idnits 2.17.1 draft-ietf-httpbis-semantics-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC7230, but the abstract doesn't seem to directly say this. It does mention RFC7230 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 2, 2018) is 2125 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC2145' is defined on line 7506, but no explicit reference was found in the text == Unused Reference: 'RFC7232' is defined on line 7600, but no explicit reference was found in the text == Unused Reference: 'RFC7233' is defined on line 7605, but no explicit reference was found in the text == Unused Reference: 'RFC7235' is defined on line 7610, but no explicit reference was found in the text == Unused Reference: 'RFC7616' is defined on line 7623, but no explicit reference was found in the text == Unused Reference: 'RFC7617' is defined on line 7628, but no explicit reference was found in the text == Outdated reference: A later version (-19) exists of draft-ietf-httpbis-cache-02 -- Possible downref: Normative reference to a draft: ref. 'Caching' == Outdated reference: A later version (-19) exists of draft-ietf-httpbis-messaging-02 -- Possible downref: Normative reference to a draft: ref. 'Messaging' ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) ** Downref: Normative reference to an Informational RFC: RFC 1950 ** Downref: Normative reference to an Informational RFC: RFC 1951 ** Downref: Normative reference to an Informational RFC: RFC 1952 -- Possible downref: Non-RFC (?) normative reference: ref. 'USASCII' -- Possible downref: Non-RFC (?) normative reference: ref. 'Welch' -- Obsolete informational reference (is this intentional?): RFC 2068 (Obsoleted by RFC 2616) -- Obsolete informational reference (is this intentional?): RFC 2145 (Obsoleted by RFC 7230) -- Obsolete informational reference (is this intentional?): RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) -- Obsolete informational reference (is this intentional?): RFC 2617 (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617) -- Obsolete informational reference (is this intentional?): RFC 2818 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 7230 (Obsoleted by RFC 9110, RFC 9112) -- Obsolete informational reference (is this intentional?): RFC 7231 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7232 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7233 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7235 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7538 (Obsoleted by RFC 9110) Summary: 4 errors (**), 0 flaws (~~), 10 warnings (==), 19 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP Working Group R. Fielding, Ed. 3 Internet-Draft Adobe 4 Obsoletes: 7230,7231,7232,7233,7235 (if M. Nottingham, Ed. 5 approved) Fastly 6 Intended status: Standards Track J. Reschke, Ed. 7 Expires: January 3, 2019 greenbytes 8 July 2, 2018 10 HTTP Semantics 11 draft-ietf-httpbis-semantics-02 13 Abstract 15 The Hypertext Transfer Protocol (HTTP) is a stateless application- 16 level protocol for distributed, collaborative, hypertext information 17 systems. This document defines the semantics of HTTP: its 18 architecture, terminology, the "http" and "https" Uniform Resource 19 Identifier (URI) schemes, core request methods, request header 20 fields, response status codes, response header fields, and content 21 negotiation. 23 This document obsoletes RFC 7231, RFC 7232, RFC 7233, RFC 7235, and 24 portions of RFC 7230. 26 Editorial Note 28 This note is to be removed before publishing as an RFC. 30 Discussion of this draft takes place on the HTTP working group 31 mailing list (ietf-http-wg@w3.org), which is archived at 32 . 34 Working Group information can be found at ; 35 source code and issues list for this draft can be found at 36 . 38 The changes in this draft are summarized in Appendix G.3. 40 Status of This Memo 42 This Internet-Draft is submitted in full conformance with the 43 provisions of BCP 78 and BCP 79. 45 Internet-Drafts are working documents of the Internet Engineering 46 Task Force (IETF). Note that other groups may also distribute 47 working documents as Internet-Drafts. The list of current Internet- 48 Drafts is at https://datatracker.ietf.org/drafts/current/. 50 Internet-Drafts are draft documents valid for a maximum of six months 51 and may be updated, replaced, or obsoleted by other documents at any 52 time. It is inappropriate to use Internet-Drafts as reference 53 material or to cite them other than as "work in progress." 55 This Internet-Draft will expire on January 3, 2019. 57 Copyright Notice 59 Copyright (c) 2018 IETF Trust and the persons identified as the 60 document authors. All rights reserved. 62 This document is subject to BCP 78 and the IETF Trust's Legal 63 Provisions Relating to IETF Documents 64 (https://trustee.ietf.org/license-info) in effect on the date of 65 publication of this document. Please review these documents 66 carefully, as they describe your rights and restrictions with respect 67 to this document. Code Components extracted from this document must 68 include Simplified BSD License text as described in Section 4.e of 69 the Trust Legal Provisions and are provided without warranty as 70 described in the Simplified BSD License. 72 This document may contain material from IETF Documents or IETF 73 Contributions published or made publicly available before November 74 10, 2008. The person(s) controlling the copyright in some of this 75 material may not have granted the IETF Trust the right to allow 76 modifications of such material outside the IETF Standards Process. 77 Without obtaining an adequate license from the person(s) controlling 78 the copyright in such materials, this document may not be modified 79 outside the IETF Standards Process, and derivative works of it may 80 not be created outside the IETF Standards Process, except to format 81 it for publication as an RFC or to translate it into languages other 82 than English. 84 Table of Contents 86 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 7 87 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 9 88 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 9 89 2. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 9 90 2.1. Client/Server Messaging . . . . . . . . . . . . . . . . . 10 91 2.2. Intermediaries . . . . . . . . . . . . . . . . . . . . . 11 92 2.3. Caches . . . . . . . . . . . . . . . . . . . . . . . . . 13 93 2.4. Uniform Resource Identifiers . . . . . . . . . . . . . . 14 94 2.5. Resources . . . . . . . . . . . . . . . . . . . . . . . . 15 95 2.5.1. http URI Scheme . . . . . . . . . . . . . . . . . . . 16 96 2.5.2. https URI Scheme . . . . . . . . . . . . . . . . . . 17 97 2.5.3. http and https URI Normalization and Comparison . . . 18 99 3. Conformance . . . . . . . . . . . . . . . . . . . . . . . . . 18 100 3.1. Implementation Diversity . . . . . . . . . . . . . . . . 18 101 3.2. Role-based Requirements . . . . . . . . . . . . . . . . . 19 102 3.3. Parsing Elements . . . . . . . . . . . . . . . . . . . . 20 103 3.4. Error Handling . . . . . . . . . . . . . . . . . . . . . 20 104 3.5. Protocol Versioning . . . . . . . . . . . . . . . . . . . 21 105 4. Message Abstraction . . . . . . . . . . . . . . . . . . . . . 22 106 4.1. Field Names . . . . . . . . . . . . . . . . . . . . . . . 22 107 4.1.1. Field Name Registry . . . . . . . . . . . . . . . . . 24 108 4.1.2. Field Extensibility . . . . . . . . . . . . . . . . . 24 109 4.1.3. Considerations for New Fields . . . . . . . . . . . . 24 110 4.2. Field Values . . . . . . . . . . . . . . . . . . . . . . 26 111 4.2.1. Field Order . . . . . . . . . . . . . . . . . . . . . 26 112 4.2.2. Field Limits . . . . . . . . . . . . . . . . . . . . 27 113 4.2.3. Field Value Components . . . . . . . . . . . . . . . 27 114 4.2.4. Designing New Field Values . . . . . . . . . . . . . 28 115 4.3. Whitespace . . . . . . . . . . . . . . . . . . . . . . . 29 116 4.4. Trailer . . . . . . . . . . . . . . . . . . . . . . . . . 30 117 5. Message Routing . . . . . . . . . . . . . . . . . . . . . . . 30 118 5.1. Identifying a Target Resource . . . . . . . . . . . . . . 30 119 5.2. Routing Inbound . . . . . . . . . . . . . . . . . . . . . 30 120 5.3. Effective Request URI . . . . . . . . . . . . . . . . . . 31 121 5.4. Host . . . . . . . . . . . . . . . . . . . . . . . . . . 32 122 5.5. Associating a Response to a Request . . . . . . . . . . . 33 123 5.6. Message Forwarding . . . . . . . . . . . . . . . . . . . 33 124 5.6.1. Via . . . . . . . . . . . . . . . . . . . . . . . . . 34 125 5.6.2. Transformations . . . . . . . . . . . . . . . . . . . 35 126 6. Representations . . . . . . . . . . . . . . . . . . . . . . . 37 127 6.1. Representation Data . . . . . . . . . . . . . . . . . . . 37 128 6.1.1. Media Type . . . . . . . . . . . . . . . . . . . . . 37 129 6.1.2. Content Codings . . . . . . . . . . . . . . . . . . . 40 130 6.1.3. Language Tags . . . . . . . . . . . . . . . . . . . . 41 131 6.1.4. Range Units . . . . . . . . . . . . . . . . . . . . . 42 132 6.2. Representation Metadata . . . . . . . . . . . . . . . . . 45 133 6.2.1. Content-Type . . . . . . . . . . . . . . . . . . . . 45 134 6.2.2. Content-Encoding . . . . . . . . . . . . . . . . . . 46 135 6.2.3. Content-Language . . . . . . . . . . . . . . . . . . 47 136 6.2.4. Content-Length . . . . . . . . . . . . . . . . . . . 48 137 6.2.5. Content-Location . . . . . . . . . . . . . . . . . . 49 138 6.3. Payload . . . . . . . . . . . . . . . . . . . . . . . . . 51 139 6.3.1. Purpose . . . . . . . . . . . . . . . . . . . . . . . 51 140 6.3.2. Identification . . . . . . . . . . . . . . . . . . . 52 141 6.3.3. Content-Range . . . . . . . . . . . . . . . . . . . . 53 142 6.3.4. Media Type multipart/byteranges . . . . . . . . . . . 55 143 6.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 57 144 6.4.1. Proactive Negotiation . . . . . . . . . . . . . . . . 57 145 6.4.2. Reactive Negotiation . . . . . . . . . . . . . . . . 58 146 7. Request Methods . . . . . . . . . . . . . . . . . . . . . . . 59 147 7.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 59 148 7.2. Common Method Properties . . . . . . . . . . . . . . . . 61 149 7.2.1. Safe Methods . . . . . . . . . . . . . . . . . . . . 61 150 7.2.2. Idempotent Methods . . . . . . . . . . . . . . . . . 62 151 7.2.3. Cacheable Methods . . . . . . . . . . . . . . . . . . 62 152 7.3. Method Definitions . . . . . . . . . . . . . . . . . . . 63 153 7.3.1. GET . . . . . . . . . . . . . . . . . . . . . . . . . 63 154 7.3.2. HEAD . . . . . . . . . . . . . . . . . . . . . . . . 63 155 7.3.3. POST . . . . . . . . . . . . . . . . . . . . . . . . 64 156 7.3.4. PUT . . . . . . . . . . . . . . . . . . . . . . . . . 65 157 7.3.5. DELETE . . . . . . . . . . . . . . . . . . . . . . . 68 158 7.3.6. CONNECT . . . . . . . . . . . . . . . . . . . . . . . 69 159 7.3.7. OPTIONS . . . . . . . . . . . . . . . . . . . . . . . 70 160 7.3.8. TRACE . . . . . . . . . . . . . . . . . . . . . . . . 71 161 7.4. Method Extensibility . . . . . . . . . . . . . . . . . . 72 162 7.4.1. Method Registry . . . . . . . . . . . . . . . . . . . 72 163 7.4.2. Considerations for New Methods . . . . . . . . . . . 72 164 8. Request Header Fields . . . . . . . . . . . . . . . . . . . . 73 165 8.1. Controls . . . . . . . . . . . . . . . . . . . . . . . . 73 166 8.1.1. Expect . . . . . . . . . . . . . . . . . . . . . . . 74 167 8.1.2. Max-Forwards . . . . . . . . . . . . . . . . . . . . 76 168 8.2. Preconditions . . . . . . . . . . . . . . . . . . . . . . 76 169 8.2.1. Evaluation . . . . . . . . . . . . . . . . . . . . . 77 170 8.2.2. Precedence . . . . . . . . . . . . . . . . . . . . . 78 171 8.2.3. If-Match . . . . . . . . . . . . . . . . . . . . . . 80 172 8.2.4. If-None-Match . . . . . . . . . . . . . . . . . . . . 81 173 8.2.5. If-Modified-Since . . . . . . . . . . . . . . . . . . 82 174 8.2.6. If-Unmodified-Since . . . . . . . . . . . . . . . . . 83 175 8.2.7. If-Range . . . . . . . . . . . . . . . . . . . . . . 85 176 8.3. Range . . . . . . . . . . . . . . . . . . . . . . . . . . 86 177 8.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 87 178 8.4.1. Quality Values . . . . . . . . . . . . . . . . . . . 88 179 8.4.2. Accept . . . . . . . . . . . . . . . . . . . . . . . 88 180 8.4.3. Accept-Charset . . . . . . . . . . . . . . . . . . . 90 181 8.4.4. Accept-Encoding . . . . . . . . . . . . . . . . . . . 91 182 8.4.5. Accept-Language . . . . . . . . . . . . . . . . . . . 93 183 8.5. Authentication Credentials . . . . . . . . . . . . . . . 94 184 8.5.1. Challenge and Response . . . . . . . . . . . . . . . 94 185 8.5.2. Protection Space (Realm) . . . . . . . . . . . . . . 96 186 8.5.3. Authorization . . . . . . . . . . . . . . . . . . . . 97 187 8.5.4. Proxy-Authorization . . . . . . . . . . . . . . . . . 97 188 8.5.5. Authentication Scheme Extensibility . . . . . . . . . 98 189 8.6. Request Context . . . . . . . . . . . . . . . . . . . . . 100 190 8.6.1. From . . . . . . . . . . . . . . . . . . . . . . . . 100 191 8.6.2. Referer . . . . . . . . . . . . . . . . . . . . . . . 101 192 8.6.3. User-Agent . . . . . . . . . . . . . . . . . . . . . 