What really happens when you visit a website
This is in the works! Would you like to help flesh it out? Let's do it!
1. The Browser & Request
-
User enters URL in the address bar (e.g., http://example.com).
-
Browser parses the URL into:
-
Protocol (http or https)
-
Domain (example.com)
-
Path (/about etc.)
-
-
DNS Lookup:
-
Checks local cache → ISP → recursive DNS → authoritative DNS
-
Returns the server’s IP address
-
-
TCP Connection (3-way handshake)
-
TLS/HTTPS Handshake (if https)
-
Certificate check
-
Encryption keys exchanged
-
2. The Server
-
Request reaches the server’s IP
-
Often through routers, firewalls, and load balancers
-
-
Web Server (Apache) receives the request
-
Checks virtual host config
-
Maps example.com/about to a directory or PHP file
-
-
PHP Interpreter executes if it’s a .php file
-
Optionally queries MySQL if dynamic content is needed
-
Assembles an HTML response
-
-
Response sent back over TCP → encrypted (if HTTPS)
3. The Browser Rendering Pipeline
-
Receives the HTML
-
Parses HTML:
-
Encounters <link> → fetch CSS
-
Encounters <script> → fetch JS
-
Encounters <img> → fetch images
-
-
Each request repeats the DNS + TCP + TLS steps (or uses keep-alive)
-
CSSOM + DOM → Render Tree → Paint
-
Runs JS
-
Applies CSS
-
Builds the final visible page
-
4. Extra Layers Students Might Notice
-
Caching:
-
Browser cache
-
CDN or proxy caching
-
Server cache (like opcache for PHP)
-
-
Compression & Optimization:
-
Gzip / Brotli
-
Minified assets
-
-
Security Checks:
-
HTTPS certificate verification
-
Mixed content warnings
-
-
Errors & Logging:
-
404, 500
-
Apache logs, PHP error logs
-
Browser → DNS → TCP/HTTPS → Apache → PHP → MySQL
↑ ↓
CSS/JS/IMG requests HTML Response
What we want you to find….
-
That a “simple page” is the tip of an iceberg of:
-
DNS resolution
-
TCP/HTTP(S) handshakes
-
Web server config
-
PHP execution
-
Database queries
-
Multiple asset requests
-
Rendering and scripting
-
-
That every layer can break or slow things down.
-
That “the web” is a stack of cooperating systems, not just a file being opened.
….
1. Open DevTools → Network Tab
-
Reload the page with Network tab open
-
Filter by “All”
-
Explain each column: Name, Status, Type, Initiator, Size, Time
-
What to notice:
-
First request = HTML
-
Then all the assets (CSS, JS, images)
-
Some requests have different domains (fonts, CDNs)
-
2. Step Through the Timeline
-
Click the first HTML request → Headers tab
-
Show Request URL (the full thing the browser sent)
-
Show Response Headers (server type, content-type)
-
Show Status Code (200 OK, 304, 404, etc.)
-
-
Then pick an image or CSS file
-
Compare the request/response
-
Reinforce that each one is a separate trip
-
3. Simulate Slow Networks
-
Use the Throttling dropdown (Slow 3G)
-
Reload the page
-
Students see waterfall bars crawl across
-
Every request becomes obvious
-
4. Show Links as New Requests
-
Click a link to another page
-
Clear the network tab first
-
Show that everything fires again
-
-
Even internal links are fresh requests (unless SPA or cached)
5. Key Lesson
-
A “simple” page is dozens of tiny conversations between browser and server
-
Every link = a new conversation
-
DevTools lets us see the dialogue
- ….
-
Part 2: Links
-
Show that every <a> tag creates a brand-new trip
-
Emphasize:
-
Even links on the same site can trigger a new request
-
Browser may reuse DNS and connections if possible (keep-alive, HTTP/2)
-
-
Visual: arrows looping back to “Browser → DNS → TCP…”
-
…
…
this is the perfect time to seed security awareness without scaring them or overwhelming them with advanced concepts. Even for pure HTML websites, there are a few practical ways to frame security so they start thinking like responsible developers.
Here’s how I’d approach it:
1. Separate Two Kinds of Security
-
System/Network Security (server, hosting, traffic)
-
Content/Client-Side Security (the files, the browser, the links)
Since they’re only making static HTML, the attacks are mostly system/network unless they do something silly like link to malicious resources.
2. Attacks They Can Understand Early
A. Denial of Service (DoS / DDoS)
-
What it is: Overwhelm your server with too many requests.
-
How it works for HTML sites:
-
Send thousands of requests → server can’t handle real users.
-
-
Takeaway: Even static sites rely on a server that can be swamped.
B. Defacement / Unauthorized Access
-
What it is: Hacker gets into your server and changes your HTML files.
-
How it might happen:
-
Weak password on FTP or hosting control panel
-
Poorly secured hosting
-
-
Takeaway: The site is “static,” but the server is dynamic and vulnerable.
C. Hotlinking / Resource Abuse
-
What it is: Someone embeds your images on their site, using your bandwidth.
-
Takeaway: Even if your site is safe, people can steal resources.
D. Clickjacking or Misuse
-
What it is: Someone loads your page in a hidden iframe and tricks users into clicking.
-
Takeaway: Even innocent pages can be abused in another context.
E. Social Engineering
-
What it is: If you post personal info or predictable admin URLs, attackers can exploit that.
-
Takeaway: Don’t expose private details even on static sites.
3. Framing Security Early
You don’t need to teach them cryptography yet—just cause and effect awareness:
-
Servers are real computers; people can attack them.
-
Static HTML isn’t bulletproof—security ≠ “I didn’t write PHP.”
-
Every website lives in a bigger ecosystem where traffic, hosting, and configuration matter.
-
Being a good web citizen means considering both user safety and system safety.
4. Optional Cool Demo
-
Spin up a test server → hit it with ab (ApacheBench) or similar
-
Show how even a small flood of requests can freeze a cheap shared host
-
Students viscerally understand DDoS in 30 seconds