Understanding HTTP: Basics, Methods, Status Codes, Headers, Caching, and Evolution to HTTPS, HTTP/2, and HTTP/3
This article provides a comprehensive overview of the HTTP protocol, covering its fundamental concepts, request methods, status codes, common headers, caching mechanisms, security differences with HTTPS, and the evolution of the protocol through HTTP/1.1, HTTP/2, and HTTP/3.
HTTP Basic Concepts
HTTP (HyperText Transfer Protocol) is a protocol that defines how two or more participants communicate by transferring hypertext (text, images, video, etc.) between points A and B, optionally passing through intermediate nodes.
GET and POST
GET requests retrieve resources and are safe, idempotent, and cacheable; parameters are placed in the URL. POST requests submit data in the request body, are neither safe nor idempotent, and are generally not cached.
Safety and Idempotence
Safety means the request does not modify server resources.
Idempotence means repeated identical requests produce the same result.
Common HTTP Status Codes
Responses are grouped into five classes:
1xx – Informational (rarely used)
2xx – Success (e.g., 200 OK, 204 No Content, 206 Partial Content)
3xx – Redirection (e.g., 301 Moved Permanently, 302 Found, 304 Not Modified)
4xx – Client errors (e.g., 400 Bad Request, 403 Forbidden, 404 Not Found)
5xx – Server errors (e.g., 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable)
Common HTTP Header Fields
Host: specifies the domain name of the server.
Content-Length: indicates the size of the response body.
Connection: controls whether the TCP connection is persistent (e.g., keep-alive).
Content-Type: tells the client the media type of the response (e.g., text/html; charset=utf-8).
Accept: declares the media types the client can handle.
Content-Encoding: describes compression applied to the body (e.g., gzip).
Cache-Control and Expires: control caching behavior.
HTTP Caching
Strong Caching
When the browser determines that a cached resource has not expired (using Cache-Control or Expires), it serves the resource directly without contacting the server.
Negotiated Caching
Negotiated caching uses conditional requests with If-Modified-Since / Last-Modified or If-None-Match / ETag to let the server decide whether the cached copy is still valid (responding with 304 Not Modified when appropriate).
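The strong and negotiated caching decisions described above, as an added example that is not code from the original article. The function names are hypothetical, freshness is simplified to the time elapsed since the response was stored, and ETag lists are split on commas.

```python
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

def _http_date(value):
    """Parse an HTTP date; None if malformed (e.g. 'Expires: 0')."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def cache_decision(stored_headers, stored_at, now):
    """Client side (hypothetical helper; age is simplified to now - stored_at).
    'fresh' = strong cache hit, 'revalidate' = conditional request, 'refetch' = plain GET."""
    h = {k.lower(): v for k, v in stored_headers.items()}
    cc = {}
    for part in h.get("cache-control", "").split(","):
        name, _, value = part.strip().partition("=")
        if name:
            cc[name.lower()] = value.strip('"')
    if "no-store" in cc:  # response should never be served from a cache
        return ("refetch", {})
    if "no-cache" not in cc:  # no-cache: stored, but always revalidated
        if "max-age" in cc:  # max-age takes precedence over Expires
            age_ok = cc["max-age"].isdigit()
            fresh = age_ok and now - stored_at < timedelta(seconds=int(cc["max-age"]))
        else:
            expires = _http_date(h.get("expires", ""))
            fresh = expires is not None and now < expires
        if fresh:
            return ("fresh", {})
    conditional = {}
    if "etag" in h:
        conditional["If-None-Match"] = h["etag"]
    if "last-modified" in h:
        conditional["If-Modified-Since"] = h["last-modified"]
    return ("revalidate", conditional) if conditional else ("refetch", {})

def server_status(request_headers, current_etag, last_modified):
    """Server side: 304 if the client's validator still matches, else 200."""
    weak = lambda t: t.strip()[2:] if t.strip().startswith("W/") else t.strip()
    inm = request_headers.get("If-None-Match")
    if inm is not None:  # If-None-Match takes precedence over If-Modified-Since
        tags = [weak(t) for t in inm.split(",")]
        return 304 if "*" in tags or weak(current_etag) in tags else 200
    since = _http_date(request_headers.get("If-Modified-Since", ""))
    if since is not None and last_modified <= since:
        return 304
    return 200
```

A malformed Expires value is treated as already expired, and a response marked no-store is never answered from the cache, which is the behavior wanted for responses carrying session or personal data.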
HTTP Features
Simple, flexible, and widely supported.
Stateless communication, which reduces server overhead but requires mechanisms like cookies for session state.
Plain‑text transmission leads to security risks (eavesdropping, tampering, impersonation).
HTTPS vs. HTTP
HTTPS adds TLS/SSL between TCP and HTTP, providing encryption, integrity verification, and server authentication via digital certificates, thus mitigating the three main risks of plain HTTP.
TLS Handshake (4 messages)
ClientHello – client proposes TLS version, cipher suites, and a random value.
ServerHello – server selects version, cipher suite, sends its random value and certificate.
ClientKeyExchange – client encrypts a pre‑master secret with the server’s public key.
ServerFinished – both sides derive the session keys and confirm the handshake.
TLS 1.3 reduces this to a single round‑trip.
Evolution of HTTP
HTTP/1.1 Improvements
Persistent connections (keep‑alive).
Pipelining support.
HTTP/2 Optimizations
Header compression with HPACK.
Binary framing.
Multiplexed streams with independent priorities.
Server push.
However, HTTP/2 still suffers from TCP‑level head‑of‑line blocking.
HTTP/3 Enhancements
Runs over QUIC (UDP) to eliminate TCP head‑of‑line blocking.
QUIC provides reliable, multiplexed streams with per‑stream loss recovery.
0‑RTT connection establishment and seamless connection migration.
Adoption is limited because some network devices drop unknown UDP traffic.
Reader Q&A
HTTPS adds a TLS handshake and encrypts data (typically with symmetric encryption). SSL and TLS refer to the same family of protocols; SSL is the historic name, TLS is the modern standardized version.
The classic SSL/TLS handshake involves four messages (two round‑trips), while TLS 1.3 reduces it to one round‑trip.
IT Services Circle