-
Notifications
You must be signed in to change notification settings - Fork 43
/
draft-ietf-httpbis-semantics-latest.xml
13688 lines (13221 loc) · 589 KB
/
draft-ietf-httpbis-semantics-latest.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type='text/xsl' href='lib/myxml2rfc.xslt'?>
<!DOCTYPE rfc [
<!ENTITY MAY "<bcp14>MAY</bcp14>">
<!ENTITY MUST "<bcp14>MUST</bcp14>">
<!ENTITY MUST-NOT "<bcp14>MUST NOT</bcp14>">
<!ENTITY NOT-RECOMMENDED "<bcp14>NOT RECOMMENDED</bcp14>">
<!ENTITY OPTIONAL "<bcp14>OPTIONAL</bcp14>">
<!ENTITY RECOMMENDED "<bcp14>RECOMMENDED</bcp14>">
<!ENTITY REQUIRED "<bcp14>REQUIRED</bcp14>">
<!ENTITY SHALL "<bcp14>SHALL</bcp14>">
<!ENTITY SHALL-NOT "<bcp14>SHALL NOT</bcp14>">
<!ENTITY SHOULD "<bcp14>SHOULD</bcp14>">
<!ENTITY SHOULD-NOT "<bcp14>SHOULD NOT</bcp14>">
<!ENTITY ID-VERSION "latest">
<!ENTITY mdash "—">
<!ENTITY nbsp " ">
<!ENTITY uuml "ü">
<!ENTITY Note "<x:h xmlns:x='http://purl.org/net/xml2rfc/ext'>Note:</x:h>">
]>
<?rfc compact="yes"?>
<?rfc subcompact="no" ?>
<?rfc linkmailto="no" ?>
<?rfc editing="no" ?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc rfcedstyle="yes"?>
<?rfc-ext allow-markup-in-artwork="yes" ?>
<?rfc-ext map-dfn="none" ?>
<?rfc-ext html-pretty-print="prettyprint https://cdn.rawgit.com/google/code-prettify/master/loader/run_prettify.js"?>
<?rfc-ext include-references-in-index="yes" ?>
<?rfc-ext xml2rfc-backend="202007"?>
<rfc obsoletes="2818, 7230, 7231, 7232, 7233, 7235, 7538, 7615, 7694"
updates="3864"
category="std" x:maturity-level="internet"
ipr="pre5378Trust200902" docName="draft-ietf-httpbis-semantics-&ID-VERSION;"
xmlns:x='http://purl.org/net/xml2rfc/ext'
xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'
version="3" tocDepth="4" sortRefs="true">
<x:feedback template="mailto:[email protected]?subject={docname},%20%22{section}%22&body=<{ref}>:"/>
<front>
<title>HTTP Semantics</title>
<author fullname="Roy T. Fielding" initials="R." surname="Fielding" role="editor">
<organization>Adobe</organization>
<address>
<postal>
<postalLine>345 Park Ave</postalLine>
<postalLine>San Jose, CA 95110</postalLine>
<country>United States of America</country>
</postal>
<email>[email protected]</email>
<uri>https://roy.gbiv.com/</uri>
</address>
</author>
<author fullname="Mark Nottingham" initials="M." surname="Nottingham" role="editor">
<organization>Fastly</organization>
<address>
<postal>
<postalLine>Prahran</postalLine>
<country>Australia</country>
</postal>
<email>[email protected]</email>
<uri>https://www.mnot.net/</uri>
</address>
</author>
<author fullname="Julian Reschke" initials="J." surname="Reschke" role="editor">
<organization abbrev="greenbytes">greenbytes GmbH</organization>
<address>
<postal>
<postalLine>Hafenweg 16</postalLine>
<postalLine>48155 Münster</postalLine>
<country>Germany</country>
</postal>
<email>[email protected]</email>
<uri>https://greenbytes.de/tech/webdav/</uri>
</address>
</author>
<date/>
<area>Applications and Real-Time</area>
<workgroup>HTTP Working Group</workgroup>
<keyword>Hypertext Transfer Protocol</keyword>
<keyword>HTTP</keyword>
<keyword>HTTP semantics</keyword>
<keyword>HTTP content</keyword>
<keyword>HTTP method</keyword>
<keyword>HTTP status code</keyword>
<abstract>
<t>
The Hypertext Transfer Protocol (HTTP) is a stateless application-level
protocol for distributed, collaborative, hypertext information systems.
This document describes the overall architecture of HTTP, establishes common
terminology, and defines aspects of the protocol that are shared by all
versions. In this definition are core protocol elements, extensibility
mechanisms, and the "http" and "https" Uniform Resource Identifier (URI)
schemes.
</t>
<t>
This document updates RFC 3864 and
obsoletes RFCs 2818, 7231, 7232, 7233,
7235, 7538, 7615, 7694, and portions of 7230.
</t>
</abstract>
<note title="Editorial Note" removeInRFC="true">
<t>
Discussion of this draft takes place on the HTTP working group
mailing list ([email protected]), which is archived at
<eref target="https://lists.w3.org/Archives/Public/ietf-http-wg/"/>.
