HTTP - alexanderteplov/computer-science GitHub Wiki
- How documents are cached can be controlled by HTTP. The server can instruct proxies and clients about what to cache and for how long. The client can instruct intermediate cache proxies to ignore the stored document.
- To prevent snooping and other privacy invasions, Web browsers enforce strict separation between Web sites. Only pages from the same origin can access all the information of a Web page. Though such a constraint is a burden to the server, HTTP headers can relax this strict separation on the server side, allowing a document to become a patchwork of information sourced from different domains; there could even be security-related reasons to do so.
- Some pages may be protected so that only specific users can access them. Basic authentication may be provided by HTTP, either using the WWW-Authenticate and similar headers, or by setting a specific session using HTTP cookies.
- Servers or clients are often located on intranets and hide their true IP addresses from other computers. HTTP requests then go through proxies to cross this network barrier. Not all proxies are HTTP proxies. The SOCKS protocol, for example, operates at a lower level. Other protocols, like FTP, can be handled by these proxies.
- Using HTTP cookies allows you to link requests with the state of the server. This creates sessions, despite basic HTTP being a stateless protocol. This is useful not only for e-commerce shopping baskets but also for any site allowing user configuration of the output.
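The first point above, that the server tells caches what to store and for how long, comes down to a handful of response headers. The following is an added example, not code from this wiki: it parses the Cache-Control field and decides, for a shared proxy cache or a private browser cache, whether a response may be stored and for how many seconds it stays fresh, using the RFC 7234 precedence (s-maxage for shared caches, then max-age, then Expires minus Date). The sample headers are constructed for the example.

```python
import email.utils


def parse_cache_control(value: str) -> dict:
    """Split a Cache-Control field into {directive: argument-or-None}, case-insensitively."""
    directives = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, arg = item.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def _seconds(arg) -> int:
    """Delta-seconds (RFC 7234) are non-negative integers; anything else counts as 0."""
    return int(arg) if arg is not None and arg.isdigit() else 0


def cache_policy(headers: dict, shared_cache: bool) -> dict:
    """Decide whether a cache may store a response and for how long it stays fresh.

    Precedence follows RFC 7234 section 4.2.1: s-maxage (shared caches only),
    then max-age, then Expires minus Date. Returns 'storable', 'fresh_for'
    (seconds) and 'revalidate' (no-cache: may be stored, but must be checked
    with the origin before each reuse).
    """
    h = {k.lower(): v for k, v in headers.items()}          # header names are case-insensitive
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or (shared_cache and "private" in cc):
        return {"storable": False, "fresh_for": 0, "revalidate": False}
    if shared_cache and "s-maxage" in cc:
        fresh = _seconds(cc["s-maxage"])
    elif "max-age" in cc:
        fresh = _seconds(cc["max-age"])
    elif "expires" in h and "date" in h:
        try:
            delta = (email.utils.parsedate_to_datetime(h["expires"])
                     - email.utils.parsedate_to_datetime(h["date"]))
            fresh = max(0, int(delta.total_seconds()))
        except (TypeError, ValueError):
            fresh = 0   # an unparsable Expires value means "already expired" (RFC 7234 5.3)
    else:
        fresh = 0       # no explicit lifetime: treat as stale rather than guessing
    return {"storable": True, "fresh_for": fresh, "revalidate": "no-cache" in cc}


# Constructed sample response headers, not captured from any real server.
SAMPLE_HEADERS = {
    "Date": "Tue, 15 Nov 1994 08:12:31 GMT",
    "Expires": "Tue, 15 Nov 1994 09:12:31 GMT",
    "Cache-Control": "public, s-maxage=60, max-age=3600",
}

if __name__ == "__main__":
    # A shared proxy honours s-maxage (60 s); the browser's private cache uses max-age (3600 s).
    print("shared proxy:", cache_policy(SAMPLE_HEADERS, shared_cache=True))
    print("browser     :", cache_policy(SAMPLE_HEADERS, shared_cache=False))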
- An HTTP method, usually a verb like GET, POST or a noun like OPTIONS or HEAD that defines the operation the client wants to perform. Typically, a client wants to fetch a resource (using GET) or post the value of an HTML form (using POST), though more operations may be needed in other cases.
- The path of the resource to fetch; the URL of the resource stripped of elements that are obvious from the context, for example, without the protocol (http://), the domain (here, developer.mozilla.org), or the TCP port (here, 80).
- The version of the HTTP protocol.
- Optional headers that convey additional information for the servers. Or a body, for some methods like POST, similar to those in responses, which contain the resource sent.
- The version of the HTTP protocol they follow.
- A status code, indicating if the request was successful, or not, and why.
- A status message, a non-authoritative short description of the status code.
- HTTP headers, like those for requests.
- Optionally, a body containing the fetched resource.
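The two lists above describe the same wire layout from both sides: a start line, header fields, an empty line, then an optional body. As an added example (not code from this wiki), the parser below reads one HTTP/1.x request or response from bytes, normalises header names to lower case, frames the body by Content-Length, and refuses messages whose framing is ambiguous (conflicting Content-Length values, non-numeric lengths, whitespace before a header colon) instead of guessing. The sample messages are constructed; chunked transfer coding is handled separately.

```python
from dataclasses import dataclass


@dataclass
class HttpMessage:
    start_line: tuple   # request: (method, target, version); response: (version, status, reason)
    headers: dict       # names lower-cased; repeated fields joined with ", "
    body: bytes


def _parse_start_line(line: str, is_request: bool) -> tuple:
    parts = line.split(" ", 2)
    if is_request:
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            raise ValueError(f"malformed request line: {line!r}")
        return tuple(parts)                                   # (method, target, version)
    if (len(parts) < 2 or not parts[0].startswith("HTTP/")
            or not (parts[1].isdigit() and len(parts[1]) == 3)):
        raise ValueError(f"malformed status line: {line!r}")
    return parts[0], int(parts[1]), parts[2] if len(parts) == 3 else ""


def parse_http_message(raw: bytes, is_request: bool) -> HttpMessage:
    """Parse one HTTP/1.x message: start line, headers, blank line, body framed by Content-Length."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: header section not terminated by an empty line")
    lines = head.decode("ascii").split("\r\n")                # HTTP/1.x headers are ASCII
    start = _parse_start_line(lines[0], is_request)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")   # no whitespace around the name
        name, value = name.lower(), value.strip()
        if name in headers:
            if name == "content-length":
                if headers[name] != value:
                    raise ValueError("conflicting Content-Length values")   # ambiguous framing is rejected
                continue                                       # identical duplicate: keep one copy
            headers[name] += ", " + value
        else:
            headers[name] = value
    length_field = headers.get("content-length")
    if length_field is None:
        body = b"" if is_request else rest      # an unframed response body runs to connection close
    elif length_field.isdigit():
        length = int(length_field)
        if len(rest) < length:
            raise ValueError(f"truncated body: expected {length} bytes, got {len(rest)}")
        body = rest[:length]
    else:
        raise ValueError(f"invalid Content-Length: {length_field!r}")
    return HttpMessage(start, headers, body)


# Constructed sample messages with CRLF line endings, as they appear on the wire.
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: developer.mozilla.org\r\n"
                  b"Accept-Language: fr\r\n\r\n")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html\r\n"
                   b"Content-Length: 31\r\n\r\n"
                   b"<html><body>hello</body></html>")

if __name__ == "__main__":
    print(parse_http_message(SAMPLE_REQUEST, is_request=True))
    print(parse_http_message(SAMPLE_RESPONSE, is_request=False))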
1991
- Client-server, request-response protocol.
- ASCII protocol, running over a TCP/IP link.
- Designed to transfer hypertext documents (HTML).
- The connection between server and client is closed after every request.
1995
- Versioning information (HTTP/1.0) is now sent within each request.
- HTTP headers: both request and response may consist of multiple newline-separated header fields.
- Response object is prefixed with a response status code line.
- Response object is not limited to plain HTML (thanks to the Content-Type header).
- The connection between server and client is closed after every request.
1997
- A connection can be reused.
- Pipelining has been added, allowing a second request to be sent before the answer to the first one is fully transmitted.
- A typical limitation (it depends on the browser) is a maximum of 6 simultaneous connections per server.
- Chunked responses (split into 256 bytes) are now also supported.
- Additional cache control mechanisms have been introduced.
- Content negotiation, including language, encoding, or type, has been introduced and allows a client and a server to agree on the most adequate content to exchange.
- Thanks to the Host header, the ability to host different domains at the same IP address now allows server colocation.
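Chunked responses, mentioned in the list above, let a server stream a body of unknown length by prefixing each piece with its hexadecimal size and ending with a zero-size chunk. As an added example (not code from this wiki), here is an encoder that splits data into 256-byte chunks, and a deliberately strict decoder: it accepts only hex digits in the size field (Python's int(x, 16) would also accept "0x", "+" and "_"), requires CRLF after every chunk, drops chunk extensions, consumes trailer fields, and rejects bytes left over after the terminating chunk. The sample body is constructed.

```python
HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


def encode_chunked(data: bytes, chunk_size: int = 256) -> bytes:
    """Split data into chunks, each prefixed by its hex size, ending with a zero-size last chunk."""
    out = bytearray()
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += b"%x\r\n" % len(chunk) + chunk + b"\r\n"
    out += b"0\r\n\r\n"
    return bytes(out)


def decode_chunked(body: bytes) -> bytes:
    """Strict chunked decoder: exact hex sizes, CRLF framing, trailers consumed, no trailing bytes."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # chunk extensions after ';' are ignored
        if not size_field or any(c not in HEX_DIGITS for c in size_field):
            raise ValueError(f"invalid chunk size {size_field!r}")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            break                                                 # last-chunk reached
        chunk = body[pos:pos + size]
        if len(chunk) < size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data truncated or not followed by CRLF")
        out += chunk
        pos += size + 2
    # After the last-chunk: optional trailer fields, then an empty line ends the body.
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated trailer section")
        line, pos = body[pos:eol], eol + 2
        if line == b"":
            break
    if pos != len(body):
        raise ValueError(f"{len(body) - pos} unexpected bytes after the chunked body")
    return bytes(out)


# Constructed sample: three chunks (one with an extension), last-chunk, empty trailer section.
CHUNKED_SAMPLE = (b"4\r\nWiki\r\n"
                  b"5;ext=1\r\npedia\r\n"
                  b"E\r\n in\r\n\r\nchunks.\r\n"
                  b"0\r\n\r\n")

if __name__ == "__main__":
    print(decode_chunked(CHUNKED_SAMPLE))
    print(len(encode_chunked(b"x" * 700)), "bytes on the wire for a 700-byte body")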
2015
- It is a binary protocol rather than a text one.
- It is a multiplexed protocol: parallel requests can be handled over the same connection. Frames are part of streams, and streams are identified by a number. The stream number is present in each frame as a binary field, and it is what matches requests to their responses.
- Due to multiplexing, only one connection per server is allowed.
- It compresses headers, as these are often similar among a set of requests.
- Server push: a mechanism allowing the server to send required resources before the client requests them, so that by the time the browser finishes parsing the HTML, the transfer of CSS or JS has already started or even completed.
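The framing described above (binary frames, each carrying a stream number) is small enough to show in full. As an added example, not code from this wiki, the block below builds and parses HTTP/2 frames from their 9-byte header (24-bit length, 8-bit type, 8-bit flags, one reserved bit plus a 31-bit stream identifier, as in RFC 7540 section 4.1), groups the frames of one connection by stream to show the multiplexing, and enforces two of the specification's rules: frames larger than SETTINGS_MAX_FRAME_SIZE and DATA/HEADERS frames on stream 0 are errors. The connection preface and HPACK header compression are omitted; the sample payloads are constructed placeholders, not real encoded headers.

```python
from dataclasses import dataclass

FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM", 0x4: "SETTINGS",
               0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY", 0x8: "WINDOW_UPDATE",
               0x9: "CONTINUATION"}
DEFAULT_MAX_FRAME_SIZE = 16384   # initial SETTINGS_MAX_FRAME_SIZE (RFC 7540 section 6.5.2)


@dataclass
class Frame:
    type_name: str
    flags: int
    stream_id: int
    payload: bytes


def build_frame(frame_type: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """9-byte header: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([frame_type, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data: bytes, max_frame_size: int = DEFAULT_MAX_FRAME_SIZE) -> list:
    """Split a byte stream into frames, rejecting oversized frames and frames on the wrong stream."""
    frames = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[pos:pos + 3], "big")
        frame_type, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF   # reserved bit ignored
        if length > max_frame_size:
            raise ValueError(f"FRAME_SIZE_ERROR: {length} > {max_frame_size}")
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame payload")
        type_name = FRAME_TYPES.get(frame_type, f"UNKNOWN_{frame_type:#x}")  # unknown types are kept for inspection
        if type_name in ("DATA", "HEADERS") and stream_id == 0:
            raise ValueError(f"PROTOCOL_ERROR: {type_name} frame on stream 0")
        if type_name in ("SETTINGS", "PING", "GOAWAY") and stream_id != 0:
            raise ValueError(f"PROTOCOL_ERROR: {type_name} frame on stream {stream_id}")
        frames.append(Frame(type_name, flags, stream_id, payload))
        pos += 9 + length
    return frames


def group_by_stream(frames: list) -> dict:
    """Multiplexing in practice: interleaved frames are reassembled per stream id."""
    streams = {}
    for frame in frames:
        streams.setdefault(frame.stream_id, []).append(frame)
    return streams


# Constructed byte stream: two requests in flight on one connection, responses interleaved.
SAMPLE_CONNECTION_BYTES = b"".join([
    build_frame(0x4, 0x0, 0, b""),                   # SETTINGS on the connection stream
    build_frame(0x1, 0x4, 1, b"<hpack GET /a>"),     # HEADERS (END_HEADERS), stream 1
    build_frame(0x1, 0x4, 3, b"<hpack GET /b>"),     # HEADERS (END_HEADERS), stream 3
    build_frame(0x0, 0x1, 1, b"response a"),         # DATA (END_STREAM), stream 1
    build_frame(0x0, 0x1, 3, b"response b"),         # DATA (END_STREAM), stream 3
])

if __name__ == "__main__":
    for stream_id, frames in group_by_stream(parse_frames(SAMPLE_CONNECTION_BYTES)).items():
        print(stream_id, [f.type_name for f in frames])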
2016
- Support of Alt-Svc allows the dissociation of the identification and the location of a given resource, allowing for a smarter CDN caching mechanism.
- The introduction of Client-Hints allows the browser, or client, to proactively communicate information about its requirements, or hardware constraints, to the server.
- The introduction of security-related prefixes in the Cookie header now helps guarantee a secure cookie has not been altered.
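The cookie prefixes in the last point are __Secure- and __Host-: a browser only accepts a cookie with such a name if the response also meets the attribute rules the prefix implies. As an added example (not code from this wiki), the check below parses a Set-Cookie value and lists the violations a browser would use to reject it: both prefixes require the Secure attribute and a secure origin, and __Host- additionally forbids Domain and requires Path to be exactly "/". The sample Set-Cookie lines are constructed.

```python
def parse_set_cookie(header_value: str) -> tuple:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()    # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def cookie_prefix_violations(header_value: str, over_https: bool) -> list:
    """Return the __Secure-/__Host- prefix rules a browser would find violated (empty list = accepted)."""
    name, _, attrs = parse_set_cookie(header_value)
    problems = []
    if name.startswith(("__Secure-", "__Host-")):
        if "secure" not in attrs:
            problems.append("Secure attribute is required")
        if not over_https:
            problems.append("must be set from a secure (https) origin")
    if name.startswith("__Host-"):
        if "domain" in attrs:
            problems.append("Domain attribute is not allowed")
        if attrs.get("path") != "/":
            problems.append("Path must be exactly '/'")
    return problems


# Constructed examples of Set-Cookie values a server might emit.
SAMPLE_SET_COOKIES = [
    "__Host-sid=abc123; Secure; Path=/; HttpOnly; SameSite=Lax",    # accepted
    "__Host-sid=abc123; Secure; Path=/; Domain=example.com",        # rejected: Domain present
    "__Secure-sid=abc123; Path=/",                                  # rejected: no Secure attribute
    "sid=abc123",                                                   # no prefix, no prefix rules apply
]

if __name__ == "__main__":
    for cookie in SAMPLE_SET_COOKIES:
        print(cookie, "->", cookie_prefix_violations(cookie, over_https=True) or "ok")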
upcoming
- It is built over QUIC (Quick UDP Internet Connections). On the surface, QUIC is very similar to TCP+TLS+HTTP/2 implemented on UDP.
- Dramatically reduced connection establishment time
- Improved congestion control
- Multiplexing without a head of line blocking
- Forward error correction
- Connection migration
2000
HTTPS is an extension of HTTP that does not change HTTP itself but runs it over a different underlying protocol. HTTP itself is built over TCP; HTTPS is built over TLS (Transport Layer Security), which in turn is built over TCP. So despite its name, TLS is not a Transport layer protocol, because TCP is what works at that layer; rather, TLS works at layer 6, the Presentation layer. HTTPS therefore has exactly the same message semantics as HTTP, and it secures the connection thanks to the use of TLS.
- HTTP lacks a security mechanism to encrypt the data, whereas HTTPS uses TLS and digital certificates to secure the communication between server and client.
- HTTP operates at the Application layer, whereas HTTPS operates at the Presentation layer.
- HTTP by default operates on port 80, whereas HTTPS by default operates on port 443.
- HTTP transfers data in plain text, while HTTPS transfers data as ciphertext (encrypted text).
- HTTP is faster than HTTPS because HTTPS consumes computing power to encrypt the communication channel.
1999
Formerly the SSL protocol; TLS is the result of the IETF standardizing the proprietary SSL protocol.
Provides:
- Encryption
  - A mechanism to obfuscate what is sent from one host to another.
- Authentication
  - A mechanism to verify the validity of provided identification material.
- Integrity
  - A mechanism to detect message tampering and forgery.
- The handshake begins when a client connects to a TLS-enabled server requesting a secure connection, and the client presents a list of supported cipher suites (ciphers and hash functions).
- From this list, the server picks a cipher and hash function that it also supports and notifies the client of the decision.
- The server usually then provides identification in the form of a digital certificate. The certificate contains the server name, the trusted certificate authority (CA) that vouches for the authenticity of the certificate, and the server's public encryption key.
- The client confirms the validity of the certificate before proceeding.
- To generate the session keys used for the secure connection, the client either:
  - encrypts a random number (PreMasterSecret) with the server's public key and sends the result to the server (which only the server should be able to decrypt with its private key); both parties then use the random number to generate a unique session key for subsequent encryption and decryption of data during the session; or
  - uses Diffie–Hellman key exchange to securely generate a random and unique session key for encryption and decryption, which has the additional property of forward secrecy: if the server's private key is disclosed in the future, it cannot be used to decrypt the current session, even if the session is intercepted and recorded by a third party.
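The two key-exchange options in the last step differ in exactly one way that matters for a recorded session, and that difference is easy to show in code. The following is an added example, not code from this wiki: it runs both exchanges with toy parameters (textbook RSA built from two Mersenne primes with no padding, and a Diffie–Hellman group with a 127-bit Mersenne prime modulus and generator 3, both constructed for illustration and far too weak for real use), derives a session key from the shared secret and the two handshake nonces with an HMAC stand-in for the TLS key schedule, and then asks what an eavesdropper's recording yields once the server's long-term private key leaks. With RSA key transport the recording contains the encrypted PreMasterSecret, so the leaked key recovers the session key; with Diffie–Hellman the recording holds only g^a and g^b, and the private exponents never left the two hosts.

```python
import hashlib
import hmac
import secrets

# Toy RSA key pair (constructed: two Mersenne primes, no padding; demonstration only).
RSA_P = (1 << 31) - 1
RSA_Q = (1 << 61) - 1
RSA_N = RSA_P * RSA_Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # modular inverse, Python 3.8+

# Toy Diffie-Hellman group (constructed: p = 2^127 - 1, g = 3; demonstration only).
DH_P = (1 << 127) - 1
DH_G = 3


def derive_session_key(shared_secret: int, client_random: bytes, server_random: bytes) -> bytes:
    """Mix the shared secret with both handshake nonces (simplified stand-in for the TLS key schedule)."""
    secret_bytes = shared_secret.to_bytes((shared_secret.bit_length() + 7) // 8 or 1, "big")
    return hmac.new(secret_bytes, b"session key" + client_random + server_random, hashlib.sha256).digest()


def rsa_key_transport_handshake() -> tuple:
    """Client encrypts a random PreMasterSecret to the server's public key; the private key recovers it."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster = secrets.randbelow(RSA_N - 2) + 2
    encrypted_premaster = pow(premaster, RSA_E, RSA_N)          # this value crosses the wire
    server_premaster = pow(encrypted_premaster, RSA_D, RSA_N)   # server-side decryption
    transcript = {"client_random": client_random, "server_random": server_random,
                  "encrypted_premaster": encrypted_premaster}   # everything an eavesdropper can record
    return (derive_session_key(premaster, client_random, server_random),
            derive_session_key(server_premaster, client_random, server_random), transcript)


def dh_handshake() -> tuple:
    """Ephemeral Diffie-Hellman: each side keeps a private exponent; only g^a and g^b cross the wire."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    a = secrets.randbelow(DH_P - 2) + 1
    b = secrets.randbelow(DH_P - 2) + 1
    client_public, server_public = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    transcript = {"client_random": client_random, "server_random": server_random,
                  "client_public": client_public, "server_public": server_public}
    return (derive_session_key(pow(server_public, a, DH_P), client_random, server_random),
            derive_session_key(pow(client_public, b, DH_P), client_random, server_random), transcript)


def recover_from_recording(transcript: dict, leaked_rsa_private: int):
    """What a recorded transcript yields once the server's long-term private key leaks later."""
    if "encrypted_premaster" in transcript:
        premaster = pow(transcript["encrypted_premaster"], leaked_rsa_private, RSA_N)
        return derive_session_key(premaster, transcript["client_random"], transcript["server_random"])
    # DH transcript: only g^a and g^b were recorded, the private exponents never left the two hosts,
    # and the server's long-term key played no part in computing the shared secret.
    return None


if __name__ == "__main__":
    client_key, server_key, recording = rsa_key_transport_handshake()
    print("RSA transport: keys match:", client_key == server_key,
          "| recovered after key leak:", recover_from_recording(recording, RSA_D) == client_key)
    client_key, server_key, recording = dh_handshake()
    print("Diffie-Hellman: keys match:", client_key == server_key,
          "| recovered after key leak:", recover_from_recording(recording, RSA_D) is not None)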