Inquiry Question 1: How are secure web applications developed?
Explain the HTTP protocol, including request methods, status codes and headers, and the role of HTTPS in securing web traffic
A focused answer to the HSC Software Engineering Module 2 dot point on HTTP. Request methods, status codes, headers, the role of HTTPS and TLS, the worked example, and the traps markers look for.
What this dot point is asking
NESA wants you to know the structure of HTTP requests and responses, the standard methods and status codes, the role of headers, and how HTTPS layers encryption and identity on top.
The answer
Anatomy of an HTTP request
Every HTTP request starts with a request line that names the method and path, then carries any number of headers, then optionally a body. The example below shows a POST request submitting a JSON payload.
```http
POST /api/comments HTTP/1.1
Host: blog.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
Content-Type: application/json
Content-Length: 32

{"article_id": 7, "text": "Hi"}
```
- Method: POST
- Path: /api/comments
- Version: HTTP/1.1 (or HTTP/2, HTTP/3)
- Headers: key-value metadata
- Body: optional, present for POST/PUT/PATCH
Anatomy of an HTTP response
Every HTTP response starts with a status line that names the version, status code and a short reason phrase, then headers, then optionally a body. The example below shows a successful resource creation that returns the new resource as JSON.
```http
HTTP/1.1 201 Created
Content-Type: application/json
Location: /api/comments/91
Content-Length: 27

{"id": 91, "status": "ok"}
```
- Status code: 201
- Status text: Created
- Headers: response metadata
- Body: optional, contains the resource representation
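The request and response anatomy above is a byte format, and the clearest way to see it is to serialise and parse it by hand. The following is an added example (not part of the original page) in standard-library Python: `build_request` produces the exact bytes that go on the wire, and `parse_message` takes either a request or a response and splits it into start line, headers and body, rejecting a message whose body is shorter than its `Content-Length` claims. The sample response is constructed from the example above; the function names are this example's own.

```python
CRLF = b"\r\n"


def build_request(method, path, headers, body=b"", version="HTTP/1.1"):
    """Serialise a request into the bytes sent over the network:
    request line, one header per line, a blank line, then the body.
    Content-Length is filled in from the body when the caller omits it."""
    if body and "Content-Length" not in headers:
        headers = {**headers, "Content-Length": str(len(body))}
    lines = [f"{method} {path} {version}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    head = CRLF.join(line.encode("ascii") for line in lines)
    return head + CRLF + CRLF + body


def parse_message(raw):
    """Parse a raw HTTP request or response.

    Returns {"start": {...}, "headers": {...}, "body": bytes}. Header names
    are lower-cased because HTTP treats them case-insensitively. Raises
    ValueError when the headers are unterminated or the body is truncated."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no blank line terminating the headers")
    lines = head.decode("ascii").split("\r\n")
    parts = lines[0].split(" ", 2)
    parts += [""] * (3 - len(parts))        # tolerate a missing reason phrase
    first, second, third = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:
        expected = int(headers["content-length"])
        if len(body) < expected:
            raise ValueError(f"body truncated: got {len(body)} of {expected} bytes")
        body = body[:expected]              # ignore anything after the declared body
    if first.startswith("HTTP/"):
        # Status line: version, numeric status code, reason phrase
        start = {"version": first, "status": int(second), "reason": third}
    else:
        # Request line: method, path, version
        start = {"method": first, "path": second, "version": third}
    return {"start": start, "headers": headers, "body": body}


def body_is_complete(raw):
    """True when the message parses and carries every byte Content-Length promises."""
    try:
        parse_message(raw)
        return True
    except ValueError:
        return False


# Constructed sample: the 201 response from the page, without a trailing newline
# after the JSON, so Content-Length is the 26 bytes of the body itself.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 201 Created\r\n"
    b"Content-Type: application/json\r\n"
    b"Location: /api/comments/91\r\n"
    b"Content-Length: 26\r\n"
    b"\r\n"
    b'{"id": 91, "status": "ok"}'
)

if __name__ == "__main__":
    req = build_request("POST", "/api/comments",
                        {"Host": "blog.example.com", "Content-Type": "application/json"},
                        b'{"article_id": 7, "text": "Hi"}')
    print(req.decode())
    print(parse_message(req)["start"])
    print(parse_message(SAMPLE_RESPONSE)["start"])
```

Trying `parse_message` on a response cut a few bytes short shows why `Content-Length` matters: without the length check a client would silently hand an incomplete JSON body to the application.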
Methods
| Method | Purpose | Idempotent | Safe |
|---|---|---|---|
| GET | Retrieve | Yes | Yes |
| POST | Create / submit | No | No |
| PUT | Replace | Yes | No |
| PATCH | Partial update | No | No |
| DELETE | Remove | Yes | No |
| HEAD | Like GET but headers only | Yes | Yes |
| OPTIONS | Inspect supported methods | Yes | Yes |
Idempotent means calling the request many times has the same effect as calling it once. Safe means the request does not change server state.
Status codes
- 1xx: informational (rarely seen).
- 2xx: success. 200 OK, 201 Created, 204 No Content.
- 3xx: redirect. 301 Moved Permanently, 302 Found, 304 Not Modified.
- 4xx: client error. 400, 401, 403, 404, 429 Too Many Requests.
- 5xx: server error. 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable.
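Idempotency and safety from the methods table, and the status codes each method produces, are easiest to see by replaying the same request against a resource store and watching what changes. This is an added example, not code from the page: `CommentStore` is a hypothetical in-memory collection whose methods mirror GET, POST, PUT and DELETE and return `(status_code, body)`, and `replay` applies one request several times and reports whether the state matched the single-call result (idempotent) and whether it ever changed at all (safe).

```python
class CommentStore:
    """Hypothetical in-memory resource collection; each method returns (status, body)."""

    def __init__(self):
        self._items = {}
        self._next_id = 1

    def get(self, item_id):
        # Safe: reads never alter server state. 404 when the id is unknown.
        item = self._items.get(item_id)
        return (200, item) if item is not None else (404, None)

    def post(self, data):
        # Not idempotent: every call mints a new id and a new resource (201).
        item_id = self._next_id
        self._next_id += 1
        self._items[item_id] = dict(data)
        return (201, {"id": item_id, **data})

    def put(self, item_id, data):
        # Idempotent: replacing the same id with the same body again changes nothing.
        # 201 if the call created the resource, 200 if it replaced an existing one.
        created = item_id not in self._items
        self._items[item_id] = dict(data)
        return (201 if created else 200, {"id": item_id, **data})

    def delete(self, item_id):
        # Idempotent: the second call reports 404, but the end state is identical.
        if self._items.pop(item_id, None) is None:
            return (404, None)
        return (204, None)

    def snapshot(self):
        return dict(self._items)


def replay(store, method, *args, times=2):
    """Apply the same request `times` times. Returns the status codes seen,
    whether the state after every call equals the state after the first
    (idempotent), and whether the state never differed from the initial
    state (safe)."""
    before = store.snapshot()
    codes, states = [], []
    for _ in range(times):
        code, _body = getattr(store, method)(*args)
        codes.append(code)
        states.append(store.snapshot())
    return {
        "codes": codes,
        "idempotent": all(s == states[0] for s in states),
        "safe": all(s == before for s in states),
    }


if __name__ == "__main__":
    store = CommentStore()
    print("POST  ", replay(store, "post", {"text": "Hi"}))
    print("PUT   ", replay(store, "put", 1, {"text": "Edited"}))
    print("GET   ", replay(store, "get", 1))
    print("DELETE", replay(store, "delete", 1))
```

Running it shows POST returning 201 twice while creating two resources, PUT returning 200 twice with one resource, GET leaving the store untouched, and DELETE returning 204 then 404 while the state after both calls is the same; a retrying client is only safe to resend the idempotent ones.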
Headers
Headers carry metadata. Useful examples:
- `Content-Type: application/json` describes the body format.
- `Authorization: Bearer ...` carries an authentication token.
- `Cache-Control: no-store` instructs caches not to retain the response.
- `Set-Cookie: session=...` issues a cookie to the browser.
- `Strict-Transport-Security: max-age=31536000` forces future requests to use HTTPS.
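Three of the headers above (`Cache-Control`, `Set-Cookie`, `Strict-Transport-Security`) are protective settings a server should emit on an authenticated response, and a common review task is checking that it actually does. The following is an added example, not from the page: `audit_response_headers` takes a response's headers as a dict, matches names case-insensitively as HTTP requires, and returns a list of findings. Beyond what the page lists, it also checks the standard `Secure` and `HttpOnly` cookie attributes; the weak and hardened header sets are constructed for the demonstration, and the 31536000-second threshold is the page's own one-year value.

```python
def _hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


def audit_response_headers(headers, served_over_https=True):
    """Return a list of findings for a response that carries sensitive data.
    An empty list means every checked header is present and acceptable."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    # Sensitive responses should not be retained by browser or proxy caches.
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("Cache-Control lacks no-store: response may be cached")

    # HSTS only means anything on an HTTPS response; a short max-age expires
    # before the next visit and the browser falls back to accepting plain HTTP.
    if served_over_https:
        hsts = h.get("strict-transport-security")
        if hsts is None:
            findings.append("Strict-Transport-Security missing: future requests may use HTTP")
        else:
            max_age = _hsts_max_age(hsts)
            if max_age is None or max_age < 31536000:
                findings.append(f"Strict-Transport-Security max-age below one year: {hsts!r}")

    # Cookie attributes follow the name=value pair, separated by semicolons.
    cookie = h.get("set-cookie")
    if cookie is not None:
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("Set-Cookie lacks Secure: cookie may be sent over plain HTTP")
        if "httponly" not in attrs:
            findings.append("Set-Cookie lacks HttpOnly: cookie readable by page scripts")
    return findings


# Constructed samples: a weak header set and the corrected one.
WEAK_HEADERS = {
    "Content-Type": "application/json",
    "Set-Cookie": "session=abc123; Path=/",
}
HARDENED_HEADERS = {
    "Content-Type": "application/json",
    "Cache-Control": "no-store",
    "Strict-Transport-Security": "max-age=31536000",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response_headers(hdrs) or ["no findings"])
```

A real response can carry several `Set-Cookie` lines, which a plain dict cannot hold; when wiring this into a client, pass each cookie header through the cookie check separately.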
HTTPS
HTTPS is HTTP carried over TLS. It provides three guarantees:
- Confidentiality: traffic is encrypted so eavesdroppers see only ciphertext.
- Integrity: tampering with the request or response is detected.
- Server authentication: the certificate proves the browser is talking to the legitimate server (not a man-in-the-middle).
The TLS handshake combines asymmetric and symmetric encryption: asymmetric for key exchange and certificate verification, symmetric (AES) for the bulk session traffic.
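Of the three guarantees, server authentication is the one a client can switch off by misconfiguration, and once it is off the other two only hold against a passive eavesdropper, because an active attacker can terminate TLS itself. The block below is an added example, not from the page: it builds the client-side TLS configuration with Python's standard `ssl` module, shows the insecure variant beside it (what a `verify=False` option amounts to), and `assess` maps the settings back to the guarantees in this section. No connection is made, so it runs offline; the function names are this example's own.

```python
import ssl


def client_context():
    """Context a client should use: certificate chain verified against the
    system trust store, hostname checked against the certificate, TLS 1.2 floor."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_context():
    """The weak setting: traffic is still encrypted, but any certificate is
    accepted, so an attacker in the path can present their own key and read it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                  # must be cleared before verify_mode,
    ctx.verify_mode = ssl.CERT_NONE             # otherwise ssl raises ValueError
    return ctx


def assess(ctx):
    """Translate context settings into the guarantees HTTPS is meant to give."""
    verifies = ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
    return {
        "server_authentication": verifies,
        # The record layer always encrypts and MACs/AEAD-protects each record,
        # but without a verified peer that only defeats passive eavesdropping.
        "confidentiality_and_integrity": (
            "against any network attacker" if verifies
            else "against passive eavesdroppers only"
        ),
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    # Usage with the standard library client would be
    # http.client.HTTPSConnection("api.example.com", context=client_context())
    print("secure  ", assess(client_context()))
    print("insecure", assess(insecure_context()))
```

The handshake itself (asymmetric key exchange and certificate check, then AES for the session) happens inside `ssl` when the socket is wrapped; the context only decides whether the certificate step is enforced.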
A worked example
A Python script using requests:

```python
import requests

# Send the POST request from the earlier example. requests builds the request
# line, headers and body, and negotiates TLS with the server before sending.
response = requests.post(
    "https://api.example.com/comments",
    headers={
        "Authorization": "Bearer eyJhbGciOiJIUzI1NiIs...",
        "Content-Type": "application/json",
    },
    json={"article_id": 7, "text": "Hi"},
)
print(response.status_code)              # 201
print(response.headers["Content-Type"])  # application/json
print(response.json())                   # {"id": 91, "status": "ok"}
```
requests handles the TLS handshake automatically. The HTTP wire format - method, path, headers, body - is what is actually sent across the network.
Past exam questions, worked
Real questions from past NESA papers on this dot point, with our answer explainer.
2025 HSC, 5 marks: Describe the structure of an HTTP request and response. Identify two request methods and two status codes, and explain the role of HTTPS in web traffic.
An HTTP request has a method (GET, POST, PUT, DELETE), a path (/api/users/42), a version (HTTP/1.1), headers (key-value metadata: Host, Accept, Authorization), and an optional body (for POST/PUT requests).
An HTTP response has a version, a status code with text (200 OK, 404 Not Found), headers (Content-Type, Cache-Control), and a body containing the resource (HTML, JSON, an image).
Methods (any two):
- GET: retrieve a resource. Safe, idempotent. No request body.
- POST: create a resource or submit data. Not idempotent.
- PUT: replace a resource. Idempotent.
- DELETE: remove a resource. Idempotent.
Status codes (any two):
- 200 OK: success.
- 201 Created: success, new resource created.
- 400 Bad Request: client sent malformed input.
- 401 Unauthorized: authentication missing or invalid.
- 403 Forbidden: authenticated but not allowed.
- 404 Not Found: resource does not exist.
- 500 Internal Server Error: a bug on the server.
HTTPS is HTTP over TLS (Transport Layer Security). It encrypts the request and response, verifies the server's identity via a digital certificate, and protects against eavesdropping and tampering. Browsers display a padlock when HTTPS is active and warn or block plain HTTP for sensitive sites.
Markers reward correct structure of both message types, valid methods and codes (with grouping by 2xx success, 4xx client error, 5xx server error), and identifying the three properties HTTPS provides: confidentiality, integrity, server authentication.
Related dot points
- Describe the client-server architecture of the web, including the roles of the browser, web server, application server and database
A focused answer to the HSC Software Engineering Module 2 dot point on web architecture. Browser, web server, application server, database, the request-response cycle, the worked three-tier example, and the traps markers look for.
- Compare symmetric and asymmetric encryption, and describe their roles in securing data in transit and at rest
A focused answer to the HSC Software Engineering Module 1 dot point on encryption. Symmetric (AES) versus asymmetric (RSA), where each is used, how HTTPS combines them, the worked example, and the traps markers look for.
- Design and consume RESTful APIs that exchange JSON, including resource modelling, request methods and status codes
A focused answer to the HSC Software Engineering Module 2 dot point on REST APIs. Resource modelling, JSON, HTTP methods mapped to CRUD, status codes, the worked example, and the traps markers look for.