HTTP Request Lifecycle

Typehands-on
Duration2 hours
PrerequisitesUnit 1 — How the Internet Works

Learning Objectives

By the end of this unit, you will be able to:

  • Trace the complete lifecycle of an HTTP request
  • Understand request and response headers in depth
  • Work with different content types
  • Debug common HTTP issues using DevTools

When you interact with a web application, every action — clicking a button, submitting a form, loading a page — triggers HTTP requests. Understanding this lifecycle is crucial for debugging and optimization.

Try it: HTTP Request Lifecycle

CLIENT
SERVER

URL Anatomy

Every request starts with a URL. A full URL includes: Protocol (https), Host (domain), Port (443), Path (/users), Query String (?limit=10), and Fragment (#section). The fragment is client-side only and never sent to the server.

Interactive: URL Anatomy

https://api.glyphtic.com:443/v1/users?limit=10&sort=name#section
Hover over a URL part or button to learn more

Query Parameters

Query strings pass data to the server via the URL in the format ?key1=value1&key2=value2

  • Pagination: ?page=2&limit=20
  • Filtering: ?status=active&role=admin
  • Searching: ?q=javascript
  • Sorting: ?sort=created_at&order=desc

Request Headers Deep Dive

Headers are key-value pairs that provide metadata about the request. They include content negotiation (Accept), authentication (Authorization, Cookie), caching directives, and CORS information.

CategoryHeadersPurpose
Content NegotiationAccept, Accept-Language, Accept-EncodingWhat format the client wants
AuthenticationAuthorization, CookieIdentity verification
CachingCache-Control, If-Modified-Since, If-None-MatchCache management
CORSOrigin, Access-Control-*Cross-origin security
Content InfoContent-Type, Content-LengthBody details

Interactive: HTTP Headers Inspector

Content-Type:application/json
Body format
Content-Length:1234
Body size in bytes
Content-Encoding:gzip
Body compression

Content-Type Values

Content-TypeUsage
application/jsonJSON data (most common for APIs)
text/htmlHTML documents
application/x-www-form-urlencodedForm submissions
multipart/form-dataFile uploads
application/octet-streamBinary data

Response Headers

HeaderPurposeExample
Content-TypeResponse formatapplication/json
Cache-ControlCaching instructionsmax-age=3600
ETagResource version for conditional requests"abc123"
Set-CookieCreate browser cookiessession_id=xyz; HttpOnly
LocationRedirect targetUsed with 3xx status

Interactive: HTTP Status Codes

200OKRequest succeeded
201CreatedResource created (POST)
204No ContentSuccess but no body (DELETE)

HTTP Caching

Caching reduces server load and speeds up responses. The Cache-Control header controls how responses are cached.

DirectiveMeaning
publicCan be cached by anyone (CDN, browser)
privateOnly browser can cache (contains user data)
no-cacheMust revalidate before using cached copy
no-storeNever cache (sensitive data)
max-age=NCache for N seconds

Interactive: Cache Flow Visualizer

Browser
Cache
Step 1: Browser checks local cache
Fresh Cache: No network request needed

CORS (Cross-Origin Resource Sharing)

When your frontend tries to fetch from a different domain, the browser enforces Same-Origin Policy. CORS headers allow servers to specify which origins can access their resources.

For "complex" requests (non-GET with custom headers), browsers send an OPTIONS preflight request first. The server must respond with appropriate Access-Control-Allow-* headers.

ErrorCauseFix
No Access-Control-Allow-OriginServer doesn't allow your originAdd origin to server config
Preflight response failedOPTIONS request blockedConfigure server to handle OPTIONS
Credential not supportedCookies not allowed cross-originSet Access-Control-Allow-Credentials: true

Interactive: CORS Preflight Flow

CLIENT
glyphtic.com
OPTIONS
POST
SERVER
api.glyphtic.com
Click a button to simulate CORS flow

Request Body Formats

JSON (Most Common)

POST /api/users HTTP/1.1
Content-Type: application/json


{
  "name": "Alice",
  "email": "alice@example.com"
}

Form Data

POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded


username=alice&password=secret123

Hands-On: DevTools Network Analysis

Exercise: Analyze a Real API Request

  1. Open DevTools → Network tab
  2. Visit https://jsonplaceholder.typicode.com/posts
  3. Find the /posts request and examine request method, headers, response, and timing

Exercise: Watch CORS in Action

  1. Open the browser console
  2. Run: fetch("https://api.github.com/users/octocat").then(r => r.json()).then(console.log)
  3. Check the Network tab for CORS headers

Common Debugging Scenarios

  • Request Never Completes: Check Network tab for pending request, look for CORS errors, verify server is running
  • Wrong Data Returned: Inspect response body, verify endpoint URL, check for caching issues
  • 401/403 Errors: Check Authorization header, verify token hasn't expired, confirm header format

Key Takeaways

  1. Every HTTP request goes through: URL parsing → DNS → TCP → TLS → HTTP
  2. Headers carry metadata; Content-Type is crucial for proper handling
  3. Caching uses Cache-Control, ETag, and conditional requests
  4. CORS protects against cross-origin attacks with preflight checks
  5. DevTools Network tab is your best friend for debugging