Foundations of Web Development

Scott Frees, Ph.D.

Program Director, M.S. Computer Science
Program Director, M.S. Data Science
Convenor, B.S. Cybersecurity

Ramapo College of New Jersey
505 Ramapo Valley Road
Mahwah, NJ 07430
sfrees@ramapo.edu

©2025

A foundational guide to modern web development—from protocols to front-end interactivity, grounded in real-world architecture and time-tested pedagogy.

This book isn’t just about HTML, CSS, and JavaScript—though you’ll encounter plenty of all three. It’s a comprehensive guide to the concepts of web development, and how those concepts span across frameworks, languages, and layers of modern full stack applications.

Written for college students, instructors, and professional developers alike, it takes a pedagogically sound, hands-on approach to learning how the web actually works—starting from the ground up. You’ll begin with the fundamentals: internet protocols, TCP/IP, sockets, and HTTP. From there, you’ll build up a working knowledge of web standards like HTML and CSS, and then dive into backend programming using JavaScript in the Node.js runtime—not because it's the only option, but because it minimizes language overhead and maximizes focus on the architecture and ideas that matter.

You won’t learn just one way to build a web app. You’ll build your own framework before adopting industry-standard tools like Express, gaining insight into routing, middleware, templating, databases, and state management. You’ll incrementally evolve a single example—a number guessing game—through nine iterations, each showcasing a deeper or more advanced feature, from form handling to RESTful APIs to reactive front ends built with Vue.js.

You’ll cover:

• Networks & Protocols – Learn what really happens when you click a link, from TCP handshakes to HTTP requests.

• Markup & Hypertext – Go beyond tags and learn how HTML works as the structural backbone of the web.

• JavaScript (Server & Client) – Explore the language in a way that emphasizes conceptual understanding over syntax memorization.

• Asynchronous Programming – Master callbacks, promises, and async/await as you build responsive, concurrent systems.

• Databases & State – Learn how modern web apps manage persistent state with relational databases and sessions.

• Templating & Frameworks – Understand how server-side rendering works from first principles, then leverage Pug and Express.

• Styling & Layout – Dive deep into CSS, including Flexbox, Grid, and responsive design, before layering in frameworks like Bootstrap.

• Client-side Development – Manipulate the DOM, handle events, make AJAX requests, and build interactive SPAs with Vue.js.

• Security, Deployment & Infrastructure – Round out your knowledge with practical insight into authentication, encryption, and modern DevOps topics.

Whether you’re a computer science student getting your first taste of real-world development, an instructor looking for a curriculum-aligned text, or a working developer aiming to fill conceptual gaps, this book will challenge and reward you. It doesn’t shy away from the complexity of the modern web—but it does guide you through it with clarity, consistency, and context.

If you're tired of chasing trends and frameworks without understanding the foundations, this book is your starting point—and your roadmap—for becoming a thoughtful, well-rounded web developer.

Introduction

What, Who, Why

This book is not a comprehensive reference for any programming language - although you will see quite a lot of HTML, CSS, and JavaScript. This book is a comprehensive guide to web development concepts - including server side (backend) and client side (front end) development, and most things in between. We will keep our attention on the design of the web architecture, concepts that remain constant across so many of the programming languages, frameworks, and acronyms you’ve probably heard about. This book won’t play favorites - you’ll see how different architectural styles like Single Page Applications (SPA) differs from Server Side Rendering (SSR), how Representational State Transfer (REST) using JSON differs from Hypertext as the engine of application state (HATEOAS), and how conventional “roll your own” CSS can blend with full styling frameworks. This book covers the full stack.

If you are a beginner in computer science and programming, you are in for a ride - a fun one! We won’t assume you know advanced programming concepts, but we will move quickly - you will be challenged if you haven’t done much software development. One promise I can make is that you won’t walk away with shallow knowledge - we will cover concepts from the ground up, which will allow you to pick up new trends in web development as they arise - well after you are done reading this book. You won’t be taught one way of doing things, only to be left feeling lost when the next web framework becomes the new hotness of the world.

For seasoned developers new to web development, you might be surprised to learn web development doesn’t have to be the fad-obsessed, inefficient "Wild West" it can sometimes appear to be. The essentials of web development can be grounded in solid software engineering, and can be simple - if not always easy.

This book is written for university students and professionals alike. If you’ve already done some work in web development, you will likely still learn a lot from seeing things presented from a foundational perspective. Once you’ve mastered the concepts presented here, you will be better able to make use of new development trends, and make better connections between the acronym soup you encounter as you dive deeper into the discipline.

Languages and Organization

The web is programming language agnostic. The web runs on open protocols - mostly plain text being transmitted back and forth between web browsers (and other clients) and web servers. Clients and servers can programmatically generate their requests and responses using any language they want - as long as the text they are producing conforms to web standards.

You might be surprised, or even a little confused by this - especially if you've only just started studying Computer Science and the web. You've heard of HTML, CSS, JavaScript, and probably also heard people talking about Java, C#/ASP.NET, Python, Go, Rust, and a whole slew of other languages when they talk about web development. It can be absolutely befuddling... where do you start? If there isn't just one language, then which should you learn?

The other hard part about getting started with web development is that it's really hard to draw boundaries around it. Does web development include working with a database? Does it include UI design? How about distributed computing? What about queues? The answer is... yes - it probably includes everything! The reality is that a web application is a system - and depending on what it does, it could contain functionality associated with just about every branch of computer science. A typical web developer has to (or should be prepared to) integrate a lot of different sub-disciplines. In fact, the bulk of the complexity in many web applications have nothing to do with web development at all!.

In this book, we are going to try really hard to stick to purely web development, but not to the extent that you won't understand the integration points to things like UI design, databases, networks, etc.

I strongly believe there shouldn't be a distinction between web developer and software developer, and this book is written for reader who agree.

JavaScript, everywhere?

I have chosen JavaScript for no reason other than this: If you are new to web development, you must learn JavaScript for client-side browser-based development. Learning multiple programming languages at the same time obscures concepts - and concepts are what this book is about. In teaching web development to undergraduate university students for over a dozen years, I’ve found that using JavaScript limits the overhead in learning web topics. If you already know the JavaScript language, this book will give you a tour-de-force in web development concepts - without needing to learn a new language. If you are new to JavaScript, this book should give you enough of a primer while teaching you the backend such that by the time we cover client side programming, you’ll be able to focus on concepts and not syntax. Once you learn the concepts of web development, you won’t have trouble moving to other languages on the backend if you prefer.

There are other arguments made for JavaScript on the backend, such as sharing code between server and front end runtimes, and the suitability of JavaScript’s I/O model for backend web development. These arguments have some validity, but they aren’t universally agreed to by any stretch. We use JavaScript here for no other reason but to flatten the learning curve.

On the front end, there are of course other paradigms beyond JavaScript. There is no question that JavaScript has some rough edges, and until very recently lacked many language features that support solid application development. Still at the time of this writing (and well beyond I imagine!), JavaScript is not a strongly typed or compiled language - and those attributes alone rub some the wrong way. TypeScript is a widely popular derivation of JavaScript, adding many features such as strong typing and better tooling to JavaScript. Like many of it's descendent (or inspirations), such as CoffeeScript, TypeScript compiles to plain old JavaScript, so it can be effectively used to write both backend and front end applications.

WebAssembly continues to grow in popularity and promise, allowing developers to run many different languages within the browser. At the time of writing, WebAssembly supports executing C/C++, Rust, Java, Go, and several other performant languages directly within the browser - bringing near native performance to front end code. The caveat, for the time being, is that WebAssembly code executes this code in a sandboxed environment that does not have access to the browser's document object model (DOM) - meaning interacting seamlessly with the rendered HTML is not yet achievable.

This book will only touch on the above alternatives for front end development, sticking with plain old JavaScript instead. Once again, this decision is rooted in the learning curve. The aim of the book is to teach you how web development works, and whether you are writing JavaScript, TypeScript, or WASM-enabled C++/Java/Rust/etc - front end development is still front end development - so we are going to stick with the most straightforward choice - JavaScript here.

Organization

This book teaches web development almost in the order in which things developed - first focusing on networks, hypertext, markup and server side rendering. You will be introduced to JavaScript early on when, just before we begin processing input from users. We will build our own frameworks around HTML templating, databases, routing, and other common backend tasks - only to have our homegrown implementations replaced with Express. The Express framework was chosen for its relative stability and ubiquity, among the many frameworks in use within the Node.js ecosystem.

Only after we have a full web application up and running do we begin to turn our attention towards styling and interactivity. CSS is introduced approximately midway through the text book, and client side JavaScript makes up the majority of the final half dozen chapters. This book will show you the differences between traditional web applications, single page applications, and cover hybrid approaches that adhere to Hypertext as the engine of application state (HATEOAS) philosophy, while still providing interactive (and incrementally/partially rendered) user interfaces. Along the way, we will cover things like local storage, PWAs, web sockets, and reactivity.

The Appendices and Perspectives sections at the end of the text are optional components aimed towards filling in some of the details different readers may be wondering about. The goal of the entire textbook, in fact, is to do this that - fill in the gaps - by providing a comprehensive overview of web development.

The Field of Web Development

Web applications are just software applications, with networking.

Maybe more specifically, they are software applications with networking separating the user interface (the part people see and click on) and the business logic. No matter what languages you use, the general design of the frameworks you will find are pretty much the same. The industry is very cyclical, and very susceptible to buzzwords and trends. For example, I've witnessed several iterations away and back to server-side rendering. I've witnessed front end development changing to require it's own application and build structure, separate from the rest of the application; and I've witnessed a revolt against this taking hold - perhaps returning us to simpler architectures.

For a long time, web development was thought of as a lesser sub-field of computer science. Real programmers built "big" programs that had their own UI's and were written in C++ and Java. Toy web sites had some JavaScript, and were written in "broken" scripting languages like Perl and php. Real programmers couldn't be bothered with creating applications for the web, and even if they wanted to, web browsers were such a mess that it was too expensive and error prone to pull off. Times have changed, and few think of web development as lesser anymore. It's been a fascinating ride.

The change started to take hold in the early 2000's. While it took a long time, the dominance of Internet Explorer waned, and the competition among browsers fostered improving web standards. Better standards meant web developers had a better chance to make their app work well on everyone's machines. Browsers like Chrome also got way faster, and way more powerful - making it worth everyone's time to start looking at what they could do with JavaScript. Suddenly, real application were starting to be delivered on web technology - driving more development focus into those same technologies. HTML got better. CSS got a lot better. JavaScript grew up.

Along the same time as all these nice things were happening on the front end, back end (server-side) development was changing too. The first web application were written in a way most wouldn't recognize - actually instantiating new processes and running entire programs to respond to each request. These programs could be written in any language, and a web server would handle the networking and invoke the appropriate (compiled) program to create the network response. Languages like php and ASP, and later Java extended this model, allowing server side applications to be written as one process in it's own containers. These containers handled a lot of the web-specific plumbing, like making parsing / writing HTTP much easier. They all focused on different ways of allowing developers to generate HTML responses programmatically, and they all took somewhat different approaches. There was little separation of concerns - the business logic, HTTP processing, HTML generation, and other aspects of the programs were highly integrated. Applications written in different frameworks looked completely different from each other, even if they largely did the same thing.

Ruby on Rails - or just "Rails" - was released in 2004, and things changed. Rails took a number of huge leaps in how server side frameworks worked. Rails pioneered and/or refined rapid application development on the server, using command line interfaces to build out routes, controllers, and views. Web applications began to be more modular, and composable. It worked with view template engines to separate view generation from business logic. It didn't invent the MVC pattern, but it was really the first web framework to truly deliver on the MVC promise. We'll talk a lot more about it later in this book.

By the late 00's, and throughout the 2010's, both of the above trends just strengthened. Web standards and browser performance led to more developers doing more things client side, in JavaScript. As this happened, developers wanted better tooling, better dependency management, better UI frameworks - so they built them. Server side, developers loved how Rails was designed, but they wanted to use their favorite programming language - not just Ruby. Server-side frameworks heavily influenced by Rails emerged - Django (Python), Laravel (PHP), Grails (Groovy/Java), Express (Node.JS), and many more. Even .NET was on board - releasing ASP.NET MVC - very much in line with the Rails design.

Modern web development has benefited by a virtuous circle - as tools and languages and standards improved, the amount being done on the web grew, which demanded even better tools, languages, and standards. The explosion of different devices accessible to people also created huge demand for standards. Today, nearly every software application we interact with - whether it's through a traditional web browser or through an app on our phone - is a web application. In many respect, today, web development is software development.

The landscape

We are eventually going to focus on a slice of web technologies (our "stack"), but it's important to have an understanding of how things fit together. We've been throwing around some terms that need explanation:

Front end

Front end development refers to all the code used to display the user interface to a user - wherever that user interface might live. In most cases (in the context of this book), this is the web browser. The web browser must draw the user interface (the graphics, the user interface elements, etc.) using code delivered to it from the web server. The code delivered tells it the structure of the web page, the styles of the page, and the interactivity of the user interface.

On the front end, we generally have three languages for these three aspects:

• Structure: HyperText Markup Language (HTML)
• Style: Cascading Style Sheets (CSS)
• Interactivity: JavaScript

Let's look at a tiny example, a simple web page that has a bit of text, and a button.

<!DOCTYPE html>
<html>
    <head>
        <title>Tiny Example</title>
    </head>
    <body>
        <h1>Let's get started!</h1>
        <p>This is an example of a <span>very, very</span> minimal web page.<p>
        <p>
            <button type='button'>Click me</button>
        </p>
    </body>
</html>

Without getting stuck on any details, understand that the above is HTML code. It is defining a page with a heading, some text, and a button. It's the structure of the page. We'll spend lots of time talking about HTML later.

How does this get displayed to a user? The answer is important, and be careful to understand it. The HTML, as text, must be loaded into a web browser, somehow. If you take the text, and you save it in a file called example.html on your computer, you can load it in your web browser by simply double clicking on it. It will look something like this:

Notice what is shown in the URL address bar.

file:///Users/sfrees/projects/web-foundations/web-foundations/src/intro/example.html

The browser has loaded an HTML file directly from the file system and displayed it. To display it, it parsed the HTML into it's own internal representation and invoked it's own drawing/graphics commands to render the page according to HTML specifications.

While that's OK, you must understand that this is not the way the web works. HTML files that appear in your web browser are not stored on your own computer in most cases. In most cases, they are stored on some other machine, on the internet!

This brings us to our first shift away from "front end", and to the back end (and the networking in between). We are going to refine our understanding of this over and over again, here we are going to keep things very high level.

Back end

Type the following into your web browser's address bar:

https://webfoundationsbook.com/wfbook/intro/example.html

The same page loads, but this time, that file didn't come from your own computer. Delete example.html from your own machine, if you don't believe me. Instead, it came from a different machine - webfoundationsbook.com. When you typed the address into your web browser, the web browser connected to webfoundationsbook.com, it sent a specially crafted message (as you'll see soon, crafted with HTTP) asking webfoundationsbook.com to send the text contained in a file found at /intro/example.html on webfoundationsbook.com's hard drive. That text was then parsed and rendered by the browser, just the same.

In order for that to all work, that means some program must be running on the webfoundationsbook.com computer. That program is accepting connections and requests from other machines. It's decoding the requests, finding the file requested, opening the file, and sending the contents of the file back to the connected browser! That program is a web server.

Some of the most common web servers for doing this (and much more) are apache or nginx. We will see more of those later on in this book.

The browser's pseudocode, vastly simplified, might look something like this.

    // Pseudocode for the web browser

    // Suppose we can access the values in the UI through 
    // through a built-in browser object

    response = send_http_request(browser.address_bar.value);
    
    // The response object might have a body attribute, containing
    // the HTML text that was returned by the server.

    render(response.body);

Here's some pseudocode (missing vital error handling!) further illustrating what is happening on the server.

    // Pseudocode for a web server

    // Suppose we have function to read a request off 
    // the network, from a browser
    request = recv_http_request();

    // Suppose the request object returned has a path 
    // property, corresponding to /intro/example.html
    // when the browser requests https://webfoundationsbook.com/intro/example.html
    file = open_file(request.path);

    // Read the html from the file, as plain text (character buffer)
    html_text = file.readAll();

    // Use a function to send the data back to the browser
    send_http_response(html_text);

So, already, we see there are typically two programs involved - (1) a web browser and (2) a web server. The web browser asks for and receives front end code from the server - in this case html. The web server is responsible for generating that text - in this case, simply by reading the example.html file from it's own file system. Once the web browser receives the HTML code, it uses it to draw the page to the screen.

If you are wondering, web browsers and web servers can be written in literally any programming language. Most web browsers are written in C/C++, and some have at least some components written in other languages like Rust. Web servers, especially the top level ones (we'll explain what that means later) are also often written in C/C++. It's important to remember, they are just ordinary programs, they read files, they make network connections (sockets), they parse and generate specially formatted text, they draw things (browsers, not servers).

Return to the front end - Styling

So we've established that HTML code is delivered to a web browser, usually from a web server. That HTML code defines the structure of the page. Web browsers use standard conventions to draw HTML to the screen in expected ways. Looking at the HTML we were using, notice the text that is wrapped in the <h1> and <button> elements. They look different than the other bits of text wrapped in <p> and <span>. h1 is a heading, button is pretty obviously telling the browser to draw a button. p is a paragraph and span is a text span within a paragraph that can be styled differently (but isn't yet). This is the structure of the page - it's contents.

Front end code also is used to define style and interactivity. Let's add just a bit of style, by making the heading's text underlined, and the span's text blue. We do this by adding Cascading Style Sheet (CSS) rules. CSS is a language unto itself, and we will study it in several future chapters - but for now, we will just embed it right into our HTML code.

<!DOCTYPE html>
<html>
    <head>
        <title>Tiny Example</title>
        <style>
            h1 {
                text-decoration:underline;
            }
            span {
                color:blue;
            }
        </style>
    </head>
    <body>
        <h1>Let's get started!</h1>
        <p>This is an example of a <span>very, very</span> minimal web page.<p>
        <p>
            <button type='button'>Click me</button>
        </p>
    </body>
</html>

All the magic is happening within the style element - we've used CSS syntax to tell the browser to style h1 elements and span elements a bit differently. Go ahead and load the following in your web browser, no surprises - just some styling.

https://webfoundationsbook.com/intro/example-style.html

CSS can be used to define all aspects of the visual styling and layout of HTML content. It's an immensly powerful language, that has undergone incredible cycles of improvements over the decades since it's introduction. While there were some early competitors, no other language is used to style HTML these days - CSS is the language. All browsers support CSS (at least, mostly).

Since visual styling is so important, it shouldn't be surprising that CSS styling code can grow - it can become a huge part of the front end development efforts. If you have any experience in computer science and software engineering, you know that we like to reuse code. CSS is no different - reusing and modularizing CSS is important when creating maintainable web applications. Moreover, not all of us are artists - we aren't all trained in good UI practices. It shouldn't be surprising that there are libraries and frameworks that contain vast quantities of CSS code designed by people who are really good at designing visual systems, and that these libraries and frameworks are often freely available.

Here are a few example of CSS libraries and frameworks that are commonly used. The list isn't exhaustive, but hopefully it gives you an idea of how they fit into the web application landscape if you've heard about them. They are just CSS, they are added into your HTML to provide the web browser styling instructions.

• Bootstrap - likely the most widely used framework, this has been around for a long time. Provides full styling of everything from text, navigation toolbars, dialogs, and more. We will spend some time looking at this in more detail in later chapters.
• Foundation - similar in aims to bootstrap, Foundation provides full styling of most user interface components.
• Tailwinds - takes a different approach compared to Bootstrap and Foundation, in that it focuses on composable CSS styles rather than full user interface components. This gives designers more control, but can also be harder to get started with.
• Simple.css - lightweight CSS framework that provides an extremely minimal set of stylings for HTML elements. Theses types of frameworks are really nice for rapid development, because they don't require you to add much to your HTML at all. Their goal is to get things looking "good" immediately, and then you can add more later.

There are also more specialized libraries defining styling. By more, I mean thousands. They are all just CSS, that get added to your front end HTML code. Here are some two interesting ones, just to show how varied they can be.

• United States Web Design System - this is the standard CSS frameworks for use on United States government web sites. Many other countries have similar frameworks. The goal is to provide extremely high quality out-of-the-box accessibility.
• NES.css - all the way on the other side of the spectrum, here's a CSS library that simply styles all your HTML so the page looks like it's from the Nintendo Entertainment System from the 1980's. It's fun, but certainly not general purpose!

Front end interactivity

The page we've been looking at is static. Once it's shown on the screen, it doesn't change. The HTML and CSS are delivered to the browser, and that's that. What if we want something to happen when we click that <button> element though? This is where we can add some interactivity. Interactivity on the web generally means creating code that alters the HTML or CSS currently loaded in the web browser, causing something to change. It can mean more, but for now that's a good enough description.

Let's add some interactivity. When the user clicks the button, we are going to add some content below the button and change some of the CSS attached to the span element.

<!DOCTYPE html>
<html>
    <head>
        <title>Tiny Example</title>
        <style>
            h1 {
                text-decoration:underline;
            }
            span {
                color:blue;
            }
        </style>
    </head>
    <body>
        <h1>Let's get started!</h1>
        <p>This is an example of a <span>very, very</span> minimal web page.<p>
        <p>
            <button type='button'>Click me</button>
        </p>
        <script>
        // Change the "very, very" to red, and add a new text snippet
        // with a random number, and remove the button so it can't be clicked
        // again!
        document.querySelector('button').addEventListener('click', () => {
            document.querySelector('span').style.color = 'red';
            const n = Math.ceil(Math.random() * 10);
            const p = `<p>Random number generated client side: ${n}`;
            document.querySelector('p').innerHTML += p;
            document.querySelector('button').remove();
        });
    </script>
    </body>
</html>

Go ahead and check it out. When you click the button, something really important is happening - the JavaScript inside the script element is changing the HTML itself, using what is called the Document Object Model (DOM). The span is given a new CSS value for color. A new p element is created and appended to the last p element in the document, with a random number within the text (it's different every time you load the page). The button is removed entirely. Notice, the browser changes what is rendered as the JavaScript changes the DOM elements. The DOM elements are what the browser renders - they are the internal representation of the HTML loaded by the browser.

It's important to understand that the JavaScript code that modified the HTML DOM is running inside the web browser. The web browser, in addition to a renderer, a JavaScript runtime environment! The server is not involved in anything that we just did, it has no idea anyone has click a button, or that any HTML has been modified. It all happened within the browser's internal representation of the HTML the server sent to it.

Interactivity on the front end, using JavaScript could (and most definitely is) be the subject of entire books, entire courses, and entire careers. As you might imagine, there are a huge number of frameworks that help developers write JavaScript to add an enormous amount of interactivity to HTML. You've no doubt heard of some.

• jQuery - probably the first and most broadly used JavaScript framework, in many ways it revolutionized how we wrote JavaScript. jQuery was created in 2006, when JavaScript suffered from a very poorly standardized DOM API, meaning writing JavaScript to interact with the HTML DOM (change things on the page) needed to be written differently depending on the browser. THis was also a time when Internet Explorer was still quite popular, but Chrome, Safari, and Firefox were too large to be ignored. jQuery created a very powerful API that smoothed over the differences. It inspired iterations to JavaScript itself, which later became part of the standard web APIs across all browsers. jQuery isn't often used these days, because JavaScript has evolved enough that it's no longer necessary - but it's impact is still felt.
• React - released in 2013, React became the most popular reactive framework/library very quickly, and has remained so through the time of this writing. React focuses on component design, and has offshoots like Reach Native which aid in mobile application development. The concept of reactivity centers around how developers map application state (usually state is represented by JavaScript objects) to HTML DOM changes. Reactive frameworks allow the developer to modify state variables, and those changes are automatically applied to the DOM based on declarative rules. This is very different than the procedural approach in our JS example above, where we directly modify the DOM. There are many reactive frameworks, the concept is extremely powerful.
• Vue - released in 2014, Vue is similar to React in terms of it's model of development. A proper Vue app manages front end application state, and automatically modifies the DOM based on those state changes. It has what many people feel is a shallower learning curve than React, and we will use it when we dive deeper into reactive frameworks and single page application design later in this book.
• Angular - AngularJS was initially released in 2010, and rewritten (and renamed to Angular) in 2016. Angular shares a lot of design principles with React and Vue, along with other predecessors like Ember and Knockout.

There are lots and lots of other front end JavaScript libraries and frameworks. Some are large, some are very small. While we won't dive too deeply into them, we will learn the fundamentals of JavaScript on the client (front end) in depth, and you'll be able to pick many of these frameworks up pretty quickly once you've mastered the basics.

Back to the Back end

We could have a web site just with HTML, CSS, and JavaScript. You could have lots of HTML pages, link them together, and use CSS and JavaScript to do a lot interesting things.

We could write our own HTML, CSS, and JavaScript in a text editor, and use a SFTP program to transfer those files to a simple web server that can map network requests from clients to these files. Those files are then transmitted to the browser for rendering. This is in fact still very viable, it's probably still how most web pages are delivered.

However, there is something missing. Our pages are still static in that they are always exactly the same, whenever they are loaded into the browser. Sure, our front end JavaScript might change the DOM later, but it's always exactly the same HTML, CSS, and JavaScript being delivered to the browser, because we are just serving up files.

As a little thought experiment, what if we rewrote the server pseudocode from above so we didn't use a file at all?

    // Pseudocode for a web server, without a file.

    // Suppose we have function to read a request off 
    // the network, from a browser
    request = recv_http_request();

    if (request.path == '/intro/example.html') {
        html_text = "<!DOCTYPE html><html><head><title>Tiny Example</title></head>";
        html_text += "<body><h1>Let's get started!</h1><p>This is an example of a ";
        html_text += "<span>very, very</span> minimal web page.<p><p>";
        html_text += "<button type='button'>Click me</button></p></body></html>";

        send_http_response(html_text);
    }
    else {
        // send some sort of error, we don't have anything for this path...
    }
   

If you look closely, the web server is sending exactly the same text to the web browser when the browser requests /intro/example.html as it was before. The difference is that instead of getting the HTML text from a file saved on disk, the web server is just generating the HTML using string concatenation. It's ugly, but it works - and in fact, the browser cannot tell the difference.

Why would we do this? The answer is simple, and profoundly important. Now, since we are generating the HTML inside a program, we have the freedom to create different HTML whenever we want. We can fetch data from a database, and include that data in the HTML. We can perform any number of computations, interact with any number of data stores and systems, and use any other mechanism to customize the HTML delivered to the browser. We now have the ability to create a fully customized HTML response to /intro/example.html if we please.

To drive this point home a little more, let's generate a random number and put it in the HTML sent to the browser.

    // Pseudocode for a web server, without a file.

    // Suppose we have function to read a request off 
    // the network, from a browser
    request = recv_http_request();

    if (request.path == '/intro/example.html') {
        html_text = "<!DOCTYPE html><html><head><title>Tiny Example</title></head>";
        html_text += "<body><h1>Let's get started!</h1><p>This is an example of a ";
        html_text += "<span>very, very</span> minimal web page.<p><p>";
        html_text += "<button type='button'>Click me</button></p></body></html>";

        send_http_response(html_text);
    }
    else if (request.path == '/intro/example-style-js.html') {
        
        number = Math.ceil(Math.random() * 100);
        
        // The beginning is just static text content
        html_text = "<!DOCTYPE html>";
        html_text = "<html>";
        html_text = "   <head>";
        html_text = "       <title>Tiny Example</title>";
        html_text = "       <style>";
        html_text = "           h1 {";
        html_text = "               text-decoration:underline;";
        html_text = "           }";
        html_text = "           span {";
        html_text = "               color:blue;";
        html_text = "           }";
        html_text = "        </style>";
        html_text = "   </head>";
        html_text = "   <body>";
        html_text = "       <h1>Let's get started!</h1>";
        html_text = "       <p>This is an example of a <span>very, very</span> minimal web page.<p>";

        // Here's the dynamic bit, with the server generated number in the text.
        html_text = "       <p>The server generated number is:  " + number + " </p>"

        // The rest is static again.
        html_text = "       <p>";
        html_text = "           <button type='button'>Click me</button>";
        html_text = "       </p>";
        html_text = "       <script>";
        html_text = "           document.querySelector('button').addEventListener('click', () => {";
        html_text = "               document.querySelector('span').style.color = 'red';";
        html_text = "               const n = Math.ceil(Math.random() * 10);";
        html_text = "               const p = `<p>Random number generated client side: ${n}`;";
        html_text = "               document.querySelector('p').innerHTML += p;";
        html_text = "               document.querySelector('button').remove();";
        html_text = "           });";
        html_text = "       </script>";
        html_text = "   </body>";
        html_text = "</html>";
    }
    else {
        // send some sort of error, we don't have anything for this path...
    }
   

Right about now, you may be getting a sick feeling in your stomach. We are writing code, inside code. Worse yet, we are writing code (a mix of HTML, CSS, and JavaScript) inside plain old strings, and using concatenation to build it all up. This is a tiny example. If you feel like this won't scale well up to real web applications, you are 100% correct!

Now we've arrived at the land of back end frameworks. Server side, backend web frameworks handle the following types of things (and many more):

1. HTTP parsing / formation - we side stepped this by imagining we had functions like recv_http_request and send_http_response. In reality, these types of functions will be part of a web server framework/library, and will be doing a ton of work for us.

2. Path routing - we have the beginning of routing in our last example, where we use if and else if statements to determine which response to generate based on the requested path. Routing is a major part of web development - the server needs to respond to many many different paths (urls). Web frameworks will provide methods of organizing your code into functions, objects, and modules that map to specific paths/urls, and the framework will ensure the right handlers are called at the right time.

3. View transformations - we aren't going to generate HTML with strings. We are going to build objects of data programmatically (models), and then use templating engines to transform the data into HTML (views)using a template language. It's a mouthful, but when we get there, you will see how much easier it makes things! There are tons of templating languages, and most do pretty much the same thing. If you've heard about ejs, Jinja, pug, HAML, Liquid, Mustache, or Handlebars... they are all templating languages with large following in the web development community. We'll talk about pug in more detail later. Once you learn one, the others are very easy to pick up.

Full featured web frameworks tend to cover #1 and #2, and typically will let you choose which templating language (#3) to use. Modern frameworks are available in just about every programming language you can think of. Most modern frameworks support the Model-View-Controller (MVC) Architecture - which we discussed a bit above. MVC is a way of organizing the application in a way that separates model (the data), the view (HTML generation), and the business logic (also called controller).

It's hard to say if one is better than the other - there tends to be a few good choices for each programming language. Which programming language you choose is probably more of a decision based on you and your teams skills, and preferences - rather than anything specific to the web.

Here's a sampling of some popular backend web frameworks. Each of these covers all of the above, and often includes more. Note that your choice of a backend framework has nothing to do with anything we've discussed about the front end. They are completely separate!

• Python
  • Django
  • Flask
• Java (and JVM languages)
  • Grails
  • Spring Boot
• Rust
  • Rocket
  • Actix
• Ruby
  • Rails
• PHP
  • Laravel
  • CakePHP
• C++
  • Drogon
• .NET
  • ASP.NET Core/MVC
• JavaScript (Node.js)
  • Express.js
  • Sails.js
  • Deno

We'll discuss frameworks in depth later in the book.

Pro Tip💡 You don't want to describe yourself as "a Django developer" or "Laravel developer". You want to learn backend web development and be comfortable in any language or framework. You want to call yourself a web backend developer - or better yet - web developer. Specialization is marketable, and valuable, but you never want to pigeonhole yourself into one framework - it advertises a lack of breadth.

In-between and outside

We've glossed over the in between part, the technology that connects the front end and back end. That's networking, and that is HTTP. We will cover that extensively in the next few chapters!

Outside the typical discussion of front end and back end development are all the systems components and concerns that tend to make up web applications of any complexity. This includes security, understanding TLS/HTTPS, hashing, authentication, CORS, and more. This includes databases of all kinds - relational, document stores, and more. We'll also need to learn about hosting, content delivery, and deployment. It's a lot of ground to cover, and there are chapters dedicated to these topics later in the book.

Breadth & Depth

The goal of this book is to give you enough breadth to understand how all of the pieces of web development fit together. You'll understand the fundamentals in a way that allows you to pick up new frameworks quickly. You will understand the entirety of full stack web development.

The second goal of this book is to give you depth along a particular set of frameworks/libraries so you can build a full scale web app from the ground up. You will understand how front end and backend frameworks work at a low level, and then see how we apply layer after layer until we reach modern framework functionality. We'll choose specific frameworks at each step - for bot the front end and back end - and get a lot of experience using them.

Networks

As a web developer, you typically work far above the level of Internet Protocol (IP), Transmission Control Protocol (TCP), sockets and the other underpinnings of computer networks and the internet. Typically is not the same as always, however. Moreover, having a solid understanding of how the web technologies have been built on the back of core technologies like IP/TCP gives you a huge advantage when keeping up with the ever changing field you are entering.

This chapter provides you the fundamental knowledge and skills needed, and also the perspective to not only understand the modern web and it’s tooling, but also appreciate it. Having a solid understanding of networking concepts will also come to your rescue when learning about deploying your web applications along with other devop type activities.

Network Protocols

When we say the web, it's fair to think about web browsers, web sites, urls, etc. Of course, the term "the web" is commonly used interchangeably with the internet. Truly, the internet is a lot more broad than you might realize though. The internet is a global network of computers. It facilitates your web browser accessing a web site. It facilitates email delivery. It lets your Ring security camera notify your phone when the Amazon delivery arrives. When we talk about the internet we are talking about the entire internet - which encompasses billions (if not trillions!) of devices talking to each other.

The first thing we need to understand about computer networks is the concept of a protocol. A network is just a collection of devices, sending electrical signals to each other over some medium. In order for this to be useful, we need some things:

1. We need to know how to find devices to talk to
2. We need to know how to translate electrical signals into useful information

There's a whole bunch of things that flow from those two requirements. It might help to first consider some real world protocols. The postal system comes to mind.

When we want to mail a physical thing to someone, what do we do? First, we need to know their address. We need to know that (at least in the United States) that addresses look something like this:

98 Hall Dr.
Appleton, WI 54911

There are rules here. On the second line, we expect the town or city. The abbreviation after the comma needs to correspond to an actual state in the US. The number after the state is a zip code, or postal code. This indicates not only a geographic area, but also a specific post office (or set of post offices) that can handle the mail going to addresses within that postal code.

Here we have the beginnings of point #1 above. There is an expectation of how an address is defined and interpreted. It's an agreement. If you think more carefully, there are more - such as where you write this address on an envelope, etc. All of the things associated with filling out an address on an envelope is part of the mail system's protocol.

We also know that our mail can enter the mail network through various places - our own mailbox, or a public postal box. From that point, there is a vast infrastructure which routes our physical mail to the appropriate destination - taking many hops along the way, through regional distribution centers, via airplane, train, truck, to the local postal office, and then to the physical address of the recipient. We intuitively know that this requires a lot of coordination - meaning all of the various touch points need to know the rules. They need to know where to route the mail!

With #1 out of the way, how does the mail system handle #2 - exchanging meaningful information? Interestingly enough, the postal system actually does very little to facilitate this. Just about the only thing it ensures (or at least attempts to) is that when you mail something to someone, they will receive the whole thing, in reasonable condition. If I mail a letter to you, the postal system's promise to me is that the entire letter will arrive, and it will still be readable.

So, how do we effectively communicate via the postal system? Well, the postal system is one protocol - for mail transport and delivery - but there is also another protocol at work. When you send a letter to someone in the mail, you implicitly make a few assumptions. Most importantly, you assume the recipient speaks (or reads) the same language as you, or at least the same language the letter was written in. There are also other commonly accepted conventions - like letters normally have a subject, a date, a signature. There are actually many assumptions built into our communication - all of which we can consider the "letter writing protocol".

Notice now that we have identified two protocols. One protocol, the postal protocol, establishes a set of rules and expectations for transport and delivery of letters. The second protocol, the letter protocol establishes a set of rules and expectations for understanding the contents of such letters.

Computer Protocols

What does this all have to do with computer networks? Computers need to communicate under a set of assumptions. All data in a computer systems is represented by 1's and 0's (see big vs little endian if you think this is straightforward). In order for computers to communicate, we'll need answers to the following:

1. How are 1's and 0's encoded/decoded across the medium of transmission (copper wires, radio signals, fiber optics)?
2. How is the encoded data's recipient to be represented?
3. How can the data be routed to the receiver if not directly connected to the sender?
4. How do we ensure the data arrives in reasonable condition (not corrupted)?
5. How can the recipient interpret the data after it arrives?

Just like with our postal / letter example, all of these questions aren't going to be addressed by an single protocol. In fact, computer network protocols formally defines several layers of protocols to handle these sort of questions. The model is called the Open Systems Interconnnection - OSI model.

In the OSI model, the question of how 1's and 0's are encoded/decoded is considered part of the Physical and to some extent the Data link layers. These are the first two layers.

Layer 3 - the Network layer provides addressing, routing, and traffic control (think of that as an agreement on how to handle situations where the network is overloaded). This really covers question #2 and #3, and will be handled by the first protocol we will look at in detail - the Internet Protocol.

Our 4th question - how we ensure data arrives in reasonable condition - is actually more interesting than it might originally appear. Looking back to our postal/letter example - what do we mean by a letter arriving in reasonable condition? Clearly, if the letter itself is unreadable (perhaps water was spilled on it, and the ink has bled), it is unusable. This happens with 1's and 0's on the internet too - the physical transmission of these electronic signals is not perfect. Think about the trillions of 1's and 0's that are traveling through the air, through wires under the ocean, etc. Those bits will get flipped sometimes! This will result in a mangled data transmission.

How do we know if some of the bits have been flipped though? If you receive a physical letter in the mail that was somehow made unreadable, it's obvious to you - because the "letters" on the page are no longer letters - they are blobs of ink. In a computer system, if a bit gets flipped from a 1 to a 0, or a 0 to a 1, the data is still valid data. It's still 1's and 0's!

To drive this point home, let's imagine I'm sending you a secret number, the number 23. I send you the following binary data, which is the number 23 written as an 8-bit binary number.

00010111

Now let's say you receive this, but only after these signals travel the globe, and one digit gets flipped somehow.

01010111

You have received the number 87. The number 87 is a perfectly reasonable number! There is no way for you to know that an error has occurred!

Thankfully, we have ways of handling this kind of data corruption - checksums, and we'll cover it in a bit. This error detection is handled by the Network Protocol layer in the OSI model, and in our case will be part of the Internet Protocol.

As we will see however, detecting an error is not the same thing as handling an error. When an error occurs, what should we do? Do we have the sender resend it? How would we notify the sender? These questions are handled by the Transport layer, and will be handled by other protocols above the Internet Protocol in our case - either by Transmission Control Protocol or in some cases User Datagram Protocol.

The last question we have is #5, how can the recipient interpret the data after it arrives?. There's a lot backed in here. As you might recall from the postal/letter example, understanding the contents of a message requires a lot of mutual agreement. Is the letter written in a language the recipient can understand? Is there context to this letter - meaning, is the letter part of a sequence of communications? Does the letter contain appropriate meta data (subject, date, etc.)?

All of these issues are handled by layers 5-7 in the OSI model - Session, Presentation, and Application layers. For web development, the Hypertext Transfer Protocol protocol outlines all the rules for these layers. For other applications, other protocols define the rules - for example, email uses SMTP (Simple Mail Transfer Protocol) and file transfer applications use FTP (File Transfer Protocol) and SFTP (Secure File Transfer Protocol). Some applications even use their own custom set of rules, although this is less common. Generally, web applications will also layer their own logic and context over these protocols as well, unique to the particular use case of the application. For a web application, things like login/logout sequences, url navigation, etc. are clearly unique to the application itself. If users visit specific pages out of order, they might be "breaking the rules".

We won't cover physical networking in this book. It's a fascinating subject - understanding how 1's and 0's are actually transmitted across the globe - through the air (3G, 4G, 5G, LTE, etc), via satellites, ocean cables, etc - is a pretty heavy topic. When you start to think about the shear volume of data, and the speed at which it moves, it's mind boggling. However, as a web developer, the movement of 1's and 0's between machines is far enough removed from you that it's really out of scope. If you are interested, start by looking at the Physical Layer and then you can start working your way to all the various technologies.

As a web developer, you will be will be dealing with at least three protocols for communication in web development:

1. Internet Protocol: Addressing, Routing, Error Detection
2. Transmission Control Protocol: Error handling, reliable delivery of requests/responses, multiplexing
3. HyperText Transfer Protocol: Encoding/Decoding of requests and response, and all of the rules of the web!

While the HyperText Transfer Protocol is the most important, the other two are still quite relevant, so we will tackle them in order.

The Internet Protocol

The Internet (capitalized intentionally) isn't the only network. It's the biggest network (by far), and really the only network used by the public today. However, if you went back in time to the 1960's, there was no reason to believe this would be the case. There were many networks - meaning there were lots of network protocols. Most of them were networks either within the defense industry or within academia. These networks weren't compatible with each other.

There was a need to have computers on different networks talk to each other - so there became a need for a standard protocol. In 1974, the Internet Protocol was proposed by V. Cerf and R. Kahn. It was quite literally devised as a protocol for communicating between networks - internet. The protocol grew in adoption, and along with a few other innovations (TCP, which we will see soon) eventually supplanted most other networking protocols entirely. In 1983, one of the largest and most important networks - ARPANET (Advanced Research projects Agency Network) switched over to the Internet Protocol. The network of computers that communicated using the Internet Protocol grew and grew. By the 1980's, the internet (not capitalized) was how people talked about the network of computers speaking the Internet Protocol. By the early 1990's, web technologies were running on top of the internet, and the rest is history.

So, what is the Internet Protocol? First, we'll call it simply IP from now on.

The first thing to understand is that the IP protocol is implemented primarily by the operating system on your computer. The IP protocol defines the fundamental format of all data moving through the internet. Thus, data encoded as IP data goes directly from memory to the network device of a computer - and out to the internet. The operating system generally limits access to network devices, and so you may interact and use the IP protocol via the operating systems API's.

IP provides two core facilities:

1. Addressing
2. Message Chunking & Error Checking

If you've heard of an IP address, then you know a little about IP already! We are going to go in reverse order though, starting out with message chunking - or what are referred to as packets.

IP Packets

IP messages are chunks of data that an application wishes to send to another. These messages are of arbitrary length, they are defined by the application doing the sending. An application transferring files might send an image as an IP message. A web browser might send an HTTP request as a message.

Sending arbitrary length 1's and 0's creates a bunch of problems. First, from a device design and software design perspective, dealing with fixed length chunks of data is always more efficient. Second, depending on the devices receiving (or more importantly, forwarding) the messages, arbitrarily long message may create electronic traffic jams, network congestion. To mitigate this, IP slices all messages into fixed length packets.

An internet packet is a fixed size chunk of binary data, with consistent and well defined meta data attached to it. This metadata will contain addressing information of both sender and receiver, along with a sequence number identifying where the packet is within the original larger message.

The Internet is, at it's core, a peer to peer network. Every machine on the internet is considered an IP host, and every IP host must be capable of sending, receiving, and forwarding IP packets. While your laptop or home computer is unlikely to be doing a lot of forwarding, forwarding IP packets is a critical design feature of the internet. Your computer is connected to a web of network switches that receive packets, determine whether they can connect directly to the intended recipient or which other switch is available to help locate the recipient. Each one of these switches moves up and down a topology (see below) that makes up the internet. Each packet might be forwarded by dozens of different network switches before it reaches it's final destination - just like the letter you send in the mail get's handled by many people before arriving at it's destination.

By slicing a message into packets, the network can route packets across the network independently - meaning packets belonging to the same larger message can take different paths through the network. This significantly aides in network congestion management and automatic load balancing, a primary function of all of the many millions of internet switches and routers making up the network. There's no analog to this in the postal/letter analogy - it's the equivalent of cutting your letter up into tiny pieces before sending :)

Let's look at a more concrete example. Suppose we are sending a 2.4kb image over IP. The minimum packet size that all IP hosts must be able to handle is 576 bytes. Hosts can negotiate sending larger packets, but at this point let's just assume packet sizes of 576 bytes.

Each packet will have a header attached to it, including IP version, total packet size (fixed), sender and recipient address, and routing flags such as sequence number. These packets (four of them, in the image below) are then sent across the network.

Note that in the image, packet 4 is smaller than the rest, it has the remaining bytes, less than 576. In reality, it will be sent as 576 bytes, with the remainder of the payload zeroed out.

Each packet flows through a network of switches. We will address a bit more on how these messages are routed across the network below, but for now the important concepts is that they travel through the network separately, and may take different paths. Packets belonging to the same message can arrive out of order (packet 3 may arrive at it's destination before packet 1). The IP protocol (the code implementing, at the operating system and device driver level) is responsible for re-assembling the packets in their correct order to form the resulting message on the recipients side.

Error Checking and Checksums

It's important to understand that whenever electronic data transmission occurs, we do have the possibility of errors. Computer networks send 1's and 0's over a medium, let's say radio frequency (wifi). Just like static when listening to your car's radio, transmission isn't perfect. As described above, when binary data transmission errors happen, the result is that a 1 is flipped to a 0 or a 0 is flipped to a 1. The result is still a valid binary data packet. In the best case, the resulting binary packet is nonsense, and easily understood to be corrupted. However, in most cases, the flipped bit results in a valid data packet, and it's impossible for a recipient to notice the bit flipping has occurred just by looking at the data.

For a concrete example, think about the IP message from above - and image. Images are sequences of pixels. Each pixel is three numbers, a value (typically) between 0 and 255 for red, green, and blue. For a reasonably sized image, there are thousands of pixels. Each pixel is barely perceptible to the human eye, but the composite gives us a nice crisp picture. What if one of those pixels was corrupted? One of the pixels that should look red, when it is received, is blue. How could a receiving program, which doesn't know what the image should look like, know that this has happened? The answer is, it's impossible - without some extra information.

The key to this problem is the concept of checksums. Checksums are hashes of a string of data. If you are familiar with has tables, you know the concept. For simple hash tables, you might take a large number and use the modulus operator to determine it's hash, and it's location in the table. Hashing functions exist to take arbitrarily long strings of data, and compute hash values from them that are substantially shorter.

Hashing functions are one way functions. They aren't magic, here's how it's done for all IP packets. Multiple (actually, infinite) inputs map to the same hash, however statistically speaking, the chances of two random inputs mapping to the same has is astonishingly low.

How does hashing relate to error detection? An IP packet has a payload (the actual data). This payload can be sent as input to the hashing function, resulting in a numeric value of just a few bytes. This checksum is then added to the IP packet header, and sent over the network.

When a machine receives a packet, the first thing it does is extract the payload data (a certain number of bytes) and the checksum from the packet. These are at well defined locations within the packet, so this part is quite trivial. Since all IP hosts use the same hashing function to compute checksums, the receiver can calculate the checksum of the received payload, and compare it with the checksum it found in the packet, which was computed by the sender originally.

There are 4 possible outcomes:

1. One or more bits have been flipped in the area of the packet that held the checksum. This will result in the computed checksum being different than the checksum found in the packet, and the packet can be deemed corrupted.
2. One of more bits have been flipped in the area of the packet that held the data payload. This will result in the computed checksum again being different than the checksum found in the packet, and the packet can be deemed corrupted. Note, there is an infinitesimally small chance that the bit flipping that occurred in the payload section resulted in a payload that still hashes to the same checksum. This would result in a false negative - the packet was corrupted by IP can't detected. Again, the chances of this actually happening are infinitesimally small.
3. One ore more bits have been flipped in both the checksum and payload area of the packet. As in case #2, there is an incredibly small chance that this flipping results in the checksum changing such that the equally corrupted payload now hashes to the new checksum - however this is so unlikely we shouldn't even discuss it.
4. No bit flipping occurs, the checksums match, the packet is accepted - hooray!

Recall that each IP message is sliced into many packets. If any packet within a message is corrupted, the entire message is dropped. This message drop can happen at the switch level (as it's moving through the network) or on the recipient machine. This is a hard drop - meaning that's it - the message is simply discarded. The sender is not notified. More on this to come :)

Ultimately, IP uses checksums to ensure the following: A message received by a program is the same message that was sent by the sending program.

Remember, however: IP does not ensure every message is received, and it does not ensure a sequence of messages are received in the same order they are sent.

IP Addresses

Thus far we've described what IP packets look like, to some extent. We've agreed that each packet has a header, and that the header has sender and receiver addresses. We have not defined what these addresses look like though. Let's work on that.

An IP address is made of four numbers, between 0 and 255, separated by dots (periods).

172.16.254.1

Actually, this is more specifically an IP v4 address. IP v6 addresses are more complex, and address the issue of potentially running out of IP v4 addresses (among other issues with v4). There is a lot to talk about regarding IP v4 and IP v6, but it's beyond the scope of a web development book - web developers will very rarely, if ever, deal with IP v6 addresses.

It's a 32-bit number, with each of the 4 numbers encoded as 8 bits. Every computer on the internet is assigned an IP address, however the vast majority are not assigned permanent IP addresses. When your laptop connects to a wifi switch, for example, it is assigned a temporary IP address which is unique within the sub network that wifi switch is managing. This is, in part, why we don't think we'll actually run out of IP v4 as quickly as we thought. Check out Network address translation for more on this.

Many machines, in particular machines that are frequently contacted by others, do have permanent of fixed IP addresses. These machines include routers and switches that act as gateways into other subnetworks, and servers (like web servers, database servers, etc). When your laptop or phone connects to your wireless service or wifi router, one of the first things it's doing is establishing/negotiating what machines it will use as the first hop for any outbound network messages. These first hop machines are often called gateways. Gateway machines maintain lists of other gateway machines, along with which subnetworks (subnets) they manage. Subnets are defined by ranges of IP addresses - for example, a particular subnet might be 172.0.0.0 through 172.255.255.255, and another machine within that subnet might manage IP addresses between 172.0.0.0 through 172.0.0.255. The idea is that routers and switches maintain registries of ranges of IP addresses they have connections with. When your computer sends a message to another computer, the message (IP packet) will be sent to your initial gateway machine, and then along any number of routers, being forwarded to eventually to the correct machine. Gateway machines actually maintain their registries through another protocol - the Border Gateway Protocol. Again, this is where we start to get outside of our scope, as a web developer, you will not often need to delve into the details of routing much further.

There are some special IP addresses that you should know about. Perhaps the most important is the loopback address - 127.0.0.1. 127.0.0.1 is always the current machine. If you send an IP packet to the loopback address, it will be received your own machine. You'll see this a lot in web development, because when you are coding things up, you are probably visiting your own machine via your browser! You will probably also use http://localhost for this too.

Some addresses are otherwise reserved - 0.0.0.0.0 is not used, 255.255.255.255 is a broadcast address, typically not used for anything related to web development. 224.0.0.0 to 239.255.255.255 are used for multicast (again, not used for most web development). There is more structure to IP addresses than we are discussing here - such as Class A, B, and C and their uses. You can actually see how the various ranges of IP addresses are allocated to top tier networks here, it's public data.

From our perspective as web developers, that's likely as far as we need to go in terms of addressing. IP addresses are numeric numbers, very similar to addresses on an postal envelope. Routers and switches are able to use IP addresses to route data through the network and to their destination.

Pro Tip💡 IP addresses are not the same as domain names. We are used to referring to machines using human readable names - https://www.google.com, https://webfoundationsbook.com, and so on. These domain names map to IP addresses, and they are transformed using publicly available and accessible databases. We'll cover this in the next chapter on HTTP and in particular, when we cover DNS.

IP Limitations

The Internet Protocol provides the baseline functionality of all internet applications, however it falls short in two specific areas.

1. Error handling
2. Multiplexing

First, we have the unresolved issue of error handling. IP detects corrupt messages, however it does not attempt to recover - it simple drops the messages. Since most applications communicate in sequences, dropped messages means there are gaps in communication. IP also makes no attempt to ensure messages arrive in order. Recall that each message you send is sliced into packets. Packets are small, to optimize their flow through the network. IP assembles packets back together on the recipient's end to form a coherent message, however two messages (each consisting of many packets) sent are not guaranteed to arrive in the same order. For example, if the first message was sliced into 100 packets (large message), and the second message was smaller (maybe 5 packets), it's very possible that all 5 packets within the second message arrive before each of the 100 packets from the first message. Out of order message may or may not be a problem for an application, but generally for web development it is.

The second problem is a bit more subtle. Imagine a scenario where you have two programs running on your computer. Each program is in communication with a remote machine (it doesn't matter if they are both talking to the same machine, or two different machines). What happens when an IP message is received?

Remember, the operating system is in charge of reading the IP message from the network device, and forwarding the message to the program that wants to read it. Which program wants to read the message?

IP actually doesn't define this, there is nothing within the IP message header that identifies the program on the specific machine that is waiting for the message. The operating system is not in the business of deciphering the contents of the message, and even if it was, it's difficult to imaging a fool-proof way for the operating system to already accurately figure out which program should receive the message. This example is describing multiplexing - the concept of having messages streaming into a computer and being forwarded to one of many programs currently running on the machine. It's sort of like receiving main to your house, and figuring out which one of your roommates should read it!

The layer up is the transport layer, and in web development this is nearly always handled by the Transmission Control Protocol - TCP. TCP will build on IP to address error handling and multiplexing.

Transport Layer

The transport layer (Layer 4 in the OSI model) picks up where the IP protocol leaves off. There are two concepts typically associated with Layer 4 - reliability and multiplexing

Reliability with Sequence numbers and Acknowledgements

Recall that each IP message is sliced up into packets and sent through the internet, with no regard for when each packet gets delivered. While IP assembles packets within messages in order (and drops messages that have missing or corrupt packets), it makes no attempt to ensure that entire messages are delivered in order. In some applications, this may be acceptable - however in most applications, this would be chaos.

Consider an application communicating keystrokes over a network. Each time the user presses a character, or a bunch of characters within a given amount of time, the sending application fires them over to a receiver, responsible for saving the characters to a remote file. If message are arriving out of order, then characters will end up being saved to disk out of order. It's pretty clear that won't work!

Here's a toy example, with a hypothetical API for sending and receiving messages. It further illustrates the concern.

   // This is the sender code, 

   send(receiver_ip_address, "Hello");
   send(receiver_ip_address, "World");

    // This is the receiver code

    // Imagine recv blocks, waiting until the machine receives a message
    // and then recv decodes the IP message (it's packets) and returns the 
    // message.
    message1 = recv();
    message2 = recv();
    
    print(message1);  // We do NOT know if message 1 will be "Hello" or "World"!
    print(message2);  // They could have arrived out of order!

Let's pause for a moment and remember where the IP protocol is implemented. The send and recv functions used in the example above are hypothetical, but they mimic operating system API's that we will use to send and receive data. Notice that in this example, send would need to do the slicing into packets, and attaching IP headers to each packet, including the checksum and sequence number - for each message. Likewise, recv would need to manage the process of assembling all the packets and doing error checking before returning the message to the program that called recv. Clearly recv would also potentially either return an error, or throw an exception of some sort if no message was received after some period of time, or if a message was received by corrupted.

Back to the ordering problem. There is an obvious solution to this, and it is actually already used within IP for packets within a message. We can simply attach a sequence number to each message that we send. This would allow us to detect, on the receiving end, when something has arrived out of order. However, this also means that there needs to be some start (and end) of a sequence of messages between two machines - what some might call a session. At the beginning of the session, the first message is assigned a sequence number of 0, and then after sending each message, the current sequence number is incremented. The session, in this respect, has state. The sequence number is part of the message that is sent using IP, it's inside the IP payload.

The code might look something like this:

    // Sender code

    session = create_transport_session(receiver_ip_address)

    session.send("Hello");
    session.send("World");

    // Receiver code
    session = accept_connection();

    // Recv still blocks, but now it also determine if something arrives
    // out of order, because there is a sequence number associated with the 
    // session.  If we receive "World" first, recv won't return - it will wait
    // until "Hello" arrives, and return it instead.  Then the next call to receive
    // will return "World" immediately - since it already arrived and was cached.
    message1 = session.recv();
    message2 = session.recv();

    print(message1);  // Will definitely be "Hello"
    print(message2);  // Will definitely be "World"

This is powerful. With the operating system implementing a Transport layer protocol for us, we not only can deal with out of order messages, we can also handle missing messages. As discussed before, IP drops messages that are corrupted. With our sequence number solution, we can detect when we are missing a message. For example, we can see (on the receiving end) that we've received a message with sequence number 4 before receiving one with sequence number 3 - and wait for 3 to arrive. However, a message with sequence number 3 may actually never arrive if it was corrupted along the way. Could we ask the sender to resend it?

It turns out, it is more efficient (somewhat surprisingly) to have the receiver actually acknowledge every message received, rather than asking the sender to resend a missing message. This is because in order to avoid asking for unnecessary resends the receiver would need to wait a long time - given the message may be en route. It also makes sense to use an acknowledgement scheme rather than a resend request because it is possible that the receiver misses multiple messages. Using the previous example, what if we not only miss message 3, but message 4 also. What if at that point, the sender is done sending! The receiver will never receive a message 5, and never know it missed messages 3 and 4!

The actual solution to the reliability problem is as follows:

• Each message gets a sequence number
• Upon receipt, the receiver sends an acknowledgement to the sender.
• The sender expects an acknowledgement within a specific time window (we'll discuss details soon), and if it doesn't receive it, it resend the message. After a specified number of resends without an acknowledgement, the connection is deemed lost.
• Receivers will cache any out of order messages received until all messages with sequence numbers less than the out of order message are received, or the connection times out.

It's interesting to note, it's possible that the acknowledgement never makes it to the sender, for the same reason it's possible the original message didn't make it to the receiver. That's ok, the sender just resends. The receiver will ignore receipt of a message it already has, since it's trivial to detect a duplicate based on the sequence number.

