How Web Servers Work: From a URL in the Browser to a Page on Your Screen

Type a URL, hit Enter, and a page appears. But what actually happens inside the web server during those few hundred milliseconds? Walk through the full request lifecycle — listening, parsing, routing, responding — step by step, from zero.

Published September 28, 202612 min readBy ACY Partner Indonesia
How web servers work — a request flows in, a response flows back out
300 × 250Ad Space AvailablePlace your ad here

You type an address into your browser, press Enter, and a fraction of a second later a full page is sitting in front of you. It feels instant and effortless — which is exactly why almost nobody stops to ask what happened in between. But a surprising amount of careful work runs behind that moment, and most of it happens inside a single piece of software: the web server.

In this article we’re going to slow the whole thing down and watch it frame by frame. Not the high-level “the browser talks to the server” version, but the actual sequence of steps a web server takes from the instant a request lands on its doorstep to the instant it sends a reply back. Once you can picture that loop clearly, a lot of words you’ve heard in passing — ports, requests, headers, status codes — stop being jargon and start being parts of a machine you understand.

What a web server is doing all day

Before the step-by-step, it helps to know the web server’s one job. A web server is a program that sits and waits for requests over the network, and answers them with web content — HTML pages, images, stylesheets, JSON data, whatever was asked for. That’s it. It doesn’t go looking for work; it reacts. The request comes in, the server responds, and it goes back to waiting for the next one.

That “sit and wait” behavior is the key to the whole thing. A web server is a long-running process — it starts up once and keeps running for days or weeks, always listening, always ready. This is different from a script you run once and that exits when it’s done. If the web server program stops, your site goes down, because there’s nobody left to answer the door.

Web server: the program, not the building

Just like the word “server” gets used loosely, “web server” can mean two things. Most of the time it means the software — the program whose entire job is speaking HTTP and handing out content. It can also mean the physical machine that program runs on. In this article, “web server” means the software unless we say otherwise. If you want the bigger picture of how the underlying machine itself operates, the earlier piece on how a server works covers that ground.

The setup: listening on a port

A web server can’t answer requests it never hears, so the very first thing it does when it starts is bind to a port and begin listening. A port is a numbered doorway on the machine — think of the machine as an apartment building with one street address (its IP) and many numbered doors. Web traffic conventionally uses two of them: port 80 for plain HTTP and port 443 for encrypted HTTPS.

When the server “listens on port 443,” it’s telling the operating system: any request that arrives at this machine aimed at door 443, hand it to me. From that point on, the server is registered with the OS as the program responsible for that door, and it parks itself in a loop, waiting.

   THE MACHINE (one IP address)
   ┌─────────────────────────────────────┐
   │  port 22  → SSH                      │
   │  port 80  → web server (HTTP)        │
   │  port 443 → web server (HTTPS) ◄──── listening here
   │  port 5432 → database                │
   └─────────────────────────────────────┘

If ports and IP addresses feel fuzzy, the earlier article on IP addresses and ports walks through them properly. For now, just hold this picture: the server is a program standing at one specific door, waiting for someone to knock.

Step by step: one request, start to finish

Now the interesting part. Let’s follow a single request as it travels through the server. Imagine a visitor’s browser wants the homepage of ACY Partner Indonesia. Here’s everything that happens, in order.

1. The connection arrives

The browser has already figured out which machine to talk to (that’s the domain-name lookup, which happens before the server is even involved — see domains and DNS if you’re curious). Now it opens a network connection to that machine on port 443 and sends its request across.

The operating system receives the incoming connection and, because the web server registered itself for port 443 earlier, hands it straight over. The server’s long wait is over — it has a customer.

2. The request gets parsed

What actually arrives is just text, formatted according to the rules of HTTP. A bare-bones request looks something like this:

GET / HTTP/1.1
Host: acy-partner.com
User-Agent: Mozilla/5.0 ...
Accept: text/html
Connection: keep-alive

The server reads this and pulls it apart into pieces it can act on:

  • The method (GET) — what kind of action is wanted. GET means “give me something,” POST means “here’s some data, take it,” and there are a handful of others.
  • The path (/) — which resource is being asked for. / is the homepage; /about would be the about page.
  • The headers (Host, User-Agent, Accept, …) — extra context about the request: which site the browser wants, what kind of program it is, what content types it can handle.

Parsing turns a blob of text into structured information. Until this step finishes, the server doesn’t actually know what’s being asked for — afterwards, it does.

