What Is HTTP?

HTTP (HyperText Transfer Protocol) is a client-server application layer protocol used to transmit text, images, video, and other media across the World Wide Web. As the foundational protocol of the Internet, HTTP enables communication between web browsers and servers. Its stateless, request-response design allows simple yet efficient communication.

How to Pronounce HTTP

aitch-tee-tee-pee /ˌeɪtʃ.tiː.tiː.ˈpiː/

aitch-tee-tee-pee (/ˌeɪtʃ.tiː.tiː.ˈpiː/)

Definition and Basic Concepts

HTTP stands for HyperText Transfer Protocol and was developed by Tim Berners-Lee at CERN (European Organization for Nuclear Research) in 1991. While the initial HTTP/0.9 was extremely simple, subsequent improvements have made it the standard communication method for the modern Web. The protocol operates on a simple principle: a client (typically a web browser) sends a request to a server, and the server responds with the requested resource or an error message. This fundamental model has remained constant throughout HTTP’s evolution, proving its architectural elegance and robustness.

Key characteristics of HTTP:

Stateless: Each request is independent, and the server does not maintain client state. This means the server doesn’t remember previous requests from the same client unless additional mechanisms like cookies or sessions are implemented. This design simplifies server architecture and improves scalability.
Request-Response Model: Unidirectional communication where servers respond to client requests. The client initiates communication, and the server responds. This asymmetry ensures clear responsibility: clients request, servers provide.
Application Layer Protocol: Operates at the seventh layer of the OSI reference model, above the transport layer (TCP/UDP). This positioning allows HTTP to rely on reliable TCP connections without managing low-level network details.
Text-Based: Requests and responses are transmitted in text format (partially binary in HTTP/2 and later). This human-readable nature made HTTP easy to debug in early Web development, though binary formats in newer versions optimize performance.
Port 80: Typically uses TCP port 80 by default. This well-known port allows clients to automatically connect to HTTP servers without explicit port specification. HTTPS uses port 443.

History and Evolution

Understanding HTTP’s evolution is crucial to appreciating modern web architecture. Each version brought significant improvements addressing real-world performance and usability challenges.

HTTP/0.9 (1991)

The first version supported only the GET method and was extremely simple. There were no response headers, and only HTML text was returned. A typical HTTP/0.9 request consisted of a single line: “GET /resource”. The server would respond with HTML data and immediately close the connection. This simplicity made it easy to implement but severely limited functionality. No status codes existed to indicate success or failure—servers either returned content or closed the connection.

HTTP/1.0 (RFC 1945, 1996)

Introduced the concept of headers and added support for multiple media types and status codes. Methods were expanded to include GET, POST, and HEAD. Request and response headers became standardized, allowing servers to communicate content type, content length, and other metadata. Status codes (200, 404, 500, etc.) provided clear indication of request outcomes. Each request still required a new TCP connection, which created latency overhead for web pages with multiple resources.

HTTP/1.1 (RFC 2616, 1999; Updated as RFC 7230-7235, 2014)

Added numerous performance-enhancing features that remain standard today:

Keep-Alive connections (connection reuse) – Multiple requests could use the same TCP connection, dramatically reducing latency and improving throughput
Pipelining (sending multiple requests sequentially) – Clients could send multiple requests before receiving responses, though server support was inconsistent
Enhanced caching control mechanisms – Fine-grained control over what should be cached, for how long, and under what conditions
Content-Encoding compression – Servers could compress response bodies, reducing bandwidth consumption
Persistent connections for improved efficiency – TCP connections stayed open for multiple requests
Virtual hosting support – Multiple websites could operate on a single IP address using the Host header
Range requests – Clients could request specific byte ranges, enabling resume functionality for downloads

HTTP/1.1 became the dominant version for over 20 years, proving remarkably durable and adaptable.

HTTP/2 (RFC 7540, 2015)

Introduced binary framing for significant performance improvements, fundamentally changing how HTTP communication works:

Binary protocol implementation – Moved away from text-based to binary format, enabling more efficient parsing and transmission
Multiplexing (simultaneous processing of multiple requests) – Multiple streams could share a single TCP connection, eliminating head-of-line blocking issues
Header compression (HPACK) – Dramatically reduced header overhead through intelligent compression, crucial for mobile networks
Server push capability – Servers could proactively send resources to clients before being asked, optimizing page load times
Stream prioritization – Clients could indicate which resources were more important, allowing servers to allocate bandwidth accordingly
Flow control – Fine-grained control over data transmission rates

HTTP/2 addressed the limitations of HTTP/1.1’s single-threaded request processing, providing substantial performance improvements without requiring application changes.