It's important to understand the above lays out a conceptual strategy for allowing for reliable data transmission over IP, but there are lots of optimizations that can be made. Stay tuned for more on this below.

Multiplexing with Port Numbers

Port numbers are a simple concept, but are foundational to application programming over networks. Think about how postal mail is delivered via the postal system. Imagine a letter, being sent across the country. It arrives at your house based on the address - the street number, town, postal code, etc. The address relates to the physical location where the mail should be delivered. Layer 3 (the IP Protocol) does a lot of the work here - it identifies physical machines, and routes data traffic through the network so it reaches the right machine.

However, when mail gets delivered to your house, there's another step. Unless you live alone - you probably need to take a look at the name listed on the envelope before you open it. If you have a roommate, you probably shouldn't open their mail - and vice versa. Well, network traffic is sort of like this too! On your computer, right now, you probably have a few applications running that are receiving network data - your web browser, maybe an email client, a game, etc. As network traffic comes into your computer over the network device, the underlying operating system software needs to know which application should see the data.

Port numbers are just integers, and they are abstract (they don't physically exist). They serve a similar purpose as the name of the person on a mail envelope - they associate network data being transmitted over IP with a specific stream of data associated with an application. Your web browser communicates with web servers over a set of port numbers, while your email client uses a different port number, and your video games use others. Applications associate themselves with port numbers so the operating system can deliver received data to the right application.

Port numbers facilitate multiplexing, in that they allow a single computer to have many applications running, simultaneously, each having network conversations with other machines - as all network messages are routed to the correct application using the port number.

Just like with sequence numbers, port numbers are associated with a "session" - a connection managed in software between two computers. The session will have sequence numbers, acknowledgement expectations, and the port number of the receiver (and sender).

Sockets

We've been using the term "session" to represent a stateful software construct representing a connection between two machines. While the term make sense, it's not actually what is used. Instead, we call this a socket. A socket, across any operating system, is a software construct (a data structure) that implements the IP + Transport Layer protocol. There are two basic types of sockets, which correspond to the most commonly used transport layer protocols: TCP and UDP.

TCP - the Transmission Control Protocol is by far the most commonly used of the two. TCP layers reliability and multiplexing on top of IP using sequence numbers, acknowledgements, and port numbers. UDP - the User Datagram Protocol, doesn't go quite a far. UDP only adds multiplexing (port numbers), and does not address reliability. We will talk a bit more about UDP in the next session, but we don't use it much in web development.

Transmission Control Protocol

TCP implements what we described above, and it implements it extremely well. TCP isn't really an addon to the IP protocol, it was developed originally by the same people, at the same time. It was always obvious we needed reliability and multiplexing, it's just that it makes sense to divide the implementation into two protocols to allow for some choice (for example, to use UDP instead for some applications).

TCP is far more complex than what was described above, in that it uses a more sophisticated acknowledgement scheme that can group acknowledgements to reduce congestion. It also uses algorithms to more efficiently time resends, using a back off algorithm to avoid flooding already congested networks (congested networks are the primary reason packets are dropped, so further flooding is counterproductive). The technical details of the algorithms used in TCP are very interesting, and you can start here to do a deep dive - however they aren't necessary for web development. Simply understanding the basic concepts of how TCP ensures reliability and multiplexing is sufficient.

The Internet Protocol and Transmission Control Protocol are core to the internet - it simply wouldn't exist without them. The two protocols are generally simply referred to as the "TCP/IP" stack.Operating systems expose API's for communicating via TCP/IP via sockets. We now turn our attention to learning how to truly program with them.

Socket Programming

It's possible to write applications directly on top of IP, but it's not common. The transport layer - TCP in our case - makes for a much more convenient programming abstraction. TCP is a connection-oriented protocol that uses ports and sequence numbers, along with acknowledgement and resend strategies, to create reliable and (somewhat) private communication between two applications running on (usually) two different machines. The protocol itself is so standardized, that rather than implementing it yourself, you typically use your operating systems's APIs (either directly or indirectly) to handle the details for you. Most, if not all, operating systems comes with an API that implement the "TCP/IP Stack" - meaning they provide an API for programmers to work with TCP over IP. This API is usually exposed via C libraries, however most other programming languages provide developers a higher level API in the host language which wraps the C libraries of the operating system.

Regardless of which language you interact with the TCP/IP stack through, one single concept prevails: the socket. In network programming, a socket refers to a connection between two machines over a port number. In the case of a TCP socket, the socket consists of all of the following:

1. Port number of each machine (the two peers)
2. Sequence numbers (bi-directional)
3. TCP acknowledgement timer configuration, flow control established during TCP handshake

Notice, a socket is really just "state". It's not a physical connection, it's the book-keeping associated with implementing TCP on top of IP. In some languages, sockets are naturally represented by classes and objects, while in others they are represented by file descriptors or handles. Regardless, the operating systems is generally the player that maintains all the book-keeping - as it's the one that is implementing the IP and TCP protocols. The software representation of the socket is your interface into all of this functionality.

Side Note: What about UDP?

TCP isn't the only transport layer (Layer 4) protocol built on top of IP. UDP - User Datagram Protocol - adds some convenience on top of IP (Layer 3), but not quite as much as TCP does. While TCP is a connection oriented protocol, which establishes sequence numbers for communication, the UDP protocol is connectionless. UDP adds the concept of port numbers on top of IP (as TCP does), but peers can send data to target machines without any initial "handshake". This means communication can be faster - there's less overhead - but the tradeoff is that UDP does not include a mechanism to recognize lost or out-of-order communication, or the ability to correct these problems. This is because UDP does not add a concept of sequence numbers, which allows for any detection of lost/out-of-order packets. When working with UDP, the application developer must handle these concepts (if necessary) at the application level.

It's fair to ask - why does UDP exist if it doesn't detect or resolve lost or out of order packets? The answer is pretty simple - there are times where you simply don't need reliability, but you do want to send / receive data via specific port numbers. The IP protocol sends data between machines, but Layer 4 Transport Protocols (TCP and UDP) establish port numbers to allow for separate streams of communication. This allows multiple applications on a single machine to receive data from different machines.

UDP is a great alternative for applications that are streaming updates. For example, a networked video game may be sending a player's physical location to peer machines. In this case, each individual position update is not critical - if one is lost, it's better to receive the next update, rather than try to get the last update resent. Likewise, when implementing video or audio communication systems - where video content is streaming across the internet - a dropped frame or audio clip shouldn't be resent - it's better to simply receive the next one. These types of applications need port numbers (separate streams of data communication), but they don't need the detect/resend functionality of TCP. UDP is enough, and since it's more efficient, applications benefit from increased network performance.

Pro Tip💡: If you find yourself implementing reliability control on top of UDP, take a step back. TCP is used by almost every single networked application in the world that needs reliable communication. It's optimized. It works, and it works well. Don't implement your own reliability protocols unless you have an incredibly good reason to (and I'd respectfully argue that you probably don't!). If you need reliability, use TCP. If you aren't sure if you need reliability, use TCP. If you are really sure you don't need reliability, then use UDP.

A Server, A Client and a Connection

The terms server and client are loaded terms in computer networking. They mean a lot of different things, in a lot of different contexts. For TCP/IP networking, the two terms really mean something very simple however:

• The Server - the machine that accepts new connections when contacted by another machine.
• The Client - the machine that initiates contact with a server to establish a connection.

Notice what the above does not say. There is no contextual distinction between what a server or and client actually do, once they connect with each other. There is no expectation that further communication is in a specific direction (server sends things to client, or vice versa), bi-directional, or otherwise. There is an implied difference in the two machine's role however: the server usually accepts and can maintain connections with several clients simultaneously, while clients generally talk to one server at a time (although there are many exceptions to this pattern).

So, how does a client establish a connection? It all starts with the client application knowing which machine it wants to talk to, and through which port number.

Let's outline an example sequence, and then we will discuss how the client might obtain this information a bit later.

The Server: Example

The server application is running on a machine with an IP address of 129.145.23.122. It listens for TCP connections from clients on port number 3000. This is commonly written as 129.145.23.122:3000. In the next section, we will cover how this listening action is performed in C code, and then in some other languages.

The Client: Example

The client application is running on a different machine, with an IP address of 201.90.1.17. Critically, it knows the server's IP address and the port number - it knows that it will be connecting to 129.145.23.122:3000.

Making the Connection

The client will invoke an API call to connect to the server - passing the 129.145.23.122:3000 IP/port information to the appropriate library call.

This library call (or sequence of calls, depending on the programming language and operating system) will do a few things:

1. It will request from the operating system a free port number on the client machine. This port number is not known ahead of time - and need not be the same every time the application runs. It won't be the same for all clients. It's required, because eventually the server will need to send data to the client machine, and it will need a port number to do that - but the client will tell the server which port to use during the connection process, so it doesn't need to be known ahead of time.
2. The operating system's networking code will invoke the appropriate network devices to send a TCP connection request to the server (IP address 129.145.23.122, port 3000). This connection request is sent as a set of IP packets, using the IP protocol. The server, which must be listening on port 3000, will receive this data and exchange several more messages with the client machine. This handshake exchanges information such as (1) client's socket port number, (2) sequence number starting points (probably 0 for each direction), (3) acknowledgement expectations (how long to wait for acknowledgements, how frequent they should be, etc.) and any other information associated with the implementation of TCP.
3. Most importantly, the handshake process includes a critical step on the server side. The server, which was listening for requests on port 3000, requests it's operating system to allocate a new port number to dedicate to communicating with this particular client. This port number, much like the client's port number, is transient - it will be different for every client connection, and every time the server runs. This port number is sent to the client during the handshake data exchange.

To summarize:

• The client initiates the connection by sending data to the server at the server's IP address and listening port number.
• The client sends the server the port number that the server should use when sending data to the client.
• The server creates a new port number, and sends this port number to the client so the client knows which port number to talk to the server over from now on.

At this point, we can consider the socket connected. The socket is a connection - it contains the IP address of both machines, the port numbers each machine is using to communicate for this specific connection, and all the TCP bookkeeping data such as sequence numbers and acknowledgement parameters.

From this point forward, when the client sends data to the server, it sends it via TCP to IP address 129.145.23.122 on port 8432. When the server sends data to the client, it sends to IP address 201.90.1.17 on port 5723. Port numbers 8432 and 5723 are arbitrary and dynamically generated at run time - only the listening port on the server (3000) must be known ahead of time.

Key Point 🔑: The creation, by the server, of a new port number for the new connection is something that is often missed by students. The server is listening for new connections on port 3000 - but once a connection is created, it does not use port 3000 for communicating with the newly connected client - it uses a new port number, dynamically generated for the client. This allows the server to now continue to listen for ADDITIONAL clients attempting to connect over port 3000.

How does the client know which port to connect to?

You might be wondering - how does the client know to contact the machine with IP address of 129.145.23.122, and how does it know it is listening on port 3000? The short answer is, it just does!

A client must know which machine it wants to connect to, and what port number it is accepting connections on. When two applications are connecting to each other, written by the same programmer, or programming team - this information is often just baked into the code (or, hopefully, configuration files).

Sometimes, the client application will just ask the user for this information - and the user is responsible for supplying it.

In other circumstances, port numbers might be known through convention. For example, while email servers could listen on any port number, most listen on either port 25, 587, or 465. Why those port numbers? Well, that's harder to answer - but the reason's are historical, not technical. We'll learn a few, but there are a lot. These conventional port numbers are more often referred to as well-known port numbers.

Just remember, client' initiate connections to servers. Clients need to know the server's address and port - somehow. Servers don't need to know anything ahead of time about clients - they just accept new connections from them!

Echo Client and Server

In this section we will put everything we've learned about TCP/IP together, and implement a simple networking application - the echo server and client. The echo server/client is a set of (at least) two applications. The echo server listens for incoming TCP connections, and once a connection is established, will return any message sent do it by the client right back to the very same client - slightly transformed. For this example, the client will send text to the server, and the server will send back the same text, capitalized.

Here's the sequence of events:

1. Echo server starts, and begins listening for incoming connections
2. A client connects to the server
3. A client sends text via the TCP socket (the text will be entered by the user)
4. The server will transform the text into all capital letters and send it back to the client
5. The client will receive the capitalized text and print it to the screen.

If the client sends the word "quit", then the server will respond with "Good bye" and terminate the connection. After terminating the connection, it will continue to listen for more connections from additional clients.

Implementation - C++ Echo Server

Most of the code in this book is JavaScript. It's important to understand that the web, networking, and TCP / IP are all language agnostic however. Applications can communication with TCP/IP no matter what programming language they are written in, and there is no reason to ever believe the server and client will be written in the same programming language.

To reinforce this, we'll present the server and client in C++ first. The C++ code presented here might seem really foreign to you - don't worry about it! It's specific to the POSIX environment (actually, MacOS). Don't worry about understanding the code in detail - instead, closely look at the steps involved. We will then substituted the C++ client with a JavaScript implementation, and show how it can still talk to the C++ echo server. Finally, we'll replace the C++ server with a JavaScript server.

// Headers for MacOS
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>

// Standard C++ headers
#include <iostream>
#include <string>
#include <thread>

const u_short LISTENING_PORT = 8080;

// Capitalizes the input recieved from client
// and returns the response to be sent back.
std::string make_echo_response(std::string input)
{
    std::string response(input);
    for (int i = 0; i < response.length(); i++)
    {
        response[i] = toupper(response[i]);
    }
    return response;
}

// The client connection is handled in a new thread.
// This is necessary in order to allow the server to
// continue to accept connections from other clients.
// While not necessary, this is almost always what servers
// do - they should normally be able to handle multiple
// simulusatneous connections.

void do_echo(int client_socket)
{
    std::cout << "A new client has connected." << std::endl;
    while (true)
    {
        char buffer[1024];
        std::string input;
        int bytes_read = read(client_socket, buffer, 1024);
        if (bytes_read <= 0)
        {
            std::cout << "Client has disconnected." << std::endl;
            break;
        }

        input = std::string(buffer, bytes_read);
        std::cout << "Received: " << input << std::endl;

        std::string response = make_echo_response(input);
        std::cout << "Sending: " << response << std::endl;

        // Send the message back to the client
        write(client_socket, response.c_str(), response.length());

        if (response == "QUIT")
        {
            std::cout << "QUIT command received. Closing connection." << std::endl;
            break;
        }
    }
    // Close the client socket
    close(client_socket);
}

int main()
{
    // Create the listening socket
    // This call creates a "file descriptor" for the socket we will listen
    // on for incoming connections.
    int listening_socket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    // Next we initialize a data structure that will be used to attach
    // the listening socket to the correct port number, along with some
    // other standard attributes.
    struct sockaddr_in ss;
    memset((char *)&ss, 0, sizeof(struct sockaddr_in));
    ss.sin_family = AF_INET;
    ss.sin_addr.s_addr = inet_addr("127.0.0.1"); // Just accept local connections
                                                 // Otherwise we need to deal with
                                                 // firewall/security issues -
                                                 // not needed for our little example!
    ss.sin_port = htons(LISTENING_PORT);         // port number

    // Now we bind the listening socket to the port number
    // Should check that bind returns 0, anything else indicates an
    // error (perhaps an inability to bind to the port number, etc.)
    bind(listening_socket, (struct sockaddr *)&ss, sizeof(struct sockaddr_in));

    // Now we tell the socket to listen for incoming connections.
    // The 100 is limiting the number of pending incoming connections
    // to 100. This is a common number, but could be different.
    // Should check that listen returns 0, anything else indicates an
    // error (perhaps the socket is not in the correct state, etc.)
    listen(listening_socket, 100);

    // At this point, the server is listening, a client can connect to it.
    // We will loop forever, accepting new connections as they come.
    std::cout << "Listening for incoming connections on port "
              << LISTENING_PORT << std::endl;
    while (true)
    {
        // Accept a new connection
        struct sockaddr_in client;
        socklen_t len = sizeof(struct sockaddr_in);

        // The accept call will block until a client connects. When a client connects,
        // the new socket connected to the client will be returned.  This is a different
        // socket than the listening socket - which remains in the listening state.
        int client_socket = accept(listening_socket, (struct sockaddr *)&client, &len);

        // Now we have a new socket connected to the client. We can handle this
        // connection in a new thread, so that the server can continue to accept
        // connections from other clients.
        std::thread echo_thread(do_echo, client_socket);
        echo_thread.detach();
    }
}

Implementation - C++ Echo Client

// Headers for MacOS
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>

// Standard C++ headers
#include <iostream>
#include <string>
using namespace std;

// Notice that this lines up with the listening
// port for the server.
const u_short SERVER_PORT = 8080;

int main()
{
    // Create the socket that will connect to the server.
    // sock is a "file descriptor".
    int sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    // Next we initialize a data structure that will be used
    // to connect to the server - it contains information about
    // which IP address and port number to connect to.
    struct sockaddr_in ss;
    memset((char *)&ss, 0, sizeof(ss));
    ss.sin_family = AF_INET;

    // This is the IP address of the server. For this simple example,
    // the server is running on the same machine as the client, so "localhost"
    // can be used.  If the server was elsewhere, we can use the same code, but
    // with the name of the machine (or IP address) replacing "localhost".
    struct hostent *sp; // struct to hold server's IP address
    sp = gethostbyname("localhost");
    memcpy(&ss.sin_addr, sp->h_addr, sp->h_length);

    // This is the port number of the server. This must match the port number
    // the server is listening on.
    ss.sin_port = htons(SERVER_PORT);

    // Now we connect to the server. This call will return when the connection
    // is established, or if it fails for some reason.
    int result = connect(sock, (struct sockaddr *)&ss, sizeof(ss));
    if (result != 0)
    {
        std::cerr << "Error connecting to server " << strerror(errno) << endl;
        return result;
    }

    while (true)
    {
        // We are connected (or write will fail below)
        int n;
        char buffer[1024];
        string echo_input;
        string echo_response;

        // Read a message from the user
        cout << "Enter a message: ";
        getline(cin, echo_input);

        // Send the message to the server, should always check
        // that n == echo_input.length() to ensure the entire message
        // was written...
        cout << "Sending: " << echo_input << endl;
        n = write(sock, echo_input.c_str(), echo_input.length());

        // Read the message from the server.  Should check if n < 0,
        // in case the read fails.
        n = read(sock, buffer, 1024);
        echo_response = string(buffer, n);
        cout << "Received: " << echo_response << endl;
        if (echo_response == "QUIT")
        {
            break;
        }
    }

    // Close the socket
    close(sock);
}

Implementation - JavaScript Echo Client

We can implement a compatible client in any language, there is no need for client and server to be written in the same language! If you aren't familiar with JavaScript, or callback functions, then the following code may seem a bit mysterious to you. Rather than focusing on those mechanics, try to focus on what's happening with sockets - you should notice the similarities between the C++ example and this. The main difference is that callback take the place of synchronous loops, and the Node.js interface for sockets is quite a bit simpler than the C++ version.

The easiest way of thinking about the difference between the C++ and JavaScript versions is that JavaScript is event driven. In the C++ version, everything is sequential - we make function calls like getline, connect, write and read. Everything executes in order, and we use loops to do things over and over again.

In the JavaScript version, we identify events - when the socket gets connected, when the user types something in, when a response is received from the server. We write functions (usually anonymous) that contain code that executes whenever these events occur. Notice in the code below there are no loops - we simply specify, send the entered text whenever the user types something and print the response and prompt for more input whenever the server response is received. Those callbacks happen many times - and the sequence is kicked off by connecting to the server.

We will talk a lot about callback in JavaScript in later chapters - don't get too bogged down on this now!

// The net package comes with the Node.js JavaScript environment, 
// it exposes the same type of functionality as the API calls used 
// in C++ and C implementations - just wrapped in a more convenient
// JavaScript interface.
const net = require('net');
// This is also part of Node.js, it provides a simple way to read
// from the terminal, like the C++ iostream library.
const readline = require('readline');

// Notice that this lines up with the listening
// port for the server.
const SERVER_PORT = 8080;


// This just sets up node to read some lines from the terminal/console
const terminal = readline.createInterface({
    input: process.stdin,
    output: process.stdout
});

// This is a callback function.  Whenever a user types anything on stdin, 
// and hits return, this anonymous function gets called with the text
// that was entered.  The text is sent to the socket.

// We'll cover callbacks later in depth - but for now, just know 
// this is a function that gets called when a user types something. It's 
// not getting called "now", or just once - it gets called whenever a line
// of text is entered.
terminal.on('line', function (text) {
    console.log("Sending: " + text);
    client.write(text);
});


// Now we create a client socket, which will connect to the server.
const client = new net.Socket();
client.connect(SERVER_PORT, "localhost", function () {
    // Much like terminal.on('line', ...), this is a callback function, 
    // the function gets called when the client successfully connects to 
    // the server.  This takes some time, the TCP handshake has to happen.  
    // So the "connect" function starts the process, and when the connection
    // process is done, this function gets called.

    // We just prompt the user to type something in and when they do, the 
    // terminal.on('line', ...) function above will get called.
    console.log("Enter a message:  ");
});

// And another callback - this time for when data is recieved on the socket.
// This is the server's response to the message we sent.
// We quit if it's time to, otherwise we prompt the user again.
client.on('data', function (data) {
    console.log('Server Response: ' + data);
    if (data == "QUIT") {
        // This closes the socket
        client.destroy();
        // This shuts down our access to the terminal.
        terminal.close();
        // And now we can just exit the program.
        process.exit(0);
    } else {
        console.log("Enter a message:  ");
    }
});

Implementation - JavaScript Echo Server

We can write a server in JavaScript too, and the C++ and JavaScript clients can connect to it - even at the same time. In this example, Node.js's net library along with it's asynchronous callback design really shines. We don't need to deal directly with threads, while still retaining the ability to serve many clients simultaneously.

// The net package comes with the Node.js JavaScript environment, 
// it exposes the same type of functionality as the API calls used 
// in C++ and C implementations - just wrapped in a more convenient
// JavaScript interface.
const net = require('net');

const LISTENING_PORT = 8080;

// The concept of "server" is so universal, that much of the functionality
// is built right into the Node.js "createServer" function.  This function call
// creates a socket - we are just providing a function that will be called 
// (a callback) when a new client connects to the server.
const server = net.createServer(function (socket) {
    // A new socket is created for each client that connects, 
    // and many clients can connect - this function will be called
    // with a different "client" socket for any client that connects.

    console.log("A new client has connected.");

    // Now we just add a callback to implemenent the echo protocol for
    // the connected client - by looking at what the client sends is.
    socket.on('data', function (data) {
        const input = data.toString('utf8');
        console.log("Received:  ", input);

        response = input.toUpperCase();
        console.log("Sending:  " + response);
        socket.write(response);
        if (response == "QUIT") {
            console.log("QUIT command received. Closing connection.");
            socket.destroy();
        }
        // otherwise just let the socket be, more data should come our way...
    });
    socket.on('close', function () {
        console.log("Client has disconnected.");
    });
});

// The last little bit is to tell the server to start listening - on port 8080
// Now any client can connect.
console.log("Listening for incoming connections on port ", LISTENING_PORT);
server.listen(LISTENING_PORT);

It's actually a pretty amazing little program - in just a few lines of code we have implemented the same TCP echo server as we did using over 100 in C++!. It's the same functionality though, and completely interoperable!

Echo is just a protocol

We've discussed the Internet Protocol as a Layer 3 network layer protocol. It's a standard way of addressing machines, and passing data through a network. We've discussed TCP as a Layer 4 transport layer protocol. TCP defines ports to facilitate independent streams of data mapped to applications, along with reliability mechanisms. In both cases, protocol is being used to mean "a set of rules". IP is the rules of addressing and moving data, TCP is the rules of making reliable data streams.

Echo is a protocol too, but it's a higher level protocol. It defines what is being communicated (text gets sent, capitalized text gets returned) - not how. It also defines how the communication is terminated (the client sends the word "quit"). Echo has aspects of OSI model's Layers 5-7, but it's probably easier to think of it as an application layer protocol.

Notice, any application that speaks the "echo protocol" can play the echo game! Go ahead and check out all of the examples in the /echo directory of the code section - included are implementations in Python and Java to go along with JavaScript and C++. They all play together. Taking a look at examples in languages you already know might help you understand the mechanics of sockets a bit better!

The Protocol of the Web

The protocol of the web defines what web clients and web servers communicate. Normally, TCP / IP is used at the network and transport layer - but as we've seen, that doesn't describe what is sent - just how. In order for all web clients and servers to be able to play happily together, we need an application layer protocol. This protocol is the subject of the next chapter - the HyperText Transfer Protocol - HTTP.

Just like for the echo server and client, HTTP isn't about a specific programming language. Any program, regardless of the language it is written in, can speak HTTP. Most web browsers (clients) are written in C, C++ (and some partially in Rust). Web servers are written in all sorts of languages - from C, Java, Ruby, and of course Node.js / JavaScript!

Hypertext Transfer Protocol

Hypertext

We all know what text is. It's not a stretch from text to the concept of a text document - we're all pretty familiar with that idea too. One thing about text documents (think about paper documents) is that they often refer to other documents. These references might be footnotes, citations, bibliographies, or just embedded as quotations in the text.

Hyper, in mathematics, means extension. The concept of somehow extending text documents - such that you could instantaneously reach things such as references - was inspired by pre-computer technologies like microfilm. The term hyper-text first appeared in an article written by Vannevar Bush in 1945, in which a futuristic device called the Memex allowed a user to instantly skip and link to content made of chains of microfilm frames. In the 1960's, this concept was closer to reality through digital document systems. Ted Nelson coined the terms HyperText along with HyperMedia (referring to a systems where not just text could be linked and skipped to, but also images, sound, and video).

The concept of having links within documents that could be traveled instantaneously is a powerful one. It's not just that a reader can quickly skip to different documents (and then return to the original), but documents could embed other documents and media from different sources. If you consider pre-digital information systems (i.e. books, card catalogs, and libraries), you can see how much of a leap this is.

There is a lot more history to hypertext. You are encouraged to do some research, but let's move on to how hypertext moved from an emerging idea to the technology that we use every single day.

While working at CERN in 1989, Tim Berners-Lee proposed a project to link text documents already on the internet together, called the WorldWideWeb. The core of the proposal was a protocol for addressing documents, requesting documents over TCP, and delivering documents. Crucially, within these documents was a way to embed addresses of other documents. This allowed the software rendering the document to allow a user to ask it to display that resource. We of course recognize this as a link. We use them every day :)

If you haven't put it together yet, the WorldWideWeb project is where we got the www from, and documents that were available on this system were written in an early version of HTML - which stands for Hper Text Markup Language. The "software" that rendered these documents was the first web browser. Some of the very first web browsers were text based, the Line Mode Browser and Lynx are some of the most influential. Berners-Lee is also credit with creating the first web server at CERN, to serve the documents to the first browsers.

HTTP Protocol

The glue between the browser and the server is the protocol that they use to address, request, and deliver documents (which are more accurately called resources, since they need not be text). The protocol is the HyperText Transfer Protocol. Just like the "echo" protocol we saw in the last chapter, it's just a text-based protocol. Text is is sent from the client (the web browser), interpreted by the server, and text is sent as a response. The difference is that the text is much more structured, such that it can include metadata about the resources being requested and delivered, along with data and resources themselves.

The HTTP protocol has proven to be a remarkably powerful method of exchanging data on networks. It is fairly simplistic, but is efficient and flexible. At it's heart is the concept of resources, which are addressable (we'll see this referred to as a URL - universal resource locator). If we think of HTTP as a language, then resources are the nouns - they are the things we do things with. The verbs of HTTP are the things we do - the requests web browsers (clients) perform on resources. The adjectives are meta data that we use to describe both nouns and verbs - we'll soon recognize these as request and response headers.

The Nouns of HTTP - URLs and Domain Names

We can't build a hypertext system without a way of addressing resources - whether they are text or some other form of media. We need a universal way of identifying said resources on a network. In the previous chapter, we learned that the Internet Protocol has an addressing scheme for identifying machines on the internet. We also learned that TCP adds a concept of a port number, which further identifies a specific connection on a machine. We learned that when creating a socket, we needed to use both - and we used the format ip_address:port - for example, 192.45.62.156:2000.

The descriptors of IP and TCP get us partially towards identifying a resource on the internet - the IP address can be the way we identify which machine the resource is on, and the port number helps identify how to contact the server application running on that machine that can deliver the resource to us. There are two components that are not described however:

1. Which protocol should be used to access said resource?
2. Which resource on the machine are we trying to access?

By now, you should know that the protocol we will be dealing with is HTTP. The protocol is also referred to as the scheme, and can be prepended to the address/port as follows:

http://192.45.62.156:2000

The above is telling us that we are looking to get a resource from the machine at IP address 192.45.62.156, which has a server listening on port 2000, capable of speaking the HTTP protocol. http:// isn't the only scheme you may have seen - you've probably noticed https:// too. This is a secure form of HTTP which is simply HTTP sent over an encrypted socket. Secure HTTP is still just HTTP, so we won't talk much about it here - we can make HTTP secure simply by creating an encrypted socket - and we will do so in future chapters.

By the way, there are lots of schemes - most of which map to protocols. It's not unheard of to see ftp://, mailto://, and others. Here's a fairly complete list.

As for #2, which resource, we borrow the same sort of hierarchy mental model as a file system on our computer. In fact, the first web servers really simply served up documents, stored on the machine's file system. To refer to a specific file on in a file system, we are fairly used to the concept of a path, or file path. The path /a/b/c/foo.bar refers to a file called foo.bar found in the c directory, which is in the b directory, inside the a directory, which is found at the root of the file system. When used to identify an http resource, the "root" is simply the conceptual root of wherever the web server is serving things from.

Therefore, to access a resource under the intro directory called example.html on the machine with address 192.45.62.156, by making a request to a server listening on port 2000 speaking http, we can use the following universal resource locator:

http://192.45.62.156:2000/intro/example.html

A Universal Resource Locator, or URL is the standard way to identify a resource on the web. We'll add additional components to it later, but for now it's just scheme://address:port/path.

The URL http://192.45.62.156:2000/intro/example.html might look sort of familiar, but URLs that we normally deal with don't have opaque IP addresses in them, at least typically. They also don't normally have port numbers.

First off, let's discuss port numbers quickly. As we discussed in the previous chapter, clients must always know the port number they need to connect to when initiating a connection. While it's always OK to specify them in a URL, we can also take advantage of well known or conventional port numbers. On the web, http is conventionally always done over port 80, and https (secure http) is done over port 443. I know, this feels random. It sort of is. Thus, whenever we use scheme http:// and omit the port number, it is understood that the resource is available on port 80. When https:// is used, 443 is assumed.

Pro Tip💡 Do not, under any circumstance get confused... HTTP does not have to use port 80. It can use any port you want. HTTP is what you send over a socket, it doesn't care which port that socket is associated with. In fact, on your own machine, it is unlikely you will easily be able to write a program that creates sockets on ports 80 or 443, because typically the operating system safeguards them. As developers, we often run our web software on other ports instead - like 8080, 8000, 3000, or whatever you want. Typically these port numbers can be used by user programs on a machine, and are firewalled to avoid external (malicious) connections. A program that works on port 8080 will work on port 80, you just need to jump through some security hoops!

So, let's revise our example URL to use port 80

http://192.45.62.156:80/intro/example.html

This URL is perfectly valid, but since port 80 is the default port for HTTP, we could also write the following:

http://192.45.62.156/intro/example.html

Domain Name Service

If URLs required people to remember the IP address of the machines they wanted to connect to, it's fair to assert the WorldWideWeb project wouldn't have become quite so mainstream. Absolutely no one wants to use IP addresses in their day-to-day life. Rather, we would much prefer to use more human-friendly names for machines. This brings us to the concept of domain name.

Domain names are sort of structured names to refer to machines on the internet. We say sort of because a given domain name might not actually correspond to just on machine, and sometimes one machine might be reachable from several domain names. Conceptually however, it's OK for you to think of a domain name as being a specific machine.

The phrase "domain name" however is not the same thing as "name". Otherwise we'd just say "name". On the web, there exists the concept of a "domain" - which means a collection of machines. A domain is something like google. Domains are registered within a central and globally accessible database, organized by top level domains. Top level domains simply serve to loosely organize the web into different districts - you'll recognize the big ones - com for commercial, edu for education, gov for government domains.

Thus, the google domain is registered under the com top level domain (TLD) since it is a commercial enterprise. Combining the two, we get google.com. TLDs are not strictly enforced. Just because a domain is registered under the .com TLD doesn't mean it's "commercial". Some TLD's are regulated a bit more closely (for example, .edu and .gov) since those TLDs do indicate some degree of trust that those domains are being run by the appropriate institutions. There are many, many TLDs - some have been around for a long time (.org, .net, .biz), but within the past decade the number has exploded.

Pro Tip💡 One thing that you should understand as we discuss domains and top level domains is that the actual concept is pretty low-tech. Top Level Domains are administered by vendors. The .com TLD was originally administered by the United States Department of Defense. Responsibility for administering the .com TLD changed over to private companies, including Network Solutions and then to it's present administrator - Verisign. There are many online vendors that allow you to register your own domain under .com, but they ultimately are just middlemen, your domain is registered with Verisign. This is the same for all TLDs - different TLDs are administered by different companies. These companies maintain enormous database registries, and these registries are, by definition, publicly accessible.

The domain google.com doesn't necessarily specify a specific machine - it's a group of machines. A full domain name can build on the domain/TLD hierarchy and add any number of levels of sub domains until a specific machine referenced. A registrant of a domain is typically responsible for defining it's own listing of subdomains and machines within it's domain - typically through a name server. A name server is really just a machine that can be contacted to resolve names within a domain to specific ip addresses.

Let's say we are starting a new organization called acme. Acme will be a commercial enterprise, so we register acme.com with Verisign. As a retail customer, we would probably do this domain service provider - there are many, such as NameCheap, DreamHost, GoDaddy, etc. As a larger company, we may do this directly through Verisign or another larger player closer to the TLD. At the time the domain is registered, a specific name server will be provided. For example, if we were to register our acme.com site through NameCheap, the registration would automatically be passed to NameCheap's name servers (a primary and a backup)

dns1.registrar-servers.com
dns2.registrar-servers.com 

Note, those machines have already been registered and configured, so they are accessible through the same domain name resolution process as we will discuss in a moment (this will feel a little recursive the first time you read it:)

We would also have the possibility of registering our own nameservers, if we had our own IP addresses to use (and were willing to configure and maintain our own nameservers). Maybe something like this:

primary-ns.acme.com
backup-ns.acme.com

Unless our new company called "acme" had a really large number of computers, and a lot of network administrators, we probably wouldn't manage our own nameservers - but we could.

A name server is the primary point of contact when a machine needs to resolve a more specific subdomain or actual machine name within a domain. Let's continue with our acme.com example, and suppose we had a few machines we wanted to be accessible on the internet:

• www.acme.com - the machine that our web server runs on
• mail.acme.com - the machine our email system runs on
• stuff.acme.com - the machine we put our internal files on

The machine names are arbitrary, but you probably noticed that one's named www. It's not a coincidence this is named www, because that is what people traditionally have named the machine running their web site - however it doesn't need to be this way. There is nothing special about www. Incidentally, we can also just have a "default" record on our nameserver that points to a specific machine. So, we can configure our nameserver such that if someone requests the IP address of acme.com they receive the IP address of www.acme.com. This is very typical of course, we rarely ever actually type www anymore.

Pro Tip💡 In case you are wondering how a nameserver is resolved itself, it's done by contacting nameserver for the top level domain. In this case, Verisign operates a nameserver for .com, and it can be queried to obtain the IP address of registrar-servers, for example.

We've covered a lot of ground. To recap, registering a domain (ie acme) with a top level domain (ie .com) requires a name server to be listed. That nameserver has an IP address attached to it, and is publicly available. The nameserver has a list of other machines (ie www, mail, stuff), and their IP addresses.

Let's recall why we are talking about DNS in the first place. Ultimately, we want to be able write a URL with a human friendly name - http://acme.com/intro/example.html instead of http://192.45.62.156/intro/example.html. Clearly, that URL is probably going to be typed by a user, in the address bar of a web browser. So, the real question is - if the browser wants to know the IP address of www.acme.com how does it go about obtaining this information?

DNS Resolution

DNS resolution is really just a multi-step query of a giant, global, distributed look up table. A lookup table that, when flattened, contains a mapping of every single named machine to it's associated IP address.

Let's identify what is happening when we resolve www.acme.com. A web browser is just a program, and it's probably written in C or C++. One of the first things that needs to happen is that the browser code invokes an operating system API call to query the DNS system for www.acme.com. The DNS system starts with the operating system, which comes pre-configured (and via updates) with a list of IP addresses it can use to reach TLD nameservers. In this case, it will query the appropriate TLD nameserver to obtain the IP address of the acme.com nameserver (let's assume this was registered at NameCheap, so it's dns1.registrar-servers.com). This "query" is performed (usually) over UDP on port 53, although it is also commonly done over TCP. The protocol of the query is literally just the DNS protocol. The protocol is out of scope here, but it's just a set of rules to form structure questions and responses about DNS entries.

Once the operating system receives the IP address of the name server for acme.com, it does another query using the same DNS protocol to that machine (dns1.registrar-servers.com), asking it for the IP address for the www machine. Assuming all goes well, the IP address is returned, and passed back to the web browser as the return value of the API call. The web browser now has the IP address - 192.45.62.156. Note, that IP address is imagined, it's not really the IP address of www.acme.com.

Note, the web browser isn't the only program that can do this - any program can. In fact, there are command line tools available on most systems that can do it. These programs simply make API calls. If you are on a machine that has the ping command, you can type ping <server name> and see the IP address getting resolved.

> ping example.com
PING example.com (93.184.215.14): 56 data bytes
64 bytes from 93.184.215.14: icmp_seq=0 ttl=59 time=8.918 ms

You may also have a command line program named whois on your machine. You can get name server information using this. Go ahead and type whois acme.com, if you have it installed, you will see the name servers for the actual acme.com

To round things out, and to really make sure you understand how DNS resolution is achieved, here's a simple C++ program (written for MacOS) that can resolve a domain name to the associated IP address. As in the previous chapter, the goal of this code is not that you understand all the details - just that you see that it isn't magic, you just make API calls!

#include <iostream>
#include <cstring>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>

void resolve_hostname(const std::string &hostname)
{
    struct addrinfo hints, *res, *p;
    int status;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;     // AF_UNSPEC means IPv4 or IPv6
    hints.ai_socktype = SOCK_STREAM; // TCP, although isn't really necessary

    // Perform the DNS lookup
    if ((status = getaddrinfo(hostname.c_str(), NULL, &hints, &res)) != 0)
    {
        std::cerr << "getaddrinfo error: " << gai_strerror(status) << std::endl;
        return;
    }

    // The result (res) is a linked list.  There may be several resolutions listed,
    // most commonly because you might have both IPv4 and IPv6 addresses.

    std::cout << "IP addresses for " << hostname << ":" << std::endl;
    for (p = res; p != NULL; p = p->ai_next)
    {
        void *addr;
        std::string ipstr;

        if (p->ai_family == AF_INET)
        { // IPv4
            struct sockaddr_in *ipv4 = (struct sockaddr_in *)p->ai_addr;
            addr = &(ipv4->sin_addr);
            char ip[INET_ADDRSTRLEN];
            inet_ntop(p->ai_family, addr, ip, sizeof ip);
            ipstr = ip;
        }
        else if (p->ai_family == AF_INET6)
        { // IPv6
            struct sockaddr_in6 *ipv6 = (struct sockaddr_in6 *)p->ai_addr;
            addr = &(ipv6->sin6_addr);
            char ip[INET6_ADDRSTRLEN];
            inet_ntop(p->ai_family, addr, ip, sizeof ip);
            ipstr = ip;
        }
        else
        {
            continue;
        }

        // Here's the IP address, in this case we 
        // are just printing it.
        std::cout << "  " << ipstr << std::endl;
    }

    // Free the linked list
    freeaddrinfo(res);
}

int main()
{
    std::string hostname = "www.example.com";
    resolve_hostname(hostname);
    return 0;
}

If you compile this on a POSIX compliant machine (Linux, MacOS), you should get the same IP address for example.com that you got when using the ping command.

To close out the DNS discussion, what we've really done is made it possible to write URLs using people-friendly names, rather than IP addresses. Using IP addresses within a URL is perfectly valid, however we normally prefer a domain name when available.

Pro Tip💡 There's a lot more to learn about DNS, nameservers, and related technologies like CNAMEs and A records. We will discuss, much later, some of the basics of getting our web applications live on the web, by registering a domain name, and configuring it such that it is available to the public. When we do, we'll revisit DNS in more detail. There's a very detailed tutorial here if you are looking to dive deeper right away.

Noun Summary

URLs are the nouns in the HTTP protocol. They refer to resources - they may be HTML files, but they could be images, audio files, video files, PDF documents, or virtually anything else.

A URL contains a scheme, which indicates the protocol being used. In our case, the scheme will usually be http or https. The URL contains a domain name, or IP address, followed by a port number, if the port number used is not the default port number for the given scheme. After the port number, a URL can contain a path which specifically identifies the resource.

Nouns represent things, now we need to look at what we do with URLs - the verbs of HTTP.

Verbs - Requests and Responses

HTTP is a protocol for referencing and retrieving resources. In the previous section we described how resources are identified - which is of course a prerequisite for referencing and retrieving. Now let's take a look at actual retrieval.

The first thing to understand, and I'd argue that it is one of the most important and fundamental things for anyone who is learning the web to understand, is that HTTP operates on a request and response basis. ALL action begins with a request for a resource, by the client (the web browser). That request is followed by a response from the web server. That is it. Web servers do not initiate any action.

HTTP requests are just text, text that is sent over a TCP socket to a web server, from a web browser. They are formatted, they have a structure. Similarly, HTTP responses are just text too - and are sent over the same TCP socket from the web server, to the browser. The browser and client understand the format and structure of the requests and response, and behave appropriately.

Furthermore, each HTTP request and response pair is independent. That is, there is no contextual memory between requests/responses built into the HTTP protocol at all. Of course, you implicitly know that there must be some sort of contextual memory - since you know that you can do things in sequence over a series of web pages, such as build a shopping cart and check out, or login before accessing private data. This contextual memory (state) entirely managed by the web developer however, it is not part of HTTP. HTTP provides tools to support stateful interaction, but it does not do so on it's own. This is important to keep in mind as you begin.

So, what exactly is a request? A request is just that - it's a request for the server to do something to a particular resource. The server may agree, or disagree. There are only a few things that HTTP supports in terms of types or requests, although programmers can use them liberally.

The main types of requests are as follows:

• GET: A request to retrieve the data associated with a resource (the resource itself). The request should be read only, meaning if multiple GET requests are made, the same exact response should be returned, unless some other process has unfolded to change the resource.
• POST: A request to submit an entity (data) to the resource. This will usually change the resource in some way, or at least have some discernable side effect associated with the resource.
• PUT: A request to replace the current resource with another. A complete overwrite of the data, if it already exists. This is often used to create data at a given resource.
• PATCH: A request to modify a portion of the resource. Think of this as editing an existing resource, keeping most of the data.
• DELETE: A request to remove the resource.

There are a few others that are less commonly (directly) used, but are important nonetheless. We will discuss them a bit further later.

• HEAD: A request to retrieve only the metadata associated with a resource. This meta-data will be exactly the same as what would have been returned with the GET request, but without the resource. This is useful for caching.
• OPTIONS: A request to learn about which verbs are supported on this resource. For example, the result may say you can't delete it.

There is a wealth of information online describing all the specifications and expectations of HTTP verbs. We will cover what we need, as we go - but you can use the MDN docs for more information.

Of the above request types, by far the vast majority of requests are GET, followed by POST. Typically, GET requests are issues automatically by the web browser whenever the user types in a URL in the address bar, clicks a link, accesses a bookmark, etc. GET requests are also used to fetch images, videos, or any other resources embedded in an HTML page (we'll see how this is done in the next chapter). POST (and GET) requests are made by web browsers when users submit forms, which you will recognize as user inputs on web pages with buttons (ie username and password, with a login button).

PUT, PATCH, DELETE are not actually used by web browsers natively - however they are used by application developers to perform other actions, initiated by client-side JavaScript. We will defer discussion of them for now, but understand that the structure of a PUT, PATCH, or DELETE request doesn't differ from GET and POST within the HTTP protocol - they are just different types of requests.

Notice also that if you are used to thinking about resources (URLS) as being files on a web server, then some of these requests make intuitive sense, and some may not. GET is probably the most intuitive, you would make this request to read the file. But what about POST? Are we actually changing a file on the server? What's the difference between POST and PATCH then? Does PUT create a new file, and DELETE remove it? The answer is "maybe" - but you might be missing the point. URLs don't necessarily point to files.

Take the following URL:

http://contactlist.com/contacts/102

This might be a URL referring to contact with ID #102. That contact might have a name, address, phone number, etc. That contact isn't a "file", its an "entity". That entity might be stored in the server's memory, or maybe in one large file, or maybe a database! It's a thing. It's a noun. You can GET it, but now maybe is starts to make more sense that you can also POST to it, PUT it, PATCH it, and DELETE it. PUT might mean replace the contact info entirely, or maybe we are attempting to create a new contact with this ID number. DELETE might remove contact 102 from our contact list. PATCH might edit, while POST might come along with some data that then gets emailed to the contact. We'll see how requests can have data send along with them in a moment.

Pro Tip💡 The request type, unto itself, is meaningless. The web server will receive the request, and decide what to do. The "web server" is just code - and you, the programmer, will write that code. Customarily, if the web server receives a GET request, it should be idempotent (it does not change the state of anything), but the server could do whatever the programmer wants it to do. It could end up deleting something. There is nothing stopping the developer from making poor choices. There is nothing inherently forcing action about HTTP. HTTP is just defining a structured way of sending requests, it isn't forcing you to take a particular action. I say all this not to encourage anyone to do unexpected things. To the contrary, I am explaining this because it's important to understand that it is up to you to design your applications to conform to the expectations of HTTP. HTTP has stood the test of time, for nearly 40 years, through all the changes we've seen. It is wise to follow it's intended purpose, you will be rewarded - but keep in mind, you must actually do the work, nothings happening for you!

Making a Request

In the last chapter, we discussed domain name resolution. We know that given a URL, one way or another, we can obtain the following:

• The IP address of the target machine
• The port number to send data to
• The protocol we expect to use.

For example, if we have the following URL:

http://example.com/index.html

We know that example.com can be resolve to an IP address (at the time of this writing, it's 93.184.215.14). We know, since the protocol is http, the port is 80 since it's not specified otherwise. Thinking back to the echo server example, we now have enough information to open a socket using the TCP protocol to this server - all we needed was the address and port number.

Pro Tip💡 TCP is the transport protocol used for HTTP (and HTTPS). It doesn't make any sense not to use it, in the vast majority of cases. There may be some niche use cases where UDP is used in an unconventional situation, but it's rare enough for us to completely ignore for the remainder of this book.

In the echo server example, we opened a socket to the echo server (from the client) and sent over some text. The echo server responded by sending back the same text, capitalized. This was a request/response pair - but there was no structure to the message. This is where things start to diverge, and we see that HTTP provides structure, or almost a language to facilitate hypertext actions.

The most basic request contains only 4 things:

1. The verb
2. The path of the resource
3. The version of HTTP the client is speaking
4. The host the request is intended for.

The verb should be self explanatory - it's GET, POST, PUT, etc. The path of the resource is the path part of the URL. For example, if we are requesting http://example.com/foo/bar, the path is /foo/bar. The path identifies the resource on the given machine.

HTTP is just a text format, so given the first to things, we'd format the text request as

GET /index.html

This text would be sent straight to the webserver, just like the echo client sent straight text to the echo server. In this case however, the server would parse the text, and decide how to handle it.

Unfortunately, that's not enough. We have two more requirements - version and host.

First, the version (#3) - HTTP just like anything else in computer science, changes. It hasn't changed a lot though - it's actually remarkably stable. Version 0.9 was the first "official" version, and it just let you GET a resource. No other verb was present. Version 1.0 (mid 1990's) added things like headers (we'll see them in a bit), and by the late 1990's HTTP Version 1.1 was standardized. HTTP Version 1.1 is essentially still the defacto standard used - some 35 years later. In 2015 HTTP Version 2.0 was standardized. HTTP Version 2.0 is widely supported and used, however it's somewhat transparent to the web developer - as the major change was that it is a binary protocol with the ability to multiplex (have multiple simultaneous requests over the same socket) and enhanced compression. It does not make any changes to the actual content of the HTTP request (or response).

Suffice to say, in this book we'll use Version 1.1, since it's the latest text-based version. You wouldn't want to read HTTP in binary. Since ultimately we won't be writing our own HTTP beyond this chapter, instead letting libraries do it for us, the switch to Version 2.0 won't change anything for us.

The version is the third entry on the first line, which is referred to as the start line:

GET /index.html HTTP/1.1

Finally, we have #4 - the "host the request is intended for". Technically this is required, but in most cases it is. It is not at all uncommon for the same physical machine to host multiple "web sites". For example, you might have two domain names within your domain:

www.acme.com
private.acme.com

The www site might be the public facing website, while private might be a web portal used by employees, requiring a login. They are two separate domain names - however, to save costs, we want to have both sites served by the same physical machine. This might make a lot of sense actually, since it's unlikely the private portal has enough traffic to warrant it's own machine, and the two sites probably share a lot of the same data.

Since both domain names resolve to the same IP address, two clients sending requests to these sites would send their HTTP to the same web server. The web server would have no way of knowing which domain the client was looking for.

To make this clear, the following are two valid web addresses, and presumably two different resources.

www.acme.com/info.html
private.acme.com/info.html

The path is the same, but they are different web sites, from the perspective of the user. To help the web server understand which site the request if for, we add our first HTTP header, the Host header to the GET request.

GET /index.html HTTP/1.1
Host: example.com

From the acme examples above, we can now see why the requests would be different. Both of the following request go to the same web server, but the web server can see that one is asking for /info.html from www.acme.com and the other from private.acme.com.

GET /info.html HTTP/1.1
Host: www.acme.com

GET /info.html HTTP/1.1
Host: private.acme.com

Of course, it's up to the web server to be smart enough to differentiate the two requests and return the right resource!

Making a request yourself

We could take the echo client code we wrote in Chapter 2 and actually modify it to use port 80, and connect to example.com. We could then literally send two lines of text to it, conforming to the HTTP specifications, and get a response. It's a bit tedious though to keep doing this in C++ code.

We can quickly see how this works by using a common command line tool that is a lot like the echo client we wrote before - telnet. Telnet has been around for 50 years, and is available on most platforms. It lets you specify a host and TCP socket, and it opens a socket to that server. It then accepts anything you type at the command line, and shoots it across the socket. The response from the server is printed to the command line.

Go ahead and try it, if you can install telnet on your machine:

> telnet example.com 80

It will connect, and then sit and wait for you to type something.

Type GET / HTTP/1.1 and then enter. Nothing will come back, because the web server is waiting for more before responding. Type Host: example.com, and again - nothing will come back just yet.

The last requirement of an HTTP request is a blank line. This tells the server that you are done with the request. It's a really low tech delimiter!

Just hit enter again, and you'll see the full HTTP response from example.com come back, and print out. It will look something like this:

HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 86286
Cache-Control: max-age=604800
Content-Type: text/html; charset=UTF-8
Date: Fri, 13 Sep 2024 18:40:40 GMT
Etag: "3147526947+gzip"
Expires: Fri, 20 Sep 2024 18:40:40 GMT
Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
Server: ECAcc (nyd/D144)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 1256

<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <style type="text/css">
    body {
        background-color: #f0f0f2;
        margin: 0;
        padding: 0;
        font-family: -apple-system, system-ui, BlinkMacSystemFont, "Segoe UI", "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif;

    }
    div {
        width: 600px;
        margin: 5em auto;
        padding: 2em;
        background-color: #fdfdff;
        border-radius: 0.5em;
        box-shadow: 2px 3px 7px 2px rgba(0,0,0,0.02);
    }
    a:link, a:visited {
        color: #38488f;
        text-decoration: none;
    }
    @media (max-width: 700px) {
        div {
            margin: 0 auto;
            width: auto;
        }
    }
    </style>
</head>

<body>
<div>
    <h1>Example Domain</h1>
    <p>This domain is for use in illustrative examples in documents. You may use this
    domain in literature without prior coordination or asking for permission.</p>
    <p><a href="https://www.iana.org/domains/example">More information...</a></p>
</div>
</body>
</html>

What we have above is a full HTTP response. Pure text. Go ahead and open a web browser now, and type example.com into the address bar. You'll see something like this:

The web browser did the same thing as telnet did, but in a nicer way. It took what you typed in the address bar, example.com, and formed an HTTP GET request from it, pretty similar to what you entered into telnet. When it received the response, instead of showing you the pure text (which includes HTTP details we will learn about in a moment), it actually rendered the HTML that was included in the response.

Congratulations, you've demystified a lot of what you've been doing with a web browser most of your life already. The browser is just sending well formatted text to a server, and the server is responding. You've seen the raw text now - no magic.

Requests in HTTP really aren't a whole lot more complicated than what we've seen. In the real world, the only additions we generally have are (1) more headers, (2) request query strings, and (3) request body data. Let's take a look at those now:

Adjectives?

We've been building this analogy, of describing HTTP in terms of nouns (URLs) and verbs (request types). The analogy can go a little further, although it might be a perfect grammatical match. Adjectives are used to describe things - and in HTTP, we can use additional mechanisms to (1) describe the things we are requesting, (2) describe the details and parameters of the request, and (3) supply additional data along with the request. We do that using headers, query strings, and the request body.

Request Headers

We already saw one request header, the host header. Request headers are simply name / value pairs, separated by a colon, one pair on each line, right after the first line of an HTTP request. Recall, an HTTP request is in fact delimited by new lines, the first line is the start line, and then each line after that is a request header pair. The end of the request header pairs is denoted by a blank line, which is why we needed to press enter one extra time when interacting with example.com using telnet!

GET /info.html HTTP/1.1
Host: www.acme.com
another: header value
last: header value
<blank line>

Request headers are used to apply additional meta data to the HTTP request itself. The are many valid request headers, and we don't need to exhaustively enumerate them here. Let's cover a few, so you understand what they could be used for, and then we'll rely on other reference material for the rest.

Common Request Headers

• Host - the only required header for a valid HTTP request, used to support virtual hosts.
• User-Agent - a plain text string identifying the browser type.
• Accept - a list of file types the browser knows how to handle.
• Accept-Language - a list of natural languages the user would like responses to be written in (the HTML).
• Accept-Encoding - a list of compression formats the browser can use, if the web server wants to use compression.
• Connection - indicates whether the TCP connection should remain open after the response is sent (Keep-alive or Close)
• Keep-Alive - indicates the number of seconds to keep the connection open, after the response is sent. This only makes sense when Connection is set to Keep-Alive
• Content-Type - used for requests or responses, indicating what type of data is being sent. Some requests can carry with them additional data (typically POST, PATCH, PUT), and this helps the server understand what format the data is being transmitted in.
• Content-Length - the additional data being sent with the request (or the response) has a length, in bytes. In order for the server (or client, when dealing with responses) to be able to handle the incoming data, it's useful to know how long it is. Content-Length will represent the number of bytes that are being sent. Note, as we will se, the content in question is sent over the socket after the headers.
• Referrer - the URL the user is currently viewing, when the request is made. Think of this as being set to the url of the web page that the user clicked a link on. Clicking the link results in a new HTTP request to be sent, for that page. The new request will have the original page as the Referrer. This is how a lot of internet tracking works, when you arrive at a sight by clicking a link, that web site will know which web site (URL) led you to it.

It's worth taking the time to point out, headers are suggestions to the web server. Your HTTP request might provide a list of natural languages it would like the response in, but that certainly doesn't mean the web server is going to deliver the response in that language! Some web applications do have language options - but the vast majority do not. If the HTML on the server is written in Spanish, it doesn't matter what that your HTTP request uses Accept-Language to ask for Japanese. It's coming in Spanish!

Note that as an end user, you aren't all that used to thinking about these request headers. Your browser fills them in for you. Some may be based on user preferences (for example, the language you speak). Others are default values from your browser - like User-Agent. If you are using a Firefox web browser, the User-Agent string is set to Mozilla/5.0 (platform; rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion, where geckoversion and firefox version depend on your browser install.

It is important to remember that the web server cannot trust anything sent to it! For example, while Firefox sends a User-Agent string identifying the HTTP request as coming from Firefox, I could also write a telnet clone that added the very same User-Agent string to each request. The web server would have no idea that my own little program was not, in fact, Firefox! In the next section, we'll see how these headers are send/received in code - and it will be even more obvious.

A web server CANNOT accept anything written in an HTTP request as truth, it's just plain text, and it could be sent by anyone, with any program, from any place on the planet!

There are many, many headers. Check out the MDN for an exhaustive list. We'll come back to some of these as we progress, when there's more context to discuss around them.

Request Query Strings

Type https://www.google.com/ into your web browser. Not really surprising - you'll see google's home page, with an input box for your search term. That page is loaded as a result of your web browser generating an HTTP GET message, that has at a minimum the following:

GET / HTTP/1.1
host: www.google.com

Now, close the browser and reopen it. Type the following instead: http://www.google.com?q=cats.

You have the same page, but now notice that the contents of the search box, in the google.com home page, is filled out. It's filled out with what you added - q=cats results in "cats" being in the search box.

The web browser sent (roughly) the following message:

GET /?q=cats HTTP/1.1
host: www.google.com

Both requests are still identifying the / (root) home page on google.com as the page being loaded. However, the page is loaded/rendered differently when we include the new q=cats suffix.

The ? at the end of the string you typed marks the end of the path in the URL, and the beginning of the query string. The query string is a sequence of name / value pairs, with name/pair separated by the = sign, and pairs separated by the ampersand &. URLS cannot have spaces in them, and there are some other special characters that cannot be used either. The query string must be encoded to be a valid part of a URL, so if we were thinking of searching for "big cats", we'd need to use the query string q=big%20cats, for example. Most browses will accept and display spaces and other common characters, and seamlessly encode the URL before sending over the network.

