HTTP and HTTPS Explained: Methods, Status Codes, Headers, Caching and TLS

HTTP is the foundation of data communication on the web. Every API call, every page load, every image download uses it. Understanding HTTP deeply — not just the basics — is essential for any web developer and comes up constantly in interviews.

What Is HTTP?

HTTP (HyperText Transfer Protocol) is a stateless, text-based request-response protocol. A client (browser, app, curl) sends a request; a server sends a response.

Stateless means each request is independent — the server does not remember previous requests. Cookies and sessions are built on top of HTTP to add statefulness.

HTTP Request Structure

code
GET /api/users/42 HTTP/1.1
Host: api.example.com
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
User-Agent: Mozilla/5.0 ...

A request has:

• Request line — method, path, HTTP version
• Headers — key-value metadata
• Body (optional) — data sent to the server (POST, PUT, PATCH)

HTTP Response Structure

code
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 82
Cache-Control: max-age=3600
Set-Cookie: session=abc123; HttpOnly; Secure

{"id": 42, "name": "Alice", "email": "alice@example.com"}

A response has:

• Status line — HTTP version, status code, reason phrase
• Headers — metadata about the response
• Body — the actual content

HTTP Methods

Method	Purpose	Idempotent	Safe	Has Body
GET	Retrieve resource	Yes	Yes	No
POST	Create resource	No	No	Yes
PUT	Replace resource	Yes	No	Yes
PATCH	Partial update	No	No	Yes
DELETE	Delete resource	Yes	No	No
HEAD	Like GET, headers only	Yes	Yes	No
OPTIONS	Describe communication options	Yes	Yes	No

Safe = does not modify server state. Idempotent = same result if called multiple times.

Status Codes

1xx — Informational

code
100 Continue        -- server received headers, client should proceed
101 Switching       -- upgrading to WebSocket

2xx — Success

code
200 OK              -- standard success
201 Created         -- resource created (POST)
204 No Content      -- success, no body (DELETE)
206 Partial Content -- range request fulfilled

3xx — Redirection

code
301 Moved Permanently  -- resource moved, update your links
302 Found              -- temporary redirect
304 Not Modified       -- cache is still valid
307 Temporary Redirect -- same method, temporary
308 Permanent Redirect -- same method, permanent

4xx — Client Error

code
400 Bad Request        -- malformed request
401 Unauthorized       -- not authenticated
403 Forbidden          -- authenticated but not allowed
404 Not Found          -- resource does not exist
405 Method Not Allowed -- wrong HTTP method for this endpoint
409 Conflict           -- duplicate resource or version conflict
422 Unprocessable      -- valid syntax, invalid semantics
429 Too Many Requests  -- rate limit exceeded

5xx — Server Error

code
500 Internal Server Error -- unexpected server failure
502 Bad Gateway           -- upstream server returned invalid response
503 Service Unavailable   -- server down or overloaded
504 Gateway Timeout       -- upstream server timed out

Important HTTP Headers

Request headers

code
Host: api.example.com
Accept: application/json, text/html;q=0.9
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Authorization: Bearer <token>
Content-Type: application/json
Content-Length: 54
User-Agent: Mozilla/5.0 ...
Origin: https://app.example.com
Cookie: session=abc123
If-None-Match: "abc123etag"
If-Modified-Since: Wed, 01 Jan 2025 00:00:00 GMT

Response headers

code
Content-Type: application/json; charset=utf-8
Content-Length: 1234
Cache-Control: max-age=3600, must-revalidate
ETag: "abc123etag"
Last-Modified: Wed, 11 Mar 2025 10:00:00 GMT
Set-Cookie: session=abc123; HttpOnly; Secure; SameSite=Strict
Location: /api/users/42       (for 201 Created or redirects)
WWW-Authenticate: Bearer      (for 401 responses)
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 42
Access-Control-Allow-Origin: https://app.example.com

HTTP Caching

Caching is one of the most important performance mechanisms in HTTP.

