HTTP is an application-layer protocol for transmitting hypermedia documents, such as HTML.
It was designed for communication between web browsers and web servers, but it can also be used for other purposes, such as machine-to-machine communication, programmatic access to APIs, and more.
HTTP follows a classical client-server model, with a client opening a connection to make a request, then waiting until it receives a response from the server.
HTTP is a stateless protocol, meaning that the server does not keep any session data between two requests, although the later addition of cookies adds state to some client-server interactions.
The HTTP reference documentation contains detailed information about headers, request methods, status responses, and lists relevant specifications and standards documents.
Request methods indicate the purpose of the request and what is expected if the request is successful.
The most common methods are GET and POST for retrieving and sending data to servers, respectively, but there are other methods which serve different purposes.
Response status codes indicate the outcome of a specific HTTP request.
Responses are grouped in five classes: informational, successful, redirections, client errors, and server errors.
The Content-Security-Policy (CSP) response header allows website administrators to specify which resources the user agent is allowed to load for a given page.
This section lists directives that can be used in a CSP header, with individual documentation pages that describe how the directives work and how to use them.
The Permissions-Policy response header provides a mechanism to allow or deny the use of browser features in a document or within any <iframe> element in the document.
This section lists directives that can be used in a Permissions-Policy header, with individual documentation pages that describe how the directives work and how to use them.
HTTP is an extensible protocol that relies on concepts like resources and Uniform Resource Identifiers (URIs), a basic message structure, and client-server communication model.
On top of these concepts, numerous extensions have been developed over the years that add functionality and updated semantics, including additional HTTP methods and headers.
The HTTP guides are listed in order from general overviews to specialized, use-case-driven topics.
Beginners are encouraged to start with the foundational guides before exploring more focused articles.
HTTP was created in the early 1990s and has been extended several times.
This article goes through its history and describes HTTP/0.9, HTTP/1.0, HTTP/1.1, through HTTP/2 and HTTP/3, as well as novelties introduced over the years.
HTTP messages transmitted as requests and responses have a defined structure.
This article describes this general structure, its purpose, and the different types of messages.
Since HTTP/1.0, different types of content can be transmitted.
This article explains how this is accomplished using the Content-Type header and the MIME standard.
A shortlist of common types used by web developers can be found in Common MIME types.
Browsers and servers compress their messages before sending them over the network to reduce the amount of data that needs to be transmitted, improving transfer speed and bandwidth utilization.
Caching is a highly important mechanism for delivering fast experiences on the Web and for efficient use of resources.
This article describes different methods of caching and how to use HTTP headers to control them.
Authentication is a way to verify the identity of a client when making requests to a server.
It ensures that only authorized users or systems can access certain resources.
Although HTTP is a stateless protocol, a server can send a Set-Cookie header with the response.
The client then returns the cookie's value with every subsequent request to the server in the form of a Cookie request header.
This adds the ability to store and exchange a small amount of data which effectively adds state to some client-server interactions.
URL redirection, also known as URL forwarding, is a technique to give more than one URL address to a page, a form, a whole website, or a web application.
HTTP has a special kind of response, called an HTTP redirect, for this operation.
In conditional requests, the outcome of a request depends on the value of a validator in the request.
This method is used heavily in caching and use cases such as resuming a download, preventing lost updates when modifying a document on the server, and more.
A range request asks the server to send a specific part (or parts) of a resource back to a client instead of the full resource.
Range requests are useful for cases when a client knows they need only part of a large file, or for cases where an application allows the user to pause and resume a download.
HTTP defines a set of message headers, starting with Accept as a way for a browser to announce the format, language, or encoding it prefers.
This article explains how this advertisement happens, how the server is expected to react, and how it chooses the most adequate response to a request.
HTTP/1.1 was the first version of HTTP to support persistent connections and pipelining.
This article explains both concepts, including the pros and cons of each.
HTTP/1.1 provides a mechanism to upgrade an already-established connection to a different protocol using the Upgrade header.
A client can upgrade a connection from HTTP/1.1 to HTTP/2, or an HTTP(S) connection to a WebSocket (ws / wss).
A proxy can be on the user's local computer, or anywhere between the user's computer and a destination server on the Internet.
This page outlines some basics about proxies and introduces a few configuration options.
Client Hints are a set of response headers that a server can use to proactively request information from a client about the device, network, user, and user-agent-specific preferences.
The server can then determine which resources to send, based on the information that the client chooses to provide.
Network Error Logging is a mechanism that can be configured via the NEL HTTP response header.
This experimental header allows websites and applications to opt-in to receive reports about failed (or even successful) network fetches from supporting browsers.
It's very rarely a good idea to use user agent sniffing to detect a browser, but there are edge cases that require it.
This document will guide you in doing this as correctly as possible when this is necessary, with an emphasis on considerations to make before embarking on this route.
Permissions Policy provides mechanisms for web developers to explicitly declare what functionality can and cannot be used on a website.
You define a set of "policies" that restrict what APIs the site's code can access or modify the browser's default behavior for certain features.
Cross-site HTTP requests are requests for resources from a different domain than that of the resource making the request.
Web pages today very commonly load cross-site resources, for example, a page 'Domain A' (http://domaina.example/) requests an image on 'Domain B' (http://domainb.foo/image.jpg) via the img element.
CORS allows web developers to control how their site reacts to cross-site requests.
CSP allows website administrators to use the Content-Security-Policy response header to control which resources the client is allowed to load for a given page.
The CSP guide describes the overall Content Security Policy mechanism which helps detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.
CORP lets websites and applications opt in to protection against specific requests from other origins (such as those issued with elements like <script> and <img>), to mitigate speculative side-channel attacks.
This guide covers a few server configuration changes that may be necessary for your web server to correctly serve Ogg media files.
This information may also be useful if you encounter other media types your server isn't already configured to recognize.