Skip to main content
Web Application Vulnerabilities
CHAPTER 02

HTTP, HTTPS, and Web Fundamentals

Updated: May 15, 2026
20 min read

# CHAPTER 2

HTTP, HTTPS, and Web Fundamentals

1. Introduction

To defend a web application, you must understand the language it speaks. The entire internet operates on the Hypertext Transfer Protocol (HTTP). When a developer understands exactly how data flows between the browser and the server, they can pinpoint exactly where attackers will attempt to inject malicious payloads. In this chapter, we will dissect HTTP Requests and Responses, understand the critical difference between HTTP and HTTPS, and explore the stateless nature of the web.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Deconstruct the anatomy of an HTTP Request (GET vs. POST).
  • Understand HTTP Response codes (200, 403, 404, 500).
  • Explain why HTTP is a "Stateless" protocol.
  • Understand how Cookies solve the stateless problem.
  • Define the cryptographic protection provided by HTTPS.

3. Beginner-Friendly Explanation

Imagine ordering food at a drive-thru window.
  • The HTTP Request: You drive up and say, "I want a burger (GET request) and my name is Alice (Parameters)."
  • The HTTP Response: The cashier hands you a bag of food (The HTML web page) and says, "Here is your food (Status Code 200 OK)."
  • Statelessness: If you drive around the building and pull up to the window 5 minutes later to ask for ketchup, the cashier has total amnesia. They don't remember you bought a burger. To fix this, they gave you a receipt earlier (A Cookie). You show the receipt, and they remember who you are.
  • HTTPS: If you order using a megaphone, everyone in the parking lot hears your credit card number. HTTPS is like rolling up the window and passing a locked box back and forth.

4. The Anatomy of an HTTP Request

When you click a link or submit a form, your browser sends raw text to the server. Key Components:
  1. 1. The Verb (Method):
  • GET: "Give me this page." (Data is sent visibly in the URL, e.g., ?search=shoes). *Never use GET for sensitive data.*
  • POST: "Here is some data, save it." (Data is hidden in the body of the request, used for logins and form submissions).
  1. 2. The Headers: Metadata about the request (e.g., what browser you are using, or the Cookie header that proves you are logged in).
  1. 3. The Body: The actual payload (e.g., the username and password).

5. The HTTP Response

The server processes the request and sends back a response. Crucial Status Codes for Security:
  • 200 OK: Success. The page loaded.
  • 302 Found: Redirect. (Often used after a successful login to redirect to the dashboard).
  • 401 Unauthorized: You must log in to see this.
  • 403 Forbidden: You are logged in, but you don't have administrative permission to view this page.
  • 500 Internal Server Error: The application crashed. *(Security Risk: If poorly configured, a 500 error might print raw database code to the screen, helping hackers).*

6. The Stateless Web and Cookies

HTTP is Stateless. Every single request is treated as a brand new, isolated event. To create a seamless "logged in" experience, the server sends your browser a tiny text file called a Cookie after you log in. With every subsequent request (clicking a new page), your browser automatically attaches this Cookie. The server reads the Cookie, realizes it's you, and serves your personal dashboard. *If a hacker steals this cookie, they steal your account.*

7. Mini Project: Inspect HTTP Requests

Let's use the browser's built-in Developer Tools to look at raw HTTP traffic.

Step-by-Step Walkthrough:

  1. 1. Open Google Chrome or Firefox.
  1. 2. Right-click anywhere on the page and select "Inspect" (or press F12).
  1. 3. Click on the "Network" tab at the top.
  1. 4. Navigate to a website (e.g., http://example.com).
  1. 5. Watch the Network tab fill up. Click on the very first item at the top of the list.
  1. 6. Look at the right-hand panel under "Headers".
  • Find the Request Method (It should say GET).
  • Find the Status Code (It should say 200 OK).
  • Scroll down to Request Headers and see what your browser is telling the server about you!

8. Real-World Scenarios

A developer builds a password reset feature. They use a GET request instead of a POST request. When the user types their new password, the URL looks like this: https://app.com/reset?new_password=MySecret123. The user successfully resets their password. However, because it was a GET request, the plaintext password is now permanently saved in the server's access logs, the user's browser history, and potentially intercepted by proxy servers along the way. This is a massive data leakage vulnerability caused by misunderstanding HTTP verbs.

9. Best Practices

  • Enforce HTTPS Everywhere: HTTP traffic is sent in plaintext. Anyone on the same Wi-Fi network can use Wireshark to read passwords, session cookies, and private messages. HTTPS wraps the HTTP traffic in an encrypted TLS tunnel. In modern web development, Port 80 (HTTP) should ONLY be used to immediately redirect the user to Port 443 (HTTPS).

10. Legal and Ethical Notes

Intercepting HTTP traffic on a network you do not own (Packet Sniffing) is a violation of wiretapping laws. You should only inspect traffic on your own local machine (using Developer Tools or proxies like Burp Suite) against applications you are authorized to test.

11. Exercises

  1. 1. Explain why sensitive data, such as a login password, should never be transmitted using an HTTP GET request.
  1. 2. Describe how a web server uses a Cookie to overcome the stateless nature of the HTTP protocol.

12. FAQs

Q: What is a REST API? A: REST (Representational State Transfer) is an architectural style for building web services. It simply means using standard HTTP verbs logically. GET to read a user, POST to create a user, PUT to update a user, and DELETE to remove a user.

13. Interview Questions

  • Q: Differentiate between a 401 Unauthorized and a 403 Forbidden HTTP status code in the context of application access control.
  • Q: A developer stores a session identifier in local storage instead of a Cookie. Explain the architectural differences in how the browser handles the transmission of that identifier in subsequent HTTP requests.

14. Summary

In Chapter 2, we learned the language of the web. We dissected HTTP Requests and Responses, understanding that attackers manipulate HTTP parameters to trick the backend server. We recognized the stateless nature of HTTP and the vital role Cookies play in maintaining identity across requests. Finally, we established the absolute necessity of HTTPS to prevent the interception of this raw, plaintext communication.

15. Next Chapter Recommendation

Now that we know how browsers use cookies to remember who we are, we need to understand how to log in securely in the first place. Proceed to Chapter 3: Authentication and Session Security.

Finish this Chapter

Save your progress on your learning path and prepare for coding interview challenges.

Previous Chapter Introduction to Web Application Security
Next Chapter Authentication and Session Security

Discussion

Join the discussion

Log in or create a free account to participate.

Sort: ·

Explore More

📖 Related Tutorials 4

Related Quizzes 5