What is the difference between HTTP and HTTPS?

The main difference between HTTP and HTTPS is security. HTTPS (HTTP Secure) is HTTP with encryption using TLS/SSL. HTTP sends data in plain text which can be intercepted, while HTTPS encrypts all data making it unreadable to attackers. HTTPS is essential for sensitive data like passwords and payment information. You can identify HTTPS by the padlock icon in your browser's address bar.

HTTP works on a request-response model in computer networks. The client (browser) sends an HTTP request to the server containing a method (GET, POST, etc.), URL, headers, and optional body. The server processes the request and sends back an HTTP response with a status code, headers, and body content. This communication happens over TCP/IP connections, typically on port 80 for HTTP or port 443 for HTTPS.

What are HTTP methods (HTTP request methods)?

HTTP methods (also called HTTP verbs or HTTP request methods) indicate the desired action to perform. GET retrieves data from the server, POST sends data to create new resources, PUT updates existing resources, DELETE removes resources, PATCH partially updates resources, HEAD retrieves headers only without body, and OPTIONS returns the supported HTTP methods for a URL.

What are HTTP status codes?

HTTP status codes are 3-digit numbers indicating the result of an HTTP request. 1xx codes are informational, 2xx means success (200 OK, 201 Created), 3xx means redirection (301 Moved Permanently, 302 Found), 4xx means client error (400 Bad Request, 404 Not Found), and 5xx means server error (500 Internal Server Error, 503 Service Unavailable).

What is HTTP in computer networks?

In computer networks, HTTP is an application-layer protocol that operates on top of TCP/IP. It enables communication between web clients and servers across the internet. HTTP is stateless, meaning each request is independent. It uses URLs to identify resources and supports various content types including HTML, JSON, XML, images, and more.

What is HTTP protocol explained simply?

HTTP protocol is like a conversation between your browser and a website's server. Your browser asks for something (request), and the server responds with what you asked for (response). Every time you click a link or load a webpage, HTTP handles the communication. It defines the rules for how this conversation should happen, what format to use, and what each message means.

HTTP - Complete Learning Guide

Q: What is HTTP (Hypertext Transfer Protocol)?

HTTP (HyperText Transfer Protocol) is the foundation of data communication on the World Wide Web. It's an application-layer protocol that defines how messages are formatted and transmitted between web browsers and servers. HTTP is the standard protocol for transferring web pages, images, videos, and other content across the internet.

Learn what HTTP is, how it works, the difference between HTTP and HTTPS - everything about web communication from basics to advanced.

What is HTTP HTTP vs HTTPS HTTP Methods Status Codes HTTP Headers

Google Search Keywords - Use these terms to find more resources

What is HTTP

HTTP explained simple

HTTP vs HTTPS difference

How HTTP works

HTTP request response

HTTP methods explained

HTTP status codes list

HTTP headers tutorial

HTTP protocol basics

HTTPS SSL TLS explained

HTTP/2 vs HTTP/1.1

HTTP cookies session

HTTP caching explained

HTTP authentication

HTTP for beginners

web protocol tutorial

Beginner - HTTP Fundamentals

What is HTTP and how does web communication work

Beginner

What is HTTP?

HTTP (HyperText Transfer Protocol) is the foundation of web communication. Learn what it is and why it matters.

what is HTTP HTTP meaning HTTP protocol

What is HTTP?

HTTP (HyperText Transfer Protocol) is the protocol used for transmitting data over the web. It defines how messages are formatted and transmitted between web browsers and servers.

Simple Analogy: Postal System

Think of HTTP like the postal system:

You (Client/Browser) - Write and send a letter
Postal Rules (HTTP) - Standard format for addressing, stamps, etc.
Post Office (Internet) - Delivers your letter
Recipient (Server) - Receives and responds to your letter

Just like postal rules ensure your letter reaches the destination, HTTP ensures your web requests reach the correct server!

