← Back to Networking

HTTP Request Structure

NetworkingEntrynetworking

The Question

What is the structure of an HTTP request?

What a Strong Answer Covers

  • Exact first line format
  • blank line before body

Senior-Level Answer

An HTTP/1.1 request is a plaintext message with four structural parts:

**1. Request line** — the first line containing three space-separated tokens: the HTTP method (GET, POST, PUT, DELETE, PATCH, etc.), the request target (path and query string, e.g., `/api/users?page=2`), and the HTTP version (`HTTP/1.1`). Example: `GET /api/users?page=2 HTTP/1.1`

**2. Headers** — a sequence of `Name: Value` lines, each terminated by CRLF. Headers carry metadata: `Host` (required in HTTP/1.1 and identifies the virtual host), `Content-Type` (media type of the body), `Content-Length` (byte count of body), `Authorization` (credentials, typically `Bearer <token>`), `Accept` (desired response format), `Cookie`, and many others. Header names are case-insensitive.

**3. Blank line** — a single CRLF sequence that separates headers from the body. This delimiter is mandatory regardless of whether a body is present.

**4. Body (optional)** — the request payload. For GET and HEAD requests, the body is conventionally empty. For POST and PUT, it carries the data being sent. The `Content-Type` header declares how to parse it: `application/json`, `application/x-www-form-urlencoded`, `multipart/form-data` (file uploads), etc.

**HTTP/2 differences**: HTTP/2 is binary, not text. It multiplexes requests over a single TCP connection using frames and streams, with header compression (HPACK). The conceptual structure (method, headers, body) is the same but the wire format is entirely different.

**Security relevance**: sensitive data must never go in the URL (it ends up in server logs and browser history). Credentials belong in the `Authorization` header or the body over HTTPS. Query strings are acceptable for filtering and pagination.

Knowing the structure matters for debugging — tools like curl -v, Wireshark, and browser DevTools all expose this raw format.

What Separates a 2/3 from a 3/3

2/3 — Passing but Incomplete

Correctly names all four parts in order and explains when a body is present vs absent.

3/3 — Strong Answer

Explains CRLF blank line delimiter, Content-Type/Content-Length semantics, HTTP/2 contrast, and the security implication of URL vs header placement.

Common Mistakes

  • Forgetting the blank line between headers and body
  • Putting credentials in query parameters instead of Authorization header
  • Conflating HTTP/2 wire format with HTTP/1.1 — they share concepts but not encoding
  • Not knowing that GET requests can technically have a body (though it is ignored by most servers)

Follow-Up Questions

  • What is the difference between query parameters and request body for passing data? — Query params are in the URL (logged, cached, length-limited); body is private, unlimited, and typed via Content-Type.
  • What does the Host header do and why is it required in HTTP/1.1? — It allows one IP/port to host multiple virtual hosts — the server uses Host to route to the right application.
  • How does HTTPS change the request structure? — TLS encrypts the entire HTTP message including headers — the TCP/IP layer sees only encrypted bytes.
  • What HTTP method would you use to partially update a resource? — PATCH — PUT replaces the entire resource, PATCH applies a partial update.

Related Questions

  • TCP — 3-Way Handshake
  • TLS — Certificate, DH, AES
  • TCP vs UDP
  • HTTP vs HTTPS
  • WebSockets

Can You Explain This Cold?

Reading the answer is step one. Explaining it unprompted — under interview pressure — is what actually matters. Get AI-graded feedback on your answer with follow-up probes on your weak points.

Get Graded — Free Assessment
GrindQuestionsAITechnical interview assessment
TermsPrivacyAbout