HyperText Transfer Protocol (HTTP)

HTTP (HyperText Transfer Protocol) is the foundation of data exchange on the web. Every web page, API call, image, stylesheet, and script reaches its destination through HTTP. Clients send requests to servers, servers return responses, and intermediaries like proxies and CDNs relay messages between them.

HTTP is part of the internet protocol suite alongside DNS, TLS, and TCP.

This page was delivered over HTTP

Every web page, including this one, reaches the browser through an HTTP request and response.

How HTTP works

HTTP follows a request-response model. A client sends a request specifying an HTTP method (the action), a URL (the resource), and headers (metadata). The server processes the request and returns a response with a status code (the outcome), headers, and an optional body containing the resource data.

GET /api/products HTTP/1.1
Host: www.example.re
Accept: application/json

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 512

{"products":[...]}

HTTP is stateless by design: each request is self-contained and independent. Cookies and tokens maintain state across exchanges when needed.

HTTP versions

The original HTTP specification dates to the early 1990s with a single-line protocol supporting only GET requests. Each subsequent version addressed the performance and security limitations of its predecessor.

  • HTTP/1.0: added HTTP headers, status codes, and content types beyond HTML. Each request opened a new TCP connection.
  • HTTP/1.1: made persistent HTTP connections the default, allowing multiple request-response exchanges over a single TCP connection.
  • HTTP/2: introduced binary framing, multiplexing, and header compression. Multiple HTTP requests and HTTP responses flow concurrently over one connection.
  • HTTP/3: replaced TCP with QUIC, a UDP-based transport that has built-in encryption and eliminates head-of-line blocking.

Core components

HTTP relies on three core building blocks working together in every exchange:

Security

Plain HTTP transmits data in cleartext. HTTPS layers HTTP over TLS, encrypting the exchange and providing confidentiality, integrity, and server authentication. HSTS enforces HTTPS for all future connections to a host. Modern browsers mark plain HTTP pages as insecure and restrict sensitive APIs to secure contexts.

To coordinate between clients, servers, and intermediaries, HTTP relies on:

  • CORS: controls which origins are permitted to read responses from a different origin. Servers declare allowed origins, methods, and headers through response headers.
  • Content Security Policy (CSP): restricts the sources a page loads scripts, styles, images, and other resources from. A strong CSP blocks cross-site scripting and data injection attacks.
  • Session cookies: the Secure, HttpOnly, and SameSite attributes on cookies prevent interception, script access, and cross-site request forgery.
  • Authentication: HTTP defines challenge-response authentication through WWW-Authenticate and Authorization headers. Token-based schemes like Bearer tokens and API keys build on this foundation.
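
As an added example (not part of the original page), the following Python audits a raw response for the controls listed above: HSTS, CSP, CORS, and the cookie attributes. The sample response, the finding strings, and the one-year HSTS threshold are assumptions made for illustration.

```python
from email.parser import Parser

MIN_HSTS_AGE = 31536000  # assumed policy threshold (one year), not from the page

# Constructed sample response, not captured from a real server.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Access-Control-Allow-Origin: *\r\n"
    "Access-Control-Allow-Credentials: true\r\n"
    "Set-Cookie: sid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Secure; SameSite=Lax\r\n"
    "\r\n<html></html>"
)

def audit_response(raw):
    """Return a list of findings for the HSTS, CSP, CORS and cookie controls."""
    header_block = raw.split("\r\n\r\n", 1)[0].partition("\r\n")[2]  # drop status line
    headers = Parser().parsestr(header_block, headersonly=True)  # case-insensitive lookup
    findings = []

    # HSTS: header must be present and carry a sufficiently long max-age.
    directives = [d.strip().lower() for d in headers.get("Strict-Transport-Security", "").split(";")]
    age = next((d[8:].strip('"') for d in directives if d.startswith("max-age=")), None)
    if age is None:
        findings.append("hsts: missing")
    elif not age.isdigit() or int(age) < MIN_HSTS_AGE:
        findings.append("hsts: max-age below threshold")

    # CSP: must be present; 'unsafe-inline' removes most of its XSS protection.
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        findings.append("csp: missing")
    elif "'unsafe-inline'" in csp:
        findings.append("csp: allows 'unsafe-inline'")

    # CORS: a wildcard origin combined with credentials is a misconfiguration.
    if (headers.get("Access-Control-Allow-Origin", "").strip() == "*"
            and headers.get("Access-Control-Allow-Credentials", "").strip().lower() == "true"):
        findings.append("cors: wildcard origin with credentials")

    # Cookies: every Set-Cookie should carry Secure, HttpOnly and SameSite.
    for cookie in headers.get_all("Set-Cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings.extend(f"cookie {name}: missing {a}" for a in ("secure", "httponly", "samesite") if a not in attrs)
    return findings
```

Calling audit_response(SAMPLE) returns one finding per weak or missing control, and an empty list means every check passed.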

Takeaway

HTTP defines how clients and servers exchange resources across the web. Its request-response model, extensible header system, and layered security mechanisms make every web interaction possible. Understanding HTTP internals is essential for building performant, secure, and crawlable websites.

Last updated: March 6, 2026