What Happens When You Visit a Website?

You type www.google.com in browser
Browser creates an HTTP request
Request travels through the internet to Google's server
Server processes the request
Server sends back an HTTP response with the webpage
Browser displays the webpage

HTTP Request Example

GET /search?q=hello HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0
Accept: text/html

HTTP Response Example

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 45678

<!DOCTYPE html>
<html>
  <head><title>Google</title></head>
  <body>...</body>
</html>

Key Characteristics of HTTP

Property	Description
Stateless	Each request is independent, server doesn't remember previous requests
Text-based	Messages are human-readable text
Request-Response	Client sends request, server sends response
Application Layer	Works on top of TCP/IP

Try in HttpNinja

Open HttpNinja app
Enter URL: https://httpbin.org/get
Method: GET
Tap Send
See the complete HTTP request and response!

Beginner

HTTP vs HTTPS - What's the Difference?

The crucial difference between HTTP and HTTPS - why the 'S' matters for your security.

HTTP vs HTTPS HTTPS secure SSL TLS

The Simple Difference

HTTP = Data sent as plain text (anyone can read it)
HTTPS = Data is encrypted (only sender and receiver can read it)

Analogy: Postcard vs Sealed Letter

HTTP = Postcard - Everyone who handles it can read your message
HTTPS = Sealed envelope - Only the recipient can open and read it

Comparison Table

Feature	HTTP	HTTPS
Full Name	HyperText Transfer Protocol	HyperText Transfer Protocol Secure
Port	80	443
URL Prefix	http://	https://
Encryption	None	TLS/SSL
Security	Not secure	Secure
Certificate	Not required	SSL Certificate required
Speed	Slightly faster	Slightly slower (encryption overhead)
SEO	Lower ranking	Higher ranking (Google prefers HTTPS)

How HTTPS Works

TLS Handshake - Client and server agree on encryption method
Certificate Verification - Browser verifies server's SSL certificate
Key Exchange - Secure keys are exchanged
Encrypted Communication - All data is encrypted

HTTP Request (Plain Text - Anyone can see):
POST /login
username=john&password=secret123

HTTPS Request (Encrypted - Looks like):
POST /login
x7#kL9$mN2@pQ5... (gibberish to attackers)

When is HTTPS Essential?

Login pages (passwords)
Payment/banking sites
Personal information forms
Any site handling sensitive data
Actually, ALL websites should use HTTPS today!

How to Identify HTTPS

Padlock icon in browser address bar
URL starts with https://
Click padlock to view certificate details

Try in HttpNinja

Test HTTP: http://httpbin.org/get
Test HTTPS: https://httpbin.org/get
Both work, but HTTPS is encrypted!

Beginner

How HTTP Works - Step by Step

The complete journey of an HTTP request from your browser to the server and back.

how HTTP works HTTP flow request response cycle

The HTTP Request-Response Cycle


    CLIENT (Browser)                    SERVER (Website)
         |                                    |
         |  1. DNS Lookup                     |
         |  (Find server IP address)          |
         |                                    |
         |  2. TCP Connection                 |
         |----------------------------------->|
         |  (3-way handshake)                 |
         |                                    |
         |  3. HTTP Request                   |
         |----------------------------------->|
         |  GET /page.html HTTP/1.1           |
         |                                    |
         |  4. Server Processing              |
         |                    [Process Request]
         |                                    |
         |  5. HTTP Response                  |
         |<-----------------------------------|
         |  HTTP/1.1 200 OK                   |
         |  + HTML content                    |
         |                                    |
         |  6. Render Page                    |
         |  [Display in browser]              |

Step-by-Step Breakdown

Step 1: DNS Lookup

Browser converts domain name to IP address:

www.example.com → 93.184.216.34

Step 2: TCP Connection

Browser establishes connection with server (3-way handshake):

Client: SYN (Hey, want to connect?)
Server: SYN-ACK (Sure, let's connect!)
Client: ACK (Great, we're connected!)

