/
draft-ietf-httpbis-semantics-latest.xml
10730 lines (10312 loc) · 472 KB
/
draft-ietf-httpbis-semantics-latest.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type='text/xsl' href='lib/myxml2rfc.xslt'?>
<!DOCTYPE rfc [
<!ENTITY MAY "<bcp14>MAY</bcp14>">
<!ENTITY MUST "<bcp14>MUST</bcp14>">
<!ENTITY MUST-NOT "<bcp14>MUST NOT</bcp14>">
<!ENTITY OPTIONAL "<bcp14>OPTIONAL</bcp14>">
<!ENTITY RECOMMENDED "<bcp14>RECOMMENDED</bcp14>">
<!ENTITY REQUIRED "<bcp14>REQUIRED</bcp14>">
<!ENTITY SHALL "<bcp14>SHALL</bcp14>">
<!ENTITY SHALL-NOT "<bcp14>SHALL NOT</bcp14>">
<!ENTITY SHOULD "<bcp14>SHOULD</bcp14>">
<!ENTITY SHOULD-NOT "<bcp14>SHOULD NOT</bcp14>">
<!ENTITY ID-VERSION "latest">
<!ENTITY ID-MONTH "May">
<!ENTITY ID-YEAR "2018">
<!ENTITY mdash "—">
<!ENTITY nbhy "‑">
<!ENTITY nbsp " ">
<!ENTITY Note "<x:h xmlns:x='http://purl.org/net/xml2rfc/ext'>Note:</x:h>">
]>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes" ?>
<?rfc compact="yes"?>
<?rfc subcompact="no" ?>
<?rfc linkmailto="no" ?>
<?rfc editing="no" ?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc rfcedstyle="yes"?>
<?rfc-ext allow-markup-in-artwork="yes" ?>
<?rfc-ext html-pretty-print="prettyprint https://cdn.rawgit.com/google/code-prettify/master/loader/run_prettify.js"?>
<?rfc-ext include-references-in-index="yes" ?>
<rfc obsoletes="7230,7231,7232,7233,7235"
category="std" x:maturity-level="proposed"
ipr="pre5378Trust200902" docName="draft-ietf-httpbis-semantics-&ID-VERSION;"
xmlns:x='http://purl.org/net/xml2rfc/ext'
xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>
<x:feedback template="mailto:ietf-http-wg@w3.org?subject={docname},%20%22{section}%22&body=<{ref}>:"/>
<front>
<title>HTTP Semantics</title>
<author fullname="Roy T. Fielding" initials="R." surname="Fielding" role="editor">
<organization>Adobe</organization>
<address>
<postal>
<street>345 Park Ave</street>
<city>San Jose</city>
<region>CA</region>
<code>95110</code>
<country>USA</country>
</postal>
<email>fielding@gbiv.com</email>
<uri>https://roy.gbiv.com/</uri>
</address>
</author>
<author fullname="Mark Nottingham" initials="M." surname="Nottingham" role="editor">
<organization>Fastly</organization>
<address>
<email>mnot@mnot.net</email>
<uri>https://www.mnot.net/</uri>
</address>
</author>
<author fullname="Julian F. Reschke" initials="J. F." surname="Reschke" role="editor">
<organization abbrev="greenbytes">greenbytes GmbH</organization>
<address>
<postal>
<street>Hafenweg 16</street>
<city>Muenster</city><region>NW</region><code>48155</code>
<country>Germany</country>
</postal>
<email>julian.reschke@greenbytes.de</email>
<uri>https://greenbytes.de/tech/webdav/</uri>
</address>
</author>
<date month="&ID-MONTH;" year="&ID-YEAR;"/>
<area>Applications and Real-Time</area>
<workgroup>HTTP</workgroup>
<keyword>Hypertext Transfer Protocol</keyword>
<keyword>HTTP</keyword>
<keyword>HTTP semantics</keyword>
<keyword>HTTP payload</keyword>
<keyword>HTTP content</keyword>
<keyword>HTTP method</keyword>
<keyword>HTTP status code</keyword>
<abstract>
<t>
The Hypertext Transfer Protocol (HTTP) is a stateless application-level
protocol for distributed, collaborative, hypertext information systems.
This document defines the semantics of HTTP: its architecture,
terminology, the "http" and "https" Uniform Resource Identifier (URI)
schemes, core request methods, request header fields, response status
codes, response header fields, and content negotiation.
</t>
<t>
This document obsoletes RFC 7231, RFC 7232, RFC 7233,
RFC 7235, and portions of RFC 7230.
</t>
</abstract>
<note title="Editorial Note" removeInRFC="true">
<t>
Discussion of this draft takes place on the HTTP working group
mailing list (ietf-http-wg@w3.org), which is archived at
<eref target="https://lists.w3.org/Archives/Public/ietf-http-wg/"/>.
</t>
<t>
Working Group information can be found at <eref target="https://httpwg.org/"/>;
source code and issues list for this draft can be found at
<eref target="https://github.com/httpwg/http-core"/>.
</t>
<t>
The changes in this draft are summarized in <xref target="changes.since.01"/>.
</t>
</note>
</front>
<middle>
<section title="Introduction" anchor="introduction">
<t>
The Hypertext Transfer Protocol (HTTP) is a stateless application-level
request/response protocol that uses extensible semantics and
self-descriptive messages for flexible interaction with network-based
hypertext information systems. HTTP is defined by a series of documents
that collectively form the HTTP/1.1 specification:
</t>
<ul>
<li>"HTTP Semantics" (this document)</li>
<li>"HTTP Caching" <xref target="Caching"/></li>
<li>"HTTP/1.1 Messaging" <xref target="Messaging"/></li>
</ul>
<t>
HTTP is a generic interface protocol for information systems. It is
designed to hide the details of how a service is implemented by presenting
a uniform interface to clients that is independent of the types of
resources provided. Likewise, servers do not need to be aware of each
client's purpose: an HTTP request can be considered in isolation rather
than being associated with a specific type of client or a predetermined
sequence of application steps. The result is a protocol that can be used
effectively in many different contexts and for which implementations can
evolve independently over time.
</t>
<t>
HTTP is also designed for use as an intermediation protocol for translating
communication to and from non-HTTP information systems.
HTTP proxies and gateways can provide access to alternative information
services by translating their diverse protocols into a hypertext
format that can be viewed and manipulated by clients in the same way
as HTTP services.
</t>
<t>
One consequence of this flexibility is that the protocol cannot be
defined in terms of what occurs behind the interface. Instead, we
are limited to defining the syntax of communication, the intent
of received communication, and the expected behavior of recipients.
If the communication is considered in isolation, then successful
actions ought to be reflected in corresponding changes to the
observable interface provided by servers. However, since multiple
clients might act in parallel and perhaps at cross-purposes, we
cannot require that such changes be observable beyond the scope
of a single response.
</t>
<t>
Each HTTP message is either a request or a
response. A server listens on a connection for a request, parses each
message received, interprets the message semantics in relation to the
identified request target, and responds to that request with one or more
response messages. A client constructs request messages to communicate
specific intentions, examines received responses to see if the
intentions were carried out, and determines how to interpret the results.
</t>
<t>
HTTP provides a uniform interface for interacting with a resource
(<xref target="resources"/>), regardless of its type, nature, or
implementation, via the manipulation and transfer of representations
(<xref target="representations"/>).
</t>
<t>
This document defines semantics that are common to all versions of HTTP.
HTTP semantics include the intentions defined by each request method
(<xref target="methods"/>), extensions to those semantics that might be
described in request header fields (<xref target="request.header.fields"/>),
the meaning of status codes to indicate a machine-readable response
(<xref target="status.codes"/>), and the meaning of other control data
and resource metadata that might be given in response header fields
(<xref target="response.header.fields"/>).
</t>
<t><iref item="content negotiation"/>
This document also defines representation metadata that describe how a
payload is intended to be interpreted by a recipient, the request header
fields that might influence content selection, and the various selection
algorithms that are collectively referred to as
"<x:dfn>content negotiation</x:dfn>" (<xref target="content.negotiation"/>).
</t>
<t>
This document defines HTTP/1.1 range requests, partial responses, and the
multipart/byteranges media type.
</t>
<t>
This document obsoletes the portions of
<xref target="RFC7230" x:fmt="none">RFC 7230</xref> that are independent of
the HTTP/1.1 messaging syntax and connection management, with the changes
being summarized in <xref target="changes.from.rfc.7230"/>.
The other parts of <xref target="RFC7230" x:fmt="none">RFC 7230</xref> are
obsoleted by "HTTP/1.1 Messaging" <xref target="Messaging"/>.
This document also obsoletes
<xref target="RFC7231" x:fmt="none">RFC 7231</xref>
(see <xref target="changes.from.rfc.7231"/>),
<xref target="RFC7232" x:fmt="none">RFC 7232</xref>
(see <xref target="changes.from.rfc.7232"/>),
<xref target="RFC7233" x:fmt="none">RFC 7233</xref>
(see <xref target="changes.from.rfc.7233"/>), and
<xref target="RFC7235" x:fmt="none">RFC 7235</xref>
(see <xref target="changes.from.rfc.7235"/>).
</t>
<section title="Requirements Notation" anchor="intro.requirements">
<t>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119"/>.
</t>
<t>
Conformance criteria and considerations regarding error handling
are defined in <xref target="conformance"/>.
</t>
</section>
<section title="Syntax Notation" anchor="notation">
<iref primary="true" item="Grammar" subitem="ALPHA"/>
<iref primary="true" item="Grammar" subitem="CR"/>
<iref primary="true" item="Grammar" subitem="CRLF"/>
<iref primary="true" item="Grammar" subitem="CTL"/>
<iref primary="true" item="Grammar" subitem="DIGIT"/>
<iref primary="true" item="Grammar" subitem="DQUOTE"/>
<iref primary="true" item="Grammar" subitem="HEXDIG"/>
<iref primary="true" item="Grammar" subitem="HTAB"/>
<iref primary="true" item="Grammar" subitem="LF"/>
<iref primary="true" item="Grammar" subitem="OCTET"/>
<iref primary="true" item="Grammar" subitem="SP"/>
<iref primary="true" item="Grammar" subitem="VCHAR"/>
<t>
This specification uses the Augmented Backus-Naur Form (ABNF) notation of
<xref target="RFC5234"/> with a list extension, defined in
<xref target="abnf.extension"/>, that allows for compact definition of
comma-separated lists using a '#' operator (similar to how the '*' operator
indicates repetition).
<xref target="collected.abnf"/> shows the collected grammar with all list
operators expanded to standard ABNF notation.
</t>
<t>
As a convention, ABNF rule names prefixed with "obs-" denote
"obsolete" grammar rules that appear for historical reasons.
</t>
<t anchor="core.rules">
<x:anchor-alias value="ALPHA"/>
<x:anchor-alias value="CR"/>
<x:anchor-alias value="CRLF"/>
<x:anchor-alias value="CTL"/>
<x:anchor-alias value="DIGIT"/>
<x:anchor-alias value="DQUOTE"/>
<x:anchor-alias value="HEXDIG"/>
<x:anchor-alias value="HTAB"/>
<x:anchor-alias value="LF"/>
<x:anchor-alias value="OCTET"/>
<x:anchor-alias value="SP"/>
<x:anchor-alias value="CHAR"/>
<x:anchor-alias value="VCHAR"/>
The following core rules are included by
reference, as defined in <xref target="RFC5234" x:fmt="of" x:sec="B.1"/>:
ALPHA (letters), CR (carriage return), CRLF (CR LF), CTL (controls),
DIGIT (decimal 0-9), DQUOTE (double quote),
HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF (line feed),
OCTET (any 8-bit sequence of data), SP (space), and
VCHAR (any visible US-ASCII character).
<cref>Range also uses CHAR, which is probably a bug.</cref>
</t>
<t anchor="imported.rules">
<x:anchor-alias value="obs-fold"/>
<x:anchor-alias value="protocol-name"/>
<x:anchor-alias value="protocol-version"/>
<x:anchor-alias value="request-target"/>
The rules below are defined in <xref target="Messaging"/>:
</t>
<figure><artwork type="abnf2616">
<x:ref>obs-fold</x:ref> = <obs-fold, see <xref target="line.folding"/>>
<x:ref>protocol-name</x:ref> = <protocol-name, see <xref target="header.upgrade"/>>
<x:ref>protocol-version</x:ref> = <protocol-version, see <xref target="header.upgrade"/>>
<x:ref>request-target</x:ref> = <request-target, see <xref target="request.target"/>>
</artwork></figure>
<t>
This specification uses the terms
"character",
"character encoding scheme",
"charset", and
"protocol element"
as they are defined in <xref target="RFC6365"/>.
</t>
</section>
</section>
<section title="Architecture" anchor="architecture">
<t>
HTTP was created for the World Wide Web (WWW) architecture
and has evolved over time to support the scalability needs of a worldwide
hypertext system. Much of that architecture is reflected in the terminology
and syntax productions used to define HTTP.
</t>
<section title="Client/Server Messaging" anchor="operation">
<iref primary="true" item="client"/>
<iref primary="true" item="server"/>
<iref primary="true" item="connection"/>
<t>
HTTP is a stateless request/response protocol that operates by exchanging
<x:dfn>messages</x:dfn> (<xref target="http.message"/>) across a reliable
transport- or session-layer
"<x:dfn>connection</x:dfn>" (<xref target="connection.management"/>).
An HTTP "<x:dfn>client</x:dfn>" is a program that establishes a connection
to a server for the purpose of sending one or more HTTP requests.
An HTTP "<x:dfn>server</x:dfn>" is a program that accepts connections
in order to service HTTP requests by sending HTTP responses.
</t>
<iref primary="true" item="user agent"/>
<iref primary="true" item="origin server"/>
<iref primary="true" item="browser"/>
<iref primary="true" item="spider"/>
<iref primary="true" item="sender"/>
<iref primary="true" item="recipient"/>
<t>
The terms "client" and "server" refer only to the roles that
these programs perform for a particular connection. The same program
might act as a client on some connections and a server on others.
The term "<x:dfn>user agent</x:dfn>" refers to any of the various
client programs that initiate a request, including (but not limited to)
browsers, spiders (web-based robots), command-line tools, custom
applications, and mobile apps.
The term "<x:dfn>origin server</x:dfn>" refers to the program that can
originate authoritative responses for a given target resource.
The terms "<x:dfn>sender</x:dfn>" and "<x:dfn>recipient</x:dfn>" refer to
any implementation that sends or receives a given message, respectively.
</t>
<t>
HTTP relies upon the Uniform Resource Identifier (URI)
standard <xref target="RFC3986"/> to indicate the target resource
(<xref target="target.resource"/>) and relationships between resources.
</t>
<t>
Most HTTP communication consists of a retrieval request (GET) for
a representation of some resource identified by a URI. In the
simplest case, this might be accomplished via a single bidirectional
connection (===) between the user agent (UA) and the origin server (O).
</t>
<figure><artwork type="drawing">
request >
<x:highlight>UA</x:highlight> ======================================= <x:highlight>O</x:highlight>
< response
</artwork></figure>
<iref primary="true" item="message"/>
<iref primary="true" item="request"/>
<iref primary="true" item="response"/>
<t>
A client sends an HTTP request to a server in the form of a <x:dfn>request</x:dfn>
message, beginning with a request-line that includes a method, URI, and
protocol version (<xref target="request.line"/>),
followed by header fields containing
request modifiers, client information, and representation metadata
(<xref target="header.fields"/>),
an empty line to indicate the end of the header section, and finally
a message body containing the payload body (if any,
<xref target="message.body"/>).
</t>
<t>
A server responds to a client's request by sending one or more HTTP
<x:dfn>response</x:dfn>
messages, each beginning with a status line that
includes the protocol version, a success or error code, and textual
reason phrase (<xref target="status.line"/>),
possibly followed by header fields containing server
information, resource metadata, and representation metadata
(<xref target="header.fields"/>),
an empty line to indicate the end of the header section, and finally
a message body containing the payload body (if any,
<xref target="message.body"/>).
</t>
<t>
A connection might be used for multiple request/response exchanges,
as defined in <xref target="persistent.connections"/>.
</t>
<t>
The following example illustrates a typical message exchange for a
GET request (<xref target="GET"/>) on the URI "http://www.example.com/hello.txt":
</t>
<figure><preamble>
Client request:
</preamble><artwork type="message/http; msgtype="request"" x:indent-with=" ">
GET /hello.txt HTTP/1.1
User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3
Host: www.example.com
Accept-Language: en, mi
</artwork></figure>
<figure><preamble>
Server response:
</preamble><artwork type="message/http; msgtype="response"" x:indent-with=" ">
HTTP/1.1 200 OK
Date: Mon, 27 Jul 2009 12:28:53 GMT
Server: Apache
Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT
ETag: "34aa387-d-1568eb00"
Accept-Ranges: bytes
Content-Length: <x:length-of target="exbody"/>
Vary: Accept-Encoding
Content-Type: text/plain
<x:span anchor="exbody">Hello World! My payload includes a trailing CRLF.
</x:span></artwork>
</figure>
</section>
<section title="Intermediaries" anchor="intermediaries">
<iref primary="true" item="intermediary"/>
<t>
HTTP enables the use of intermediaries to satisfy requests through
a chain of connections. There are three common forms of HTTP
<x:dfn>intermediary</x:dfn>: proxy, gateway, and tunnel. In some cases,
a single intermediary might act as an origin server, proxy, gateway,
or tunnel, switching behavior based on the nature of each request.
</t>
<figure><artwork type="drawing">
> > > >
<x:highlight>UA</x:highlight> =========== <x:highlight>A</x:highlight> =========== <x:highlight>B</x:highlight> =========== <x:highlight>C</x:highlight> =========== <x:highlight>O</x:highlight>
< < < <
</artwork></figure>
<t>
The figure above shows three intermediaries (A, B, and C) between the
user agent and origin server. A request or response message that
travels the whole chain will pass through four separate connections.
Some HTTP communication options
might apply only to the connection with the nearest, non-tunnel
neighbor, only to the endpoints of the chain, or to all connections
along the chain. Although the diagram is linear, each participant might
be engaged in multiple, simultaneous communications. For example, B
might be receiving requests from many clients other than A, and/or
forwarding requests to servers other than C, at the same time that it
is handling A's request. Likewise, later requests might be sent through a
different path of connections, often based on dynamic configuration for
load balancing.
</t>
<t>
<iref primary="true" item="upstream"/><iref primary="true" item="downstream"/>
<iref primary="true" item="inbound"/><iref primary="true" item="outbound"/>
The terms "<x:dfn>upstream</x:dfn>" and "<x:dfn>downstream</x:dfn>" are
used to describe directional requirements in relation to the message flow:
all messages flow from upstream to downstream.
The terms "inbound" and "outbound" are used to describe directional
requirements in relation to the request route:
"<x:dfn>inbound</x:dfn>" means toward the origin server and
"<x:dfn>outbound</x:dfn>" means toward the user agent.
</t>
<t><iref primary="true" item="proxy"/>
A "<x:dfn>proxy</x:dfn>" is a message-forwarding agent that is selected by the
client, usually via local configuration rules, to receive requests
for some type(s) of absolute URI and attempt to satisfy those
requests via translation through the HTTP interface. Some translations
are minimal, such as for proxy requests for "http" URIs, whereas
other requests might require translation to and from entirely different
application-level protocols. Proxies are often used to group an
organization's HTTP requests through a common intermediary for the
sake of security, annotation services, or shared caching. Some proxies
are designed to apply transformations to selected messages or payloads
while they are being forwarded, as described in
<xref target="message.transformations"/>.
</t>
<t><iref primary="true" item="gateway"/><iref primary="true" item="reverse proxy"/>
<iref primary="true" item="accelerator"/>
A "<x:dfn>gateway</x:dfn>" (a.k.a. "<x:dfn>reverse proxy</x:dfn>") is an
intermediary that acts as an origin server for the outbound connection but
translates received requests and forwards them inbound to another server or
servers. Gateways are often used to encapsulate legacy or untrusted
information services, to improve server performance through
"<x:dfn>accelerator</x:dfn>" caching, and to enable partitioning or load
balancing of HTTP services across multiple machines.
</t>
<t>
All HTTP requirements applicable to an origin server
also apply to the outbound communication of a gateway.
A gateway communicates with inbound servers using any protocol that
it desires, including private extensions to HTTP that are outside
the scope of this specification. However, an HTTP-to-HTTP gateway
that wishes to interoperate with third-party HTTP servers ought to conform
to user agent requirements on the gateway's inbound connection.
</t>
<t><iref primary="true" item="tunnel"/>
A "<x:dfn>tunnel</x:dfn>" acts as a blind relay between two connections
without changing the messages. Once active, a tunnel is not
considered a party to the HTTP communication, though the tunnel might
have been initiated by an HTTP request. A tunnel ceases to exist when
both ends of the relayed connection are closed. Tunnels are used to
extend a virtual connection through an intermediary, such as when
Transport Layer Security (TLS, <xref target="RFC5246"/>) is used to
establish confidential communication through a shared firewall proxy.
</t>
<t>
The above categories for intermediary only consider those acting as
participants in the HTTP communication. There are also intermediaries
that can act on lower layers of the network protocol stack, filtering or
redirecting HTTP traffic without the knowledge or permission of message
senders. Network intermediaries are indistinguishable (at a protocol level)
from a man-in-the-middle attack, often introducing security flaws or
interoperability problems due to mistakenly violating HTTP semantics.
</t>
<t><iref primary="true" item="interception proxy"/>
<iref primary="true" item="transparent proxy"/>
<iref primary="true" item="captive portal"/>
For example, an
"<x:dfn>interception proxy</x:dfn>" <xref target="RFC3040"/> (also commonly
known as a "<x:dfn>transparent proxy</x:dfn>" <xref target="RFC1919"/> or
"<x:dfn>captive portal</x:dfn>")
differs from an HTTP proxy because it is not selected by the client.
Instead, an interception proxy filters or redirects outgoing TCP port 80
packets (and occasionally other common port traffic).
Interception proxies are commonly found on public network access points,
as a means of enforcing account subscription prior to allowing use of
non-local Internet services, and within corporate firewalls to enforce
network usage policies.
</t>
<t>
HTTP is defined as a stateless protocol, meaning that each request message
can be understood in isolation. Many implementations depend on HTTP's
stateless design in order to reuse proxied connections or dynamically
load balance requests across multiple servers. Hence, a server &MUST-NOT;
assume that two requests on the same connection are from the same user
agent unless the connection is secured and specific to that agent.
Some non-standard HTTP extensions (e.g., <xref target="RFC4559"/>) have
been known to violate this requirement, resulting in security and
interoperability problems.
</t>
</section>
<section title="Caches" anchor="caches">
<iref primary="true" item="cache"/>
<t>
A "<x:dfn>cache</x:dfn>" is a local store of previous response messages and the
subsystem that controls its message storage, retrieval, and deletion.
A cache stores cacheable responses in order to reduce the response
time and network bandwidth consumption on future, equivalent
requests. Any client or server &MAY; employ a cache, though a cache
cannot be used by a server while it is acting as a tunnel.
</t>
<t>
The effect of a cache is that the request/response chain is shortened
if one of the participants along the chain has a cached response
applicable to that request. The following illustrates the resulting
chain if B has a cached copy of an earlier response from O (via C)
for a request that has not been cached by UA or A.
</t>
<figure><artwork type="drawing">
> >
<x:highlight>UA</x:highlight> =========== <x:highlight>A</x:highlight> =========== <x:highlight>B</x:highlight> - - - - - - <x:highlight>C</x:highlight> - - - - - - <x:highlight>O</x:highlight>
< <
</artwork></figure>
<t><iref primary="true" item="cacheable"/>
A response is "<x:dfn>cacheable</x:dfn>" if a cache is allowed to store a copy of
the response message for use in answering subsequent requests.
Even when a response is cacheable, there might be additional
constraints placed by the client or by the origin server on when
that cached response can be used for a particular request. HTTP
requirements for cache behavior and cacheable responses are
defined in <xref target="caching.overview"/>.
</t>
<t>
There is a wide variety of architectures and configurations
of caches deployed across the World Wide Web and
inside large organizations. These include national hierarchies
of proxy caches to save transoceanic bandwidth, collaborative systems that
broadcast or multicast cache entries, archives of pre-fetched cache
entries for use in off-line or high-latency environments, and so on.
</t>
</section>
<section title="Uniform Resource Identifiers" anchor="uri">
<iref primary="true" item="resource"/>
<t>
Uniform Resource Identifiers (URIs) <xref target="RFC3986"/> are used
throughout HTTP as the means for identifying resources (<xref target="resources"/>).
URI references are used to target requests, indicate redirects, and define
relationships.
</t>
<x:anchor-alias value="URI-reference"/>
<x:anchor-alias value="absolute-URI"/>
<x:anchor-alias value="relative-part"/>
<x:anchor-alias value="authority"/>
<x:anchor-alias value="uri-host"/>
<x:anchor-alias value="port"/>
<x:anchor-alias value="path"/>
<x:anchor-alias value="path-abempty"/>
<x:anchor-alias value="segment"/>
<x:anchor-alias value="query"/>
<x:anchor-alias value="fragment"/>
<x:anchor-alias value="absolute-path"/>
<x:anchor-alias value="partial-URI"/>
<t>
The definitions of "URI-reference",
"absolute-URI", "relative-part", "authority", "port", "host",
"path-abempty", "segment", "query", and "fragment" are adopted from the
URI generic syntax.
An "absolute-path" rule is defined for protocol elements that can contain a
non-empty path component. (This rule differs slightly from the path-abempty
rule of RFC 3986, which allows for an empty path to be used in references,
and path-absolute rule, which does not allow paths that begin with "//".)
A "partial-URI" rule is defined for protocol elements
that can contain a relative URI but not a fragment component.
</t>
<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="URI-reference"><!--exported production--></iref><iref primary="true" item="Grammar" subitem="absolute-URI"/><iref primary="true" item="Grammar" subitem="authority"/><iref primary="true" item="Grammar" subitem="absolute-path"/><iref primary="true" item="Grammar" subitem="port"/><iref primary="true" item="Grammar" subitem="query"/><iref primary="true" item="Grammar" subitem="fragment"/><iref primary="true" item="Grammar" subitem="segment"/><iref primary="true" item="Grammar" subitem="uri-host"/><iref primary="true" item="Grammar" subitem="partial-URI"><!--exported production--></iref>
<x:ref>URI-reference</x:ref> = <URI-reference, see <xref target="RFC3986" x:fmt="," x:sec="4.1"/>>
<x:ref>absolute-URI</x:ref> = <absolute-URI, see <xref target="RFC3986" x:fmt="," x:sec="4.3"/>>
<x:ref>relative-part</x:ref> = <relative-part, see <xref target="RFC3986" x:fmt="," x:sec="4.2"/>>
<x:ref>authority</x:ref> = <authority, see <xref target="RFC3986" x:fmt="," x:sec="3.2"/>>
<x:ref>uri-host</x:ref> = <host, see <xref target="RFC3986" x:fmt="," x:sec="3.2.2"/>>
<x:ref>port</x:ref> = <port, see <xref target="RFC3986" x:fmt="," x:sec="3.2.3"/>>
<x:ref>path-abempty</x:ref> = <path-abempty, see <xref target="RFC3986" x:fmt="," x:sec="3.3"/>>
<x:ref>segment</x:ref> = <segment, see <xref target="RFC3986" x:fmt="," x:sec="3.3"/>>
<x:ref>query</x:ref> = <query, see <xref target="RFC3986" x:fmt="," x:sec="3.4"/>>
<x:ref>fragment</x:ref> = <fragment, see <xref target="RFC3986" x:fmt="," x:sec="3.5"/>>
<x:ref>absolute-path</x:ref> = 1*( "/" segment )
<x:ref>partial-URI</x:ref> = relative-part [ "?" query ]
</artwork></figure>
<t>
Each protocol element in HTTP that allows a URI reference will indicate
in its ABNF production whether the element allows any form of reference
(URI-reference), only a URI in absolute form (absolute-URI), only the
path and optional query components, or some combination of the above.
Unless otherwise indicated, URI references are parsed
relative to the effective request URI
(<xref target="effective.request.uri"/>).
</t>
</section>
<section title="Resources" anchor="resources">
<t>
The target of an HTTP request is called a "<x:dfn>resource</x:dfn>".
HTTP does not limit the nature of a resource; it merely
defines an interface that might be used to interact with resources.
Each resource is identified by a Uniform Resource Identifier (URI), as
described in <xref target="uri"/>.
</t>
<t>
One design goal of HTTP is to separate resource identification from
request semantics, which is made possible by vesting the request
semantics in the request method (<xref target="methods"/>) and a few
request-modifying header fields (<xref target="request.header.fields"/>).
If there is a conflict between the method semantics and any semantic
implied by the URI itself, as described in <xref target="safe.methods"/>,
the method semantics take precedence.
</t>
<t>
IANA maintains the registry of URI Schemes <xref target="BCP115"/> at
<eref target="https://www.iana.org/assignments/uri-schemes/"/>.
<cref>Although requests might target any URI scheme, the following schemes are
inherent to HTTP servers:</cref>
</t>
<texttable align="left" suppress-title="true">
<ttcol>URI Scheme</ttcol>
<ttcol>Description</ttcol>
<ttcol>Reference</ttcol>
<c>http</c>
<c>Hypertext Transfer Protocol</c>
<c><xref target="http.uri"/></c>
<c>https</c>
<c>Hypertext Transfer Protocol Secure</c>
<c><xref target="https.uri"/></c>
</texttable>
<section title="http URI Scheme" anchor="http.uri">
<x:anchor-alias value="http-URI"/>
<iref item="http URI scheme" primary="true"/>
<iref item="URI scheme" subitem="http" primary="true"/>
<t>
The "http" URI scheme is hereby defined for the purpose of minting
identifiers according to their association with the hierarchical
namespace governed by a potential HTTP origin server listening for
TCP (<xref target="RFC0793"/>) connections on a given port.
</t>
<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="http-URI"><!--terminal production--></iref>
<x:ref>http-URI</x:ref> = "http:" "//" <x:ref>authority</x:ref> <x:ref>path-abempty</x:ref> [ "?" <x:ref>query</x:ref> ]
[ "#" <x:ref>fragment</x:ref> ]
</artwork></figure>
<t>
The origin server for an "http" URI is identified by the
<x:ref>authority</x:ref> component, which includes a host identifier
and optional TCP port (<xref target="RFC3986" x:fmt="," x:sec="3.2.2"/>).
The hierarchical path component and optional query component serve as an
identifier for a potential target resource within that origin server's name
space. The optional fragment component allows for indirect identification
of a secondary resource, independent of the URI scheme, as defined in
<xref target="RFC3986" x:fmt="of" x:sec="3.5"/>.
</t>
<t>
A sender &MUST-NOT; generate an "http" URI with an empty host identifier.
A recipient that processes such a URI reference &MUST; reject it as invalid.
</t>
<t>
If the host identifier is provided as an IP address, the origin server is
the listener (if any) on the indicated TCP port at that IP address.
If host is a registered name, the registered name is an indirect identifier
for use with a name resolution service, such as DNS, to find an address for
that origin server.
If the port subcomponent is empty or not given, TCP port 80 (the
reserved port for WWW services) is the default.
</t>
<t>
Note that the presence of a URI with a given authority component does not
imply that there is always an HTTP server listening for connections on
that host and port. Anyone can mint a URI. What the authority component
determines is who has the right to respond authoritatively to requests that
target the identified resource. The delegated nature of registered names
and IP addresses creates a federated namespace, based on control over the
indicated host and port, whether or not an HTTP server is present.
See <xref target="establishing.authority"/> for security considerations
related to establishing authority.
</t>
<t>
When an "http" URI is used within a context that calls for access to the
indicated resource, a client &MAY; attempt access by resolving
the host to an IP address, establishing a TCP connection to that address
on the indicated port, and sending an HTTP request message
(<xref target="http.message"/>) containing the URI's identifying data
to the server.
If the server responds to that request with a non-interim HTTP response
message, as described in <xref target="status.codes"/>, then that response
is considered an authoritative answer to the client's request.
</t>
<t>
Although HTTP is independent of the transport protocol, the "http"
scheme is specific to TCP-based services because the name delegation
process depends on TCP for establishing authority.
An HTTP service based on some other underlying connection protocol
would presumably be identified using a different URI scheme, just as
the "https" scheme (below) is used for resources that require an
end-to-end secured connection. Other protocols might also be used to
provide access to "http" identified resources — it is only the
authoritative interface that is specific to TCP.
</t>
<t>
The URI generic syntax for authority also includes a deprecated
userinfo subcomponent (<xref target="RFC3986" x:fmt="," x:sec="3.2.1"/>)
for including user authentication information in the URI. Some
implementations make use of the userinfo component for internal
configuration of authentication information, such as within command
invocation options, configuration files, or bookmark lists, even
though such usage might expose a user identifier or password.
A sender &MUST-NOT; generate the userinfo subcomponent (and its "@"
delimiter) when an "http" URI reference is generated within a message as a
request target or header field value.
Before making use of an "http" URI reference received from an untrusted
source, a recipient &SHOULD; parse for userinfo and treat its presence as
an error; it is likely being used to obscure the authority for the sake of
phishing attacks.
</t>
</section>
<section title="https URI Scheme" anchor="https.uri">
<x:anchor-alias value="https-URI"/>
<iref item="https URI scheme"/>
<iref item="URI scheme" subitem="https"/>
<t>
The "https" URI scheme is hereby defined for the purpose of minting
identifiers according to their association with the hierarchical
namespace governed by a potential HTTP origin server listening to a
given TCP port for TLS-secured connections (<xref target="RFC5246"/>).
</t>
<t>
All of the requirements listed above for the "http" scheme are also
requirements for the "https" scheme, except that TCP port 443 is the
default if the port subcomponent is empty or not given,
and the user agent &MUST; ensure that its connection to the origin
server is secured through the use of strong encryption, end-to-end,
prior to sending the first HTTP request.
</t>
<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="https-URI"><!--terminal production--></iref>
<x:ref>https-URI</x:ref> = "https:" "//" <x:ref>authority</x:ref> <x:ref>path-abempty</x:ref> [ "?" <x:ref>query</x:ref> ]
[ "#" <x:ref>fragment</x:ref> ]
</artwork></figure>
<t>
Note that the "https" URI scheme depends on both TLS and TCP for
establishing authority.
Resources made available via the "https" scheme have no shared
identity with the "http" scheme even if their resource identifiers
indicate the same authority (the same host listening to the same
TCP port). They are distinct namespaces and are considered to be
distinct origin servers. However, an extension to HTTP that is
defined to apply to entire host domains, such as the Cookie protocol
<xref target="RFC6265"/>, can allow information
set by one service to impact communication with other services
within a matching group of host domains.
</t>
<t>
The process for authoritative access to an "https" identified
resource is defined in <xref target="RFC2818"/>.
</t>
</section>
<section title="http and https URI Normalization and Comparison" anchor="uri.comparison">
<t>
Since the "http" and "https" schemes conform to the URI generic syntax,
such URIs are normalized and compared according to the algorithm defined
in <xref target="RFC3986" x:fmt="of" x:sec="6"/>, using the defaults
described above for each scheme.
</t>
<t>
If the port is equal to the default port for a scheme, the normal form is
to omit the port subcomponent. When not being used in absolute form as the
request target of an OPTIONS request, an empty path component is equivalent
to an absolute path of "/", so the normal form is to provide a path of "/"
instead. The scheme and host are case-insensitive and normally provided in
lowercase; all other components are compared in a case-sensitive manner.
Characters other than those in the "reserved" set are equivalent to their
percent-encoded octets: the normal form is to not encode them
(see Sections <xref target="RFC3986" x:fmt="number" x:sec="2.1"/> and
<xref target="RFC3986" x:fmt="number" x:sec="2.2"/> of
<xref target="RFC3986"/>).
</t>
<t>
For example, the following three URIs are equivalent:
</t>
<figure><artwork type="example">
http://example.com:80/~smith/home.html
http://EXAMPLE.com/%7Esmith/home.html
http://EXAMPLE.com:/%7esmith/home.html
</artwork></figure>
</section>
</section>
</section>
<section title="Conformance" anchor="conformance">
<section title="Implementation Diversity" anchor="implementation-diversity">
<t>
When considering the design of HTTP, it is easy to fall into a trap of
thinking that all user agents are general-purpose browsers and all origin
servers are large public websites. That is not the case in practice.
Common HTTP user agents include household appliances, stereos, scales,
firmware update scripts, command-line programs, mobile apps,
and communication devices in a multitude of shapes and sizes. Likewise,
common HTTP origin servers include home automation units, configurable
networking components, office machines, autonomous robots, news feeds,
traffic cameras, ad selectors, and video-delivery platforms.
</t>
<t>
The term "user agent" does not imply that there is a human user directly
interacting with the software agent at the time of a request. In many
cases, a user agent is installed or configured to run in the background
and save its results for later inspection (or save only a subset of those
results that might be interesting or erroneous). Spiders, for example, are
typically given a start URI and configured to follow certain behavior while
crawling the Web as a hypertext graph.
</t>
<t>
The implementation diversity of HTTP means that not all user agents can
make interactive suggestions to their user or provide adequate warning for
security or privacy concerns. In the few cases where this
specification requires reporting of errors to the user, it is acceptable
for such reporting to only be observable in an error console or log file.
Likewise, requirements that an automated action be confirmed by the user
before proceeding might be met via advance configuration choices,
run-time options, or simple avoidance of the unsafe action; confirmation
does not imply any specific user interface or interruption of normal
processing if the user has already made that choice.
</t>
</section>
<section title="Role-based Requirements" anchor="role-requirements">
<t>
This specification targets conformance criteria according to the role of
a participant in HTTP communication. Hence, HTTP requirements are placed
on senders, recipients, clients, servers, user agents, intermediaries,
origin servers, proxies, gateways, or caches, depending on what behavior
is being constrained by the requirement. Additional (social) requirements
are placed on implementations, resource owners, and protocol element
registrations when they apply beyond the scope of a single communication.
</t>
<t>
The verb "generate" is used instead of "send" where a requirement
differentiates between creating a protocol element and merely forwarding a
received element downstream.
</t>
<t>
An implementation is considered conformant if it complies with all of the
requirements associated with the roles it partakes in HTTP.
</t>
<t>
Conformance includes both the syntax and semantics of protocol
elements. A sender &MUST-NOT; generate protocol elements that convey a
meaning that is known by that sender to be false. A sender &MUST-NOT;
generate protocol elements that do not match the grammar defined by the
corresponding ABNF rules. Within a given message, a sender &MUST-NOT;
generate protocol elements or syntax alternatives that are only allowed to
be generated by participants in other roles (i.e., a role that the sender
does not have for that message).
</t>
</section>
<section title="Parsing Elements" anchor="parsing-elements">
<t>
When a received protocol element is parsed, the recipient &MUST; be able to
parse any value of reasonable length that is applicable to the recipient's
role and that matches the grammar defined by the corresponding ABNF rules.
Note, however, that some received protocol elements might not be parsed.
For example, an intermediary forwarding a message might parse a
header-field into generic field-name and field-value components, but then
forward the header field without further parsing inside the field-value.
</t>
<t>
HTTP does not have specific length limitations for many of its protocol
elements because the lengths that might be appropriate will vary widely,
depending on the deployment context and purpose of the implementation.
Hence, interoperability between senders and recipients depends on shared
expectations regarding what is a reasonable length for each protocol
element. Furthermore, what is commonly understood to be a reasonable length
for some protocol elements has changed over the course of the past two
decades of HTTP use and is expected to continue changing in the future.
</t>
<t>
At a minimum, a recipient &MUST; be able to parse and process protocol
element lengths that are at least as long as the values that it generates
for those same protocol elements in other messages. For example, an origin
server that publishes very long URI references to its own resources needs
to be able to parse and process those same references when received as a
request target.
</t>
</section>
<section title="Error Handling" anchor="error-handling">
<t>
A recipient &MUST; interpret a received protocol element according to the
semantics defined for it by this specification, including extensions to
this specification, unless the recipient has determined (through experience
or configuration) that the sender incorrectly implements what is implied by
those semantics.
For example, an origin server might disregard the contents of a received
<x:ref>Accept-Encoding</x:ref> header field if inspection of the
<x:ref>User-Agent</x:ref> header field indicates a specific implementation
version that is known to fail on receipt of certain content codings.
</t>
<t>
Unless noted otherwise, a recipient &MAY; attempt to recover a usable
protocol element from an invalid construct. HTTP does not define
specific error handling mechanisms except when they have a direct impact
on security, since different applications of the protocol require
different error handling strategies. For example, a Web browser might
wish to transparently recover from a response where the
<x:ref>Location</x:ref> header field doesn't parse according to the ABNF,
whereas a systems control client might consider any form of error recovery
to be dangerous.
</t>
</section>
<section title="Protocol Versioning" anchor="protocol.version">
<t>
The HTTP version number consists of two decimal digits separated by a "."
(period or decimal point). The first digit ("major version") indicates the
HTTP messaging syntax, whereas the second digit ("minor version")
indicates the highest minor version within that major version to which the
sender is conformant and able to understand for future communication.
</t>
<t>
The protocol version as a whole indicates the sender's conformance with
the set of requirements laid out in that version's corresponding
specification of HTTP.
<cref>
For example, the version "HTTP/1.1" is defined by the combined
specifications of this document, "HTTP Caching" <xref target="Caching"/>,
and "HTTP/1.1 Messaging" <xref target="Messaging"/>.
</cref></t>
<t>
The minor version advertises the sender's communication capabilities even
when the sender is only using a backwards-compatible subset of the
protocol, thereby letting the recipient know that more advanced features
can be used in response (by servers) or in future requests (by clients).
</t>
<t>
A client &SHOULD; send a request version equal to the highest
version to which the client is conformant and
whose major version is no higher than the highest version supported
by the server, if this is known. A client &MUST-NOT; send a
version to which it is not conformant.
</t>
<t>