26 min to read
HTTP Methods and Status Codes: A Complete Guide to RESTful API Design
Master HTTP fundamentals for building robust web applications and APIs
Overview
HTTP (Hypertext Transfer Protocol) forms the backbone of all web communication, from simple webpage requests to complex API interactions.
Understanding HTTP methods and status codes isn’t just academic knowledge—it’s essential for building secure, efficient, and maintainable web applications.
Every time you click a link, submit a form, or use a mobile app, HTTP methods are working behind the scenes to facilitate communication between clients and servers.
The choice of method and proper status code handling can dramatically impact application performance, security, and user experience.
This comprehensive guide explores HTTP methods in detail, covers the complete spectrum of status codes, and provides practical insights for implementing robust RESTful APIs.
Whether you’re building your first web service or optimizing enterprise applications, mastering these fundamentals will elevate your development practices.
HTTP Communication Fundamentals
HTTP operates on a simple request-response model where clients send requests to servers and receive responses. Understanding this fundamental interaction is crucial for effective API design.
sequenceDiagram
participant C as Client
(Browser/App) participant S as Server
(Web/API Server) Note over C,S: HTTP Request-Response Cycle C->>S: 1. HTTP Request
Method + URL + Headers + Body Note right of S: Server processes:
• Route matching
• Authentication
• Business logic
• Data operations S->>C: 2. HTTP Response
Status Code + Headers + Body Note over C,S: Complete Transaction C->>S: 3. Follow-up Request
(if needed) S->>C: 4. Subsequent Response
(Browser/App) participant S as Server
(Web/API Server) Note over C,S: HTTP Request-Response Cycle C->>S: 1. HTTP Request
Method + URL + Headers + Body Note right of S: Server processes:
• Route matching
• Authentication
• Business logic
• Data operations S->>C: 2. HTTP Response
Status Code + Headers + Body Note over C,S: Complete Transaction C->>S: 3. Follow-up Request
(if needed) S->>C: 4. Subsequent Response
HTTP Request-Response Cycle: The foundation of web communication
HTTP Request Structure Deep Dive
Every HTTP request follows a standardized format that conveys essential information about what the client wants to accomplish.
[METHOD] [URL] HTTP/[VERSION]
[Header-Name]: [Header-Value]
[Header-Name]: [Header-Value]
[blank line]
[Request Body - Optional]
Real-world Example:
POST /api/v1/users HTTP/1.1
Host: api.example.com
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
User-Agent: MyApp/1.0 (iOS 15.0)
Accept: application/json
Content-Length: 87
{
"name": "John Doe",
"email": "john@example.com",
"department": "Engineering"
}
HTTP Response Structure Analysis
HTTP responses provide clients with the requested data and crucial metadata about the operation’s success or failure.
HTTP/[VERSION] [STATUS_CODE] [STATUS_TEXT]
[Header-Name]: [Header-Value]
[Header-Name]: [Header-Value]
[blank line]
[Response Body - Optional]
Successful Response Example:
HTTP/1.1 201 Created
Content-Type: application/json
Location: /api/v1/users/12345
Cache-Control: no-cache
Set-Cookie: session_id=abc123; HttpOnly; Secure
X-Rate-Limit-Remaining: 99
Content-Length: 156
{
"id": "12345",
"name": "John Doe",
"email": "john@example.com",
"department": "Engineering",
"created_at": "2025-01-19T10:30:00Z"
}
HTTP Methods: The Verbs of Web Communication
HTTP methods (also called verbs) define the intended action for a given request. Each method has specific semantics, safety properties, and idempotency characteristics that impact how they should be used.
