Mastering HTTP: Methods, Headers, and Status Codes Explained
This article provides a comprehensive overview of the HTTP protocol, covering its connection model, request and response structures, common methods such as GET, POST, OPTIONS, detailed header fields across general, request, response, and entity categories, URL components, version differences, and status code classifications.
HTTP Overview
HTTP uses the connection‑oriented TCP as its transport layer, while the protocol itself is stateless.
Request Message
Each line of the request ends with CRLF (carriage return + line feed). Example GET request:
Example POST request:
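An added example, not part of the original article: a strict Python parser for the request message format described above, run on a constructed GET and a constructed POST. The host www.example.com, the /submit path and the form fields are assumptions chosen for illustration.

```python
# Added example: strict parser for an HTTP/1.x request message.
CRLF = b"\r\n"

class BadRequest(ValueError):
    """Input a server would answer with 400 Bad Request."""

def parse_request(raw: bytes) -> dict:
    # An empty line (CRLF CRLF) separates the header section from the body.
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise BadRequest("header section not terminated by an empty line")
    # Every line must end with CRLF; reject a bare CR or LF.
    leftover = head.replace(CRLF, b"")
    if b"\r" in leftover or b"\n" in leftover:
        raise BadRequest("bare CR or LF in header section")
    lines = head.split(CRLF)
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise BadRequest("malformed request line")
    method, target, version = (p.decode("latin-1") for p in parts)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise BadRequest("malformed header field")
        key = name.decode("latin-1").lower()
        text = value.strip().decode("latin-1")
        # Repeated fields are joined, so a duplicate Content-Length fails below.
        headers[key] = headers[key] + ", " + text if key in headers else text
    length = headers.get("content-length", "0")
    if not (length.isascii() and length.isdigit()):
        raise BadRequest("invalid Content-Length")
    if len(body) != int(length):
        raise BadRequest("body does not match Content-Length")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

# Constructed sample messages (www.example.com and /submit are placeholders).
GET_SAMPLE = (b"GET /question/1742817.html HTTP/1.1\r\n"
              b"Host: www.example.com\r\n"
              b"Connection: keep-alive\r\n\r\n")
FORM = b"name=alice&comment=hello"
POST_SAMPLE = (b"POST /submit HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: %d\r\n\r\n" % len(FORM)) + FORM
```

The GET carries no body, while the POST body is accepted only when its size matches Content-Length exactly.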
Methods
OPTIONS : Returns all supported HTTP methods for a resource; using "*" tests server functionality.
HEAD : Like GET but returns only headers, not the body.
GET : Retrieves a resource; should be safe and idempotent.
POST : Submits data to be processed, creating or modifying resources.
PUT : Uploads a new version of a resource.
DELETE : Removes the specified resource.
TRACE : Echoes the received request for testing.
CONNECT : Used by proxies to establish a tunnel, typically for SSL.
In practice, GET and POST are the most frequently used methods.
URL Structure
A typical URL follows <scheme>://<host>:<port>/<path>. Common schemes include:
http – Hypertext Transfer Protocol
https – HTTP over TLS/SSL
ftp – File Transfer Protocol
mailto – Email address
ldap – Lightweight Directory Access Protocol
file – Local or shared file
news – Usenet newsgroup
gopher – Gopher protocol
telnet – Telnet protocol
Components:
Host – domain name on the Internet.
Port – optional, often omitted.
Path – absolute URLs show the full path; relative URLs are resolved against the current document’s location.
Examples of an absolute URL (homepage) and a relative URL (file 1742817.html) are shown below:
Version Numbers
HTTP/1.0 uses non‑persistent (short) connections; each request requires a new TCP handshake, costing roughly 2*RTT + transmission time. HTTP/1.1 introduces persistent (long) connections, reducing overhead. Persistent connections can be pipelined (multiple requests sent without waiting for responses) or non‑pipelined.
Connection header values such as Keep-Alive or close control whether the connection stays open.
Header Fields
HTTP defines four categories of header fields.
General Header Fields
Cache-Control – controls caching behavior.
Connection – manages hop‑by‑hop connection options.
Date – date and time the message was generated.
Pragma – implementation‑specific directives.
Trailer – lists header fields present in the message trailer.
Transfer-Encoding – specifies the transfer coding.
Upgrade – requests protocol upgrade.
Via – information about intermediate proxies.
Warning – additional error information.
Request Header Fields
Accept – media types the client can handle.
Accept-Charset – preferred character sets.
Accept-Encoding – preferred content encodings.
Accept-Language – preferred natural languages.
Authorization – credentials for authentication.
Expect – expectations for server behavior.
From – email address of the user.
Host – target server host.
If-Match, If-Modified-Since, If-None-Match, If-Range, If-Unmodified-Since – conditional request controls.
Max-Forwards – maximum number of proxy hops.
Proxy-Authorization – credentials for proxy authentication.
Range – byte range request for the entity.
Referer – URL of the referring page.
TE – transfer‑coding preferences.
User-Agent – client software identification.
Response Header Fields
Accept-Ranges – indicates support for range requests.
Age – time the resource has been in a proxy cache.
ETag – entity tag for cache validation.
Location – URL for redirection.
Proxy-Authenticate – authentication challenge from a proxy.
Retry-After – time after which to retry the request.
Server – server software information.
Vary – indicates which request headers affect the response.
WWW-Authenticate – authentication challenge from the server.
Entity Header Fields
Allow – HTTP methods supported by the resource.
Content-Encoding – encoding applied to the entity body.
Content-Language – natural language of the entity.
Content-Length – size of the entity body in bytes.
Content-Location – alternate URI for the same resource.
Content-MD5 – MD5 checksum of the entity.
Content-Range – byte range of the entity.
Content-Type – media type of the entity.
Expires – expiration date and time of the entity.
Last-Modified – last modification date of the resource.
HTTP Operation Process
The typical flow when a user enters a URL:
Browser parses the URL.
DNS resolves the domain name to an IP address.
Browser establishes a TCP connection to the server (IP + port 80).
Browser sends a request line such as GET /question/1742817.html HTTP/1.1.
Server responds with the requested resource.
TCP connection is closed (or kept alive for further requests).
Browser renders the HTML content.
Response Message Example
Status Codes and Reason Phrases
Classes of status codes:
1xx – Informational (request received, continue processing).
2xx – Success (request successfully received, understood, and accepted).
3xx – Redirection (further action needed to complete the request).
4xx – Client error (syntax error or request cannot be fulfilled).
5xx – Server error (server failed to fulfill a valid request).
Common codes:
200 OK – request succeeded.
400 Bad Request – malformed request.
401 Unauthorized – authentication required.
403 Forbidden – server refuses to fulfill.
404 Not Found – resource does not exist.
500 Internal Server Error – unexpected server condition.
503 Service Unavailable – server temporarily unable to handle the request.
GET vs POST Differences
GET appends data to the URL (after a ?), making it visible in the address bar; POST sends data in the request body, keeping the URL unchanged.
Data size limits: browsers and servers impose URL length limits for GET (e.g., IE limits to 2083 bytes). POST has no inherent size limit, but servers often configure maximum POST body sizes.
Security: POST is generally more secure because parameters are not exposed in URLs, reducing the risk of exposure through logs or browser history.
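An added example, not part of the original article: a Python audit of access-log lines that shows how GET parameters end up in logs while a POST to the same path leaves none, and masks the sensitive values it finds. The log lines, the parameter names in SENSITIVE and the /login and /api/items paths are constructed assumptions.

```python
# Added example: find and mask sensitive query parameters in access-log lines.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter names; adjust to the application being audited.
SENSITIVE = {"password", "passwd", "token", "session", "api_key"}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# Constructed log lines (documentation IP range, placeholder paths and values).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] '
    '"GET /login?user=alice&password=s3cret HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2024:13:55:40 +0000] "POST /login HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Oct/2024:13:56:02 +0000] '
    '"GET /question/1742817.html HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Oct/2024:13:56:09 +0000] '
    '"GET /api/items?page=2&token=abc123 HTTP/1.1" 200 128',
]

def _query_pairs(line):
    """Return (regex match, split target, query pairs) or None if no request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m, parts, parse_qsl(parts.query, keep_blank_values=True)

def exposed_params(line):
    """Names of sensitive parameters that the request line put into the log."""
    found = _query_pairs(line)
    if not found:
        return []
    return sorted({k for k, _ in found[2] if k.lower() in SENSITIVE})

def redact(line):
    """Rewrite the line with sensitive query values masked."""
    found = _query_pairs(line)
    if not found or not exposed_params(line):
        return line
    m, parts, pairs = found
    masked = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    target = urlunsplit(parts._replace(query=urlencode(masked)))
    return line[:m.start("target")] + target + line[m.end("target"):]

def audit(lines):
    """Map 1-based line number to the sensitive parameter names found there."""
    hits = {n: exposed_params(line) for n, line in enumerate(lines, 1)}
    return {n: names for n, names in hits.items() if names}
```

Calling audit(SAMPLE_LOG) flags only the two GET lines; the POST to /login leaves no parameters in the log because they travel in the request body.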
