Web & Network | 8 min read | Last updated: Fri Feb 02 2024

HTTP and HTTPS Explained

HTTP stands for HyperText Transfer Protocol. It is the basic “language” a browser and a web server use to communicate.

A useful mental model is: HTTP is a polite request letter, and the server sends back a reply letter.
One request → one response.


The Big Idea: Request → Response

When you open a page like /about, your browser sends a request that looks roughly like this:

GET /about HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0...
Accept: text/html

Let’s translate it:

  • GET means: “I want to retrieve something.”
  • /about is the path on the server.
  • Host tells the server which site you meant (important when many sites share one server).
  • User-Agent says what kind of browser/device you are (often used for analytics or compatibility).
  • Accept indicates which formats your browser can handle.

Visual map (simple)

[Diagram: Browser → HTTP Request → Web Server; Web Server → HTTP Response → Browser]

The Response

The server replies with something like:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 5234

<html> ... </html>

Important parts:

  • 200 OK is the status code (more on this below).
  • Content-Type tells the browser what it is receiving.
  • Then comes the body (HTML, JSON, an image, etc.).

Common Content-Types

  • HTML page: text/html
  • JSON API: application/json
  • PNG image: image/png
  • CSS file: text/css

The 4 Most Important HTTP Methods

Most sites use only a few methods regularly:

  1. GET – “Give me the resource” (read-only)
  2. POST – “Create something / submit data” (forms, comments, login)
  3. PUT – “Replace a resource entirely” (common in APIs)
  4. DELETE – “Remove a resource” (common in APIs)

Example: a contact form usually does:

  • GET /contact to show the form
  • POST /api/contact to submit the message

Status Codes: The Server’s Mood

Status codes are grouped by the first digit:

  • 2xx = Success
  • 3xx = Redirect
  • 4xx = Client error (your request was wrong or not allowed)
  • 5xx = Server error (server failed)

The “Big Five” you see everywhere

  • 200 OK – Everything good
  • 301 Moved Permanently – Redirect (often HTTP → HTTPS)
  • 404 Not Found – Page doesn’t exist
  • 403 Forbidden – Exists, but you can’t access it
  • 500 Internal Server Error – Server crashed or misconfigured
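
As an added example (not code from the original article), the Python sketch below parses raw messages in the request and response formats shown above, classifies the status code by its first digit, and checks whether a redirect such as a 301 points at HTTPS. The sample messages, the function names and the use of the Location header are assumptions made for the illustration.

```python
# Added example. Every message below is constructed sample data.
REQUEST = (b"GET /about HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Accept: text/html\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
            b"Content-Length: 18\r\n\r\n<html>hello</html>")
REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Location: https://www.example.com/about\r\nContent-Length: 0\r\n\r\n")

STATUS_CLASSES = {"2": "success", "3": "redirect",
                  "4": "client error", "5": "server error"}

def split_message(raw):
    """Split raw bytes into (start line, header dict, body bytes)."""
    head, blank, body = raw.partition(b"\r\n\r\n")
    if not blank:
        raise ValueError("missing blank line after headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        # Names are case-insensitive; a repeated name keeps only the last value here.
        headers[name.lower()] = value.strip()
    return lines[0], headers, body

def parse_request(raw):
    start, headers, body = split_message(raw)
    method, path, version = start.split(" ")
    if "host" not in headers:
        raise ValueError("HTTP/1.1 request without a Host header")
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}

def parse_response(raw):
    start, headers, body = split_message(raw)
    parts = start.split(" ", 2)          # the reason phrase may contain spaces
    if len(parts) < 2 or not parts[1].isdigit() or len(parts[1]) != 3:
        raise ValueError(f"malformed status line: {start!r}")
    declared = headers.get("content-length")
    return {"status": int(parts[1]),
            "class": STATUS_CLASSES.get(parts[1][0], "other"),
            "headers": headers, "body": body,
            # A mismatch means a truncated or padded body.
            "length_ok": declared is None
                         or (declared.isdigit() and int(declared) == len(body))}

def upgrades_to_https(response):
    """True for a redirect whose Location header points at an https:// URL."""
    location = response["headers"].get("location", "")
    return response["class"] == "redirect" and location.lower().startswith("https://")
```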

Headers: Hidden Metadata

Headers are “extra information” about the request or response.

Useful request headers

  • Accept-Language: which language you prefer
  • Cookie: your session / login state
  • Authorization: API tokens (bearer tokens)

Useful response headers

  • Cache-Control: whether and for how long the response may be cached
  • Set-Cookie: sets a cookie (for example, the session cookie)
  • Content-Encoding: compression applied to the body, such as gzip or br

HTTP is Stateless (and that’s why cookies exist)

HTTP does not “remember” you between requests.

If you load a page, then click another page, the server sees a new request.
To “remember” sessions (logins), sites use:

  • Cookies (most common)
  • Tokens (common for APIs)
  • Server-side sessions keyed by cookie

That’s why you might see:

  • “You are logged in” (cookie/session found)
  • “Please log in” (cookie missing/expired)

HTTPS: HTTP + Encryption (TLS)

HTTPS is just HTTP traveling inside an encrypted tunnel called TLS.

What HTTPS protects:

  • Keeps others from reading your traffic on public Wi-Fi
  • Prevents simple “man-in-the-middle” tampering
  • Confirms you’re talking to the real site (certificate validation)

What HTTPS does not guarantee:

  • The website is honest or safe
  • The content is malware-free
    (It only means the connection is encrypted and the site's certificate was validated.)

HTTPS in one picture

[Diagram: Browser ↔ Web Server, connected by a TLS encrypted tunnel with the HTTP messages inside]

Practical Tips (the stuff you’ll actually use)

1) Use HTTPS everywhere

Even simple docs sites should be HTTPS (CapRover + Let’s Encrypt makes this easy).

2) Know when caching matters

For static pages, caching makes your site faster and cheaper.

3) Learn status codes first

If you understand 200 / 301 / 404 / 500, you can debug most web problems quickly.


Quick FAQ

Is HTTP only for web pages?
No. HTTP is used for APIs, mobile apps, microservices—anything that sends structured requests and responses.

Why does the browser make so many requests?
One HTML page often references CSS, JS, fonts, images… each is a separate request.

If I have HTTPS, am I safe from hacking?
You’re safe from eavesdropping on the connection. You still need secure code, good passwords, and patched servers.


Mini checklist

  • ✅ Request = method + path + headers
  • ✅ Response = status code + headers + body
  • ✅ Status codes tell you what went wrong
  • ✅ HTTPS = HTTP + TLS encryption