Siksha Sarovar

Siksha Sarovar (sikshasarovar.com) is a free educational web application that helps students in India learn programming and prepare for academic and competitive exams. The platform offers structured coding courses (C, C++, Python, Java, HTML, CSS, PHP, Power BI, AI, Machine Learning, Data Science), complete university curriculum notes for BCA/MCA students with previous year question papers, Class 10 and Class 12 CBSE/HBSE school notes, and dedicated preparation material for SSC, UPSC, Banking, Railway and other government exams. Browsing the site is completely free and requires no account. Users may optionally sign in with Google solely to save their learning progress, quiz scores and personal preferences across devices.

11. HTTP Crash Course

Lesson 11 of 23 in the free Backend Development notes on Siksha Sarovar, written by Rohit Jangra.

What is HTTP?

HTTP (HyperText Transfer Protocol) is the foundation of data communication on the web. It is a stateless, request-response protocol where the client (browser, mobile app, React frontend) sends a request and the server returns a response. Every interaction you have with a website — loading a page, submitting a form, fetching data — uses HTTP.

HTTPS adds a layer of security using TLS (Transport Layer Security), formerly SSL. TLS encrypts the data in transit so that an attacker positioned between the client and the server (a man-in-the-middle) cannot read or modify it. All production websites must use HTTPS. Modern browsers show a "Not Secure" warning for HTTP sites.

---

HTTP Request Anatomy

A complete HTTP request has three parts:

1. Request Line: GET /api/users/123?include=profile HTTP/1.1

  • Method: GET
  • Path: /api/users/123
  • Query string: ?include=profile
  • HTTP version: HTTP/1.1

2. Request Headers (key-value metadata):

| Header | Purpose | Example |
| --- | --- | --- |
| Host | Target server domain | Host: api.myapp.com |
| Content-Type | Body format | application/json |
| Authorization | Auth credentials | Bearer eyJhbGci... |
| Cookie | Cookies to send | accessToken=... |
| Accept | Expected response format | application/json |
| Origin | CORS: request origin | https://myapp.com |
| User-Agent | Client info | Mozilla/5.0... |

3. Request Body (optional — only for POST, PUT, PATCH):

{ "email": "user@example.com", "password": "secret123" }
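
The three parts described above, split out by a small strict parser. This is an added example, not code from the original lesson; `parseRequest`, `METHODS` and `SAMPLE_REQUEST` are names chosen here, and the sample request is constructed from the lesson's own values. It rejects ambiguous input (duplicate `Host` or `Content-Length`, whitespace in a header name, missing `Host` on HTTP/1.1) instead of guessing.

```javascript
// Added example: strict parser for the request format described in this lesson.
const METHODS = new Set(['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS', 'HEAD']);

function parseRequest(raw) {
  // Headers end at the first blank line; everything after it is the body.
  const end = raw.indexOf('\r\n\r\n');
  if (end === -1) throw new Error('missing blank line after headers');
  const [requestLine, ...headerLines] = raw.slice(0, end).split('\r\n');
  const body = raw.slice(end + 4);

  // 1. Request line: METHOD SP request-target SP HTTP-version
  const parts = requestLine.split(' ');
  if (parts.length !== 3) throw new Error('malformed request line');
  const [method, target, version] = parts;
  if (!METHODS.has(method)) throw new Error('unsupported method');
  if (!/^HTTP\/\d\.\d$/.test(version)) throw new Error('bad HTTP version');
  const q = target.indexOf('?');
  const path = q === -1 ? target : target.slice(0, q);
  const query = Object.fromEntries(new URLSearchParams(q === -1 ? '' : target.slice(q + 1)));

  // 2. Headers: names are case-insensitive, so store them lower-cased.
  const headers = Object.create(null); // no inherited keys such as "constructor"
  for (const line of headerLines) {
    const colon = line.indexOf(':');
    // No colon, empty name, or whitespace in the name: refuse rather than guess.
    if (colon <= 0 || /\s/.test(line.slice(0, colon))) throw new Error('malformed header');
    const name = line.slice(0, colon).toLowerCase();
    const value = line.slice(colon + 1).trim();
    // Two Host or Content-Length headers let a proxy and the app disagree; reject.
    if (name in headers && (name === 'host' || name === 'content-length')) {
      throw new Error('duplicate ' + name + ' header');
    }
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  if (version === 'HTTP/1.1' && !('host' in headers)) throw new Error('missing Host header');
  return { method, path, query, version, headers, body }; // 3. body is returned as-is
}

// Constructed sample built from the lesson's request line and headers.
const SAMPLE_REQUEST = [
  'GET /api/users/123?include=profile HTTP/1.1',
  'Host: api.myapp.com',
  'Accept: application/json',
  '', '',
].join('\r\n');
console.log(parseRequest(SAMPLE_REQUEST));
```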

---

HTTP Response Anatomy

1. Status Line: HTTP/1.1 200 OK

2. Response Headers:

| Header | Purpose |
| --- | --- |
| Content-Type | Format of the response body |
| Set-Cookie | Instructs client to store a cookie |
| Access-Control-Allow-Origin | CORS allowed origin |
| Cache-Control | Caching instructions |
| X-RateLimit-Remaining | Rate limit info |
| Location | Redirect URL (for 3xx responses) |

3. Response Body:

{ "success": true, "data": { "id": "...", "name": "..." } }

---

HTTP Methods

| Method | Purpose | Has Body | Idempotent | Safe |
| --- | --- | --- | --- | --- |
| GET | Retrieve resource | No | ✅ Yes | ✅ Yes |
| POST | Create new resource | Yes | ❌ No | ❌ No |
| PUT | Full replacement of resource | Yes | ✅ Yes | ❌ No |
| PATCH | Partial update | Yes | Sometimes | ❌ No |
| DELETE | Remove resource | No | ✅ Yes | ❌ No |
| OPTIONS | CORS preflight, check capabilities | No | ✅ Yes | ✅ Yes |
| HEAD | Same as GET but no body (check existence) | No | ✅ Yes | ✅ Yes |

Idempotent: Making the same request multiple times has the same effect as making it once. GET, PUT, DELETE are idempotent. POST is not (each POST creates a new resource).

---

HTTP Status Codes

1xx — Informational:

  • 100 Continue: Server received request headers, client should send body

2xx — Success:

| Code | Name | When to Use |
| --- | --- | --- |
| 200 | OK | Successful GET, PUT, PATCH, DELETE |
| 201 | Created | Resource created (POST) |
| 204 | No Content | Success but no body (DELETE) |

3xx — Redirection:

  • 301 Moved Permanently: Old URL permanently redirected
  • 302 Found: Temporary redirect
  • 304 Not Modified: Cached version is still valid

4xx — Client Errors:

| Code | Name | When to Use |
| --- | --- | --- |
| 400 | Bad Request | Malformed or invalid request |
| 401 | Unauthorized | Not authenticated |
| 403 | Forbidden | Authenticated but not authorised |
| 404 | Not Found | Resource does not exist |
| 409 | Conflict | Duplicate resource |
| 422 | Unprocessable Entity | Validation failed |
| 429 | Too Many Requests | Rate limited |

5xx — Server Errors:

| Code | Name | When to Use |
| --- | --- | --- |
| 500 | Internal Server Error | Unexpected crash, bug |
| 502 | Bad Gateway | Proxy received invalid response |
| 503 | Service Unavailable | Server overloaded / maintenance |
| 504 | Gateway Timeout | Upstream service timed out |

---

HTTP/1.1 vs HTTP/2

| Feature | HTTP/1.1 | HTTP/2 |
| --- | --- | --- |
| Connection | One request per TCP connection | Multiple requests on one connection (multiplexing) |
| Header compression | No | Yes (HPACK) |
| Server push | No | Yes |
| Speed | Slower (head-of-line blocking) | Significantly faster |
| Adoption | Universal | Widely supported |

---

CORS Headers Explained

When a browser makes a cross-origin request, it first sends an OPTIONS preflight request to check if the server allows it:

OPTIONS /api/users HTTP/1.1
Origin: https://myapp.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type, Authorization

Server responds with:

HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://myapp.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
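
One way a server can decide what to put in that preflight response, as an added example that is not part of the original lesson. `handlePreflight` and the `ALLOWED_*` lists are hypothetical names, and answering a refused preflight with 403 is this example's choice. Because the response sets `Access-Control-Allow-Credentials: true`, the origin is matched exactly against an allow-list and echoed only on a match (browsers refuse `*` together with credentials).

```javascript
// Added example: allow-list based preflight decision (hypothetical names).
const ALLOWED_ORIGINS = new Set(['https://myapp.com']); // origin used in the lesson
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// A refused preflight carries no Access-Control-* headers, so the browser blocks the call.
const deny = () => ({ status: 403, headers: { Vary: 'Origin' } });

// reqHeaders: request headers with lower-cased names. Returns { status, headers }.
function handlePreflight(reqHeaders) {
  const origin = reqHeaders['origin'];
  // Exact match only: no prefix, suffix or regex tests on the Origin value.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return deny();

  const method = reqHeaders['access-control-request-method'];
  if (!method || !ALLOWED_METHODS.includes(method)) return deny();

  // Every header the browser asks to send must be on the list.
  const requested = (reqHeaders['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!requested.every((h) => ALLOWED_HEADERS.includes(h))) return deny();

  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin, // the matched origin, never '*'
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers': 'Content-Type, Authorization',
      'Access-Control-Allow-Credentials': 'true',
      'Access-Control-Max-Age': '86400',
      Vary: 'Origin', // shared caches must key the response on the Origin header
    },
  };
}
```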

---

Stateless Nature of HTTP

HTTP is stateless — each request is completely independent. The server does not remember anything from the previous request. This is why we need:

  • Cookies: Browser sends cookie automatically with every request to the same domain
  • JWT tokens: Client attaches the token manually in the Authorization header
  • Sessions: Server stores session data and client sends a session ID cookie

REST APIs leverage HTTP's stateless nature: each request must contain all information needed to process it.