</t>
<t>
Working Group information can be found at <eref target="https://httpwg.org/"/>;
source code and issues list for this draft can be found at
<eref target="https://github.com/httpwg/http-core"/>.
</t>
<t>
The changes in this draft are summarized in <xref target="changes.since.19"/>.
</t>
</note>
</front>
<middle>
<section title="Introduction" anchor="introduction">
<section title="Purpose" anchor="purpose">
<t>
The Hypertext Transfer Protocol (HTTP) is a family of stateless,
application-level, request/response protocols that share a generic interface,
extensible semantics, and self-descriptive messages to enable flexible
interaction with network-based hypertext information systems.
</t>
<t>
HTTP hides the details of how a service is implemented by presenting a
uniform interface to clients that is independent of the types of resources
provided. Likewise, servers do not need to be aware of each client's
purpose: a request can be considered in isolation rather than being
associated with a specific type of client or a predetermined sequence of
application steps. This allows general-purpose implementations to be used
effectively in many different contexts, reduces interaction complexity, and
enables independent evolution over time.
</t>
<t>
HTTP is also designed for use as an intermediation protocol, wherein
proxies and gateways can translate non-HTTP information systems into a
more generic interface.
</t>
<t>
One consequence of this flexibility is that the protocol cannot be
defined in terms of what occurs behind the interface. Instead, we
are limited to defining the syntax of communication, the intent
of received communication, and the expected behavior of recipients.
If the communication is considered in isolation, then successful
actions ought to be reflected in corresponding changes to the
observable interface provided by servers. However, since multiple
clients might act in parallel and perhaps at cross-purposes, we
cannot require that such changes be observable beyond the scope
of a single response.
</t>
</section>
<section title="History and Evolution" anchor="history.and.evolution">
<t>
HTTP has been the primary information transfer protocol for the World Wide
Web since its introduction in 1990. It began as a trivial mechanism for
low-latency requests, with a single method (GET) to request transfer of a
presumed hypertext document identified by a given pathname.
As the Web grew, HTTP was extended to enclose requests and responses within
messages, transfer arbitrary data formats using MIME-like media types, and
route requests through intermediaries. These protocols were eventually
defined as HTTP/0.9 and HTTP/1.0 (see <xref target="HTTP10"/>).
</t>
<t>
HTTP/1.1 was designed to refine the protocol's features while retaining
compatibility with the existing text-based messaging syntax, improving
its interoperability, scalability, and robustness across the Internet.
This included length-based data delimiters for both fixed and dynamic
(chunked) content, a consistent framework for content negotiation,
opaque validators for conditional requests, cache controls for better
cache consistency, range requests for partial updates, and default
persistent connections. HTTP/1.1 was introduced in 1995 and published on
the Standards Track in 1997 <xref target="RFC2068"/>, revised in
1999 <xref target="RFC2616"/>, and revised again in 2014
(<xref target="RFC7230"/> through <xref target="RFC7235"/>).
</t>
<t>
HTTP/2 (<xref target="HTTP2"/>) introduced a multiplexed session layer
on top of the existing TLS and TCP protocols for exchanging concurrent
HTTP messages with efficient field compression and server push.
HTTP/3 (<xref target="HTTP3"/>) provides greater independence for concurrent
messages by using QUIC as a secure multiplexed transport over UDP instead of
TCP.
</t>
<t>
All three major versions of HTTP rely on the semantics defined by
this document. They have not obsoleted each other because each one has
specific benefits and limitations depending on the context of use.
Implementations are expected to choose the most appropriate transport and
messaging syntax for their particular context.
</t>
<t>
This revision of HTTP separates the definition of semantics (this document)
and caching (<xref target="CACHING"/>) from the current HTTP/1.1 messaging
syntax (<xref target="HTTP11"/>) to allow each major protocol version
to progress independently while referring to the same core semantics.
</t>
</section>
<section title="Core Semantics" anchor="core.semantics">
<t>
HTTP provides a uniform interface for interacting with a resource
(<xref target="resources"/>) — regardless of its type, nature, or
implementation — by sending messages that manipulate or transfer
representations (<xref target="representations"/>).
</t>
<t>
Each message is either a request or a response. A client constructs request
messages that communicate its intentions and routes those messages toward
an identified origin server. A server listens for requests, parses each
message received, interprets the message semantics in relation to the
identified target resource, and responds to that request with one or more
response messages. The client examines received responses to see if its
intentions were carried out, determining what to do next based on the
status codes and content received.
</t>
<t>
HTTP semantics include the intentions defined by each request method
(<xref target="methods"/>), extensions to those semantics that might be
described in request header fields,
status codes that describe the response (<xref target="status.codes"/>), and
other control data and resource metadata that might be given in response
fields.
</t>
<t><iref item="content negotiation"/>
Semantics also include representation metadata that describe how
content is intended to be interpreted by a recipient, request header
fields that might influence content selection, and the various selection
algorithms that are collectively referred to as
<x:dfn>content negotiation</x:dfn> (<xref target="content.negotiation"/>).
