HTTP

Hypertext Transfer Protocol

The application-layer protocol that defines how browsers and servers communicate — every web page, image, and API response travels over HTTP (or its encrypted variant, HTTPS).

HTTP (Hypertext Transfer Protocol) is the language of the web. A browser sends an HTTP request — specifying a method, URL, headers, and optional body — and the server responds with a status code, headers, and the requested content. HTTP is stateless: each request-response pair is independent unless the application adds state via cookies or sessions.

HTTP request and response structure

Every HTTP request contains: a method (the action to perform), a request URL (the resource path), headers (metadata such as Host, Accept, Authorization, and User-Agent), and an optional body (data sent with POST or PUT requests). Every HTTP response contains: a status line with the three-digit status code and reason phrase, response headers (metadata such as Content-Type, Cache-Control, and Set-Cookie), and the response body (the HTML, JSON, image, or other content being returned).
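The structure described above can be seen by splitting raw HTTP/1.1 messages into their parts. This is an added example, not code from the original page; the sample messages and the function name parse_http_message are constructed for illustration, and the parser covers only the start line, headers and body.

```python
# Added example: minimal HTTP/1.1 message splitter, not a complete parser.
# REQUEST and RESPONSE are constructed sample messages.
REQUEST = (b"POST /api/login HTTP/1.1\r\n"
           b"Host: example.com\r\n"
           b"Content-Type: application/json\r\n"
           b"Content-Length: 16\r\n"
           b"\r\n"
           b'{"user":"alice"}')
RESPONSE = (b"HTTP/1.1 201 Created\r\n"
            b"Content-Type: application/json\r\n"
            b"Cache-Control: no-store\r\n"
            b"\r\n"
            b'{"ok":true}')


def parse_http_message(raw: bytes) -> dict:
    """Split a raw request or response into start line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the header section")
    lines = head.decode("iso-8859-1").split("\r\n")
    start = lines[0].split(" ", 2)
    if len(start) < 2:
        raise ValueError("malformed start line")
    if start[0].startswith("HTTP/"):
        # Status line: version, three-digit code, optional reason phrase.
        if not (len(start[1]) == 3 and start[1].isdigit()):
            raise ValueError("status code must be three digits")
        msg = {"kind": "response", "version": start[0], "status": int(start[1]),
               "reason": start[2] if len(start) > 2 else ""}
    else:
        if len(start) != 3:
            raise ValueError("request line needs method, target and version")
        msg = {"kind": "request", "method": start[0],
               "target": start[1], "version": start[2]}
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Whitespace around the field name is rejected rather than trimmed:
        # lenient parsing lets two parsers disagree about the same message.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    msg["headers"], msg["body"] = headers, body
    return msg


if __name__ == "__main__":
    for raw in (REQUEST, RESPONSE):
        print(parse_http_message(raw))
```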

HTTP methods

HTTP defines a set of verbs that indicate the intended action on the resource:

  • GET — retrieve a resource; no body; must be safe and idempotent
  • POST — submit data to create or trigger processing; has a body; not idempotent
  • PUT — replace a resource entirely with the request body; idempotent
  • PATCH — apply a partial update to a resource
  • DELETE — remove a resource; idempotent
  • HEAD — same as GET but returns headers only, no body; used to check resource existence or freshness
  • OPTIONS — query which methods the server supports for a resource; used by browsers in CORS preflight requests

HTTP status codes

Range | Category      | Common examples
------|---------------|----------------
1xx   | Informational | 101 Switching Protocols (WebSocket upgrade)
2xx   | Success       | 200 OK, 201 Created, 204 No Content
3xx   | Redirection   | 301 Moved Permanently, 302 Found, 304 Not Modified
4xx   | Client error  | 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests
5xx   | Server error  | 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable

HTTP versions compared

Version  | Transport  | Key improvement                                    | Status
---------|------------|----------------------------------------------------|----------------
HTTP/1.0 | TCP        | One request per connection                         | Legacy
HTTP/1.1 | TCP        | Persistent connections, chunked transfer           | Still common
HTTP/2   | TCP + TLS  | Multiplexing, HPACK header compression, server push | Widely deployed
HTTP/3   | QUIC (UDP) | No TCP head-of-line blocking, 0-RTT reconnect      | Growing fast

HTTP/1.1 introduced persistent connections (keep-alive), so one TCP connection is reused across multiple requests instead of paying for a new handshake each time. However, requests on a single connection are processed in order, so one slow response blocks all subsequent ones (head-of-line blocking). HTTP/2 multiplexes multiple requests over a single TCP connection using binary framing, eliminating application-layer blocking. HTTP/3 replaces TCP entirely with QUIC (built on UDP), which provides its own reliability per stream: a lost packet only blocks the one stream it belongs to, not all streams sharing the connection.

HTTPS and TLS

HTTPS is HTTP transmitted over a TLS (Transport Layer Security) encrypted connection. TLS provides confidentiality (data cannot be read in transit), integrity (data cannot be modified undetected), and authentication (the server's identity is verified by its certificate). All modern websites use HTTPS — browsers mark HTTP-only sites as "Not Secure" and block mixed content (HTTP resources loaded on an HTTPS page). TLS 1.3, the current version, reduces the handshake to one round trip before data can flow, versus two round trips for TLS 1.2.

HTTP caching headers

Cache-Control is the primary caching directive — max-age=3600 tells clients and CDNs to cache the response for one hour; no-store prevents caching entirely; must-revalidate requires checking with the origin before serving a stale copy. ETag is a fingerprint of the resource content — on subsequent requests the client sends If-None-Match: <etag> and the server returns 304 Not Modified (no body) if unchanged, saving bandwidth. Last-Modified serves the same purpose using a timestamp instead of a hash.
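The ETag revalidation flow described above, seen from the server side. This is an added example, not code from the original page; the function names (make_etag, etag_matches, respond) and the sample content are assumptions made for illustration.

```python
import hashlib


def make_etag(body: bytes) -> str:
    """Validator derived from the content (quoted, as ETag values are)."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def _opaque(tag: str) -> str:
    """Drop the weak-validator prefix so W/"x" and "x" compare equal."""
    tag = tag.strip()
    return tag[2:] if tag.startswith("W/") else tag


def etag_matches(if_none_match: str, etag: str) -> bool:
    # If-None-Match carries "*" or a comma-separated list of entity tags.
    if if_none_match.strip() == "*":
        return True
    return _opaque(etag) in {_opaque(t) for t in if_none_match.split(",")}


def respond(body: bytes, request_headers: dict, max_age: int = 3600):
    """Return (status, headers, body) for a GET whose current content is `body`."""
    etag = make_etag(body)
    headers = {"ETag": etag,
               "Cache-Control": f"max-age={max_age}, must-revalidate"}
    inm = request_headers.get("If-None-Match")
    if inm is not None and etag_matches(inm, etag):
        return 304, headers, b""     # unchanged: validators only, no body
    return 200, headers, body


if __name__ == "__main__":
    page_v1 = b"<h1>hello</h1>"      # constructed sample content
    status, hdrs, _ = respond(page_v1, {})
    print(status, hdrs)
    # Revalidation with the stored tag, then after the content has changed.
    print(respond(page_v1, {"If-None-Match": hdrs["ETag"]})[0])
    print(respond(b"<h1>changed</h1>", {"If-None-Match": hdrs["ETag"]})[0])
```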

Cookies and HTTP

HTTP is stateless, but servers use cookies to maintain session state. A server sets a cookie with the Set-Cookie response header: Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict; Max-Age=3600. The browser stores the cookie and sends it back on every subsequent request to that domain via the Cookie header. The HttpOnly flag prevents JavaScript from accessing the cookie (mitigating XSS theft). Secure limits transmission to HTTPS connections. SameSite=Strict prevents the cookie from being sent on cross-site requests, defending against CSRF attacks.
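A check for the cookie attributes discussed above, run over Set-Cookie values as a reviewer might when auditing responses. This is an added example, not code from the original page; the function names, finding labels and all sample values except the first (which is the header quoted in the text) are constructed. It also reports SameSite=None, a value the text does not cover, because it allows cross-site sending.

```python
def parse_set_cookie(value: str):
    """Return (name, cookie_value, attrs) with attribute names lower-cased."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, _, cookie_value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value.strip(), attrs


def audit_set_cookie(value: str) -> list:
    """List which of the protections described above a Set-Cookie value lacks."""
    _, _, attrs = parse_set_cookie(value)
    findings = []
    if "httponly" not in attrs:
        findings.append("no-httponly")        # page script can read the cookie
    if "secure" not in attrs:
        findings.append("no-secure")          # may travel over plain HTTP
    samesite = attrs.get("samesite", "").lower()
    if not samesite:
        findings.append("samesite-missing")   # left to the browser default
    elif samesite == "none":
        findings.append("samesite-none")      # sent on cross-site requests
    return findings


# Constructed Set-Cookie values; the first is the header quoted in the text.
SAMPLES = [
    "session=abc123; HttpOnly; Secure; SameSite=Strict; Max-Age=3600",
    "session=abc123",
    "sid=xyz; secure; samesite=None; Path=/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_set_cookie(sample) or "ok")
```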

Frequently Asked Questions

What is the difference between HTTP and HTTPS?

HTTP sends everything in plaintext. HTTPS wraps HTTP in TLS encryption so only the client and server can read the content. All modern sites should use HTTPS — browsers now warn users when a page is HTTP-only.

What is HTTP/2 and how is it faster?

HTTP/2 multiplexes multiple requests over a single TCP connection, eliminating HTTP/1.1's blocking where one slow resource held up all others. It also compresses headers. The result is faster page loads for resource-heavy pages.

What is HTTP/3?

HTTP/3 moves from TCP to QUIC (UDP-based), eliminating TCP's head-of-line blocking at the transport layer and combining the TLS + transport handshakes into one round trip. Most major websites and CDNs support it today.
