惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

小众软件
小众软件
IT之家
IT之家
博客园 - 聂微东
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Privacy International News Feed
人人都是产品经理
人人都是产品经理
PCI Perspectives
PCI Perspectives
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 叶小钗
V
Vulnerabilities – Threatpost
美团技术团队
S
Secure Thoughts
N
News | PayPal Newsroom
L
LINUX DO - 最新话题
腾讯CDC
Application and Cybersecurity Blog
Application and Cybersecurity Blog
雷峰网
雷峰网
B
Blog
MyScale Blog
MyScale Blog
T
The Blog of Author Tim Ferriss
TaoSecurity Blog
TaoSecurity Blog
N
News and Events Feed by Topic
Blog — PlanetScale
Blog — PlanetScale
C
Check Point Blog
T
Tailwind CSS Blog
月光博客
月光博客
Simon Willison's Weblog
Simon Willison's Weblog
Hacker News: Ask HN
Hacker News: Ask HN
The Last Watchdog
The Last Watchdog
Google DeepMind News
Google DeepMind News
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
MongoDB | Blog
MongoDB | Blog
S
Security @ Cisco Blogs
Jina AI
Jina AI
Engineering at Meta
Engineering at Meta
S
Security Affairs
Forbes - Security
Forbes - Security
P
Palo Alto Networks Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 司徒正美
博客园 - 三生石上(FineUI控件)
T
Tor Project blog
O
OpenAI News
L
Lohrmann on Cybersecurity
Security Archives - TechRepublic
Security Archives - TechRepublic
P
Proofpoint News Feed
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
L
LangChain Blog
B
Blog RSS Feed
H
Hackread – Cybersecurity News, Data Breaches, AI and More

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
How the Web Actually Works: HTTP from the Ground Up
Sunil Kumar · 2026-06-14 · via DEV Community

I've been going through Jim Kurose's networking lectures lately, and I kept finding myself pausing to re-read the same sections. Not because they were confusing - because things I'd been using for years were finally clicking into place.

This post is me writing down what I learned, in the order it started making sense.

Before HTTP, there's a webpage

A webpage isn't one file.

When you open a URL, your browser fetches a base HTML file - and that file references other objects. Images. Scripts. Stylesheets. Each one lives at its own URL. Each one has to be fetched separately. So loading a single "page" might mean firing off 20+ individual requests.

This detail matters because the entire evolution of HTTP - from 1.0 to 3 - is basically the story of making those 20 fetches faster.

HTTP runs on TCP. That has consequences.

HTTP doesn't manage its own connections. It hands that job to TCP. When your browser wants something, it first opens a TCP connection to the server (port 80 for HTTP, 443 for HTTPS), and then asks for the object.

Opening a TCP connection isn't free. It takes a round-trip - your machine says "hello," the server says "hello back," and then you can actually talk. That's one RTT(Round Trip Time) just to shake hands, before a single byte of your webpage arrives.

So every HTTP request carries at least 2 RTTs of overhead: 1 to open the TCP connection, 1 for the actual request/response. Do that 20 times and you've spent 40 RTTs before the page renders.

HTTP/1.0 vs HTTP/1.1: one change that mattered a lot

HTTP/1.0 (non-persistent): open a TCP connection, fetch one object, close the connection. Repeat for every object.

HTTP/1.1 (persistent): open a TCP connection, fetch as many objects as you need, then close. The server leaves the connection open after each response.

That one change cuts subsequent fetches from 2 RTTs to 1 RTT each. For a page with 20 objects, that's real time saved - not microseconds, but hundreds of milliseconds that users actually feel.

What an HTTP message looks like

HTTP messages are plain text. You can read them. That's a deliberate design choice.

A request looks like this:

GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Connection: keep-alive

The first line is the request line: method, path, version. Then headers. For POST requests, there's a body - that's where form data lives.

A response looks like this:

HTTP/1.1 200 OK
Date: Sun, 14 Jun 2026 10:00:00 GMT
Content-Type: text/html
Content-Length: 4821

<html>...

Status line first, then headers, then the actual content. Status codes tell you what happened: 200 means it worked, 301 means it moved, 404 means it's not there, 500 means the server broke.

Worth memorizing: HEAD does everything GET does but returns no body - useful when you just want to check metadata.

HTTP is stateless. Cookies exist because of that.

