HTTP Basics (Methods, Status Codes, Headers)

HTTP (HyperText Transfer Protocol) is the language browsers and servers use to talk. Every webpage we open, every API we call from our app — it’s HTTP under the hood.

In simple language: a client says “give me this thing” or “here’s some data, do something with it,” and the server replies with a status and a body.

Methods (Verbs)

Methods describe what we want to do with a resource.

  • GET — fetch a resource. Read-only. Safe and idempotent.
  • POST — create something new, or trigger an action. Not idempotent.
  • PUT — replace a resource entirely. Idempotent.
  • PATCH — partially update a resource.
  • DELETE — remove a resource. Idempotent.
  • HEAD — same as GET but no response body. Useful for checking if something exists.
  • OPTIONS — ask the server what methods/headers it allows (used by CORS preflight).

# Fetch a user
curl -X GET https://api.example.com/users/42

# Create a user
curl -X POST https://api.example.com/users \
  -H "Content-Type: application/json" \
  -d '{"name":"Manish"}'

# Replace a user
# (without -H, curl -d labels the body application/x-www-form-urlencoded)
curl -X PUT https://api.example.com/users/42 \
  -H "Content-Type: application/json" \
  -d '{"name":"Manish","email":"m@example.com"}'

# Partial update
curl -X PATCH https://api.example.com/users/42 \
  -H "Content-Type: application/json" \
  -d '{"email":"new@example.com"}'

# Delete
curl -X DELETE https://api.example.com/users/42

Status Codes

The server replies with a 3-digit code. The first digit tells us the category.

  • 1xx Informational: 100 Continue, 101 Switching Protocols (used for WebSocket upgrade).
  • 2xx Success: 200 OK, 201 Created, 204 No Content.
  • 3xx Redirection: 301 Moved Permanently, 302 Found, 304 Not Modified (cache hit).
  • 4xx Client Error — we messed up. 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests.
  • 5xx Server Error — server messed up. 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout.

Quick mnemonic: 1 = hold on, 2 = here you go, 3 = look elsewhere, 4 = your fault, 5 = my fault.

Common Headers

Headers carry metadata. Sent on both requests and responses.

Request headers:

  • Host — which domain we’re hitting (mandatory in HTTP/1.1).
  • User-Agent — what client is making the request (browser, curl, app).
  • Accept — what content types we can handle (application/json).
  • Authorization — credentials, usually a bearer token.
  • Cookie — session info from a previous response.
  • Content-Type — type of the body we’re sending (application/json).

Response headers:

  • Content-Type — type of body the server is returning.
  • Content-Length — body size in bytes.
  • Set-Cookie — server asks the client to store a cookie.
  • Cache-Control — caching rules (no-cache, max-age=3600).
  • Location — where to redirect to (for 3xx responses).

A Full Request and Response

Here’s what actually goes over the wire when we hit a URL:

GET /users/42 HTTP/1.1
Host: api.example.com
User-Agent: curl/8.1.2
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...

And the server replies:

HTTP/1.1 200 OK
Date: Sat, 03 May 2026 10:00:00 GMT
Content-Type: application/json
Content-Length: 54
Cache-Control: max-age=60

{"id":42,"name":"Manish","email":"manish@example.com"}

Notice the blank line — that separates headers from body. Always there.
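
To make the wire format concrete, here is an added example (not code from the original page) that parses a raw response: it splits headers from body at the blank line, classifies the status code by its first digit, and checks that Content-Length is a single value matching the body it describes. The function names and sample bytes are constructed for illustration, and it assumes the buffer holds exactly one complete response to a GET.

```python
# Added example; the sample response bytes are constructed, not captured traffic.
CATEGORIES = {1: "informational", 2: "success", 3: "redirection",
              4: "client error", 5: "server error"}
SAMPLE_BODY = b'{"id":42,"name":"Manish","email":"manish@example.com"}'

def build_sample(declared_length: int) -> bytes:
    """Constructed 200 response carrying the given Content-Length value."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/json\r\n"
            b"Content-Length: " + str(declared_length).encode() + b"\r\n"
            b"\r\n" + SAMPLE_BODY)

def parse_response(raw: bytes) -> dict:
    # Headers end at the first blank line (CRLF CRLF); the rest is the body.
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the header block")
    lines = head.decode("iso-8859-1").split("\r\n")
    # Status line: HTTP-version SP 3-digit-code SP reason-phrase
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("malformed status line")
    code = parts[1]
    if not (len(code) == 3 and code.isascii() and code.isdigit()
            and code[0] in "12345"):
        raise ValueError("status code must be three digits in 1xx-5xx")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        # Header names are case-insensitive, so key on the lowercased name.
        headers.setdefault(name.lower(), []).append(value.strip())
    # Content-Length must be a single unambiguous value that matches the body.
    declared = set(headers.get("content-length", []))
    if len(declared) > 1:
        raise ValueError("conflicting Content-Length headers")
    length_ok = None  # None means no Content-Length header was sent
    if declared:
        value = declared.pop()
        if not (value.isascii() and value.isdigit()):
            raise ValueError("Content-Length is not a non-negative integer")
        length_ok = int(value) == len(body)
    return {"status": int(code), "category": CATEGORIES[int(code[0])],
            "headers": headers, "body": body, "length_ok": length_ok}

if __name__ == "__main__":
    print(parse_response(build_sample(len(SAMPLE_BODY))))
```

A length_ok of False means the declared length and the actual body disagree, which is worth rejecting or logging because different parsers may then disagree about where the message ends.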

Interview Tip

Don’t memorize every status code. Remember the categories and the famous ones (200, 301, 304, 400, 401, 403, 404, 500, 502, 503). For methods, be ready to explain idempotency — calling PUT/DELETE multiple times has the same effect as calling it once; POST does not.