graph LR
A[HTTP Methods] --> B[Safe Methods]
A --> C[Unsafe Methods]
B --> B1[GET
Read Data] B --> B2[HEAD
Get Metadata] B --> B3[OPTIONS
Check Capabilities] C --> C1[POST
Create Resource] C --> C2[PUT
Replace Resource] C --> C3[PATCH
Update Partially] C --> C4[DELETE
Remove Resource] B1 --> D1[Idempotent
Cacheable
No Side Effects] B2 --> D2[Idempotent
Cacheable
Headers Only] B3 --> D3[Idempotent
CORS Preflight
API Discovery] C1 --> E1[Not Idempotent
Creates Resources
Form Submissions] C2 --> E2[Idempotent
Replace Entire
Create or Update] C3 --> E3[Not Idempotent
Partial Updates
Field Modifications] C4 --> E4[Idempotent
Resource Removal
Cleanup Operations] style B fill:#d4f4dd,stroke:#333,stroke-width:2px style C fill:#ffd3b6,stroke:#333,stroke-width:2px style B1 fill:#95e1d3,stroke:#333,stroke-width:1px style B2 fill:#95e1d3,stroke:#333,stroke-width:1px style B3 fill:#95e1d3,stroke:#333,stroke-width:1px style C1 fill:#ffb3ba,stroke:#333,stroke-width:1px style C2 fill:#ffb3ba,stroke:#333,stroke-width:1px style C3 fill:#ffb3ba,stroke:#333,stroke-width:1px style C4 fill:#ffb3ba,stroke:#333,stroke-width:1px
Read Data] B --> B2[HEAD
Get Metadata] B --> B3[OPTIONS
Check Capabilities] C --> C1[POST
Create Resource] C --> C2[PUT
Replace Resource] C --> C3[PATCH
Update Partially] C --> C4[DELETE
Remove Resource] B1 --> D1[Idempotent
Cacheable
No Side Effects] B2 --> D2[Idempotent
Cacheable
Headers Only] B3 --> D3[Idempotent
CORS Preflight
API Discovery] C1 --> E1[Not Idempotent
Creates Resources
Form Submissions] C2 --> E2[Idempotent
Replace Entire
Create or Update] C3 --> E3[Not Idempotent
Partial Updates
Field Modifications] C4 --> E4[Idempotent
Resource Removal
Cleanup Operations] style B fill:#d4f4dd,stroke:#333,stroke-width:2px style C fill:#ffd3b6,stroke:#333,stroke-width:2px style B1 fill:#95e1d3,stroke:#333,stroke-width:1px style B2 fill:#95e1d3,stroke:#333,stroke-width:1px style B3 fill:#95e1d3,stroke:#333,stroke-width:1px style C1 fill:#ffb3ba,stroke:#333,stroke-width:1px style C2 fill:#ffb3ba,stroke:#333,stroke-width:1px style C3 fill:#ffb3ba,stroke:#333,stroke-width:1px style C4 fill:#ffb3ba,stroke:#333,stroke-width:1px
HTTP Methods Classification: Safe vs Unsafe operations and their characteristics
Method Properties Explained
| Property | Definition | Importance |
|---|---|---|
| Safe | Method doesn't modify server state | Enables aggressive caching and prefetching |
| Idempotent | Multiple identical requests have same effect | Enables safe retry mechanisms |
| Cacheable | Response can be stored and reused | Improves performance and reduces server load |
Comprehensive HTTP Methods Guide
GET - The Foundation of Web Browsing
GET is the most fundamental HTTP method, designed for retrieving resources without causing side effects.
| GET Method Characteristics | |
|---|---|
| Purpose | Retrieve data from a specified resource |
| Safety | Safe (no server state changes) |
| Idempotency | Idempotent (same result every time) |
| Request Body | Not typically used (though technically allowed) |
| Cacheability | Highly cacheable |
| URL Length Limit | Limited (2048 chars in most browsers) |
Example: User Profile Retrieval
GET /api/v1/users/12345?include=profile,permissions HTTP/1.1
Host: api.company.com
Accept: application/json
Authorization: Bearer token123
If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"
Successful Response:
HTTP/1.1 200 OK
Content-Type: application/json
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
Cache-Control: private, max-age=300
Last-Modified: Fri, 17 Jan 2025 09:15:00 GMT
{
"id": "12345",
"username": "johndoe",
"profile": {
"firstName": "John",
"lastName": "Doe",
"email": "john@company.com"
},
"permissions": ["read", "write", "admin"]
}
Advanced GET Patterns:
- Filtering:
GET /api/products?category=electronics&price_max=500 - Sorting:
GET /api/users?sort=name:asc,created_at:desc - Pagination:
GET /api/orders?page=2&limit=20 - Field Selection:
GET /api/users/123?fields=name,email,created_at
POST - Creating New Resources
POST is the workhorse method for creating resources and performing operations that change server state.
