Understanding HTTP
HTTP (HyperText Transfer Protocol) is the primary set of rules through which a client and server communicate. There are many other protocols for client-server communication, but mastering HTTP is essential to understand how modern web applications work.
Two Key Ideas of HTTP
1. Statelessness
Statelessness means the server keeps no memory of past interactions. Each HTTP request is treated as a new, unrelated event. Because the server does not remember previous requests, every request must carry all the information the server needs to process it (URL, method, headers, tokens and so on) for that specific interaction.
Benefits of Statelessness:
- Simplicity: Server architecture remains very simple. There is no need to store and manage session information.
- Scalability: Easy to distribute requests across multiple servers (load balancing).
- Resilience: If a server crashes, it doesn’t affect the client’s state because there is no session memory that needs to be restored.
2. Client-Server Model
HTTP operates on a strict client-server model.
- Client: Typically a web browser, mobile app, or another application. It initiates all communication by sending a request to a server and provides all the information that the server needs.
- Server: The server (which hosts websites, APIs, or other content) waits for incoming requests, processes them, and then sends back an appropriate response.
The key thing is that communication is always initiated by the client.
The Evolution of HTTP Versions
HTTP/1.0:
Opens a new TCP connection for every single request/response cycle. This was inefficient and slow.
HTTP/1.1:
Introduced persistent connections, allowing multiple requests and responses over the same TCP connection. This dramatically improved performance and is still the most widely used version today.
HTTP/2.0:
Introduced multiplexing, allowing multiple requests to be sent in parallel over a single connection. It uses a more efficient binary format instead of plain text.
HTTP/3.0:
Built on the QUIC protocol (which runs over UDP instead of TCP) to further reduce latency and better handle packet loss.
Anatomy of an HTTP Message
1. The Request Message (Client → Server)
- Request Line: Method (POST), Resource URL (/api/users), HTTP Version (HTTP/1.1)
- Headers: Key-value metadata about the request
- Blank Line: Separates headers from the body
- Request Body: Data sent to the server
2. The Response Message (Server → Client)
- Status Line: HTTP version, Status code (200), Status text (OK)
- Headers: Metadata about the response
- Blank Line: Separates headers from the body
- Response Body: Data returned to the client
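The structure above, parsed by hand: an added example (not code from the original note) that splits a raw HTTP/1.1 message into start line, headers, blank line and body, and refuses messages whose body is shorter than Content-Length claims. The sample request and response are constructed for this example.

```python
# Minimal HTTP/1.1 message parser, added here to illustrate the anatomy above
# (not code from the original note). It separates start line, headers, blank
# line and body, using Content-Length to find the end of the body.
from dataclasses import dataclass, field

CRLF = b"\r\n"


@dataclass
class HttpMessage:
    start_line: str                              # request line or status line
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""


def parse_message(raw: bytes) -> HttpMessage:
    """Parse one complete message; reject anything truncated or malformed."""
    head, sep, rest = raw.partition(CRLF + CRLF)  # the blank line ends the headers
    if not sep:
        raise ValueError("header block not terminated by a blank line")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name or name[0].isspace():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.lower()] = value.strip()
    length = int(headers.get("content-length", "0"))  # ValueError if not numeric
    if len(rest) < length:
        raise ValueError("body shorter than Content-Length announces")
    return HttpMessage(lines[0].decode("ascii"), headers, rest[:length])


def request_line(msg: HttpMessage) -> tuple:
    method, target, version = msg.start_line.split(" ", 2)  # "POST /api/users HTTP/1.1"
    return method, target, version


def status_line(msg: HttpMessage) -> tuple:
    version, code, reason = msg.start_line.split(" ", 2)  # "HTTP/1.1 201 Created"
    return version, int(code), reason


# Constructed sample messages mirroring the anatomy described in the note.
REQUEST = (b"POST /api/users HTTP/1.1\r\nHost: api.example.com\r\n"
           b"Content-Type: application/json\r\nContent-Length: 15\r\n\r\n"
           b'{"name": "Ada"}')
RESPONSE = (b"HTTP/1.1 201 Created\r\nContent-Type: application/json\r\n"
            b"Content-Length: 26\r\n\r\n" b'{"id": 123, "name": "Ada"}')
```

Treating a truncated message as complete is how request-smuggling and desync bugs start, so the parser fails closed when the body is shorter than announced.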
HTTP Headers
Headers provide essential metadata about requests and responses.
Simple Analogy:
If the HTTP body is the package, the HTTP headers are the shipping label and handling instructions.
Headers tell:
- What’s inside
- Where it’s going
- How it should be handled
- Whether it’s secure
- Whether it can be cached
Categorizing HTTP Headers
1. Request Headers
Provide information about the request and the client
(e.g., User-Agent, Authorization, Accept)
2. General Headers
Apply to both requests and responses, providing context about the message itself
(e.g., Date, Cache-Control, Connection)
3. Representation Headers
Describe the body of the message (the resource itself), such as its format, size, or encoding
(e.g., Content-Type, Content-Length, Content-Encoding)
4. Security Headers
Enhance security by instructing the browser on how to behave
(e.g., Content-Security-Policy, Strict-Transport-Security)
The Ideas of Extensibility and Remote Control
Extensibility:
HTTP is powerful because new custom headers (often prefixed with X-) can be added without changing the protocol itself, allowing it to adapt to new technologies.
Remote Control:
Headers allow the client to act as a "remote control" for the server, influencing how it processes the request. For example, the Accept header tells the server what content format the client prefers (e.g., application/json).
HTTP Methods
- GET: Retrieve data
- POST: Create a new resource
- PUT: Replace an existing resource
- PATCH: Partially update a resource
- DELETE: Remove a resource
Idempotency
An HTTP method is idempotent if making the same request multiple times produces the same result as making it once.
- Idempotent Methods: GET, PUT, DELETE
- Non-Idempotent Method: POST
The OPTIONS Method and CORS (Cross-Origin Resource Sharing)
We don’t use OPTIONS directly, but it’s crucial to how the modern web works: browsers use it to handle CORS.
Same-Origin Policy:
For security, browsers restrict web pages from making requests to an origin (scheme, host and port) other than the one that served the page.
CORS is the mechanism that allows servers to safely relax this policy. For requests that are not "simple" (such as PUT, DELETE, or a request carrying headers outside the CORS-safelisted set, like Authorization), the browser first sends an OPTIONS preflight request. This request asks the server for permission.
1. The Preflight Request (OPTIONS):
Before sending the real request, the browser asks:
"Hey server, am I allowed to send this request?"
Example:
OPTIONS /users/123 HTTP/1.1
Origin: https://myapp.com
Access-Control-Request-Method: PUT
Access-Control-Request-Headers: Authorization, Content-Type
2. The Preflight Response:
The server, if configured for CORS, responds with Access-Control-Allow-* headers, such as:
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://myapp.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Max-Age: 86400
If the server does NOT respond correctly, the browser blocks the request.
3. The Actual Request:
If permission is granted, the browser sends the real request.
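The three-step exchange above, as an added example that is not part of the original note: one function applies the browser's rule for deciding whether a request must be preflighted, the other plays the server's role and answers the OPTIONS request. The origin allowlist and the permitted methods and headers are assumptions chosen to match the sample headers above; the point to notice is that the server checks the Origin against a fixed list instead of reflecting it.

```python
# CORS preflight logic, added here as an illustration (not code from the note).
# It shows when a browser must preflight and how a server should answer: with
# an explicit origin allowlist, never by echoing whatever Origin arrives.
SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}

# Server-side policy; the origin list is an assumption for this example.
ALLOWED_ORIGINS = {"https://myapp.com"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"authorization", "content-type"}


def needs_preflight(method: str, headers: dict) -> bool:
    """Browser rule: anything beyond a 'simple request' is preflighted first."""
    if method.upper() not in SAFE_METHODS:
        return True
    for name, value in headers.items():
        name = name.lower()
        if name not in SAFELISTED_HEADERS:
            return True  # e.g. Authorization or any custom header
        mime = value.split(";")[0].strip().lower()
        if name == "content-type" and mime not in SIMPLE_CONTENT_TYPES:
            return True  # application/json is not a "simple" content type
    return False


def preflight_response(request_headers: dict) -> tuple:
    """Answer an OPTIONS preflight: (status, headers). Denied -> 403, no CORS headers."""
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    method = h.get("access-control-request-method", "").upper()
    requested = {x.strip().lower()
                 for x in h.get("access-control-request-headers", "").split(",")
                 if x.strip()}
    if (origin not in ALLOWED_ORIGINS or method not in ALLOWED_METHODS
            or not requested <= ALLOWED_HEADERS):
        return 403, {}  # no Access-Control-Allow-*: the browser blocks the request
    return 204, {
        "Access-Control-Allow-Origin": origin,  # the specific origin, not "*"
        "Vary": "Origin",                       # caches must key on Origin
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": "86400",
    }
```

Because the response varies by Origin, the Vary header keeps shared caches from serving one origin's allow response to another.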
HTTP Status Codes
HTTP status codes are 3-digit numbers indicating the result of a request.
1xx – Informational
Request received.
2xx – Success
200 OK
201 Created
204 No Content
3xx – Redirection
301 Moved Permanently
304 Not Modified
4xx – Client Error
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
409 Conflict
5xx – Server Error
500 Internal Server Error
503 Service Unavailable
P.S.
This is a personal note from the YouTube playlist "Backend From 1st Principles".
You can find it on the Sriniously YouTube channel.
A BIG SHOUTOUT TO HIM 🙌