HTTP and REST — The Client-Server Contract
HTTP and REST — The Client-Server Contract
What does the browser ask the server for, and how does the server reply? Almost everything on the web sits on top of that simple question. This article covers HTTP's origins, methods and status codes, headers, REST's original meaning, and the changes brought by HTTP/2 and HTTP/3.
1. About HTTP and REST
HTTP stands for HyperText Transfer Protocol. Tim Berners-Lee proposed it at CERN in 1989, and after the 0.9 version in 1991 (one-line requests, HTML only), it was standardized as RFC 1945 (HTTP/1.0) in 1996 and RFC 2068 (HTTP/1.1) in 1997 (revised as RFC 2616 in 1999). HTTP/2 followed as RFC 7540 in 2015, and HTTP/3 as RFC 9114 in 2022.
REST stands for Representational State Transfer. It was defined in Roy Fielding's 2000 doctoral dissertation "Architectural Styles and the Design of Network-based Software Architectures". It is a different layer of concept from HTTP itself — closer to "an API design style that follows the web's good properties faithfully".
2. Request-Response Model
The client sends a request and the server returns a response. HTTP/1.1's keep-alive reuses the same connection, but processing remains serial. From HTTP/2, multiple requests can flow concurrently over a single connection.
GET /api/users/42 HTTP/1.1
Host: example.com
Accept: application/json
Authorization: Bearer eyJhbGciOi...
(빈 줄)
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 87
{"id":42,"name":"lee","email":"lee@example.com"}
3. Methods
| Method | Intent | Idempotent | Request body |
|---|---|---|---|
GET |
Retrieve a resource | yes | Generally none |
POST |
Create a resource / general action | no | Yes |
PUT |
Replace a resource entirely | yes | Yes |
PATCH |
Partially update a resource | Generally no | Yes |
DELETE |
Delete a resource | yes | Generally none |
HEAD |
Just headers of GET |
yes | None |
OPTIONS |
Methods / CORS preflight | yes | None |
"Idempotent" means sending the same request multiple times yields the same outcome. Network retry policy depends on this property.
4. Status Codes
Three-digit numbers. The first digit categorizes:
| Category | Meaning | Common codes |
|---|---|---|
| 1xx | Informational | 100 Continue · 101 Switching Protocols |
| 2xx | Success | 200 OK · 201 Created · 204 No Content |
| 3xx | Redirection | 301 Moved Permanently · 302 Found · 304 Not Modified · 307 Temporary Redirect · 308 Permanent Redirect |
| 4xx | Client error | 400 Bad Request · 401 Unauthorized · 403 Forbidden · 404 Not Found · 409 Conflict · 422 Unprocessable Entity · 429 Too Many Requests |
| 5xx | Server error | 500 Internal Server Error · 502 Bad Gateway · 503 Service Unavailable · 504 Gateway Timeout |
The difference between 401 and 403 confuses people often. 401 is "I don't know who you are (need authentication)", 403 is "I know you, but you lack permission".
5. Headers
| Header | Side | Use |
|---|---|---|
Content-Type |
Both | Body format (application/json · text/html · multipart/form-data) |
Accept |
Request | Format the client wants |
Authorization |
Request | Auth (Bearer ..., Basic ...) |
Cookie / Set-Cookie |
Request / response | Cookie |
Cache-Control |
Both | Cache policy (no-store · max-age=3600) |
ETag / If-None-Match |
Response / request | Conditional request (304 if unchanged) |
Location |
Response | Redirect target |
User-Agent |
Request | Client identification |
Origin / Access-Control-Allow-Origin |
Request / response | CORS |
6. REST's Six Constraints
The original constraints as Fielding laid them out:
- Client-Server — separation.
- Stateless — the server stores no state between requests. Every request carries the info it needs.
- Cacheable — responses indicate whether they are cacheable.
- Layered System — intermediate gateways and proxies are allowed.
- Uniform Interface — resources, representations, and hypermedia present a uniform interface.
- Code-On-Demand (optional) — the server may send code.
Most of what we call "REST APIs" today follow only part of #5 — primarily resource-oriented URLs and HTTP method mapping. Fielding himself wrote "that is not REST" in a frequently-cited piece. In practical terms the name has stuck, and when stricter forms are needed, alternatives like GraphQL, gRPC, or JSON:API come up.
7. HTTP/2 and HTTP/3
- HTTP/2 (2015) — multiple streams multiplexed over a single TCP connection. Header compression (HPACK). Server push (now effectively deprecated). Binary framing.
- HTTP/3 (2022) — runs on QUIC, which is UDP-based, instead of TCP. Avoids TCP head-of-line blocking. TLS is integrated into the protocol.
Most modern browsers and CDNs support HTTP/2 and HTTP/3 together. Application code rarely needs to care directly.
8. API Styles Beyond REST
- GraphQL (Facebook, 2015) — single endpoint, the client specifies which fields it needs. Avoids over-fetching.
- gRPC (Google, 2016) — Protocol Buffers over HTTP/2. Type-enforced, bidirectional streaming, high performance. Direct calls from browsers are difficult, so gRPC-Web or a gateway is needed.
- WebSocket (RFC 6455, 2011) — bidirectional persistent connection. Chat, real-time.
- Server-Sent Events — server → client one-way stream. HTTP-based, so simple.
- JSON-RPC · XML-RPC — function-call style.
9. Common Shape
curl is the standard tool on both OSes. Built-in on macOS and Linux, and on Windows from 10 1803+:
# GET
curl -i https://httpbin.org/get
curl -i "https://httpbin.org/get?q=hello"
# POST JSON
curl -X POST https://httpbin.org/post \
-H "Content-Type: application/json" \
-d '{"name":"lee"}'
# 헤더 포함, 응답 헤더만 보기
curl -I https://example.com
# 인증 헤더
curl -H "Authorization: Bearer TOKEN" https://api.example.com/me
PowerShell also runs the same curl (by default it's an alias of Invoke-WebRequest, but Win10 1803+ ships the real curl.exe alongside). To avoid the distinction, write curl.exe explicitly.
10. Common Pitfalls
fetch not rejecting on 4xx / 5xx — check r.ok or r.status directly.
CORS — when calling another origin's API from the browser, the call is blocked unless the server permits it via Access-Control-Allow-Origin. This is purely a browser policy; the server-side call still happens.
Cache — the difference between Cache-Control: no-cache and no-store. no-cache means "revalidate before use", no-store means "do not store at all".
Redirects — 301 / 308 are permanent, 302 / 307 are temporary. Browsers cache permanent redirects, so once a wrong one is set, undoing it is awkward.
Authentication vs authorization — the difference between 401 and 403 affects user experience and security log analysis.
Closing thoughts
HTTP is a foundation built up over 35 years of method, status code, and header agreements on top of a simple request-response model. "REST APIs" that follow only part of the six constraints have become the de facto standard, with GraphQL and gRPC stepping in for stricter spots. As HTTP/2 and HTTP/3 settle in, the benefits of multiplexing and QUIC arrive automatically. What application developers handle daily comes down to four things: methods, status codes, headers, and REST's resource-oriented URLs.
Next
- url-anatomy
- internet-how-it-works
RFC 9110 HTTP Semantics · RFC 9112 HTTP/1.1 · RFC 9113 HTTP/2 · RFC 9114 HTTP/3 · Roy Fielding dissertation (2000) · REST API Tutorial · MDN HTTP · HTTP Cats · curl manual · HTTPie for reference.