Introduction to HTTP Message Structure
Every HTTP request and response follows a structured format. This structure ensures that both the client and server understand not only the data being sent, but also how that data should be handled.
At a high level, HTTP messages consist of:
- Headers – metadata and instructions
- Body – actual data
- Cookies – state information across requests
HTTP Headers: Metadata of Communication
HTTP headers contain information about the request or response, not the data itself. They guide how the message should be interpreted, processed, cached, or secured.
Headers are sent as key–value pairs.
```http
Content-Type: application/json
Authorization: Bearer token
```
Types of HTTP Headers
Request Headers
Request headers provide information about the client and the request being made.
- User-Agent
- Accept
- Authorization
Response Headers
Response headers provide information about the server and the returned data.
- Content-Type
- Cache-Control
- Set-Cookie
General Headers
General headers apply to both requests and responses.
- Date
- Connection
Why Headers Matter
Headers control critical behaviors such as:
- Authentication and authorization
- Content negotiation
- Caching and performance
- Security policies
Without headers, HTTP communication would lack context and control.
HTTP Body: The Actual Data
The HTTP body contains the main data being transmitted. It is optional and depends on the HTTP method being used.
GET requests typically do not have a body, while POST, PUT, and PATCH requests usually do. For example, a login request might carry a JSON body such as:
```json
{
  "username": "john",
  "password": "secret"
}
```
Common Body Formats
The format of the body is defined by the Content-Type header.
| Content-Type | Usage |
|---|---|
| application/json | APIs and modern web apps |
| application/x-www-form-urlencoded | HTML form submissions |
| multipart/form-data | File uploads |
Cookies: Solving HTTP’s Stateless Nature
HTTP is stateless by default. This means the server does not remember previous requests. Cookies are used to maintain state across requests.
A cookie is a small piece of data stored by the browser and automatically sent with future requests.
How Cookies Work
```text
Server  → Set-Cookie → Browser
Browser → Cookie     → Server (on next request)
```
Cookies allow the server to recognize returning clients.
Common Cookie Use Cases
- User authentication sessions
- Shopping cart persistence
- User preferences
- Tracking and analytics
Cookie Attributes Explained
Cookies include attributes that control their behavior and security.
| Attribute | Purpose |
|---|---|
| Expires / Max-Age | Defines cookie lifespan |
| HttpOnly | Prevents access from client-side JavaScript |
| Secure | Only sent over HTTPS |
| SameSite | Controls whether the cookie is sent with cross-site requests |
Headers vs Body vs Cookies
| Component | Purpose | Example |
|---|---|---|
| Headers | Metadata and control | Authorization, Content-Type |
| Body | Main data payload | JSON, form data |
| Cookies | State persistence | Session ID |
Real-World Example: User Login Flow
When a user logs in:
- The client sends credentials in the request body
- The server validates the data
- The server sends a session cookie in response headers
- The browser stores the cookie
- Future requests include the cookie automatically
Security Considerations
Improper handling of headers, body, or cookies can lead to serious vulnerabilities.
- Exposing sensitive data in headers
- Sending cookies over unencrypted HTTP
- Missing HttpOnly or Secure flags
Correct configuration is essential for secure applications.
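The login flow and the security points above, as an added example that is not part of the original article: it parses a constructed raw HTTP response into start line, headers and body, extracts every Set-Cookie header, and reports which cookie attributes from the table above are missing. The sample response and the cookie names are made up for illustration.

```python
# Constructed sample response (not captured from any real server).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
    b"Set-Cookie: prefs=dark; Path=/\r\n"
    b"\r\n"
    b'{"status": "ok"}'
)

def parse_http_message(raw: bytes):
    """Split raw bytes into (start line, [(name, value), ...], body).
    Headers stay a list because Set-Cookie may legitimately repeat."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def parse_set_cookie(value: str):
    """Return (name, value, {attribute: value or True}) for one Set-Cookie."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # bare flag
    return name.strip(), cookie_value.strip(), attrs

def audit_cookie(attrs: dict) -> list:
    """List missing or inconsistent security attributes on one cookie."""
    findings = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")
    if "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str):
        findings.append("missing SameSite")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure")
    return findings

def audit_response(raw: bytes) -> dict:
    """Map each cookie name the response sets to its audit findings."""
    _, headers, _ = parse_http_message(raw)
    return {parse_set_cookie(v)[0]: audit_cookie(parse_set_cookie(v)[2])
            for name, v in headers if name == "set-cookie"}
```

Running `audit_response(SAMPLE_RESPONSE)` reports nothing for the hardened `session` cookie and three missing attributes for `prefs`.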
Why This Topic Is Important
Understanding headers, body, and cookies helps you:
- Design secure authentication systems
- Build reliable APIs
- Debug frontend–backend communication
- Improve performance and caching
These components form the foundation of how real-world web applications communicate.