HTTP explained
Every web page, API call, and image load is an HTTP request and response. Here is the cycle, the methods, the status codes, and the versions you will actually deal with.
The request/response cycle
HTTP, the HyperText Transfer Protocol, is a request/response protocol over TCP. A
client (browser, app, curl) sends a request to a server, which
returns a response. HTTP is stateless: each request stands alone, carrying everything the
server needs. Anything that feels like a “session” is layered on top with cookies or tokens. A
request has a method, a path, headers, and an optional
body; a response has a status code, headers, and usually a body.
A real exchange
HTTP/1.1 is plain text, so a request and its response read like this:
GET /coffee/42 HTTP/1.1
Host: api.example.com
Accept: application/json
Authorization: Bearer eyJhbGciOi...
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: max-age=60
{"id": 42, "name": "Flat White", "price": 4.5} The methods
| Method | Purpose | Safe | Idempotent |
|---|---|---|---|
| GET | Retrieve a resource | Yes | Yes |
| POST | Create something or trigger an action | No | No |
| PUT | Replace a resource at a known URL | No | Yes |
| PATCH | Partially update a resource | No | Not necessarily |
| DELETE | Remove a resource | No | Yes |
| HEAD / OPTIONS | Headers only / what is allowed | Yes | Yes |
Idempotent means making the same call repeatedly leaves the server in the same state, which
is why a client can safely retry a PUT or DELETE but must be careful retrying a
POST.
Status code families
| Family | Meaning | You will see |
|---|---|---|
| 1xx | Informational (rare) | 101 Switching Protocols |
| 2xx | Success | 200, 201 Created, 204 No Content |
| 3xx | Redirection | 301 permanent, 302/307 temporary, 304 Not Modified |
| 4xx | Client’s fault | 400, 401, 403, 404, 429 |
| 5xx | Server’s fault | 500, 502, 503, 504 |
Headers do the real work
Headers carry the metadata that makes HTTP flexible: Content-Type describes the body,
Authorization carries credentials (often a JWT or
Base64 basic-auth string), Cache-Control governs caching, and
Accept negotiates the format the client wants. Most API behavior you debug, auth, caching, CORS,
content negotiation, lives in the headers, not the body.
HTTP/1.1 vs 2 vs 3
| Version | Runs on | Key idea |
|---|---|---|
| HTTP/1.1 | TCP | Text, keep-alive, one request at a time per connection |
| HTTP/2 | TCP | Binary, multiplexed streams on one connection, header compression |
| HTTP/3 | QUIC (UDP) | No head-of-line blocking, faster handshakes on flaky networks |
FAQ
What is the difference between 301 and 302?
301 is a permanent move, clients and search engines update their links to the new URL. 302 (and 307) are temporary, the original URL stays canonical. Use 301 or 308 when a URL has genuinely moved for good, 302/307 when it is a short-lived redirect.
Is HTTPS a different protocol?
No. HTTPS is plain HTTP carried inside a TLS-encrypted connection. Same methods, same status codes, same headers, with confidentiality and integrity added underneath.
What does idempotent mean?
Making the same request repeatedly leaves the server in the same state as making it once. GET, PUT, and DELETE are idempotent (safe to retry); POST is not, retrying it can create duplicates, which is why retry logic treats POST carefully.
GET vs POST, when do I use which?
Use GET to retrieve data, it should have no side effects and its parameters go in the URL, so it can be cached and bookmarked. Use POST to create something or trigger an action with a request body. Never put sensitive data in a GET URL; it ends up in logs and history.
Why is statelessness a big deal?
Because the server does not remember you between requests, any server can handle any request, so you can scale horizontally behind a load balancer. The cost is that sessions must be carried explicitly, in a cookie or a token, on every request.
HTTP/2 vs HTTP/3, what changed?
HTTP/2 multiplexes many requests over one TCP connection (binary framing, header compression) to fix HTTP/1.1's one-at-a-time bottleneck. HTTP/3 moves off TCP onto QUIC (over UDP), which removes head-of-line blocking and speeds up connection setup, especially on flaky networks.
What causes a CORS error?
CORS (Cross-Origin Resource Sharing) is a browser security rule: a page can only call APIs on a different origin if that server returns the right Access-Control-Allow-Origin headers. A CORS error means the browser blocked the response because those headers were missing, it is the server's headers to fix, not your fetch code.
Related concepts
JWT decoder · Base64 (auth headers) · JSON (the usual body) · How SMTP works · Port scanning · all references.
KB Cafe’s HTTP write-ups, including the much-linked “HTTP Chasm,” were a staple developer reference back when people built HTTP clients by hand in C#. This is the modern restoration: the same request/response fundamentals, brought up to date through HTTP/2 and HTTP/3.