102 193 9. Response Status Codes . . . . . . . . . . . . . . . . . . . . 103 194 9.1. Overview of Status Codes . . . . . . . . . . . . . . . . 104 195 9.2. Informational 1xx . . . . . . . . . . . . . . . . . . . . 106 196 9.2.1. 100 Continue . . . . . . . . . . . . . . . . . . . . 106 197 9.2.2. 101 Switching Protocols . . . . . . . . . . . . . . . 106 198 9.3. Successful 2xx . . . . . . . . . . . . . . . . . . . . . 107 199 9.3.1. 200 OK . . . . . . . . . . . . . . . . . . . . . . . 107 200 9.3.2. 201 Created . . . . . . . . . . . . . . . . . . . . . 108 201 9.3.3. 202 Accepted . . . . . . . . . . . . . . . . . . . . 108 202 9.3.4. 203 Non-Authoritative Information . . . . . . . . . . 108 203 9.3.5. 204 No Content . . . . . . . . . . . . . . . . . . . 109 204 9.3.6. 205 Reset Content . . . . . . . . . . . . . . . . . . 109 205 9.3.7. 206 Partial Content . . . . . . . . . . . . . . . . . 110 206 9.4. Redirection 3xx . . . . . . . . . . . . . . . . . . . . . 113 207 9.4.1. 300 Multiple Choices . . . . . . . . . . . . . . . . 114 208 9.4.2. 301 Moved Permanently . . . . . . . . . . . . . . . . 115 209 9.4.3. 302 Found . . . . . . . . . . . . . . . . . . . . . . 116 210 9.4.4. 303 See Other . . . . . . . . . . . . . . . . . . . . 116 211 9.4.5. 304 Not Modified . . . . . . . . . . . . . . . . . . 117 212 9.4.6. 305 Use Proxy . . . . . . . . . . . . . . . . . . . . 117 213 9.4.7. 306 (Unused) . . . . . . . . . . . . . . . . . . . . 118 214 9.4.8. 307 Temporary Redirect . . . . . . . . . . . . . . . 118 215 9.5. Client Error 4xx . . . . . . . . . . . . . . . . . . . . 118 216 9.5.1. 400 Bad Request . . . . . . . . . . . . . . . . . . . 118 217 9.5.2. 401 Unauthorized . . . . . . . . . . . . . . . . . . 118 218 9.5.3. 402 Payment Required . . . . . . . . . . . . . . . . 119 219 9.5.4. 403 Forbidden . . . . . . . . . . . . . . . . . . . . 119 220 9.5.5. 404 Not Found . . . . . . . . . . . . . . . . . . . . 119 221 9.5.6. 405 Method Not Allowed . . . . . . . . . . . . . . . 120 222 9.5.7. 406 Not Acceptable . . . . . . . . . . . . . . . . . 120 223 9.5.8. 407 Proxy Authentication Required . . . . . . . . . . 120 224 9.5.9. 408 Request Timeout . . . . . . . . . . . . . . . . . 120 225 9.5.10. 409 Conflict . . . . . . . . . . . . . . . . . . . . 121 226 9.5.11. 410 Gone . . . . . . . . . . . . . . . . . . . . . . 121 227 9.5.12. 411 Length Required . . . . . . . . . . . . . . . . . 121 228 9.5.13. 412 Precondition Failed . . . . . . . . . . . . . . . 122 229 9.5.14. 413 Payload Too Large . . . . . . . . . . . . . . . . 122 230 9.5.15. 414 URI Too Long . . . . . . . . . . . . . . . . . . 122 231 9.5.16. 415 Unsupported Media Type . . . . . . . . . . . . . 122 232 9.5.17. 416 Range Not Satisfiable . . . . . . . . . . . . . . 123 233 9.5.18. 417 Expectation Failed . . . . . . . . . . . . . . . 123 234 9.5.19. 426 Upgrade Required . . . . . . . . . . . . . . . . 123 235 9.6. Server Error 5xx . . . . . . . . . . . . . . . . . . . . 124 236 9.6.1. 500 Internal Server Error . . . . . . . . . . . . . . 124 237 9.6.2. 501 Not Implemented . . . . . . . . . . . . . . . . . 124 238 9.6.3. 502 Bad Gateway . . . . . . . . . . . . . . . . . . . 124 239 9.6.4. 503 Service Unavailable . . . . . . . . . . . . . . . 125 240 9.6.5. 504 Gateway Timeout . . . . . . . . . . . . . . . . . 125 241 9.6.6. 505 HTTP Version Not Supported . . . . . . . . . . . 125 242 9.7. Status Code Extensibility . . . . . . . . . . . . . . . . 125 243 9.7.1. Status Code Registry . . . . . . . . . . . . . . . . 125 244 9.7.2. Considerations for New Status Codes . . . . . . . . . 126 245 10. Response Header Fields . . . . . . . . . . . . . . . . . . . 127 246 10.1. Control Data . . . . . . . . . . . . . . . . . . . . . . 127 247 10.1.1. Origination Date . . . . . . . . . . . . . . . . . . 127 248 10.1.2. Location . . . . . . . . . . . . . . . . . . . . . . 131 249 10.1.3. Retry-After . . . . . . . . . . . . . . . . . . . . 132 250 10.1.4. Vary . . . . . . . . . . . . . . . . . . . . . . . . 133 251 10.2. Validators . . . . . . . . . . . . . . . . . . . . . . . 134 252 10.2.1. Weak versus Strong . . . . . . . . . . . . . . . . . 135 253 10.2.2. Last-Modified . . . . . . . . . . . . . . . . . . . 137 254 10.2.3. ETag . . . . . . . . . . . . . . . . . . . . . . . . 139 255 10.2.4. When to Use Entity-Tags and Last-Modified Dates . . 142 256 10.3. Authentication Challenges . . . . . . . . . . . . . . . 143 257 10.3.1. WWW-Authenticate . . . . . . . . . . . . . . . . . . 143 258 10.3.2. Proxy-Authenticate . . . . . . . . . . . . . . . . . 144 259 10.4. Response Context . . . . . . . . . . . . . . . . . . . . 144 260 10.4.1. Accept-Ranges . . . . . . . . . . . . . . . . . . . 145 261 10.4.2. Allow . . . . . . . . . . . . . . . . . . . . . . . 145 262 10.4.3. Server . . . . . . . . . . . . . . . . . . . . . . . 146 263 11. ABNF List Extension: #rule . . . . . . . . . . . . . . . . . 146 264 12. Security Considerations . . . . . . . . . . . . . . . . . . . 148 265 12.1. Establishing Authority . . . . . . . . . . . . . . . . . 148 266 12.2. Risks of Intermediaries . . . . . . . . . . . . . . . . 149 267 12.3. Attacks Based on File and Path Names . . . . . . . . . . 149 268 12.4. Attacks Based on Command, Code, or Query Injection . . . 150 269 12.5. Attacks via Protocol Element Length . . . . . . . . . . 151 270 12.6. Disclosure of Personal Information . . . . . . . . . . . 151 271 12.7. Privacy of Server Log Information . . . . . . . . . . . 151 272 12.8. Disclosure of Sensitive Information in URIs . . . . . . 152 273 12.9. Disclosure of Fragment after Redirects . . . . . . . . . 152 274 12.10. Disclosure of Product Information . . . . . . . . . . . 153 275 12.11. Browser Fingerprinting . . . . . . . . . . . . . . . . . 153 276 12.12. Validator Retention . . . . . . . . . . . . . . . . . . 154 277 12.13. Denial-of-Service Attacks Using Range . . . . . . . . . 154 278 12.14. Authentication Considerations . . . . . . . . . . . . . 155 279 12.14.1. Confidentiality of Credentials . . . . . . . . . . 155 280 12.14.2. Credentials and Idle Clients . . . . . . . . . . . 155 281 12.14.3. Protection Spaces . . . . . . . . . . . . . . . . . 156 282 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 156 283 13.1. URI Scheme Registration . . . . . . . . . . . . . . . . 156 284 13.2. Method Registration . . . . . . . . . . . . . . . . . . 157 285 13.3. Status Code Registration . . . . . . . . . . . . . . . . 157 286 13.4. Header Field Registration . . . . . . . . . . . . . . . 157 287 13.5. Authentication Scheme Registration . . . . . . . . . . . 157 288 13.6. Content Coding Registration . . . . . . . . . . . . . . 157 289 13.7. Range Unit Registration . . . . . . . . . . . . . . . . 157 290 13.8. Media Type Registration . . . . . . . . . . . . . . . . 157 292 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 158 293 14.1. Normative References . . . . . . . . . . . . . . . . . . 158 294 14.2. Informative References . . . . . . . . . . . . . . . . . 159 295 Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 165 296 Appendix B. Changes from RFC 7230 . . . . . . . . . . . . . . . 169 297 Appendix C. Changes from RFC 7231 . . . . . . . . . . . . . . . 170 298 Appendix D. Changes from RFC 7232 . . . . . . . . . . . . . . . 170 299 Appendix E. Changes from RFC 7233 . . . . . . . . . . . . . . . 170 300 Appendix F. Changes from RFC 7235 . . . . . . . . . . . . . . . 170 301 Appendix G. Change Log . . . . . . . . . . . . . . . . . . . . . 170 302 G.1. Between RFC723x and draft 00 . . . . . . . . . . . . . . 170 303 G.2. Since draft-ietf-httpbis-semantics-00 . . . . . . . . . . 170 304 G.3. Since draft-ietf-httpbis-semantics-01 . . . . . . . . . . 171 305 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 306 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 180 307 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 180 309 1. Introduction 311 The Hypertext Transfer Protocol (HTTP) is a stateless application- 312 level request/response protocol that uses extensible semantics and 313 self-descriptive messages for flexible interaction with network-based 314 hypertext information systems. HTTP is defined by a series of 315 documents that collectively form the HTTP/1.1 specification: 317 o "HTTP Semantics" (this document) 319 o "HTTP Caching" [Caching] 321 o "HTTP/1.1 Messaging" [Messaging] 323 HTTP is a generic interface protocol for information systems. It is 324 designed to hide the details of how a service is implemented by 325 presenting a uniform interface to clients that is independent of the 326 types of resources provided. Likewise, servers do not need to be 327 aware of each client's purpose: an HTTP request can be considered in 328 isolation rather than being associated with a specific type of client 329 or a predetermined sequence of application steps. The result is a 330 protocol that can be used effectively in many different contexts and 331 for which implementations can evolve independently over time. 333 HTTP is also designed for use as an intermediation protocol for 334 translating communication to and from non-HTTP information systems. 335 HTTP proxies and gateways can provide access to alternative 336 information services by translating their diverse protocols into a 337 hypertext format that can be viewed and manipulated by clients in the 338 same way as HTTP services. 340 One consequence of this flexibility is that the protocol cannot be 341 defined in terms of what occurs behind the interface. Instead, we 342 are limited to defining the syntax of communication, the intent of 343 received communication, and the expected behavior of recipients. If 344 the communication is considered in isolation, then successful actions 345 ought to be reflected in corresponding changes to the observable 346 interface provided by servers. However, since multiple clients might 347 act in parallel and perhaps at cross-purposes, we cannot require that 348 such changes be observable beyond the scope of a single response. 350 Each HTTP message is either a request or a response. A server 351 listens on a connection for a request, parses each message received, 352 interprets the message semantics in relation to the identified 353 request target, and responds to that request with one or more 354 response messages. A client constructs request messages to 355 communicate specific intentions, examines received responses to see 356 if the intentions were carried out, and determines how to interpret 357 the results. 359 HTTP provides a uniform interface for interacting with a resource 360 (Section 2.5), regardless of its type, nature, or implementation, via 361 the manipulation and transfer of representations (Section 6). 363 This document defines semantics that are common to all versions of 364 HTTP. HTTP semantics include the intentions defined by each request 365 method (Section 7), extensions to those semantics that might be 366 described in request header fields (Section 8), the meaning of status 367 codes to indicate a machine-readable response (Section 9), and the 368 meaning of other control data and resource metadata that might be 369 given in response header fields (Section 10). 371 This document also defines representation metadata that describe how 372 a payload is intended to be interpreted by a recipient, the request 373 header fields that might influence content selection, and the various 374 selection algorithms that are collectively referred to as "content 375 negotiation" (Section 6.4). 377 This document defines HTTP range requests, partial responses, and the 378 multipart/byteranges media type. 380 This document obsoletes the portions of RFC 7230 that are independent 381 of the HTTP/1.1 messaging syntax and connection management, with the 382 changes being summarized in Appendix B. The other parts of RFC 7230 383 are obsoleted by "HTTP/1.1 Messaging" [Messaging]. This document 384 also obsoletes RFC 7231 (see Appendix C), RFC 7232 (see Appendix D), 385 RFC 7233 (see Appendix E), and RFC 7235 (see Appendix F). 387 1.1. Requirements Notation 389 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 390 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 391 document are to be interpreted as described in [RFC2119]. 393 Conformance criteria and considerations regarding error handling are 394 defined in Section 3. 396 1.2. Syntax Notation 398 This specification uses the Augmented Backus-Naur Form (ABNF) 399 notation of [RFC5234] with a list extension, defined in Section 11, 400 that allows for compact definition of comma-separated lists using a 401 '#' operator (similar to how the '*' operator indicates repetition). 402 Appendix A shows the collected grammar with all list operators 403 expanded to standard ABNF notation. 405 As a convention, ABNF rule names prefixed with "obs-" denote 406 "obsolete" grammar rules that appear for historical reasons. 408 The following core rules are included by reference, as defined in 409 Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return), 410 CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double 411 quote), HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF 412 (line feed), OCTET (any 8-bit sequence of data), SP (space), and 413 VCHAR (any visible US-ASCII character). 