GUIDE

What does http:// mean? HTTP protocol explained

What is HTTP?.jpg

What is Hypertext Transfer Protocol (HTTP)?

HTTP is a set of rules that define how browsers and servers communicate to request and share data, like HTML, text, images, or videos. It works on a client-server model, where the browser (client) asks for resources (request), and the server sends them back (response). Each request is independent (HTTP is a stateless protocol), but tools like cookies and sessions help maintain continuity.

How Does HTTP Work?

The HTTP revolves around two main components: requests and responses.

HTTP communication process transfers data over the web. A client (e.g., a browser) sends an HTTP request to a server using methods like GET (retrieve data) or POST (submit data). The request includes headers (metadata) and sometimes a body (data payload). The server processes the request, then responds with a status code (e.g., 200 for success) and data, often in HTML, JSON, or other formats. HTTP operates statelessly, meaning each request-response pair is independent, though cookies or sessions can add state.

HTTP Request Syntax:

A Hypertext Transfer Protocol request typically includes the following elements: Request Method, URL, Headers, Body.

Request Methods:

Specifies the action to be performed. Common methods include:

  • GET The HTTP GET method is commonly used to retrieve data from a specified resource on a server without modifying it. It is considered safe and idempotent, meaning it should not have side effects and repeated requests yield the same result. A GET request consists of a URL, which can include query parameters for additional filters or options.

  • POST The HTTP POST method is used to send data to a server to create or update a resource. Unlike the GET method, which retrieves data, POST is designed for submitting data that changes the state of the server or creates new resources. A POST request typically includes a request line, headers, and a body containing the data to be sent.

  • PUT The HTTP PUT method is used to update or replace a resource on the server. Unlike the POST method, which is typically used for creating new resources, PUT is meant to send a complete representation of the resource to be updated or replaced. A PUT request includes a request line, headers, and a body that contains the data for the resource.

  • DELETE The HTTP DELETE method is used to remove a specified resource from a server. It instructs the server to dump the resource identified by the request URL.

  • PATCH The HTTP PATCH method is used to partially update a resource on the server, as opposed to the PUT method, which replaces the entire resource. The PATCH method is particularly useful when you only need to make small updates to a resource without affecting the rest of the data.

  • HEAD The HTTP HEAD method is used to retrieve the headers of a resource without fetching the actual body content. It is similar to the GET method but does not return the resource itself; instead, it provides meta-information about the resource.

  • OPTIONS The HTTP OPTIONS method is used to describe the communication options available for a specific resource or for the server as a whole. It allows clients to determine which methods (like GET, POST, PUT, etc.) are supported by the server for a given URL.

  • CONNECT The HTTP CONNECT method is used to establish a tunnel to a server identified by a given URI. This method is primarily used for proxy servers, allowing clients to create a tunnel through which they can communicate with another server over a secure connection (often HTTPS).

  • TRACE The HTTP TRACE method is used to echo back the received request for diagnostic purposes. It allows the client to see what is being received at the server, helping to troubleshoot issues such as intermediate proxies modifying requests.

HTTP request example: GET /index.html HTTP/1.1

URL (Uniform Resource Locator)

URL is an internet address that specifies a resource's location (like a webpage or file) and the protocol (in this case HTTP) to retrieve it. URLs are crucial for web navigation, enabling browsers to access files hosted on servers. URL is also an API endpoint.

Structure of a URL

A URL typically has the following structure:

scheme://host:port/path?query#fragment

Each part serves a specific purpose:

  1. Scheme: Specifies the protocol, such as http or https, used to access the resource.

  2. Host: Refers to the domain name or IP address of the server where the resource resides, like www.example.com.

  3. Port (optional): Specifies the network port used to connect to the server. The default port for HTTP is 80, and for HTTPS, it’s 443. When default ports are used, they’re usually omitted.

  4. Path: Indicates the specific location of the resource on the server ie. /about or /images/photo.jpg

  5. Query (optional): Contains keyword parameters (key-value pairs) in the form of key=value, often used for searches, filtering, or other specific instructions for the server. Multiple keyword parameters can be included, separated by & symbols, e.g., ?search=keyword&limit=10

  6. Fragment (optional): Identifies a specific section within a page, indicated by a #, like #section2

URL Example: https://www.example.com/search?q=keyword#results

  • Scheme: https://

  • Host (domain): www.example.com

  • Path: /search

  • Query (parameter): q=keyword

  • Fragment: results

This URL directs an HTTP client, like a web browser, to connect to example.com over HTTPS, navigate to the /search path, and retrieve the page with the query q=keyword at the #results section.

In the HTTP context, URLs enable browsers and other clients to interact with web resources by defining the locations and parameters for requests.

HTTP Headers

HTTP headers are key-value pairs sent between the client (like a web browser) and the server in an HTTP request or response. They convey additional information about the request or response, such as the type of data being sent, security details, and caching preferences. HTTP headers play a crucial role in controlling the communication and behavior of the request-response cycle in web applications.

