Chapter 07 — HTTP (Methods, Status Codes, Headers)

Chapter 07 — HTTP (Methods, Status Codes, Headers)

Hey everyone! Welcome back to Namaste Computer Networks! 🙏

HTTP is the language the web speaks. Every page you load, every API you call, every image that appears — it's an HTTP request and response underneath. As a developer, you'll use HTTP every single day, and interviewers will ask about methods, status codes, and statelessness. Let's make it second nature.

What we will cover:

  • What HTTP is (the request/response conversation)
  • Anatomy of a request & response
  • HTTP methods (GET, POST, PUT, DELETE...)
  • Status codes (2xx, 3xx, 4xx, 5xx)
  • Headers & why HTTP is stateless (cookies)
  • Interview Questions

1. What Is HTTP?

┌─────────────────────────────────────────────────────────────┐
│   HTTP (HyperText Transfer Protocol) = the request/response  │
│   protocol the web uses. A client asks (request), a server   │
│   answers (response). It runs on top of TCP.                 │
└─────────────────────────────────────────────────────────────┘
   [ Browser ] ──── HTTP REQUEST ("GET /home") ────▶ [ Server ]
   [ Browser ] ◀─── HTTP RESPONSE (200 OK + HTML) ── [ Server ]

   It's a strict turn-taking conversation: one request → one
   response. Simple, text-based, and universal.

2. Anatomy of a Request & Response

   HTTP REQUEST                    HTTP RESPONSE
   ────────────                    ─────────────
   GET /users/1 HTTP/1.1           HTTP/1.1 200 OK
   Host: api.site.com              Content-Type: application/json
   Accept: application/json        Content-Length: 45
   Authorization: Bearer xyz
                                   { "id": 1, "name": "Aisha" }
   (method)(path)(version)         (version)(status code)(body)
   + headers                       + headers + body
   Request has:  a METHOD, a PATH, HEADERS, and (sometimes) a BODY.
   Response has: a STATUS CODE, HEADERS, and (usually) a BODY.

3. HTTP Methods (Verbs)

MethodMeansSafe?Idempotent?
GETRead data (no changes)YesYes
POSTCreate a new resourceNoNo
PUTReplace/update a resourceNoYes
PATCHPartially update a resourceNoNo*
DELETERemove a resourceNoYes
   SAFE       = doesn't change server data (just reads).
   IDEMPOTENT = doing it N times = doing it once (same end state).
     • GET, PUT, DELETE are idempotent (repeat = same result)
     • POST is NOT (repeat = create duplicates!) — that's why
       refreshing a "submit order" page can double-charge you 😱

4. Status Codes (The Server's Answer)

┌─────────────────────────────────────────────────────────────┐
│   THE 5 FAMILIES (first digit tells the story):             │
├─────────────────────────────────────────────────────────────┤
│  1xx  INFORMATIONAL → "still processing" (rare)             │
│  2xx  SUCCESS       → "it worked!"                          │
│  3xx  REDIRECTION   → "go look over there instead"          │
│  4xx  CLIENT ERROR  → "YOU messed up the request"           │
│  5xx  SERVER ERROR  → "I (the server) messed up"            │
└─────────────────────────────────────────────────────────────┘
   THE ONES TO KNOW COLD:
     200 OK              → success
     201 Created         → new resource made (after POST)
     204 No Content      → success, nothing to return
     301 Moved Permanently → resource has a new URL forever
     302 Found           → temporary redirect
     304 Not Modified    → use your cached copy
     400 Bad Request     → malformed request
     401 Unauthorized    → you're not logged in / no valid token
     403 Forbidden       → logged in, but not allowed
     404 Not Found       → resource doesn't exist
     429 Too Many Requests → rate limited
     500 Internal Server Error → server crashed/bug
     503 Service Unavailable → server overloaded/down

401 vs 403 trap: 401 = "I don't know who you are" (authenticate!). 403 = "I know who you are, but you can't have this."


5. Headers & Statelessness

   HEADERS = key-value metadata about the request/response:
     Content-Type: application/json   → what format the body is
     Authorization: Bearer     → who you are
     Cache-Control: max-age=3600      → caching rules
     Cookie / Set-Cookie              → session data
┌─────────────────────────────────────────────────────────────┐
│   HTTP is STATELESS: each request is independent — the server│
│   remembers NOTHING about previous requests by default.      │
│                                                             │
│   Problem: so how do you stay "logged in"?                   │
│   Solution: send identity WITH each request — via COOKIES or │
│   a token in the Authorization header. The client carries the│
│   state, not the server. (This is why stateless servers      │
│   scale — recall the System Design series!)                  │
└─────────────────────────────────────────────────────────────┘

Interview Questions — Quick Fire!

Q: What is HTTP?

"HTTP is the request-response protocol used by the web. A client sends a request specifying a method and a path, and the server returns a response with a status code and usually a body. It runs on top of TCP, is text-based, and is stateless — each request is independent. It's the foundation of how browsers and APIs communicate."

Q: What does it mean that HTTP is stateless, and how do we keep users logged in?

"Stateless means the server doesn't remember anything about previous requests by default — each request is handled independently. To maintain a logged-in session, the client sends identity with every request, typically a cookie or a token in the Authorization header. So the state travels with the request rather than living on the server, which is also what lets servers scale horizontally."

Q: What's the difference between GET and POST?

"GET retrieves data and is safe and idempotent — it doesn't change server state and repeating it has no additional effect. POST creates or submits data, changing server state, and it's not idempotent — repeating it can create duplicates, which is why re-submitting a form can double an order. GET parameters go in the URL, while POST typically sends data in the request body."

Q: What do the HTTP status code families mean?

"The first digit categorizes the response: 1xx is informational, 2xx means success like 200 OK or 201 Created, 3xx is redirection like 301 or 304, 4xx is a client error like 400, 401, 403, or 404, and 5xx is a server error like 500 or 503. So 4xx means the client's request was wrong, while 5xx means the server failed."

Q: What's the difference between 401 and 403?

"401 Unauthorized means the request lacks valid authentication — the server doesn't know who you are, so you need to log in or provide a valid token. 403 Forbidden means you are authenticated but don't have permission for that resource. In short, 401 is about identity, 403 is about permission."

Q: What does idempotent mean for HTTP methods?

"An idempotent method produces the same end state no matter how many times it's called. GET, PUT, and DELETE are idempotent — calling DELETE twice leaves the resource deleted either way. POST is not idempotent, because each call typically creates a new resource, so repeating it has cumulative effects. Idempotency matters for safely retrying failed requests."


Key Points to Remember

ConceptKey Takeaway
HTTPRequest/response protocol on top of TCP; text-based; stateless.
MethodsGET (read) · POST (create) · PUT (replace) · PATCH (partial) · DELETE.
IdempotentGET/PUT/DELETE yes · POST no (repeats create duplicates).
Status codes2xx success · 3xx redirect · 4xx client error · 5xx server error.
StatelessServer remembers nothing → client carries identity via cookies/tokens.

What's Next?

HTTP sends everything in plain text — anyone snooping can read it. Chapter 08 adds the padlock: HTTPS and TLS, and how encryption keeps your data private on the way.

Keep learning, keep connecting! See you in the next one!