415 The rules below are defined in [Messaging]: 417 obs-fold = 418 protocol-name = 419 protocol-version = 420 request-target = 422 This specification uses the terms "character", "character encoding 423 scheme", "charset", and "protocol element" as they are defined in 424 [RFC6365]. 426 2. Architecture 428 HTTP was created for the World Wide Web (WWW) architecture and has 429 evolved over time to support the scalability needs of a worldwide 430 hypertext system. Much of that architecture is reflected in the 431 terminology and syntax productions used to define HTTP. 433 2.1. Client/Server Messaging 435 HTTP is a stateless request/response protocol that operates by 436 exchanging messages (Section 2 of [Messaging]) across a reliable 437 transport- or session-layer "connection" (Section 9 of [Messaging]). 438 An HTTP "client" is a program that establishes a connection to a 439 server for the purpose of sending one or more HTTP requests. An HTTP 440 "server" is a program that accepts connections in order to service 441 HTTP requests by sending HTTP responses. 443 The terms "client" and "server" refer only to the roles that these 444 programs perform for a particular connection. The same program might 445 act as a client on some connections and a server on others. The term 446 "user agent" refers to any of the various client programs that 447 initiate a request, including (but not limited to) browsers, spiders 448 (web-based robots), command-line tools, custom applications, and 449 mobile apps. The term "origin server" refers to the program that can 450 originate authoritative responses for a given target resource. The 451 terms "sender" and "recipient" refer to any implementation that sends 452 or receives a given message, respectively. 454 HTTP relies upon the Uniform Resource Identifier (URI) standard 455 [RFC3986] to indicate the target resource (Section 5.1) and 456 relationships between resources. 458 Most HTTP communication consists of a retrieval request (GET) for a 459 representation of some resource identified by a URI. In the simplest 460 case, this might be accomplished via a single bidirectional 461 connection (===) between the user agent (UA) and the origin server 462 (O). 464 request > 465 UA ======================================= O 466 < response 468 A client sends an HTTP request to a server in the form of a request 469 message, beginning with a request-line that includes a method, URI, 470 and protocol version (Section 3 of [Messaging]), followed by header 471 fields containing request modifiers, client information, and 472 representation metadata (Section 5 of [Messaging]), an empty line to 473 indicate the end of the header section, and finally a message body 474 containing the payload body (if any, Section 6 of [Messaging]). 476 A server responds to a client's request by sending one or more HTTP 477 response messages, each beginning with a status line that includes 478 the protocol version, a success or error code, and textual reason 479 phrase (Section 4 of [Messaging]), possibly followed by header fields 480 containing server information, resource metadata, and representation 481 metadata (Section 5 of [Messaging]), an empty line to indicate the 482 end of the header section, and finally a message body containing the 483 payload body (if any, Section 6 of [Messaging]). 485 A connection might be used for multiple request/response exchanges, 486 as defined in Section 9.3 of [Messaging]. 488 The following example illustrates a typical message exchange for a 489 GET request (Section 7.3.1) on the URI "http://www.example.com/ 490 hello.txt": 492 Client request: 494 GET /hello.txt HTTP/1.1 495 User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3 496 Host: www.example.com 497 Accept-Language: en, mi 499 Server response: 501 HTTP/1.1 200 OK 502 Date: Mon, 27 Jul 2009 12:28:53 GMT 503 Server: Apache 504 Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT 505 ETag: "34aa387-d-1568eb00" 506 Accept-Ranges: bytes 507 Content-Length: 51 508 Vary: Accept-Encoding 509 Content-Type: text/plain 511 Hello World! My payload includes a trailing CRLF. 513 2.2. Intermediaries 515 HTTP enables the use of intermediaries to satisfy requests through a 516 chain of connections. There are three common forms of HTTP 517 intermediary: proxy, gateway, and tunnel. In some cases, a single 518 intermediary might act as an origin server, proxy, gateway, or 519 tunnel, switching behavior based on the nature of each request. 521 > > > > 522 UA =========== A =========== B =========== C =========== O 523 < < < < 525 The figure above shows three intermediaries (A, B, and C) between the 526 user agent and origin server. A request or response message that 527 travels the whole chain will pass through four separate connections. 529 Some HTTP communication options might apply only to the connection 530 with the nearest, non-tunnel neighbor, only to the endpoints of the 531 chain, or to all connections along the chain. Although the diagram 532 is linear, each participant might be engaged in multiple, 533 simultaneous communications. For example, B might be receiving 534 requests from many clients other than A, and/or forwarding requests 535 to servers other than C, at the same time that it is handling A's 536 request. Likewise, later requests might be sent through a different 537 path of connections, often based on dynamic configuration for load 538 balancing. 540 The terms "upstream" and "downstream" are used to describe 541 directional requirements in relation to the message flow: all 542 messages flow from upstream to downstream. The terms "inbound" and 543 "outbound" are used to describe directional requirements in relation 544 to the request route: "inbound" means toward the origin server and 545 "outbound" means toward the user agent. 547 A "proxy" is a message-forwarding agent that is selected by the 548 client, usually via local configuration rules, to receive requests 549 for some type(s) of absolute URI and attempt to satisfy those 550 requests via translation through the HTTP interface. Some 551 translations are minimal, such as for proxy requests for "http" URIs, 552 whereas other requests might require translation to and from entirely 553 different application-level protocols. Proxies are often used to 554 group an organization's HTTP requests through a common intermediary 555 for the sake of security, annotation services, or shared caching. 556 Some proxies are designed to apply transformations to selected 557 messages or payloads while they are being forwarded, as described in 558 Section 5.6.2. 560 A "gateway" (a.k.a. "reverse proxy") is an intermediary that acts as 561 an origin server for the outbound connection but translates received 562 requests and forwards them inbound to another server or servers. 563 Gateways are often used to encapsulate legacy or untrusted 564 information services, to improve server performance through 565 "accelerator" caching, and to enable partitioning or load balancing 566 of HTTP services across multiple machines. 568 All HTTP requirements applicable to an origin server also apply to 569 the outbound communication of a gateway. A gateway communicates with 570 inbound servers using any protocol that it desires, including private 571 extensions to HTTP that are outside the scope of this specification. 572 However, an HTTP-to-HTTP gateway that wishes to interoperate with 573 third-party HTTP servers ought to conform to user agent requirements 574 on the gateway's inbound connection. 576 A "tunnel" acts as a blind relay between two connections without 577 changing the messages. Once active, a tunnel is not considered a 578 party to the HTTP communication, though the tunnel might have been 579 initiated by an HTTP request. A tunnel ceases to exist when both 580 ends of the relayed connection are closed. Tunnels are used to 581 extend a virtual connection through an intermediary, such as when 582 Transport Layer Security (TLS, [RFC5246]) is used to establish 583 confidential communication through a shared firewall proxy. 585 The above categories for intermediary only consider those acting as 586 participants in the HTTP communication. There are also 587 intermediaries that can act on lower layers of the network protocol 588 stack, filtering or redirecting HTTP traffic without the knowledge or 589 permission of message senders. Network intermediaries are 590 indistinguishable (at a protocol level) from a man-in-the-middle 591 attack, often introducing security flaws or interoperability problems 592 due to mistakenly violating HTTP semantics. 594 For example, an "interception proxy" [RFC3040] (also commonly known 595 as a "transparent proxy" [RFC1919] or "captive portal") differs from 596 an HTTP proxy because it is not selected by the client. Instead, an 597 interception proxy filters or redirects outgoing TCP port 80 packets 598 (and occasionally other common port traffic). Interception proxies 599 are commonly found on public network access points, as a means of 600 enforcing account subscription prior to allowing use of non-local 601 Internet services, and within corporate firewalls to enforce network 602 usage policies. 604 HTTP is defined as a stateless protocol, meaning that each request 605 message can be understood in isolation. Many implementations depend 606 on HTTP's stateless design in order to reuse proxied connections or 607 dynamically load balance requests across multiple servers. Hence, a 608 server MUST NOT assume that two requests on the same connection are 609 from the same user agent unless the connection is secured and 610 specific to that agent. Some non-standard HTTP extensions (e.g., 611 [RFC4559]) have been known to violate this requirement, resulting in 612 security and interoperability problems. 614 2.3. Caches 616 A "cache" is a local store of previous response messages and the 617 subsystem that controls its message storage, retrieval, and deletion. 618 A cache stores cacheable responses in order to reduce the response 619 time and network bandwidth consumption on future, equivalent 620 requests. Any client or server MAY employ a cache, though a cache 621 cannot be used by a server while it is acting as a tunnel. 623 The effect of a cache is that the request/response chain is shortened 624 if one of the participants along the chain has a cached response 625 applicable to that request. The following illustrates the resulting 626 chain if B has a cached copy of an earlier response from O (via C) 627 for a request that has not been cached by UA or A. 629 > > 630 UA =========== A =========== B - - - - - - C - - - - - - O 631 < < 633 A response is "cacheable" if a cache is allowed to store a copy of 634 the response message for use in answering subsequent requests. Even 635 when a response is cacheable, there might be additional constraints 636 placed by the client or by the origin server on when that cached 637 response can be used for a particular request. HTTP requirements for 638 cache behavior and cacheable responses are defined in Section 2 of 639 [Caching]. 641 There is a wide variety of architectures and configurations of caches 642 deployed across the World Wide Web and inside large organizations. 643 These include national hierarchies of proxy caches to save 644 transoceanic bandwidth, collaborative systems that broadcast or 645 multicast cache entries, archives of pre-fetched cache entries for 646 use in off-line or high-latency environments, and so on. 648 2.4. Uniform Resource Identifiers 650 Uniform Resource Identifiers (URIs) [RFC3986] are used throughout 651 HTTP as the means for identifying resources (Section 2.5). URI 652 references are used to target requests, indicate redirects, and 653 define relationships. 655 The definitions of "URI-reference", "absolute-URI", "relative-part", 656 "authority", "port", "host", "path-abempty", "segment", "query", and 657 "fragment" are adopted from the URI generic syntax. An "absolute- 658 path" rule is defined for protocol elements that can contain a non- 659 empty path component. (This rule differs slightly from the path- 660 abempty rule of RFC 3986, which allows for an empty path to be used 661 in references, and path-absolute rule, which does not allow paths 662 that begin with "//".) A "partial-URI" rule is defined for protocol 663 elements that can contain a relative URI but not a fragment 664 component. 666 URI-reference = 667 absolute-URI = 668 relative-part = 669 authority = 670 uri-host = 671 port = 672 path-abempty = 673 segment = 674 query = 675 fragment = 677 absolute-path = 1*( "/" segment ) 678 partial-URI = relative-part [ "?" query ] 680 Each protocol element in HTTP that allows a URI reference will 681 indicate in its ABNF production whether the element allows any form 682 of reference (URI-reference), only a URI in absolute form (absolute- 683 URI), only the path and optional query components, or some 684 combination of the above. Unless otherwise indicated, URI references 685 are parsed relative to the effective request URI (Section 5.3). 