HTTP is the application protocol that powers the web. Understanding it — including the status codes, headers, and how HTTPS secures it — is essential for any cloud or backend engineer.
HTTP Basics
HTTP (HyperText Transfer Protocol) is a stateless, request-response protocol. A client sends a request, a server responds. The server doesn't remember previous requests (cookies and sessions work around this).
HTTP Request Structure
```http
GET /api/users/123 HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGci...
Accept: application/json
User-Agent: Mozilla/5.0...
```
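To make the request structure concrete, here is an added example (not code from the original page) that parses the head of a request like the one above the way a server does: request line, case-insensitive header names, Host required for HTTP/1.1, and rejection of malformed lines with a 400-style error. The sample request and its token are constructed placeholders.

```python
"""Parse the head (request line and headers) of an HTTP/1.1 request.

Added example for this page, not from the original text: it applies the checks a
server performs before reading a body. The sample request is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Methods from the page's table; anything else is rejected before dispatch.
KNOWN_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}


class BadRequest(ValueError):
    """Malformed input; a server answers 400 Bad Request and closes the connection."""


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)  # names stored lowercase

    def header(self, name: str, default: Optional[str] = None) -> Optional[str]:
        # Header names are case-insensitive (RFC 9110), so look up in lowercase.
        return self.headers.get(name.lower(), default)


def parse_request_head(raw: bytes) -> Request:
    # The head ends at the first empty line; anything after it is the body.
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("head not terminated by an empty line")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError as exc:
        raise BadRequest("non-ASCII bytes in request head") from exc

    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise BadRequest(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    if method not in KNOWN_METHODS:
        raise BadRequest(f"unknown method {method!r}")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise BadRequest(f"unsupported version {version!r}")

    headers: dict = {}
    for line in lines[1:]:
        # A line starting with whitespace is obsolete line folding. Proxies and
        # origins disagree on how to treat it, so refuse it rather than guess.
        if line[:1] in (" ", "\t"):
            raise BadRequest("obsolete header folding is not accepted")
        name, colon, value = line.partition(":")
        # Whitespace between the field name and the colon must also be rejected.
        if not colon or not name or name != name.strip():
            raise BadRequest(f"malformed header line: {line!r}")
        key, value = name.lower(), value.strip()
        if key == "host" and key in headers:
            raise BadRequest("more than one Host header")
        # Other repeated fields combine into one comma-separated list (RFC 9110 5.3).
        headers[key] = value if key not in headers else headers[key] + ", " + value

    if version == "HTTP/1.1" and "host" not in headers:
        raise BadRequest("HTTP/1.1 request without a Host header")
    return Request(method, target, version, headers)


def bearer_token(req: Request) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None."""
    scheme, _, token = (req.header("authorization") or "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


# Constructed sample; the token is a placeholder, not a real JWT.
SAMPLE_REQUEST = (
    b"GET /api/users/123 HTTP/1.1\r\n"
    b"Host: api.example.com\r\n"
    b"Authorization: Bearer eyJhbGci.placeholder\r\n"
    b"Accept: application/json\r\n"
    b"User-Agent: example-client/1.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    req = parse_request_head(SAMPLE_REQUEST)
    print(req.method, req.target, req.header("Host"), bearer_token(req))
```

The strictness is deliberate: the places where this parser refuses input (folded lines, whitespace before the colon, duplicate Host) are exactly the places where two components in a request path may otherwise parse the same bytes differently.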
HTTP Methods
| Method | Purpose | Idempotent? |
|---|---|---|
| GET | Retrieve resource | Yes |
| POST | Create resource / submit data | No |
| PUT | Replace resource entirely | Yes |
| PATCH | Partially update resource | Depends |
| DELETE | Remove resource | Yes |
| HEAD | GET but response body omitted | Yes |
| OPTIONS | Query supported methods (CORS preflight) | Yes |
HTTP Status Codes
| Range | Category | Common Examples |
|---|---|---|
| 2xx | Success | 200 OK, 201 Created, 204 No Content |
| 3xx | Redirect | 301 Moved Permanently, 302 Found, 304 Not Modified |
| 4xx | Client error | 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests |
| 5xx | Server error | 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout |
Important HTTP Headers
| Header | Direction | Purpose |
|---|---|---|
| Content-Type | Both | MIME type of body (application/json, text/html) |
| Authorization | Request | Bearer token, Basic auth |
| Cache-Control | Both | Caching directives (max-age, no-cache) |
| X-Forwarded-For | Request | Original client IP, appended by proxies and LBs; the client can set it too, so trust only the hop added by your own proxy |
| CORS headers | Response | Access-Control-Allow-Origin etc. |
| Strict-Transport-Security | Response | Force HTTPS (HSTS) |
| X-Content-Type-Options | Response | Prevent MIME sniffing (nosniff) |
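Two of the headers in the table need more than a lookup on the server side: X-Forwarded-For has to be walked from the right so that a client-supplied value is never taken as the real address, and the response-side security headers are worth checking automatically. The following is an added example (not code from the original page) doing both; the proxy range and the sample response headers are constructed.

```python
"""Server-side handling of two headers from the table: resolving the real client
address from X-Forwarded-For, and auditing a response's security headers.

Added example for this page, not from the original text. The proxy range and
sample headers are constructed.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed: address range of the load balancers / reverse proxies we operate.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_our_proxy(addr: str, trusted) -> Optional[bool]:
    """True/False for a parseable address, None for garbage."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return any(ip in net for net in trusted)


def client_ip(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Return the address a service should log and rate-limit on.

    Each proxy appends the peer it saw, so X-Forwarded-For reads
    "client, proxy1, proxy2" and the TCP peer (remote_addr) is the last hop.
    A value the client itself sent sits at the far left and is untrusted, so
    walk from the right and stop at the first address that is not our proxy.
    """
    if _is_our_proxy(remote_addr, trusted) is not True:
        return remote_addr  # direct connection: ignore the header entirely
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        ours = _is_our_proxy(hop, trusted)
        if ours is None:
            break  # unparseable entry: nothing left of it can be trusted either
        if not ours:
            return hop
    return remote_addr  # empty or all-proxy chain: fall back to the TCP peer


ONE_YEAR = 31536000


def hsts_max_age(value: str) -> Optional[int]:
    """Extract max-age (seconds) from a Strict-Transport-Security value."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_response_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response's headers; an empty list means none."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: clients can be kept on plain HTTP")
    elif (hsts_max_age(hsts) or 0) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age is under one year")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: browsers may MIME-sniff the body")
    if (h.get("access-control-allow-origin") == "*"
            and h.get("access-control-allow-credentials", "").lower() == "true"):
        findings.append("Access-Control-Allow-Origin '*' with credentials: browsers reject this combination")
    return findings


# Constructed sample response headers.
SAMPLE_RESPONSE = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=3600",
    "Access-Control-Allow-Origin": "*",
}

if __name__ == "__main__":
    print(client_ip("10.0.0.5", "198.51.100.1, 203.0.113.7"))
    for finding in audit_response_headers(SAMPLE_RESPONSE):
        print("-", finding)
```

In the `__main__` scenario the client at 203.0.113.7 sent its own `X-Forwarded-For: 198.51.100.1`; the load balancer appended the address it actually saw and connected from 10.0.0.5, so walking from the right yields 203.0.113.7 and the spoofed value is never used.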
HTTP/2 and HTTP/3
- HTTP/1.1: One request at a time per connection; keep-alive reuses the connection, but pipelining was rarely usable because responses had to come back in order (head-of-line blocking)
- HTTP/2: Multiplexing — multiple requests over one TCP connection; header compression; used by most modern APIs and CDNs
- HTTP/3: Based on QUIC (UDP) — eliminates TCP head-of-line blocking; faster on unreliable networks
TLS (Transport Layer Security)
HTTPS is HTTP over TLS. TLS provides three things:
- Encryption: Data is encrypted in transit — cannot be read by a network observer
- Integrity: Any tampering with data is detected
- Authentication: The server's certificate proves you're connected to the real server (not an impostor)
The TLS Handshake (TLS 1.3)
- Client sends ClientHello — supported cipher suites, random value, SNI (server name)
- Server responds with ServerHello — chosen cipher suite, certificate, random value
- Client verifies the certificate against trusted Certificate Authorities
- Both sides derive session keys using key exchange (ECDHE)
- Encrypted communication begins — all HTTP traffic is now encrypted
Certificates
A TLS certificate contains:
- The domain name(s) it's valid for (Subject Alternative Names; the older Common Name field is ignored by modern browsers)
- The certificate owner's public key
- The issuing Certificate Authority (CA)
- Validity period
- The CA's digital signature
Certificate Authorities (CAs) like DigiCert, Let's Encrypt, and Sectigo verify you control the domain before issuing a certificate. Let's Encrypt provides free, auto-renewing certificates via the ACME protocol.
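The list above is what a client reads out of the certificate; the checks it then performs on those fields, including the wildcard rules for matching the requested hostname against the SANs, are spelled out in this added example (not code from the original page). The certificate is a constructed dictionary of those fields and the issuer set stands in for the client's root store; verifying the CA's signature over the certificate and the chain to a trusted root is not re-implemented here.

```python
"""What a TLS client checks about the server certificate, written out as code.

Added example for this page, not from the original text. The certificate is a
constructed dict with the fields the page lists; a real client reads them from
the X.509 structure and also verifies the CA's signature over the certificate
(and the chain up to a trusted root), which is not re-implemented here.
"""
from datetime import datetime, timezone
from typing import List, Union

# Constructed stand-in for a parsed certificate.
SAMPLE_CERT = {
    "subject_common_name": "www.example.com",
    "subject_alt_names": ["www.example.com", "*.api.example.com"],
    "issuer": "Example CA (constructed)",
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2024, 4, 1, tzinfo=timezone.utc),
}
TRUSTED_ISSUERS = {"Example CA (constructed)"}  # stand-in for the client's root store


def hostname_matches(hostname: str, pattern: str) -> bool:
    """Match a hostname against one dNSName SAN entry (RFC 6125 / RFC 9525 rules).

    A wildcard is honoured only as the entire left-most label, matches exactly one
    label, and never matches the bare parent domain or a public suffix alone.
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return host == pat
    # Only "*.example.com"-shaped patterns are accepted: the wildcard must be the
    # whole first label, appear once, and be followed by at least two labels.
    if pat[0] != "*" or any("*" in label for label in pat[1:]) or len(pat) < 3:
        return False
    return len(host) == len(pat) and host[1:] == pat[1:]


def verify_certificate(cert: dict, hostname: str, now: Union[datetime, str],
                       trusted_issuers=TRUSTED_ISSUERS) -> List[str]:
    """Return the reasons the certificate is NOT acceptable; empty means it passed."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    problems = []
    if cert["issuer"] not in trusted_issuers:
        problems.append("issuer is not a trusted CA")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("outside validity period")
    # Modern clients match the requested name only against SANs; the CN is ignored.
    if not any(hostname_matches(hostname, san) for san in cert["subject_alt_names"]):
        problems.append(f"hostname {hostname!r} not covered by SANs")
    return problems


if __name__ == "__main__":
    print(verify_certificate(SAMPLE_CERT, "www.example.com", "2024-02-01T00:00:00+00:00"))
    print(verify_certificate(SAMPLE_CERT, "example.com", "2024-05-01T00:00:00+00:00"))
```

Returning every failed check rather than stopping at the first is a debugging convenience; a real client treats any single problem as fatal and aborts the handshake.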
SNI (Server Name Indication)
SNI allows a single server IP to host multiple HTTPS domains. During the TLS handshake, the client sends the hostname it's connecting to, allowing the server to present the correct certificate. Without SNI, you'd need one IP per HTTPS domain. Note that the SNI hostname is sent in cleartext in the ClientHello, so a network observer can see which domain is being contacted even though the HTTP traffic itself is encrypted.
Certificate Management in AWS
- AWS Certificate Manager (ACM): Free public TLS certificates for AWS resources (ALB, CloudFront, API Gateway). Auto-renews.
- ACM Private CA: For internal certificates and mTLS
- cert-manager on Kubernetes: Automates certificate issuance via Let's Encrypt or AWS PCA
Next: TCP and UDP — the two transport protocols, when to use each, and the common ports you need to know.