</t>
</section>
<section title="Specifications Obsoleted by This Document" anchor="specifications.obsoleted.by.this.document">
<table align="left">
<thead>
<tr>
<th>Title</th>
<th>Reference</th>
<th>See</th>
</tr>
</thead>
<tbody>
<tr>
<td>HTTP Over TLS</td>
<td><xref target="RFC2818"/></td>
<td><xref target="changes.from.rfc.2818" format="counter"/></td>
</tr>
<tr>
<td>HTTP/1.1 Message Syntax and Routing [*]</td>
<td><xref target="RFC7230"/></td>
<td><xref target="changes.from.rfc.7230" format="counter"/></td>
</tr>
<tr>
<td>HTTP/1.1 Semantics and Content</td>
<td><xref target="RFC7231"/></td>
<td><xref target="changes.from.rfc.7231" format="counter"/></td>
</tr>
<tr>
<td>HTTP/1.1 Conditional Requests</td>
<td><xref target="RFC7232"/></td>
<td><xref target="changes.from.rfc.7232" format="counter"/></td>
</tr>
<tr>
<td>HTTP/1.1 Range Requests</td>
<td><xref target="RFC7233"/></td>
<td><xref target="changes.from.rfc.7233" format="counter"/></td>
</tr>
<tr>
<td>HTTP/1.1 Authentication</td>
<td><xref target="RFC7235"/></td>
<td><xref target="changes.from.rfc.7235" format="counter"/></td>
</tr>
<tr>
<td>HTTP Status Code 308 (Permanent Redirect)</td>
<td><xref target="RFC7538"/></td>
<td><xref target="changes.from.rfc.7538" format="counter"/></td>
</tr>
<tr>
<td>HTTP Authentication-Info and Proxy-Authentication-Info
Response Header Fields</td>
<td><xref target="RFC7615"/></td>
<td><xref target="changes.from.rfc.7615" format="counter"/></td>
</tr>
<tr>
<td>HTTP Client-Initiated Content-Encoding</td>
<td><xref target="RFC7694"/></td>
<td><xref target="changes.from.rfc.7694" format="counter"/></td>
</tr>
</tbody>
</table>
<t>
[*] This document only obsoletes the portions of
<xref target="RFC7230" format="none">RFC 7230</xref> that are independent of
the HTTP/1.1 messaging syntax and connection management; the remaining
bits of <xref target="RFC7230" format="none">RFC 7230</xref> are
obsoleted by "HTTP/1.1" <xref target="HTTP11"/>.
</t>
</section>
</section>
<section title="Conformance" anchor="conformance">
<section title="Syntax Notation" anchor="notation">
<iref primary="true" item="Grammar" subitem="ALPHA"/>
<iref primary="true" item="Grammar" subitem="CR"/>
<iref primary="true" item="Grammar" subitem="CRLF"/>
<iref primary="true" item="Grammar" subitem="CTL"/>
<iref primary="true" item="Grammar" subitem="DIGIT"/>
<iref primary="true" item="Grammar" subitem="DQUOTE"/>
<iref primary="true" item="Grammar" subitem="HEXDIG"/>
<iref primary="true" item="Grammar" subitem="HTAB"/>
<iref primary="true" item="Grammar" subitem="LF"/>
<iref primary="true" item="Grammar" subitem="OCTET"/>
<iref primary="true" item="Grammar" subitem="SP"/>
<iref primary="true" item="Grammar" subitem="VCHAR"/>
<t>
This specification uses the Augmented Backus-Naur Form (ABNF) notation of
<xref target="RFC5234"/>, extended with the notation for case-sensitivity
in strings defined in <xref target="RFC7405"/>.
</t>
<t>
It also uses a list extension, defined in <xref target="abnf.extension"/>,
that allows for compact definition of comma-separated lists using a "#"
operator (similar to how the "*" operator indicates repetition). <xref
target="collected.abnf"/> shows the collected grammar with all list
operators expanded to standard ABNF notation.
</t>
<t>
As a convention, ABNF rule names prefixed with "obs-" denote
obsolete grammar rules that appear for historical reasons.
</t>
<t anchor="core.rules">
<x:anchor-alias value="ALPHA"/>
<x:anchor-alias value="CR"/>
<x:anchor-alias value="CRLF"/>
<x:anchor-alias value="CTL"/>
<x:anchor-alias value="DIGIT"/>
<x:anchor-alias value="DQUOTE"/>
<x:anchor-alias value="HEXDIG"/>
<x:anchor-alias value="HTAB"/>
<x:anchor-alias value="LF"/>
<x:anchor-alias value="OCTET"/>
<x:anchor-alias value="SP"/>
<x:anchor-alias value="VCHAR"/>
The following core rules are included by
reference, as defined in <xref target="RFC5234" x:fmt="of" x:sec="B.1"/>:
ALPHA (letters), CR (carriage return), CRLF (CR LF), CTL (controls),
DIGIT (decimal 0-9), DQUOTE (double quote),
HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF (line feed),
OCTET (any 8-bit sequence of data), SP (space), and
VCHAR (any visible US-ASCII character).
</t>
<t>
<xref target="fields.components"/> defines some generic syntactic
components for field values.
</t>
<t>
This specification uses the terms
"character",
"character encoding scheme",
"charset", and
"protocol element"
as they are defined in <xref target="RFC6365"/>.