Types of HTTP Headers

  1. Request Headers: Sent by the client to provide information about the request and the client environment.

    • Example: User-Agent, Accept, Authorization

  2. Response Headers: Sent by the server to provide information about the response and the server environment.

    • Example: Content-Type, Set-Cookie, Cache-Control

  3. Entity Headers: These define metadata about the body of the request or response (such as the length or format of the content).

    • Example: Content-Length, Content-Encoding

  4. General Headers: Can apply to both requests and responses, providing general information about the message.

    • Example: Connection, Date

Host The domain name of the server.

User-Agent Information about the client software (browser, app, etc.).

Accept Specifies acceptable media types (e.g., application/json, text/html).

Authorization Used for passing authentication credentials.

Body (Optional) Used in requests like POST or PUT, carrying the data to be processed by the server. For example, form data or JSON payloads.

HTTP Response Syntax:

The server responds to an Hypertext Transfer Protocol request with the following components:

  • Status Line Indicates the HTTP version, a status code (e.g., 200 for success, 404 for not found), and a reason phrase explaining the outcome.

  • Headers Additional metadata about the response, such as content type, server information, or cookies.

  • Body Contains the actual content, such as HTML for web pages, JSON for APIs, or other formats based on the request.

HTTP Examples of Headers

  • Request:

    vbnetCopy codeGET /index.html HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 Accept: text/html

  • Response:

    yamlCopy codeHTTP/1.1 200 OK Content-Type: text/html Content-Length: 1234

HTTP and Web Servers

In HTTP, the interaction follows a request-response model:

  • The client sends a request for a resource (e.g., a web page, an image, or data from an API).

  • The server processes the request and sends back the appropriate response.

Web Servers Routing and Response Handling

Web servers like Apache, Nginx, and IIS play a critical role in handling HTTP requests. They determine how to route the incoming requests, manage resources, and return the appropriate response based on the requested URL or resource.

When a request hits the server, it processes it according to predefined routes and handlers. These handlers map specific URLs or endpoints to the corresponding functions or services, which generate the content or data to be returned in the response.

Status Codes

HTTP status codes provide a way to communicate the result of the request. These are categorized into five groups:

1xx (Informational): The request was received, and the process is continuing.

  • 100 Continue The server received the initial part of the request, and the client can proceed.

2xx (Success): The request was successfully received, understood, and accepted.

  • 200 OK Standard response for successful HTTP requests.

  • 201 Created Indicates that a resource was successfully created.

3xx (Redirection): The client must take additional action to complete the request.

  • 301 Moved Permanently The resource has been moved to a new URL.

  • 302 Found The resource is temporarily located at a different URL.

4xx (Client Error): The request contains bad syntax or cannot be fulfilled.

  • 400 Bad Request The server could not understand the request due to invalid syntax.

  • 401 Unauthorized Authentication is required.

  • 403 Forbidden The server understood the request, but refuses to authorize it.

  • 404 Not Found The requested resource could not be found.

5xx (Server Error): The server failed to fulfill a valid request.

  • 500 Internal Server Error A generic error message indicating the server encountered an unexpected condition.

  • 502 Bad Gateway The server received an invalid response from an upstream server.

Headers and Content Negotiation

HTTP headers are critical for conveying additional information about requests and responses:

  • Content-Type Specifies the format of the resource being returned (e.g., text/html, application/json).

  • Accept-Language Indicates the client’s preferred languages for the response.

Content negotiation allows the server to deliver the resource in the client’s preferred format, whether it’s a particular language, media type, or encoding.

Cookies and Sessions

HTTP Cookies are small pieces of data sent from a server and stored on the client’s device. They are widely used for maintaining session state (session management), tracking user activity, and personalizing user experiences. Types of cookies include:

  • Session Cookies Session cookies are temporary cookies stored in a user's browser for the duration of their visit to a website. They are primarily used to manage user sessions and enhance the browsing experience by retaining information such as login status and preferences. Unlike persistent cookies, session cookies are deleted automatically when the browser is closed and typically do not store personal data directly. Instead, they contain unique identifiers that link the session to user data stored on the server.

  • Persistent Cookies Persistent cookies are cookies that remain on a user's device for a specified period, even after the browser is closed, and are stored until they expire or are manually deleted by the user. These cookies typically contain data such as user preferences, login information, and tracking identifiers, allowing websites to remember users and their settings across multiple sessions. For example, a persistent cookie might remember a user's language preference or keep them logged into a site for future visits.

  • Secure Cookies Only transmitted over HTTPS to prevent interception.

  • HttpOnly Cookies Not accessible via JavaScript, preventing cross-site scripting (SQL injection and XSS) attacks.

First-party cookies are set by the website the user is visiting, while third-party cookies are set by external domains, often for advertising or analytics purposes.

http:// vs https://

http transmits data in plain text, which can be intercepted by malicious actors. https (HTTP Secure) addresses this by encrypting the communication using SSL/TLS. This ensures confidentiality, integrity, and authenticity of the data exchange. HTTPS is critical for securing sensitive transactions such as online banking, shopping, and protecting user privacy.

Key Differences Between HTTP and HTTPS:

  • Encryption HTTPS encrypts data using SSL/TLS, while HTTP does not.

