The HTTP protocol defines how clients and servers exchange requests and responses on the web — every browser page load, API call, and service-to-service request runs on it. Its building blocks are consistent across versions: request and response messages, methods, status codes, and headers. Knowing how they work together, and how to inspect them on the wire, is what makes HTTP issues fast to diagnose.
What Is the HTTP Protocol?
The HTTP protocol (Hypertext Transfer Protocol) is the application-layer protocol the web is built on. It defines how a client and a server exchange messages to request and deliver resources — HTML pages, JSON from an API, images, scripts, or any other content. HTTP is a stateless, text-oriented, client-server protocol that normally runs over a TCP connection on port 80, or over TLS on port 443 for HTTPS.
"Stateless" means the server keeps no memory of previous requests: each request carries everything the server needs to handle it. State that feels persistent — being logged in, items in a cart — is layered on top using cookies, tokens, and headers, not by the protocol itself.
How an HTTP Request and Response Work
HTTP follows a request/response model. The client (usually a browser, but also a mobile app, a backend service, or a command-line tool) opens a connection and sends a request; the server processes it and returns a response. Loading a single URL over HTTPS involves several steps:
- DNS lookup — resolve the hostname to an IP address.
- TCP handshake — establish a connection to the server's port (80 or 443).
- TLS handshake — negotiate encryption keys (HTTPS only).
- HTTP request — the client sends a request line, headers, and an optional body.
- Server processing — the server routes, authorizes, and builds a response.
- HTTP response — the server returns a status line, headers, and usually a body.
- Connection reuse or close — the connection is kept alive for more requests or closed.
The request itself is a single HTTP request message, and the reply is a single HTTP response message. Both share the same basic shape: a start line, a block of headers, a blank line, and an optional body.
Anatomy of an HTTP Request
A request starts with a request line — the method, the target path, and the protocol version — followed by HTTP headers, a blank line, and an optional body:
GET /api/users/42 HTTP/1.1
Host: api.example.com
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
User-Agent: curl/8.4.0 GET requests have no body. Methods that send data — such as
an HTTP POST — place the payload after
the blank line and describe it with Content-Type and
Content-Length headers:
POST /api/users HTTP/1.1
Host: api.example.com
Content-Type: application/json
Content-Length: 38
{"name":"Ada Lovelace","role":"admin"}Anatomy of an HTTP Response
A response starts with a status line — the protocol version, a numeric status code, and a reason phrase — then headers, a blank line, and the body:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 46
Cache-Control: max-age=3600
ETag: "a1b2c3"
{"id":42,"name":"Ada Lovelace","role":"admin"}The status code tells the client how to interpret the rest of the message before it even reads the body — whether the request succeeded, needs to be redirected, was rejected, or failed on the server.
HTTP Methods
The method states the action the client wants to perform on the target resource. These are the methods you'll use most, and two properties separate them: a safe method does not change server state, while an idempotent method produces the same result whether it runs once or many times.
| Method | Purpose | Safe | Idempotent |
|---|---|---|---|
GET | Retrieve a resource | Yes | Yes |
HEAD | Retrieve headers only, no body | Yes | Yes |
POST | Submit data, create a resource | No | No |
PUT | Replace a resource entirely | No | Yes |
PATCH | Apply a partial update | No | No |
DELETE | Remove a resource | No | Yes |
HTTP also defines OPTIONS (CORS preflight),
CONNECT (proxy tunneling), and TRACE
(diagnostics), but those come up far less often in everyday work.
HTTP Status Codes
Status codes are grouped into five classes by their first digit. The class alone tells you the category of outcome; the specific code narrows it down.
| Class | Meaning | Common codes |
|---|---|---|
| 1xx | Informational — request received, continuing | 100 Continue, 101 Switching Protocols |
| 2xx | Success — the request was handled | 200 OK, 201 Created, 204 No Content |
| 3xx | Redirection — further action needed | 301 Moved Permanently, 302 Found, 304 Not Modified |
| 4xx | Client error — the request was faulty | 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests |
| 5xx | Server error — the server failed to fulfill a valid request | 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout |
HTTP Versions: From 0.9 to HTTP/3
HTTP has evolved far beyond the text-only protocol it started as. Each major version is a distinct revision — which is why developers sometimes talk about different "HTTP protocols" — yet they share stable message semantics: methods, status codes, and headers. What changed dramatically between versions is the way bytes move on the wire, to cut latency and remove bottlenecks.
