DEV Community

Cover image for One Click, Fifteen Systems: The Secret Journey of Your HTTP Request
Arashad Dodhiya
Arashad Dodhiya

Posted on

One Click, Fifteen Systems: The Secret Journey of Your HTTP Request

You open a tab. You type a URL. You hit Enter.

Two hundred milliseconds later, a page appears — a dashboard, a login screen, a product page. You don't think about it. Why would you? It's just a webpage.

But in those two hundred milliseconds, your request did something most people never think about: it crossed an entire country's worth of infrastructure. It got interrogated by a firewall. It proved its identity to a system that's never met you. It passed through a mesh of invisible proxies babysitting hundreds of microservices, bounced off a cache, and touched a database — all before you even noticed the page had loaded.

To you, it's a webpage. To the engineers who built it, it's a fifteen-stop relay race, and every single stop exists because something, at some point, went wrong badly enough that someone decided "never again."

Let's follow one request on that journey. Not as a diagram you skim past — as a story, stop by stop, with two extra passengers riding along: an engineer explaining why each layer exists, and an attacker quietly looking for the one that doesn't.


The Route, at a Glance

Browser → DNS → CDN → DDoS Scrubbing → WAF → Load Balancer → API Gateway
   → Identity Provider → Reverse Proxy → Kubernetes Ingress → Service Mesh
   → Microservice → Redis Cache → Database → (and all the way back)
Enter fullscreen mode Exit fullscreen mode

Fifteen stops. Fifteen chances for something to slow you down, block you, or — if you're the wrong kind of visitor — catch you. Let's ride along.


Stop 1: Before You Even Leave the Browser

The truth is, most of your requests never even leave your machine. Your browser checks its own cache first — "have I already fetched this?" If yes, congratulations, the journey is over before it started.

If not, your browser needs an address. company.com means nothing to the internet's routing hardware; it needs a number. So before a single byte crosses the network, your machine checks its local DNS cache too, hoping someone already did this lookup recently.

No luck? Now the real trip begins — and it starts, fittingly, with a question: where do I even send this thing?


Stop 2: DNS — The Internet's Phone Book, and Its First Leak

Your browser asks a DNS resolver: "what's the address for company.com?" The resolver asks around — root servers, TLD servers, the company's own authoritative nameservers — until someone answers with an IP address.

It feels instant. It's actually a small negotiation happening across servers you'll never see, resolved in single-digit milliseconds.

How attackers see this layer: DNS records are public by design — that's the whole point of DNS. So the first thing a lot of attackers do, long before touching the application, is quietly enumerate every subdomain a company owns. dev.company.com. staging.company.com. old-admin.company.com. Somewhere in that list is usually a forgotten environment nobody patched. DNS doesn't leak secrets. It leaks forgotten things — and forgotten things are exactly what attackers go looking for first.


Stop 3: The CDN — Your Request Doesn't Actually Go to the Company Yet

Here's the part that surprises people: your request doesn't travel to the company's servers first. It stops at a CDN edge node — a data center that might be a few miles from your house, not a few thousand.

If the CDN already has what you asked for cached, it hands it back immediately and the company's real servers never even hear about your visit. If not, the CDN itself becomes the one talking to the origin on your behalf.

This is also where Anycast routing quietly does something clever: the same IP address is announced from dozens of locations worldwide, and the network itself routes you to the nearest one. It's also the first line of defense against the internet's oldest blunt-force tactic — a flood of junk traffic aimed at knocking a site offline.

How attackers see this layer: the CDN is a mask, and masks can be seen through. A patient attacker will try to find the real IP address hiding behind the CDN — an old DNS record that was never cleaned up, a server misconfigured to respond directly, a leaked header in an email system. Find the origin IP, and suddenly every protection the CDN offered is just... gone. You're talking straight to the source.

DevOps takeaway: cache headers aren't busywork — they're the difference between "handled at the edge" and "hit our servers a million times a minute." Get them wrong and you've built a very expensive way to serve the same file.


