← Back

2026

HTTP and HTTPS: How the Web Talks

Every web request uses HTTP. HTTPS wraps it in TLS. Here is what the request and response cycle actually looks like, how TLS secures the connection and what the certificate chain is really doing.

Every time you load a webpage you are using HTTP. Every form submission, every API call your app makes, every image fetched from a CDN. It is everywhere. Most people who work in tech interact with it dozens of times a day without thinking about what is actually happening underneath the address bar.

The jump from HTTP to HTTPS is one of those things that gets summarised as “the padlock means it's secure” and left at that. That is true in the narrowest sense. But understanding what is actually being secured, how the trust gets established and what can still go wrong is the part that matters when you are building something rather than just browsing.

What HTTP actually is

HTTP stands for HyperText Transfer Protocol. It is an application layer protocol sitting at layer 7 of the OSI model. It runs on top of TCP, which handles reliable delivery, which in turn runs on top of IP, which handles routing. HTTP itself knows nothing about any of that. Its job is a simple exchange: a client sends a request and a server sends back a response.

The request and response are both plain text messages. A request says what the client wants: which method it is using, which URL it is targeting, what headers it is sending along. The response tells the client what happened: a status code that summarises the outcome, a set of headers describing the response and usually a body containing the actual content.

Request

GET /blog/networking-http-https HTTP/1.1

Host: arcanaops.com

Accept: text/html

User-Agent: Mozilla/5.0

Response

HTTP/1.1 200 OK

Content-Type: text/html; charset=utf-8

Content-Length: 4821

Cache-Control: max-age=3600

<!DOCTYPE html>...

That exchange happens over port 80 for HTTP. HTTPS uses port 443. Both ports are well-known assignments that clients use by default when no explicit port appears in the URL.

HTTP methods

The method tells the server what the client wants to do with the resource at the given URL. Browsers only use GET for navigation. Everything else, the form submissions, the API calls, the deletions, come from JavaScript running on the page.

GET

Fetch a resource. No body is sent with the request. Safe to repeat as many times as you like because it should not change anything on the server.

POST

Submit data to create a new resource. The body carries the payload. Sending the same POST twice may create two separate things depending on how the server handles it.

PUT

Replace a resource at a specific location entirely. If the resource does not exist, some servers will create it. The full updated representation goes in the body.

PATCH

Apply a partial update to a resource. Instead of sending the whole thing, you describe only what changed. Useful when the resource is large.

DELETE

Remove the resource at the specified URL. After a successful response, that resource should no longer exist.

HEAD

Same as GET but the server returns only headers with no body. Useful for checking if a resource exists without downloading it.

Status codes

Every HTTP response starts with a three-digit status code. The first digit tells you the category. The remaining two digits narrow it down to the specific outcome. Knowing the five groups is usually enough to orient yourself quickly when something goes wrong.

2xxSuccess
200 OK

The request worked. The response body contains what you asked for.

201 Created

A new resource was created. Usually returned after a successful POST.

204 No Content

The request succeeded but there is nothing to return. Common after a DELETE.

3xxRedirects
301 Moved Permanently

The resource lives at a new URL now. Clients should update bookmarks.

302 Found

Temporary redirect. The client should keep using the original URL for future requests.

304 Not Modified

The cached version the client has is still valid. No body is sent.

4xxClient errors
400 Bad Request

The server could not understand the request. Usually a malformed body.

401 Unauthorized

Authentication is required. The client needs to provide credentials.

403 Forbidden

The server understood the request but refused it. Authentication will not help here.

404 Not Found

No resource exists at this URL. The most recognised status code on the internet.

429 Too Many Requests

The client has exceeded a rate limit. The server is asking it to slow down.

5xxServer errors
500 Internal Server Error

Something went wrong on the server. Rarely gives you much detail.

502 Bad Gateway

A proxy received an invalid response from an upstream server.

503 Service Unavailable

The server is not ready. Overloaded or undergoing maintenance.

The problem with plain HTTP

HTTP traffic is plain text. Every request, every response, every cookie, every form field travels across the network in a format that anyone positioned between the client and server can read without any special tools.

On a public Wi-Fi network this is straightforward to exploit. The router handling your traffic sees everything. Anyone else on the same network running a packet capture can see it too. An ISP routing your traffic sees it in full. A malicious node anywhere along the path between you and the server has complete visibility into both what you are requesting and what the server is returning.

The payload being readable is one part of the problem. The other part is that plain HTTP gives you no way to verify you are actually talking to the server you think you are. An attacker in a position to intercept traffic can also modify it in transit, sending back a different response to your request without either side noticing. This is known as a man-in-the-middle attack.

Worth noting

Even if you are only serving public content with no login forms or personal data, plain HTTP still lets a middleman inject content into your pages. Ads, malware, redirects. Your users see content you never sent. HTTPS prevents that entirely.

What HTTPS adds

HTTPS is HTTP with TLS underneath it. TLS stands for Transport Layer Security. It sits between the application layer and the TCP layer, wrapping the HTTP exchange in an encrypted tunnel before anything leaves the machine.

