1.4 — Understanding HTTP & HTTPS: Quick Revision

Compact cheat sheet. Print-friendly.

How to use this material (instructions)

1. Skim in one pass before interviews or exams.
2. If anything is fuzzy — jump to the matching file: README.md → 1.4.a…1.4.g.
3. Drills — 1.4-Exercise-Questions.md.
4. Polished answers — 1.4-Interview-Questions.md.

---

HTTP versions (30-second version)

Ver	Transport (typical)	Big idea
1.1	TCP	Keep-alive, Host header, text headers
2	TCP	Multiplex streams, HPACK, binary framing
3	QUIC/UDP	Faster handshakes, stream independence vs TCP HOL

---

Status codes (must know)

Code	Meaning
200	OK
201	Created
204	No content
301	Permanent redirect
304	Not modified (cache)
400	Bad request
401	Unauthorized (authn)
403	Forbidden (authz)
404	Not found
429	Rate limited
500	Server error
502	Bad gateway
503	Unavailable

---

HTTP vs HTTPS

	HTTP	HTTPS
Encryption	No	TLS
Port	80	443
Tamper risk	High	Mitigated
Identity	Weak	Server certs + PKI

TLS gives: confidentiality + integrity + (server) authentication.

---

TLS / SSL naming

• Say TLS, not SSL (SSL deprecated/insecure).
• TLS 1.3 = modern best practice.
• Cert = binds public key ↔ names (SAN), signed by CA chain.

---

Proxies

Type	Sits near	Purpose
Forward	Client / org	egress control, filtering, anonymity patterns
Reverse	Server edge	TLS termination, LB, cache, WAF

CDN edge behaves like a reverse proxy + cache globally.

---

VPN (one diagram in words)

You → encrypted tunnel → VPN server → internet (sites see VPN IP).

• Does not replace HTTPS to websites (different hop).
• Watch for DNS leaks / misconfigurations.

---

One-liner distinctions

Term	One-liner
HTTPS	HTTP bytes inside a TLS tunnel
SNI	TLS extension indicating hostname (privacy nuance historically)
HSTS	Browser policy forcing HTTPS for a domain
mTLS	Both sides present client+server certs (less common on public web)

---

← Back to 1.4 — Understanding HTTP & HTTPS (README)