HTTP Methods
| Method | Safe | Idempotent | Use Case |
| GET | ✓ | ✓ | Read resource — no side effects |
| POST | ✗ | ✗ | Create resource — repeated calls create duplicates |
| PUT | ✗ | ✓ | Full replace — same body same result |
| PATCH | ✗ | ✗ | Partial update — non-idempotent by default |
| DELETE | ✗ | ✓ | Remove resource — second call is 404 |
| HEAD | ✓ | ✓ | Like GET but no body — check existence |
| OPTIONS | ✓ | ✓ | CORS preflight — allowed methods/headers |
Status Code Ranges
| Range | Meaning | Key Codes |
| 1xx | Informational | 100 Continue, 101 Switching Protocols |
| 2xx | Success | 200 OK, 201 Created, 204 No Content |
| 3xx | Redirection | 301 Permanent, 302 Found, 304 Not Modified |
| 4xx | Client Error | 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests |
| 5xx | Server Error | 500 Internal, 502 Bad Gateway, 503 Service Unavailable, 504 Gateway Timeout |
Essential Headers
| Header | Direction | Purpose |
| Content-Type | Both | Media type — application/json, text/html |
| Authorization | Request | Bearer token, Basic auth, API key |
| Cache-Control | Both | max-age, no-cache, no-store, private |
| ETag / If-None-Match | Both | Conditional requests — 304 caching |
| Access-Control-Allow-Origin | Response | CORS — which origins may read |
| Set-Cookie | Response | HttpOnly, Secure, SameSite attributes |
HTTP/2 & HTTP/3
| Feature | HTTP/1.1 | HTTP/2 | HTTP/3 |
| Transport | TCP | TCP | QUIC (UDP) |
| Multiplexing | No (6 conn limit) | Streams per connection | Streams, no HoL blocking |
| Header Compression | None | HPACK | QPACK |
| Server Push | No | Yes (deprecated) | WebTransport |
| TLS | Optional | De facto required | Built-in (TLS 1.3) |
Pro Tip: Use HTTP/2 or HTTP/3 whenever possible — multiplexing eliminates head-of-line blocking and connection limits that plague HTTP/1.1.