| POST Method Characteristics | |
|---|---|
| Purpose | Create new resources or process data |
| Safety | Not safe (modifies server state) |
| Idempotency | Not idempotent (multiple requests may create multiple resources) |
| Request Body | Contains resource data |
| Cacheability | Only if explicitly specified |
| Security | Requires CSRF protection |
Example: Creating a New Order
POST /api/v1/orders HTTP/1.1
Host: api.ecommerce.com
Content-Type: application/json
Authorization: Bearer user_token_xyz
X-CSRF-Token: csrf_token_123
Content-Length: 245
{
"customer_id": "customer_789",
"items": [
{
"product_id": "prod_001",
"quantity": 2,
"price": 29.99
}
],
"shipping_address": {
"street": "123 Main St",
"city": "New York",
"zip": "10001"
}
}
Success Response:
HTTP/1.1 201 Created
Content-Type: application/json
Location: /api/v1/orders/order_456
X-Request-ID: req_abc123def456
{
"id": "order_456",
"status": "confirmed",
"total": 59.98,
"estimated_delivery": "2025-01-22",
"tracking_number": "1Z999AA1234567890"
}
POST Use Cases:
- User registration and login
- File uploads
- Form submissions
- Payment processing
- Triggering server-side operations
PUT - Complete Resource Replacement
PUT is designed for replacing entire resources or creating resources with client-specified identifiers.
| PUT Method Characteristics | |
|---|---|
| Purpose | Replace entire resource or create if doesn't exist |
| Safety | Not safe (modifies server state) |
| Idempotency | Idempotent (same effect when repeated) |
| Request Body | Contains complete resource representation |
| Cacheability | Not cacheable |
| Overwrite Behavior | Replaces entire resource |
Example: Updating User Profile
PUT /api/v1/users/12345 HTTP/1.1
Host: api.company.com
Content-Type: application/json
Authorization: Bearer token123
If-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"
{
"username": "johndoe",
"firstName": "John",
"lastName": "Doe",
"email": "john.doe@company.com",
"department": "Engineering",
"role": "Senior Developer"
}
PUT vs POST Decision Matrix:
flowchart TD
A[Need to modify resource?] --> B{Know resource ID?}
B -->|Yes| C{Replace entire resource?}
B -->|No| D[Use POST
Server assigns ID] C -->|Yes| E[Use PUT
Idempotent replacement] C -->|No| F[Use PATCH
Partial update] D --> G[POST /api/users
Creates new user] E --> H[PUT /api/users/123
Replaces user 123] F --> I[PATCH /api/users/123
Updates specific fields] style D fill:#ffb3ba,stroke:#333,stroke-width:2px style E fill:#95e1d3,stroke:#333,stroke-width:2px style F fill:#ffd3b6,stroke:#333,stroke-width:2px
Server assigns ID] C -->|Yes| E[Use PUT
Idempotent replacement] C -->|No| F[Use PATCH
Partial update] D --> G[POST /api/users
Creates new user] E --> H[PUT /api/users/123
Replaces user 123] F --> I[PATCH /api/users/123
Updates specific fields] style D fill:#ffb3ba,stroke:#333,stroke-width:2px style E fill:#95e1d3,stroke:#333,stroke-width:2px style F fill:#ffd3b6,stroke:#333,stroke-width:2px
Decision tree for choosing between POST, PUT, and PATCH methods
PATCH - Efficient Partial Updates
PATCH enables efficient partial updates, reducing bandwidth and processing overhead.
| PATCH Method Characteristics | |
|---|---|
| Purpose | Apply partial modifications to a resource |
| Safety | Not safe (modifies server state) |
| Idempotency | Depends on implementation |
| Request Body | Contains partial resource changes |
| Efficiency | More efficient than PUT for small changes |
| Complexity | More complex to implement correctly |
JSON Patch Format (RFC 6902):
PATCH /api/v1/users/12345 HTTP/1.1
Host: api.company.com
Content-Type: application/json-patch+json
Authorization: Bearer token123
[
{ "op": "replace", "path": "/email", "value": "newemail@company.com" },
{ "op": "add", "path": "/skills/-", "value": "Kubernetes" },
{ "op": "remove", "path": "/permissions/read-only" }
]
Simple JSON Format:
PATCH /api/v1/users/12345 HTTP/1.1
Host: api.company.com
Content-Type: application/json
Authorization: Bearer token123
{
"email": "newemail@company.com",
"department": "DevOps"
}
DELETE - Resource Removal
DELETE is specifically designed for removing resources from the server.
