Introduction to HTTP

Hypertext Transfer Protocol - The Foundation of Web Communication

Computer Networks | Undergraduate Level | Application Layer Protocol | RFC 9114 (HTTP/3)

📋 Protocol Overview

Definition: HTTP (Hypertext Transfer Protocol) is an application-layer protocol (Layer 7 OSI, Layer 4 TCP/IP) designed to transfer information between networked devices and runs on top of other layers of the network protocol stack, most commonly TCP/IP. [^7^]

HTTP is the foundation of data communication on the World Wide Web. It follows a client-server model where a client (typically a web browser) sends a request to a server, which then processes the request and returns an appropriate response.

Basic HTTP Communication Flow

  Client (Browser/App)  --- HTTP Request  (GET/POST/etc) --->  Server (Web Server)
  Client (Browser/App)  <-- HTTP Response (200 OK/etc)   ----  Server (Web Server)

Key Characteristics

💡 Key Concept: Request-Response Cycle

Every HTTP interaction consists of a single request from client to server followed by a single response from server to client. This simple model enables the entire web to function.

🔧 HTTP Fundamentals

HTTP Message Structure

GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html,application/xhtml+xml
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

[Optional Request Body]

Request Line: Contains the method (GET), path (/index.html), and HTTP version (HTTP/1.1)

Headers: Metadata about the request including host, client capabilities, and preferences

Body: Optional data sent with POST, PUT, PATCH requests

HTTP/1.1 200 OK
Date: Mon, 13 Apr 2026 23:42:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Content-Length: 138
Connection: keep-alive

<html>
<body>
<h1>Hello, World!</h1>
</body>
</html>

Status Line: HTTP version, status code (200), and reason phrase (OK)

Headers: Server information, content type, length, and caching directives

Body: The actual content (HTML, JSON, images, etc.)
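The request format described above, parsed by a small HTTP/1.1 request parser added here as an example (not code from the original page). It enforces the structural rules the text implies: CRLF line endings, the empty line that ends the header section, a Content-Length-delimited body, and the Host header HTTP/1.1 requires; the sample request is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""

def parse_request(raw: bytes) -> HttpRequest:
    """Parse one HTTP/1.1 request from raw bytes; raise ValueError if malformed."""
    head, sep, rest = raw.partition(b"\r\n\r\n")  # an empty line ends the header section
    if not sep:
        raise ValueError("header section not terminated by an empty line")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"bad request line: {lines[0]!r}")
    method, target, version = parts
    headers: dict = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        # no whitespace is allowed around the field name (RFC 9112), so reject it
        if not colon or not name or name != name.strip():
            raise ValueError(f"bad header line: {line!r}")
        key, value = name.lower(), value.strip()
        if key == "content-length" and headers.get(key, value) != value:
            # conflicting lengths make the message framing ambiguous
            # (the precondition for request smuggling): reject, never guess
            raise ValueError("conflicting Content-Length headers")
        headers[key] = value
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 requires a Host header")
    length = int(headers.get("content-length", "0"))  # ValueError if non-numeric
    if length < 0 or len(rest) < length:
        raise ValueError("body shorter than Content-Length")
    return HttpRequest(method, target, version, headers, rest[:length])

# Constructed sample matching the request shown above (not captured traffic)
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Accept: text/html,application/xhtml+xml\r\n"
    b"Connection: keep-alive\r\n\r\n"
)

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req.method, req.target, req.version, req.headers["host"], len(req.body))
```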

URL Structure

https://www.example.com:8080/path/to/resource?key1=value1&key2=value2#fragment

Component | Description                            | Example
Scheme    | Protocol used (http or https)          | https://
Host      | Domain name or IP address              | www.example.com
Port      | Port number (optional, default 80/443) | :8080
Path      | Resource location on server            | /path/to/resource
Query     | Parameters passed to resource          | ?key1=value1
Fragment  | Section within resource                | #section1

🛠️ HTTP Methods

HTTP defines several methods (verbs) that indicate the desired action to be performed on the identified resource. According to RFC specifications, methods are case-sensitive and should be uppercase. [^5^]

GET

Safe & Idempotent

Retrieves a resource from the server. Should not have side effects on server state.

GET /users/123 HTTP/1.1
Host: api.example.com

POST

Not Safe, Not Idempotent

Submits data to be processed (e.g., form submission, creating a resource).

POST /users HTTP/1.1
Content-Type: application/json

{"name": "John", "email": "john@example.com"}

PUT

Idempotent

Updates or replaces an existing resource with the request payload.

PUT /users/123 HTTP/1.1
Content-Type: application/json

{"name": "John Updated"}

DELETE

Idempotent

Removes the specified resource from the server.

DELETE /users/123 HTTP/1.1

PATCH

Not necessarily Idempotent

Applies partial modifications to a resource (unlike PUT which replaces entirely).

PATCH /users/123 HTTP/1.1
Content-Type: application/json

{"email": "newemail@example.com"}

HEAD

Safe & Idempotent

Identical to GET but returns only headers, no body. Useful for checking existence.

HEAD /users/123 HTTP/1.1

Important: GET requests should never be used for sensitive data or actions that modify server state, as they may be cached, bookmarked, or logged in browser history.
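The safe and idempotent properties above, made concrete with a toy in-memory /users resource (an added example, not code from the page). The store dispatches the six methods described, and classify() replays a request on copies of the store to decide whether it is safe (state unchanged after one call) and idempotent (one call leaves the same state as two); the append-style PATCH is a hypothetical patch format chosen to show why PATCH is not necessarily idempotent.

```python
import copy

class UserStore:
    """Toy in-memory /users resource used to illustrate safe vs. idempotent methods."""
    def __init__(self):
        self.users = {}       # id -> representation
        self.next_id = 1

    def handle(self, method, path, body=None):
        """Dispatch one request to /users or /users/<id>; return (status, body)."""
        parts = path.strip("/").split("/")
        if parts[0] != "users" or (len(parts) > 1 and not parts[1].isdigit()):
            return 404, None
        uid = int(parts[1]) if len(parts) > 1 else None
        if method == "GET":
            if uid is None:
                return 200, list(self.users.values())
            return (200, self.users[uid]) if uid in self.users else (404, None)
        if method == "HEAD":                       # same status as GET, no body
            return self.handle("GET", path)[0], None
        if method == "POST" and uid is None:       # every call creates a new resource
            uid, self.next_id = self.next_id, self.next_id + 1
            self.users[uid] = {"id": uid, **body}
            return 201, self.users[uid]
        if method == "PUT" and uid is not None:    # full replacement at a known id
            self.users[uid] = {"id": uid, **body}
            return 200, self.users[uid]
        if method == "PATCH" and uid in self.users:
            if "append_tag" in body:               # hypothetical append-style patch
                self.users[uid].setdefault("tags", []).append(body["append_tag"])
            else:                                  # merge-style patch
                self.users[uid].update(body)
            return 200, self.users[uid]
        if method == "DELETE" and uid is not None:
            existed = self.users.pop(uid, None) is not None
            return (204 if existed else 404), None  # second call: 404, same state
        return 405, None

def classify(store, method, path, body=None):
    """Return (safe, idempotent): replay the request on copies and compare state.
    Safe = state unchanged after one call; idempotent = one call == two calls."""
    once, twice = copy.deepcopy(store), copy.deepcopy(store)
    once.handle(method, path, body)
    twice.handle(method, path, body)
    twice.handle(method, path, body)
    return once.users == store.users, once.users == twice.users
```

Note that a second DELETE returns 404 while the first returned 204: idempotency is about the resulting server state, not about identical responses.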


📊 HTTP Status Codes

Status codes are three-digit integers where the first digit defines the class and the last two digits do not have categorization roles. According to MDN Web Docs, there are five standard classes. [^2^]

Code | Reason Phrase         | Meaning
200  | OK                    | Request succeeded. Most common success code.
201  | Created               | Request succeeded and new resource created.
204  | No Content            | Success but no body to return (e.g., DELETE).
301  | Moved Permanently     | Resource relocated permanently. Update bookmarks.
302  | Found                 | Temporary redirect. Continue using original URL.
304  | Not Modified          | Cached version is still valid. Use cache.
400  | Bad Request           | Server cannot process due to client error.
401  | Unauthorized          | Authentication required or failed.
403  | Forbidden             | Authenticated but not authorized for this resource.
404  | Not Found             | Resource does not exist at this URL.
429  | Too Many Requests     | Rate limit exceeded. Retry after delay.
500  | Internal Server Error | Server encountered unexpected condition.
502  | Bad Gateway           | Invalid response from upstream server.
503  | Service Unavailable   | Server temporarily overloaded or down.

Status Code Classes:
  • 1xx (Informational): Request received, continuing process
  • 2xx (Success): Request successfully received, understood, and accepted
  • 3xx (Redirection): Further action needs to be taken to complete the request
  • 4xx (Client Error): Request contains bad syntax or cannot be fulfilled
  • 5xx (Server Error): Server failed to fulfill an apparently valid request

📨 HTTP Headers

HTTP headers provide additional information about the request or response, or about the object sent in the message body. They are key-value pairs separated by colons.

Common Request Headers

Header        | Purpose                                            | Example
Host          | Specifies the server domain (required in HTTP/1.1+) | Host: www.example.com
User-Agent    | Identifies the client software                     | Mozilla/5.0 (Windows NT 10.0...)
Accept        | Indicates preferred content types                  | text/html, application/json
Content-Type  | Media type of request body                         | application/json
Authorization | Credentials for authentication                     | Bearer eyJhbGciOiJIUzI1...
Cookie        | Sends stored cookies to server                     | sessionid=abc123; user=john

Common Response Headers

Header           | Purpose                        | Example
Content-Type     | Media type of response body    | text/html; charset=utf-8
Content-Length   | Size of response body in bytes | 348
Location         | Redirect target URL            | /new-path/resource
Set-Cookie       | Sets a cookie on client        | sessionid=xyz789; Path=/
Cache-Control    | Caching directives             | max-age=3600, no-cache
WWW-Authenticate | Authentication method required | Bearer realm="api"

Best Practice: Always include appropriate Content-Type headers so clients know how to parse the response. For JSON APIs, use application/json.

🚀 Evolution of HTTP

HTTP has evolved significantly since its inception in 1991, with each version addressing performance and security limitations of its predecessor. [^1^][^7^]

1991 - HTTP/0.9

The one-line protocol. Only supported GET method, no headers, just raw HTML. Extremely simple but limited.

1996 - HTTP/1.0

Added headers, status codes, and additional methods (POST, HEAD). Still created new TCP connection for each request.

1999 - HTTP/1.1

Introduced persistent connections (keep-alive), pipelining, caching mechanisms, and chunked transfer encoding. Still suffers from head-of-line blocking. [^8^]

2015 - HTTP/2

Binary protocol with multiplexing, header compression (HPACK), server push, and stream prioritization. Runs over TCP but solves HTTP-level head-of-line blocking. [^4^]

2022 - HTTP/3

Uses QUIC over UDP instead of TCP. Eliminates transport-level head-of-line blocking, enables 0-RTT connections, and mandates TLS 1.3 encryption. [^6^]

Protocol Comparison

Feature               | HTTP/1.1              | HTTP/2               | HTTP/3
Transport             | TCP                   | TCP                  | QUIC (UDP)
Multiplexing          | ❌ No                 | ✅ Yes               | ✅ Yes
Head-of-Line Blocking | ❌ TCP & HTTP level   | ⚠️ TCP level only    | ✅ Eliminated
Header Compression    | ❌ No                 | ✅ HPACK             | ✅ QPACK
Server Push           | ❌ No                 | ✅ Yes               | ✅ Yes
Encryption            | ⚠️ Optional           | ⚠️ Optional (TLS)    | ✅ Mandatory TLS 1.3
Connection Setup      | Multiple RTTs         | 2-3 RTTs             | 0-1 RTT (0-RTT resumption)

Interactive: Protocol Performance Comparison

[HTTP/1.1 Simulation] Loading 6 resources (index.html, styles.css, app.js, img1.jpg, img2.jpg, api/data.json)

Timeline:
    0ms [====] TCP Handshake
   50ms [====] TLS Handshake (if HTTPS)
  100ms [====] Request 1: index.html
  150ms [====] Response 1: index.html (50KB)
  200ms [====] Request 2: styles.css
  250ms [====] Response 2: styles.css (20KB)
    ... [====] Sequential loading continues
  800ms [====] All resources loaded (6 round trips)

Total Time: ~800ms
Connection: 6 separate TCP connections (or pipelined on 1)
Head-of-line blocking: YES - each request waits for previous

Why HTTP/3 Matters: HTTP/3's QUIC protocol handles packet loss better than TCP. If one stream loses a packet, other streams continue unaffected. This is crucial for mobile networks with high packet loss. [^4^]

🔒 Security in HTTP

HTTPS: HTTP over TLS/SSL

HTTPS (HTTP Secure) encrypts HTTP communications using Transport Layer Security (TLS). Modern versions:

HTTPS Handshake Process

  1. Client Hello   - supported cipher suites
  2. Server Hello   - selected cipher + certificate
  3. Key Exchange   - generate session keys
  4. Encrypted HTTP - secure communication

Security Headers

Header                          | Purpose
Strict-Transport-Security (HSTS) | Forces HTTPS connections for specified time
Content-Security-Policy (CSP)   | Prevents XSS by controlling resource loading
X-Frame-Options                 | Prevents clickjacking attacks
X-Content-Type-Options          | Prevents MIME type sniffing
Referrer-Policy                 | Controls referrer information leakage

Security Warning: Never send sensitive data (passwords, credit cards) over unencrypted HTTP. Always use HTTPS with valid certificates.
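A checker for the security headers listed above, added here as an example (not code from the page): it parses a response header block and reports each header as ok, weak or missing. The "strong value" thresholds (a one-year HSTS max-age, a CSP with default-src and no 'unsafe-inline', and the accepted Referrer-Policy values) are assumptions chosen for the example, and the sample response is constructed.

```python
# Thresholds below are assumptions chosen for this example, not values from the page.
def _max_age(value: str) -> int:
    """Extract max-age from a directive list such as 'max-age=31536000; includeSubDomains'."""
    for part in value.split(";"):
        name, _, num = part.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0

# header name -> predicate returning True when the value is considered strong
CHECKS = {
    "strict-transport-security": lambda v: _max_age(v) >= 31536000,  # at least one year
    "content-security-policy": lambda v: "default-src" in v.lower() and "'unsafe-inline'" not in v.lower(),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip().lower() in (
        "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
}

def parse_header_block(raw: str) -> dict:
    """Turn the header section of a response into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines():
        name, colon, value = line.partition(":")
        if colon and name:                 # the status line has no colon and is skipped
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_security_headers(headers: dict) -> dict:
    """Return {header: 'ok' | 'weak' | 'missing'} for each security header above."""
    report = {}
    for name, strong in CHECKS.items():
        if name not in headers:
            report[name] = "missing"
        else:
            report[name] = "ok" if strong(headers[name]) else "weak"
    return report

# Constructed sample response (not captured from a real server)
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=86400
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""

if __name__ == "__main__":
    for header, verdict in audit_security_headers(parse_header_block(SAMPLE_RESPONSE)).items():
        print(f"{header:28} {verdict}")
```

On the sample, HSTS is flagged weak (one-day max-age), CSP is flagged weak (allows inline scripts) and X-Frame-Options is missing, which is the kind of finding a response-header review is meant to surface.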

📝 Knowledge Check

Test your understanding of HTTP concepts with these practice questions:

1. Which HTTP method is both safe and idempotent?
A) POST
B) GET
C) PATCH
D) DELETE
2. What does HTTP status code 304 indicate?
A) Bad Request
B) Not Found
C) Not Modified
D) Unauthorized
3. Which transport protocol does HTTP/3 use?
A) TCP
B) QUIC over UDP
C) SCTP
D) WebSocket
4. What is the primary purpose of the Host header in HTTP/1.1?
A) To identify the client's IP address
B) To allow virtual hosting (multiple domains on one IP)
C) To specify the server's port number
D) To enable caching
Study Tip: Review the differences between 401 (Unauthorized - authentication required) and 403 (Forbidden - authenticated but not authorized). This is a common interview question!