Skip to content
Fundamentals
HTTP Protocol Guide
HTTP Protocol — Complete Web Communication Reference

HTTP Protocol — Complete Web Communication Reference

DodaTech Updated Jun 6, 2026 7 min read

HTTP (Hypertext Transfer Protocol) is the foundation of data communication on the web — a request-response protocol that defines how HTML pages, JSON data, files, and images travel between browsers and servers.

What You’ll Learn

How HTTP requests and responses are structured, understand every HTTP method and status code, master request and response headers, implement caching strategies, differentiate HTTP vs HTTPS, and leverage HTTP/2 multiplexing.

Why HTTP Matters

Every AJAX call, every page load, every API request — it all runs on HTTP. Understanding HTTP is essential for debugging network issues, optimizing page speed, building secure applications, and working with REST APIs. DodaTech’s Durga Antivirus Pro inspects HTTP traffic to detect malicious payloads and man-in-the-middle attacks, using deep knowledge of HTTP headers and request patterns.

    graph LR
  A[Internet Basics] --> B[Request/Response Model]
  B --> C[Methods & Status Codes]
  C --> D[Headers & Caching]
  D --> E[Cookies & Sessions]
  E --> F[HTTPS & HTTP/2]
  style B fill:#4f46e5,color:#fff
Prerequisites: Basic understanding of the web and HTML. No programming experience required — this is a conceptual protocol guide.

Core Concepts Explained

Think of HTTP like sending a letter. The request is your letter asking for something. The response is the reply you get back. Both follow strict formats so that computers on either end understand each other perfectly. The “S” in HTTPS is like sealing the letter in a tamper-proof envelope.

HTTP Methods

MethodDescriptionIdempotentSafeCacheable
GETRetrieve a resourceYesYesYes
HEADGet headers only (no body)YesYesYes
POSTCreate a new resourceNoNoNo
PUTReplace an entire resourceYesNoNo
PATCHPartially update a resourceNoNoNo
DELETERemove a resourceYesNoNo
OPTIONSCheck which methods are allowedYesYesNo

Idempotent means sending the same request multiple times produces the same result (no side effects beyond the first). Safe means the request doesn’t change anything on the server — it’s read-only.

  • GET → Browsing a product page (read-only)
  • POST → Submitting a signup form (creates data)
  • PUT → Updating your entire profile (replaces)
  • PATCH → Changing just your email (partial update)
  • DELETE → Deleting an account (removes)
  • OPTIONS → Browser uses this for CORS preflight checks

Status Codes

CodeCategoryMeaningExample
1xxInformationalRequest received, processing101 Switching Protocols (WebSocket upgrade)
2xxSuccessRequest understood and accepted200 OK, 201 Created, 204 No Content
3xxRedirectionFurther action needed301 Moved Permanently, 304 Not Modified
4xxClient ErrorProblem with the request400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found
5xxServer ErrorServer failed to fulfill500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable

You’ll encounter these daily:

  • 200 OK — Everything worked
  • 201 Created — POST success (new resource created)
  • 301 Moved Permanently — URL has changed permanently (SEO impact!)
  • 304 Not Modified — Use cached version (performance optimization)
  • 400 Bad Request — You sent invalid data (fix your input)
  • 401 Unauthorized — You need to log in
  • 403 Forbidden — You’re logged in but not allowed
  • 404 Not Found — The URL doesn’t exist
  • 500 Internal Server Error — Something broke on the server (not your fault)
  • 503 Service Unavailable — Server is overloaded or down

Request Headers 

Accept: application/json
Authorization: Bearer <token>
Content-Type: application/json
Cookie: session=abc123
User-Agent: Mozilla/5.0
Origin: https://example.com
  • Accept — what format you want the response in (JSON, XML, HTML)
  • Authorization — credentials for protected resources (Bearer tokens, Basic auth)
  • Content-Type — what format the request body is in (sent with POST/PUT)
  • Cookie — session identifier stored by the browser
  • User-Agent — identifies your browser and OS
  • Origin — where the request came from (used for CORS)

Response Headers 

Content-Type: text/html; charset=utf-8
Cache-Control: max-age=3600, public
Set-Cookie: session=abc123; HttpOnly; Secure
Access-Control-Allow-Origin: *
X-Frame-Options: DENY
  • Content-Type — what format the response body is in
  • Cache-Control — how the browser should cache this response
  • Set-Cookie — tells the browser to store a cookie
  • Access-Control-Allow-Origin — which domains can access this via CORS
  • X-Frame-Options — prevents clickjacking by blocking iframe embedding