As you might imagine, query strings aren't terribly difficult to parse (aside from the encoding rules, to an extent). Query strings are useful because they allow the user to specify an arbitrary number of name value pairs that the web server can use to satisfy the request. Query strings have a maximum length, which generally varies from server to server. The maximum length is usually around 2000 characters, but it can be as low as 256 characters. If you exceed the maximum length, the server may return an error. Web browsers also place a limit on the length of a URL in total, including the query string.

Query strings can appear in GET requests (most often), but they can appear in all the rest too - POST, PATCH, PUT, DELETE. They are supposed to be used as modifiers to the requested resource. An important aspect of query strings is that they are visible to the end user. They appear in the address bar of the web browser, and they are often used to pass information.

Go ahead and click "search" on google, with "big cats" in the search bar. Yes, you get search results, but also take a look at the address bar. The uRL will likely look something like this:

https://www.google.com/search?q=big+cats&source=somereallylongtrackingstring&oq=big+cats&gs_lp=somereallylongtrackingstring

There's probably more tracking strings in there, google works hard to hold on to some data about you and your browser. But let's keep focused on the search itself. When you clicked the "Search Google" button, you were submitting an HTML form (more on this later). The browser was instructed by the HTML to issue a new HTTP request, this time, a GET request to www.google.com/search. Note the path, /search. search certainly doesn't correspond to a static HTML page somewhere on google's servers, it's handled by code - and that code examines the value of the query string to know what you are looking for. In this case, the q parameter is used, and search results for "big cats" are returned.

The URL above, with the /search path and q is shareable and bookmarkable. You can copy and paste that URL into an email, and the recipient will see the same search results that you did. This is a powerful feature of the web, and it's all thanks to the query string. Whenever we want to issue a request to a particular URL, but we want to specify additional information, refinement, or clarification - we can use query strings. Keep in mind, the server needs to expect them, and be willing to use them, you can't just invent them on your own from the browser :).

Once you see them, you see them everywhere. Keep an eye on your browser as you use the web, and you'll see query parameters being used all the time, they have thousands of uses.

One of the more intimidating things about the web is that sometimes it can feel like there are a lot of ways of doing things, and that certain aspects of the technologies end up getting used in many different ways. While that's true (it gets easier with practice), there is usually some sort of rhyme and reason behind choices.

Query strings are best used when you are retrieving a resource (ie. GET), and are best used for specifying some sort of variation of the resource. This might be any of the following:

• the search term to use when generating search listings
• the starting and destination addresses in a door-to-door mapping site
• page numbers, limits per page, and other filters on product search pages
• ... and much more

Query strings are great when the query string is a meaningful part of what you might want to copy, save, or later visit. Query strings are part of the URL, and thus are saved in browser history.

Request Body

Think of the last time you logged into a web site. You entered your username or email address, along with your password. Then you clicked "Login" or "Sign in". This isn't much different than typing "big cats" into Google's search bar, and pressing "Search". Both pages use an HTML form (we'll see it in a while). However, something is very different. Unlike the search results page on Google, after you click the button and login, your username and password are not shown in the address bar. The username and password were sent along with the request, but they were not sent as query parameters. Instead, they were sent as part of the request body.

Before moving forward, it's worth nothing something really important. Just because the request body doesn't show up in the address bar, the data sent to the web server as part of the request body is not private and is not secure. Of course, it's better to use the request body rather than query parameters for sensitive information, it would be embarrassing to have this information right out in the open on the screen, for all to see, copy, and view in browser history.

https://embarassment.com/login?username=sfrees&password=broken

However, do not make the mistake of thinking a user name and password are safe from prying eyes just because you put it in a request body instead. Unless you are using TLS/HTTP, which encrypts the HTTP request itself, then anyone can intercept your HTTP request and can absolutely read the request body! It's still sent as plain text - it's just slightly more discrete.

Now let's get back to the request body. An HTTP request contains a start line and then one (the host) or more HTTP request headers, as described above. The request can have any number of headers, each on their own line. A blank line indicates the end of the HTTP request headers. After the blank line, however, additional content can be sent. This additional content is the request's body.

In order for an HTTP request to have a body, it must have Content-Length as one of it's headers. In nearly all cases, it also must have Content-Type as one of it's headers as well. This allows the web server to read the request headers, understand what is coming, and then to read the request body itself.

Not all HTTP verbs may have request bodies. When using a request body, you are limited to POST, PATCH, and PUT. More on why that is in a moment.

Here's an example of an HTTP POST message that submits some text to a URL on example.com

POST /test HTTP/1.1
Host: example.com

Content-Length: 26
Content-Type: text/plain

Hello World - this is fun!

Pro Tip💡 You might have noticed that a lot of the urls we are starting to use do not have .html extensions. It's helpful to start moving away from the notion of urls ending with .html - they usually do not. The path part of the URL ordinarily maps to code, that generates a response (usually HTML). Situations where URLS map directly to plain old HTML files on the server are rare, and the exception.

In the request above, the Content-Type indicates that the request body is simply plain text, and the Content-Length header tells the receiver to expect 20 bytes. If you think back to the Echo Server we wrote in chapter 2, you can imagine how a program (the web server) may read each line of the HTTP request - start line, then the headers - and then use that information to allocate enough space to read the rest of the request body.

Reading 20 bytes is one thing, but understanding it is another. In the first example above, text/plain indicates that there really isn't much to parse - and that they bytes should just be interpreted as normal ASCII code characters. text/plain is a MIME type - one of many internet standard format codes. We'll discuss more when we describe responses, but requests can have several Content-Type values that are pretty meaningful.

Let's return to that hypothetical login situation. We will learn about HTML forms in a future chapter, but for now let's just assume they allow use to specify a name for each input field, and then whatever the user types in the text box is the value. Those name value pairs can be used in to build a query string, but they can also be part of the request body instead.

Here's an HTTP post that includes form data - name value pairs formatted just like they were when part of the query string, but now they are part of the request body.

POST /login HTTP/1.1
Host: example.com

Content-Length: 31
Content-Type: application/x-www-form-urlencoded

username=sfrees&password=broken

Here, the request body is ASCII text, but the header is indicating to the web server that it is actually encoded as name value pairs, using the = and & delimiters. The server can read the request body (all 31 bytes of it) and parse it - just like it would parse the same data if it were at the end of a url as a query string.

Request bodies can be relatively short, where form data like that shown above is being sent with the request. However, request bodies can also be very large. They are used to upload lots of text and to upload files of arbitrary length. Web server will usually impose some limit on the length of a request body, but it's on the order of 10's of megabytes, or possibly far far larger.

Query Strings or Request Body?

In most cases, whether to use query string or request body to add data to a request is fairly straightforward conceptually. If you are sending modifiers, then those are usually done as query strings. Again, things like search terms, page numbers, page limits, etc. If you are sending what you would consider data, especially if that data is meant to persist somewhere, then you are probably better off using request body. Here's a further breakdown:

• Use Query String if:
  • Data is clearly name value pairs
  • There is a fairly limited number of name value pairs, and they are fairly short (under 2000 character total)
  • The name/value pairs aren't sensitive at all, you are OK with them being copy and pasted by users, and showing up in bookmarks and browser history.
• Use Request Body if:
  • Data is meant to change the state of some information store, or the state of the application itself. This includes data that will be stored to a database, the session (we'll see this later), login data, etc.
  • The data is large (anything over a couple of thousand characters)
  • The data is sensitive (remember, the request body isn't secure either, but it's better than having it in the address bar!)

Data size and sensitivity is pretty straightforward. The idea that the data, coming along with a request is thought of as data rather than a modifier is a little more subtle. It's a bit of an art form, but it lines up with why we use different HTTP verbs too. It might help to see it in that context:

• HTTP GET: Does not have a request body. Query string is the only way to transmit data with the request. GET is, by definition, supposed to be a read-only operation - the state of the server should not change as a result of the GET request.
• HTTP POST: Can have request body, and query string. Recall, POST is used to submit an entity (data) to the resource. The data being submitted, which is usually thought of as something that will be persisted, or have some sort of side effect, usually is sent in the request body. Parameters that may effect which resource is being affected, or how, might make use of query string.
• HTTP PUT: Usually will just use request body - which includes the data to create or overwrite the resource. Again, it's possible that a query string can be used, in conjunction, to further refine what type of entity is being created or overwritten - but the data belonging to the entity will be sent as a request body.
• HTTP PATCH: Same as PUT, in that the entity data being modified is usually best sent as a request body.
• HTTP DELETE: There is never a request body for a DELETE request, as no data is being sent - only removed. It is possible that query parameters may serve as ways to specify options for deletion (aks soft delete, cascading delete, etc).

We've already seen an HTTP response a few times now. Let's dive into what a well formed HTTP response looks like now.

HTTP Responses

When a web server receives a request, it has complete control over how to respond. One of the first things that it will do is decide between some categories of ways to respond. There are 4 main types of responses:

1. Everything is ok, so I'll perform the request
2. The request is fine, but you (the client) should request something else instead
3. The request is invalid, you (the client) have made an error, and there will be no response.
4. The request was possibly valid, but the server has encountered an error and no response is available.

Response types 1, 3, and 4 probably make sense. Response 2 probably seems a bit odd, but it's useful.

Pro Tip💡 A reminder: Saying "it has complete control" is inaccurate. YOU, the web developer coding the logic on the web server, have complete control!

In it's most simple form, an HTTP response need only respond with a single line of text - which includes the HTTP version, the response code (derived from the type above), and a text description of the response code.

Here's a typical response for when things go well:

HTTP/1.1 200 OK

Here's a response for when things go badly, and the server encounters an error.

HTTP/1.1 500 Internal Server Error

Clearly, we are using HTTP version 1.1. Notice the codes 200 and 500. Those are response codes, and there are a bunch of them worth remembering.

• 200 - OK. Use this for most successfully and normal responses.
• 301 - Moved permanently. Use this when the resource should no longer be accessed at the requested location, but instead a new location is provided. We'll see in a moment how the new resource location would be specified.
• 307 - Moved temporarily. Use this when you want the client to make the request somewhere else instead, this time - but that the original location was valid generally. We'll see this used soon.
• 401 - Unauthorized. This is named poorly, what it really means is unauthenticated. It means that the resource if valid, but you need to authenticate yourself. We'll see more on the difference between authentication and authorization later, but they aren't exactly the same thing.
• 403 - Forbidden. This means you don't have access to the resource. This is the closest match to unauthorized, as it's commonly used. 401 means the server doesn't know who you are, 403 means the server knows who you are, and you aren't allowed to access the resource.
• 404 - Not Found. The resource doesn't exist.
• 500 - Internal Server Error. This is used when some sort of unhandled error occurs. Generally its a bad idea to return details of what went wrong, since it's publicly advertising aspects of your code. This is normally used when the web server code throws an exception, or some other sort of catastrophic error occurs.
• 501 - Not Implemented. Use this when the resource request is planned, but you haven't gotten to implement it yet.

There are a lot more. It's certainly worth keeping a reference handy. Responding with the best response codes for the situation the web server finds is somewhat of an art form, but is well worth the effort.

Pro Tip💡 The text after the status code in the HTTP response code is a bit of an anomaly. Strictly speaking, it should be the same text that is used to describe the status code in the official specifications. In practice, developers often override this, and include other text - perhaps more accurately describing the result. This can be potentially unwise, since it's possible a client could use the response text in some way, and behave unexpectedly. Web browsers will generally display the response code string to the user, as part of a generically formatted HTML page (especially for 400 and 500 level codes), and particularly when no body (HTML) portion is included in the response.

We already saw a more full response earlier in this section, when reviewing the HTTP request/response from example.com. We saw that the following request:

GET /index.html HTTP/1.1
Host: example.com

... resulted in the web server responding with the following response (truncated to save page space):

HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 86286
Cache-Control: max-age=604800
Content-Type: text/html; charset=UTF-8
Date: Fri, 13 Sep 2024 18:40:40 GMT
Etag: "3147526947+gzip"
Expires: Fri, 20 Sep 2024 18:40:40 GMT
Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
Server: ECAcc (nyd/D144)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 1256

<!doctype html>
<html>
<head>
    <title>Example Domain</title>

    <meta charset="utf-8" />
    ... more HTML

At this point, some of this response may be feeling similar to what we saw with requests. The status line (the first line) is indicating the version and result code. The next 12 lines are response headers, formatted the same way they were in requests. Then there is a blank line, and then the response body.

Headers

Response headers are used by the web server to describe the response to the client. Remember, the client (the web browser) needs to read the response from a socket. The response is plain text, and the client must read the headers before the response body (assuming there is a response body). With this in mind, some of the response headers you see above should make sense:

• Accept-Ranges: indicates if the server supports range requests, which are requests that ask for only parts of the document. This isn't commonly used, but you could imagine this would be helpful when requesting things like videos, where you only want a certain range (time period) returned.
• Vary: Usually used in caching, to decide how to cache the response.
• Age: Amount of time the response data was in the servers or proxy cache.
• Cache-Control: Advises the browser how long to cache the response (meaning, the browser should skip issuing a new request for this resource within the given time frame) Responses may contain binary data, and that data could be in the form of a file - with various extensions. Here, the more exhaustive list of MIME types fits our use case more, since the browser needs to be able to handle many more types of responses.
• Date: Primarily useful for caching on the client side, it's just saying what the date of the response was.
• Etag: This is a lot like a checksum, it's a hash of the response. This can be used, in conjunction with the HEAD request to allow the client to determine if it's worth requesting a resource that was recently requested and cached. If the Etags match (recall, HEAD returns only the headers, not the entire content), then there is no reason to issue a full request.
• Expires: Advises the browser not to cache the request beyond a certain time.
• Last-Modified: Can eb useful for client-side browser caching
• X-Cache: Headers starting with the X- prefix are not standard headers, they are user (in this case the server) defined. In this case, it likely means the server responded to the request with cached data.
• Content-Type: Serves the same purpose as with requests - tells the client what kind of data is being sent, so it can be effectively handled. - - Content-Length: The number of bytes in the response body!
• Server: Sort of like User-Agent, but for servers. This identifies the server software. In most cases, this is not recommended, since it let's would-be attackers know more than they need to know - and the more they know, the easier it is to find exploits. There are very few logical reasons a browser needs to know this information.

There are a lot of request and response headers. The MDN has a fantastic list, we don't need to enumerate them all. For now, there are a few takeaways though:

• Response headers often describing caching. Caching is a critical aspect of the web. Caching will occur on the server side, and headers will be used to describe that (Vary, Age, Date, X-Cache, etc). Caching also occurs on the browser side, and often the server will assist in this process - including headers such as Expires, Etag, CacheControl to help guide the browser.
• Response headers, just like request headers, will describe the body of the response. In particular, the content type, encoding, and length. This information is critical to be able to read the appropriate data from the socket, parse it, and process it.

MIME Types

Just like with request bodies, MIME types play a pivotal role in describing response bodies. For responses that are delivering a resource, the resource will be delivered via the response body. For 300 (redirect) responses, 400 (client error) responses, and 500 (server error) responses, the response body may or may not be used, and is often ignored by the browser. If you've ever seen a fancy web page render that says "Not found", but with a lot of cute graphics, it's because the 404 response has a response body, and the browser rendered it.

A response body is typically going to contain data that is either meant for the browser to render directly (this include plain text, HTML, CSS, JavaScript code, images, audio, video), or files that the browser may either attempt to render (CSV data, JSON data, PDF documents) or use the underlying operating system to launch a better program to open (a Microsoft Word document, for example). All of this is of course determined by the MIME type.

It's important to understand that for every response, there is one request - and for every request there is one response. As we will see, often a request for an HTML page will result in HTML being loaded in the browser, and then for that HTML to contain links to other resources. Many times, those resources are requested right away, in sequence. For example, after loading HTML with references to images, the browser will initiate new requests for each image, at the URL listed in the HTML. We'll dive into to this in more depth later - but for now it's important to remember that there is not mixed responses.

Response Body

There response body itself is simply text, or encoded text. Depending on the MIME type, the data might be URL encoded binary data (essentially, data that appears to be gibberish), or it could be perfectly readable text. The text might be structured (CSV, JSON, HTML, JavaScript code, CSS), or it might be unstructured (plain text). No matter what, the response body always follows a blank line in the HTTP response message, which in turn follows the last HTTP response header.

No matter how large the response body is, it's still part of the HTTP response. This means that just like a short little HTML page being returned by example.com, an HTTP request that is generated for a multi-gigabyte mpeg-4 video is going to be returned as a standard HTTP response. The difference is that the Content-Type will indicate that it's a video (maybe /video/mp4), and the video data will be very long, using binary encoded text data.

Redirects

We discussed 400 and 500 error codes, and they are fairly self explanatory. A response within those ranges are telling the browser (and the user) that the request failed. The actual code, and potentially the response body, will tell them a bit more about why - but the bottom line is that the request itself failed.

A 200 response code, and all of it's variants, is also fairly self explanatory. The resource was returned, and in most cases, the browser will simply render it.

The 300 level codes are a bit more difficult to succinctly explain. 300 level codes indicate that the resource the client has requested (the URL) exists, but exists elsewhere. These response codes are telling the web browser that the response was not necessarily an error, but the web server cannot fulfill the request. Instead, the web server is advising the web browser to make the request to some other location (URL).

Let's start with a simple (and probably the original) use case: someone decided that a page on the website should move to another location:

• Original url: http://www.example.com/a/b/c/data.html
• New url: http://www.example.com/other/data.html

Suppose someone has bookmarked the original URL, and so they make a request to the /a/b/c/data.html path. The web server, of course, could simply return a 404 - not found. However, in order to help, it instead can return a 301 status code - indicating that the resource has moved permanently.

On it's own, this isn't particularly useful. Where this becomes more powerful is when the 301 response code is coupled with the Location response header, which is used to indicate the new location.

HTTP/1.1 301 MOVED PERMANENTLY
Location: http://www.example.com/other/data.html

Now, the web browser may elect to actually process this response and issue a NEW request to the new URL, /other/data.html. Most web browsers will do this. It's called "following the redirect", and it happens automatically. You will see the address bar change, with the new address displaying.

The situation described above is easiest to describe, but it isn't the most common type of redirect response used. The 307 Temporary Redirect response is actually the redirect that is most frequently used on the web. This is because there are many cases where it's not that the resource has moved, but that the web server wants the web browser to issue a new request following the first.

A typical sequence that utilizes the 307 code is for logging in. Typically, the browser will send a request to a url list /login, as a POST request. The login logic will decide if the user can log in (their passwords match, etc), and then the user will likely be presented with a page based on their role. They might see a detailed dashboard, perhaps if they are a site administrator. They might see a more limited screen if they are a normal user. The point is, depending on who they are, and what they do, they may have a different "home" page after logging in.

At first, you might think that we'd just have one set of code in charge of rendering /home, which takes into account all that logic. But in fact, it's usually better (and easier) to create multiple pages for the different types of users. Maybe something like /admin/home and /user/home. Those URLs can simply focus on rendering the right content.

The trick is, how do we response to the POST request to /login, but at the same time somehow navigate the user (after login) to the right home page? We use a 307!

• If the POST to /login failed (username invalid, password doesn't match), we could response with a 307 with Location set to /login again - so they could repeat the login attempt.
• If the POST to /login succeeded, the web server would presumably make note that the user was logged in (we'll see how this is done later), and *redirect the user to either /admin/home or /user/home using the Location header.

In all three cases, the browser will automatically request the url specified in the Location header.

The next time you log in to a website, watch the address bar! In almost every case, you'll notice that it switches to something else after you've logged in. Sometimes there are even multiple redirects!

HTTP Implementation - The Hard Way

In the previous sections, we used some text-based programs like telnet to simulate what a web browser does - constructing a text HTTP request and sending it to a web server. We saw first hand that web servers do not really know (or care to know) what program generates an HTTP request. If a web server receives a valid HTTP request, it sends back a valid HTTP response!

It's also useful for you to start to understand the server side a bit more. Recall back in Chapter 2, when we wrote an Echo client and server - with just plain old JavaScript and sockets (we started with C++). Below is an adaptation (actually, a simplification) of a TCP server written in Node.js

const net = require('net');

const on_socket_connect = (socket) => {
  socket.on('data', (data) => {
    const request = data.toString();
    console.log(request);
  })
}

const server = net.createServer(on_socket_connect);
server.listen(8080, 'localhost');

Remember, until we start really learning JavaScript, you should try not to get too caught up in syntax. We will cover it all - right now code examples are just to illustrate concepts.

The code above creates a TCP server using Node.js's built in net library. The server object is constructed by calling the createServer function in the net library. The createServer function accepts one parameter - a function callback, which will be called whenever a client connects to the server. Once the server object is created, it is set to the listening state, on port 8080, bound to the localhost.

The interesting stuff is happening in the on_socket_connect callback function. When it is called (by the net library's server code), a connection has been established with a TCP client. That connection is represented by the the socket parameter. on_socket_connect now registers another callback - this time an anonymous function. We'll cover these later in more depth, but for now think about how in most languages you can have literal numbers (ie 5) and named variables that hold numbers. Well, in JavaScript, functions are data, and thus we can have literal functions (without names) and named variables that represent functions. on_socket_connect is a named function, but so it the function that we create and set as the second parameter to the socket.on function in the code above. The socket.on function is a generic event registration function. The first parameter is the type of event we are registering a function for - in this case, we are interested in defining a function to be called whenever data is received from the client. The second parameter is the function itself, which we want the socket to call when data is received. The function accepts a single argument (data), converts it to a standard string, and prints it to the console.

You are strongly encouraged to take this code and run it on your machine. If you have it running, you can launch a web browser (any web browser will do!), and enter the following into the address bar: http://localhost:8080.

Observer what happens. The web browser is the TCP client! It generates an connects to the server, over port 8080. It sends an HTTP request message, and the server successfully receives it and prints it out! You will see something like this print to the server's console:

GET / HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Priority: u=0, i

Depending on yoru web browser, you might have something slightly different, but chances are your web browser generated and HTTP request that looks a lot like the above. Your server received it over the socket!

Also take a look at the web browser. It's likely that you'll notice it still needs to receive a response - it's still waiting. You've seen this before, whenever your browser is having trouble connecting - here's a screenshot of Firefox:

So, why is your web browser hanging? It's really pretty simple - it expects our web server to respond! Our web server printed to the console, but it didn't send anything back to the client - it left the client hanging!.

Let's follow each request we receive with the simplest HTTP response we could possibly return - OK, with no content.

const net = require('net');

const on_socket_connect = (socket) => {
  socket.on('data', (data) => {
    const request = data.toString();
    console.log(request);

    // Note the extra blank line, to tell the client there are no more headers
    const response =
      'HTTP/1.1 200 OK\n' +
      'Content-Length: 0\n' +
      '\n';
    socket.write(response);
  })
}

const server = net.createServer(on_socket_connect);
server.listen(8080, 'localhost');

If we re-launch the server (when we do so, you might notice the browser that was hanging for a response gives up, since the socket is disconnected), and reload the web browser - we'll see something. A blank web browser page!.

Before we go much further, let's discuss web developer tools. As a web developer, it's critical that you can debug your programs. When writing your own server code (as we are right now), it's easy to print to the server's console, or even run a proper debugger and inspect the operation of the server code. Sometimes, however, you need to see what the browser receives in order to better debug your code. In this case, you'd be forgiven to wonder why the browser is showing a blank screen (maybe you understand why already, if so - great!). Our server sent the 200 reponse, so what gives?

In [Google Chrome], Chromium, Firefox, and other major browsers, you have the ability to peer into the internals of the web browser to inspect lots of things that ordinary users have no interest in. One of these things is the actual network traffic - the actual HTTP requests. I recommend that you get very familiar with the web developer tools that come with your favorite web browser for software development. Note, Safari and Microsof Edge (at least at the time of this writing) do not offer the same level of tooling - for development, I recommend using Firefox or a Chromium-based browser.

• Dev tools in Chromium/Chrome
• Dev tools in Firefox

Here's what you will see when accessing the Network tab in Firefox's dev tools when making the request:

We can clearly see, the browser did receive our response - a 200 status code, with OK as the message. The Content-Length is 0. Well, maybe now that jogs our memory - the browser renders content, not the actual HTTP response. We can see the HTTP response in dev tools, but without sending any content (response body), the browser isn't going to render anything!

Let's send something, shall we? We can create some text, and add it to the response body, being careful to adjust the Content-Length header accordingly. Since it's just plain text, let's also go ahead and set the Content-Type to the correct MIME extension.

  socket.on('data', (data) => {
    const request = data.toString();
    console.log(request);

    const text = 'Hello, World!';
    const response =
      'HTTP/1.1 200 OK\n' +
      'Content-Type: text/plain\n' +
      'Content-Length: ' + text.length + '\n' +
      '\n' +
      text + '\n';
    socket.write(response);

  })

Now when we load the browser, we see our Hello World text. It's also clear in the dev tools that the browser received the HTTP response we sent, in full.

Plain text is pretty boring. Browsers can render all sorts of content, as we know. Let's instead send some HTML:

const on_socket_connect = (socket) => {
  socket.on('data', (data) => {
    const request = data.toString();
    console.log(request);

    const html = `
      <!DOCTYPE html>
      <html>
      <head>  
        <title>Sample Page</title>
      </head>
      <body>
        <h1>Hello World</h1>
        <p>This is fun!</p>
      </body>
      </html>
    `
    const response =
      'HTTP/1.1 200 OK\n' +
      'Content-Type: text/html\n' +
      'Content-Length: ' + html.length + '\n' +
      '\n' +
      html + '\n';
    socket.write(response);
  })
}

We see that our HTML that we generated using just a simple little program renders just like any other HTML we see on the web:

Responding to Requests

You might have noticed something odd in the web developer tools screenshots above. In each, there are actually two requests - one for /, which is the request directly caused by typing http://localhost:8080 in the address bar, and another for /favicon.ico. As a matter of convention, web browsers always issue a request to any web site it is loading resources from to favicon.ico. You can try it out, visit any other site, with web developer tools open - you'll see the request (be prepared, on a modern web site, one site visit triggers many requests to sift through).

A favicon is the graphic/logo you see at the top of the browser tab. It's usually the same across the entire web site you are visiting. Your browser is getting them automatically for you, and using whatever is returned to it.

You can actually just enter the following into the address bar to laod the favicon directly for google: https://google.com/favicon.ico.

So, that's why you see the two requests - but interestingly, our "Sample Page" doesn't have a logo. We're not going to create one right now, but you might be curious - why is our server returning 200 to the /favicon.ico request then?

Why does our server do the things that it does? Because we wrote it that way! Our server returns 200, along with the same HTML for every request it receives! In fact, if you look at the console output of the server, every time you load the page in the browser, it's actually printing two HTTP requests/responses - because it received two:

1. GET / HTTP/1.1
2. GET /favicon.ico HTTP/1.1

If you don't see them, your browser may have started caching the response to favicon, and stopped requesting it. You can usually hold the CTRL/Command key while clicking refresh to load it without caching.

It would be great to actually server a graphic, but for now let's just stop lying, and stop returning a 200 response when the favicon.ico is requested. We don't have one, and we should return something cloer to reality - like 404 Not Found.

In order to do this, we need to start differentiating between requests. We have to start actually looking at what the browser is requesting! To do that, we need to parse the HTTP request message instead of just printing it out.

In the code below, we grab the first line of the request message, which contains the verb, path, and HTTP version. We then extract the path by splitting the first line into the three components, and looking at the second part. If the path requested is / we return our HTML. If the path is anything else, we return a 404, since we don't have any other resources on our web server yet.

const on_socket_connect = (socket) => {
  socket.on('data', (data) => {
    const request = data.toString();

    const first_line = request.split('\n')[0];
    const path = first_line.split(' ')[1];

    if (path === '/') {
      const html = `
        <!DOCTYPE html>
        <html>
        <head>  
          <title>Sample Page</title>
        </head>
        <body>
          <h1>Hello World</h1>
          <p>This is fun!</p>
        </body>
        </html>
      `
      const response =
        'HTTP/1.1 200 OK\n' +
        'Content-Type: text/html\n' +
        'Content-Length: ' + html.length + '\n' +
        '\n' +
        html + '\n';
      socket.write(response);
    }
    else {
      const text = `404 Sorry not found`;
      const response =
        'HTTP/1.1 404 Not Found\n' +
        'Content-Type: text/html\n' +
        'Content-Length: ' + text.length + '\n' +
        '\n' +
        text + '\n';
      socket.write(response);
    }
  })
}

You can see in web developer tools that the requests to favicon.ico are now showing up as not found. Note, if we type anything in the browser with a different path - like http://localhost:8080/foo/bar, we will get a 404 response back - which is what we want.

We can now start thinking of how we'd server multiple resources. The code below prints a text about message if you visit the http://localhost:8080/about page. I removed some extra whitespace from the HTML to keep things a little more succinct

const on_socket_connect = (socket) => {
  socket.on('data', (data) => {
    const request = data.toString();

    const first_line = request.split('\n')[0];
    const path = first_line.split(' ')[1];

    if (path === '/') {
      const html = `
        <!DOCTYPE html><html><head><title>Sample Page</title></head>
        <body><h1>Hello World</h1><p>This is fun!</p></body></html>
      `
      const response =
        'HTTP/1.1 200 OK\n' +
        'Content-Type: text/html\n' +
        'Content-Length: ' + html.length + '\n' +
        '\n' +
        html + '\n';
      socket.write(response);

    }
    else if (path === '/about') {
      const text = `This is just about learning web development.`;
      const response =
        'HTTP/1.1 200 OK\n' +
        'Content-Type: text/plain\n' +
        'Content-Length: ' + text.length + '\n' +
        '\n' +
        text + '\n';
      socket.write(response);
    }
    else {
      const text = `404 Sorry not found`;
      const response =
        'HTTP/1.1 404 Not Found\n' +
        'Content-Type: text/html\n' +
        'Content-Length: ' + text.length + '\n' +
        '\n' +
        text + '\n';
      socket.write(response);
    }
  })
}

Improving code through abstractions

To be a web developer is to immediately realize there should be a libary or framework for this... and of course, there is. Take a look closely at the code above. If you were trying to improve it, you might think about (1) creating some utility functions to parse the HTTP request, and (2) creating more utility functions that can be used to generate HTTP responses. Since HTTP is a standard protocol, it makes sense there should be standard functions.

We might imagine something like this, making use of some nice functions

const on_socket_connect = (socket) => {
    socket.on('data', (data) => {
        const request = parse_http_request(data.toString());
        let response = null;
        if (request.path === '/') {
            const html = `
            <!DOCTYPE html>
            <html>
            <head>  
              <title>Sample Page</title>
            </head>
            <body>
              <h1>Hello World</h1>
              <p>This is fun!</p>
            </body>
            </html>
          `
            response = make_http_response(200, 'text/html', html);
        }
        else if (request.path === '/about') {
            response = make_http_response(200, 'text/plain', 'This is just about learning web development.');
        }
        else {
            response = make_http_response(404, 'text/html', 'Sorry not found');
        }
        socket.write(response.toString());
    })
}

The code is a lot clearer, making use of some handy functions to parse HTTP requests and create HTTP responses. Hopefully it is not too hard for you to imagine how these would be written - and more importantly, hopefully it's clear what the advantages are. With these abstractions, we could improve our parsing and response creation a lot more, and be able to reuse this improved parsing and response creation for all our projects. Our parser could parse all the HTTP headers, our response creator could handle many different types of responses, headers, content types.

Of course, these abstractions do exist, in fact multiple level of abstractions exists - from the most basic to the most advanced frameworks used today. We'll start with http, which is built in to Node.js and can replace the use of the net library, but we will eventually (in later chapters) work ourselves all the way up to the Express framework.

The http library

The net library that is built into Node.js has convenient abstractions for creating TCP servers (and clients), sockets, and using sockets to read and write arbitrary data. When writing a web server, we could use the net library, since HTTP is just text data - but we can also opt to use the http library instead.

The http library includes similar features for creating servers (and clients) as the net library, but at a higher level. When creating an http server, TCP is assumed, and sockets are hidden (they still exist, but the library code handles them). Instead of sockets to read from and write to, we receive HTTP request objects and write to HTTP response objects. Request objects are given to our code through callback functions, much like data was given to our function when data was received. The difference is that when data is received on the socket, the http library code is now reading it for us, and parsing it all into a structured object representing the request. The request object has useful properties, like the url being requested and the headers the client sent with the request!

The response object has useful methods, such as writing an initial status line, headers, and content. It makes writing http server far easier, without obscuring what is really happening.

Below is the same web server, with the same functionality, written with the http library instead:

const http = require('http');

const on_request = (req, res) => {
    if (req.url == '/') {
        const html = `
            <!DOCTYPE html><html><head><title>Sample Page</title></head>
            <body><h1>Hello World</h1><p>This is fun!</p></body></html>
          `
        res.writeHead(200, { 'Content-Type': 'text/html' });
        res.write(html)
        res.end();
    }
    else if (req.url == '/about') {
        const text = `This is just about learning web development.`;
        res.writeHead(200, { 'Content-Type': 'text/plain' });
        res.write(text)
        res.end();
    }
    else {
        res.writeHead(404);
        res.end();
        return;
    }
}

const server = http.createServer(on_request);
server.listen(8080, 'localhost');

That's the entire program, there's no dealing with the net library at all (http uses it however).

No sockets.

When creating the server object, instead of providing a function that will be called when a socket connects, we are providing a function that gets called when an HTTP request is received. The function (on_request) is passed the request object (parsed HTTP request) and a response object. Those objects are then used to serve the response!

Up next

We've now seen the fundamental aspects of the HTTP protocol, and hopefully you have a grasp of how simple it really is - just text/character-based requests and responses. We are going to continue to build our knowledge of HTTP throughout this book, but we will do so within the context of other topics - as needed.

Next, we need to start looking at what HTTP delivers in more detail - and HTTP was primarily made to to deliver is the HyperText Markup Language.

Hypertext Markup Language (HTML) - Part 1

HTML Basics

We've spent the last two chapters really focusing on how data is sent back and forth between the client (a web browser) and server (a web server). These concepts are crucial in your understanding of web development, but they very likely aren't why you became interested in it. Now we turn to looking deeper into how to actually make web pages, which will make up our web applications.

It's worth repeating a bit from Chapter 1, where we examined the relationship between structure, style and interactivity within a web page being displayed by a web browser.

• Structure: HyperText Markup Language (HTML)
• Style: Cascading Style Sheets (CSS)
• Interactivity: JavaScript

HTML is the foundational language we use to describe the structure of a page. It is critical that you separate this from how the page appears. HTML is not the way we arrange the layout of the page, specify colors, alignments, font size, etc. It is simply a way to describe what will be rendered, not necessarily how it will be rendered. Keeping this distinction in mind will pay huge dividends.

HTML is also used to convey semantics of parts of a document. We will have elements like strong, emphasis, paragraphs, lists, tables, articles, navigation and others. They suggest how they might be rendered visually, but they are really about conveying meaning and relationships between parts of text within a document.

There are three core aspects to HTML, or three groups of HTML elements we will learn. The first is content / document structure - like the elements mentioned above. We'll spend the majority of this chapter talking about those. The second is form elements and input controls, where we design input interfaces so users can enter information into our web application. These HTML elements will be covered in Chapter 6, since we'll have to learn a little more about the backend code (Chapter 5) in order to process all this user input. The third group is more subtle - we don't see and interact with them in normal use cases directly. The third group of elements contain metadata and additional resources. These elements describe the document's title, how it might behave on different devices, how it should be interpreted from a security perspective, and what styles and interactivity is embedded and linked to within the document. We'll cover the third group in a variety of places throughout the book, when they each are appropriate.

HTML Versions

There have been a half a dozen or so major versions of HTML, however the only 3 we need to really consider is HTML 4.01, XHTML, and HTML 5 - with the last one being the only version of HTML that anyone develops with in the 2020's. HTML 4.01 is very similar to HTML 5, although it supports fewer element types, and has less sophisticated support for layout, and lacks some of the multimedia and device integration support that HTML5 has defined. Otherwise, it is very much the same language.

The earliest versions of HTML

The original version of HTML was created by Tim Berners-Lee in 1990, as a way of describing hypertext documents. Berners-Lee was working at CERN, the main goal of HTML at this time was to create scientific documents - the design goals were not the same as they are today! An early HTML document would have had elements we continue to use today - and the overall look of the document remains fairly unchanged.

<!DOCTYPE html>
<html>
  <head>
    <title>This is a title</title>
  </head>
  <body>
    <div>
        <p>Hello world!</p>
    </div>
  </body>
</html>

The initial versions (circa 1992) included title, p, headings, lists, glossary, and address elements. Shortly after, things like img for images and table was added as well. Of course, HTML is only as useful as your ability to render the document as well. At CERN, several worked on creating primitive web browsers. It's important to note that during this time, the language of HTML and the web browsers themselves were evolving together. In many respects, the web browser was the specification of what HTML was - whatever the web browsers expected of HTML, and did with HTML, was HTML.

In 1993, NSCA Mosaic was released, and this is widely considered to be the first browser to have truly wide scale adoption (although the definition of wide scale was very different in the 1990's). In the screenshot below, you should notice some familiar features:

1. Address bar (for typing the URL)
2. Page title (title)
3. Image element (img)
4. Hyperlinks (a)
5. Horizontal lines (hr)
6. Paragraphs (p)

During most of the 1990's, the vast majority of HTML was written by hand - meaning authors of documents sat down at their computer, opened a text editor, and typed out the contents of HTML. One of the goals of the web was the democratization of technology and communication of information - and thus there was an emphasis on ensuring technical and non-technical people could create content for the web. Browsers allowed for this by being extremely permissive in terms of the syntax of HTML.

As a programmer, you know that these two lines of C++ code aren't the same, even though to a novice the look pretty close:

cout << "Hello World" << endl;
cout << Hello World << endl

The second line won't compile, it's missing quotes around the "Hello World" text, and it's missing it's semicolon. We as software developers get it, you need to write the program using correct syntax. To someone non-technical however, this seems like a drag - and an unnecessary one at that! "It's clear Hello World is what I want to print out, and the end of the line should be good enough - why do I need to write a semicolon!". Honestly, it's a sort of fair point - for a non-programmer.

The early versions of HTML (or, more accurately, browsers) had no problem rendering the following HTML document:

<html>
  <head>
    <title>This is a title</title>
  </head>
  <body>
    <div>
        <p>Hello world!</p>
  </body>
</html>

It's missing the DOCTYPE header, and doesn't close the div. No harm no foul. Small inconsistencies and errors in HTML documents resulted in browsers making their best effort to render the page. Remember, the expectations of users were pretty low in the 1990s. If one browser's best effort had a bit different result than another browser's best effort, it wasn't viewed as the end of the world necessarily. Different people coded up the different browsers, and they didn't code up all their attempts to parse valid and invalid HTML the same way. It was understandable!

On the topic of valid/invalid HTML, different browsers also began supporting different subsets of HTML elements. By the middle of the 1990s, the web had begun to move out of scientific and academic venues and straight into consumer's homes. Windows 95 completely revolutionized computing - suddenly millions of people were on the web. Where there are consumers, there is market opportunity, competition for said market, and innovation. Netscape Navigator (a descendent of Mosaic, and ancestor of today's Mozilla Firefox) and Internet Explorer (a step-relative so to speak of today Edge browser) competed for users. One of the ways these browsers competed (beyond how well they dealt with HTML errors in people's documents) was by inventing new elements.

All sorts of elements began to crop up - font, texttop, center, big, small, blink, marquee, applet and many many more. Some were supported first by Internet Explorer, some were created by Netscape. Some were quickly adopted by the other, to remain on par. Some were answered with different and competing elements. This quickly began to spiral however, as web authors now needed to adhere to different HTML rules for different browsers - which was essentially impossible to do well! We began to see things like "This site is best viewed with Microsoft Internet Explorer" written along the top of website, indicating to the user that the site might be using elements that Netscape didn't support.

Non-compatibility, ambiguous rules, and competing features sets threatened the future of the web.

Things were not well in the late 1990's.

XML and XHTML

XHTML is a bit of a misunderstood variant of HTML itself. Before describing it, let's define the elephant in the room when it comes to HTML and XHTML - and that's XML. The eXtensible Markup Language is a markup language (and often a file format) used to store structured data. It was defined by the World Wide Web Consortium in 1998, and was (and still is) a huge player in the structure data space (it has been supplanted by the more simple JSON format in many areas within the last 10-15 years however). XML, if you haven't seen it before, is a pretty familiar looking thing - at least on the surface:

<?xml version="1.0" encoding="UTF-8"?>
<library>
    <book>
        <title>The Great Gatsby</title>
        <author>F. Scott Fitzgerald</author>
        <year>1925</year>
        <genre>Fiction</genre>
        <price>10.99</price>
        <isbn>9780743273565</isbn>
        <publisher>Scribner</publisher>
    </book>
    
    <book>
        <title>1984</title>
        <author>George Orwell</author>
        <year>1949</year>
        <genre>Dystopian</genre>
        <price>9.99</price>
        <isbn>9780451524935</isbn>
        <publisher>Houghton Mifflin Harcourt</publisher>
    </book>
    
    <book>
        <title>To Kill a Mockingbird</title>
        <author>Harper Lee</author>
        <year>1960</year>
        <genre>Fiction</genre>
        <price>7.99</price>
        <isbn>9780061120084</isbn>
        <publisher>J.B. Lippincott & Co.</publisher>
    </book>
    
    <book>
        <title>The Hobbit</title>
        <author>J.R.R. Tolkien</author>
        <year>1937</year>
        <genre>Fantasy</genre>
        <price>8.99</price>
        <isbn>9780547928227</isbn>
        <publisher>George Allen & Unwin</publisher>
    </book>
</library>

As you can see, the XML document above describes a library of books. XML arranges hierarchies of "objects" or entities, in a human readable format. The language can become quite complex however - particular when considering defining an XML document's schema. The concept of schema is that documents have a pre-defined structure. Imagine having many XML files, each describing collections of books - the schema is the agreement between all authors of such documents on such details as (1) the root element is called library, the year of publication is called year rather than something like publication-year, for example. The schema describes the rules of the XML document. The XML schema sub-language is really what made XML extensible, anyone could describe a set of rules, using XML schema language, and thus (at least, in theory) and program could produce and consume those XML documents.

You may be wondering, with some basic knowledge of HTML, whether HTML is XML - since from what we just described, it seems perfectly logical that HTML could be defined using an XML schema! HTML is just a set of specific XML elements for creating HTML documents. Your intuition is somewhat correct - however HTML pre-dates XML. As mentioned above, the original version of HTML was developed by Tim Berners-Lee almost 10 years prior. The language looks like XML, but it wasn't general purpose. In reality, XML was a generalization of the already popular HTML language!

XML was developed to solve some of the problems of the initial version of HTML, in the data exchange space. While HTML had many quirks, and was very permissive in terms of syntax, when exchanging arbitrary data between programs those ambiguities are a bug, not a feature. XML is more restrictive than early versions of HTML - for example, the document is entirely invalid if you do not <close> an element with a corresponding </close> tag, or forget to include quotes enclosing an attribute. XML of course introduced the secondary XML schema language as well.

Once XML was developed, it was a pretty obvious next step to develop a new HTML standard described as an XML schema. Thus, the Extensible HyperText Markup Language (XHTML) was born (2000). XHTML was simply the HTML language, adapted such that it was a conformant XML document, with a well defined XML schema outlining the language rules (rather than the rules being decided by a collaboration of standards bodies authoring text descriptions, and browsers actually implementing rendering of said HTML). In the early 2000's XHTML appeared poised to become the dominant form of HTML - there was a huge amount of support behind XML in nearly all areas of Computer Science and Software Engineering.

The story didn't actually go as planned for XHTML however. While from a strictly engineering standpoint, having a rigorous and unambiguous specification (using XML Schema) of the language was a gigantic leap forward - that strictness was also a liability. Remember, in the early 2000's a lot of HTML was still being written by novices, by hand (not generated by programs). XHTML did not offer any feature enhancements over standard HTML in terms of things that developers could do that their users could see. Yes, XHTML was a better technology - since XHTML was harder to write, and didn't offer any user-facing benefits, it just didn't gain the level of traction we thought it would.

Browser Wars

While XHTML aimed to achieve rigor, it was not widely adopted by authors. Thus, in the mid 1990's, web authors were stuck dealing with some rather significant inconsistencies between what dialect of HTML different browsers supported. We don't need to get into the details here, but you should also note that the differences were even more magnified when it came to how styling with CSS and interactivity with JavaScript was supported across browsers. Until the late 1990's and early 2000's, the main browsers were Netscape and Internet Explorer. Given their share of the market, there were efforts to somehow standardize the HTML language to avoid having two completely distinct dialects of HTML evolving in the wild. To large effect, this was achieved with the ratification by the World Wide Web Consortium of HTML 4.0 (and HTML 4.01) in late 1990's - however, as you can see in the image below, by that time Internet Explorer had effectively become the standard. It had won the Browser war. While Microsoft Internet Explorer largely adopted HTML 4.01 (the standard was based in part on what Internet Explorer supported in the first place!), it did continue to support other features.

Image linked from Wikipedia

Towards the right of the image above, you see another competitor enter the scene - Google Chrome. In 2009, it's usage was small - however it marked a very important turning point in web browsers. Google Chrome of course supported HTML 4.01, however it also had an important killer feature - JavaScript performance. At the time of it's release, JavaScript (which is only loosely defined by the HTML specification) was a backwater in web development. Different browsers supported it differently, and performance was pretty abysmal. Google Chrome changed the architecture (more on this later in the book), and achieved performance increases in JavaScript execution by several orders of magnitude.

In 2007, another important development took place that ultimately changed HTML, CSS, and JavaScript as well - the first iPhone was released. At the time, the web was split along a second axis - interactivity. As described above, JavaScript was a poor alternative for creating the types of richly interactive web applications we expect today. Web applications that served mainly documents used HTML, CSS, and some JavaScript, but web applications that served up interactive visualizations, games, maps, etc used a completely different language (embedded within HTML) - Adobe Flash. You can learn more about Flash on the web, and it's an important part of the evolution of the web - but the reason it's brought up here is that the iPhone not only didn't support it, but Apple unambiguously stated it would never support it. It was incredibly controversial, yet proved pivotal. The iPhone had two characteristics which made it uniquely positioned to drive change - (1) it was a wild success, and (2) it's form factor (mobile!) offered lots of new ways to envision how web applications could interact with the device and the user. By refusing the adopt Adobe Flash, and instead pointing towards the promise of JavaScript (just starting to take shape in early version of Google Chrome), Apple effectively put a giant thumb on the scale - leading to the complete demise of Flash, and more importantly - an incredible thirst in the market place for better JavaScript.

Image linked from Wikipedia

In the graphic above, you can see how Google Chrome (desktop and Android devices) and Apple Safari (the iPhone's browser, along with Mac) completely destroyed Internet Explorer's dominance among browsers. During the 2000s and 2010s, we returned to a time where there was not one dominant browser - and this was an opportunity. Without a dominant browser, all browser vendors benefit from strong standards - learning the lessons of the 1990's browser wars. With an opportunity for stronger standardization, and a serious need for a new set of standards to better support the new web - multimedia, multi-device, and enhanced capabilities - the World Wide Web Consortium's HTML 5 specification (which was being developed in parallel to all of these new developments) was right in time.

HTML 5 and beyond

The development of HTML 5 began with the first public working draft in early 2008. Public releases of draft standards continued through the early 2010's, with browsers often adopting parts of the draft standards that appeared stable. The first formally released standard came in October 2014. HTML 5 was a major milestone in web development, aimed at modernizing how the web is built and experienced. The goal was to address the limitations of earlier versions of HTML, while reflecting the evolving needs of web developers and users. With the rise of multimedia, dynamic content, mobile browsing, and web applications, HTML5 provided much-needed improvements in functionality, performance, and standardization.

One of the key drivers behind HTML5’s development was the need to natively support richer multimedia and interactivity directly in the browser. Before HTML5, embedding video or audio required third-party plugins such as Adobe Flash or Microsoft SilverLight, which were power hungry, slow, and insecure. HTML5 introduced native <video> and <audio> elements, making it easier to embed media content without relying on external technologies. This change empowered browsers to handle media more efficiently and securely, contributing to a more seamless web experience, especially on mobile devices, where performance is critical.

Another major feature of HTML5 was the introduction of new semantic elements like <header>, <footer>, <article>, <section>, and <nav>. These elements added meaning to the structure of web pages, enabling developers to better organize content and improving accessibility for assistive technologies like screen readers. Semantic HTML not only enhances the user experience but also helps search engines better understand the content on a page, improving SEO and making the web more intuitive for machines and users alike.

HTML5 also worked hand-in-hand with JavaScript, empowering developers to build more powerful and interactive web applications. New APIs like the Canvas API for drawing graphics, Geolocation API for location-based services, and Web Storage API for local data storage enabled richer experiences without the need for external libraries or plugins. This shift allowed developers to create applications that previously would have required native desktop software, ushering in a new era of web applications.

Standardization was another critical goal. HTML5 sought to unify the web development landscape, where browser-specific code and fragmented implementations had long been an issue. By setting clear rules and specifications, HTML5 helped ensure that all major browsers (Chrome, Firefox, Safari, Edge, etc.) would render content consistently, reducing the need for browser-specific hacks and workarounds. This emphasis on standardization paved the way for smoother cross-browser development and a more reliable user experience across devices and platforms.

In short, HTML5 was necessary because it aligned the language of the web with modern requirements, streamlining multimedia, enhancing semantics, improving JavaScript capabilities, and unifying the development process. These features laid the foundation for a more efficient, accessible, and future-proof web.

In the rest of this chapter, we will exclusively target HTML 5. While incremental version of HTML 5 continue to be released, the changes have been limited. When we cover CSS and JavaScript, we likewise will target the capabilities of modern browsers supporting HTML 5 fully - as HTML 5 is sort of an umbrella for not only modern HTML, but also modern CSS and JavaScript.

HTML History

This section covered HTML history at a really, really high level. The intent is to give you a bit of a glimpse as to how we got where we are today. The history of web browsers and HTML is a fascinating one however, and you are really encouraged to learn more about it! Mozilla has a nice front-page, here that has several links to other resources - it's a great start.

HTML Structure

As the last section describes, HTML has a very long and winding history. You may have heard the saying that "nothing is ever gone from the internet", or something to that effect. Bad (or just old) HTML never leaves the internet either. If you surf the web long enough, you are going to see all sorts of HTML pages - some using upper case elements intead of lower case elements (or a mix of both), some using deprecated elements, and other "quirks". The terms "quirks" is actual an official term - most browsers will have "quirks" mode, which cases the HTML to rendered not be the modern HTML 5 parsing engine (the newer, and undoubtedly better code) in the browser, but instead by older code.

As a modern web developer, you must develop a strong sense of embarrassment about writing poor HTML. As a web developer, you have a professional responsibility to write standards compliant HTML 5. This allows you to reap the rewards of all of the (phenomenal) advancements browsers have made over the past decade. There is no excuse. An ability to understand how to write HTML correctly will prevent you from ever getting a serious job in web development.

Structure of a Standard HTML Document

The structure of the document starts with the very first line - the doctype line. This line communicates, in the first bytes of the response body that the browser reads from it's TCP socket, what kind of HTML document is receiving. As such, this line will be processed before the parser is loaded. Choose the correct doctype, your page will be processed with the browser's modern parser and render. Choose poorly (or not at all), and you are thrown into the badlands of the early 2000's - and it's not fun.

The correct doctype is fortunately easy - it's simple html. THe first element - <!DOCTYPE html> is not like all the rest - it has an ! character, and it is capitalized. Technically, this is case sensitive, although you will often see <!doctype html> written in HTML-like files that will be processed / transformed into standard HTML (more on this later in the book).

<!DOCTYPE html>
<html>
  <head>
    <title>This is a title</title>
  </head>
  <body>
    <div>
        <p>Hello world!</p>
    </div>
  </body>
</html>

The remaining part of the HTML document above is just that - HTML markup. HTML (and XML) is a tree-styled document, where elements enclose other elements - beginning at the root of the document. The root of all HTML documents is the html element. An element is defined as the entire HTML "element" - the opening tag (<html>), the content (the child elements), and the closing tag (). Sometimes people use the terms element and tag interchangeably, but they are indeed different. Again - element is the entire things, tag is referring to either the opening or closing tag, the delimiters of the element.

Insidte the html element may contain precisely two elements, in precise order - first head and then body. Note, there is no foot(er).

The Head Element

The head element different than the body in that it is really all about metadata and additional resources. The types of things you find in the head element include the page title (title) - which doesn't show up in the web page directly, but will likely be used by the web browser as the title in the top of the browser tab, for example. Also found in the head element may be a series of <meta> tags - which can be used to define a range of information - from the author's contact information to defining the aspect and scaling ratios to be used on various devices and screens. The meta element supports many modern features - we will examine some as we go, but it's worth taking a bit of a detour now (or remember to later) so you can learn more.

While meta's use has only been widely adopted fairly recently, title and the following meta data elements have been in use since the early 1990's:

• link - Allows you to link external resources (usually CSS files that contain rendering style rules) to the page. These link elements result in the web browser initiating new HTTP requests to retrieve these resources. In the case that the resource is a CSS file, the file is retrieved from the web server (so a second HTTP request/response cycle) and used by the browser to format/style the currently loaded HTML file. Other resources can also be loaded using the link element, such as web fonts, etc.
• style - Allows you to specify CSS styling rules directly within the HTML document, which will be used by rendering. This is called embedded CSS.
• script - Allows you to reference an external JavaScript file (a separate resource, requested with a second HTTP request/response cycle) to use on the loaded page, or to directly embed JavaScript code to execute on the loaded page.

link, style, and script are all used to integrate different types of resources - not additional HTML. Therefore, we won't talk all that much about them just yet - but we will come back to them when we cover things like CSS and client-side JavaScript.

The Body Element

The body of an HTML page is the actual content that gets rendered to the browser screen. It contains paragraphs, heading, grouping elements, phrase elements, lists, tables, and multimedia. These are the elements that are normally visible to the user.

Let's look at the most straightforward and foundational element, in order to introduce some other concepts that will apply to them all - the p, or paragraph element.

The paragraph element encloses a set of either text content or child elements. Let's first consider straight text elements:

  <p>This is a paragraph</p>

The words "This is a paragraph" will be rendered by the browser in standard font, on it's own line. By "it's own line", we mean that if there are several p elements, they each will occupy their own vertical space, with some whitespace padding separating them vertically.

  <p>Line 1</p> 
  <p>Line 2</p>
  <p>Line 3</p>

Paragraphs may contain other elements too - including additional child p elements. The following is a perfectly reasonable set of paragraphs, although it's not quite common to enclose p elements within other p elements for reasons that should become more clear soon.

  <p>
    <p>Line 1</p> 
    <p>Line 2</p>
    <p>Line 3</p>
  </p>

White Space

White space - which is the space between words, along with new lines, tabs, etc. are often a source of confusion for those that are new to HTML. Let's look at the following HTML p elements:

<p>This     is     an 
   example of how   white space
   works!
</p>
<p>This is an example of how white space works!</p>

Both p elements are rendered identically because of a term called whitespace collapse. In HTML, what the programmer writes and what is seen on the screen is not meant to be identical - and the quicker you understand that, the easier time you will have!

Whitespace collapse means that when the browser renders text content within an element, all consecutive space characters - new lines, tabs, space bar, - are collapsed into one space. New lines and tabs typed by the programmer do not translate to new lines or multiple spaces, the are rendered by a single space (although browsers do automatically add some extra space after periods ending sentences). The browser is in charge of word wrapping - not you! This is actually a great thing, because the screen you are typing your HTML on isn't the same sized screen as the end user's - it's probably not even the same font! You, the author, really aren't in a position to layout text - only the browser running on the user's machine is! The web browser does a wonderful job of layout out text on the screen, and in virtually every scenario you should also simply let it do it's thing.

If we really want to override text layout, we do have an element that can help - pre. The pre element stands for preformatted and can be used when you do want to preserve white space.

<p>This     is     an 
   example of how   white space
   works!
</p>
<pre>This     is     an 
   example of how   white space
   works!
</pre>

The pre element (and it's cousin - code) are nice for special purposes (maybe if you are writing about programming code!), but should be used sparingly.

Headings

Text documents are usually organized into headings. Headings are of course very helpful for readers to skim to different sections of a text document, and get an overview of the content. It's not surprising that even the very first version of HTML supported headings - which by default are rendered on their own line, in a font usually bolder and larger than the standard font being used. Documents generally have hierarchical heading structures, and HTML supports 5 levels of headings:

<h1>Heading 1</h1>
<p>Some text content</p>
<h2>Heading 2</h2>
<p>Some text content</p>
<h3>Heading 3</h3>
<p>Some text content</p>
<h4>Heading 4</h4>
<p>Some text content</p>
<h5>Heading 5</h5>
<p>Some text content</p>

Pro Tip💡 We haven't discussed what the standard font is yet. Until we learn CSS, the standard font is set by the browser (or potentially user settings in the browser). It's normally Times New Roman or other highly legible font, at around 10pt-12pt font size.

It's important to note that the "boldness" or size of headings is arbitrarily defined by the browser, in the absence of CSS styling rules. Most browsers will look pretty similar to the screenshot above, but they aren't obligated to. HTML is about meaning not visual styling. Using headings (and their numbers) is important to convey meaning and relationships, and should never be used just to make some text loop a specific way!

Block Elements

p, pre and headers are all referred to as block elements. They are defined such that by default they always occupy their own vertical space - they are always on their own lines. This can be overridden by CSS, but it's useful to learn element defaults on their own. In the original HTML specifications, p, pre, and headings were primary ways of laying text out on new lines. In addition, authors could also use the <br/> inline element to force line breaks.

