent: no
- Safe: no
- Cacheable: conditionally
- Body: yes

```http
POST /api/users HTTP/1.1
Host: api.example.com
Content-Type: application/json

{
  "name": "Tural",
  "email": "tural@example.com"
}
```

### PUT

Purpose: replace a resource completely

- Idempotent: yes
- Safe: no
- Cacheable: no
- Body: yes

```http
PUT /api/users/123 HTTP/1.1
Host: api.example.com
Content-Type: application/json

{
  "id": 123,
  "name": "Tural Updated",
  "email": "tural.new@example.com"
}
```

### PATCH

Purpose: modify a resource partially

- Idempotent: no (depends on the operation applied)
- Safe: no
- Cacheable: no
- Body: yes

```http
PATCH /api/users/123 HTTP/1.1
Host: api.example.com
Content-Type: application/json

{
  "email": "tural.new@example.com"
}
```

### DELETE

Purpose: delete a resource

- Idempotent: yes
- Safe: no
- Cacheable: no
- Body: no (optional)

```http
DELETE /api/users/123 HTTP/1.1
Host: api.example.com
```

### HEAD

Purpose: like GET, but returns only the headers

- Used to fetch metadata
- Used to check whether a resource exists

### OPTIONS

Purpose: discover which methods the server supports

- CORS preflight requests
- API discovery

```http
OPTIONS /api/users HTTP/1.1
Host: api.example.com
```
### HTTP Methods Flow

```mermaid
sequenceDiagram
    participant Client
    participant Server
    participant Database
    Client->>Server: GET /api/users
    Server->>Database: SELECT * FROM users
    Database->>Server: Users data
    Server->>Client: 200 OK + Users list
    Client->>Server: POST /api/users
    Server->>Database: INSERT user
    Database->>Server: Success
    Server->>Client: 201 Created + New user
    Client->>Server: PUT /api/users/1
    Server->>Database: UPDATE user WHERE id=1
    Database->>Server: Success
    Server->>Client: 200 OK + Updated user
    Client->>Server: DELETE /api/users/1
    Server->>Database: DELETE FROM users WHERE id=1
    Database->>Server: Success
    Server->>Client: 204 No Content
```
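The method table and the flow above are easiest to check against a tiny in-memory implementation. The class below is an added example, not code from the original page: it dispatches GET/POST/PUT/PATCH/DELETE for a `users` collection and returns the status codes from the diagram, so the idempotency claims can be exercised directly (two identical POSTs create two records, two identical PUTs or DELETEs leave the same state). The `UsersResource` class, its `(status, body)` return shape and the `405`/`400` handling for unknown methods and non-numeric ids are assumptions made for this illustration.

```python
"""In-memory users resource showing HTTP method semantics and status codes.

Added example, not part of the original page; the store, the dispatch
function and its (status, body) return shape are assumptions.
"""
from typing import Optional


class UsersResource:
    def __init__(self):
        self._users = {}
        self._next_id = 1

    def handle(self, method: str, path: str, body: Optional[dict] = None):
        """Dispatch one request to /api/users[/id]; returns (status, body)."""
        parts = path.strip("/").split("/")
        if parts[:2] != ["api", "users"] or len(parts) > 3:
            return 404, None
        user_id = None
        if len(parts) == 3:
            if not parts[2].isdigit():
                return 400, {"error": "id must be numeric"}   # client error
            user_id = int(parts[2])
        handler = getattr(self, f"_{method.lower()}", None)
        if handler is None:
            return 405, {"error": f"{method} not allowed"}
        return handler(user_id, body)

    def _get(self, user_id, _body):
        if user_id is None:
            return 200, list(self._users.values())
        user = self._users.get(user_id)
        return (200, user) if user else (404, None)

    def _post(self, user_id, body):
        if user_id is not None:
            return 405, {"error": "POST to a single user is not allowed"}
        if not body or "name" not in body:
            return 400, {"error": "name is required"}
        user = {"id": self._next_id, **body}
        self._users[self._next_id] = user
        self._next_id += 1          # every POST creates a new record
        return 201, user

    def _put(self, user_id, body):
        if user_id is None or not body:
            return 400, {"error": "PUT needs an id and a full body"}
        created = user_id not in self._users
        self._users[user_id] = {**body, "id": user_id}   # full replacement
        return (201 if created else 200), self._users[user_id]

    def _patch(self, user_id, body):
        user = self._users.get(user_id)
        if user is None:
            return 404, None
        user.update({k: v for k, v in (body or {}).items() if k != "id"})
        return 200, user

    def _delete(self, user_id, _body):
        if user_id is None:
            return 405, {"error": "DELETE of the whole collection is not allowed"}
        self._users.pop(user_id, None)   # repeating the delete changes nothing
        return 204, None


if __name__ == "__main__":
    api = UsersResource()
    print(api.handle("POST", "/api/users", {"name": "Tural"}))
    print(api.handle("PUT", "/api/users/1", {"name": "Tural Updated"}))
    print(api.handle("DELETE", "/api/users/1"))
```

The repeated DELETE answers `204` even when the record is already gone: the state after the call is what idempotency is about, and a retried delete that failed with `404` would otherwise confuse clients that lost the first response.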
## HTTP Status Codes

```mermaid
graph TD
    A[HTTP Status Codes] --> B[1xx Informational]
    A --> C[2xx Success]
    A --> D[3xx Redirection]
    A --> E[4xx Client Error]
    A --> F[5xx Server Error]
    style C fill:#90EE90
    style E fill:#FFB6C1
    style F fill:#FF6B6B
```

### 1xx - Informational

| Code | Meaning | Description |
|---|---|---|
| 100 | Continue | The server has accepted the first part of the request |
| 101 | Switching Protocols | The protocol is being switched (e.g. WebSocket) |

### 2xx - Success

| Code | Meaning | Description |
|---|---|---|
| 200 | OK | The request succeeded |
| 201 | Created | A new resource was created |
| 202 | Accepted | The request was accepted but is still being processed |
| 204 | No Content | Success, but there is no content to return |

### 3xx - Redirection

| Code | Meaning | Description |
|---|---|---|
| 301 | Moved Permanently | The resource has been moved permanently |
| 302 | Found | Temporary redirect |
| 304 | Not Modified | The cached version is still current |
| 307 | Temporary Redirect | Temporary redirect; the method does not change |
| 308 | Permanent Redirect | Permanent redirect; the method does not change |

### 4xx - Client Error

| Code | Meaning | Description |
|---|---|---|
| 400 | Bad Request | Malformed request |
| 401 | Unauthorized | Authentication is required |
| 403 | Forbidden | Access denied |
| 404 | Not Found | Resource not found |
| 405 | Method Not Allowed | The HTTP method is not supported |
| 409 | Conflict | Conflict (e.g. duplicate) |
| 429 | Too Many Requests | Rate limit exceeded |

### 5xx - Server Error

| Code | Meaning | Description |
|---|---|---|
| 500 | Internal Server Error | An error occurred on the server |
| 502 | Bad Gateway | The gateway/proxy received an invalid response |
| 503 | Service Unavailable | The server is temporarily unavailable |
| 504 | Gateway Timeout | Gateway timeout |
## HTTP Response Structure

```mermaid
graph TD
    A[HTTP Response] --> B[Status Line]
    A --> C[Headers]
    A --> D[Empty Line]
    A --> E[Body]
    B --> F[HTTP Version]
    B --> G[Status Code]
    B --> H[Reason Phrase]
    C --> I[Content-Type]
    C --> J[Content-Length]
    C --> K[Cache-Control]
    C --> L[Set-Cookie]
    style A fill:#ffe1e1
```

Example response:

```http
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 85
Cache-Control: max-age=3600
Set-Cookie: session=abc123; HttpOnly

{
  "id": 123,
  "name": "Tural",
  "email": "tural@example.com"
}
```
## HTTP Headers

### Request Headers

**Host**: the target host name

```http
Host: www.example.com
```

**User-Agent**: client information

```http
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
```

**Accept**: the content types the client accepts

```http
Accept: application/json, text/html
Accept-Language: az, en
Accept-Encoding: gzip, deflate
```

**Authorization**: authentication credentials

```http
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Authorization: Basic dXNlcjpwYXNzd29yZA==
```

**Cookie**: client-side cookies

```http
Cookie: session=abc123; user_id=456
```

**Content-Type**: the type of the request body

```http
Content-Type: application/json
Content-Type: application/x-www-form-urlencoded
Content-Type: multipart/form-data
```

### Response Headers

**Content-Type**: the type of the response body

```http
Content-Type: application/json; charset=utf-8
```

**Content-Length**: the size of the body in bytes

```http
Content-Length: 1234
```

**Set-Cookie**: sets a cookie

```http
Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict
```

**Cache-Control**: caching directives

```http
Cache-Control: max-age=3600, public
Cache-Control: no-cache, no-store, must-revalidate
```

**Location**: redirect URL

```http
Location: https://example.com/new-location
```

**ETag**: resource version

```http
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
```
## HTTPS (HTTP Secure)

HTTPS = HTTP + SSL/TLS

Characteristics:

- Encryption: the data is encrypted
- Authentication: the server's identity is verified
- Integrity: guarantees that the data has not been modified
- Port 443: default port

### SSL/TLS Handshake

```mermaid
sequenceDiagram
    participant Client
    participant Server
    Note over Client,Server: SSL/TLS Handshake
    Client->>Server: 1. Client Hello<br/>(supported cipher suites)
    Server->>Client: 2. Server Hello<br/>(selected cipher suite)
    Server->>Client: 3. Certificate<br/>(public key)
    Server->>Client: 4. Server Hello Done
    Note over Client: Verify certificate
    Client->>Server: 5. Client Key Exchange<br/>(encrypted pre-master secret)
    Client->>Server: 6. Change Cipher Spec
    Client->>Server: 7. Finished
    Server->>Client: 8. Change Cipher Spec
    Server->>Client: 9. Finished
    Note over Client,Server: Encrypted Communication
    Client->>Server: Encrypted HTTP Request
    Server->>Client: Encrypted HTTP Response
```

The diagram shows the classic TLS 1.2 handshake with RSA key exchange (the client encrypts a pre-master secret to the server's public key). TLS 1.3 completes the handshake in a single round trip and always derives the keys with an ephemeral (Diffie-Hellman) exchange, so step 5 as drawn does not exist there.

### SSL/TLS Versions

| Version | Year | Status |
|---|---|---|
| SSL 1.0 | - | Never released |
| SSL 2.0 | 1995 | Deprecated (2011) |
| SSL 3.0 | 1996 | Deprecated (2015) |
| TLS 1.0 | 1999 | Deprecated (2020) |
| TLS 1.1 | 2006 | Deprecated (2020) |
| TLS 1.2 | 2008 | ✅ Current |
| TLS 1.3 | 2018 | ✅ Recommended |
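The practical consequence of the version table is a client (or server) configuration that refuses everything below TLS 1.2 and still verifies the certificate chain drawn in the next section. The snippet below is an added example, not from the original page: it builds such a context with Python's standard `ssl` module and exposes two helper functions that report what the context would negotiate. No network connection is made; the helper names are assumptions made for this illustration.

```python
"""Build a TLS client context that enforces the version table above.

Added example, not from the original page. Only the context is configured;
no connection is opened. Helper names are assumptions for this illustration.
"""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Default trust store, certificate verification on, TLS 1.2 and 1.3 only."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 3.0, TLS 1.0, TLS 1.1 refused
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def negotiable_versions(ctx: ssl.SSLContext) -> list:
    """Names of the protocol versions this context would accept."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:   # sentinel, not a real version
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    candidates = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)
    return [v.name for v in candidates if lo <= v <= hi]


def verifies_server(ctx: ssl.SSLContext) -> bool:
    """True when the peer certificate chain and hostname are both checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("accepts:", negotiable_versions(ctx))
    print("verifies server certificate:", verifies_server(ctx))
```

The context is what you would pass to `ssl.SSLContext.wrap_socket` or to an HTTP client; disabling `check_hostname` or setting `verify_mode = ssl.CERT_NONE` removes the "Authentication" property from the list above even though the traffic stays encrypted.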
### Certificate Chain

```mermaid
graph TD
    A[Root CA<br/>Trusted Authority] --> B[Intermediate CA]
    B --> C[example.com<br/>Server Certificate]
    style A fill:#90EE90
    style B fill:#FFD93D
    style C fill:#87CEEB
```
## HTTP/2

Improvements:

- Binary protocol: binary framing instead of text
- Multiplexing: many requests over a single connection
- Server push: the server sends data proactively
- Header compression: the HPACK algorithm
- Stream prioritization: a priority system

```mermaid
graph LR
    subgraph HTTP/1.1
        A1[Request 1] --> B1[Response 1]
        A2[Request 2] --> B2[Response 2]
        A3[Request 3] --> B3[Response 3]
    end
    subgraph HTTP/2
        C[Multiple Requests<br/>Stream 1, 2, 3] --> D[Single TCP Connection]
        D --> E[Multiple Responses<br/>Multiplexed]
    end
    style HTTP/1.1 fill:#FFB6C1
    style HTTP/2 fill:#90EE90
```

### HTTP/1.1 vs HTTP/2

| Feature | HTTP/1.1 | HTTP/2 |
|---|---|---|
| Protocol | Text-based | Binary |
| Connections | Multiple | Single multiplexed |
| Header | Plain text, repetitive | Compressed (HPACK) |
| Server Push | No | Yes |
| Prioritization | No | Yes |
| Performance | Good | Better |

## HTTP/3 (QUIC)

Main differences:

- Runs over UDP (instead of TCP)
- 0-RTT connection: faster
- Improved loss recovery
- Connection migration: survives IP address changes

```mermaid
graph TD
    A[HTTP/3] --> B[QUIC Protocol]
    B --> C[UDP]
    D[HTTP/2] --> E[TLS]
    E --> F[TCP]
    style A fill:#90EE90
    style D fill:#FFD93D
```
## Caching

### Cache-Control Directives

Request directives:

```http
Cache-Control: no-cache
Cache-Control: no-store
Cache-Control: max-age=3600
```

Response directives:

```http
Cache-Control: public, max-age=86400
Cache-Control: private, max-age=3600
Cache-Control: no-cache, no-store, must-revalidate
```

### Caching Flow

```mermaid
sequenceDiagram
    participant Client
    participant Cache
    participant Server
    Client->>Cache: Request resource
    Cache->>Cache: Check if cached
    alt Cache Hit (Fresh)
        Cache->>Client: Return cached response
    else Cache Hit (Stale)
        Cache->>Server: Revalidate (If-None-Match)
        alt Not Modified
            Server->>Cache: 304 Not Modified
            Cache->>Client: Return cached response
        else Modified
            Server->>Cache: 200 OK + New content
            Cache->>Cache: Update cache
            Cache->>Client: Return new response
        end
    else Cache Miss
        Cache->>Server: Forward request
        Server->>Cache: 200 OK + Content
        Cache->>Cache: Store in cache
        Cache->>Client: Return response
    end
```

### ETag and Conditional Requests

First request:

```http
GET /api/users/123 HTTP/1.1
Host: api.example.com
```

```http
HTTP/1.1 200 OK
ETag: "686897696a7c876b7e"
Content-Type: application/json

{"id": 123, "name": "Tural"}
```

Subsequent request:

```http
GET /api/users/123 HTTP/1.1
Host: api.example.com
If-None-Match: "686897696a7c876b7e"
```

```http
HTTP/1.1 304 Not Modified
```
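The directives, the caching flow and the ETag exchange above fit together in one small cache model. The code below is an added example, not from the original page: it parses `Cache-Control`, decides whether a response may be stored (`no-store` forbids any cache, `private` forbids shared ones), decides whether a stored entry is still fresh, and on a stale entry performs the `If-None-Match` revalidation from the diagram, reusing the body when the ETags match. The `CacheEntry` structure, the `serve` function and its return values, and the sample entry are assumptions; the ETag value is the page's own.

```python
"""Cache-Control parsing, freshness and ETag revalidation for one cache entry.

Added example, not from the original page. CacheEntry, serve() and the
sample values are assumptions; the headers are the ones the page covers.
"""
from dataclasses import dataclass


def parse_cache_control(value: str) -> dict:
    """'public, max-age=86400' -> {'public': None, 'max-age': 86400}."""
    out = {}
    for token in value.split(","):
        token = token.strip().lower()
        if not token:
            continue
        name, _, arg = token.partition("=")
        arg = arg.strip('"')
        out[name] = int(arg) if arg.isdigit() else (arg or None)
    return out


@dataclass
class CacheEntry:
    etag: str
    body: bytes
    cache_control: str
    stored_at: float   # seconds since epoch when the response was stored


def is_storable(cache_control: str, shared_cache: bool) -> bool:
    """no-store forbids caching anywhere; private forbids shared caches only."""
    cc = parse_cache_control(cache_control)
    if "no-store" in cc:
        return False
    return not (shared_cache and "private" in cc)


def is_fresh(entry: CacheEntry, now: float) -> bool:
    """Fresh while age < max-age; no-cache or a missing max-age forces revalidation."""
    cc = parse_cache_control(entry.cache_control)
    if "no-cache" in cc or not isinstance(cc.get("max-age"), int):
        return False
    return now - entry.stored_at < cc["max-age"]


def serve(entry: CacheEntry, now: float, origin_etag: str, origin_body: bytes):
    """Walk the caching flow for a hit: fresh, stale+304, or stale+200.

    origin_etag/origin_body stand in for the origin server's current state.
    Returns (outcome, body) with outcome 'hit', 'revalidated' or 'refetched'.
    """
    if is_fresh(entry, now):
        return "hit", entry.body
    # Stale: send If-None-Match. Weak validators (W/ prefix) are allowed
    # in this comparison, so the prefix is ignored on both sides.
    if entry.etag.removeprefix("W/") == origin_etag.removeprefix("W/"):
        entry.stored_at = now            # origin answered 304: keep the body
        return "revalidated", entry.body
    entry.etag, entry.body, entry.stored_at = origin_etag, origin_body, now
    return "refetched", origin_body       # origin answered 200 with new content


# Constructed sample entry, using the page's ETag and body.
SAMPLE_ENTRY = CacheEntry(
    etag='"686897696a7c876b7e"',
    body=b'{"id": 123, "name": "Tural"}',
    cache_control="public, max-age=3600",
    stored_at=1_000_000.0,
)

if __name__ == "__main__":
    t0 = SAMPLE_ENTRY.stored_at
    print(serve(SAMPLE_ENTRY, t0 + 600, SAMPLE_ENTRY.etag, b""))      # hit
    print(serve(SAMPLE_ENTRY, t0 + 4000, SAMPLE_ENTRY.etag, b""))     # revalidated
    print(serve(SAMPLE_ENTRY, t0 + 8000, '"new"', b'{"id": 123}'))    # refetched
```

The `is_storable` check is the one that matters for security: a `private` or `no-store` response that a shared proxy caches anyway can hand one user's data to the next requester.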
## CORS (Cross-Origin Resource Sharing)

Purpose: allow or deny cross-origin requests.

### Simple Request

```mermaid
sequenceDiagram
    participant Browser
    participant Server
    Browser->>Server: GET /api/data<br/>Origin: https://example.com
    Server->>Browser: Access-Control-Allow-Origin: *<br/>200 OK + Data
```

### Preflight Request

```mermaid
sequenceDiagram
    participant Browser
    participant Server
    Note over Browser,Server: Preflight
    Browser->>Server: OPTIONS /api/data<br/>Origin: https://example.com<br/>Access-Control-Request-Method: POST
    Server->>Browser: Access-Control-Allow-Origin: https://example.com<br/>Access-Control-Allow-Methods: POST, GET<br/>200 OK
    Note over Browser,Server: Actual Request
    Browser->>Server: POST /api/data<br/>Origin: https://example.com
    Server->>Browser: Access-Control-Allow-Origin: https://example.com<br/>201 Created
```

CORS headers:

```http
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400
Access-Control-Allow-Credentials: true
```
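The server side of both diagrams is a single decision: given the request's `Origin` (and, for a preflight, the requested method and headers), which of the headers listed above to emit. The function below is an added example, not from the original page: it matches `Origin` against a fixed allow-list instead of echoing whatever the request carries, adds `Vary: Origin` so a shared cache never serves one origin's response to another, and never combines `*` with `Access-Control-Allow-Credentials: true` (browsers reject that combination). The allow-list contents, the `cors_headers` name and the sample requests are assumptions made for this illustration.

```python
"""Server-side CORS decision with an origin allow-list.

Added example, not from the original page. ALLOWED_ORIGINS, the function
name and the sample requests are constructed for this illustration.
"""
ALLOWED_ORIGINS = {"https://example.com", "https://app.example.com"}  # constructed
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")
ALLOWED_HEADERS = ("Content-Type", "Authorization")
PREFLIGHT_MAX_AGE = "86400"


def cors_headers(request_headers: dict, method: str, allow_credentials: bool = True) -> dict:
    """Return the CORS response headers for one request, or {} to deny.

    An empty dict means: send no CORS headers at all, so the browser blocks
    the cross-origin read. The allowed origin is always a specific value
    taken from the allow-list, never '*', which is what permits credentials.
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    origin = headers.get("origin")
    if origin is None:
        return {}                      # same-origin or non-browser client
    if origin not in ALLOWED_ORIGINS:
        return {}                      # unknown origin: deny
    out = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        out["Access-Control-Allow-Credentials"] = "true"
    if method == "OPTIONS" and "access-control-request-method" in headers:
        # Preflight: the browser asks whether the real request would be allowed.
        wanted = headers["access-control-request-method"].upper()
        if wanted not in ALLOWED_METHODS:
            return {}
        asked = [h.strip().lower()
                 for h in headers.get("access-control-request-headers", "").split(",")
                 if h.strip()]
        if any(h not in {a.lower() for a in ALLOWED_HEADERS} for h in asked):
            return {}
        out["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        out["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        out["Access-Control-Max-Age"] = PREFLIGHT_MAX_AGE
    return out


if __name__ == "__main__":
    preflight = {"Origin": "https://example.com",
                 "Access-Control-Request-Method": "POST",
                 "Access-Control-Request-Headers": "Content-Type"}
    print(cors_headers(preflight, "OPTIONS"))
    print(cors_headers({"Origin": "https://example.com"}, "POST"))
    print(cors_headers({"Origin": "https://other.example"}, "GET"))   # {}
```

Note that CORS only governs what the browser lets a page read; the server still processed the request, so authorization checks must not depend on it.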
## Cookies

Cookie attributes:

```http
Set-Cookie: session=abc123; Domain=example.com; Path=/; Max-Age=3600; Secure; HttpOnly; SameSite=Strict
```

Attributes:

- Domain: the domain for which the cookie is valid
- Path: the path for which the cookie is valid
- Max-Age/Expires: expiration time
- Secure: sent only over HTTPS
- HttpOnly: not accessible from JavaScript
- SameSite: CSRF protection (Strict, Lax, None)
## Authentication

### Basic Authentication

```http
GET /api/users HTTP/1.1
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
```

Disadvantages:

- The credentials are sent with every request
- Base64 encoding (not encryption)
- Requires HTTPS

### Bearer Token (JWT)

```http
GET /api/users HTTP/1.1
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```

Advantages:

- Stateless
- Self-contained
- Scalable
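Both schemes above are handled by the same `Authorization` header, and the difference between them is visible in code. The block below is an added example, not from the original page: it decodes the page's Basic sample (`dXNlcm5hbWU6cGFzc3dvcmQ=`, which is just Base64 of `username:password`, hence the HTTPS requirement), and it mints and verifies an HS256 JWT whose header segment is exactly the `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9` shown in the page's Bearer example. Verification pins the algorithm to HS256 before trusting anything else, checks the HMAC with a constant-time comparison, and enforces `exp`. The signing key, the `sub`/`exp` claim names and the function names are assumptions made for this illustration.

```python
"""Authorization header handling: decode Basic, sign and verify an HS256 JWT.

Added example, not from the original page. The key, claim names and
function names are assumptions; the Basic value is the page's own sample.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_basic(value: str) -> tuple:
    """Basic is Base64 only: whoever sees the header sees the password."""
    user, sep, password = base64.b64decode(value).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("Basic credentials must be user:password")
    return user, password


def make_jwt(claims: dict, key: bytes) -> str:
    """header.payload.signature, all base64url, signed with HMAC-SHA256."""
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url_encode(json.dumps(claims, **compact).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims only if alg, signature and expiry all check out.

    The algorithm is pinned before anything else is trusted, so a token
    whose header says 'none' or names another algorithm is rejected
    instead of being evaluated under rules chosen by whoever forged it.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have three dot-separated parts")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = now if now is not None else time.time()
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def authenticate(authorization: str, key: bytes, now: Optional[float] = None) -> dict:
    """Dispatch on the scheme; returns {'scheme': ..., 'subject': ...}."""
    scheme, _, value = authorization.partition(" ")
    if scheme.lower() == "basic":
        user, _password = decode_basic(value)   # password verification would go here
        return {"scheme": "Basic", "subject": user}
    if scheme.lower() == "bearer":
        return {"scheme": "Bearer", "subject": verify_jwt(value, key, now)["sub"]}
    raise ValueError(f"unsupported scheme {scheme!r}")


if __name__ == "__main__":
    KEY = b"constructed-demo-key"          # constructed; use a random secret in practice
    print(decode_basic("dXNlcm5hbWU6cGFzc3dvcmQ="))
    token = make_jwt({"sub": "tural", "exp": int(time.time()) + 3600}, KEY)
    print(token)
    print(authenticate("Bearer " + token, KEY))
```

Because the server only needs the key to verify, no session lookup is required per request, which is the "stateless" and "scalable" advantage listed above; the flip side is that a token cannot be revoked before `exp` without reintroducing server-side state.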
### OAuth 2.0 Flow

```mermaid
sequenceDiagram
    participant User
    participant Client
    participant AuthServer
    participant ResourceServer
    User->>Client: 1. Login request
    Client->>AuthServer: 2. Authorization request
    AuthServer->>User: 3. Login page
    User->>AuthServer: 4. Credentials
    AuthServer->>Client: 5. Authorization code
    Client->>AuthServer: 6. Exchange code for token
    AuthServer->>Client: 7. Access token
    Client->>ResourceServer: 8. Request with token
    ResourceServer->>Client: 9. Protected resource
    Client->>User: 10. Display data
```
## REST API Best Practices

1. Resource-based URLs:

```
✅ GET /api/users
✅ POST /api/users
✅ GET /api/users/123
✅ PUT /api/users/123
✅ DELETE /api/users/123
❌ GET /api/getUsers
❌ POST /api/createUser
```

2. Use HTTP methods correctly:

- GET: read
- POST: create
- PUT: full update
- PATCH: partial update
- DELETE: delete

3. Use status codes properly:

- 2xx: success
- 4xx: client error
- 5xx: server error

4. Versioning:

```
/api/v1/users
/api/v2/users
```

5. Filtering, sorting, pagination:

```http
GET /api/users?role=admin&sort=name&page=2&limit=20
```

## Performance Optimization

1. Compression:

```http
Accept-Encoding: gzip, deflate, br
Content-Encoding: gzip
```

2. Keep-Alive:

```http
Connection: keep-alive
Keep-Alive: timeout=5, max=100
```

3. Conditional requests:

```http
If-None-Match: "etag-value"
If-Modified-Since: Wed, 21 Oct 2020 07:28:00 GMT
```

4. HTTP/2 server push:

```http
Link: </styles.css>; rel=preload; as=style
```
## Security Best Practices

- Always use HTTPS
- HSTS header:

  ```http
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  ```

- Security headers:

  ```http
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  Content-Security-Policy: default-src 'self'
  ```

  (X-XSS-Protection is a legacy header that current browsers ignore; Content-Security-Policy is the control that actually applies.)

- Rate limiting:

  ```http
  X-RateLimit-Limit: 100
  X-RateLimit-Remaining: 75
  X-RateLimit-Reset: 1635789600
  ```

- Input validation and sanitization
- Configure CORS correctly
- Do not send sensitive data in headers
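The headers in this list and the cookie attributes from the Cookies section are the things a reviewer checks on every response, so they are worth turning into an automated audit. The block below is an added example, not from the original page: it takes a response's header list (as name/value pairs, because `Set-Cookie` may repeat), flags a missing or short-lived HSTS policy, missing `nosniff`, missing CSP, missing clickjacking protection (`X-Frame-Options` or a CSP `frame-ancestors` directive), and any `Set-Cookie` without `Secure`, `HttpOnly` or a `Strict`/`Lax` `SameSite`. It deliberately does not require `X-XSS-Protection`, which current browsers ignore. The finding texts, function names and the two sample responses are constructed for this illustration.

```python
"""Audit an HTTP response for the security headers and cookie attributes above.

Added example, not from the original page. Finding texts, function names and
the two sample responses are constructed for this illustration.
"""
ONE_YEAR = 31536000


def parse_set_cookie(value: str) -> dict:
    """'session=abc; Secure; HttpOnly; SameSite=Strict' -> attribute dict."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {"name": name.strip(), "value": val.strip()}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True   # flags map to True
    return attrs


def audit_cookie(set_cookie: str) -> list:
    c = parse_set_cookie(set_cookie)
    findings = []
    if "secure" not in c:
        findings.append(f"{c['name']}: missing Secure (may be sent over plain HTTP)")
    if "httponly" not in c:
        findings.append(f"{c['name']}: missing HttpOnly (readable by JavaScript)")
    samesite = str(c.get("samesite", "")).lower()
    if samesite not in ("strict", "lax"):
        findings.append(f"{c['name']}: SameSite should be Strict or Lax (CSRF)")
    if samesite == "none" and "secure" not in c:
        findings.append(f"{c['name']}: SameSite=None requires Secure")
    return findings


def audit_response(headers: list, https: bool = True) -> list:
    """Return a list of findings for a (name, value) header list; [] means clean."""
    by_name = {}
    for k, v in headers:
        by_name.setdefault(k.lower(), []).append(v)

    def first(name):
        vals = by_name.get(name.lower())
        return vals[0] if vals else None

    findings = []
    if https:
        hsts = first("Strict-Transport-Security")
        if hsts is None:
            findings.append("missing Strict-Transport-Security")
        else:
            max_age = 0
            for d in hsts.split(";"):
                d = d.strip().lower()
                if d.startswith("max-age=") and d[8:].isdigit():
                    max_age = int(d[8:])
            if max_age < ONE_YEAR:
                findings.append("HSTS max-age below one year")
    if (first("X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = first("Content-Security-Policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    if first("X-Frame-Options") is None and "frame-ancestors" not in (csp or ""):
        findings.append("missing clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    for sc in by_name.get("set-cookie", []):
        findings.extend(audit_cookie(sc))
    return findings


# Constructed samples: a bare response and one carrying the page's headers.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Set-Cookie", "session=abc123; Domain=example.com; Path=/; Max-Age=3600; "
                   "Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "no findings")
```

Feeding it real responses (for example the header list from `http.client`'s `getheaders()`) turns the checklist above into a regression test that runs in CI.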
## Related Topics

- TCP/IP Protocol
- DNS System
- Load Balancing
- CDN
- Network Security
- API Design
- WebSockets