3. Decrypting (if it’s HTTPS)

If the connection came in on port 443, the request was encrypted in transit so nobody along the way could read it. Before the server can parse anything, it has to decrypt the incoming bytes using its TLS certificate, and on the way out it will encrypt the response too. This handshake-and-encrypt work is what the lock icon in your browser is quietly promising. It happens around the parsing step, transparently — the rest of the server logic works the same whether the request was encrypted or not.

4. Routing: deciding who handles this

Now the server knows the method and path, so it has to answer the central question: what should respond to this? This decision is called routing, and it’s where web servers split into two broad behaviors.

If the path points at a file that already exists — say a logo image at /images/logo.png — the server can often just find that file on disk and send it back as-is. Nothing needs to be computed; the file is the answer. This is static content.

If the path needs something to be built on the fly — a page personalized for the logged-in user, a search result, today’s order list — the server can’t just read a file. It has to hand the request off to a program that runs code, talks to a database, and assembles a fresh response. This is dynamic content.

   request for /images/logo.png   →  file exists on disk  →  send the file  (static)

   request for /dashboard         →  no ready-made file   →  run a program
                                                              that builds the
                                                              page  →  send it  (dynamic)

The web server doesn't always do the work itself

For dynamic pages, the web server frequently isn’t the thing that builds the response — it’s the traffic director that passes the request to a separate application program and then relays that program’s answer back to the browser. This separation (web server out front, application behind it) is one of the most common patterns in real deployments, and it’s why “web server” and “application server” are talked about as different roles. We’ve got a whole loop coming on the difference between static and dynamic content; for now just notice that the server has a choice to make here.

5. Building the response

However the content gets produced — read from disk or generated by a program — the server now has a body to send back, and it wraps it in a proper HTTP response. Like the request, the response is structured text (plus the content itself):

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 5120
Cache-Control: max-age=3600

<!DOCTYPE html>
<html> ... the actual page ... </html>

Two things deserve a second look:

  • The status code (200 OK) — a three-digit number that tells the browser how it went. 200 means success. 404 means “I couldn’t find what you asked for.” 500 means “something broke on my end.” 301 means “this moved, go here instead.” You’ve seen 404 in the wild; now you know it comes straight from this step.
  • The response headers (Content-Type, Content-Length, Cache-Control, …) — instructions for the browser about what’s coming. Content-Type tells it whether to render this as a web page, an image, or raw data. Cache-Control tells it how long it’s allowed to remember the answer instead of asking again.

6. Sending it back, and going quiet again

The server writes the response onto the same connection the request came in on, and it travels back across the network to the browser. The browser reads the status code, checks the headers, and renders the body — and from the visitor’s side, the page simply appears.

For the server, the job is done. Depending on the headers, it might keep the connection open for a moment in case the browser asks for more (your typical page pulls in dozens of images, scripts, and stylesheets, each its own request), or it might close it. Either way, the server returns to its loop and waits for the next knock.

   BROWSER                              WEB SERVER
      │                                     │  (listening on :443)
      │  1. opens connection, sends request │
      │ ──────────────────────────────────► │
      │                                     │  2. parse  3. decrypt
      │                                     │  4. route  5. build response
      │  6. response: 200 OK + the page     │
      │ ◄────────────────────────────────── │
      │                                     │
   renders the page                      back to waiting

That entire round trip usually finishes in well under a second. And the server isn’t doing it once — it’s running this loop for every visitor, often many at the same time, which leads us to the part that makes web servers genuinely impressive.

Handling many requests at once

A real website doesn’t get one visitor politely waiting their turn. It gets hundreds or thousands of requests arriving in overlapping bursts. If the server could only handle one at a time — finish the whole loop, then accept the next — everyone after the first person would be stuck in a queue, and the site would feel frozen.

So web servers are built for concurrency: handling many requests during the same window of time. The exact technique varies, but the broad strategies are worth recognizing:

  • Many workers. The server keeps a pool of worker threads or processes, and hands each incoming request to a free worker. Twenty workers can be busy with twenty different visitors simultaneously.
  • Event-driven loops. Instead of dedicating a worker to each request and letting it sit idle while waiting on a slow database or disk, the server juggles thousands of connections in a single loop, doing a little work on each one whenever it’s ready. This is why some servers handle enormous numbers of connections on modest hardware.

You don’t need to choose or configure any of this to understand the web — but knowing that the server is constantly multiplexing many conversations at once explains how a single machine can serve a busy site, and why “how many requests per second can it handle” is such a common question when people talk about server performance.