Stop 4: The Web Application Firewall — The Bouncer Who Reads Every Line

Before anyone inside the company even sees your request, something inspects it, word by word, looking for trouble.

Imagine this shows up in a search box:

GET /search?q=' OR 1=1--
Enter fullscreen mode Exit fullscreen mode

To a database, that's not a search term — it's a command trying to trick it into returning everything it holds. A WAF's entire job is to recognize patterns like this and stop them before they ever reach an application that might actually be dumb enough to run them.

How attackers see this layer: a WAF isn't a wall, it's a pattern-matcher — and pattern-matchers can be tricked by anything that doesn't match the expected pattern but still means the same thing to the system underneath. Different encodings. Unusual capitalization. Splitting a malicious payload across a request in a way a human reader would still understand but a rule-based filter wouldn't flag. This is exactly why "we have a WAF" is never the whole security story — it's one filter, not a guarantee.


Stop 5: The Load Balancer — Because One Server Was Never Going to Cut It

Picture a popular streaming service on a Friday night. Millions of people press play in the same ten minutes. No single server on Earth handles that alone — so a load balancer sits in front of an entire fleet of them, deciding, request by request, who handles yours.

It also quietly does something less glamorous but arguably more important: it checks whether each backend server is actually healthy before sending anyone its way. A server having a bad day gets pulled from rotation before it can ruin anyone's afternoon.

DevOps takeaway: health checks and auto-scaling live here, and they're the reason a traffic spike turns into "we handled it" instead of "the site's down." Get sticky sessions wrong, though, and you get the classic bug where a user gets logged out mid-checkout because their next request landed on a server that's never heard of them.


Stop 6: The API Gateway — Where Developers Start Paying Attention

This is the point where the request stops being "traffic" and starts being "a conversation with an application." The gateway checks: does this request have a valid token? Is this client allowed to call this endpoint? Have they called it too many times in the last minute?

This is home turf for JWTs (compact, signed tokens that prove who's making a request), OAuth flows (the standard way apps grant each other limited access without handing over a password), and rate limiting (the polite way of saying "slow down").

How attackers see this layer: broken authentication logic here is a goldmine, because a mistake at the gateway can undermine every service behind it at once. A classic example is JWT confusion — tricking a system into trusting a token it should have rejected, because the code checking it made an assumption it shouldn't have.


Stop 7: The Identity Provider — Proving You Are Who You Say You Are

Somewhere around here, your request gets handed off to a specialist whose only job is identity — an Entra ID or Okta, checking your session, your device posture, maybe asking for a second factor if something looks unusual.

Browser → Identity Provider → signed token → Application
Enter fullscreen mode Exit fullscreen mode

This is Zero Trust in action: nobody gets trusted just because they're "already inside the network." Every request proves itself, every time, on its own merits.

How attackers see this layer: identity is the new perimeter, so it's also the new target. MFA fatigue attacks (bombarding someone with approval requests until they tap "yes" just to make it stop), OAuth consent abuse (tricking a user into approving a malicious app's access), session token theft — none of these need a vulnerability in code. They need one distracted human, which is a much softer target than a well-patched server.


Stop 8 & 9: The Reverse Proxy and the Ingress — The Traffic Cops Nobody Notices

An NGINX, Traefik, or HAProxy instance quietly routes your request to the right place internally, often handling TLS termination along the way — the point where encrypted traffic gets decrypted so the application can actually read it.

Then, if the company runs on Kubernetes, an Ingress controller decides which of potentially hundreds of services should actually receive this request. The interesting thing to understand here isn't Kubernetes itself — it's why there's no such thing as "the server" anymore. There isn't one machine running the application. There are dozens of disposable, identical copies, any of which might handle your request, none of which matter individually.

DevOps takeaway: rolling updates and readiness probes live here — the mechanism that lets a company deploy new code fifty times a day without anyone's request ever hitting a half-deployed, broken version.


Stop 10: The Service Mesh — The Layer Most Articles Never Get To

Here's where most explainers stop. Yours doesn't, because this is where things get genuinely interesting.

