Knowledge Base · Networking

HTTP explained

Every web page, API call, and image load is an HTTP request and response. Here is the cycle, the methods, the status codes, and the versions you will actually deal with.

The request/response cycle

HTTP, the HyperText Transfer Protocol, is a request/response protocol over TCP. A client (browser, app, curl) sends a request to a server, which returns a response. HTTP is stateless: each request stands alone, carrying everything the server needs. Anything that feels like a “session” is layered on top with cookies or tokens. A request has a method, a path, headers, and an optional body; a response has a status code, headers, and usually a body.

A real exchange

HTTP/1.1 is plain text, so a request and its response read like this:

GET /coffee/42 HTTP/1.1
Host: api.example.com
Accept: application/json
Authorization: Bearer eyJhbGciOi...

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: max-age=60

{"id": 42, "name": "Flat White", "price": 4.5}

The methods

MethodPurposeSafeIdempotent
GETRetrieve a resourceYesYes
POSTCreate something or trigger an actionNoNo
PUTReplace a resource at a known URLNoYes
PATCHPartially update a resourceNoNot necessarily
DELETERemove a resourceNoYes
HEAD / OPTIONSHeaders only / what is allowedYesYes

Idempotent means making the same call repeatedly leaves the server in the same state, which is why a client can safely retry a PUT or DELETE but must be careful retrying a POST.

Status code families

FamilyMeaningYou will see
1xxInformational (rare)101 Switching Protocols
2xxSuccess200, 201 Created, 204 No Content
3xxRedirection301 permanent, 302/307 temporary, 304 Not Modified
4xxClient’s fault400, 401, 403, 404, 429
5xxServer’s fault500, 502, 503, 504

Headers do the real work

Headers carry the metadata that makes HTTP flexible: Content-Type describes the body, Authorization carries credentials (often a JWT or Base64 basic-auth string), Cache-Control governs caching, and Accept negotiates the format the client wants. Most API behavior you debug, auth, caching, CORS, content negotiation, lives in the headers, not the body.

HTTP/1.1 vs 2 vs 3

VersionRuns onKey idea
HTTP/1.1TCPText, keep-alive, one request at a time per connection
HTTP/2TCPBinary, multiplexed streams on one connection, header compression
HTTP/3QUIC (UDP)No head-of-line blocking, faster handshakes on flaky networks

FAQ

What is the difference between 301 and 302?

301 is a permanent move, clients and search engines update their links to the new URL. 302 (and 307) are temporary, the original URL stays canonical. Use 301 or 308 when a URL has genuinely moved for good, 302/307 when it is a short-lived redirect.

Is HTTPS a different protocol?

No. HTTPS is plain HTTP carried inside a TLS-encrypted connection. Same methods, same status codes, same headers, with confidentiality and integrity added underneath.

What does idempotent mean?

Making the same request repeatedly leaves the server in the same state as making it once. GET, PUT, and DELETE are idempotent (safe to retry); POST is not, retrying it can create duplicates, which is why retry logic treats POST carefully.

GET vs POST, when do I use which?

Use GET to retrieve data, it should have no side effects and its parameters go in the URL, so it can be cached and bookmarked. Use POST to create something or trigger an action with a request body. Never put sensitive data in a GET URL; it ends up in logs and history.

Why is statelessness a big deal?

Because the server does not remember you between requests, any server can handle any request, so you can scale horizontally behind a load balancer. The cost is that sessions must be carried explicitly, in a cookie or a token, on every request.

HTTP/2 vs HTTP/3, what changed?

HTTP/2 multiplexes many requests over one TCP connection (binary framing, header compression) to fix HTTP/1.1's one-at-a-time bottleneck. HTTP/3 moves off TCP onto QUIC (over UDP), which removes head-of-line blocking and speeds up connection setup, especially on flaky networks.

What causes a CORS error?

CORS (Cross-Origin Resource Sharing) is a browser security rule: a page can only call APIs on a different origin if that server returns the right Access-Control-Allow-Origin headers. A CORS error means the browser blocked the response because those headers were missing, it is the server's headers to fix, not your fetch code.

Related concepts

JWT decoder · Base64 (auth headers) · JSON (the usual body) · How SMTP works · Port scanning · all references.

☕ KB Cafe Classic

KB Cafe’s HTTP write-ups, including the much-linked “HTTP Chasm,” were a staple developer reference back when people built HTTP clients by hand in C#. This is the modern restoration: the same request/response fundamentals, brought up to date through HTTP/2 and HTTP/3.