Chapter 4: HTTP & Web Servers
Metadata Card
| Field | Value |
|---|---|
| Difficulty | (Intermediate) |
| Prerequisites | Vol 4 Chapter 3 (TCP), basic socket programming |
| Keywords | HTTP/1.1, request/response format, methods, status codes, Cache-Control, Cookie, CORS, persistent connection, pipelining, mini web server |
| Core Skills | Read any HTTP message; fully implement an HTTP/1.1 server in Python; configure caching strategies and CORS headers |
Your Progress
"TCP has paved the way for reliable transmission; now you can run spell messages on the post road. HTTP is the universal letter format of the post road world — the mage's telescope uses HTTP to request spell scrolls, the beacon tower uses HTTP to return content. Your first beacon tower server starts here."
HTTP is the "application layer spell king" built on TCP's shoulders.
When you write a socket interface by hand, construct an HTTP message from scratch, and see the beacon tower respond with raw mana bytes which you parse line by line — that's when you truly understand HTTP.
Core Skills: Read and write raw HTTP request/response messages; understand the semantics of methods (GET/POST/PUT/DELETE), status code classes, and core headers.
HTTP Request Format
```http
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 ...
Accept: text/html,application/xhtml+xml,...
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: keep-alive
```
HTTP is plain text: a request line, one header per line, a blank line, then an optional body.
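The request above, read the way a server has to read it. The parser below is an added example (not the chapter's mini_httpd.py; standard library only) that pulls one request off a buffered byte stream, enforces size limits, and refuses any message whose body length is ambiguous. The limits and the status codes it chooses are this example's own assumptions.

```python
"""Strict parser for raw HTTP/1.x request messages (added example; standard library only).
Reads from any buffered binary stream: io.BytesIO for tests, sock.makefile("rb") on a live socket."""
import re

MAX_LINE, MAX_HEADERS, MAX_BODY = 8192, 100, 1 << 20   # limits: bytes per line, header count, body bytes
TOKEN = re.compile(rb"[!#$%&'*+.^_`|~0-9A-Za-z-]+")    # RFC 9110 'token': legal method and header names
REASON = {400: "Bad Request", 413: "Content Too Large", 431: "Request Header Fields Too Large",
          501: "Not Implemented"}


class BadRequest(Exception):
    """Carries the status the server should answer with before closing the connection."""
    def __init__(self, status):
        super().__init__(f"{status} {REASON[status]}")
        self.status = status


def parse_request_line(line):
    """b'METHOD target HTTP/1.x\\r\\n' -> (method, target, version); anything else is a 400."""
    parts = line.rstrip(b"\r\n").split(b" ")
    if (len(parts) != 3 or not TOKEN.fullmatch(parts[0])
            or not (parts[1].startswith(b"/") or parts[1] == b"*")
            or parts[2] not in (b"HTTP/1.0", b"HTTP/1.1")):
        raise BadRequest(400)
    return parts[0].decode("ascii"), parts[1].decode("ascii", "replace"), parts[2].decode("ascii")


def read_message(rfile):
    """Read one request -> (method, target, version, headers, body); None at a clean EOF.

    Header names come back lower-cased. The body length is taken from Content-Length only:
    two different Content-Length values, or any Transfer-Encoding, are rejected instead of
    guessed, because a server and a proxy disagreeing on where a message ends is exactly the
    ambiguity request smuggling relies on. Pipelined requests simply stay in the stream for
    the next call.
    """
    line = rfile.readline(MAX_LINE + 1)
    if not line:
        return None
    if len(line) > MAX_LINE:
        raise BadRequest(431)
    method, target, version = parse_request_line(line)
    headers = {}
    for _ in range(MAX_HEADERS):
        line = rfile.readline(MAX_LINE + 1)
        if len(line) > MAX_LINE:
            raise BadRequest(431)
        if line in (b"\r\n", b"\n"):
            break                                   # blank line ends the header section
        name, sep, value = line.decode("latin-1").partition(":")
        name, value = name.lower(), value.strip()
        if not sep or not TOKEN.fullmatch(name.encode("latin-1")):
            raise BadRequest(400)                   # EOF mid-headers, obs-fold, or 'Host : x'
        if name == "content-length" and headers.get(name, value) != value:
            raise BadRequest(400)                   # conflicting Content-Length values
        if name in headers and name != "content-length":
            headers[name] += ", " + value           # repeated headers combine, as RFC 9110 allows
        else:
            headers[name] = value
    else:
        raise BadRequest(431)                       # more than MAX_HEADERS header lines
    if version == "HTTP/1.1" and "host" not in headers:
        raise BadRequest(400)
    if "transfer-encoding" in headers:
        raise BadRequest(501)                       # chunked bodies are deliberately unsupported here
    length = headers.get("content-length", "0")
    if not re.fullmatch(r"[0-9]+", length):
        raise BadRequest(400)
    if int(length) > MAX_BODY:
        raise BadRequest(413)
    body = rfile.read(int(length))
    if len(body) != int(length):
        raise BadRequest(400)                       # peer closed before sending the whole body
    return method, target, version, headers, body
```

Feed it `sock.makefile("rb")` inside a connection handler and call `read_message` in a loop: each call returns the next request on a persistent connection, and a `BadRequest` means "send that status, then close", since after a malformed message the byte stream can no longer be trusted to be in sync.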
HTTP Methods & Semantics
| Method | Safe | Idempotent | Cacheable | Body | Typical Use |
|---|---|---|---|---|---|
| GET | Yes | Yes | Yes | Shouldn't have | Retrieve resource |
| HEAD | Yes | Yes | Yes | Shouldn't have | Check metadata only |
| OPTIONS | Yes | Yes | No | Shouldn't have | Check CORS/server capabilities |
| POST | No | No | Depends on headers | Yes | Create resource (form submit) |
| PUT | No | Yes | No | Yes | Replace resource (full update) |
| PATCH | No | No | No | Yes | Partially update resource |
| DELETE | No | Yes | No | Varies | Delete resource |
Status Code Families
| Category | Range | Meaning | Classic Examples |
|---|---|---|---|
| 1xx | 100-199 | Informational | 100 Continue |
| 2xx | 200-299 | Success | 200 OK, 201 Created, 204 No Content |
| 3xx | 300-399 | Redirection | 301 Moved Permanently, 302 Found, 304 Not Modified |
| 4xx | 400-499 | Client Error | 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests |
| 5xx | 500-599 | Server Error | 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable |
Key Headers
Cache-Control: HTTP/1.1 caching directives:
| Directive | Meaning | Example |
|---|---|---|
| no-cache | Must validate before using cache. Every request asks "has this expired?" | Cache-Control: no-cache |
| no-store | Don't cache at all (sensitive data) | Cache-Control: no-store |
| max-age=<seconds> | How long cache is valid from response generation | Cache-Control: max-age=3600 |
| public | Any cache (including CDN/proxy) can store | Cache-Control: public, max-age=86400 |
| private | Only end-user cache can store (CDN can't) | Cache-Control: private, max-age=3600 |
| must-revalidate | Must validate after expiry, can't use stale cache directly | Cache-Control: must-revalidate |
Cookie & Set-Cookie: HTTP is stateless. Cookies carry that "state" in HTTP headers: the server sets one with Set-Cookie, and the browser sends it back on later requests in the Cookie header.
| Cookie Attribute | Purpose |
|---|---|
| Expires / Max-Age | Cookie lifetime |
| Domain | Which domains receive this cookie |
| Path | Which paths the cookie attaches to |
| Secure | Only send over HTTPS |
| HttpOnly | JavaScript can't read (XSS protection) |
| SameSite=Lax\|Strict\|None | CSRF protection, controls cross-site cookie sending |
CORS: Cross-Origin Resource Sharing. It is not a backend security mechanism: the browser restricts non-same-origin requests by default, and the CORS response headers are how a server tells the browser which other origins may read its responses. A request the browser blocks under CORS has still reached the server, so the server must authenticate and authorize it on its own.
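The three header families above in working form, as an added example (not the chapter's code): building a Set-Cookie line with the attributes from the table, parsing a request's Cookie header, deciding from Cache-Control whether a cached copy may be reused, and answering a CORS request from an origin allowlist. The allowlist, the set of permitted request headers and the sample values are constructed for the example.

```python
"""Cookie, Cache-Control and CORS helpers for the headers in this section (added example, not the
chapter's code). The origin allowlist, permitted request headers and sample values are constructed."""
import re

_CTL = re.compile(r"[\x00-\x1f\x7f]")                    # control chars (CR/LF included): header injection
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")     # legal cookie name (RFC 6265 token)
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}   # constructed allowlist
ALLOWED_REQUEST_HEADERS = {"content-type", "authorization"}                 # what a preflight may ask for


def set_cookie_header(name, value, *, max_age=None, path="/", domain=None,
                      secure=True, http_only=True, same_site="Lax"):
    """Build a Set-Cookie value with the attributes from the table; safe defaults, explicit opt-out."""
    if not _TOKEN.fullmatch(name) or _CTL.search(value) or any(c in value for c in ' ",;\\'):
        raise ValueError("cookie name/value contains characters that break the header")
    if same_site not in ("Lax", "Strict", "None"):
        raise ValueError("SameSite must be Lax, Strict or None")
    if same_site == "None" and not secure:
        raise ValueError("browsers reject SameSite=None without Secure")
    if name.startswith("__Host-") and not (secure and path == "/" and domain is None):
        raise ValueError("__Host- cookies need Secure, Path=/ and no Domain")
    parts = [f"{name}={value}", f"Path={path}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if domain:
        parts.append(f"Domain={domain}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def parse_cookie_header(cookie):
    """Request side: 'a=1; b=2' -> {'a': '1', 'b': '2'}; pairs without '=' or without a name are skipped."""
    out = {}
    for pair in cookie.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            out[name] = value
    return out


def parse_cache_control(value):
    """'public, max-age=3600' -> {'public': None, 'max-age': '3600'}; directive names lower-cased."""
    out = {}
    for directive in value.split(","):
        name, _, arg = directive.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip().strip('"') or None
    return out


def may_serve_from_cache(cache_control, age, shared_cache):
    """May a cache reuse its stored copy without asking the origin? age = seconds since the response
    was generated; shared_cache = a CDN/proxy rather than the user's browser. This example trusts only
    an explicit max-age, and never serves a stale copy, so must-revalidate changes nothing here (it
    matters for caches that would otherwise serve stale content)."""
    directives = parse_cache_control(cache_control)
    if "no-store" in directives or (shared_cache and "private" in directives):
        return False
    max_age = directives.get("max-age") or ""
    if "no-cache" in directives or not max_age.isdigit():
        return False                                     # revalidate every time / no freshness info
    return age < int(max_age)


def cors_headers(origin, request_method=None, request_headers=None, allowed=ALLOWED_ORIGINS):
    """CORS response headers for a request carrying 'Origin: origin' (None when there is no Origin
    header). request_method / request_headers are the preflight's Access-Control-Request-Method and
    -Headers. The origin is matched against an allowlist and echoed back: '*' or a reflected arbitrary
    origin together with Allow-Credentials would let any site read authenticated responses. Vary: Origin
    stops a cache from handing one origin's answer to another."""
    headers = {"Vary": "Origin"}
    if origin not in allowed:
        return headers                                   # no Allow-Origin: the browser blocks the read
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Credentials"] = "true"
    if request_method is not None:                       # this is a preflight (OPTIONS)
        wanted = [h.strip() for h in (request_headers or "").split(",")
                  if h.strip().lower() in ALLOWED_REQUEST_HEADERS]
        headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE"
        if wanted:
            headers["Access-Control-Allow-Headers"] = ", ".join(wanted)
        headers["Access-Control-Max-Age"] = "600"
    return headers
```

The cookie builder refuses control characters rather than escaping them, because a CR/LF that reaches a header line ends that header and starts another; the CORS helper filters the requested header names through an allowlist for the same reason, so nothing the client sent is copied into a response header unchecked.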
Project Mini HTTP Server
The chapter includes a complete mini_httpd.py implementation supporting GET/POST/PUT/DELETE with JSON responses, CORS, persistent connections, and error handling. See the full source at the end of the chapter.
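A server along the lines of the one described, as an added example that is not the chapter's mini_httpd.py: it leaves request parsing to the standard library's http.server and concentrates on what persistent connections demand of the server side. The /items routes and the in-memory store are constructed for the example.

```python
"""Mini HTTP/1.1 JSON server with persistent connections (added example, not the chapter's
mini_httpd.py). Parsing is delegated to http.server; the /items routes and the store are constructed."""
import json
import re
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

STORE, LOCK = {}, threading.Lock()            # id -> item dict, shared across handler threads
ITEM_PATH = re.compile(r"/items/([0-9]{1,9})")
MAX_BODY = 1 << 20                            # refuse to buffer request bodies over 1 MiB


class Handler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"             # the default, HTTP/1.0, closes the socket after every response
    timeout = 5                               # idle keep-alive connections are dropped after 5 s

    def send_json(self, status, obj=None, extra=None):
        """Every response states its length: without Content-Length an HTTP/1.1 client cannot tell
        where the body ends, so it waits and keep-alive looks like a hang. 204 carries neither."""
        body = b"" if obj is None else json.dumps(obj).encode()
        self.send_response(status)
        for name, value in (extra or {}).items():
            self.send_header(name, value)
        if status != 204:
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def read_json_body(self):
        """Consume exactly Content-Length bytes and parse a JSON object; on failure answer 4xx and
        return None. A refused body is never read, and unread bytes would be parsed as the next
        request on this connection, so that case also closes the connection."""
        length = self.headers.get("Content-Length", "")
        valid = re.fullmatch(r"[0-9]+", length) is not None
        if not valid or int(length) > MAX_BODY:
            self.close_connection = True
            self.send_json(413 if valid else 411, {"error": "missing or oversized body"})
            return None
        try:
            item = json.loads(self.rfile.read(int(length)))
        except ValueError:
            item = None
        if not isinstance(item, dict):
            self.send_json(400, {"error": "body must be a JSON object"})
            return None
        return item

    def do_GET(self):
        m = ITEM_PATH.fullmatch(self.path)
        with LOCK:
            if m:
                found = STORE.get(int(m.group(1)))
            else:
                found = list(STORE.values()) if self.path == "/items" else None
        if found is None:
            self.send_json(404, {"error": "not found"})
        else:
            self.send_json(200, found)

    def do_POST(self):
        item = self.read_json_body()          # read the body first so the connection stays in sync
        if item is None:
            return
        if self.path != "/items":
            return self.send_json(404, {"error": "not found"})
        with LOCK:
            item_id = max(STORE, default=0) + 1
            STORE[item_id] = {**item, "id": item_id}
            self.send_json(201, STORE[item_id], {"Location": f"/items/{item_id}"})

    def do_PUT(self):
        item, m = self.read_json_body(), ITEM_PATH.fullmatch(self.path)
        if item is None:
            return
        if not m:
            return self.send_json(404, {"error": "not found"})
        item_id = int(m.group(1))
        with LOCK:
            status = 200 if item_id in STORE else 201   # replace, or create at the requested id
            STORE[item_id] = {**item, "id": item_id}
            self.send_json(status, STORE[item_id])

    def do_DELETE(self):
        m = ITEM_PATH.fullmatch(self.path)
        with LOCK:
            found = m is not None and STORE.pop(int(m.group(1)), None) is not None
        if found:
            self.send_json(204)
        else:
            self.send_json(404, {"error": "not found"})

    def log_message(self, fmt, *args):
        pass                                  # silenced for the example; a real server logs method, path, status


def start_server(host="127.0.0.1", port=0):
    """Serve on a daemon thread; returns (server, bound_port). port=0 lets the OS pick a free port."""
    srv = ThreadingHTTPServer((host, port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":                    # then: curl -i http://127.0.0.1:8080/items
    ThreadingHTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run it and watch `curl -v` against it: with `protocol_version` left at its HTTP/1.0 default the server closes after each response, and without `Content-Length` on a `HTTP/1.1` response a client keeps waiting for a body that never ends. Both are the pitfalls the chapter's persistent-connection support has to get right.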
Traveler's Notes
I truly understood HTTP while writing this mini server. Before, using Flask/FastAPI/Django, I thought HTTP was just rest.get() → 200. The first time I received a raw request line GET / HTTP/1.1 using socket.bind + recv, I understood what frameworks actually hide.
Run your mini server and access it with curl. When you see the raw message match up, your understanding of HTTP will never be the same.
→ Next Stop Preview
Chapter 5: HTTPS & TLS: There are bandits on the post road. Your spell messages are plain text — any wild mage can peek. HTTPS and TLS add a sealing lock.