Modern applications aren't one program — they're dozens of small services talking to each other constantly. And in a mature setup, they don't talk directly. Each one has a tiny proxy sitting next to it (commonly Envoy) handling the actual conversation:

Service A → Envoy → Envoy → Service B
Enter fullscreen mode Exit fullscreen mode

Why bother? Because this is where mutual TLS happens — every internal service proving its identity to every other internal service, the same way your browser proved its identity to the company. It's also where retries, timeouts, and traffic shaping quietly happen without a single line of application code knowing about it.

The moment a reader realizes this layer exists is usually the moment they go, "wait — there's another whole security layer in here I never knew about?" Yes. And it exists because "internal network" stopped meaning "trusted" a long time ago.

How attackers see this layer: if you can steal a service's identity — its certificate, its mesh credentials — you're no longer an outsider trying to break in. You're a trusted participant in a conversation that was never designed to question you again once you're in it.


Stop 11: The Microservices — Finally, Somebody Does the Actual Work

Your request now lands somewhere real. Maybe it hits an Authentication Service, which calls a User Service, which — if you're checking out — calls a Payment Service, which calls Inventory, which might quietly fire off a Notification Service to email you a receipt.

None of these services know or care about the other thirteen stops your request already survived. They just know: "a request arrived, already authenticated, already trusted by everything upstream — let's do our job."


Stop 12: Redis — The Shortcut Most Requests Never Need to Skip

Before touching a database — the slowest, most precious resource in the whole stack — most systems check a cache first.

Cache Hit → Return immediately (database never touched)
Cache Miss → Ask the database → Store the answer for next time
Enter fullscreen mode Exit fullscreen mode

Most requests, most of the time, are cache hits. It's the quiet workhorse nobody thanks.

How attackers see this layer: caches are often left exposed to the internet by mistake, with no authentication at all, because "it's just internal infrastructure" — until it isn't. An exposed Redis instance can leak session data directly, or in the worst cases, be abused to poison what gets served to other users.


Stop 13: The Database — Journey's End

Only now, after fourteen checkpoints, does your request finally reach the system holding the actual data. A query runs. A row comes back. And the entire trip immediately reverses — back through the mesh, back through the services, back through the gateway, back through the CDN — until it lands in your browser as a page that "just loaded."

How attackers see this layer: this is still, after everything, the endgame for a huge share of real breaches — because one unsanitized query, one over-permissioned service account, and all fourteen layers upstream become irrelevant. Defense in depth means every layer matters. It doesn't mean every layer is equally hard to bypass.


The Whole Trip, One More Time

Browser
  ↓
DNS
  ↓
CDN
  ↓
DDoS Scrubbing
  ↓
Web Application Firewall
  ↓
Load Balancer
  ↓
API Gateway
  ↓
Identity Provider
  ↓
Reverse Proxy
  ↓
Kubernetes Ingress
  ↓
Service Mesh
  ↓
Microservice
  ↓
Redis Cache
  ↓
Database
  ↓
Response, all the way back
Enter fullscreen mode Exit fullscreen mode

What This All Actually Means

A page that loads in 200 milliseconds might have crossed fifteen or twenty independent systems, each one built by a different team, for a different reason, at a different point in the company's history.

To a user, it's a webpage.

To a DevOps engineer, it's an orchestrated platform where every layer earns its keep in performance, availability, or resilience.

To a security engineer, it's a chain of trust — and chains are only as strong as the link nobody's checked recently.

And to an attacker, it's not an obstacle course. It's a map. Every stop on this journey is also somebody's job posting, somebody's documentation page, somebody's conference talk explaining exactly how it works — which means the map is public. What separates a secure company from a breached one usually isn't a secret technology the attacker didn't know about. It's a single stop, somewhere on this list, that quietly didn't get the same attention as the other fourteen.

Next time a page loads in a blink, it might be worth remembering: that blink had a whole journey behind it. You just weren't invited to watch.

Top comments (0)