HTTP and HTTPS
HTTP is the lingua franca of the web. HTTPS adds encryption. Understanding methods, status codes, headers, and the TLS handshake will pay you back daily.
The protocol you talk every day
Every time you open a webpage, every time your phone refreshes its email, every API call between two microservices, almost all of it goes over HTTP. It is a request-response protocol that runs over TCP. Simple in concept, full of subtleties in practice.
The request, in three parts
An HTTP request has three pieces:
- A start line: the method, the path, and the version.
GET /users/42 HTTP/1.1 - Headers: metadata about the request. Authorization tokens, content type, caching hints, the user agent.
- An optional body: the payload, used for POST, PUT, PATCH. Often JSON.
The response has the same shape: a status line (with the code), headers, and an optional body.
The methods that matter
| Method | Purpose | Idempotent? | Has body? |
|---|---|---|---|
| GET | Read a resource | Yes | No |
| POST | Create a new resource or trigger an action | No | Yes |
| PUT | Replace a resource entirely | Yes | Yes |
| PATCH | Partially update a resource | Sometimes | Yes |
| DELETE | Delete a resource | Yes | No |
Idempotent means: doing the same operation multiple times produces the same result. PUT-ing the same data twice leaves the same final state. POST-ing twice creates two records. This matters for retry logic, which we will return to.
Status codes you should recognize on sight
- 2xx success. 200 OK. 201 Created. 204 No Content.
- 3xx redirection. 301 Permanent (browsers cache it). 302 Temporary. 304 Not Modified (cache hit).
- 4xx client error. 400 Bad Request. 401 Unauthorized (you are not logged in). 403 Forbidden (you are logged in but not allowed). 404 Not Found. 409 Conflict. 429 Too Many Requests.
- 5xx server error. 500 Internal Server Error. 502 Bad Gateway. 503 Service Unavailable. 504 Gateway Timeout.
The 4xx vs 5xx distinction is critical. 4xx means the client did something wrong; do not retry without changing the request. 5xx means the server messed up; retrying may work.
HTTPS: the same thing, with a coat of armor
HTTP is plaintext. Anyone who can read the network packets can read your password. HTTPS wraps HTTP in TLS (Transport Layer Security). It does three things:
- Encryption. Eavesdroppers see ciphertext. They cannot read your data.
- Authentication. The client verifies the server is who it claims to be, via a certificate signed by a trusted authority.
- Integrity. Any tampering with the data is detected.
The TLS handshake (simplified)
- Client says hello, lists the cipher suites it can use.
- Server responds with its certificate and chosen cipher.
- Client verifies the certificate against trusted root CAs.
- They use asymmetric crypto (RSA or ECDHE) to agree on a symmetric session key.
- From here on, everything is encrypted with that fast symmetric key.
The handshake adds 1-2 round trips before the first byte of data. TLS 1.3 cut that to one round trip and even zero in some resumption cases. Still, every new HTTPS connection has a cost. Connection pooling and keep-alive matter.
HTTP versions: the headline differences
HTTP/1.1. Text-based, one request at a time per connection. Browsers open 6 connections per host to parallelize. Headers are huge and uncompressed.
HTTP/2. Binary. Multiplexes many requests over one connection. Compresses headers (HPACK). Server can push resources before the client asks. Big improvement on TCP.
HTTP/3. Same multiplexing as HTTP/2 but on QUIC, which runs on UDP. Avoids TCP's head-of-line blocking. Faster on lossy networks (mobile). Increasingly common in production.
HTTP feels mundane until something breaks. Then knowing that 502 means upstream failure, that idempotent methods are safe to retry, and that a TLS handshake costs round trips will save you hours of debugging. Spend the time to get fluent with it.