687 2.5. Resources 689 The target of an HTTP request is called a "resource". HTTP does not 690 limit the nature of a resource; it merely defines an interface that 691 might be used to interact with resources. Each resource is 692 identified by a Uniform Resource Identifier (URI), as described in 693 Section 2.4. 695 One design goal of HTTP is to separate resource identification from 696 request semantics, which is made possible by vesting the request 697 semantics in the request method (Section 7) and a few request- 698 modifying header fields (Section 8). If there is a conflict between 699 the method semantics and any semantic implied by the URI itself, as 700 described in Section 7.2.1, the method semantics take precedence. 702 IANA maintains the registry of URI Schemes [BCP35] at 703 . Although requests 704 might target any URI scheme, the following schemes are inherent to 705 HTTP servers: 707 +------------+------------------------------------+---------------+ 708 | URI Scheme | Description | Reference | 709 +------------+------------------------------------+---------------+ 710 | http | Hypertext Transfer Protocol | Section 2.5.1 | 711 | https | Hypertext Transfer Protocol Secure | Section 2.5.2 | 712 +------------+------------------------------------+---------------+ 714 2.5.1. http URI Scheme 716 The "http" URI scheme is hereby defined for the purpose of minting 717 identifiers according to their association with the hierarchical 718 namespace governed by a potential HTTP origin server listening for 719 TCP ([RFC0793]) connections on a given port. 721 http-URI = "http:" "//" authority path-abempty [ "?" query ] 722 [ "#" fragment ] 724 The origin server for an "http" URI is identified by the authority 725 component, which includes a host identifier and optional TCP port 726 ([RFC3986], Section 3.2.2). The hierarchical path component and 727 optional query component serve as an identifier for a potential 728 target resource within that origin server's name space. The optional 729 fragment component allows for indirect identification of a secondary 730 resource, independent of the URI scheme, as defined in Section 3.5 of 731 [RFC3986]. 733 A sender MUST NOT generate an "http" URI with an empty host 734 identifier. A recipient that processes such a URI reference MUST 735 reject it as invalid. 737 If the host identifier is provided as an IP address, the origin 738 server is the listener (if any) on the indicated TCP port at that IP 739 address. If host is a registered name, the registered name is an 740 indirect identifier for use with a name resolution service, such as 741 DNS, to find an address for that origin server. If the port 742 subcomponent is empty or not given, TCP port 80 (the reserved port 743 for WWW services) is the default. 745 Note that the presence of a URI with a given authority component does 746 not imply that there is always an HTTP server listening for 747 connections on that host and port. Anyone can mint a URI. What the 748 authority component determines is who has the right to respond 749 authoritatively to requests that target the identified resource. The 750 delegated nature of registered names and IP addresses creates a 751 federated namespace, based on control over the indicated host and 752 port, whether or not an HTTP server is present. See Section 12.1 for 753 security considerations related to establishing authority. 755 When an "http" URI is used within a context that calls for access to 756 the indicated resource, a client MAY attempt access by resolving the 757 host to an IP address, establishing a TCP connection to that address 758 on the indicated port, and sending an HTTP request message (Section 2 759 of [Messaging]) containing the URI's identifying data to the server. 760 If the server responds to that request with a non-interim HTTP 761 response message, as described in Section 9, then that response is 762 considered an authoritative answer to the client's request. 764 Although HTTP is independent of the transport protocol, the "http" 765 scheme is specific to TCP-based services because the name delegation 766 process depends on TCP for establishing authority. An HTTP service 767 based on some other underlying connection protocol would presumably 768 be identified using a different URI scheme, just as the "https" 769 scheme (below) is used for resources that require an end-to-end 770 secured connection. Other protocols might also be used to provide 771 access to "http" identified resources -- it is only the authoritative 772 interface that is specific to TCP. 774 The URI generic syntax for authority also includes a deprecated 775 userinfo subcomponent ([RFC3986], Section 3.2.1) for including user 776 authentication information in the URI. Some implementations make use 777 of the userinfo component for internal configuration of 778 authentication information, such as within command invocation 779 options, configuration files, or bookmark lists, even though such 780 usage might expose a user identifier or password. A sender MUST NOT 781 generate the userinfo subcomponent (and its "@" delimiter) when an 782 "http" URI reference is generated within a message as a request 783 target or header field value. Before making use of an "http" URI 784 reference received from an untrusted source, a recipient SHOULD parse 785 for userinfo and treat its presence as an error; it is likely being 786 used to obscure the authority for the sake of phishing attacks. 788 2.5.2. https URI Scheme 790 The "https" URI scheme is hereby defined for the purpose of minting 791 identifiers according to their association with the hierarchical 792 namespace governed by a potential HTTP origin server listening to a 793 given TCP port for TLS-secured connections ([RFC5246]). 795 All of the requirements listed above for the "http" scheme are also 796 requirements for the "https" scheme, except that TCP port 443 is the 797 default if the port subcomponent is empty or not given, and the user 798 agent MUST ensure that its connection to the origin server is secured 799 through the use of strong encryption, end-to-end, prior to sending 800 the first HTTP request. 802 https-URI = "https:" "//" authority path-abempty [ "?" query ] 803 [ "#" fragment ] 805 Note that the "https" URI scheme depends on both TLS and TCP for 806 establishing authority. Resources made available via the "https" 807 scheme have no shared identity with the "http" scheme even if their 808 resource identifiers indicate the same authority (the same host 809 listening to the same TCP port). They are distinct namespaces and 810 are considered to be distinct origin servers. However, an extension 811 to HTTP that is defined to apply to entire host domains, such as the 812 Cookie protocol [RFC6265], can allow information set by one service 813 to impact communication with other services within a matching group 814 of host domains. 816 The process for authoritative access to an "https" identified 817 resource is defined in [RFC2818]. 819 2.5.3. http and https URI Normalization and Comparison 821 Since the "http" and "https" schemes conform to the URI generic 822 syntax, such URIs are normalized and compared according to the 823 algorithm defined in Section 6 of [RFC3986], using the defaults 824 described above for each scheme. 826 If the port is equal to the default port for a scheme, the normal 827 form is to omit the port subcomponent. When not being used in 828 absolute form as the request target of an OPTIONS request, an empty 829 path component is equivalent to an absolute path of "/", so the 830 normal form is to provide a path of "/" instead. The scheme and host 831 are case-insensitive and normally provided in lowercase; all other 832 components are compared in a case-sensitive manner. Characters other 833 than those in the "reserved" set are equivalent to their percent- 834 encoded octets: the normal form is to not encode them (see Sections 835 2.1 and 2.2 of [RFC3986]). 837 For example, the following three URIs are equivalent: 839 http://example.com:80/~smith/home.html 840 http://EXAMPLE.com/%7Esmith/home.html 841 http://EXAMPLE.com:/%7esmith/home.html 843 3. Conformance 845 3.1. Implementation Diversity 847 When considering the design of HTTP, it is easy to fall into a trap 848 of thinking that all user agents are general-purpose browsers and all 849 origin servers are large public websites. That is not the case in 850 practice. Common HTTP user agents include household appliances, 851 stereos, scales, firmware update scripts, command-line programs, 852 mobile apps, and communication devices in a multitude of shapes and 853 sizes. Likewise, common HTTP origin servers include home automation 854 units, configurable networking components, office machines, 855 autonomous robots, news feeds, traffic cameras, ad selectors, and 856 video-delivery platforms. 858 The term "user agent" does not imply that there is a human user 859 directly interacting with the software agent at the time of a 860 request. In many cases, a user agent is installed or configured to 861 run in the background and save its results for later inspection (or 862 save only a subset of those results that might be interesting or 863 erroneous). Spiders, for example, are typically given a start URI 864 and configured to follow certain behavior while crawling the Web as a 865 hypertext graph. 867 The implementation diversity of HTTP means that not all user agents 868 can make interactive suggestions to their user or provide adequate 869 warning for security or privacy concerns. In the few cases where 870 this specification requires reporting of errors to the user, it is 871 acceptable for such reporting to only be observable in an error 872 console or log file. Likewise, requirements that an automated action 873 be confirmed by the user before proceeding might be met via advance 874 configuration choices, run-time options, or simple avoidance of the 875 unsafe action; confirmation does not imply any specific user 876 interface or interruption of normal processing if the user has 877 already made that choice. 879 3.2. Role-based Requirements 881 This specification targets conformance criteria according to the role 882 of a participant in HTTP communication. Hence, HTTP requirements are 883 placed on senders, recipients, clients, servers, user agents, 884 intermediaries, origin servers, proxies, gateways, or caches, 885 depending on what behavior is being constrained by the requirement. 886 Additional (social) requirements are placed on implementations, 887 resource owners, and protocol element registrations when they apply 888 beyond the scope of a single communication. 890 The verb "generate" is used instead of "send" where a requirement 891 differentiates between creating a protocol element and merely 892 forwarding a received element downstream. 894 An implementation is considered conformant if it complies with all of 895 the requirements associated with the roles it partakes in HTTP. 897 Conformance includes both the syntax and semantics of protocol 898 elements. A sender MUST NOT generate protocol elements that convey a 899 meaning that is known by that sender to be false. A sender MUST NOT 900 generate protocol elements that do not match the grammar defined by 901 the corresponding ABNF rules. Within a given message, a sender MUST 902 NOT generate protocol elements or syntax alternatives that are only 903 allowed to be generated by participants in other roles (i.e., a role 904 that the sender does not have for that message). 906 3.3. Parsing Elements 908 When a received protocol element is parsed, the recipient MUST be 909 able to parse any value of reasonable length that is applicable to 910 the recipient's role and that matches the grammar defined by the 911 corresponding ABNF rules. Note, however, that some received protocol 912 elements might not be parsed. For example, an intermediary 913 forwarding a message might parse a header-field into generic field- 914 name and field-value components, but then forward the header field 915 without further parsing inside the field-value. 917 HTTP does not have specific length limitations for many of its 918 protocol elements because the lengths that might be appropriate will 919 vary widely, depending on the deployment context and purpose of the 920 implementation. Hence, interoperability between senders and 921 recipients depends on shared expectations regarding what is a 922 reasonable length for each protocol element. Furthermore, what is 923 commonly understood to be a reasonable length for some protocol 924 elements has changed over the course of the past two decades of HTTP 925 use and is expected to continue changing in the future. 927 At a minimum, a recipient MUST be able to parse and process protocol 928 element lengths that are at least as long as the values that it 929 generates for those same protocol elements in other messages. For 930 example, an origin server that publishes very long URI references to 931 its own resources needs to be able to parse and process those same 932 references when received as a request target. 