HTTP & HTTPS

HTTP is a stateless, request-response protocol for web communication. HTTPS runs HTTP over TLS, which adds encryption, integrity protection and server authentication. Key versions: HTTP/1.1 (persistent connections), HTTP/2 (multiplexing, binary framing, header compression, server push), HTTP/3 (QUIC over UDP). Methods: GET (read), POST (create), PUT (replace), PATCH (partial update), DELETE (remove). Status codes: 2xx success, 3xx redirect, 4xx client error, 5xx server error.

Key Concepts

Deep Dive: HTTP/1.1 vs HTTP/2 vs HTTP/3
Feature               | HTTP/1.1                        | HTTP/2        | HTTP/3
Protocol              | Text                            | Binary        | Binary
Multiplexing          | No (one request per connection) | Yes (streams) | Yes
Header compression    | No                              | HPACK         | QPACK
Transport             | TCP                             | TCP           | QUIC (UDP)
Head-of-line blocking | Yes                             | At TCP level  | No
Server push           | No                              | Yes           | Yes

Deep Dive: HTTPS / TLS Handshake

The flow below is the TLS 1.2 handshake (two round trips before application data). TLS 1.3 shortens it to one round trip, drops ServerHelloDone and ChangeCipherSpec, and sends the certificate encrypted.

Client                               Server
  │─── ClientHello (supported ciphers) →│
  │← ServerHello (chosen cipher) ───────│
  │← Certificate (public key) ──────────│
  │← ServerHelloDone ───────────────────│
  │── Key Exchange (pre-master secret) →│
  │── ChangeCipherSpec ────────────────→│
  │── Finished ────────────────────────→│
  │← ChangeCipherSpec ──────────────────│
  │← Finished ──────────────────────────│
  │────── Encrypted Communication ──────│

TLS ensures:
  • Confidentiality — data is encrypted in transit
  • Integrity — tampering with the data is detected
  • Authentication — the server's identity is verified through its certificate

Deep Dive: HTTP Headers

Request headers:

GET /api/users HTTP/1.1
Host: example.com
Authorization: Bearer eyJ...
Content-Type: application/json
Accept: application/json
Cache-Control: no-cache

Response headers:

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: max-age=3600
Set-Cookie: sessionId=abc123; HttpOnly; Secure
X-RateLimit-Remaining: 99

Common caching headers:
  • Cache-Control — caching rules (e.g. max-age, no-cache, no-store)
  • ETag — opaque validator (typically a content hash) for the current representation
  • Last-Modified — timestamp of the last change
  • If-None-Match — conditional request carrying the cached ETag; the server answers 304 Not Modified if it still matches
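To make the ETag / If-None-Match round trip concrete, here is an added example (not code from the original page) of the server-side logic: compute a strong ETag from the response body, compare it against the client's If-None-Match list using the weak comparison RFC 7232 prescribes (the W/ prefix is ignored), and return 304 with an empty body on a match. The Response class and the hypothetical handle_get function are this example's own constructions, and the request body is constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal HTTP response container used by this example."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def get_header(headers: dict, name: str):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def compute_etag(body: bytes) -> str:
    """Strong ETag: a quoted hex digest of the exact bytes of the representation."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def parse_if_none_match(value: str) -> set:
    """Split an If-None-Match value into entity-tags.

    The header is a comma-separated list of quoted tags or the single token "*".
    If-None-Match uses weak comparison, so a W/ prefix is stripped before matching.
    """
    tags = set()
    for part in value.split(","):
        tag = part.strip()
        if tag.startswith("W/"):
            tag = tag[2:]
        if tag:
            tags.add(tag)
    return tags


def handle_get(request_headers: dict, body: bytes, max_age: int = 3600) -> Response:
    """Serve a GET with validation: 304 if the client's cached ETag still matches.

    Hypothetical handler for this example; `body` stands in for the current
    representation the origin would otherwise serialize.
    """
    etag = compute_etag(body)
    cache_headers = {"Cache-Control": f"max-age={max_age}", "ETag": etag}

    inm = get_header(request_headers, "If-None-Match")
    if inm is not None:
        tags = parse_if_none_match(inm)
        if "*" in tags or etag in tags:
            # Revalidation succeeded: no body, but the cache headers are refreshed.
            return Response(304, cache_headers, b"")

    full_headers = {
        **cache_headers,
        "Content-Type": "application/json",
        "Content-Length": str(len(body)),
    }
    return Response(200, full_headers, body)


if __name__ == "__main__":
    sample = b'{"users": []}'  # constructed sample representation
    first = handle_get({}, sample)
    print(first.status, first.headers["ETag"])
    second = handle_get({"If-None-Match": first.headers["ETag"]}, sample)
    print(second.status, len(second.body))
```

The first request returns 200 with an ETag; replaying that tag in If-None-Match yields 304 and saves the body transfer, while a stale or different tag falls through to a fresh 200. Note that the ETag is derived from the bytes actually sent, so any change to the representation (including a different Content-Encoding) produces a different validator.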

Deep Dive: Cookies & Sessions

Cookies: small name=value pairs stored by the browser and sent automatically with every request to the matching domain and path.

Set-Cookie: sessionId=abc123; HttpOnly; Secure; SameSite=Strict; Max-Age=3600

  • HttpOnly — not readable from JavaScript, which limits what an XSS payload can steal
  • Secure — only sent over HTTPS
  • SameSite — controls whether the cookie is attached to cross-site requests (CSRF protection)
  • Max-Age — lifetime in seconds; without it (or Expires) the cookie lasts only for the browser session

Common Interview Questions
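The attribute list above is the checklist a reviewer applies when reading Set-Cookie headers in a response. The following added example (not from the original page) parses a Set-Cookie header into its name, value and attributes, then audits a session cookie for the missing protections: HttpOnly, Secure, SameSite, and the rule that SameSite=None is only valid together with Secure. The Cookie class and the hypothetical audit_cookie function are this example's own; the header strings in the usage block are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Cookie:
    """A parsed Set-Cookie header. Attribute names are stored lowercased;
    flag attributes (HttpOnly, Secure) map to True, valued ones to their string."""
    name: str
    value: str
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value (the part after 'Set-Cookie:')."""
    parts = [p.strip() for p in header.split(";")]
    # The first segment is name=value; split on the first '=' only, since
    # cookie values such as base64 tokens may themselves contain '='.
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        cookie.attributes[key.strip().lower()] = val.strip() if has_value else True
    return cookie


def audit_cookie(cookie: Cookie) -> list:
    """Return a list of findings for a cookie that carries session state.

    Hypothetical audit function for this example; it encodes the three
    attributes discussed above plus the SameSite=None/Secure coupling.
    """
    findings = []
    attrs = cookie.attributes
    secure = "secure" in attrs

    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable via document.cookie, so XSS can exfiltrate it")
    if not secure:
        findings.append("missing Secure: also sent over plaintext HTTP")

    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite: browser default applies and differs across browsers")
    elif samesite.lower() == "none" and not secure:
        findings.append("SameSite=None requires Secure; browsers reject the cookie otherwise")

    return findings


if __name__ == "__main__":
    # Constructed sample headers: the hardened one from the section above and a weak one.
    good = parse_set_cookie("sessionId=abc123; HttpOnly; Secure; SameSite=Strict; Max-Age=3600")
    weak = parse_set_cookie("sessionId=abc123")
    print("hardened:", audit_cookie(good) or "no findings")
    print("weak:", *audit_cookie(weak), sep="\n  ")
```

Running the audit over a captured response's Set-Cookie headers gives a quick, reproducible check in a review or a CI test; the same parser can feed a detection rule that flags session cookies set without HttpOnly or Secure.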
  • What is the difference between HTTP and HTTPS?
  • What is the TLS handshake?
  • What are HTTP methods? Which are idempotent?
  • What is the difference between HTTP/1.1 and HTTP/2?
  • What is head-of-line blocking?
  • What are common HTTP status codes?
  • What is the purpose of cookies?