# Chapter 14: Web Basics and APIs

Modern software development increasingly revolves around web technologies. Whether building RESTful APIs, microservices, or web applications, understanding HTTP fundamentals and API architecture is essential. Python's ecosystem offers powerful tools for both consuming external APIs and building robust server-side applications.

This chapter establishes the foundational concepts of web development: the HTTP protocol that governs all web communication, the architectural principles of REST APIs, and Python's `requests` library for consuming web services. These concepts provide the theoretical foundation before we explore specific frameworks (FastAPI, Flask, Django) in subsequent chapters.

## 14.1 HTTP Fundamentals: The Language of the Web

The **Hypertext Transfer Protocol (HTTP)** is the application-layer protocol that powers the World Wide Web. Every web interaction—loading a page, submitting a form, calling an API—involves HTTP messages exchanged between clients and servers.

### The Request-Response Cycle

HTTP follows a request-response model:

1.  **Client** sends an HTTP **Request** to a server
2.  **Server** processes the request
3.  **Server** sends an HTTP **Response** back to the client

```
┌─────────────────┐                      ┌─────────────────┐
│                 │  HTTP Request        │                 │
│     Client      │ ───────────────────> │     Server      │
│   (Browser/API) │                      │   (Web Server)  │
│                 │ <─────────────────── │                 │
└─────────────────┘  HTTP Response       └─────────────────┘
```

### HTTP Request Structure

An HTTP request consists of three parts:

```
POST /api/users HTTP/1.1
Host: api.example.com
Content-Type: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

{
    "username": "alice",
    "email": "alice@example.com"
}
```

**1. Request Line:**
*   **Method**: The action to perform (`GET`, `POST`, `PUT`, `DELETE`, `PATCH`, etc.)
*   **Path (URI)**: The resource identifier (`/api/users`)
*   **HTTP Version**: Protocol version (`HTTP/1.1` or `HTTP/2`)

**2. Headers:**
Metadata about the request (key-value pairs):

| Header | Purpose |
|--------|---------|
| `Host` | Target server domain |
| `Content-Type` | Format of request body (`application/json`, `text/html`) |
| `Authorization` | Authentication credentials |
| `User-Agent` | Client identification |
| `Accept` | Acceptable response formats |

**3. Body:**
Data sent with the request (used with `POST`, `PUT`, `PATCH`). Empty for `GET` requests.

### HTTP Methods (Verbs)

HTTP methods indicate the desired action on a resource:

```python
from enum import Enum
from typing import Dict

class HTTPMethod(Enum):
    """HTTP methods and their semantics."""
    
    GET = "GET"
    # Retrieve resource. Safe, idempotent, cacheable.
    # Should NOT modify server state.
    
    POST = "POST"
    # Create new resource. NOT idempotent.
    # Multiple identical requests create multiple resources.
    
    PUT = "PUT"
    # Replace entire resource. Idempotent.
    # Updates or creates resource at specific URI.
    
    PATCH = "PATCH"
    # Partial update. NOT necessarily idempotent.
    # Modifies specific fields of a resource.
    
    DELETE = "DELETE"
    # Remove resource. Idempotent.
    # Once deleted, subsequent deletes return same status.
    
    HEAD = "HEAD"
    # Like GET but returns headers only. No body.
    # Useful for checking resource existence.
    
    OPTIONS = "OPTIONS"
    # Returns allowed methods for resource.
    # Used in CORS preflight requests.
```

**Idempotency Explained:**
An operation is **idempotent** if making the same request multiple times produces the same result as a single request. `GET`, `PUT`, `DELETE` are idempotent; `POST` is not.

```python
# Example: Idempotency matters for retry logic
def safe_retry_example():
    """
    Retrying idempotent operations is safe.
    Retrying non-idempotent operations can cause duplicates.
    """
    # GET: Safe to retry
    # GET /users/123 → Returns user
    # GET /users/123 again → Same result, no side effects
    
    # POST: NOT safe to retry without idempotency key
    # POST /orders → Creates order #1
    # POST /orders (retry) → Creates order #2 (DUPLICATE!)
    
    # PUT: Safe to retry
    # PUT /users/123 {"email": "new@example.com"}
    # PUT /users/123 (retry) → Same update, same result
    
    pass
```

