HTTP Protocol: Architecture, Methods, and Implementation
The Hypertext Transfer Protocol serves as the foundation of data communication on the World Wide Web. Operating as a stateless request-response protocol at the application layer of the TCP/IP model, HTTP establishes connections through TCP and facilitates the retrieval of web page content through browser interactions.
HTTP Message Structure
An HTTP message consists of four primary components: the request line or status line, headers, a blank line, and the message body.
Request Message Format
```http
GET /index.html HTTP/1.1
Host: example.com:8080
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

```
Response Message Format
```http
HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Date: Sat, 15 Mar 2025 10:30:00 GMT
Content-Type: application/json;charset=utf-8
Content-Length: 245
Connection: keep-alive
Set-Cookie: session=abc123; Path=/; HttpOnly
Cache-Control: max-age=3600
ETag: "abc123def456"

{"status":"success","data":{"userId":1001,"username":"john_doe"}}
```
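The four-part layout described above is also what a security check has to parse before it can reason about a message. The following is an added example, not code from the original page: a small parser that splits a raw HTTP/1.x message at the blank line and reports framing and cookie problems. The function names and the sample message are constructed for illustration.

```python
def parse_http_message(raw: bytes) -> dict:
    """Split a raw HTTP/1.x message into start line, headers and body."""
    head, blank, body = raw.partition(b"\r\n\r\n")
    if not blank:
        raise ValueError("header section is not terminated by a blank line")
    start_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        # Reject folded lines and whitespace around the field name: parsers
        # disagree on them, and disagreement makes message framing ambiguous.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    return {"start_line": start_line, "headers": headers, "body": body}

def audit_message(msg: dict) -> list:
    """Return findings about body framing and cookie attributes."""
    findings, headers = [], msg["headers"]
    lengths = set(headers.get("content-length", []))
    if len(lengths) > 1:
        findings.append("conflicting Content-Length values")
    if lengths and headers.get("transfer-encoding"):
        findings.append("Content-Length together with Transfer-Encoding")
    for value in sorted(lengths):
        if not (value.isascii() and value.isdigit()):
            findings.append(f"non-numeric Content-Length: {value!r}")
        elif int(value) != len(msg["body"]):
            findings.append(f"Content-Length {value} but body is {len(msg['body'])} bytes")
    for cookie in headers.get("set-cookie", []):
        attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
        for required in ("secure", "httponly"):
            if required not in attrs:
                findings.append(f"cookie {cookie.split('=')[0]!r} lacks {required}")
    return findings

# Constructed sample: the declared length does not match the 15-byte body,
# and the session cookie is issued without the Secure attribute.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 245\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly\r\n"
    b"\r\n"
    b'{"status":"ok"}'
)
```

Calling `audit_message(parse_http_message(SAMPLE))` returns one finding for the length mismatch and one for the missing `Secure` attribute.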
HTTP Request Methods
Standard Methods
| Method | Description |
|---|---|
| GET | Retrieves data from the specified resource. Requests should only retrieve data and have no other effect. |
| POST | Submits data to be processed to a specified resource. May create new resources or modify existing ones. |
| PUT | Uploads a representation of the specified resource with updated content. |
| DELETE | Removes the specified resource from the server. |
| HEAD | Similar to GET but retrieves only headers without the response body. |
| OPTIONS | Returns the HTTP methods supported by the server for the specified URL. |
| PATCH | Applies partial modifications to a resource. |
| CONNECT | Establishes a tunnel to the server identified by the target resource. |
GET versus POST
GET Method Characteristics:
- Considered safe and idempotent for information retrieval
- Responses may be cached by browsers
- URL length limitations vary by browser and server implementation
- Sends headers and data in a single TCP packet
POST Method Characteristics:
- May modify server state, therefore not idempotent
- Request body has no inherent size limitations
- Transmits headers first, awaits 100 Continue response, then sends data
- Generates two TCP packets during transmission
HTTP Status Codes
| Category | Range | Meaning |
|---|---|---|
| 1xx | 100-199 | Informational responses |
| 2xx | 200-299 | Successful operations |
| 3xx | 300-399 | Redirection messages |
| 4xx | 400-499 | Client error responses |
| 5xx | 500-599 | Server error responses |
Common status codes include 200 (OK), 201 (Created), 301 (Moved Permanently), 304 (Not Modified), 400 (Bad Request), 401 (Unauthorized), 403 (Forbidden), 404 (Not Found), 500 (Internal Server Error), and 503 (Service Unavailable).
HTTP Protocol Versions
HTTP/1.0
The original version employs short-lived connections by default. Each request establishes a new TCP connection that terminates after the response completes. Persistent connections require explicit Connection: keep-alive headers.
HTTP/1.1
This version enables persistent connections by default, maintaining a single TCP connection for multiple requests. It introduced essential features including chunked transfer encoding, pipelining, and cookie management.
HTTP/2.0
HTTP/2 implements multiplexing through a single TCP connection, allowing simultaneous request and response streams without blocking. The protocol utilizes binary framing instead of text-based formatting, incorporating header compression via HPACK. Server push enables proactive resource delivery to clients.
HTTP/3.0
Built upon QUIC (Quick UDP Internet Connections), HTTP/3 operates over UDP while providing reliability comparable to TCP. Key advantages include elimination of head-of-line blocking through independent streams and connection migration using connection identifiers rather than IP address and port combinations.
HTTPS Implementation
HTTPS encrypts HTTP traffic using TLS (Transport Layer Security) to protect against eavesdropping and tampering. The protocol combines asymmetric encryption for key exchange, symmetric encryption for data encryption, and hash functions for integrity verification.
Handshake Process
- Client sends a ClientHello message with supported cipher suites and random bytes
- Server responds with ServerHello, certificate, and server key exchange
- Client verifies the certificate, generates a pre-master secret, and encrypts it with the server's public key
- Both parties derive the session key through cryptographic transformations
- Client sends Finished message encrypted with the session key
- Server validates and responds with its Finished message
- Secure communication begins using the established symmetric key
Spring Boot HTTPS Configuration
Generating a Keystore
```bash
keytool -genkey -alias springhttps -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore /path/to/keystore.p12 -validity 365
```
Parameters explained:
- genkey: Generate a new key pair
- alias: Identifier for the keystore entry
- keyalg: Asymmetric encryption algorithm (RSA)
- keysize: Key length in bits
- storetype: Keystore format (PKCS12, matching key-store-type in the application configuration)
- keystore: Output file path
- validity: Certificate validity period in days
Application Configuration
```yaml
server:
  port: 8443
  ssl:
    key-store: classpath:keystore.p12
    key-alias: springhttps
    # Sample value; keep the real password out of source control.
    key-store-password: changeit
    key-store-type: PKCS12
    enabled: true
```
HTTP to HTTPS Redirection
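```java
import org.apache.catalina.connector.Connector;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class SecurityConfig {
    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> redirectConfig() {
        return factory -> {
            // Additional plain-HTTP connector on 8080 alongside the HTTPS port.
            // redirectPort only takes effect for requests that match a security
            // constraint requiring CONFIDENTIAL transport; without one, this
            // connector serves the application over plain HTTP.
            Connector connector = new Connector(TomcatServletWebServerFactory.DEFAULT_PROTOCOL);
            connector.setScheme("http");
            connector.setPort(8080);
            connector.setSecure(false);
            connector.setRedirectPort(8443);
            factory.addAdditionalTomcatConnectors(connector);
        };
    }
}
```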
HTTP/2 Configuration in Spring Boot
Dependency Configuration
```xml
<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <exclusions>
            <exclusion>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-tomcat</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-undertow</artifactId>
    </dependency>
</dependencies>
```
HTTP/2 Enabled Configuration
```yaml
server:
  port: 8443
  http2:
    enabled: true
  ssl:
    enabled: true
    key-store: classpath:server.p12
    key-store-password: changeit
    key-store-type: PKCS12
    protocol: TLSv1.3
```
Note that HTTP/2 over TLS requires a valid SSL certificate. Tomcat 9.0 or later supports HTTP/2, while Undertow provides broader HTTP/2 compatibility.
HTTP Version Selection
```yaml
# HTTP/1.0
server.http-version: "1.0"
# HTTP/1.1 (default)
server.http-version: "1.1"
```
Additional HTTP Headers
Common request headers include Accept, Accept-Encoding, Accept-Language, Authorization, Cache-Control, Cookie, Host, If-Modified-Since, Referer, and User-Agent. Response headers commonly include Allow, Cache-Control, Content-Encoding, Content-Length, Content-Type, Date, ETag, Expires, Location, Server, and Set-Cookie.