Step 3: HTTP Request

Browser sends the actual request:

GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: text/html
Accept-Language: en-US
Connection: keep-alive

Step 4: Server Processing

Server receives request, processes it, prepares response

Step 5: HTTP Response

Server sends back the response:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1234
Date: Fri, 24 Jan 2025 10:00:00 GMT

<!DOCTYPE html>
<html>...</html>

Step 6: Render

Browser parses HTML, loads CSS/JS, displays page

Connection Types

Type	Behavior
Non-persistent (HTTP/1.0)	New connection for each request
Persistent (HTTP/1.1)	Reuse connection for multiple requests
Multiplexed (HTTP/2)	Multiple requests on single connection simultaneously

Try in HttpNinja

Send any request
Check "Response" tab to see complete response
Check "Headers" to see all metadata
Check response time to see how fast it was

Beginner

HTTP Request and Response Structure

Detailed breakdown of what's inside an HTTP request and response message.

HTTP request HTTP response message format

HTTP Request Structure

┌─────────────────────────────────────────┐
│ Request Line                            │
│ GET /api/users HTTP/1.1                 │
├─────────────────────────────────────────┤
│ Headers                                 │
│ Host: api.example.com                   │
│ User-Agent: HttpNinja/1.0               │
│ Accept: application/json                │
│ Authorization: Bearer token123          │
├─────────────────────────────────────────┤
│ Empty Line                              │
├─────────────────────────────────────────┤
│ Body (optional)                         │
│ {"name": "John", "email": "j@test.com"} │
└─────────────────────────────────────────┘

Request Line Components

Component	Example	Description
Method	GET	What action to perform
Path	/api/users	Resource location
Version	HTTP/1.1	Protocol version

HTTP Response Structure

┌─────────────────────────────────────────┐
│ Status Line                             │
│ HTTP/1.1 200 OK                         │
├─────────────────────────────────────────┤
│ Headers                                 │
│ Content-Type: application/json          │
│ Content-Length: 256                     │
│ Date: Fri, 24 Jan 2025 10:00:00 GMT     │
│ Server: nginx/1.18.0                    │
├─────────────────────────────────────────┤
│ Empty Line                              │
├─────────────────────────────────────────┤
│ Body                                    │
│ {"id": 1, "name": "John"}               │
└─────────────────────────────────────────┘

Status Line Components

Component	Example	Description
Version	HTTP/1.1	Protocol version
Status Code	200	Numeric result code
Status Text	OK	Human-readable status

Complete Example

// REQUEST
POST /api/login HTTP/1.1
Host: api.example.com
Content-Type: application/json
Content-Length: 45

{"username": "john", "password": "secret"}

// RESPONSE
HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: session=abc123; HttpOnly

{"success": true, "token": "eyJhbGc..."}

Try in HttpNinja

POST to: https://httpbin.org/post
Add JSON body: {"test": "data"}
See your request echoed back in response
Examine all headers in detail

Intermediate - HTTP Methods & Status Codes

Deep dive into HTTP methods, status codes, and headers

Intermediate

HTTP Methods (Verbs)

GET, POST, PUT, DELETE and more - understand what each HTTP method does and when to use it.

HTTP methods GET POST PUT DELETE HTTP verbs

What are HTTP Methods?

HTTP methods (also called verbs) indicate the desired action to perform on a resource. Different methods have different purposes and behaviors.