### HTTP Response Structure

```
HTTP/1.1 201 Created
Content-Type: application/json
Content-Length: 89
Location: /api/users/42

{
    "id": 42,
    "username": "alice",
    "email": "alice@example.com",
    "created_at": "2026-02-13T10:30:00Z"
}
```

**1. Status Line:**
*   **HTTP Version**: Protocol version
*   **Status Code**: Three-digit code indicating result
*   **Reason Phrase**: Human-readable status description

**2. Headers:**
Metadata about the response:

| Header | Purpose |
|--------|---------|
| `Content-Type` | Format of response body |
| `Content-Length` | Body size in bytes |
| `Location` | URI of newly created resource |
| `Set-Cookie` | Store data on client |
| `Cache-Control` | Caching directives |

**3. Body:**
The requested data (HTML, JSON, XML, binary, etc.)

### HTTP Status Codes

Status codes are grouped by their first digit:

```python
from enum import IntEnum

class HTTPStatus(IntEnum):
    """Common HTTP status codes."""
    
    # 1xx: Informational - Request received, continuing process
    CONTINUE = 100
    SWITCHING_PROTOCOLS = 101
    
    # 2xx: Success - Request successfully received, understood, accepted
    OK = 200                    # Standard success
    CREATED = 201               # Resource created successfully
    ACCEPTED = 202              # Request accepted for processing
    NO_CONTENT = 204            # Success but no body (for DELETE)
    
    # 3xx: Redirection - Further action needed to complete request
    MOVED_PERMANENTLY = 301     # Resource moved permanently
    FOUND = 302                 # Resource moved temporarily
    NOT_MODIFIED = 304          # Cached resource still valid
    PERMANENT_REDIRECT = 308    # Redirect with same method
    
    # 4xx: Client Error - Request contains bad syntax or cannot be fulfilled
    BAD_REQUEST = 400           # Malformed request syntax
    UNAUTHORIZED = 401          # Authentication required
    FORBIDDEN = 403             # Authenticated but not authorized
    NOT_FOUND = 404             # Resource doesn't exist
    METHOD_NOT_ALLOWED = 405    # HTTP method not supported
    CONFLICT = 409              # State conflict (duplicate resource)
    UNPROCESSABLE_ENTITY = 422  # Validation errors
    TOO_MANY_REQUESTS = 429     # Rate limit exceeded
    
    # 5xx: Server Error - Server failed to fulfill valid request
    INTERNAL_SERVER_ERROR = 500 # Generic server error
    NOT_IMPLEMENTED = 501       # Feature not implemented
    BAD_GATEWAY = 502           # Upstream server error
    SERVICE_UNAVAILABLE = 503   # Server temporarily unavailable
    GATEWAY_TIMEOUT = 504       # Upstream server timeout
```

**Best Practices for Status Codes:**
```python
# Good: Semantic status codes
def create_user_endpoint():
    user = create_user()
    return Response(user, status=201)  # CREATED

def delete_user_endpoint(user_id):
    delete_user(user_id)
    return Response(status=204)  # NO_CONTENT (no body needed)

def update_user_endpoint(user_id, data):
    errors = validate(data)
    if errors:
        return Response(errors, status=422)  # UNPROCESSABLE_ENTITY

# Bad: Using 200 for everything
def bad_endpoint():
    if error:
        return Response({"error": "Not found"}, status=200)  # WRONG!
```

### Statelessness

HTTP is a **stateless protocol**: each request is independent, and the server doesn't retain context between requests.

```python
# Stateless: Each request contains all necessary information
# Request 1
GET /api/profile HTTP/1.1
Authorization: Bearer token123

# Request 2 (Server doesn't remember Request 1)
GET /api/orders HTTP/1.1
Authorization: Bearer token123  # Must resend credentials

# State is maintained via:
# 1. Tokens (JWT, API keys) - sent with each request
# 2. Cookies - server sends Set-Cookie, client returns Cookie
# 3. URL parameters - session_id in query string (less secure)
```

## 14.2 RESTful Architecture: Designing Web APIs

**REST** (Representational State Transfer) is an architectural style for designing networked applications. RESTful APIs use HTTP's existing features (methods, status codes, URIs) to provide a uniform interface for resource manipulation.

