Web Protocols: HTTP, HTTPS, and DoH

The web runs on a stack of protocols that enable browsers, servers, and applications to communicate. Understanding how HTTP, HTTPS, HTTP/2, HTTP/3, WebSocket, and DoH work is essential for diagnosing connectivity issues, optimizing performance, and securing communications.

1. HTTP Request and Response

HTTP (Hypertext Transfer Protocol) is a stateless, request-response protocol. A client sends a request, and the server returns a response. Each exchange is independent, though mechanisms like cookies and sessions provide statefulness at the application layer.

HTTP Request:

GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: text/html
Accept-Language: en-US
Connection: keep-alive

HTTP Response:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 1256
Date: Mon, 30 Jun 2025 12:00:00 GMT
Server: nginx/1.24.0

<!DOCTYPE html>
<html>...</html>

Every HTTP message consists of a start line, headers, an empty line, and an optional body. Requests include the method, path, and HTTP version. Responses include the status code and reason phrase.

2. HTTP Methods

MethodPurposeIdempotentHas BodySafe
GETRetrieve a resourceYesNoYes
POSTSubmit data / create resourceNoYesNo
PUTReplace a resource entirelyYesYesNo
PATCHPartially update a resourceNoYesNo
DELETERemove a resourceYesOptionalNo
HEADSame as GET but no body returnedYesNoYes
OPTIONSDescribe communication optionsYesNoYes
TRACELoop-back testYesNoYes

Idempotent means multiple identical requests produce the same result. Safe means the request does not modify server state. Understanding these properties is important for designing reliable APIs and handling retries correctly.

3. HTTP Status Codes

CodeCategoryMeaningCommon Use
200SuccessOKStandard success response
201SuccessCreatedResource created (POST)
204SuccessNo ContentSuccess with no body
301RedirectMoved PermanentlyPermanent URL change
302RedirectFoundTemporary redirect
304RedirectNot ModifiedCache validation
400Client ErrorBad RequestInvalid syntax
401Client ErrorUnauthorizedAuthentication required
403Client ErrorForbiddenAccess denied
404Client ErrorNot FoundResource does not exist
429Client ErrorToo Many RequestsRate limiting
500Server ErrorInternal Server ErrorGeneric server failure
502Server ErrorBad GatewayInvalid upstream response
503Server ErrorService UnavailableServer overloaded or down
504Server ErrorGateway TimeoutUpstream server timeout

4. Common HTTP Headers

Request headers:

HeaderPurposeExample
HostTarget hostname (required in HTTP/1.1)Host: www.example.com
User-AgentClient software identifierUser-Agent: Mozilla/5.0 ...
AcceptPreferred response content typesAccept: text/html, application/json
AuthorizationAuthentication credentialsAuthorization: Bearer eyJhb...
CookieStored cookiesCookie: session=abc123
If-None-MatchCache validation (ETag)If-None-Match: "etag123"

Response headers:

HeaderPurposeExample
Content-TypeResponse body typeContent-Type: text/html; charset=UTF-8
Cache-ControlCaching directivesCache-Control: max-age=3600
Set-CookieStore a cookieSet-Cookie: id=abc; HttpOnly; Secure
Strict-Transport-SecurityForce HTTPSStrict-Transport-Security: max-age=31536000
Access-Control-Allow-OriginCORS policyAccess-Control-Allow-Origin: https://app.com
ETagResource version identifierETag: "etag123"

5. HTTPS and the TLS Handshake

HTTPS is HTTP over TLS (Transport Layer Security). It encrypts the communication between client and server, providing confidentiality, integrity, and authentication.

TLS 1.3 handshake (1-RTT):

Client                                Server
  |--- ClientHello + KeyShare --------->|
  |    (supported ciphers, ECDHE key)   |
  |<-- ServerHello + KeyShare ----------|
  |    + EncryptedExtensions            |
  |    + Certificate                    |
  |    + CertificateVerify              |
  |    + Finished                       |
  |--- Finished ----------------------->|
  |<========= Application Data ========|

What happens during the handshake:

  1. ClientHello: Client sends supported cipher suites, TLS version, and a random number.
  2. ServerHello: Server selects cipher suite, sends its certificate and ECDHE key share.
  3. Certificate verification: Client validates the server's certificate chain against trusted CAs.
  4. Key derivation: Both parties derive the same session keys from the ECDHE shared secret.
  5. Finished: Both parties confirm the handshake completed successfully.

All data after the handshake is encrypted with symmetric keys derived during key exchange. TLS 1.3 achieves this in a single round trip (1-RTT), compared to 2-RTT in TLS 1.2.

6. HTTP/2

HTTP/2 (RFC 7540, 2015) is a major revision that improves performance while maintaining backward compatibility with HTTP/1.1 semantics.

Key features:

  • Multiplexing: Multiple requests and responses over a single TCP connection simultaneously, eliminating head-of-line blocking at the HTTP layer.
  • Binary framing: Messages are split into binary frames, which are more efficient to parse than text.
  • Header compression (HPACK): Reduces overhead by compressing repeated headers.
  • Server push: Server can proactively send resources the client will need (e.g., CSS, JS for an HTML page).
  • Stream prioritization: Clients can indicate which resources are more important.

Limitation: HTTP/2 still runs over TCP, so packet loss at the TCP level blocks all streams (TCP head-of-line blocking). HTTP/3 addresses this.

7. HTTP/3 and QUIC

HTTP/3 (RFC 9114, 2022) replaces TCP with QUIC (RFC 9000), a UDP-based transport protocol designed by Google.

Key advantages:

  • No TCP head-of-line blocking: Each stream is independent; packet loss on one stream does not affect others.
  • Built-in encryption: TLS 1.3 is integrated into QUIC, not layered on top.
  • 0-RTT connection establishment: Returning clients can send data immediately.
  • Connection migration: Connections survive IP address changes (e.g., switching from Wi-Fi to cellular).
  • Improved congestion control: More responsive to network conditions.

Adoption: HTTP/3 is supported by Chrome, Firefox, Safari, Edge, Cloudflare, Google, Facebook, and most major CDNs. Over 30% of web traffic uses HTTP/3 as of 2025.

8. WebSocket and DoH

WebSocket (RFC 6455) provides full-duplex, persistent communication over a single TCP connection. Unlike HTTP's request-response model, either side can send messages at any time.

WebSocket handshake:

GET /chat HTTP/1.1
Host: server.example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13

HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=

After the handshake, the connection switches from HTTP to the WebSocket protocol. Messages are framed with minimal overhead (2–14 bytes of framing per message).

Use cases: Real-time chat, live dashboards, multiplayer games, collaborative editing, stock tickers, IoT device communication.

DNS over HTTPS (DoH): DoH (RFC 8484) sends DNS queries as HTTPS requests, encrypting them to prevent surveillance and tampering. It uses standard HTTP/2 or HTTP/3 connections to DNS resolvers like https://cloudflare-dns.com/dns-query. Browsers like Firefox and Chrome support DoH natively, and operating systems are increasingly adding support.