</t>
</section>
<section title="Requirements Notation" anchor="requirements.notation">
<t>
The key words "&MUST;", "&MUST-NOT;", "&REQUIRED;", "&SHALL;", "&SHALL-NOT;",
"&SHOULD;", "&SHOULD-NOT;", "&RECOMMENDED;", "&NOT-RECOMMENDED;",
"&MAY;", and "&OPTIONAL;" in this document are to be interpreted as
described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they
appear in all capitals, as shown here.
</t>
<t>
This specification targets conformance criteria according to the role of
a participant in HTTP communication. Hence, requirements are placed
on senders, recipients, clients, servers, user agents, intermediaries,
origin servers, proxies, gateways, or caches, depending on what behavior
is being constrained by the requirement. Additional requirements
are placed on implementations, resource owners, and protocol element
registrations when they apply beyond the scope of a single communication.
</t>
<t>
The verb "generate" is used instead of "send" where a requirement applies
only to implementations that create the protocol element, rather than an
implementation that forwards a received element downstream.
</t>
<t>
An implementation is considered conformant if it complies with all of the
requirements associated with the roles it partakes in HTTP.
</t>
<t>
A sender &MUST-NOT; generate protocol elements that do not match the grammar
defined by the corresponding ABNF rules.
Within a given message, a sender &MUST-NOT; generate protocol elements or
syntax alternatives that are only allowed to be generated by participants in
other roles (i.e., a role that the sender does not have for that message).
</t>
<t>
Conformance to HTTP includes both conformance to the particular messaging
syntax of the protocol version in use and conformance to the semantics of
protocol elements sent. For example, a client that claims conformance to
HTTP/1.1 but fails to recognize the features required of HTTP/1.1
recipients will fail to interoperate with servers that adjust their
responses in accordance with those claims.
Features that reflect user choices, such as content negotiation and
user-selected extensions, can impact application behavior beyond the
protocol stream; sending protocol elements that inaccurately reflect a
user's choices will confuse the user and inhibit choice.
</t>
<t>
When an implementation fails semantic conformance, recipients of that
implementation's messages will eventually develop workarounds to adjust
their behavior accordingly. A recipient &MAY; employ such workarounds while
remaining conformant to this protocol if the workarounds are limited to the
implementations at fault. For example, servers often scan portions of the
User-Agent field value, and user agents often scan the Server field value,
to adjust their own behavior with respect to known bugs or poorly chosen
defaults.
</t>
</section>
<section title="Length Requirements" anchor="length.requirements">
<t>
A recipient &SHOULD; parse a received protocol element defensively, with
only marginal expectations that the element will conform to its ABNF
grammar and fit within a reasonable buffer size.
</t>
<t>
HTTP does not have specific length limitations for many of its protocol
elements because the lengths that might be appropriate will vary widely,
depending on the deployment context and purpose of the implementation.
Hence, interoperability between senders and recipients depends on shared
expectations regarding what is a reasonable length for each protocol
element. Furthermore, what is commonly understood to be a reasonable length
for some protocol elements has changed over the course of the past three
decades of HTTP use and is expected to continue changing in the future.
</t>
<t>
At a minimum, a recipient &MUST; be able to parse and process protocol
element lengths that are at least as long as the values that it generates
for those same protocol elements in other messages. For example, an origin
server that publishes very long URI references to its own resources needs
to be able to parse and process those same references when received as a
target URI.
</t>
<t>
Many received protocol elements are only parsed to the extent necessary to
identify and forward that element downstream. For example, an intermediary
might parse a received field into its field name and field value components,
but then forward the field without further parsing inside the field value.
</t>
</section>
<section title="Error Handling" anchor="error.handling">
<t>
A recipient &MUST; interpret a received protocol element according to the
semantics defined for it by this specification, including extensions to
this specification, unless the recipient has determined (through experience
or configuration) that the sender incorrectly implements what is implied by
those semantics.
For example, an origin server might disregard the contents of a received
<x:ref>Accept-Encoding</x:ref> header field if inspection of the
<x:ref>User-Agent</x:ref> header field indicates a specific implementation
version that is known to fail on receipt of certain content codings.
</t>
<t>
Unless noted otherwise, a recipient &MAY; attempt to recover a usable
protocol element from an invalid construct. HTTP does not define
specific error handling mechanisms except when they have a direct impact
on security, since different applications of the protocol require
different error handling strategies. For example, a Web browser might
wish to transparently recover from a response where the
<x:ref>Location</x:ref> header field doesn't parse according to the ABNF,
whereas a systems control client might consider any form of error recovery
to be dangerous.
</t>
<t>
Some requests can be automatically retried by a client in the event of
an underlying connection failure, as described in
<xref target="idempotent.methods"/>.
</t>
</section>
<section title="Protocol Version" anchor="protocol.version">
<t>
HTTP's version number consists of two decimal digits separated by a "."
(period or decimal point). The first digit (major version) indicates the
messaging syntax, whereas the second digit (minor version)
indicates the highest minor version within that major version to which the
sender is conformant (able to understand for future communication).
</t>
<t>
While HTTP's core semantics don't change between protocol versions, their
expression "on the wire" can change, and so the
HTTP version number changes when incompatible changes are made to the wire
format. Additionally, HTTP allows incremental, backwards-compatible
changes to be made to the protocol without changing its version through
the use of defined extension points (<xref target="extending"/>).