| DELETE Method Characteristics | |
|---|---|
| Purpose | Remove specified resource |
| Safety | Not safe (modifies server state) |
| Idempotency | Idempotent (deleting deleted resource has no effect) |
| Request Body | Optional (rarely used) |
| Response Body | Usually empty (204 No Content) |
| Reversibility | Typically irreversible |
Example: Deleting User Account
DELETE /api/v1/users/12345 HTTP/1.1
Host: api.company.com
Authorization: Bearer admin_token
X-Confirm-Deletion: true
Success Response:
HTTP/1.1 204 No Content
X-Request-ID: req_delete_user_123
Soft Delete Implementation:
PATCH /api/v1/users/12345 HTTP/1.1
Host: api.company.com
Content-Type: application/json
Authorization: Bearer admin_token
{
"status": "deleted",
"deleted_at": "2025-01-19T10:30:00Z"
}
HEAD - Metadata Retrieval
HEAD is identical to GET but returns only headers, making it perfect for metadata checks.
Example: Checking File Size
HEAD /api/v1/files/large-dataset.csv HTTP/1.1
Host: storage.company.com
Authorization: Bearer token123
Response:
HTTP/1.1 200 OK
Content-Type: text/csv
Content-Length: 52428800
Last-Modified: Thu, 16 Jan 2025 14:30:00 GMT
ETag: "checksum-abc123"
HEAD Use Cases:
- Checking if resource exists before expensive operations
- Getting file size before download
- Checking modification dates for caching
- Validating URLs without transferring content
OPTIONS - API Discovery and CORS
OPTIONS provides information about server capabilities and is crucial for CORS preflight requests.
CORS Preflight Example:
OPTIONS /api/v1/users HTTP/1.1
Host: api.company.com
Origin: https://admin.company.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type, Authorization
Response:
HTTP/1.1 200 OK
Allow: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
Access-Control-Allow-Origin: https://admin.company.com
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400
HTTP Status Codes: The Language of Response
Status codes provide immediate feedback about request processing results. Understanding them enables proper error handling and user experience optimization.
graph TD
A[HTTP Status Codes] --> B[1xx Informational
Processing] A --> C[2xx Success
Completed] A --> D[3xx Redirection
Further Action] A --> E[4xx Client Error
Client Mistake] A --> F[5xx Server Error
Server Problem] B --> B1[100 Continue
Keep sending data] B --> B2[101 Switching Protocols
WebSocket upgrade] B --> B3[102 Processing
Long operation in progress] C --> C1[200 OK
Standard success] C --> C2[201 Created
Resource created] C --> C3[204 No Content
Success, no data] C --> C4[206 Partial Content
Range request] D --> D1[301 Moved Permanently
SEO-friendly redirect] D --> D2[302 Found
Temporary redirect] D --> D3[304 Not Modified
Use cached version] E --> E1[400 Bad Request
Invalid syntax] E --> E2[401 Unauthorized
Authentication needed] E --> E3[403 Forbidden
Access denied] E --> E4[404 Not Found
Resource missing] E --> E5[429 Too Many Requests
Rate limited] F --> F1[500 Internal Server Error
Generic server error] F --> F2[502 Bad Gateway
Upstream problem] F --> F3[503 Service Unavailable
Temporarily down] style B fill:#e1f5fe,stroke:#01579b,stroke-width:2px style C fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px style D fill:#fff3e0,stroke:#ef6c00,stroke-width:2px style E fill:#ffebee,stroke:#c62828,stroke-width:2px style F fill:#fce4ec,stroke:#ad1457,stroke-width:2px
Processing] A --> C[2xx Success
Completed] A --> D[3xx Redirection
Further Action] A --> E[4xx Client Error
Client Mistake] A --> F[5xx Server Error
Server Problem] B --> B1[100 Continue
Keep sending data] B --> B2[101 Switching Protocols
WebSocket upgrade] B --> B3[102 Processing
Long operation in progress] C --> C1[200 OK
Standard success] C --> C2[201 Created
Resource created] C --> C3[204 No Content
Success, no data] C --> C4[206 Partial Content
Range request] D --> D1[301 Moved Permanently
SEO-friendly redirect] D --> D2[302 Found
Temporary redirect] D --> D3[304 Not Modified
Use cached version] E --> E1[400 Bad Request
Invalid syntax] E --> E2[401 Unauthorized
Authentication needed] E --> E3[403 Forbidden
Access denied] E --> E4[404 Not Found
Resource missing] E --> E5[429 Too Many Requests
Rate limited] F --> F1[500 Internal Server Error
Generic server error] F --> F2[502 Bad Gateway
Upstream problem] F --> F3[503 Service Unavailable
Temporarily down] style B fill:#e1f5fe,stroke:#01579b,stroke-width:2px style C fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px style D fill:#fff3e0,stroke:#ef6c00,stroke-width:2px style E fill:#ffebee,stroke:#c62828,stroke-width:2px style F fill:#fce4ec,stroke:#ad1457,stroke-width:2px
HTTP Status Code Categories: From informational messages to server errors
Comprehensive Status Code Guide
1xx - Informational Responses
These interim responses indicate that the request has been received and processing continues.
