Login
ChallengesLearn
Scoreboard
Teams
SPNZ

LearnWEB ProtocolsHTTP/1.1 Fundamentals
WEB Protocols·Lesson 1 of 8

HTTP/1.1 Fundamentals

Methods, headers, status codes, keep-alive, content negotiation, caching headers, chunked transfer encoding, and the request-response cycle. The protocol that defined the web.

Beginner14 min
HTTPProtocol
Loading lesson…
NextHTTP/2 & HTTP/3

© 2026 SPNZ.

Terms of ServicePrivacy PolicyCookie Policy

HTTP/1.1 is the protocol that still carries the vast majority of web traffic. Every API call, every page load, every image fetch begins as a plain-text request sent over a TCP connection. Understanding the wire format - methods, status codes, headers - is essential for debugging, security testing, and performance optimisation.

What you'll be able to do
  • List the common HTTP methods and their semantic purpose.
  • Interpret status code classes (1xx-5xx) from a raw response.
  • Explain how headers like Content-Type, Cache-Control, and Authorisation control the behaviour of a request.
  • Describe how persistent connections and keep-alive improve performance over HTTP/1.0.
Key terms
HTTP method
The verb in a request line (GET, POST, PUT, DELETE, PATCH, HEAD, OPTIONS) that tells the server what action to perform on the target resource.
Status code
A three-digit number in the response line that summarises the outcome of the request - 2xx for success, 3xx for redirect, 4xx for client error, 5xx for server error.
Header
A Name: Value pair in the request or response that carries metadata - content type, authorisation credentials, caching directives, and connection management.
Persistent connection
A TCP connection that is reused for multiple HTTP requests, avoiding the cost of repeated three-way handshakes. Controlled by the Connection: keep-alive header.
What is it?

The HTTP/1.1 protocol

HTTP/1.1, standardised in RFC 2616 (now RFC 7230-7235), is a text-based request-response protocol. Every interaction starts with the client opening a TCP connection to the server, sending a request line followed by headers and an optional body, and receiving a status line with headers and a body in return.

The request line has the simplest grammar in all of computing: METHOD path HTTP/1.1. The method tells the server the intent - GET retrieves a resource, POST submits data, PUT replaces a resource, DELETE removes one. PATCH applies a partial update, HEAD fetches only the headers, and OPTIONS discovers what methods are supported.

httprequest
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: curl/8.0
Accept: text/html,application/xhtml+xml
Accept-Language: en-GB,en;q=0.5
Connection: keep-alive

Status codes are grouped into five classes: 1xx (informational, the request is being processed), 2xx (success - 200 OK, 201 Created, 204 No Content), 3xx (redirect - 301 Moved Permanently, 302 Found, 304 Not Modified), 4xx (client error - 400 Bad Request, 401 Unauthorised, 403 Forbidden, 404 Not Found, 429 Too Many Requests), and 5xx (server error - 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable).

Headers are the nerve system of HTTP. Content-Type tells the client how to interpret the body. Content-Length tells it how many bytes to expect. Accept lets the client negotiate the response format - the server uses this for content negotiation. Authorisation carries credentials (often a Bearer token or Basic auth). Cookie carries session state. Cache-Control manages caching behaviour. User-Agent identifies the client software.

Chunked transfer encoding (Transfer-Encoding: chunked) allows the server to start sending a response before it knows the total size. Each chunk is prefixed with its length in hex; the transfer ends with a zero-length chunk. This is critical for streaming responses and dynamic content.

How an HTTP request reaches a response
Mini Map
Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.
Try it

Build and send HTTP requests

Use the simulator below to construct raw HTTP requests, choose methods and URLs, and inspect the full request-response cycle. Toggle keep-alive on and off to see how the Connection header changes.

devhttps://example.com
HTTP Client
Request
GET / HTTP/1.1
Host: example.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64)
Accept: text/html,application/xhtml+xml
Accept-Language: en-GB,en;q=0.5
Response
Send a request to see the response
How it works
  • The method tells the server what action to perform on the resource.
  • The Host header enables virtual hosting (multiple sites on one IP).
  • Keep-Alive reuses the TCP connection for multiple requests, avoiding the overhead of repeated three-way handshakes.
  • Each header is a Name: Value pair terminated by \r\n; an empty line separates headers from the body.
Real-world relevance

Why HTTP/1.1 still matters

HTTP/1.1 (RFC 7230-7235) is still the protocol that the majority of the web runs on. When you debug a failing API call, you are reading an HTTP/1.1 message. When you test for security vulnerabilities, you are crafting HTTP/1.1 payloads. The 99% of API calls that look like "just HTTP" are HTTP/1.1. Even HTTP/2 and HTTP/3 are optimisations on top of the same semantic model - methods, status codes, headers, and bodies all work the same way.

Understanding the wire format is essential for performance optimisation. Every extra round trip, every large header, every connection that could have been reused is a cost you can measure and fix. Tools like cURL, curl, and browser DevTools all expose the same underlying HTTP/1.1 conversation.

Mitigation

Security considerations in HTTP/1.1

Because HTTP/1.1 is a plain-text protocol, it is vulnerable to eavesdropping and tampering - which is why HTTPS (HTTP over TLS) is mandatory in production. Headers like Authorisation and Cookie carry sensitive data; they must never be sent over an unencrypted connection.

Request smuggling is an HTTP/1.1-specific attack that exploits discrepancies in how front-end and back-end servers parse Content-Length and Transfer-Encoding headers. An attacker can craft a request that one server interprets as a single request and another interprets as two, potentially poisoning the next user's response. Parameterised input handling and consistent header parsing are the primary defences.

Key takeaways

What to remember

  • HTTP/1.1 is a text-based request-response protocol with methods, status codes, and headers as its building blocks.
  • Status codes are grouped: 2xx success, 3xx redirect, 4xx client error, 5xx server error.
  • Persistent connections (keep-alive) reuse the TCP connection for multiple requests, avoiding the overhead of repeated handshakes.
  • Headers control caching, authorisation, content negotiation, and connection management - every important behaviour of the protocol.
Further reading
  • HTTP/1.1 - RFC 7230 (Message Syntax and Routing)(IETF)
  • HTTP/1.1 - RFC 7231 (Semantics and Content)(IETF)
  • MDN: HTTP documentation(MDN)

Knowledge check

0/3 answered · 0 correct

  1. 1.What does the status code 404 indicate?

  2. 2.What is the purpose of the Connection: keep-alive header?

  3. 3.Which header does a client use to tell the server what response format it prefers?