TLS solves three separate problems at once. It encrypts the traffic so that eavesdroppers cannot read it. It authenticates the server through a certificate so the client knows it is talking to the right destination. It also checks the integrity of every message so that tampering in transit is detectable.

Confidentiality

Traffic is encrypted end to end. Someone intercepting packets sees ciphertext that is computationally infeasible to reverse.

Authentication

The server presents a certificate signed by a trusted Certificate Authority. The client verifies the signature before trusting the connection.

Integrity

Each TLS record includes a message authentication code. Any modification in transit changes the code. The receiving side detects it immediately.

The TLS handshake

Before any HTTP request can be sent over HTTPS, the client and server run a TLS handshake. This is a separate negotiation that happens after the TCP connection is established. Its purpose is to agree on encryption parameters and establish shared session keys that neither side ever transmits directly.

1

Client Hello

Browser → Server

The browser opens a TCP connection on port 443 then sends a Client Hello. It announces which TLS version it supports along with a list of cipher suites it can use. A random value called the client random is included in this message.

2

Server Hello

Server → Browser

The server picks a TLS version from the client's list. It also selects a cipher suite. It responds with its own random value called the server random along with its digital certificate.

3

Certificate verification

Browser checks

The browser inspects the certificate. It confirms the domain matches, checks the expiry date and verifies the certificate was signed by a Certificate Authority it trusts. If any check fails, the browser shows a warning.

4

Key exchange

Both sides

Both sides use the values exchanged so far to independently derive the same session keys. Modern TLS uses key exchange algorithms like ECDHE so that even if the server's private key were ever compromised, past sessions could not be decrypted.

5

Finished

Both sides

Both sides send a Finished message encrypted with the new session keys. If either side can decrypt the other's Finished message, the handshake succeeded. All HTTP traffic after this point is encrypted.

All of this happens before the first byte of HTTP data moves. In TLS 1.3, the current version, the whole handshake completes in a single round trip. Previous versions needed two. That extra round trip was one of the performance arguments against HTTPS in the early days. With TLS 1.3 that argument is gone.

Certificates and Certificate Authorities

A TLS certificate is a digital document. It contains the domain name it is valid for, a public key, an expiry date and a digital signature from a Certificate Authority. The signature is what makes the certificate trustworthy.

Certificate Authorities are organisations that have gone through a vetting process to have their own certificates included in the trust stores shipped with operating systems and browsers. When a server presents a certificate signed by one of these authorities, your browser can verify the signature using the CA's public key and confirm the certificate is genuine.

This creates a chain of trust. The CA vouches for the server. Your device trusts the CA. Therefore your device trusts the server. The browser checks that the domain in the certificate matches the domain in the URL. A certificate for one domain cannot be used to impersonate a different one.

What a certificate contains

SubjectThe domain the certificate was issued for. May include wildcards like *.example.com.
IssuerThe Certificate Authority that signed this certificate.
Valid from / toThe date range during which the certificate is valid. Browsers reject expired certificates.
Public keyThe server's public key. Used during the key exchange phase of the TLS handshake.
SignatureThe CA's cryptographic signature over the rest of the certificate data.

HTTP versions

HTTP has gone through several major versions. Each one kept the same request and response model while changing how that exchange travels across the network.

HTTP/1.1

1997

The version that carried the web through its most formative years. Persistent connections let browsers reuse a TCP connection for multiple requests instead of opening a new one every time. Still limited by head-of-line blocking: a slow response held up everything behind it in the same connection.

HTTP/2

2015

Introduced multiplexing. Multiple requests could travel over a single TCP connection simultaneously without blocking each other. Headers were compressed. Servers could push resources the client had not asked for yet. A significant performance improvement for sites loading many assets in parallel.

HTTP/3

2022

Dropped TCP entirely and switched to QUIC, a transport protocol built on UDP. QUIC bakes in encryption at the transport layer. It eliminates the head-of-line blocking that TCP itself caused in HTTP/2. Connection setup is faster because the TLS handshake happens in the same round trip as the transport setup.

From a developer perspective the differences are mostly invisible. You write the same HTTP request regardless of version. The browser negotiates which version to use during connection setup. Most modern servers support HTTP/2 at minimum. HTTP/3 adoption is growing but still not universal.

Why this matters in practice

Most of the time HTTP is invisible. You make a fetch call, you get a response, your application renders the data. That invisibility is a sign the protocol is doing its job. It only becomes visible when something breaks.

A 401 coming back from an API means something is wrong with how credentials are being sent. A 502 means a proxy upstream of your server is having trouble reaching it. A certificate error means either the cert is expired, the domain is wrong, the issuing CA is not trusted by the client. Each failure mode points somewhere specific. Knowing the vocabulary gets you to the cause faster.

HTTPS in particular is no longer optional in any meaningful sense. Browsers mark plain HTTP connections as not secure. Search engines favour HTTPS. Service workers, geolocation, camera access: all require a secure context. Let's Encrypt has made free certificates available to everyone. The barrier to serving over HTTPS is close to zero. The barrier to running without it is getting higher every year.

Understanding what is happening inside that padlock icon is the difference between treating HTTPS as a checkbox and actually being confident in the security properties of your connections. The trust chain, the handshake, the certificate fields: none of it is complicated once you see how the pieces fit together.