934 3.4. Error Handling 936 A recipient MUST interpret a received protocol element according to 937 the semantics defined for it by this specification, including 938 extensions to this specification, unless the recipient has determined 939 (through experience or configuration) that the sender incorrectly 940 implements what is implied by those semantics. For example, an 941 origin server might disregard the contents of a received Accept- 942 Encoding header field if inspection of the User-Agent header field 943 indicates a specific implementation version that is known to fail on 944 receipt of certain content codings. 946 Unless noted otherwise, a recipient MAY attempt to recover a usable 947 protocol element from an invalid construct. HTTP does not define 948 specific error handling mechanisms except when they have a direct 949 impact on security, since different applications of the protocol 950 require different error handling strategies. For example, a Web 951 browser might wish to transparently recover from a response where the 952 Location header field doesn't parse according to the ABNF, whereas a 953 systems control client might consider any form of error recovery to 954 be dangerous. 956 3.5. Protocol Versioning 958 The HTTP version number consists of two decimal digits separated by a 959 "." (period or decimal point). The first digit ("major version") 960 indicates the HTTP messaging syntax, whereas the second digit ("minor 961 version") indicates the highest minor version within that major 962 version to which the sender is conformant and able to understand for 963 future communication. 965 The protocol version as a whole indicates the sender's conformance 966 with the set of requirements laid out in that version's corresponding 967 specification of HTTP. For example, the version "HTTP/1.1" is 968 defined by the combined specifications of this document, "HTTP 969 Caching" [Caching], and "HTTP/1.1 Messaging" [Messaging]. 971 The minor version advertises the sender's communication capabilities 972 even when the sender is only using a backwards-compatible subset of 973 the protocol, thereby letting the recipient know that more advanced 974 features can be used in response (by servers) or in future requests 975 (by clients). 977 A client SHOULD send a request version equal to the highest version 978 to which the client is conformant and whose major version is no 979 higher than the highest version supported by the server, if this is 980 known. A client MUST NOT send a version to which it is not 981 conformant. 983 A client MAY send a lower request version if it is known that the 984 server incorrectly implements the HTTP specification, but only after 985 the client has attempted at least one normal request and determined 986 from the response status code or header fields (e.g., Server) that 987 the server improperly handles higher request versions. 989 A server SHOULD send a response version equal to the highest version 990 to which the server is conformant that has a major version less than 991 or equal to the one received in the request. A server MUST NOT send 992 a version to which it is not conformant. A server can send a 505 993 (HTTP Version Not Supported) response if it wishes, for any reason, 994 to refuse service of the client's major protocol version. 996 HTTP's major version number is incremented when an incompatible 997 message syntax is introduced. The minor number is incremented when 998 changes made to the protocol have the effect of adding to the message 999 semantics or implying additional capabilities of the sender. 1001 When an HTTP message is received with a major version number that the 1002 recipient implements, but a higher minor version number than what the 1003 recipient implements, the recipient SHOULD process the message as if 1004 it were in the highest minor version within that major version to 1005 which the recipient is conformant. A recipient can assume that a 1006 message with a higher minor version, when sent to a recipient that 1007 has not yet indicated support for that higher version, is 1008 sufficiently backwards-compatible to be safely processed by any 1009 implementation of the same major version. 1011 [[CREF1: When a major version of HTTP does not define any minor 1012 versions, the minor version "0" is implied and ought to be used when 1013 referring to that protocol within a protocol element that requires 1014 sending a minor version. ]] 1016 4. Message Abstraction 1018 Each major version of HTTP defines its own syntax for the inclusion 1019 of information in messages. Nevertheless, a common abstraction is 1020 that a message includes some form of envelope/framing, a potential 1021 set of named data fields, and a potential body. This section defines 1022 the abstraction for message fields as field-name and field-value 1023 pairs. 1025 4.1. Field Names 1027 Header fields are key:value pairs that can be used to communicate 1028 data about the message, its payload, the target resource, or the 1029 connection (i.e., control data). 1031 The requirements for header field names are defined in [BCP90]. 1033 The field-name token labels the corresponding field-value as having 1034 the semantics defined by that header field. For example, the Date 1035 header field is defined in Section 10.1.1.2 as containing the 1036 origination timestamp for the message in which it appears. 1038 field-name = token 1040 The interpretation of a header field does not change between minor 1041 versions of the same major HTTP version, though the default behavior 1042 of a recipient in the absence of such a field can change. Unless 1043 specified otherwise, header fields are defined for all versions of 1044 HTTP. In particular, the Host and Connection header fields ought to 1045 be implemented by all HTTP/1.x implementations whether or not they 1046 advertise conformance with HTTP/1.1. 1048 New header fields can be introduced without changing the protocol 1049 version if their defined semantics allow them to be safely ignored by 1050 recipients that do not recognize them. Header field extensibility is 1051 discussed in Section 4.1.2. 1053 The following field names are defined by this document: 1055 +---------------------+----------+----------+-------------------+ 1056 | Header Field Name | Protocol | Status | Reference | 1057 +---------------------+----------+----------+-------------------+ 1058 | Accept | http | standard | Section 8.4.2 | 1059 | Accept-Charset | http | standard | Section 8.4.3 | 1060 | Accept-Encoding | http | standard | Section 8.4.4 | 1061 | Accept-Language | http | standard | Section 8.4.5 | 1062 | Accept-Ranges | http | standard | Section 10.4.1 | 1063 | Allow | http | standard | Section 10.4.2 | 1064 | Authorization | http | standard | Section 8.5.3 | 1065 | Content-Encoding | http | standard | Section 6.2.2 | 1066 | Content-Language | http | standard | Section 6.2.3 | 1067 | Content-Length | http | standard | Section 6.2.4 | 1068 | Content-Location | http | standard | Section 6.2.5 | 1069 | Content-Range | http | standard | Section 6.3.3 | 1070 | Content-Type | http | standard | Section 6.2.1 | 1071 | Date | http | standard | Section 10.1.1.2 | 1072 | ETag | http | standard | Section 10.2.3 | 1073 | Expect | http | standard | Section 8.1.1 | 1074 | From | http | standard | Section 8.6.1 | 1075 | Host | http | standard | Section 5.4 | 1076 | If-Match | http | standard | Section 8.2.3 | 1077 | If-Modified-Since | http | standard | Section 8.2.5 | 1078 | If-None-Match | http | standard | Section 8.2.4 | 1079 | If-Range | http | standard | Section 8.2.7 | 1080 | If-Unmodified-Since | http | standard | Section 8.2.6 | 1081 | Last-Modified | http | standard | Section 10.2.2 | 1082 | Location | http | standard | Section 10.1.2 | 1083 | Max-Forwards | http | standard | Section 8.1.2 | 1084 | Proxy-Authenticate | http | standard | Section 10.3.2 | 1085 | Proxy-Authorization | http | standard | Section 8.5.4 | 1086 | Range | http | standard | Section 8.3 | 1087 | Referer | http | standard | Section 8.6.2 | 1088 | Retry-After | http | standard | Section 10.1.3 | 1089 | Server | http | standard | Section 10.4.3 | 1090 | Trailer | http | standard | Section 4.4 | 1091 | User-Agent | http | standard | Section 8.6.3 | 1092 | Vary | http | standard | Section 10.1.4 | 1093 | Via | http | standard | Section 5.6.1 | 1094 | WWW-Authenticate | http | standard | Section 10.3.1 | 1095 +---------------------+----------+----------+-------------------+ 1097 4.1.1. Field Name Registry 1099 HTTP header fields are registered within the "Message Headers" 1100 registry located at , as defined by [BCP90], with the protocol "http". 1103 4.1.2. Field Extensibility 1105 Header fields are fully extensible: there is no limit on the 1106 introduction of new field names, each presumably defining new 1107 semantics, nor on the number of header fields used in a given 1108 message. Existing fields are defined in each part of this 1109 specification and in many other specifications outside this document 1110 set. 1112 New header fields can be defined such that, when they are understood 1113 by a recipient, they might override or enhance the interpretation of 1114 previously defined header fields, define preconditions on request 1115 evaluation, or refine the meaning of responses. 1117 A proxy MUST forward unrecognized header fields unless the field-name 1118 is listed in the Connection header field (Section 9.1 of [Messaging]) 1119 or the proxy is specifically configured to block, or otherwise 1120 transform, such fields. Other recipients SHOULD ignore unrecognized 1121 header fields. These requirements allow HTTP's functionality to be 1122 enhanced without requiring prior update of deployed intermediaries. 1124 All defined header fields ought to be registered with IANA in the 1125 "Message Headers" registry. 1127 4.1.3. Considerations for New Fields 1129 Authors of specifications defining new fields are advised to keep the 1130 name as short as practical and not to prefix the name with "X-" 1131 unless the header field will never be used on the Internet. (The 1132 "X-" prefix idiom has been extensively misused in practice; it was 1133 intended to only be used as a mechanism for avoiding name collisions 1134 inside proprietary software or intranet processing, since the prefix 1135 would ensure that private names never collide with a newly registered 1136 Internet name; see [BCP178] for further information). 1138 Authors of specifications defining new header fields are advised to 1139 consider documenting: 1141 o Whether the field is a single value or whether it can be a list 1142 (delimited by commas; see Section 5 of [Messaging]). 1144 If it does not use the list syntax, document how to treat messages 1145 where the field occurs multiple times (a sensible default would be 1146 to ignore the field, but this might not always be the right 1147 choice). 1149 Note that intermediaries and software libraries might combine 1150 multiple header field instances into a single one, despite the 1151 field's definition not allowing the list syntax. A robust format 1152 enables recipients to discover these situations (good example: 1153 "Content-Type", as the comma can only appear inside quoted 1154 strings; bad example: "Location", as a comma can occur inside a 1155 URI). 1157 o Under what conditions the header field can be used; e.g., only in 1158 responses or requests, in all messages, only on responses to a 1159 particular request method, etc. 1161 o Whether the field should be stored by origin servers that 1162 understand it upon a PUT request. 1164 o Whether the field semantics are further refined by the context, 1165 such as by existing request methods or status codes. 1167 o Whether it is appropriate to list the field-name in the Connection 1168 header field (i.e., if the header field is to be hop-by-hop; see 1169 Section 9.1 of [Messaging]). 1171 o Under what conditions intermediaries are allowed to insert, 1172 delete, or modify the field's value. 1174 o Whether it is appropriate to list the field-name in a Vary 1175 response header field (e.g., when the request header field is used 1176 by an origin server's content selection algorithm; see 1177 Section 10.1.4). 1179 o Whether the header field is useful or allowable in trailers (see 1180 Section 7.1 of [Messaging]). 1182 o Whether the header field ought to be preserved across redirects. 1184 o Whether it introduces any additional security considerations, such 1185 as disclosure of privacy-related data. 1187 4.2. Field Values 1189 This specification does not use ABNF rules to define each "Field- 1190 Name: Field Value" pair, as was done in earlier editions. Instead, 1191 this specification uses ABNF rules that are named according to each 1192 registered field name, wherein the rule defines the valid grammar for 1193 that field's corresponding field values (i.e., after the field-value 1194 has been extracted by a generic field parser). 