How the web works
Status: 🟩 COMPLETE Last updated: 2026-06-20 Plain-English tagline: Type a URL, get a page. Here’s exactly what happens in the half-second between those two events.
In plain English
The web is a conversation between computers. Your browser is one participant. A web server somewhere else is the other. They agree on a language (HTTP) for asking and answering. Your browser asks “give me this page”; the server answers with HTML, CSS, JavaScript, images. Your browser assembles all of that into the picture on your screen.
That’s the whole web. Everything else is detail.
The web is built on top of the internet (the network underneath that lets any two computers find each other) — but the two are not the same thing. The internet also carries email, video calls, online games, file transfers. The web is one particular pattern of conversation that happens on the internet.
Why it matters
If you’re building webapps, “the web” is your medium. Like a writer needs to know what a page is and what a book is, a webapp developer needs to know what a request is, what a response is, and what happens between them. Most production bugs trace back to a wrong assumption about something covered in this entry.
The cast of characters
Three actors and one phone book:
| Character | What it does |
|---|---|
| Browser (client) | The program on your device that requests pages and renders them. Chrome, Firefox, Safari, Edge. |
| Server | A computer somewhere that holds the website’s files and runs its code. |
| DNS | The phone book that maps human names (stmarkbible.com) to numeric addresses (IP addresses). |
| Network (the internet) | The wires, radios, and routers that carry messages between any two computers. |
The journey of a single page load
Let’s follow what happens when you type stmarkbible.com and press Enter.
Step 1: The browser parses the URL
A URL is a structured address:
https://www.stmarkbible.com/quiz?level=3
└────┘ └────────────────┘└────┘└──────┘
scheme host path query string
- Scheme:
https— use HTTPS (encrypted HTTP). Other schemes exist (ftp,mailto) but for the web it’shttporhttps. - Host: the website’s name. The bit the browser will ask DNS about.
- Path: the specific page or resource on the server.
- Query string: optional extra parameters.
Step 2: DNS lookup — turning the name into a number
Computers don’t talk to “stmarkbible.com.” They talk to IP addresses — numeric addresses like 76.76.21.21. The browser asks the DNS system: “what’s the IP address for stmarkbible.com?”
DNS lookups go through several levels of cache (your computer’s, your router’s, your ISP’s, the root servers). It’s surprisingly fast — typically tens of milliseconds, often less because the answer is cached somewhere along the chain.
The answer comes back: “stmarkbible.com is at IP 76.76.21.21” (one of Vercel’s servers).
Step 3: Open a connection
The browser opens a network connection to that IP address. For HTTPS, this involves:
- TCP handshake — three messages back and forth confirming both sides are ready to talk. (Imagine: “Hello?” “Hi.” “Great, let’s chat.”)
- TLS handshake — exchanging cryptographic keys so the rest of the conversation is encrypted. The server proves its identity by presenting a certificate (signed by a trusted authority). This is what produces the padlock icon in the browser.
After the handshakes, both sides have a secure, encrypted, two-way channel. This whole process takes ~50–200 milliseconds depending on distance.
Step 4: The HTTP request
Now the browser sends its actual request. It looks like this (cleaned up):
GET /quiz?level=3 HTTP/2
Host: www.stmarkbible.com
User-Agent: Mozilla/5.0 (Windows; Chrome/126)
Accept: text/html
Accept-Language: en-AU
Cookie: session_token=abc123The first line says “I want to GET the resource at /quiz?level=3 using HTTP version 2.” The lines below are headers — metadata about the request (what browser, what language preference, what cookies it’s carrying for this site).
The browser sends this whole thing over the encrypted connection. Done in microseconds.
Step 5: The server thinks
The server receives the request and figures out how to respond. For a static site, that might mean “look up this file on disk.” For a webapp, that might mean:
- Check the session cookie → who is this user?
- Run server-side code (e.g. a Next.js Server Component on Vercel)
- Query the database (e.g. Supabase) for the relevant data
- Render an HTML page with that data
- Send it back
This whole process — depending on the complexity — takes anywhere from 10ms (static page) to a few hundred milliseconds (database-backed, server-rendered page).
Step 6: The HTTP response
The server sends back a response that looks like this:
HTTP/2 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 12450
Cache-Control: max-age=300
Set-Cookie: session_token=abc123; Secure; HttpOnly
<!DOCTYPE html>
<html lang="en">
<head><title>Quiz · St Mark's Bible Quest</title></head>
<body>...</body>
</html>The first line says “version, status code, status text.” 200 OK means success. Other common ones:
| Code | Meaning | Real-world meaning |
|---|---|---|
| 200 | OK | All good |
| 301 | Moved Permanently | This URL has a new home; remember the new one |
| 302/307 | Found / Temporary Redirect | Go look over there instead, just this time |
| 304 | Not Modified | You already have this; use your cache |
| 400 | Bad Request | Your request was malformed |
| 401 | Unauthorized | You’re not logged in |
| 403 | Forbidden | You’re logged in but not allowed |
| 404 | Not Found | This page doesn’t exist |
| 500 | Internal Server Error | The server broke; not your fault |
| 503 | Service Unavailable | The server’s overwhelmed or down |
Then headers, then a blank line, then the body (the HTML).
Step 7: The browser renders
This is where it gets interesting. The browser doesn’t just slap the HTML on screen. It does several things in parallel:
- Parse the HTML into a tree (the DOM).
- Parse the CSS (linked from
<link>tags) into rules. - Run any blocking JavaScript in the order it appears.
- Apply CSS to the DOM to figure out how each element should look.
- Layout — calculate where every element actually goes on screen.
- Paint — draw the pixels.
- Continue downloading any images, fonts, lazy-loaded scripts, etc.