</t>
<t>
The protocol version as a whole indicates the sender's conformance with
the set of requirements laid out in that version's corresponding
specification(s).
For example, the version "HTTP/1.1" is defined by the combined
specifications of this document, "HTTP Caching" <xref target="CACHING"/>,
and "HTTP/1.1" <xref target="HTTP11"/>.
</t>
<t>
HTTP's major version number is incremented when an incompatible message
syntax is introduced. The minor number is incremented when changes made to
the protocol have the effect of adding to the message semantics or
implying additional capabilities of the sender.
</t>
<t>
The minor version advertises the sender's communication capabilities even
when the sender is only using a backwards-compatible subset of the
protocol, thereby letting the recipient know that more advanced features
can be used in response (by servers) or in future requests (by clients).
</t>
<t>
When a major version of HTTP does not define any minor versions, the minor
version "0" is implied. The "0" is used when referring to that protocol
within elements that require a minor version identifier.
</t>
</section>
</section>
<section title="Terminology and Core Concepts" anchor="terminology">
<t>
HTTP was created for the World Wide Web (WWW) architecture
and has evolved over time to support the scalability needs of a worldwide
hypertext system. Much of that architecture is reflected in the terminology
used to define HTTP.
</t>
<section title="Resources" anchor="resources">
<iref primary="true" item="resource"/>
<x:anchor-alias value="resource"/>
<t>
The target of an HTTP request is called a <x:dfn>resource</x:dfn>.
HTTP does not limit the nature of a resource; it merely
defines an interface that might be used to interact with resources.
Most resources are identified by a Uniform Resource Identifier (URI), as
described in <xref target="uri"/>.
</t>
<t>
One design goal of HTTP is to separate resource identification from
request semantics, which is made possible by vesting the request
semantics in the request method (<xref target="methods"/>) and a few
request-modifying header fields.
A resource cannot treat a request in a manner inconsistent with the
semantics of the method of the request. For example, though the URI of a
resource might imply semantics that are not safe, a client can expect the
resource to avoid actions that are unsafe when processing a request with a
safe method (see <xref target="safe.methods"/>).
</t>
<t>
HTTP relies upon the Uniform Resource Identifier (URI)
standard <xref target="URI"/> to indicate the target resource
(<xref target="target.resource"/>) and relationships between resources.
</t>
</section>
<section title="Representations" anchor="representations">
<iref primary="true" item="representation"/>
<x:anchor-alias value="representation"/>
<t>
A <x:dfn>representation</x:dfn> is information
that is intended to reflect a past, current, or desired state of a given
resource, in a format that can be readily communicated via the protocol.
A representation consists of a set of representation metadata and a
potentially unbounded stream of representation data
(<xref target="representation.data.and.metadata"/>).
</t>
<t>
HTTP allows "information hiding" behind its uniform interface by defining
communication with respect to a transferable representation of the resource
state, rather than transferring the resource itself. This allows the
resource identified by a URI to be anything, including temporal functions
like "the current weather in Laguna Beach", while potentially providing
information that represents that resource at the time a message is
generated <xref target="REST"/>.
</t>
<t>
The uniform interface is similar to a window through which one can observe
and act upon a thing only through the communication of messages to an
independent actor on the other side. A shared abstraction is needed to
represent ("take the place of") the current or desired state of that thing
in our communications. When a representation is hypertext, it can provide
both a representation of the resource state and processing instructions
that help guide the recipient's future interactions.
</t>
<t anchor="selected.representation">
<x:anchor-alias value="selected representation"/>
<iref primary="true" item="selected representation"/>
A <x:ref>target resource</x:ref> might be provided with, or be capable of
generating, multiple representations that are each intended to reflect the
resource's current state. An algorithm, usually based on
<x:ref>content negotiation</x:ref> (<xref target="content.negotiation"/>),
would be used to select one of those representations as being most
applicable to a given request.
This <x:dfn>selected representation</x:dfn> provides the data and metadata
for evaluating conditional requests (<xref target="conditional.requests"/>)
and constructing the content for <x:ref>200 (OK)</x:ref>,
<x:ref>206 (Partial Content)</x:ref>, and
<x:ref>304 (Not Modified)</x:ref> responses to GET (<xref target="GET"/>).
</t>
</section>
<section title="Connections, Clients, and Servers" anchor="connections">
<iref primary="true" item="client"/>
<iref primary="true" item="server"/>
<iref primary="true" item="connection"/>
<x:anchor-alias value="connection"/>
<t>
HTTP is a client/server protocol that operates over a reliable
transport- or session-layer <x:dfn>connection</x:dfn>.
</t>
<t>
An HTTP <x:dfn>client</x:dfn> is a program that establishes a connection
to a server for the purpose of sending one or more HTTP requests.
An HTTP <x:dfn>server</x:dfn> is a program that accepts connections
in order to service HTTP requests by sending HTTP responses.
</t>
<t>
The terms client and server refer only to the roles that
these programs perform for a particular connection. The same program
might act as a client on some connections and a server on others.
</t>
<t>
HTTP is defined as a stateless protocol, meaning that each request message's semantics
can be understood in isolation, and that the relationship between connections
and messages on them has no impact on the interpretation of those messages.
