HTTP Explained- How Hypertext Transfer Works
What HTTP Actually Is
HTTP stands for Hypertext Transfer Protocol. It's the foundation of how browsers and servers talk to each other. Every time you type a URL or click a link, HTTP is working behind the scenes to fetch what you asked for.
This isn't new technology. It's been around since 1991. Tim Berners-Lee designed it alongside HTML for the first web browser. The version most of the internet uses now is HTTP/1.1, though HTTP/2 and HTTP/3 are becoming standard.
Understanding HTTP matters because it's the baseline for web development, API work, and debugging. If you've ever stared at a 404 error and wondered why, that's HTTP telling you something specific.
How HTTP Actually Works
HTTP follows a simple pattern: request and response. A client (usually your browser) sends a request to a server. The server processes it and sends back a response.
The flow looks like this:
- You type a URL or click a link
- Browser resolves the domain name to an IP address via DNS
- Browser opens a TCP connection to the server on port 80 (HTTP) or 443 (HTTPS)
- Browser sends an HTTP request with a method, headers, and optional body
- Server receives the request and processes it
- Server sends back an HTTP response with a status code, headers, and body
- Browser renders the response or handles the error
Each request is independent. HTTP doesn't remember previous requests by default. That's why sessions and cookies exist—to maintain state across requests.
HTTP Methods You Need to Know
Methods tell the server what action you want to perform. Most developers only use a handful regularly.
GET
Retrieves data from the server. It's read-only. Your browser does this every time you load a page. GET requests should never modify server data.
POST
Sends data to the server to create something new. Forms typically use POST. It's also used for logging in, submitting data, and API calls that create records.
PUT
Updates or replaces existing data at a specific location. Send the complete resource with PUT. If the resource doesn't exist, it might create one depending on the server configuration.
PATCH
Partially updates existing data. Send only the fields you want to change. More efficient than PUT when you only need to update one or two properties.
DELETE
Removes a resource from the server. Straightforward—delete the file, database record, or resource at the specified location.
HEAD and OPTIONS
HEAD returns only headers, no body. Useful for checking if a resource exists or getting metadata without downloading the full response. OPTIONS asks the server which methods and headers it supports for a given URL.
HTTP Status Codes Explained
Status codes tell you what happened with your request. They're grouped by what they start with.
1xx: Informational
The request was received, continuing processing. You rarely see these. 100 Continue is the most common—it tells a client to proceed with sending a large request body.
2xx: Success
Your request worked. 200 OK is the standard success response. 201 Created means a new resource was successfully created (common with POST requests). 204 No Content is success with no response body—often used for DELETE operations.
3xx: Redirection
The browser needs to do something else. 301 Moved Permanently tells the browser and search engines this URL has permanently moved. 302 Found is temporary. 304 Not Modified tells the browser to use its cached version—saves bandwidth.
4xx: Client Errors
You messed up. 400 Bad Request means your request was malformed. 401 Unauthorized means you need to authenticate. 403 Forbidden means you're authenticated but don't have permission. 404 Not Found means the resource doesn't exist.
429 Too Many Requests is the rate limit hit. You'll see this when an API cuts you off for sending too many requests too fast.
5xx: Server Errors
The server messed up. 500 Internal Server Error is generic—the server crashed or hit an exception. 502 Bad Gateway means a proxy or gateway got an invalid response from an upstream server. 503 Service Unavailable means the server is down or overloaded. 504 Gateway Timeout means the upstream server took too long to respond.
HTTP Headers
Headers pass additional information with requests and responses. They're key-value pairs. There are dozens of them, but you only need to know a handful.
Common Request Headers
- Accept: Tell the server what content types you can handle (JSON, HTML, images)
- Authorization: Pass credentials or tokens for authentication
- Content-Type: Specify the format of data you're sending (application/json, multipart/form-data)
- User-Agent: Identify your browser or client
- Cookie: Send previously stored cookies back to the server
- Referer: Tell the server which page linked to this request
Common Response Headers
- Set-Cookie: Tell the browser to store a cookie
- Content-Type: Tell the browser what format the response is in
- Cache-Control: Tell the browser how to cache this response
- Content-Length: Tell the browser how big the response body is
- Location: Redirect the browser to a new URL (used with 3xx codes)
HTTP vs HTTPS
HTTPS is HTTP with TLS encryption on top. The S stands for Secure. Without it, everything you send and receive is plain text. Anyone between you and the server can intercept and read it.
HTTPS uses port 443 instead of 80. It requires an SSL/TLS certificate from a Certificate Authority (CA). Modern browsers will warn you or block HTTP sites entirely.
The performance gap between HTTP and HTTPS has largely closed. HTTP/2 and HTTP/3 only work over HTTPS in practice. The encryption overhead is minimal with modern processors.
If you're running a site without HTTPS, fix that first. It's not optional anymore.
HTTP/2 vs HTTP/3
HTTP/1.1 processes requests one at a time per connection. If one request takes time, everything else waits. HTTP/2 fixes this with multiplexing—multiple requests and responses can happen simultaneously over a single connection.
HTTP/2 also compresses headers, prioritizes important resources, and pushes data from the server without waiting for a request. Most modern browsers support it.
HTTP/3 uses QUIC instead of TCP. It's faster, especially on unreliable connections. It reduces latency by establishing connections faster and handling packet loss better. Browser support is good and growing.
HTTP Methods Comparison
| Method | Purpose | Idempotent | Safe |
|---|---|---|---|
| GET | Retrieve data | Yes | Yes |
| HEAD | Get headers only | Yes | Yes |
| POST | Create new data | No | No |
| PUT | Replace data | Yes | No |
| PATCH | Update part of data | No | No |
| DELETE | Remove data | Yes | No |
Idempotent means you can call it multiple times with the same result. DELETE is idempotent—deleting the same resource twice still results in deletion. POST is not—submitting a form twice creates two records.
Safe means the request doesn't modify server data. GET and HEAD are safe. Everything else modifies something.
Getting Started: Making HTTP Requests
You can test HTTP requests right now. Here are the simplest ways.
Using cURL
cURL comes with most systems. Make a GET request:
curl https://example.com
Make a POST request with JSON:
curl -X POST -H "Content-Type: application/json" -d '{"name":"test"}' https://api.example.com/endpoint
Include headers:
curl -H "Authorization: Bearer token123" https://api.example.com/protected
Using Browser DevTools
Open DevTools (F12), go to the Network tab, and reload the page. Click any request to see headers, status code, timing, and response body. This is how you debug real HTTP traffic.
Using Postman or Insomnia
These GUI tools let you construct requests visually, save them, and switch between methods easily. Essential for API development.
Common HTTP Terminology
- TCP/IP: The underlying connection protocol. HTTP sits on top of TCP.
- Port: A numbered endpoint. Port 80 is HTTP, port 443 is HTTPS.
- Packet: A chunk of data sent over the network.
- Latency: Time for data to travel from client to server.
- Throughput: How much data can move in a given time.
- Stateless: Each request is independent. The server doesn't remember you between requests.
- Pipeline: Sending multiple requests without waiting for each response. HTTP/2 supports this.
What You Should Actually Remember
HTTP is a request-response protocol built on TCP/IP. Clients send requests with methods and headers. Servers respond with status codes and bodies. That's it.
The methods are GET, POST, PUT, PATCH, DELETE. The status codes are grouped by type: 2xx for success, 4xx for your mistakes, 5xx for server mistakes. Headers pass metadata in both directions.
HTTPS is HTTP encrypted. Use it. HTTP/2 and HTTP/3 handle multiple requests better than HTTP/1.1. That's the practical difference that matters.