HTTP & HTTPS
The protocol of the web: methods, status codes, headers, three protocol generations — and what TLS actually protects.
HTTP is Just Text (Conceptually)
HTTP is a request/response protocol: the client sends a method + path + headers (+ optional body); the server answers with a status code + headers + body. HTTP/1.1 literally looks like this on the wire:
GET /api/users/42 HTTP/1.1 Host: api.example.com Accept: application/json Authorization: Bearer eyJhbGci... — response — HTTP/1.1 200 OK Content-Type: application/json Cache-Control: max-age=60 {"id": 42, "name": "Ada"}
HTTP is stateless — each request stands alone. State (login sessions, carts) is layered on with cookies or tokens.
Methods & Status Codes
| Method | Meaning | Safe? | Idempotent? |
|---|---|---|---|
GET | Read a resource | ✓ | ✓ |
POST | Create / trigger action | ✗ | ✗ |
PUT | Replace entirely | ✗ | ✓ |
PATCH | Modify partially | ✗ | ✗ |
DELETE | Remove | ✗ | ✓ |
| Class | Meaning | Ones interviewers ask |
|---|---|---|
2xx | Success | 200 OK, 201 Created, 204 No Content |
3xx | Redirect | 301 permanent, 302 temporary, 304 Not Modified |
4xx | Client error | 400, 401 unauthenticated, 403 forbidden, 404, 429 rate-limited |
5xx | Server error | 500, 502 bad gateway, 503 unavailable, 504 gateway timeout |
1.1 → 2 → 3: What Actually Changed
| Version | Transport | Big idea | Weakness fixed |
|---|---|---|---|
| HTTP/1.1 | TCP | Keep-alive, pipelining | One request at a time per connection → browsers open 6 |
| HTTP/2 | TCP + TLS | Multiplexing: many streams, one connection; header compression | 1.1’s connection hunger — but TCP loss still stalls all streams |
| HTTP/3 | QUIC (UDP) | Streams retransmit independently; 0-RTT resumption | TCP head-of-line blocking |
Each generation attacks the previous one’s bottleneck. Know the arc — more requests per connection, fewer round-trips, less blocking — and you can derive the details.
HTTPS — What TLS Adds
HTTPS is HTTP inside a TLS tunnel. TLS gives three guarantees: confidentiality (eavesdroppers see noise), integrity (tampering is detected), and authentication (the certificate proves you reached the real example.com, vouched for by a CA your OS trusts).
Interview Questions
Why is HTTP stateless, and how do sessions work then?
Statelessness keeps servers simple and horizontally scalable — any server can answer any request. Sessions are rebuilt per-request from a cookie (session ID looked up server-side) or a signed token (JWT) carrying the state itself.
401 vs 403?
401 Unauthorized: we don’t know who you are — authenticate. 403 Forbidden: we know exactly who you are, and the answer is no.
What problem does HTTP/2 multiplexing solve, and what does it not solve?
It removes HTTP-level head-of-line blocking (many parallel streams on one TCP connection, no more 6-connection workaround). It cannot fix TCP-level blocking — one lost TCP segment still stalls every stream. That took HTTP/3 on QUIC.
What does the certificate in TLS actually prove?
That a certificate authority the client trusts has verified the server controls that domain, and that the server holds the private key matching the cert — via the handshake signature. It’s the defense against man-in-the-middle.