https://takao.blog/en/tags/http/Recent content in Http on Commentary of TakaoHugo -- gohugo.ioenCommentary of TakaoSat, 13 Jun 2026 23:11:50 +0900https://takao.blog/en/web/performance-dns-prefetch-preconnect/Wed, 15 Apr 2026 00:00:00 +0900https://takao.blog/en/web/performance-dns-prefetch-preconnect/<img src="https://takao.blog/img/thumnail.webp" alt="Featured image of post Speeding Up assets Loading using DNS-Prefetch and Preconnect" /><h2 id="introduction">Introduction </h2><p>Every external resource — fonts, scripts, images, API endpoints — requires a network connection. The overhead of <strong>DNS resolution</strong>, <strong>TCP handshake</strong>, and <strong>TLS negotiation</strong> can add hundreds of milliseconds to page load time. <strong>Resource hints</strong> like <code>dns-prefetch</code> and <code>preconnect</code> let you tell the browser to perform these steps <strong>in advance</strong>, before the resource is actually needed.</p> <hr> <h2 id="the-cost-of-connection">The Cost of Connection </h2><p>Establishing an HTTPS connection involves multiple round trips:</p> <table> <thead> <tr> <th>Step</th> <th>Latency (approx.)</th> </tr> </thead> <tbody> <tr> <td>DNS lookup</td> <td>20-120 ms</td> </tr> <tr> <td>TCP handshake</td> <td>1 RTT</td> </tr> <tr> <td>TLS negotiation</td> <td>2 RTT</td> </tr> <tr> <td><strong>Total</strong></td> <td><strong>3+ RTT</strong></td> </tr> </tbody> </table> <p>On a 3G connection (300ms RTT), that&rsquo;s nearly <strong>1 second</strong> of overhead before any data is transferred. Resource hints eliminate most of this.</p>https://takao.blog/en/web/web-security-http-headers-cors/Mon, 15 Dec 2025 00:00:00 +0900https://takao.blog/en/web/web-security-http-headers-cors/<img src="https://takao.blog/img/thumnail.webp" alt="Featured image of post How CORS Works and Fixing Access Block Errors" /><h2 id="introduction">Introduction </h2><p><strong>CORS (Cross-Origin Resource Sharing)</strong> is a browser security mechanism that controls how web pages from one origin can request resources from a different origin. When a frontend at <code>https://app.example.com</code> tries to fetch data from <code>https://api.example.org</code>, the browser enforces a <strong>same-origin policy</strong> by default. CORS provides a controlled way to relax this policy through HTTP headers. This article explains the complete CORS flow, preflight requests, and how to fix common access-block errors.</p>https://takao.blog/en/web/secure-cookies/Mon, 09 Dec 2024 00:00:00 +0900https://takao.blog/en/web/secure-cookies/<img src="https://takao.blog/img/thumnail.webp" alt="Featured image of post Secure Cookie Configuration: A Complete Web Developer Guide" /><p>Cookies remain one of the most frequently misconfigured security controls on the web. A single missing attribute can expose your application to session hijacking, CSRF, or cross-site information leakage. Modern browsers have pushed stricter defaults, but understanding each attribute and combining them correctly is essential for defense-in-depth.</p> <p>The core security attributes are <code>Secure</code>, <code>HttpOnly</code>, <code>SameSite</code>, and the <code>__Host-</code> / <code>__Secure-</code> prefixes. Each serves a distinct purpose, and they work best when combined.</p>