HTTP Request and Response Cycle Explained
HTTP (HyperText Transfer Protocol) is how browsers and servers talk. Every webpage, API call, image load, and form submission is one or more HTTP request/response pairs. The model is simple: client sends a request, server sends a response, then they’re done. No state by default.
Anatomy of a request
```http
GET /articles/network HTTP/1.1
Host: sudoflare.com
User-Agent: Mozilla/5.0
Accept: text/html
Accept-Language: en-US
Cookie: session=abc123

[optional body]
```
Three parts:
- Request line — method + path + HTTP version
- Headers — key:value pairs of metadata
- Body — optional payload (used by POST, PUT, PATCH)
Anatomy of a response
```http
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 1234
Cache-Control: max-age=300
Set-Cookie: session=def456; HttpOnly; Secure

<html>...</html>
```
Same three parts: status line, headers, body.
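As an added example (not code from the original page), the Python below splits a raw response like the one above into status line, headers and body, then reports any `Set-Cookie` header missing the `HttpOnly` or `Secure` attributes. The sample bytes and the function names are constructed for illustration.

```python
# Added example: split a raw HTTP/1.1 response into its three parts and
# audit Set-Cookie flags. SAMPLE is constructed for illustration.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 13\r\n"
    b"Set-Cookie: session=def456; HttpOnly; Secure\r\n"
    b"Set-Cookie: theme=dark\r\n"
    b"\r\n"
    b"<html></html>"
)

def parse_response(raw: bytes):
    """Return (version, status_code, reason, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line separating headers from body")
    lines = head.decode("iso-8859-1").split("\r\n")
    version, _, rest = lines[0].partition(" ")
    code, _, reason = rest.partition(" ")
    if not version.startswith("HTTP/") or not code.isdecimal():
        raise ValueError("malformed status line")
    headers = []  # list of pairs, since names such as Set-Cookie may repeat
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # Reject empty names and whitespace around the name (ambiguous framing).
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.lower(), value.strip()))
    return version, int(code), reason, headers, body

def audit_cookies(headers):
    """Map cookie name -> flags missing among HttpOnly and Secure."""
    findings = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        pair, *attrs = [p.strip() for p in value.split(";")]
        present = {a.split("=", 1)[0].lower() for a in attrs}
        missing = [f for f in ("HttpOnly", "Secure") if f.lower() not in present]
        if missing:
            findings[pair.split("=", 1)[0]] = missing
    return findings

def length_matches(headers, body):
    """True when exactly one Content-Length is present and equals len(body)."""
    declared = [v for n, v in headers if n == "content-length"]
    return len(declared) == 1 and declared[0].isdecimal() and int(declared[0]) == len(body)
```

Headers are kept as a list of pairs rather than a dict so that the second `Set-Cookie` line is not silently overwritten by the first.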
The 9 HTTP methods
| Method | Purpose | Has body? | Idempotent? |
|---|---|---|---|
| GET | Retrieve a resource | No | Yes |
| POST | Create a resource | Yes | No |
| PUT | Replace a resource | Yes | Yes |
| PATCH | Modify a resource | Yes | No |
| DELETE | Remove a resource | No | Yes |
| HEAD | GET but headers only | No | Yes |
| OPTIONS | CORS preflight, capabilities | No | Yes |
| CONNECT | Tunnel through a proxy | No | — |
| TRACE | Diagnostic loopback | No | Yes |
Status codes (the 5 ranges)
- 1xx Informational — rarely seen (100 Continue, 101 Switching Protocols)
- 2xx Success — 200 OK, 201 Created, 204 No Content
- 3xx Redirect — 301 Moved Permanently, 302 Found, 304 Not Modified
- 4xx Client Error — 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests
- 5xx Server Error — 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout
The most useful headers
- Content-Type — MIME type of the body (text/html, application/json)
- Content-Length — bytes in the body
- Authorization — credentials (Bearer tokens, Basic auth)
- Cookie / Set-Cookie — session state
- Cache-Control — caching directives
- User-Agent — what client is making the request
- Host — which virtual host (required in HTTP/1.1)
- Accept / Accept-Encoding — what the client wants
- Location — where to redirect to (with 3xx)
Inspect HTTP traffic
```bash
# curl is your debugger
curl -v https://sudoflare.com
curl -I https://sudoflare.com # headers only
curl -X POST -d 'name=alice' https://api.example.com/users
curl -H 'Authorization: Bearer abc' https://api.example.com/me
# Browser: F12 → Network tab — see every request your page makes
```
What to learn next
HTTPS and the TLS handshake — how HTTP becomes encrypted and authenticated. Up next.