The server is a process — and processes can stop

Because the web server is a long-running program, it’s only doing its job as long as that program is actually running. If it crashes, runs out of memory, or the machine reboots, the listening stops and your site goes dark until something starts it back up. On real servers, the web server is therefore run as a managed service that the system keeps alive and restarts automatically. If that idea is new, the earlier article on processes and services explains how that supervision works.

Why understanding this loop pays off

Once the request–parse–route–respond cycle is clear in your head, an enormous amount of web development stops being mysterious. When a page returns a 404, you know the routing step couldn’t match the path to anything. When you see a 500, you know the server did match a route but the code that was supposed to build the response blew up. When a developer talks about “setting a header” or “the request body,” you can place those words in the exact step where they live.

It also draws a clean line between the two halves of building for the web. Everything that happens in the browser — the layout, the clicks, the animations — is the front end. Everything we just walked through — listening on a port, parsing requests, routing, generating responses — is the server side. The web server is the hinge between them: the program standing at the door, turning every “I’d like this page” into “here it is.”

Wrapping up

Here’s the whole journey in one place:

  • A web server is a long-running program whose job is to listen for requests over the network and answer them with web content.
  • It starts by binding to a port (80 for HTTP, 443 for HTTPS) and waiting for connections.
  • For each request it runs a loop: accept the connection → parse the request → decrypt if HTTPS → route to find what should respond → build the response → send it back, then return to waiting.
  • The request carries a method, a path, and headers; the response carries a status code (200, 404, 500 …), headers, and the content itself.
  • Routing decides between static content (an existing file, sent as-is) and dynamic content (built on the fly, often by a separate program).
  • Real servers handle many requests at the same time through worker pools or event-driven loops, and they run as a supervised service so they stay up.

Next, it’s worth zooming in on that fork in the road we kept brushing past — the real difference between static and dynamic content, and why it shapes how every site is built and deployed.

Tags:serverweb-servershttpbackendbeginner
728 × 90Ad Space AvailablePlace your ad here

Related Articles

See All Articles

You Might Also Like

SSL and encryption at rest — data protected in transit and on disk
Server / Server Security

SSL and Encryption at Rest: Protecting Data Both in Transit and on Disk

Encryption protects your data in two places: while it travels the network (in transit) and while it sits on disk (at rest). Learn the difference, why you need both, how TLS, full-disk encryption, and key management actually fit together, and the practical mistakes to avoid — explained from the.

Nov 9, 202613 min read
Securing ports and services — closing the doors on a server you don't use
Server / Server Security

Securing Ports and Services: Closing the Doors You Don't Use

Every open port on a server is a door someone could try to walk through. Learn what ports and services really are, why an exposed service is your biggest risk, and the simple discipline of closing everything you don't need — explained from the ground up.

Nov 8, 202611 min read
Principle of least privilege — granting only the minimum access each user and process needs
Server / Server Security

The Principle of Least Privilege: Give Everything Only the Access It Truly Needs

Least privilege is the quiet rule behind almost every solid security setup: every user, process, and key gets the minimum access required to do its job, and nothing more. Learn what it means, why it limits the blast radius of any breach, and how to apply it across users, services, files, and keys.

Nov 7, 202613 min read
Fail2ban and intrusion basics — watching logs and automatically banning repeated abusers
Server / Server Security

Fail2ban and Intrusion Basics: Automatically Banning the Bots Hammering Your Server

Attackers don't stop after one failed guess — they keep hammering, thousands of times a day. Learn how intrusion attempts actually look, what fail2ban does, how it watches your logs and bans abusers automatically, and how to set it up sensibly without locking yourself out — explained from zero.

Nov 6, 202613 min read
Keeping software updated — closing known security holes before attackers use them
Server / Server Security

Keeping Software Updated: The Boring Habit That Stops Most Server Breaches

Most servers don't get hacked through clever new attacks — they get hacked through old, known holes that a simple update would have closed. Learn why updates matter, what to update, how to do it safely without breaking things, and how to make it a habit instead of a panic.

Nov 5, 202610 min read
Firewall configuration — a default-deny rule set that opens only the ports you need
Server / Server Security

Firewall Configuration: Setting Up Default-Deny Rules Without Locking Yourself Out

Knowing what a firewall is and actually configuring one well are two different skills. Learn how to write a default-deny rule set, order rules correctly, allow your own access first, handle IPv6 and cloud security groups, and test before you commit — a practical, vendor-neutral guide from zero.

Nov 4, 202615 min read