Browsers, HTTP/HTTPS and Security

Browsers

An application that allows users to access and view websites and information on the World Wide Web.

How a Browser Works: Real-Case Scenario

Requesting and Fetching Resources

When a user enters a web address (URL) or clicks a link:

The browser first queries the Domain Name System (DNS) to find the IP address of the given address.
After DNS responds, the browser sends requests to that IP using the HTTP or HTTPS protocol.
Through these requests, the following resources are obtained:
- HTML – structure of the content
- CSS – presentation style
- JavaScript – dynamic functionality
- Images, videos, and other media

Page Rendering

The browser parses HTML and CSS files received from the server to construct the DOM (Document Object Model) and CSSOM (CSS Object Model) trees.
Based on these trees, it builds the Render Tree.
Then, via the Layout and Painting stages, the web page seen by the user is visually created.

Rendering engine examples:

Chrome → Blink
Firefox → Gecko
Safari → WebKit

JavaScript Execution

JavaScript code is executed to enable site interactivity.
This code is run by the browser’s JavaScript Engine.

JavaScript engine examples:

Chrome → V8
Firefox → SpiderMonkey
Safari → JavaScriptCore

➡️ At this stage, the browser can establish asynchronous communication with the server using AJAX or the Fetch API.

Network Management

The browser manages the following network functions:

HTTP(S) requests and responses
DNS queries
Cookies
Caching
Secure connections (HTTPS, TLS/SSL)

Security and Policy Enforcement

The browser performs the following security functions:

Blocking malicious websites
Security policies:
- Same-Origin Policy – controls resource sharing across different domains
- CORS – specifies which domains the server allows
Verification of HTTPS certificates
Mixed content blocking

HTTP/HTTPS

HTTP and HTTPS are the fundamental communication protocols of the web. They are used to transfer data between the browser and the server.

Request/Response Model

The browser sends an HTTP request to the server.
The server receives this request and returns an HTTP response.

HTTP Methods

Methods used in RESTful APIs:

Method	Purpose
`GET`	Retrieve data
`POST`	Create new data
`PUT`	Fully update data
`PATCH`	Partially update data
`DELETE`	Delete data

Status Codes

Status codes sent by the server in response to a request:

Code	Meaning
`200 OK`	Successful response
`201 Created`	A new resource was created
`400 Bad Request`	The request is invalid
`401 Unauthorized`	No access permission
`404 Not Found`	Resource not found
`500 Internal Server Error`	Server error

Headers

Key-value pairs that carry additional information (metadata) related to the request and response.

Examples:

Content-Type: Type of content (application/json)
Authorization: Token or login information
Cache-Control: Caching behavior
User-Agent: Browser information

Body

Request bodies are sent with POST, PUT, and PATCH.
The server may also return a body (e.g., JSON, HTML, XML, image, etc.).

HTTPS and Security

HTTP + TLS (Transport Layer Security) = HTTPS

➡️ All transmitted data is encrypted.

Security Advantages of HTTPS

Function	Description
Confidentiality	Data cannot be tracked by third parties.
Integrity	Ensures data is not altered during transmission.
Authentication	Verifies the real server using an SSL/TLS certificate.

⚠️ In modern times, websites that do not use HTTPS are considered insecure.

Having your backend applications serve over HTTPS is now a standard requirement.