| Version | Year | Transport | Key change |
|---|---|---|---|
| HTTP/0.9 | 1991 | TCP | One-line GET only; no headers, no status codes. |
| HTTP/1.0 | 1996 | TCP | Headers, status codes, and methods; a new connection per request. |
| HTTP/1.1 | 1997 | TCP | Persistent connections, chunked transfer, mandatory Host header. Still suffers head-of-line blocking. |
| HTTP/2 | 2015 | TCP | Binary framing, request multiplexing over one connection, and HPACK header compression. |
| HTTP/3 | 2022 | QUIC (UDP) | Multiplexing without TCP head-of-line blocking, TLS 1.3 built in, connection migration across networks. |
Most production traffic today runs over HTTP/1.1 and HTTP/2, with HTTP/3 adoption growing on major CDNs. A practical consequence for debugging: HTTP/1.1 is plain text you can read directly, but HTTP/2 sends HPACK-compressed binary frames and HTTP/3 runs over encrypted QUIC. From HTTP/2 onward you cannot just eyeball the bytes — you need a tool that reassembles and decodes the frames into readable requests and responses.
Protocols Built on HTTP: WebSocket, SSE, and gRPC
HTTP is no longer only about one-shot request/response exchanges. Several widely used protocols layer real-time and streaming behavior on top of it, which is what makes modern apps feel live rather than page-by-page.
WebSocket
upgrades an ordinary HTTP/1.1 connection into a persistent, full-duplex
channel. The client sends an Upgrade request and the server
answers with 101 Switching Protocols; after that both sides
exchange messages freely over the same connection — the basis for chat,
live dashboards, and multiplayer apps.
GET /chat HTTP/1.1
Host: example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
Sec-WebSocket-Version: 13 Server-Sent Events (SSE)
keep a single HTTP response open and stream events one way, from server to
client, as text/event-stream. SSE is simpler than WebSocket,
reconnects automatically, and suits notifications, progress updates, and
live feeds.
HTTP/1.1 200 OK
Content-Type: text/event-stream
Cache-Control: no-cache
data: {"event":"update","value":42}
data: {"event":"done"}gRPC runs remote procedure calls over HTTP/2, using binary Protocol Buffers instead of JSON and HTTP/2 streams for unary or bidirectional streaming, with the call status returned in HTTP/2 trailers. It is common for high-throughput service-to-service communication.
Because these protocols are binary or streamed, browser dev tools and simple proxies reveal little of what actually happens. HTTP Debugger reconstructs WebSocket frames, SSE events, and gRPC messages in a dedicated messages and events view, so you can inspect each frame, event, and payload individually.
How AI Agents Use HTTP
Modern AI agents and LLM-powered apps run almost entirely over HTTP. An agent calls model and tool endpoints as ordinary HTTPS APIs, usually sending and receiving JSON, and the same methods, status codes, and headers described above apply unchanged.
What is distinctive is streaming. Model responses are typically streamed token by token using SSE or chunked transfer, so output appears as it is generated rather than after the full answer is ready. Tool and function calling — and emerging standards such as the Model Context Protocol (MCP) — define how an agent discovers and invokes external tools over HTTP-based transports.
When an agent misbehaves — a malformed tool call, a truncated stream, an expired token — the fastest way to find the cause is to read the actual HTTP requests and streamed events. Many agents run as CLI tools, SDKs, or background services that ignore system proxy settings, so capturing their traffic at the network level is often the only way to see it.
HTTP vs HTTPS
HTTPS is not a separate protocol — it is HTTP carried inside a TLS encrypted channel. Plain HTTP uses port 80 and sends everything in clear text, so anyone on the network path can read or tamper with it. HTTPS uses port 443 and encrypts the entire HTTP message, including headers and body. Roughly 95% of web traffic is now served over HTTPS, and browsers flag plain-HTTP sites as "Not Secure."