<p>This paragraph has a forced <br/>line break.</p>

As discussed, pre and headings clearly change the visual appearance of the text content they enclose. p elements were frequently the method of having text occupy separate lines, but they are awkward when not actually trying to represent paragraphs. As we've mentioned, HTML is about conveying meaning. For this reason (right or wrong) a new element was added and because the de-facto way of (1) grouping elements together and (2) making those groups have their own vertical space - the div element.

The div element is a block element, does not affect the visual appearance of it's contents (other than starting and ending them on their own line), and is used commonly for grouping elements together (or at least until recently). They convey no semantic meaning, but they are easily styled with CSS, which makes them a popular choice.

Notice here, the visual appearance is not altered, but the HTML structure actually starts to mimic the document's conceptual organization better - since headings and their associate text are part of the same element.

<div>
  <h1>Heading 1</h1>
  <p>Some text content</p>
</div>
<div>
  <h2>Heading 2</h2>
  <p>Some text content</p>
</div>
<div>
  <h3>Heading 3</h3>
  <p>Some text content</p>
</div>
<div>
  <h4>Heading 4</h4>
  <p>Some text content</p>
</div>
<div>
  <h5>Heading 5</h5>
  <p>Some text content</p>
</div>

As we will see later, HTML 5 added additional block elements that have made div less useful, as the newer alternatives provide additional semantic context. Regardless of which element you use, block elements occupy their own vertical space, and may contain block child elements and/or inline child elements.

Inline Elements

Inline elements wrap specific text content for a variety of reasons. They do not change the vertical layout of the text. We'll discuss more later, but for now we can look at a few:

<p>
  Here's some examples of inline text element 
  which <span>do not change the vertical layout 
  of the text</span>, but <em>may change the visual 
  appearance</em>.  The visual appearance is 
  <strong>completely defined by the browser</strong>, 
  and is allowed to be different across different 
  browsers and devices.
</p>

In the HTML above, we see the use of the strong and em inline elements, which change the rendering of the font to bold and italics. It's important to note that HTML 4.01 and below used to support the <b> element and <i> elements for bold and italics, and most modern browsers do still allow for them since they were so popular. The replacement of b and i was driven by the push towards semantic elements rather than elements that purely described visual appearance. It's a little wonky, but notice that b and i leave nothing to the browser, it's clear the author is describing how the text appears. Alternatively, strong and em (emphasis) are describing meaning, and leaving it up to the browser how to decide. This is in line with the separation of HTML from CSS.

The third inline element you see in the HTML above is the span element. Think of this like the inline analog to the div element. It is used purely for grouping and identifying text, it does not alter the visual representation of the text at all. When we learn CSS, we will see why this is so useful. Just like with div, HTML 5 has introduced some more semantically meaningful alternatives to the span element that similarly do not change the appearance but do convey more meaning.

Attributes

A last part of the structure of HTML is the attribute. An attribute is a name-value pair that can be attached to any element. The HTML standard defines a set of attributes that can be defined on each element in the standard, although there are also legal ways to place arbitrary attributes on elements too - which we will examine later in the book. Elements may have any number of attributes defined.

The HTML below shows three attributes (these are not real attributes) to illustrate the syntax. Attribute names never contain spaces, the name and value is always separated with an = sign, and the value is always quoted (typically double quotes, but single are usually accepted - but never mix and match!). Attribute names are always lower cast.

<p attribute1="value 1" attribute2 = "value 2" attribute3 = "value 3">Some text</p>

Attributes never directly effect the visual rendering of the element - instead, they are used to store and convey additional data to the browser (or, as we will see later, JavaScript). There are four universal attributes which are always available for any HTML element:

• id - Allows you to specify a unique identifier for the element within the page. The value must start with [a-z] or [A-Z] and can be followed by any number of letters, digits, hyphens, underscores, colons, or periods. The value must be unique across the entire page. The id is often very useful when used in conjunction with CSS and JavaScript, as it will allow that code to identify particular elements within a page.
• class - Allows you to specify am arbitrary classification for the element. The value adheres to the same rules as id, however any number of elements can have the same classification. In addition, elements may have multiple classes, where the classes are separated by spaces. <p class="a b c"> for example, adds class a, b and c to the paragraph. class is useful for the same reasons as id, CSS and JavaScript will often refer to groups of elements by specifying their class.
• style - Allows you to attach specific CSS fuiles to the element directly. This is used for inline css, which will be applied by the browser. <p style="color:red"> will create a paragraph with red ttext. Generally this is not recommended, as there are better and more powerful ways of defining CSS - however the element is supported and used in the wild frequently.
• title - Not to be confused with the <title> element contained in the <head>, the title attribute defines text that describes the element. The classic example is for allowing special text to appear on the screen when the user hovers their mouse over the element. Note, browsers are not obligated to use the title attribute in any particular way. A browser that is using screen reading technology may produce audio of the title upon request from the user, while a browser on a touch screen might need to use it in a totally different way.

We will see the use of these later in the book.

Working Examples - An enhanced Node.js Web Server

At this point, we are about to start looking at particularly common HTML elements in a lot more detail. We'll have lots of example, but they all won't be embedded directly into the book's pages. Instead, you are strongly encouraged to run the HTML demo provided here. The HTML demo contains a small HTML web server, written in Node.js. It serves HTML files, that are located in the same project directory.

It's worth spending a little time reviewing - since we just learned about HTTP servers in the last chapter a bit. Take a look at the code - and read the comments! This is a much more fully fledged HTTP server, but is still simple enough for you to understand pretty readily. It can recognize when a requested path lines up to an HTML file, and serve the file from disk. It can also recognize appropriate headers (MIME types), when resources are being requested that do not map to a file (including some generated pages), and returns appropriate response codes in all cases.

We will use this working example in several chapters, so please do download it so you can run it and utilize it while reading.

/***************************************************
Node.js has a number of excellent modules built in.
Here we build on the http module by including:
 - url - helps us parse URLS
 - path - for building an working with file paths
 - fs - for working with the file system
****************************************************/
const http = require("http");
const url = require("url");
const path = require("path");
const fs = require("fs");

/***************************************************
Based on the file extension, we'll serve the
appropriate mime type.  This isn't a perfect way
of doing things - but its good enough for now
****************************************************/
var mimeTypes = {
    html: "text/html",
    jpeg: "image/jpeg",
    jpg: "image/jpeg",
    png: "image/png",
    gif: "image/gif",
    js: "text/javascript",
    css: "text/css",
    mp4: "video/mp4",
    ogv: "video/ogv",
};

// As before, we create an http server
http
    .createServer(function (req, res) {
        // we get just the path part of the URL
        const uri = url.parse(req.url).pathname;

        // join the path with the current working directory
        const filename = path.join(process.cwd(), unescape(uri));

        // The fs module's lstatSync function let's use query the
        // the operating system about a (potential) file.  Here we
        // really just want to know if it is an actual file.
        var stats;
        try {
            stats = fs.lstatSync(filename); // throws if path doesn't exist
        } catch (e) {
            console.log("\tResponse is 404, not found");
            res.writeHead(404, { "Content-Type": "text/plain" });
            res.write("404 Not Found\n");
            res.end();
            return;
        }

        if (stats.isFile()) {
            // path exists, is a file
            var mimeType = mimeTypes[path.extname(filename).split(".")[1]];
            console.log("\tResponse is 200, serving file");
            res.writeHead(200, { "Content-Type": mimeType });

            var fileStream = fs.createReadStream(filename);
            // the pipe function is quite powerful - it
            // reads from the file stream and writes to the response
            // until the source stream is emptied.
            fileStream.pipe(res);
        } else if (stats.isDirectory()) {
            // path exists, is a directory
            // we could see if there is an index.html at this location
            // (try this as an exercise).  For now, do nothing... return
            // not found.
            console.log("\tResponse is 404, not found (directory)");
            res.writeHead(404, { "Content-Type": "text/plain" });
            res.write("404 Not Found\n");
            res.end();
        }
        // no need for an else here, lstatsSync would have failed if the
        // file/directory did not exist.
    })
    .listen(8080);

Inline Elements, Text, and Links

In the previous section we examined <strong> and <em> as inline elements that hinted at some meaning behind the text they enclosed. Strong words feel like they should be in bold, although it's debatable whether or not emphasis is really saying italics, or whether it's really different than strong. That aside, there are a few inline elements that do convey pretty specific meaning.

Inline elements cannot contain block elements, but they may contain other inline elements. Otherwise, inline elements will typically contain just text. Inline elements, just like block elements, can have attributes.

BTW, you can play along. If you downloaded the html-serve folder, you can run the program on your machine (node server.js). This will start the web browser and you can use the links provided within the text to explore further.

Inline Sizing

While it's not really in line with pure semantic meaning, HTML does continue to support a small set of sizing elements that are inline. They aren't terrifically supported. At the time of this writing, small has no effect on the text rendered by Firefox. Expect this to continue, as

<p>
    The <big>long</big> and <small>short</small> of the story is
    that these are so common, they really couldn't be dropped.
    Most people use CSS instead, but they are valid.
</p>

Live on your own machine

Vertical Spacing

We already saw the br element. It is an example of an HTML empty element, meaning it is both an opening and closing tag, with no content. It is illegal to include any content in the br element in fact (if you think about it, that wouldn't make any sense). The <br/> element causes a single line break. There is no additional vertical spacing/padding applied, the text simply begins on the next line. Contrast this with paragraphs, which by default will also receive some separation spacing.

<h1>Three paragraphs</h1>
<p>The br element in HTML represents a line break, used to insert a new line within text without starting a new paragraph.</p>
<p>It is a self-closing tag, meaning it doesn't require a closing tag. </p>
<p>The br element is often used within blocks of text or inside other elements to control formatting and improve readability.</p>


<h1>One paragraph, three line breaks</h1>
<p>The br element in HTML represents a line break, used to insert a new line within text without starting a new paragraph. <br/>It is a self-closing tag, meaning it doesn't require a closing tag. <br/>The br element is often used within blocks of text or inside other elements to control formatting and improve readability.
</p>

Live on your own machine

Notice that depending on line wrapping and screen size, the text with line break may have more than three lines - including a few really short lines. This is illustrative of why you want to use caution relying on the br element too much.

Often we wish to draw a clear separation between two areas of text. On printed paper, this is usually accomplished with a simple horizontal line - and HTML provides this with another empty or self-closing element - <hr/>. The horizontal rule draws a horizontal line on the next vertical space (technically, it is a block element).

<p>Here's some text above the fold.</p>
<hr />
<p>And here's some text below the fold.</p>

Live on your own machine

Association Elements

There are inline elements that work to associate text with other parts of the document, or to call them out from the rest in some way. You would be familiar with them from writing any large document, especially technical documentation.

• cite - Used for citations, generally will show the text in italics.
• mark - Wrap text to highlight or mark in some way. In most browsers, the text enclosed in this element will be highlighted in yellow.
• label - Used to associate text with something else on the page. The label element supports the for attribute, which allows you to specify which element the label is for. This is common on HTML forms, which we will cover in a later chapter.
• q - Surrounding text with the quote element will automatically put quotes around the text. This is very helpful, especially for character encoding issues. It also convey a lot more meaning than just using the " marks within plain text.
• abbr - The abbr element uses the title attribute to show a popover when the abbreviation text is hovered over. It can also be used for screen readers to prompt the system to audibly explaint the abbreviation. For example, `WHO semantically associates the World Health Organization with the acronym WHO, in a meaningful way.
• sub and sup - These are for subscripts and superscripts.
• time - Wraps a time value, in hopes of allowing the browser to display the time value in a local-specific way. In practice, most browsers don't do a whole lot with this, but it's nice to use when possible to take advantage of any features the browser can provide. The time element also supports a datetime attributes that expects a valid timestamp (in an ISO formatted string). This can be useful to associate text (ie. Independence Day) with a specific date (2027-07-04).

<p>
<abbr title="HyperText Markup Language">HTML</abbr> allows you
    to add lots of meaning to the text of your document.  People often
    say <q>It's great!</q> - <cite>The author</cite>.
</p>
<p>
    It's also great at writing <mark>really important things</mark>,
    adding footnotes<sup>1</sup>, and even formula variables like x<sub>1</sub>
    and x<sub>0</sub>.
</p>

Live on your own machine

Code / Computer Output

It's somewhat questionable whether all of the inline elements we've added to HTML for computer code was a great idea, it seems sort of biased to a particular domain (people who write about code), but hey - why not. Your results may vary, depending on your browser - there isn't a lot of agreement between browsers how code should be rendered. Firefox in 2024 renders variable names in italics, for example. There's no question that the element convey meaning, but they don't really dictate visual representation

<pre><code>
int <var>x</var> = 5;
int <var>y</var> = 10;

cout << "The sum is:  " << <var>x</var> + <var>y</var> << endl;
</code>
</pre>
<samp>
    The sum is:  15
</samp>

Live on your own machine

There are additional inline elements, and lots of resources on the web that gives more explanation. WWW Schools has a good listing of inline elements, and allows you to demo some of them online. We are going to return to some more soon, including the a element below, and the img element when we cover multimedia. First. let's take a look at some other text issues that come into play with HTML.

Text & Special Characters

When we talk about inline elements, we are mostly talking about text, and so this is a good enough place as any to discuss some of the quirks about text, as it appears in HTML. We've already seen that text in HTML uses white space collapsing - meaning multiple consecutive spaces, tabs, and even new lines are always rendered as a single space. This is one instance, but not the only instance, where the text that you write in your editor is not the same as the text that appears on the browser screen once the HTML is rendered.

HTML is of course a programming language, and so there are special characters in the language itself that act as delimiters. As any language, HTML must be parsed by machine code (the browser, in most cases), and therefore there needs to be some provisions for differentiating between delimiters and true characters.

In HTML, the most noticeable delimiters are the < and > that make up the opening and closing tags - <body>...</body>. This angle brackets may not appear within text contents, as they create ambiguity for the parser:

<p>
    It is against the language rules to have < or > in the text, like was done here!
</p>

The above HTML may or may not render at all, browsers still have discretion when dealing with invalid HTML. Make no mistake, however - it is invalid HTML.

HTML defines a number of named entity references, which are essentially like the escape codes you use in other languages (for example, the \n as a new line). For the angle characters, we have > for the greater than symbol, and < for the less than symbol. There are also named entities for <= and >=.

There are additional characters that are not permitted to be within text content of HTML elements. Not unexpectedly, the & that begins an entity reference is a special character - and as such must be written with a named entity reference itself - &. There are also named entities for character that often create confusion when copy and paste is used between editors, especially when the editors are using different character encodings. A prime example of this is the double quote character - ". When using rich text editors, often the quotes are different from the ASCII quote, which will not work well in HTML. Due to the possible confusion, it is always recommended to either use the <q> element to wrap text that should be put in quotes, or to use the corresponding entity reference - ".

Here's a listing of some of the more commonly used entity references. Each named entity reference can also be written using it's hex or decimal code (although to most people, this is less readable) There are many, many more.. There are even entity references for emoji 😜

Comments

If you look in your developer tools when loading a web page, or right click and choose "View Source", you can always see the HTML loaded in the browser. It's source code, and just like any other source code, it may or may not have comments. You of course know what comments are all about - as a programmer you hopefully comment your code to the extent that is necessary for some other poor soul (or your future self) to understand what you've done.

HTML is no different, however since HTML is typical not complex, most of the time comments are used for more routine purposes - like author names, or additional information about the page.

Comments in HTML are delimited by <!-- and -->. There are no single line comments (like the // vs /* */ in some other languages).

<p>
    Here's some text.
    <!--
    This is a comment, and won't render
    -->
    Here's some more text.
</p>
<!-- This won't render either-->

Use comments in HTML sparingly. There really shouldn't be a need to document your HTML - if it's complex enough to confuse someone, something has gone terribly wrong. Remember, comments actually are part of the HTML that gets sent to the client - therefore it takes up network bytes.

Pro Tip💡 Unlike in other programming languages, your end users have direct access to your source code. Possibly more than any other language, HTML is very much open, there is literally no way your web page can render in someone's browser while at the same time preventing them from seeing the HTML code if they want to. Why is this important? Your comments are part of your code. Keep your comments professional. Do not put anything in comments that you don't want the entire world to see. This includes unprofessional language, but it also includes secrets (API keys, etc.). Remember, HTML code that you write can be seen easily by anyone who can load the web page.

Links and Anchors - HyperText!

We've saved the best inline element for last, the anchor element. It's the best because it puts the hyper into HyperText. Anchor elements are the links that we take for granted on the web. The term "link" though isn't really used the same way it was thought of (in theory) when HTML was created. Instead, links were the path between two anchors - a source and a destination.

In HTML, there are implicit anchors - such as a URL, and explicit anchors created with <a> elements. Typically, we create source anchors within web pages, which identify destinations by using a URL. The following creates a text link to Mozilla.org:

<!doctype html>
<html>
    <body>
        <p>Here's a <a href="https://www.mozilla.org">link</a>
        to a great place to get a web browser</p>
    </body>
</html>

In the source code above, the <a> element is a source anchor - it's a jumping off point, to another hypertext. The href attribute is indicating that the destination is on another page, at a different domain - https://www.mozilla.org. The URL itself is an implicit anchor. We know, of course, that the browser renders the <a> element as a link. Links are usually rendered as colored text, with an underline. The color of the text is usually blue, and the underline is usually removed when the link is clicked. This is the default behavior of the browser, and can be changed with CSS.

The value of the the href attribute is a URL. The URL can be a relative URL, or an absolute URL. If the URL is relative, it is relative to the current page. If the URL is absolute, it is a full URL - which must begin with the scheme.

Let's assume you have an HTML page loaded from https://www.example.com/foo/bar.html. The following href values are all valid:

• href="baz.html" - this is a relative URL, and the browser will request https://www.example.com/foo/baz.html
• href="/baz.html" - this is a relative URL, and the browser will request https://www.example.com/baz.html
• href="https://www.anotherexample.com/baz.html" - this is an absolute URL, and the browser will request https://www.anotherexample.com/baz.html
• href="//www.anotherexample.com/baz.html" - this is an absolute URL, and the browser will request https://www.anotherexample.com/baz.html. The https is assumed, based on the fact that you are currently viewing an https page.

The following are problematic, and need to be avoided:

• href=www.anotherexample.com/baz.html - this is a relative URL, and the browser will request https://www.example.com/foo/www.anotherexample.com/baz.html. Clearly, that's unlikely to be what you actually wanted - but without the scheme, or leading //, the browser will assume it's a relative URL.
• href="http://www.anotherexample.com/baz.html" - This is an absolute reference, and is ok. However, you should note that linking to http sites within an https site might invoke a warning from the browser when the user clicks it. Sometimes we have no choice, the site we link to is only served with http, but generally if you can, always choose https.

Browsers respond to clicking on source links with href values by generating a new HTTP GET request to the target URL.

Anchors within pages

As discussed above, there are two anchors - a source and a destination. In the examples above, we were linking to a URL, which implicitly is an anchor. We can create explicit destination anchors within an HTML page as well though.

The following page creates several explicit anchors, and links to them at the top.

<!doctype html>
<html>
    <body>
        <!-- Source Anchors -->
        <p>
            <a href="#section1">Section 1</a>
            <a href="#section2">Section 2</a>
            <a href="#section3">Section 3</a>
        </p>
        <!-- Destination Anchors -->
        <h1><a name="section1">Section 1</a></h1>
        <p>This is section 1</p>
        <h1><a name="section2">Section 2</a></h1>
        <p>This is section 2</p>
        <h1><a name="section3">Section 3</a></h1>
        <p>This is section 2</p>
    </body>
</html>

Live on your own machine

Try this one on your own machine, but make the window really small, so you can't see the entire vertical page. When you click on the section links along the top of the page, the browser responds by scrolling down to the location of the destination anchor. The destination anchors are <a> elements, but instead of having a href attribute, they have a name attribute. The name attribute is the destination anchor. The browser will scroll the page to the location of the destination anchor when the source anchor is clicked.

Notice that the source anchors still use href - they are sources, and the href creates the link to the destination anchor. In this case, the source anchors are referring to the current page, but at the named destination - prefixed with #. We can also combine a URL and a name to create links to different web pages, at specific locations. For example, if the html with the three section links were to be hosted at https://my-anchors.com/sections.html, the following would link to the second section:

<a href="https://my-anchors.com/sections.html#section2">Section 2</a>

Relative vs Absolute URLs

When linking to other resources that are external to our own site (on a different domain), we have no choice but to list URLs using the full absolute syntax. If our site is hosted on https://mysite.com and we are linking to something on https://example.com, then the href must be absolute. What about when we are linking to resources on our own site? Should we use relative or absolute URLs? In almost all cases we want to link using relative links. This is because relative links are more robust - they are less likely to break when the site is moved, or when the site is accessed from a different domain. If you use absolute URLs, and the site is moved, then all the links will be broken. If you use relative URLs, then the links will continue to work, as long as the relative structure of the site is maintained. This also lets you develop your web site on your own computer, using a localhost web server, and have it function exactly the same way it will when it's deployed to a real server.

Sometimes, within a web application with many pages, with a nested structure, it can feel awkward to restrict yourself to relative links - you find yourself using .../.../other.html type syntax, counting the ../ up complex paths. In this case, remember that an href value of /other.html is still a "relative" link, in that it is not changing the domain - it's just linking to a resource starting at the root, rather than the current path. This can be a good compromise, it let's you link directly to a resource within your site from anywhere within your site using the same URL - but it does not break if the site is moved to a different domain.

Relative paths in href that do not start with the / root character are always evaluated relative to the current page - with one caveat. It is possible to include a <base> tag in the <head> of the document, which will change the base URL for all relative links. This is rarely used, but can be useful in some cases. Use this with care however, as it does make the HTML harder to understand.

Anchor Targets

Often when we link to a new page, we want to open the new page within a new browser window or tab. This is done using the target attribute of the <a> tag. The target attribute can take several values, but the most common are _blank and _self. _blank will open the link in a new tab or window, while _self will open the link in the current tab or window. The default is _self, so if you don't specify a target, the link will open in the current tab or window. A third possible target is _parent, which can be used to open the link in a parent window, when the current window is a frame within the parent (we'll discuss frames later).

<a href="https://www.example.com" target="_blank">Open in new tab</a>
<a href="https://www.example.com" target="_self">Open in current tab</a>

Generally opt for keeping _self when you are linking within your own site. It's up to you whether to use _blank or not when linking to external sites. You might prefer to keep your own page open on the users browser, while they have the option to read the newly opened tab. Remember however that most people's browsers let them decide, so your choice of target is just a suggestion to the browser and the user.

Block Elements

Block elements are HTML elements that by default are always rendered within their own vertical space. They can have vertical padding/margins, separating themselves from other elements above and below them. By default, block elements always occupy the entire horizontal space available on the screen (or within their parent element). Block elements can contain other block elements, inline elements, or a combination of both.

We've seen a few block elements already:

• body - this is always a block element, it is the second child of the html element root, and contains all the visible elements of the page.
• p - the paragraph element
• pre - the preformatted text element
• h1, h2, h3, h4, h5, h6 - the header elements
• div - the generic block element, which has now special styling or semantics. This is primarily useful for establishing groups and relationships between elements and for applying CSS styles to groups of elements.

Until HTML 5, this was about all there was in terms of pure text block elements. Lists, dictionaries, and tables also existed (see below). HTML 5 introduced a number of new block elements, which are used to help define the structure of a page while conveying some additional semantics. These were added to promote better accessibility and to help search engines better understand the content of a page, and also to cut down on the proliferation of div all over most HTML pages.

Block container elements

HTML 5 introduced <section>, <article>, <nav>, <header>, <footer> and <aside> to give HTML authors better and more descriptive element names for parts of their webpage. Here's an example of some HTML prior to HTML 5 that might create two short blog posts:

<div>
  <h1>My First Blog Post</h1>
  <p>Date published goes here</p>
  <p>Here is the content of my blog post.</p>
  <p>Author information goes here.</p>
</div>
<div>
  <h1>My Second Blog Post</h1>
  <p>Date published goes here</p>
  <p>Here is the content of my blog post.</p>
  <p>Author information goes here.</p>
</div>

Notice that div isn't particularly descriptive. In addition, the paragraph elements containing date published and author information are not semantically related to the blog post content, but we only know that because we understand what we are reading! Now let's see how we might write this using some of the HTML 5 elements:

<article>
    <header>
        <h1>My First Blog Post</h1>
        <p>Date published goes here</p>
    </header>
    <section>
        <p>Here is the content of my blog post.</p>
    </section>
    <footer>
        <p>Author information goes here.</p>
    </footer>
</article>
<article>
    <header>
        <h1>My Second Blog Post</h1>
        <p>Date published goes here</p>
    </header>
    <section>
        <p>Here is the content of my blog post.</p>
    </section>
    <footer>
        <p>Author information goes here.</p>
    </footer>
</article>

It's longer, because we've used header, footer, and section to wrap the critical areas of each post. Now, let's see how it's rendered.

Live on your own machine

Which rendering is that? Actually - and this is very important, the new HTML 5 block containers do not carry with them any styling. They are rendered exactly like div, they are just more semantically descriptive. Often students first learning this will question the wisdom of using more elaborate elements, since clearly it makes things a little more complex. The answer is that the complexity is worth it, because it makes the page more accessible to screen readers and search engines, and it makes the page easier to understand for other developers. Today's web is consumed by more bots than humans, and semantic elements within HTML allows bots (I'm using the word in a neutral way, nothing nefarious) to make better use of the content. This is a good thing.

There is an additional benefit of using more descriptive HTML 5 block containers, and it presents itself when we begin styling our pages with CSS. Clearly, things like headers, footers, navs are likely to have different visual styles to them. Without going into the details too much, in order to style all headers the same way using HTML 4 div we'd need to make sure we added a CSS class attribute to each div that was intended to serve as a header to a blog post. With HTML 5, we do not need to add additional noise - we can simply style all header elements. This is a small thing, but it adds up over time.

    <div class="header">
        This content can be styled
        by writing CSS rules that target
        all elements with header class.
    </div>
    <header>
        This content can be styled
        by writing CSS rules that target
        all header elements.
    </header>

The new block elements suggest some meaning. For example, a nav element should generally be an element that contains navigation links and buttons. It probably will be styled so it is at the top, or along the side of a page, but that's what we use CSS for. However, the fact that nav is used tells a screen reader, or a search engine bot, that the content within the nav element is likely to be navigation links.

Similarly, using aside suggests that the text within it is not part of the primary content of the section of text - but that it is an "aside". The browser will not render aside off to the side of the text, but you will earn to use CSS to do so if you choose. However, again, a screen reader will understand that it should not process the contents of an aside when processing the main text within an article or section, for example.

More specialized block elements

HTML 5 also introduced a number of other block elements that are used to convey meaning. These include <address> and <blockquote>. Most browsers will render <address> elements as italics, and it's a nice wrapper element you can use to contain other elements of an address. You can, of course, write CSS rules to target address and style it separately as well. blockquote is typically rendered with a left margin, and sometimes with a right margin, to indicate that the text within it is a quote from another source.

<address>
    <p>1234 Elm Street</p>
    <p>Springfield, IL 62701</p>
</address>
<p> Here is some generic text, not part of the Gettysburg Address.</p>
<blockquote>
    Four score and seven years ago our fathers brought
    forth on this continent, a new nation, conceived
    in Liberty, and dedicated to the proposition that all...
</blockquote>

Lists & Dictionaries

The web was built, originally, to create a hypertext library of scientific documents. Scientific documents have a lot of lists and glossaries, and so it's not surprising that these are some of the original HTML block elements. Lists and glossary (definition lists) are block elements that convey some semantics, along with some special formatting assumptions that are usually fairly useful by default.

Let's look at the two most common forms of lists - ordered lists and unordered lists. An ordered list is a group of list items that are arranged in a numeric order. When constructing a list like this, the web browser will automatically create numberings for you, you should not add numbers to the text of your lists itself. Here's an example:

<ol>
    <li>Item A</li>
    <li>Item B</li>
    <li>Item C</li>
</ol>

Notice that the <ol> element contains three list item elements (li). When rendered, margins are applied to the list items, and numbers are automatically applied.

Fear not, you do have control over styling, even whether numbers appear or not - but we'll do that with CSS. Note also that you may nest list elements within list items, creating sub-lists. The browser will make a reasonable attempt at rendering these in a coherent way.

<ol>
    <li>Item A</li>
    <li>
        Item B
        <ol>
            <li>Item B.1</li>
            <li>Item B.2</li>
            <li>Item B.3</li>
        </ol>
    </li>
    <li>Item C</li>
</ol>

Unordered lists use precisely the same structure, but we use <ul> for unordered instead of ol for ordered. The list elements themselves are still just li elements.

<ul>
    <li>Item A</li>
    <li>Item B</li>
    <li>Item C</li>
</ul>

Nesting is similarly supported, and it is perfectly viable to nest ordered lists within unordered list elements, and vice versa.

The third type of list is a definition list. It's less frequently used, but it nevertheless a fairly useful element that might not get the credit it rightly deserves. Definition lists are compound list elements, containing a term and a definition. This is perfect for creating dictionaries, glossaries, and other types of descriptive listings.

<dl>
    <dt>Term 1</dt>
    <dd>This is the definition for Term 1</dd>

    <dt>Term 2</dt>
    <dd>This is the definition for Term 2</dd>
</dl>

Note here that we no longer use li elements, but instead each terms is build from a consecutive pair of dt (term) and dd (definition) elements.

For all three list types, CSS can help us style the padding, spacing, font, and even the decorators (the numbers, dots) - all of which we will cover when we dive into CSS.

Tables

Much like lists, tables are a common feature of scientific documents, and as such have been part of HTML from very early on. The table element has a checkered past, and we will discuss it in a moment, but first lets jump right to the syntax of a table.

Each table element creates an individual table. The table element should have at least one child - tbody (table body) but may also have a table heading (which typically contains column headings) using the thead element. Finally, a table element can also feature a tfoot element for a table footer area. Tables can have any number of thead, tbody, and tfoot elements, appearing in any order within the table.

Within the thead, tbody or tfoot exist table rows - represented by the tr element. The tr element may contain any number of table data or table heading columns - represented by td and th elements. For now, let's keep things simple and assume that all rows have the same number of columns - although this isn't a real requirement.

Here's an example:

<table>
    <thead>
        <tr>
            <th>Title</th>
            <th>Year of Publication</th>
            <th>Author</th>
            <th>ISBN</th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td>Effective Java</td>
            <td>2008</td>
            <td>Joshua Bloch</td>
            <td>978-0134685991</td>
        </tr>
        <tr>
            <td>Clean Code</td>
            <td>2008</td>
            <td>Robert C. Martin</td>
            <td>978-0132350884</td>
        </tr>
        <tr>
            <td>The Pragmatic Programmer</td>
            <td>1999</td>
            <td>Andrew Hunt, David Thomas</td>
            <td>978-0201616224</td>
        </tr>
    </tbody>
</table>

Notice that Firefox (which I use to render all the images in this book) adds some styling to tables. The th heading elements are bold, and centered - while the td elements are left justified. We can of course change all that using CSS, and we can also add table borders, padding, etc. Again, we'll cover styling of tables later in the CSS chapter - for now we'll just focus on the HTML itself.

To make things a little easier to see, structurally, let's introduce a tiny bit of CSS however. At the top of the HTML page, let's add some border styling:

<style>
table, th, td {
  border: 1px solid black;
}
</style>

With those borders, now we can take a look at some of the other element features of tables. For example, we can add <caption> element to add a title, and we can also create column cells that span multiple column:

<table>
    <caption>Sample Table with Spanning Cells</caption>
    <thead>
        <tr>
            <th>Column 1</th>
            <th>Column 2</th>
            <th>Column 3</th>
        </tr>
    </thead>
    <tbody>
        <tr>
            <td rowspan="2">Rowspan Cell</td>
            <td>Data 1</td>
            <td>Data 2</td>
        </tr>
        <tr>
            <td>Data 3</td>
            <td>Data 4</td>
        </tr>
        <tr>
            <td>Data 5</td>
            <td colspan="2">Colspan Cell</td>
        </tr>
    </tbody>
</table>

Live on your own machine

Tables present some problems when considering HTML to be shown on multiple devices, particularly smaller screens. You might notice that plain text tends to look readable wherever you view it - be it on a large desktop screen or a small smart phone. It may not be perfect, but even without any CSS the web browser generally does a fairly good job at rendering with appropriate text wrapping. This is not the case with tables, unfortunately. You will find that without CSS, tables tend to be quite cumbersome for users to work with on smaller devices, forcing lots of horizontal scrolling. It also becomes difficult to control how cells (columns) will be rendered, and avoid unwanted text wrapping within cells. All of these issue can be corrected with CSS, but it's worth pointing out that sometimes there are alternative HTML structures that might lend themselves better to response design. We will discuss responsive design later with CSS, however it refers to the design goal of supporting many different screen sizes well - often by changing what things are visible, or how they are rendered, depending on the screen size. Whenever you are considering a table, you could also consider the responsive concerns that it may include.

Pro Tip💡 Use tables for tabular data. This sounds simple, but it's often forgotten. HTML tables are the best option when you have a table of data - not words and paragraphs, not search listings, not text. If what you are typing to put on the page is a table, in the true sense of the word, then by all means you should use a table element. If not, however - using the table element may be a mistake. Other elements we've seen - like unordered, ordered, and definition lists - can be much better choices. They offer more flexibility, and easier stylings options. You don't need to avoid table elements, but you should be careful to use them only for what they are good at!

Tables are not for layout

There was a time, in the 1990s, where table elements were not just used for presenting data, they were used for layout. In particular, they were used to create sidebars to the left and right of main text on pages, including sidebars that just had mostly blank space! For complex layouts, web developers created elaborate tables, with tables within tables, along with tables with empty cells, all in an effort to do what today CSS does far better. Don't judge those developers though, in the 1990s CSS was decidedly not great, and browsers were quite inconsistent in how they interpreted complex CSS.

Here's an example (from a somewhat ancient version of a website) of where to use tables, and where not to use tables.

By the way, the screen shot above is from a 2013 archive of major league baseball standings on espn.com. I sincerely doubt that as late as 2013 espn.com was using actual table elements for their layout, however the screen shot is illustrative of the types of page layouts that had been commonly achieved with table elements.

A picture is worth a thousand words in this case. As you can see, the first image outlines a true table - and yes, the HTML in that area uses a table element, with th and some nice CSS. The image below shows another table though - and it's not a table at all - it's a collection of cells that the web author has used a table element to arrange as a grid. This is an old web page, and it has some serious flaws. First, a table, as discussed above, cannot adequately adjust it's layout for smaller screens. This makes it an incredibly poor element for laying things out as a grid, because that grid will need horizontal scrolling on smaller devices. Today, CSS has vastly superior layout mechanisms, which allow you to construct the same page layout using normal block containers like div, section, nav, aside, etc.

You should never use tables to layout content on a page. You should use tables to present data!∂

More Block Elements

There are more block elements, some of which we will spend a lot more time on soon. HTML forms, which allow for user input, will be covered in a later chapter. HTML forms themselves are block elements, and individual controls (text inputs) are inline and block elements. THere are several specialized elements for multimedia, including a few block elements (video) that we will cover next as well.

Media Types and Media Elements

We will now cover some specialized HTML elements that allow for the embedding of non-text within an HTML page. These elements allow you to render images and video and play audio. While elements for images, audio and video all have their own details - they share something important in common: They are embedded resources, requested separately by the browser using a separate HTTP request.

Let's cover the most basic media element first, the image element - and observe how it is rendered by the browser. From there, we can cover the others more quickly - focusing on some of the more specific features they provide.

Images

Let's begin with a very simple example, containing the minimum to embed an image in an HTML page.

<!doctype html>
<html>
    <head>
        <title>Image Example</title>
    </head>
    <body>
        <p>Some leading text</p>
        <img src="https://upload.wikimedia.org/wikipedia/commons/7/70/Example.png"/>
        <p>Some following text</p>
    </body>
</html>

The img element is a self closing HTML element. There is no content found within the img element itself. The src attribute is used to make a reference to a resource external to the current HTML page. In this case, it is a URL outside of the current domain - on Wikipedia. We could have also used a relative path if we wanted to show an image that was hosted on the same site as the web page rendering it.

<img src="../images/example-image.png"/>

Really, all the same things we learned with the href attributes for anchors tend to work the same way for the src attribute (however the src attribute doesn't used named anchors, just URLS).

So far, this is fairly straightforward. Images are loaded and displayed in the HTML. It's worth looking at this a little more closely however - because something very important is happening with the src attribute that will be critical to our understanding of many other features of HTML. Let's see how the image is actually loaded.

Requests

Early on in Chapter 2 we focused on an important concept - the HTTP request and response cycle. Recall, each HTTP request and response is independent. In addition, one HTTP request maps to exactly one response - one resource - one URL.

So let's look at an example HTML document with some images once more:

<!doctype html>
<html>
    <head><title>One Request, One Response</title></head>
    <body>
        <p>Here are some pictures of tasty fruit</p>
        <p>
            <img src="apple.png"/>
        </p>
        <p>
            <img src="orange.png"/>
        </p>
        <p>
            <img src="grape.png"/>
        </p>
    </body>
</html>

The HTML above is one resource. We might imagine it was retrieved by the web browser issuing a GET request to a hypothetical website - https://fruits.com/pictures. The response to that GET request is only the html you see above, it does not include the actual images! So, how do the images appear in on the screen?

The src attribute within each img element creates a relative URL. In this case, three distinct URLs are formed from the img elements - https://fruits.com/apple.png, https://fruits.com/orange.png, and https://fruits.com/grape.png. These are three distinct resources, three distinct URLs.

The web browser, after loading the HTML document scans the HTML for src attributes, and initiates new GET requests for each resource identified. The web server will receive these requests, and responds to them independently.

Let's review, by looking at a minimal HTTP request and response for each.

Request 1 - for the HTML

Here the web browser responds to either a link being clicked, or the user directly entering https://fruits.com/pictures into their address bar, by issuing a GET request. This is the first request.

GET /pictures
host:  fruits.com

Response 1 - the HTML

The web server will respond with a standard HTTP response, containing the HTML in the response body.

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 331

<!doctype html>
<html>
    <head><title>One Request, One Response</title></head>
    <body>
        <p>Here are some pictures of tasty fruit</p>
        <p>
            <img src="apple.png"/>
        </p>
        <p>
            <img src="orange.png"/>
        </p>
        <p>
            <img src="grape.png"/>
        </p>
    </body>
</html>

The HTML is rendered by the browser. Importantly, there are no images to render, and the screen will appear to just have text - if not for just a brief moment. You've undoubtedly seen this yourself, you've accessed a web page, and for a brief moment there is text, but no images. Eventually, the images appear. This is exactly what we are describing here! The browser receives the HTML first, and then makes follow up requests for the images.

Request 2 - apple.png

The next HTTP request is made, to retrieve the image apple.png. You'll note that it looks like any other HTTP request, however an extra header has been added. This header - referrer - is sent to the server to tell it that the URL being requested (apple.png) was referred to by the /pictures resource. This information is just that - it's information - nothing else. The server is unlikely to do anything with it in this example, but it's important to remember this. Whenever a resource is requested as a result of another URL being loaded, the web browser will send this information along using the referrer header. This is the cornerstone of web tracking, or allowing web servers to track user behavior. It has good uses, bad uses, and neutral uses - and we will discuss it in a lot more detail later on!

GET /apple.png
host:  fruits.com
referrer:  fruits.com/pictures

Response 2 - apple.png

The response the server returns is again an ordinary HTTP response, however the content type is not just plain text - it's binary data. We won't write the binary data in the figure below, it wouldn't make any sense - but understand that it is a binary image format (png). We'll discuss image formats in a bit.

HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 55013

... binary data, 55KB of PNG formatted data...

The next request and response for orange.png will be very similar:

GET /orange.png
host:  fruits.com
referrer:  fruits.com/pictures

HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 43065

... binary data, 43KB of PNG formatted data...

Followed by the last request for grape.png:

GET /grape.png
host:  fruits.com
referrer:  fruits.com/pictures

HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 67800

... binary data, 67KB of PNG formatted data...

We have a total of four requests - one for the HTML, and three for the additional images. Four round trip network requests.

Let's look at a slight variation, and test our understanding a bit:

<!doctype html>
<html>
    <head><title>One Request, One Response</title></head>
    <body>
        <p>Here are some pictures of tasty fruit</p>
        <p>
            <img src="apple.png"/>
        </p>
        <p>
            <img src="apple.png"/>
        </p>
        <p>
            <!-- Let's assume there is NO such
                 such image called mystery.png on the server
            -->
            <img src="mystery.png"/>
        </p>
    </body>
</html>

In the example above, two changes were made. First, apple.png is being referred to twice. Web browsers are smart, and when an HTML page is referencing the same resource twice, only one GET request will be generated. In fact, even when the browser sees requests for apple.png in the near future, as long as it's the same complete URL (domain, path, etc), it probably will continue to use a cached copy of the image to avoid downloading the same image again within a short amount of time. This caching can be somewhat controlled by some of the response headers we saw in Chapter 2 however.

The second change is that the third image now links to mystery.png. Let's assume that image does not exist on the server. Just like any other HTTP request, if the requested resource doesn't exit, the server will likely return a 404 Not Found. What does the browser do in this case?

As you can see above, the page still loads. The images of the apple still load. The only thing that doesn't load is the missing mystery.png image. This is the nature of the one request, one response cycle - if one request fails, the rest of the page can still be presented. The broken image symbol at the bottom is a placeholder, most browsers will show something similar to indicate to the user that an image failed to load.

Image Sizing

Why did the images in the fruits examples load at a particular size? Without any additional instructions, when an image is loaded in HTML it takes on the same pixel dimensions as the actual image itself. If the image is 1280x900 pixels, then the image will occupy 1280 horizontal pixels and 900 vertical pixels - an awfully large image for a web page. Large images take time to download, especially on mobile devices.

If you've ever encountered a web page with a lot of text, and some images mixed in, you might have encountered the rather annoying effects of failing to specify image size directly. Since images download after the HTML text, browsers will render and lay out the text before the images arrive. Without any additional information, browsers have no way of knowing the size of the image they will receive, so they simply render text as if the image will be some small square (about the size of that broken image placeholder). The problem with this is that when the image does arrive, it's usually larger. The browser then is forced to redraw the text - shifting it, and disrupting the user.

Beyond the text rendering problems with delayed image sizing, we typically prefer to be able to control the size of the image when it is being rendered within HTML. The native dimensions of the image are not usually exactly what we want on our page.

We will cover better ways to size images when we cover CSS, however HTML itself has a primitive mechanism for doing so, using attributes. Consider the HTML below:

<!doctype html>
<html>
    <head><title>One Request, One Response</title></head>
    <body>
        <p>Here are some pictures of tasty fruit</p>
        <p>
            <img src="apple.png" height="50" width="200"/>
        </p>
        <p>
            <img src="apple.png" height="100"/>
        </p>
    </body>
</html>

Here, we see the same image - apple.png - being rendered at different sizes. When specifying both height and width, we need to take care to keep the proper aspect ratio (we did not in the screen shot above, clearly!). Generally it's preferred to only specify one - height or width, and allow the browser to preserve the natural aspect ratio of the image itself.

It's important to note that apple.png is still only requested once. The actual image data, with a native resolution that just so happens to be 188x151px, is transferred over the network one time. The image is rendered twice, at the requested dimensions.

Pro Tip💡 It pays to scale images on the server, rather than serving large images all the time. If the apple.png image was actually a large image - let's say 1880x1510px instead of 188x151, it would take a lot longer to download to the web browser. If the HTML it was rendered in always specified that the width should be on the order of 200px, then we would be downloaded a lot of extra pixels that get tossed away before rendering. This matters - it degrades user experience on slow network connections significantly. It also costs money - while transferring a few extra KB might seem like no big deal, if your website is popular these can quickly add up to many GB of network costs - which generally will end up costing you a fair amount of money! If you have an image on the server that is large, but you know you will often show a smaller version on HTML pages, it makes sense to scale the image using image scaling software, and store the smaller image on the web server. A common use case is thumbnail images, where small images are shown on a page, and if the user clicks them, the larger image will be shown. This can be achieved efficiently by storing two versions of the image - apple.png and apple-thumb.png, where apple-thumb.png is small. HTML needing the thumbnail version can link directly to it, avoiding downloading the full sized image.

As mentioned above, CSS will give us additional flexibility in sizing images - however the height and width attributes are still always recommended. One reason they are still relevant is page layout, while images are loading. By specifying image dimensions using the height and/or width attributes, a web browser can know the dimensions to reserve in the screen before it receives the image. This allows it to layout text assuming the image is placed on the page. When the image does arrive, text will not shift - as space will already have been reserved. The CSS we learn later will superseded the height and width attributes, but only after the image itself is loaded from the network.

Image Formats

One of the responses to the images above was as follows:

HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 67800

... binary data, 67KB of PNG formatted data...

What is this binary data though? The image format is identified in the Content-Type header - it is PNG - the Portable Network Graphic image format. It's a specific binary format for storing pixel data (red/green/blue color values). As a web developer, you don't need to know exactly how PNG files (or other image formats) are specified - but it does pay to have a bit of understanding of the differences. Several image formats are widely supported by most web browsers, and there are many many other image formats in use by various platforms and software.

RGB Files

Perhaps the simplest image format is RGB (also called RAW), which in it's most naive form is simply a sequence of red, green, blue color values - typically integers between 0-255 for each color component. Each pixel represented by three integers. Pixels are stored in the file in row or column order. It's quite straightforward to parse an RGB file - you simple read triples of integer bytes, and draw them to the screen.

An RGB file such as the one describe tends to be extremely large, and unnecessarily so for certain types of images. Imaging a 500x500 pixel image, where the vast majority of pixels (in fact, let's say all the pixels) are red. Red is written as 255, 0, 0 for an individual pixel. This means we'd store this red image as 500x500 = 250,000 triples (255,0,0) in a row. That's 750,000 integers.

A smarter way to store such an image would be to use simple run length encoding - where you specify the number of pixels in a row that will use the same color. In the same trivial example, we'd store the number 250000 (a quarter million pixels), followed by 255, 0, 0 (red). These 4 integers provide the same information as the 750,000 integers were prior.

This is an extraordinarily simplistic explanation of image compression, it should be of no surprise that for more complex images (that aren't all red, for example!), we need to be more clever in how we do our compression and encoding.

Lossless Compression w/ GIF, BMP and PNG Files

Another common method of compression is to take advantage of the fact that simple images tend to have a small subset of colors when compared to the full visible spectrum. There are several million distinct colors that you can represent with 8-bit red, green and blue pixel data (24-bit color). If you think about the typical company logo, there's probably no more than a dozen individual colors used.

Again, let's say we have a 500x500 pixel image, and it contains 24-bit color values. Thats 750,000 integers (250,000 pixels, three integers each). Instead, let's assume we scan the image and determine that only 8 distinct colors are actually used in the image. We can create a color table, with 8 entries, each entry corresponding to a 24-bit color. For each pixel in the image, instead of storing the full RGB value (three 8-bit integers), we instead store the index into the color table - which in this case is a 3 bit index - 000-111 in binary. Now, we still have 250,000 pixels, but instead of each pixel weighing in at 24-bits, each pixel occupies 3-bits. The beginning of the file would also need the color table itself, but this is a fairly insignificant amount of overhead (8 24-bit values). This is a gigantic difference - drastically reducing the overall image size!

The concept of color tables, or look up tables, are used by the BMP (Bitmap) file format and GIF (Graphics Interchange Format) in more sophisticated ways than explained above. Conceptually, they are similar, in that they are lossless. They also have similar performance profiles - in that they perform best when there are relatively few distinct colors that need to be encoded. As the number of distinct colors grows, the color table / look up tables get larger, which means the indexes into the tables take up more bits. Eventually, if there are enough distinct colors, the level of compression becomes poor enough that it's no longer worth the processing time!

PNG (Portable Network Graphics) is another lossless image format that retains all image data, making it ideal for high-quality images. It supports transparency, which allows parts of an image to be transparent, making it particularly well suited for logos, icons, and web graphics. PNG files generally provide better compression than GIF and BMP when compressing non-photorealistic images. For similar reasons as GIF and BMP however, PNG is not particularly good at compressing photorealistic images containing many thousands of distinct colors.

Of the three major lossless compression formats, PNG is the most widely used. It performs best over a wider range of images and is supported by all modern browsers.

JPEG Files

The JPEG (also sometimes written as JPG) image format, created by teh Joint Photographic Experts Group in 1992 specializes in compressing images that GIF and BMP perform poorer on - images with many distinct colors. The JPEG compression format differs from BMP and GIF in that is is lossy - meaning images that are scaled down / compressed from raw RGB do lose some detail when undergoing the transformation to JPEG. The compression scheme is complex, and involves averaging nearby pixels. The JPEG format is very widely supported, and is best used on photo-realistic images (rather than cartoons and logos, which tend to have a small number of distinct colors).

WebP Files

WebP is an image format developed by Google in 2010 as a modern alternative to traditional formats like JPEG, PNG, and GIF. The goal was to create a format that offers better compression, reducing image file sizes without sacrificing quality, to speed up web loading times, especially on mobile devices. WebP is designed to handle both lossy and lossless compression, combining the strengths of formats like JPEG (lossy) and PNG (lossless), while producing smaller file sizes. It also supports transparency (alpha channel), similar to PNG, and animation, similar to GIF, making it versatile for various web applications.

WebP is not as widely supported as some of the older formats, but at the time of this writing (2025), it is supported in all modern versions of Firefox, Chrome/Chromium/Edge and Safari.

Other Formats

There are dozens of other image formats. Some of which are used to preserve all information (loss-less compression), and others that include layering information. These formats are often associated with image processing software. Generally speaking, it's smart to avoid trying to serve these more exotic formats (ie .tiff files, .psd files), as most web browsers will fail to render images in these formats.

Remember though, you cannot change the image format just by writing a different MIME extension in your HTTP response, or by changing the filename from apple.jpg to apple.png! Files are encoded in a specific format, and if you want a different one, you must use image processing software to save a new version in the new format, and put that image on your web server!

Pro Tip💡 When in doubt, PNG tends to be the best choice. It's a good compromise as it performs well for simple files and complex realistic imagery. It doesn't lose too much detail when reducing pixel density, and is very widely supported.

Image formats are an interesting sub-topic in Computer Science, and are really part of the entire compression topic. As a web developer, you will encounter compression algorithms a lot, given the importance of reducing network traffic and improving page loading speed - however it's unlikely you will need to understand all the precise details of how they work. It's a good idea to understand tradeoffs - time spent encoding and decoding to various formats, along with expected compression ratios, so you can make informed decisions about which to use in different scenarios.

SVG Files

A side note for now on a completely different type of image format - Scalable Vector Graphics - SVG. SVG files are XML files that contain instructions for drawing arcs, lines, rectangles, etc. They are ideal for drawing schematics, logos, and many other types of digital pictures. They are small, since they are not holding pixel data. They are scalable, since the instructions for drawing shapes can scale up or down without losing precision. They aren't for photorealistic images, they are best for drawing.

You are encouraged to read more on SVG, they are an incredibly powerful tool in your toolbox as a web developer - and as a graphics designer - but they are outside the scope of what we are focusing on in this book.

Alternative text

The alt attribute, short for "alternative text," is used with the element in HTML to provide a textual description of an image. This description is essential for improving accessibility, user experience, and search engine optimization (SEO). For users who rely on screen readers (such as individuals with visual impairments), the alt text is read aloud, allowing them to understand the content and context of the image. If an image fails to load due to slow internet connection or a broken image link, the browser displays the alt text in place of the image. This ensures that users still get an idea of what the image represents even when it cannot be displayed. Search engines use alt text to understand the content of images, which improves a website's visibility in image search results. Providing descriptive and relevant alt text can improve the overall search ranking of a webpage.

<img src="apple.jpg" alt="A red apple">

The use of the alt attribute is always recommended.

Images as Links

While not particularly related to image formats and image sizes, it's common to be a bit confused by something we often see on web pages - clickable images. Many times you encounter a web page that has images that you can click on, that take you to a new page - thumbnails. Sometimes this is achieved using JavaScript, which we will start looking at soon - but most of the time it's just by wrapping an image in an standard a element.

You might recall, a is an inline element. Inline elements may only (technically) contain inline children. It just so happens that img is an inline element.

<p>
    <a href="/foo">Click me to go to a new page></a>
</p>
<p>
    <a href="/foo"> <img src="foo.png"/> </a>
</p>

The paragraphs in the HTML above contain two links. One is a text link, which would be rendered just like any other link. The other is an image. When the user hovers over the image with a mouse, they will see a hand cursor like they would when hovering over a text link. When the click the image, they will go to the /foo page, just like if they clicked the "Click me..." text in the link above.

Video and Audio

When we talked about browsers of the past at the beginning of the chapter, we discussed how the iPhone played a transformative role in web development by it's refusal to support Adobe Flash. Up until the late 2000's, Adobe Flash was the main method to do anything highly interactive, with complex animations, on the web. To be clear, Adobe Flash was a distinct language - it ran using a plugin that needed to be installed within the browser, and the plugin operated independently from the rest of the web browser.

In addition to animations, Flash was also used as the main method of playing video content within a web browser. This was largely because video formats were extremely poorly (if at all) supported by web browsers at the time. Video file formats utilize vastly more sophisticated encoding and decoding algorithms than image formats, and "codecs" (the code that did the encoding and decoding) were simply not integrated into web browsers. Compounding the problem was that at the time, video formats lacked uniform standards - it was simply very difficult to support video playback broadly. Adobe Flash's investment in video codecs and playback was one of several reasons it became so widely used through the 1990's and 2000's.

HTML 5, and a maturing digital video industry, along with the push towards browser-native (Flash-less) solutions driven by the iPhone put at end to this problem however. In HTML 5, two new multimedia elements were introduced - <audio> and <video>, which act as containers for playback of both types. These elements support a (small) set of standard video and audio encoding formats, and provide user controls for playback, pause, stop, rewind, seek, etc.

Let's first examine video, as it's a lot more common than just placing an audio element on your web page.

<body>
    <video src="video.mp4" type="video/mp4"/>
</body>

In it's simplest form, the video element resembles an image element, consisting of a src attribute which results in a new GET request being generated to fetch the video from the web server. It is common to also utilize the type attribute to identify the video encoding format used, so the browser can ensure it can support playback before issuing the request - since video files are so large.

The video element can be sized with height and width just like the image element, and can also be sized with CSS as we will see later.

Supported Formats

THe two main video encoding standards used are MP4 (MPEG-4) and WebM. Chrome, Firefox, Opera, Edge, and Safari in 2025 all support both formats. MP4 remains the most widely supported. These encoding schemes are proprietary, and web browsers must license them. An open source alternative - Ogg (Ogv) - also exists, while less commonly used. Ogg video files are supported by Firefox, Opera, and limited versions of Chrome.

Because video codecs have such a difficult history of support, the notion of allowing browsers to choose between file formats was built directly into the <video> element. If a web site wishes to support the largest variety of web browsers, videos can be encoded in all three formats (and thus stored as three separate files on the web server). The video element can make use of a child source element to list the video sources - and the browser will choose the one that it can best support, automatically. When using the source elements, you must omit the src attribute.

<body>
    <video>
        <source src="video.mp4" type="video/mp4">
        <source src="video.webm" type="video/webm">
        <source src="video.ogv" type="video/ogg">
        Your browser does not support the video tag.
    </video>
</body>

Note in the HTML above, we have also added text inside the video element. This text is ignored by any browser that can play video, but is displayed by browsers that do not support the video element (pre-HTML5).

User Controls

Unlike images, users generally need to interact with video. This includes pressing "Play", "Pause", "Stop" and seeking to different points of the video. In order to enable user controls within a video element, you can simply place the controls attribute - a boolean attribute in the video element. Boolean attributes have no = or value, their presence indicates "true", and absence indicates "false"

    <!-- Video element with controls for user -->
    <vide controls>
        <source src="video.mp4" type="video/mp4">
        <source src="video.webm" type="video/webm">
        <source src="video.ogv" type="video/ogg">
        Your browser does not support the video tag.
    </video>

There are a number of other options that you can enable on video elements. This includes loop, muted, poster, preload, and autoplay, among others. These attributes provide complete control over whether videos play automatically on page load, start out muted, continue to play over and over again, and whether or not the are pre-fetched from the server before the user clicks "Play". You can learn more about contolling how users interact with video here.

Audio

Videos contain audio, but sometime you just want to play a sound on a web page. This can be achieved with the more limited audio element:

<audio controls src="song.mp3"></audio>

The audio element supports many of the same elements as the video element - although the controls, for example, are more limited. The standard audio formats of mp3, wav, and ogg are supported across most browsers, with mp3 being the preferred.

Learn more about the audio element here.

JavaScript Kickstart

JavaScript

We are now going to a take a detour away from talking about web development and start looking at JavaScript as a fundamental programming language. We will examine the syntax, runtime, and design features of the language - just as you likely did when you learned your first programming languages - maybe Python, Java, or C++. We will cover the foundational aspects of programming in JavaScript without discussing how the language connects to web development specifically just yet - although we will start out with a brief history. Of course, JavaScript is inescapably linked to web development, but it's important to remember that it is actually just a general purpose programming language!

How we got here

JavaScript, often abbreviated as JS, has a rich and evolving history that began in the mid-1990s. It was created by Brendan Eich while working at Netscape Communications Corporation. In 1995, Eich was tasked with developing a lightweight scripting language to enable interactive web pages. The result was Mocha, which later became known as LiveScript. However, just before its official launch, Netscape rebranded it to JavaScript, partly as a marketing strategy to leverage the growing popularity of the Java programming language, even though the two languages are fundamentally different.

