Requests forces the host to be accessed over HTTPS even though it's HTTP. How does it do this?
Requests is a popular command-line tool and library for making HTTP and HTTPS requests in various programming languages, such as Ruby, Python, and Lua. When using Requests to make an HTTP request to a server that supports HTTPS but does not enforce it (i.e., the server accepts both HTTP and HTTPS connections), Requests will automatically upgrade the connection to HTTPS. This behavior is known as HTTP over HTTPS (Https-Proxy-Protocol) or HTTPS-encrypted fallback.
Here's how Requests achieves this:
- When making an HTTP request to a server that supports HTTPS, Requests sends an ALPN (Application-Layer Protocol Negotiation) message in the initial handshake to indicate its support for HTTP/2 and HTTP/3 over HTTPS.
- If the server responds with an HTTP response instead of an HTTPS response, Requests will send an additional ALPN message to request HTTP/2 or HTTP/3 over HTTPS.
- If the server supports HTTP/2 or HTTP/3 over HTTPS, it will respond with an HTTPS response and upgrade the connection. If the server does not support HTTP/2 or HTTP/3 over HTTPS, it will respond with an HTTP response, and Requests will give up and return an error.
- Once the connection is upgraded to HTTPS, Requests will continue to send HTTP requests over the encrypted HTTPS connection.
This behavior provides several benefits:
- It ensures that all data transmitted between the client and server is encrypted, even if the server does not enforce HTTPS.
- It allows clients to make HTTP requests to servers that only support HTTPS, without having to modify their code or configuration.
- It allows servers to support both HTTP and HTTPS connections, while still providing the security benefits of HTTPS.
Overall, Requests' ability to automatically upgrade HTTP connections to HTTPS is a powerful feature that helps ensure the security and privacy of web communications.
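Requests follows server redirects by default (`allow_redirects=True`) and keeps every intermediate response in `response.history`, so the recorded chain shows which hop, if any, moved a request from `http://` to `https://` and whether the first hop went out in cleartext. The following is an added example, not part of the original answer; `redirect_chain`, `scheme_report`, `audit` and the `example.test` sample responses are hypothetical names and constructed data.

```python
from types import SimpleNamespace
from urllib.parse import urlsplit


def redirect_chain(response):
    """Return [(status, url, Location)] for every hop Requests recorded."""
    hops = list(response.history) + [response]
    return [(h.status_code, h.url, h.headers.get("Location")) for h in hops]


def scheme_report(response):
    """Summarise how the request moved between http:// and https://."""
    chain = redirect_chain(response)
    schemes = [urlsplit(url).scheme for _, url, _ in chain]
    upgrades, downgrades = [], []
    for i in range(1, len(chain)):
        status, url, _ = chain[i - 1]  # the hop whose redirect changed the scheme
        if schemes[i - 1] == "http" and schemes[i] == "https":
            upgrades.append((status, url))
        elif schemes[i - 1] == "https" and schemes[i] == "http":
            downgrades.append((status, url))
    return {
        "first_hop_cleartext": schemes[0] == "http",  # sent before any upgrade
        "final_scheme": schemes[-1],
        "upgraded_by": upgrades,
        "downgraded_by": downgrades,
        "hsts": response.headers.get("Strict-Transport-Security"),
    }


def audit(url):
    """Live use: needs the third-party `requests` package and network access."""
    import requests
    return scheme_report(requests.get(url, timeout=10))


def _hop(status, url, headers):
    # Constructed stand-in exposing the requests.Response attributes used above.
    return SimpleNamespace(status_code=status, url=url, headers=headers, history=[])


# Constructed sample: the http:// URL answers 301 and the https:// URL answers 200.
first = _hop(301, "http://example.test/", {"Location": "https://example.test/"})
final = _hop(200, "https://example.test/", {"Strict-Transport-Security": "max-age=31536000"})
final.history = [first]
SAMPLE_REPORT = scheme_report(final)

if __name__ == "__main__":
    print(SAMPLE_REPORT)
```

Passing `allow_redirects=False` to `requests.get` returns the first response itself, so its 3xx status and `Location` header can be read directly.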