HTTP & The Web: How It Actually Works
Master how the web really works under the hood — from DNS resolution and TCP handshakes to HTTP methods, headers, caching, and security. By the end, you will build a mental model and hands-on skills to debug any network issue and design robust web communication.
Course Content
6 modules · 30 lessons
How the Internet Moves Data
Understand the layered model of the internet and explain what actually happens when you type a URL.
What happens when you type a URL and hit Enter
URL anatomy, DNS lookup, TCP connection, HTTP request, server response, browser rendering pipeline
How DNS resolution actually works step by step
DNS hierarchy, root nameservers, TLD nameservers, authoritative nameservers, recursive resolver, TTL, DNS caching
TCP vs UDP: which protocol and why it matters
TCP three-way handshake, connection-oriented vs connectionless, reliability guarantees, ordering, UDP use cases, latency trade-offs
OSI model explained simply for web developers
OSI seven layers, encapsulation, physical layer, network layer, transport layer, application layer, practical developer relevance
IP addresses, ports, and sockets explained
IPv4 vs IPv6, public vs private IP, NAT, ports 0-65535, well-known ports, socket definition, socket pair uniqueness
HTTP Fundamentals
Read and write raw HTTP messages, understand every status code category, and use HTTP methods correctly.
HTTP request and response structure explained
request line, response status line, HTTP headers, message body, CRLF, Content-Type, Content-Length, Host header
HTTP methods GET POST PUT PATCH DELETE: when to use each
GET idempotency, POST non-idempotency, PUT full replacement, PATCH partial update, DELETE, safe vs idempotent methods, HEAD and OPTIONS
HTTP status codes: what every code category means
1xx informational, 2xx success, 3xx redirection, 4xx client errors, 5xx server errors, 301 vs 302, 401 vs 403, 404 vs 410, 429 rate limiting
HTTP headers: which ones actually matter
Host, Content-Type, Accept, Authorization, Cache-Control, User-Agent, CORS headers, custom headers, header case-insensitivity
HTTP/1.1 vs HTTP/2 vs HTTP/3: real differences developers should know
HTTP/1.1 head-of-line blocking, HTTP/2 multiplexing, binary framing, server push, header compression, HTTP/3 QUIC, 0-RTT connection
HTTPS and TLS Security
Understand how TLS secures HTTP traffic, how certificates work, and how to diagnose common SSL/TLS errors.
How TLS handshake works and why HTTPS is secure
TLS 1.3 handshake, ClientHello, ServerHello, certificate exchange, key agreement, symmetric encryption, forward secrecy
SSL certificates: what they are and how the chain of trust works
X.509 certificates, Subject and Issuer fields, CA hierarchy, root CA, intermediate CA, leaf certificate, certificate chain validation, SAN fields
Common TLS errors and what they actually mean
ERR_CERT_DATE_INVALID, ERR_CERT_AUTHORITY_INVALID, ERR_SSL_PROTOCOL_ERROR, certificate mismatch, mixed content, HSTS, self-signed certificates
How HSTS prevents downgrade attacks
HTTP Strict Transport Security, HSTS header, max-age, includeSubDomains, preload list, HSTS preloading, downgrade attack, SSL stripping
How to set up HTTPS with Let's Encrypt for free
ACME protocol, certificate issuance, HTTP-01 challenge, DNS-01 challenge, certbot, certificate renewal, Nginx SSL configuration
Caching and Performance
Control HTTP caching precisely using Cache-Control directives, ETags, and conditional requests to reduce latency and server load.
How HTTP caching works: Cache-Control header explained
Cache-Control directives, max-age, no-store, no-cache, public vs private, s-maxage, stale-while-revalidate, cache hierarchy
ETags and conditional requests: how browsers avoid re-downloading unchanged files
ETag header, If-None-Match, Last-Modified, If-Modified-Since, 304 Not Modified, weak vs strong ETags, conditional GET
Cache busting: how to force browsers to load new files
content-based hashing, cache-busting fingerprinting, immutable directive, versioned filenames, CDN purge, URL-based versioning
CDN: what it is and how it caches your content at the edge
CDN architecture, edge nodes, PoP, origin pull, cache HIT and MISS, CDN headers X-Cache, Vary header, cache key, geographic latency reduction
Why Cache-Control no-cache doesn't mean what you think
no-cache revalidation, 304 Not Modified flow, must-revalidate, proxy-revalidate, pragma header legacy, cache directive combinations
REST APIs and Web Communication Patterns
Design and consume REST APIs correctly, understand authentication flows, and know when to use WebSockets, SSE, or polling.
REST API design: principles every developer must know
resource-based URLs, nouns not verbs in URLs, HTTP methods as actions, statelessness, HATEOAS, URL hierarchy, collection vs item endpoints
JWT authentication: how tokens work end to end
JWT structure, header payload signature, base64url encoding, HMAC vs RSA signing, token expiry, refresh tokens, bearer authentication, JWT validation
WebSockets vs Server-Sent Events vs polling: when to use each
WebSocket full-duplex, WebSocket handshake, SSE unidirectional, EventSource API, long polling, short polling, use case comparison, browser support
CORS explained: why it exists and how to fix it
same-origin policy, cross-origin resource sharing, preflight request, OPTIONS method, Access-Control headers, simple vs complex requests, credentials flag
API rate limiting and pagination: how to handle both correctly
rate limiting headers, 429 Too Many Requests, Retry-After, exponential backoff, cursor pagination, offset pagination, Link header, page size
Web Security Essentials
Identify and prevent the most critical web security vulnerabilities — XSS, CSRF, injection, and insecure headers — through concrete attack and defense examples.
Cross-site scripting (XSS): how it works and how to prevent it
reflected XSS, stored XSS, DOM-based XSS, HTML encoding, Content-Security-Policy, sanitization, innerHTML vs textContent, script injection
CSRF attacks: how attackers forge requests and how tokens stop them
cross-site request forgery, CSRF token, SameSite cookie attribute, double-submit cookie, CSRF with GET requests, state-changing operations protection
Security headers every web application needs
Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Strict-Transport-Security, clickjacking protection
SQL injection and command injection: how they work and how to stop them
SQL injection anatomy, parameterized queries, prepared statements, ORM protection, command injection, input validation, allowlist vs blocklist, error message information leak
Cookie security: HttpOnly, Secure, SameSite attributes explained
HttpOnly cookie flag, Secure flag, SameSite Strict vs Lax vs None, cookie scope Domain and Path, session fixation, cookie theft via XSS, __Host- prefix