Encryption is exactly why inspecting HTTPS is harder: on the wire the traffic is ciphertext. To read the underlying request and response you need to decrypt the TLS session, which means a tool that is trusted to sit inside the encrypted channel.
How Modern HTTPS Security Is Evolving
HTTPS itself keeps advancing, and several changes are reshaping how the encrypted channel is established and trusted:
- TLS 1.3 — a faster handshake with fewer round trips, forward secrecy by default, and legacy ciphers removed. HTTP/3 over QUIC requires it.
- HSTS — the
Strict-Transport-Securityheader forces browsers to use HTTPS and refuse plain-HTTP downgrades. - Encrypted Client Hello (ECH) — encrypts the ClientHello, including the server name (SNI), so the destination hostname is no longer exposed during the handshake.
- Post-quantum key exchange — browsers and servers are rolling out hybrid schemes such as X25519MLKEM768 to protect today's traffic against future quantum attacks.
- Mutual TLS (mTLS) — both client and server present certificates, a common building block of zero-trust networks and service meshes.
- Certificate automation — short-lived certificates issued via ACME (Let's Encrypt and others) have made HTTPS the default rather than the exception.
How to Inspect HTTP Traffic
When a request behaves unexpectedly, the fastest way to find the cause is to look at the actual HTTP messages rather than the code that produced them. Three approaches cover most situations:
- Browser developer tools: Open the Network tab to see every request the page makes, with headers, timing, and status codes. This covers browser traffic only.
- curl:
Use
curl -vto print the full request and response, orcurl -Ito fetch headers only — ideal for reproducing an API call from the command line. - HTTP sniffer: For traffic from desktop apps, background services, or any process that ignores system proxy settings, a network-level tool captures what browser tools and proxies miss.
HTTP Debugger captures HTTP and HTTPS traffic system-wide on Windows without configuring a proxy or browser extension, so it sees requests from browsers, APIs, microservices, and desktop applications alike. It decrypts HTTPS using its own local root certificate, and its HTTP analyzer decodes HTTP/2 into a readable connection tree — exactly the binary, compressed traffic that plain packet captures can't show. You can then inspect headers, cookies, bodies, and timings for every request in one place.
HTTP Protocol FAQ
- What does HTTP stand for? HTTP stands for Hypertext Transfer Protocol. It is the application-layer protocol that defines how clients and servers exchange requests and responses on the web.
- Is HTTP stateless? Yes. The server keeps no memory of previous requests; each request is self-contained. Persistent state such as login sessions is added on top using cookies and tokens, not by HTTP itself.
- What is the difference between HTTP and HTTPS? HTTPS is HTTP wrapped in a TLS encrypted channel. HTTP sends data in clear text on port 80; HTTPS encrypts the entire message on port 443, protecting it from eavesdropping and tampering.
- What port does HTTP use? HTTP uses TCP port 80 by default, and HTTPS uses port 443. A URL can specify a different port explicitly, for example
http://localhost:8080. - What is the current version of HTTP? HTTP/3 is the newest version and runs over QUIC. In practice most traffic still uses HTTP/2 and HTTP/1.1, which remain fully supported and widely deployed.
- Why can't I read HTTP/2 traffic the way I read HTTP/1.1? HTTP/1.1 is plain text, but HTTP/2 sends HPACK-compressed binary frames and HTTP/3 runs over encrypted QUIC. You need a tool that reassembles and decodes the frames — and decrypts TLS for HTTPS — to see readable requests and responses.
- Are WebSocket, SSE, and gRPC part of HTTP? They are built on top of HTTP. WebSocket starts as an HTTP/1.1 upgrade handshake before switching to its own framing, Server-Sent Events stream over a normal HTTP response, and gRPC runs over HTTP/2 using binary Protocol Buffers.
- How do AI agents communicate over HTTP? AI agents call model and tool endpoints as HTTPS APIs, usually exchanging JSON. Responses are commonly streamed token by token using server-sent events or chunked transfer, and tool-calling standards such as the Model Context Protocol define how agents invoke external tools over HTTP.