- Hydrate if this is a React/Next.js page — attach event handlers to the rendered HTML so it becomes interactive.
The “first contentful paint” — the moment something appears on screen — typically happens 200ms–1.5s after the click, depending on connection, server speed, page complexity. The “page fully interactive” can be much later, especially for JS-heavy apps.
Step 8: The follow-on requests
The initial HTML almost always references other resources — images, stylesheets, JavaScript files, fonts. The browser makes additional requests for each of them. These can be served from CDN edge nodes (close to the user, fast) rather than the origin server.
For each additional request, steps 4–7 repeat (skipping the TCP/TLS handshake because the connection is reused, and skipping DNS because the answer is cached).
Static vs dynamic vs server-rendered
Three flavours of “page” in the modern web:
| Flavour | What happens | Examples |
|---|---|---|
| Static | The HTML was pre-built and just gets served. Fast, cacheable, no server logic per request. | Most blogs, marketing sites, docs |
| Server-rendered (SSR) | The HTML is generated fresh for every request by code running on the server. | Logged-in dashboards, personalized homepages |
| Static + client-side data fetching (SPA-style) | A static shell loads; JavaScript then runs and fetches data, building the page in the browser. | Many React apps |
| Hybrid (Next.js App Router) | Different pages can be any of the above. Same project. | A modern Next.js webapp |
Next.js makes the choice per-page seamless. A blog post page might be static; the dashboard might be server-rendered; the search results might be client-side. Same codebase.
The web vs the internet
People conflate these constantly. They’re related but distinct:
- The internet is the underlying network — a global mesh of cables and radios and routers that lets any two connected computers exchange messages.
- The web is one particular kind of conversation pattern (HTTP / HTML / browsers) on top of the internet.
Other things that ride on the internet but aren’t the web:
- Email (SMTP, IMAP)
- Video calls (Zoom, WebRTC for the data channels, etc.)
- Online games (mostly custom protocols)
- File transfer (FTP, SFTP)
- Software updates
- The SSH connection you make when you log into a server
So: when somebody says “the web is broken,” they usually mean HTTP/HTML stuff. When somebody says “the internet is down,” they mean the underlying network connection. Different layers.
HTTPS — the padlock explained
Without HTTPS:
- Anyone on the network path (your ISP, the WiFi operator, governments) can read every request and response in plain text.
- Anyone can modify the responses on the fly (injecting ads, scripts, malware).
- You have no way to prove the server you’re talking to is the real one.
With HTTPS:
- The conversation is encrypted end-to-end. The network path sees gibberish.
- The server presents a certificate signed by a trusted authority, proving it really is
stmarkbible.com. - Browsers refuse plain HTTP for almost everything in 2026; the padlock is now the default expectation.
Modern hosting (Vercel, Netlify, Cloudflare) handles HTTPS certificates automatically — you don’t have to think about it. But understanding what’s happening helps when you debug “why does my custom domain say ‘not secure’?” (usually: certificate hasn’t been issued yet — wait 5 minutes).
A concrete example: what each step takes
Approximate timings for stmarkbible.com/quiz?level=3 from Sydney:
| Step | Time |
|---|---|
| DNS lookup | 5–20 ms |
| TCP + TLS handshake | 50–150 ms |
| HTTP request travels to server | 10–50 ms |
| Server-side processing + database query | 50–300 ms |
| HTTP response travels back | 10–50 ms |
| Browser parses + first paint | 50–300 ms |
| Page fully interactive | 200–1500 ms |
| Total perceived load time | 0.4 – 2.4 seconds |
For a fast site on a good connection, the total feels instant. For a slow site, every step adds up.
Common gotchas
-
Confusing the URL bar with the actual request. The URL bar is what you type. The request is what the browser sends to the server. They’re related but the browser may rewrite, add headers, follow redirects, or fall back to another URL before the actual request goes out.
-
Caching makes things look weird. “Why isn’t my change showing?” Almost always: the browser cached the old version. Hard refresh (
Ctrl+Shift+R) or DevTools “disable cache.” For real users, you control caching via response headers. -
HTTPS errors are sometimes the easiest to fix in the world. “Not secure” → certificate hasn’t been issued or has expired. On Vercel, this is usually fixed by waiting 5 minutes for DNS to propagate. Don’t panic.
-
DNS changes propagate slowly. When you change a domain’s DNS records, the change can take minutes to days to be seen everywhere (because DNS resolvers cache answers). Don’t repeatedly change records hoping for an instant fix — wait, then verify.
-
Mixed content errors. An HTTPS page that loads an HTTP image: the browser blocks the image with a “mixed content” warning. All resources must be HTTPS on an HTTPS page.
-
Same-origin policy and CORS. A page from
siteA.comcan’t make most kinds of requests tositeB.comunlesssiteB.comexplicitly allows it via CORS headers. This stops malicious sites from reading your bank balance — but also causes ~50% of “but it works in Postman!” confusion. -
The browser does a lot you don’t see. Service workers caching things, preloading, prefetching, brotli decompression, image format negotiation. Most of the time this helps; occasionally it confuses debugging.
See also
- What is the internet? 🟩 — the layer underneath
- Client vs server 🟩 — the fundamental relationship
- HTTP & HTTPS 🟩 — the protocol in detail
- DNS deep dive 🟩
- HTTPS 🟩
- The DOM 🟩 — what the browser builds from HTML
- HTML 🟩
- SPA vs MPA vs SSR vs SSG 🟩 — rendering strategies on top
Sources
- MDN — How the web works
- High Performance Browser Networking (free online) — the canonical deep-dive
- HTTP/1.1 RFC 9110 — the actual protocol spec
- web.dev — How browsers work