The first official release of JavaScript was in December 1995 with Netscape Navigator 3.0. This version introduced basic scripting capabilities, allowing developers to manipulate HTML elements and respond to user events. The language's initial focus was on client-side scripting, enabling dynamic content without the need for full-page reloads. The language's data was the website being rendered, and the code you wrote manipulated the structure (the HTML). In many ways, you can think of JavaScript originally as a programming language designed to allow you to modify HTML being rendered by the browser. As the web exploded, JavaScript quickly gained traction, becoming a standard component of web development.

In 1996, Microsoft introduced its own version of JavaScript, called JScript, which led to compatibility issues across different browsers. To address this, the European Computer Manufacturers Association (ECMA) standardized the language under the name ECMAScript in 1997. The first edition, ECMAScript 1 (ES1), laid the groundwork for a more uniform scripting environment across browsers, promoting greater interoperability.

Over the years, JavaScript evolved significantly. ECMAScript 3 (ES3), released in 1999, introduced crucial features such as regular expressions, try/catch error handling, and better string manipulation. However, after ES3, progress slowed down for several years, largely due to the dominance of Internet Explorer and a lack of focus on web standards. For a long period of time, JavaScript was plagued by the incompatibilities between various web browser's implementation of it's features. This was particularly problematic when working with more advanced aspects of web development, like AJAX.

In 2009, the release of ECMAScript 5 (ES5) marked a significant milestone, introducing features like strict mode and JSON support, further solidifying JavaScript’s capabilities. Then, in 2015, ECMAScript 6 (ES6), also known as ECMAScript 2015, was released, bringing major enhancements such as arrow functions, classes, and template literals. This version shifted JavaScript into a more modern programming language, enabling developers to write cleaner and more maintainable code. As we will discuss below, the advancements in the language itself occurred in tandem with significant advancements in the performance of JavaScript runtimes.

It's fair to say that from 2008-2015, there was a virtuous circle of improvements in the language, it's performance, and it's impact.

Node.js - JavaScript without the web browser

JavaScript evolved as a language strictly within the context of the web browser. The language did not have true I/O - for most of it's history JavaScript had no concept of writing to the console, writing to files, reading data from your hard drive, etc. This is for good reason of course, it was assumed that JavaScript code, by definition, was code running on the end users's computer, inside a browser, as a result of visiting a web page. No one wanted JavaScript to be able to interact with their machine - it was untrusted code downloaded from a web server!

All that changed in 2009. Before you get worried, it's not that the obvious security concerns about having a web page's JavaScript interact directly with your computer are now ignored, it's just that we no longer think of JavaScript code only within the context of a web browser.

Let's take a step back, and think about another general purpose language with a runtime system: Python. Python code is cross-platform. It's cross-platform because the code itself is not compiled before being distributed, it is distributed as regular Python code. In order to run a Python program, the end user must have the Python Intepreter installed on their computer. The interpreter comes in various versions, for most common operating systems. The interpreter is written in C++ and C, it reads Python code and performs the corresponding operations.

When the Python interpreter encounters a print statement in Python, the interpreter interacts with the operating system, using operating system APIs, in C, to perform the printing operation. In fact, the Python interpreter can expose C APIs for many operating system resources - the file system, the network interfaces (sockets), etc. This allows Python code to be general purpose - there are Python functions to interface with devices - and those functions are mapped to C APIs the underlying operating system provides.

What does this have to do with JavaScript? Well, Javascript is similarly cross-platform. The code is distributed to end users, and the code is run by an interpreter which is written in C/C++ (for the most part). The interpreter, prior to 2009, was generally assumed to be a web browser. The choice not to support interfaces to the operating system's APIs was just that - a choice.

Google Chrome and the V8 Engine

Web browsers aren't normally written as monoliths. Web browsers contain HTML parsing code, HTML/CSS rendering (drawing) code, user input and network code, and JavaScript execution code. All of these components can be fairly distinct. The part of Google Chrome (circa 2008) that was responsible for interpreting and executing JavaScript code was a C++ library called the V8 Engine. The V8 engine was different than the JavaScript execution libraries found (at the time) in Safari, Firefox, Internet Explorer, and others. It was blazingly fast. The reasons for this speed are a topic unto themselves, but the V8 library made several important advancements in JavaScript execution inspired from work done for other runtime systems (Java Virtual Machine, .NET CLR, etc), including Just-in-Time compilation.

The dramatic improvement in execution speed, coupled with the ubiquity of JavaScript developer skills due to the web, suddenly made JavaScript a more attractive language for people to write general programs - distinct from the web.

Node.js

In 2009, Ryan Dahl released the first version of Node.js. Node.js is the V8 Engine, but instead of embedding it within a web browser, it is embedded in a command line program called node, written in C++, that supports JavaScript interfaces to operating system APIs. That last part of the sentence is what is really important - when you run a Node.js interpreter, you are running a C++ program that can translation JavaScript code into operating system APIs allowing your JavaScript code to access things like the file system and network devices directly. These interfaces are exposed via Node.js specific includes (require) of specific libraries: fs, net, etc. These libraries are not part of standard JavaScript. They are not available within V8 engines hosted within web browses. They are hosted by Node.js. They are just as safe as code written in any other languages - and just as dangerous. Node.js programs are programs just like C++ programs, Java programs, .NET programs, and Python programs. They have the same capabilities, and the same abilities to access the host computer. They are not distributed via web browsers.

In the image above, observe the difference in the relationship to the V8 engine and the operating system. With Google Chrome, V8 executes within the browser process. The browser is a C++ program, contain several (many) parts. The browser may interact with the operating system, like any other C++ program - the browser certainly can access network devices, etc. The browser does not expose an interface to V8 that allows JavaScript to interact with the operating system, however. In the NodeJS diagram, we see C++ extensions within Node JS (a C++ program) that purposely expose interfaces to the operating system. This does allow JavaScript code to interact with devices and the file system. Node.js is not a web browser!

Pro Tip💡 It is so important that you understand the difference between JavaScript running in the browser, and JavaScript running in Node.js! JavaScript is a programming language - it can run in different places. JavaScript running in the browser runs on the end user's browser, and is 100% focused on manipulating the web page the browser has currently loaded. JavaScript running in Node.js is running on the machine your run the program on. You can write any program in JavaScript, and use Node.js to run it. It could be a web server. It could be a game. It could be accounting software. It's a general purpose language. For the remainder of this chapter, and for the next several chapters as well, we are only talking about Node.js - not code running in the user's web browser. Make sure you are crystal clear on this!

Running Node.js Programs

You will need to install the Node.js runtime on your computer. You can do so for any platform by visiting the main website for the system - https://nodejs.org. There are a few other ways to install Node.js, including using the NVM, which allows you to more easily manage multiple versions of Node.js on the same machine. While this is my recommended approach, it's not strictly necessary - you can use the standard install if you wish.

Once installed, you should be able to type the following on your command prompt (Windows) or terminal (MacOS, Linux):

node -v

The output should look something like this, although the version you've installed might be different.

v20.12.2

You will also need a code editor suitable for Node.js. You will want to stay within the same editor when working in HTML, CSS, later on too. Modern editors like Visual Studio Code, Sublime Text, Zed all have fantastic support for Node.js. If you are familiar with vim, emacs, Notepad++, they also support Node.js and JavaScript. More heavyweight IDEs can also work well (JetBrains WebStorm, Visual Studio), but are not necessary.

Pro Tip💡 As of this writing (2025), Node.js is pretty stable. Differences between versions do not tend to be major. In the past however, there were significant changes. If you have Node.js installed on your machine and the version is lower than v20, you are strongly encouraged to upgrade the installation. If your installation is v14 or below, you must upgrade, as important modern parts of the language itself (JavaScript) are either not supported.

Before we go further...

We are going to move quickly through JavaScript. There are links embedded in the following text to reference material, covering hundreds of functions and features of the language. The purpose of this chapter is not to be an exhaustive reference for JavaScript - the Mozilla Developer Network - MDN is perfect for that. The purpose of this chapter is to expose you to the language concepts so you can start working with it. Please use the MDN or another resource for reference, and use this chapter for insight!

JavaScript Syntax Basics

In a source code editor, create a new file called example.js. Make sure you note which directory you are creating the file in, you will need to use your command prompt/terminal to navigate to the directory and execute the program.

// Contents of example.js
const x = 5;
const y = 4;
console.log(x + y);

Within your terminal, navigate to the directory. If you type ls . or dir (Windows), you should see the file listed in the current working directory.

Execute the program:

node example.js

You'll see the result - 9.

Let's compare this to the same C++ program, just to note the obvious differences.

#include <iostream>
using namespace std;

int main() {
    int x = 5;
    int y = 4;
    cout << x + y << endl;
}

Without looking at the code, certainly the biggest difference is that in order to run the C++ version you need to compile it - transforming it into executable code. Unlike scripting languages (Python, JavaScript, Ruby), C++ must be converted into a binary format as a separate step. C++ binary is native binary - native to your operating system and actual computer architecture (the type of processor - x86, ARM, Silicon, etc). This binary cannot be run on different platforms. Java and .NET occupy a space in between scripting languages and compiled languages - their source code is compiled into generic byte code that can be distributed. The byte code can be run by the end user's runtime (Java Virtual Machine, .NET CLR), and that byte code can be very quickly translated to machine-specific binary code.

Modern scripting languages actually have begun to blur the lines between interpreters and runtimes like the JVM and .NET CLR however. These days, while a scripting language like JavaScript is loaded as straight source code into the interpreter - the interpreter (or more commonly referred to now as the runtime engine) does actually pre-compile portions of the code on the fly. This was part of V8's innovation - the JavaScript engine for Node.js. This concept has been adopted by nearly every major web browser.

Taking a look at the code, we see a few more key differences:

1. In JavaScript, variable declarations use a generic keyword (in the case, const). We don't specify the type. More on this later.
2. In JavaScript, there is no need for a main entry point function. Code written outside of functions is executed automatically - top down.
3. While there will be include-like statements (require), we don't need to include anything special to print to the screen (console.log).

Language Building Blocks

Let' touch on some of the core basics of the JavaScript language. First, note that the language is inspired by the C, C++, Java family of languages. It uses { and } to delimit things like loops, conditionals, functions, and general scopes. It uses white space the same way (whitespace doesn't matter much), has similar comments (// and /* - */). The same rules apply to identifiers - things like variable and function names are case sensitive, they cannot contain spaces or start with numbers. JavaScript is a bit more liberal with identifier names - for example, you can have a variable named _ or $, where in C++ this is generally frowned upon (and not part of the actual standard). The bottom line is that many of the natural conventions that you may already be familiar with from C, C++, Java, or C# are going to apply to JavaScript. This is in contrast to Python and Ruby, which have quite different syntax.

JavaScript contains many keywords, or reserved words, just like other languages you know. This includes keywords that are used in control flow - if, else, switch, case, while, for. Also included are keywords that declare data and structures like var, let, const, function, class. In contrast data types are not generally reserved words. For example, while JavaScript absolutely differentiates between numbers, strings, and objects - number, string, object are not keywords.

There are other words that have special meaning within the execution environment, but are not reserved words themselves. Things like console, window, document, alert, require are all built in functions and objects within execution environments. In Node.js, console is a built in object that lets you interact with the terminal. In browsers, console serves a similar purpose, but it lets you print to the web development tools. In Node.js, require allows you to import modules (built in, like fs, net or your own) - while in a web browser require is not supported at all. Web browsers support window and document to allow access to the rendered content (HTML), and alert to interact with the user. All of this is to say, there are words with special meaning in JavaScript programs, but they aren't keywords. They are a bit ambiguous, because their presence depend on the execution environment itself. They are objects in the global scope, added to you program when it starts. We'll cover the concept of the global scope in more depth a bit later.

Pro Tip💡 In JavaScript, individual statements on a single line do not require a semicolon.

const a = 5  // ok, no need for semicolons...
const b = 6;

I like to explain to students that, yes, semicolons are optional. They are optional in the same way that wearing shoes is not required when walking through a major city. Is it illegal to walk through New York City barefoot? No. Is it smart? Also no. Most likely you will step on something sharp and injure yourself, or step on something gross and regret your decision. You will also look foolish.

There are many reasons leaving ; off can backfire, and come back to bite you. They are optional because JavaScript was initially designed with amateur novice programmers in mind - and the thought at the time was that learning to always include the ; might be too much for them, and lead to a lack of adoption. This was probably wrongheaded on it's face (the semicolon isn't really the hard part of programming), but it's certainly a concept that the industry has moved away from. If you intend to be a respected developer, don't write JavaScript without semicolons.

Data types

When we create a variable in C, C++, or Java, we specify it's data type directly:

int x = 5;
double y = 4.5;
string s = "Hello";

Why is it that we need to do this? While there are many ways to answer that question, at the core it's because in these languages variables are allocations of memory. When we declare x, we are not just saying "x is an integer", we are actually invoking code that allocates the right amount of space in memory, at a particular location, to store integers. This might not be the same amount of bytes as we would need for a float or double. The layout of the binary data is also very different - the same binary string of 8 bytes (32 bits) is decoded completely differently depending on whether or not it is an integer or floating point value! The point here is that a variable, in compiled languages, usually represents a container within memory, with a specific size and format. Variables are named locations in memory that we can put things into.

In JavaScript, we have a more decoupled model. In JavaScript, variables are names, but they don't map directly to memory, they point to memory. They are a lot like pointers in other languages.

Let's be more precise. In C++, if we have an integer (int x), we cannot set x to "hello":

// C++
int x = 5;
x = "hello";  // No!

This is because x is a 4 byte slot in memory laid out to encode/decode binary numbers as 2's compliment integers. It doesn't store arbitrary length ASCII codes!

In JavaScript, this is fine:

// JavaScript
let x = 5;
x = "hello";  // Cool

The key difference is that in JavaScript, x is not a storage cell. It's not memory. It's just a label. The value of 5 is placed in a storage cell, and that storage cell is exclusively for numbers, but x is not forever tied to the storage cell 5 is in, it can be changed. By setting x equal to "hello", we are creating a new storage cell to store ASCII codes - "hello", and we are remapping x to point to that new storage cell.

A picture is helpful:

Note that the storage cell that contained 5 is now eligible for garbage collection, and all JavaScript execution runtimes support garbage collection.

There are some interesting implications to the memory model. Imagine the following code:

// JavaScript
let x = 5;
let y = 5;
let z = x;

// Diagram 1:  One storage Cell

y = 10;
// Diagram 2:  Two storage cells

z += 7;
// Diagram 3:  Three storage cells

z += 3;
// Diagram 4:  Back to two storage cells!

This is fundamentally different than C++, were we begin with 3 integer allocations, and the memory footprint never changes. The JavaScript design is inherently more complex - and it's not as efficient from a pure execution perspective. It may be more efficient in memory usage, depending on the circumstance.

More importantly however, these examples are about clarifying how memory works in JavaScript and how it relates to data types. In JavaScript, the type is connected to the storage cell (where the values are actually stored). Storage cells are immutable, their contents will not change once they are created. Variable names are mapped to storage cells - but that mapping is fluid. Thus, the data type that a variable is mapped to is fluid. This is why we do not declare data types at all - data types are inferred by the literal value written - 5 is an integer, 5.5 is a floating point number, "hello" is a string, etc.

There are many benefits of this approach, but it is not without it's problems. It's harder to work with variables when you don't know what data type the hold, for example. In JavaScript code, developers must take extra care to be aware that variables in their code can have unexpected data types if they are poorly written. This is the cost of loosely typed languages - there are more ways for you to write incorrect code!

Now let's look a little deeper into the data types used by JavaScript. There are two kinds of types in JavaScript - primitives and objects.

• Primitives are numbers, strings, booleans, null and undefined. They are simple types.
• Objects are collections of name/value pairs, they are anything with properties. Objects include arrays, and even functions - we'll talk more about these later on.

Numbers

With some caveats (see below), JavaScript takes a very simplistic approach towards numbers. Numbers are just numbers - there is no distinction between integers and floating point numbers. There is no distinction between signed and unsigned numbers. There are no categorizations of magnitudes. Every number in JavaScript is a 64-bit floating point number - whether you intend to store any number in it, or you are sure you are only going to store the numbers 0, 1, or 2 in it! There are no int, short, long, float, double - only "number". The maximum absolute value of all JavaScript numbers is around +/- 1.8 x 10³⁰⁸ and the minimum absolute value is about +/- 5 x 10^-324.

Pro Tip💡 There are costs to this approach, however when we outline these rules keep in mind that this is the specification of the language itself - not necessarily how the JavaScript engine actually implements things. If that sentence scares you, keep in mind that this is very similar to how compilers work - compilers make optimizations all the time! They rewrite your code! JavaScript engines are permitted to make optimizations (including storing your numbers in smaller storage cells than would would be required for a 64-bit number) as long as your code behaves as if it is a 64-bit number! Dive into the source code of V8 to start appreciating just how much optimization is possible. Don't dismiss JavaScript's performance ;)

The syntax of using numbers, along with the operators (+, -, *, /, %) all basically work as you'd normally expect.

There are special numbers that can be written anywhere a normal number can be written. These include Infinity and -Infinity. These values are numbers, allowing JavaScript to represent a closed set of all mathematical concepts - unlike compiled languages which do not generally have the ability to represent negative or positive infinity.

const x = Infinity;
const y = 5;
const z = -Infinity;

console.log(y < 5); // Prints true
console.log(x == Infinity); // Prints true
console.log(x / z); // Prints -1
console.log(Infinity == 5/0); // Prints true!

Furthermore, JavaScript also takes an interesting approach towards representing values that cannot be represented. We know that mathematically, 5/0 is Infinity, but 0/0 is not defined. It's simply "not a thing" in mathematics. In JavaScript, 0/0 results in NaN - literally Not a Number. NaN is different than Infinity and -Infinity in that it cannot play nice with any mathematical operation. 5 + Infinity is Infinity because that's how the infinite works, but unlike Infinity/Infinity, which is 1 - anything involving NaN is NaN.

console.log(NaN/NaN); // Prints NaN

In fact, you can't even compare something with NaN to see if it's NaN, because anything compared with NaN (including NaN) is false.

console.log(NaN == NaN);// FALSE

Why would you get a value of NaN in the first place, other than taking 0/0 which seems contrived? Well, what happens if you want to parse user input - let's say a string.

const input = "4.6"; // pretend this came from a user
const x = parseFloat(input);
console.log(x+1) ; // Prints 5.6

THe parseFloat function parses a string and returns a number based on the input. What happens if the string given to parseFloat is

JavaScript also includes an object Number which has several convenience functions and constants attached to it. One of these is the helpful isNaN that takes care of the logical gap you might have noticed when you learned that NaN == NaN is false above!

console.log(Number.isNaN(0/0)); // True

Number is the object version of a number. You can create instances of a number using a constructor (we'll learn more when we cover objects and classes). This is rarely done in practice, but it can be a nice way to perform type conversions. The Number class has static methods (like isNaN), and also some constants that are useful. Number.MAX_SAFE_INTEGER and Number.MIN_SAFE_INTEGER are useful for testing limits (although remember that -Infinity and Infinity exist too).

There is also a Math object, which is really closer to a library. It has customary mathematical functions - trigonometry functions, geometric constants (π).

• Number class reference (Mozilla Developer Network)
• Math library references (Mozilla Developer Network)

Strings

In JavaScript, strings are just strings. They aren't arrays of characters (as C, C++, JavaScript, and C# think of them). They are first-class data types.

Strings are immutable, meaning appending strings creates new strings. You cannot change individual characters of strings - manipulating them on a character-by-character basis is possible using function calls, but each time you modify a string you create a new string. This can have significant performance implications when taken to the extreme.

Strings can be delimited by either " or ' but you can't mix and match:

const s1 = "This is ok";
const s2 = 'This is ok';
const s3 = "This is not';  // No good

Strings can be compared and concatenated:

console.log(s1 == s2); // Prints true
console.log(s3 > s2); // Prints true because s3 is alphabetically before s2

console.log(s1 + " - and so is this!"); 
// Prints "This is ok - and so is this! 

A more recent addition to JavaScript, string template literals allow for easier combination of literal text with variables:

const x = 5;
const y = 7;
const z = x + y;

// Prints "The sum of 5 and 7 is 12"
console.log( `The sum of ${x} and ${y} is ${z}`);

String template literals allow for the placement of variables within ${ and }. Template literals must be delimited by back tick characters, not single or double quotes. They are the preferred approach to do most printing.

Just like number primitives have a corresponding Number class, which supports member and static methods - there exists a String class. JavaScript is particularly adept at string manipulation, and the String class is full of useful methods for working with them. Whenever you have a primitive string, you can use the . operator to access methods, which automatically invokes autoboxing to promote the primitive to an object (see below).

• String class reference - Mozilla Developer Network

Booleans

Booleans are first class data types in JavaScript, with literal values written as true and false. There is a corresponding Boolean class as well, with some useful features.

• Boolean class reference- Mozilla Developer Network

Booleans are quite useful on their own, and are used for branching and conditional looping. There aren't a lot of surprises here, booleans work the same as they do in most other programming languages. Since conditionals use boolean expressions however, how different data types are converted to boolean conditions is an important concept - and is covered below when we discuss "Type Coercion".

Null and Undefined

In many languages, null, or NULL, or nullptr are used to mark a variable (usually a pointer) as "not currently pointing to anything". In most languages, null actually is just a placeholder for the actual number 0. In JavaScript, null is a bit more of a first-class citizen. null is a data type unto itself, with only one value - null. This sounds a little odd, but it actually does make some sense. null is not a string, it's not a number, it's not a boolean - it's a completely different concepts. It represents the absence of a value. To declare a variable and set it's value to null is to specifically say the variable has no value associated with it.

const x = null;

null does not represent an error, or an unexpected situation - it represents specifically not having a value.

JavaScript has another data type that is similar to null, but not exactly the same - undefined. The language is somewhat unique in it's differentiation between two concepts:

1. Absence of data (null)
2. Unknown data / state (undefined)

In JavaScript, if you have a variable that has not been given a value, it's value is undefined. If you have a variable that you want to explicitly set to "no data", you set it to null. In JavaScript, null means the variable or things you are referring to exists, and is in the known state of having no data. If you refer to something that does not have a known state, or does not exist, it's value is undefined.

We will be talking more about objects a little later, but let's look at where this difference might be more visible:

const x = 5;
const y = null;
const z = undefined;
const obj = {
    a: 1, 
    b: 3,
    d: null
};

In the code snippet above, we create 4 variables - x, y, and z are regular variables, and obj is an object with three properties - a, b, and d.

The values of x, y, and z are clear - they are 5, null, undefined respectively. It might not be obvious why someone would choose null or undefined, and in practice they are sometime used (incorrectly) interchangeably. The code is conveying the fact that y's value is known to be "nothing", while z's value is unspecified. It's an academic difference, but if used incorrectly can bite you.

The value of obj.d is null. The property d exists in the object, but it's value is absent. What about obj.c? The value of the c property in obj is undefined - as there is no property called c. Note that this is something unusual about objects, and JavaScript. Referencing obj.c is not a syntax error and not a runtime error, the value of any missing property within an object is undefined. Note, this is very different than trying to use the . operator on an undefined value. Referencing a first-class variable that does not exist is a runtime error.

const x = 5;
const y = null;
const z = undefined;
const obj = {
    a: 1, 
    b: 3,
    d: null
}

console.log(obj.c); // Prints undefined - there is no c property
console.log(obj2.a); // Program crashes, runtime error. obj2 is not defined
console.log(w);  // Program crashes, runtime error.  w is not defined

It's wise to think about the differences between null and undefined carefully. The concepts are subtle, but meaningful. Using them appropriately can improve the quality and readability of your code.

Promotion / Auto-boxing

Whenever a student learns the list of primitives, they eventually encounter some of the functions often associated with them. For example:

const x = 5.829543;
const y = x.toFixed(2);
console.log(y); // Prints 5.83

If you are familiar with the concept of primitives from languages like C++ and Java, you may be wondering - how can we use the . operator on a primitive! JavaScript uses automatic promotion to objects whenever it needs to - that's how! By using the . operator and calling a function, you are implicitly asking JavaScript to create a corresponding object, with appropriate properties to hold both the value, and the methods associated with the type's corresponding object type. There are object types (in addition to Array, function) for each primitive - Number, String, Boolean, etc.

Type Coercion

JavaScript data types have well defined, if not always intuitive, ways of working with all operators. Let's look at a simple example using the + sign:

console.log(5 + "hello");
// Prints 5hello

The example below employs type coercion. The + operator is defined for adding together two numbers, and also for concatenating two strings. It is not defined for adding a number to a string, or a string to a number. In order to evaluate the result of 5 + "hello", JavaScript must cast/convert one of the operands into a "like" data type. It seems obvious, the 5 is converted to a string "5", and then the string "5" is concatenated with "hello" to yield "5hello".

Where things can potentially become confusing is when examining the following:

console.log(5 + "6");
// Prints 56

Why doesn't JavaScript convert the "6" into a 6 and perform the arithmetic? The answer is simple - not all strings can be converted to numbers, but all numbers can be converted to strings. Thus, whenever performing a + operation, which is supported by both number and string, we will always get the result of the string operation.

But, what about the following?

console.log(5 * "6");
// Prints 30

This is where people coming from other language start to look at JavaScript a little suspiciously. The 6 is converted into a number, and the arithmetic is performed! Why? It's actually following the same logic as above, however the * operator is only supported by numbers. The * operator is not defined as string. JavaScript has no choice but to attempt to convert the "6" to a 6, in an attempt to resolve the expression.

console.log(5 * "hello");
// Prints NaN

Following the same logic, JavaScript attempts to convert both sides of the * operator to numbers. "hello" cannot be parsed to a number, so it yields NaN, and then 5 + NaN yields NaN.

The above is only a glimpse of how coercion behaves in JavaScript. Let's take a look in more detail. We will cover this in multiple phases.

Concept 1: Coercion only applied to primitive types

Objects (objects, arrays, functions, etc) are never coerced in order to evaluate the results of an operator.

• For the == and != operators, if both sides are objects, then objects are considered equal only if they are pointing to the same location in memory.
• For any other operators that can only work on primitives - which include arithmetic, comparison, and logical operators, objects are first turned into primitives - and then those primitives can be coerced, if necessary, to evaluate the operator. For == and !=, if one side is a primitive and the other an object, then the object is converted ot a primitive.

Concept 2: Objects are turned into primitives in a pretty simple way

To convert any object (obj) into a primitive, JavaScript first checks if there is a valid valueOf method on the object. If so, it calls it. If that function returns a primitive, then it's done. Examples of objects that have a valueOf function are the object varieties of primitives - Number, String, Boolean.

If there is no valueOf, or if valueOf doesn't return a primitive, then JavaScript tries to call toString on the object. Most objects have a toString function, but they are often unimpressive.

Most generic objects will return "[object ObjectName]" as the string representation - where ObjectName is Object or some specialization.

• Function objects can return a shortened function name and some representation of text, rarely useful for anything beyond some simple debugging.
• The Date object will return a formatted date string (pretty nice!)
• The Array object will actually return a string representation of the content. So, for the array [1, 2, 3], the toString function actually returns "1, 2, 3".
• However (and this is REALLY important!!!), empty arrays, or arrays with a single null value in them, will return and empty string. So, the array [null] or [ ], if converted to a string with the toString function, returns an empty string "". This is a quirk, and is critical to understanding several oddities later on.

If, in the unlikely event that there is no toString function, or the toString function returns a non-primitive (really bad idea), then an exception is thrown. This is undefined behavior.

Concept 3: Coercion targets are defined by the operator

Note, in the following discussion, we are assuming if either operand was an object, it has already

• For the == and != operators, if both operands are the same type, then no coercion occurs - they are compared by examining the location in memory they point to.
• Otherwise, for == and !=, if either operand is a number or a boolean, the operands are converted to numbers if possible; otherwise if either operand is a string, the string operand is converted to a number if possible. If one of the operands is an object, then both operands will be converted to a string.
• For the + operator, if either side is a string, the other side is always coerced to a string. This is why 5 + "5" is "55".
• For the + operator, if neither side is a string, then both sides must be coerced into numbers, and arithmetic is applied.
• For the other arithmetic operators (-, *, /, %), both sides must be coerced into numbers, and the arithmetic is applied.
• For expressions that require booleans (if and else if clauses, or the use of the ! operator), the expression must result in a boolean value

Concept 4: Once you know what you want, there are specific conversions

Once you know what you need to convert to, you can follow straightforward rules for understanding how that will occur:

• Converting anything to a boolean:
  • null and undefined are false
  • 0 or -0 are false
  • "" - the empty string, with 0 characters - is false.
  • everything else is true.
    • A non-zero length string with only whitespace is true
    • The string "0" is true
    • An empty object {} is true
    • An empty array [] is true (this one is quite a gotcha, given how the empty array is converted to an empty string by .toString)
• Converting a number to a string:
  • Uses the Number.toString method, will always work trivially
• Converting a string to a number:
  • Uses parseFloat to convert to a number
  • An empty string results in 0
  • A non-number results in NaN
• Converting a boolean to a number:
  • true is 1
  • false is 0
• null to a number results in 0
• undefined to a number results in NaN
• null to a string results in the string "null" (which, if then is converted to a boolean, is true!)
• undefined to a string results in the string "undefined" (which is a non-zero length string as well)

That probably seems a little complicated. Once again - rather than reading a bunch of rules, EXPERIMENT! Fire up a code editor, and try some things. Here's some examples using the assert library. Calling the assert function with anything that resolved to false throws an exception. The following code throws no such exception - every assert expression is actually true.

const assert = require('assert');


// One of the operands is a number, so 
// the other is converted to a number if 
// possible.  It is possible, so 5 == 5
assert(5 == "5");

// The rules of + are different than =
// While = tries to convert one operand
// to number if the other operand is a number, 
// the + operator does not.  It converts
// one operand to string if the other is a
// string.
assert((5 + "5") == "55");

// One of the operands is a number, 
// but converting to a number fails
// The 5 is turned into a string, 
// and clearly that's not the same as
// "hello"
assert(5 != "hello");

// One of the operands is a number, 
// and "0" can be converted to a number, 
// so we get 0 == 0 which is true
assert(0 == "0");

// This one is tricky.  One is a number, 
// so we try to convert the empty string
// into a number.  parseFloat("") results 
// NaN, however the conversion rules also
// state specifically that the empty string
// converts to 0 when coerced to a number. 
// Therefore, the conversion works, and 
// we are back to comparing 0 == 0!
assert(0 == "");


// This is false because they are both
// objects.  Objects are only equal if 
// they point to the same location in memory
assert({} != []);

// The empty string is turned into 
// a string - which results in an empty string 
assert("" == []);


// The - operator forces both sides
// to be a number.  The boolean true
// converts to 1, and 1-2 is negative 1`
assert( (true - 2) == -1);

You are strongly encouraged to try to do some weird stuff with coercion, in your own code editor. You might encounter things that you cannot believe - you might think they are bugs in the language. They are not, the language is indeed well defined, and the code will follow the rules outlined above. It just takes some time - but things will sink in if you experiment yourself!

More on Equality: == vs ===

Testing to see if two values are equal is a tricky subject in JavaScript. This because JavaScript employs the type coercion rules defined above to the == and != operators. The way these coercion rules get applied are the source of an unfortunate number of bugs. As the section above makes clear - the rules are a lot to remember.

Sometimes, we really just want to know if two things are exactly the same. We want to know if x and y are the same type, and the same value - without all the type coercion. JavaScript allows for this using the === and !== operators - strict comparison.

console.log(5 == "5"); // True
console.log(5 === "5"); // False

The strict equality operator is the PREFERRED approach of most programmers. If you've coded in JavaScript for long enough, you've learned that no matter how well you know the coercion rules, you will eventually get bitten by it. The use of the == and != backfires, resulting in unwanted confusion and mysterious bugs in your code that are very hard to debug. It's somewhat unfortunate that the easiest thing to write - == - is the most dangerous, and the harder things to write - === is the preferred. It's a historical accident. Originally, when JavaScript was being developed for small little programs running on a web page, the easy going nature of =='s type coercion was a nice gift to novice programmers. JavaScript "programs" were a few dozen lines of code. Debugging wasn't a big issue. As JavaScript grew up, it became more useful - and thus larger programs. Larger programs means professional programmers, who know how to use type coercion when they want it, and also know it's better to use === all the time by default!

Moral of the story: Use === and !== all the time, unless you are specifically looking for type coercion. When looking for type coercion, be careful.

Preview of the other types

In the next sections we will cover Object, Array, Function along with classes. There are several other newer data types that are worth mentioning here. They have been added to JavaScript largely to support the general purpose nature that the language has taken on. They don't come up in most cases when doing traditional web development, but every once and a while you might encounter them.

• symbol - The symbol data type isn't something you would often used. It allows you to create unique primitive values that occupy different memory locations, where primitives with the same value specifically occupy the same memory location in JavaScript. For example, "hello" === "hello" is always true. Symbol("hello") === Symbol("hello") is false, each symbol that is constructed is unique, regardless of the actual value stored at the storage cell. There are situations where this concept can be helpful, and the symbol type can be an elegant solution, but it's exceedingly rare. Don't use the symbol type unless you are absolutely sure it is the only way to accomplish what you are doing.
• bigint - This is a new numeric primitive that represents large integers - larger (potentially) than Number.MAX_SAFE_INTEGER. Since numbers are always represented as floating point values - even if they are whole numbers, extra bits are used to facilitate the floating point book keeping. When you know you only want to store whole numbers, you can store larger ranges of numbers if the encoding is using simple binary (ie 2's compliment) rather than floating point - and that's what this data type provides for you.

There are additional objects that are specializations of Object that we will be seeing throughout this book. These include Date, Map, and Set. These are essential data structures, and as a web developer you are very likely to use them frequently. We'll introduce them in the next few sections. There are other object specialization that are less frequently used in routine web development. These include things like ArrayBuffer, BigInt64Array, Float32Array, SharedArrayBuffer, and a host of other specialized arrays and memory buffers. All of these are for more efficient storage numeric data (as we will see, JavaScript arrays aren't all that memory-efficient). They have been added to JavaScript to support use cases that were not originally contemplated in the mid-1990's - things like WebGL! We won't talk too much about them in this book.

There is more information on JavaScript types, along with type coercion, on the Mozilla Developer Network's Data Structures page.

Variables and Scope

In the last section, we reviewed the different data types that JavaScript supports. There were probably some surprises for you, if you are coming from other programming languages. In this section, we examine variable scope, and there are likely to be some more surprises for you.

Hold on tight, some of this is why JavaScript got a bad reputation. The good news is that modern JavaScript doesn't force you to use the confusing parts that we'll discuss over the next couple of examples!

Global Scope, Function Scope, and Block Scope

Before looking at keywords and syntax - some review of what the word scope means. A variable's scope is the area of the code (and the lifetime) in which the variable is accessible and valid for.

Let's look at some sample code written in a C-like programming language:

// Global scope, this value is available
// in each function (main, foo, bar).
int x = 5; 

void bar() {
    // Here's a problem with global variables.
    // x defined here is a NEW variable.  It only
    // exists inside the bar function.
    // The x created in the global scope still
    // exists when the program is within the bar function, 
    // but it is entirely inaccessible to the bar function, 
    // because it's own function scoped variable has
    // "hidden" it from being accessible via naming conflict
    int x = 10;
}

void foo() {
    // Note that Y is scoped within
    // the function foo, and is only
    // available within foo.  It does
    // NOT clash with the y in main, and
    // is completely distinct from the
    // y in main!
    int y = 15;

    bar();
}

int main() {
    // y is accessible only within main, 
    // not inside foo or bar
    int y = 0;

    if (y < 1) {
        // z is available only within the
        // if condition.  It is BLOCK
        // scope.
        int z = 10;
        foo();
    }

}

The code above is silly - but let's just focus on the variables. We see that x is declared in the global scope. Global scope means that the variable is accessible anywhere in the program. In most C-like languages, the global scope is frowned upon. Global variables are discouraged for two main reasons - they make code harder to read and maintain, and also because global variables can be obscured by local variable declarations - as is happening in the bar function above.

We also have two other scopes - variables scoped to the function and to a block. Most C-style languages (C, C++, C#, Java) actually just have block scope, and consider a function a block. Variables are available within the block they are defined. Inside main above, y is available anywhere in the function, and z is only available inside the if block it is declared in. Both variables are block scoped, it's just that one block is a function, and the other is a control structure. Scope blocks in C-style languages are delimited by { and } - in fact, technically they are actual called scoping operators.

In JavaScript, we actually distinguish between function scoping and block scoping. It is possible to defined variables at the global scope, at a function scope, or at a block scope. Let see how.

Declaring Variables (the older way)

In the original versions of JavaScript, there was only one keyword used to create variables - var. In these early versions of JavaScript, there were only two kinds of scope, global and function scope. There was no notion of block scope.

var x = 5;

function example () {
    var y = Math.random();
    if (y < 0.5) {
        var z = 10;

    }
    console.log(x, y, z);
}

example();

In the snipped above, x is in the global scope. It is accessible with the example function. y is function scoped, it is only available within example. The curveball is that z is also function scoped. It is not only available inside the if block it was written in, it is also available outside - for the console.log statement.

The var keyword creates a variable at the function scope. The runtime actually scans the function before executing it, locates each var declaration, and creates variables for them. Only then is the function executed.

So, what happens when the above code is run? Math.random() returns a random floating point number between 0 and 1, so there is a 50/50 chance y will be less than 0.5.

• If y is less than 0.5
  • before executing example, the z variable is created. It's value is undefined
  • The if condition is true, so the line of code var z = 10 is executed. The var keyword is meaningless at this point, as z is already created. So, it is effectively just z = 10.
  • When the program reaches the console.log statement, it will print x (5), y (some value less than 0.5), and z - which is 10.
• If y is greater than or equal to 0.5
  • before executing example, the z variable is created. It's value is undefined
  • The if condition is false, so the branch is skipped.
  • The console.log line executes, and prints x (5), y (some value greater than or equal to 0.5), and z - which is undefined.

Notice why undefined is helpful in this code. undefined means the value wasn't set. This is very different than null, meaning the value was intentionally set to nothing. Imagine if the var z = 10; line was actually var z = null;. Checking to see if z is null or undefined would in fact tell you if the if condition branch was taken.

Be careful with function scoped variables - as the code is easily confusing. While the variable z is defined regardless of whether or not the if condition was taken, the initialization = 10 is only executed if the the if condition was taken!

If this sounds confusing to you, you are certainly not alone. Function scoping is not common in programming languages. There are some valid reasons why you might want it, but it's obscure. It's sort of novice-friendly, which could be one reason it was favored - but generally it's not something most programmers enjoy dealing with.

Things get a bit worse though. Consider the following code:

var x = 5;

function example () {
    var y = Math.random();
    if (y < 0.5) {
        z = 10; // Note the absence of the var keyword

    }
    console.log(x, y, z);
}

example();

This code is a disaster. In JavaScript, assignment automatically creates a global variable, in the absence of a declaration keyword like var (or others, see below). However, the variable is only created if that line of code is executed. This is fundamentally different than when using the var keyword - where the runtime scans the entire function first before executing, and creates the variables.

• If y is less than 0.5
  • The if condition is true, so the line of code z = 10 is executed. z is created in the global scope, not the function scope. This is incredibly problematic, since now all functions have access to this variable we've created inside example! The value is 10
  • When the program reaches the console.log statement, it will print x (5), y (some value less than 0.5), and z - which is 10.
• If y is greater than or equal to 0.5
  • The if condition is false, so the branch is skipped. Importantly, z is never created.
  • The console.log line executes, and crashes. z is not undefined, z is not a variable at all. undefined means the value is not defined - but trying to reference a first class variable that never got created is a runtime error.

Notice the inconsistency: If you assign a variable without ever declaring it, the variable is created in the global scope. If you read a variable without ever declaring it, it's a runtime error. If you are worried, take that as a good sign!

x = 5; // creates a variable in global scope
var y = 10; // creates a variable in global scope
var w = z;  // Crashes, reading from z, which was never declared

function example() {
    var a;
    if (false) {
        var b = 10;
    } else {
        c = 20;
    }
    // Prints undefined for a, since we didn't give it a value
    // Prints undefined for b, since it was function scoped, but the 
    // line of code that set its value to 10 was never executed
    // Prints 20 for c, which is created in the global scope
    console.log(a, b, c);
}

// console.log(c) --- would crash, because c hasn't been created
// yet, it will get created when we execute example
example();
console.log(c); // Works, prints 20!

So, why does JavaScript work this way? There are lots of explanations, but perhaps the best is this: JavaScript was developed for non-programmers to write small snippets of code to do relatively unimportant things on web pages. If you think about things from that perspective, some of the insanity of what was just described above may start to makes sense. Novice programmers don't write a lot of functions in the first place, and certainly not when writing just a small amount of code. It makes sense to assume they might forget to use the var keyword, so automatically creating the variable seems reasonable if they are assigning a value to it. If the novice programmer tries to read a variable that they never defined, thats obviously an error, and it's a good idea to crash. This design is essentially an overly forgiving way of handling declaration errors.

The problem is that the web grew up. We write large amounts of JavaScript to run in web browsers, and frankly most of it is written by professionals. We also write other programs in JavaScript, that aren't associated with web browsers. Finally, JavaScript both within and outside of web browsers is actually used to perform really important things. JavaScript isn't just for a fancy animation - it drives the core functionality of some websites entirely.

When a programming language grows up, professional software developers want more. Professional software developers understand that syntax errors are just that - errors. They don't want the language to accommodate them, they want the program to crash when the syntax isn't correct! This way, they can detect the mistake and correct it. Professional software developers want less ambiguity, and easier to maintain code.

Declaring Variables (the modern way)

In 2015, a long awaited revision to the JavaScript language was released. ES6 (Recall, the official name for JavaScript is actually EMCAScript) introduced many critical and impactful updates the JavaScript language that brought it in line with modern professional languages. One of the most important additions was the introduction of two new keywords that permitted developers to create block scoped variables - let and const.

The const keyword creates a blocked scoped variable whose value cannot change after it's creation.

// Global scope, cannot change.
// Can be used inside any other function.
const x = 5;

function example() {
    // Y is scoped to function, can be used
    // anywhere in example, but not outside
    const y = 10;
    if (Math.random() < 0.5) {
        // Z is scoped to the if branch, cannot
        // be used outside
        const z = 20;

        // Note, this would throw an error, because
        // y is const
        y+= 5;
    }
}

If you understand how variable scope works in C, C++, Java, or C#, then you understand how const works. It's exactly the same scoping rules.

While const also means the value of the variable cannot change, let accomplishes the same in terms of block scoping, however the value is mutable.

// Global scope, cannot change.
// Can be used inside any other function.
const x = 5;

function example() {
    // Y is scoped to function, can be used
    // anywhere in example, but not outside
    let y = 10;
    if (Math.random() < 0.5) {
        // Z is scoped to the if branch, cannot
        // be used outside
        const z = 20;

        // OK, since Y is declared with let
        y += 5; 
    }
}

What you should do

1. Make limited use of global variables, and do so with care
2. Never use var
3. Always use const, unless you absolutely must use let

First off, let's discuss the use of global variables. In most situations, global variables are discouraged - across any programming language. They do create naming conflicts, and they do create more difficult to maintain code. That said, since JavaScript files consider code outside of functions to be executable, it's likely you will have code (and variables) outside of functions - which are inherently global. It's likely code files in your programs will have some global variables. In addition, Node.js's version of includes, which is the require statement, creates objects - and they are usually better off in global scope.

While you should always take care when creating global variables, it's not unreasonable to do so in a JavaScript program. Just don't go overboard. If the variable really belongs to a function, create it in the function!

You will likely NEVER use var.

var is still part of JavaScript, because there is an enormous amount of JavaScript code in use and floating around the web that was written before 2015. However, there is almost no reasonable reason to ever use it yourself. Block scoping with let and const still allow you to create variables that are available within an entire function. let and const can be used in the global scope to create variables in global scope. There is almost nothing you can do with var that can't be done with let and const - and there is a strong argument to be made that if you need var, you are probably writing code in a suboptimal or very convoluted way.

Most JavaScript developers will use linters, which are plugins for code editors that highlight code problems. One of the settings usually allows you to flag any use of var - and you are encouraged to do so. By never using var, you eliminate a large set of common programming errors without losing any expressive power in the language.

When choosing between let and const, always start with const. You will be surprised just how many variable that you create in practice never change. The use of const is almost always correct - and allows the runtime to operate more efficiently. The use of let is the exception, not the rule. There's nothing wrong with using it, but only use it when the value of something will need to change. Again, you might find it hard to believe, but it's less often than you think.

If you commit to never using var, and always using const unless you must use let, you will be well on your way to writing much better JavaScript code. Proper use of const and let, combined with the author's personal opinion that naming things well is the most important aspect of programming will cut down on your programming errors more than anything else you can commit to.

While we're at it... use === not == :)

Control Flow

So far we've covered types and scope, and JavaScript's quirkiness has been on full display. Hopefully you have come to grips with type coercion. . Hopefully you understand that as long as you never use var, and instead restrict yourself to let and const, life is pretty good in terms of scope. The good news is that most of the rest of JavaScript's syntax is a lot easier and more intuitive. Control flow is straightforward - it works largely the same way as most other programming languages.

if branches

The if condition is exactly like C, C++, Java, C#. if clauses require boolean expressions, and can be followed by any number of else if clauses, and may include one else at the very end. Short circuiting of boolean expression applies, just like in other languages. The { and } scoping operators are optional if a clause only has a single statement - however you are strongly encouraged never to take this option.

Ternary ? operator

Consider the following:

if (x < 5) {
    y = 10;
} 
else {
    y = 20;
}

Most JavaScript programmers will take advantage of the ternary operator instead of writing the bulkier code above:

y = x < 5 ? 10 : 20;

Both ways are perfectly acceptable, but when you are trying to do a simple assignment based on a single condition, the ternary operator is preferred by most people. Be careful though, don't abuse the ternary operator. If you find yourself adding a bunch of parenthesis, or chaining multiple ternary operators together, you are abusing it - and making your code worse.

If you write the following ternary expression:

y = (x < 5 && z > 50) ? (x %5 === 0 ? 70 : (z === 10 ? 6 : 9)) : 6;

You should write this:

if (x < 5 && z > 50) {
    if ( x % 5 === 0) {
        y = 70;
    } 
    else {
        if (z == 10) {
            y = 6;
        } 
        else {
            y = 9;
        }
    }
} else {
    y = 6;
}

It's a lot more space, but it's worth it - because your assignment is complicated. Taking something complicated and condensing it into a single line of code does no one any favors. If you want to de-clutter your code, put that complex set of branches into a function instead.

y = complex_assignment(x, z);

switch branches

Like most other language, the switch statement can be used to execute one of several blocks of code based on the value of a single expression. It's an alternative to using multiple if...else if statements when dealing with multiple possible outcomes for a single expression. Any switch can be written as a sequence of if/else if/else, but not vice-versa.

Syntax:

switch (expression) {
  case value1:
    // Code to run when expression === value1
    break;
  case value2:
    // Code to run when expression === value2
    break;
  // Add more cases as needed
  default:
    // Code to run if no cases match
}

Key Points:

1. Expression Evaluation: The switch expression is evaluated once, and its result is compared to each case value.
2. Case Blocks: Each case contains a value to compare with the switch expression. If a match is found, the corresponding block of code is executed.
3. Break Statement: The break statement is crucial because it prevents the code from "falling through" to the next case. Without break, execution continues to the next case, even if it doesn’t match.
4. Default Case: The default block is optional but useful. It runs if none of the case values match the expression. It works like the final else in an if...else chain.

while loops

while loops are used to repeatedly execute a block of code as long as a specified condition evaluates to true. It is especially useful when you don’t know in advance how many times the loop should run, but you want it to continue until a certain condition changes (a conditional loop)

Syntax:

while (condition) {
  // Code to be executed while the condition is true
}

Key Points:

1. Condition Evaluation: Before each iteration, the while loop evaluates the condition. If the condition is true, the loop body is executed. If the condition is false, the loop terminates.
2. Infinite Loops: If the condition never becomes false, the loop will continue indefinitely, creating an infinite loop. Therefore, it's important to ensure that the loop modifies something (such as a counter) to eventually meet the exit condition.
3. Initial Condition Check: The condition is checked at the beginning of each iteration. If the condition is false on the first check, the loop will never run.

Example:

let count = 0;

while (count < 5) {
  console.log(`Count is: ${count}`);
  count++;
}

In this example:

• The loop starts with count = 0.
• The condition count < 5 is checked before each iteration. As long as count is less than 5, the loop runs.
• Inside the loop, count is incremented by 1 after each iteration.
• When count reaches 5, the condition becomes false, and the loop stops.

Output:

Count is: 0
Count is: 1
Count is: 2
Count is: 3
Count is: 4

JavaScript also supports the do / while variant, which allows for a post test suitable for situations where you want your loop to run at least one time.

let count = 0;

do {
  console.log(`Count is: ${count}`);
  count++;
} while (count < 5);

for loops (Part 1)

It should come as no surprise that JavaScript also allows for counting loops using for. These loops are most useful when you can count, or express, the number of times the loop should go around using an expression.

for (let count = 0; count < 5; count++) {
    console.log(`Count is: ${count}`);
}

Notice that let is required here rather than const. The count variable is scoped outside the body of the for loop, but is tied to the for loop. count cannot be used on the lines before or after the loop, however count is not recreated on each turn of the loop - it is mutated.

We will revisit for loops when we cover arrays and objects, as there are variations of for loops that work specifically with these types of data structures in more sophisticate way.

Wrap up

Control statements works as expected if you are familiar with C, C++, Java, or C# (among other languages). As always, using the right tool for the job makes a world of difference. You should strive to be proficient at using each, and understand which works best in which situation. You'll be surprised by how much your code will improve, in terms of maintainability, readability, reliability, and correctness by simply learning to use the write control structure for you situation!

Objects

As has been described a few times in this chapter, JavaScript has two kinds of types - primitives and objects. We've talked a lot about primitives, and we've mentioned objects a few times. In this section, we'll look a lot more closely at objects, and then over the next few sections we will look at specific specializations of objects.

If you are coming from an object oriented language, the word object has a specific meaning. Normally we think of it as an instance of a class - a class being a data type. In object oriented languages, we usually have built in classes and user defined classes - and in both cases we think of classes as blueprints for new data types. We create instances when we declare variables of that type.

JavaScript has a fundamentally different take on objects and object orientation. We are going to look at the most common and practical uses of objects, and then we will briefly discuss their implementation details.

Objects are just bags of properties

JavaScript code can create objects, without defining classes. While we will discuss actual classes (which are a newer feature of JavaScript), objects are mostly just instances of the Object type. As a programmer, you can put whatever properties you want in each object instance you create. There is no blueprint, no new type.

// Create a new, empty object
const obj1 = {};

// Create a new object with two properties
const obj2 = {a: 1, b: 2};

// We can add x as a new property just
// by setting it.
obj1.x = 7;
// Same with c, which can be added to obj2
obj2.c = "Hello";
// And a can be changed to have a string 
// rather than a number.
obj2.a = "World";

In the code above, we highlight two concepts - property addition and changing property values. We are also demonstrating how const objects can be mutated, which might at first seem surprising.

Let's deal with those issue in reverse order. const obj1 is indeed declaring a new constant object, but the const is not referring to the object that obj1 points to, it's referring to the obj1 reference itself. Variables, whether they refer to primitives or objects, are just references. const obj1 means that obj1 will always refer to the object we've created, but the contents of that object are always free to change.

For example, the following code would violate the constant constraint:

const o = {};
// We would throw an error here.  Even though it's still an 
// empty object, when you create a new object with the literal {} 
// notation, a new object is being created in memory.  If o was
// declared with let, this would be fine - but const means o cannot
// point to or refer to a different location in memory.
o = {};

The following is fine:

const o = {};
o.a = 1;

We can also always change properties within an object. When we changed obj2.a in the original code above, we were changing the value that a refers to. That neither changes the object that obj2 refers too, nor does it cause any problem by changing the data type. This is for the same reason that let a = 1 can be followed by a = "hello" - we've already established that JavaScript variables can refer to data of any type over their lifetime.

BTW, there is also nothing wrong with this:

let a = 5;
a = {b: 9};
a = "hello";

In each of those statements, the variable a is being reassigned (let permits this). The fact that its being changed from a number, to an object, to a string is not an issue.

Finally, in the original code we demonstrated that properties could be added via simple assignment.

// Create a new object with two properties
const obj2 = {a: 1, b: 2};
// c can be added to obj2
obj2.c = "Hello";

This is perfectly normal, and expected in JavaScript. We create objects, and we add properties to them. We can also reference properties, and it is always safe to do so:

const obj2 = {a: 1, b: 2};
obj2.c = "Hello";

// There is no d property, so
// the value printed is `undefined`
console.log(obj2.d);

Here we see that undefined concept again. Accessing a property within an object that has not been assigned results in undefined being returned. In fact, you can almost think of every object as always having the entire infinite set of all possible properties already available - but that they have all been initialized to undefined. This of course is not how it works under the hood - but it is the behavior.

Remember:

• referencing a property of an object that was never set is ok - you get undefined.
• referencing a property of an undefined object is something quite different - and it will crash your program!

const o = {};
let x;
console.log(o.missing); // undefined
console.log(x.missing); // Program crashes, x isn't an object at all!

Object creation

Now that we've gotten started, let's look at all the ways that we can create objects in the first place.

The most common way is to use the literal notation:

const o = {};

Alternatively, some prefer to use const o = new Object(). This is using a constructor syntax that you might already feel comfortable with. It's OK to use, but it's verbose, and it isn't really any different than using the {} notation.

A third way is to use const o = Object.create(null). This is a more unusual case, and is very rarely used in practice. This syntax provides the ability to take advantage of some of the internals of how objects work in JavaScript - through a prototype system. We'll discuss this later on in this section, but in practice it's not used directly all that often in regular web development.

When creating objects, we are free to create them with any number of properties;

const x = 5;
const o = {
    a: 10,
    b: "Hello World",
    c: null, 
    d: x
};

It is perfectly natural to do this, and it is quite useful to do so. Objects are used extensively in JavaScript code because they are so easy to create, they are flexible, and once you get the hang of them, very easy to use.

Object Properties

Object property names can be referenced using the . operator. Assignment and referencing works as you'd expect, with the reminder that you can assign properties that don't already exist, and you can also reference properties that don't already exist, without issue.

Object names, when they follow the rules of standard identifiers (start with alphabetical or underscore, no spaces, and limit characters to alphanumeric plus _ and a few others) can use the . operator, but actually property names can be even more flexible.

For situations where a property name must use a naming convention that does not adhere to the identifier syntax, you can use [] notation instead.

const o = {};
o["Hello World"] = 5;

console.log(o["Hello World"]);

The property name "Hello World" is not a valid identifier, and thus cannot be used with the . operator, but you can still use it as a property name. There are some use cases where this comes in handy, but generally you will want to stick to proper identifier names. The . operator is much more ergonomic.

The [] syntax for referencing object properties does have a nice use case though. Consider the code below, where a random property name is accessed:

const o = {a: 1, b: 2};
const name = Math.random() < 0.5 ? 'a' : 'b';
console.log(o[name]);

This code might appear odd (and yes, it's a bit contrived). We set a variable name to be be either "a" or "b", and then use the value of name to access the corresponding property.

Note that this is different than o.name, which would attempt to access the property called name - which is undefined. This literally is accessing either property a or b based on the value of name.

Checking for object properties

Accessing missing properties results in undefined, which in most cases is sufficient to determine whether an object contains a given property. The following is a common method of checking:

const o = { a: 1 };
if (o.b) {
    //has b
}

This method can be error prone however, especially given JavaScript's type conversions. A safer way is to explicitly check for undefined with the ===

const o = {a: 0};
if (o.a ) {
    // This will be skipped, because 0 is interpreted as false.
    // If we were trying to check if a EXISTS, this would be 
    // an incorrect result!
}
// Instead, check explicitly for undefined:

if (o.a !== undefined) {
    // a is present.  Maybe it's 0, but it's there!
}

We can also make use of the in keyword to check if a property is present within an object.

const o = {a: 0};
if ('a' in o) {
    // Yes, this branch will execute - there
    // is a property called a
}
if ('b' in o) {
    // This branch will NOT execute, there 
    // is no b property in o
}

The in keyword is the most accurate method of checking whether properties exist in an object - but it's not necessarily used as much as it should be in practice.

Removing Properties

We've seen that we can easily add properties, via assignment. Can we remove them? We certainly can, and there are two schools of thought.

1. We can use the delete keyword. delete o.a removed a from the object. Any subsequent reference of o.a will result in undefined.
2. We can also just set o.a to be undefined - o.a = undefined. This has exactly the same effect, and may be faster - although most modern JavaScript runtime will optimize the inefficiency associated with delete away.

The difference between the two methods comes up when we try to iterate over all the object property names found in an object - often called the object keys. It also comes up when using the in keyword, which is an alternative way to check if object properties are present.

const o = {
    a: 10,
    b: "Hello World",
    c: null, 
    d: 20
};

// This removes a, it's no longer a property in o
delete o.a;
// This doesn't remove the property, it sets it to undefined.
o.b = undefined;

if (o.a !== undefined) {
    // This will NOT print
    console.log('o.a is present - check 1');
}
if ('a' in o) {
    // This will NOT print
    console.log('o.a is present - check 2');
}

if (o.b !== undefined) {
    // This will NOT print
    console.log('o.b is present - check 1');
}
if ('b' in o) {
    // This WILL print
    console.log('o.b is present - check 2');
}

// Prints b, c, d - a is not in o, but b still is.
for (let p in o) {
    console.log(p);
}

In the above code, we are clearly demonstrating the difference between delete and setting the property to b. It's important to understand the difference. There's no one right answer, it all depends on context. delete truly removed the property, and the result is that in works (both as a boolean expression, and an iteration of object properties) as you would expect if the property was completely deleted. Setting the property to undefined keeps the property in the object, but sets it's value to undefined.