For example, a CONNECT request (<xref target="CONNECT"/>) or a request with
the Upgrade header field (<xref target="field.upgrade"/>) can occur at any time,
not just in the first message on a connection. Many implementations depend on
HTTP's stateless design in order to reuse proxied connections or dynamically
load balance requests across multiple servers.
</t>
<t>
As a result, a server &MUST-NOT;
assume that two requests on the same connection are from the same user
agent unless the connection is secured and specific to that agent.
Some non-standard HTTP extensions (e.g., <xref target="RFC4559"/>) have
been known to violate this requirement, resulting in security and
interoperability problems.
</t>
</section>
<section title="Messages" anchor="messages">
<iref primary="true" item="messages"/>
<iref item="message"/>
<iref primary="true" item="sender"/>
<iref primary="true" item="recipient"/>
<iref primary="true" item="request"/>
<iref primary="true" item="response"/>
<t>
HTTP is a stateless request/response protocol for exchanging
<x:dfn>messages</x:dfn> across a <x:ref>connection</x:ref>.
The terms <x:dfn>sender</x:dfn> and <x:dfn>recipient</x:dfn> refer to
any implementation that sends or receives a given message, respectively.
</t>
<t>
A client sends requests to a server in the form of a <x:dfn>request</x:dfn>
message with a method (<xref target="methods"/>) and request target
(<xref target="target.resource"/>). The request might also contain
header fields (<xref target="header.fields"/>) for request modifiers,
client information, and representation metadata,
content (<xref target="content"/>) intended for processing
in accordance with the method, and
trailer fields (<xref target="trailer.fields"/>) to communicate information
collected while sending the content.
</t>
<t>
A server responds to a client's request by sending one or more
<x:dfn>response</x:dfn> messages, each including a status
code (<xref target="status.codes"/>). The response might also contain
header fields for server information, resource metadata, and representation
metadata, content to be interpreted in accordance with the status
code, and trailer fields to communicate information
collected while sending the content.
</t>
</section>
<section title="User Agents" anchor="user.agent">
<iref primary="true" item="user agent"/>
<iref primary="true" item="browser"/>
<iref primary="true" item="spider"/>
<t>
The term <x:dfn>user agent</x:dfn> refers to any of the various
client programs that initiate a request.
</t>
<t>
The most familiar form of user agent is the general-purpose Web browser, but
that's only a small percentage of implementations. Other common user agents
include spiders (web-traversing robots), command-line tools, billboard
screens, household appliances, scales, light bulbs, firmware update scripts,
mobile apps, and communication devices in a multitude of shapes and sizes.
</t>
<t>
Being a user agent does not imply that there is a human user directly
interacting with the software agent at the time of a request. In many
cases, a user agent is installed or configured to run in the background
and save its results for later inspection (or save only a subset of those
results that might be interesting or erroneous). Spiders, for example, are
typically given a start URI and configured to follow certain behavior while
crawling the Web as a hypertext graph.
</t>
<t>
Many user agents cannot, or choose not to,
make interactive suggestions to their user or provide adequate warning for
security or privacy concerns. In the few cases where this
specification requires reporting of errors to the user, it is acceptable
for such reporting to only be observable in an error console or log file.
Likewise, requirements that an automated action be confirmed by the user
before proceeding might be met via advance configuration choices,
run-time options, or simple avoidance of the unsafe action; confirmation
does not imply any specific user interface or interruption of normal
processing if the user has already made that choice.
</t>
</section>
<section title="Origin Server" anchor="origin.server">
<iref primary="true" item="origin server"/>
<t>
The term <x:dfn>origin server</x:dfn> refers to a program that can
originate authoritative responses for a given target resource.
</t>
<t>
The most familiar form of origin server are large public websites.
However, like user agents being equated with browsers, it is easy to be
misled into thinking that all origin servers are alike.
Common origin servers also include home automation units, configurable
networking components, office machines, autonomous robots, news feeds,
traffic cameras, real-time ad selectors, and video-on-demand platforms.
</t>
<t>
Most HTTP communication consists of a retrieval request (GET) for
a representation of some resource identified by a URI. In the
simplest case, this might be accomplished via a single bidirectional
connection (===) between the user agent (UA) and the origin server (O).
</t>
<figure><artwork type="drawing">
request >
<x:highlight>UA</x:highlight> ======================================= <x:highlight>O</x:highlight>
< response
</artwork></figure>
</section>
<section title="Intermediaries" anchor="intermediaries">
<iref primary="true" item="intermediary"/>
<t>
HTTP enables the use of intermediaries to satisfy requests through
a chain of connections. There are three common forms of HTTP
<x:dfn>intermediary</x:dfn>: proxy, gateway, and tunnel. In some cases,
a single intermediary might act as an origin server, proxy, gateway,
or tunnel, switching behavior based on the nature of each request.
</t>
<figure><artwork type="drawing">
> > > >
<x:highlight>UA</x:highlight> =========== <x:highlight>A</x:highlight> =========== <x:highlight>B</x:highlight> =========== <x:highlight>C</x:highlight> =========== <x:highlight>O</x:highlight>
< < < <
</artwork></figure>
<t>
The figure above shows three intermediaries (A, B, and C) between the
user agent and origin server. A request or response message that
travels the whole chain will pass through four separate connections.
