## 26. Rate limiting & 429 Too Many Requests

Public APIs often cap the request rate per API key or IP address to protect capacity. When a client exceeds the cap, the server returns **429 Too Many Requests**, optionally with a `Retry-After` header (a number of seconds or an HTTP date) indicating how long to back off.

Client etiquette:
1. Honour `Retry-After`, or back off exponentially.
2. Batch requests when possible.
3. Cache responses to cut hits.

```http
HTTP/1.1 429 Too Many Requests
Retry-After: 30

{ "error": "rate_limit", "remaining": 0 }
```
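
An added example (not code from the original page) of item 1 of the etiquette list: it parses both `Retry-After` forms and falls back to exponential backoff with jitter when the header is missing or unparseable. The function names, the 300-second ceiling `MAX_WAIT` and the 1-second backoff base are assumptions made for this illustration.

```python
import random
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumed client-side ceiling: a buggy or hostile header must not stall the client.
MAX_WAIT = 300.0


def parse_retry_after(value, now=None):
    """Return seconds to wait for a Retry-After value, or None if unusable."""
    if value is None:
        return None
    value = value.strip()
    if value.isascii() and value.isdigit():   # delta-seconds form, e.g. "30"
        return min(float(value), MAX_WAIT)
    try:                                      # HTTP-date form
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):           # raised for unparseable dates
        return None
    if when.tzinfo is None:                   # treat a naive date as UTC
        when = when.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    # A date in the past means "retry now", never a negative sleep.
    return min(max((when - now).total_seconds(), 0.0), MAX_WAIT)


def backoff_delay(attempt, base=1.0, rng=random.random):
    """Exponential backoff with full jitter for attempt 0, 1, 2, ..."""
    return rng() * min(base * 2 ** attempt, MAX_WAIT)


def next_delay(status, headers, attempt, now=None):
    """Seconds to sleep before retrying, or None when no retry is needed."""
    if status != 429:
        return None
    hinted = parse_retry_after(headers.get("Retry-After"), now)
    return hinted if hinted is not None else backoff_delay(attempt)
```

Call `next_delay(r.status_code, r.headers, attempt)` after each response and sleep for the returned value before retrying; `requests` exposes headers as a case-insensitive mapping, so the `"Retry-After"` lookup works as written.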

### Quick check

1. `Retry-After: 120` means wait:
  a. 2 min  b. 120 ms

2. True / False 429 indicates a permanent ban.

<details><summary>Answer key</summary>

1. **a**.
2. **False** – temporary throttle.

</details>

## 27. Error payload conventions (RFC 7807 Problem Details)

Instead of ad‑hoc JSON, RFC 7807 standardises error bodies:

```json
{
  "type": "https://example.com/probs/out-of-credit",
  "title": "You do not have enough credit.",
  "status": 403,
  "detail": "Your current balance is 30, but that costs 50.",
  "instance": "/account/12345/msgs/abc"
}
```

Responses in this format are sent with `Content-Type: application/problem+json`.

```python
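import json

import requests

# httpbin answers with a bare 418; wrap its status in an RFC 7807 problem object.
# The timeout keeps the call from hanging on an unresponsive server.
r = requests.get('https://httpbin.org/status/418', timeout=10)
problem = {
    "type": "about:blank",
    "title": "I'm a teapot",
    "status": r.status_code,
}
print(json.dumps(problem, indent=2))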
```

### Quick check

1. RFC 7807 media type is:
  a. application/problem+json  b. text/problem

2. True / False `title` should be human‑readable, not code.

<details><summary>Answer key</summary>

1. **a**.
2. **True**.

</details>

## 28. HTTP/2 vs. HTTP/1.1 quick tour

* **Multiplexing** – many streams share one TCP connection → no head‑of‑line blocking at the HTTP layer.
* **Header compression** (HPACK) saves bandwidth.
* Binary framing layer; still request/response semantics.

Browsers negotiate HTTP/2 via *ALPN* during the TLS handshake.

```bash
# -s hides the progress meter that curl prints when its output is piped
curl -sI --http2 https://www.google.com | head -5
```

### Quick check

1. HTTP/2 messages are:
  a. text  b. binary frames

2. True / False HTTP/2 mandates TLS.

<details><summary>Answer key</summary>

1. **b**.
2. **False** – though browsers require TLS.

</details>

## 29. Proxies: forward vs. reverse

* **Forward proxy** – client‑side, e.g., corporate firewall; set via the `HTTP_PROXY` environment variable.
* **Reverse proxy** – server‑side load‑balancer (Nginx, Envoy) hiding the backend pool.

The environment variables `HTTP_PROXY` and `NO_PROXY` are picked up by many libraries (e.g. `requests`).

```bash
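# curl reads only the lowercase http_proxy for http:// URLs, so set both spellings
export HTTP_PROXY=http://proxy.lan:3128 http_proxy=http://proxy.lan:3128
curl http://example.com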
```

### Quick check

1. Reverse proxy sits:
  a. near client  b. in front of origin servers

2. True / False `NO_PROXY=localhost` bypasses proxy for local calls.

<details><summary>Answer key</summary>

1. **b**.
2. **True**.

</details>

## 30. Toolbox tour: curl, httpie, Postman

* **curl** – Swiss‑army knife CLI; `-v`, `-I`, `--http2`, `--data @file.json`.
* **httpie** – human‑friendly: `http GET example.com X-API-Key:token`.
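* **Postman / Insomnia** – GUI for saved collections, auth flows, tests.

In the browser's Network tab, right‑click a request → Copy as cURL. The copied command carries that request's cookies and auth headers, so redact them before sharing it.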

```bash
http https://jsonplaceholder.typicode.com/posts title==foo userId==1
```

### Quick check

1. `curl -I` performs:
  a. GET  b. HEAD

2. True / False Postman can export requests as code snippets.

<details><summary>Answer key</summary>

1. **b**.
2. **True**.

</details>