Rai Notes

HTTP

8 min read

Reference notes.

HTTP (Hypertext Transfer Protocol) is the application-layer protocol for the web. It’s evolved from a simple text protocol to a binary, multiplexed, encrypted-by-default system.

Evolution

VersionYearTransportKey Feature
HTTP/1.01996TCPOne request per connection
HTTP/1.11997TCPPersistent connections, pipelining
HTTP/22015TCPBinary framing, multiplexing
HTTP/32022QUIC (UDP)No head-of-line blocking, 0-RTT

HTTP/1.1

Still widely used. Key features over 1.0:

  • Persistent connections (Connection: keep-alive) — Reuse TCP connections for multiple requests, avoiding the cost of repeated handshakes
  • Chunked transfer encoding — Stream responses of unknown length
  • Host header — Required, enabling virtual hosting (multiple domains on one IP)
  • Pipelining — Send multiple requests without waiting for responses. Rarely used in practice due to head-of-line blocking (a slow response blocks all subsequent ones)

Head-of-Line (HOL) Blocking

HTTP/1.1’s fundamental limitation. Responses must be returned in request order. If the first response is slow, all subsequent responses are blocked. Workarounds:

  • Domain sharding — Spread resources across subdomains to open more TCP connections (typically 6 per domain)
  • Bundling — Concatenate CSS/JS files to reduce request count
  • Spriting — Combine images into a single sprite sheet

These are anti-patterns in HTTP/2+ (actually harmful due to cache invalidation and unnecessary data transfer).

HTTP/2

Binary protocol defined in RFC 9113. Maintains HTTP semantics (methods, headers, status codes) but changes the transport framing.

Streams, Frames, and Multiplexing

Single TCP connection
  ├── Stream 1 (GET /index.html)
  │     ├── HEADERS frame
  │     └── DATA frames
  ├── Stream 3 (GET /style.css)
  │     ├── HEADERS frame
  │     └── DATA frames
  └── Stream 5 (GET /app.js)
        ├── HEADERS frame
        └── DATA frames

All requests and responses are interleaved as frames on streams within a single TCP connection. A slow response on stream 1 doesn’t block streams 3 or 5 at the HTTP layer.

However, TCP-level HOL blocking remains — if a single TCP packet is lost, all streams stall until it’s retransmitted. This is the fundamental problem HTTP/3 solves.

HPACK Header Compression

HTTP headers are repetitive (same cookies, user-agent, etc. on every request). HPACK compresses headers using:

  • Static table — 61 common header name-value pairs (:method: GET, :status: 200, etc.)
  • Dynamic table — Previously seen headers, indexed by both sides
  • Huffman encoding — Literal values are Huffman-encoded

Typical compression ratio: 85-95% for repeated requests.

Server Push

Server can proactively send resources before the client requests them (e.g., push style.css when /index.html is requested). Rarely used in practice — difficult to implement correctly, often wasteful (pushes resources already cached by the client). Deprecated in Chrome (2022).

Stream Prioritisation

Clients can assign priority and dependencies between streams, helping the server send critical resources first. Replaced in HTTP/2 with a simpler Extensible Priorities scheme (RFC 9218).

HTTP/3

Runs over QUIC instead of TCP. Defined in RFC 9114. Adoption as of 2025: ~35% of web traffic, supported by 95%+ of browsers.

QUIC Transport

QUIC is a general-purpose transport protocol running over UDP:

  • Integrated TLS 1.3 — Encryption is mandatory and built into the protocol, not layered on top. Reduces handshake from TCP + TLS (2-3 RTT) to 1 RTT (0-RTT on resumption).
  • Independent streams — Each QUIC stream has its own flow control. A lost packet on one stream doesn’t block others — eliminating TCP’s head-of-line blocking.
  • Connection migration — Connections are identified by a Connection ID, not the 4-tuple (source/dest IP+port). When a device switches from WiFi to cellular, the connection survives without re-handshaking.
  • Improved loss recovery — QUIC uses packet numbers (never reused, unlike TCP sequence numbers) and supports more precise RTT measurement.

QPACK Header Compression

Replaces HPACK. Designed for QUIC’s out-of-order delivery — HPACK assumed ordered delivery (TCP). QPACK uses separate unidirectional streams for the header table, avoiding HOL blocking from header compression state.

0-RTT

On repeat connections, QUIC can send application data in the first packet. Same replay caveats as TLS 0-RTT — only safe for idempotent requests.

When HTTP/3 Helps Most

  • High-latency connections — Fewer round trips to establish connection
  • Lossy networks (mobile, WiFi) — No HOL blocking on packet loss
  • Connection migration — Mobile users switching networks
  • Many small requests — 0-RTT saves a full round trip

Adoption

All major browsers support HTTP/3. CDNs (Cloudflare, Akamai, Fastly) enable it by default. Server support: nginx 1.25+, Caddy (default), HAProxy 2.6+. Standards: RFC 9114 (HTTP/3), RFC 9000 (QUIC), RFC 9001 (QUIC-TLS), RFC 9204 (QPACK).

Fallback: HTTP/3 is negotiated via the Alt-Svc header or HTTPS DNS record. If UDP is blocked (some corporate networks), clients transparently fall back to HTTP/2 over TCP.

