Why responses to PUT requests MUST NOT provide an ETag?

Tags: rest, http, put, rfc, etag

From Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content:

An origin server MUST NOT send a validator header field (Section 7.2), such as an ETag or Last-Modified field, in a successful response to PUT unless the request's representation data was saved without any transformation applied to the body (i.e., the resource's new representation data is identical to the representation data received in the PUT request) and the validator field value reflects the new representation. This requirement allows a user agent to know when the representation body it has in memory remains current as a result of the PUT, thus not in need of being retrieved again from the origin server, and that the new validator(s) received in the response can be used for future conditional requests in order to prevent accidental overwrites (Section 5.2).

I can't fully understand this section... Bolded sentences seem to contradict themselves, don't they?

Note that PUT is the only verb having a section concerning validator headers (see GET/POST/DELETE/PATCH).

asked Feb 15 '17 10:02 by sp00m




1 Answer

The key point is that the server may, or may not, alter the representation before storing it. From the section you linked to:

A successful PUT of a given representation would suggest that a subsequent GET on that same target resource will result in an equivalent representation being sent in a 200 (OK) response. However, there is no guarantee that such a state change will be observable, since the target... might be subject to dynamic processing by the origin server.

Therefore, the standard uses the presence or absence of the validator header to indicate to the user agent whether or not the representation has been altered.

If the representation hasn't been altered, then the server can return the validator header field, and the user agent can use that to conditionally validate the representation it just sent.

If the representation has been altered, then the user agent's representation is, by definition, invalid. Therefore no validator header is returned, and the user agent will have to do an unconditional GET.

answered Oct 05 '22 09:10 by Kevin Christopher Henry
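The rule the answer describes, as an added example that is not part of the original question or answer and not code from any HTTP library: a constructed in-memory origin server (`Origin`, `strong_etag` and the `transform` hook are all assumptions made for this example) that emits an ETag on a successful PUT only when the bytes it stored are identical to the bytes the client sent, and a client-side helper that uses the presence or absence of that validator to decide whether its in-memory copy is still current. The third scenario shows why the validator is worth having: the client sends it back as `If-Match` on a later PUT so that a stale copy cannot silently overwrite a newer representation (the 412 path).

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

Headers = Dict[str, str]


def strong_etag(body: bytes) -> str:
    """Strong validator derived from the exact stored bytes (quoted, as ETag values are)."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:16]


@dataclass
class Origin:
    """Constructed in-memory origin server; stands in for a real HTTP stack."""
    store: Dict[str, bytes] = field(default_factory=dict)
    # Optional server-side "dynamic processing" applied to the body before it is stored.
    transform: Optional[Callable[[bytes], bytes]] = None

    def get(self, path: str, if_none_match: Optional[str] = None) -> Tuple[int, Headers, bytes]:
        body = self.store.get(path)
        if body is None:
            return 404, {}, b""
        etag = strong_etag(body)
        if if_none_match == etag:
            return 304, {"ETag": etag}, b""
        return 200, {"ETag": etag}, body

    def put(self, path: str, body: bytes, if_match: Optional[str] = None) -> Tuple[int, Headers]:
        current = self.store.get(path)
        # If-Match precondition (RFC 7232 Section 3.1): refuse the write when the client's
        # validator no longer matches, so a stale client cannot clobber a newer representation.
        if if_match is not None and (current is None or strong_etag(current) != if_match):
            return 412, {}
        stored = self.transform(body) if self.transform else body
        self.store[path] = stored
        status = 201 if current is None else 204
        headers: Headers = {}
        # RFC 7231 Section 4.3.4: send a validator only when what was stored is byte-identical
        # to what the client sent; otherwise the client's copy is not the new representation.
        if stored == body:
            headers["ETag"] = strong_etag(stored)
        return status, headers


def client_after_put(status: int, headers: Headers) -> Tuple[bool, Optional[str]]:
    """Client view of a PUT response: (is my in-memory body still current?, validator to reuse)."""
    if 200 <= status < 300 and "ETag" in headers:
        return True, headers["ETag"]
    return False, None  # representation was altered (or unknown): fetch it again unconditionally


def demo() -> dict:
    results = {}

    # 1. Server stores the body verbatim: validator returned, client keeps its copy.
    plain = Origin()
    status, headers = plain.put("/doc", b'{"a": 1}')
    current, etag_v1 = client_after_put(status, headers)
    results["verbatim"] = (status, current, etag_v1)

    # 2. Server canonicalises the body (strips spaces): no validator, client must GET again.
    canon = Origin(transform=lambda b: b.replace(b" ", b""))
    status, headers = canon.put("/doc", b'{"a": 1}')
    current, _ = client_after_put(status, headers)
    _, _, stored = canon.get("/doc")
    results["transformed"] = (status, current, stored)

    # 3. Another client replaces the resource; the first client's validator is now stale,
    #    so its conditional PUT is rejected instead of overwriting the newer version.
    plain.put("/doc", b'{"a": 2}')
    stale_status, _ = plain.put("/doc", b'{"a": 3}', if_match=etag_v1)
    _, fresh_headers, _ = plain.get("/doc")
    retry_status, _ = plain.put("/doc", b'{"a": 3}', if_match=fresh_headers["ETag"])
    results["stale_put"] = stale_status
    results["retry_put"] = retry_status
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The only thing the server decides is whether `stored == body`; everything else the client needs (keep or refetch, which validator to present on the next conditional request) follows from whether an `ETag` header is present in the 2xx response.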