
HTTP / TLS protocols — Detailed#

```mermaid
flowchart TB
  subgraph V1[HTTP 1.1 - 1997]
    direction TB
    A1[Text framing]
    A2[Keep-alive connections]
    A3[Pipelining - rarely used]
    A4[Head-of-line block at app layer]
  end
  subgraph V2[HTTP 2 - 2015]
    direction TB
    B1[Binary framing]
    B2[Multiplexed streams over 1 TCP]
    B3[Header compression - HPACK]
    B4[Server push - deprecated 2022]
    B5[TCP HoL still possible]
  end
  subgraph V3[HTTP 3 - 2022, QUIC]
    direction TB
    C1[UDP transport]
    C2[Multiplexed streams - independent]
    C3[Built-in TLS 1.3]
    C4[0-RTT resumption]
    C5[Connection migration]
  end
  subgraph TLSv[TLS 1.3 - 2018]
    D1[1-RTT handshake]
    D2[0-RTT data replay risk]
    D3[ECDHE + AEAD only]
    D4[mTLS for service-to-service]
  end
  V1 --> V2 --> V3
  TLSv --- V1
  TLSv --- V2
  TLSv --- V3

  classDef client fill:#dbeafe,stroke:#1e40af,stroke-width:1px,color:#0f172a;
  classDef edge fill:#cffafe,stroke:#0e7490,stroke-width:1px,color:#0f172a;
  classDef service fill:#fef3c7,stroke:#92400e,stroke-width:1px,color:#0f172a;
  classDef datastore fill:#fee2e2,stroke:#991b1b,stroke-width:1px,color:#0f172a;
  classDef cache fill:#fed7aa,stroke:#9a3412,stroke-width:1px,color:#0f172a;
  classDef queue fill:#ede9fe,stroke:#5b21b6,stroke-width:1px,color:#0f172a;
  classDef compute fill:#d1fae5,stroke:#065f46,stroke-width:1px,color:#0f172a;
  classDef storage fill:#e5e7eb,stroke:#374151,stroke-width:1px,color:#0f172a;
  classDef external fill:#fce7f3,stroke:#9d174d,stroke-width:1px,color:#0f172a;
  classDef obs fill:#f3e8ff,stroke:#6b21a8,stroke-width:1px,color:#0f172a;
  class A1,A2,A3,A4,B1,B2,B3,B4,B5,C1,C2,C3,C4,C5,D1,D2,D3,D4 service;
```

Side-by-side#

| | HTTP/1.1 | HTTP/2 | HTTP/3 |
|---|---|---|---|
| Transport | TCP | TCP | QUIC over UDP |
| Framing | text lines | binary frames | binary frames |
| Multiplexing | parallel TCP connections | streams in one connection | streams in one connection |
| Header compression | none | HPACK | QPACK |
| Head-of-line blocking | application + TCP | TCP only | none |
| Handshake | 1-3 RTT (with TLS) | 1-3 RTT | 1 RTT, often 0-RTT |
| Server push | no | yes (now rare) | discouraged |

When does each matter#

  • Mobile + lossy networks → HTTP/3 wins (QUIC handles packet loss per-stream).
  • High-throughput backends → HTTP/2 is enough; gRPC uses it.
  • Legacy intermediaries / corporate proxies → may still need HTTP/1.1 fallback.
  • Anything internet-facing → terminate at edge with TLS 1.3 + HTTP/3.
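The HTTP/1.1 fallback in the last two bullets is not a separate connection attempt: the client lists the protocols it speaks in the ALPN extension of its ClientHello and the TLS server picks one before any HTTP bytes flow. The Python below is an added example, not code from the original page. It builds a minimal TLS 1.3 ClientHello, parses the `supported_versions`, ALPN and `early_data` extensions back out of it, and applies an edge policy (TLS 1.3 required, server-preferred ALPN order). The ClientHello bytes are constructed here rather than captured from a real client; the two cipher suites offered and the `h2`-before-`http/1.1` server preference are assumptions.

```python
"""Build and parse a TLS 1.3 ClientHello, then do the server's ALPN selection.
Added example, not the page's own code; the ClientHello is constructed, not
captured, and the server preference order is an assumption."""
import struct

HANDSHAKE_CLIENT_HELLO = 0x01
TLS12, TLS13 = 0x0303, 0x0304
# Extension codepoints from the IANA TLS ExtensionType registry.
EXT_ALPN, EXT_EARLY_DATA, EXT_SUPPORTED_VERSIONS = 0x0010, 0x002A, 0x002B
# Two TLS 1.3 AEAD suites (assumed offer; real clients send a longer list).
TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256 = 0x1301, 0x1303


def _vec(data, len_size):
    """Length-prefixed vector, the basic building block of TLS encoding."""
    return len(data).to_bytes(len_size, "big") + data


def build_client_hello(alpn, versions, offer_early_data=False, client_random=b"\x11" * 32):
    """Return a ClientHello handshake message (4-byte handshake header + body)."""
    exts = struct.pack("!H", EXT_SUPPORTED_VERSIONS) + _vec(
        _vec(b"".join(struct.pack("!H", v) for v in versions), 1), 2)
    exts += struct.pack("!H", EXT_ALPN) + _vec(
        _vec(b"".join(_vec(p.encode("ascii"), 1) for p in alpn), 2), 2)
    if offer_early_data:  # early_data is an empty extension in a ClientHello
        exts += struct.pack("!H", EXT_EARLY_DATA) + _vec(b"", 2)
    suites = struct.pack("!HH", TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256)
    body = (struct.pack("!H", TLS12)   # legacy_version is always 0x0303 in TLS 1.3
            + client_random
            + _vec(b"", 1)             # legacy_session_id (empty)
            + _vec(suites, 2)
            + _vec(b"\x00", 1)         # legacy_compression_methods: null only
            + _vec(exts, 2))
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Extract cipher suites, supported versions, ALPN list and early_data offer."""
    if msg[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # skip legacy_version + random
    pos += 1 + body[pos]                           # skip legacy_session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big"); pos += 2
    if ext_end != len(body):
        raise ValueError("extensions length does not match body")
    info = {"cipher_suites": suites, "versions": [], "alpn": [], "early_data": False}
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        if len(edata) != elen:
            raise ValueError("truncated extension %#06x" % etype)
        if etype == EXT_SUPPORTED_VERSIONS:
            n = edata[0]
            info["versions"] = [int.from_bytes(edata[i:i + 2], "big") for i in range(1, 1 + n, 2)]
        elif etype == EXT_ALPN:
            n, p = int.from_bytes(edata[:2], "big"), 2
            while p < 2 + n:
                name_len = edata[p]
                info["alpn"].append(edata[p + 1:p + 1 + name_len].decode("ascii"))
                p += 1 + name_len
        elif etype == EXT_EARLY_DATA:
            info["early_data"] = True
    return info


def select_alpn(offered, server_prefs=("h2", "http/1.1")):
    """RFC 7301: the server picks, in its own preference order; None means the
    server would answer with a no_application_protocol alert."""
    for proto in server_prefs:
        if proto in offered:
            return proto
    return None


def negotiate(hello, server_prefs=("h2", "http/1.1")):
    """Edge policy for this example: TLS 1.3 only, ALPN required."""
    info = parse_client_hello(hello)
    if TLS13 not in info["versions"]:
        raise ValueError("client does not offer TLS 1.3")
    proto = select_alpn(info["alpn"], server_prefs)
    if proto is None:
        raise ValueError("no common application protocol")
    return {"version": TLS13, "alpn": proto, "early_data_offered": info["early_data"]}
```

Two things worth noticing: the client's ALPN order is advisory only, so a client that lists `http/1.1` first still gets `h2` if the server prefers it; and a ClientHello that offers no TLS 1.3 in `supported_versions` is rejected before cipher-suite selection, which is how "terminate at the edge with TLS 1.3" is enforced in practice.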

TLS 1.3 anatomy#

```mermaid
sequenceDiagram
  participant C as Client
  participant S as Server
  C->>S: ClientHello + key share + ALPN
  S-->>C: ServerHello + key share + cert + finished
  C->>S: finished + application data
  Note over C,S: 1 round-trip total
```

  • ALPN selects HTTP/1.1 / 2 / 3 inside the TLS handshake.
  • 0-RTT data is replayable — only safe for idempotent requests.
  • mTLS adds a client cert; common for service-to-service inside a zero-trust mesh.
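The replay risk in the second bullet has a standard application-layer mitigation (RFC 8470): the TLS-terminating edge tags requests that arrived in 0-RTT with `Early-Data: 1`, and the origin answers anything it is not willing to run twice with `425 Too Early`, which makes the client resend the request once its handshake has completed and the request can no longer be replayed. The Python below is an added example, not code from the original page; the edge/origin split, the in-memory dedup set and the use of an `Idempotency-Key` request header are assumptions made for illustration.

```python
"""Origin-side handling of 0-RTT requests per RFC 8470 (Early-Data header and
425 Too Early).  Added example, not the page's own code; the edge/origin
split, the dedup store and the sample requests are constructed for illustration."""

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}              # no server-side effects (RFC 9110)
IDEMPOTENT_METHODS = SAFE_METHODS | {"PUT", "DELETE"}  # repeatable, but not side-effect free


def edge_forward(headers, received_in_early_data):
    """TLS-terminating edge: mark requests that arrived in 0-RTT with Early-Data: 1.
    A client-supplied Early-Data header is left in place (RFC 8470 forbids
    intermediaries from removing it); that only ever makes the origin stricter."""
    out = dict(headers)
    if received_in_early_data:
        out["Early-Data"] = "1"
    return out


class EarlyDataGate:
    """Origin policy: decide whether a request that may be a replay is safe to run."""

    def __init__(self):
        # Assumption: single-node dedup set.  Behind a load balancer the replay can
        # land on another node, so a real deployment needs a shared store here.
        self.seen_keys = set()

    def check(self, method, headers):
        """Return None to process the request, or 425 to make the client retry
        after its handshake completes (by then the request cannot be replayed)."""
        if headers.get("Early-Data") != "1":
            return None                       # arrived after the handshake: normal handling
        if method in SAFE_METHODS:
            return None                       # replaying a read is harmless
        if method in IDEMPOTENT_METHODS:
            key = headers.get("Idempotency-Key")   # assumed client-supplied dedup key
            if key and key not in self.seen_keys:
                self.seen_keys.add(key)
                return None
        return 425                            # POST/PATCH and unkeyed writes: refuse early data


def handle(gate, method, headers, handler):
    """Minimal dispatch showing where the gate sits in a request pipeline."""
    status = gate.check(method, headers)
    if status == 425:
        return {"status": 425, "body": "Too Early: retry after the TLS handshake"}
    return handler(method, headers)
```

The gate only fires when `Early-Data: 1` is present, so a client that sends the header itself merely risks a 425 on its own write; nothing an attacker can add to the header makes the origin more permissive. The weak point is the dedup store: the TLS library's own single-use-ticket anti-replay protection is per process, which is exactly why the decision is pushed up to the application where it can be made against shared state.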

Common interview hooks#

  • "Why is HTTP/2 still vulnerable to head-of-line blocking?" → TCP loss stalls every stream.
  • "When would you keep HTTP/1.1?" → simple proxies, debugging, anything that can't speak h2.
  • "How does QUIC achieve connection migration?" → connection id, not 5-tuple; survives IP change.
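The connection-migration answer is easy to show in code: a QUIC receiver looks up the connection by the Destination Connection ID in the packet header, so the same packet arriving from a new IP and port still lands on the same connection. The Python below is an added example, not code from the original page. It parses the CID fields of QUIC v1 long and short headers, keeps a connection table keyed by CID, and records the defender-side consequence of a migration: the new path is unvalidated until a PATH_CHALLENGE round trip succeeds, and until then the server caps what it sends to that path at three times the bytes received on it (the RFC 9000 anti-amplification limit, so that a spoofed source address cannot turn the server into a reflector). The packets are constructed headers only (no payload, no packet protection), and the 8-byte server CID length is an assumption.

```python
"""QUIC v1 connection-ID routing with path validation state.  Added example, not
the page's own code; packets are constructed headers only and the 8-byte CID
length is an assumption (QUIC allows 0..20 bytes)."""
import secrets
import struct

QUIC_V1 = 0x00000001
CID_LEN = 8   # length of the CIDs this server issues (assumption)


def parse_cids(packet, local_cid_len=CID_LEN):
    """Return (dcid, scid) from a QUIC v1 header; scid is None for short headers."""
    if not packet or not packet[0] & 0x40:
        raise ValueError("fixed bit clear: not a QUIC v1 packet")
    if packet[0] & 0x80:                                    # long header
        if len(packet) < 6:
            raise ValueError("truncated long header")
        (version,) = struct.unpack("!I", packet[1:5])
        if version != QUIC_V1:
            raise ValueError("unsupported version %#010x" % version)
        dlen = packet[5]
        dcid = packet[6:6 + dlen]
        pos = 6 + dlen
        if len(dcid) != dlen or pos >= len(packet):
            raise ValueError("truncated long header")
        slen = packet[pos]
        scid = packet[pos + 1:pos + 1 + slen]
        if len(scid) != slen:
            raise ValueError("truncated long header")
        return dcid, scid
    dcid = packet[1:1 + local_cid_len]                      # short header: length is implicit
    if len(dcid) != local_cid_len:
        raise ValueError("truncated short header")
    return dcid, None


def long_header(dcid, scid):
    """Constructed Initial-style long header (0xC0: form=1, fixed=1, type=Initial)."""
    return b"\xc0" + struct.pack("!I", QUIC_V1) + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid


def short_header(dcid):
    """Constructed 1-RTT short header (0x40: form=0, fixed=1)."""
    return b"\x40" + dcid


class Connection:
    def __init__(self, cid, peer_cid, path):
        self.cid, self.peer_cid, self.path = cid, peer_cid, path
        self.path_validated = True     # the handshake validated the original path
        self.received_on_path = 0
        self.migrations = 0

    def send_allowance(self):
        """Bytes the server may send on the current path before PATH_CHALLENGE succeeds."""
        return None if self.path_validated else 3 * self.received_on_path


class ConnectionTable:
    def __init__(self, cid_factory=lambda: secrets.token_bytes(CID_LEN)):
        self.by_cid = {}
        self.cid_factory = cid_factory

    def route(self, packet, src_addr):
        """Look up (or create) the connection a packet belongs to; None means drop."""
        dcid, scid = parse_cids(packet)
        conn = self.by_cid.get(dcid)
        if conn is None:
            if scid is None:
                return None     # short header with unknown CID: drop (or stateless reset)
            conn = Connection(self.cid_factory(), scid, src_addr)
            self.by_cid[conn.cid] = conn    # later 1-RTT packets carry the CID we issued
            self.by_cid[dcid] = conn        # further Initial packets still use the client-chosen DCID
            conn.received_on_path = len(packet)
            return conn
        if src_addr != conn.path:            # same CID, new 5-tuple: connection migration
            conn.path = src_addr
            conn.path_validated = False      # must send PATH_CHALLENGE; reply proves the path
            conn.received_on_path = 0
            conn.migrations += 1
        conn.received_on_path += len(packet)
        return conn

    def path_validated(self, conn):
        """Call when a PATH_RESPONSE with the matching challenge arrived on the new path."""
        conn.path_validated = True
```

Routing on the CID rather than the 5-tuple is the whole trick, and it is also why a NAT rebinding or a Wi-Fi-to-cellular switch does not drop the connection. The `send_allowance` cap is the part an interviewer usually wants to hear next: a migration is unauthenticated until the peer proves it can receive on the new address, so the server treats it like a fresh, possibly spoofed, source.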

Glossary & fundamentals#

Concepts referenced in this design. Each row links to its canonical page; the tag column shows whether it is a high-level (HLD) or low-level (LLD) concept.

| Tag | Concept | What it is | Page |
|---|---|---|---|
| HLD | HTTP / TLS protocols | HTTP 1.1/2/3, QUIC, TLS 1.3 | http-protocols |
| HLD | Service mesh | sidecar mesh, mTLS, traffic policy | service-mesh |