Primary Methods (CRUD Operations)

Method	Purpose	Has Body	Idempotent	Safe
GET	Retrieve data	No	Yes	Yes
POST	Create new data	Yes	No	No
PUT	Replace entire resource	Yes	Yes	No
PATCH	Partial update	Yes	No	No
DELETE	Remove resource	No	Yes	No

GET - Retrieve Data

GET /api/users/123 HTTP/1.1
Host: api.example.com

// Response: User data

Should only retrieve data, never modify
Can be cached and bookmarked
Parameters sent in URL query string

POST - Create New Data

POST /api/users HTTP/1.1
Content-Type: application/json

{"name": "John", "email": "john@test.com"}

// Response: Created user with new ID

Creates new resources
Data sent in request body
Not idempotent (calling twice creates two users)

PUT - Replace Entire Resource

PUT /api/users/123 HTTP/1.1
Content-Type: application/json

{"name": "John Updated", "email": "new@test.com", "age": 30}

// Replaces ALL fields of user 123

PATCH - Partial Update

PATCH /api/users/123 HTTP/1.1
Content-Type: application/json

{"email": "newemail@test.com"}

// Only updates email, keeps other fields

DELETE - Remove Resource

DELETE /api/users/123 HTTP/1.1

// Deletes user 123

Other Methods

Method	Purpose
HEAD	Same as GET but returns only headers, no body
OPTIONS	Returns allowed methods for a resource
TRACE	Echoes the request (for debugging)
CONNECT	Establishes tunnel (used for HTTPS proxy)

Key Terms

Safe - Doesn't modify data (GET, HEAD, OPTIONS)
Idempotent - Same result no matter how many times called (GET, PUT, DELETE)

Try All Methods in HttpNinja

GET: https://jsonplaceholder.typicode.com/posts/1
POST: https://jsonplaceholder.typicode.com/posts
PUT: https://jsonplaceholder.typicode.com/posts/1
DELETE: https://jsonplaceholder.typicode.com/posts/1

Intermediate

HTTP Status Codes Complete Guide

200, 404, 500 - learn what every HTTP status code means and when they occur.

status codes 200 OK 404 Not Found

Status Code Categories

Range	Category	Meaning	Color
1xx	Informational	Request received, processing	Blue
2xx	Success	Request successful	Green
3xx	Redirection	Further action needed	Yellow
4xx	Client Error	Bad request from client	Orange
5xx	Server Error	Server failed	Red

2xx Success Codes

Code	Name	Meaning	Common Use
200	OK	Request succeeded	GET, PUT success
201	Created	Resource created	POST success
204	No Content	Success, no body	DELETE success
206	Partial Content	Partial data returned	Video streaming

3xx Redirection Codes

Code	Name	Meaning
301	Moved Permanently	Resource moved to new URL forever
302	Found	Temporary redirect
304	Not Modified	Use cached version
307	Temporary Redirect	Redirect keeping method
308	Permanent Redirect	Permanent redirect keeping method

4xx Client Error Codes

Code	Name	Meaning	How to Fix
400	Bad Request	Invalid syntax	Check request format
401	Unauthorized	Authentication required	Login first
403	Forbidden	No permission	Check access rights
404	Not Found	Resource doesn't exist	Check URL
405	Method Not Allowed	Method not supported	Use correct method
408	Request Timeout	Request took too long	Try again
409	Conflict	Conflicting request	Resolve conflict
422	Unprocessable Entity	Validation error	Fix data
429	Too Many Requests	Rate limit exceeded	Wait and retry

5xx Server Error Codes

Code	Name	Meaning
500	Internal Server Error	Server crashed/bug
501	Not Implemented	Feature not supported
502	Bad Gateway	Invalid response from upstream
503	Service Unavailable	Server overloaded/maintenance
504	Gateway Timeout	Upstream server timeout

Test Status Codes in HttpNinja

https://httpbin.org/status/200 - Success
https://httpbin.org/status/301 - Redirect
https://httpbin.org/status/404 - Not Found
https://httpbin.org/status/500 - Server Error

Intermediate

HTTP Headers Explained

Content-Type, Authorization, Cache-Control - understand the most important HTTP headers.

HTTP headers Content-Type Authorization

What are HTTP Headers?

Headers are key-value pairs that provide additional information about the request or response. They're like metadata for HTTP messages.

