Unit 1 · Web Foundations

Lesson · Unit 1 · 9 min read

How the web actually works, from keystroke to rendered pixel.

Every web request takes a tour through seven layers of networking, hits at least three servers, and gets translated four times — in about 200 milliseconds. Here's the shape of that tour.

Section · 01

The request/response model

The web works because of one repeated transaction: a client (your browser) sends a request to a server, and the server sends back a response. That’s it. Loading a webpage is hundreds of these round-trips happening in parallel — one for the HTML, one for each image, one for each stylesheet, one for each script.

Client                                Server
  | --------- GET /index.html --------> |
  |                                     |  (looks up the file,
  |                                     |   runs any code,
  |                                     |   builds a response)
  | <-------- 200 OK + HTML ----------- |

That request and response travel as little packets of bytes across a network of routers, fibre, and (occasionally) literal copper wire. The next sections are about what the bytes look like and how they find their way.

Section · 02

The OSI model — in plain English

The OSI model splits a network into seven layers. Each layer is responsible for one job and trusts the layer below it to handle the rest. You will be asked about this in interviews. You will also use it to debug things at 2 a.m.

7. Application   — what you actually use (HTTP, SMTP, DNS, SSH)
6. Presentation  — encoding, compression, encryption (TLS lives here-ish)
5. Session       — opening and closing conversations
4. Transport     — chunking data into packets (TCP, UDP)
3. Network       — routing packets across networks (IP)
2. Data Link     — packet → frame for one hop (Ethernet, Wi-Fi)
1. Physical      — actual bits over wire, fibre, or radio

When you write web code, you live almost entirely at Layer 7. But every time you hit a CORS error, a connection timeout, or a “port already in use”, you just dropped into a lower layer.

Section · 03

TCP vs UDP

At Layer 4 you choose between two protocols. TCP is reliable — it numbers packets, confirms delivery, and re-sends ones that get lost. UDPis fast — it fires packets off and doesn’t care if they arrive.

TCP  →  HTTP, HTTPS, SSH, SMTP, FTP   (correctness matters)
UDP  →  DNS, video calls, gaming, VoIP (speed matters more)

Web traffic is almost all TCP, because a missing chunk of HTML would be unrecoverable. A missing frame in a video call is fine — you’d rather skip it than wait.

Section · 04

HTTP — the language of the web

At the top of the stack lives HTTP, the protocol your browser actually speaks. An HTTP request is mostly just text — you could literally type one out by hand:

GET /about HTTP/1.1
Host: yorksims.com
User-Agent: Mozilla/5.0 ...
Accept: text/html

The server responds with a status line, headers, and (usually) a body:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 4823

<!doctype html>
<html> ...

The verbs

GET     → fetch a resource          (safe, idempotent)
POST    → create something          (not idempotent — twice = two records)
PUT     → replace a resource        (idempotent)
PATCH   → partially update          (not idempotent)
DELETE  → remove a resource         (idempotent)

REST APIs map these verbs to operations on data. A login form POSTs. A delete button DELETEs. Most pages you load are GETs.

Section · 05

Status codes

Every response carries a 3-digit status code. Memorize the families and a few specific ones — you’ll see them in DevTools every day.

1xx  Informational    (rare — keep going)
2xx  Success          (200 OK, 201 Created, 204 No Content)
3xx  Redirect         (301 Moved Permanently, 302 Found, 304 Not Modified)
4xx  Client error     (400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many)
5xx  Server error     (500 Internal Server Error, 502 Bad Gateway, 503 Unavailable)

Rule of thumb: 4xx is your fault (you sent something wrong); 5xx is their fault(the server blew up). 401 vs 403 trips up beginners: 401 means “you aren’t logged in”, 403 means “you are, but you can’t do this.”

Section · 06

HTTPS — HTTP with a lock on it

HTTPS is HTTP wrapped in TLS encryption. When you visit https://yorksims.com, your browser and the server do a quick handshake — exchange certificates, agree on an encryption key — and then run normal HTTP inside the encrypted tunnel.

You should never ship a public site without HTTPS in 2026. Most browsers flag plain HTTP as “Not Secure.” Search engines penalize it. And without TLS, anyone on the same Wi-Fi can read everything your users send and receive, including their passwords. Free certs from Let’s Encrypt, automated by almost every host. Just turn it on.

Section · 07

Ports

An IP address gets you to a machine. A port gets you to the right program on that machine. A web server listens on port 80 (HTTP) and 443 (HTTPS) by default.

http://yorksims.com         → port 80
https://yorksims.com        → port 443
ssh user@server             → port 22
http://localhost:3000       → port 3000  (dev servers)
http://localhost:5432       → port 5432  (postgres)

When you start a Next.js dev server and it says localhost:3000, that’s the port it picked to listen on. If it’s already taken (you forgot to kill the last one), it’ll grab the next free one.

The next lesson is about how your browser turns a name like yorksims.com into the numeric IP address it actually needs to open a connection to.

← PreviousA brief history of the internetNext →DNS, IP addresses & URLs