HTTP (HyperText Transfer Protocol) is the foundation of data exchange on the Web. It is a stateless, application-layer protocol that operates over TCP/IP (or QUIC for HTTP/3), enabling client-server communication through a request-response model.

HTTP versions

HTTP/1.1

The most widely deployed version, standardised in 1997 (RFC 2616, updated in RFC 9112). Key features:

  • Persistent connections (connection reuse via Keep-Alive)
  • Chunked transfer encoding
  • Host header for virtual hosting
  • Pipelining (limited adoption due to head-of-line blocking)

HTTP/2

Binary protocol standardised in 2015 (RFC 9113). Improvements:

  • Multiplexing: multiple requests over a single TCP connection
  • Header compression (HPACK)
  • Server push: proactively send resources to clients
  • Stream prioritisation

HTTP/3

Uses QUIC over UDP instead of TCP (RFC 9114). Benefits:

  • Eliminates TCP head-of-line blocking
  • Faster connection establishment (0-RTT)
  • Built-in encryption (TLS 1.3)
  • Better performance on unreliable networks

Request structure

METHOD /path HTTP/1.1
Host: example.com
Header-Name: Header-Value

[Optional body]

Response structure

HTTP/1.1 200 OK
Header-Name: Header-Value

[Optional body]
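The two message shapes above, worked through in code: the following Python parser is an added example (not code from the original page) that splits start line, header block and body, insists on a Host header for HTTP/1.1 requests, reads the body from Content-Length or by decoding the chunked transfer encoding mentioned under HTTP/1.1, and rejects messages whose framing is ambiguous. The sample messages, the /api/items path and the JSON bodies are constructed for the demo.

```python
# Added example, not from the original page: a strict parser for the HTTP/1.1
# request and response framing shown above. It splits the start line, the
# header block and the body, requires Host on HTTP/1.1 requests, and reads the
# body from Content-Length or by decoding chunked transfer encoding.
from dataclasses import dataclass

CRLF = b"\r\n"
SINGLETON_HEADERS = ("content-length", "transfer-encoding", "host")  # repeats are ambiguous

@dataclass
class HttpMessage:
    start_line: str
    headers: dict   # header names lower-cased
    body: bytes

def _parse_head(raw: bytes):
    head, sep, rest = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete head: blank line missing")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        # A field name ends at the colon with no whitespace in between (RFC 9112).
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        name = name.lower()
        if name in headers:
            if name in SINGLETON_HEADERS:
                raise ValueError(f"duplicate {name} header")
            headers[name] += ", " + value.strip()   # list-valued fields combine
        else:
            headers[name] = value.strip()
    return lines[0].decode("ascii"), headers, rest

def _decode_chunked(data: bytes) -> bytes:
    """Decode 'hex-size CRLF chunk-data CRLF ... 0 CRLF CRLF'; trailers are dropped."""
    out = bytearray()
    pos = 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";", 1)[0].strip(), 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            return bytes(out)
        if data[pos + size:pos + size + 2] != CRLF:
            raise ValueError("chunk truncated or not terminated by CRLF")
        out += data[pos:pos + size]
        pos += size + 2

def _read_body(headers: dict, rest: bytes) -> bytes:
    te, cl = headers.get("transfer-encoding"), headers.get("content-length")
    if te is not None:
        if cl is not None:
            # Two framing mechanisms leave the length ambiguous; RFC 9112 permits rejecting this.
            raise ValueError("both Transfer-Encoding and Content-Length present")
        if te.lower() != "chunked":
            raise ValueError(f"unsupported Transfer-Encoding: {te}")
        return _decode_chunked(rest)
    if cl is not None:
        if not cl.isdigit():
            raise ValueError(f"invalid Content-Length: {cl!r}")
        if len(rest) < int(cl):
            raise ValueError("body shorter than Content-Length")
        return rest[:int(cl)]
    return b""

def parse_request(raw: bytes) -> HttpMessage:
    start, headers, rest = _parse_head(raw)
    method, target, version = start.split(" ")   # exactly three tokens
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return HttpMessage(start, headers, _read_body(headers, rest))

def parse_response(raw: bytes) -> HttpMessage:
    start, headers, rest = _parse_head(raw)
    version, status, *_ = start.split(" ", 2)    # the reason phrase is optional
    if not (version.startswith("HTTP/1.") and len(status) == 3 and status.isdigit()):
        raise ValueError(f"bad status line: {start!r}")
    return HttpMessage(start, headers, _read_body(headers, rest))

# Constructed sample messages, not captured from any real server.
SAMPLE_REQUEST = (
    b"POST /api/items HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\n{\"id\"\r\n"      # chunk 1: 5 bytes
    b"4\r\n: 1}\r\n"         # chunk 2: 4 bytes
    b"0\r\n\r\n"             # last chunk, no trailers
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 21\r\n"
    b"\r\n"
    b'{"id": 1, "ok": true}'
)
```

parse_request(SAMPLE_REQUEST).body yields the reassembled b'{"id": 1}'; a request without Host, or one carrying both Content-Length and Transfer-Encoding, raises ValueError instead of being guessed at.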

HTTP methods

Method   Description                      Safe  Idempotent
GET      Retrieve a resource              Yes   Yes
HEAD     GET without response body        Yes   Yes
POST     Submit data (create resource)    No    No
PUT      Replace entire resource          No    Yes
PATCH    Partial resource modification    No    No
DELETE   Remove a resource                No    Yes
OPTIONS  Describe communication options   Yes   Yes
CONNECT  Establish tunnel (for proxies)   No    No
TRACE    Loop-back test                   Yes   Yes

Safe methods do not modify server state. Idempotent methods leave the server in the same state whether the request is sent once or repeated.

Status codes

1xx Informational

  • 100 Continue - proceed with request body
  • 101 Switching Protocols - protocol upgrade (e.g., WebSocket)

2xx Success

  • 200 OK - request succeeded
  • 201 Created - resource created (typically POST/PUT)
  • 204 No Content - success with no response body

3xx Redirection

  • 301 Moved Permanently - resource permanently relocated
  • 302 Found - temporary redirect
  • 304 Not Modified - use cached version
  • 307 Temporary Redirect - preserve request method
  • 308 Permanent Redirect - preserve request method

4xx Client errors

  • 400 Bad Request - malformed request
  • 401 Unauthorized - authentication required
  • 403 Forbidden - authenticated but not authorised
  • 404 Not Found - resource does not exist
  • 405 Method Not Allowed - method not supported for resource
  • 409 Conflict - request conflicts with current state
  • 422 Unprocessable Content - semantic errors in request
  • 429 Too Many Requests - rate limiting

5xx Server errors

  • 500 Internal Server Error - generic server failure
  • 502 Bad Gateway - invalid response from upstream
  • 503 Service Unavailable - server temporarily overloaded
  • 504 Gateway Timeout - upstream server timeout

Important headers

Request headers

  • Accept - acceptable response media types
  • Accept-Encoding - acceptable compression (gzip, br, deflate)
  • Authorization - credentials for authentication
  • Cookie - send stored cookies
  • Host - target host and port (required in HTTP/1.1+)
  • User-Agent - client application identifier
  • If-None-Match / If-Modified-Since - conditional requests

Response headers

  • Content-Type - media type of the body (e.g., application/json)
  • Content-Length - size of response body in bytes
  • Content-Disposition - suggest filename for downloads
  • Set-Cookie - store cookies on client
  • Location - redirect target URL
  • Cache-Control - caching directives
  • ETag - resource version identifier

Security headers

  • Strict-Transport-Security (HSTS) - enforce HTTPS
  • Content-Security-Policy - control resource loading
  • X-Frame-Options - prevent clickjacking
  • X-Content-Type-Options - prevent MIME sniffing

HTTPS and TLS

HTTPS is HTTP over TLS (Transport Layer Security), providing:

  • Encryption: data cannot be read in transit
  • Authentication: server identity verified via certificates
  • Integrity: data cannot be tampered with

TLS 1.3 is the current standard, offering faster handshakes and improved security over TLS 1.2.

Cookies and sessions

HTTP is stateless; cookies provide session persistence:

Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Strict; Path=/

Key attributes:

  • HttpOnly - inaccessible to JavaScript (XSS protection)
  • Secure - only sent over HTTPS
  • SameSite - controls cross-site sending (Strict, Lax, None)
  • Max-Age / Expires - cookie lifetime
  • Path / Domain - scope of the cookie
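The security headers and cookie attributes above make a compact audit checklist. The Python below is an added example (not from the original page) that walks a response's headers, given as (name, value) pairs because Set-Cookie may repeat, and reports which of those protections are missing or weakened. The WEAK and HARDENED header sets are constructed samples; the one-year HSTS threshold and the CSP frame-ancestors check reflect common guidance rather than anything stated on this page.

```python
# Added example, not from the original page: a defender-side audit of the
# security headers and Set-Cookie attributes listed above. Returns a list of
# findings; an empty list means every check passed.
ONE_YEAR = 31536000  # commonly recommended minimum HSTS max-age (assumption, not from the page)

def parse_set_cookie(value: str) -> tuple[str, str, dict]:
    """Split 'name=val; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        attrs[key.lower()] = attr_val
    return name, val, attrs

def audit_cookie(set_cookie: str) -> list[str]:
    name, _, attrs = parse_set_cookie(set_cookie)
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: no HttpOnly, readable by page scripts")
    if "secure" not in attrs:
        findings.append(f"cookie {name}: no Secure, may be sent over plain HTTP")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax"):
        if samesite == "none":
            findings.append(f"cookie {name}: SameSite=None allows cross-site sending")
        else:
            findings.append(f"cookie {name}: no explicit SameSite attribute")
    return findings

def _hsts_max_age(value: str) -> int:
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0

def audit_headers(headers: list[tuple[str, str]]) -> list[str]:
    h: dict[str, list[str]] = {}
    for name, value in headers:
        h.setdefault(name.lower(), []).append(value)
    findings = []

    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif _hsts_max_age(hsts[0]) < ONE_YEAR:
        findings.append("HSTS max-age shorter than the commonly recommended one year")

    csp = h.get("content-security-policy")
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        for directive in csp[0].split(";"):
            tokens = directive.split()
            if tokens and tokens[0] in ("default-src", "script-src"):
                loose = {"'unsafe-inline'", "*"} & set(tokens[1:])
                if loose:
                    findings.append(f"CSP {tokens[0]} permits {', '.join(sorted(loose))}")

    # CSP frame-ancestors also controls framing; X-Frame-Options is the older header.
    if "x-frame-options" not in h and not any("frame-ancestors" in v for v in (csp or [])):
        findings.append("no X-Frame-Options or CSP frame-ancestors: clickjacking possible")

    if h.get("x-content-type-options", [""])[0].strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    for cookie in h.get("set-cookie", []):
        findings.extend(audit_cookie(cookie))
    return findings

# Constructed sample responses, not from any real server.
WEAK = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "sessionId=abc123; Path=/"),
]
HARDENED = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "sessionId=abc123; HttpOnly; Secure; SameSite=Strict; Path=/"),
]
```

audit_headers(WEAK) returns six findings (no HSTS, no CSP, no nosniff, and three for the cookie), while audit_headers(HARDENED) returns an empty list; the same function can be pointed at headers captured from a staging deployment to catch regressions.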

Caching

Caching reduces latency and server load. Key directives:

Cache-Control

  • public - cacheable by any cache
  • private - only browser cache (personalised content)
  • no-cache - must revalidate before use
  • no-store - never cache
  • max-age=N - fresh for N seconds
  • immutable - never changes (skip revalidation on reload)

Validation

  • ETag: hash-based validation (If-None-Match)
  • Last-Modified: timestamp validation (If-Modified-Since)

Both return 304 Not Modified if unchanged.

Caching strategies

  • Cache busting: version URLs (e.g., app.v123.js) with long max-age
  • Stale-while-revalidate: serve stale content while fetching fresh
  • CDN caching: edge servers for geographic distribution
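The validation and Cache-Control behaviour described in this section, together with stale-while-revalidate from the strategies list, carried through in code. This is an added example, not from the original page: serve() is a toy origin that attaches an ETag and answers a matching If-None-Match with 304 Not Modified, and cache_decision() is the cache-side logic that applies the directives to a stored response of a given age. The asset body, its hypothetical v123 version and the directive strings are constructed samples.

```python
# Added example, not from the original page: ETag validation on the origin side
# and Cache-Control directive handling on the cache side.
import hashlib

def make_etag(body: bytes) -> str:
    """Strong validator derived from the representation bytes (quoted, per RFC 9110)."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'

def serve(body: bytes, request_headers: dict, cache_control: str):
    """Return (status, response headers, body) for a GET of a static resource."""
    etag = make_etag(body)
    headers = {"ETag": etag, "Cache-Control": cache_control}
    if_none_match = request_headers.get("If-None-Match")
    if if_none_match is not None:
        # Weak comparison: a W/ prefix on the client's copy is ignored.
        offered = {t.strip().removeprefix("W/") for t in if_none_match.split(",")}
        if "*" in offered or etag in offered:
            return 304, headers, b""    # the client's cached copy is still valid
    headers["Content-Length"] = str(len(body))
    return 200, headers, body

def parse_cache_control(value: str) -> dict:
    directives = {}
    for directive in value.split(","):
        key, _, val = directive.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip().strip('"')
    return directives

def _seconds(directives: dict, name: str) -> int:
    val = directives.get(name, "")
    return int(val) if val.isdigit() else 0

def cache_decision(cache_control: str, age_seconds: int, shared_cache: bool) -> str:
    """What a cache may do with a stored response carrying these directives."""
    cc = parse_cache_control(cache_control)
    if "no-store" in cc:
        return "do-not-store"
    if shared_cache and "private" in cc:
        return "do-not-store"           # personalised: only the user's browser may keep it
    if "no-cache" in cc:
        return "revalidate"             # storable, but every use needs a 304 first
    max_age = _seconds(cc, "max-age")
    if age_seconds < max_age:
        return "fresh"
    if age_seconds < max_age + _seconds(cc, "stale-while-revalidate"):
        return "serve-stale-and-revalidate"
    return "revalidate"

# Constructed sample: a versioned asset (cache busting) with a long lifetime.
ASSET_BODY = b"console.log('app v123');\n"
ASSET_CACHE_CONTROL = "public, max-age=31536000, immutable"

def demo() -> tuple[int, int]:
    """First fetch is a 200; a conditional refetch carrying the ETag is a 304."""
    status1, headers1, _ = serve(ASSET_BODY, {}, ASSET_CACHE_CONTROL)
    status2, _, _ = serve(ASSET_BODY, {"If-None-Match": headers1["ETag"]}, ASSET_CACHE_CONTROL)
    return status1, status2
```

demo() returns (200, 304). Note how private content is refused by a shared cache but kept fresh by the browser, and how a response past max-age but inside its stale-while-revalidate window is served stale while a background revalidation runs.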

External resources