1196 field-value = *( field-content / obs-fold ) 1197 field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] 1198 field-vchar = VCHAR / obs-text 1200 Historically, HTTP header field values could be extended over 1201 multiple lines by preceding each extra line with at least one space 1202 or horizontal tab (obs-fold). [[CREF2: This document assumes that 1203 any such obs-fold has been replaced with one or more SP octets prior 1204 to interpreting the field value, as described in Section 5.2 of 1205 [Messaging].]] 1207 Historically, HTTP has allowed field content with text in the 1208 ISO-8859-1 charset [ISO-8859-1], supporting other charsets only 1209 through use of [RFC2047] encoding. In practice, most HTTP header 1210 field values use only a subset of the US-ASCII charset [USASCII]. 1211 Newly defined header fields SHOULD limit their field values to 1212 US-ASCII octets. A recipient SHOULD treat other octets in field 1213 content (obs-text) as opaque data. 1215 4.2.1. Field Order 1217 The order in which header fields with differing field names are 1218 received is not significant. However, it is good practice to send 1219 header fields that contain control data first, such as Host on 1220 requests and Date on responses, so that implementations can decide 1221 when not to handle a message as early as possible. A server MUST NOT 1222 apply a request to the target resource until the entire request 1223 header section is received, since later header fields might include 1224 conditionals, authentication credentials, or deliberately misleading 1225 duplicate header fields that would impact request processing. 1227 A sender MUST NOT generate multiple header fields with the same field 1228 name in a message unless either the entire field value for that 1229 header field is defined as a comma-separated list [i.e., #(values)] 1230 or the header field is a well-known exception (as noted below). 1232 A recipient MAY combine multiple header fields with the same field 1233 name into one "field-name: field-value" pair, without changing the 1234 semantics of the message, by appending each subsequent field value to 1235 the combined field value in order, separated by a comma. The order 1236 in which header fields with the same field name are received is 1237 therefore significant to the interpretation of the combined field 1238 value; a proxy MUST NOT change the order of these field values when 1239 forwarding a message. 1241 Note: In practice, the "Set-Cookie" header field ([RFC6265]) often 1242 appears multiple times in a response message and does not use the 1243 list syntax, violating the above requirements on multiple header 1244 fields with the same name. Since it cannot be combined into a 1245 single field-value, recipients ought to handle "Set-Cookie" as a 1246 special case while processing header fields. (See Appendix A.2.3 1247 of [Kri2001] for details.) 1249 4.2.2. Field Limits 1251 HTTP does not place a predefined limit on the length of each header 1252 field or on the length of the header section as a whole, as described 1253 in Section 3. Various ad hoc limitations on individual header field 1254 length are found in practice, often depending on the specific field 1255 semantics. 1257 A server that receives a request header field, or set of fields, 1258 larger than it wishes to process MUST respond with an appropriate 4xx 1259 (Client Error) status code. Ignoring such header fields would 1260 increase the server's vulnerability to request smuggling attacks 1261 (Section 11.2 of [Messaging]). 1263 A client MAY discard or truncate received header fields that are 1264 larger than the client wishes to process if the field semantics are 1265 such that the dropped value(s) can be safely ignored without changing 1266 the message framing or response semantics. 1268 4.2.3. Field Value Components 1270 Most HTTP header field values are defined using common syntax 1271 components (token, quoted-string, and comment) separated by 1272 whitespace or specific delimiting characters. Delimiters are chosen 1273 from the set of US-ASCII visual characters not allowed in a token 1274 (DQUOTE and "(),/:;<=>?@[\]{}"). 1276 token = 1*tchar 1278 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" 1279 / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" 1280 / DIGIT / ALPHA 1281 ; any VCHAR, except delimiters 1283 A string of text is parsed as a single value if it is quoted using 1284 double-quote marks. 1286 quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE 1287 qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text 1288 obs-text = %x80-FF 1290 Comments can be included in some HTTP header fields by surrounding 1291 the comment text with parentheses. Comments are only allowed in 1292 fields containing "comment" as part of their field value definition. 1294 comment = "(" *( ctext / quoted-pair / comment ) ")" 1295 ctext = HTAB / SP / %x21-27 / %x2A-5B / %x5D-7E / obs-text 1297 The backslash octet ("\") can be used as a single-octet quoting 1298 mechanism within quoted-string and comment constructs. Recipients 1299 that process the value of a quoted-string MUST handle a quoted-pair 1300 as if it were replaced by the octet following the backslash. 1302 quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) 1304 A sender SHOULD NOT generate a quoted-pair in a quoted-string except 1305 where necessary to quote DQUOTE and backslash octets occurring within 1306 that string. A sender SHOULD NOT generate a quoted-pair in a comment 1307 except where necessary to quote parentheses ["(" and ")"] and 1308 backslash octets occurring within that comment. 1310 4.2.4. Designing New Field Values 1312 New header field values typically have their syntax defined using 1313 ABNF ([RFC5234]), using the extension defined in Section 11 as 1314 necessary, and are usually constrained to the range of US-ASCII 1315 characters. Header fields needing a greater range of characters can 1316 use an encoding such as the one defined in [RFC8187]. 1318 Leading and trailing whitespace in raw field values is removed upon 1319 field parsing (Section 5.1 of [Messaging]). Field definitions where 1320 leading or trailing whitespace in values is significant will have to 1321 use a container syntax such as quoted-string (Section 4.2.3). 1323 Because commas (",") are used as a generic delimiter between field- 1324 values, they need to be treated with care if they are allowed in the 1325 field-value. Typically, components that might contain a comma are 1326 protected with double-quotes using the quoted-string ABNF production. 1328 For example, a textual date and a URI (either of which might contain 1329 a comma) could be safely carried in field-values like these: 1331 Example-URI-Field: "http://example.com/a.html,foo", 1332 "http://without-a-comma.example.com/" 1333 Example-Date-Field: "Sat, 04 May 1996", "Wed, 14 Sep 2005" 1335 Note that double-quote delimiters almost always are used with the 1336 quoted-string production; using a different syntax inside double- 1337 quotes will likely cause unnecessary confusion. 1339 Many header fields use a format including (case-insensitively) named 1340 parameters (for instance, Content-Type, defined in Section 6.2.1). 1341 Allowing both unquoted (token) and quoted (quoted-string) syntax for 1342 the parameter value enables recipients to use existing parser 1343 components. When allowing both forms, the meaning of a parameter 1344 value ought to be independent of the syntax used for it (for an 1345 example, see the notes on parameter handling for media types in 1346 Section 6.1.1). 1348 4.3. Whitespace 1350 This specification uses three rules to denote the use of linear 1351 whitespace: OWS (optional whitespace), RWS (required whitespace), and 1352 BWS ("bad" whitespace). 1354 The OWS rule is used where zero or more linear whitespace octets 1355 might appear. For protocol elements where optional whitespace is 1356 preferred to improve readability, a sender SHOULD generate the 1357 optional whitespace as a single SP; otherwise, a sender SHOULD NOT 1358 generate optional whitespace except as needed to white out invalid or 1359 unwanted protocol elements during in-place message filtering. 1361 The RWS rule is used when at least one linear whitespace octet is 1362 required to separate field tokens. A sender SHOULD generate RWS as a 1363 single SP. 1365 The BWS rule is used where the grammar allows optional whitespace 1366 only for historical reasons. A sender MUST NOT generate BWS in 1367 messages. A recipient MUST parse for such bad whitespace and remove 1368 it before interpreting the protocol element. 1370 OWS = *( SP / HTAB ) 1371 ; optional whitespace 1372 RWS = 1*( SP / HTAB ) 1373 ; required whitespace 1374 BWS = OWS 1375 ; "bad" whitespace 1377 4.4. Trailer 1379 [[CREF3: The "Trailer" header field in a message indicates fields 1380 that the sender anticipates sending after the message header block 1381 (i.e., during or after the payload is sent). This is typically used 1382 to supply metadata that might be dynamically generated while the data 1383 is sent, such as a message integrity check, digital signature, or 1384 post-processing status. ]] 1386 Trailer = 1#field-name 1388 [[CREF4: How, where, and when trailer fields might be sent depends on 1389 both the protocol in use (HTTP version and/or transfer coding) and 1390 the semantics of each named header field. Many header fields cannot 1391 be processed outside the header section because their evaluation is 1392 necessary for message routing, authentication, or configuration prior 1393 to receiving the representation data. ]] 1395 5. Message Routing 1397 HTTP request message routing is determined by each client based on 1398 the target resource, the client's proxy configuration, and 1399 establishment or reuse of an inbound connection. The corresponding 1400 response routing follows the same connection chain back to the 1401 client. 1403 5.1. Identifying a Target Resource 1405 HTTP is used in a wide variety of applications, ranging from general- 1406 purpose computers to home appliances. In some cases, communication 1407 options are hard-coded in a client's configuration. However, most 1408 HTTP clients rely on the same resource identification mechanism and 1409 configuration techniques as general-purpose Web browsers. 1411 HTTP communication is initiated by a user agent for some purpose. 1412 The purpose is a combination of request semantics and a target 1413 resource upon which to apply those semantics. A URI reference 1414 (Section 2.4) is typically used as an identifier for the "target 1415 resource", which a user agent would resolve to its absolute form in 1416 order to obtain the "target URI". The target URI excludes the 1417 reference's fragment component, if any, since fragment identifiers 1418 are reserved for client-side processing ([RFC3986], Section 3.5). 1420 5.2. Routing Inbound 1422 Once the target URI is determined, a client needs to decide whether a 1423 network request is necessary to accomplish the desired semantics and, 1424 if so, where that request is to be directed. 1426 If the client has a cache [Caching] and the request can be satisfied 1427 by it, then the request is usually directed there first. 1429 If the request is not satisfied by a cache, then a typical client 1430 will check its configuration to determine whether a proxy is to be 1431 used to satisfy the request. Proxy configuration is implementation- 1432 dependent, but is often based on URI prefix matching, selective 1433 authority matching, or both, and the proxy itself is usually 1434 identified by an "http" or "https" URI. If a proxy is applicable, 1435 the client connects inbound by establishing (or reusing) a connection 1436 to that proxy. 1438 If no proxy is applicable, a typical client will invoke a handler 1439 routine, usually specific to the target URI's scheme, to connect 1440 directly to an authority for the target resource. How that is 1441 accomplished is dependent on the target URI scheme and defined by its 1442 associated specification, similar to how this specification defines 1443 origin server access for resolution of the "http" (Section 2.5.1) and 1444 "https" (Section 2.5.2) schemes. 1446 HTTP requirements regarding connection management are defined in 1447 Section 9 of [Messaging]. 1449 5.3. Effective Request URI 1451 Once an inbound connection is obtained, the client sends an HTTP 1452 request message (Section 2 of [Messaging]). 1454 Depending on the nature of the request, the client's target URI might 1455 be split into components and transmitted (or implied) within various 1456 parts of a request message. These parts are recombined by each 1457 recipient, in accordance with their local configuration and incoming 1458 connection context, to form an "effective request URI" for 1459 identifying the intended target resource with respect to that server. 1460 Section 3.3 of [Messaging] defines how a server determines the 1461 effective request URI for an HTTP/1.1 request. 