Networking · HTTP & HTTPS

HTTP & HTTPS

The protocol of the web: methods, status codes, headers, three protocol generations — and what TLS actually protects.

Networking Basics → Interview
01

HTTP is Just Text (Conceptually)

HTTP is a request/response protocol: the client sends a method + path + headers (+ optional body); the server answers with a status code + headers + body. HTTP/1.1 literally looks like this on the wire:

HTTP/1.1 — raw exchange
GET /api/users/42 HTTP/1.1
Host: api.example.com
Accept: application/json
Authorization: Bearer eyJhbGci...

— response —
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: max-age=60

{"id": 42, "name": "Ada"}

HTTP is stateless — each request stands alone. State (login sessions, carts) is layered on with cookies or tokens.

02

Methods & Status Codes

MethodMeaningSafe?Idempotent?
GETRead a resource
POSTCreate / trigger action
PUTReplace entirely
PATCHModify partially
DELETERemove
ClassMeaningOnes interviewers ask
2xxSuccess200 OK, 201 Created, 204 No Content
3xxRedirect301 permanent, 302 temporary, 304 Not Modified
4xxClient error400, 401 unauthenticated, 403 forbidden, 404, 429 rate-limited
5xxServer error500, 502 bad gateway, 503 unavailable, 504 gateway timeout
Idempotent = same effect whether run once or five times. It decides what a proxy or client may safely retry — PUT and DELETE yes, POST no.
03

1.1 → 2 → 3: What Actually Changed

VersionTransportBig ideaWeakness fixed
HTTP/1.1TCPKeep-alive, pipeliningOne request at a time per connection → browsers open 6
HTTP/2TCP + TLSMultiplexing: many streams, one connection; header compression1.1’s connection hunger — but TCP loss still stalls all streams
HTTP/3QUIC (UDP)Streams retransmit independently; 0-RTT resumptionTCP head-of-line blocking

Each generation attacks the previous one’s bottleneck. Know the arc — more requests per connection, fewer round-trips, less blocking — and you can derive the details.

04

HTTPS — What TLS Adds

HTTPS is HTTP inside a TLS tunnel. TLS gives three guarantees: confidentiality (eavesdroppers see noise), integrity (tampering is detected), and authentication (the certificate proves you reached the real example.com, vouched for by a CA your OS trusts).

Client Server ClientHello + key share ServerHello + key share + certificate 🔒 encrypted HTTP from here TLS 1.3 = 1 round-trip (TLS 1.2 needed 2)
TLS encrypts the path and headers too — an observer sees only the destination IP and (via SNI) the hostname. It does not hide traffic patterns, and it does nothing once data is at rest on the server.
05

Interview Questions

Why is HTTP stateless, and how do sessions work then?

Statelessness keeps servers simple and horizontally scalable — any server can answer any request. Sessions are rebuilt per-request from a cookie (session ID looked up server-side) or a signed token (JWT) carrying the state itself.

401 vs 403?

401 Unauthorized: we don’t know who you are — authenticate. 403 Forbidden: we know exactly who you are, and the answer is no.

What problem does HTTP/2 multiplexing solve, and what does it not solve?

It removes HTTP-level head-of-line blocking (many parallel streams on one TCP connection, no more 6-connection workaround). It cannot fix TCP-level blocking — one lost TCP segment still stalls every stream. That took HTTP/3 on QUIC.

What does the certificate in TLS actually prove?

That a certificate authority the client trusts has verified the server controls that domain, and that the server holds the private key matching the cert — via the handshake signature. It’s the defense against man-in-the-middle.

Quick Quiz

1. Which method is idempotent?
2. Status for “authenticated but not allowed”:
3. HTTP/2’s headline feature:
4. HTTP/3 fixes TCP head-of-line blocking by…
5. TLS does NOT provide…