Pro Tip💡 Programmers tend to get really opinionated about their code. That's a good thing, it means they care. There are those that argue strongly that delete is better than setting to undefined, and those that argue strongly that it doesn't matter. You can decide - but here's something to think about: It's generally antithetical to the idea of undefined to explicitly set something to undefined. The meaning of undefined is that the programmer has not set it. null is supposed to be what is used when the programmer has explicitly set the value to nothing. So, wouldn't it be more accurate to set a property to null rather than undefined? In which case, the distinction between the delete operator and setting the property to null is far more significant. Food for thought...

Nested Objects

Object properties can be anything. They can be primitives, or other objects. It's quite common for objects to contain other objects, which contain other objects. There are no restrictions (one caveat, see below).

const obj = {
    a: 5, 
    b: 10,
    c: {
        x: "hello",
        y: "world"
    }
}

const foo = {a: 10, b: 20, c: 30};
obj.bar = foo;

console.log(obj.bar.b); // Prints 20

The one thing to watch out for with nested objects is circular references. They are permitted. They are also a great way to introduce some really nasty bugs - so you need to be careful!

const root = {
    parent: null,
    data: {...}
}
const child = {
    parent: root,
    data: {...}
}
const grand_child = {
    parent: root,
    data: {...}
}
// So far, so good.  Each object has a reference to it's "parent".
// But now let's stitch them together the other way
root.child = child;
child.child = grand_child;
grand_child.child = null;

// Conceptually, there is nothing wrong with this at all
// However, we need to be careful about iteration.

// Will be called recursively
function visit(obj) {
    // Iterates each object, prints the key,
    // and descends into the object itself
    for (let name in obj) {
        console.log(name);
        visit(obj);
    }
}
visit(root);
// We'll never get to this line... visit is an infinite loop, 
// because root has a child, and that child has a parent, and 
// they are pointing to each other!

Serialization and Deserialization

The example above is a starting point for a better way to print out objects (the circular reference notwithstanding). We've already seen the decidedly unimpressive toString method for objects - which prints [object Object]. It's pretty common that we'd want to print (maybe for debugging) the entire contents of an object. That's easy, with the JSON built in object.

JSON stands for JavaScriptObjectNotation. JSON has actually replaced XML in most areas of software development as the preferred way to store structured, hierarchical data as text - in any programming language, because it is so intuitive and flexible. It looks just like how we declare a nested object in JavaScript - with the exception that property names and all values are quoted.

const obj = {
    a: 5, 
    b: 10,
    c: {
        x: "hello",
        y: "world"
    }
}

const foo = {a: 10, b: 20, c: 30};
obj.bar = foo;

console.log(JSON.stringify(obj));

That code prints the following:

{"a": "5", "b": "10, "c": {"x": "hello", 
"y": "world"}, "bar": {"a": "10", "b": "20", "c": "30"}}

The stringify method can also accept parameters to help format the text.

const obj = {
    a: 5, 
    b: 10,
    c: {
        x: "hello",
        y: "world"
    }
}

const foo = {a: 10, b: 20, c: 30};
obj.bar = foo;
console.log(JSON.stringify(obj, null, 2));

That code prints the following:

{
    "a": "5", 
    "b": "10, 
    "c": {
        "x": "hello", 
        "y": "world"
    }, 
    "bar": {
        "a": "10", 
        "b": "20", 
        "c": "30"
    }
}

You can learn more here

stringify is efficient, and is incredibly useful for serializing data - taking a complex object and turning into a language and platform agnostic string, which can be sent over a network, stored to disk, or even dropped into a database. We will use JSON a lot.

Given a JSON string, we can also easily parse it with the JSON.parse function. Giving parse a JSON string will result in an Object being returned. This process is referred to as deserialization. JSON started in JavaScript, but all modern programming languages either have built in, or standard extension for JSON serialization and deserialization. JSON is an incredibly popular method of moving data between programs, devices, and languages because of the ubiquity of serialization and deserialization capabilities, and it's relative simplicity as a format.

// Using template literal ` just because the string has double 
// quotes already in it.  In a real world example, you would be 
// getting this string from somewhere (disk, user, etc), since 
// otherwise, you'd have just written it as an object literal 
// in the first place!
const string_from_somewhere = `"{"a": "5", "b": "10, "c": 
                    {"x": "hello", "y": "world"}, "bar":
                    {"a": "10", "b": "20", "c": "30"}}"`;

const obj = JSON.parse(string_from_somewhere);

console.log(obj.bar.b); // Prints 20

Cloning

JSON.stringify and JSON.parse have often been used as a way to clone objects. The assignment operator = in JavaScript, when used with objects, performs a shallow copy - it's simply setting another reference to the same exact location in memory.

const o = {a: 2, b: 0};
const u = o; // Shallow copy

o.a = 5;
console.log(u.a); // Prints 5, since u points to same object as o

What happens when we want to create a distinct copy of o instead? For such a simple object, it's trivial - we could iterate properties manually - but that's not reasonable for large, nested objects. The way most programmers did this (until relatively recently) was to leverage JSON itself.

const o = {a: 2, b: 0};

// Turn o into a string, then parse the string
// JSON.parse returns a new object.
const u = JSON.parse(JSON.stringify(o));

o.a = 5;
console.log(u.a); // Prints 2, since u refers to distinct object

JSON.stringify is susceptible to circular references, which is one of the reasons we need to be careful about them. Using serialization and deserialization will fail with circular references. The JavaScript language has more recently been updated to include a structuredClone global function, which is a superior method of creating deep clones of complex objects. It's can be more efficient than using JSON.stringify and JSON.parse, and it also is more robust - in particular it can handle circular references gracefully.

const o = {a: 2, b: 0};
const u = structuredClone(o);

o.a = 5;
console.log(u.a); // Prints 2, since u refers to distinct object

• structuredClone - Mozilla Developer Network

Methods?

If you are coming from an object oriented language with classes, you are probably wondering where the class methods are. Objects usually have data and methods. The JavaScript object does have several methods already defined. We saw the toString method, for example. There are a few others, which you can take a look at here (we'll encounter some uses for them later)

• Object Reference - Mozilla Developer Network

You can also add functions to objects, and we will take a look at that later in this chapter when we focus on functions themselves. The syntax will be familiar to you.

Other types of objects

There are some helpful specialization types of objects, but they are all objects. These types of objects have their own constructors and their own methods, and we will revisit how they are built behind the scenes later on when we discuss prototypes and classes towards the end of this chapter. Some good examples include:

• Date
• Map
• Set
• Regular Expressions (RegExp)

The primitives also have their own object specialization counterparts - with their own constructors and their own methods.

• String
• Number
• Boolean

Before closing out this section, let's look at the following example of using property names with the [] syntax rather than the . operator. Recall, by using the [] syntax, we can use properties that are not valid identifiers - like strings with spaces, strings that start with numbers, or even numbers themselves.

const o = {};
o["hello world"] = 1;
o["9lives"] = 2;
o["6"] = 12;
o[3] = 18;

Look closely at that last one.

o[3] should looks like something pretty familiar to you.

That looks like an array.

const a = {};
for (let i = 0; i < 10; i++) {
    a[i] = i*i;
}
console.log(a[5]); // prints 25

Since object properties can be numbers, we've essentially created an array-like structure out of a plain old object. In JavaScript, arrays are just objects. They do have some specific syntax that differentiates them from objects - but they are just specializations of objects. They have all the same features of objects, just different conventions!

Arrays

Objects are bags of unordered name value pairs. The names of their properties can be any serializable data - strings, numbers, booleans. Their property names are completely arbitrary. If you think about your understanding of arrays from other languages, arrays are specializations of that same definition. Arrays are ordered name value pairs, with the names being specifically integers.

In most languages, the concept of an array carries with it a specific notion of how it is implemented in the language. In C, C++, Java, C# an array is not only an ordered set of values whose names are integers, but they are a homogenous set of values, consecutively / contiguously stored in memory. This is not the case in JavaScript. In JavaScript, arrays are implemented using objects - they are not laid out in memory any differently. This means that arrays are extremely flexible (you can store arrays with a mix of data types within them, for example), but they are no more memory efficient or performant than objects are. That's not to say they are slow, but they aren't using the same short cuts and optimizations that typical arrays use.

Pro Tip💡 By the way, this is also by things like Float32Array, Float64Array, Int16Array, Int32Array, and more exist. There is a realization that now that JavaScript is widely used as a general purpose language, there are situations where programmers want to use homogeneous, contiguous memory aligned arrays - and enjoy the efficiency and performance that comes with that. These array types are much more similar to their counterparts in C, C++, Java, and C# than traditional JavaScript arrays. That said, for most use cases JavaScript arrays are still the way to go. They offer a very good compromise between flexibility and performance. If you are absolutely positive that you want homogeneous data, and you know that performance is going to matter (i.e. we aren't talking about an array with a couple of dozen elements!), then take a look at other alternatives - just realize that they are no where near as flexible - they are simple data structures designed for speed, not programmer convenience.

The basics

Arrays are indexed by integers, with the first index being 0. Individual elements are untyped just as all variables in JavaScript are, and all object properties are. This implies that heterogenous arrays are a natural part of JavaScript. Arrays are created using either literal notation - [] or using constructor syntax.

Here's an example of the creation of an array containing 5 floating point values:

const a = [1.4, 3.2, 0.9, 4.5, -0.56];

for (let i = 0; i < 5; i++) {
    console.log(a[i]);
}

Note that we've created this array with standard [] initialization syntax, and used the implied length in the for loop to index through the array and print it's contents. Arrays have a built in length property that is far better to use than a hardcoded length based on the programmer remembering how many elements are in the array however.

const a = [1.4, 3.2, 0.9, 4.5, -0.56];

// MUCH better way to iterate, since now
// we know length is accurate
for (let i = 0; i < a.length; i++) {
    console.log(a[i]);
}

The constructor syntax for arrays is also viable, and comes in a number of flavors:

const a = Array();

console.log(a); // []

const b = Array(3);

Be careful using the constructor variants with parameters. Clearly, using one parameter is vastly different than 2 - as when one parameter is used it is interpreted as the size of the array, rather than a single element, but when more than one parameter is used they are interpreted as elements. Most programmers completely avoid using the constructor for an array, and prefer to always use literal notation unless they wish to allocate an array with a preset size (constructor with a single parameter). In reality, there is often no need to pre-allocate an array with elements however.

Adding elements

The fact that arrays are not homogenous and not laid out as consecutive/contiguous cells in memory has many implications. First and foremost, it means that arrays can grow arbitrarily (there is a maximum size, but that maximum size is related to the largest integer that can be represented in JavaScript, making indexes beyond it hard to work with).

const a = [];
a[0] = 10;
a[1] = 20;
a[2] = 30;
console.log(a[1]); // prints 20 

Notice now why predefining arrays of arbitrary sizes, without initializing the values within those elements, is not something most programmer do a whole lot. There's just not a lot of great reasons to do so. It may be slightly more performant, but most JS execution environments do a darn good job at optimizations that make this consideration nearly moot.

const a = [];
for (let i = 0; i < 100; i++) {
    a[i] = i * i;
}
console.log(a[5]); // prints 25

Each element of an array is referred to by an index, but the element itself need not be an integer.

const a = [];
a[0] = 10;
a[1] = {a: 1, b: 2};
a[2] = "hello";
console.log(JSON.stringify(a[1]); 
// Prints {a: 1, b: 2}

Pro Tip💡 While it is perfectly natural to have mixes of types within a single array, a word of caution. Most situations that call for arrays will require you to iterate over the array to do some sort of processing. That is usually done with a loop. If your elements all have different data types, then inside the loop you need to figure out what type you are dealing with - unless you know somehow what they are (i.e. odd indexes are numbers, even indexes are string - or some other highly personal pattern). There are fine ways of doing this, but just understand that just because you can doesn't mean you should. JavaScript likes to let you do whatever you want, it's up to you to avoid writing code full of flaws!

Sparse arrays, deletion & writable length

Adding to arrays implicitly simply by assigning an element is a departure from our understanding of preallocated arrays from other languages, but is not especially shocking. But let's look at a slightly different code snippet:

const a = [];
a[0] = 10;
a[1] = {a: 1, b: 2};
a[4] = "hello";

There's a very tiny change in the above code, relative to our last example. The first two elements (indexes 0 and 1) are assigned exactly the same, however the next line of code assigns index 4 to be "hello", instead of the next logical index - 2.

Let's see what the array looks like, by using length:

for (let i = 0; i < a.length; i++) {
    console.log(`Value at index ${i} = ${a[i]}`);
}

Value at index 0 = 10
Value at index 1 = [object Object]
Value at index 2 = undefined
Value at index 3 = undefined
Value at index 4 = hello

There's a bit to unpack here! Not only did we add a 5th element to the array, but we also seemingly added slots at index 2 and 3! Behind the scenes, those allocation aren't actually made though. Instead, length is actually defined by the language to be the value of the largest index, plus 1. If we had set a[10000] = "hello"; we would have seen 9997 undefined elements sitting between the [object Object] and hello. It's important to note that there is nothing inefficient about this. This concept is a very big departure from statically and contiguously allocated arrays - where a sparse array would mean lots of potentially unused memory allocations. In JavaScript, a sparse array really just a matter of the indices not being consecutive, from a memory allocation perspective. Sparse arrays have lots of uses, especially when creating caches and mappings of integers to other values - but their use is the exception rather than the rule.

While we're at it, since sparse arrays are easily supported in JavaScript, it follows that we can delete elements out of the array - leaving holes in the index sequence too!

const a = [];
for (let i = 0; i < 5; i++) {
    a[i] = i * i;
}

delete a[1];
delete a[4];

for (let i = 0; i < a.length; i++) {
    console.log(`Value at index ${i} = ${a[i]}`);
}

Value at index 0 = 0
Value at index 1 = undefined
Value at index 2 = 4
Value at index 3 = 9
Value at index 4 = undefined

Note that the elements 1 and 4 are now undefined. Also note that length is still 5. This is a bit of a surprise - deleting the index does not remove the index from use within the array, it's deleting the value.

What if we wanted to remove the last element, and actually change the length to reflect this? That's easy - just change the length!

const a = [];
for (let i = 0; i < 5; i++) {
    a[i] = i * i;
}

// Delete index 4
delete a[4];
a.length = 4; // Now 3 is the last index.

for (let i = 0; i < a.length; i++) {
    console.log(`Value at index ${i} = ${a[i]}`);
}

In fact, we don't even need to delete at all - we can just change the length, and the value will be removed (and garbage collected as applicable). We can truncate an array to any size.

const a = [];
for (let i = 0; i < 5; i++) {
    a[i] = i * i;
}

a.length = 3; // Now 2 is the last index, the array has 3 elements

for (let i = 0; i < a.length; i++) {
    console.log(`Value at index ${i} = ${a[i]}`);
}

Value at index 0 = 0
Value at index 1 = 1
Value at index 2 = 4

I know what you are thinking...

const a = [];
for (let i = 0; i < 5; i++) {
    a[i] = i * i;
}

a.length = 10; 

for (let i = 0; i < a.length; i++) {
    console.log(`Value at index ${i} = ${a[i]}`);
}

Value at index 0 = 0
Value at index 1 = 1
Value at index 2 = 4
Value at index 3 = 9
Value at index 4 = 16
Value at index 5 = undefined
Value at index 6 = undefined
Value at index 7 = undefined
Value at index 8 = undefined
Value at index 9 = undefined

Yep, you can enlarge an array simply by changing it's length too. Really, you aren't even enlarging the array - you are just setting the length property. All you are doing is changing how many indices you are accessing with your for loop - which is controlled with a.length.

const a = [];
for (let i = 0; i < 3; i++) {
    console.log(`Value at index ${i} = ${a[i]}`);
}

We are coming full circle. In the code above, we don't use length at all - and we see the truth behind all of this. Accessing an index that doesn't exist is a perfectly natural thing in JavaScript, just like accessing a property name in an object. If the property name doesn't exist, we get undefined. If the index doesn't exist, we get undefined too!

Better Iteration with in and of

What if we really actually want to visit each index in an array, but we suspect it's sparse. How can we tell whether a given element has anything in it intentionally or not?

Recall how objects work (after all, arrays are objects). We can use the in operator!

const a = [];
for (let i = 0; i < 5; i++) {
    a[i] = i * i;
}

delete a[1];
delete a[4];

// Use the in operator, to iterate over properties/indices
for (const i in a) {
    console.log(`Value at index ${i} = ${a[i]}`);
}
console.log(a.length);

Value at index 0 = 0
Value at index 2 = 4
Value at index 3 = 9
5

In the above code, we've deleted indexes 1 and 4, and unlike our standard for loop from before, we used the for in loop that skips over unused / deleted indices. Notice, length is still unchanged - the for in loop isn't using it.

The for in loop is a great way to iterate over an array and be more sure that you will only iterate the elements used. It allows you to navigate through a very sparse array without incurring the costs of processing (or manually coding skip logic) all the empty elements.

If you want to iterate over the values of an array rather than the indices of an array, then you can use the for of loop instead.

const a = [];
for (let i = 0; i < 5; i++) {
    a[i] = i * i;
}

delete a[1];
delete a[4];

// Use the of operator, to iterate over values
for (const v of a) {
    console.log(v);
}

0
undefined
4
9
undefined

This brings us to another surprise. When using of, JavaScript actually does use length to determine which elements to visit, and visits every element within the array up to length-1. This means for of visits every element in a sparse loop, while for in visits only the used indices.

If you are frustrated by this inconsistency, that's understandable. However, the idea behind this is that programmers have the power to do either. If they wish to intentionally skip unused elements in a sparse array, they can do so with for in. Since sparse arrays are the exception, rather than the rule, the for of uses the more natural method of simply honoring the length property of the array.

You may have noticed that we switched to const rather than let when using for in and for of. This isn't required, but the syntax of for in and for of actually creates a new value of the iteration variable each turn around the loop. By marking as const we guard against accidentally changing it within the loop body. For the standard loop, the iteration variable must change, it is a counter that is controlling the for loop. We may accidentally change it within the body of the loop, and it's up to us not to. This is one of the reasons we prefer to use for in and for of whenever we can.

Advice on iteration

We've seen standard for loops, standard for loops controlled by length, for in, and for of. Which should you use?

• Never use for (let i = 0; i < 10; i++). Meaning, never hard code a length of your array. If 10 truly is meant to be always 10, no matter how long the array is, then fine - but otherwise, it's a bad idea.
• If you have a compact (not sparse) array, then the most natural way of iterating the loop depends on what you are going to do inside the body of the loop.
  • If you will need to use the index and the value, then use for in. It gives you the index, and you can get the value using array notation a[i].
  • If you don't need the index, then just use for of to iterate values. It's more compact.
  • Both of those options will ensure you never loop beyond the end of the array.
• If you have a sparse array, then you need to determine whether you want to visit the empty elements:
  • If you want to skip empty elements, use for in
  • If you don't want to skip empty elements, use for of
    • If you don't want to skip empty elements, and you need the index in the body of the loop, use a.length
    • for (let i = 0; i < a.length; i++) iterates the same elements that for of iterates, but i is the index, and you can get the value using a[i].

Properties vs Indexes

length is a property of an array. We've seen that it unless you override it by setting it, it holds an integer representing the largest used index, plus 1. There's not much special about length though. Arrays are objects. Objects can have named properties. Therefore, arrays can have named properties.

const a = [];
for (let i = 0; i < 5; i++) {
    a[i] = i * i;
}

a.x = 10;
a.y = "Hello World";
a["6"] = "Surprise!"

At first this seems odd - why would you be adding properties to an array? There are situations where this could certainly be useful. Use the feature cautiously, but it can be very effective. When using arrays, numeric properties are indices, and non-numeric properties are just properties.

One thing to be aware of when introducing more properties to arrays is iteration however.

const a = [];
for (let i = 0; i < 5; i++) {
    a[i] = i * i;
}

a.x = 10;
a.y = "Hello World";

console.log('---- .length iteration ---- ');
for (let i = 0; i < a.length; i++) {
	console.log(i, a[i]);
}

console.log('----  for in iteration ----');

for(const i in a) {
	console.log(i, a[i]);
}

console.log('----  for of iteration ----');

for (const v of a) {
	console.log(v);
}

Here's the output. Notice that the property "6" was interpreted as an integer index, and has indeed changed the length of the array. When using the for loop controlled with length, we iterate through the indices, including index 6, printing out all the values - including the undefined at index 5. The properties x and y are never visited, because we are simply visiting elements in the array based on the counter variable i. The for of iteration works exactly the same way, because the for of iteration loop uses the length attribute. This is consistent with the rules described above.

The odd ball is the for in, but it too should be expected. The for in loop visits each set property. It skips unused indices, because it truly is just iterating over the properties that exist. The for in also loops through the non-numeric property names - so we see the x and y print out.

1 1
2 4
3 9
4 16
5 undefined
6 Surprise!
----  for in iteration ----
0 0
1 1
2 4
3 9
4 16
6 Surprise!
x 10
y Hello World
----  for of iteration ----
0
1
4
9
16
undefined
Surprise!

Useful Methods

We've spent a lot of time in this section covering the flexibility of arrays. Some of what we've discussed can feel confusing initially, take your time to read this section several times. Arrays are amazingly productive and powerful in JavaScript. When used correctly, and with confidence, you can write extremely succinct and powerful code, which would be quite difficult to replicate is some other languages.

Arrays also have many useful methods implemented. They are fairly easy to use, and we will simply define them here with links to documentation. We will start to use them a lot throughout the book.

Adding, Removing from the front or back of an array

• push - adds the end of an array
• pop - removes an element from the end of an array
• shift - removes an element from the beginning of an array
• unshift - adds an element to the beginning of an array

Turning an array into a string

• join - creates a concatenation of each element in the array by calling each element's toString method, and (by default) separates each element with a comma. The programmer can also specify different delimiters.

Reordering an array

• reverse - Reverses the array (in place).
• sort - Sorts the elements of the array using the element's natural comparators. We will see more of this later, because it becomes more useful once we learn how to defined different comparison methods to be used within the sort function itself. Sort is an algorithm, but we will be able to define how we compare elements themselves.

Searching an array

• indexOf - allows us to search for a value within the array, and return the index where it is found. Optionally, you can also provide a starting index to search from, allowing you to successively call to search for each instance of a value.
• find - returns the first value found in the array matching the search value. Requires us to provide a function that does the comparison, so we will cover this in more depth after covering functions.

Slice and Dice

• concat - combines two arrays to create a third array representing the concatenation (not necessarily the union) of the two.
• slice - allows us to obtain shallow copies of sub-arrays within the array.
• splice - can remove and/or replace elements of the array, in place.

You are encouraged to review all the functions associated with arrays - as there are many more.

• Arrays - Mozilla Developer Network

There are more to come, but we need to first look deeper at the last big missing piece of the JavaScript puzzle - functions. We've seen them used already in example, but we have to learn more about how they work, how they are created, and how they are used. Once we do, we can looks a few more array features that leverage functions to do even more.

Functions

We've seen functions a bunch of times in examples, and we'll assume you are familiar with them from other languages. All the same concepts of why we use functions apply in JavaScript, they allow for quality abstraction, reuse, and readability. In this section we will focus on some of the interesting features of functions in JavaScript - as they are more powerful than in some other languages. In fact, many of the features JavaScript provides have been adopted in other languages as well, due to how powerful they actually ar. In many ways, JavaScript is a functional or function oriented programming language - or at least, if you want it to be!

Defining functions

First off, you may have noticed that throughout this chapter so far, we used the following syntax to define functions:

function example() {
    console.log("Hello World");
}

example();

While that syntax is still supported (it is the original syntax), it is not the way modern JavaScript programmers tend to write their code.

In JavaScript, functions are objects. It's worth repeating. functions are data. That's a jarring concept to many students. It's likely when you learned to program, you were immediately introduced to the idea that functions were code, and code was different than data. It's one of the biggest hurdles to understanding how to really program with JavaScript. As soon as you wrap your head around the fact that functions work just like data in JavaScript, you will begin to see how so much of the language really fits together - and your skills will improve in leaps and bounds.

Functions as data has many implications - the first is how we typically declare functions.

const example = function () {
    console.log("Hello World");
}

example();

In the code above, we are defining the same exact function, and calling it exactly the same way. The difference is that we are intentionally writing the declaration as the declaration of a variable followed by the assignment of a value. The value to the right side of the assignment = operator just so happens to be the function literal notation - it's a function, without a name. It's an anonymous function. Think of it like const x = 5, where 5 is a numeric literal. 5 doesn't have a name, it's just a number. const x = 5; means x refers to a storage cell that contains the literal number 5. The above code is saying example is a variable that points to a storage cell that contains the function that accepts no parameters, prints "Hello World", and returns nothing (undefined).

It follows that functions can be reassigned, and moved around.

let example = function () {
    console.log("Hello World");
}

const x = example;
example = function(y) {
    console.log(y);
}

x(); // Prints Hello World
example(10) // Prints 10

The syntax above also suggests that functions can be attached to variable declared with var, const, and let - and indeed they can. They carry with them exactly the same rules about scope too. There is literally nothing about the variables x and example above that is different than variables that hold numbers, strings, booleans, objects, or arrays. Functions are objects.

let x = function() {
    console.log('Hello');
}

x(); // prints Hello
x = 5;
console.log(5); // prints 5

In modern JavaScript, we nearly never use the original syntax. We will not use it again in this book. You should avoid it.

There is a second way that modern JavaScript developers declare functions:

const x = () => {
    console.log('Hello');
}

x(); // prints Hello

The arrow notation at first may seem like simply a syntactic shortcut. We replaced the verbose function keyword. That's almost true, and in most cases is effectively true, however there are some subtle differences. We will talk about the difference later in this section - for now you can understand that because the difference only matters under very specific circumstance, which you don't necessarily want to use by default, you can default to the => syntax and opt for the function syntax when you explicitly need to.

Therefore, in the absence of a good reason, throughout the remainder of this book, we will see the => notation when declaring functions.

Parameters

Functions define parameters, and just like variables, they do not have specific types attached to them. Parameters are always block scoped to the function, and they are mutable, meaning they act list they were declared within the function using let. They are always pass by copy - however remember that variables (parameters) are references.

This means that when dealing with primitives, parameters behave like pass-by-copy in languages like C++

const example = (a) => {
    a++;
    console.log(a)
    // Prints 6
}

let x = 5;
example(x);
console.log(x);// Prints 5

In the example above, x could also be declared with const. The a++ inside example is operating on a reference called a, which originally pointed to the same storage cell that x points to - the storage cell with the number 5 in it. The a++ operator has the effect of changing the a reference to point to the storage cell that has 6 in it (which might need to be allocated). The x reference is unchanged.

Now let's look at something similar, but where the parameter is an object:

const example = (a) => {
    a.x++;
    console.log(a.x)
    // Prints 6
}

let o = {x : 5};
example(o);
console.log(o.x);// Prints 6

o (which certainly can be declared with const) is a reference that points to an object. That object has a property called x, which points to a storage cell that has 5 in it. When example is called, a is a reference that points to the same object that o refers to. Inside example, that object's x property is changed to point to a storage cell that has 6 in it. The object is still the same object, it's just that one of it's properties points to a different value now. When example returns, o is still the same reference. o points to the very same object whose x property was changed. 6 is printed.

The above examples are critical to your understanding of parameter passing.

Optional parameters and default values

Functions can have any number of parameters. The can also defined default values for their parameters.

const example1 = (a, b) => {
    return a + b;
}
const example2 = (a = 0, b = 0) => {
    return a + b;
}

console.log(example1(5, 6));  // 11
console.log(example1(5));     // NaN, since b is undefined
console.log(example1());      // NaN, since a and b are undefined

console.log(example2(5, 6));  // 11
console.log(example2(5));     // 5, since b defaults to 0
console.log(example2());      // 0, since and b default to 0

Note that this example demonstrates not only the value of default values, but also the ability for a caller to invoke functions without the proper parameters in the first place. In fact, there is nothing stopping the caller from calling example with 0, 1, 2, or 42 parameters. Again - JavaScript is permissive - and it's a double-edged sword.

Arguments

Function calling is so flexible, that when a function is called with too many parameters, the function can still accommodate this - and even capture the parameters.

const example = (a, b) => {
    console.log(a);
    console.log(b);
}
example(1, 2, 3, 4, 5);

In the code above, no runtime error is generated. The caller has called example with 5 parameters (or arguments). The example function receives 1 and 2 in a and b is unaware that more parameters had been sent with the call. In this case, it's clear the caller has made an error. JavaScript's philosophy of permissiveness is at work here. It's stance is essentially "no harm no foul". That may or may not feel right to you, and likely the point of view of a professional programmer would be that this is at least deserving of some sort of warning!

There is a hidden way to actually access extra parameters however, through a built-in arguments array available within a function whenever it is invoked. There is an important restriction however. The arguments array is NOT supported in functions declared with =>, only function using the function syntax.

const example = function (a, b) {
    console.log(a);
    console.log(b);
    if (arguments.length > 2) {
        console.log("---- Extra Arguments ---- ");
        for (let i = 2; i < arguments.length; i++) {
            console.log(arguments[i])
        }
    }
}
example(1, 2, 3, 4, 5);

1
2
---- Extra Arguments ---- 
3
4
5

The reason the argument array is not available to functions with the => syntax is that actually => syntax functions are different kinds of objects. Functions are objects, and they have objects that define their scope. The scope contains local variable, parameters, etc. It is implicitly references within the function. Traditional function have slightly different scope principles applied than => functions, and the newer => function dropped support for arguments. => functions also lack the this binding (we will discuss this a bit when we talk about prototypes and classes), and cannot be used the same way to define classes.

There is a better, newer, and more broadly supported way of allows functions to truly work with any number of parameters - a concept called variadic functions. The rest parameter syntax allows functions to explicitly define parameters that act as arrays:

const example = (...values) => {
   for (const v of values) {
    console.log(v);
   }
}
example(1, 2, 3, 4, 5);

1
2
3
4
5

This is the preferred approach to working with varied number of parameters in JavaScript functions. It works the same with function syntax and =>. A nice example of why this is helpful is when implementing something like a summation function:

const summation = (base, ...values) => {
    let sum = base;
    for (const v of values) {
        sum += values;
    }
    return sum;
}

// Prints 15
console.log(summation(0, 4, 5, 6));
// Prints 115
console.log(summation(100, 4, 5, 6));

Return Values

The return keyword works exactly like it does in any other programming languages. Once the execution of the function hits a line with the return statement, the function is terminated - and the value to the right (if any) of the return is bubbled up to the caller.

A few implications of JavaScript's typing system (or lack of) are of note however.

• A function can return different types of data, depending on conditions.

For example, you might have something like this:

// This is terrible code, it's an example.
const example = () => {
    const  v = Math.random();
    if (v < 0.5) {
        return 1;
    } else {
        return {a: 1, b:2};
    }
}

Imagine calling this function. You have no idea what kind of data it will return, as it returns an integer 50% of the time, and an object 50% of the time. You could check - but you can imagine how dealing with functions that return unpredictable data would lead towards very brittle code.

const r = example();
if (r.a) {
    console.log('Object returned');
} 
else {
    console.log('Integer returned');
}

Generally speaking, you shouldn't be creating functions that return different data depending on it's input (and certainly not a coin flip!). There are exceptions, and when used smartly this "feature" can be used effectively - but you must understand the danger. By returning different kinds of data, you are making the caller responsible for carefully working with the return value. Sometimes callers don't read documentation. As a rule of thumb, if you have a function that returns numbers, strings, or objects based on input, you haven't created a good abstraction around your function, and your code design could be improved. Functions that return different kinds of data are a code smell. A smell isn't an error, but it's usually unwanted.

One caveat is returning undefined or null. It's fairly common to have a function return a value under some conditions, and under others, return nothing. This might indicate the presence or absence of an error potentially. This is easier to use for callers, and usually is easier to understand.

const v = send_email(recipient, body);
if (v) {
    console.log('There was an error');
    console.log(v);
}
else {
    console.log('Success!');
}

Functions as properties, parameters, and return values

Now things start to get weird 😉

Functions are data, and we have variables that refer to those functions. Variables are passed into function as parameters. Variables can be assigned to object properties and to elements of an array. Variables are returned from functions. So, it follows that functions can be passed to other functions, put in objects and arrays, and even returned from other functions. Guess what - that's exactly what we do, a lot, in JavaScript!

const add = (a, b) => {
	return a+b;
}
const subtract = (a,b) => {
	return a -b;
}
const mult = (a, b) => {
	return a * b;
}
const div = (a, b) => {
	return a / b;
}

const op_obj = {
	plus: add,
	minus: subtract,
	product: mult,
	quotient: div
}

const op_arr = [add, subtract, mult, div];

const op_func = (op) => {
	switch (op) {
	case '+':
		return add;
	case '-':
		return subtract;
	case '*':
		return mult;
	case '/':
		return div;
	}

}


const a = 10;
const b = 5;

let op = op_func('-');
console.log(op(a, b)) 

for (const o of op_arr) {
	console.log(o(a, b))
}

console.log(op_obj.product(a, b));

5
15
5
50
2
50

Pretty cool huh? There are some probably abuses of cleverness, but study that code. It contains an example of adding functions to objects, and then calling those functions. It shows you that you can have an array of functions, iterate over them, and call each. It also shows you a function that given an input, can decide which function to return, and how you can call that function later.

Now take a look at this:

const math = (operand1, operand2, operation) => {
	const result = operation(operand1, operand2);
	return result;
}

const answer = math(1, 2, add);
console.log(answer); // prints 3

Here we see the add function sent as a parameter to math, and math calls it just like it would any other function - under the alias operation.

Anonymous Functions

Now take a look at this:

const answer = math(5, 2, (x, y) => {
    return (x * x) + (y * y);
});

console.log(answer); // prints 29

That might look really confusing to you at first glance, but it's commonplace. We have the math function, which expects two operands and a function to call - the third parameter. In the previous example, we called the math function with a named function, add. In this example, we call the math function with a literal function, or an anonymous function.

It's the same concept as this:

const example = (x, y) => {
    console.log(x, y);
}

const a = 5;
const b = 10;
example(a, b); // prints 5, 10
example(a, 12) // prints 5, 12

In the code above, you likely aren't confused at all. The first call to example passes two parameters, they both happened to be named variables. No surprise, 5 and 10 are passed in, become x and y within example, and are printed. In the second call, we pass two parameters again - but this time the second parameter is a literal number - 12. No matter, x is 5 and y is 12 inside `example, and are printed.

const answer = math(5, 2, (x, y) => {
    return (x * x) + (y * y);
});

console.log(answer); // prints 29

In the code above, the math function is receiving 3 parameters. The first to are numbers, and become math's operand1 and operand2 values. The third parameter is a literal function that computes the sum of squares, given two inputs x and y.

Creating functions that accept other functions is a very common design pattern in JavaScript. It's encouraged, because it allows you create reusable and flexible code. Many times, we wish to pass simple functions into them, functions that aren't going to be used elsewhere. There is no need to create named functions unless you think you are going to reuse them - especially when they are short. Inlining an anonymous function is a choice, it's not (always) changing behavior (there are some situation where it can, when we need to consider scopes and closures).

Do not resist this new way of coding (if it is new to you). It is effective, and it is commonplace. You will use it judiciously, and you of course will avoid inlining the same function over and over again - for the same reasons you don't write the same literal number in lots of places, or write the same 3 lines of code in a bunch of places. You will, however, find that proper use of this style leads to very readable code.

Scope & Closure

In passing, we noted earlier that functions have a scope object, that contains the variables accessible to it. In JavaScript, functions can be closures that enclose within their scope all variables within in, and the parent function. Before moving forward, let's examine a fairly common design pattern in JavaScript - locally defined functions.

const parent = () => {
    let c = 5;
    const local = (a, b) => {
        console.log(a, b, c++);
    }
    local(1, 2);
    local(3, 4);
}

parent();

In the code above, the function local is created inside the function called parent. It is not available outside the parent function, but it is callable within parent. The resulting code prints 1, 2, 5 and then 3, 4, 6. This may seem unusual, but if you understand the concept of local "things" belonging to functions, there's nothing all that unusual going on. Notably, the variable c defined in parent is available inside local because it is defined at the scope that encloses it. This is just like x being available inside the if condition below, which shouldn't too surprising at all.

const example = () => {
    const x = 5;
    if (true) {
        console.log(x); // x is available, defined at enclosing scope
    }
}

The variable c is incremented when local is called - we see 5 print first, and the ++ has the effect of post-incrementing it. When local is called again, the c value is once again printed (now it's 6), and post-incremented again. Now let's extend this example, having parent return the local function it had created - so the caller can use it.

const parent = () => {
    let c = 5;
    const local = (a, b) => {
        console.log(a, b, c++);
    }
    return local;
}

const f = parent();
f(1, 2);
f(3, 4);

It's a bit contrived, but this example is now demonstrating that the locally defined function local can be returned and used later. The output of the program is exactly the same as before. There is something very interesting happening with c though. c is a local variable of parent. Everything you know about local variables inside functions is probably telling you that after parent returns, it's local variables are destroyed. That's the point of local variables. Yet, after parent returns, we call the local function (f) not once, but twice. And each time, c is valid. In fact, the changes made to it are still tracked - it's 6 when f is called again!

This is happening because at the time local is created, c is in it's scope. Functions are closures, and capture the enclosing scope. They hold on to them, through their lifetime. local lives on past the lifetime of parent, and with it, it's reference to c.

Let's bend this example even further:

const parent = (a, b) => {
    let c = 5;
    const local = () => {
        console.log(a, b, c++);
    }
    return local;
}

const f = parent(1, 2);
const g = parent(3, 4);
f(); // 1, 2, 5
f(); // 1, 2, 6
g(); // 3, 4, 5

Now a and b are moved to the parent function's parameter list. They are local variables of parent as before, but now they are being passed into parent.

The first time we call parent, we do so with 1 and 2 as parameters. The local function is created and captures the 1 and 2, along with the mutable c variable. local is returned to the caller. The first time it is called, we get the expected 1, 2, 5 printout. Note, the 1 and 2 are captured just like in the example prior.

We are calling the returned local function (f) twice. Notice that the second time, we still get 1 and 2. The local function was created once, and it is still alive and well. c is printed as 6, since it's the same c variable as we incremented the first time we called the function. We incremented it the first time we called f, and now we see that effect.

We also called parent a second time, with 3 and 4 as parameters. Critically, this second call created a second local function instance. This second local function instance was created while a and b were bound to 3 and 4. They are distinct variables, because they belong to the second invocation of parent, and are enclosed within the closure of the second instance of local. Also critically, the second invocation of parent created a second instance of c - it's own local variable. local has captured that instance of c. As we can see, when the caller invokes the second instance of local - by calling g(), the second instance prints 3, 4 and uses the second instance of c - which is 5. This is a separate and distinct variable from the c in the first local created, which has been incremented (now to 7).

Re-read this section. If you grasp the concepts in the last example, you will be well ahead of the game in terms of being able to read professional level JavaScript code, and being able to write your own. These concepts are powerful. When used correctly, you can create elegant code that actually reduces complexity. When used accidentally, or used incorrectly, this style of programming can lead to lots of confusing errors unfortunately!

Arrays revisited

When we discussed arrays in the last section, we noted that there were a few things that were a lot more powerful if we were able to understand functions first. Let's revisit now that we do.

Sorting

The sort function can only do so much for us, particularly when we are using arrays containing objects, or wish to sort in non-standard ways (i.e. even numbers first, odd numbers after). It's limited only until now however - now that we know how to use functions a bit better. The JavaScript sort function accepts an optional parameter - a function that it will call whenever it needs to compare two elements in the array it is trying to sort.

// Assumes a and be are numbers
const regular = (a, b) => {
    if (a === b) return 0;
    else if (a < b ) return -1;
    else if (a > b) return 1;
}

// Assumes a and be are objects with 
// an x & y property, and sorts by their
// sum
const object_compare = (a, b) => {
    const v1 = a.x + a.y;
    const v2 = b.x + b.y;
    if (v1 === v2) return 0;
    else if (v1 < v2 ) return -1;
    else if (v1 > v2) return 1;
}

// Assumes a and b are numbers, rounds to integers
// sorts them by even number first, then odd, 
// and by value for ties (both even, or both odd)
const even_odd = (a, b) => {
    const a_even = Math.round(a) % 2 === 0;
    const b_even = Math.round(b) % 2 === 0;
    if (a_even && !b_even) return -1
    else if (!a_even && b_even) return 1;
    else {
        if (a === b) return 0;
        else if (a < b ) return -1;
        else if (a > b) return 1;
    }
}

const t1 = [3.6, 9.5, 12.4, 3.1, 6.3];
const t2 = [{x: 4, y:11}, {x: 9, y: -2}, {x: -5, y: 7}, {x: 1}]
t1.sort(regular);
// 3.1, 3.6, 6.3, 9.5, 12.4
console.log(t1.join(", "));

t1.sort(even_odd);
// 3.6, 6.3, 9.5, 12.4, 3.1
console.log(t1.join(", "));

t2.sort(object_compare);
// [ { x: -5, y: 7 }, { x: 9, y: -2 }, { x: 4, y: 11 }, { x: 1 } ]
console.log(t2)

Pro Tip💡 This example is bigger than just sorting. It's critical example for you to really think deeply about. Once this makes intuitive sense to you, you will be able to leverage the concepts of functional programming to your advantage more effectively. Think about any sorting algorithm - bubble sort, quick sort, merge sort. They employ different strategies, but the all need compare elements against each other. The sort function in JavaScript is simply deferring how that comparison is to be made to the comparison function you give it. It's outsourcing a behavior, and by doing so, it becomes far more flexible. It can work with any data type, and can apply it's sorting algorithm to any method of comparison. It's more than polymorphism from an object-oriented language, this is flexibility taken to the next level!

Searching, and map and filter

Searching involves comparison too, so it makes sense that the search functions also work with arbitrary functions. Before diving into indexOf and find though, we need to take a detour into two foundational methods defined on the array - map and filter.

map and filter transform arrays. The map function allows you to easily map each element to another value - creating an array with the same number of elements, but transformed values. The filter method allows you to defined a function that decides whether a specific element is in the new array - allowing you to remove elements from a source array.

Let's look at a simple example:

// Receives an object with x and y properties, 
// returns the sum
const sum_xy = (e) => {
    return e.x + e.y;
}

// If the element is even, result is true
const even = (e) => {
    return Math.round(e) % 2 === 0;
}


const t = [{x: 4, y:11}, {x: 9, y: -2}, {x: -5, y: 7}, {x: 1, y: 7}]

const sums = t.map(sum_xy);
// [ 15, 7, 2, 8 ]
console.log(sums);

const even_sums = sums.filter(even);
// [ 2, 8 ]
console.log(even_sums)

map and filter are shockingly useful in a variety of circumstances. Once you start writing enough JavaScript, you'll start to notice that you hardly have a program that doesn't use them. They take some practice to get used to, and that practice time will pay huge dividends.

Let's get back to searching now - and revisit indexOf. The indexOf function will return the first index where a particular value is found within an array. The indexOf function does not accept a function to do the comparison however. At first, this looks like a drag - for example, we can't find a matching element within a list of objects very easily, since objects are always compared by memory location.

const t = [{x: 4, y:11}, {x: 9, y: -2}, {x: -5, y: 7}, {x: 1, y: 7}]

// Find the object with x,y = 9, -2
const i = t.indexOf({x: 9, y: -2});
console.log(i); // -1, not found

Have no fear though, because map can transform the array, and we can use indexOf to search the transformed array.

const t = [{x: 4, y:11}, {x: 9, y: -2}, {x: -5, y: 7}, {x: 1, y: 7}]

// Find the object with x,y = 9, -2
const i = t.map((o) => {
	return `${o.x}:${o.y}`
}).indexOf(`9:-2`);

console.log(i); // 1, second element

Note, even though map returned a transformed list, the index returned by indexOf is the index of the matching object in the original array t. This is because map always produces an array of elements that is the same length, and derived from the same inputs, in the same order.

BTW, we can use a simpler function syntax when our inline functions contain just a return statement:

const t = [{x: 4, y:11}, {x: 9, y: -2}, {x: -5, y: 7}, {x: 1, y: 7}]

// Find the object with x,y = 9, -2
const i = t.map(o => `${o.x}:${o.y}`).indexOf(`9:-2`);
console.log(i); // 1, second element

The example above works since indexOf can accurately compare strings. This mechanism is lacking though if we were to be searching for floating point numbers, or something that can't be unambiguously turned into a string. We could alternatively use map to convert the array into literally a set of true/false values depending on search status though:

const t = [{x: 4, y:11}, {x: 9, y: -2}, {x: -5, y: 7}, {x: 1, y: 7}]

// Find the object with x,y = 9, -2
const i = t.map(o => o.x === 9 && o.y === -2).indexOf(true);
console.log(i); // 1, second element

Note, the map function ended up returning an array of booleans: [false, true, false, false], and we just used indexOf to get the first. This strategy, where map is effectively producing a signal for each element is a common and flexible strategy.

The find method can also help us here, and does accept a comparison function that it will use

const t = [{x: 4, y:11}, {x: 9, y: -2}, {x: -5, y: 7}, {x: 1, y: 7}]

// Find the object with x,y = 9, -2
const e = t.find(o => o.x === 9 && o.y === -2)
console.log(e); // {x: 9, y: -2}

Remember, find returns the element, while indexOf returns the index of the element found.

We could go further. Let's say we wanted to find only the objects whose sum (of x and y) were even. We could do the following, with indexOf

const t = [{x: 4, y:11}, {x: 9, y: -2}, {x: -5, y: 7}, {x: 1, y: 7}]

// Map to sums of x, y, and then map again for evens
// The result of first mapping in [15, 7, 2, 8], 
// and after the second mapping we have [false, false, true, true]
const signals = t.map(o => o.x + o.y).map(v => v%2 === 0);

const even_sums = [];
let i = -1;
do {
	i = signals.indexOf(true, i+1);
	if (i >= 0) {
		even_sums.push(t[i]);
	}
} while (i >= 0);

// [ { x: -5, y: 7 }, { x: 1, y: 7 } ]
console.log(even_sums);

This is a little awkward though. Instead, We could be a little more clever, and use filter. Note that in the example earlier, we used map and filter to print out even sums, but we lost the object, since map converted each element into it's sum. Let's do a little tweak to that, so we don't actually lose the original source object - and just have an array with objects whose x,y sum is even.

// Just use filter, with a function that computes sum, and returns if it's sum is even.
const t = [{x: 4, y:11}, {x: 9, y: -2}, {x: -5, y: 7}, {x: 1, y: 7}]

// Filter returns true or false, based on if sum is even
// It does not alter the element
const even_sums = t.filter(o => (o.x + o.y) %2 === 0);

// [{x: -5, y: 7}, {x: 1, y: 7}]
console.log(even_sums);

forEach

What if we wanted to sort the array of objects we had above, using the even/odd sorting strategy we employed in the first example of sorting. One way, is to split the list into even and odds, and then sort them.

const t = [{x: 4, y:11}, {x: 9, y: -2}, {x: -5, y: 7}, {x: 1, y: 7}]

const sum_xy = (e) => {
    return e.x + e.y;
}

const compare_sum = (a, b) => {
	const sa = sum_xy(a);
	const sb = sum_xy(b);
	if (sa === sb) return 0;
	else if (sa < sb) return -1;
	else return 1;
};

const evens = t.filter(o => (o.x + o.y) % 2 === 0);
const odds = t.filter(o => (o.x + o.y) % 2 !== 0);

evens.sort(compare_sum)
odds.sort(compare_sum);

const result = evens.concat(odds);

//[ { x: -5, y: 7 }, { x: 1, y: 7 }, { x: 9, y: -2 }, { x: 4, y: 11 } ]
console.log(result);

Another way (not necessarily better) is to manipulate each element first, before applying sort. map and filter transform arrays, it would be nice if we could just manipulate each element. The simple way of doing that is with a for loop.

const t = [{x: 4, y:11}, {x: 9, y: -2}, {x: -5, y: 7}, {x: 1, y: 7}]

for (const o of t) {
	o.sum = o.x + o.y;
	o.even_sum = (o.sum %2 === 0);
}

const results = t.sort((a, b) => {
	if (a.even_sum && !b.even_sum) return -1
    else if (!a.even_sum && b.even_sum) return 1;
    else {
        if (a.sum === b.sum) return 0;
        else if (a.sum < b.sum ) return -1;
        else return 1;
    }
    // Use the map again to trim out the 
    // extra properties we added with the for loop
}).map((o) => {return {x: o.x, y: o.y}});

//[ { x: -5, y: 7 }, { x: 1, y: 7 }, { x: 9, y: -2 }, { x: 4, y: 11 } ]
console.log(results);

Another way of doing that is the forEach method. The forEach method is essentially turning a for loop inside out - or, more accurately, allowing you to specify what happens inside the for loop, but allowing the library call to actually implement the loop itself.

const t = [{x: 4, y:11}, {x: 9, y: -2}, {x: -5, y: 7}, {x: 1, y: 7}]

t.forEach((o) => {
	o.sum = o.x + o.y;
	o.even_sum = (o.sum %2 === 0);
});

const results = t.sort((a, b) => {
	if (a.even_sum && !b.even_sum) return -1
    else if (!a.even_sum && b.even_sum) return 1;
    else {
        if (a.sum === b.sum) return 0;
        else if (a.sum < b.sum ) return -1;
        else return 1;
    }
    // Use the map again to trim out the 
    // extra properties we added with the forEach
}).map((o) => {return {x: o.x, y: o.y}});

//[ { x: -5, y: 7 }, { x: 1, y: 7 }, { x: 9, y: -2 }, { x: 4, y: 11 } ]
console.log(results);

The purpose of these examples has been to demonstrated the use of indexOf, map, filter, and forEach - there are many ways of doing each of the (seemingly useless) examples. Invest some time in trying to make sense out of all the ways arrays can be manipulated though - the investment will pay off!

Object Prototypes

JavaScript uses a unique inheritance model called prototype-based inheritance, which stands in contrast to the class-based inheritance found in many other programming languages like C++ and Java. Instead of defining classes as blueprints for generating objects, JavaScript objects are created by making a reference to other objects, known as prototypes. These prototypes act as blueprints from which objects can inherit properties and behaviors.

At the heart of JavaScript's prototype system is the prototype chain. Every object in JavaScript has an internal link to another object, its prototype. This chain of objects continues until it reaches the end, typically the Object.prototype, which serves as the top of the prototype chain.

This section described how prototyping works, briefly. For the most part, we will be able to focus on writing JavaScript without dealing with the details of prototyping often - however if you truly want to master JavaScript, having a deep understand is valuable.

Creating Objects with Prototypes

When you create an object using object literal notation or the Object.create method, you are establishing a prototype relationship. The simplest example is an object created with {}:

const obj = {};

This object has Object.prototype as its prototype, which gives it access to methods like toString and hasOwnProperty. Those methods are implemented on Object.prototype.

However, if you want to create an object with a different prototype, you can use Object.create:

const proto = { greet: function() { console.log("Hello!"); }};
const obj = Object.create(proto);
obj.greet(); // Prints "Hello!"

In this example, the object obj inherits the greet method from its prototype, proto. The prototype acts as a fallback — if obj doesn’t have a property, JavaScript will look for it on the prototype. It's really just a different approach towards inheritance, without creating property types (classes).

Prototype Chain

When accessing a property on an object, JavaScript will first check if the property exists directly on the object. If it doesn't find the property, it will follow the object's prototype chain to search for it. This continues until it either finds the property or reaches the end of the chain.

const animal = { hasTail: true };
const dog = Object.create(animal);
dog.bark = function() { console.log("Woof!"); };

console.log(dog.hasTail); // true (inherited from animal)
dog.bark(); // "Woof!"

Here, dog does not have a hasTail property directly, but since animal is its prototype, the property is found through the prototype chain.

Modifying Prototypes

You can modify prototypes at runtime, and any object linked to that prototype will immediately reflect the change.

const proto = { greet: function() { console.log("Hello!"); }};
const obj = Object.create(proto);

// Adding a new method to the prototype
proto.sayGoodbye = function() { console.log("Goodbye!"); };

obj.sayGoodbye(); // Prints "Goodbye!"

Be cautious when modifying built-in prototypes (such as Object.prototype), as this can lead to unintended consequences throughout your codebase, since all objects will inherit these changes.

__proto__ and Object.getPrototypeOf()

JavaScript provides two key ways to access an object’s prototype:

1. The __proto__ property, which is widely supported but is non-standard and discouraged in modern code.
2. The Object.getPrototypeOf() method, which is the recommended way to retrieve an object’s prototype.

const obj = {};
console.log(obj.__proto__); // Outputs Object.prototype
console.log(Object.getPrototypeOf(obj)); // Same as above

Setting Prototypes

You can set an object’s prototype using the Object.setPrototypeOf() method. However, this method is rarely used in practice because modifying an object’s prototype after creation can hurt performance.

const animal = { hasTail: true };
const bird = { canFly: true };

Object.setPrototypeOf(bird, animal);

console.log(bird.hasTail); // true (inherited from animal)

Constructors!

In JavaScript, functions can serve as constructors when invoked with the new keyword. Constructor functions set up the prototype chain for the objects they create. By default, every function has a prototype property, which points to an object. When you use a constructor, the newly created object links to the constructor’s prototype.

function Animal(name) {
  this.name = name;
}

Animal.prototype.speak = function() {
  console.log(`${this.name} makes a sound.`);
};

const dog = new Animal("Dog");
dog.speak(); // "Dog makes a sound."

Here, the Animal constructor sets up dog's prototype to link to Animal.prototype. As a result, dog can access the speak method.

The this Keyword in Constructors

When working with object-oriented concepts in JavaScript, the this keyword plays a central role in defining properties and behaviors that belong to a specific instance of an object. In the context of a constructor function, this refers to the new object instance being created.

For example:

function Person(name, age) {
  this.name = name; // 'this' refers to the new instance
  this.age = age;
}

const john = new Person("John", 30);
console.log(john.name); // "John"
console.log(john.age);  // 30

In this code:

• Person is a constructor function.
• this.name = name assigns the name parameter to a name property on the new object.
• this.age = age does the same for the age property.
• The new Person("John", 30) call creates a new instance of Person, where this inside the constructor refers to the john object.

How this Behaves with new

When you use the new keyword with a constructor function:

1. A new empty object is created.
2. The constructor function is called with this bound to that new object.
3. Any properties or methods assigned to this inside the function become part of the new object.
4. Unless the constructor returns an object explicitly, this (the new object) is returned by default.

For example:

function Car(make, model) {
  this.make = make;
  this.model = model;
  this.drive = function() {
    console.log(`Driving a ${this.make} ${this.model}`);
  };
}

const car1 = new Car("Toyota", "Corolla");
car1.drive(); // Driving a Toyota Corolla

Here, this.make and this.model refer to the specific car instance being created, and this.drive becomes a method attached to that instance.

The Importance of new with this

When calling a constructor function without new, the behavior of this changes dramatically. Instead of referring to a new object, this might refer to the global object or be undefined. This can cause unexpected bugs.

For instance:

function Animal(type) {
  this.type = type;
}

const dog = Animal("Dog");
console.log(dog);         // undefined
console.log(window.type); // "Dog" (in non-strict mode)

Since new is not used, the constructor does not create a new object, and this refers to the global object (window in browsers, undefined in Node.js). To avoid this confusion, always use new when calling a constructor function to ensure that this refers to the new instance.

We will revisit our discussion of this when we cover proper ES6 Classes in the next section. Not only does the this keyword have different implications with true classes, but it also is affected by the use of function and => notations as well.

Prototypes vs Classes

In JavaScript, objects inherit properties and methods through a prototype, an object linked to every instance of a constructor function. This prototype-based inheritance allows shared methods across instances via the prototype chain. This is in stark contrast to a language like C++, which uses class-based inheritance, where classes serve as blueprints, and objects (instances) inherit methods and properties directly from a class hierarchy.

Both the prototype style and class-based inheritance can facilitate most of the same object oriented and polymorphic functionality - especially given JavaScript's typing system. That said, there are advantages to the type of class-based inheritance models we see in other languages:

1. Clarity and Structure: Class-based inheritance provides a more formal and structured way to define relationships between objects. We can explicitly define class hierarchies, making the code easier to read and understand - especially given that most programmers are already familiar with this style of programming.

2. Encapsulation: Classes allow for encapsulation of data and behavior. By using access modifiers (like private, protected, and public), class-based languages provide fine-grained control over which parts of an object are accessible outside its scope. There is no notion of this with the original JavaScript prototype implementation. All properties on objects (including objects that are serving as prototypes) are accessible (and mutable).

3. Multiple and Interface Inheritance: Many class-based languages support multiple inheritance or interfaces, allowing for more complex and flexible designs. This lets objects inherit from more than one class or follow multiple interface contracts, making them more versatile in complex systems. This isn't possible with prototyping, as each object has one and only one prototype.

Perhaps the biggest benefit of class-based object oriented design is that there is a distinction between the blueprint of a type, and instances. When using prototyping, objects are derived from other objects, and those underlying objects can be changed. As noted above, you can even change (at runtime) the properties of Object itself - and those changes would cascade (immediately) to every instance of every object in your program - past, present and future! This might sound incredibly powerful (it is), but it's also really dangerous. class-based design allows you to set up the rules of a "type" in an unmodifiable way, in a more declarative style. This is less powerful, but also far easier to manage.

In the 2015 release of EMCAScript (JavaScript) 6, JavaScript received true class-based syntax. Under the hood, it still uses the prototype design, but from a syntactic perspective we can now design object oriented features in a similar manner as other OO languages. This is the focus of the next section.

JavaScript ES6 Classes

With ECMAScript 2015 (ES6), JavaScript introduced a more structured and readable way to define object-oriented constructs using classes. Although JavaScript remains a prototype-based language at its core, classes provide a familiar and straightforward syntax for those accustomed to class-based languages like Java or C++.

