What is HTTP? Why does everyone use it? A simple analysis of one of the pillars of the web.


What is HTTP

HTTP, HyperText Transfer Protocol, is the current standard protocol for client-server transmission of data. It is mostly used for transmitting documents, often in the form of HTML, JSON or plain text.

So, in even simpler terms, HTTP is a standard way for computers to send and retrieve data on the internet.

Short story of HTTP

One name roughly sums up the story of a little bit of everything related to the internet: Tim Berners-Lee. He, along with his team, developed HTTP. But that is not all: he laid the foundations for everything we still use today to access the internet, namely HTML (HyperText Markup Language, the standard way web pages are written) and all the technologies for communication between servers and clients (browsers).


Basically, Berners-Lee invented the World Wide Web, which was composed of:

  • A client, the user’s computer, that can receive data (the first version of HTTP only had the GET method, so users could only receive data!)
  • A server, the computer that receives, manages and answers the requests made by the client
  • The received data, only in the form of an HTML document (things have changed a bit since then: we can now also receive or send data as JSON documents, plain text, XML…)
  • A standard protocol to request data: HTTP

Our modern World Wide Web is still composed in the same way! Obviously, it has evolved: there are various HTTP versions, from HTTP/0.9 to HTTP/3.0, clients can now both receive data from and send data to servers, there are more request methods, and more types of documents are supported, as said above. Still, almost everything else is unchanged, and, in my opinion, this is a very cool aspect of the modern web.

How HTTP works

An HTTP request starts with the HTTP client, which opens a TCP connection to a server (if no port is specified, the default port is usually 80). The server needs to be listening on that port to receive requests from clients. Once the server has received the request, it sends an HTTP response back to the client. But how are HTTP requests and responses structured?


POST /users HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Content-Type: application/json
Content-Length: 41
Accept-Language: en-us
Connection: Keep-Alive

{"username": "user", "password": "12345"}

This is a typical HTTP request, so let’s analyze it.

POST /users HTTP/1.1

This first line has 3 main components:

  • The method of the request (POST)
  • The path of the request (/users)
  • The HTTP version (HTTP/1.1)

This line is always required and has been the same since HTTP/0.9 (which did not include the version number).

Host: www.example.com
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Content-Type: application/json
Content-Length: 41
Accept-Language: en-us
Connection: Keep-Alive

Then, from the second line onwards, each line is a request header. Headers carry information about the request, such as details about the client device, the body content type, the body length…

{"username": "user", "password": "12345"}

After the headers, there is an empty line, and then the body content.
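The structure just described (request line, headers, empty line, body) can be checked mechanically. The following is an added example, not code from the original article: a small parser for HTTP/1.x requests that also verifies that Content-Length matches the body, which goes slightly beyond what the text covers. The names `parseHttpRequest` and `SAMPLE_REQUEST` are illustrative.

```javascript
// Constructed sample: the request from this article (some headers omitted),
// with the CRLF line endings that are used on the wire.
const SAMPLE_REQUEST =
  'POST /users HTTP/1.1\r\n' +
  'Host: www.example.com\r\n' +
  'Content-Type: application/json\r\n' +
  'Content-Length: 41\r\n' +
  '\r\n' +
  '{"username": "user", "password": "12345"}';

function parseHttpRequest(raw) {
  // Headers end at the first empty line; everything after it is the body.
  const split = raw.indexOf('\r\n\r\n');
  if (split === -1) throw new Error('missing empty line after headers');
  const [requestLine, ...headerLines] = raw.slice(0, split).split('\r\n');
  const body = raw.slice(split + 4);

  // Request line: method, path and version separated by single spaces.
  const m = /^([A-Z]+) (\S+) (HTTP\/\d\.\d)$/.exec(requestLine);
  if (!m) throw new Error('malformed request line');
  const [, method, path, version] = m;

  const headers = Object.create(null); // no inherited keys such as "constructor"
  for (const line of headerLines) {
    const colon = line.indexOf(':');
    if (colon <= 0) throw new Error('malformed header: ' + line);
    const name = line.slice(0, colon).toLowerCase(); // names are case-insensitive
    if (/\s/.test(name)) throw new Error('whitespace in header name');
    const value = line.slice(colon + 1).trim();
    // Two different Content-Length values make the end of the body ambiguous.
    if (name === 'content-length' && name in headers && headers[name] !== value) {
      throw new Error('conflicting Content-Length headers');
    }
    headers[name] = value; // for other repeated headers the last value wins here
  }

  // Content-Length counts bytes, not characters.
  if ('content-length' in headers) {
    if (!/^\d+$/.test(headers['content-length'])) throw new Error('invalid Content-Length');
    const declared = Number(headers['content-length']);
    const actual = Buffer.byteLength(body, 'utf8');
    if (declared !== actual) throw new Error(`Content-Length ${declared} != body ${actual} bytes`);
  }
  return { method, path, version, headers, body };
}
```

Calling `parseHttpRequest(SAMPLE_REQUEST)` returns the method, path, version, a header map and the body; a request whose declared length does not match its body is rejected instead of being guessed at.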

But what is a request method? What is a request body?

Request Methods

HTTP requests are made for different purposes: sometimes you might want to get some data, other times you might want to add, delete or update users.

  • GET, the most used HTTP method. This is the main method web browsers use to get web pages; it is mainly used to retrieve data and information from the server. Usually it doesn’t have a body.
  • HEAD, almost the same as GET, but it only returns the response headers, without the body.
  • POST, used to send data to the server.
  • PUT, used to send data to the server, but unlike POST, it is idempotent. So, if you PUT the same user to a server multiple times, the result will always be the same, but if you POST the same user to a server multiple times, this user will be added multiple times.
  • DELETE, used to delete the specified resource from the server.
  • PATCH, used to apply modifications to the specified resource on the server.

There are some other methods, like CONNECT, OPTIONS and TRACE, but they are very uncommon (check some documentation, like MDN, for more information).

Request Body

The request body is a string of data that will be sent to the server. It can be plain text, XML or JSON, for example. Usually it contains information about the elements that the server needs to add or update.


HTTP/1.1 200 OK
Server: Apache
Content-Type: application/json
Date: Sat, 07 Nov 2020 00:00:00 GMT
Accept-Language: en-us
Keep-Alive: timeout=5, max=999

{"message": "User added successfully"}

This is a typical HTTP Response. You can see that it is really similar to a request.

HTTP/1.1 200 OK

The first line contains:

  • The HTTP version (still HTTP/1.1)
  • The status code of the response (200)
  • The status message of the response (OK)

The status message depends on the status code, since there is a status message for each valid status code.

Then, as in the request, the other lines contain the response headers and the response body.

Status Codes

  • 1XX, informational responses (e.g. 100, the client can continue the request)
  • 2XX, successful responses (e.g. 200, the request was successful)
  • 3XX, redirection responses (e.g. 302, the URI of the request has been changed temporarily)
  • 4XX, errors made by the client (e.g. 404, URL or resource not found)
  • 5XX, errors made by the server (e.g. 500, the server encountered an unexpected error)

Check MDN for all the status codes with their status messages!

Practical HTTP

To send HTTP requests, you could simply use a web browser, since browsers make a GET request to receive HTML documents.

But if you want to go deeper, you should know that you can make HTTP requests with basically every programming language: for example Python has the ‘requests’ module, Node has the ‘fetch’ module, and so on.

To test HTTP requests you can also use various CLI tools. The most famous is cURL (I’ve created a similar CLI called httcli!). This is an example of a cURL command (check the cURL tutorial for more).

curl https://example.com

For the server, you can easily set it up using Node and Express with this script (after doing all the preliminary NPM work):

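const express = require('express')
const app = express()
// Answer GET requests on every path (Express 4 syntax; Express 5 needs a named wildcard such as "/*splat")
app.get("*", (req, res) => {
  // Log the request line and headers, then reply so the client is not left waiting
  console.log(req.method, req.url, req.headers)
  res.send("OK")
})
// Listen for TCP connections on port 8000
app.listen(8000, () => {})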

Check my article on how to write APIs in an easy way, or the Express documentation for more information.

Security in HTTP

Internet security is a topic that is given more and more importance these days.

HTTPS (HTTP over SSL) is an extension of HTTP. It is now basically the standard for HTTP communication: very few sites still use the insecure HTTP protocol, and web browsers flag them as insecure.


Since authentication data is often passed in HTTP requests, the need for a more secure request protocol kept growing.

Features of HTTPS

HTTPS is very useful for preventing possible Man In The Middle attacks, and when connected to insecure networks.

URIs are identical between HTTP and HTTPS, and SSL is very good for HTTP, since it can protect the communication even if only one of the two sides is authenticated.

Anyway, there are some small differences between HTTP and HTTPS. HTTPS still operates over TCP connections, but they are encrypted with the TLS (Transport Layer Security) protocol, which encrypts the HTTP request before it is sent and the response before it is returned, so that each side decrypts what it receives. HTTPS URLs start with “https://” instead of “http://”, and the default HTTPS port is 443 instead of 80.

How can I make my server more secure?

To make a server more secure with HTTPS, the server owner should create a public key certificate for the web server, and this certificate must be signed by one of the trusted certificate authorities, so that the web browser knows that the web server can be trusted. Various paid certificate authorities exist, but Let’s Encrypt, launched in 2016, provides free basic SSL certificates to websites.
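Once the certificate is issued, the server has to present it on port 443 and stop serving content on port 80. The following is an added example, not code from the original article: it serves an app over HTTPS with Node's built-in modules and answers plain-HTTP requests with a redirect. The host allow-list, the function names and the key and certificate paths passed in are assumptions.

```javascript
// Hypothetical allow-list: the host names this server is willing to redirect to.
const ALLOWED_HOSTS = new Set(['www.example.com', 'example.com']);

// Decide how to answer a request that arrived over plain HTTP (port 80).
// Returns { status, headers } without touching the network, so it is easy to test.
function planHttpsRedirect(method, url, hostHeader) {
  // Strip an optional port ("www.example.com:80") and normalise case.
  const host = String(hostHeader || '').toLowerCase().replace(/:\d+$/, '');
  // Never copy an unknown Host header into Location: a forged Host value
  // would otherwise send visitors to someone else's site.
  if (!ALLOWED_HOSTS.has(host)) return { status: 400, headers: {} };
  // The target must be a path such as "/users?id=1", with no line breaks.
  if (typeof url !== 'string' || !url.startsWith('/') || /[\r\n]/.test(url)) {
    return { status: 400, headers: {} };
  }
  // 301 may be replayed as GET by clients; 308 keeps the method and body.
  const status = method === 'GET' || method === 'HEAD' ? 301 : 308;
  return { status, headers: { Location: 'https://' + host + url } };
}

// Start both listeners. `app` is any (req, res) handler, e.g. an Express app;
// keyPath and certPath point at the private key and the CA-signed certificate.
function startServers(app, keyPath, certPath) {
  const fs = require('fs');
  const http = require('http');
  const https = require('https');
  const tls = { key: fs.readFileSync(keyPath), cert: fs.readFileSync(certPath) };
  https.createServer(tls, app).listen(443); // default HTTPS port
  http.createServer((req, res) => {
    const plan = planHttpsRedirect(req.method, req.url, req.headers.host);
    res.writeHead(plan.status, plan.headers);
    res.end();
  }).listen(80); // default HTTP port: redirect only, never serve content
}
```

The redirect only helps with later requests: whatever the client sent in its first plain-HTTP request, such as the username and password in the POST example earlier, has already crossed the network unencrypted, so clients should use the https:// URL from the start.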

This is one of my first articles. For any questions or advice, just contact me at gianlutara@gmail.com!

17 years old, Italian Fullstack Developer and Maker. Google and Nintendo enthusiast.