Cache-Control

code
Cache-Control: max-age=3600              -- cache for 1 hour
Cache-Control: no-cache                  -- always revalidate with server
Cache-Control: no-store                  -- never cache (sensitive data)
Cache-Control: public, max-age=86400     -- cacheable by CDNs, 24 hours
Cache-Control: private, max-age=600      -- browser only, 10 minutes
Cache-Control: stale-while-revalidate=60 -- serve stale while refreshing

ETags and Conditional Requests

ETags let browsers cache responses and only re-download when content changes:

code
-- First request
GET /api/data
Response: 200 OK
          ETag: "v1abc123"
          Body: {...}

-- Subsequent request (browser sends cached ETag)
GET /api/data
If-None-Match: "v1abc123"

-- If unchanged
Response: 304 Not Modified (no body -- use your cached version)

-- If changed
Response: 200 OK
          ETag: "v2xyz456"
          Body: {...new data...}

This saves bandwidth — the server sends full content only when it has actually changed.

Cookies

Cookies store small pieces of data in the browser, sent automatically with every request to the same domain:

code
-- Server sets a cookie
Set-Cookie: session=abc123; Max-Age=86400; HttpOnly; Secure; SameSite=Strict

-- Browser sends it on every subsequent request
Cookie: session=abc123

Cookie attributes:

• HttpOnly — JavaScript cannot access this cookie (prevents XSS theft)
• Secure — only sent over HTTPS
• SameSite=Strict — not sent on cross-site requests (prevents CSRF)
• Max-Age — expiry in seconds; without it, it is a session cookie
• Domain — which domains receive the cookie
• Path — which paths receive the cookie

CORS

Cross-Origin Resource Sharing controls which origins can access your API from the browser:

code
-- Browser preflight request
OPTIONS /api/data HTTP/1.1
Origin: https://app.example.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Authorization, Content-Type

-- Server response
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, DELETE
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Max-Age: 86400

CORS only applies to browser-based requests. Server-to-server requests are not restricted.

HTTPS and TLS

HTTPS is HTTP over TLS (Transport Layer Security). TLS encrypts the connection, providing:

• Confidentiality — data cannot be read in transit
• Integrity — data cannot be modified in transit
• Authentication — you are talking to the real server (via certificates)

TLS Handshake (simplified)

code
Client                          Server
  |-- ClientHello (supported TLS versions, cipher suites) -->
  |<-- ServerHello (chosen version, cipher suite) ----------
  |<-- Certificate (server's public key + identity) --------
  |-- (verify certificate against trusted CA) --
  |-- Key exchange material ------------------------------>
  |<-- Finished (encrypted) --------------------------------
  |-- Finished (encrypted) ------------------------------>
  |
  [Encrypted application data flows both ways]

The browser verifies the server's certificate was signed by a trusted Certificate Authority (CA) like Let's Encrypt, DigiCert, or Sectigo. This is why self-signed certificates trigger browser warnings.

HTTP/1.1 vs HTTP/2 vs HTTP/3

Feature	HTTP/1.1	HTTP/2	HTTP/3
Protocol	Text	Binary	Binary (QUIC/UDP)
Multiplexing	No (one request per connection)	Yes	Yes
Header compression	No	HPACK	QPACK
Server push	No	Yes	Yes
Connection	Keep-Alive	One TCP connection	UDP-based

HTTP/2 multiplexing solves HTTP/1.1's head-of-line blocking — multiple requests share one connection without waiting for each other.

Common Interview Questions

Q: What is the difference between GET and POST?

GET retrieves a resource — parameters go in the URL, request has no body. POST sends data to the server — data goes in the request body. GET is idempotent and safe; POST is neither. GET responses can be cached; POST responses generally cannot.

Q: What is the difference between 401 and 403?

401 means the client is not authenticated — provide credentials. 403 means the client is authenticated but does not have permission — valid credentials, but access is denied regardless.

Q: What is a preflight request?

A preflight is an HTTP OPTIONS request automatically sent by the browser before certain cross-origin requests. It asks the server if the actual request (with its method and headers) is allowed. The server responds with CORS headers. If allowed, the browser sends the actual request.

Practice on Froquiz

HTTP knowledge is tested in every web and backend developer interview. Explore our quizzes on Froquiz covering APIs, security, and backend fundamentals.

Summary

• HTTP is stateless request-response — each request is independent
• Methods: GET (read), POST (create), PUT (replace), PATCH (partial update), DELETE
• Status codes: 2xx success, 3xx redirect, 4xx client error, 5xx server error
• Cache-Control, ETag, and If-None-Match enable efficient browser caching
• Cookies: use HttpOnly, Secure, and SameSite=Strict for security
• CORS restricts which origins can call your API from the browser
• HTTPS adds TLS encryption, integrity, and server authentication over HTTP
• HTTP/2 multiplexes multiple requests over a single connection