Caching Directives 

Cache-Control: no-cache              # Never use cached copy without revalidation
Cache-Control: no-store              # Don't cache at all (sensitive data)
Cache-Control: max-age=3600          # Cache for 1 hour (in seconds)
Cache-Control: public                # Cacheable by any cache (CDN, proxy, browser)
Cache-Control: private               # Cacheable only by browser (not CDN)
ETag: "33a64df5"                     # Version identifier for revalidation
Last-Modified: Wed, 21 Oct 2024     # Timestamp for revalidation

HTTPS vs HTTP

FeatureHTTPHTTPS
EncryptionNone (plain text)TLS/SSL (encrypted)
Port80443
CertificateNot neededRequired from a Certificate Authority
SEO rankingLowerHigher (Google ranking factor)
Data integrityNo (can be modified)Yes (tamper-proof)
Trust indicatorNonePadlock in address bar

HTTP/2 Features

  • Multiplexing: Multiple requests share one TCP connection (no more 6-connection limit)
  • Server push: Server sends resources before the browser requests them
  • Header compression (HPACK): Reduces overhead by compressing headers
  • Binary protocol: Machine-readable format (vs HTTP/1.1’s text protocol)
  • Stream prioritization: Critical resources load first

Common Mistakes

  1. Confusing GET and POST: GET is for retrieving data (visible in URL, cached). POST is for creating data (not cached, not visible in URL)
  2. Ignoring 304 responses: When a server returns 304, the browser uses its cached version — don’t treat this as an error
  3. Not understanding CORS: “No ‘Access-Control-Allow-Origin’ header” errors are the most common frontend issue — they’re server configuration problems, not client bugs
  4. Overlooking Cache-Control headers: Without proper caching headers, every page load fetches everything fresh, wasting bandwidth and slowing performance
  5. Using HTTP for sensitive data: Forms, logins, and API keys must never travel over plain HTTP — always enforce HTTPS
  6. Forgetting about 301 redirect permanence: Browsers cache 301 redirects aggressively — if you set one incorrectly, users and search engines may be stuck with it

Practice Questions

Q1: What is the difference between 401 Unauthorized and 403 Forbidden? A1: 401 means you’re not authenticated (logged in). 403 means you’re authenticated but don’t have permission to access the resource.

Q2: Why is PUT considered idempotent but POST is not? A2: Sending the same PUT request multiple times replaces the resource with the same data — result is identical. Sending the same POST request creates multiple copies of the resource.

Q3: What problem does HTTP/2 multiplexing solve? A3: HTTP/1.1 limits concurrent connections per domain (typically 6). Multiplexing allows many requests simultaneously over one TCP connection, eliminating head-of-line blocking.

Challenge: Use your browser’s Developer Tools (Network tab) to inspect HTTP traffic. Identify the method, status code, request headers, and response headers for a page load. Then find a resource returned with 304 and explain why the browser used the cache.

FAQ

What happens when you type a URL into a browser?
The browser performs DNS lookup (domain → IP), establishes a TCP connection, sends an HTTP GET request, receives the HTML response, parses it, and fetches additional resources (CSS, JS, images) with more HTTP requests.
What is the difference between HTTP/1.1 and HTTP/2?
HTTP/2 is binary (faster parsing), supports multiplexing (multiple requests over one connection), header compression, and server push. HTTP/1.1 is text-based with sequential request handling.
What is HTTPS and do I need it?
HTTPS encrypts all data between browser and server using TLS. Yes, every website needs HTTPS — it’s required for modern web features, SEO ranking, and user trust. Use Let’s Encrypt for free certificates.
What is CORS in simple terms?
CORS is a browser security feature that prevents websites from one domain (e.g., evil.com) from reading data from another domain (e.g., yourbank.com) unless that other domain explicitly allows it via headers.

Try It Yourself

▶ Try It Yourself Edit the code and click Run

What’s Next

TopicDescription
AJAXUse HTTP requests programmatically with JavaScript
REST APIDesign web APIs following HTTP best practices
JSONThe most common data format sent over HTTP

HTTPS and OAuth build on HTTP for secure communication. Explore WebSocket for real-time, bidirectional communication beyond HTTP’s request-response model.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro

Home Browse HTTP Protocol Guide