### REST Principles

**1. Resource-Based:**
Everything is a **resource** identified by a URI (Uniform Resource Identifier).

```
Resources are nouns, not verbs:

Good:   GET /users/123          (User is the resource)
Bad:    GET /getUser?id=123     (Action in URL)

Good:   POST /orders            (Order is the resource)
Bad:    POST /createOrder       (Action in URL)
```

**2. HTTP Methods as Actions:**
Use HTTP methods to indicate operations on resources:

```python
# RESTful endpoint mapping

# Collection: /users
GET    /users           → List all users
POST   /users           → Create new user

# Item: /users/{id}
GET    /users/123       → Get specific user
PUT    /users/123       → Replace entire user
PATCH  /users/123       → Update user partially
DELETE /users/123       → Delete user

# Nested resources
GET    /users/123/orders           → List user's orders
POST   /users/123/orders           → Create order for user
GET    /users/123/orders/456       → Get specific order
```

**3. Representation:**
Resources can have multiple representations (JSON, XML, HTML). Clients specify preference via `Accept` header.

**4. Statelessness:**
Each request contains all information needed to process it.

**5. HATEOAS (Hypermedia as the Engine of Application State):**
Responses include links to related actions, allowing clients to navigate the API dynamically.

```json
{
    "id": 123,
    "username": "alice",
    "email": "alice@example.com",
    "_links": {
        "self": {"href": "/users/123", "method": "GET"},
        "update": {"href": "/users/123", "method": "PATCH"},
        "delete": {"href": "/users/123", "method": "DELETE"},
        "orders": {"href": "/users/123/orders", "method": "GET"}
    }
}
```

### Designing a RESTful API

Let's design a complete API for a blog platform:

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
from enum import Enum

# Domain Models
@dataclass
class Article:
    id: int
    title: str
    content: str
    author_id: int
    status: 'ArticleStatus'
    created_at: datetime
    updated_at: datetime
    tags: List[str]

class ArticleStatus(Enum):
    DRAFT = "draft"
    PUBLISHED = "published"
    ARCHIVED = "archived"

# API Design Documentation
"""
Blog API - RESTful Endpoints

Base URL: https://api.blog.com/v1

Authentication: Bearer Token (JWT)

Articles Collection:
┌────────┬─────────────────────────┬────────────────────────────────────┐
│ Method │ Endpoint                │ Description                        │
├────────┼─────────────────────────┼────────────────────────────────────┤
│ GET    │ /articles               │ List articles (paginated)          │
│ POST   │ /articles               │ Create new article                 │
│ GET    │ /articles/{id}          │ Get single article                 │
│ PUT    │ /articles/{id}          │ Replace entire article             │
│ PATCH  │ /articles/{id}          │ Partially update article           │
│ DELETE │ /articles/{id}          │ Delete article                     │
│ POST   │ /articles/{id}/publish  │ Custom action: publish article     │
└────────┴─────────────────────────┴────────────────────────────────────┘

Query Parameters for Collection:
  - page: Page number (default: 1)
  - limit: Items per page (default: 20, max: 100)
  - status: Filter by status (draft, published, archived)
  - author_id: Filter by author
  - search: Search in title/content
  - sort: Sort field (created_at, updated_at, title)
  - order: Sort order (asc, desc)

Example Request:
  GET /articles?page=2&limit=10&status=published&sort=created_at&order=desc

Example Response:
{
    "data": [...],
    "pagination": {
        "page": 2,
        "limit": 10,
        "total": 150,
        "total_pages": 15
    }
}
"""
```

### API Versioning Strategies