| Code | Status | When to Use | Client Action |
|---|---|---|---|
| 100 | Continue | Large request bodies with Expect: 100-continue | Send request body |
| 101 | Switching Protocols | WebSocket upgrades, HTTP/2 upgrades | Switch to new protocol |
| 102 | Processing | Long-running operations (WebDAV) | Continue waiting |
| 103 | Early Hints | Preload resources while server prepares response | Start preloading resources |
2xx - Success Responses
These codes indicate that the client’s request was successfully received, understood, and accepted.
| Code | Status | Best Use Cases | Response Body |
|---|---|---|---|
| 200 | OK | GET, successful PUT/PATCH with content | Resource representation |
| 201 | Created | POST that creates resources | Created resource + Location header |
| 202 | Accepted | Asynchronous processing started | Status info + tracking details |
| 204 | No Content | DELETE, PUT/PATCH without content return | Empty |
| 206 | Partial Content | Range requests, resumable downloads | Requested byte range |
Advanced 2xx Usage Examples:
201 Created with proper headers:
HTTP/1.1 201 Created
Content-Type: application/json
Location: /api/v1/users/12345
ETag: "version-1"
{
"id": "12345",
"status": "active",
"created_at": "2025-01-19T10:30:00Z"
}
202 Accepted for async processing:
HTTP/1.1 202 Accepted
Content-Type: application/json
{
"job_id": "job_789",
"status": "processing",
"estimated_completion": "2025-01-19T10:35:00Z",
"status_url": "/api/v1/jobs/job_789"
}
3xx - Redirection Responses
These codes indicate that further action needs to be taken to complete the request.
| Code | Status | Use Case | Caching | Method Preservation |
|---|---|---|---|---|
| 301 | Moved Permanently | URL structure changes, domain migration | Cached indefinitely | May change to GET |
| 302 | Found | Temporary redirects | Not cached | May change to GET |
| 304 | Not Modified | Conditional requests with ETags | Use cached version | N/A |
| 307 | Temporary Redirect | Temporary redirect keeping method | Not cached | Preserved |
| 308 | Permanent Redirect | Permanent redirect keeping method | Cached | Preserved |
Smart Caching with 304:
GET /api/v1/users/12345 HTTP/1.1
Host: api.company.com
If-None-Match: "version-5"
HTTP/1.1 304 Not Modified
ETag: "version-5"
Cache-Control: private, max-age=300
4xx - Client Error Responses
These codes indicate that the client has made an error in the request.
| Code | Status | Common Causes | Client Action |
|---|---|---|---|
| 400 | Bad Request | Invalid JSON, missing required fields | Fix request format |
| 401 | Unauthorized | Missing/invalid authentication | Provide valid credentials |
| 403 | Forbidden | Insufficient permissions | Request access or use different account |
| 404 | Not Found | Resource doesn't exist | Check URL or create resource |
| 405 | Method Not Allowed | HTTP method not supported | Use allowed method (check Allow header) |
| 409 | Conflict | Resource state conflict | Resolve conflict and retry |
| 422 | Unprocessable Entity | Valid syntax but semantic errors | Fix business logic errors |
| 429 | Too Many Requests | Rate limit exceeded | Wait and retry (check Retry-After) |
Detailed Error Response Example:
HTTP/1.1 422 Unprocessable Entity
Content-Type: application/json
{
"error": "validation_failed",
"message": "The request data failed validation",
"details": [
{
"field": "email",
"code": "invalid_format",
"message": "Email address format is invalid"
},
{
"field": "age",
"code": "out_of_range",
"message": "Age must be between 18 and 120"
}
],
"documentation_url": "https://docs.api.com/errors#validation_failed"
}
5xx - Server Error Responses
These codes indicate that the server is aware that it has encountered an error or is otherwise incapable of performing the request.
