A project log for HTTaP

Test Access Port over HTTP

Yann Guidon / YGDES, 03/21/2017 at 21:42, 0 Comments

HTTaP uses a reduced subset of HTTP, keeping only a few essential features.

HTTaP servers work mostly like classic HTTP servers but differ in a few ways, such as

These implementation choices come from constraints on size, speed and complexity: HTTaP must run on "barebone systems" with limited code and data memory, reduced CPU resources and lax security.

Development and support of HTTaP at the lowest level is on the server side, because all the clients are meant to be HTTP compliant already. High-level development (the application's intelligence) focuses on the client side, which uses JavaScript (or any other capable dynamic language; Python is quite popular, for example, and a browser is not required) to assemble the requests and interpret the responses.

The HTTaP server must be as lean and simple as possible.

A HTTaP server typically provides two separate domains:

  1. a static files server (a very basic HTTP server)
  2. a dynamic server, like an embedded CGI inside the server program.

The URL defines which domain is accessed with a very simple method: static files use standard URLs while dynamic ones start with the "?" character.

The question mark is a common indicator and a good heuristic for dynamic content, and it is unlikely to be altered by any intermediate proxies.

  1. When the requested URI starts with "/?" then the dynamic mode is selected and an embedded program parses the URI.
  2. Otherwise, this is a standard file, with a direct mapping to the file system (often a sub-directory). There is no support for automatic index.html generation or "open directories".

No access control is provided for the static files, which usually contain the HTML/JS web application and all the required supporting files. Access rights must be correctly set on the filesystem by the developer to prevent 403 errors or unwanted access to unrelated files.
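The two-domain dispatch described above, written out as an added example in C (this is not the HTTaP project's own code). The document root name `DOC_ROOT`, the `httap_route` enum and function names, the rejection of a trailing "/" (no automatic index), the rejection of a "?" inside a static URI, and the ".." segment check that keeps the direct file-system mapping inside the sub-directory are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical sub-directory that holds the static HTML/JS files. */
#define DOC_ROOT "www"

enum httap_route { ROUTE_DYNAMIC, ROUTE_STATIC, ROUTE_REJECT };

/* Classify one request-target (the path part of the request line).
 * ROUTE_DYNAMIC: 'out' receives the text after "/?" for the embedded CGI.
 * ROUTE_STATIC:  'out' receives DOC_ROOT + uri, ready to be opened.
 * ROUTE_REJECT:  nothing is served (the caller answers with an error). */
enum httap_route httap_route(const char *uri, char *out, size_t outlen)
{
    if (uri == NULL || uri[0] != '/' || outlen == 0)
        return ROUTE_REJECT;               /* only absolute request-targets */

    if (uri[1] == '?') {                   /* dynamic domain: "/?..." */
        if (snprintf(out, outlen, "%s", uri + 2) >= (int)outlen)
            return ROUTE_REJECT;           /* too long for the embedded parser */
        return ROUTE_DYNAMIC;
    }

    /* Static domain. No automatic index.html, so a directory cannot be served. */
    size_t n = strlen(uri);
    if (uri[n - 1] == '/')
        return ROUTE_REJECT;

    /* A "?" inside a static URI (such as Facebook's fbclid suffix) names no file. */
    if (strchr(uri, '?') != NULL)
        return ROUTE_REJECT;

    /* Every segment starts with '/', so "/.." followed by '/' or the end of
     * the string is a parent-directory segment: refuse it so the direct
     * mapping can never leave DOC_ROOT. */
    for (const char *p = uri; *p; p++) {
        if (p[0] == '/' && p[1] == '.' && p[2] == '.' &&
            (p[3] == '/' || p[3] == '\0'))
            return ROUTE_REJECT;
    }

    if (snprintf(out, outlen, "%s%s", DOC_ROOT, uri) >= (int)outlen)
        return ROUTE_REJECT;               /* path would be truncated */
    return ROUTE_STATIC;
}

int main(void)
{
    /* Constructed request-targets, not captured traffic. */
    const char *samples[] = {
        "/index.html", "/?reg=3", "/", "/../outside.txt", "/app.js?fbclid=x"
    };
    static const char *names[] = { "DYNAMIC", "STATIC", "REJECT" };
    char out[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum httap_route r = httap_route(samples[i], out, sizeof out);
        printf("%-20s -> %s %s\n", samples[i], names[r],
               r == ROUTE_REJECT ? "" : out);
    }
    return 0;
}
```

The check for ".." is done on the raw request-target before any file is opened, which is the cheapest place to do it on a small system; percent-encoded forms would have to be decoded first if the server ever accepts them.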

Lately, Facebook has added a nasty "fbclid" suffix to outgoing links, and this breaks them when they refer to HTTaP resources. Some mitigations on the HTTaP side are possible, but they are not considered critical because who would post a HTTaP link on Facebook?