ASP.NET basic learning 2

Source: Internet
Author: User

HTTP protocol overview

1. Web development is built on the HTTP protocol, so you must understand it. HTTP protocol versions: HTTP/0.9, HTTP/1.0 and HTTP/1.1.

HTTP analysis tools

1. DebugBar: inspects HTTP(S) traffic. Free; it can only analyze the traffic of the current browser.

2. HttpWatch: commercial; likewise limited to the traffic of the current browser. Recommended.

HTTP concepts:

1. Connection: the data transmission channel between the browser and the server. Generally the connection is closed once the request completes and is not kept open.

2. Request: the "I want to ..." message sent by the browser to the server, including the request type, the request data and browser information (language, browser version, etc.).

3. Response: the data the server returns for the browser's request, including whether the request succeeded and, if not, the error code.

HTTP response codes: the browser sends a request to the server; the server may succeed, may fail, or may deny access for lack of permission. It tells the browser the processing result through the response code.

HTTP/1.1 200 OK: 200 is the status code, indicating that the request was processed successfully.

301 Moved Permanently: permanent transfer.
302 Found: temporary transfer.
307 Temporary Redirect.
400 Bad Request: the request does not comply with the HTTP protocol.
401 Unauthorized: the user is not authenticated; generally the user needs to enter a user name and password to log on.
403 Forbidden: access prohibited.
404 Not Found: page not found.
500 Internal Server Error.

If the web page contains external files such as images, CSS and JS, each of those is fetched in a separate request; the whole page is not delivered in one request, there is one request per resource.

Generally only the browser requests the server; the server returns the corresponding data and does not actively push data to the browser. This is both a security consideration and a performance gain for the server. If you want the server to push data to the client browser, you need additional technologies such as Server Push.

HTTP is a "request-response" model, so the page is refreshed for every interaction. If you do not want the page to be refreshed, AJAX and similar technologies are required.

Multi-threaded download is built on resumable download.

Example of a Request Response Model

The difference between following a hyperlink and submitting a form is direct access versus postback.


Some basic principles of Web Development

1. Principle of least privilege. State "users are only allowed to do ***" rather than "users are not allowed to do ***".

2. The browser displays the text output by executing the server-side code; it cannot see the server-side .aspx and .cs code unless the server has a vulnerability. "Save target as" likewise saves the execution result of the .aspx, not its source. JavaScript and HTML, by contrast, are executed in the browser, so it is impossible to keep visitors from seeing the JS and HTML.

C# code runs on the server side and JS code runs on the browser side. Some code can be executed on the client; for example the confirmation on a button, OnClientClick="return confirm('Do you really want to delete it?')", runs on the browser side.

A dialog box that "pops up from the server" is actually executed in the browser:

Response.Write("<script>alert('deleted successfully!')</script>"); The server merely writes this text to the browser; when the browser parses it, it recognises the JavaScript and shows the alert. The server does not know that this is dialog code, and writing it does not block the server code from continuing. (Not recommended; ClientScript.RegisterStartupScript is recommended.)

A dialog box popped up on the server makes no sense, for example: DialogResult dr = MessageBox.Show("What is displayed on the server? In the dialog box you must add a reference to WinForms. Why was I so silly last time! I did not expect this.", "Silly?", MessageBoxButtons.YesNo);

Why is it meaningless? Very simple: our website is visited by many people, but a prompt box popped up on the server at each visit is never seen by the client; worse, the server gets stuck because too many boxes are displayed!!

To hide a control you do not need to write server code; you can use JavaScript and the DOM on the client. Verification of the user name and password could be placed on the browser side, but that is insecure, so it must be placed on the server side.

Client verification cannot replace server verification

For example, online banking amount verification is performed not only on the client but also on the server. The client check exists to give a good user experience and to catch mistakes quickly, so obviously wrong input never needs a round trip; the server check is the final gate that stops malicious requests.

Do not put sensitive data or algorithms in the browser.

Do not store confidential information in HTML.

When a server-side control is set to Visible=false, its markup is not rendered to the client browser at all. A client-side control is different: it is still rendered, only with its display attribute set to none.
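An added example (not from the original notes) tying the last few points together: a Web Forms code-behind for the banking amount check, in which the rule the browser already applied is applied again on the server, and the result dialog is registered with ClientScript.RegisterStartupScript instead of Response.Write. The page name, control names, GetBalance and the client-side checkAmount function are assumptions.

```csharp
using System;
using System.Globalization;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a hypothetical transfer.aspx. The fields stand in for the controls declared
// in the .aspx markup, where the button carries
//   OnClientClick="return confirm('Do you really want to transfer?') && checkAmount();"
// so the browser does the fast first check (checkAmount is a hypothetical JS copy of IsValidAmount).
public partial class Transfer : Page
{
    protected TextBox txtAmount;
    protected Button btnTransfer;
    protected Label lblError;

    // Hypothetical balance lookup; a real page would read it from the data layer.
    private static decimal GetBalance(string userName) => 1000.00m;

    // The single business rule. The client-side JS mirrors it for user experience;
    // this server-side copy is the one that counts.
    public static bool IsValidAmount(string text, decimal balance, out decimal amount)
    {
        if (!decimal.TryParse(text, NumberStyles.Number, CultureInfo.InvariantCulture, out amount))
            return false;
        return amount > 0m && amount <= balance && decimal.Round(amount, 2) == amount;
    }

    protected void btnTransfer_Click(object sender, EventArgs e)
    {
        // Never rely on the browser check: JS may be disabled or the POST may be forged,
        // so the same rule is applied again here before anything happens.
        decimal balance = GetBalance(User.Identity.Name);
        if (!IsValidAmount(txtAmount.Text, balance, out decimal amount))
        {
            // Static message; the rejected input is not echoed back into the page.
            lblError.Text = "Invalid amount.";
            return;
        }

        // ... perform the transfer on the server here ...

        // Feedback dialog the recommended way: register a startup script rather than
        // Response.Write("<script>alert(...)</script>"). The amount is formatted with the
        // invariant culture so only digits and a dot reach the JavaScript string.
        ClientScript.RegisterStartupScript(GetType(), "transferDone",
            "alert('Transfer of " + amount.ToString("0.00", CultureInfo.InvariantCulture) + " submitted.');",
            true);
    }
}
```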


XSS Vulnerability

Do not take a string straight from the request and display it in the page as HTML. Display the request string after HTML encoding rather than letting it execute as HTML.

The XSS issue also exists when users post; save the post content to a text file.

We can inspect the request data: if it contains "<" and the like, treat it as a malicious attack and refuse the submission. This is what ASPX does by default; the disadvantage is that you cannot post HTML code in a forum.

Therefore the better solution is to display the HTML content as plain text rather than as HTML. HttpUtility.HtmlEncode escapes the special characters in the string, so <script> is not treated as the tag that defines a script but becomes &lt;script&gt;, which lets you display the content directly on the page.
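Added example (not from the original notes): a console program contrasting the two approaches above on constructed forum posts, rejecting any request that contains "<" (the default ASPX behaviour described) versus saving the post as typed and encoding it with HttpUtility.HtmlEncode at display time. The class and method names, the sample posts and the temp-file storage path are assumptions.

```csharp
using System;
using System.IO;
using System.Web;   // HttpUtility; ships with .NET Framework and .NET Core 2.0+ / .NET 5+

public static class ForumXssDemo
{
    // Strategy 1 (what ASPX request validation does by default): refuse any post containing
    // markup characters. Simple, but it also blocks legitimate text such as "a < b".
    public static bool RejectedByRequestValidation(string post) =>
        post.Contains("<") || post.Contains(">");

    // Strategy 2: store the post exactly as typed (the text file is the forum's storage) ...
    public static void SavePost(string path, string post) =>
        File.AppendAllText(path, post.Replace("\r", " ").Replace("\n", " ") + Environment.NewLine);

    // ... and encode at output time, so "<script>" reaches the browser as "&lt;script&gt;".
    public static string RenderPost(string post) =>
        "<div class=\"post\">" + HttpUtility.HtmlEncode(post) + "</div>";

    // The vulnerable variant from the text: the stored string is dropped into the HTML as-is.
    public static string RenderPostUnsafe(string post) =>
        "<div class=\"post\">" + post + "</div>";

    public static void Main()
    {
        // Constructed sample posts: one legitimate, one carrying the notes' <script> example.
        string[] posts =
        {
            "Sorting works if a < b and b > c",
            "<script>alert('deleted successfully!')</script>",
        };
        string storage = Path.Combine(Path.GetTempPath(), "forum-posts.txt");
        File.Delete(storage);   // start from an empty store; no error if the file is absent

        foreach (string post in posts)
        {
            // Both posts are rejected by strategy 1, including the harmless one.
            Console.WriteLine("request validation rejects: " + RejectedByRequestValidation(post));
            SavePost(storage, post);
        }

        foreach (string stored in File.ReadAllLines(storage))
        {
            Console.WriteLine(RenderPostUnsafe(stored));  // second post would execute in a browser
            Console.WriteLine(RenderPost(stored));        // shown literally as &lt;script&gt;...
        }
    }
}
```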
