Open in app

Sign in

Write

Sign in

An Extensive Overview of Web Applications for Beginners

Understanding Structure, Functionality, and Communication

Ritesh Sahu
15 min readMay 26, 2023

Hello, everyone…!!!

This blog post will provide you with a comprehensive introduction to web applications, specifically tailored for beginners. Throughout this journey, we will delve into various topics related to web applications, starting with the fundamental communication between clients and servers. We will explore intricate details such as HTTP request and response headers, HTTP request and response body, commonly used HTTP request methods, essential HTTP status codes, the significance of HTTP security headers, and the fundamental concepts of cookies and sessions.

Introduction web application.

A web application, also known as a web app, is a software application that runs on a web server and is accessed by users through a web browser. It is designed to provide specific functionality or services to users, similar to traditional desktop applications, but with the advantage of being accessible through a web browser on various devices.

The basic working principle of a web application involves client-server architecture and the use of standard web technologies.

The basic components of a web application typically include:

1. Front-end: This is the part of the web application that the user interacts with, such as the user interface (UI) and user experience (UX) design. It usually consists of HTML, CSS, and JavaScript, which are used to create the visual elements and enable user interaction.

2. Back-end: This is the part of the web application that runs on the server and is responsible for processing data and generating responses to client requests. It includes server-side scripting languages such as PHP, Python, or Ruby, and databases such as MySQL or PostgreSQL.

3. Web server: The web server is responsible for receiving and responding to HTTP requests from clients. Popular web servers include Apache, Nginx, and IIS.

4. APIs: Application Programming Interfaces (APIs) allow different software components to communicate with each other. Web applications may use APIs to integrate with other services or to enable third-party developers to build applications that interact with their data.

5. Security: Security is a critical component of any web application, as it helps protect user data and prevent unauthorized access. This includes measures such as SSL/TLS encryption, secure authentication, and access control.

How web application work…

  1. The user enters the URL for the web application or clicks a link to access it in a web browser.
  2. The web browser sends a request to the web server. The request contains information such as the HTTP method (e.g., GET, POST), the requested URL, and any additional data.
  3. The web server receives the request and determines the appropriate handler or controller based on the requested URL. This routing process is often managed by a web framework or server-side scripting language.
  4. Once the web server identifies the appropriate handler, it processes the request. This may involve fetching data from a database, performing computations, or executing various tasks based on the nature of the request.
  5. The web application’s business logic handles the processing of the request. It includes tasks such as handling user input, performing calculations, and interacting with databases or external systems.
  6. If the web application needs to retrieve or store data, it interacts with a database. User information, application data, and other relevant data are stored and managed in the database. A database management system (DBMS) like MySQL, PostgreSQL, or MongoDB may be used for data operations.
  7. Once the server has processed the request and obtained the necessary data, it generates a response. The response typically includes HTML, CSS, JavaScript, and other resources required to render the web page.
  8. The web server sends the response back to the user’s web browser.
  9. The user’s web browser receives the response and renders the web page based on the received HTML, CSS, and JavaScript.
  10. The user can now interact with the web application by clicking buttons, filling out forms, or performing other actions.
  11. User interactions trigger additional requests to the server, initiating a new cycle of processing. These requests follow the same client-server architecture and request-response cycle.
  12. Web applications often need to maintain user-specific data or state across multiple requests. Techniques like cookies, sessions, or local storage are used to manage and maintain this state.
  13. Web applications can utilize technologies like AJAX or WebSocket to provide real-time updates or enable bidirectional communication between the client and server. AJAX allows for dynamic content updates without requiring a full page reload, while WebSocket facilitates continuous communication for real-time notifications or live data streaming.

Basic communication for client and server.

