What is the structure of an HTTP request?
An HTTP/1.1 request is a plaintext message with four structural parts:
**1. Request line** — the first line containing three space-separated tokens: the HTTP method (GET, POST, PUT, DELETE, PATCH, etc.), the request target (path and query string, e.g., `/api/users?page=2`), and the HTTP version (`HTTP/1.1`). Example: `GET /api/users?page=2 HTTP/1.1`
**2. Headers** — a sequence of `Name: Value` lines, each terminated by CRLF. Headers carry metadata: `Host` (required in HTTP/1.1 and identifies the virtual host), `Content-Type` (media type of the body), `Content-Length` (byte count of body), `Authorization` (credentials, typically `Bearer <token>`), `Accept` (desired response format), `Cookie`, and many others. Header names are case-insensitive.
**3. Blank line** — a single CRLF sequence that separates headers from the body. This delimiter is mandatory regardless of whether a body is present.
**4. Body (optional)** — the request payload. For GET and HEAD requests, the body is conventionally empty. For POST and PUT, it carries the data being sent. The `Content-Type` header declares how to parse it: `application/json`, `application/x-www-form-urlencoded`, `multipart/form-data` (file uploads), etc.
**HTTP/2 differences**: HTTP/2 is binary, not text. It multiplexes requests over a single TCP connection using frames and streams, with header compression (HPACK). The conceptual structure (method, headers, body) is the same but the wire format is entirely different.
**Security relevance**: sensitive data must never go in the URL (it ends up in server logs and browser history). Credentials belong in the `Authorization` header or the body over HTTPS. Query strings are acceptable for filtering and pagination.
Knowing the structure matters for debugging — tools like curl -v, Wireshark, and browser DevTools all expose this raw format.
Correctly names all four parts in order and explains when a body is present vs absent.
Explains CRLF blank line delimiter, Content-Type/Content-Length semantics, HTTP/2 contrast, and the security implication of URL vs header placement.
Reading the answer is step one. Explaining it unprompted — under interview pressure — is what actually matters. Get AI-graded feedback on your answer with follow-up probes on your weak points.
Get Graded — Free Assessment