```python
# Strategy 1: URL Path Versioning (Most Common)
# Pros: Clear, easy to implement, cache-friendly
# Cons: URL changes between versions
GET /v1/articles
GET /v2/articles

# Strategy 2: Header Versioning
# Pros: Clean URLs, single endpoint
# Cons: Harder to test, less visible
GET /articles
Accept: application/vnd.blog.v2+json

# Strategy 3: Query Parameter
# Pros: Optional for default version
# Cons: Mixed with other query params
GET /articles?version=2

# Strategy 4: Hostname Versioning (Rare)
GET https://v2.api.blog.com/articles
```

### Error Response Design

Consistent error responses improve API usability:

```python
from dataclasses import dataclass
from typing import List, Dict, Any

@dataclass
class APIError:
    """Standardized error response structure."""
    code: str                 # Machine-readable error code
    message: str              # Human-readable message
    details: List[Dict[str, Any]]  # Additional context
    
    def to_dict(self) -> Dict:
        return {
            "error": {
                "code": self.code,
                "message": self.message,
                "details": self.details
            }
        }

# Example error responses

# Validation Error (422)
validation_error = APIError(
    code="VALIDATION_ERROR",
    message="The request data is invalid",
    details=[
        {"field": "email", "message": "Invalid email format"},
        {"field": "password", "message": "Must be at least 8 characters"}
    ]
)
# Response: 422 Unprocessable Entity
# Body: validation_error.to_dict()

# Authentication Error (401)
auth_error = APIError(
    code="AUTHENTICATION_REQUIRED",
    message="Authentication credentials were not provided",
    details=[]
)

# Not Found Error (404)
not_found_error = APIError(
    code="RESOURCE_NOT_FOUND",
    message="Article with ID 999 not found",
    details=[{"resource": "Article", "id": 999}]
)

# Rate Limit Error (429)
rate_limit_error = APIError(
    code="RATE_LIMIT_EXCEEDED",
    message="API rate limit exceeded. Please retry after 60 seconds.",
    details=[{"retry_after": 60}]
)
```

### Pagination Patterns

```python
from dataclasses import dataclass
from typing import Generic, TypeVar, List

T = TypeVar('T')

@dataclass
class PaginatedResponse(Generic[T]):
    """Standard pagination response wrapper."""
    data: List[T]
    page: int
    limit: int
    total: int
    total_pages: int
    
    @classmethod
    def create(
        cls, 
        items: List[T], 
        page: int, 
        limit: int, 
        total: int
    ) -> 'PaginatedResponse[T]':
        return cls(
            data=items,
            page=page,
            limit=limit,
            total=total,
            total_pages=(total + limit - 1) // limit
        )
    
    def to_dict(self) -> dict:
        return {
            "data": [item.__dict__ if hasattr(item, '__dict__') else item 
                     for item in self.data],
            "pagination": {
                "page": self.page,
                "limit": self.limit,
                "total": self.total,
                "total_pages": self.total_pages
            }
        }

# Offset-Based Pagination (Most Common)
# GET /articles?page=2&limit=10
def get_articles_paginated(page: int = 1, limit: int = 10) -> PaginatedResponse:
    offset = (page - 1) * limit
    # SQL: SELECT * FROM articles LIMIT {limit} OFFSET {offset}
    articles = query_articles(limit=limit, offset=offset)
    total = count_total_articles()
    return PaginatedResponse.create(articles, page, limit, total)

# Cursor-Based Pagination (Better for large/real-time datasets)
# GET /articles?cursor=eyJpZCI6MTAwfQ&limit=10
# Response includes next_cursor instead of page number
```

## 14.3 API Consumption: The requests Library

While frameworks help you build APIs, the `requests` library is the industry standard for consuming them. Its elegant API makes HTTP calls straightforward while providing powerful features for sessions, authentication, and error handling.

### Installation and Basic Usage

