Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why responses to PUT requests MUST NOT provide an ETag?

Tags:

rest

http

put

rfc

etag

From Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content:

An origin server MUST NOT send a validator header field (Section 7.2), such as an ETag or Last-Modified field, in a successful response to PUT unless the request's representation data was saved without any transformation applied to the body (i.e., the resource's new representation data is identical to the representation data received in the PUT request) and the validator field value reflects the new representation. This requirement allows a user agent to know when the representation body it has in memory remains current as a result of the PUT, thus not in need of being retrieved again from the origin server, and that the new validator(s) received in the response can be used for future conditional requests in order to prevent accidental overwrites (Section 5.2).

I can't fully understand this section... Bolded sentences seem to contradict themselves, don't they?

Note that PUT is the only verb having a section concerning validator headers (see GET/POST/DELETE/PATCH).

like image 967
sp00m Avatar asked Feb 15 '17 10:02

sp00m

People also ask

What is ETag in response?

The ETag (or entity tag) HTTP response header is an identifier for a specific version of a resource. It lets caches be more efficient and save bandwidth, as a web server does not need to resend a full response if the content was not changed.

What is the use of ETag in REST API?

An entity tag, or ETag, is a mechanism that is provided by the HTTP protocol so that a browser client or a script can make conditional REST requests for optimistic updating or optimized retrieval of entities.

How is ETag generated?

Generating ETag ValueIt can be created and updated manually or can be auto-generated. Common methods of its auto-generation include using a hash of the resource's content or just a hash of the last modification timestamp. The generated hash should be collision-free.

What is ETag in nginx?

ETag is a server response header that allows browsers to do cache validation efficiently and make conditional requests. However, it poses security risks in case it gets leaked by your code, and result in cache poisoning attack on your website.

1 Answers

The key point is that the server may, or may not, alter the representation before storing it. From the section you linked to:

A successful PUT of a given representation would suggest that a subsequent GET on that same target resource will result in an equivalent representation being sent in a 200 (OK) response. However, there is no guarantee that such a state change will be observable, since the target... might be subject to dynamic processing by the origin server.

Therefore, the standard uses the presence or absence of the validator header to indicate to the user agent whether or not the representation has been altered.

If the representation hasn't been altered, then the server can return the validator header field, and the user agent can use that to conditionally validate the representation it just sent.

If the representation has been altered, then the user agent's representation is, by definition, invalid. Therefore no validator header is returned, and the user agent will have to do an unconditional GET.

like image 53
Kevin Christopher Henry Avatar answered Oct 05 '22 09:10

Kevin Christopher Henry
Sign in to Comment

Related questions

Django Rest Framework will not display more than one URL at time?
What is @javax.ws.rs.core.Context
Stream a video file over http with Spark Java
Spring Rest Controller, Path Variables on an overriden method's arguement
Spring Data Rest & Spring Data Envers: How to expose REST API for Repository that extends Revision Repository
How do I return string value as json object in golang?
Request header field Access-Control-Allow-Origin is not allowed by Access-Control-Allow-Headers in preflight response
Advantages of using REST API framework over simple URL and view creation in Django?
How do you pass parameters to an Express post HTTP method?
REST services and multiple representations of same object with different fields
Spring security- Send credentials as json instead of regular form in rest service
@RequestBody not working on Rest service
Get a 404 error with simple spring-data-rest project
Exposing the JSON Schema for API endpoints?
Is 202 Accepted appropriate when a resource awaits email confirmation/activation?
Forward JSON POST request from one REST API to another
How do I secure my custom Magento2 REST api
How do I authenticate using Devise in a Rails REST API App?
Spring @DateTimeFormat is changing timezone while converting @PathVariable to Date
how to add a container to service in stack via rancher REST api

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!