Request Headers

Header	Purpose	Example
Host	Target server	api.example.com
User-Agent	Client identification	Mozilla/5.0...
Accept	Acceptable response types	application/json
Accept-Language	Preferred language	en-US,en;q=0.9
Accept-Encoding	Acceptable compression	gzip, deflate
Content-Type	Body format	application/json
Content-Length	Body size in bytes	256
Authorization	Auth credentials	Bearer eyJ...
Cookie	Stored cookies	session=abc123
Cache-Control	Caching directives	no-cache

Response Headers

Header	Purpose	Example
Content-Type	Body format	text/html; charset=utf-8
Content-Length	Body size	1234
Content-Encoding	Compression used	gzip
Set-Cookie	Set a cookie	id=abc; HttpOnly
Cache-Control	Caching rules	max-age=3600
Location	Redirect URL	/new-page
Server	Server software	nginx/1.18.0
Date	Response timestamp	Fri, 24 Jan 2025...

Content-Type Values

// Common MIME types
text/html                 - HTML pages
text/plain                - Plain text
text/css                  - CSS stylesheets
application/json          - JSON data
application/xml           - XML data
application/javascript    - JavaScript
application/pdf           - PDF files
image/png                 - PNG images
image/jpeg                - JPEG images
multipart/form-data       - File uploads
application/x-www-form-urlencoded - Form data

Custom Headers

APIs often use custom headers (usually prefixed with X-):

X-API-Key: your-api-key
X-Request-ID: uuid-here
X-RateLimit-Remaining: 99
X-Custom-Header: value

Try in HttpNinja

GET: https://httpbin.org/headers
Add custom headers in Headers tab
See your headers reflected in response

Intermediate

URL Structure & Components

Understanding URLs - protocol, domain, path, query strings, and fragments.

URL structure query string URL encoding

URL Components

https://user:pass@api.example.com:8080/v1/users?page=1&limit=10#section

|_____|  |_______| |_____________| |__| |______| |_____________| |______|
   |         |            |         |      |            |           |
Scheme   Userinfo       Host      Port   Path     Query String  Fragment

Component Breakdown

Component	Example	Description
Scheme	https	Protocol (http, https, ftp)
Userinfo	user:pass	Authentication (rarely used)
Host	api.example.com	Domain name or IP
Port	8080	Port number (default: 80/443)
Path	/v1/users	Resource location
Query	?page=1&limit=10	Parameters
Fragment	#section	Page section (not sent to server)

Query String Format

// Basic format
?key1=value1&key2=value2

// Examples
?search=hello          // Single param
?page=1&limit=20       // Multiple params
?tags=js&tags=python   // Array (same key multiple times)
?filter[name]=john     // Nested params

URL Encoding

Special characters must be encoded in URLs:

Character	Encoded	Example
Space	%20 or +	hello%20world
&	%26	rock%26roll
=	%3D	1%2B1%3D2
?	%3F	what%3F
/	%2F	path%2Fto
#	%23	%23hashtag

Absolute vs Relative URLs

// Absolute URL (complete)
https://api.example.com/users/123

// Relative URLs (depends on current page)
/users/123           // From root
users/123            // From current path
../users/123         // Parent directory
?page=2              // Same path, different query

Try in HttpNinja

Use Params tab to build query strings
HttpNinja auto-encodes special characters
Test: https://httpbin.org/get?name=John Doe

Advanced - HTTP Versions & Security

HTTP/2, HTTP/3, caching, cookies, and security

Advanced

HTTP Versions - 1.0, 1.1, 2, 3

Evolution of HTTP protocol - from HTTP/1.0 to HTTP/3 with QUIC.

