| Protocol | Port | Purpose |
|---|---|---|
| HTTP | 80 | Unencrypted web traffic |
| HTTPS | 443 | TLS-encrypted web traffic |
| DNS | 53 | Name-to-IP resolution |
| SMTP | 25 / 587 | Sending email |
| IMAP / POP3 | 143 / 110 | Retrieving email |
| FTP | 20 / 21 | File transfer |
| SSH | 22 | Secure remote shell |
| DHCP | 67 / 68 | Automatic IP assignment |
| SNMP | 161 / 162 | Device monitoring and management |
| NTP | 123 | Time synchronization |

| Method | Behavior |
|---|---|
| GET | Retrieve a resource — safe, no side effects, cacheable. |
| POST | Create a resource or submit data — not idempotent. |
| PUT | Replace a resource entirely — idempotent. |
| PATCH | Partially update a resource. |
| DELETE | Remove a resource — idempotent. |
| HEAD / OPTIONS | Headers only, no body / discover allowed methods (CORS preflight). |

| Range | Class | Common Examples |
|---|---|---|
| 1xx | Informational | 100 Continue |
| 2xx | Success | 200 OK · 201 Created · 204 No Content |
| 3xx | Redirection | 301 Moved Permanently · 302 Found · 304 Not Modified |
| 4xx | Client Error | 400 Bad Request · 401 Unauthorized · 403 Forbidden · 404 Not Found · 429 Too Many Requests |
| 5xx | Server Error | 500 Internal Server Error · 502 Bad Gateway · 503 Service Unavailable · 504 Gateway Timeout |

| Request Header | Purpose |
|---|---|
| Host | Target domain (enables virtual hosting) |
| Authorization | Credentials — Basic, Bearer token, etc. |
| Accept | Content types the client can handle |
| Accept-Encoding | Compression formats supported |
| User-Agent | Client software identification |

| Response Header | Purpose |
|---|---|
| Content-Type | Media type of the response body |
| Content-Encoding | Compression applied to the body |
| Set-Cookie | Issues a session/tracking cookie |
| Cache-Control | Caching rules for clients/proxies |
| Access-Control-Allow-Origin | CORS — which origins may read the response |

| Record | Purpose |
|---|---|
| A | Hostname → IPv4 address |
| AAAA | Hostname → IPv6 address |
| CNAME | Alias — points to another hostname |
| MX | Mail server for the domain, with priority |
| TXT | Arbitrary text — SPF/DKIM/domain verification |
| NS | Delegates the domain to authoritative name servers |
| SOA | Zone authority info — serial, refresh, TTL defaults |
| PTR | IP → hostname (reverse DNS) |

| API Style | Characteristics |
|---|---|
| REST | Resources over HTTP verbs, typically JSON. Simple, cacheable, widely understood. |
| GraphQL | Single endpoint, client specifies exactly what fields it needs — avoids over/under-fetching. |
| gRPC | Binary (Protobuf) over HTTP/2, strongly typed contracts — fast, common for service-to-service calls. |

| Scheme | How It Works |
|---|---|
| Basic Auth | Base64-encoded username:password in the header — must run over HTTPS |
| Bearer Token / JWT | Signed token sent in the Authorization header, verified without a server-side lookup |
| API Key | Static key identifying the calling application, often in a header or query param |
| OAuth 2.0 | Delegated authorization — user grants a third-party app limited access without sharing credentials |
| Session Cookie | Server-side session referenced by an opaque cookie value |

1. Browser resolves the hostname to an IP — checking local cache, then OS resolver, then recursive resolver, then authoritative name servers if needed. (Layer 7 · DNS)
2. TCP 3-way handshake to the resolved IP on port 443. (Layer 4)
3. TLS handshake: cipher suite negotiated, certificate validated, symmetric session key derived. (Layer 6)
4. Browser sends a GET request with headers (Host, Accept, cookies/auth tokens) inside the encrypted TLS session. (Layer 7 · request)
5. Web server/application checks auth, routes to the right handler, queries a database if needed, and builds a response. (Application logic)
6. Status code, headers (Content-Type, Set-Cookie, Cache-Control), and body are compressed and encrypted, then delivered over the existing TCP/TLS session. (Layer 7 · response)
7. HTML parsed, additional resources (CSS, JS, images) trigger their own DNS/TCP/TLS/HTTP cycles in parallel, and the page becomes interactive. (Application layer)

| Symptom | Likely Cause |
|---|---|
| DNS_PROBE_FINISHED_NXDOMAIN | Domain doesn't exist or DNS record missing/typo |
| Connection times out | Server down, firewall blocking, wrong DNS pointing elsewhere |
| 401 / 403 errors | Missing/expired/invalid credentials, insufficient permissions |
| CORS error in browser console | Server missing Access-Control-Allow-Origin for that origin |
| 502 / 504 from a proxy/load balancer | Upstream server down, slow, or unreachable |

| Check | Command |
|---|---|
| DNS resolution | dig example.com / nslookup example.com |
| Full request/response | curl -v https://example.com |
| Headers only | curl -I https://example.com |
| Response timing breakdown | curl -w "@timing.txt" -o /dev/null -s URL |
| Browser-level detail | DevTools → Network tab |
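
The `timing.txt` file used by the `curl -w "@timing.txt"` row is not shown on this page. The following is an added example, not part of the original page: one possible format file built from curl's write-out variables, plus a helper that turns curl's cumulative timers into per-phase durations matching the DNS, TCP, TLS and HTTP steps of a request. The function names `write_timing_format` and `phase_breakdown` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page).
# curl's %{time_*} write-out variables are cumulative seconds since the
# start of the transfer, so each phase is the difference of two timers.

# Write a format file for `curl -w "@FILE"`. $1 = path (default timing.txt).
write_timing_format() {
    cat > "${1:-timing.txt}" <<'EOF'
%{time_namelookup} %{time_connect} %{time_appconnect} %{time_pretransfer} %{time_starttransfer} %{time_total}
EOF
}

# Read one line of the six timers on stdin and print per-phase milliseconds.
#   dns      = name lookup
#   tcp      = TCP handshake (connect - namelookup)
#   tls      = TLS handshake (appconnect - connect); 0 for plain HTTP
#   wait     = request sent until first response byte (server time + 1 RTT)
#   download = first byte until the body is complete
phase_breakdown() {
    awk 'NF == 6 {
        p["dns"] = $1
        p["tcp"] = $2 - $1
        p["tls"] = ($3 > 0) ? $3 - $2 : 0
        p["wait"] = $5 - $4
        p["download"] = $6 - $5
        n = split("dns tcp tls wait download", order, " ")
        slow = order[1]
        for (i = 1; i <= n; i++) {
            printf "%s=%.0fms ", order[i], p[order[i]] * 1000
            if (p[order[i]] > p[slow]) slow = order[i]
        }
        printf "total=%.0fms slowest=%s\n", $6 * 1000, slow
    }'
}

# Usage against a live host:
#   write_timing_format timing.txt
#   curl -w "@timing.txt" -o /dev/null -s https://example.com | phase_breakdown
# Offline check with constructed timer values:
#   echo "0.012 0.045 0.130 0.131 0.310 0.352" | phase_breakdown
```

A large `dns` or `tcp` share points at the resolver or network path, a large `tls` share at the handshake, and a large `wait` share at the application or its upstream.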