Class Syntax and Constructors

Classes in JavaScript are declared using the class keyword, followed by the class name. Inside the class, the constructor method is used to initialize the object's properties when a new instance is created with the new keyword.

class Person {
  constructor(name, age) {
    this.name = name;
    this.age = age;
  }
  
  greet() {
    console.log(`Hello, my name is ${this.name}`);
  }
}

const person1 = new Person('Alice', 30);
person1.greet(); // Output: Hello, my name is Alice

Here, the Person class has a constructor that takes two parameters, name and age, and assigns them to the newly created object using the this keyword. The greet method then uses these properties to display a personalized message.

Encapsulation and Property Access with get and set

JavaScript classes provide getters and setters for encapsulating properties and controlling access to them. Getters retrieve the value of a property, and setters validate or modify the data before assigning it to the internal property.

class Person {
  constructor(name, age) {
    this._name = name;
    this._age = age;
  }
  
  get name() {
    return this._name;
  }
  
  set name(newName) {
    if (newName.length > 0) {
      this._name = newName;
    } else {
      console.log("Name cannot be empty.");
    }
  }
  
  get age() {
    return this._age;
  }
}

const person1 = new Person('Alice', 30);
console.log(person1.name); // Output: Alice
person1.name = 'Bob';
console.log(person1.name); // Output: Bob

In this example, name and age have getter methods. The setter for name ensures the name cannot be set to an empty string, providing controlled access to the internal _name field.

Why Use the _ Prefix?

You may notice the _ prefix before name and age. In JavaScript, this is a convention to indicate that a property is intended to be private or should not be directly accessed or modified outside of the class. However, this convention does not enforce true privacy, as _name and _age are still publicly accessible. It merely signals to developers that these properties should be handled with care.

const person1 = new Person('Alice', 30);
person1._name = ''; // The underscore indicates this should not be done, but it is still allowed
console.log(person1._name); // Output: (an empty string, which may break logic elsewhere)

This convention led to the introduction of private class fields, denoted with the # symbol, which we'll explore next.

Private Fields with #

To achieve true privacy in JavaScript classes, ES2022 introduced private fields, which are prefixed with #. Unlike the _ convention, private fields are not accessible outside of the class definition, providing genuine encapsulation.

class Person {
  #name; // private field
  #age;  // private field
  
  constructor(name, age) {
    this.#name = name;
    this.#age = age;
  }

  get name() {
    return this.#name;
  }

  get age() {
    return this.#age;
  }

  greet() {
    console.log(`Hello, my name is ${this.#name}`);
  }
}

const person1 = new Person('Alice', 30);
console.log(person1.name); // Output: Alice
console.log(person1.#name); // SyntaxError: Private field '#name' must be declared in an enclosing class

In this example, trying to access #name directly from outside the class throws an error. This ensures that private fields cannot be tampered with from the outside and are only modifiable or accessible via methods or getters/setters defined in the class.

Read-Only Properties with Getters

A getter without a corresponding setter can be used to create read-only properties, meaning the property can be accessed but not modified directly.

class Person {
  constructor(name, age) {
    this._name = name;
    this._age = age;
  }
  
  get name() {
    return this._name;
  }

  get age() {
    return this._age; // Read-only
  }
}

const person1 = new Person('Alice', 30);
console.log(person1.age); // Output: 30
person1.age = 35; // No effect since there is no setter
console.log(person1.age); // Output: 30

In the example above, the age property has only a getter, making it read-only. Any attempt to assign a new value will be ignored.

Static Methods

Static methods are defined on the class itself rather than on instances of the class. These methods are useful when the functionality is not tied to a particular instance but instead relates to the class as a whole.

class Person {
  constructor(name, age) {
    this.name = name;
    this.age = age;
  }

  static species() {
    return 'Homo sapiens';
  }
}

console.log(Person.species()); // Output: Homo sapiens

In this example, the species() method is static, meaning it is called on the Person class itself rather than on an instance. Static methods are typically used for utility functions or to define constants.

The this Keyword

In JavaScript, this refers to the current instance of the class. It is used to access the instance's properties and methods. When working within a class, this ensures that the correct object is being referenced.

class Person {
  constructor(name) {
    this.name = name;
  }

  greet() {
    console.log(`This person is named ${this.name}`);
  }
}

const person1 = new Person('Alice');
person1.greet(); // Output: This person is named Alice

Here, this.name refers to the name property of the person1 instance. The keyword this is crucial when creating methods inside classes, as it provides a reference to the object the method is being called on.

Inheritance with ES6 Classes

ES6 classes support inheritance, allowing one class to extend another and inherit its properties and methods. Inheritance is achieved using the extends keyword, and the subclass must call super() to invoke the constructor of the parent class.

Consider the Person class and its two subclasses, Student and Professor:

class Person {
  constructor(name, age) {
    this.name = name;
    this.age = age;
  }
  
  greet() {
    console.log(`Hello, my name is ${this.name}.`);
  }
}

class Student extends Person {
  constructor(name, age, major) {
    super(name, age); // Calls the constructor of the Person class
    this.major = major;
  }
  
  study() {
    console.log(`${this.name} is studying ${this.major}.`);
  }
}

class Professor extends Person {
  constructor(name, age, department) {
    super(name, age); // Calls the constructor of the Person class
    this.department = department;
  }
  
  teach() {
    console.log(`Professor ${this.name} is teaching in the ${this.department} department.`);
  }
}

const student1 = new Student('Alice', 20, 'Computer Science');
const professor1 = new Professor('Dr. Bob', 50, 'Mathematics');

student1.greet(); // Output: Hello, my name is Alice.
student1.study(); // Output: Alice is studying Computer Science.

professor1.greet(); // Output: Hello, my name is Dr. Bob.
professor1.teach(); // Output: Professor Dr. Bob is teaching in the Mathematics department.

In this example, both Student and Professor inherit from the Person class. The Student class adds a major property and a study method, while the Professor class adds a department property and a teach method. They both share the greet method from the Person class. The super() function is required in the constructor of the subclasses to call the parent class's constructor.

Arrow Functions and Lexical this

Arrow functions, introduced in ES6, maintain the this value from their surrounding lexical scope. This makes them useful in scenarios where you want to preserve the correct reference to this without worrying about the context.

class Person {
  constructor(name) {
    this.name = name;
  }

  delayedGreet() {
    setTimeout(() => {
      console.log(`Hello, my name is ${this.name}`);
    }, 1000);
  }
}

const person1 = new Person('Alice');
person1.delayedGreet(); // Output: Hello, my name is Alice (after 1

 second)

In the example, an arrow function inside setTimeout ensures that the this keyword refers to the instance of Person, not the global object, which would happen with a traditional function.

When we use classes

JavaScript ES6 classes provide a modern, more intuitive syntax for object-oriented programming. The ability to define constructors, encapsulate properties using getters and setters (including readonly and private fields), leverage inheritance, use static methods, and ensure proper this binding with arrow functions, has made ES6 classes a powerful tool for developers. This cleaner and more structured syntax brings JavaScript closer to traditional class-based languages while still maintaining its underlying prototype-based nature.

All that said - you will notice that we don't use classes all that much in a lot of the code throughout this book. That's not a conscious decision, it's not done because classes are a bad thing. The truth is that a lot of JavaScript code can be written with just the basic object (Object) and functions. JavaScript doesn't have to be object oriented - and because of the flexibility inherent in the language, you can often achieve much of the same expressiveness that you get from polymorphism in typed languages simple with regular old objects in JavaScript.

In conclusion - using classes are great, especially if that's what you are most comfortable with - however there is also nothing inherently wrong with using them sparingly. JavaScript code doesn't need to look like C++, Java, or C# code just because classes are supported. Classes are great options for certain situations, but they aren't the only options for all situations!

At this point, we have covered more than enough of the JavaScript language. It's time to start applying it towards web development. For the next few chapters, JavaScript will be used server-side, all of our focus will be on implementing web servers. We will do so in conjunction with learning HTML and CSS for front-end development, but whenever we are using JavaScript, it will be towards server side functionality.

Before moving forward, you are strongly encouraged to work on the first first project, presented in the next section. It's a bare-bones implementation of a web server, with static data. It's a chance for you to really practice JavaScript, and also solidify your understanding of exactly how HTML is served to browsers. We will revisit this project over time throughout this book, as we gradually introduce more powerful techniques. Take the time to do the practice problems - they will improve your understanding in meaningful ways!

Chapter 6: HTML Part 2 - Forms

Forms and Responses

When we covered HTML a few chapters ago, we only covered the presentation part of HTML. The second part of HTML, and in many ways the part that starts to move us from web sites to web applications is forms.

HTML forms are sets of user interface controls that allow a user to enter data, and have that data transmitted to the web server. All of the user controls you are used to seeing on the web - text boxes, numeric inputs, drop downs, check boxes, and more - they are all HTML form controls - or input controls.

We'll examine each kind of control in this chapter. We'll see the default rendering of those controls, and later on we'll see how to use CSS to customize their appearance. Before reviewing all the different types of controls however, it's really important that we understand the basics.

A simple form

A form is just a <form> element on a standard HTML web page, with one or more controls in side of it. The form element is rendered by the browser as a block element, without any additional special styling. The form element has unique functionality, however. Based on attributes defined on the form element, HTML authors can command the web browser to initiate new HTTP requests to specified URLs, with data the user has input. The browser will then render the response it receives from the web server, just like if a user had clicked on a link or typed in a new URL in the address bar. HTML Forms initiate a normal request/response cycle, just like a click of a hyperlink - the difference is that the request can contain additional data found within the form, and the request may be either an HTTP GET or POST.

Let's take a look at the most simple form:

<!DOCTYPE html>
<html>
  <head>
    <title>This is a page with a form</title>
  </head>
  <body>
    <div>
        <p>Here's our first form!</p>
    </div>
    <form action="/destination", method="post">
        <input name="first" type="text"/>
        <br/>
        <input name="last" type="text"/>
        <br/>
        <button type="submit">Submit</button>
    </form>
  </body>
</html>

First, let's establish what this page looks like. Let's assume it is hosted on http://www.form-examples.com, at the root (/) page. The user has either arrived at this page by clicking on a link, or typing it directly into the address bar. It will look something like this:

We'll see how to add labels and all sorts of nice things soon enough - let's just focus on what we see. The form element itself is just a block element, it doesn't have any specific appearance. There are three child elements within it (aside from the new line br elements) that are critical to the form. These are two input elements - which are rendered as empty text boxes, and one button of type submit.

First, understand that when the page is loaded, users can type into the two input fields. Typing into the fields do not cause the browser to take any action at all. Input elements can also be pre-initialized, but setting the value attribute directly:

<input name="first" value="John"/>

When the input field above is rendered, the text "John" will be pre-filled in the control, but remains editable by the user.

input elements are empty elements. They are self-closing. They must be written as one opening and self closing tag. <input ... /> not <input>...</input>.

In the form above, the button element is what will drive browser action. When the user clicks the button, the web browser responds by following the commands specified within the attributes of the form element the button is contained within:

<form action="/destination", method="post">

The method attribute tells the browser to create a POST request. The action attribute provides the relative URL to make the POST request to. In this case, since we established that this page was at http://www.form-examples.com, a POST request will be sent to http://www.form-examples.com/destination.

We saw what POSt requests looked like in the HTTP chapter. Given the data that was filled in above, let's look at what this particular HTTP request will look like:

POST /destination HTTP/1.1
Host: www.form-examples.com

Content-Length: 21
Content-Type: application/x-www-form-urlencoded

first=Jack&last=Frost

Let's examine first the header the browser will set when sending this request - Content-Type. The default format for an HTTP request body initiated by a form is application/x-www-form-urlencoded. It's a mouthful, but it's simply the MIME extension for form data, which are name / value pairs separated by ampersands - basically exactly like query strings.

The request body has the actual name/value pairs. The name attribute of each input element within the form is included, along with whatever value the input control currently has. In this case, we have two input elements, with name attributes first and last, which result in the request body above.

What happens to the request?

The HTTP request that the browser constructs arrives at the web server just like any other request. Now that we know more about JavaScript from the last chapter, let's take a look at a sample Node.js web server capable of serving the initial form, and handling the POST request sent when it is submitted.

The heading and footing functions below are just some helper functions to build the html boilerplate. send_page calls them, along with writing the HTTP header value to specify the type as HTML. Combined, send_page, heading and footing are just utilities for generating HTML responses.

const http = require('http');

const heading = () => {
    const html = `
        <!doctype html><html>
            <head><title>Form Example</title></head>
            <body>`;
    return html;
}

const footing = () => {
    return `</body></html>`;
}

const send_page = (res, body) => {
    res.writeHead(200, { 'Content-Type': 'text/html' });
    res.write(heading() + body + footing());
    res.end();
}

The next function we'll use is parse_form_data. We will receive a request body when we receive the HTTP POST request, and this function parses the form-encoded string (name value pairs, separated by &). It will return an object (form) representing the name value pairs found in the http request body. As written, this parsing is extremely unsophisticated. It isn't handling any of the HTTP character encodings (special characters, etc), and it's not robust to malformed request bodies. Remember, any program can send HTTP requests, so all code that handles requests needs to be extremely carefully written - otherwise your program could crash, or commit security infractions, as a result of malformed or cleverly (and maliciously) formed HTTP requests. We are going to replace this parsing with something far better shortly. For now, it's useful to see it's simplicity.

// This is a really unsophisticated way of parsing
// form data, we will replace it with something better
// very soon.
const parse_form_data = (data) => {
    const form = {};
    const fields = data.split('&');
    for (const f of fields) {
        const pair = f.split('=');
        form[pair[0].trim()] = pair[1].trim();
    }
    return form;
}

Now let's take a look at the code that is actually handling the HTTP requests. The handle_request function accepts a req object representing the request, and a res object representing the response. The handle_request function is registered as the function that called by the http server. You can see this happening at the very bottom - http.createServer(handle_request).

The handle_request function is a first look at the type of branching we ultimately need to do in response to a request. Our web servers will do different things, based on if the request is GET or POST, and based on which URL it is to.

The easiest to understand is how a GET to / is handled. We simply send an HTML page, containing the form (the same form we saw earlier). The browser will render the form.

const handle_request = (req, res) => {
    if (req.method.toUpperCase() === 'GET' && req.url === '/') {
        // This a GET request for the root page - which is the HTML that
        // contains the form.
        send_page(res, `<form action="/destination", method="post">
                            <input name="first" type="text"/>
                            <br/>
                            <input name="last" type="text"/>
                            <br/>
                            <button type="submit">Submit</button>
                        </form>`);
    }
    else if (req.method.toUpperCase() === 'POST' && req.url === '/destination') {
        // The request body is streamed to our code, we need to register
        // a handler for the data.
        let body = "";
        req.on('data', (chunk) => {
            // This function gets called as chunks of data arrive.
            // In our case, it's probably just one chunk since
            // we have such little data, but we still need
            // to handle it using a callback like this (for now).
            body += chunk;
        });

        // Eventually, the stream of data arriving from the browser (the
        // request body) will end.  We register a function to be called
        // when that event occurs.
        req.on('end', () => {
            console.log(body);
            // The request body will look like this:
            // first=something&last=something
            body = parse_form_data(body);
            // We need to respond with an HTML page, let's just make
            // it have the data posted.
            send_page(res, `<p>Welcome ${body.first} ${body.last}</p>`);
        });
    }
    else {
        res.writeHead(404, { 'Content-Type': 'text/html' });
        res.write(heading() + `<p>Sorry, page not found</p>` + footing());
        res.end();
    }
}

http.createServer(handle_request).listen(8080);

The more complicated path is when the request is a POST for /destination. Here we need to process the incoming request a little more carefully. By default the http library will parse the HTTP request start line, and all header fields, and it makes them available on the req object. That's where we get the req.method and req.url properties from. The request body however is handled differently. Since HTTP request bodies can be arbitrary length, the http library exposes the body as a data stream. It's mimicking how the underlying socket works, where the request body is being read from the socket as as stream of characters.

To accomplish request body processing, we must tap into this stream. The req.on function allows us to register function handlers for when data arrives, and also when the stream has ended. The underlying http library will handle the detection of stream end - usually using the Content-Length header, but potentially using HTTP 1.1 chunking, etc.

Review the code above carefully. Notice that when we receive the POST to /destination, we actually do not send the page response right away at all. We register a small little function to append each chunk of the request body to a body variable. We register a function to be called when the request body stream has ended, and that function parses the request body, and builds a page to send to the browser at that time.

Note that we wrote the HTML form such that it posts to /destination. We could have just as easily had it post to /. This would not have created a conflict, as the POST is differentiated from the GET. In fact, it might be quite natural for the webserver to server the HTML containing the form in response to GET / and handle the form submission at POST /. It's totally up to you!

You can download the code above - form-server-1.js. It doesn't require any dependencies, you can download it and run it using node form-server-1.js command from your terminal. Then visit the page by typing http://localhost:8080 into your web browser.

Now go ahead and submit the form, buy clicking the "Submit" button. You'll notice the print out by the server (look at the terminal where you are running node form-server-1.js). It's showing the raw request body that was received. The request body is parsed, and an HTML page is generated.

Go ahead and add some more printouts. Experiment with it!

Alternative: Redirect

Note that sometimes web application developers prefer to process the incoming data and redirect to another page. After clicking submit, click the browser's "Refresh" button. You'll notice the browser throws up a warning message, something like this:

This message is indicating that clicking "Refresh" will result in the POST request being re-issued. This warrants a warning, because POST often has a some sort of side effect on the server. In our example, it doesn't - we just render a page - however often time a POST might be used to store data in a database, login, or something else. Contrast this with GET requests, which are supposed to be read-only. They should never alter the state of anything. GET requests are supposed to be idempotent - they can be repeated over and over again without any additonal effect. The browser is warning the user - it's being asked to repeat a POST request, which unlike a GET request, may actually change the server's state.

Sometimes, instead of rendering a page in response to a form submission, the web server instead issues a redirect to a landing page. Redirects (300 level responses) cause the browser to issue a GET request to the new location (set by the location header in the 300 response). The advantage is that now a browser "Refresh" is just repeating a GET. The disadvantage is that the redirect loses context. Unlike our result page above that contains the form data that was posted, a redirect will issue a brand new GET request, and the server will need to respond by creating an HTML page - but it no longer has the HTTP request body from the previous POST. There are solutions to this (for example, the POST may have stored data to a database, which can be retrieved when rendering the response to the new redirected GET), but we'll wait to see them for a bit.

POST or GET

HTML forms are often configured to result in HTTP POST messages. In the example above, we set methodequal to post to specify this. We learned in the HTTP chapter that there are other HTTP methods - GET, PATCH, PUT, DELETE. PATCH, PUT, and DELETE are not supported by HTML forms, however, GET certainly is.

Recall that an HTTP POST message may contain a message body, while a GET request cannot. So how would we have a form element that uses GET to submit it's data?

<form action="/destination", method="get">
    <input name="first"  type="text"/>
    <br/>
    <input name="last"  type="text"/>
    <br/>
    <button type="submit">Submit</button>
</form>

The form above will look identical to the form we had before, however when "Submit" is clicked, the web browser will generate a GET request to /destination instead of a POST. In addition, the form data (the name value pairs) will be appended as a query string. The resulting URL that the GET request will specify is as follows - assuming the user entered in "A" as the first name, and "B" as the last name:

http://localhost:8080/destination?first=A&last=B

Note that this means the form data is in the URL address bar of the browser. It also means that that URL is bookmarkable, it is linkable. We discussed query string when discussing HTTP requests.

Here's how we might handle the request in Node.js

const handle_request = (req, res) => {
    if (req.method.toUpperCase() === 'GET' && req.url === '/') {
        // This a GET request for the root page - which is the HTML that
        // contains the form.  NOTE we set method to GET now
        send_page(res, `<form action="/destination", method="get">
                            <input name="first" type="text"/>
                            <br/>
                            <input name="last" type="text"/>
                            <br/>
                            <button type="submit">Submit</button>
                        </form>`);
    }
    else if (req.method.toUpperCase() === 'GET' && req.url.startsWith('/destination')) {
        // The url is going to be /destination?first=A&last=B, so we need to compare
        // with startsWith, rather than an exact match
        console.log(req.url);
        if (req.url.indexOf('?')) {
            // Give parse_form_data the part of the url AFTER the ? symbol.
            // Form data in the POST request body is formatted the same way
            // as a query string in a GET message is, so we can reuse the same
            // code.
            body = parse_form_data(req.url.split('?')[1]);
            send_page(res, `<p>Welcome ${body.first} ${body.last}</p>`);
        }
        else {
            send_page(res, `<p>No form data was sent!</p>`);
        }
    }
    else if (req.method.toUpperCase() === 'POST' && req.url === '/destination') {
        // we could still have processing code for POST too..
        ....
    }
    else {
        res.writeHead(404, { 'Content-Type': 'text/html' });
        res.write(heading() + `<p>Sorry, page not found</p>` + footing());
        res.end();
    }
}

You can simulate form submission by simply entering the http://localhost:8080/destination?first=A&last=B URL into the browser's address bar too - the web server cannot tell why it is receiving the HTTP GET message with a query string - it simply responds to it! If you type http://localhost:8080/destination without the query string, you'll see the message indicating that the query string was not present.

BTW - if you are wondering why forms don't support PATCH, PUT and DELETE. There are lots of reasons, but perhaps the most definitive is - legacy. Original specifications of HTML simply decided only GET and POST were to be supported by forms. There are too many legacy pages, legacy browsers, and legacy servers on the world wide web to effectively move on from those decisions. Unsatisfying - but it's the truth!

GET or POST for Form Data?

We've seen how to use GET or POST, and how that data will be processed server side. So, the question is - which should we use?

There's no one right answer. POST is the right approach when one or more of the following hold:

1. You do not want the submitted data to appear in the address bar of the browser. This might be for privacy reasons, for example. Note, request body in a POST message is not secure (unless sent over https), but it is somewhat hidden from casual observers. Note also, POST data does not appear in web history. You would always use POST for something like submitting login credentials, for example.
2. The data being submitted by the form is large. We will see more form controls soon (even file uploading), which never make sense as GET requests. Generally GET requests are subject to query string lengths of a few thousand characters, if that. Request bodies associated with POST can be many megabytes and gigabytes in length.

If you answer "yes" to the following, however - then GET might be the best option for your form:

• You do want the form data to be bookmarkable and shareable, so you do want the query string to be where the data is specified. This allows the the data in the form to be part of a web browsers page history, copyable, and easy to share. http://localhost:8080/destination?first=A&last=B can be sent to anyone, and if they visit that page, with that query string, they will see exactly what you saw when you submitted the same form. This makes perfect sense for things like search results - where the search string is is submitted as a form. Users can share they URL, and it has the search string embedded with in it. Same for a web site that lets you get traffic directions - the form that the user enters the beginning and destination address can be submitted with GET, so the directions results are shareable.

Most forms are submitted with POST, but you should always make the decision consciously - don't just default to using POST or GET exclusively!

Buttons

You might be wondering, why do we need to put type="submit" in the button element. The reason is actually a bit more complicated than it should be.

button elements are controls, and they do not necessarily always need to cause a form submission. When we learn more about JavaScript (on the client), we will learn how to execute JavaScript code when buttons are clicked. This JavaScript may or may not need to interact with the web server at all - we don't want the web browser to take any action on our behalf, we just want our JavaScript code to run. For those kinds of buttons, we will use type="button" instead of type="submit".

According to the HTML standard, type attribute is required on the button element - but web browsers generally accept that if you leave the attribute off, it will treat the button as if it is of type "button". This feels like a good approach - this way, if the author of the web page doesn't add a type attribute, the button click results in no action by the web browser. This feels like a good approach today, but in the earlier years of web development - when buttons almost always were for form submission - browser made other assumptions. For example, most versions of Internet Explorer treated a button without a type as having type="submit"! This led to web pages potentially working very differently on different browsers - which is always bad news!

The bottom line - always specify - either submit or button (or a couple of others, which we will see in the next section).

Another interesting features of the button element is that it can optionally* accept a name attribute. When placing a name attribute on a button, it doubles as an input control that is encoded in the form data submitted.

<form action="/destination", method="post">
    <input name="first" type="text"/>
    <br/>
    <input name="last" type="text"/>
    <br/>
    <button type="submit" name="foo">Submit 1</button>
    <button type="submit" name="bar">Submit 2</button>
</form>

In the HTML form above, if the user clicks the "Submit 1" button, along with the first and last data, the parameter foo= will be placed in the request body. If the user clicks "Submit 2", then bar= will be in the body. Although there is no value, the presence of those parameters in the request body can be understood by the server - allowing the server to know which submit button was clicked. There are many situations where this can be helpful.

The name attribute

Explain how the name attribute should be a valid identifier What happens if two controls of the same name appear What happens if name is left out Name is not ID

Pro Tip💡 One of the most common mistakes new students make is forgetting the form element. The form element is not visible to the user (at least, not unless there is styling). Often, students will focus on what they see, and create HTML pages with input elements outside of form elements. The page looks just fine, but when the user clicks submit buttons, nothing happens. Worse yet, sometimes students do create a form element, but they put the input elements outside the form element! When you do this, your form element might very well submit (provided you've correctly set the action and method attributes, and included a button of type submit) - but the form data associated with elements outside the form aren't going to be submitted with the request! Make sure you understand this concept - form elements are the container of any input data you need to send in the form submission request. User control data only gets submitted with the HTTP request if the user control is within the form being submitted!

Form Controls

The previous section introduced simple text fields and buttons. The mechanics of how data is sent to the server are important to understand. More importantly, you must understand how forms relate to the request/response cycle of the web. Pages are rendered, and those pages may have forms. Users enter data, and submit forms, usually by clicking a button. To submit a form means that the web browser initiates a GET or POST request, based on the form element's method attribute, to the url specified by the form element's action attribute. The web server, when that request is received, is responsible for performing any necessary processing on that form data, and sending an HTTP response - usually another web page.

form elements are not limited to just text fields and buttons however. HTML specifies a rich set of user interface controls that we can use within forms. They all result in defining data that will be submitted with the form they are enclosed in - so the mechanics are all the same. Whether the form just has one or two text fields, or hundreds of different controls within in, submitting the form will always result in all the data associated with all the controls within it being sent to the server.

Let's take a look at some of the other form controls:

Input Variations & Attributes

The input element is versatile, it is not necessarily just for plain text input. In HTML 5, the input element was expanded to support a number of different types aside from text. The standard also specifies that if a browser does not support a type, then it shall be rendered as a normal text input.

Some commonly supported input types are as follows:

• type="password" - Passwords - This one isn't new, it's been around forever. An input field with type "password" will display it's characters are masked (usually dots instead of characters). This is a nice privacy feature, but sometime leads to a false sense of security. Remember, passwords entered as form elements - whether they are entered into a text input or a password input, are transmitted in plain text unless the web site uses HTTPS. Inputs of type password
• type="number" - Number - restricts input to contain numbers. Accepts a min and max attribute to set limits on the number, and usually the browser will render the input field with up and down arrows to allow the user to increment/decrement the number (although this isn't required). The step attribute can be used to control the increment used by these arrows.
• type="email" - Email - restricts input to contain an email address, containing a well formed email address. This input field is not quite as widely supported, many browsers will simply render it as a text box. The value is that it is easier to take advantage of input validation when you've specifically specified type=email, and you are also providing more information for web browsers to pre-populate the form field.
• type="url" - URL - this is similar to email inputs, in that not all browsers will do anything differently. However, some browsers will restrict the input to be a well qualified URL.
• type="tel" - Telephone number - most browsers will provide some input assistance for users when entering phone numbers - like grouping area code, for example. Many browser will simply render this as a normal text field however.
• type="date" - Date - Most modern web browsers will render this initially as a text box, but when the user clicks the text box to bring it into focus a date picker of some sort will be provided. This allows for significantly more effective date entry, as opposed to asking the user to enter the date in as free-form text. Because date entry is so problematic in plain text, most modern browsers to provide some level of enhanced support for date inputs.
• type="time" - Time - Similar to date entry, entering times as free-form text is cumbersome and error prone. Most browsers, when the type is set to "time", will provide a time picker control to the user when they begin editing the input. It's not quite as commonly supported as date types, but close. Keep in mind, for both date and time, the actual control the browser will provide for picking dates and times vary dramatically - both between browsers, and across devices.
• type="color" - Color - colors are generally RGB values, although they are sometimes represented as hexadecimal numbers (we'll see a lot of that with CSS), and other color formats. When web applications want the user to choose a color (maybe they are selecting a theme for their account profile, for example), asking them to enter colors using technical standards like RGB, HSL, or hex is problematic. Most modern browsers will render a color control very different than an ordinary text control - giving the user a standard color picker to select a color with. As always, if the browser does not support the color input type, the the control will just be text. Note, when a user selects a color, it will be sent in the HTTP request (on form submission) as plain text - as a seven-character hexadecimal string. For example, if the user selects black, the value of the input element will be sent as #000000.

Here are some examples of these in action. Note, browsers are free to support each type of input the way they see fit. On a mobile device, browsers might display different types of controls for things like numbers (dials), as opposed to on the desktop. As a web developer, using the correct input field is really important, because it allows the web browser to make the decision on how to facilitate data entry - and the browser is in the position to best know how to do this well!

<form action="/destination" method="post">
    <!-- Text Input -->
    <label for="username">Username:</label>
    <input type="text" id="username" name="username" placeholder="Enter your username">
    <br/>
    <br/>

    <!-- Password Input -->
    <label for="password">Password:</label>
    <input type="password" id="password" name="password" placeholder="Enter your password">
    <br/>
    <br/>

    <!-- Number Input -->
    <label for="age">Age:</label>
    <input type="number" id="age" name="age" min="1" max="100" placeholder="Enter your age">
    <br/>
    <br/>

    <!-- Email Input -->
    <label for="email">Email Address:</label>
    <input type="email" id="email" name="email" placeholder="Enter your email">
    <br/>
    <br/>

    <!-- URL Input -->
    <label for="website">Website:</label>
    <input type="url" id="website" name="website" placeholder="https://example.com">
    <br/>
    <br/>

    <!-- Telephone Input -->
    <label for="phone">Phone Number:</label>
    <input type="tel" id="phone" name="phone" placeholder="Enter your phone number">
    <br/>
    <br/>

    <!-- Date Input -->
    <label for="dob">Date of Birth:</label>
    <input type="date" id="dob" name="dob">
    <br/>
    <br/>

    <!-- Time Input -->
    <label for="meeting">Meeting Time:</label>
    <input type="time" id="meeting" name="meeting">
    <br/>
    <br/>

    <!-- Color Input -->
    <label for="favcolor">Favorite Color:</label>
    <input type="color" id="favcolor" name="favcolor">
    <br/>
    <br/>

    <button type="submit">Submit</button>
</form>

There are a few more, and we will cover types checkbox, radio, file, hidden in their own sections below. You are encouraged to review more reference material about the various input types.

• Mozilla Developer Network - Input Controls

Labels & Placeholders

You might have noticed the use of label in the examples above. The <label> element in HTML forms is used to provide descriptive text for form controls, such as <input> elements, improving both usability and accessibility of forms. The main purpose of the <label> element is to ensure that users — especially those with disabilities — can easily understand the purpose of form fields. Associating a label with an <input> element makes forms more user-friendly and accessible across different devices and assistive technologies.

• Clear visibility: The <label> element helps users quickly identify the purpose of form controls. For example, a form might have multiple input fields, and without labels, users might be confused about what information is expected in each field.
• Click to focus: When a <label> is correctly associated with an <input> element, clicking on the label will automatically focus the corresponding input field. This improves the user experience by increasing the clickable area, especially in cases where the form control (like a small checkbox or radio button) is hard to click.
• Screen readers: Associating a <label> with an <input> ensures that screen readers can read out the label when the input field is focused. This is crucial for users with visual impairments who rely on screen readers to navigate forms. When navigating a form via the keyboard (using the Tab key), a screen reader or accessibility tool will correctly announce the label when the corresponding input field is focused.

Associating <label> with <input> Elements

There are two primary ways to associate a <label> with an <input> element:

1. Using the for attribute: The most common method is by using the for attribute in the <label> element. The value of the for attribute must match the id attribute of the associated <input> element.

<label for="username">Username:</label>
<input type="text" id="username" name="username">

The for="username" in the <label> element connects it to the <input> element with id="username". Clicking on the label will focus the input field, and screen readers will announce the label when the input field is focused.

2. Wrapping the <input> in the <label>: Another method is to wrap the <input> element inside the <label> element. In this case, the association between the label and the input is implicit, and you do not need to use the for and id attributes.

<label>
    Username:
    <input type="text" name="username">
</label>

Both methods are valid, but using the for and id approach is generally preferred because it keeps the HTML cleaner and separates the label from the input field, which can help with styling and layout.

The placeholder Attribute

The placeholder attribute is used to provide a short hint or example inside an input field, giving users a sense of what type of information they should enter. This hint disappears once the user begins typing in the field.

Here’s an example using placeholder:

<input type="text" name="username" placeholder="Enter your username">

In this example, the text "Enter your username" appears inside the input field but disappears when the user clicks on the field or starts typing.

Pro Tip💡 Note that placeholder is different than setting the value attribute.

<input type="text" name="username" value="Enter your username">

In the above example, the "Enter your username" text is actually the text written in the input element, and if the user were to submit the form, that text would be submitted. In order for the user to enter their username, they would need to delete the "Enter your username" text. The value attribute should never be used as a hint/instruction, it is only appropriate for actually pre-filling values that may be submitted. A good use case is when displaying a form that allows the user to edit existing information.

While both placeholder and label help guide users in filling out a form, they serve very different purposes and behave differently. The most significant difference is that while the placeholder disappears when the input field is interacted with, a label does not. For this reason, use placeholders in addition to labels, not instead of labels. Placeholders are best used to add hints, or examples - while labels are use to really describe what the user needs to enter.

  <label for="email">Email Address:</label>
  <input type="email" id="email" name="email" placeholder="e.g., user@example.com">

In the above example, a label is used to clearly describe that the input field is for an email address. The placeholder attribute is providing some additional context, but once it disappears, the user will not be confused.

Longer text with textarea

The <textarea> element in HTML is used to create a multi-line text input field in a form, ideal for collecting larger amounts of text such as comments, feedback, or detailed descriptions. Unlike the <input type="text"> element, which is used for single-line text input, the <textarea> element allows multiple lines of text and places its content inside the element rather than as an attribute.

<form action="http://example.com/destination", method="post">
    <label for="message">Message to submit</label>
                <br/>
    <textarea name="message" rows="4" cols="50">
        Enter your message here...
    </textarea>
</form>

The textarea element differs from the shorter input text control in several ways.

• Content Placement:

  • <input type="text">: The user input is placed as a value attribute, such as value="user text".
  • <textarea>: The text goes inside the element tags. For example, Enter your message here... appears inside the opening and closing <textarea> tags.

• Multi-line vs. Single-line:

  • <textarea>: Supports multiple lines of text input.
  • <input type="text">: Only supports single-line text input.

• Resizable:

  • <textarea>: Can usually be resized by the user (depending on browser support and CSS settings).
  • <input type="text">: Has a fixed size unless adjusted through CSS.

The following attributes are commonly used with textarea elements:

1. name: Identifies the field and is sent along with the form data when the form is submitted.
2. rows: Specifies the number of visible text lines in the text area.
3. cols: Specifies the visible width of the text area in terms of character columns.
4. placeholder: (optional) Displays a hint to the user about what they should type.
5. disabled: (optional) Prevents the user from interacting with the text area.
6. readonly: (optional) Allows the user to see the text but not edit it.
7. maxlength: (optional) Limits the maximum number of characters that can be entered.
8. required: (optional) Indicates that the field must be filled out before submitting the form.

Universal Attributes

While we are starting to define more controls, there are a few attributes used with all of the different types - some of which were described briefly above. Let's take a moment to go over these in

• autocomplete - This attribute allows you to nudge the web browser towards autocompleting the form field. It's available on most form elements. You can set the value to "on" or "off", and when "on" the web browser will use the label, along with any previous entries the user has made on your site (on the same form) to pre-fill the input field. Alternatively, you can also specify a sequence of tokens (separated by a space), for example shipping zip-code, to provide further hints to the browser. Note, the web browser is not required to do anything, this is only a suggestion. User's may turn off these features, and different browsers may not support it at all. For more on the typically supported tokens, and other functionality, see here.
• disabled - This is a boolean attribute, it's presence indicates that the element should be disabled. Disabled is different than read only (see below), in subtle ways. Disabled elements generally visually appear differently - they are often greyed out. Disabled element indicate to the user that the option is not available. You may set most form elements to disabled.
• readonly - This is a boolean attribute, it's presence indicates that the element is read only. Read only elements generally look the same as other elements, but their state (the text entered, the checked/selected state, etc) is pre-defined and not editable. readonly can be used on most form elements.
• required - This is a boolean attribute, and is available on most form elements. When required is present, form submission may be prevented if a value has not been specified. Note that "may" here is important. A web browser is likely to display instructions indicating the form element is required, and it may prevent the user from submitting the form if a value is not present, but this does not replace the need for server side validation. Not only is it entirely up to the browser to honor the required attribute, but remember - anyone can submit form data using any program - so what you receive on the server side isn't necessarily sent from a proper web browser at all!
• name - As we've already seen, the name attribute identifies the element, and the value, when sending to the server. The name attribute is required if the value of the control will be sent to the server on form submission.
• id - It's worth noting that it is common for all form elements to have an id, but not strictly necessary. There are many features (such as relating label to elements) that utilize the id element, but they are not directly used when considering form submission itself.

Boolean Attributes

It's important that you are clear on how boolean attributes work in HTML. Let's look at the following four input elements:

<input name="a" required/>
<input name="b" required = "false"/>
<input name="c" required = "true"/>
<input name="d"/>

In the HTML above, all three elements with the required attribute - a, b, and c require input. It does not matter that required is set to "false" for the b element. Even if we set it to the boolean value false rather than the string "false", it is still considered required. The only element that is not required is d, because it does not have the required attribute at all. This is critical - for boolean attributes, we do not add values - their presence, and their presence alone, indicates that the attribute is true. Using the name=value syntax is technically incorrect, and is at the very least confusing and error-prone.

Checkboxes, Radios

The use of checkboxes and radio buttons is common for discrete input values. Checkboxes are excellent at allowing users input true/false values, or selecting several options among a set. Radio buttons allow for mutually exclusive selection of one choice, among several. Both controls share common features, but they are distinct - particularly in how they are treated on form submission.

Checkbox

A checkbox is created with an input element of type checkbox:

<input type='checkbox'/>

Note that there is no text associated with the checkbox. Typically, we must tell the user what the checkbox represents - and we do this with the label element. There are several strategies, and often it will depend on your CSS styling strategy, but label elements are associated with checkboxes just like we've seen before.

<!-- Two checkboxes, with labels.  The second checkbox is checked initially -->
<div>
    <input type="checkbox" name="box1" id="box1"/>
    <label for="box1">Check box 1</label>
</div>
<div>
    <input type="checkbox" name="box2" id="box2" checked/>
    <label for="box2">Check box 2</label>
</div>

You'll note that in the above Check box 2 is preselected. The checked attribute is a boolean attribute, when present, the checkmark will be rendered and the checkbox value is considered to be "on".

When a form is submitted that contains a checkbox, the checkbox is only included in the request body if it is checked. In the example above, if the form that contained "Check box 1" and "Check box 2" were to be submitted (with only checkbox 2 checked), then the following would be the request body: box2=on. This is important, when a checkbox is not checked, the name is not sent to the server on form submission at all. When the checkbox is selected, the value sent to the server should be "on" - but at the very least (for perhaps older or non-compliant browsers), will be present in the request body. This is critical when it comes to parsing HTTP requests (query string, request bodies), as it implies that the server receiving the request needs to take care - not all possible checkboxes will be in the request, only the ones that are "true".

To drive this home, here's the possible checkbox permutations, with the corresponding request body sent on form submission:

... nothing! ...

box2=on

box1=on&box2=on

Checkboxes should always have labels. Sometimes, you may wish to put labels to the left of the checkbox, to the right, or somewhere else - but they generally should always be present. Checkbox are sometimes styled with CSS to appear as switches and other types of toggle inputs - but regardless of their style, "yes/no" types of input controls are almost always implemented with checkboxes.

Radio Buttons

Sometimes we have a set of choices, one of which might be selected. Imagine you have option A, B, and C. If users could select none, one, two, or all three of these options, then it might make sense to present them as three distinct checkboxes. However, if the user must select one of the three options, then radio buttons are the preferred approach.

Radio buttons are inherently grouped, which presents a unique situation when writing the markup. Since choices for radio buttons are mutually exclusive, we want the browser to de-select the others whenever the user selects one. In order for the browser to do this, it must know which radio buttons belong to a particular set of choices.

Let's look at an example where we have two questions - the user's selection of a meal and the user's selection of a drink. We've pre-selected the choice of "Pasta" and "Water" using the same checked attribute as found in checkbox.

<section>
    <p>Please choose your meal:
    <div>
        <input type="radio" name="meal" value="salad" id="salad-meal"/>
        <label for="salad-meal">Salad</label>
    </div>
    <div>
        <input type="radio" name="meal" value="burger" id="burger-meal"/>
        <label for="burger-meal">Burger</label>
    </div>
    <div>
        <input type="radio" name="meal" value="pasta" id="pasta-meal" checked/>
        <label for="pasta-meal">Pasta</label>
    </div>
</section>

<section>
    <p>Please choose your drink:
    <div>
        <input type="radio" name="drink" value="coffee" id="coffee-drink"/>
        <label for="coffee-drink">Coffee</label>
    </div>
    <div>
        <input type="radio" name="drink" value="water" id="water-drink" checked/>
        <label for="water-drink">Water</label>
    </div>
    <div>
        <input type="radio" name="drink" value="soda" id="soda-drink"/>
        <label for="soda-drink">Soda</label>
    </div>
</section>

Let's carefully examine the relationship between the name, value, and id attributes, along with what gets sent to the server on form submission.

The name attribute is used to group radio buttons. They can appear anywhere on the page (they don't need to have a common parent element, for example) - the only thing that controls whether or not multiple radio buttons are considered mutually exclusive is the name attribute. In the example above, selecting "Burger" causes "Pasta" and "Salad" to be unselected - as "Salad", "Burger", and "Pasta" input elements all have the same name attribute - "meal". The other three choices (drinks) form another set of choices, because they all share the same name - "drink".

Note that because all three meal (and all three drink) elements share the same name, it's even more important that the receive unique id attributes. The association between label and input is made through id, not name.

Finally, notice that unlike checkboxes, radio button input elements have a value attribute. The value defines what will be sent to the server if and only if that radio button is selected. Let's consider the same example as above - where "Pasta" and "Water" were selected (checked). Let's assume the user has not changed the selection. The following will be sent to the server:

meal=pasta&drink=water

If the user selects soda and burger, then those radio buttons will be checked and the others will be de-selected. The following would be sent to the server on form submission:

meal=burger&drink=soda

It's important to remember that nothing is sent to the server until the actual form is submitted, usually by the user clicking on a submit button.

Pro Tip💡 It's easy to mess up radio buttons. A common mistake is writing three input radios, with different names. When you do this, they are all individually selectable - they aren't treated as a set of options by the browser. This also means they are all sent to the server (each unique name). It's also common to accidentally copy/paste the same name when you don't want them. For example, in the meal and drink example above, if we accidentally set the name attribute of the "Water" option to "meal", then it would be part of the set of meal choices. Clicking "Water" would not de-select "Coffee" or "Soda", it would de-select "Salad", "Burger", or "Pasta". It's one of the silliest yet easiest errors to make - so watch out!

Selects

Radio buttons are a good strategy for when users need to choose one among several choices, however when there are more than 3-4 choices, radio buttons are problematic. They occupy a lot of screenspace, and can lead to usability issues. When there are more than 4 choices to choose from, and especially when there are many choices, a drop down selection control is generally more effective. Not only do they require less screen space, but for mobile devices browsers will use the device's built in dial controls for easy and ergonomic selection.

The select control is created with the select element. The select element contains child option elements, each with a value attribute and text content within them.

<select name="mychoice">
    <option value="choice-1"> Choice 1 </option>
    <option value="choice-2"> Choice 2 </option>
    <option value="choice-3"> Choice 3 </option>
</select>

While checkboxes and radio controls can be pre-selected using the boolean checked attribute, the select element is pre-selected by adding a boolean selected attribute to the desired option element. Otherwise, the first option is preselected

<select name="mychoice">
    <option value="choice-1"> Choice 1 </option>
    <option value="choice-2" selected> Choice 2 </option> <!-- Preselected choice-->
    <option value="choice-3"> Choice 3 </option>
</select>

Sometimes, if we want "no choice" to be pre-selected, developers will include a false placeholder option, with an absent value. If the form is submitted with this option selected, no value is sent to the server.

<select name="mychoice">
    <option value=""></option> <!-- Preselected choice since it's first, an no others have selected attribute -->
    <option value="choice-1"> Choice 1 </option>
    <option value="choice-2"> Choice 2 </option>
    <option value="choice-3"> Choice 3 </option>
</select>

Otherwise, whichever option element is currently selected, it's value will be sent to the server as a name value pair, using the name attribute on the select element. In this way, to the server, the name / value pair sent is identical as it would be with a named input control. There is no special processing or consideration required. In the select control above, if "Choice 2" were selected when the form was submitted, the pair mychoice=choice-2 would be sent to the server.

Multiple Selection

Select boxes can also be transformed into multiple selection controls. This allows user to select one or more items within the list of choices. This is achieved by adding the boolean multiple attribute.

<select name="mychoice" multiple>
    <option value="choice-1"> Choice 1 </option>
    <option value="choice-2" selected> Choice 2 </option>
    <option value="choice-3"> Choice 3 </option>
    <option value="choice-4" selected> Choice 4 </option>
    <option value="choice-5"> Choice 5 </option>
</select>

A user can select any number of choices, selecting multiple by holding the shift key while clicking on choices. When the form is sent to the server, each value selected will be sent as a separate name/value pair. For example, if "Choice 2" and "Choice 4" are selected, the request body (or query string) will contain mychoice=choice-2&mychoice=choice4. Note that the code used on the server side must appropriately handle duplicated names found in the request body. Our initial example in the previous section does not do this! As we will see soon, in most cases you will use a library to handle this (and many other) cases, but hopefully you understand that doing this type of processing is not particularly challenging - it just requires a bit more code!

Generally speaking, select is a good choice when there are up to a dozen or so choices to make. The use of multiple is appropriate in cases where multiple choices are possible, however checkboxes might be an easier method for most users in this case. For many, many choices, alternative methods are recommended for usability. This include things like

See the Mozilla Developer Network reference for more information, including option groups,

Button Types

We've already seen the "submit" button, <button type="submit">Submit</button>. We also discussed briefly the concept of having a button of type button, which does not cause the browser to take any action at all. We will revisit this later in the book when we cover client-side JavaScript.

There are actually two different styles of creating submit buttons:

In HTML forms, buttons are used to trigger various actions such as submitting a form, resetting form fields, or performing custom JavaScript tasks. There are different types of buttons available, each designed to perform a specific function. Here are the main button types:

<button type="submit">Submit Form</button>
<input type="submit" value="Submit">

Bot elements above create buttons (they will look identical), and both will cause the form to submit (provided they are within a form element). There are some subtle differences however - most importantly button elements are permitted to have other HTML within them, and are more flexible for styling than input type='button' or input type='submit'. Typically, most modern HTML is written with button elements rather than input type='submit'.

There is a third type of button - type="reset". The reset button is an often overlooked button, that can actually really improve usability of forms. The reset button's default behavior is the reset the value of the form it is within. This means that if you have form with various other input controls, the user can clear their activity and restore all the controls to their original state by clicking a reset button. This not only "clears" the controls, but if the controls had an original default value, the default values are restored.

<button type="reset">Reset Form</button>

File Controls

The <input type="file"> element allows users to select and upload files from their device. Typically, the browser will opens a file picker that allows users to choose one or more files for upload. The concept is simple, but the implementation can be a bit more challenging.

The first deviation from the standard form elements we've been using is that the form must use the enctype="multipart/form-data" encoding type to handle file uploads correctly.

<form action="/upload" method="post" enctype="multipart/form-data">
    <label for="file">Choose a file:</label>
    <input type="file" id="file" name="file">
    <br><br>
    <button type="submit">Upload File</button>
</form>

Forms with file upload controls must be POST, and must have the multipart/form-data enctype attribute. This encoding type allows the browser to send the file data as part of the form submission, along side other data fields. It shouldn't be surprising that sending files, over HTTP (inside the POST request body), as plain text, requires encoding. . The enctype is what is handling this.

We've already seen how the web server can parse the request body, and extract name/value pairs. When using multipart/form-data encoding, this also becomes more complex. While we can absolutely write our own parser for HTTP request bodies containing multipart/form-data, we will defer this to after we learn about npm modules. This will allow us to bring in industry-standard file parsers rather than writing the code ourselves.

Hidden Inputs

Perhaps the most overlooked, but surprisingly useful input element is not a "user input" at all - it is a hidden element. Before looking at it's syntax (which is pretty easy), let's discuss why would ever want to have an hidden form element.

Recall from earlier, each request and response is independent of all other request/response cycles. This means that when a page is requested and sent by the server, there is no memory of that request occurring when it receives the next request. Students view this with skepticism when they first read this, because that's not their experience with the web intuitively. In every day life, when we interact with web sites, as we navigate between pages within the same web application, the system clearly has some sort of "memory". For example, after we log in to a web site, we don't get asked to log in each time we visit a new page. There must be some memory!

The truth is that while HTTP request/response cycles are independent, that doesn't mean the you, as the programmer, can't create mechanisms that allow for some degree of memory between requests and responses. We will see how we can accomplish this - we'll dedicate parts of an entire chapter learning about cookies and sessions. While cookies and sessions are the most elegant way to handle these types of things, there are other ways - and sometimes we need to utilize these techniques because there are situations where cookies and sessions are not available. One such way is using hidden fields.

Let's take a simple example. The user requests a page, and the server responds with HTML for the page. On that page, there is a button the user can click to view a second page that tells them the time between the first page being loaded and the second page being loaded. How can we accomplish this?

The multiple user problem

Before we look at hidden fields, it's fair to wonder why the server can't just set a variable on the first page load, within it's own memory. Maybe something like this:

let first_page_view = null;
if (req.method.toUpperCase() === 'GET' && req.url === '/first') {
    // Get number of seconds since Jan 1, 1970
    const now = (new Date()).getUTCSeconds();
    first_page_view = now;
    send_page(res, `<a href="/second">Go to Second Page</a>`);
}
else if (req.method.toUpperCase() === 'GET' && req.url === '/second') {
    const now = (new Date()).getUTCSeconds();
    const seconds_since_first = now - first_page_view;
    send_page(res, `<p>Second between page views:  ${seconds_since_first}</p>`);
}

There are two problems. One, remember that a web browser can request /second before ever visiting /first - making the logic a little less than robust. There second problem is much bigger, and much more fundamental to your understanding of web servers. Your web server is receiving requests from all of your users, potentially at the same time. People in on different computers, different towns, different countries - might all be accessing your web site! There is nothing in our web server code that know which browser is making these requests. It's PERFECTLY possible that User A requests /first, and then ten seconds later User B request /first. Both requests will execute the same code. The same first_page_view variable will be set. There is only one web server.

If User A and B each request /first, the last one to do so will have their time recorded in first_page_view. Then, if User A and B each request /second at the same time, they will both do the same computation on the variable, and get the same answer - even if their requests to /first were at very different times.

The bottom line is that web server code cannot simply use variables to store data between requests, because those requests are not necessarily from the same users!

Now back to actually solving the problem. From the perspective of the web server, we can't remember when a user visits the first page when processing the second page. However, we can ask the user (the web browser) to remember for us, and send us the information we need! Let's look at the following:

if (req.method.toUpperCase() === 'GET' && req.url === '/first') {
    // Get number of seconds since Jan 1, 1970
    const now = (new Date()).getUTCSeconds();

    send_page(res, `<form action="/second", method="get">
                        <input name="first", type='number' value='${now}'/>
                        <br/>
                        <button type="submit">Go to Second Page</button>
                    </form>`);
}
else if (req.method.toUpperCase() === 'GET' && req.url === '/second') {
    // Form data submitted on query string, since it's GET
    const body = parse_form_data(req.url.split('?')[1]);
    const now = (new Date()).getUTCSeconds();
    const seconds_since_first = now - parseInt(body.first);
    send_page(res, `<p>Second between page views:  ${seconds_since_first}</p>`);
}

The code above uses the form concept in a clever way. The web page delivered in response to /first is now not just a hyperlink to /second, but a form with an input field. The field is pre-filled with the number of seconds since the epoch (Jan 1, 1970).

This seems strange - but let's look at what this allows for. When the user clicks the button that says "Go to Second Page", the form is submitted to /second. When a form is submitted, the input element values within it are sent to the server. We've constructed the form so the input field contains the time set by the server, when the page was loaded. That's exactly the time we needed to remember! Now, in the code that handles the request to /second, we take the time "first" from the submitted data, perform the computation, and render the page! The server didn't need to remember anything, it put the value it needed to remember in the HTML it served to the web browser. The web browser then dutifully sent it back to the server. If multiple users were doing this around the same time, they would be sending their own distinct values in their second requests, because they received their own distinct values in their first request!

Hiding the memory

It doesn't make sense to show the user the time value computed on the server, and it certainly doesn't make sense to let them change it using an input element. We could make it readonly, but still - why show it at all? That's why we have hidden inputs.

We can change this:

<form action="/second", method="get">
  <input name="first", type='number' value='${now}'/>
  <br/>
  <button type="submit">Go to Second Page</button>
</form>

• to this -

<form action="/second", method="get">
  <input name="first", type='hidden' value='${now}'/>
  <button type="submit">Go to Second Page</button>
</form>

An the result is just a button that says "Go to Second Page". From there, we can leverage CSS to render the button as if it's a link, and present a seamless user interface to the user.

The point of the above is not suggest that this is the best way to implement memory between requests - because it is not. It is one way, and it is sometimes the easiest way to accomplish what we need. It is an important concept though, even if you rarely use it. The concept of having the browser remember things, and send those things back to the server is powerful - and involved in implementing almost every web server/application you will create!

This section outlines many of the input controls available in HTML. You should use additional resources for deeper references, as there are some additional aspects of form development that are quite useful. MDN has extensive documentation.

In addition, you might want to check out the following example:

Form Controls Demo

Download the example and run it on your own machine. It will give you a chance to experiment with a variety of user interface elements, and also examine what the server receives upon various form submissions.

Guessing Game - Version 1

It's taken us a while - but we have now seen all the components to start truly thinking about web applications. We know enough about HTTP to understand the request and response cycle. We know enough about HTML to present information to a user, and now to gather information from a user. We also know enough about JavaScript to actually start writing logic.

Throughout this book, there will be a few running examples that serve as vehicles of demonstration. We'll keep them as simple as possible, and keep iterating on them over and over again everytime we learn new ways of doing things. These simple examples help a lot, because you get to see how different aspects of web development are applied to the same application.

The primary example we will use, and the most simple, is the guessing game. Let's go over the requirements:

1. When a user visits the starting page (/start), the web server computes a secret number between 1 and 10. This number is random, and it should be (although by chance, it may not always be) unique per browser, user, etc.
2. On the /start page, the user will have an input control to enter a guess. They will be told the number is between 1 and 10, and that they can guess by entering the number and clicking a button labeled "Guess".
3. When they click the button, their guess is sent to the server via HTTP post to /guess. The server will compare their guess with the secret number assigned, and respond with one of two different options:

• A redirect to /success, which renders a "success" page, when the guess is correct. This page will congratulate the user, and give them a link to go back to /start and play again.
• A "guess again' page (no redirect), that renders a message indicating if the guess was too low or too high. The /guess page also includes another form, with another input control, where the user can make a new guess. The form submits to /guess, so the process can repeat itself.

We will add more features to this example, and change the requirements slightly, but this simple game will actually allow us to demonstrate a lot.

The screens and user flow

Let's assume that on page load, the secret value assigned to the user is 2.

If the user enters 4 as their guess, and clicks the button to make the guess, the server will respond by rendering a new form, with an appropriate message. Notice that the URL is /guess, because this page was rendered in response to a POST request to /guess. In this case, the guess was too high (4 is greater than 2). The user may guess again.

The user may continue to make incorrect guesses. Each time that occurs, the POST to the /guess will be rendered with a form, and a message indicating too high or too low.

Eventually the user will get it right, and a redirect will be returned - to the /success page.

Implementation Keys

The key to implementing this web application is using a hidden form field. Each time we render the form, the server will place the secret number as a hidden form field in the form itself. This means it will be sent with each guess, so the server need not remember it. Every POST to /guess will have both the secret number and the user's input in the form data! This makes it possible for as many browsers to play the game, simultaneously, as you want. When you download the source (link below), run it on your machine and try playing in multiple browser windows. There's no conflict!

This should make you think - isn't this easy to cheat then? Couldn't a user just look at the actual HTML to see the secret number? Yes, they certainly could!.

User's can always see the HTML loaded in their browser. There is no way to prevent this, no matter what. So, does this mean this isn't a valid approach? That's hard to say. What are the stakes? What if the user cheats? If we were awarding people money and fame for guessing these numbers correctly, then perhaps we would want to be more careful (and we absolutely can be, and succeed). If this is just a game, without reward though - or, more commonly, we are hiding the data not because it's secret, but because the user doesn't need it, then there isn't any harm with this approach at all. Most people will never look anyway - just remember, they can, if they want to!

BTW - if you think this seems incredible, that a game would give away the answers within it's source code, even if people could see it by viewing it in their browser... check out the popular Wordle game. Every day's answers, past present and future, are right there for you to see!

