HTTP explained

Every web page, API call, and image load is an HTTP request and response. Here’s the cycle, the methods, and the status codes you’ll actually deal with.

The request/response cycle

HTTP, the HyperText Transfer Protocol, is a request/response protocol over TCP. A client (browser, app, curl) sends a request to a server, which returns a response. HTTP is stateless: each request stands alone, carrying everything the server needs. Anything that feels like a “session” is layered on top with cookies or tokens.

A request has a method, a path, headers, and an optional body. A response has a status code, headers, and usually a body.

The methods

  • GET: retrieve a resource. Should have no side effects (safe).
  • POST: submit data; create something or trigger an action. Not idempotent.
  • PUT: replace a resource at a known URL. Idempotent.
  • PATCH: partially update a resource.
  • DELETE: remove a resource. Idempotent.
  • HEAD / OPTIONS: fetch just headers / ask what’s allowed.

Idempotent means making the same call repeatedly leaves the server in the same state, which is why clients can safely retry a PUT or DELETE but must be careful retrying a POST.

Status code families

  • 1xx: informational (rare; e.g. 101 Switching Protocols).
  • 2xx: success (200 OK, 201 Created, 204 No Content).
  • 3xx: redirection (301 permanent, 302/307 temporary, 304 Not Modified).
  • 4xx: the client’s fault (400, 401 unauthenticated, 403 forbidden, 404 not found, 429 too many requests).
  • 5xx: the server’s fault (500 internal error, 502/503/504 gateway/availability).
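The idempotency rule and the status families combine into a retry policy. The following is an added example, not code from the original page: it repeats a request only when the method is idempotent and the outcome was a lost reply or a 429/502/503/504. The retryable status set, the function names, and the FlakyServer stand-in are assumptions made for illustration.

```python
# Assumption: which statuses count as "try again later" is a policy choice.
RETRYABLE_STATUS = {429, 502, 503, 504}
# Methods whose repetition leaves the server in the same state.
IDEMPOTENT = {"GET", "HEAD", "OPTIONS", "PUT", "DELETE"}


def should_retry(method, status, attempt, max_attempts=3):
    """Decide whether repeating the request is safe and worthwhile.

    status is None when no reply arrived, so the client cannot know
    whether the server already acted on the request.
    """
    if attempt >= max_attempts:
        return False
    if method.upper() not in IDEMPOTENT:
        return False  # POST (and PATCH): a repeat may apply the change twice
    return status is None or status in RETRYABLE_STATUS


def send_with_retry(transport, method, path, max_attempts=3):
    """Call transport(method, path) until the policy says stop.

    Returns (last_status, attempts_made).
    """
    for attempt in range(1, max_attempts + 1):
        try:
            status = transport(method, path)
        except ConnectionError:
            status = None  # reply lost; server state unknown
        if not should_retry(method, status, attempt, max_attempts):
            return status, attempt


class FlakyServer:
    """Constructed stand-in: applies every write, but loses the first reply."""

    def __init__(self):
        self.orders = []     # POST /orders appends a new order each time
        self.profile = None  # PUT /profile replaces the stored value
        self.calls = 0

    def __call__(self, method, path):
        self.calls += 1
        if method == "POST":
            self.orders.append("order")
        elif method == "PUT":
            self.profile = "alice"
        if self.calls == 1:
            raise ConnectionError("reply lost after the write was applied")
        return 201 if method == "POST" else 200
```

With the lost first reply, the PUT is retried and the profile ends in the same state, while the POST is surfaced to the caller after one attempt so that exactly one order exists.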

Headers do the real work

Headers carry the metadata that makes HTTP flexible: Content-Type describes the body, Authorization carries credentials, Cache-Control governs caching, and Accept negotiates the format the client wants. Most API behavior you debug (auth, caching, CORS, content negotiation) lives in the headers, not the body.

FAQ

What’s the difference between 301 and 302?

301 is a permanent move (clients and search engines update their links); 302/307 are temporary. Use 301/308 when a URL has genuinely moved for good.

Is HTTPS a different protocol?

No. HTTPS is HTTP carried inside a TLS-encrypted connection. Same methods, same status codes, with confidentiality and integrity added.

Why is “stateless” a big deal?

Because the server doesn’t remember you between requests, you can scale horizontally (any server can handle any request), and sessions must be carried explicitly via cookies or tokens.

Related

API tokens are often JWTs; auth headers use Base64. Email rides similar TCP plumbing; see SMTP.