HTTP Security

๐Ÿ” HTTP

HTTP (HyperText Transfer Protocol) is the core protocol of the Web (World Wide Web, WWW, W3), defined so that information can be exchanged over the web. It mostly runs over TCP; from HTTP/3 onward communication over UDP is also supported. By default it most commonly uses port 80 and, with SSL applied, port 443 (https).

Version         Transport   Description
HTTP/0.9        TCP         Early HTTP protocol; single-line request; GET method only
HTTP/1.0        TCP         Header support, Content-Type, status codes
HTTP/1.1        TCP         Persistent connections, pipelining
HTTP/2          TCP         Multiplexed streams, header compression
HTTP/3 (QUIC)   UDP         QUIC (Quick UDP Internet Connections)

The most widely used versions today are HTTP/1.1 and HTTP/2. Since HTTP/2 is in practice an extended version of 1.1, it is really HTTP/1.1 that dominates the web today. Still, the number of services supporting HTTP/2 keeps growing, and what each HTTP version supports and can process differs, so for web testing it is worth knowing the characteristics of each version.

๐Ÿคย Connections

The handling of connections is the main thing that changes from version to version. The motivation is performance, but from a security-testing standpoint the way connections are handled can hint at attacks or vulnerabilities, so it is worth knowing.

  • HTTP/0.9
    • 1 connection = 1 Req + 1 Res
  • HTTP/1.0
    • 1 connection = 1 Req + 1 Res
  • HTTP/1.1
    • 1 connection = N Req + N Res
    • Pipelining
    • Requests are sent in parallel; responses are processed sequentially
  • HTTP/2
    • 1 connection = N Req + N Res
    • Multiplexed streams
    • Both Req and Res are processed in parallel
  • HTTP/3
    • UDP

๐ŸŒ HTTP/0.9

In this early HTTP version the request was a single line and only the GET method was supported. There was no concept of HTTP headers; the server simply read a file and returned its contents.

GET /app
<html>
  response!
</html>

๐ŸŒย HTTP/1.0

HTTP ํ—ค๋”๋ผ๋Š” ๊ฐœ๋…์ด ๋„์ž…๋˜์–ด Request/Response ๋‚ด ํ—ค๋”๋ฅผ ํ†ตํ•ด ์—ฌ๋Ÿฌ๊ฐ€์ง€ ๋ฉ”ํƒ€ ๋ฐ์ดํ„ฐ๋ฅผ ์ฃผ๊ณ ๋ฐ›์„ ์ˆ˜ ์žˆ๋„๋ก ๊ตฌ์„ฑ๋˜์—ˆ์Šต๋‹ˆ๋‹ค. ์ด๋•Œ๋ถ€ํ„ฐ Request ๋‚ด ๋ฒ„์ „์ •๋ณด๊ฐ€ ํฌํ•จ๋˜์—ˆ๊ณ  Response์˜ Status Code๋ฅผ ํ†ตํ•ด ์ฒ˜๋ฆฌ ์ƒํ™ฉ์„ ํŒŒ์•…ํ•  ์ˆ˜ ์žˆ๊ฒŒ ๋˜์—ˆ์Šต๋‹ˆ๋‹ค.

GET /app HTTP/1.0
User-Agent: MyCustomApp

HTTP/1.0 200 OK
Content-Type: text/html

<html>
	response!
</html>

์•ž์˜ ์š”์ฒญ(Req-Res)๋ฅผ ์ฒ˜๋ฆฌํ•ด์•ผ ๋‹ค์Œ ์š”์ฒญ์„ ์ฒ˜๋ฆฌํ•˜๊ธฐ ๋•Œ๋ฌธ์— ๋ฆฌ์†Œ์Šค๋ฅผ ๊ฐ€์ ธ์˜ค๋Š” ๊ตฌ๊ฐ„์—์„œ ๋”œ๋ ˆ์ด๊ฐ€ ์ปค์ง€๋ฉด ์ „์ฒด์ ์œผ๋กœ ์†๋„์˜ ์˜ํ–ฅ์„ ๋ฐ›๋Š” ๋‹จ์ ์ด ์žˆ์Šต๋‹ˆ๋‹ค.

๐ŸŒย HTTP/1.1

From 1.1 onward, support for persistent connections was added. The connection is kept open for a specified time instead of being closed, so several requests can be sent over a single connection (pipelining). The requests are not processed in parallel; each one gets its own response.

GET /app HTTP/1.1
User-Agent: MyCustomApp

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Keep-Alive: timeout=5, max=1000
Content-Type: text/html; charset=utf-8

<html>
	response!
</html>

Pipeline์„ ํ†ตํ•ด ์—ฌ๋Ÿฌ ์š”์ฒญ(Req)์„ ๋™์‹œ์— ์ „์†กํ•  ์ˆ˜ ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ๋น ๋ฅด๊ฒŒ ์—ฌ๋Ÿฌ ๋ฆฌ์†Œ์Šค๋ฅผ ํ˜ธ์ถœํ•˜๊ณ  ์ฒ˜๋ฆฌํ•  ์žˆ๊ฒŒ ๋ฉ๋‹ˆ๋‹ค. ์ด๋กœ์ธํ•ด 1.0์˜ ์†๋„ ๋ฌธ์ œ๊ฐ€ ์ค„์–ด๋“ค์—ˆ์ฃ . ๋‹ค๋งŒ Response์˜ ์ฒ˜๋ฆฌ๋Š” ์ˆœ์ฐจ์ ์œผ๋กœ ์ฒ˜๋ฆฌ๋ฉ๋‹ˆ๋‹ค.

๐ŸŒย HTTP/2

From HTTP/2 onward, multiplexed streams are supported: each request is carried as its own stream and handled in parallel, so both requests and responses can be processed in parallel.

๐ŸŒย HTTP/3

This version is built on QUIC (Quick UDP Internet Connections) and uses UDP in order to solve a structural problem of TCP (the overhead of the 3-way handshake). Unlike earlier HTTP versions, where streams were chained together over one TCP connection, in HTTP/3 each UDP stream has its own independent chain.