```bash
pip install requests
```

```python
import requests
from typing import Dict, Any, Optional

# Simple GET request
response = requests.get('https://api.example.com/users')

# Response properties
print(response.status_code)    # 200
print(response.ok)             # True (status < 400)
print(response.headers)        # {'Content-Type': 'application/json', ...}
print(response.content)        # Raw bytes
print(response.text)           # Decoded string
print(response.json())         # Parsed JSON (dict or list)
print(response.url)            # Final URL (after redirects)
print(response.elapsed)        # Timedelta of request duration
```

### Request Parameters

```python
# Query Parameters
params = {
    'page': 1,
    'limit': 10,
    'status': 'active'
}
response = requests.get(
    'https://api.example.com/users',
    params=params
)
# Actual URL: https://api.example.com/users?page=1&limit=10&status=active

# Request Headers
headers = {
    'Authorization': 'Bearer token123',
    'Accept': 'application/json',
    'X-Custom-Header': 'value'
}
response = requests.get(
    'https://api.example.com/users',
    headers=headers
)

# Request Body (JSON)
data = {
    'username': 'alice',
    'email': 'alice@example.com'
}
response = requests.post(
    'https://api.example.com/users',
    json=data  # Automatically sets Content-Type: application/json
)

# Equivalent to:
response = requests.post(
    'https://api.example.com/users',
    data=json.dumps(data),
    headers={'Content-Type': 'application/json'}
)

# Form Data (application/x-www-form-urlencoded)
form_data = {
    'username': 'alice',
    'password': 'secret123'
}
response = requests.post(
    'https://api.example.com/login',
    data=form_data
)

# File Upload
files = {
    'document': ('report.pdf', open('report.pdf', 'rb'), 'application/pdf')
}
response = requests.post(
    'https://api.example.com/upload',
    files=files
)

# Multipart with mixed data
files = {'avatar': open('avatar.jpg', 'rb')}
data = {'username': 'alice'}
response = requests.post(
    'https://api.example.com/profile',
    files=files,
    data=data
)
```

### Handling Responses and Errors

```python
import requests
from requests.exceptions import (
    HTTPError, 
    ConnectionError, 
    Timeout, 
    RequestException
)
from typing import Any, Dict

def safe_api_call(url: str) -> Dict[str, Any]:
    """
    Make API call with comprehensive error handling.
    
    Demonstrates all common request exceptions.
    """
    try:
        response = requests.get(
            url,
            timeout=10  # Seconds (connect + read)
        )
        
        # Raise exception for bad status codes (4xx, 5xx)
        response.raise_for_status()
        
        # Check content type before parsing
        content_type = response.headers.get('Content-Type', '')
        if 'application/json' not in content_type:
            raise ValueError(f"Unexpected content type: {content_type}")
        
        return response.json()
    
    except Timeout:
        # Request timed out
        print(f"Request to {url} timed out")
        raise
    
    except ConnectionError:
        # Network problem (DNS failure, refused connection)
        print(f"Could not connect to {url}")
        raise
    
    except HTTPError as e:
        # HTTP error response (4xx, 5xx)
        status = e.response.status_code
        if status == 401:
            print("Authentication failed - check credentials")
        elif status == 404:
            print("Resource not found")
        elif status == 429:
            print("Rate limit exceeded")
        elif 500 <= status < 600:
            print(f"Server error: {status}")
        raise
    
    except ValueError as e:
        # JSON parsing failed
        print(f"Invalid JSON response: {e}")
        raise
    
    except RequestException as e:
        # Base exception for all requests errors
        print(f"Request failed: {e}")
        raise

# Usage with context manager
def download_file(url: str, filepath: str) -> None:
    """Download large file with streaming."""
    with requests.get(url, stream=True) as response:
        response.raise_for_status()
        with open(filepath, 'wb') as f:
            for chunk in response.iter_content(chunk_size=8192):
                f.write(chunk)
```

### Session Management

Sessions persist cookies and connection pooling across multiple requests:

```python
import requests
from typing import Optional

class APIClient:
    """
    Reusable API client with session management.
    
