Understanding HTTP Requests with curl

3.1.1. Installing on Mac OS X

Installing curl on Mac OS X can be made very easy if you have Homebrew installed. If you don’t have it, run the following command (taken from the official website):

/usr/bin/ruby -e \
"$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Then install curl using the brew command:

brew install curl

If everything went well, you should now have curl installed. Give it a try and enter curl in your terminal.

$ curl
curl: try 'curl --help' or 'curl --manual' for more information

3.1.2. Installing on Linux

You should already have a packet manager, so simply use it to install the curl package.

Ubuntu/Debian:

sudo apt-get install curl

Now that we have curl, let’s learn more about how it works. We will be using it throughout this book to simulate clients.

3.4.1. The Start-Line

The Start-Line, as defined in RFC 2616, contains two parts: the Request-Line and the Status-Line.

HTTP/1.1 200 OK

In the example above, the Request-Line is HTTP/1.1 and begins with the version of HTTP being used, while the Status-Line (200 OK) indicates how the request went. We will learn more about the Status-Line when we talk about HTTP status codes.

3.4.2. The Header Fields

The header fields represent the metadata of the HTTP requests and responses. They contain information about how the transfer of data should be handled.

In this response, we’ve got 8 header fields:

• Content-Type
• Content-Length
• X-XSS-Protection
• X-Content-Type-Options
• X-Frame-Options
• Connection
• Server.

Content-Type is a very important header since it defines how the representation is serialized. It contains the media type of the representation. In our case, you can see how incorrect it is. It defines the media type as being text/html when we actually received a JSON document (media type application/json). There is obviously a bug in our server and we will need to fix it.

Content-Type: text/html;charset=utf-8

The Content-Length header indicates the size of the body sent in the response, in octets.

Content-Length: 203

Non-official headers start, by convention, with an X. They are used to add metadata to the HTTP requests/responses to deal with specific problems. Anyone can add new HTTP headers to their requests very easily since there is no limitation for this in the HTTP implementation.

However, it’s not a recommended practice and should generally be avoided. You shouldn’t have to add anything. HTTP provides a big number of headers that can be used for various situations and you can usually find what you need.

If one day you really need to add a new header, do not use the X prefix. It is now deprecated, so you should just use MY-SUPER-HEADER instead of X-MY-SUPER-HEADER.

All the headers starting with X- in the response we got deal with security and web browser behavior. They are outside of the scope of this book and you won’t need them to build web APIs. They are usually added by web servers automatically. They play a role in protecting from clickjacking, preventing XSS attacks and preventing browsers from MIME-sniffing a response away from the declared content-type.

X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN

We don’t really have to worry about the Connection header. It contains control options for the current connection and in what way it should be handled.

Connection: keep-alive

The Server response-header contains information about the software that handled the request. In our case, that’s the Ruby web server thin.

Server: thin

There are almost 50 header fields defined in the HTTP RFC document and we will learn about many others in the rest of this book.

3.4.3. The Empty Line

The empty line is here just to define the end of the list of headers and the beginning of the body (if there is one).

*Empty, nothing to see.*

3.4.4. The Message-Body

The body, or Message-Body as defined in the RFC, contains the data the server is sending back based on the request we made.

In this case, it’s a JSON string that we generated in the Sinatra API.

[
  {"first_name":"Thibault", "last_name":"Denizet", "age":25, "id":"thibault"},
  {"first_name":"Simon", "last_name":"Random", "age":26, "id":"simon"},
  {"first_name":"John", "last_name":"Smith", "age":28, "id":"john"}
]

We just reviewed how an HTTP response is structured. It wasn’t the most enjoyable thing to do, but we are done with it. Just kidding - now we are going to see how HTTP requests are formatted! Don’t worry, it’s pretty similar and shouldn’t take long.

3.5.1. The Start-Line

The Start-Line for a request contains the HTTP method to use (GET), the identifier of the resource (/users) and the protocol version in use (HTTP/1.1).

3.5.2. The Header Fields

The list of headers is more minimalist and contains only two header fields: Host and User-Agent. Host is a mandatory header in HTTP requests since it contains the address (IP address or domain name) where the specified resource can be found.

I’m sure you already know about the User-Agent; it’s a pretty well known header that contains information about the emitter of the request. In our case, it was made from curl so it includes the name of the software and its version. In the end, it looks like curl/7.43.0.

To give you another example, here is the user agent for requests sent by Google Chrome (version 41.0.2228.0):

Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko)
  Chrome/41.0.2228.0 Safari/537.36

3.5.3. The Empty Line

It’s the same goal here as for HTTP responses - to separate headers from body.

*Empty, nothing to see.*

3.5.4. The Message-Body

Once we start working with other HTTP methods, like POST, we will see how a body is integrated inside an HTTP request.