/ How The Web Works / By

The Client-Server Model (And How It All Fits Together)

If you’re diving into web applications, penetration testing, or just trying to understand how websites work, you have to understand the client-server model. It’s the foundation of everything online — every login form, every website, every web app runs on this concept.

Let’s break it down without overcomplicating things.

What Is the Client-Server Model?

At its core, the client-server model is just a fancy way of saying:

One machine (the client) makes a request, and another machine (the server) responds.

Think of it like ordering food at a restaurant:

  • You (the client) look at the menu and place an order.
  • The kitchen (the server) prepares your food and brings it back.

In the web world:

  • The client is usually your browser (Chrome, Firefox, etc.)
  • The server is a computer somewhere on the internet that stores and serves content

How They Communicate: HTTP

We use HTTP (or HTTPS) to send messages back and forth between the client and the server.

  • The client says: “Give me the homepage.”
  • The server replies: “Here’s the HTML, CSS, JavaScript, and images you need.”

Every time you click a link, submit a form, or open a web app — your browser is sending HTTP requests to a server and getting responses in return.

What Happens When You Visit a Website?

Let’s say you go to https://example.com in your browser. Here’s what typically happens:

  1. Your browser (client) sends an HTTP GET request to the server.
  2. The server replies with:
    • An HTML file that contains the structure of the page
    • A link to a CSS file that styles the page
    • A link to a JavaScript file that adds interactivity
  3. Your browser reads the HTML, downloads the CSS and JS files, and assembles everything into the full page you see on screen. Like this blog post you are reading now.

Technologies Involved (And Where They Fit)

Let’s map out what each piece does — and where it lives in the client-server relationship.

On the Client Side (Your Browser)

These are technologies that run in your browser, on your machine:

  • HTML – Builds the structure of the page (headings, paragraphs, links, forms)
  • CSS – Adds styling (colors, fonts, layout)
  • JavaScript – Makes things interactive (buttons, animations, form validation, API calls)

As a pentester, JavaScript is especially important. It’s often where you’ll find vulnerabilities like DOM-based XSS, client-side logic flaws, or sensitive API endpoints.

On the Server Side

These technologies run on the web server — the computer hosting the site:

  • Web server software – Like Apache, Nginx, or Node.js — listens for HTTP requests and sends back responses
  • Back-end code – Written in languages like Python, PHP, Ruby, Java, or JavaScript (Node.js). Handles logic, authentication, database interactions, etc.
  • Databases – Store user data, app content, login info, etc. (e.g., MySQL, PostgreSQL, MongoDB)

Server-side logic is where you’ll test for things like SQL injection, authentication bypass, and insecure direct object references (IDOR).

They Work Together Like This

Here’s a simplified view of the full stack:

[Client: Browser]
   ↓
 Sends HTTP Request
   ↓
[Server: Web App + Backend Code + Database]
   ↑
 Sends HTTP Response (HTML, CSS, JS, Data)
   ↑
[Client: Renders the Page]

And once the page loads, JavaScript can continue making background HTTP requests (using fetch() or XMLHttpRequest) to get more data — this is how modern apps work without refreshing the page.

Why Should You Care as a Pentester?

Understanding who does what — client or server — tells you where to look for vulnerabilities:

  • Client-side issues → XSS, broken scripts, exposed APIs, leaking tokens
  • Server-side issues → SQL injection, logic flaws, insecure auth, access control

You’ll often intercept and inspect both sides using tools like Burp Suite, so knowing how the client and server talk — and what each is responsible for — gives you the edge.

Recap

  • The client-server model powers all web communication.
  • Clients (browsers) make HTTP requests and receive responses from servers.
  • HTML, CSS, and JavaScript live on the client — they build and style what you see.
  • Servers handle the logic, databases, and content.
  • Understanding this flow is crucial for effective pentesting.

Related Posts

Scroll to Top