Back

The Anatomy of an HTTP Request

OpenReplay Team OpenReplay Team

Feb 14, 2026 · 4 min read

The Anatomy of an HTTP Request

Every time you click a link, submit a form, or fetch data from an API, your browser constructs an HTTP request and sends it across the network. But what actually makes up that request? Understanding the anatomy of an HTTP request gives you a mental model that applies whether you’re debugging network issues, optimizing performance, or building APIs.

This article breaks down HTTP request structure across protocol versions and highlights what frontend developers need to know about modern HTTP headers and their practical implications.

Key Takeaways

  • An HTTP request consists of three core parts: a request line (or pseudo-headers in HTTP/2+), headers, and an optional body.
  • The semantic structure of requests stays the same across HTTP/1.1, HTTP/2, and HTTP/3. What changes is the wire format and transport mechanism.
  • Modern headers like Fetch Metadata, Client Hints, and Priority give developers finer control over security, privacy, and performance.
  • Cookie behavior has shifted with SameSite=Lax defaults and partitioned cookies (CHIPS), affecting how cross-site state is managed.

HTTP Request Structure: The Core Components

An HTTP request consists of three parts: a request line (or its equivalent), headers, and an optional body.

In HTTP/1.1, a request looks like this:

POST /api/users HTTP/1.1
Host: api.example.com
Content-Type: application/json
Content-Length: 45

{"username": "dev", "email": "dev@example.com"}

The request line contains the method (POST), the target path (/api/users), and the protocol version. The headers provide metadata—content type, authentication, caching directives. The body carries the payload when needed.

This structure remains semantically identical across HTTP/1.1, HTTP/2, and HTTP/3. What changes is how these components are represented and transmitted.

HTTP/1.1 vs HTTP/2 vs HTTP/3 Requests

HTTP/1.1: Text-Based and Sequential

HTTP/1.1 transmits requests as plain text over TCP. Requests are processed sequentially per connection. While HTTP/1.1 supports persistent connections (keep-alive) and pipelining, browsers generally avoid pipelining due to head-of-line blocking. Instead, browsers work around the single-request limitation by opening multiple parallel connections, typically six per origin.

The Host header is mandatory in HTTP/1.1—it tells the server which virtual host should handle the request.

HTTP/2: Binary Framing and Multiplexing

HTTP/2 wraps messages in binary frames and introduces pseudo-headers that replace the request line:

  • :method — the HTTP method
  • :path — the path and query string
  • :schemehttp or https
  • :authority — the HTTP/2+ equivalent of the Host header, used to identify the target authority

Multiple requests share a single TCP connection through multiplexing. Headers are compressed via HPACK, eliminating the redundancy of repeating similar headers across requests.

HTTP/3: QUIC and Connection Resilience

HTTP/3 uses QUIC over UDP instead of TCP. This eliminates TCP’s head-of-line blocking at the transport layer—if one stream stalls, others continue unaffected. Connection migration lets requests survive network changes, which is particularly useful on mobile devices switching between Wi-Fi and cellular.

Header compression in HTTP/3 uses QPACK rather than HPACK, adapted to work correctly with QUIC’s independent streams.

The request semantics stay the same. Your code doesn’t change—the transport does.

Modern HTTP Headers That Matter

Beyond the basics like Content-Type and Authorization, several modern headers deserve attention:

Fetch Metadata headers (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) let servers understand the context of a request—whether it’s same-origin, cross-site, or triggered by navigation versus a script.

Client Hints (Sec-CH-UA, Sec-CH-UA-Platform, Sec-CH-UA-Mobile) provide device and browser information in a structured, privacy-conscious way, reducing reliance on the legacy User-Agent string for many use cases.

Priority header signals resource importance to the server, helping it decide what to send first over multiplexed connections, though real-world support varies across servers and CDNs.

Practical Implications for Frontend Developers

Performance Prioritization

The Priority header (defined in RFC 9218) influences how servers and CDNs order responses. It replaces the HTTP/2-era stream weight and dependency model with a simpler scheme using urgency and incremental parameters. Critical resources like fonts or above-the-fold images can be marked high priority to ensure they arrive first.

Security Considerations

Watch for conflicting Content-Length and Transfer-Encoding headers—this mismatch can enable request smuggling attacks. Servers should reject ambiguous requests, but understanding the risk helps when debugging unexpected behavior.

Cookies now default to SameSite=Lax in modern browsers, which restricts cookies from being sent on cross-site subrequests unless explicitly configured otherwise. Partitioned cookies (CHIPS) isolate third-party cookies per top-level site, affecting how embedded content manages state.

Conclusion

The anatomy of an HTTP request—method, target, headers, body—remains consistent across protocol versions. What changes is the wire format: text in HTTP/1.1, binary frames in HTTP/2, QUIC streams in HTTP/3.

For frontend work, focus on understanding pseudo-headers when debugging HTTP/2+, leverage modern headers like Fetch Metadata and Client Hints, and stay aware of security and cookie changes that affect how requests behave. The protocol handles the transport complexity. Your job is knowing what you’re actually sending.

FAQs

In HTTP/1.1, the method, path, and version appear in a plain-text request line. HTTP/2 replaces this with pseudo-headers like :method, :path, :scheme, and :authority, which are encoded in binary frames. They carry the same information but are transmitted more efficiently using HPACK compression. Regular headers still exist alongside pseudo-headers in HTTP/2.

HTTP/2 multiplexes streams over a single TCP connection, so a lost packet blocks all streams until retransmission completes. HTTP/3 uses QUIC over UDP, where each stream is independent at the transport layer. A stalled stream does not block others, resulting in better performance on unreliable networks.

The Priority header lets you signal which resources matter most. Servers and CDNs use this to decide delivery order over multiplexed connections. Marking critical assets like fonts or key images as high priority can reduce perceived load times. It uses urgency and incremental parameters defined in RFC 9218.

Modern browsers default cookies to SameSite=Lax, meaning cookies are not sent on cross-site subrequests like image loads or fetch calls from third-party contexts. They are still sent on top-level navigations. To send cookies cross-site, you must explicitly set SameSite=None along with the Secure attribute.

Gain control over your UX

See how users are using your site as if you were sitting next to them, learn and iterate faster with OpenReplay. — the open-source session replay tool for developers. Self-host it in minutes, and have complete control over your customer data. Check our GitHub repo and join the thousands of developers in our community.

OpenReplay

More articles from OpenReplay Blog