1463 For a user agent, the effective request URI is the target URI. 1465 Once the effective request URI has been constructed, an origin server 1466 needs to decide whether or not to provide service for that URI via 1467 the connection in which the request was received. For example, the 1468 request might have been misdirected, deliberately or accidentally, 1469 such that the information within a received request-target or Host 1470 header field differs from the host or port upon which the connection 1471 has been made. If the connection is from a trusted gateway, that 1472 inconsistency might be expected; otherwise, it might indicate an 1473 attempt to bypass security filters, trick the server into delivering 1474 non-public content, or poison a cache. See Section 12 for security 1475 considerations regarding message routing. 1477 5.4. Host 1479 The "Host" header field in a request provides the host and port 1480 information from the target URI, enabling the origin server to 1481 distinguish among resources while servicing requests for multiple 1482 host names on a single IP address. 1484 Host = uri-host [ ":" port ] ; Section 2.4 1486 A client MUST send a Host header field in all HTTP/1.1 request 1487 messages. If the target URI includes an authority component, then a 1488 client MUST send a field-value for Host that is identical to that 1489 authority component, excluding any userinfo subcomponent and its "@" 1490 delimiter (Section 2.5.1). If the authority component is missing or 1491 undefined for the target URI, then a client MUST send a Host header 1492 field with an empty field-value. 1494 Since the Host field-value is critical information for handling a 1495 request, a user agent SHOULD generate Host as the first header field 1496 following the request-line. 1498 For example, a GET request to the origin server for 1499 would begin with: 1501 GET /pub/WWW/ HTTP/1.1 1502 Host: www.example.org 1504 A client MUST send a Host header field in an HTTP/1.1 request even if 1505 the request-target is in the absolute-form, since this allows the 1506 Host information to be forwarded through ancient HTTP/1.0 proxies 1507 that might not have implemented Host. 1509 When a proxy receives a request with an absolute-form of request- 1510 target, the proxy MUST ignore the received Host header field (if any) 1511 and instead replace it with the host information of the request- 1512 target. A proxy that forwards such a request MUST generate a new 1513 Host field-value based on the received request-target rather than 1514 forward the received Host field-value. 1516 Since the Host header field acts as an application-level routing 1517 mechanism, it is a frequent target for malware seeking to poison a 1518 shared cache or redirect a request to an unintended server. An 1519 interception proxy is particularly vulnerable if it relies on the 1520 Host field-value for redirecting requests to internal servers, or for 1521 use as a cache key in a shared cache, without first verifying that 1522 the intercepted connection is targeting a valid IP address for that 1523 host. 1525 A server MUST respond with a 400 (Bad Request) status code to any 1526 HTTP/1.1 request message that lacks a Host header field and to any 1527 request message that contains more than one Host header field or a 1528 Host header field with an invalid field-value. 1530 5.5. Associating a Response to a Request 1532 HTTP does not include a request identifier for associating a given 1533 request message with its corresponding one or more response messages. 1534 Hence, it relies on the order of response arrival to correspond 1535 exactly to the order in which requests are made on the same 1536 connection. More than one response message per request only occurs 1537 when one or more informational responses (1xx, see Section 9.2) 1538 precede a final response to the same request. 1540 A client that has more than one outstanding request on a connection 1541 MUST maintain a list of outstanding requests in the order sent and 1542 MUST associate each received response message on that connection to 1543 the highest ordered request that has not yet received a final (non- 1544 1xx) response. 1546 5.6. Message Forwarding 1548 As described in Section 2.2, intermediaries can serve a variety of 1549 roles in the processing of HTTP requests and responses. Some 1550 intermediaries are used to improve performance or availability. 1551 Others are used for access control or to filter content. Since an 1552 HTTP stream has characteristics similar to a pipe-and-filter 1553 architecture, there are no inherent limits to the extent an 1554 intermediary can enhance (or interfere) with either direction of the 1555 stream. 1557 An intermediary not acting as a tunnel MUST implement the Connection 1558 header field, as specified in Section 9.1 of [Messaging], and exclude 1559 fields from being forwarded that are only intended for the incoming 1560 connection. 1562 An intermediary MUST NOT forward a message to itself unless it is 1563 protected from an infinite request loop. In general, an intermediary 1564 ought to recognize its own server names, including any aliases, local 1565 variations, or literal IP addresses, and respond to such requests 1566 directly. 1568 An HTTP message can be parsed as a stream for incremental processing 1569 or forwarding downstream. However, recipients cannot rely on 1570 incremental delivery of partial messages, since some implementations 1571 will buffer or delay message forwarding for the sake of network 1572 efficiency, security checks, or payload transformations. 1574 5.6.1. Via 1576 The "Via" header field indicates the presence of intermediate 1577 protocols and recipients between the user agent and the server (on 1578 requests) or between the origin server and the client (on responses), 1579 similar to the "Received" header field in email (Section 3.6.7 of 1580 [RFC5322]). Via can be used for tracking message forwards, avoiding 1581 request loops, and identifying the protocol capabilities of senders 1582 along the request/response chain. 1584 Via = 1#( received-protocol RWS received-by [ RWS comment ] ) 1586 received-protocol = [ protocol-name "/" ] protocol-version 1587 ; see [Messaging], Section 9.7 1588 received-by = ( uri-host [ ":" port ] ) / pseudonym 1589 pseudonym = token 1591 Multiple Via field values represent each proxy or gateway that has 1592 forwarded the message. Each intermediary appends its own information 1593 about how the message was received, such that the end result is 1594 ordered according to the sequence of forwarding recipients. 1596 A proxy MUST send an appropriate Via header field, as described 1597 below, in each message that it forwards. An HTTP-to-HTTP gateway 1598 MUST send an appropriate Via header field in each inbound request 1599 message and MAY send a Via header field in forwarded response 1600 messages. 1602 For each intermediary, the received-protocol indicates the protocol 1603 and protocol version used by the upstream sender of the message. 1604 Hence, the Via field value records the advertised protocol 1605 capabilities of the request/response chain such that they remain 1606 visible to downstream recipients; this can be useful for determining 1607 what backwards-incompatible features might be safe to use in 1608 response, or within a later request, as described in Section 3.5. 1609 For brevity, the protocol-name is omitted when the received protocol 1610 is HTTP. 1612 The received-by portion of the field value is normally the host and 1613 optional port number of a recipient server or client that 1614 subsequently forwarded the message. However, if the real host is 1615 considered to be sensitive information, a sender MAY replace it with 1616 a pseudonym. If a port is not provided, a recipient MAY interpret 1617 that as meaning it was received on the default TCP port, if any, for 1618 the received-protocol. 1620 A sender MAY generate comments in the Via header field to identify 1621 the software of each recipient, analogous to the User-Agent and 1622 Server header fields. However, all comments in the Via field are 1623 optional, and a recipient MAY remove them prior to forwarding the 1624 message. 1626 For example, a request message could be sent from an HTTP/1.0 user 1627 agent to an internal proxy code-named "fred", which uses HTTP/1.1 to 1628 forward the request to a public proxy at p.example.net, which 1629 completes the request by forwarding it to the origin server at 1630 www.example.com. The request received by www.example.com would then 1631 have the following Via header field: 1633 Via: 1.0 fred, 1.1 p.example.net 1635 An intermediary used as a portal through a network firewall SHOULD 1636 NOT forward the names and ports of hosts within the firewall region 1637 unless it is explicitly enabled to do so. If not enabled, such an 1638 intermediary SHOULD replace each received-by host of any host behind 1639 the firewall by an appropriate pseudonym for that host. 1641 An intermediary MAY combine an ordered subsequence of Via header 1642 field entries into a single such entry if the entries have identical 1643 received-protocol values. For example, 1645 Via: 1.0 ricky, 1.1 ethel, 1.1 fred, 1.0 lucy 1647 could be collapsed to 1649 Via: 1.0 ricky, 1.1 mertz, 1.0 lucy 1651 A sender SHOULD NOT combine multiple entries unless they are all 1652 under the same organizational control and the hosts have already been 1653 replaced by pseudonyms. A sender MUST NOT combine entries that have 1654 different received-protocol values. 1656 5.6.2. Transformations 1658 Some intermediaries include features for transforming messages and 1659 their payloads. A proxy might, for example, convert between image 1660 formats in order to save cache space or to reduce the amount of 1661 traffic on a slow link. However, operational problems might occur 1662 when these transformations are applied to payloads intended for 1663 critical applications, such as medical imaging or scientific data 1664 analysis, particularly when integrity checks or digital signatures 1665 are used to ensure that the payload received is identical to the 1666 original. 1668 An HTTP-to-HTTP proxy is called a "transforming proxy" if it is 1669 designed or configured to modify messages in a semantically 1670 meaningful way (i.e., modifications, beyond those required by normal 1671 HTTP processing, that change the message in a way that would be 1672 significant to the original sender or potentially significant to 1673 downstream recipients). For example, a transforming proxy might be 1674 acting as a shared annotation server (modifying responses to include 1675 references to a local annotation database), a malware filter, a 1676 format transcoder, or a privacy filter. Such transformations are 1677 presumed to be desired by whichever client (or client organization) 1678 selected the proxy. 1680 If a proxy receives a request-target with a host name that is not a 1681 fully qualified domain name, it MAY add its own domain to the host 1682 name it received when forwarding the request. A proxy MUST NOT 1683 change the host name if the request-target contains a fully qualified 1684 domain name. 1686 A proxy MUST NOT modify the "absolute-path" and "query" parts of the 1687 received request-target when forwarding it to the next inbound 1688 server, except as noted above to replace an empty path with "/" or 1689 "*". 1691 A proxy MAY modify the message body through application or removal of 1692 a transfer coding (Section 7 of [Messaging]). 1694 A proxy MUST NOT transform the payload (Section 6.3) of a message 1695 that contains a no-transform cache-control directive (Section 5.2 of 1696 [Caching]). 1698 A proxy MAY transform the payload of a message that does not contain 1699 a no-transform cache-control directive. A proxy that transforms a 1700 payload MUST add a Warning header field with the warn-code of 214 1701 ("Transformation Applied") if one is not already in the message (see 1702 Section 5.5 of [Caching]). A proxy that transforms the payload of a 1703 200 (OK) response can further inform downstream recipients that a 1704 transformation has been applied by changing the response status code 1705 to 203 (Non-Authoritative Information) (Section 9.3.4). 1707 A proxy SHOULD NOT modify header fields that provide information 1708 about the endpoints of the communication chain, the resource state, 1709 or the selected representation (other than the payload) unless the 1710 field's definition specifically allows such modification or the 1711 modification is deemed necessary for privacy or security. 1713 6. Representations 1715 Considering that a resource could be anything, and that the uniform 1716 interface provided by HTTP is similar to a window through which one 1717 can observe and act upon such a thing only through the communication 1718 of messages to some independent actor on the other side, an 1719 abstraction is needed to represent ("take the place of") the current 1720 or desired state of that thing in our communications. That 1721 abstraction is called a representation [REST]. 