    Sessions provide:
    - Connection pooling (faster for multiple requests)
    - Cookie persistence
    - Default headers
    """
    
    def __init__(self, base_url: str, api_key: Optional[str] = None) -> None:
        self.base_url = base_url.rstrip('/')
        self.session = requests.Session()
        
        # Set default headers for all requests
        self.session.headers.update({
            'Accept': 'application/json',
            'User-Agent': 'MyApp/1.0'
        })
        
        if api_key:
            self.session.headers['Authorization'] = f'Bearer {api_key}'
    
    def get(self, endpoint: str, **kwargs) -> Dict:
        """Make GET request."""
        url = f"{self.base_url}/{endpoint.lstrip('/')}"
        response = self.session.get(url, **kwargs)
        response.raise_for_status()
        return response.json()
    
    def post(self, endpoint: str, data: Dict, **kwargs) -> Dict:
        """Make POST request."""
        url = f"{self.base_url}/{endpoint.lstrip('/')}"
        response = self.session.post(url, json=data, **kwargs)
        response.raise_for_status()
        return response.json()
    
    def close(self) -> None:
        """Close the session."""
        self.session.close()
    
    def __enter__(self) -> 'APIClient':
        return self
    
    def __exit__(self, *args) -> None:
        self.close()

# Usage
with APIClient('https://api.example.com', api_key='secret') as client:
    # Session persists cookies and connection
    users = client.get('/users')
    user = client.post('/users', {'name': 'Alice'})
```

### Authentication Patterns

```python
import requests
from requests.auth import HTTPBasicAuth, AuthBase
from typing import Dict, Any

# Basic Authentication
response = requests.get(
    'https://api.example.com/protected',
    auth=HTTPBasicAuth('username', 'password')
)

# Bearer Token
headers = {'Authorization': 'Bearer eyJhbGciOi...'}
response = requests.get('https://api.example.com/protected', headers=headers)

# API Key in Header
headers = {'X-API-Key': 'your-api-key'}
response = requests.get('https://api.example.com/protected', headers=headers)

# Custom Authentication
class BearerAuth(AuthBase):
    """Custom authentication handler for Bearer tokens."""
    
    def __init__(self, token: str) -> None:
        self.token = token
    
    def __call__(self, request: requests.PreparedRequest) -> requests.PreparedRequest:
        request.headers['Authorization'] = f'Bearer {self.token}'
        return request

response = requests.get(
    'https://api.example.com/protected',
    auth=BearerAuth('your-token')
)

# OAuth 2.0 Flow (Simplified)
class OAuth2Client:
    """OAuth 2.0 client credentials flow."""
    
    def __init__(
        self, 
        token_url: str, 
        client_id: str, 
        client_secret: str
    ) -> None:
        self.token_url = token_url
        self.client_id = client_id
        self.client_secret = client_secret
        self.access_token: str = ''
    
    def get_token(self) -> str:
        """Obtain access token from authorization server."""
        response = requests.post(
            self.token_url,
            data={
                'grant_type': 'client_credentials',
                'client_id': self.client_id,
                'client_secret': self.client_secret
            }
        )
        response.raise_for_status()
        token_data = response.json()
        self.access_token = token_data['access_token']
        return self.access_token
    
    def make_authenticated_request(
        self, 
        method: str, 
        url: str, 
        **kwargs
    ) -> Dict[str, Any]:
        """Make request with automatic token handling."""
        headers = kwargs.pop('headers', {})
        headers['Authorization'] = f'Bearer {self.access_token}'
        
        response = requests.request(method, url, headers=headers, **kwargs)
        
        if response.status_code == 401:
            # Token expired, refresh and retry
            self.get_token()
            headers['Authorization'] = f'Bearer {self.access_token}'
            response = requests.request(method, url, headers=headers, **kwargs)
        
        response.raise_for_status()
        return response.json()
```

### Rate Limiting and Retries

```python
import requests
from requests.adapters import HTTPAdapter
from urllib3.util.retry import Retry
from time import sleep
from typing import Dict, Any

def create_session_with_retries(
    retries: int = 3,
    backoff_factor: float = 0.3,
    status_forcelist: tuple = (500, 502, 503, 504)
) -> requests.Session:
    """
    Create session with automatic retry for transient failures.
    
