HTTP (HyperText Transfer Protocol) is the foundational communication protocol of the web. It defines how clients and servers exchange requests and responses to transfer data such as HTML pages, images, JSON, and more.
HTTP is an application-layer protocol that operates on top of TCP/IP. A client (usually a browser) sends an HTTP request to a server, which processes it and returns an HTTP response. It is a stateless protocol, meaning each request-response cycle is independent with no built-in memory of previous interactions.
Every HTTP interaction begins with a client sending a request containing a method (e.g., GET, POST, PUT, DELETE), a URL, headers, and an optional body. The server receives the request, processes it, and replies with a status code (e.g., 200 OK, 404 Not Found), response headers, and an optional response body. This cycle completes one transaction; the connection may then be reused or closed.
Methods define the intended action: GET retrieves data, POST submits data, PUT replaces a resource, PATCH partially updates it, and DELETE removes it. Status codes are grouped by class — 2xx means success, 3xx means redirection, 4xx means a client error, and 5xx means a server error. Choosing the correct method and returning accurate status codes is critical for building predictable, standards-compliant APIs.
HTTP headers carry metadata about the request or response, such as Content-Type, Authorization, Cache-Control, and Accept-Encoding. Because HTTP is stateless, mechanisms like cookies, sessions, and tokens (e.g., JWTs) are layered on top to maintain state across multiple requests. Mismanaging state or leaking sensitive headers is a common source of security vulnerabilities.
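The request/response cycle, the mapping of methods onto status codes and the case-insensitive header handling described above, worked through as an added example that is not part of the original guide: a small in-memory HTTP/1.1 handler (the function names and the `store` resource table are assumptions of this example, not a real server's API).

```python
# Added example (not from the original guide): minimal HTTP/1.1 parser and handler for one transaction.
from typing import Dict, Tuple

STATUS_TEXT = {200: "OK", 201: "Created", 204: "No Content", 400: "Bad Request",
               404: "Not Found", 405: "Method Not Allowed"}

def parse_request(raw: bytes) -> Dict:
    """Split a raw request into method, target, version, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: end of headers not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    length = int(headers.get("content-length", "0"))
    if length > len(body):
        raise ValueError("body shorter than Content-Length")  # message not fully received
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body[:length]}

def handle(req: Dict, store: Dict[str, bytes]) -> Tuple[int, bytes]:
    """Map method + target onto a status code and body; `store` is an in-memory resource table."""
    m, t = req["method"], req["target"]
    if m == "GET":
        return (200, store[t]) if t in store else (404, b"")
    if m == "PUT":  # replace the whole resource: 201 when created, 204 when overwritten
        created = t not in store
        store[t] = req["body"]
        return (201 if created else 204), b""
    if m == "DELETE":
        return (204, b"") if store.pop(t, None) is not None else (404, b"")
    return 405, b""  # method not supported for any resource here

def build_response(status: int, body: bytes) -> bytes:
    """Serialise status line, headers and body; Content-Length marks where the message ends."""
    lines = [f"HTTP/1.1 {status} {STATUS_TEXT[status]}", f"Content-Length: {len(body)}"]
    if body:
        lines.append("Content-Type: text/plain")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body

def transaction(raw: bytes, store: Dict[str, bytes]) -> bytes:
    """One complete cycle: parse, dispatch, serialise. Malformed input is a 4xx, not a crash."""
    try:
        status, body = handle(parse_request(raw), store)
    except ValueError:
        status, body = 400, b""
    return build_response(status, body)
```

Feeding `transaction` a PUT, then a GET, then a DELETE for the same target shows the 201/200/204 sequence, while a truncated request (no blank line after the headers) or an unsupported method comes back as 400 or 405 with a correct Content-Length.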
HTTP/1.1 introduced persistent connections and chunked transfer encoding but suffers from head-of-line blocking when multiple requests queue over a single connection. HTTP/2 added multiplexing, header compression (HPACK), and server push, dramatically improving performance. HTTP/3 replaces TCP with QUIC (UDP-based), eliminating transport-level head-of-line blocking and reducing connection latency, especially on lossy networks.
Plain HTTP transmits data in cleartext, making it trivially interceptable by a man-in-the-middle attacker. HTTPS wraps HTTP inside TLS, which encrypts the data in transit, authenticates the server via certificates, and ensures integrity. Modern browsers actively warn users about non-HTTPS sites, and search engines penalize them — treat HTTPS as a non-negotiable baseline, not an optional upgrade.
© RM Full Stack & AI Engineer