Chapter 07 — HTTP (Methods, Status Codes, Headers)
Chapter 07 — HTTP (Methods, Status Codes, Headers)
Hey everyone! Welcome back to Namaste Computer Networks! 🙏
HTTP is the language the web speaks. Every page you load, every API you call, every image that appears — it's an HTTP request and response underneath. As a developer, you'll use HTTP every single day, and interviewers will ask about methods, status codes, and statelessness. Let's make it second nature.
What we will cover:
- What HTTP is (the request/response conversation)
- Anatomy of a request & response
- HTTP methods (GET, POST, PUT, DELETE...)
- Status codes (2xx, 3xx, 4xx, 5xx)
- Headers & why HTTP is stateless (cookies)
- Interview Questions
1. What Is HTTP?
┌─────────────────────────────────────────────────────────────┐ │ HTTP (HyperText Transfer Protocol) = the request/response │ │ protocol the web uses. A client asks (request), a server │ │ answers (response). It runs on top of TCP. │ └─────────────────────────────────────────────────────────────┘
[ Browser ] ──── HTTP REQUEST ("GET /home") ────▶ [ Server ]
[ Browser ] ◀─── HTTP RESPONSE (200 OK + HTML) ── [ Server ]
It's a strict turn-taking conversation: one request → one
response. Simple, text-based, and universal.
2. Anatomy of a Request & Response
HTTP REQUEST HTTP RESPONSE
──────────── ─────────────
GET /users/1 HTTP/1.1 HTTP/1.1 200 OK
Host: api.site.com Content-Type: application/json
Accept: application/json Content-Length: 45
Authorization: Bearer xyz
{ "id": 1, "name": "Aisha" }
(method)(path)(version) (version)(status code)(body)
+ headers + headers + body
Request has: a METHOD, a PATH, HEADERS, and (sometimes) a BODY. Response has: a STATUS CODE, HEADERS, and (usually) a BODY.
3. HTTP Methods (Verbs)
| Method | Means | Safe? | Idempotent? |
|---|---|---|---|
| GET | Read data (no changes) | Yes | Yes |
| POST | Create a new resource | No | No |
| PUT | Replace/update a resource | No | Yes |
| PATCH | Partially update a resource | No | No* |
| DELETE | Remove a resource | No | Yes |
SAFE = doesn't change server data (just reads).
IDEMPOTENT = doing it N times = doing it once (same end state).
• GET, PUT, DELETE are idempotent (repeat = same result)
• POST is NOT (repeat = create duplicates!) — that's why
refreshing a "submit order" page can double-charge you 😱
4. Status Codes (The Server's Answer)
┌─────────────────────────────────────────────────────────────┐ │ THE 5 FAMILIES (first digit tells the story): │ ├─────────────────────────────────────────────────────────────┤ │ 1xx INFORMATIONAL → "still processing" (rare) │ │ 2xx SUCCESS → "it worked!" │ │ 3xx REDIRECTION → "go look over there instead" │ │ 4xx CLIENT ERROR → "YOU messed up the request" │ │ 5xx SERVER ERROR → "I (the server) messed up" │ └─────────────────────────────────────────────────────────────┘
THE ONES TO KNOW COLD:
200 OK → success
201 Created → new resource made (after POST)
204 No Content → success, nothing to return
301 Moved Permanently → resource has a new URL forever
302 Found → temporary redirect
304 Not Modified → use your cached copy
400 Bad Request → malformed request
401 Unauthorized → you're not logged in / no valid token
403 Forbidden → logged in, but not allowed
404 Not Found → resource doesn't exist
429 Too Many Requests → rate limited
500 Internal Server Error → server crashed/bug
503 Service Unavailable → server overloaded/down
401 vs 403 trap: 401 = "I don't know who you are" (authenticate!). 403 = "I know who you are, but you can't have this."
5. Headers & Statelessness
HEADERS = key-value metadata about the request/response:
Content-Type: application/json → what format the body is
Authorization: Bearer → who you are
Cache-Control: max-age=3600 → caching rules
Cookie / Set-Cookie → session data
┌─────────────────────────────────────────────────────────────┐ │ HTTP is STATELESS: each request is independent — the server│ │ remembers NOTHING about previous requests by default. │ │ │ │ Problem: so how do you stay "logged in"? │ │ Solution: send identity WITH each request — via COOKIES or │ │ a token in the Authorization header. The client carries the│ │ state, not the server. (This is why stateless servers │ │ scale — recall the System Design series!) │ └─────────────────────────────────────────────────────────────┘
Interview Questions — Quick Fire!
Q: What is HTTP?
"HTTP is the request-response protocol used by the web. A client sends a request specifying a method and a path, and the server returns a response with a status code and usually a body. It runs on top of TCP, is text-based, and is stateless — each request is independent. It's the foundation of how browsers and APIs communicate."
Q: What does it mean that HTTP is stateless, and how do we keep users logged in?
"Stateless means the server doesn't remember anything about previous requests by default — each request is handled independently. To maintain a logged-in session, the client sends identity with every request, typically a cookie or a token in the Authorization header. So the state travels with the request rather than living on the server, which is also what lets servers scale horizontally."
Q: What's the difference between GET and POST?
"GET retrieves data and is safe and idempotent — it doesn't change server state and repeating it has no additional effect. POST creates or submits data, changing server state, and it's not idempotent — repeating it can create duplicates, which is why re-submitting a form can double an order. GET parameters go in the URL, while POST typically sends data in the request body."
Q: What do the HTTP status code families mean?
"The first digit categorizes the response: 1xx is informational, 2xx means success like 200 OK or 201 Created, 3xx is redirection like 301 or 304, 4xx is a client error like 400, 401, 403, or 404, and 5xx is a server error like 500 or 503. So 4xx means the client's request was wrong, while 5xx means the server failed."
Q: What's the difference between 401 and 403?
"401 Unauthorized means the request lacks valid authentication — the server doesn't know who you are, so you need to log in or provide a valid token. 403 Forbidden means you are authenticated but don't have permission for that resource. In short, 401 is about identity, 403 is about permission."
Q: What does idempotent mean for HTTP methods?
"An idempotent method produces the same end state no matter how many times it's called. GET, PUT, and DELETE are idempotent — calling DELETE twice leaves the resource deleted either way. POST is not idempotent, because each call typically creates a new resource, so repeating it has cumulative effects. Idempotency matters for safely retrying failed requests."
Key Points to Remember
| Concept | Key Takeaway |
|---|---|
| HTTP | Request/response protocol on top of TCP; text-based; stateless. |
| Methods | GET (read) · POST (create) · PUT (replace) · PATCH (partial) · DELETE. |
| Idempotent | GET/PUT/DELETE yes · POST no (repeats create duplicates). |
| Status codes | 2xx success · 3xx redirect · 4xx client error · 5xx server error. |
| Stateless | Server remembers nothing → client carries identity via cookies/tokens. |
What's Next?
HTTP sends everything in plain text — anyone snooping can read it. Chapter 08 adds the padlock: HTTPS and TLS, and how encryption keeps your data private on the way.
Keep learning, keep connecting! See you in the next one!
Post a Comment