---
title: "#19.0 HTTP method Joint Study Group - Method Overview"
tags: Meetups
date: 2022-03-24
---

See: https://datatracker.ietf.org/doc/html/rfc7231

```text
4.1. Overview

The request method token is the primary source of request semantics; it
indicates the purpose for which the client has made this request and what
is expected by the client as a successful result.
```

The method tells you the client's purpose, including the result the client expects to get back; all of this can be inferred from the method alone.

```text
The request method's semantics might be further specialized by the
semantics of some header fields when present in a request (Section 5) if
those additional semantics do not conflict with the method. For example,
a client can send conditional request header fields (Section 5.2) to make
the requested action conditional on the current state of the target
resource ([RFC7232]).
```

Via the header syntax,

```text
HTTP was originally designed to be usable as an interface to distributed
object systems. The request method was envisioned as applying semantics
to a target resource in much the same way as invoking a defined method on
an identified object would apply semantics. The method token is
case-sensitive because it might be used as a gateway to object-based
systems with case-sensitive method names.
```

```text
Unlike distributed objects, the standardized request methods in HTTP are
not resource-specific, since uniform interfaces provide for better
visibility and reuse in network-based systems [REST]. Once defined, a
standardized method ought to have the same semantics when applied to any
resource, though each resource determines for itself whether those
semantics are implemented or allowed.

This specification defines a number of standardized methods that are
commonly used in HTTP, as outlined by the following table. By convention,
standardized methods are defined in all-uppercase US-ASCII letters.
```

```text
+---------+-------------------------------------------------+-------+
| Method  | Description                                     | Sec.  |
+---------+-------------------------------------------------+-------+
| GET     | Transfer a current representation of the target | 4.3.1 |
|         | resource.                                       |       |
| HEAD    | Same as GET, but only transfer the status line  | 4.3.2 |
|         | and header section.                             |       |
| POST    | Perform resource-specific processing on the     | 4.3.3 |
|         | request payload.                                |       |
| PUT     | Replace all current representations of the      | 4.3.4 |
|         | target resource with the request payload.       |       |
| DELETE  | Remove all current representations of the       | 4.3.5 |
|         | target resource.                                |       |
| CONNECT | Establish a tunnel to the server identified by  | 4.3.6 |
|         | the target resource.                            |       |
| OPTIONS | Describe the communication options for the      | 4.3.7 |
|         | target resource.                                |       |
| TRACE   | Perform a message loop-back test along the path | 4.3.8 |
|         | to the target resource.                         |       |
+---------+-------------------------------------------------+-------+
```

Full registry: https://www.iana.org/assignments/http-methods/http-methods.xhtml

### TRACE

Description: the target web server has the TRACE method enabled. TRACE is a protocol debugging method defined by HTTP (Hypertext Transfer Protocol); it makes the server return the content of any client request verbatim (possibly with information about intermediary proxies along the route appended). Because the method echoes arbitrary client-submitted data unchanged, it can be used for cross-site scripting (XSS) attacks, a variant known as cross-site tracing (XST).

Recommendation: disable the TRACE method unless it is required.

"Attackers have used the TRACE method to carry out security attacks on web servers."

It seems hardly any public site leaves this method enabled for people to try.
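As an added example (not part of this post or of RFC 7231), the following minimal WSGI app shows how a server can honour the method semantics above while refusing TRACE: unknown or mis-cased tokens get 501, standard-but-unsupported methods (TRACE included) get 405 with an `Allow` header, and the response never echoes the request. The resource table and paths are constructed for the demo.

```python
"""Method-aware dispatch for a minimal WSGI app (added example, not RFC text)."""
from http import HTTPStatus

# RFC 7231 section 4.1 standardized methods; tokens are case-sensitive and uppercase.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE"}
# What this particular resource set actually implements. TRACE is deliberately absent.
ALLOWED_METHODS = ("GET", "HEAD", "OPTIONS")
# Constructed stand-in for a backend: target path -> current representation.
RESOURCES = {"/index.html": b"<h1>hello</h1>"}


def handle_request(method: str, target: str) -> tuple:
    """Map one request to (status, headers, body) without ever echoing the request.

    - Unknown or mis-cased tokens ("get", "Trace") get 501: the token is
      case-sensitive, so we neither normalise nor guess (RFC 7231 4.1, 6.6.2).
    - Standard but unsupported methods, TRACE included, get 405 plus an Allow
      header listing what the resource does support (RFC 7231 6.5.5, 7.4.1).
    """
    allow = {"Allow": ", ".join(ALLOWED_METHODS)}
    if method not in STANDARD_METHODS:
        return HTTPStatus.NOT_IMPLEMENTED, allow, b""
    if method not in ALLOWED_METHODS:
        return HTTPStatus.METHOD_NOT_ALLOWED, allow, b""
    if method == "OPTIONS":
        return HTTPStatus.NO_CONTENT, allow, b""
    representation = RESOURCES.get(target)
    if representation is None:
        return HTTPStatus.NOT_FOUND, {}, b""
    headers = {"Content-Type": "text/html", "Content-Length": str(len(representation))}
    # HEAD: same status and headers as GET, but no body (RFC 7231 4.3.2).
    return HTTPStatus.OK, headers, representation if method == "GET" else b""


def app(environ, start_response):
    """WSGI entry point; run with wsgiref.simple_server for a local check."""
    status, headers, body = handle_request(environ["REQUEST_METHOD"], environ["PATH_INFO"])
    start_response(f"{status.value} {status.phrase}", list(headers.items()))
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

Running it and sending `OPTIONS /index.html` returns `Allow: GET, HEAD, OPTIONS`, which is what a scanner reading the finding above would look for to confirm TRACE is off.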