HTTP - Hypertext Transfer Protocol

Some protocols move data.
HTTP moves meaning.
It is not about packets. It is about requests and responses, about asking for resources and receiving them.
HTTP is the protocol that makes the web work.


What this page covers

  • What HTTP is and what it does
  • How it fits into the TCP/IP stack
  • Where its data comes from
  • How it is structured and used
  • How it can be abused or defended
  • Tools I use to explore it

This page is my reference for understanding HTTP as an application protocol, a security surface, and a design pattern.


What HTTP Actually Is

HTTP is a stateless, text-based protocol used to exchange information between clients and servers.
It defines how browsers request web pages, how APIs deliver data, and how servers respond to those requests.

HTTP is used by:

  • Web browsers
  • REST APIs
  • Mobile apps
  • IoT devices
  • Command-line tools

It is the foundation of nearly all web communication.


How HTTP Lives in the TCP/IP Stack

  • OSI Layer: Application Layer (Layer 7)
  • Transport: Runs on top of TCP
  • Flow:
      • HTTP messages are sent over a TCP connection
      • TCP segments are wrapped in IP packets
      • IP packets are routed across the network

HTTP relies on TCP for reliable delivery.
TLS can be added between HTTP and TCP to create HTTPS.


Where HTTP Data Comes From

HTTP data is generated by:

  • User input in browsers or apps
  • Scripts and automation tools
  • System-generated headers and cookies
  • Server responses and content

HTTP carries both requests and responses.
It moves user intent and server output across the wire.


How HTTP Works

  • Request:
      • Method (GET, POST, PUT, DELETE)
      • URL or path
      • Headers (User-Agent, Cookie, etc.)
      • Optional body (for POST, PUT)

  • Response:
      • Status code (200 OK, 404 Not Found, etc.)
      • Headers (Content-Type, Set-Cookie, etc.)
      • Body (HTML, JSON, files)

HTTP is stateless.
Each request is independent unless sessions or cookies are used.


HTTP and Security

HTTP can be abused in many ways:

  • Injection attacks: SQLi, XSS, command injection
  • Header manipulation: Host header attacks, cache poisoning
  • Session hijacking: via cookies or tokens
  • Information leakage: verbose error messages, exposed headers

Defenses include:

  • Input validation and sanitization
  • Secure headers (Content-Security-Policy, X-Frame-Options)
  • TLS encryption (HTTPS)
  • Proper session management
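
The response structure and the header and cookie defenses above, as an added example (not code from this page's author): a Python check that parses one raw HTTP/1.x response and reports missing Content-Security-Policy / X-Frame-Options headers, software-revealing headers, and cookies set without the Secure or HttpOnly attributes. The sample response, the Server / X-Powered-By list and the function names are assumptions made for the illustration.

```python
# Added example: audit one raw HTTP response for the defenses listed above.
# SAMPLE_RESPONSE is constructed for illustration, not captured traffic.
REQUIRED_HEADERS = ("content-security-policy", "x-frame-options")
LEAKY_HEADERS = ("server", "x-powered-by")  # assumed "exposed headers" list
COOKIE_FLAGS = ("secure", "httponly")       # assumed session-cookie baseline

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: ExampleHTTPd/1.0\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    b"Set-Cookie: theme=dark; Path=/; Secure; HttpOnly\r\n"
    b"\r\n"
    b"<html>hello</html>"
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = int(lines[0].split(" ", 2)[1])
    headers = []  # list of pairs: header names may repeat (Set-Cookie)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_code, headers, body


def audit(raw: bytes):
    """Return a sorted list of findings for one response."""
    _, headers, _ = parse_response(raw)
    names = {n for n, _ in headers}
    findings = [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in names]
    findings += [f"leaks software info: {n}: {v}" for n, v in headers if n in LEAKY_HEADERS]
    for v in (v for n, v in headers if n == "set-cookie"):
        cookie_name = v.split("=", 1)[0]
        # Attribute names are case-insensitive; values (Path=/) are dropped.
        attrs = {a.strip().split("=", 1)[0].lower() for a in v.split(";")[1:]}
        for flag in COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```

Headers are kept as a list of pairs rather than a dict because Set-Cookie legitimately appears more than once in a response, and collapsing them would hide all but one cookie from the check.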

Tools I Use to Explore HTTP

curl

  • Send HTTP requests from the command line
  • Example: curl -X GET https://example.com

Burp Suite

  • Intercept and modify HTTP traffic
  • Useful for testing web applications

httpie

  • Human-friendly HTTP client
  • Example: http GET https://example.com

These tools help me understand how HTTP behaves, how it communicates, and how it can be tested or abused.


Final Thought

HTTP is a conversation.
It is the protocol of intent and response, of asking and receiving.
It is simple, flexible, and everywhere.

This page is my study of that conversation.
Not just how HTTP works, but how it can be shaped, secured, and understood.