HTTP/3 (RFC 9114, 2022)

Based on QUIC (a protocol running over UDP), HTTP/3 represents the latest evolution:

UDP-based implementation for reduced latency – UDP avoids TCP’s three-way handshake overhead, reducing connection establishment time
0-RTT (zero round-trip time) connection establishment – Clients can send data immediately without waiting for server acknowledgment
Elimination of Head-of-Line Blocking – Lost UDP packets only affect individual streams, not the entire connection like in TCP
Connection migration support – Clients can switch networks (like moving from WiFi to cellular) without losing the connection
Faster recovery from packet loss – QUIC’s congestion control handles packet loss more gracefully than TCP

How HTTP Works

Understanding the HTTP workflow is essential for developers working with web applications.

HTTP is a simple request-response protocol operating through the following steps:

TCP Connection Establishment: The client connects to the server’s port 80 (or 443 for HTTPS). For HTTP/2 and later, this connection can be reused for multiple requests.
Request Transmission: Send request line with HTTP method and headers. The request includes the method (GET, POST, etc.), the resource path, HTTP version, headers, and optionally a body.
Server Processing: Server processes the request, performs any necessary operations (database queries, file access, etc.), and prepares a response.
Response Transmission: Server returns response with status code, headers, and body. The status code indicates success (2xx), redirection (3xx), client error (4xx), or server error (5xx).
Connection Closure: HTTP/1.0 closes the connection, or HTTP/1.1+ can reuse via Keep-Alive. Modern applications typically keep connections open for efficiency.

This cycle repeats for each HTTP interaction. Modern web applications make dozens of HTTP requests per page load, requesting HTML, CSS, JavaScript, images, fonts, and API data.

HTTP Methods

HTTP methods specify what operation to perform on a resource. Each method has specific semantics and expected behavior.

Method	Description	Safe	Idempotent
GET	Retrieve a resource without modifying it	Yes	Yes
POST	Create a resource or submit data for processing	No	No
PUT	Update or create entire resource	No	Yes
DELETE	Delete a resource	No	Yes
PATCH	Partially update a resource	No	No
HEAD	Same as GET but without response body	Yes	Yes
OPTIONS	Describe communication options for the resource	Yes	Yes
TRACE	Echo request back for debugging	Yes	Yes

Safe methods don’t modify server state and can be cached. Idempotent methods produce the same result when called multiple times, important for retry logic in unreliable networks.

HTTP Status Codes

HTTP responses use three-digit status codes to indicate results. These codes are standardized and widely recognized, allowing clients to make intelligent decisions about how to handle responses.

1xx (Informational): Processing continues (e.g., 100 Continue). The server is providing provisional information, and the client should expect the final response.
2xx (Success): Request successfully processed
- 200 OK: Successful request-response
- 201 Created: Resource successfully created
- 204 No Content: Success with no response body (useful for DELETE operations)
- 206 Partial Content: Server sent requested partial content (used for range requests)
3xx (Redirection): Further action required
- 301 Moved Permanently: Resource permanently moved to a new URL
- 302 Found: Temporary redirection
- 304 Not Modified: Client’s cached version is current (not a failure, but optimization)
- 307 Temporary Redirect: Like 302, but guarantees method won’t change
4xx (Client Error): Client-side issue
- 400 Bad Request: Invalid request syntax
- 401 Unauthorized: Authentication required
- 403 Forbidden: Authenticated but doesn’t have permission
- 404 Not Found: Resource doesn’t exist
- 429 Too Many Requests: Rate limiting in effect
5xx (Server Error): Server-side issue
- 500 Internal Server Error: Unexpected server error
- 502 Bad Gateway: Upstream server problem
- 503 Service Unavailable: Server temporarily unavailable
- 504 Gateway Timeout: Upstream server timeout

HTTP Request Structure

GET /path/to/resource HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html,application/xhtml+xml
Accept-Language: en-US,en;q=0.9
Connection: keep-alive

Request Line: Method, URI, HTTP version
Headers: Request metadata describing the request
Body: Optional data for POST/PUT requests

HTTP Response Structure

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 1234
Cache-Control: max-age=3600
Set-Cookie: session_id=abc123; Path=/
Connection: keep-alive

<!DOCTYPE html>
<html>
<head><title>Example</title></head>
<body>Example content</body>
</html>

Status Line: HTTP version, status code, reason phrase
Headers: Response metadata
Body: Resource content (HTML, JSON, binary data, etc.)

HTTP Headers

Headers provide crucial metadata about HTTP requests and responses, enabling sophisticated communication patterns.

