Mahmudul

The Secret Life of a Website Visit

A fun, story-style walkthrough of what really happens when you type a URL: DNS, TCP, TLS/SSL, HTTP, caching, rendering, CORS, cookies, CDNs, and more. - 18 Sept 2025

4 min read

views
Cover illustration for JWT storage best practices in frontend apps

The Secret Life of a Website Visit 🌍✨

(or: Why your browser is basically a detective, courier, and diplomat all at once)

You type www.example.com into your browser and hit Enter. A page appears in seconds.

Behind the scenes? A whirlwind of detectives, phonebooks, border guards, chefs, and bodyguards. Let’s follow the journey step by step.

πŸ—ΊοΈ Scene 1: Finding the Address β€” DNS

Your browser only knows names like example.com, but the internet works on numbers (IP addresses).

  1. Browser cache β†’ OS cache β†’ DNS resolver.
  2. Resolver queries root β†’ TLD (.com) β†’ authoritative server.
  3. Finally, we get example.com β†’ 93.184.216.34.
ℹ️

Some browsers now use DNS-over-HTTPS (DoH) or DNS-over-TLS for privacy, and CDNs often serve DNS to route you to the nearest server.

🚦 Scene 2: The Road Trip β€” IP Routing

Now that we have an IP, data packets travel like cars:

  • Hopping across routers, ISPs, and maybe undersea cables.
  • Each packet is wrapped like an onion: IP β†’ TCP β†’ HTTP β†’ Data.
  • Packets may take different routes but arrive and reassemble in order.

If the site uses a CDN, you’ll probably hit a nearby edge server instead of the origin.

πŸšͺ Scene 3: Knock Knock β€” TCP Handshake

Before talking, the browser knocks:

SYN β†’ SYN/ACK β†’ ACK

Connection is now open.

🀝 Scene 4: Secret Handshake β€” TLS/SSL

Before sending secrets, both sides agree on encryption.

  1. Server shows an SSL certificate (identity check).
  2. Browser verifies it (not expired, signed by trusted CA, matches hostname).
  3. Both agree on a cipher and exchange keys.
  4. Channel is now private β€” outsiders see only gibberish.
πŸ’‘

TLS 1.3 reduces round trips β†’ faster handshakes, better security.

πŸ“œ Scene 5: Ordering the Pizza β€” HTTP Request

Your browser speaks first:

GET / HTTP/2
Host: example.com
User-Agent: Chrome/126.0
Accept: text/html
Accept-Encoding: gzip, br
Cookie: session=abc123

The server responds with a status code, headers, and body:

  • 200 OK β†’ here’s your HTML.
  • 301/302 β†’ redirect.
  • 404 Not Found β†’ oops, no page.
  • 500 β†’ server broke.
πŸ“

Cookies and tokens identify you (logged in, preferences).
Modern apps often use JWTs or OAuth tokens in headers.

πŸ₯‘ Scene 6: Don’t Reorder the Same Toppings β€” Caching

Why redownload assets every time?

  • Browser cache stores logos, CSS, JS.
  • CDNs serve cached content closer to you.
  • Cache headers tell when to reuse vs revalidate:
Cache-Control: public, max-age=604800
ETag: "abc123"

If unchanged, server replies: 304 Not Modified (fast!).

πŸ‘©β€πŸ³ Scene 7: Kitchen Drama β€” Rendering

The browser is now the chef:

  1. Parse HTML β†’ DOM
  2. Parse CSS β†’ CSSOM
  3. Build Render Tree
  4. Layout β†’ Paint β†’ Composite

JavaScript can change things mid-flight (React/Vue updates the DOM).

πŸ’‘

Optimizations: minified assets, preloading, lazy loading, compression (Gzip/Brotli), HTTP/2 multiplexing.

πŸ•ΆοΈ Scene 8: The Overprotective Bouncer β€” CORS

Your page asks another domain for data. The browser checks:

Access-Control-Allow-Origin: https://example.com

If yes β†’ allowed. If not β†’ request blocked for safety.

That’s CORS β€” preventing shady cross-site tricks.

πŸͺͺ Scene 9: Memory Keeper β€” Cookies & Storage

Websites remember you using:

  • Cookies: session IDs, login state.
  • LocalStorage / IndexedDB: larger storage for apps.
  • Tokens: JWTs in headers for APIs.
ℹ️

Security flags matter:
HttpOnly, Secure, SameSite, Path, Max-Age.

πŸ›‘οΈ Scene 10: Hidden Bodyguards β€” Security Headers

Beyond TLS, sites add helmets:

  • HSTS: force HTTPS always.
  • CSP: stop rogue scripts (XSS).
  • X-Frame-Options: prevent clickjacking.
  • SameSite cookies: stop CSRF.

βš™οΈ Scene 11: Hidden Superpowers

  • Service Workers: offline caching, push notifications.
  • HTTP/2 + HTTP/3 (QUIC): multiplexing, fewer round trips.
  • Load Balancers: distribute traffic across servers.
  • CDNs: edge caching, DDoS protection.

❌ Scene 12: What If Something Goes Wrong?

  • DNS fails β†’ ERR_NAME_NOT_RESOLVED.
  • Timeout β†’ fallback server or retry.
  • Service worker may serve cached offline page.
  • If TLS cert is invalid β†’ scary browser warning.

✨ Scene 13: VoilΓ  β€” The Feast

After DNS lookups, IP routing, TCP, TLS, HTTP, caching, rendering, CORS, cookies, security checks, and optimizations… the final page appears in milliseconds.

What looked like a simple click was actually hundreds of tiny conversations happening worldwide.

πŸ” Recap in One Breath

  1. DNS finds the address.
  2. IP routing carries packets.
  3. TCP + TLS secure the lane.
  4. HTTP requests/serves content.
  5. Caching avoids duplicates.
  6. Rendering cooks pixels.
  7. CORS enforces boundaries.
  8. Cookies/tokens remember you.
  9. Security headers keep you safe.
  10. Optimizations + error handling make it smooth.

Next time you hit Enter on a URL, remember: it’s not magic β€” it’s a beautifully choreographed dance of networking concepts. πŸ’ƒπŸŒ