  1. The client, which could be a web browser or a mobile application, sends a request to the server. This request is typically sent using the HTTP (Hypertext Transfer Protocol) protocol.
  2. The request contains information such as the URL of the requested resource, any parameters needed for the request, and other metadata such as cookies or authentication tokens.
  3. The server receives the request and processes it. This could involve retrieving data from a database, executing some business logic, or generating a response dynamically based on the request.
  4. The server then generates a response to the request. This response contains the requested data or confirmation that the requested action was completed, along with additional metadata such as status codes, headers, and cookies.
  5. The server sends the response back to the client, again using the HTTP protocol.
  6. The client receives the response and processes it. This could involve rendering the data on a web page or performing some other action based on the response.
  7. If necessary, the client may send additional requests to the server to retrieve more data or perform further actions, starting the process over again.

There are two ways for a server to get input from a user in a web application.

1. Header/URL Parameters: In this method, input is passed to the server through the URL of the requested web page. This is typically done by appending parameters to the end of the URL, separated by question marks and ampersands. For example, a URL with parameters might look like this: http://example.com/page?param1=value1&param2=value2. The server can then extract these parameters from the URL and use them to generate the appropriate response.

Understanding URLs

2. Body: The HTTP body, also known as the message body, is part of an HTTP request or response that carries the actual data being sent or received. It is located after the headers in an HTTP message and is separated from the headers by a blank line.

HTTP Request and Response Header…

1. HTTP Request Headers: HTTP request headers are sent by the client (typically a web browser or an application) to the server to provide additional information about the request.

HTTP Request Header

Some commonly used request headers include:

Host: Specifies the hostname of the server the client wants to communicate with.

User-Agent: Identifies the client application or browser making the request.

Accept: Indicates the media types or content formats that the client can handle or prefers in the response.

Content-Type: Specifies the media type of the content in the request body (if any).

Authorization: Provides credentials or authentication tokens for accessing protected resources.

Cookie: Contains cookies previously stored by the client for the server to identify the user or maintain session state.

2. HTTP Response Headers: HTTP response headers are sent by the server back to the client as part of the HTTP response. They provide information about the response and additional instructions to the client.

Some commonly used response headers include:

Content-Type: Specifies the media type or format of the content in the response body.

Content-Length: Indicates the size of the response body in bytes.

Cache-Control: Provides instructions for caching the response at the client or intermediary servers.

Set-Cookie: Sets cookies on the client to be stored for subsequent requests.

Location: Redirects the client to a new URL if the response is a redirection.

Server: Specifies the software or server name that generated the response.

HTTP Response Headers.

HTTP Request and Response Body…

  1. HTTP Request Body: The HTTP request body is part of an HTTP request where you can include additional data or information to be sent to the server. It is used in HTTP methods such as POST, PUT, and PATCH to send data to the server for processing or storage. The request body is typically used to send data in structured formats such as JSON (JavaScript Object Notation) or XML (eXtensible Markup Language).
  2. HTTP Response Header: The HTTP response body is the part of an HTTP response that contains the data or information sent by the server back to the client in response to an HTTP request. It is used to convey the requested resource, such as HTML content, JSON data, images, or any other type of data.
HTTP Request Message Example
HTTP Response Message Example

HTTP Request Methods…

1. GET: The GET method requests a representation of the specified resource. It retrieves data from the server without causing any modifications. GET is used for retrieving web pages, images, documents, or any other data from a server. It is safe, meaning it should not have any side effects on the server or the resource being retrieved.

2. POST: The POST method is used to submit data to the specified resource, often causing a change in state or side effects on the server. It sends data in the request body and typically creates a new resource on the server. POST requests are commonly used when submitting forms, creating new records, or uploading files.

3. HEAD: The HEAD method is similar to GET, but it requests only the headers of the response, without the response body. It is often used to retrieve metadata about a resource, such as content type, last-modified timestamp, or content length, without transferring the entire content. HEAD requests are useful when you need to check the status or headers of a resource before downloading the full response.

4. PUT: The PUT method replaces all current representations of the target resource with the request payload sent in the request body. It is used to update or create a resource with a specific URI. The entire representation of the resource should be included in the request, even if only a small change is intended. PUT requests are idempotent, meaning that making the same request multiple times should have the same effect as a single request.

5. CONNECT: The CONNECT method is primarily used to establish a network connection between the client and a server identified by the target resource. It is typically used in HTTP tunneling scenarios, such as establishing an HTTPS connection through a proxy server.

