System Design Article
Client-Server Model & HTTP/HTTPS
Difficulty: Easy
The client-server model is the foundational architecture of the modern internet. Every time you open a webpage, send a message, or stream a video, a client is making requests to a server. This lesson explains how this model works, how HTTP and HTTPS power web communication, and why understanding request-response cycles is essential for designing any distributed system.
Client-Server Model & HTTP/HTTPS
The client-server model is the foundational architecture of the modern internet. Every time you open a webpage, send a message, or stream a video, a client is making requests to a server. This lesson explains how this model works, how HTTP and HTTPS power web communication, and why understanding request-response cycles is essential for designing any distributed system.
469 views
5
What is the Client-Server Model?
The client-server model is a distributed computing architecture where work is divided between two roles:
- Client: The entity that initiates requests. This is typically a web browser, mobile app, or another service that needs data or processing.
- Server: The entity that listens for requests, processes them, and returns responses. This could be a web server, application server, or database server.
This is a request-response model: the client asks, the server answers. The server does not spontaneously push data to the client (that requires different patterns like WebSockets, which we cover in a later lesson).
A Simple Analogy
Think of a restaurant. You (the client) place an order with the waiter. The kitchen (the server) prepares the food and sends it back through the waiter. You do not walk into the kitchen yourself, and the kitchen does not start cooking for you until you order.
Key Characteristics
| Property | Client | Server |
|---|---|---|
| Initiates communication | Yes | No (listens and responds) |
| Number of instances | Many (millions of users) | Few (can be scaled horizontally) |
| State | Often stateless per request | May maintain session state |
| Network location | Anywhere (home, mobile, office) | Fixed IP or behind a load balancer |
| Trust level | Untrusted (user-controlled) | Trusted (developer-controlled) |
How HTTP Works
HTTP (HyperText Transfer Protocol) is the application-layer protocol that clients and servers use to communicate on the web. It runs on top of TCP (Transmission Control Protocol), which guarantees reliable, ordered delivery of data.
The Request-Response Cycle
Client Server
| |
| 1. TCP Handshake (SYN/SYN-ACK) |
|----------------------------------->|
|<-----------------------------------|
| |
| 2. HTTP Request |
| GET /api/users HTTP/1.1 |
| Host: api.example.com |
| Accept: application/json |
|----------------------------------->|
| |
| 3. Server processes request |
| (query DB, run logic, etc.) |
| |
| 4. HTTP Response |
| HTTP/1.1 200 OK |
| Content-Type: application/json |
| {"users": [...]} |
|<-----------------------------------|
| |HTTP Methods
HTTP defines several methods (also called verbs) that indicate the intended action:
| Method | Purpose | Idempotent? | Safe? |
|---|---|---|---|
| GET | Retrieve a resource | Yes | Yes |
| POST | Create a new resource | No | No |
| PUT | Replace a resource entirely | Yes | No |
| PATCH | Partially update a resource | No | No |
| DELETE | Remove a resource | Yes | No |
| HEAD | Like GET but returns headers only | Yes | Yes |
| OPTIONS | Discover allowed methods (CORS preflight) | Yes | Yes |
Idempotent means making the same request multiple times produces the same result. GET /users/42 always returns user 42. DELETE /users/42 deletes user 42 the first time; subsequent calls are no-ops.
Safe means the request does not modify server state. GET and HEAD are safe; POST and DELETE are not.
HTTP Status Codes
Status codes tell the client what happened:
| Range | Category | Examples |
|---|---|---|
| 1xx | Informational | 100 Continue, 101 Switching Protocols |
| 2xx | Success | 200 OK, 201 Created, 204 No Content |
| 3xx | Redirection | 301 Moved Permanently, 304 Not Modified |
| 4xx | Client Error | 400 Bad Request, 401 Unauthorized, 404 Not Found, 429 Too Many Requests |
| 5xx | Server Error | 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable |
HTTP Headers
Headers carry metadata about the request or response:
- Content-Type: What format the body is in (e.g.,
application/json,text/html) - Authorization: Authentication credentials (e.g.,
Bearer <token>) - Cache-Control: Caching directives (e.g.,
max-age=3600,no-cache) - Accept: What formats the client can handle
- User-Agent: Identifies the client software
- Set-Cookie / Cookie: Session management
HTTPS and TLS Encryption
HTTPS is HTTP over TLS (Transport Layer Security). It provides three critical security properties:
- Encryption: Data is encrypted in transit, so eavesdroppers cannot read it.
- Integrity: Data cannot be tampered with without detection (via MAC - Message Authentication Code).
- Authentication: The server proves its identity via a digital certificate, preventing impersonation.
The TLS Handshake (Simplified)
Client Server
| |
| 1. ClientHello |
| (supported cipher suites, TLS version) |
|---------------------------------------->|
| |
| 2. ServerHello + Certificate |
| (chosen cipher suite, server's cert) |
|<----------------------------------------|
| |
| 3. Client verifies certificate |
| (checks CA signature, expiry, etc.) |
| |
| 4. Key Exchange |
| (both derive shared session key) |
|<--------------------------------------->|
| |
| 5. Encrypted HTTP traffic begins |
|<========================================>|Why HTTPS Matters in System Design
- All production traffic should use HTTPS. Google Chrome marks HTTP sites as "Not Secure."