Some HTTP communication options
might apply only to the connection with the nearest, non-tunnel
neighbor, only to the endpoints of the chain, or to all connections
along the chain. Although the diagram is linear, each participant might
be engaged in multiple, simultaneous communications. For example, B
might be receiving requests from many clients other than A, and/or
forwarding requests to servers other than C, at the same time that it
is handling A's request. Likewise, later requests might be sent through a
different path of connections, often based on dynamic configuration for
load balancing.
</t>
<t>
<iref primary="true" item="upstream"/><iref primary="true" item="downstream"/>
<iref primary="true" item="inbound"/><iref primary="true" item="outbound"/>
The terms <x:dfn>upstream</x:dfn> and <x:dfn>downstream</x:dfn> are
used to describe directional requirements in relation to the message flow:
all messages flow from upstream to downstream.
The terms <x:dfn>inbound</x:dfn> and <x:dfn>outbound</x:dfn> are used to
describe directional requirements in relation to the request route:
inbound means "toward the origin server", whereas
outbound means "toward the user agent".
</t>
<t><iref primary="true" item="proxy"/>
A <x:dfn>proxy</x:dfn> is a message-forwarding agent that is chosen by the
client, usually via local configuration rules, to receive requests
for some type(s) of absolute URI and attempt to satisfy those
requests via translation through the HTTP interface. Some translations
are minimal, such as for proxy requests for "http" URIs, whereas
other requests might require translation to and from entirely different
application-level protocols. Proxies are often used to group an
organization's HTTP requests through a common intermediary for the
sake of security services, annotation services, or shared caching. Some
proxies are designed to apply transformations to selected messages or
content while they are being forwarded, as described in
<xref target="message.transformations"/>.
</t>
<t><iref primary="true" item="gateway"/><iref primary="true" item="reverse proxy"/>
<iref primary="true" item="accelerator"/>
A <x:dfn>gateway</x:dfn> (a.k.a. <x:dfn>reverse proxy</x:dfn>) is an
intermediary that acts as an origin server for the outbound connection but
translates received requests and forwards them inbound to another server or
servers. Gateways are often used to encapsulate legacy or untrusted
information services, to improve server performance through
<x:dfn>accelerator</x:dfn> caching, and to enable partitioning or load
balancing of HTTP services across multiple machines.
</t>
<t>
All HTTP requirements applicable to an origin server
also apply to the outbound communication of a gateway.
A gateway communicates with inbound servers using any protocol that
it desires, including private extensions to HTTP that are outside
the scope of this specification. However, an HTTP-to-HTTP gateway
that wishes to interoperate with third-party HTTP servers needs to conform
to user agent requirements on the gateway's inbound connection.
</t>
<t><iref primary="true" item="tunnel"/>
A <x:dfn>tunnel</x:dfn> acts as a blind relay between two connections
without changing the messages. Once active, a tunnel is not
considered a party to the HTTP communication, though the tunnel might
have been initiated by an HTTP request. A tunnel ceases to exist when
both ends of the relayed connection are closed. Tunnels are used to
extend a virtual connection through an intermediary, such as when
Transport Layer Security (TLS, <xref target="TLS13"/>) is used to
establish confidential communication through a shared firewall proxy.
</t>
<t>
The above categories for intermediary only consider those acting as
participants in the HTTP communication. There are also intermediaries
that can act on lower layers of the network protocol stack, filtering or
redirecting HTTP traffic without the knowledge or permission of message
senders. Network intermediaries are indistinguishable (at a protocol level)
from an on-path attacker, often introducing security flaws or
interoperability problems due to mistakenly violating HTTP semantics.
</t>
<t><iref primary="true" item="interception proxy"/>
<iref primary="true" item="transparent proxy"/>
For example, an
<x:dfn>interception proxy</x:dfn> <xref target="RFC3040"/> (also commonly
known as a <x:dfn>transparent proxy</x:dfn> <xref target="RFC1919"/>)
differs from an HTTP proxy because it is not chosen by the client.
Instead, an interception proxy filters or redirects outgoing TCP port 80
packets (and occasionally other common port traffic).
Interception proxies are commonly found on public network access points,
as a means of enforcing account subscription prior to allowing use of
non-local Internet services, and within corporate firewalls to enforce
network usage policies.
</t>
</section>
<section title="Caches" anchor="caches">
<iref primary="true" item="cache"/>
<t>
A <x:dfn>cache</x:dfn> is a local store of previous response messages and the
subsystem that controls its message storage, retrieval, and deletion.
A cache stores cacheable responses in order to reduce the response
time and network bandwidth consumption on future, equivalent
requests. Any client or server &MAY; employ a cache, though a cache
cannot be used while acting as a tunnel.
</t>
<t>
The effect of a cache is that the request/response chain is shortened
if one of the participants along the chain has a cached response
applicable to that request. The following illustrates the resulting
chain if B has a cached copy of an earlier response from O (via C)
for a request that has not been cached by UA or A.