    Args:
        retries: Maximum number of retries
        backoff_factor: Multiplier for delay between retries
        status_forcelist: Status codes that trigger retry
    """
    session = requests.Session()
    
    retry_strategy = Retry(
        total=retries,
        read=retries,
        connect=retries,
        backoff_factor=backoff_factor,
        status_forcelist=status_forcelist,
        # Don't retry POST (not idempotent)
        allowed_methods=["HEAD", "GET", "PUT", "DELETE", "OPTIONS", "TRACE"]
    )
    
    adapter = HTTPAdapter(max_retries=retry_strategy)
    session.mount("http://", adapter)
    session.mount("https://", adapter)
    
    return session

# Manual rate limit handling
def request_with_rate_limit(
    url: str, 
    max_requests: int = 10, 
    period: int = 60
) -> Dict[str, Any]:
    """Handle API rate limits with exponential backoff."""
    max_retries = 5
    
    for attempt in range(max_retries):
        response = requests.get(url)
        
        if response.status_code == 200:
            return response.json()
        
        if response.status_code == 429:
            # Extract retry-after header
            retry_after = int(response.headers.get('Retry-After', period))
            wait_time = min(retry_after, 2 ** attempt)  # Exponential backoff
            
            print(f"Rate limited. Waiting {wait_time} seconds...")
            sleep(wait_time)
            continue
        
        response.raise_for_status()
    
    raise Exception("Max retries exceeded")
```

### Timeout Configuration

```python
import requests

# Timeout formats
# Single value: applies to both connect and read
requests.get('https://api.example.com', timeout=5)

# Tuple: (connect timeout, read timeout)
requests.get(
    'https://api.example.com',
    timeout=(3.05, 27)  # 3.05s to connect, 27s to read response
)

# No timeout (DANGEROUS - can hang indefinitely)
# requests.get('https://api.example.com')  # NEVER do this

# Best practice: Always set timeout
DEFAULT_TIMEOUT = 10  # seconds

def get_with_timeout(url: str, timeout: float = DEFAULT_TIMEOUT):
    """Always use timeout to prevent hanging."""
    try:
        return requests.get(url, timeout=timeout)
    except requests.Timeout:
        print(f"Request timed out after {timeout} seconds")
        raise
```

## Summary

Web development fundamentals transcend specific frameworks and languages. You now understand **HTTP** as the protocol governing all web communication: the request-response cycle, methods that define operations, status codes that communicate outcomes, and headers that carry metadata. This knowledge enables you to debug network issues, optimize performance, and design robust APIs.

**RESTful architecture** provides a uniform, scalable approach to API design. By treating everything as resources identified by URIs and using HTTP methods semantically, REST APIs become intuitive, cacheable, and portable. You can design APIs that follow industry standards: clear resource hierarchies, consistent error responses, pagination strategies, and proper versioning.

The **requests** library equips you to consume APIs with production-ready patterns: session management for connection pooling, comprehensive error handling for network resilience, authentication schemes from basic to OAuth, and retry strategies for transient failures. You understand that timeouts are mandatory and that idempotency determines whether operations can be safely retried.

These foundations prepare you for framework-specific development. In the next chapter, we explore modern Python web frameworks—FastAPI for high-performance APIs, Flask for microservices, and Django for full-stack applications—building on the HTTP and REST concepts established here.

**Next Chapter**: Chapter 15: Modern Web Frameworks (FastAPI, Flask, and Django).

<div style='width:100%; display:flex; justify-content:space-between; align-items:center; margin: 1em 0;'>
  <a href='../5. advanced_python_features/13. concurrency_and_parallelism.ipynb' style='font-weight:bold; font-size:1.05em;'>&larr; Previous</a>
  <a href='../TOC.md' style='font-weight:bold; font-size:1.05em; text-align:center;'>Table of Contents</a>
  <a href='15. modern_web_frameworks.ipynb' style='font-weight:bold; font-size:1.05em;'>Next &rarr;</a>
</div>
