HTTP Fundamentals
Request/response, methods, status codes, headers, idempotency.
HTTP is a text-based request/response protocol. A client sends a request; a server sends a response. That is the entire model. Everything on the web — APIs, browsers, webhooks — is built on this one pattern.
Analogy
HTTP is like ordering at a counter service restaurant. You walk up with a slip that says what you want (the method and path), who you are (the headers), and sometimes with extra instructions attached (the body). The cashier takes the slip, comes back, and hands you either your food, a "we're out of that" note, or a "wrong counter, try over there" slip — that's the status code. The receipt stapled to your bag (response headers) tells you when it was made, how long it's good for, and whether you can reheat it tomorrow. Each order is independent; the counter doesn't remember you between visits.
The request
An HTTP request has three parts: a request line, headers, and an optional body.
```http
GET /users/42 HTTP/1.1
Host: api.example.com
Accept: application/json
Authorization: Bearer eyJ...
```
The first line contains the method, the path, and the HTTP version. Headers follow — one per line, `Name: Value`. The body (for POST and PUT) comes after a blank line.
The response
```http
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 47

{"id": 42, "name": "Sam", "role": "engineer"}
```
The first line is the status line: version, status code, and a human-readable reason phrase. Headers follow, then the body.
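To make the three-part structure concrete, here is a small parser for the wire format just described. It is an added example, not code from the original page: it splits a raw message at the blank line, reads the headers, and takes the body length from Content-Length, rejecting a message whose body is shorter than declared or that carries two conflicting lengths rather than guessing. The sample request and response at the bottom are constructed, and the bearer token in them is a placeholder.

```python
"""Minimal HTTP/1.1 message parser (added example; not code from the original page).

Splits a raw message into start line, headers and optional body. The body
length comes from Content-Length and is checked against what was actually
received, so a truncated or over-declared body is rejected instead of being
silently accepted. Only Content-Length bodies are handled; chunked transfer
coding is out of scope here.
"""
import re
from dataclasses import dataclass, field


class HttpParseError(ValueError):
    """Raised for any message that does not follow the wire format."""


@dataclass
class HttpMessage:
    start_line: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    body: bytes = b""


def parse_message(raw: bytes) -> HttpMessage:
    # Head and body are separated by the first blank line (CRLF CRLF).
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HttpParseError("no blank line terminating the headers")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError as exc:
        raise HttpParseError("non-ASCII bytes in start line or headers") from exc
    headers: dict = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Reject empty names and whitespace around the name (obsolete line folding).
        if not colon or not name or name != name.strip():
            raise HttpParseError(f"malformed header line: {line!r}")
        name = name.lower()
        if name == "content-length" and name in headers:
            # Two lengths is ambiguous; refuse rather than guess which one applies.
            raise HttpParseError("duplicate Content-Length")
        headers[name] = (headers[name] + ", " + value.strip()) if name in headers else value.strip()
    if "content-length" in headers:
        declared = headers["content-length"]
        if not re.fullmatch(r"[0-9]+", declared):
            raise HttpParseError(f"invalid Content-Length: {declared!r}")
        length = int(declared)
        if len(body) < length:
            raise HttpParseError(f"body truncated: got {len(body)} bytes, declared {length}")
        body = body[:length]  # bytes beyond the declared length are not part of this message
    else:
        body = b""  # no length declared: treat as no body
    return HttpMessage(lines[0], headers, body)


def parse_request(raw: bytes) -> tuple:
    """Return (method, target, version, headers, body) or raise HttpParseError."""
    msg = parse_message(raw)
    parts = msg.start_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise HttpParseError(f"bad request line: {msg.start_line!r}")
    method, target, version = parts
    if version == "HTTP/1.1" and "host" not in msg.headers:
        raise HttpParseError("HTTP/1.1 request without a Host header")
    return method, target, version, msg.headers, msg.body


def parse_response(raw: bytes) -> tuple:
    """Return (version, status, reason, headers, body) or raise HttpParseError."""
    msg = parse_message(raw)
    parts = msg.start_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not re.fullmatch(r"[0-9]{3}", parts[1]):
        raise HttpParseError(f"bad status line: {msg.start_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return parts[0], int(parts[1]), reason, msg.headers, msg.body


def is_well_formed_response(raw: bytes) -> bool:
    """Convenience check: True when the bytes parse as a complete response."""
    try:
        parse_response(raw)
        return True
    except HttpParseError:
        return False


# Constructed samples, shaped like the request and response shown above.
SAMPLE_REQUEST = (
    b"GET /users/42 HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"Accept: application/json\r\n"
    b"Authorization: Bearer <token-placeholder>\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 25\r\n"
    b"\r\n"
    b'{"id": 42, "name": "Sam"}'
)

if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
    print(parse_response(SAMPLE_RESPONSE))
    print(is_well_formed_response(SAMPLE_RESPONSE[:-5]))  # body shorter than declared -> False
```

Header names are lower-cased on the way in because HTTP header names are case-insensitive; the strict CRLF handling and the refusal of duplicate Content-Length values are the parts that matter when this sits in front of anything that trusts the parsed result.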
Methods
| Method | Meaning |
|---|---|
| GET | Retrieve a resource — no body, no side effects |
| POST | Create a new resource or trigger an action |
| PUT | Replace a resource entirely |
| PATCH | Partially update a resource |
| DELETE | Remove a resource |
| HEAD | Like GET, but the response body is omitted |
| OPTIONS | Ask what methods are allowed |
Status codes
Codes group into five classes by their first digit.
| Range | Class | Common codes |
|---|---|---|
| 1xx | Informational | 100 Continue |
| 2xx | Success | 200 OK, 201 Created, 204 No Content |
| 3xx | Redirect | 301 Moved Permanently, 302 Found, 304 Not Modified |
| 4xx | Client error | 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 422 Unprocessable |
| 5xx | Server error | 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable |
The difference between 401 and 403: 401 means "I don't know who you are — authenticate first." 403 means "I know who you are, but you are not allowed."
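The 401/403 distinction is easiest to see as an ordering of checks. The following added example (not code from the original page) is a tiny in-memory "users" service that checks credentials first, then permission, then whether the resource exists, and picks the status code accordingly. The tokens, users and roles are constructed test data; header names are assumed to arrive lower-cased; and it answers an unsupported method with 405 Method Not Allowed plus an `Allow` header, a standard code that is not in the table above.

```python
"""Picking a status code (added example; not code from the original page).

A minimal in-memory users service: 401 when no valid credential is present,
403 when the caller is known but not permitted, 404 when the resource is
absent, 405 when the method is not supported on this path.
"""

# Constructed credential table: bearer token -> caller identity.
TOKENS = {
    "tok-sam": {"id": 42, "role": "engineer"},
    "tok-ada": {"id": 7, "role": "admin"},
}
# Constructed resource store.
USERS = {
    42: {"id": 42, "name": "Sam", "role": "engineer"},
    7: {"id": 7, "name": "Ada", "role": "admin"},
}
ALLOWED_METHODS = "GET, HEAD, OPTIONS, DELETE"


def authenticate(headers: dict):
    """Return the caller's identity, or None when no valid credential is present."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or token not in TOKENS:
        return None
    return TOKENS[token]


def handle(method: str, path: str, headers: dict):
    """Return (status, response_headers, body) for a request to /users/<id>."""
    caller = authenticate(headers)
    if caller is None:
        # 401: we don't know who you are. WWW-Authenticate tells the client what to send.
        return 401, {"WWW-Authenticate": "Bearer"}, None

    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "users" or not parts[1].isdigit():
        return 404, {}, None
    user_id = int(parts[1])

    if method == "OPTIONS":
        # Ask what methods are allowed: answered in the Allow header, no body.
        return 204, {"Allow": ALLOWED_METHODS}, None
    if method in ("GET", "HEAD"):
        user = USERS.get(user_id)
        if user is None:
            return 404, {}, None
        # HEAD is GET with the body omitted; status and headers are identical.
        body = None if method == "HEAD" else dict(user)
        return 200, {"Content-Type": "application/json"}, body
    if method == "DELETE":
        # 403: we know who you are, but only admins may delete.
        if caller["role"] != "admin":
            return 403, {}, None
        USERS.pop(user_id, None)  # deleting twice leaves the same state: idempotent
        return 204, {}, None
    return 405, {"Allow": ALLOWED_METHODS}, None


if __name__ == "__main__":
    print(handle("GET", "/users/42", {}))                                   # 401
    print(handle("DELETE", "/users/42", {"authorization": "Bearer tok-sam"}))  # 403
    print(handle("DELETE", "/users/42", {"authorization": "Bearer tok-ada"}))  # 204
```

Note the order: the credential check runs before the path is even looked at, so an unauthenticated caller learns nothing about which resources exist, and the permission check for DELETE runs before the lookup for the same reason.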
Headers worth knowing
Request headers
- `Authorization: Bearer <token>` — carry credentials
- `Content-Type: application/json` — declare the body format
- `Accept: application/json` — declare what format you want back
- `Cache-Control: no-cache` — bypass the cache
Response headers
- `Content-Type: application/json; charset=utf-8` — body format
- `Cache-Control: max-age=3600` — tell caches how long to store
- `Location: /users/42` — used with 201 and 3xx to point to the resource
- `Retry-After: 30` — used with 429 (rate limit) to say when to retry
Idempotency
An operation is idempotent if calling it multiple times has the same effect as calling it once.
- GET, HEAD, DELETE, PUT: idempotent.
- POST: not idempotent. Submitting a form twice creates two records.
Idempotency matters for retries. If your network drops after you send a DELETE, you can safely retry it. If it drops after a POST, you need to check whether the first attempt went through.
Safe operations additionally have no side effects on the server. GET and HEAD are safe. DELETE is idempotent but not safe — it changes state (it removes something).
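The retry situation above can be reproduced offline. The following added example (not code from the original page) constructs a fake records server and a fake transport that delivers every request but loses the first response, then runs three scenarios: a DELETE that is retried safely, a POST that is retried blindly and creates two records, and a client whose retry policy is keyed on the method's idempotency and so hands the uncertainty back to the caller, who checks state with a safe GET. The server, transport and record contents are all constructed.

```python
"""Retry decisions driven by idempotency (added example; not code from the
original page). A constructed fake server and fake transport reproduce the
case described above: the server applies the operation, the transport then
loses the response, and the client must decide whether a retry is safe."""

IDEMPOTENT = {"GET", "HEAD", "OPTIONS", "PUT", "DELETE"}
SAFE = {"GET", "HEAD", "OPTIONS"}  # idempotent *and* no server-side effect


class ResponseLost(Exception):
    """The request may or may not have been applied; no response was seen."""


class FakeServer:
    """Constructed in-memory records service: POST creates, DELETE removes."""

    def __init__(self):
        self.records = {1: "existing"}
        self.next_id = 2
        self.requests_seen = 0

    def handle(self, method, path, body=None):
        self.requests_seen += 1
        if method == "GET" and path == "/records":
            return 200, {}, sorted(self.records)
        if method == "POST" and path == "/records":
            rid, self.next_id = self.next_id, self.next_id + 1
            self.records[rid] = body
            return 201, {"Location": f"/records/{rid}"}, None
        if method == "DELETE" and path.startswith("/records/"):
            self.records.pop(int(path.rsplit("/", 1)[1]), None)
            return 204, {}, None
        return 404, {}, None


class FlakyTransport:
    """Delivers every request to the server, but loses the first `drop` responses."""

    def __init__(self, server, drop):
        self.server, self.drop = server, drop

    def send(self, method, path, body=None):
        result = self.server.handle(method, path, body)  # the server-side effect happens here
        if self.drop > 0:
            self.drop -= 1
            raise ResponseLost(f"{method} {path}")
        return result


def request_with_retry(transport, method, path, body=None, max_attempts=3):
    """Retry automatically only for idempotent methods. For anything else the
    uncertainty is passed to the caller, who must check what actually happened."""
    for attempt in range(1, max_attempts + 1):
        try:
            return transport.send(method, path, body)
        except ResponseLost:
            if method not in IDEMPOTENT or attempt == max_attempts:
                raise


def demo():
    """Run the three scenarios and return what happened in each."""
    results = {}

    # 1. DELETE, response lost once: retried; end state is the same as one call.
    srv = FakeServer()
    t = FlakyTransport(srv, drop=1)
    status, _, _ = request_with_retry(t, "DELETE", "/records/1")
    results["delete"] = (status, srv.requests_seen, 1 in srv.records)

    # 2. POST retried blindly: the server saw two requests and created two records.
    srv = FakeServer()
    t = FlakyTransport(srv, drop=1)
    for _ in range(2):
        try:
            t.send("POST", "/records", "payload")
            break
        except ResponseLost:
            pass
    results["blind_post_created"] = len(srv.records) - 1

    # 3. Idempotency-aware client: POST is not retried; the caller checks state instead.
    srv = FakeServer()
    t = FlakyTransport(srv, drop=1)
    try:
        request_with_retry(t, "POST", "/records", "payload")
        results["policy_post"] = "ok"
    except ResponseLost:
        results["policy_post"] = "unknown"
        _, _, ids = t.send("GET", "/records")  # GET is safe, so checking costs nothing
        results["policy_post_ids"] = ids
    return results


if __name__ == "__main__":
    print(demo())
```

Scenario 3 is the point of the passage: the first POST did reach the server, so a client that simply retried would duplicate it, while a client that declines to retry and reads state back sees exactly one new record.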
HTTPS
HTTP sends everything in plaintext. HTTPS wraps the HTTP connection in TLS so that the content is encrypted in transit. The URL prefix https:// tells the browser to perform a TLS handshake before sending any HTTP. The handshake authenticates the server (via a certificate) and establishes a shared encryption key.
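The handshake only authenticates the server if the client actually verifies the certificate chain and the hostname. The following added example (not code from the original page) uses Python's standard `ssl` module to build a client context that verifies, a contrasting one that accepts anything, and a check that can be run on a context before it is used; the `open_https` helper, which performs the real handshake, is included for completeness and is the only part that needs a network.

```python
"""TLS client configuration check (added example; not code from the original
page). Builds a verifying context, contrasts it with a non-verifying one, and
provides a check to run before any HTTP is sent over the connection."""
import socket
import ssl


def make_verifying_context() -> ssl.SSLContext:
    # Verifies the chain against the system CA store and checks the hostname.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse deprecated protocol versions
    return ctx


def make_unverified_context() -> ssl.SSLContext:
    """The configuration to avoid: any certificate from anyone is accepted, so
    the handshake no longer tells you who is on the other end."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be disabled before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_authenticates_server(ctx: ssl.SSLContext) -> bool:
    """True only when the context will reject an unverifiable or mismatched certificate."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def open_https(host: str, port: int = 443, timeout: float = 5.0) -> ssl.SSLSocket:
    """Perform the TLS handshake (the https:// step) before any HTTP is sent.
    Needs a network; not exercised by the offline checks."""
    ctx = make_verifying_context()
    if not context_authenticates_server(ctx):
        raise RuntimeError("refusing to connect with a non-verifying TLS context")
    raw = socket.create_connection((host, port), timeout=timeout)
    # server_hostname drives both SNI and the hostname check against the certificate.
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    print(context_authenticates_server(make_verifying_context()))   # True
    print(context_authenticates_server(make_unverified_context()))  # False
```

The check is deliberately strict about all three properties: with `verify_mode` set to `CERT_NONE` the chain is never validated, with `check_hostname` off a valid certificate for some other name is accepted, and older protocol versions are refused outright.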