Core Concepts
HTTP works as a simple back-and-forth conversation: the client asks, the server answers. Three things define that conversation — the cycle itself, the method (what you want to do), and the status code (how it went).
1. Request-Response Cycle
One round trip, four steps:
- Client sends request
- Server processes request
- Server sends response
- Client receives response
2. HTTP Methods
The method is the verb of the request — it tells the server what action you want. GET reads, POST creates, and so on:
# Common HTTP Methods
GET /api/users # Retrieve data
POST /api/users # Create new data
PUT /api/users/123 # Update existing data
DELETE /api/users/123 # Remove data
PATCH /api/users/123 # Partial update
HEAD /api/status # Get headers only
OPTIONS /api/users # Get allowed methods
3. Status Codes
Every response carries a three-digit status code. The first digit tells you the family: 2xx worked, 3xx redirected, 4xx is your mistake, 5xx is the server's.
2xx Success
- 200: OK
- 201: Created
- 204: No Content
3xx Redirection
- 301: Moved Permanently
- 302: Found
- 304: Not Modified
4xx Client Errors
- 400: Bad Request
- 401: Unauthorized
- 403: Forbidden
- 404: Not Found
- 429: Too Many Requests
5xx Server Errors
- 500: Internal Server Error
- 502: Bad Gateway
- 503: Service Unavailable
Headers
Headers are key-value lines of metadata that travel with every request and response. They describe things like what format you want, who you are, and how the data may be cached — the actual content (if any) comes after them.
1. Common Request Headers
Sent by the client to describe the request and identify itself:
Accept: application/json
Authorization: Bearer token123
Content-Type: application/json
User-Agent: Mozilla/5.0
Cookie: session=abc123
2. Common Response Headers
Sent back by the server to describe the response:
Content-Type: application/json
Cache-Control: max-age=3600
Set-Cookie: session=abc123
Access-Control-Allow-Origin: *
Security Features
Plain HTTP sends everything as readable text, so anyone between you and the server could read or change it. HTTPS and authentication close those gaps.
1. HTTPS
HTTPS is HTTP wrapped in TLS/SSL — the encryption layer behind the padlock in your browser. It scrambles the traffic and proves you are really talking to the right server:
- TLS/SSL encryption
- Certificate validation
- Secure communication
- Data privacy
2. Authentication Methods
Common ways to prove who you are so the server grants access:
- Basic Auth
- Bearer Tokens
- OAuth 2.0
- API Keys
Best Practices
A few conventions make HTTP APIs predictable: design URLs around resources, return errors in a consistent shape, and tell clients what they can cache.
1. RESTful Design
REST means URLs name things (resources), and the method decides the action. Same URL, different verb, different result:
# Resource-based URLs
GET /api/articles # List articles
GET /api/articles/123 # Get specific article
POST /api/articles # Create article
PUT /api/articles/123 # Update article
DELETE /api/articles/123 # Delete article
2. Error Handling
Return a clear status code plus a structured body so callers can react in code:
{
"error": {
"code": 404,
"message": "Resource not found",
"details": "Article with ID 123 does not exist"
}
}
3. Caching Strategies
Caching headers let clients reuse a previous response instead of re-downloading it. ETag is a fingerprint of the content; Last-Modified is its timestamp:
# Cache Control Headers
Cache-Control: public, max-age=3600
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
Last-Modified: Wed, 21 Oct 2025 07:28:00 GMT
Common Use Cases
Almost anything that moves data over the web runs on HTTP. Three everyday examples:
1. API Communication
Code talking to a service — here a Python script reads data and then sends an authenticated request:
import requests
# Making HTTP requests
response = requests.get('https://api.example.com/users')
data = response.json()
# Handling authentication
headers = {'Authorization': 'Bearer token123'}
response = requests.post('https://api.example.com/login', headers=headers)
2. Web Browsers
Everything a browser does is HTTP under the hood:
- Page loading
- Resource fetching
- Form submission
- AJAX requests
3. Web Services
Servers talking to each other:
- REST APIs
- Microservices
- Webhooks
- Server-side rendering
Performance Tips
Two simple ideas make HTTP faster: avoid repeating work (reuse connections), and send less data over the wire.
1. Connection Management
Opening a connection is slow, so reuse and spread it:
- Keep-alive connections
- Connection pooling
- DNS caching
- Load balancing
2. Data Optimization
Shrink the payload before it travels:
- Compression (gzip)
- Minification
- Content negotiation
- Partial responses
Debugging Tools
When a request misbehaves, you need to see exactly what was sent and received. Browser dev tools and command-line clients both let you inspect the raw traffic.
1. Browser Tools
The browser's developer tools show every request a page makes:
- Network inspector
- Request/response viewer
- Headers analyzer
- Performance metrics
2. Command Line
For quick tests without a browser, fire requests straight from the terminal:
# Using curl
curl -X GET https://api.example.com/users
# Using wget
wget https://api.example.com/data.json
# Using httpie
http GET api.example.com/users Authorization:"Bearer token123"
Remember: HTTP is the foundation of data communication on the web, and understanding its principles is crucial for web development and API integration.
