HTTP is how browsers and servers talk. HTTPS is the same thing but encrypted with TLS. Almost every web request we make uses one of these protocols.
HTTP Methods
Each method tells the server what we want to do.
| Method | Purpose | Idempotent? | Has Body? |
|---|---|---|---|
| GET | Read/fetch data | Yes | No |
| POST | Create something new | No | Yes |
| PUT | Replace entirely | Yes | Yes |
| PATCH | Update partially | No | Yes |
| DELETE | Remove something | Yes | No |
Idempotent means calling it 10 times has the same effect as calling it once. PUT /users/5 with the same data always sets the same state. POST /users creates a new user each time.
Status Code Families
1xx — Informational (rarely seen: 100 Continue, 101 Switching Protocols)
2xx — Success (the happy path)
3xx — Redirection (go look somewhere else)
4xx — Client Error (we messed up)
5xx — Server Error (the server messed up)The ones that come up constantly:
| Code | Meaning | When We See It |
|---|---|---|
| 200 | OK | Everything worked |
| 201 | Created | POST succeeded, resource created |
| 204 | No Content | DELETE succeeded, nothing to return |
| 301 | Moved Permanently | URL changed, update bookmarks |
| 302 | Found (temporary redirect) | Redirect but URL might come back |
| 304 | Not Modified | Cached version is still fresh |
| 400 | Bad Request | Malformed request (bad JSON, missing fields) |
| 401 | Unauthorized | Not authenticated (need to log in) |
| 403 | Forbidden | Authenticated but not allowed |
| 404 | Not Found | Resource doesn’t exist |
| 429 | Too Many Requests | Rate limited |
| 500 | Internal Server Error | Server crashed |
| 502 | Bad Gateway | Reverse proxy can’t reach the backend |
| 503 | Service Unavailable | Server overloaded or in maintenance |
| 504 | Gateway Timeout | Backend took too long to respond |
The difference between 401 and 403: 401 means “who are you?” (not logged in). 403 means “I know who you are, but you can’t do this.”
Key Headers
Content-Type: application/json # what format the body is in
Authorization: Bearer eyJhbGci... # auth token
Cache-Control: max-age=3600 # cache for 1 hour
Accept: application/json # what format we want back
X-Request-Id: abc-123 # tracking ID for debuggingHTTP/1.1 vs HTTP/2 vs HTTP/3
- HTTP/1.1 — One request per connection (or keep-alive for reuse). Text-based. Still widely used.
- HTTP/2 — Multiplexing (many requests over one connection), header compression, server push. Binary protocol. Much faster for websites with lots of assets.
- HTTP/3 — Uses QUIC (built on UDP instead of TCP). Faster connection setup, better for mobile/lossy networks. Still rolling out.
The only difference we usually care about: HTTP/2 is way faster for loading web pages because it doesn’t wait for one request to finish before starting the next.
TLS — How HTTPS Works
HTTPS = HTTP + TLS encryption. TLS (Transport Layer Security) ensures nobody can eavesdrop or tamper with the data in transit.
Here’s what happens in plain English:
- Client says “hello, here are the encryption methods I support and my key share”
- Server picks a method, sends its certificate (proof of identity) and its key share
- Both sides now have a shared secret — all further traffic is encrypted
Certificates
A TLS certificate proves “this server really is google.com.” Certificates are issued by Certificate Authorities (CAs).
- Let’s Encrypt — free, automated certificates (90-day validity, auto-renewed)
- Caddy — a web server that handles Let’s Encrypt certificates automatically with zero config
- Certificates contain: domain name, public key, issuer, expiration date
# Check a site's certificate
openssl s_client -connect pman47.cc:443 -servername pman47.cc </dev/null 2>/dev/null | openssl x509 -text -noout | head -20
# Quick expiry check
echo | openssl s_client -connect pman47.cc:443 2>/dev/null | openssl x509 -noout -datesIn simple language, HTTP is the language browsers and servers speak. TLS wraps that conversation in an encrypted envelope so nobody in the middle can read it. Together, they’re HTTPS — and that’s why we see the padlock icon in the browser.