HTTP 101: Guide from engineering point of view
HTTP (Hypertext Transfer Protocol) is the lifeline of web communication, powering everything from simple page loads to complex API interactions. For backend engineers, a solid grasp of HTTP's core concepts is non-negotiable. In this article, we'll break down HTTP's fundamentals: what it is, how headers and methods work, CORS, response codes, caching strategies, and the role of SSL, TLS, and HTTPS.
What is HTTP?
HTTP is an application-layer protocol that defines how clients (like browsers or apps) and servers communicate over the web. It is stateless — each request is independent, carrying all the data the server needs to process it. This design makes scaling easier but means any ongoing context (like user authentication) must be managed explicitly, often via tokens or cookies.
HTTP Headers
Headers are key-value pairs included in both requests and responses. They provide vital metadata, control behaviour, and enable features like authentication, content negotiation, security, and caching.
Key header types:
- Request Headers: Sent by the client (e.g., User-Agent, Authorization, Accept).
- General Headers: Used for both requests and responses (e.g., Cache-Control, Connection).
- Representation Headers: Describe the body/content (e.g., Content-Type, Content-Length, ETag).
- Security Headers: Enhance security (e.g., Strict-Transport-Security, Content-Security-Policy).
Headers are highly extensible, allowing new capabilities to be added without changing the protocol itself.
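To make the request line and header rules concrete, here is a small parser for a raw HTTP/1.1 request. It is an added example, not code from the article: the sample request bytes are constructed, and the class and function names are this example's own. It treats header names case-insensitively, joins repeated fields the way the protocol's list syntax allows, and refuses ambiguous body framing (two disagreeing Content-Length values, or Transfer-Encoding alongside Content-Length) rather than guessing.

```python
"""Added example (not from the article): a small parser for a raw HTTP/1.1 request.

It shows the pieces the article names: request line, header key-value pairs
(names are case-insensitive), and a body whose length comes from Content-Length.
The constructed sample request and the names below are this example's own."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, List[str]] = field(default_factory=dict)  # lower-cased name -> values
    body: bytes = b""

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive lookup; repeated fields are joined with ', ' (RFC 9110 list syntax)."""
        values = self.headers.get(name.lower())
        return ", ".join(values) if values else None


def parse_request(raw: bytes) -> HttpRequest:
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: header block not terminated")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    req = HttpRequest(*parts)
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # RFC 9112 forbids whitespace between the field name and the colon; reject instead of guessing
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        req.headers.setdefault(name.lower(), []).append(value.strip())

    # Body framing: only Content-Length is supported, and ambiguous framing is refused,
    # because two disagreeing length signals are what request-smuggling attacks rely on.
    if "transfer-encoding" in req.headers:
        raise ValueError("Transfer-Encoding is not supported by this parser")
    lengths = req.headers.get("content-length", [])
    if len(set(lengths)) > 1 or any(not v.isdigit() for v in lengths):
        raise ValueError(f"invalid or conflicting Content-Length: {lengths}")
    length = int(lengths[0]) if lengths else 0
    if len(rest) < length:
        raise ValueError("truncated body")
    req.body = rest[:length]  # anything after this belongs to the next pipelined request
    return req


# Constructed sample request for demonstration (not captured from a real client)
SAMPLE_REQUEST = (
    b"POST /api/items HTTP/1.1\r\n"
    b"Host: api.example.test\r\n"
    b"Content-Type: application/json\r\n"
    b"Accept: text/html\r\n"
    b"Accept: application/json\r\n"
    b"Content-Length: 14\r\n"
    b"\r\n"
    b'{"name":"pen"}'
)

if __name__ == "__main__":
    r = parse_request(SAMPLE_REQUEST)
    print(r.method, r.target, r.header("accept"), r.body)
```

Real servers also handle chunked transfer coding and line folding; the point here is that a parser should reject any message whose framing it cannot determine unambiguously, since that ambiguity is what proxies and origin servers get exploited through when they disagree.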
HTTP Methods
HTTP methods define the intended action for a request. The most common are:
- GET: Retrieve data (should not modify server state; idempotent).
- POST: Create new data (can produce different results on each call; non-idempotent).
- PUT: Replace existing data (idempotent).
- PATCH: Update part of a resource (idempotent).
- DELETE: Remove data (idempotent).
- OPTIONS: Discover server capabilities (crucial for CORS preflight).
Idempotency is an important property: methods like GET, PUT, and DELETE can be safely repeated without changing the server's state after the first request.
CORS (Cross-Origin Resource Sharing)
CORS is a browser security feature that controls how web pages can make requests to a different domain than the one that served them. By default, browsers enforce the same-origin policy, which blocks cross-origin requests for security. CORS allows servers to specify which origins are permitted to access their resources by sending specific headers in the response.
How it works:
When a browser makes a cross-origin request, it includes an Origin header. The server must respond with Access-Control-Allow-Origin (either a specific origin or * for all) to grant access. Without this header, the browser blocks the response.
Simple vs. Preflighted Requests:
- Simple requests (GET, POST, HEAD with simple headers) are sent directly; the browser checks the response for CORS headers.
- Preflighted requests (e.g., PUT, DELETE, or requests with custom headers like Authorization) trigger a preliminary OPTIONS request. The server must reply with allowed methods and headers before the actual request is sent.
Key headers: Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Allow-Credentials
CORS ensures that only trusted domains can access your APIs, balancing security and flexibility in modern web apps.
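The following added example (not code from the article) turns the header exchange above into a server-side decision function. The allowlist and the function names are constructed for this example. It covers both the simple and the preflighted case, and places the weak pattern of reflecting whatever Origin arrives beside the allowlist version so the difference is visible.

```python
"""Added example (not from the article): deciding which CORS headers to send.

Assumed: ALLOWED_ORIGINS / ALLOWED_METHODS / ALLOWED_HEADERS are constructed
configuration, and the function names are this example's own."""
from typing import Dict, Optional

ALLOWED_ORIGINS = {"https://app.example.test", "https://admin.example.test"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"authorization", "content-type", "x-request-id"}  # compared lower-case


def cors_headers_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """Weak pattern: echoing whatever Origin arrives while allowing credentials grants every
    site on the web authenticated access to the API. Shown only to contrast with the allowlist."""
    return {"Access-Control-Allow-Origin": origin or "*",
            "Access-Control-Allow-Credentials": "true"}


def cors_headers(origin: Optional[str], method: str,
                 requested_method: Optional[str] = None,
                 requested_headers: Optional[str] = None) -> Optional[Dict[str, str]]:
    """Return the CORS headers for this request, or None to send no CORS headers at all
    (the browser will then block the cross-origin caller from reading the response).

    `method` is the method of the request received; for a preflight, `requested_method`
    and `requested_headers` carry Access-Control-Request-Method / -Headers."""
    if origin is None:
        return None  # no Origin: same-origin navigation or a non-browser client
    if origin not in ALLOWED_ORIGINS:
        return None
    headers = {
        "Access-Control-Allow-Origin": origin,   # a specific origin, never "*" with credentials
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",                        # caches must not serve one origin's answer to another
    }
    if method == "OPTIONS" and requested_method is not None:
        # Preflight: approve only what the real request is going to use
        if requested_method not in ALLOWED_METHODS:
            return None
        wanted = {h.strip().lower() for h in (requested_headers or "").split(",") if h.strip()}
        if not wanted <= ALLOWED_HEADERS:
            return None
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        headers["Access-Control-Max-Age"] = "600"  # let the browser cache the preflight verdict
    return headers


if __name__ == "__main__":
    print(cors_headers("https://app.example.test", "GET"))
    print(cors_headers("https://admin.example.test", "OPTIONS", "PUT", "Authorization, Content-Type"))
    print(cors_headers("https://other.example.test", "GET"))
```

Two details matter in practice: browsers reject `Access-Control-Allow-Origin: *` combined with `Access-Control-Allow-Credentials: true`, so credentialed APIs must name the origin explicitly, and once the value varies per origin the response needs `Vary: Origin` or an intermediate cache may hand one origin's headers to another.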
HTTP Response Codes
Status codes are three-digit numbers in every HTTP response, indicating the result of the request:
2xx (Success):
- 200 OK: Successful request
- 201 Created: Resource created
- 204 No Content: Success, no body
3xx (Redirection):
- 301 Moved Permanently
- 302 Found
- 304 Not Modified
4xx (Client Errors):
- 400 Bad Request
- 401 Unauthorized
- 403 Forbidden
- 404 Not Found
- 409 Conflict
- 429 Too Many Requests
5xx (Server Errors):
- 500 Internal Server Error
- 502 Bad Gateway
- 503 Service Unavailable
- 504 Gateway Timeout
These codes allow clients to programmatically handle responses and errors.
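Handling responses programmatically is where the method idempotency discussed earlier and the status codes listed here meet: a client must decide not only whether a failure is transient but whether the method can be repeated without duplicating a side effect. The retry policy below is an added example, not code from the article; its thresholds, the constructed status sets and the function names are this example's own. PATCH is deliberately left out of the idempotent set because, unlike PUT, whether repeating it is safe depends on the patch document, so the policy treats it conservatively.

```python
"""Added example (not from the article): a retry policy that combines the idempotency
of the method with the meaning of the status code. Names and numbers are this example's own."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

# Methods that can be repeated without changing the outcome beyond the first request.
# PATCH is left out on purpose: whether repeating it is safe depends on the patch document.
IDEMPOTENT_METHODS = {"GET", "HEAD", "PUT", "DELETE", "OPTIONS"}
TRANSIENT_STATUSES = {408, 429, 500, 502, 503, 504}


def retry_after_seconds(headers: Dict[str, str], now: datetime) -> Optional[float]:
    """Honour Retry-After, which may be a delay in seconds or an HTTP date."""
    value = headers.get("Retry-After")
    if value is None:
        return None
    if value.strip().isdigit():
        return float(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None  # unparseable: fall back to backoff
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return max(0.0, (when - now).total_seconds())


def retry_delay(method: str, status: int, headers: Dict[str, str], attempt: int,
                max_attempts: int = 3, base: float = 0.5,
                now: Optional[datetime] = None) -> Optional[float]:
    """Seconds to wait before the next attempt, or None when the request must not be retried."""
    if attempt >= max_attempts or status not in TRANSIENT_STATUSES:
        return None  # other 4xx codes are a client bug; retrying just repeats the mistake
    if method not in IDEMPOTENT_METHODS and status != 429:
        # A 5xx after a POST does not tell us whether the server applied the change;
        # repeating it risks a duplicate order, payment or record. 429 means it was rejected.
        return None
    wait = retry_after_seconds(headers, now or datetime.now(timezone.utc))
    if wait is not None:
        return wait
    return base * (2 ** attempt)  # exponential backoff; add jitter in production


if __name__ == "__main__":
    print(retry_delay("GET", 503, {}, 0))                           # 0.5
    print(retry_delay("POST", 502, {}, 0))                          # None
    print(retry_delay("POST", 429, {"Retry-After": "7"}, 0))        # 7.0
```

If a POST must be retried safely, the usual engineering answer is to make it idempotent explicitly with a client-generated idempotency key the server deduplicates on, rather than to loosen the policy above.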
HTTP Caching
Caching reduces load times and bandwidth by storing reusable responses. Key mechanisms:
- Cache-Control: Directs how and for how long content should be cached.
- ETag: A unique identifier for a specific version of a resource.
- Last-Modified: Timestamp indicating when the resource was last changed.
Browsers and proxies use these headers to decide whether to serve cached content or fetch a fresh version, improving performance and reducing server load.
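The exchange those three headers produce, as an added example that is not part of the article: a server emits ETag, Last-Modified and Cache-Control, and a client that later sends If-None-Match or If-Modified-Since gets a 304 with an empty body when its copy is still current. The resource bytes, the timestamp and the function names are constructed for this example.

```python
"""Added example (not from the article): serving a resource with ETag / Last-Modified
and answering conditional requests with 304. Resource bytes, timestamp and function
names are constructed for this example."""
import hashlib
from datetime import datetime, timezone
from email.utils import formatdate, parsedate_to_datetime
from typing import Dict, Tuple

RESOURCE_BODY = b'{"id": 7, "name": "pen"}'                                # constructed
RESOURCE_MODIFIED = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed


def strong_etag(body: bytes) -> str:
    """Content-derived validator: changes whenever the bytes change."""
    return '"%s"' % hashlib.sha256(body).hexdigest()[:16]


def http_date(dt: datetime) -> str:
    return formatdate(dt.timestamp(), usegmt=True)  # e.g. Fri, 01 Mar 2024 12:00:00 GMT


def etag_matches(if_none_match: str, etag: str) -> bool:
    """Weak comparison as used for If-None-Match: W/ prefixes are ignored, '*' matches any."""
    if if_none_match.strip() == "*":
        return True
    strip = lambda t: t[2:] if t.startswith("W/") else t
    candidates = {strip(t.strip()) for t in if_none_match.split(",")}
    return strip(etag) in candidates


def respond(request_headers: Dict[str, str],
            body: bytes = RESOURCE_BODY,
            modified: datetime = RESOURCE_MODIFIED) -> Tuple[int, Dict[str, str], bytes]:
    etag = strong_etag(body)
    headers = {
        "ETag": etag,
        "Last-Modified": http_date(modified),
        # 'private' keeps a per-user response out of shared proxies and CDNs;
        # after 60 s the client must revalidate instead of serving it stale.
        "Cache-Control": "private, max-age=60, must-revalidate",
    }
    inm = request_headers.get("If-None-Match")
    if inm is not None:
        # When both validators are sent, If-None-Match decides (RFC 9110 precedence)
        if etag_matches(inm, etag):
            return 304, headers, b""
        return 200, headers, body
    ims = request_headers.get("If-Modified-Since")
    if ims is not None:
        try:
            since = parsedate_to_datetime(ims)
        except (TypeError, ValueError):
            since = None  # unparseable date: ignore the condition, serve the full response
        if since is not None:
            if since.tzinfo is None:
                since = since.replace(tzinfo=timezone.utc)
            if modified.replace(microsecond=0) <= since:
                return 304, headers, b""
    return 200, headers, body


if __name__ == "__main__":
    status, hdrs, _ = respond({})
    print(status, hdrs["ETag"], hdrs["Last-Modified"])
    print(respond({"If-None-Match": hdrs["ETag"]})[0])  # 304
```

The security-relevant choice is the Cache-Control directive: a response that depends on who is asking (anything behind Authorization or a session cookie) should be `private`, or a shared cache in front of the API can serve one user's data to the next.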
SSL, TLS, and HTTPS
- SSL (Secure Sockets Layer): The original protocol for encrypting web traffic (now obsolete).
- TLS (Transport Layer Security): The modern, secure replacement for SSL. It encrypts data exchanged between client and server, protecting against eavesdropping and tampering.
- HTTPS: HTTP over TLS (or SSL). When you see https:// in a URL, your connection is encrypted and authenticated, ensuring privacy and integrity for sensitive data.
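Encryption alone is not what makes HTTPS trustworthy; the certificate verification is what authenticates the server. The added example below (not code from the article) shows the client-side TLS configuration in Python's standard `ssl` module: the weak context that disables verification, the hardened one that insists on chain validation, hostname checking and TLS 1.2 or newer, and a small self-check that reports what a context guarantees. The function names are this example's own; `fetch_over_https` needs network access and is not part of the offline check.

```python
"""Added example (not from the article): building a TLS client context in Python's ssl
module, with the weak configuration shown beside the hardened one. Function names are
this example's own; fetch_over_https needs network access and is not exercised offline."""
import ssl
import urllib.request
from typing import Dict, Optional


def insecure_context() -> ssl.SSLContext:
    """Pattern to avoid: disabling verification keeps the encryption but drops authentication,
    so an on-path attacker's certificate is accepted and HTTPS no longer proves who you talk to."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the chain against the system store (or `cafile`), check the hostname,
    and refuse SSLv3 / TLS 1.0 / TLS 1.1."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise what a context actually guarantees; useful as a startup self-check."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
    }


def fetch_over_https(url: str, ctx: Optional[ssl.SSLContext] = None) -> bytes:
    """Fetch a URL over TLS with the hardened context; plaintext URLs are refused outright."""
    if not url.startswith("https://"):
        raise ValueError("refusing plaintext URL")  # never silently downgrade
    with urllib.request.urlopen(url, context=ctx or hardened_client_context(), timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    print("insecure:", describe(insecure_context()))
    print("hardened:", describe(hardened_client_context()))
```

The `describe` check is the kind of thing worth asserting in a service's startup path: a context that reports `verifies_chain: False` or `checks_hostname: False` in production is a misconfiguration that silently turns HTTPS into encrypted-but-unauthenticated transport.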
Conclusion
Understanding HTTP's essentials — its stateless nature, headers, methods, CORS, response codes, caching, and secure transport — is foundational for every backend engineer. Mastery of these concepts leads to more robust, scalable, and secure backend systems.