The browser breaks the URL into its parts: scheme (https), host (example.com), path (/), and implied port (443 for https, 80 for http). This decides everything that follows — especially whether TLS is required.
ParseBrowser cache, OS-level DNS resolver cache, and the local hosts file are all checked first. A DNS lookup costs a round trip, so nothing gets resolved over the network if a valid, unexpired answer already exists locally.
CacheIf nothing's cached, the OS resolver queries its configured DNS server over UDP/53. That server checks its own cache, and if empty, resolves recursively: root servers → .com TLD servers → example.com's authoritative nameserver, returning the A record: 93.184.216.34. Everything downstream now has a destination IP.
CheckpointThe browser opens a transport connection to 93.184.216.34:443: SYN → SYN-ACK → ACK. This establishes a reliable, ordered byte stream — with zero encryption and no awareness of HTTP yet.
TCPClientHello (supported cipher suites + SNI hostname, sent in cleartext) → ServerHello plus the server's certificate → the browser validates the certificate (chain of trust, expiry, hostname match) → key exchange derives shared session keys on both sides → Finished messages confirm it. From this point every byte on the connection is encrypted. (TLS 1.3 does this in one round trip; TLS 1.2 needed two.)
TLSNow — and only now — the browser sends the actual request over the encrypted channel: GET / HTTP/1.1 (or an HTTP/2 frame), with headers like Host, User-Agent, Accept, and any cookies for that domain.
HTTP RequestThe request hits the web server (often behind a load balancer/reverse proxy first), gets routed to the application, which builds the response — a static file, a rendered template, or the result of a database query.
ServerStatus line (200 OK), headers (Content-Type, Cache-Control, Set-Cookie), then the HTML body — streamed back over the same TLS-encrypted TCP connection.
HTTP ResponseThe browser starts building the DOM as bytes arrive — it doesn't wait for the whole response. As it parses, it discovers references to CSS, JS, images, and fonts.
ParseEach referenced resource is fetched — reused connections/multiplexing (HTTP/2) if it's the same domain, or a brand new DNS → TCP → TLS sequence if it's a different domain (e.g. a CDN or analytics script), all in parallel where possible.
ResourcesDOM + CSSOM combine into a render tree, the browser computes layout (geometry/position of every element), then paints pixels to the screen. Parser-blocking <script> tags can pause this entirely until they finish executing.
DOMContentLoaded fires once HTML is fully parsed and the DOM exists — without waiting for images. load fires only once every resource has finished. The gap between the two is often where perceived speed and "actually done" diverge.
Interactive| Term | Meaning |
|---|---|
| Recursive vs Authoritative DNS | A recursive resolver does the multi-hop lookup on your behalf; the authoritative server is the final source of truth for that domain |
| A / AAAA Record | DNS record mapping a hostname to an IPv4 (A) or IPv6 (AAAA) address |
| TCP 3-Way Handshake | SYN, SYN-ACK, ACK — establishes a reliable connection before any data is sent |
| SNI | Server Name Indication — hostname sent unencrypted in the TLS ClientHello so the right certificate can be selected |
| Certificate Chain of Trust | The link from a site's certificate up through intermediate CAs to a root CA the browser already trusts |
| HTTP/1.1 vs HTTP/2 | HTTP/2 multiplexes many requests over a single TCP connection instead of opening one connection per resource |
| DOM | Document Object Model — the browser's in-memory tree representation of the parsed HTML |
| Render Tree | DOM combined with computed CSS, used to calculate layout and paint the page |
| DOMContentLoaded vs load | HTML parsed vs every resource (images, CSS, JS) fully loaded |