- TLS termination can happen at the load balancer or reverse proxy, reducing overhead on application servers.
- Certificate management (via services like AWS Certificate Manager or Let's Encrypt) is a real operational concern.
- TLS adds latency due to the handshake (1-2 extra round trips in TLS 1.2, reduced to 1 in TLS 1.3).
HTTP vs HTTPS
| Aspect | HTTP | HTTPS |
|---|---|---|
| Port | 80 | 443 |
| Encryption | None | TLS encryption |
| Speed | Slightly faster (no handshake) | Slight overhead (~1-5ms) |
| Use case | Internal microservice-to-microservice (behind firewall) | All public-facing traffic |
| SEO impact | Penalized by search engines | Preferred by Google ranking |
Full Request Lifecycle
When you type https://www.example.com/api/data in your browser, here is everything that happens:
Step-by-Step Breakdown
DNS Resolution: The browser resolves
www.example.comto an IP address (e.g.,93.184.216.34). This involves checking the browser cache, OS cache, and potentially querying DNS servers recursively. (We cover DNS in depth in the next lesson.)TCP Connection: The browser opens a TCP connection to the server's IP on port 443. This requires a 3-way handshake (SYN, SYN-ACK, ACK).
TLS Handshake: Since this is HTTPS, the client and server negotiate encryption parameters and exchange keys.
HTTP Request: The browser sends the HTTP request over the encrypted channel.
Server Processing: The server receives the request, routes it to the appropriate handler, executes business logic (database queries, computations), and constructs a response.
HTTP Response: The server sends back the response with a status code, headers, and body.
Rendering: The browser parses the response. If it is HTML, it may trigger additional requests for CSS, JavaScript, images, and fonts.
Connection Reuse: With HTTP/1.1 keep-alive or HTTP/2 multiplexing, the TCP connection stays open for subsequent requests, avoiding repeated handshakes.
[Browser] -> [DNS] -> [TCP 3-way handshake] -> [TLS handshake]
-> [HTTP Request] -> [Server Logic] -> [HTTP Response]
-> [Render Page] -> [Additional asset requests over same connection]Why This Matters for System Design
Every arrow in an architecture diagram represents one or more of these steps. When an interviewer asks "what happens when the user clicks Submit?", they expect you to articulate this lifecycle. Latency at each step compounds: a slow DNS lookup plus a cold TCP connection plus server processing time can degrade the user experience significantly.
HTTP Versions: 1.1, 2, and 3
HTTP has evolved significantly to address performance bottlenecks:
HTTP/1.1 (1997)
- Keep-alive connections: Reuse TCP connections for multiple requests (unlike HTTP/1.0 which opened a new connection per request).
- Pipelining (theoretical): Send multiple requests without waiting for responses. In practice, rarely used due to head-of-line blocking.
- Head-of-line blocking: If the first response is slow, all subsequent responses are delayed.
- Workaround: Browsers open 6 parallel TCP connections per domain.
HTTP/2 (2015)
- Multiplexing: Multiple requests and responses share a single TCP connection, interleaved as frames. No head-of-line blocking at the HTTP layer.
- Header compression (HPACK): Reduces overhead from repetitive headers.
- Server push: Server can proactively send resources the client will likely need (e.g., pushing CSS before the browser requests it).
- Binary framing: More efficient parsing than HTTP/1.1's text-based protocol.
- Limitation: Still uses TCP, so head-of-line blocking can occur at the TCP layer if a packet is lost.
HTTP/3 (2022)
- QUIC protocol: Replaces TCP with UDP-based QUIC, which eliminates TCP-level head-of-line blocking.
- Faster connection establishment: QUIC combines the transport and TLS handshakes into a single round trip (0-RTT for repeat connections).
- Connection migration: If a user switches from Wi-Fi to cellular, the QUIC connection survives (identified by connection ID, not IP:port).
| Feature | HTTP/1.1 | HTTP/2 | HTTP/3 |
|---|---|---|---|
| Transport | TCP | TCP | QUIC (UDP) |
| Multiplexing | No (workaround: parallel connections) | Yes | Yes |
| Header compression | No | HPACK | QPACK |
| HOL blocking | HTTP + TCP layer | TCP layer only | None |
| Connection setup | TCP + TLS = 3 RTTs | TCP + TLS = 3 RTTs | 1 RTT (0-RTT for repeat) |
| Adoption | Universal | ~60% of websites | ~30% of websites |
Trade-offs & Alternative Models
The client-server model is not the only architecture. Understanding its trade-offs helps you choose the right approach.
