# HTTP and HTTPS

## Overview
HTTP (HyperText Transfer Protocol) is an application layer protocol for exchanging data between clients and servers on the web. HTTPS is a protocol that enhances security by adding TLS/SSL encryption to HTTP.
Difficulty: ★★★

Learning Objectives:

- Understand HTTP request/response structure
- Master HTTP methods and status codes
- Identify differences between HTTP versions
- Understand HTTPS and TLS/SSL operation principles

## Table of Contents
- HTTP Basics
- HTTP Methods
- HTTP Status Codes
- HTTP Headers
- HTTP Version Comparison
- HTTPS and TLS/SSL
- Certificates
- Practice Problems
- Next Steps
- References
## 1. HTTP Basics

### HTTP Communication Structure

```text
┌────────────────┐                                  ┌────────────────┐
│     Client     │                                  │     Server     │
│   (Browser)    │                                  │  (Web Server)  │
├────────────────┤                                  ├────────────────┤
│                │ ──── HTTP Request ─────────────▶ │                │
│  GET /index    │ (Method, URL, Headers, Body)     │  Nginx         │
│                │                                  │  Apache        │
│                │ ◀─── HTTP Response ───────────── │                │
│  HTML Page     │ (Status Code, Headers, Body)     │                │
└───────┬────────┘                                  └────────┬───────┘
        │                                                    │
        └─────────── TCP Connection (Default Port 80) ───────┘
```
### HTTP Characteristics
| Characteristic | Description |
|---|---|
| Connectionless | Connection closes after request-response (HTTP/1.0) |
| Stateless | Each request is independent, no previous state stored |
| Text-based | Human-readable format |
| Request-Response | Client requests, server responds |
### HTTP Request Structure

```text
Request Line      →  GET /api/users HTTP/1.1
                     ─┬─ ────┬───── ───┬────
                   Method   URI     Version
Headers           →  Host: api.example.com
                     User-Agent: Mozilla/5.0
                     Accept: application/json
                     Content-Type: application/json
                     Authorization: Bearer eyJhbGciOiJ...
Blank Line (CRLF) →  (empty line that ends the header block)
Body (Optional)   →  {"name": "John", "email": "john@example.com"}
```
### HTTP Response Structure

```text
Status Line       →  HTTP/1.1 200 OK
                     ───┬──── ─┬─ ┬─
                     Version  Status Reason
Headers           →  Content-Type: application/json
                     Content-Length: 128
                     Date: Mon, 27 Jan 2026 10:30:00 GMT
                     Server: nginx/1.24.0
                     Cache-Control: no-cache
Blank Line (CRLF) →  (empty line that ends the header block)
Body              →  {"id": 1, "name": "John", "status": "active"}
```
### Checking HTTP Requests with curl

```bash
# Basic GET request
curl http://example.com

# Output with headers
curl -i http://example.com

# Verbose request/response details
curl -v http://example.com

# Headers only
curl -I http://example.com

# JSON POST request
curl -X POST http://api.example.com/users \
  -H "Content-Type: application/json" \
  -d '{"name": "John"}'
```
## 2. HTTP Methods

### Main HTTP Methods

| Method | Description |
|---|---|
| GET | Retrieve resource (read) |
| POST | Create resource (write) |
| PUT | Replace entire resource |
| PATCH | Partially modify resource |
| DELETE | Delete resource |
| HEAD | Retrieve headers only (no body) |
| OPTIONS | Check supported methods |
| TRACE | Loopback test (debugging) |
| CONNECT | Establish proxy tunnel |
### Method Properties

| Method | Safe | Idempotent | Cacheable |
|---|---|---|---|
| GET | O | O | O |
| HEAD | O | O | O |
| OPTIONS | O | O | X |
| POST | X | X | Conditional |
| PUT | X | O | X |
| DELETE | X | O | X |
| PATCH | X | X | X |

- Safe: does not change server state
- Idempotent: repeating the request produces the same result
- Cacheable: the response can be cached
### GET vs POST Comparison

| Characteristic | GET | POST |
|---|---|---|
| Purpose | Data retrieval | Data transmission/creation |
| Data Location | URL query string | Request body |
| Data Size | URL length limit (~2KB) | No protocol limit (servers enforce their own, see 413) |
| Caching | Possible | Not by default |
| Security | Exposed in URL (browser history, proxy logs, Referer) | Relatively safe (body is not logged, but still plaintext without HTTPS) |
| Bookmarkable | Yes | No |
### Method Usage in RESTful APIs

| Operation | Method | Endpoint | Description |
|---|---|---|---|
| List all | GET | /api/users | Retrieve all users |
| Get one | GET | /api/users/1 | Retrieve user ID=1 |
| Create | POST | /api/users | Create new user |
| Full update | PUT | /api/users/1 | Full user update |
| Partial | PATCH | /api/users/1 | Partial update |
| Delete | DELETE | /api/users/1 | Delete user |
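The safety and idempotency properties in the two tables above are easiest to see by running the same request twice against a resource. As an added example, not code from the original page, the in-memory `/api/users` resource below (an assumed toy implementation) applies each method with the semantics from the tables: GET/HEAD never change state, POST creates one more user per call, PUT leaves the state identical when repeated, and DELETE leaves the resource gone either way.

```python
class UserStore:
    """Toy in-memory /api/users resource; method semantics follow the tables above."""

    def __init__(self):
        self.users = {}
        self.next_id = 1

    def handle(self, method: str, path: str, body=None) -> tuple:
        """Return (status code, response body) for one request."""
        parts = path.strip("/").split("/")
        if parts[:2] != ["api", "users"] or len(parts) > 3:
            return 404, None
        if len(parts) == 3 and not parts[2].isdigit():
            return 404, None
        user_id = int(parts[2]) if len(parts) == 3 else None

        if method in ("GET", "HEAD"):               # safe: never changes server state
            if user_id is None:
                data = list(self.users.values())
            elif user_id in self.users:
                data = self.users[user_id]
            else:
                return 404, None
            return 200, (None if method == "HEAD" else data)   # HEAD: headers only

        if method == "POST":                         # not idempotent: every call creates another user
            if user_id is not None:
                return 405, None
            new_id, self.next_id = self.next_id, self.next_id + 1
            self.users[new_id] = {"id": new_id, **body}
            return 201, self.users[new_id]

        if user_id is None:                          # PUT/PATCH/DELETE address one user
            return 405, None

        if method == "PUT":                          # idempotent: replaces the whole representation
            created = user_id not in self.users
            self.users[user_id] = {"id": user_id, **body}
            return (201 if created else 200), self.users[user_id]

        if method == "PATCH":                        # partial update; not idempotent in general
            if user_id not in self.users:
                return 404, None
            self.users[user_id].update(body)
            return 200, self.users[user_id]

        if method == "DELETE":                       # idempotent: resource is gone after either call
            removed = self.users.pop(user_id, None) is not None
            return (204, None) if removed else (404, None)

        return 405, None                             # TRACE, CONNECT, ... not supported here


if __name__ == "__main__":
    store = UserStore()
    print(store.handle("POST", "/api/users", {"name": "John Doe"}))
    print(store.handle("POST", "/api/users", {"name": "John Doe"}))   # a second, distinct user
    print(store.handle("PUT", "/api/users/1", {"name": "John Doe", "status": "active"}))
    print(store.handle("PUT", "/api/users/1", {"name": "John Doe", "status": "active"}))  # same state
```

Note that idempotency is about the resulting server state, not the status code: the second DELETE returns 404 rather than 204, yet the state is the same as after the first.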
### Method Examples

```bash
# GET - Retrieve resource
curl -X GET "http://api.example.com/users?page=1&limit=10"

# POST - Create resource
curl -X POST http://api.example.com/users \
  -H "Content-Type: application/json" \
  -d '{
    "name": "John Doe",
    "email": "john@example.com"
  }'

# PUT - Full update
curl -X PUT http://api.example.com/users/1 \
  -H "Content-Type: application/json" \
  -d '{
    "name": "John Doe",
    "email": "john.new@example.com",
    "status": "active"
  }'

# PATCH - Partial update
curl -X PATCH http://api.example.com/users/1 \
  -H "Content-Type: application/json" \
  -d '{"status": "inactive"}'

# DELETE - Delete
curl -X DELETE http://api.example.com/users/1

# HEAD - Headers only
curl -I http://api.example.com/users/1

# OPTIONS - Check supported methods
curl -X OPTIONS http://api.example.com/users
```
## 3. HTTP Status Codes

### Status Code Categories

| Category | Range | Meaning |
|---|---|---|
| 1xx | 100-199 | Informational - Processing |
| 2xx | 200-299 | Success - Request succeeded |
| 3xx | 300-399 | Redirection - Further action needed |
| 4xx | 400-499 | Client Error |
| 5xx | 500-599 | Server Error |
### 1xx - Informational Responses
| Code | Name | Description |
|---|---|---|
| 100 | Continue | Request can continue |
| 101 | Switching Protocols | Protocol switch (WebSocket, etc.) |
| 102 | Processing | Processing (WebDAV) |
### 2xx - Success Responses
| Code | Name | Description | Use Case |
|---|---|---|---|
| 200 | OK | Request successful | GET success |
| 201 | Created | Resource created | POST success |
| 202 | Accepted | Request accepted (async processing) | Async task |
| 204 | No Content | Success, no response body | DELETE success |
| 206 | Partial Content | Partial content | Range request |
### 3xx - Redirection
| Code | Name | Description | Cached |
|---|---|---|---|
| 301 | Moved Permanently | Permanent move | Cached |
| 302 | Found | Temporary move | Not cached |
| 303 | See Other | Different location (change to GET) | Not cached |
| 304 | Not Modified | No change (use cache) | - |
| 307 | Temporary Redirect | Temporary move (keep method) | Not cached |
| 308 | Permanent Redirect | Permanent move (keep method) | Cached |
### 4xx - Client Errors
| Code | Name | Description |
|---|---|---|
| 400 | Bad Request | Malformed request (syntax error) |
| 401 | Unauthorized | Authentication required |
| 403 | Forbidden | Access denied (no permission) |
| 404 | Not Found | Resource not found |
| 405 | Method Not Allowed | Method not allowed |
| 408 | Request Timeout | Request timeout |
| 409 | Conflict | Conflict (concurrent modification) |
| 413 | Payload Too Large | Request body too large |
| 414 | URI Too Long | URI too long |
| 415 | Unsupported Media Type | Unsupported media type |
| 422 | Unprocessable Entity | Unprocessable entity |
| 429 | Too Many Requests | Rate limit exceeded |
### 5xx - Server Errors
| Code | Name | Description |
|---|---|---|
| 500 | Internal Server Error | Server internal error |
| 501 | Not Implemented | Not implemented |
| 502 | Bad Gateway | Gateway error |
| 503 | Service Unavailable | Service unavailable |
| 504 | Gateway Timeout | Gateway timeout |
### Status Code Flow

```text
                  ┌──────────────┐
                  │ HTTP Request │
                  └──────┬───────┘
                         │
                  ┌──────▼───────┐
                  │  Validation  │
                  └──────┬───────┘
                         │
      ┌──────────────────┼──────────────────┐
      │                  │                  │
┌─────▼────────┐  ┌──────▼───────┐  ┌───────▼──────┐
│ Syntax Error │  │  Auth Check  │  │  Permission  │
└─────┬────────┘  └──────┬───────┘  └───────┬──────┘
      │                  │                  │
┌─────▼────────┐  ┌──────▼───────┐  ┌───────▼──────┐
│     400      │  │     401      │  │     403      │
│ Bad Request  │  │ Unauthorized │  │  Forbidden   │
└──────────────┘  └──────────────┘  └──────────────┘

                  ┌───────────────┐
                  │ Find Resource │
                  └───────┬───────┘
                          │
      ┌───────────────────┼───────────────────┐
      │                   │                   │
┌─────▼────────┐  ┌───────▼───────┐  ┌────────▼─────┐
│  Not Found   │  │    Success    │  │ Server Error │
└─────┬────────┘  └───────┬───────┘  └────────┬─────┘
      │                   │                   │
┌─────▼────────┐  ┌───────▼───────┐  ┌────────▼─────┐
│     404      │  │      200      │  │     500      │
│  Not Found   │  │      OK       │  │   Internal   │
└──────────────┘  └───────────────┘  └──────────────┘
```
## 4. HTTP Headers

### Header Categories

| Category | Description |
|---|---|
| General Headers | Used in both requests and responses |
| Request Headers | Client information (Host, User-Agent, etc.) |
| Response Headers | Server information (Server, Set-Cookie, etc.) |
| Entity Headers | Body information (Content-Type, Content-Length, etc.) |
### Main Request Headers
| Header | Description | Example |
|---|---|---|
| Host | Request host | Host: api.example.com |
| User-Agent | Client information | User-Agent: Mozilla/5.0 |
| Accept | Desired response type | Accept: application/json |
| Accept-Language | Preferred language | Accept-Language: en-US,en;q=0.9 |
| Accept-Encoding | Supported encoding | Accept-Encoding: gzip, deflate |
| Authorization | Authentication info | Authorization: Bearer token123 |
| Cookie | Send cookies | Cookie: session_id=abc123 |
| Content-Type | Request body type | Content-Type: application/json |
| Content-Length | Request body size | Content-Length: 256 |
| Referer | Previous page URL | Referer: https://google.com |
| Origin | Request origin | Origin: https://example.com |
### Main Response Headers
| Header | Description | Example |
|---|---|---|
| Content-Type | Response body type | Content-Type: text/html; charset=utf-8 |
| Content-Length | Response body size | Content-Length: 1024 |
| Content-Encoding | Compression method | Content-Encoding: gzip |
| Cache-Control | Cache control | Cache-Control: max-age=3600 |
| Expires | Expiration time | Expires: Wed, 27 Jan 2027 10:00:00 GMT |
| ETag | Resource version identifier | ETag: "abc123" |
| Last-Modified | Last modified time | Last-Modified: Mon, 01 Jan 2026 00:00:00 GMT |
| Set-Cookie | Set cookie | Set-Cookie: id=abc; HttpOnly; Secure |
| Location | Redirect location | Location: https://example.com/new |
| Server | Server information | Server: nginx/1.24.0 |
### Security-Related Headers

| Header | Description |
|---|---|
| Strict-Transport-Security (HSTS) | Force HTTPS for future visits to the host |
| X-Content-Type-Options | Prevent MIME sniffing (`nosniff`) |
| X-Frame-Options | Prevent clickjacking (`DENY` or `SAMEORIGIN`) |
| X-XSS-Protection | Enable the legacy browser XSS filter (deprecated; modern browsers ignore it, use CSP instead) |
| Content-Security-Policy (CSP) | Content security policy (script sources, `frame-ancestors`, etc.) |
| Access-Control-Allow-Origin | CORS allowed origins |
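A defender usually wants these headers checked rather than just listed. As an added example that is not part of the original page, the function below audits a parsed set of response headers against the table above and reports what is missing or weak: no HSTS or a short `max-age`, no `nosniff`, no framing protection from either `X-Frame-Options` or CSP `frame-ancestors`, a CSP whose effective `script-src` allows `'unsafe-inline'`, and a wildcard CORS origin combined with credentials. The threshold values and the two sample header sets are assumptions of this example, not values from the page.

```python
def _csp_directives(csp: str) -> dict:
    """Parse a Content-Security-Policy value into {directive: [source tokens]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def _hsts_max_age(value: str):
    """Return the numeric max-age of a Strict-Transport-Security value, or None."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


def audit_security_headers(headers: dict) -> list:
    """Return human-readable findings for missing or weak security headers.

    `headers` maps header names (any case) to values; the one-year HSTS threshold
    is a common recommendation assumed here, not a value from the page.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security: HTTPS is not enforced")
    elif (_hsts_max_age(hsts) or 0) < 31536000:
        findings.append("Strict-Transport-Security max-age is below one year")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff, MIME sniffing is possible")

    csp = _csp_directives(h["content-security-policy"]) if "content-security-policy" in h else None
    framing_ok = (csp is not None and "frame-ancestors" in csp) or \
                 h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN")
    if not framing_ok:
        findings.append("no clickjacking protection: set CSP frame-ancestors or X-Frame-Options")

    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src when absent, so check the effective list.
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP script-src allows 'unsafe-inline', which weakens XSS protection")

    if h.get("access-control-allow-origin") == "*" and \
       h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("CORS: wildcard Access-Control-Allow-Origin with credentials (browsers reject it)")

    return findings


# Constructed samples: an unhardened response and the same response after hardening.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx/1.24.0",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for finding in audit_security_headers(WEAK_HEADERS):
        print("-", finding)
    print("hardened:", audit_security_headers(HARDENED_HEADERS) or "no findings")
```

Feeding it the header dict from a parsed `curl -I` response (or from the response parser earlier on this page) turns the table into a repeatable check.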
### Caching-Related Headers

```text
HTTP Caching Flow

[Client]                                        [Server]
   │                                                │
   │──── GET /image.png ─────────────────────────▶  │
   │                                                │
   │◀─── 200 OK ─────────────────────────────────── │
   │     Cache-Control: max-age=3600                │
   │     ETag: "abc123"                             │
   │     Last-Modified: Mon, 01 Jan...              │
   │                                                │
[Cache Stored]                                      │
   │                                                │
   │──── GET /image.png ─────────────────────────▶  │
   │     If-None-Match: "abc123"                    │
   │                                                │
   │◀─── 304 Not Modified ───────────────────────── │
   │     (No body, use cache)                       │
```
### Cache-Control Directives

| Directive | Description |
|---|---|
| no-store | Prohibit cache storage |
| no-cache | Validation required before cache use |
| max-age=N | Valid for N seconds |
| s-maxage=N | Valid for N seconds in shared cache |
| private | Private cache only |
| public | Shared cache allowed |
| must-revalidate | Must revalidate after expiration |
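The caching flow and the directive table above describe two pieces of logic: the server deciding between 200 and 304, and a cache deciding whether a stored copy is still fresh. As an added example (not code from the original page), the functions below implement both: a strong ETag derived from the content, a GET handler that answers `If-None-Match` with 304 and no body, and a `Cache-Control` parser used by a freshness check that honours `no-store`, `no-cache`, `private`, `max-age` and `s-maxage` for private and shared caches. The resource bytes are constructed; heuristic freshness for responses without explicit lifetime is deliberately left out.

```python
import hashlib


def make_etag(body: bytes) -> str:
    """Strong ETag derived from the content hash (a quoted string, as in the flow above)."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def parse_cache_control(value: str) -> dict:
    """Parse Cache-Control into {directive: value or None}; names are lower-cased."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else None
    return directives


def is_fresh(cache_control: str, age_seconds: int, shared_cache: bool = False) -> bool:
    """Decide whether a stored response may be served without revalidation."""
    d = parse_cache_control(cache_control)
    if "no-store" in d or "no-cache" in d:
        return False                     # no-store: never store; no-cache: always revalidate
    if shared_cache and "private" in d:
        return False                     # private responses are never served by a shared cache
    lifetime = d.get("max-age")
    if shared_cache and d.get("s-maxage") is not None:
        lifetime = d["s-maxage"]         # s-maxage overrides max-age for shared caches only
    if lifetime is None or not lifetime.isdigit():
        return False                     # no explicit lifetime: treat as stale (no heuristics here)
    return age_seconds < int(lifetime)


def handle_get(resource: bytes, request_headers: dict) -> tuple:
    """Return (status, headers, body) for a GET, honouring If-None-Match."""
    etag = make_etag(resource)
    headers = {"ETag": etag, "Cache-Control": "max-age=3600, public"}
    # ETags here are strong, so the quoted strings are compared exactly.
    candidates = [t.strip() for t in request_headers.get("If-None-Match", "").split(",")]
    if etag in candidates or "*" in candidates:
        return 304, headers, b""         # unchanged: no body, the client reuses its cached copy
    headers["Content-Length"] = str(len(resource))
    return 200, headers, resource


# Constructed stand-in for /image.png (not a real PNG).
IMAGE = b"\x89PNG\r\n\x1a\n constructed sample image bytes"

if __name__ == "__main__":
    status, hdrs, body = handle_get(IMAGE, {})
    print(status, hdrs)
    print(handle_get(IMAGE, {"If-None-Match": hdrs["ETag"]})[0])   # 304 on the second request
```

The `If-None-Match` comparison is the security-relevant detail: a cache that serves content on a weak or prefix match can return the wrong representation, so the full quoted ETag is compared.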
## 5. HTTP Version Comparison

### HTTP Version Evolution

```text
HTTP/0.9 (1991)
 └── GET only, no headers
       │
       ▼
HTTP/1.0 (1996)
 └── Headers added, status codes, POST/HEAD
       │
       ▼
HTTP/1.1 (1997)
 └── Persistent connections, pipelining, Host header required
       │
       ▼
HTTP/2 (2015)
 └── Binary protocol, multiplexing, header compression
       │
       ▼
HTTP/3 (2022)
 └── QUIC (UDP-based), improved connection setup
```
### HTTP/1.1 vs HTTP/2 vs HTTP/3
| Feature | HTTP/1.1 | HTTP/2 | HTTP/3 |
|---|---|---|---|
| Protocol | Text | Binary | Binary |
| Transport Layer | TCP | TCP | QUIC (UDP) |
| Multiplexing | X | O | O |
| Header Compression | X | HPACK | QPACK |
| Server Push | X | O | O |
| Requests per Connection | Sequential | Concurrent multiple | Concurrent multiple |
| HOL Blocking | Present | Present at TCP level | None |
### HTTP/1.1 Connection Methods

```text
HTTP/1.0 (Non-persistent)               HTTP/1.1 (Persistent)

Request 1  ──────▶                      Request 1  ──────▶
          ◀────── Response 1                      ◀────── Response 1
[Connection closed]                     Request 2  ──────▶
Request 2  ──────▶                                ◀────── Response 2
          ◀────── Response 2            Request 3  ──────▶
[Connection closed]                               ◀────── Response 3
Request 3  ──────▶                      [Connection maintained, then closed]
          ◀────── Response 3
[Connection closed]

※ 3 TCP connections                     ※ 1 TCP connection
```
### HTTP/2 Multiplexing

```text
HTTP/1.1 (Sequential)           │  HTTP/2 (Concurrent)
                                │
Request1  ──────────────▶       │  Request1  ────▶
Response1 ◀──────────────       │  Request2  ────▶  (simultaneous)
Request2  ──────────────▶       │  Request3  ────▶  (simultaneous)
Response2 ◀──────────────       │  Response2 ◀────
Request3  ──────────────▶       │  Response1 ◀────
Response3 ◀──────────────       │  Response3 ◀────
                                │
├────────────────────────┤      │  ├──────────────┤
        Long time               │     Short time
```
### HTTP/3 and QUIC

```text
┌─────────────┐      ┌─────────────┐
│   HTTP/2    │      │   HTTP/3    │
├─────────────┤      ├─────────────┤
│    TLS      │      │    QUIC     │ ── TLS 1.3 built-in
├─────────────┤      │ (encryption)│
│    TCP      │      ├─────────────┤
├─────────────┤      │    UDP      │
│     IP      │      ├─────────────┤
└─────────────┘      │     IP      │
                     └─────────────┘
```

QUIC Advantages:

- 0-RTT connection (when reconnecting)
- Packet loss doesn't affect other streams
- Connection migration (connection maintained on IP change)
## 6. HTTPS and TLS/SSL

### HTTPS Overview

```text
HTTP (Port 80)                 │  HTTPS (Port 443)
                               │
┌─────────────┐                │  ┌─────────────┐
│    HTTP     │                │  │    HTTP     │
├─────────────┤                │  ├─────────────┤
│    TCP      │                │  │   TLS/SSL   │ ── Encryption layer
├─────────────┤                │  ├─────────────┤
│     IP      │                │  │    TCP      │
└─────────────┘                │  ├─────────────┤
                               │  │     IP      │
Plaintext transmission         │  └─────────────┘
Data exposure risk             │
                               │  Encrypted transmission
                               │  Data protection
```
### TLS/SSL History
| Version | Year | Status |
|---|---|---|
| SSL 2.0 | 1995 | Deprecated (security vulnerabilities) |
| SSL 3.0 | 1996 | Deprecated (POODLE vulnerability) |
| TLS 1.0 | 1999 | Deprecation recommended |
| TLS 1.1 | 2006 | Deprecation recommended |
| TLS 1.2 | 2008 | In use |
| TLS 1.3 | 2018 | Recommended (current latest) |
### TLS Handshake (TLS 1.2)

```text
[Client]                                        [Server]
   │                                                │
   │──(1) ClientHello ────────────────────────────▶ │
   │      - Supported TLS version                   │
   │      - Supported cipher suites                 │
   │      - Client random                           │
   │                                                │
   │◀─(2) ServerHello ───────────────────────────── │
   │      - Selected TLS version                    │
   │      - Selected cipher suite                   │
   │      - Server random                           │
   │                                                │
   │◀─(3) Certificate ───────────────────────────── │
   │      - Server certificate (public key)         │
   │                                                │
   │◀─(4) ServerHelloDone ───────────────────────── │
   │                                                │
   │──(5) ClientKeyExchange ──────────────────────▶ │
   │      - Pre-Master Secret (encrypted)           │
   │                                                │
   │──(6) ChangeCipherSpec ───────────────────────▶ │
   │──(7) Finished ───────────────────────────────▶ │
   │                                                │
   │◀─(8) ChangeCipherSpec ──────────────────────── │
   │◀─(9) Finished ──────────────────────────────── │
   │                                                │
   │◀──────── Encrypted Communication ────────────▶ │
```
### TLS 1.3 Handshake (Simplified)

```text
TLS 1.3 Handshake (1-RTT)

[Client]                                        [Server]
   │                                                │
   │──(1) ClientHello + KeyShare ─────────────────▶ │
   │                                                │
   │◀─(2) ServerHello + KeyShare ────────────────── │
   │      Certificate                               │
   │      Finished                                  │
   │                                                │
   │──(3) Finished ───────────────────────────────▶ │
   │                                                │
   │◀──────── Encrypted Communication ────────────▶ │
```

- ※ Handshake complete in just 1 RTT (round trip)
- ※ 0-RTT: data can be sent with the first message when resuming a session
### Encryption Types

```text
Symmetric Encryption
────────────────────
- Encrypt/decrypt with the same key
- Fast
- Examples: AES, ChaCha20

Plaintext ──[Key]──▶ Ciphertext ──[Key]──▶ Plaintext

Asymmetric Encryption
─────────────────────
- Uses a public/private key pair
- Slow; used for key exchange
- Examples: RSA, ECDSA

Plaintext ──[Public Key]──▶ Ciphertext ──[Private Key]──▶ Plaintext

Usage in TLS
────────────
1. Asymmetric keys for the session key exchange
2. Symmetric key (session key) for the actual data encryption
```
## 7. Certificates

### Certificate Structure

```text
X.509 Certificate Structure

Version: V3
Serial Number: 0x1234...
Signature Algorithm: SHA256withRSA
Issuer: CN=Let's Encrypt Authority X3
Validity
    Not Before: 2026-01-01 00:00:00
    Not After:  2026-04-01 00:00:00
Subject: CN=www.example.com
Public Key Info
    Algorithm: RSA
    Key Size: 2048 bits
    Public Key: 30 82 01 0a 02 82 01 01 00...
Extensions
    Subject Alternative Names: www.example.com, example.com
    Key Usage: Digital Signature, Key Encipherment
Signature: 48 46 2b 88 2d...
```
### Certificate Chain

```text
Certificate Chain (Chain of Trust)

┌────────────────────────────────────────────┐
│ Root Certificate (Root CA)                 │
│ - Self-signed                              │
│ - Built into browser/OS                    │
│ - Examples: DigiCert, GlobalSign           │
└─────────────────────┬──────────────────────┘
                      │ Signs
                      ▼
┌────────────────────────────────────────────┐
│ Intermediate Certificate (Intermediate CA) │
│ - Signed by Root CA                        │
│ - Example: Let's Encrypt R3                │
└─────────────────────┬──────────────────────┘
                      │ Signs
                      ▼
┌────────────────────────────────────────────┐
│ Server Certificate (End-Entity)            │
│ - Signed by Intermediate CA                │
│ - Domain: www.example.com                  │
└────────────────────────────────────────────┘

Validation order: Server cert → Intermediate cert → Root cert
```
### Certificate Types
| Type | Validation Level | Issuance Time | Use Case |
|---|---|---|---|
| DV (Domain Validation) | Domain ownership only | Minutes | Personal, blogs |
| OV (Organization Validation) | Organization verification | 1-3 days | Companies, institutions |
| EV (Extended Validation) | Strict verification | 1-2 weeks | Financial, large corporations |
| Wildcard | Includes subdomains | Varies | *.example.com |
| Multi-Domain (SAN) | Multiple domains | Varies | Multiple domains |
### Certificate Issuance Process (Let's Encrypt)

```bash
# Install Certbot (Ubuntu)
sudo apt install certbot python3-certbot-nginx

# Issue certificate (Nginx)
sudo certbot --nginx -d example.com -d www.example.com

# Issue certificate (Apache)
sudo certbot --apache -d example.com

# Renew certificate
sudo certbot renew

# Check certificate
sudo certbot certificates

# Auto-renewal (cron entry)
0 12 * * * /usr/bin/certbot renew --quiet
```
### Certificate Verification Commands

```bash
# Check domain certificate
openssl s_client -connect example.com:443 -servername example.com

# Certificate details
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -text

# Check expiration date
echo | openssl s_client -connect example.com:443 2>/dev/null | \
  openssl x509 -noout -enddate

# Check local certificate file
openssl x509 -in certificate.crt -text -noout
```
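The openssl commands above are what an operator runs by hand; a monitoring job needs the same checks in code. As an added example that is not part of the original page, the functions below build a TLS client context that matches the version table earlier in this section (TLS 1.2 minimum, chain and hostname verification required), match a hostname against the certificate's DNS Subject Alternative Names (including a single-label wildcard), and compute days until `notAfter`. The certificate is a constructed dict in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, mirroring the X.509 example above; it is not a real certificate, and the 14-day warning threshold is an assumption of this example.

```python
import ssl
import time


def hardened_client_context() -> ssl.SSLContext:
    """Client context matching the version table: TLS 1.2 minimum, verification on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSL 3.0, TLS 1.0 and 1.1
    ctx.check_hostname = True                        # subject must match the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED              # chain must lead to a trusted root
    return ctx


def san_matches(hostname: str, cert: dict) -> bool:
    """Match hostname against DNS Subject Alternative Names (exact or one-label wildcard)."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        # *.example.com covers www.example.com but not example.com or a.b.example.com.
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def days_until_expiry(cert: dict, now=None) -> float:
    """Days left before notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def check_certificate(hostname: str, cert: dict, now=None, warn_days: int = 14) -> list:
    """Return the findings a certificate-monitoring job would raise (empty list = healthy)."""
    now = time.time() if now is None else now
    findings = []
    if not san_matches(hostname, cert):
        findings.append(f"hostname {hostname} is not covered by subjectAltName")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        findings.append("certificate is not yet valid")
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        findings.append("certificate has expired")
    elif remaining < warn_days:
        findings.append(f"certificate expires in {remaining:.0f} days")
    return findings


# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert(),
# mirroring the X.509 example above (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Let's Encrypt Authority X3"),),),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Apr  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    at = ssl.cert_time_to_seconds("Mar 25 00:00:00 2026 GMT")   # a week before expiry
    print(check_certificate("www.example.com", SAMPLE_CERT, now=at))
```

In a real job the dict would come from `ssl.SSLSocket.getpeercert()` on a socket wrapped with `hardened_client_context()`, which already fails the handshake on an untrusted chain or a hostname mismatch; the explicit checks here are what you run to alert on expiry before the handshake starts failing.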
## 8. Practice Problems

### Basic Problems

- HTTP Methods
  - Explain 3 differences between GET and POST.
  - What is idempotency? List all idempotent methods.
- Status Codes
  - Choose appropriate status codes for these situations:
    - User login failure (authentication failure)
    - Page not found
    - Internal server error occurs
    - Resource created successfully via POST request
- Headers
  - What's the difference between Cache-Control: no-cache and no-store?
  - What is the purpose of the ETag header?

### Intermediate Problems

- HTTP Versions
  - Explain HTTP/1.1's HOL (Head-of-Line) Blocking problem.
  - How does HTTP/2 solve this problem?
- HTTPS/TLS
  - What are 3 security benefits of using HTTPS?
  - What is the handshake RTT difference between TLS 1.2 and TLS 1.3?
- Practical Problems

  ```bash
  # Analyze the results of the following curl commands

  # 1. What is included in the request headers?
  curl -v http://example.com

  # 2. What status code do you receive if this request succeeds?
  curl -I -X DELETE http://api.example.com/users/1

  # 3. What is the Content-Type in this request?
  curl -X POST http://api.example.com/users \
    -H "Content-Type: application/json" \
    -d '{"name": "test"}'
  ```

### Advanced Problems

- Certificate Chain
  - Why doesn't the root CA sign server certificates directly, using intermediate CAs instead?
- Security Headers
  - Suggest HTTP headers to prevent these security vulnerabilities:
    - Clickjacking
    - XSS (Cross-Site Scripting)
    - MIME sniffing
## 9. Next Steps

In 14_Other_Application_Protocols.md, let's learn about other application layer protocols such as DHCP, FTP, SMTP, and SSH!

## 10. References

### RFC Documents

- RFC 7230-7235 - HTTP/1.1 (obsoleted by RFC 9110-9112)
- RFC 7540 - HTTP/2 (obsoleted by RFC 9113)
- RFC 9110-9114 - HTTP Semantics, HTTP Caching, HTTP/1.1, HTTP/2, HTTP/3
- RFC 8446 - TLS 1.3

### Online Resources

### Tools

- curl - Command-line HTTP client
- Postman - API testing tool
- Charles Proxy - HTTP proxy/monitoring
- Wireshark - Packet analysis