The server remembers nothing between requests. Each request arrives as if the client is brand new.

That's intentional. Stateless servers are simpler to build and easier to scale. But it creates an obvious problem: how does Amazon know you're still logged in between page loads?

Cookies solve this. When you first connect, the server generates a unique ID and sends it back:

Set-Cookie: user_id=8273645

Your browser stores that. On every future request to that domain, it sends:

Cookie: user_id=8273645

The server looks up that ID in its own database and now "remembers" you. The state lives server-side; the cookie is just the key.

This is also why GDPR exists. Cookies let companies track you across sessions and build profiles. EU law now requires explicit consent before non-essential cookies run.

Web caches: the math is more interesting than the concept

Web caches (proxy servers) sit between your browser and the origin server. If the object you want is cached, you get it from the proxy instead of the origin. Faster, cheaper, less load on the server.

Kurose walks through a concrete example I found genuinely clarifying. Say an institution's access link runs at 1.54 Mbps and is at 97% utilization. That's not "nearly full" - at 97% utilization, queuing delays go into the minutes. The link becomes the bottleneck even if every other hop is fast.

You have two options:

  1. Upgrade to a faster link (expensive)
  2. Install a local cache (cheap)

Assume a 40% cache hit rate - 40% of objects are served locally without touching the access link at all. That drops link utilization from 97% to about 58%. At 58%, queuing delays collapse. Average end-to-end latency drops from minutes to ~1.2 seconds.

Same raw bandwidth. Radically different user experience. Just by not fetching the same things twice.

Conditional GET: caches without stale data

Caches raise an obvious question: what if the cached version is out of date?

HTTP solves this with the Conditional GET. When your browser (or a proxy) has a cached copy, it includes a header with the last-modified date:

GET /image.jpg HTTP/1.1
If-Modified-Since: Wed, 10 Jun 2026 08:00:00 GMT

The server checks. If the file hasn't changed since that date, it sends back:

HTTP/1.1 304 Not Modified

No body. Just the status. The client uses its cached copy.

If the file has changed, the server sends a normal 200 with the new content.

The result: you never serve stale content, and you don't waste bandwidth re-downloading things that haven't changed.

HTTP/2: attacking head-of-line blocking

HTTP/1.1 is persistent, but it's still sequential within a connection. If the first response is a 50MB video, the three tiny images behind it wait in line.

This is called head-of-line (HOL) blocking. A big object blocks smaller objects that could have been delivered instantly.

HTTP/2 fixes this by breaking objects into frames and interleaving them. The large video doesn't block the images - they take turns at the byte level. The client can also tell the server which objects matter more, so critical assets arrive first.

HTTP/2 also introduced server push: the server can proactively send objects the client is likely to need next, without waiting to be asked.

HTTP/3: fixing the layer underneath

HTTP/2 solved HOL blocking at the application layer, but there's still a problem underneath: TCP itself.

If a single TCP packet is lost, TCP stops all streams on that connection and waits for retransmission. HTTP/2 has multiple streams, but they all share one TCP connection - so one lost packet freezes everything.

HTTP/3 replaces TCP with QUIC - a transport protocol built on UDP. QUIC implements its own reliability and congestion control, but independently per stream. A lost packet only stalls the stream it belongs to. Everything else keeps moving.

QUIC also bakes in encryption by default and reduces connection setup time (combining the TCP handshake and TLS handshake into fewer round trips). The web gets faster.

A rough mental model of the whole thing

HTTP/1.0  →  2 RTTs per object, new connection each time
HTTP/1.1  →  1 RTT for subsequent objects, persistent connections
HTTP/2    →  parallel streams, no HOL blocking at app layer
HTTP/3    →  QUIC replaces TCP, no HOL blocking at transport layer

Each version is a direct response to the bottleneck the previous version exposed. That's a pattern worth noticing: protocol design is mostly the history of people fixing the problems they created.

What I'd look at next

If this is interesting to you, the next concepts that make this all more concrete are:

  • TLS handshakes (what actually happens on port 443)
  • DNS (how example.com becomes an IP address before any of the above runs)
  • TCP congestion control (what QUIC replaced and why)

Kurose's lectures cover all of it. The textbook (Computer Networking: A Top-Down Approach) is the companion read.

Learning in public at @sunbuilds. Portfolio at sunilk02.vercel.app.