HTTP Protocol Deep Dive — Methods, Headers, Status Codes & Caching

The Hypertext Transfer Protocol (HTTP) is the foundation of data communication on the World Wide Web — defining how messages are formatted, transmitted, and responded to between clients and servers.

What You’ll Learn

In this tutorial, you’ll learn HTTP methods, headers, status codes, caching mechanisms (ETag, Cache-Control), cookies, and the differences between HTTP/1.1, HTTP/2, and HTTP/3 with Python examples.

Why It Matters

HTTP is the protocol your browser, REST API clients, and almost every networked application uses. Understanding it helps you debug network issues, optimize performance, and build better web applications.

Real-World Use

When Doda Browser loads a page, it sends HTTP GET requests, processes response headers (Content-Type, Cache-Control), handles redirects (301/302), and manages cookies. Without understanding HTTP, you can’t diagnose why a page loads slowly or why an API returns errors.

sequenceDiagram
  participant Client
  participant Server
  participant Cache
  Client->>Server: GET /page
  Server->>Client: 200 OK + ETag: "abc123"
  Client->>Cache: Store /page (ETag: abc123)
  Client->>Server: GET /page (If-None-Match: abc123)
  Server->>Client: 304 Not Modified
  Client->>Cache: Serve from cache

HTTP Methods

HTTP Status Codes

1xx — Informational

• 100 Continue: Server received headers, client can send body
• 101 Switching Protocols: Upgrading to WebSocket

2xx — Success

• 200 OK: Standard success response
• 201 Created: Resource was created (usually after POST)
• 204 No Content: Success, no response body (DELETE often returns this)

3xx — Redirection

• 301 Moved Permanently: Resource has a new permanent URL
• 302 Found: Temporary redirect
• 304 Not Modified: Cached version is still valid (conditional GET)
• 307 Temporary Redirect: Like 302 but preserves HTTP method

4xx — Client Error

• 400 Bad Request: Malformed request syntax
• 401 Unauthorized: Authentication required
• 403 Forbidden: Authenticated but not authorized
• 404 Not Found: Resource doesn’t exist
• 405 Method Not Allowed: Wrong HTTP method
• 409 Conflict: Resource state conflict (e.g., duplicate)
• 429 Too Many Requests: Rate limit exceeded

5xx — Server Error

• 500 Internal Server Error: Generic server failure
• 502 Bad Gateway: Upstream server returned invalid response
• 503 Service Unavailable: Server overloaded or down
• 504 Gateway Timeout: Upstream server timed out

HTTP Headers

Request Headers

GET /api/users HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGciOi...
Accept: application/json
Accept-Encoding: gzip, deflate, br
Cache-Control: max-age=0
If-None-Match: "abc123"
Cookie: session_id=xyz789
User-Agent: DodaBrowser/1.0

Response Headers

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 342
Cache-Control: public, max-age=3600
ETag: "abc123"
Set-Cookie: session_id=xyz789; HttpOnly; Secure; SameSite=Strict
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000

Caching

HTTP caching reduces server load and speeds up page loads.

ETag

An ETag is a unique identifier (usually a hash) for a resource version. The client sends If-None-Match: <etag> in subsequent requests. If the resource hasn’t changed, the server returns 304 Not Modified.

Cache-Control

HTTP/2 vs HTTP/3

Sending HTTP Requests with Python

import requests

# GET request
response = requests.get("https://api.github.com/users/octocat")
print(f"Status: {response.status_code}")
print(f"Headers: {dict(response.headers)[:5]}")

# POST request
new_user = {"name": "Alice", "email": "alice@example.com"}
response = requests.post(
    "https://jsonplaceholder.typicode.com/users",
    json=new_user,
    headers={"Authorization": "Bearer token123"}
)
print(f"Created: {response.status_code} - {response.json()['id']}")

# Check caching headers
response = requests.get("https://example.com")
print(f"Cache-Control: {response.headers.get('Cache-Control')}")
print(f"ETag: {response.headers.get('ETag')}")

# Conditional request with ETag
etag = response.headers.get("ETag")
if etag:
    response = requests.get(
        "https://example.com",
        headers={"If-None-Match": etag}
    )
    print(f"Conditional status: {response.status_code}")

Expected output:

Status: 200
Headers: {'Server': 'GitHub.com', ...}
Created: 201 - 11
Cache-Control: public, max-age=3600
ETag: "abc123"
Conditional status: 304

Common Mistakes

1. Confusing PUT and PATCH: PUT replaces the entire resource. PATCH applies partial updates. Using PUT for partial updates can delete fields you didn’t include.
2. Ignoring HTTPS: HTTP sends data in plaintext. Always use HTTPS in production — HTTP/2 requires it anyway.
3. Caching sensitive data: Never cache responses with Cache-Control: public for authenticated content. Use private or no-store.
4. Not handling redirects: requests follows redirects by default, but urllib doesn’t. Always check for 3xx responses.
5. Forgetting CORS: Browsers enforce the same-origin policy. Your API needs Access-Control-Allow-Origin headers for cross-origin requests.

Practice Questions

1. What is the difference between 301 and 302 redirects? 301 is permanent (browsers cache the redirect, search engines update URLs). 302 is temporary (next request goes to the original URL).

2. How does ETag-based caching work? The server sends an ETag (resource hash). The client sends If-None-Match with that hash. If unchanged, server returns 304 (no body).

3. What problem does HTTP/2 multiplexing solve? HTTP/1.1 limits to 6 concurrent connections. Multiplexing allows many streams in one TCP connection, reducing latency.

4. Why does HTTP/3 use QUIC instead of TCP? QUIC eliminates TCP head-of-line blocking, reduces handshake latency (0-RTT), and handles connection migration better.

5. What is a 429 Too Many Requests response? The server is rate-limiting the client. The response should include a Retry-After header.

Challenge

Build an HTTP client that handles redirects, conditional requests with ETags, and exponential backoff for 429 responses. Test it against a public API.

Real-World Task

Open your browser’s DevTools → Network tab. Load a page and examine the request/response headers for each resource. Find examples of caching headers, cookies, and status codes.

Mini Project: HTTP Debugger

Write a Python proxy server that logs all HTTP requests and responses passing through it. Display methods, URLs, status codes, and response times.

Security angle: HTTP request inspection is fundamental to web security. Tools like Durga Antivirus Pro intercept and analyze HTTP traffic to detect malicious requests and block malware downloads.

What’s Next

Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro.

What’s Next

Congratulations on completing this HTTP Deep Dive tutorial! Here’s where to go from here:

• Practice daily — Consistency is more important than long study sessions
• Build a project — Apply what you learned by building something real
• Explore related topics — Check out other tutorials in the same category
• Join the community — Discuss with other learners and share your progress

Remember: every expert was once a beginner. Keep coding!