6. OPTIONS: The OPTIONS method is used to request information about the communication options available for a particular resource or server. It allows the client to inquire about the allowed methods, headers, and other capabilities supported by the server.

7. DELETE: The DELETE method is used to delete the specified resource. It requests the server to remove the resource identified by the given URI. DELETE requests are used to delete records, files, or any other server-side resources. Like PUT, DELETE requests are also idempotent.

HTTP Status code…

HTTP status codes are three-digit numbers returned by a server in response to an HTTP request. They provide information about the status of the request and the corresponding response. These status codes are grouped into different categories, each indicating a particular type of response. Here are some commonly encountered HTTP status code categories and their meanings:

Informational (100 - 199):

  • 100 Continue: The server acknowledges the initial part of the request and asks the client to proceed with the rest of the request.

Success (200 – 299):

  • 200 OK: The request has succeeded, and the server sends the requested content as the response.
  • 201 Created: The request has been fulfilled, resulting in the creation of a new resource.
  • 204 No Content: The server successfully processed the request but does not return any content in the response body.

Redirection (300 – 399):

  • 301 Moved Permanently: The requested resource has been permanently moved to a new location. Clients should update their bookmarks or links.
  • 302 Found: The requested resource has been temporarily moved to a different location. Clients should continue to use the original URL for future requests.
  • 304 Not Modified: The client’s cached version of the requested resource is still valid, and the server has not modified it.

Client Errors (400 – 499):

  • 400 Bad Request: The server cannot process the request due to invalid syntax, malformed request, or other client-side errors.
  • 401 Unauthorized: The request requires authentication. The client must provide valid credentials to access the requested resource.
  • 404 Not Found: The server cannot find the requested resource or URL.

Server Errors (500 – 599):

  • 500 Internal Server Error: An unexpected error occurred on the server while processing the request.
  • 503 Service Unavailable: The server is temporarily unable to handle the request due to maintenance or overload. It asks the client to try again later.
Common HTTP Status Codes

HTTP Security Headers…

Security headers are HTTP response headers that provide instructions to a web browser on how to handle and protect the website’s content. These headers enhance the security of web applications by mitigating common security vulnerabilities and protecting against various types of attacks.

Here are some commonly used security headers:

1. Strict-Transport-Security (HSTS): The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS and that any future attempts to access it using HTTP should automatically be converted to HTTPS.

3. Content-Security-Policy (CSP): CSP defines a policy that specifies which content the browser should trust and load on a web page. It helps prevent cross-site scripting (XSS) and data injection attacks by allowing the website owner to whitelist trusted sources for scripts, stylesheets, and other resources.

3. X-Frame-Options: This header mitigates clickjacking attacks by specifying whether a web page can be embedded within an iframe on another domain. It helps prevent unauthorized framing of a website and protects against UI redressing attacks.

4. X-XSS-Protection: This header enables or configures the built-in cross-site scripting (XSS) protection mechanism in modern browsers. It helps detect and prevent XSS attacks by sanitizing user input and blocking malicious scripts from executing.

5. X-Content-Type-Options: This header prevents MIME-type sniffing, which is the browser’s tendency to override the declared content type of a resource. It helps protect against certain types of attacks, such as content spoofing and drive-by downloads.

6. Referrer-Policy: This header controls the information sent in the HTTP Referer header when a user navigates from one website to another. It helps protect user privacy by limiting the amount of referrer information shared with external websites.

What is Cookies…

A cookie is a small piece of data that is sent from a website to a user’s web browser (client) and stored on their device. When the user visits the website again in the future, the browser sends the cookie back to the website, allowing the website to recognize and remember the user.

  1. When a user visits a website, the website includes a “Set-Cookie” header in its response to the user’s browser.
  2. The cookie typically contains key-value pairs that hold specific data. For example, it might include information like a user ID, preferences, or a unique identifier.
  3. The browser receives the cookie and stores it on the user’s device. The cookie is associated with the specific website domain that sent it.
  4. For subsequent requests to the same website, the browser automatically includes the cookie in the request headers.
  5. The website can access the cookie data when the user interacts with it, allowing it to retrieve and utilize the stored information.
  6. The website can also modify or update the cookie by sending a new cookie with updated values or by instructing the browser to delete or overwrite the existing cookie.