| Code | Status | Typical Causes | Resolution Strategy |
|---|---|---|---|
| 500 | Internal Server Error | Unhandled exceptions, bugs | Check logs, fix server code |
| 501 | Not Implemented | Feature not yet implemented | Implement feature or use alternative |
| 502 | Bad Gateway | Upstream server issues | Check upstream services |
| 503 | Service Unavailable | Overload, maintenance | Wait and retry (check Retry-After) |
| 504 | Gateway Timeout | Upstream timeout | Optimize upstream or increase timeout |
Advanced HTTP Concepts
Content Negotiation
HTTP supports content negotiation to serve different representations of the same resource.
Request with Accept Headers:
GET /api/v1/users/12345 HTTP/1.1
Host: api.company.com
Accept: application/json, application/xml;q=0.8
Accept-Language: en-US, en;q=0.9, fr;q=0.5
Accept-Encoding: gzip, deflate, br
Response with Content Headers:
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Language: en-US
Content-Encoding: gzip
Vary: Accept, Accept-Language, Accept-Encoding
Conditional Requests
Conditional requests help with caching and prevent lost updates.
ETags for Cache Validation:
GET /api/v1/documents/456 HTTP/1.1
Host: api.company.com
If-None-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"
HTTP/1.1 304 Not Modified
ETag: "33a64df551425fcc55e4d42a148795d9f25f89d4"
Optimistic Concurrency Control:
PUT /api/v1/documents/456 HTTP/1.1
Host: api.company.com
If-Match: "33a64df551425fcc55e4d42a148795d9f25f89d4"
Content-Type: application/json
{
"title": "Updated Document",
"content": "New content here"
}
Security Headers
Security headers protect against various attacks and vulnerabilities.
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Performance Optimization Strategies
HTTP/2 and HTTP/3 Benefits
graph LR
A[HTTP/1.1] --> B[HTTP/2]
B --> C[HTTP/3]
A --> A1[Single Connection
Head-of-line blocking
Text Protocol] B --> B1[Multiplexing
Server Push
Binary Protocol
Header Compression] C --> C1[QUIC Transport
Better Mobile Performance
0-RTT Connection] style A fill:#ffb3ba,stroke:#333,stroke-width:2px style B fill:#ffd3b6,stroke:#333,stroke-width:2px style C fill:#d4f4dd,stroke:#333,stroke-width:2px
Head-of-line blocking
Text Protocol] B --> B1[Multiplexing
Server Push
Binary Protocol
Header Compression] C --> C1[QUIC Transport
Better Mobile Performance
0-RTT Connection] style A fill:#ffb3ba,stroke:#333,stroke-width:2px style B fill:#ffd3b6,stroke:#333,stroke-width:2px style C fill:#d4f4dd,stroke:#333,stroke-width:2px
HTTP Protocol Evolution: From simple requests to advanced multiplexing
Caching Strategies
Cache-Control Directive Examples:
# Immutable resources (images, CSS with hashes)
Cache-Control: public, max-age=31536000, immutable
# API responses that change frequently
Cache-Control: private, max-age=300, must-revalidate
# Sensitive data
Cache-Control: private, no-cache, no-store
# CDN-friendly content
Cache-Control: public, max-age=3600, s-maxage=86400
Rate Limiting Implementation
Rate Limit Headers:
HTTP/1.1 200 OK
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1642678800
X-RateLimit-Window: 3600
# When rate limited:
HTTP/1.1 429 Too Many Requests
Retry-After: 3600
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 0
RESTful API Design Best Practices
Resource-Oriented Design
Good URL Design:
✓ GET /api/v1/users
✓ GET /api/v1/users/12345
✓ POST /api/v1/users
✓ PUT /api/v1/users/12345
✓ DELETE /api/v1/users/12345
✓ GET /api/v1/users/12345/orders
✓ POST /api/v1/users/12345/orders
Avoid These Patterns:
X GET /api/v1/getUsers
X POST /api/v1/createUser
X GET /api/v1/users/delete/12345
X POST /api/v1/users/12345/deleteOrder
API Versioning Strategies
| Method | Example | Pros | Cons |
|---|---|---|---|
| URL Versioning | /api/v1/users | Clear, cacheable | URL proliferation |
| Header Versioning | API-Version: 1.0 | Clean URLs | Less visible |
| Accept Header | Accept: application/vnd.api.v1+json | HTTP compliant | Complex |
| Query Parameter | /api/users?version=1 | Simple | Not RESTful |
Error Handling Standards
Consistent Error Response Format:
{
"error": {
"code": "VALIDATION_ERROR",
"message": "The request contains invalid data",
"details": [
{
"field": "email",
"issue": "must be a valid email address"
}
],
"request_id": "req_123456789",
"documentation_url": "https://docs.api.com/errors/validation"
}
}
HATEOAS Implementation
Hypermedia-driven API Response:
{
"id": "12345",
"name": "John Doe",
"email": "john@company.com",
"_links": {
"self": {
"href": "/api/v1/users/12345"
},
"edit": {
"href": "/api/v1/users/12345",
"method": "PUT"
},
"delete": {
"href": "/api/v1/users/12345",
"method": "DELETE"
},
"orders": {
"href": "/api/v1/users/12345/orders"
}
}
}
Security Considerations
Authentication and Authorization
Bearer Token Example:
GET /api/v1/users/profile HTTP/1.1
Host: api.company.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
API Key in Header:
GET /api/v1/data HTTP/1.1
Host: api.company.com
X-API-Key: your-api-key-here
CORS Configuration
Preflight Request Handling:
OPTIONS /api/v1/users HTTP/1.1
Host: api.company.com
Origin: https://app.company.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type, Authorization
HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://app.company.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400
Input Validation and Sanitization
Request Validation:
// Input validation example
const userSchema = {
name: { type: 'string', minLength: 2, maxLength: 50 },
email: { type: 'string', format: 'email' },
age: { type: 'integer', minimum: 18, maximum: 120 }
};
Modern API Development Tools
OpenAPI Specification
API Documentation Example:
openapi: 3.0.0
info:
title: User Management API
version: 1.0.0
paths:
/users:
get:
summary: List all users
responses:
'200':
description: Success
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/User'
post:
summary: Create new user
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/CreateUser'
responses:
'201':
description: User created
Testing and Monitoring
API Testing Checklist:
- Functional testing (happy path scenarios)
- Error handling testing (all 4xx and 5xx cases)
- Security testing (authentication, authorization)
- Performance testing (load, stress, spike)
- Contract testing (API schema validation)
Monitoring Metrics:
- Response time percentiles (P50, P95, P99)
- Error rate by status code
- Request volume and patterns
- API endpoint usage analytics
Conclusion
HTTP methods and status codes form the foundation of modern web communication. Mastering these concepts enables you to build robust, efficient, and user-friendly APIs that scale with your application’s growth.
The choice of HTTP method impacts not just functionality but also caching behavior, security posture, and performance characteristics. Similarly, proper status code usage provides clear communication between servers and clients, enabling better error handling and user experiences.
Key Implementation Guidelines:
- Use HTTP methods semantically - GET for reading, POST for creation, PUT for replacement, PATCH for updates, DELETE for removal
- Return appropriate status codes - Be specific and consistent in your status code usage
- Implement proper caching - Leverage HTTP caching mechanisms for performance
- Design for security - Use HTTPS, proper authentication, and security headers
- Version your APIs - Plan for evolution and backward compatibility
- Document thoroughly - Use OpenAPI specifications and provide clear examples
Looking Forward:
As web technologies evolve, HTTP continues to adapt. HTTP/3 brings performance improvements, GraphQL offers alternative query paradigms, and WebAssembly enables new application architectures. However, the fundamental principles of RESTful design and proper HTTP usage remain constant.
Understanding these fundamentals provides a solid foundation for exploring emerging technologies and building applications that stand the test of time. Whether you’re designing microservices, building mobile APIs, or creating web applications, these HTTP concepts will serve you throughout your development career.
Comments