Skip to main content
RESTful Principles
CHAPTER 03 Beginner

HTTP Basics for REST APIs

Updated: May 13, 2026
5 min read

# CHAPTER 3

HTTP Basics for REST APIs

1. Introduction

If REST is the architecture and an API is the waiter, then HTTP is the language the waiter speaks. Understanding HTTP (Hypertext Transfer Protocol) is absolutely crucial for any API developer. In this chapter, we will strip away the complexity of the web to understand how data actually moves. We will cover the request lifecycle, the importance of headers, and how data is packaged into request and response bodies.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Explain what HTTP is and how it powers the web.
  • Outline the lifecycle of an HTTP request.
  • Understand the role of Request and Response Headers.
  • Differentiate between the Request Body and Response Body.
  • Understand the basic necessity of HTTPS in modern APIs.

3. Beginner-Friendly Explanation

Imagine you are sending a letter through the post office.
  • The envelope has the destination address and return address (this is like an HTTP Header).
  • The letter inside contains your actual message (this is the HTTP Body).
  • The mail carrier who transports the envelope is HTTP.

When you type a URL into a browser or send an API request, you are formulating one of these "envelopes" and sending it across the internet. The server receives it, reads the envelope (headers), opens the letter (body), processes it, and mails a response back to you using the exact same system.

4. Real-World Examples

  • HTTP: Every time you visit http://google.com, your browser is sending an HTTP request.
  • Headers: When you log into an app, your device might send a header like Authorization: Bearer <token> to prove who you are.
  • HTTPS: When you see a "padlock" icon in your browser URL bar, it means you are using HTTPS, a secure, encrypted version of HTTP, ensuring hackers cannot read your "letters" in transit.

5. Detailed Code Examples

Let's look at how we can view the raw HTTP headers in PHP when our API is called.

Viewing Request Headers in PHP (api.php):

php
123456789101112 
<?php
// Get all headers sent by the client
$headers = getallheaders();

// We can check for a specific header, like a custom API key
if (isset($headers[&#039;X-Api-Key'])) {
    $apiKey = $headers[&#039;X-Api-Key'];
    echo "You sent an API key: " . htmlspecialchars($apiKey);
} else {
    echo "No API key found in the headers.";
}
?>

6. Request/Response Examples

Let's see what a full HTTP transaction looks like in plain text.

The Request (Client to Server):

http
123456789 
POST /submit-data HTTP/1.1
Host: api.example.com
User-Agent: Mozilla/5.0
Content-Type: application/json
Content-Length: 36

{
  "message": "Hello from client!"
}

The Response (Server to Client):

http
123456789 
HTTP/1.1 201 Created
Date: Mon, 27 Sep 2026 12:28:53 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: application/json

{
  "status": "success",
  "id": 105
}

7. HTTP Examples

A request lifecycle typically has 4 stages:
  1. 1. Connection: Client establishes a TCP connection with the server.
  1. 2. Request: Client sends the HTTP request (method, URL, headers, body).
  1. 3. Response: Server processes it and sends an HTTP response (status code, headers, body).
  1. 4. Close: The connection is closed (unless Connection: keep-alive is specified).

8. JSON Examples

Often, the HTTP Request Body and Response Body will carry JSON data.

Request Body (JSON):

json
1234 
{
  "username": "coder123",
  "password": "securepassword99"
}

Response Body (JSON):

json
1234 
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
  "expires_in": 3600
}

9. Best Practices

  • Always use HTTPS: Never use plain HTTP for APIs in production. Unencrypted data can easily be intercepted (Man-in-the-Middle attacks).
  • Use meaningful headers: Ensure you set Content-Type: application/json when sending JSON, so the server knows exactly how to parse your letter.
  • Don't put sensitive data in the URL: URLs are often logged by servers and internet service providers. Put sensitive data (like passwords) in the HTTPS Request Body instead.

10. Common Mistakes

  • Forgetting Content-Type: Sending JSON to a PHP server without setting Content-Type: application/json will result in $_POST being empty, causing immense confusion for beginners.
  • Ignoring Headers: Beginners often only look at the body of a response and ignore headers, missing out on important information like rate limits or caching instructions.

11. Mini Exercises

  1. 1. Open up an API testing tool like Postman (or use cURL).
  1. 2. Make a GET request to https://httpbin.org/headers.
  1. 3. Review the response. httpbin is a service that repeats back the headers you sent to it. Notice how many headers your tool sends automatically!

12. Coding Challenges

Challenge 1: Create a simple PHP script that reads the Content-Type header of an incoming request. If the content type is application/json, output "Valid format". If it is anything else, output "Invalid format".

13. MCQs with Answers

Question 1

What does the "S" in HTTPS stand for?

Question 2

In our post office analogy, what does the HTTP Header represent?

Question 3

If a client wants to send a large file to a server, where does the file data go?

14. Interview Questions

  • Q: Explain the lifecycle of an HTTP request from the moment a user clicks "Submit" to the moment data appears on the screen.
  • Q: What is the difference between an HTTP Header and an HTTP Body?
  • Q: Why is HTTPS critical for modern REST APIs?

15. FAQs

Q: Can I put anything I want in an HTTP header? A: Yes, you can create custom headers. It is a common convention to prefix custom headers with X-, such as X-Custom-Auth-Token, though modern standards suggest simply using descriptive names without the prefix.

Q: Is HTTP only used for websites? A: No, HTTP is used by mobile apps, IoT devices (like smart fridges), desktop applications, and server-to-server communication.

16. Summary

In this chapter, we unpacked the HTTP protocol, the universal language of the web. We learned that an HTTP message consists of headers (metadata and instructions) and a body (the actual data payload). We also highlighted the crucial request-response lifecycle and why securing these messages with HTTPS is mandatory for any serious API.

17. Next Chapter Recommendation

You now know the language (HTTP). Next, we will establish the fundamental rules of API design. Move on to Chapter 4: REST Architectural Principles to learn what truly makes an API "RESTful".

Finish this Chapter

Save your progress on your learning path and prepare for coding interview challenges.

Previous Chapter Understanding APIs and Web Services
Next Chapter REST Architectural Principles

Discussion

Join the discussion

Log in or create a free account to participate.

Sort: ·

Explore More

📖 Related Tutorials 4

Related Quizzes 5