HTTP Glossary

40 core HTTP and web development terms explained with definitions, context, and examples.

Caching4
Concepts5
Formats5
Networking6
Protocol10
Head-of-Line BlockingHead-of-Line (HoL) blocking is when the item at the front of a queue can't be processed, stalling every item queued behind it.HTTPHTTP (HyperText Transfer Protocol) is the request-response, application-layer protocol clients and servers use to exchange resources on the web.HTTPSHTTPS is HTTP traffic carried over an encrypted TLS connection — not a separate protocol but simply 'HTTP over TLS'.Keep-AliveKeep-Alive (persistent connection) reuses a single TCP connection for multiple HTTP request/response exchanges, eliminating the cost of opening and closing a connection per request.MultiplexingMultiplexing sends and receives multiple request/response streams concurrently over a single connection — the core improvement of HTTP/2.QUICQUIC is a transport protocol designed by Google and standardized by the IETF to run over UDP; it is the foundation of HTTP/3.RedirectA redirect is the mechanism by which a server, using a 3xx status code and a `Location` header, tells the client 'the requested resource lives at another URL, so re-request it there.'Server-Sent EventsSSE (Server-Sent Events) is a one-way real-time technique where the server keeps pushing events to the client over a single persistent HTTP response stream.WebhookA webhook is a 'reverse API' where, when an event occurs, a server sends an HTTP request (usually POST) to a pre-registered URL to proactively notify the other party.WebSocketWebSocket is a protocol that lets a client and server exchange messages freely in both directions over a single persistent connection.
Security10
Access TokenAn access token is a credential a client presents on a request to prove it is authorized to reach a protected resource (API).CORSCORS (Cross-Origin Resource Sharing) is the standard by which a server uses specific headers to say 'JavaScript from this origin is allowed to read my response,' letting the browser relax the Same-Origin Policy.CSRFCSRF (Cross-Site Request Forgery) is an attack where a logged-in user visits a malicious site that uses the user's auth cookie to send a state-changing request to the target site without the user's knowledge.HSTSHSTS (HTTP Strict Transport Security) is a policy where the server uses the `Strict-Transport-Security` response header to tell browsers 'from now on, only ever connect to this site over HTTPS.'JWTA JWT (JSON Web Token) is a URL-safe, self-contained token format made by signing a JSON set of claims.OriginAn origin is the fundamental unit of web security, defined by the tuple of scheme (protocol), host, and port.Preflight RequestA preflight request is a CORS pre-check in which the browser, before sending a 'complex' cross-origin request, uses the OPTIONS method to ask the server whether that request is allowed.Same-Origin PolicyThe Same-Origin Policy (SOP) is the browser's baseline security rule that prevents a script loaded from one origin from freely accessing resources from another origin.TLS / SSLTLS (Transport Layer Security) is the protocol that provides encryption, integrity, and authentication between two parties; it is the successor to the older SSL (Secure Sockets Layer).XSSXSS (Cross-Site Scripting) is a vulnerability where an attacker injects malicious JavaScript into a web page so it runs in the victim's browser with that site's privileges.