HTTP & HTTPS — The Web Protocol
Every webpage, API call, and file download uses HTTP. Understanding its structure, headers, and the TLS layer that makes it secure lets you debug anything from a broken API to a performance bottleneck.
HTTP Basics
HTTP is a request-response protocol. A client sends a request; the server replies with a response. Each exchange is independent — HTTP is stateless (the server doesn't remember previous requests by default).
HTTP Methods
| Method | Semantics | Idempotent | Safe |
|---|---|---|---|
| GET | Retrieve resource | Yes | Yes |
| POST | Create resource / trigger action | No | No |
| PUT | Replace resource entirely | Yes | No |
| PATCH | Partial update | No | No |
| DELETE | Remove resource | Yes | No |
| HEAD | GET but only headers, no body | Yes | Yes |
| OPTIONS | List allowed methods (CORS preflight) | Yes | Yes |
Idempotent = calling it multiple times has the same effect as calling it once.
Safe = doesn't modify server state.
Status Codes
| Range | Meaning | Common codes |
|---|---|---|
| 1xx | Informational | 100 Continue, 101 Switching Protocols |
| 2xx | Success | 200 OK, 201 Created, 204 No Content |
| 3xx | Redirect | 301 Moved Permanently, 302 Found, 304 Not Modified |
| 4xx | Client error | 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests |
| 5xx | Server error | 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable |
Important Headers
Request headers:
Response headers:
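To make the request/response layout concrete (start line, header lines, blank line, body), here is an added example that is not part of the original page: a small parser and serializer for raw HTTP/1.1 messages. `SAMPLE_REQUEST` is a constructed message, not captured traffic, and the host name in it is a placeholder.

```python
# Added example (not from the original page): minimal HTTP/1.1 message parsing and
# serialization. SAMPLE_REQUEST is constructed; api.example.test is a placeholder host.

SAMPLE_REQUEST = (
    b"POST /users HTTP/1.1\r\n"
    b"Host: api.example.test\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n"
    b'{"name":"alice"}'
)


def _parse_message(raw: bytes):
    """Split a raw message into (start_line, headers, body).

    Header names are lower-cased because they are case-insensitive; repeated headers
    are joined with ", " as list-valued fields allow. Content-Length is validated so a
    missing, non-numeric or conflicting length is rejected instead of silently
    truncating or over-reading the body.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: header block not terminated")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("ascii")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        key, value = name.lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    length = 0
    if "content-length" in headers:
        values = {v.strip() for v in headers["content-length"].split(",")}
        if len(values) != 1:
            raise ValueError("conflicting Content-Length values")
        (length_str,) = values
        if not length_str.isdigit():
            raise ValueError(f"invalid Content-Length: {length_str!r}")
        length = int(length_str)
    if len(rest) < length:
        raise ValueError(f"body truncated: expected {length} bytes, got {len(rest)}")
    return start_line, headers, rest[:length]


def parse_request(raw: bytes) -> dict:
    """Parse a request: 'METHOD target HTTP/x.y', headers, body."""
    start, headers, body = _parse_message(raw)
    parts = start.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {start!r}")
    method, target, version = parts
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def parse_response(raw: bytes) -> dict:
    """Parse a response: 'HTTP/x.y status reason', headers, body."""
    start, headers, body = _parse_message(raw)
    version, _, rest = start.partition(" ")
    code, _, reason = rest.partition(" ")
    if len(code) != 3 or not code.isdigit():
        raise ValueError(f"malformed status line: {start!r}")
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body}


def build_response(status: int, reason: str, headers: dict, body: bytes = b"") -> bytes:
    """Serialize a response, always framing the body with an explicit Content-Length."""
    out_headers = dict(headers)
    out_headers["Content-Length"] = str(len(body))
    lines = [f"HTTP/1.1 {status} {reason}"]
    for name, value in out_headers.items():
        if any(c in name + value for c in "\r\n"):   # a stray CR/LF would corrupt framing
            raise ValueError(f"CR/LF not allowed in header: {name!r}")
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["target"], req["headers"], req["body"])
    print(build_response(201, "Created", {"Content-Type": "application/json"}, b'{"id":1}'))
```

The parser keys everything by lower-cased header name, which is how you should look headers up in any HTTP code; the Content-Length checks are the part most real-world parsers get subtly wrong.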
Cookies
Cookies are key-value pairs the server sets on the client (Set-Cookie). The browser sends them back on every subsequent request to the same domain.
| Flag | Meaning |
|---|---|
| HttpOnly | JavaScript cannot access this cookie — XSS protection |
| Secure | Only sent over HTTPS |
| SameSite=Strict | Not sent with cross-site requests — CSRF protection |
| Max-Age=N | Expires in N seconds |
HTTP Versions
HTTP/1.0
New TCP connection per request — extremely slow for pages with many resources.
HTTP/1.1
Persistent connections: TCP connection reused for multiple requests. Pipelining: send multiple requests without waiting for responses — but responses must arrive in order (head-of-line blocking).
HTTP/2
- Multiplexing: multiple requests/responses interleaved over one TCP connection, no head-of-line blocking
- Header compression (HPACK): reduces overhead for large/repeated headers
- Server push: server proactively sends resources the client will need
- Binary framing instead of plain text
HTTP/3 (QUIC)
- Runs over QUIC (UDP-based) instead of TCP
- QUIC bakes TLS 1.3 into the handshake — 1 round-trip instead of 2
- Per-stream loss recovery: a lost packet in stream A doesn't block stream B
- Built-in connection migration (survive IP address changes, e.g., WiFi → 5G)
HTTPS = HTTP + TLS
TLS (Transport Layer Security) encrypts the connection. Without it, anyone on the network can read your passwords and data.
TLS 1.3 Handshake
Certificate Chain
The browser verifies each signature up to a trusted root. If any step fails, you see the "Your connection is not secure" warning.
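The same verification the browser performs can be done from code. The following is an added example, not from the original page: a client `ssl` context that insists on chain and hostname verification and a modern TLS floor, plus a probe that completes the handshake and reports what was negotiated, or the verification error that would have produced the browser warning. The host `example.com` in the `__main__` block is an assumed target that needs network access; everything else runs offline.

```python
# Added example (not from the original page): strict TLS client configuration and a
# handshake probe using only the standard library. Hosts below are assumptions.
import socket
import ssl


def make_strict_context() -> ssl.SSLContext:
    """Client context that verifies the chain and hostname and refuses old TLS versions.

    create_default_context() already loads the system trust store and turns on
    verification; restating the settings makes the policy explicit in code so a
    later edit cannot silently weaken it.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 is used when both sides support it
    ctx.check_hostname = True                     # leaf certificate must match the dialled name
    ctx.verify_mode = ssl.CERT_REQUIRED           # an unverifiable chain aborts the handshake
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Plain-data view of the security-relevant context settings (handy for a startup self-check)."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete a TLS handshake with host:port and report the result.

    A chain or name failure surfaces as SSLCertVerificationError, the programmatic
    form of the browser's "connection is not secure" warning.
    """
    ctx = make_strict_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()   # populated only after successful verification
                return {
                    "ok": True,
                    "version": tls.version(),          # e.g. "TLSv1.3"
                    "cipher": tls.cipher()[0],
                    "subject": dict(rdn[0] for rdn in cert["subject"]),
                    "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                    "not_after": cert["notAfter"],
                }
    except ssl.SSLCertVerificationError as exc:   # subclass of SSLError: must come first
        return {"ok": False, "error": "certificate verification failed",
                "detail": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": type(exc).__name__, "detail": str(exc)}


if __name__ == "__main__":
    print(context_summary(make_strict_context()))
    print(probe("example.com"))   # assumed host; requires network access
```

`probe` returns a dictionary rather than raising so that a monitoring job can run it across an inventory of hosts and alert on `"ok": False` or on an approaching `not_after` date.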
CORS — Cross-Origin Resource Sharing
Browsers block JavaScript from making requests to a different origin (protocol + domain + port) than the page — the Same-Origin Policy.
CORS lets servers whitelist trusted origins:
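Here is an added example (not from the original page) of the server side of that whitelist: a function that, given the request headers, decides which CORS response headers to emit, including the preflight case the OPTIONS method in the table above refers to. The allowed origins are constructed placeholders. Two checks a practitioner wants are built in: origins are matched exactly (scheme, host and port), and a `*` wildcard is refused when credentials are allowed.

```python
# Added example (not from the original page): computing CORS response headers from an
# origin allowlist. ALLOWED_ORIGINS holds constructed placeholder origins.

ALLOWED_ORIGINS = frozenset({
    "https://app.example.test",
    "https://admin.example.test",
})


def is_allowed_origin(origin: str, allowed_origins) -> bool:
    """Exact string match: scheme, host and port must all agree.

    Substring or prefix matching is the classic mistake; 'null' is rejected because
    sandboxed frames and some redirects send it and it identifies nobody.
    """
    if origin == "null":
        return False
    return origin in allowed_origins


def cors_headers(request_headers: dict, allowed_origins=ALLOWED_ORIGINS, *,
                 allow_credentials: bool = True,
                 allowed_methods=("GET", "POST", "PUT", "DELETE"),
                 allowed_headers=("Content-Type", "Authorization"),
                 max_age: int = 600) -> dict:
    """Return the CORS response headers for a request (keys of request_headers lower-cased).

    Returns {} when no Origin header is present (same-origin page or non-browser
    client), and only 'Vary: Origin' for an origin that is not on the list, so the
    browser's same-origin policy blocks the response.
    """
    if allow_credentials and "*" in allowed_origins:
        raise ValueError("Access-Control-Allow-Origin: * cannot be combined with credentials")
    origin = request_headers.get("origin")
    if origin is None:
        return {}
    headers = {"Vary": "Origin"}   # responses differ per origin, so caches must key on it
    if not is_allowed_origin(origin, allowed_origins):
        return headers
    headers["Access-Control-Allow-Origin"] = origin
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    if "access-control-request-method" in request_headers:   # OPTIONS preflight
        headers["Access-Control-Allow-Methods"] = ", ".join(allowed_methods)
        headers["Access-Control-Allow-Headers"] = ", ".join(allowed_headers)
        headers["Access-Control-Max-Age"] = str(max_age)
    return headers


if __name__ == "__main__":
    print(cors_headers({"origin": "https://app.example.test"}))
    print(cors_headers({"origin": "https://app.example.test",
                        "access-control-request-method": "PUT"}))
    print(cors_headers({"origin": "https://app.example.test:8443"}))   # port differs: denied
```

Reflecting whatever `Origin` the request carries would make the allowlist meaningless; this function only ever echoes an origin after it has matched the list exactly.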
Python: Making HTTP Requests
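As an added example that is not part of the original page, the following runs a tiny local HTTP server in a thread and drives it with `urllib.request` from the standard library. It also exercises the method and status-code tables from earlier in the page: the server answers GET/POST/PUT/DELETE with 200, 201, 204 and 404, POST creates a new resource on every call while PUT and DELETE can be repeated safely, and the client shows how 4xx/5xx responses (which `urllib` raises as `HTTPError`) are handled without losing the status and body. The resource data is constructed for the demo.

```python
# Added example (not from the original page): a local HTTP/1.1 server plus a urllib
# client. The in-memory "items" resource and its contents are constructed demo data.
import itertools
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

STORE = {}                      # id -> item dict
_ids = itertools.count(1)       # POST hands out a fresh id each call (not idempotent)
_lock = threading.Lock()


class ItemsHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def log_message(self, *args):   # keep the demo quiet
        pass

    def _send(self, status, payload=None):
        body = json.dumps(payload).encode() if payload is not None else b""
        self.send_response(status)
        if status != 204:            # 204 carries no body and no Content-Length
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if body:
            self.wfile.write(body)

    def _read_json(self):
        length = int(self.headers.get("Content-Length", 0))
        return json.loads(self.rfile.read(length)) if length else {}

    def _item_id(self):
        return self.path.rsplit("/", 1)[-1]

    def do_GET(self):                # safe: never changes state
        if self.path == "/items":
            return self._send(200, STORE)
        item = STORE.get(self._item_id())
        return self._send(200, item) if item is not None else self._send(404, {"error": "not found"})

    def do_POST(self):               # creates a new resource every time
        with _lock:
            new_id = str(next(_ids))
            STORE[new_id] = self._read_json()
        self._send(201, {"id": new_id})

    def do_PUT(self):                # replaces; repeating with the same body is a no-op
        item_id = self._item_id()
        with _lock:
            existed = item_id in STORE
            STORE[item_id] = self._read_json()
        self._send(200 if existed else 201, {"id": item_id})

    def do_DELETE(self):             # second delete of the same id is 404, state unchanged
        with _lock:
            removed = STORE.pop(self._item_id(), None)
        self._send(204) if removed is not None else self._send(404, {"error": "not found"})


def start_server():
    """Bind to an ephemeral loopback port and serve in a daemon thread; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), ItemsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def request(url, method="GET", payload=None, headers=None):
    """Send a request and return (status, headers, decoded JSON body or None).

    urllib raises HTTPError for 4xx/5xx; catching it keeps the status and body so
    the caller can branch on the code instead of on an exception.
    """
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            raw = resp.read()
            return resp.status, dict(resp.headers), json.loads(raw) if raw else None
    except urllib.error.HTTPError as err:
        raw = err.read()
        return err.code, dict(err.headers), json.loads(raw) if raw else None


if __name__ == "__main__":
    server, base = start_server()
    print(request(base + "/items", "POST", {"name": "alice"}))   # (201, ..., {'id': '1'})
    print(request(base + "/items/1"))                             # (200, ..., {'name': 'alice'})
    print(request(base + "/items/1", "DELETE"))                   # (204, ..., None)
    print(request(base + "/items/1", "DELETE"))                   # (404, ..., {'error': 'not found'})
    server.shutdown()
```

Binding to port 0 lets the OS pick a free port, so the example never collides with anything else on the machine; the same `request` helper works unchanged against a real API once the base URL is swapped.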
Key Takeaways
- HTTP is stateless and request-response; headers carry metadata about requests and responses
- Methods encode semantics (GET=read, POST=create, PUT=replace, DELETE=remove)
- Status codes: 2xx=success, 3xx=redirect, 4xx=client error, 5xx=server error
- HTTP/2 multiplexes requests; HTTP/3 eliminates TCP head-of-line blocking with QUIC
- HTTPS = HTTP + TLS; the certificate chain proves the server's identity
- Use HttpOnly + Secure + SameSite=Strict cookies to harden auth sessions