HTTP/2 HTTP/3 QUIC protocol

HTTP Version Timeline

Version	Year	Key Features
HTTP/0.9	1991	Simple GET only, no headers
HTTP/1.0	1996	Headers, status codes, POST
HTTP/1.1	1997	Keep-alive, chunked transfer, Host header
HTTP/2	2015	Multiplexing, header compression, server push
HTTP/3	2022	QUIC protocol, improved performance

HTTP/1.1 vs HTTP/2

HTTP/1.1 (Sequential):
Request 1 -----> Response 1
Request 2 -----> Response 2
Request 3 -----> Response 3

HTTP/2 (Multiplexed):
Request 1 --|
Request 2 --|---> All responses arrive together
Request 3 --|

HTTP/2 Features

Multiplexing - Multiple requests on single connection
Header Compression - HPACK reduces header size
Server Push - Server can push resources proactively
Binary Protocol - More efficient than text
Stream Prioritization - Important resources first

HTTP/3 and QUIC

QUIC Protocol - Built on UDP instead of TCP
Faster Connection - 0-RTT connection establishment
Better Mobile - Handles network changes better
No Head-of-Line Blocking - Lost packets don't block others

Feature Comparison

Feature	HTTP/1.1	HTTP/2	HTTP/3
Transport	TCP	TCP	QUIC (UDP)
Multiplexing	No	Yes	Yes
Header Compression	No	HPACK	QPACK
Server Push	No	Yes	Yes
Encryption	Optional	Required*	Built-in

Advanced

Cookies and Sessions

How cookies work, session management, and cookie security attributes.

HTTP cookies session Set-Cookie

Why Cookies?

HTTP is stateless - server doesn't remember you between requests. Cookies solve this by storing data on the client that's sent with every request.

Cookie Flow

1. First Request (No cookie)
   GET /login

2. Server Response (Sets cookie)
   Set-Cookie: session=abc123; HttpOnly

3. Subsequent Requests (Cookie sent automatically)
   GET /dashboard
   Cookie: session=abc123

Set-Cookie Syntax

Set-Cookie: name=value; attribute1; attribute2

// Example with all attributes
Set-Cookie: session=abc123;
    Expires=Thu, 01 Jan 2026 00:00:00 GMT;
    Max-Age=31536000;
    Domain=example.com;
    Path=/;
    Secure;
    HttpOnly;
    SameSite=Strict

Cookie Attributes

Attribute	Purpose	Example
Expires	Expiration date	Thu, 01 Jan 2026...
Max-Age	Lifetime in seconds	3600 (1 hour)
Domain	Valid domain	.example.com
Path	Valid path	/admin
Secure	HTTPS only	(flag)
HttpOnly	No JavaScript access	(flag)
SameSite	Cross-site policy	Strict/Lax/None

Session vs Cookie

Aspect	Cookie	Session
Storage	Client (browser)	Server
Size Limit	~4KB	No limit
Security	Less secure	More secure
Expiry	Can persist	Usually temporary

Try in HttpNinja

GET: https://httpbin.org/cookies/set?name=value
Check response headers for Set-Cookie
GET: https://httpbin.org/cookies
See your cookies reflected back

Advanced

HTTP Caching

Cache-Control, ETags, conditional requests - optimize performance with caching.

HTTP caching Cache-Control ETag

Why Caching?

Faster page loads
Reduced server load
Lower bandwidth usage
Better user experience

Cache-Control Header

// Response headers
Cache-Control: max-age=3600          // Cache for 1 hour
Cache-Control: no-cache              // Validate before using
Cache-Control: no-store              // Never cache
Cache-Control: private               // Only browser can cache
Cache-Control: public                // Any cache can store
Cache-Control: must-revalidate       // Must check if stale

Caching Flow

First Request:
GET /image.png
→ 200 OK
  Cache-Control: max-age=3600
  ETag: "abc123"

Within 1 hour:
GET /image.png
→ Served from cache (no network)

After 1 hour (Conditional Request):
GET /image.png
If-None-Match: "abc123"
→ 304 Not Modified (use cache)
OR
→ 200 OK (new content)

Validation Headers

Response Header	Request Header	Purpose
ETag	If-None-Match	Content hash comparison
Last-Modified	If-Modified-Since	Date comparison

Cache Locations

Browser Cache - Stored in user's browser
Proxy Cache - Shared cache (CDN, corporate proxy)
Gateway Cache - Reverse proxy at server

Try in HttpNinja

GET: https://httpbin.org/cache/60
Check Cache-Control header in response
GET: https://httpbin.org/etag/test
Add header: If-None-Match: "test"

Advanced

CORS - Cross-Origin Resource Sharing

Understanding CORS errors, preflight requests, and how to handle cross-origin requests.