Several types of cookie attributes can be used to specify various properties and behaviors of cookies. Here are the commonly used cookie attributes:

  • Name and Value: Think of cookies as small pieces of information with a name (like a label) and a corresponding value (like the information itself). For example, a cookie named “username” could have the value “JohnDoe” to remember the username of a user.
  • Domain: The domain attribute tells the browser which websites can access the cookie. It’s like specifying a group of websites that are allowed to see and use the cookie. For example, if a cookie has the domain attribute set to “.example.com”, it can be accessed by all subdomains of “example.com”, such as “blog.example.com” or “shop.example.com”.
  • Path: The path attribute determines the specific pages or directories on a website where the cookie is valid. It’s like giving the cookie a specific address to work within. For instance, if a cookie has a path attribute set to “/products”, it will only be sent to requests made to URLs that start with “/products”, such as “example.com/products” or “example.com/products/shoes”.
  • Expiration: Cookies can have an expiration attribute that sets an expiration date for the cookie. It’s like setting a time limit for how long the cookie should be stored and used. Once the expiration date is reached, the cookie will be automatically deleted by the browser.
  • Secure: The secure attribute ensures that the cookie is only transmitted over secure connections, typically HTTPS. It’s like ensuring that the cookie is only sent over encrypted channels to protect sensitive information. If a cookie has the secure attribute and the website is accessed over a regular HTTP connection, the cookie won’t be sent.
  • HttpOnly: The HttpOnly attribute is a security measure that prevents client-side scripts (like JavaScript) from accessing the cookie. It’s like putting a lock on the cookie to keep it safe from certain types of attacks. Cookies with the HttpOnly attribute can only be accessed by the server.

What is Sessions…

A session is a mechanism that allows for stateful communication between a client (such as a web browser) and a server. It enables the server to maintain information about a user’s interactions across multiple requests, facilitating personalized and interactive communication.

Here’s an explanation of how sessions work for client-server session-based communication:

1. Session Initialization:

  • When a client initiates a connection with a server (e.g., by accessing a website), the server creates a new session for that client.
  • The server generates a unique session identifier, often referred to as a session ID or token, associated with that session.
  • The session ID is typically sent to the client through a response, such as setting it as a cookie or including it in the response body or URL.

2. Client Request:

  • When the client sends subsequent requests to the server (e.g., navigating to different pages or interacting with forms), it includes the session ID as part of the request.
  • The session ID can be transmitted through various means, such as cookies, URL parameters, or custom headers. Cookies are the most common method, where the session ID is automatically included by the client’s browser with each request to the same domain.

3. Server Session Management:

  • On the server side, the session ID received with each request is used to identify the corresponding session.
  • The server retrieves the session data associated with the session ID. This data may include user-specific information, session variables, or any other relevant data that needs to be maintained throughout the session.
  • The server can update the session data based on the client’s request, performing operations like storing form input, updating user preferences, or tracking user progress.

4. Server Response:

  • After processing the client’s request and updating the session data, the server generates a response.
  • The response may contain updated session data or other relevant information.
  • The session ID is typically included in the response to ensure that the client can maintain the session during subsequent interactions.

5. Session Termination:

  • Sessions can be terminated in various ways, such as when the user explicitly logs out, the session times out due to inactivity, or the server-side session is invalidated.
  • Upon termination, the server removes the associated session data, and the client’s subsequent requests will require a new session to be established.

The session mechanism allows for maintaining user-specific data and session state on the server, which enables personalized experiences, persistent logins, and continuity in the user’s interactions with the web application.

Thank you for taking the time to read this blog post. I hope you found it informative and engaging.

Happy exploring and learning…!!!

Web Applications
Http Request
Http Response
Cookies
Sessions

--

--

Ritesh Sahu

Written by Ritesh Sahu

45 Followers

Bug Bounty Hunter | Open Source Contributor. https://github.com/Mr-Secure-Code

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams