HTTP Crash Course


Introduction
HTTP (HyperText Transfer Protocol) is a protocol designed for web applications to transfer hypermedia documents, such as HTML pages, between a browser and a server. It can also be used for other purposes, such as machine-to-machine communication and calling API endpoints.
Key properties of HTTP:
It is a stateless protocol: the server keeps no memory of earlier requests.
It follows the client-server model: the client opens a connection, sends a request, and waits for the server's response.
It is human readable: we can inspect each request and response in the browser's developer tools (Inspect Element, the Network tab, and View Page Source).
What is a Protocol?
A protocol is the set of rules that defines a standard way for web applications to share information.
HTTP Headers
HTTP headers are additional pieces of information sent along with a request or response. They carry metadata such as the content type, cookies, the request type, the status code, the user agent, etc.
We can also create our own custom HTTP headers. By convention, each word in the header name starts with a capital letter and words are separated by a hyphen (-); this is a convention, not a requirement.
Example:
Powered-By: Express
X-Owner-Name: Krishna
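To make the "human readable" point concrete, here is an added example (not code from the original post) that parses a constructed raw HTTP/1.1 request into its request line, headers and body, and checks a header name against the Capitalised-Words-With-Hyphens convention described above. The sample request, the header names it contains and the function names are all assumptions made for this example.

```javascript
// Added example: parse a raw HTTP/1.1 request to show that the protocol is
// plain, human-readable text. The request below is constructed for this example.
const SAMPLE_REQUEST =
  "POST /api/posts HTTP/1.1\r\n" +
  "Host: example.test\r\n" +
  "Content-Type: application/json\r\n" +
  "X-Owner-Name: Krishna\r\n" +
  "Cookie: sid=abc123; theme=dark\r\n" +
  "Content-Length: 17\r\n" +
  "\r\n" +
  '{"title":"hello"}';

// Header names are case-insensitive, so they are stored lowercased.
function parseRequest(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  if (sep === -1) throw new Error("malformed request: no end of headers");
  const head = raw.slice(0, sep);
  const body = raw.slice(sep + 4);
  const lines = head.split("\r\n");
  const [method, path, version] = lines[0].split(" ");
  if (!method || !path || !version) throw new Error("malformed request line");
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx === -1) throw new Error(`malformed header line: ${line}`);
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // A repeated header name is joined into one comma-separated value
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  // Reject a body whose size disagrees with the declared Content-Length,
  // so a truncated or oversized payload is not silently accepted.
  const declared = headers["content-length"];
  if (declared !== undefined && Number(declared) !== Buffer.byteLength(body, "utf8")) {
    throw new Error("Content-Length does not match body size");
  }
  return { method, path, version, headers, body };
}

// Convention check: every hyphen-separated word starts with a capital letter
function followsHeaderConvention(name) {
  return /^[A-Z][A-Za-z0-9]*(-[A-Z][A-Za-z0-9]*)*$/.test(name);
}

const req = parseRequest(SAMPLE_REQUEST);
console.log(req.method, req.path, req.version);
console.log(req.headers["x-owner-name"], followsHeaderConvention("X-Owner-Name"));
```

The Content-Length check is the part worth copying: a server that trusts the declared length without comparing it to what actually arrived will read past the body or accept a truncated one.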
| Header | Meaning |
| --- | --- |
| Content-Type | Specifies the type or format of the request body (payload) |
| Cookie | Key-value paired information sent by the client |
| Accept-Type | Specifies the acceptable media type(s), such as application/json or */* |
| Accept-Charset | Acceptable character encoding(s) |
| Origin | Specifies the current domain; used for CORS |
| From | Email address of the user making the request |
For more standard HTTP headers, see the HTTP request headers list.
HTTP Status Codes
An HTTP status code is a three-digit number that indicates whether an HTTP request has been completed or not. Status codes range from 100 to 599 and are grouped into five classes:
Informational responses (100–199)
Successful responses (200–299)
Redirection messages (300–399)
Client error responses (400–499)
Server error responses (500–599)
HTTP Verbs
The type of an HTTP request indicates what action has to be performed. These request types are called HTTP verbs (or methods), and the common ones are given below.
GET - used to retrieve or request information or resources
POST - used to create data on the server, such as posts, accounts, etc.
PUT - used to update or replace an existing row or document
DELETE - requests that the server delete some existing data
PATCH - used to update a small portion or field of the data, such as the username of your account
OPTIONS - used to ask the server which communication options are available; its best-known use is the preflight request made by the browser.
What is CORS?
CORS stands for Cross-Origin Resource Sharing. It is an HTTP header-based technique used by browsers to protect web applications from XSS attacks. CORS allows the server to specify which origins are allowed to read the information in the response.
The CORS standard works by adding HTTP headers to the response in which the server specifies the allowed origins, request methods, headers, credentials, etc. Before certain cross-origin requests, the browser makes a preflight request using the OPTIONS method to ask the server for permission.
See the conditions under which the browser preflights a request.
Some commonly used CORS response headers are given below.
| Header | Description |
| --- | --- |
| Access-Control-Allow-Origin | Specifies the allowed origin(s). Can be * (anyone) or a specific origin (e.g., https://yourapp.com). |
| Access-Control-Allow-Methods | Lists the allowed HTTP methods (e.g., GET, POST, PUT). |
| Access-Control-Allow-Headers | Lists the allowed custom headers (e.g., Authorization, Content-Type). |
| Access-Control-Allow-Credentials | true if you want to allow cookies or HTTP auth. Must not be used with a * origin. |
| Access-Control-Expose-Headers | Allows the client to read specific response headers (e.g., Content-Length, X-Custom-Header). |
| Access-Control-Max-Age | Number of seconds the preflight response can be cached. Reduces the number of preflights. |
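The following is an added example (not code from the original post) of how a server can answer the OPTIONS preflight described above from an explicit allowlist, producing exactly the response headers in the table. The policy object, the constructed preflight request and the function names are assumptions for this example; request header names are shown lowercased, as Node's http module presents them.

```javascript
// Added example: answer a CORS preflight (OPTIONS) request from an allowlist.
// The policy and the sample preflight below are constructed for this example.
const CORS_POLICY = {
  allowedOrigins: new Set(["https://yourapp.com", "https://admin.yourapp.com"]),
  allowedMethods: new Set(["GET", "POST", "PUT", "DELETE"]),
  allowedHeaders: new Set(["authorization", "content-type"]),
  allowCredentials: true,
  maxAgeSeconds: 600,
};

// Guard against the misconfiguration noted in the table: credentials with "*"
function validatePolicy(policy) {
  if (policy.allowCredentials && policy.allowedOrigins.has("*")) {
    throw new Error("Access-Control-Allow-Credentials cannot be used with * origin");
  }
  return true;
}

// Decide the preflight response. Returns { status, headers }.
function handlePreflight(reqHeaders, policy) {
  const origin = reqHeaders["origin"];
  const method = (reqHeaders["access-control-request-method"] || "").toUpperCase();
  const wanted = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);

  // Unknown origin: answer with no Access-Control-* headers at all, so the
  // browser blocks the request. Never reflect an arbitrary Origin value back.
  if (!origin || !policy.allowedOrigins.has(origin)) return { status: 403, headers: {} };
  if (!policy.allowedMethods.has(method)) return { status: 403, headers: {} };
  if (wanted.some((h) => !policy.allowedHeaders.has(h))) return { status: 403, headers: {} };

  const headers = {
    // Echo only the allowlisted origin, never "*" when credentials are on
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": [...policy.allowedMethods].join(", "),
    "Access-Control-Allow-Headers": [...policy.allowedHeaders].join(", "),
    "Access-Control-Max-Age": String(policy.maxAgeSeconds),
    // Tell caches that this answer depends on the Origin header
    "Vary": "Origin",
  };
  if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return { status: 204, headers };
}

// Constructed preflight, as a browser sends before a cross-origin PUT
const samplePreflight = {
  origin: "https://yourapp.com",
  "access-control-request-method": "PUT",
  "access-control-request-headers": "Content-Type, Authorization",
};
validatePolicy(CORS_POLICY);
console.log(handlePreflight(samplePreflight, CORS_POLICY));
```

Two design points: a rejected preflight carries no Access-Control-* headers, because the absence of the header is what makes the browser refuse the real request, and the allowed origin is taken from the allowlist rather than copied from the request, which is what stops a wildcard-with-credentials setup from arising by accident.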
Sessions and Cookies
As we know, HTTP is a stateless protocol, which means the server does not store or remember previous requests; each request is treated as a new one.
Cookies: A cookie is a small piece of information consisting of key-value paired data. It is a mechanism used to make an HTTP server stateful, so that the server can recognise the client. Cookies can have attributes such as an expiry time, Domain, Secure, SameSite, and HttpOnly.
Cookies can be classified into two types:
Persistent cookies - when we specify an expiry time for the cookie, the browser keeps the cookie even after the browser is closed.
Non-persistent or session cookies - such cookies disappear when we close the application or browser.
Sessions: A session is a technique whereby the server stores information on the server side instead of on the client, which makes sessions more secure than storing the data in cookies. The server sends the client a cookie that contains only a session ID.
HTTP vs HTTPS
| Feature | HTTP | HTTPS (HTTP Secure) |
| --- | --- | --- |
| Full Form | HyperText Transfer Protocol | HyperText Transfer Protocol Secure |
| Port | 80 (default) | 443 (default) |
| Security | Unencrypted: data is sent as plain text | Encrypted using SSL/TLS |
| Data Protection | Vulnerable to eavesdropping and MITM attacks | Protects against sniffing and tampering |
| Authentication | No guarantee you're talking to the right server | Uses SSL certificates to verify the server |
| URL Prefix | http:// | https:// |
| SEO/Ranking | Google deprioritizes unsecured sites | Slight SEO boost for using HTTPS |
| Browser Indicator | Often shows a "Not secure" warning | Shows a padlock icon |
| Use Cases | Internal tools, testing (not recommended for live apps); for example, AWS uses HTTP for some internal communication because HTTPS requires additional computing power | Banking, login pages, and any production app |
| Computational Overhead | Takes less computation time | Takes more time than HTTP because of the additional encryption, decryption, and handshake |
What is HTTP/2?
HTTP/2 is the successor of HTTP/1.1. It was introduced to reduce latency and improve data compression. It also provides features such as multiplexing, low latency, and reduced protocol overhead through efficient compression of HTTP header fields (HPACK). HTTP/1.1 remains in use as a fallback when HTTP/2 is not supported.
HTTP/2 does not modify the semantics of HTTP; the core concepts found in HTTP/1.1, such as methods, status codes, URIs, and header fields, remain unchanged. Instead, HTTP/2 changes how the data is formatted (framed) and transported between the client and server, and hides this complexity inside a framing layer that both sides manage. As a result, existing applications can be delivered over the new protocol without modification.
SSL and TLS Certificates
See also: Security Cheat Sheet
SSL: It stands for Secure Sockets Layer. It is an older protocol that was used to create a secure communication channel between client and server, but it is now deprecated because it contains various security flaws.
TLS: It stands for Transport Layer Security. It is the upgraded successor of SSL and has become the industry standard. The website's origin server shares its certificate with the browser while establishing a connection. The certificate is a simple data file that contains a public key and the website owner's identity, along with a signature from a trusted CA (certificate authority).
There are two types of TLS certificates: a self-signed certificate, issued by the website owner itself, which is less trustworthy; and a certificate issued by a trusted CA, which is more secure and trustworthy.
Written by Krishna prasad