  • Certificates HTTPS requires an SSL/TLS certificate to verify the server’s identity.

  • SEO Benefits Search engines like Google or Bing prioritize HTTPS-enabled sites in their rankings.

The HTTP Extension Framework

Extension Framework often referred to in the context of web development, is a set of standards and protocols that allows developers to extend the capabilities of Hypertext Transfer Protocol beyond its traditional functions. Here are some key points about it:

  1. HTTP Extensions includes things like additional headers, methods, or status codes that can be used to convey more information or provide new functionalities.

  2. Use Cases: Examples include:

    • WebDAV An extension that allows clients to perform remote web content authoring operations.

    • RESTful APIs While REST (Representational State Transfer) is not an extension itself, it utilizes HTTP methods (GET, POST, PUT, DELETE) and status codes effectively. Used for building web services that expose resources for CRUD operations (Create, Read, Update, Delete), commonly used in mobile and web applications.

    • OAuth 2.0 An authorization framework that allows third-party applications to obtain limited access to user accounts without exposing passwords. Used for social media logins (e.g., using Google or Facebook accounts), secure access to APIs.

  3. Modular Approach: The framework promotes a modular design, where developers can implement specific extensions as needed without affecting the core HTTP functionalities.

HTTP Security Best Practices

Secure Configuration Web servers should be configured to disable outdated protocols like SSLv3 and TLS 1.0, and enforce strong cipher suites. Security headers examples:

  • Content-Security-Policy (CSP) to restrict the sources from which resources can be loaded.

  • X-Frame-Options to prevent clickjacking attacks.

  • X-Content-Type-Options to prevent MIME-type sniffing.

  • Strict-Transport-Security (HSTS) to enforce secure (HTTPS) connections.

  • Content Security Policy (CSP) Restricts the types of resources that can be loaded by the browser, helping prevent cross-site scripting (XSS) attacks.

  • HTTP Strict Transport Security (HSTS) Forces browsers to communicate with the server only over HTTPS.

  • Anti-CSRF Tokens Protects against Cross-Site Request Forgery (CSRF) by ensuring requests come from legitimate users.

HTTP Versions History

HTTP was first introduced in 1991 as part of the World Wide Web project created by Tim Berners-Lee and is standardized by the Internet Engineering Task Force (IETF). The IETF is responsible for developing and maintaining communication protocols such as TCP/IP, DNS, and many others that they document in RFCs or “Request for Comments.”

The HTTP protocol has evolved over time to improve efficiency, performance, and security:

  • HTTP/0.9 The earliest version, limited to basic text-based hypertext documents.

  • HTTP/1.0 Introduced in 1996 with features like request/response headers, status codes, and media types.

  • HTTP/1.1 Released in 1999, Added persistent connections, chunked transfer encoding, and better caching.

  • HTTP/2 released in 2015, introduced multiplexing (multiple requests over a single connection), header compression, and server push, which enhances performance.

  • HTTP/3 (over QUIC) Moves away from TCP, using User Datagram Protocol (UDP) instead to reduce latency and improve speed, using zero-RTT connection establishment. This version is preferred especially for mobile and high-latency networks.

PubNub and HTTP

PubNub is a real-time data streaming and messaging platform that enables the exchange of data and messages between various clients and applications. While PubNub does not use HTTP as its underlying protocol, it can be integrated with HTTP-based systems to enable real-time communication.

Here are a few ways PubNub can work in conjunction with HTTP:

  1. Real-Time Notifications: By integrating PubNub with an HTTP-based system, you can leverage PubNub's realtime messaging capabilities to send notifications, updates, or alerts to clients or applications. This can be achieved by making an HTTP request from your application to PubNub's API, which would then distribute the message to the subscribed clients over PubNub's WebSocket or other transport protocols.

  2. Webhooks: PubNub can mediate between your HTTP-based and external systems by using webhooks. Webhooks allow you to configure PubNub to send requests to a specific endpoint whenever a certain event or message is received. This enables you to trigger actions in your system based on real-time events or updates received through PubNub.

  3. REST API Integration: PubNub provides a comprehensive RESTful API, allowing you to control various aspects of the PubNub service programmatically. You can use HTTP-based requests to interact with the PubNub API, such as subscribing to channels, publishing messages, retrieving historical data, or managing PubNub resources.

  4. Authentication and Security: While PubNub does not rely on HTTP for its underlying transport, it does provide authentication mechanisms that can be integrated with HTTP-based authentication systems. PubNub allows you to authenticate clients using various methods, including tokens, JWT (JSON Web Tokens), or custom authentication schemes. These authentication mechanisms can be used alongside your existing HTTP-based authentication infrastructure.

PubNub is programming language-agnostic and provides developers with a scalable, secure, and feature-rich platform for building realtime features into their web development projects. By leveraging our infrastructure, APIs, SDKs, and extensive library of step-by-step tutorials, developers can focus on creating innovative and engaging user experiences. At the same time, PubNub takes care of the underlying complexities of real-time communication so you can focus on building sticky apps that engage users.

Check out our Github or sign up for a free trial you’ll get up to 200 MAUs or 1M monthly transactions for free.