HTTP and the Web
HTTP Versions
| Version | Year | Key Features |
|---|---|---|
| HTTP/1.0 | 1996 | One request per connection; no persistent connections |
| HTTP/1.1 | 1997 | Persistent connections (keep-alive), pipelining, chunked transfer, Host header |
| HTTP/2 | 2015 | Binary framing, multiplexing (multiple requests over one connection), header compression (HPACK), server push |
| HTTP/3 | 2022 | Built on QUIC (UDP-based), eliminates head-of-line blocking, faster connection setup, built-in TLS 1.3 |
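Chunked transfer encoding, introduced with HTTP/1.1 and used on keep-alive connections where the body length is not known up front, is the one item in the table that needs a parser. The decoder below is an added example, not code from the original page: it walks the chunk-size lines (hex, with optional `;name=value` extensions), collects the data, reads any trailer fields, and returns whatever bytes follow the terminating chunk, since on a persistent connection those are the start of the next request. It refuses malformed sizes instead of guessing, because lenient chunk-size parsing is exactly what lets two hops disagree about where one message ends and the next begins. The sample message is constructed for illustration.

```python
# Added example: strict decoder for HTTP/1.1 chunked transfer encoding.
# Not from the original page; SAMPLE_BODY below is constructed.
from typing import Dict, Tuple

HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


def decode_chunked(data: bytes) -> Tuple[bytes, Dict[str, str], bytes]:
    """Decode a chunked body.

    Returns (body, trailers, remaining). `remaining` is any bytes after the
    terminating chunk, i.e. the next message on a keep-alive connection.
    Raises ValueError on anything that is not well-formed.
    """
    body = bytearray()
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("truncated chunk-size line")
        size_line = data[pos:end]
        # chunk-size may be followed by ";ext=value" extensions; drop them.
        size_field = size_line.split(b";", 1)[0].rstrip()
        # Validate the digits ourselves: int(b"0x5", 16) silently accepts a
        # "0x" prefix, a sign, underscores and whitespace that other parsers
        # reject or read differently.
        if not size_field or not set(size_field) <= HEX_DIGITS:
            raise ValueError(f"bad chunk size: {size_line!r}")
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            break
        if pos + size + 2 > len(data):
            raise ValueError("truncated chunk data")
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        body += data[pos:pos + size]
        pos += size + 2
    # Optional trailer fields after the zero chunk, then an empty line.
    trailers: Dict[str, str] = {}
    while True:
        end = data.find(b"\r\n", pos)
        if end == -1:
            raise ValueError("truncated trailer section")
        line = data[pos:end]
        pos = end + 2
        if not line:
            break
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"bad trailer line: {line!r}")
        trailers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    return bytes(body), trailers, data[pos:]


def is_malformed(data: bytes) -> bool:
    """True if the decoder rejects the input (used to show the strict cases)."""
    try:
        decode_chunked(data)
        return False
    except ValueError:
        return True


# Constructed sample: three chunks (one with an extension), a trailer, and the
# first line of the next request on the same connection.
SAMPLE_BODY = (
    b"4\r\nWiki\r\n"
    b"6;ext=1\r\npedia \r\n"
    b"E\r\nin \r\n\r\nchunks.\r\n"
    b"0\r\n"
    b"Digest: example\r\n"
    b"\r\n"
    b"GET /next HTTP/1.1\r\n"
)

if __name__ == "__main__":
    body, trailers, rest = decode_chunked(SAMPLE_BODY)
    print(body, trailers, rest)
```

The "remaining" return value is the point for persistent connections: the byte where this decoder stops is the byte where the next request begins, so every hop on the path must agree on it.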
HTTP Methods
| Method | Purpose | Idempotent | Safe |
|---|---|---|---|
| GET | Retrieve a resource | Yes | Yes |
| POST | Create a resource or submit data | No | No |
| PUT | Replace a resource entirely | Yes | No |
| PATCH | Partially update a resource | No | No |
| DELETE | Delete a resource | Yes | No |
| HEAD | Same as GET but returns headers only | Yes | Yes |
| OPTIONS | Describe communication options (used in CORS preflight) | Yes | Yes |
HTTP Status Codes
| Range | Category | Common Codes |
|---|---|---|
| 1xx | Informational | 100 Continue, 101 Switching Protocols |
| 2xx | Success | 200 OK, 201 Created, 204 No Content |
| 3xx | Redirection | 301 Moved Permanently, 302 Found, 304 Not Modified |
| 4xx | Client Error | 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests |
| 5xx | Server Error | 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable |
Important HTTP Headers
| Header | Direction | Purpose |
|---|---|---|
| Content-Type | Request/Response | Media type of the body (e.g., application/json, text/html) |
| Authorization | Request | Credentials for authentication (Bearer token, Basic auth); sent on every request, so only ever over HTTPS |
| Cache-Control | Request/Response | Caching directives (no-cache, no-store, max-age, private); note that no-cache only forces revalidation, while no-store is what keeps a response out of caches |
| Accept | Request | Media types the client can handle |
| Location | Response | URL for redirects (3xx) or the newly created resource (201) |
| Set-Cookie | Response | Sets a cookie on the client; the Secure, HttpOnly and SameSite attributes limit where it is sent and whether scripts can read it |
| CORS headers | Response | Access-Control-Allow-Origin, Access-Control-Allow-Methods (plus Vary: Origin when the allowed origin depends on the request) |
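The OPTIONS row above and the CORS headers row describe the preflight exchange; what matters for security is how the server decides what to put in Access-Control-Allow-Origin. The following is an added example, not code from the original page: an allowlist-based preflight handler next to the common mistake of echoing whatever Origin arrived while also allowing credentials. The origin allowlist, permitted methods and headers are assumptions made up for the example.

```python
# Added example: CORS preflight (OPTIONS) handling, reflecting vs allowlisted.
# Not from the original page; the allowlist values are constructed.
from typing import Dict, Tuple

ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})
ALLOWED_METHODS = frozenset({"GET", "POST", "PUT", "DELETE"})
ALLOWED_HEADERS = frozenset({"authorization", "content-type"})


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def preflight_reflecting(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """The anti-pattern: echo any Origin and allow credentials.

    Any site can now make credentialed cross-origin requests and read the
    responses, because the browser will attach the user's cookies.
    """
    h = _lower(headers)
    return 204, {
        "Access-Control-Allow-Origin": h.get("origin", "*"),
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
        "Access-Control-Allow-Headers": h.get("access-control-request-headers", ""),
    }


def preflight_allowlisted(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Exact-match allowlist; no CORS headers at all for anything else."""
    h = _lower(headers)
    origin = h.get("origin")  # "null" or a missing Origin also fails the test
    method = h.get("access-control-request-method", "").upper()
    requested = {
        x.strip().lower()
        for x in h.get("access-control-request-headers", "").split(",")
        if x.strip()
    }
    # Vary: Origin on every answer, so a shared cache never hands one
    # origin's allow-list decision to another origin.
    resp = {"Vary": "Origin"}
    # Exact string compare: a prefix or regex check would let
    # https://app.example.com.attacker.example through.
    if origin not in ALLOWED_ORIGINS:
        return 403, resp
    if method not in ALLOWED_METHODS or not requested <= ALLOWED_HEADERS:
        return 403, resp
    resp.update({
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": "600",  # cache the preflight for 10 minutes
    })
    return 204, resp


if __name__ == "__main__":
    req = {
        "Origin": "https://app.example.com",
        "Access-Control-Request-Method": "PUT",
        "Access-Control-Request-Headers": "Authorization, Content-Type",
    }
    print(preflight_allowlisted(req))
```

A 403 with no Access-Control-Allow-* headers is enough: the browser fails the preflight and never sends the real request. A server that wants to allow every origin for a public, credential-free API can return `*`, but `*` together with Allow-Credentials is rejected by browsers, which is why the reflecting version is the shape the mistake actually takes.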
HTTPS and TLS
HTTPS = HTTP + TLS (Transport Layer Security). TLS encrypts the HTTP communication to provide:
- Confidentiality: Data is encrypted - cannot be read by eavesdroppers
- Integrity: Data cannot be tampered with in transit (MAC in TLS 1.2 cipher suites; authenticated encryption, AEAD, in TLS 1.3)
- Authentication: Server identity verified via digital certificate (X.509) chained to a trusted CA; the client must also check that the certificate matches the host name it asked for
TLS 1.3 (current standard) improvements over TLS 1.2: faster handshake (1-RTT vs 2-RTT, plus 0-RTT resumption), removed weak mechanisms (static RSA key exchange, RC4, 3DES, non-AEAD cipher suites, compression), mandatory forward secrecy via ephemeral (EC)DH, and encryption of most of the handshake itself.
REST Architecture
REST (Representational State Transfer) is an architectural style for designing web APIs. Key constraints:
- Stateless: Each request contains all information needed; server stores no client state
- Client-Server: Separation of concerns between UI and data storage
- Uniform Interface: Resources identified by URIs; standard HTTP methods
- Cacheable: Responses must define themselves as cacheable or non-cacheable
- Layered System: Client doesn't know if it's talking to the actual server or a proxy
WebSockets
WebSockets provide full-duplex, persistent communication over a single TCP connection. Unlike HTTP (request-response), WebSockets allow the server to push data to the client at any time.
- Initiated with an HTTP Upgrade request (Upgrade: websocket, Connection: Upgrade); the server answers 101 Switching Protocols, after which the TCP connection carries WebSocket frames instead of HTTP
- Uses ws:// (unencrypted) or wss:// (encrypted, over TLS) URI schemes
- The browser sends an Origin header but performs no CORS preflight, so the server must check Origin itself before accepting the upgrade
- Ideal for: real-time chat, live notifications, collaborative editing, gaming
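The opening handshake from the list above, written out as an added example with both sides' messages (this is not code from the original page). The server validates the Upgrade request, checks the Origin against an allowlist, and derives Sec-WebSocket-Accept from the client's Sec-WebSocket-Key as RFC 6455 specifies (SHA-1 of the key concatenated with a fixed GUID, base64-encoded). The request uses the sample key from the RFC; the origin allowlist and path are assumptions made up for the example.

```python
# Added example: server side of the WebSocket opening handshake (RFC 6455).
# Not from the original page; ALLOWED_ORIGINS and SAMPLE_REQUEST are constructed.
import base64
import hashlib
from typing import Dict, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455
ALLOWED_ORIGINS = frozenset({"https://chat.example.com"})  # constructed
REASONS = {101: "Switching Protocols", 400: "Bad Request",
           403: "Forbidden", 426: "Upgrade Required"}


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a request head into (method, target, lower-cased headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def handshake(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status, response headers) for an Upgrade request."""
    method, _target, h = parse_request(raw)
    conn_tokens = {t.strip().lower() for t in h.get("connection", "").split(",")}
    if (method != "GET" or h.get("upgrade", "").lower() != "websocket"
            or "upgrade" not in conn_tokens):
        return 400, {}
    if h.get("sec-websocket-version") != "13":
        return 426, {"Sec-WebSocket-Version": "13"}
    key = h.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            raise ValueError("key must be 16 random bytes")
    except ValueError:  # binascii.Error is a ValueError subclass
        return 400, {}
    # The Origin check is the server's only defence against another site's
    # page opening a socket here with the user's ambient cookies attached.
    if h.get("origin") not in ALLOWED_ORIGINS:
        return 403, {}
    return 101, {"Upgrade": "websocket", "Connection": "Upgrade",
                 "Sec-WebSocket-Accept": accept_key(key)}


def format_response(status: int, headers: Dict[str, str]) -> bytes:
    """Serialise the server's side of the exchange."""
    lines = [f"HTTP/1.1 {status} {REASONS[status]}"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


# Constructed client request; the key is the sample value from RFC 6455.
SAMPLE_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: chat.example.com\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"Origin: https://chat.example.com\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(format_response(*handshake(SAMPLE_REQUEST)).decode())
```

The accept value is not a secret: it only proves the server understood this was a WebSocket upgrade and not a caching proxy echoing the request. Authentication and the Origin check are what actually gate access, and the latter is the step most often missing.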
Cookies vs Sessions
| Feature | Cookies | Sessions |
|---|---|---|
| Storage | Client-side (browser) | Server-side |
| Security | Readable and editable by the client unless signed (integrity) or encrypted (confidentiality); HttpOnly keeps them from scripts | Data stays on the server, but the session ID in the cookie is the credential and must be unguessable and protected like one |
| Capacity | ~4 KB per cookie | Limited by server memory or the shared store |
| Expiry | Set by server (Expires/Max-Age for persistent cookies; none for session cookies) | Server-side idle or absolute timeout; the session cookie itself usually expires when the browser closes |
| Scalability | Stateless - scales easily | Stateful - requires sticky sessions or shared store (Redis) |
| Use case | Remember me, preferences, tracking | Login state, shopping cart |
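The two rows of the table that matter most, security and scalability, come down to where the state lives. The following is an added example, not code from the original page, showing both options from the table side by side (it also illustrates the REST "stateless" constraint from the section above): login state carried in an HMAC-signed cookie that the server can verify without storing anything, and login state kept in a server-side store behind an opaque random session ID. The secret key, user IDs, timeout and the in-memory dictionary standing in for Redis are assumptions made up for the example.

```python
# Added example: signed client-side cookie vs server-side session.
# Not from the original page; SECRET_KEY, SESSION_TTL and the store are constructed.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

SECRET_KEY = b"constructed-example-key-rotate-in-production"  # assumption
SESSION_TTL = 1800  # seconds; assumption


# --- Option 1: state in a signed cookie; the server keeps nothing ---------
def _b64(b: bytes) -> bytes:
    return base64.urlsafe_b64encode(b).rstrip(b"=")


def _unb64(s: bytes) -> bytes:
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))


def sign_cookie(payload: Dict) -> str:
    """payload.signature, where signature = HMAC-SHA256(key, payload)."""
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
    return (body + b"." + _b64(mac)).decode("ascii")


def verify_cookie(value: str) -> Optional[Dict]:
    """Return the payload if the signature checks out, else None.

    This gives integrity only: anyone holding the cookie can read the payload,
    so put a user ID in it, never a password or anything private.
    """
    try:
        body, sig = value.encode("ascii").rsplit(b".", 1)
        expected = hmac.new(SECRET_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant time
            return None
        return json.loads(_unb64(body))
    except (ValueError, UnicodeError):  # malformed base64/JSON/encoding
        return None


# --- Option 2: server-side session; the cookie holds only an opaque ID ----
_store: Dict[str, Dict] = {}  # stands in for Redis or a database


def create_session(user_id: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)  # 256 bits from the CSPRNG, never a counter
    _store[sid] = {"user_id": user_id, "expires": now + SESSION_TTL}
    return sid


def load_session(sid: str, now: Optional[float] = None) -> Optional[Dict]:
    now = time.time() if now is None else now
    session = _store.get(sid)
    if session is None:
        return None
    if now > session["expires"]:
        _store.pop(sid, None)  # expired: delete, do not just ignore
        return None
    return session


def set_cookie_header(name: str, value: str, max_age: Optional[int] = None) -> str:
    """Set-Cookie line with the attributes that limit exposure of either option."""
    attrs = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if max_age is not None:  # persistent ("remember me"); omit for a session cookie
        attrs.append(f"Max-Age={max_age}")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    print(set_cookie_header("auth", sign_cookie({"user_id": "alice"}), max_age=86400))
    print(set_cookie_header("sid", create_session("alice")))
```

The signed cookie scales without shared state but cannot be revoked before it expires (short lifetimes or a key rotation are the only levers); the server-side session can be invalidated at once but every request hits the store, which is the sticky-session or Redis cost noted in the table.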
Related Networking Topics