Common Request Headers:

Host: Target hostname (required in HTTP/1.1)
User-Agent: Client type and version for server statistics and compatibility
Accept: Acceptable media types (e.g., application/json, text/html)
Accept-Encoding: Acceptable compression methods (gzip, deflate, br)
Authorization: Authentication credentials (Bearer tokens, Basic auth, etc.)
Cookie: Client-side stored data sent to server
Content-Type: Type of request body data
Content-Length: Size of request body in bytes
If-Modified-Since: Conditional request – send only if modified since date
If-None-Match: Conditional request – send only if ETag doesn’t match

Common Response Headers:

Content-Type: Response body media type
Content-Length: Response body size
Content-Encoding: Compression used (gzip, deflate, br)
Cache-Control: Caching directives
ETag: Unique identifier for resource version (for caching)
Last-Modified: When resource was last changed
Set-Cookie: Instruct client to store cookie data
Location: Redirect destination URL
Server: Server software information
Vary: Indicates what request headers affect response caching

HTTP Cookies and Sessions

Although HTTP is stateless, cookies allow servers to track client information across requests, enabling user authentication and personalization.

// Response header
Set-Cookie: sessionId=abc123; Path=/; HttpOnly; Secure; SameSite=Strict

// Automatically sent in subsequent requests
Cookie: sessionId=abc123

Cookie Attributes:

Path: Valid path for the cookie (e.g., / for entire site)
Domain: Valid domain for the cookie
HttpOnly: Prevents JavaScript access, improving security
Secure: Send only over HTTPS connections
SameSite: CSRF attack prevention (Strict, Lax, or None)
Expires/Max-Age: When the cookie should be deleted

Caching Mechanism

HTTP caching significantly improves performance by reducing unnecessary requests to servers. Browsers and intermediate caches can store responses for reuse.

// Cache control examples
Cache-Control: max-age=3600          // Cache for 1 hour
Cache-Control: no-cache              // Validation required before using cached copy
Cache-Control: no-store              // Don't cache at all
Cache-Control: public                // Public proxies can cache
Cache-Control: private               // Only browser cache, not proxies

// Conditional request with ETag
If-None-Match: "abc123"              // Send full response only if ETag changed
Last-Modified: Wed, 21 Mar 2025 10:00:00 GMT
If-Modified-Since: Wed, 21 Mar 2025 10:00:00 GMT

ETags and Last-Modified headers enable efficient cache validation. When a resource hasn’t changed, servers can respond with 304 Not Modified, saving bandwidth.

HTTP vs HTTPS Comparison

Item	HTTP	HTTPS
Protocol	HyperText Transfer Protocol	HTTP + TLS/SSL
Port	80	443
Encryption	None – plaintext	TLS encryption
Authentication	None	Digital certificates verify server identity
Security	Low – data can be intercepted	High – encrypted and authenticated
Performance	Slightly faster (no encryption overhead)	Slightly slower (encryption computational cost)
SEO Impact	Less favorable	Google ranks HTTPS higher
Browser Indicator	No padlock, may show warning	Padlock indicates secure connection
Certificate Required	No	Yes (public certificate)
Best For	Non-sensitive content only	All websites (default standard)

HTTPS is now the mandatory standard for all websites. Web browsers increasingly warn users about unencrypted HTTP connections, and certificate authorities offer free certificates (Let’s Encrypt), removing cost barriers.

Implementation Examples

Node.js Basic HTTP Server:

const http = require('http');

const server = http.createServer((req, res) => {
  res.writeHead(200, { 'Content-Type': 'text/html; charset=UTF-8' });
  
  if (req.method === 'GET' && req.url === '/') {
    res.end('<h1>Hello, World!</h1>');
  } else if (req.method === 'POST' && req.url === '/api/data') {
    let body = '';
    req.on('data', chunk => body += chunk);
    req.on('end', () => {
      console.log('Received:', body);
      res.end(JSON.stringify({ status: 'received' }));
    });
  } else {
    res.writeHead(404);
    res.end('Not Found');
  }
});

server.listen(3000, () => console.log('Server running on port 3000'));

Python HTTP Requests:

import requests

# GET request
response = requests.get('https://api.example.com/users')
print(response.status_code)  # 200
print(response.json())       # JSON body

# POST request
data = {'name': 'John', 'email': 'john@example.com'}
response = requests.post('https://api.example.com/users', json=data)
print(response.status_code)

# Headers and cookies
headers = {'Authorization': 'Bearer token123'}
cookies = {'session': 'abc123'}
response = requests.get(
    'https://api.example.com/users',
    headers=headers,
    cookies=cookies
)

cURL Requests:

# Simple GET request
curl https://example.com

# POST request
curl -X POST https://api.example.com/users \
  -H "Content-Type: application/json" \
  -d '{"name":"John","email":"john@example.com"}'

# With headers
curl -H "Authorization: Bearer token123" https://api.example.com/users

# With cookies
curl -b "session=abc123" https://api.example.com/users

Common Misconceptions

Misconception 1: “HTTP is secure”

HTTP is not encrypted and is vulnerable to eavesdropping, man-in-the-middle attacks, and data tampering. Always use HTTPS for sensitive information including passwords, credit cards, and personal data. Network sniffing tools can easily capture unencrypted HTTP traffic.