🛑 STOP

At this point, you might benefit from trying this on your own. The rest of this section will walk you through the code, but you'll learn a lot more if you try it yourself first!

The server

A lot of the server code for this version of the guessing game will look like the code we wrote at the beginning of this chapter. First, let's create a skeleton of the server code, without anything specific to guessing game other than the expected URLs and request verbs.

The code below sets up an HTTP server, and a function to handle incoming requests - called handle_request. The handle_request function simply branches off for specific verbs and URLs, and if the combination is recognized, calls a function (which are not yet implemented) to do the work.

You will note one change from our previous example however. For form data processing, we still use req.on to register handlers for data and the end of the incoming request body stream, however instead of parsing the request body ourselves, we are using querystring. querystring is a module built into Node.js, just like http. It does a great job in parsing both query strings and request bodies with form data - since they are the same format (name value pairs, seperated by &).

const http = require('http');
const qs = require('querystring');


const render_start = (req, res) => {
  // Assign the secret value and send the initial page.
  // This is the creation of a new "game".
}
const render_success = (req, res) => {
  // Send a success page, with a link to the /start page.
}

const process_guess = (req, res) => {
  // Now we need to look at the submitted data -
  // the guess and the secret, to figure out what
  // to do next.  Either redirect to /success or
  // render new form page for another guess.
}

const render_404 = (req, res) => {
  // Just send a 404 response, we've done this before!
  res.writeHead(404, { 'Content-Type': 'text/html' });
  res.write(heading() + `<p>Sorry, page not found</p>` + footing());
  res.end();
}

const handle_request = (req, res) => {
    if (req.method.toUpperCase() === 'GET' && (req.url === '/' || req.url == '/start')) {
      render_start(req, res);
    }
    else if (req.method.toUpperCase() === 'GET' && req.url == '/success') {
      render_success(req, res);
    }
    else if (req.method.toUpperCase() === 'POST' && req.url == '/guess') {
        let body = "";
        req.on('data', (chunk) => {
            body += chunk;
        });
        req.on('end', () => {
            // qs parses the guess=x&secret=y string
            // into an object.
            req.form_data = qs.parse(body);
            process_guess(req, res);
        });
    }
    else {
        render_404(req, res);
    }
}

http.createServer(handle_request).listen(8080);

This skeleton above uses a convention. Each function that is supposed to do the work of processing a page request accepts the same parameters - a request and response. In the case of process_guess, rather than having it accept form data as a separate (third) parameter, we attach the form data (parsed) to the request object itself before calling the function. The parsed form data is part of the request, so it follows intuitively. Keep this convention in mind, it will come up again.

Let's add some utility functions for actually creating the HTML documents too - they are most unchanged from the example at the beginning of this chapter

const heading = () => {
    const html = `
        <!doctype html>
            <html><head><title>Guess</title></head>
            <body>`;
    return html;
}

const footing = () => {
    return `</body></html>`;
}
const send_page = (res, body) => {
    res.writeHead(200, { 'Content-Type': 'text/html' });
    res.write(heading() + body + footing());
    res.end();
}

Now let's look at each page:

Start Page Implementation

When a GET for /start or / is received, the request handler branches and calls render_start. This function has two key jobs - create a new secret number, and render a page that contains a form element for entering the next guess. We create the secret using the built in Math.random() function, which generates a floating-point number between 0 (inclusive) and 1 (exclusive). We multiply the random number by 10, giving us a value betwen 0 and 9.9999. The Math.floor rounds the number down, giving us an integer between 0 and 9. The +1 shifts us to have a range betwen 1 and 10.

Next, we create a form element that when submitted, initates a POST to /guess. It contains a hidden form element for the secret number we just computed, and a numeric input for the guess the user will make.

const render_start = (req, res) => {
  // Assign the secret value and send the initial page.
  // This is the creation of a new "game".
  const secret = Math.floor(Math.random() * 10) + 1;
  const body =`
    <form action="/guess" method="post">
      <p> Welcome to the guessing game.  I'm thinking of a number
          between 1 and 10.
      </p>
      <label for="guess">Enter your guess:</label>
      <input name="guess" placeholder="1-10" type="number" min="1" max="10"/>
      <input name="secret" value="${secret}" type="hidden"/>
      <button type="submit">Submit</button>
    </form>
    `;
    send_page(res, body);
}

Thinking ahead, building the form element will be useful for both the start page, and also when rending the page after an incorrect guess. Both pages have a form, with a POST to /guess, an input field for the guess, and a hidden field for the secret. In fact, the only thing that would be different is the message at the top of the form. Let's factor that out, so we can re-use some of this later.

const make_form = (message, secret) => {
  return `
    <form action="/guess" method="post">
      <p> ${message}</p>
      <label for="guess">Enter your guess:</label>
      <input name="guess" placeholder="1-10" type="number" min="1" max="10"/>
      <input name="secret" value="${secret}" type="hidden"/>
      <button type="submit">Submit</button>
    </form>
    `;
}
const render_start = (req, res) => {
  // Assign the secret value and send the initial page.
  // This is the creation of a new "game".
  const secret = Math.floor((Math.random() * 10 - 0.1)) + 1;
  const body = make_form(
        `Welcome to the guessing game.  I'm thinking of a number between 1 and 10.`
        , secret);
  send_page(res, body);
}

Guess (POST) Implementation

The handling of a POST to /guess is where the bulk of the logic is taking place. Recall, before calling process_guess, we have parsed the form data and placed it into an object called form_data, within the req object. Based on the data, we render a form and send a page that indicates the guess was too high or too low, or we issue a redirect response. Note, when the redirect response is sent, we aren't actually sending any HTML. The browser will receive our 307 response an initiate a new GET request to /success - which we handle an independent request.

const process_guess = (req, res) => {
  // Now we need to look at the submitted data -
  // the guess and the secret, to figure out what
  // to do next.  Either redirect to /success or
  // render new form page for another guess.
  const secret = parseInt(req.form_data.secret);
  const guess = parseInt(req.form_data.guess);
  if (guess < secret) {
    // The guess was too low, render a form with the appropriate message.
    const body = make_form(`Sorry that guess is too low, try again!`, secret);
    send_page(res, body);
  }
  else if (guess > secret) {
    // The guess was too high
    const body = make_form(`Sorry that guess is too high, try again!`, secret);
    send_page(res, body);
  }
  else {
    // The guess was correct!  Respond with a redirect, so the
    // browser requests /success with GET
    res.writeHead(302, { 'Location': '/success' });
    res.end();
  }
}

Success

The success page is pretty straightforward, it's just a congratulations message an a link. We can utilize the send_page function to make this pretty quick.

const render_success = (req, res) => {
  // Send a success page, with a link to the /start page.
  send_page(res, `<p>Congratulations!  Please play <a href="/start">again</a></p>`);
}

Download and try yourself!

That's it! We have a full web application. It's a good idea to download this source code and run it yourself. Study it, it's a foundational program for the rest of this book. It capture the workflow of a web application - managing state (the secret), routing requests to responses (handle_request's branches), and serving html.

Guessing Game - Version 1

Asynchronous JavaScript

Asynchronous JavaScript

Part 2 - Server-side Level-ups

Everything we've covered up to this chapter amounts to the core functionality of the web. We can think of web development as two main branches of development: client-side (frontend) and server-side (backend), with HTTP being the network protocol that glues them together. On the front end, HTML is foundational - we don't have web pages without HTML. We'll need to look deeper into the front end to add interactivity (client-side JavaScript) and styling (CSS), but we have the basics. On the backend, we've covered HTTP parsing and socket programming, but we are currently programming our backend like it's 1989... we need to do a lot better.

The second part of this book focuses on leveling up our concepts of programming on the backend. Most of the topics we cover will translate to any backend server-side programming language pretty well, although we are going to start out with some more nuts and bolts of JavaScript programming. The chapters will be shorter, and more targeted to a specific aim - rather than covering entire languages and protocols.

We are learning how to do things better:

1. Organizing our code (parsing, routing)
2. Persisting data (databases)
3. Smarter HTML generation (templates)
4. Managing state between requests/responses (sessions)

Along the way, we'll learn about asynchronous JavaScript, which is a prerequisite for interacting with databases, and leveraging so much of the JavaScript and Node.js ecosystem of libraries. We'll also start to explore that ecosystem - the Nodejs Package Manager (npm). We'll start replacing some of our own code with industry leading libraries and frameworks, like Express too. By the time we are done with the next half dozen chapters, you will be up to speed with how web server development actually works in modern web development, and will have the skills to start working on just about any Node.js backend.

Why Callbacks?

One of the hardest concepts for most students to grasp starting out with JavaScript is the callback function. We learned about it when we saw a few of our very first JavaScript programs - the networking examples in Chapter 2. Given callback were present in such early examples, it shouldn't be shocking to learn that callback are related to JavaScript in a deeply fundamental way.

Let's refresh with an example we've already seen:

const http = require('http');

const handle_request = (req, res) => {
    // Interpret the request, build 
    // and send a response
}

const server = http.createServer(handle_request);
server.listen(8080, 'localhost');

The above example is how we write HTTP server code. We define a function, and then tell the http server instance we created to call it, whenever an HTTP request arrives on the underlying network socket. handle_request is a callback function.

Take some time to think about the following:

1. When will that function get called?
2. How many times will that function get called?
3. Can that function get called twice, at the same time?

The answer to #1 is... who knows!. The server (which is where this code is running) doesn't control when an HTTP request is received. That depends on when a web browser, on a computer potentially across the globe, creates such a request! We know the handle_request function gets called if and when an HTTP request is received, but we have absolutely no way of knowing if and when such a request will be received.

Could we instead have a function to just wait for a request, and return a corresponding object (containing the parsed request, and a ready-to-use response object)?

const rr = httpServer.waitForRequest();
handle_request(rr.req, rr.res)

This seems more deterministic, and more natural to someone who is more accustomed to programming in other languages. The code implies (by the function name) that we want to wait for an incoming request, and then once it arrives we want to process it. Notice that we still don't know how long we will wait. It's the same situation, it's just written differently. It does seem a little easier to think about, since it's a linear style of programming.

On to question 2 - how many times will it be called? Again, we can't answer this question. We may receive one request, we could receive ten thousand requests. We might even receive zero requests. The code we started with isn't concerned - it's just telling server that whenever, and every time a request is received, call handle_request.

To do the same with our hypothetical waitForRequest function, we'd need some sort of loop:

while (true) {
    const rr = server.waitForRequest();
    handle_request(rr.req, rr.res);
}

The loop above is explicitly waiting and processing, in sequence, over and over again. It's important that you keep thinking back to the callback example at the beginning of this section - it's doing the same things, the difference is that the loop isn't in your code, it's somewhere else! Let that sink in - they are the same, it's just that you've passed handle_request to the server object, and somewhere in the server object's code, there's a loop that is calling it!

Now what about question 3 - will we receive two requests at the same time? The answer is... maybe. We can't control whether two people click a button on their phone at the same time, and generate two HTTP requests to our web server at the same time. It's just luck.

Taking the looping example above, where we call waitForRequest then handle_request, what happens when handle_request is called? It takes some amount of time to do the request processing and generating the response. How much time? Hard to say. Let's take it to an extreme, and say it takes one second. What happens when we receive a second request during the time we are processing the first?

This gets us to the core of the problem. By definition, in the looping code, we are either waiting for a request or we are handling a request. If a request comes in while we are handling another, what happens to the request? There are two possibilities:

1. The incoming request is queued by some other process
2. The incoming request is dropped.

Option 1 seems way better, but in order for that to happen, it means some other process (program) on your computer is reading the incoming network bytes, and is willing to hold on to them until you decide to "wait" for another request - at which point it hands it over to you.

In reality, there is a program doing this already - it's your operating system. It will cache some network traffic - but not much. Making matters more difficult is that each time more requests arrive while you are processing the previous ones, you will fall further and further behind. A queue of incoming requests will build, and eventually the operating system will begin dropping the network traffic. Worse yet, clients will stop waiting, and abandon the request.

The solution is to build your own queue, and figure out a way to process things "faster", usually by processing multiple requests in parallel. Without getting into too much detail, we end up with something like this:

// Will continue to receive http requests, and
// put each on a queue.  This happens in a new thread
server.start_receiving();
while (true) {
    // Blocks until there is a request in the queue
    const rr = server.next();

    // Handles the request in a new thread, allowing
    // the loop to return to the top immediately.
    new Thread(handle_request(rr.req, rr.res))'
}

If you aren't familiar with multithreaded code, this might seem complex. If you are familiar with multithreaded code, this should seem complex. Multithreaded code allows the programmer to execute sequences of code in parallel, with each sequence running independently of each other. They don't wait for each other. This makes it easier to do things faster, especially on machines with multiple CPUs. It also makes things harder to program - issues like race conditions and synchronization abound. Creating new threads for each request can pay off, but it doesn't come for free either. The operating system is required to create new threads, and that means we must make API calls to it - incurring additional time.

What is being described above is dispatch. Dispatch is a situation where we are receiving incoming jobs, and each job is being independently handled by independent code. There is logic required to queue incoming jobs and dispatch the jobs to appropriate code. It's a simple concept, that becomes complex when dealing with high volume and performance requirements. Webservers need to handle high volume, and users expect performance.

This is a huge topic, we could spend several chapters discussing the ins and outs of multithreaded programming. The goal here however is to motivate why callback functions exist. Callback functions are an elegant encoding of the dispatch problem.

const handle_request = (req, res) => {
    // Intepret the request, build 
    // and send a response
}

const server = http.createServer(handle_request);
server.listen(8080, 'localhost');

The code above is doing dispatch, but dispatch is happening within server, not our own code. We are simply saying - use handle_request when you dispatch a request. We are giving server the function to call in the loop, but we are letting server deal with the loop itself.

Multiple Streams

There's a secondary benefit to handling the dispatch problem with callbacks rather than a dedicated loop. Let's create a new more abstract example. Suppose you have two sources of incoming jobs (A and B). Each time a job is received, the job must be dispatched to a separate handler - based on the type of job that is received - handle_a, handle_b. You don't know when the jobs will arrive, and you can't assume they will arrive in any particular order. You may receive five jobs of type A before ever receiving a job of type B.

How can we replicate our dedicated loop?

We can't have two loops, because we need to be able to handle a mix of incoming jobs. We can't handle all the A jobs before B jobs!

// This won't work!  We never leave
// the first loop!
while (true) {
    const a = server.waitForA();
    handle_a(a);
}
while (true) {
    const b = server.waitForB();
    handle_b(b);
}

We'd instead need to do something like this:

while (true) {
    const a_or_b = server.waitForA_or_B();
    if (a_or_b is a)
        handle_a(a_or_b.a);
    else
        handle_b(a_or_b.);
}

Pretty awkward. Now what if we have 5 different job types, with 5 different job sources? We'd have to have all sorts of combinations of waitFor functions, and then big branches in our loop to figure out which event we need to process.

This is where callbacks start to really shine:

const handle_a = (a) => {
    // ...
}

const handle_b = (a) => {
    // ...
}

server.onA(handle_a);
server.onB(handle_b);

Notice how that scales. It's because the loop structure and the dispatch is within server. It's written once - with all the necessary complexity and care - and now the programmer may leverage all that work by simply registering callback functions. handle_a and handle_b could be called thousands of times. If we have more jobs types, we simply create more handlers.

The examples above are fairly abstract. If you are newer to programming, it might be enough depth for you, for now. If you have more experience, especially in any sort of systems programming, you might be wondering how this is all actually happening - as we've glossed over some things in the abstract examples.

What is I/O, really?

When you create a program, you have a sense that your code will be executed at some point, on a machine. That machine has an operating system, and the operating system is responsible for launching this program you've written - at a user's request. You also have a sense that your program isn't the only program running on the machine. You know, just from using a computer, that there are many programs running that appear to be doing so simultaneously. This concept is called timesharing, and it is up to the operating system to maintain the illusion (in the case of single CPU systems) of multi-tasking. In reality, each program running on the computer gets a small time slice to run on the CPU, before the operating system chooses another program to run, for a similarly small slice of time. Programs are run according to a scheduler, and run for small enough time intervals that to a human being, it gives the appearance that all are running - in much the same way a video fools a viewer into thinking they aren't just seeing a sequence of images being swapped rapidly.

How does your program, that is running on the CPU, get pulled off the CPU though? Most students who haven't studied operating systems have a knee-jerk response: the operating system does this. This really isn't accurate - because remember, the operating system is just a program too. In a single CPU system, if your program is running, then by definition the operating system is not - and thus cannot "kick" a program off the CPU!

The reality is that programs exit the CPU for one of four reasons:

1. The program voluntarily yields the CPU to allow other programs to run. This happens when the programmer decides to add an API call into their code that explicitly asks invokes the operating system. This doesn't happen often.
2. The program exits. This might be due to error, or natural exit. While mostly every program eventually does this, it's rare in the larger picture. We are thinking about time sharing, where programs are moving on and off of the CPU thousands of times per second. Most programs won't exit within that time period.
3. A CPU timer expires, allowing the OS to run it's scheduler. CPU's have hardware timers that will interrupt the CPU and shift execution to the operating system. The operating system sets these timers before choosing the next program to run. This effectively puts a maximum cap on the total time the program can own the CPU without the operating system running.
4. The program invokes an I/O call. All I/O calls result in the operating system running - and performing I/O on the user program's behalf.

Number 4, I/O calls, is the most interesting for our purposes. A computer consists of many devices - the CPU being one of them. The CPU does computation, the add, multiply, subtract, etc. operations of a program. Other devices, such as disk, network, display, mouse and keyboard are part of the system too however - and they are generally referred to as input and output devices - IO devices. Really, all devices other than the CPU are considered I/O devices.

A principle job of the operating system is to make efficient use of all the devices of the system. Each device takes time to perform it's operations. Some devices are fairly quick, some are extraordinarily slow. Some devices depend on humans (ie, waiting for keyboard input), which means slow doesn't even begin to do justice to how much slower they are than CPU operations.

No user program (any program that is not the operating system) is permitted direct access to devices. There are many reasons for this - but the two main reasons are fairness and safety. We don't want processes to consume all the devices on the system, and we don't want processes (programs) to use devices inappropriately. Therefore, all device access is achieved by making API calls - usually referred to as system calls. Operating systems provide C APIs to perform all sorts of operations - file access, network communication, display, etc.

Critically, when a system call is invoked, the caller (the user program) is removed from the CPU and the operating system begins running. The operating system must then initiate the operation it has been requested to perform by sending a signal the given device. Keep in mind, once the signal (an instruction, sent from the CPU, over the bus, to the intended device) is sent, it will take time before the device begins to operate, and before it completes. This time might be a few hundred milliseconds, but normally we measure this time in clock cycles - or CPU clock cycles. One clock cycle is one instruction that the CPU executes. Reading from a hard disk may take hundreds of clock cycles - however the work being done is not done by the CPU, it is done by the hard disk's microcontroller. This is a key concept - the operating system, is a program, running on the CPU. One of the instructions that it executes on the CPU is a command to send a signal to a device. The operating system will now have nothing useful to do until the device completes the operation.

It has two options:

1. Do nothing (it can literally execute a no-op on the CPU, an instruction that does absolutely nothing)
2. Allow another program to run. Note, this will not be the program that asked for the device operation to be performed, since that program is necessarily waiting for that operation to be completed!

The choice should be obvious - since there is nothing useful for the operating system to do on the CPU, and the program which asked for the I/O has nothing to do either, it makes sense that another program is chosen to run. At some point in the future, the initiated I/O will complete, and the device will generate a hardware interrupt to invoke the operating system (this is actually the *fifth way a program leaves the CPU - on I/O completion). The operating system will examine the results, and schedule the initiating program to run - and the results are passed to it.

I/O and Operating System APIs are a huge part of computer science and systems programming. We won't go much deeper in this book, but take a look at these references if you are interested:

Blocking Model

The discussion above on I/O is a difficult concept. There was a lot going on. What does all of that actually look like though in code?

int x = 5;
printf("%d\n", x);

Yes - that really is it. That code prints an integer to the terminal. The code is simple. However, here's what actually happened within the printf call:

1. The C code executed a trap command on the CPU, with parameters to invoke the operating system.
2. The operating system began to run, and computed pixels within a frame buffer (representing the terminal's window) corresponding to the number 5. Those pixels needed to be flushed to the output device, so a signal was invoked to the graphics device.
3. While the graphic device did it's work (this is an oversimplification!), the OS handed the CPU off to another program which likely ended up making an I/O call - repeating this entire process several times. Many things can be happening during this time, but there is one thing we are sure isn't happening: our program (the one that called printf is not running).
4. Eventually, the graphics device subsystem confirmed the pixels had been flushed to the actual screen. The operating system regained the CPU after the graphics device interrupted the CPU.
5. The operating system added the original program (the one that called printf) to the list of programs ready to run again, and eventually it gets selected.
6. The line of code after the printf begins executing.

This is called a blocking call. Blocking calls, invoked by a user program, result in the program blocking - or being taken out of the list of schedulable processes, until the result of the blocking call is available. From a programmer's perspective, it's a vary simple model. It hides much complexity.

Pro Tip💡 Understanding blocking calls is the most critical part of this section. A blocking call results in your program being suspended, while the operating system and the devices on the computer do their work. By definition, your program is not running - and will not run until all the work is complete. While your program is blocked, other programs may run - which is a good thing from a global perspective. However, remember - when your program is blocked, it can't do anything else. It can't respond to user input. It can't draw anything to the screen. It can't receive network events. It can't do any computation of any kind. It is not running.

The printf function is quick, and so it might be difficult for you to conceptualize the full story here. So, let's create another hypothetical example:

Suppose you have a program that draws things on the screen, and responds to mouse events (mouse movement, clicks, etc). When the user interacts with the program, the screen is redrawn to indicate the results of that interaction. In addition, sometimes your program needs to read data from disk, perhaps several hundred MB - which can take a few seconds. Now let's suppose your application has the following general structure in it's code:

while (true) {
    data = null;
    mouse_events = read_mouse_events();
    if (mouse_events.must_read_file) {
        // This blocks, and can take several seconds
        data = read_file(filename);
    }
    draw_screen(mouse_events, data);
}

The loop above is an abstract example with some hypothetical functions, but you can appreciate what's happening here. The program sits in a loop, gathers user input, and draws the results to the screen - over and over again. Theoretically, it should be able to do this thousands of times per second, which gives the user immediate feedback. For example, as they move their mouse around the screen, the mouse cursor can be drawn immediately - providing the impression that it smoothly traveling around the screen.

If the user does something such that must_read_file is true however, now the code must actually ask the operating system for file data. If this is a blocking call, then we have a big problem. While read_file is executing, which could be many seconds, we are blocked. draw_screen cannot be called, and we can't read_mouse_events either. The user may continue to move their mouse around, but the cursor won't redraw. They may try to click buttons, menus, and move scroll bars - but the screen isn't going to redraw. Our program is blocked.

You've probably encountered programs that behave like this actually. It's not uncommon. The problem can be solved however, and traditionally it was solved with multithreaded code. A thread is a separate path of execution. When a program has two threads, each thread is schedulable. If one thread is blocked, the other thread can still run on the CPU - they are independent of each other. Let's look at how this solves the problem.

// THREAD 1 - User input/feedback

// Shared with Thread 2
data = null;

while (true) {    
    mouse_events = read_mouse_events();
    if (mouse_events.must_read_file) {
        signal_file_thread();
    }
    draw_screen(mouse_events, data);
}

The user dispatch thread reads mouse inputs and draws the screen. If the user takes an action that requires a file to be read, that is detected - but instead of actually reading the file, we send a signal to the second thread. Note, we're hiding complexity here (ie how is this signal sent?) in an effort to keep this fairly high level, because we won't be doing multithreaded code in this book.

So, at the same time, there is another thread waiting for this signal.

// THREAD 2 - File Reading

// Shared with Thread 1
data = null; 
while (true) {
    wait_for_signal();
    data = read_file(filename);
}

The second thread simply waits for signals from the first. When told to do so, it calls read_file - which is still a blocking call. Crucially, while Thread 2 is blocked, Thread 1 is happily continuing - responding to user input and drawing to the screen. This is how multithreading solves the problem - it moves the blocking calls to separate threads, so the thread handling user input and drawing (or whatever work there is to be done) is not blocked.

Non-Blocking Model

The majority of programming languages use blocking calls to perform I/O activity. This is largely because in most cases it is OK to do so, and is easy to code. When it's not OK to block, then programmers must use multi-threaded code - which substantially increases complexity.

Node.js is designed differently. In Node.js, the majority of I/O calls (and even some CPU intensive calls) are designed to be asynchronous and non-blocking. There are a few reasons for this:

1. Node.js was built with I/O intensive applications in mind, and I/O intensive applications tends to suffer when I/O calls are blocking
2. JavaScript non-blocking API's easier to design, since it's much easier to work with callback functions than in other languages (at least, at the time of Node.js's creation).

Before reviewing how Node.js code would be written for the examples above, let's discuss a bit more about it's architecture. Node.js is a C++ program. It's the runtime for JavaScript. It has two fundamental parts - (1) V8 JavaScript Execution Engine and (2) Operating System interface code - to give JavaScript access to the filesystem, network, input/output devices. We've discussed V8, the critical part is (2) right now. Node.js provides a JavaScript interface to the C / C++ APIs the operating system supports. This allows your JavaScript code to invoke the same system calls as a C and C++ program would make - but in a JavaScript style.

Since Node.js is the runtime program for your JavaScript code (when writing server-side code in this book), and it is providing access to the operating system's system calls - it has full control over how your JavaScript code can interact with those system calls! It can choose whether to make those operations blocking or non-blocking, and it chose non-blocking.

Nearly all of Node.js's I/O calls expect the caller to provide a callback function. When the Node.js I/O call is invoked, it asks the operating system to start the I/O call, but importantly it does this in a non-blocking manner - the operating system does not suspend Node.js until the I/O call is completed. Node.js then immediately continues executing the JavaScript code that made the I/O call.

Read that sentence again. When you make an I/O call in Node.js, the call returns immediately. Before the I/O call is completed.

When the operating system finally receives notification that the I/O has been completed, Node.js will likewise be signaled. Node.js will continue executing whatever JavaScript code is currently running (more on this in a moment), and once it has nothing to run, it will check for I/O completions. Seeing the I/O has been completed, Node.js then calls the callback function that was provided earlier.

So, let's see how this works in practice, using the same hypothetical program as above.

let data = null;

const process_mouse_events = (mouse_events) => {
    if (mouse_events.must_read_file) {
        // read_file returns IMMEDIATELY
        read_file(filename, (file_data) => {
            // Callback function, sets the data
            // variable
            data = file_data;
            draw_screen(null, data);
        });
    }
    draw_screen(mouse_events, data);
}
read_mouse_events(process_mouse_events);

These aren't real Node.js functions of course, but they are written in the style of Node.js I/O calls. Notice that read_mouse_events is now non-blocking. Only when a mouse event is ready does the callback function process_mouse_events get called. Presumably, inside read_mouse_events, there is some mechanism that continue to poll for input over and over again - so process_mouse_events is called for all mouse events.

Inside process_mouse_events, we may invoke read_file, but now read_file accepts a callback. read_file does not wait for the data to be read from disk, it returns right away. The screen can be drawn right away as well.

When the data does arrive, the callback is invoked, and data is set. Since it is assumed that the data that is read in some way alters what should be drawn, we call draw_screen again. This time, we provided null as the mouse parameter, since the call is not invoked as a direct result of mouse data at all.

There's no question - this is harder to understand than the original blocking code. It's likely no harder than the multi-threaded code, and in fact - it's a lot safer, as we do not need to worry about synchronization, shared memory, etc.

Pitfall: Clogging up the "Event Loop"

The JavaScript code above hides something, something that is within Node.js and is driving everything we do. It's called the Event Loop.

Think of Node.js as a C++ program that does the same sort of loop that we started out this section with - waiting for various events. One of the events that it waits for is the availability of code to execute. The following (incredibly simplified) pseudocode illustrates what Node.js is doing:

let code_queue = new Queue()
let pending_io = new List();

// Start the program
code = get_entry_point();
code_queue.push(code);

while (!code_queue.empty() && !pending_io.empty()) {
    code = code_queue.next();
    if (code) {
        // Runs code, and if it hits an I/O call, 
        // starts the I/O, returns record (id, callback).
        // If no I/O call is made, keeps running until
        // the code itself completes and returns null.
        io_invoked = run(code);
        for(const io of io_invoked) {
            pending_io.push(io);
        }
    }

    id = operating_system.is_anything_ready();
    if (id) {
        // Looks up the id in pending_io, and if found, and 
        // and has a callback function, adds the callback function 
        // to the code queue.
        io = lookup_pending_io(id);
        if (io && io.callback) {
            code_queue.push(io.callback);
        }
    }
}

When your JavaScript program starts, the globally executable JavaScript (the program entry point) is added to the code_queue, and drops into the main event loop. The event loop will continue to run until there is no additional code to run, and there are no pending I/O calls. If you follow along, the most critical part to understand is the run function. It accepts JavaScript code, and runs it to completion. While running it, the code may make I/O calls. Each I/O call gets an identifier and a possible callback. When the code is complete, those I/O calls and callbacks are added to the pending IO queue. Before taking the next chunk of code, we check to see if any I/O has completed - and if so, we place that I/O call's callback on the code queue.

Now, let's see how we can effectively kill Node.js's ability to process I/O, by monopolizing the event loop.

let data = null;

const process_mouse_events = (mouse_events) => {
    if (mouse_events.must_read_file) {
        read_file(filename, (file_data) => {
            data = file_data;
            draw_screen(null, data);
        });
    }

    // Infinite loop
    while (true) {
        foo();
    }
    draw_screen(mouse_events, data);
}
read_mouse_events(process_mouse_events);

In the code above, when we receive a mouse input, we check to see if we must read a file. Let's say we do - and we invoke read_file. We know that when read_file completes, Node.js will call the callback we provided - which sets the data variable. However, after calling read_file we drop into an infinite loop. This code will never complete. If you look at the pseudocode for the event loop above, we are inside the run function - and that run function will now never return. Node.js will never get to check to see if read_file has completed, or check to see if there are any more mouse events. Your program is unresponsive.

The example above is an extreme example. Instead of having an infinite loop calling foo, maybe instead you just do some number crunching - for a few seconds. This is still problematic, because you are still blocking the event loop. While you are doing your number crunching, you are not allowing Node.js to check for I/O completions. Some times this is simply unavoidable - but it's important to understand the effects. Anytime you do something CPU intensive, without an I/O blocking call, you are blocking the event loop.

More Reading

Node.js implements system calls in conjunction with another C++ library embedded within it's source code - libuv. While you don't need to understand all the details of how Node.js is implemented in order to write web servers in Node.js, the information and background knowledge is certainly helpful.

• Node.js Event loop explanation
• Node.js blocking and non-blocking explanation
• Node.js callback pattern explanation
• libuv

Real-World - HTTP Request Bodies

Let's drill down to something more concrete, and related to our core focus - web development.

We saw in the last chapter how HTTP request bodies were handled by the http library. Instead of simply adding it to the req object, like it does with query strings, it is instead the programmers responsibility to handle data and end events on the request, and then parse the request body themselves. Why is this?

Recall, HTTP request bodies can be large. There's no technical limit, and in practice, a web client (browser) could send an entire movie file, of several GBs over the network - to upload a video to a server. This will take minutes. The http library needs to work reasonably for all use cases, and if it were to block until the HTTP request body was fully received, it would end up stalling our ability to process any other requests that come in while we are reading GBs of data from one particular web browser! Instead, the http implementation chunks the data, reading a bit off the socket at a time, and invoking our supplied callback.

const handle_request = (req, res) => {
    let body = "";
    req.on('data', (chunk) => {
        body += chunk;
    });
    req.on('end', () => {
        req.form_data = qs.parse(body);
        
        serve_page(req, res);
    });
}

http.createServer(handle_request).listen(8080);

When a request arrives, we immediately register a callback function for each time a data chunk arrives. The req.on function returns immediately, and we call it again to register a callback for the end event. That call to on returns immediately too, and thus handle_request returns immediately. At that time, we are free to handle new requests (new calls to handle_request) while the network device continues to receive chunks associated with the first HTTP request. Each time a chunk arrives, we append it to the body variable, which is held in scope since active callback functions (the ones associated with data and end) have captured them within their scope (closures). The append is quick, so the callback for data returns quickly, and isn't tying up the event loop. Between chunks, the entire program is free to do other things. Additional HTTP requests may come in from other clients, and we can happily process them. When end is invoked, we then are ready to parse things - in our use case above it's just form data.

Pro Tip💡 When writing web server code, you always need to remember that new HTTP requests can be arriving at any time, because you are potentially serving thousands (or millions!) of web browsers simultaneously. You always have something else to do, while I/O calls are being performed. Never forget this!

Reusing the Request Body Parsing

It's a pain to keep writing all that code to parse request bodies. You might be tempted to do the following:

const parse_body = (req) => {
    let body = "";
    req.on('data', (chunk) => {
        body += chunk;
    });
    req.on('end', () => {
        form_data = qs.parse(body);
        return form_data;
    });
    // ?
}
const handle_request = (req, res) => {
    req.form_data = parse_body(req);
    serve_page(req, res);
}

http.createServer(handle_request).listen(8080);

That code might seem nice - since we could imagine reusing the parse_body function in other areas of our web server, or in other projects. That code is fundamentally broken though, and WILL NOT work.

Pro Tip💡 Pay attention to why the code above doesn't work - it's one of the most common mistakes students make!

The parse_body function above registers callback functions on the req object just fine. In fact, each time a chunk of data is received, or the end of the request body is found, those callbacks do get called. The problem is that handle_request is long gone. Let's see why:

When parse_body calls req.on('data', ..., that function returns immediately - it's simply registering a callback. The same thing occurs when req.on('end', ... is called - the callback is registered and then the function returns right away. At that point, we arrive at the line of code marked with the comment - // ?. At this time, no chunks have been processed, and the form data has not been parsed. We've reached the end of the parse_body function, and it returns. The handle_request function expected the result of parse_body to be something, but it's not - it's just undefined. handle_request serves the page, with no form data at all.

BTW, remember, we couldn't have done return body from parse_body, or attempted to parse the body at the // ? line, because the data hasn't been ready yet.

So, how do we fix this? How do we wrap up the callbacks associated with parsing the request body so it's reusable? The answer isn't quite as satisfying as we'd like, yet. For now, the best we can do is wrap it up using another callback.

// The second parameter (done)is a FUNCTION, a callback
// that the caller wants parse_body to call when the 
// body has been parsed. 
const parse_body = (req, done) => {
    let body = "";
    req.on('data', (chunk) => {
        body += chunk;
    });
    req.on('end', () => {
        form_data = qs.parse(body);
        // Call the function we were provided, with 
        // the parsed form data
        done(form_data)
    });
}
const handle_request = (req, res) => {
    parse_body(req, (data) => {
        req.form_data = data;
        serve_page(req, res);
    })
}

http.createServer(handle_request).listen(8080);

The parse_body function above has been changed, so it accepts a callback function. This is the first time we've used callbacks ourselves - and it might really help you conceptualize how this all works! The parse_body function still returns immediately, so handle_request also is returning immediately - but it's returning without actually sending the page to the browser. It has however passed a callback to parse_body, as it's done parameter. That callback receives the parsed request body, adds it to the req object, and serves the page. parse_body calls done (which is the anonymous function passed into it from handle_request) once it receives the end event and has parsed the data.

Events vs Results

Before moving on, it's worth considering that we've actually been seeing two different types of callback use cases.

const parse_body = (req, done) => {
    let body = "";
    req.on('data', (chunk) => {
        body += chunk;
    });
    req.on('end', () => {
        form_data = qs.parse(body);
        done(form_data)
    });
}

The req.on function is used twice in the code above. Once for data, and once for end. Note though, we sort of implicitly accept that the data event might fire many times, while we understand end will only be called once. Likewise, we saw the read_mouse_events function in examples above, which was presumably allowing us to register a callback for mouse events - and we understand that there will be many mouse events. We also saw read_file, which accepted a callback with the data read from disk - and we understand that that callback would be called once, when the file data was available.

There are two situations, both of which are handled with callback functions:

1. streams of events, where a given callback is called whenever an event arrives.
2. results of I/O calls, where one call results in one callback invocation.

These two use cases are not mutually exclusive. For example, we might have a stream of events, and only receive one event. The end event is a good example of this - it's nature and name imply it only happens once, but if you look at the code - it's written like any other event (like the data event). The two use cases are used fluidly, and you should be thoughtful when working with callbacks because of this. You should always ask yourself - how many times would my callback be called?. The answer is usually found from the context, and the documentation. There is not hard and fast rule!

There are some considerations regarding streams of events vs results. When dealing with streams of events, we are essentially creating an entry point - a place where are program will begin executing whenever an event occurs.

const ke = (key) => {
    console.log(key);
}

keyboard_events(ke);

In the code above, it's very clear - we'll have more than one keyboard event. The hypothetical (not real!) functions keyboard_events is accepting a callback to call whenever a key is typed. The ke function is an entry point - it executes and operates only on it's input - the key pressed. Each time it is called, the execution of the function (the console.log) is called - without regard to any other key that has been or will be pressed. Each invocation of key is independent.

Contrast this with the code that performs some operation on the result of an asynchronous call:

const handle_file = (file_data) => {
    // do something with file data.
}
read_file(filename, handle_file);

The code above, if you replace the names, looks almost identical as the keyboard code - with one exception - read_file accepts a filename as input. The keyboard_events function didn't accept anything but a callback, because it invokes the callback for every key. This difference does not imply any conceptual difference though - we could have just as easily imagined a function that registered a callback to a specific key.

The point is, you can't necessarily tell if we are dealing with a stream of events that can happen at any time, or we are looking for a specific result from an asynchronous operation. The different depends on context, not code structure.

Callback Patterns and Anti-Patterns

Callbacks are OK, and we get tremendous benefits from them when used well. However, they do come with some usability problems. Each of our examples so far have involved calling one callback function in a sequence. Most of the examples registered a callback for an event or result, and then when the callback was invoked, we were able to finish whatever work we wanted to do.

What happens if we need to do some work, but before we can do that work we need the results of two asynchronous I/O calls though? Let's say, we want to read two files, and append them together. By the way, instead of using read_file, let's actually just use the real Node.js function - readFile. The readFile function is found in the fs module, and accepts three parameters: (1) the filename, (2) the file encoding, and (3) a callback to receive the data. The callback follows a conventional pattern that most Nodejs callbacks follow - the first parameter is for an error (and many be null) and the second is the actual result.

First lets' read ONE file:

const fs = require('fs');

fs.readFile('file-1.txt', 'utf8', (err, data) => {
  if (err) {
    console.error(err);
    return;
  }
  console.log(data);
});

OK, so inside the callback we have the file data. How do we get the second file? We could now call readFile again:

const fs = require('fs');

fs.readFile('file-1.txt', 'utf8', (err, data) => {
  if (err) {
    console.error(err);
    return;
  }
  console.log(data);
  fs.readFile('file-2.txt', 'utf8', (err, data) => {
    if (err) {
        console.error(err);
        return;
    }
    console.log(data);
  });
});

This seems messy. We did a pretty poor job of naming variables, reusing "data". Let's clean it up a little, and pretend we have an append function that can merge the two file data variables together.

const fs = require('fs');

fs.readFile('file-1.txt', 'utf8', (err, f1) => {
  if (err) {
    console.error(err);
    return;
  }
  fs.readFile('file-2.txt', 'utf8', (err, f2) => {
    if (err) {
        console.error(err);
        return;
    }
    combined = append(f1, f2);
  });
});

That's better, and it works, but it's a bit unsightly. It's also somewhat inefficient, because we are waiting for file 1 to be fully read before even asking the operating system to fetch file 2 from disk. This is wasteful, since there's a good chance the OS could work on both files at least somewhat in parallel. Another possible approach is as follows:

const fs = require('fs');
let file1 = null;
let file2 = null;

fs.readFile('file-1.txt', 'utf8', (err, f1) => {
    // Error handling omitted for readability
    file1 = f1;
    if (file2) {
        combined = append(file1, file2);
    }
});
fs.readFile('file-2.txt', 'utf8', (err, f2) => {
    // Error handling omitted for readability
    file2 = f2;
    if (file1) {
        combined = append(file1, file2);
    }
});

Now we call readFile for file-1.txt, and when it (immediately) returns we call readFile again - for file-2.txt. Depending on their relative size, either one could finish first, we have no way of really knowing for sure (it's even possible for the larger one to finish first - the OS is unpredictable). To deal with this, we check to see if the opposite file has already completed in each of the handlers. The first callback to execute will find that the other has not, and just return after setting the corresponding file variable. The second callback invoked will find the first has already been set, and will complete the operation.

This is an example of executing asynchronous operations in parallel. There are more elegant ways of doing this, using libraries that model parallel tasks - but we'll cover them later in the chapter.

While the above demonstrates two tasks being done in parallel, where a final task is done with both inputs - what about tasks that must be accomplished in series.

Let's review another example - this time imagining we are working with a database. Retrieving data from a database is the focus of on of the next chapters, for now let's just agree that it's an I/O call. Let's imaging we have variables stored in our database - A, B, C, and D. We want to fetch A first. If A is odd, we want to fetch C, and if A is even we want to fetch B. We then add A to whatever the second parameter was (B or C), and multiply it by D.

We have a sequence, we need A before we can fetch B or C (unless we wastefully fetch both B and C). We can then fetch D, or theoretically we can fetch D in parallel. The chain of dependencies, just with 4 variables, is a mouthful!

In a blocking style program, this would be easy:

a = db.fetch('a');
op = 0;
if (a % 2 == 0) {
    op = db.fetch('b');
}
else {
    op = db.fetch('c');
}
d = db.fetch('d');
result = (a + op) * d;

In an asynchronous world, here's how we might do this:

db.fetch('a', (err1, v1) => {
    if (err1 ) {
        console.error(err1);
        return;
    }
    if (v1 % 2 === 0) {
        db.fetch('b', (err2, v2) => {
            if (err2 ) {
                console.error(err2);
                return;
            }
            db.fetch('d', (err3, v3) => {   
                if (err3 ) {
                    console.error(err3);
                    return;
                }
                console.log((v1 + v2) * d);
            })
        })
    }
    else {
        db.fetch('c', (err2, v2) => {
            if (err2 ) {
                console.error(err2);
                return;
            }
            db.fetch('d', (err3, v3) => {   
                if (err3 ) {
                    console.error(err3);
                    return;
                }
                console.log((v1 + v2) * d);
            })
        })
    }
}

That's clearly a nightmare. You can be more clever, and rearrange things to limit some repetition, but not a lot. Unfortunately, even with some improvements, this still isn't scalable. If we need to make a sequence of calls, where each call needs the result of the previous, this nesting of callbacks, with err handling, cascades. It's referred to as callback hell.

Callback cascading and nesting occurs when we are dealing with the result type of callback - where we are expecting a specific result from an asynchronous call. When results depend on other results, we will continue to find ourselves in this situation. For the first half a decade or so of Node.js, this problem was met with a bit of a shrug. People tried to re-order their asynchronous calls to avoid these structures, and they worked hard to do things in parallel when they could. While the community encouraged developers to avoid the results cascade by doing things in parallel, the community also recognized that the callback approach was indeed inadequate for large programs.

In response, there was an effort to create additional libraries and tooling to help. The first problem identified with callbacks was that while the convention of having err passed as the first parameter and the actual result passed as the second, it was just that - a convention. It was up to the programmer to use the convention - and not everyone did. Moreover, passing errors and data into function couples error handling with the happy path, meaning every callback had to branch for possible errors.

The first solution to the problems above was to create a stronger standard, that modelled callbacks more accurately and helped promote de-coupling of error handling and results processing. This solution was community driven, but eventually made its way into JavaScript itself (and thus Node.js). It's called promises.

Promises

JavaScript, and thus Node.js were dominated by the callback style of coding whenever there was I/O work to be done (and sometimes other types of work) for quite a time. At the same time however, other languages, and some JavaScript libraries as well, promoted a different take on the idea of "call this later". Instead of treating the idea as purely function oriented, an effort was made to think of the problem from a more object oriented perspective.

Take the following:

const when_complete = (err, result) => {
    if (err) {
        // handle error
    } else {
        // handle result
    }
}

long_task(when_complete);

The code above is clearly modeling the idea that whenever the long task completes, we want to do something with the result. Whether that is an error state, or an actual result - we have more work to do. In the callback style of code above, we model what we want to do simply by providing a function that long_task promises to call when it's done.

There are also other styles of doing this too. long_task, could accept two functions - one that should get called when there is an error, and another when there is a true result. The commonality though is that long_task presumably produces either an error or data, but since we are using asynchronous programming, long_task doesn't return that result - it has to give it to the caller indirectly, through a callback. It's sort of awkward to return anything from an asynchronous function that uses callbacks, because the function is returning before the computation is complete!

A Promise object, as proposed within the JavaScript community in 2009, represents the future result of a function or computation. A Promise is really truly an object. The idea behind it is that an asynchronous function returns a Promise to the caller. The Promise is something that the caller can inspect, and can also wait for (by attaching callbacks). Truly, a Promise decouples the asynchronous function from the result - which enables us to write code in a bit more clean way.

Promise States

Promises have states, that are actually pretty intuitive. At any given time, a promise is:

• fulfilled: completed successfully, presumably with a resulting value
• rejected: completed with error. The operation failed, and presumably there's an error associated with this.
• pending: Neither fulfilled or rejected. The computation is not done.

A promise is said to be settled when it has reached either the fulfilled or the rejected state. While it's possible to inspect the state directly, typically we just want to know when it's state reaches either fulfilled or rejected - and to do that, we can attach callbacks to the promise.

Fulfillment

We attach callbacks to the promise fulfillment using it's then method. Any callback attached via then will be called whenever the promise resolved without error. Importantly, even if the promise is already fulfilled when the callback is added with then, the callback is called!

Rejection

We can attach a callback to handle the promise rejection using the catch method. The catch method is called if the promise when the promise is rejected.

Settlement

If you want something to happen after fulfillment or rejection - meaning, regardless of whether the promise's computation succeeds or fails, you can register a callback with finally.

Promise Example

Now let's suppose the original long_task function uses promises instead of callbacks.

const on_success = (result) => {
    // Handle result
}
const on_fail = (err) => {
    // Handle error
}

// Long task returns a Promise object
const p = long_task();

p.then(on_success)
p.catch(on_fail);

Promises are chainable, and errors propagate. For example, while the example above attaches a fulfillment callback and reject callback to promise p, we can take advantage of chaining and propagation to write the same thing this way:

const p = long_task();
p.then(on_success).catch(on_fail);

The above attaches fulfillment on_success to p. then returns a new promise associated with the code inside on_success. That promise is fulfilled when on_success executes. The catch method is called on that second promise, but it will catch errors on p and the on_success promise due to error propagation.

In fact, most developers don't even bother to store the promise as a variable - although there is absolutely nothing wrong with doing so (some would argue its actually more clear to do so!).

long_task().then(on_success).catch(on_fail);

Since developers typically like to embed anonymous functions when they are fairly short, you will also commonly see the following:

long_task.then((result) => {
    // Handle the result (success)
}).catch((err) => {
    // Handle the error
});

It's a matter of preference, but the last example is most common.

Sequencing

We saw earlier how attempting to do multiple asynchronous calls in sequence creates a nightmare with callbacks.

task1((err, result) => {
    if (err) {
        console.log(err);
        return
    }
    task2(result, (err, second_result) => {
        if (err) {
            console.log(err);
            return
        }
        task3(second_results, (err, third_result) => {
            if (err) {
            console.log(err);
            return
        }
            console.log(third_result);
        });
    });
});

Each call to then on a promise *creates a new promise`. This allows for more succinct chaining.

task1(result).then((result) => {
    task2(result);
}).then((second_result) => {
    task3(second_result);
}).then((third_result) => {
    console.log(third_result)
}).catch((e) {
    console.error(e);
});

The syntax above is more succinct, which is nice. More importantly, there is one error handler instead of three separate handlers - which is more than nice, it's significantly better design.

Here's a more concrete example from the previous section. We are fetching variables from a database, in a sequence with a dependency. Here's how we did it with callbacks:

db.fetch('a', (err1, v1) => {
    if (err1 ) {
        console.error(err1);
        return;
    }
    if (v1 % 2 === 0) {
        db.fetch('b', (err2, v2) => {
            if (err2 ) {
                console.error(err2);
                return;
            }
            db.fetch('d', (err3, v3) => {   
                if (err3 ) {
                    console.error(err3);
                    return;
                }
                console.log((v1 + v2) * d);
            })
        })
    }
    else {
        db.fetch('c', (err2, v2) => {
            if (err2 ) {
                console.error(err2);
                return;
            }
            db.fetch('d', (err3, v3) => {   
                if (err3 ) {
                    console.error(err3);
                    return;
                }
                console.log((v1 + v2) * d);
            })
        })
    }
}

Here's how we might accomplish the same with promises, assuming db.fetch returned a promise rather than accepted a callback.

let a, bc;
db.fetch('a').then(
    (v1) => {
        a = v1;
        if (a %2 === 0) {
            return db.fetch('b');
        } else {
            return db.fetch('c');
        }
    }
).then((v2) => {
    bc = v2;
    return db.fetch('d');
}).then((v3) => {
    console.log((a + bc) * v3);
}).catch ((err) => {
    console.error(err);
});

1st Class Promises

Promises are built right into JavaScript. This wasn't always the case, and some older libraries do have compatibility issues - however most modern JavaScript makes full use of the built in Promise object. The beauty of this is that you can rely on how Promises work, from library to library. Perhaps the biggest advantage of the Promise over callbacks is exactly this - standardization.

Making Promises

A promise is actually just an object that maintains three lists of callbacks - one that should be called when the promise is fulfilled, one list of callbacks to be called when it fails, and one list of callbacks for when it settles - no matter what it's state. A consumer of a Promise object usually will use then, catch, and finally to add callbacks to the list - since the consumer will want to do something when the computation resolves.

If you are producing a Promise, you are creating a promise that you will need to eventually resolve or reject, indicating the computation has completed. In addition, you will need to actually do the things you are promising to do!.

To create a promise, you create a new instance of Promise, which requires you to pass in a function. This function represents the thing you are promising to do. It is the long running task. The function will automatically get called for you, as soon as the promise is created. The function is called with two callbacks - resolve and reject - that your code should call if it wants to indicate the promise has been fulfilled or rejected!

Let's take a look at what long_task might look like.

const long_task = () => {
    const p = new Promise( (resolve, reject) => {
        let retval;
        // .. Do something for a long time... and if 
        // we succeed, set retval, otherwise set retval to null.

        if (retval) {
            resolve(retval);
        } else {
            reject('No value was produced');
        }
    })

    return p;
}

The code above creates a promise. We didn't actually define what the long running task was, instead just describing in comments. The point is that after doing the long running task, we can choose to either call the resolve function or the reject function. After creating the promise, we return it.

After the promise is created, the function we wrote (the one with the commends about retval) is actually called. If resolve is called, then any callbacks added with then will be called. If the reject function is called, then any callbacks added with catch are called.

Let's make this less abstract though - and look at the readFile example from the last section. This can be our long running task.

const fs = require('fs');

const long_task = () => {

    const p = new Promise( (resolve, reject) => {
       fs.readFile('bigfile.txt', 'utf8', (err, file) => {
            if (err) reject(err);
            else resolve(file);
        });
    })

    return p;
}

long_task().then((f) => {
    console.log("File Data");
    console.log(f);
}).catch((e) => {
    console.error(e);
}

We effectively wrapped the call to readFile, which is callback-based, in a promise.

Body Parsing, with Promises

We motivated some of this discussion with our example of using request body parsing. Let's take a look at what that looks like with promises.

const parse_body = (req) => {
    return new Promise((resolve, reject) => {
        let body = "";
        req.on('data', (chunk) => {
            body += chunk;
        });
        req.on('end', () => {
            form_data = qs.parse(body);
            resolve(form_data)
        });
    })
}
const handle_request = (req, res) => {
    parse_body(req).then((data) => {
        req.form_data = data;
        serve_page(req, res);
    });
}

http.createServer(handle_request).listen(8080);

It's not that different! The real benefit of Promises are that they are more easily chainable - where we add many callbacks to the same promise with then, and easier to create control flows with.

Utilities for Control Flow

We've already seen how sequences of promises is a bit easier to express compared to sequences of callbacks. Another area where promises shine is when we want to do something after all of a set of promises complete, or any of a set of promises complete. This is fairly challenging to do well with callbacks, since every callback needs to check the state of all the rest - leading to code duplication. This was evident in one of the examples from the last section - where we started reading two files, and wanted to append them together once they both had been read:

const fs = require('fs');
let file1 = null;
let file2 = null;

fs.readFile('file-1.txt', 'utf8', (err, f1) => {
    // Error handling omitted for readability
    file1 = f1;
    if (file2) {
        combined = append(file1, file2);
    }
});
fs.readFile('file-2.txt', 'utf8', (err, f2) => {
    // Error handling omitted for readability
    file2 = f2;
    if (file1) {
        combined = append(file1, file2);
    }
});

Let's design this better now, taking advantage of promises, and the global promise functions - Promise.all, which creates a promise that is fulfilled when every promise passed (as an array) is fulfilled.

const fs = require('fs');
const read_file = (filename) => {
    return new Promise ((resolve, reject) => {
        fs.readFile(filename, 'utf8', (err, file) => {
            if (file) resolve(file);
            else reject(err);
        })
    })
}

const promises = [read_file('file-1.txt'), read_file('file-2.txt')];
Promise.all(promises).then((files) => {
    combined = append(files[0], files[1])
}).catch((err) => {
    console.error(err);
}

The Promise.all function accepts an array of promises. Notice how we created those - we created an array, with two elements - the results of calling read_file. read_file returns a promise, so the promises array has two promises.

Promise.all creates a new promise, which is fulfilled when each of the promises in the given array are fulfilled. The then callback receives these results as an array, and processing can continue from there. If any of the promises fall, the associated catch is called.

Similar workflows can be defined with Promise.any, which fulfills when any (one) of the promises passed as an array is fulfilled. If you are only interested in completion - either fulfillment or rejection, you can also use Promise.allSettled and Promise.race.

Almost there...?

When promises began replacing callbacks, there were two camps of JavaScript developers. One camp felt like promises were amazing, and a huge step forward. Others (the author included) sort of shrugged. They change things a bit, and certainly for the better, but the code still sort of looks similar. There is less nesting, but all the then and catch stuff is still awkward to anyone who learned to program with other languages.

There was one killer feature of promises however, and once people saw it, there was no going back. It's a lot easier to standardize around a built in object representing future results, with a standard API, then it is to enforce standards in callbacks.

The standardization of the Promise object was a game changer in JavaScript, because it allowed the language to continue to evolve and introduce two keywords that would drastically improve developer ergonomics: async and await. With those keywords, we can write JavaScript code that handles Promise objects as if they were blocking code - while still not being blocking code. With that change, we can start writing code the way we do in blocking languages, while still maintaining many of the benefits of asynchronous coding. We can also start handling errors in ways that we are more accustomed to - as exceptions.

Promises took us from this:

long_task((err, f) => {
    if (err) {
        console.error(err);
    }
    else {
        console.log("File Data");
        console.log(f);
    }
})

To this:

long_task().then((f) => {
    console.log("File Data");
    console.log(f);
}).catch((e) => {
    console.error(e);
}

And async and await take us here:

try {
    const f = await long_task();
    console.log("File Data");
    console.log(f);
} 
catch (e) {
    console.error(e);
}

More reading

You can learn a lot more about Promises. While for the most part, they are hidden once we move to using async and await, those keywords require Promises to work - so there's no escaping them!

• Promises - Mozilla Developer Network
• Using Promises - MDN
• Promises - States and Fates

Async and Await

Promises are critical to JavaScript. They standardize the concept of future results and create a dependable API for attaching callbacks for fulfillment and errors. Having a standardized model of asynchronous computations allows the language to evolve further, around that standard. This evolution led us to the adoption of the async and await keywords.

Understanding await

Let's examine the following code:

// Create a promise that resolves right away
const result = new Promise ((resolve, reject) => {
    resolve("Hello");
});

console.log(result);

The code above prints Promise { 'Hello' }. result is indeed a promise, it's not the string Hello. Since the code above resolves immediately however, the Hello result is already present inside the promise being printed - the promise is already fulfilled. Nevertheless, we cannot do anything useful with result.

Let's modify the code within the promise to explicitly wait a while before resolving - let's say 5 seconds. We can do that with setTimeout, a function that executes a given function after a specified number of milliseconds.

// Create a promise that resolves in 5 seconds
const result = new Promise ((resolve, reject) => {
    setTimeout(() => {
        resolve("Hello");
    }, 5000);
    
});

console.log(result);

It we run that code, we see the print statement executes immediately, and will print Promise { <pending> }. This should make sense. The promise won't resolve for another 5 seconds. We can certainly get the result after 5 seconds, but we need to use the then callback.

// Create a promise that resolves in 5 seconds
const result = new Promise ((resolve, reject) => {
    setTimeout(() => {
        resolve("Hello");
    }, 5000);
    
});

console.log(result);
result.then((v) => {
    console.log(v);
})

That code will first print Promise {<pending>}, and then 5 seconds later print "Hello".

Now let's look at how the await keyword can transform our code into something that looks more straightforward:

// Create a promise that resolves in 5 seconds
const promise = new Promise ((resolve, reject) => {
    setTimeout(() => {
        resolve("Hello");
    }, 5000);
    
});

console.log(promise);
const result = await promise;
console.log(result);

This code will print out exactly the same thing as the previous snippet. The await keyword is a replacement for using then - it blocks until the promise resolves, and yields the value that would normally be passed to the then callback.

In fact, it's actually useful to think about the await keyword simply being syntactical sugar, that the JavaScript runtime uses to rewrite your code into a promise structure.

Take the following: