How HTTP Works: A First Principles Guide

2025-07-29

This post was converted from a medium.com blog to MDX using mdify.

If you’ve ever wondered how your browser fetches websites or how APIs send and receive data, the answer lies in a powerful, simple protocol: HTTP (HyperText Transfer Protocol).

This blog breaks down how HTTP works, from first principles to modern features like caching, CORS, and HTTPS. No fluff. Just what you need to deeply understand the web’s backbone.

Imagine you’re visiting https://example.com. You type the address into your browser, hit Enter, and a webpage appears.

Behind the scenes, your computer is having a structured conversation with another computer (a server). That conversation happens through HTTP.

Let’s explore how this works from first principles.

What is HTTP?

HTTP is a protocol—a set of rules—that defines how clients (like browsers) communicate with servers over the web.

1. Why do we need HTTP?

Problem: Two computers connected by the Internet can send packets, but they lack a standard language to request and deliver documents.

Solution: Define a text-based application-layer protocol that:

  • Identifies what is being requested (a method + a path).
  • Describes how to interpret the response (metadata headers).
  • Carries the actual content (the body).

2. Evolution of HTTP

HTTP has gone through multiple versions:

  • HTTP/0.9 — Basic GET only, no headers.
  • HTTP/1.0 — Introduced headers and status codes.
  • HTTP/1.1 — Persistent connections, chunked transfer.
  • HTTP/2 — Binary format, multiplexed streams, faster.
  • HTTP/3 — Uses QUIC over UDP, built-in encryption.

3. Core Ideas Behind HTTP

[Figure: Core Ideas]

4. HTTP Messages: Requests and Responses

HTTP communication happens through messages, which are either requests or responses.

4.1 A Request from client to server

GET /index.html HTTP/1.1
Host: example.com
User-Agent: curl/8.0
Accept: text/html

4.2 A Response from server to client

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 1256
Date: Tue, 29 Jul 2025 08:30:00 GMT

<html>...1256 bytes...</html>

5. Key HTTP Mechanisms

5.1 Headers: Why and What

Headers provide meta-information. They define:

  • What kind of data is being sent (Content-Type)
  • What response formats are acceptable (Accept)
  • Authentication (Authorization)
  • Language preference, caching instructions, and more.

Headers are the control panel of an HTTP message.

5.2 Methods

Each HTTP request includes a method to describe what action is being performed:

[Figure: Methods]

5.3 Status Codes

  • 1xx Informational – Continue, Switching Protocols
  • 2xx Success – 200 OK, 201 Created
  • 3xx Redirection – 301 Moved Permanently, 307 Temporary Redirect
  • 4xx Client Error – 400 Bad Request, 404 Not Found
  • 5xx Server Error – 500 Internal Server Error, 502 Bad Gateway

6. Caching in HTTP

To avoid downloading the same data over and over, browsers rely on HTTP caching.

Key headers involved:

  • Cache-Control: defines the caching policy
  • ETag: lets the server determine whether the content has changed
  • Last-Modified: another way to check freshness

Smart caching improves speed and reduces server load.

7. OPTIONS Method and the CORS Workflow

The OPTIONS method is used by browsers to determine what’s allowed before making certain cross-origin requests. This is known as a CORS preflight request.

It asks the server: "Can I send a POST request with JSON content from this origin?"

The server must respond with headers like:

Access-Control-Allow-Origin: https://client.com
Access-Control-Allow-Methods: POST, GET, OPTIONS
Access-Control-Allow-Headers: Content-Type

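Without proper CORS headers, the browser blocks the request, or withholds the response from the calling script, even if the server responds. CORS is enforced by the browser; it is not server-side access control, so non-browser clients such as curl are not restricted by it.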
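
One way a server could build the preflight response shown above, as an added example (not code from the original post). The names POLICY, preflightResponse and preflight, the request shape, and the look-alike origin are constructed for illustration.

```javascript
// Constructed policy mirroring the response headers shown above.
const POLICY = {
  origins: new Set(["https://client.com"]),
  methods: ["POST", "GET", "OPTIONS"],
  headers: ["Content-Type"],
};

// Build the response to a CORS preflight. `req.headers` uses lower-case
// names, as Node's http module provides them.
function preflightResponse(req, policy = POLICY) {
  const origin = req.headers["origin"];
  const wantMethod = req.headers["access-control-request-method"];
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowed = policy.headers.map((h) => h.toLowerCase());
  // Vary: Origin stops a shared cache reusing one origin's answer for another.
  // 403 is this example's choice; a preflight response without
  // Access-Control-Allow-Origin fails in the browser whatever the status.
  const denied = { status: 403, headers: { Vary: "Origin" } };

  if (req.method !== "OPTIONS" || !origin || !wantMethod) return denied;
  // Exact match against the allowlist: never echo Origin back unchecked,
  // and never use substring or suffix tests.
  if (!policy.origins.has(origin)) return denied;
  if (!policy.methods.includes(wantMethod)) return denied;
  if (!wantHeaders.every((h) => allowed.includes(h))) return denied;

  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": policy.methods.join(", "),
      "Access-Control-Allow-Headers": policy.headers.join(", "),
      Vary: "Origin",
    },
  };
}

// Constructed preflight requests: one from the allowed origin, one from a
// look-alike origin that a substring check would wrongly accept.
const preflight = (origin) => ({
  method: "OPTIONS",
  headers: {
    origin,
    "access-control-request-method": "POST",
    "access-control-request-headers": "content-type",
  },
});
console.log(preflightResponse(preflight("https://client.com")));
console.log(preflightResponse(preflight("https://client.com.attacker.example")));
```
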

8. Content Negotiation

HTTP allows clients to express preferences using headers like:

  • Accept: preferred content type (application/json, text/html)
  • Accept-Language: preferred languages (en, fr)
  • Accept-Encoding: compression formats (gzip, br)

The server uses this info to tailor the response.

GET /doc HTTP/1.1
Host: example.com
Accept: application/pdf

9. SSL, TLS and HTTPS

HTTP alone is insecure — all data is transmitted in plain text.

HTTPS = HTTP + TLS (Transport Layer Security)

TLS encrypts the data and authenticates the server, preventing:

  • Eavesdropping (privacy)
  • Tampering (integrity)
  • Impersonation (authentication)

Modern browsers require HTTPS for:

  • Accessing camera/mic
  • Storing cookies securely
  • Using advanced APIs (like service workers)

TL;DR: Why You Should Care

Understanding HTTP from the ground up helps you:

  • Debug network issues faster
  • Build secure and performant APIs
  • Master browser behavior (CORS, caching, headers)

If you build for the web, you speak HTTP, whether you know it or not.