Request and Response Structure

Request

METHOD /path HTTP/1.1
Host: example.com
Header-Name: Header-Value

[Optional body]

Response

HTTP/1.1 200 OK
Header-Name: Header-Value

[Optional body]

HTTP Methods

MethodIdempotentSafeUse
GETYesYesRetrieve resource
HEADYesYesGET without body
POSTNoNoCreate resource, submit data
PUTYesNoReplace resource entirely
PATCHNoNoPartial update
DELETEYesNoRemove resource
OPTIONSYesYesCORS preflight, capabilities
CONNECTNoNoEstablish tunnel (for proxies)
TRACEYesYesLoop-back diagnostic

Idempotent = repeating the request has the same effect. Safe = doesn’t modify server state.

Status Codes

1xx Informational

  • 100 Continue — Proceed with request body
  • 101 Switching Protocols — Protocol upgrade (e.g., WebSocket)

2xx Success

  • 200 OK — Request succeeded
  • 201 Created — Resource created (typically POST/PUT)
  • 204 No Content — Success with no response body

3xx Redirection

  • 301 Moved Permanently — Resource permanently relocated
  • 302 Found — Temporary redirect (may change method)
  • 304 Not Modified — Use cached version
  • 307 Temporary Redirect — Temporary, preserves request method
  • 308 Permanent Redirect — Permanent, preserves request method

4xx Client Errors

  • 400 Bad Request — Malformed request
  • 401 Unauthorized — Authentication required
  • 403 Forbidden — Authenticated but not authorised
  • 404 Not Found — Resource does not exist
  • 405 Method Not Allowed — Method not supported for resource
  • 409 Conflict — Request conflicts with current state
  • 422 Unprocessable Content — Semantic errors in request
  • 429 Too Many Requests — Rate limiting

5xx Server Errors

  • 500 Internal Server Error — Generic server failure
  • 502 Bad Gateway — Invalid response from upstream
  • 503 Service Unavailable — Server temporarily overloaded
  • 504 Gateway Timeout — Upstream server timeout

Headers

Request Headers

  • Host — Target host and port (required in HTTP/1.1+)
  • Accept — Acceptable response media types
  • Accept-Encoding — Acceptable compression (gzip, br, zstd)
  • Authorization — Credentials for authentication (Bearer tokens, Basic auth)
  • Cookie — Send stored cookies
  • User-Agent — Client application identifier
  • If-None-Match / If-Modified-Since — Conditional requests (caching)

Response Headers

  • Content-Type — Media type of the body (e.g., application/json)
  • Content-Length — Size of response body in bytes
  • Content-Disposition — Suggest filename for downloads
  • Set-Cookie — Store cookies on client
  • Location — Redirect target URL
  • Cache-Control — Caching directives
  • ETag — Resource version identifier

Security Headers

  • Strict-Transport-Security (HSTS) — Force HTTPS for all future requests
  • Content-Security-Policy (CSP) — Control which resources can be loaded
  • X-Content-Type-Options: nosniff — Prevent MIME type sniffing
  • X-Frame-Options — Prevent clickjacking (superseded by CSP frame-ancestors)
  • Permissions-Policy — Control browser features (camera, geolocation, etc.)

Compression

  • Accept-Encoding: gzip, br, zstd — Client’s supported compression
  • Content-Encoding: br — Server’s chosen compression

Brotli (br) typically achieves 15-25% better compression than gzip for text. Zstandard (zstd) offers similar ratios with faster decompression. Both are widely supported in modern browsers.

CORS (Cross-Origin Resource Sharing)

See CORS for full details.

Controls which origins can access resources:

  • Access-Control-Allow-Origin — Permitted origins
  • Access-Control-Allow-Methods — Permitted methods
  • Access-Control-Allow-Headers — Permitted headers

Preflight — Browsers send an OPTIONS request before “non-simple” cross-origin requests (custom headers, methods other than GET/HEAD/POST, non-simple content types). The server must respond with appropriate CORS headers.

Cookies and Sessions

HTTP is stateless — cookies provide session persistence.

Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Strict; Path=/

Key attributes:

  • HttpOnly — Inaccessible to JavaScript (XSS protection)
  • Secure — Only sent over HTTPS
  • SameSite — Controls cross-site sending (Strict, Lax, None)
  • Max-Age / Expires — Cookie lifetime
  • Path / Domain — Scope of the cookie

Caching

Caching reduces latency and server load.

Cache-Control Directives

  • public — Cacheable by any cache (CDN, proxy, browser)
  • private — Only browser cache (personalised content)
  • no-cache — Must revalidate with server before use
  • no-store — Never cache (sensitive data)
  • max-age=N — Fresh for N seconds
  • immutable — Never changes (skip revalidation on reload)
  • stale-while-revalidate=N — Serve stale while fetching fresh in background

Validation

  • ETag — Hash-based validation via If-None-Match
  • Last-Modified — Timestamp validation via If-Modified-Since

Both return 304 Not Modified if unchanged, saving bandwidth.

Caching Strategies

  • Cache busting — Version URLs (e.g., app.v123.js) with long max-age + immutable
  • Stale-while-revalidate — Serve stale content immediately while fetching fresh in the background
  • CDN caching — Edge servers for geographic distribution. Use Vary and Cache-Control to control CDN behaviour.

See Also

  • TLS — Transport encryption for HTTPS
  • TCP — Transport protocol for HTTP/1.1 and HTTP/2
  • DNS — Name resolution before HTTP connection
  • Load Balancing — L7 load balancers operate at the HTTP layer
  • REST — RESTful API design over HTTP
  • CORS — Cross-Origin Resource Sharing details

References

Graph View

Backlinks