CORS cross-origin preflight

What is CORS?

CORS (Cross-Origin Resource Sharing) is a security feature that restricts web pages from making requests to a different domain than the one serving the page.

Same-Origin Policy

Origin = Protocol + Host + Port

https://example.com:443

Same origin:
https://example.com/page1 → https://example.com/api ✓

Different origin (blocked by default):
https://mysite.com → https://api.example.com ✗
http://example.com → https://example.com ✗ (different protocol)
https://example.com:8080 → https://example.com ✗ (different port)

CORS Headers

Header	Purpose	Example
Access-Control-Allow-Origin	Allowed origins	* or https://mysite.com
Access-Control-Allow-Methods	Allowed methods	GET, POST, PUT
Access-Control-Allow-Headers	Allowed headers	Content-Type, Authorization
Access-Control-Allow-Credentials	Allow cookies	true
Access-Control-Max-Age	Preflight cache time	86400

Preflight Request

For "non-simple" requests, browser sends OPTIONS request first:

// Preflight
OPTIONS /api/data
Origin: https://mysite.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type

// Server Response
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://mysite.com
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: Content-Type

// Then actual request proceeds
POST /api/data
...

Why No CORS in HttpNinja?

CORS is enforced by browsers only. HttpNinja is a native app, not a browser, so CORS restrictions don't apply. This makes it perfect for testing APIs that might fail in browser!

CORS-Free Testing

Getting "CORS error" in browser? Test the same API in HttpNinja - it will work without CORS restrictions!

Advanced

HTTP Authentication

Basic Auth, Bearer tokens, and the WWW-Authenticate challenge.

HTTP authentication Basic Auth Bearer token

Authentication Flow

1. Client requests protected resource
   GET /api/secret

2. Server responds with 401 and challenge
   HTTP/1.1 401 Unauthorized
   WWW-Authenticate: Basic realm="API"

3. Client sends credentials
   GET /api/secret
   Authorization: Basic dXNlcjpwYXNz

4. Server validates and responds
   HTTP/1.1 200 OK

Basic Authentication

Username and password encoded in Base64:

// Format
Authorization: Basic base64(username:password)

// Example
username: admin
password: secret123
base64("admin:secret123") = "YWRtaW46c2VjcmV0MTIz"

Authorization: Basic YWRtaW46c2VjcmV0MTIz

Warning: Base64 is encoding, NOT encryption. Always use HTTPS with Basic Auth!

Bearer Token Authentication

// Format
Authorization: Bearer 

// Example with JWT
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Authentication Types Comparison

Type	Header	Security	Use Case
Basic	Basic base64	Low	Simple APIs
Bearer	Bearer token	Medium-High	Most APIs
Digest	Digest ...	Medium	Legacy systems
API Key	X-API-Key	Low-Medium	Public APIs

Try in HttpNinja

Basic Auth: https://httpbin.org/basic-auth/user/pass
Use Auth tab to set username: user, password: pass
Bearer: Add Authorization header manually

More Google Search Keywords for Learning

HTTP protocol RFC

HTTP/2 multiplexing

HTTP/3 QUIC explained

HTTPS TLS handshake

HTTP caching strategies

REST HTTP methods

HTTP cookies security

CORS preflight request

HTTP compression gzip

HTTP keep-alive

HTTP content negotiation

HTTP range requests