Misconception 2: “Using HTTP/2 always makes things faster”

HTTP/2 unlocks protocol potential, but application design, server configuration, and network conditions also matter significantly. TLS overhead must be considered, and older clients may not support HTTP/2. Performance gains depend on implementation details and use cases.

Misconception 3: “Stateless means unrelated requests can’t be connected”

Using cookies and sessions allows HTTP to maintain state across requests. Servers can track user sessions, preferences, and authentication status despite HTTP’s stateless nature. This is fundamental to modern web applications.

Misconception 4: “POST is always safer than GET”

POST sends data in the body rather than the URL, making it slightly less obvious, but without HTTPS encryption, it’s still vulnerable to interception. Both GET and POST require HTTPS for security. The security comes from encryption, not the method.

Misconception 5: “HTTP/3 completely replaces UDP”

HTTP/3 is based on QUIC, which runs over UDP but improves upon UDP’s characteristics through reliability, flow control, and congestion management. It doesn’t replace UDP; it enhances it for web protocols.

Related Technologies

HTTPS: Encrypted version of HTTP with TLS/SSL, essential for modern web
HTTP/2, HTTP/3: Next-generation HTTP versions with performance improvements
WebSocket: Bidirectional communication protocol for real-time applications
REST: Architectural pattern using HTTP methods effectively
GraphQL: Alternative query language for APIs (uses HTTP as transport)
gRPC: RPC framework on HTTP/2 for high-performance services
CORS: Cross-Origin Resource Sharing for secure cross-domain requests
TLS/SSL: Communication encryption protocol underlying HTTPS

Frequently Asked Questions

Q: What’s the difference between HTTP and HTTPS?

A: HTTPS combines HTTP with TLS/SSL encryption to secure communication. HTTP transmits plaintext and is vulnerable to eavesdropping. HTTPS encrypts data in transit and authenticates servers via digital certificates.

Q: Why does HTTP/3 use QUIC?

A: QUIC runs over UDP and avoids TCP constraints like Head-of-Line Blocking, offering lower latency and faster connection establishment. QUIC also enables connection migration when switching networks.

Q: How do you maintain state without cookies?

A: You can send session tokens in URL parameters or request headers, though cookies are recommended for security and usability. URL-based tokens are visible in browser history and referer headers.

Q: How many HTTP methods are there?

A: Seven primary methods (GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS), plus extended methods like TRACE and CONNECT. Custom methods are technically allowed but uncommon.

Q: Are all non-2xx status codes errors?

A: No. 2xx means success, 3xx means redirection (additional action needed), 4xx means client error, and 5xx means server error. 3xx responses are normal and often optimizations (like 304 Not Modified).

Q: What is Keep-Alive?

A: A feature that reuses TCP connections, allowing multiple HTTP requests over a single connection for improved performance. Reduces connection overhead significantly.

Q: What’s the difference between POST and PUT?

A: POST creates new resources or submits data for processing (non-idempotent). PUT updates entire resources and is idempotent—calling it multiple times with the same data produces the same result.

References

RFC 7230 – HTTP/1.1: Message Syntax and Routing – Official IETF specification for HTTP/1.1 message format
RFC 7540 – HTTP/2 – Official HTTP/2 specification with detailed protocol mechanics
RFC 9114 – HTTP/3 – Official HTTP/3 specification based on QUIC
MDN – HTTP – Mozilla Developer Network comprehensive HTTP documentation
W3C – HTTP Semantics – Official W3C specification for HTTP semantics
WHATWG – Fetch Standard – Fetch API standard for modern HTTP requests in browsers

Summary

HTTP is the foundational protocol of the World Wide Web that has continually evolved since its 1991 debut. While HTTP/1.1 served as the long-standing standard for over two decades, HTTP/2 and HTTP/3 enable faster and more efficient communication. HTTP’s stateless design provides simplicity and extensibility, though HTTPS is essential for security. Understanding HTTP mechanics is crucial for REST API development and modern web applications. As the internet evolves, HTTP continues to adapt, with protocols like HTTP/3 optimizing for real-world network conditions. Whether you’re developing web applications, building APIs, or managing web infrastructure, thorough understanding of HTTP fundamentals remains indispensable.

Translation Information: This article is also available in Japanese. Select “Japanese” from the language options at the top to view it.

🌐
この記事の日本語版：
HTTPとは? →