</t>
<figure><artwork type="drawing">
> >
<x:highlight>UA</x:highlight> =========== <x:highlight>A</x:highlight> =========== <x:highlight>B</x:highlight> - - - - - - <x:highlight>C</x:highlight> - - - - - - <x:highlight>O</x:highlight>
< <
</artwork></figure>
<t><iref primary="true" item="cacheable"/>
A response is <x:dfn>cacheable</x:dfn> if a cache is allowed to store a copy of
the response message for use in answering subsequent requests.
Even when a response is cacheable, there might be additional
constraints placed by the client or by the origin server on when
that cached response can be used for a particular request. HTTP
requirements for cache behavior and cacheable responses are
defined in <xref target="CACHING"/>.
</t>
<t>
There is a wide variety of architectures and configurations
of caches deployed across the World Wide Web and
inside large organizations. These include national hierarchies
of proxy caches to save bandwidth and reduce latency, content delivery
networks that use gateway caching to optimize regional and global distribution of popular sites,
collaborative systems that
broadcast or multicast cache entries, archives of pre-fetched cache
entries for use in off-line or high-latency environments, and so on.
</t>
</section>
<section title="Example Message Exchange" anchor="example">
<t>
The following example illustrates a typical HTTP/1.1 message exchange for a
GET request (<xref target="GET"/>) on the URI "http://www.example.com/hello.txt":
</t>
<t>
Client request:
</t>
<sourcecode type="http-message">
GET /hello.txt HTTP/1.1
User-Agent: curl/7.64.1
Host: www.example.com
Accept-Language: en, mi
</sourcecode>
<t>
Server response:
</t>
<sourcecode type="http-message">
HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Accept-Ranges: bytes
Content-Length: <x:length-of target="exbody"/>
Vary: Accept-Encoding
Content-Type: text/plain
<x:span anchor="exbody">Hello World! My content includes a trailing CRLF.
</x:span></sourcecode>
</section>
</section>
<section title="Identifiers in HTTP" anchor="uri">
<iref primary="true" item="URI"/>
<iref primary="false" item="resource"/>
<t>
Uniform Resource Identifiers (URIs) <xref target="URI"/> are used
throughout HTTP as the means for identifying resources (<xref target="resources"/>).
</t>
<section title="URI References" anchor="uri.references">
<iref primary="true" item="URI reference"/>
<x:anchor-alias value="URI-reference"/>
<x:anchor-alias value="absolute-URI"/>
<x:anchor-alias value="relative-part"/>
<x:anchor-alias value="authority"/>
<x:anchor-alias value="uri-host"/>
<x:anchor-alias value="port"/>
<x:anchor-alias value="path"/>
<x:anchor-alias value="path-abempty"/>
<x:anchor-alias value="segment"/>
<x:anchor-alias value="query"/>
<x:anchor-alias value="absolute-path"/>
<x:anchor-alias value="partial-URI"/>
<t>
URI references are used to target requests, indicate redirects, and define
relationships.
</t>
<t>
The definitions of "URI-reference",
"absolute-URI", "relative-part", "authority", "port", "host",
"path-abempty", "segment", and "query" are adopted from the
URI generic syntax.
An "absolute-path" rule is defined for protocol elements that can contain a
non-empty path component. (This rule differs slightly from the path-abempty
rule of RFC 3986, which allows for an empty path,
and path-absolute rule, which does not allow paths that begin with "//".)
A "partial-URI" rule is defined for protocol elements
that can contain a relative URI but not a fragment component.
</t>
<sourcecode type="abnf7230"><iref primary="true" item="Grammar" subitem="URI-reference"><!--exported production--></iref><iref primary="true" item="Grammar" subitem="absolute-URI"/><iref primary="true" item="Grammar" subitem="authority"/><iref primary="true" item="Grammar" subitem="absolute-path"/><iref primary="true" item="Grammar" subitem="port"/><iref primary="true" item="Grammar" subitem="query"/><iref primary="true" item="Grammar" subitem="segment"/><iref primary="true" item="Grammar" subitem="uri-host"/><iref primary="true" item="Grammar" subitem="partial-URI"><!--exported production--></iref>
<x:ref>URI-reference</x:ref> = <URI-reference, see <xref target="URI" x:fmt="," x:sec="4.1"/>>
<x:ref>absolute-URI</x:ref> = <absolute-URI, see <xref target="URI" x:fmt="," x:sec="4.3"/>>
<x:ref>relative-part</x:ref> = <relative-part, see <xref target="URI" x:fmt="," x:sec="4.2"/>>
<x:ref>authority</x:ref> = <authority, see <xref target="URI" x:fmt="," x:sec="3.2"/>>
<x:ref>uri-host</x:ref> = <host, see <xref target="URI" x:fmt="," x:sec="3.2.2"/>>
<x:ref>port</x:ref> = <port, see <xref target="URI" x:fmt="," x:sec="3.2.3"/>>
<x:ref>path-abempty</x:ref> = <path-abempty, see <xref target="URI" x:fmt="," x:sec="3.3"/>>
<x:ref>segment</x:ref> = <segment, see <xref target="URI" x:fmt="," x:sec="3.3"/>>
<x:ref>query</x:ref> = <query, see <xref target="URI" x:fmt="," x:sec="3.4"/>>