Client-Server vs Peer-to-Peer (P2P)
| Aspect | Client-Server | Peer-to-Peer |
|---|---|---|
| Control | Centralized (server controls logic and data) | Decentralized (each node is client and server) |
| Scalability | Must scale servers as traffic grows | Scales naturally (more peers = more capacity) |
| Reliability | Single point of failure (mitigated by redundancy) | Resilient to individual node failures |
| Security | Easier to enforce (server-side validation) | Harder (trust distributed across peers) |
| Examples | Web apps, APIs, databases | BitTorrent, blockchain, WebRTC video calls |
| When to use | Most web applications, APIs, services | File sharing, decentralized apps, real-time P2P communication |
Stateless vs Stateful Servers
Stateless (preferred for scalability): Each request contains all information needed to process it. The server does not remember previous requests. This makes horizontal scaling trivial - any server can handle any request.
Stateful: The server maintains session state between requests (e.g., shopping cart stored in server memory). This creates sticky sessions - a client must always talk to the same server, which complicates load balancing.
Best practice: Keep servers stateless. Store session data in an external store (Redis, database) so any server can serve any request.
When Client-Server Breaks Down
- Real-time bidirectional communication: HTTP request-response is inherently one-directional (client initiates). For chat, live updates, or gaming, you need WebSockets or Server-Sent Events.
- Extremely high throughput between services: HTTP overhead (headers, text parsing in 1.1) can be too much. Internal microservices may prefer gRPC (binary protocol, multiplexed, strongly typed).
- Offline-first applications: If the client must work without a server (e.g., mobile apps in areas with poor connectivity), you need local-first architectures with sync protocols.
Real-World Examples
How real systems implement this in production
Netflix uses the client-server model at every layer: browser/app clients request API data over HTTPS from Netflix's backend, and video segments are fetched via HTTP from CDN edge servers using adaptive bitrate streaming (DASH/HLS).
Trade-off: Centralized API servers for control and personalization, distributed CDN servers for low-latency video delivery
AWS ALB sits between clients and backend servers, acting as a reverse proxy. It terminates TLS (handling HTTPS) and forwards requests to backend instances over HTTP, reducing cryptographic overhead on application servers.
Trade-off: TLS termination at the load balancer simplifies backend servers but means traffic between ALB and backend is unencrypted unless mTLS is configured
Chrome was the first major browser to implement QUIC (HTTP/3), reducing connection setup time from 3 round trips (TCP + TLS 1.2) to 1 round trip, with 0-RTT for repeat connections. This measurably improved page load times on mobile networks.
Trade-off: HTTP/3 over QUIC provides better performance on lossy networks but requires UDP support, which some corporate firewalls block
Quick Interview Phrases
Key terms to use in your answer
Common Interview Questions
Questions you might be asked about this topic
DNS lookup, TCP handshake, TLS negotiation (if HTTPS), HTTP request, server processing, response rendering. Mention each layer and potential bottlenecks.
Multiplexing eliminates head-of-line blocking, server push reduces round trips, header compression saves bandwidth. Best for many small requests (SPAs, APIs). Mention HTTP/3 for lossy networks.
TLS handshake establishes shared secret via asymmetric crypto, then uses symmetric encryption for data. Protects against eavesdropping, tampering, and impersonation via certificates.
HTTP is stateless - each request is independent. State is maintained via cookies, tokens, or session stores. Stateless is easier to scale horizontally. WebSockets are stateful - connection persists.
Interview Tips
How to discuss this topic effectively
When asked 'what happens when you type a URL in the browser', structure your answer as: DNS -> TCP -> TLS -> HTTP -> Server -> Response -> Render. Interviewers want to see you understand the full stack.
Always default to HTTPS in your designs. If an interviewer asks about HTTP for internal services, mention that many companies still use mTLS internally for zero-trust security.
Know the difference between idempotent and safe HTTP methods. This matters when designing retry logic: retrying a failed GET is always safe, but retrying a POST might create duplicate resources.
When discussing performance, mention HTTP/2 multiplexing as a way to reduce latency without application-level changes. This shows you think about infrastructure optimizations.
If your design has servers communicating with other servers (microservices), clarify that each server acts as both a client (when making outbound requests) and a server (when handling inbound requests). This shows architectural maturity.
Common Mistakes
Pitfalls to avoid in interviews
Saying HTTP is 'insecure' and should never be used
HTTP without TLS is insecure for public traffic, but it is commonly used for internal service-to-service communication within a private network or VPC where the overhead of TLS is unnecessary and the network is trusted.
Confusing authentication with encryption in HTTPS
HTTPS provides both, but they serve different purposes. Encryption prevents eavesdropping. Authentication (via certificates) prevents man-in-the-middle attacks by proving the server is who it claims to be. You need both.
Treating POST and PUT as interchangeable
POST creates a new resource (server assigns the ID). PUT replaces a resource at a known URI (client specifies the ID). PUT is idempotent; POST is not. This distinction affects retry safety and API design.
Assuming all HTTP communication is synchronous and blocking
While HTTP itself is request-response, clients can make concurrent requests (especially with HTTP/2 multiplexing), and servers can process requests asynchronously (accepting a request, returning 202 Accepted, and processing in the background).