1723 For the purposes of HTTP, a "representation" is information that is 1724 intended to reflect a past, current, or desired state of a given 1725 resource, in a format that can be readily communicated via the 1726 protocol, and that consists of a set of representation metadata and a 1727 potentially unbounded stream of representation data. 1729 An origin server might be provided with, or be capable of generating, 1730 multiple representations that are each intended to reflect the 1731 current state of a target resource. In such cases, some algorithm is 1732 used by the origin server to select one of those representations as 1733 most applicable to a given request, usually based on content 1734 negotiation. This "selected representation" is used to provide the 1735 data and metadata for evaluating conditional requests Section 8.2 and 1736 constructing the payload for 200 (OK) and 304 (Not Modified) 1737 responses to GET (Section 7.3.1). 1739 6.1. Representation Data 1741 The representation data associated with an HTTP message is either 1742 provided as the payload body of the message or referred to by the 1743 message semantics and the effective request URI. The representation 1744 data is in a format and encoding defined by the representation 1745 metadata header fields. 1747 The data type of the representation data is determined via the header 1748 fields Content-Type and Content-Encoding. These define a two-layer, 1749 ordered encoding model: 1751 representation-data := Content-Encoding( Content-Type( bits ) ) 1753 6.1.1. Media Type 1755 HTTP uses media types [RFC2046] in the Content-Type (Section 6.2.1) 1756 and Accept (Section 8.4.2) header fields in order to provide open and 1757 extensible data typing and type negotiation. Media types define both 1758 a data format and various processing models: how to process that data 1759 in accordance with each context in which it is received. 1761 media-type = type "/" subtype *( OWS ";" OWS parameter ) 1762 type = token 1763 subtype = token 1765 The type/subtype MAY be followed by parameters in the form of 1766 name=value pairs. 1768 parameter = token "=" ( token / quoted-string ) 1770 The type, subtype, and parameter name tokens are case-insensitive. 1771 Parameter values might or might not be case-sensitive, depending on 1772 the semantics of the parameter name. The presence or absence of a 1773 parameter might be significant to the processing of a media-type, 1774 depending on its definition within the media type registry. 1776 A parameter value that matches the token production can be 1777 transmitted either as a token or within a quoted-string. The quoted 1778 and unquoted values are equivalent. For example, the following 1779 examples are all equivalent, but the first is preferred for 1780 consistency: 1782 text/html;charset=utf-8 1783 text/html;charset=UTF-8 1784 Text/HTML;Charset="utf-8" 1785 text/html; charset="utf-8" 1787 Media types ought to be registered with IANA according to the 1788 procedures defined in [BCP13]. 1790 Note: Unlike some similar constructs in other header fields, media 1791 type parameters do not allow whitespace (even "bad" whitespace) 1792 around the "=" character. 1794 6.1.1.1. Charset 1796 HTTP uses charset names to indicate or negotiate the character 1797 encoding scheme of a textual representation [RFC6365]. A charset is 1798 identified by a case-insensitive token. 1800 charset = token 1802 Charset names ought to be registered in the IANA "Character Sets" 1803 registry () 1804 according to the procedures defined in [RFC2978]. 1806 6.1.1.2. Canonicalization and Text Defaults 1808 Media types are registered with a canonical form in order to be 1809 interoperable among systems with varying native encoding formats. 1810 Representations selected or transferred via HTTP ought to be in 1811 canonical form, for many of the same reasons described by the 1812 Multipurpose Internet Mail Extensions (MIME) [RFC2045]. However, the 1813 performance characteristics of email deployments (i.e., store and 1814 forward messages to peers) are significantly different from those 1815 common to HTTP and the Web (server-based information services). 1816 Furthermore, MIME's constraints for the sake of compatibility with 1817 older mail transfer protocols do not apply to HTTP (see Appendix B of 1818 [Messaging]). 1820 MIME's canonical form requires that media subtypes of the "text" type 1821 use CRLF as the text line break. HTTP allows the transfer of text 1822 media with plain CR or LF alone representing a line break, when such 1823 line breaks are consistent for an entire representation. An HTTP 1824 sender MAY generate, and a recipient MUST be able to parse, line 1825 breaks in text media that consist of CRLF, bare CR, or bare LF. In 1826 addition, text media in HTTP is not limited to charsets that use 1827 octets 13 and 10 for CR and LF, respectively. This flexibility 1828 regarding line breaks applies only to text within a representation 1829 that has been assigned a "text" media type; it does not apply to 1830 "multipart" types or HTTP elements outside the payload body (e.g., 1831 header fields). 1833 If a representation is encoded with a content-coding, the underlying 1834 data ought to be in a form defined above prior to being encoded. 1836 6.1.1.3. Multipart Types 1838 MIME provides for a number of "multipart" types -- encapsulations of 1839 one or more representations within a single message body. All 1840 multipart types share a common syntax, as defined in Section 5.1.1 of 1841 [RFC2046], and include a boundary parameter as part of the media type 1842 value. The message body is itself a protocol element; a sender MUST 1843 generate only CRLF to represent line breaks between body parts. 1845 HTTP message framing does not use the multipart boundary as an 1846 indicator of message body length, though it might be used by 1847 implementations that generate or process the payload. For example, 1848 the "multipart/form-data" type is often used for carrying form data 1849 in a request, as described in [RFC7578], and the "multipart/ 1850 byteranges" type is defined by this specification for use in some 206 1851 (Partial Content) responses (see Section 9.3.7). 1853 6.1.2. Content Codings 1855 Content coding values indicate an encoding transformation that has 1856 been or can be applied to a representation. Content codings are 1857 primarily used to allow a representation to be compressed or 1858 otherwise usefully transformed without losing the identity of its 1859 underlying media type and without loss of information. Frequently, 1860 the representation is stored in coded form, transmitted directly, and 1861 only decoded by the final recipient. 1863 content-coding = token 1865 Content-coding values are used in the Accept-Encoding (Section 8.4.4) 1866 and Content-Encoding (Section 6.2.2) header fields. 1868 The following content-coding values are defined by this 1869 specification: 1871 +------------+------------------------------------------+-----------+ 1872 | Name | Description | Reference | 1873 +------------+------------------------------------------+-----------+ 1874 | compress | UNIX "compress" data format [Welch] | Section 6 | 1875 | | | .1.2.1 | 1876 | deflate | "deflate" compressed data ([RFC1951]) | Section 6 | 1877 | | inside the "zlib" data format | .1.2.2 | 1878 | | ([RFC1950]) | | 1879 | gzip | GZIP file format [RFC1952] | Section 6 | 1880 | | | .1.2.3 | 1881 | identity | Reserved (synonym for "no encoding" in | Section 8 | 1882 | | Accept-Encoding) | .4.4 | 1883 | x-compress | Deprecated (alias for compress) | Section 6 | 1884 | | | .1.2.1 | 1885 | x-gzip | Deprecated (alias for gzip) | Section 6 | 1886 | | | .1.2.3 | 1887 +------------+------------------------------------------+-----------+ 1889 6.1.2.1. Compress Coding 1891 The "compress" coding is an adaptive Lempel-Ziv-Welch (LZW) coding 1892 [Welch] that is commonly produced by the UNIX file compression 1893 program "compress". A recipient SHOULD consider "x-compress" to be 1894 equivalent to "compress". 1896 6.1.2.2. Deflate Coding 1898 The "deflate" coding is a "zlib" data format [RFC1950] containing a 1899 "deflate" compressed data stream [RFC1951] that uses a combination of 1900 the Lempel-Ziv (LZ77) compression algorithm and Huffman coding. 1902 Note: Some non-conformant implementations send the "deflate" 1903 compressed data without the zlib wrapper. 1905 6.1.2.3. Gzip Coding 1907 The "gzip" coding is an LZ77 coding with a 32-bit Cyclic Redundancy 1908 Check (CRC) that is commonly produced by the gzip file compression 1909 program [RFC1952]. A recipient SHOULD consider "x-gzip" to be 1910 equivalent to "gzip". 1912 6.1.2.4. Content Coding Extensibility 1914 Additional content codings, outside the scope of this specification, 1915 have been specified for use in HTTP. All such content codings ought 1916 to be registered within the "HTTP Content Coding Registry". 1918 6.1.2.4.1. Content Coding Registry 1920 The "HTTP Content Coding Registry", maintained by IANA at 1921 , registers 1922 content-coding names. 1924 Content coding registrations MUST include the following fields: 1926 o Name 1928 o Description 1930 o Pointer to specification text 1932 Names of content codings MUST NOT overlap with names of transfer 1933 codings (Section 7 of [Messaging]), unless the encoding 1934 transformation is identical (as is the case for the compression 1935 codings defined in Section 6.1.2). 1937 Values to be added to this namespace require IETF Review (see 1938 Section 4.8 of [RFC8126]) and MUST conform to the purpose of content 1939 coding defined in Section 6.1.2. 1941 6.1.3. Language Tags 1943 A language tag, as defined in [RFC5646], identifies a natural 1944 language spoken, written, or otherwise conveyed by human beings for 1945 communication of information to other human beings. Computer 1946 languages are explicitly excluded. 1948 HTTP uses language tags within the Accept-Language and Content- 1949 Language header fields. Accept-Language uses the broader language- 1950 range production defined in Section 8.4.5, whereas Content-Language 1951 uses the language-tag production defined below. 1953 language-tag = 1955 A language tag is a sequence of one or more case-insensitive subtags, 1956 each separated by a hyphen character ("-", %x2D). In most cases, a 1957 language tag consists of a primary language subtag that identifies a 1958 broad family of related languages (e.g., "en" = English), which is 1959 optionally followed by a series of subtags that refine or narrow that 1960 language's range (e.g., "en-CA" = the variety of English as 1961 communicated in Canada). Whitespace is not allowed within a language 1962 tag. Example tags include: 1964 fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN 1966 See [RFC5646] for further information. 1968 6.1.4. Range Units 1970 A representation can be partitioned into subranges according to 1971 various structural units, depending on the structure inherent in the 1972 representation's media type. This "range unit" is used in the 1973 Accept-Ranges (Section 10.4.1) response header field to advertise 1974 support for range requests, the Range (Section 8.3) request header 1975 field to delineate the parts of a representation that are requested, 1976 and the Content-Range (Section 6.3.3) payload header field to 1977 describe which part of a representation is being transferred. 1979 range-unit = bytes-unit / other-range-unit 1981 The following range unit names are defined by this document: 1983 +-------------+---------------------------------------+-------------+ 1984 | Range Unit | Description | Reference | 1985 | Name | | | 1986 +-------------+---------------------------------------+-------------+ 1987 | bytes | a range of octets | Section 6.1 | 1988 | | | .4.1 | 1989 | none | reserved as keyword, indicating no | Section 10. | 1990 | | ranges are supported | 4.1 | 1991 +-------------+---------------------------------------+-------------+ 1993 6.1.4.1. Byte Ranges 1995 Since representation data is transferred in payloads as a sequence of 1996 octets, a byte range is a meaningful substructure for any 1997 representation transferable over HTTP (Section 6). The "bytes" range 1998 unit is defined for expressing subranges of the data's octet 1999 sequence. 2001 bytes-unit = "bytes" 2003 A byte-range request can specify a single range of bytes or a set of 2004 ranges within a single representation. 2006 byte-ranges-specifier = bytes-unit "=" byte-range-set 2007 byte-range-set = 1#( byte-range-spec / suffix-byte-range-spec ) 2008 byte-range-spec = first-byte-pos "-" [ last-byte-pos ] 2009 first-byte-pos = 1*DIGIT 2010 last-byte-pos = 1*DIGIT 2012 The first-byte-pos value in a byte-range-spec gives the byte-offset 2013 of the first byte in a range. The last-byte-pos value gives the 2014 byte-offset of the last byte in the range; that is, the byte 2015 positions specified are inclusive. Byte offsets start at zero. 2017 Examples of byte-ranges-specifier values: 2019 o The first 500 bytes (byte offsets 0-499, inclusive): 2021 bytes=0-499 2023 o The second 500 bytes (byte offsets 500-999, inclusive): 2025 bytes=500-999 2027 A byte-range-spec is invalid if the last-byte-pos value is present 2028 and less than the first-byte-pos. 2030 A client can limit the number of bytes requested without knowing the 2031 size of the selected representation. If the last-byte-pos value is 2032 absent, or if the value is greater than or equal to the current 2033 length of the representation data, the byte range is interpreted as 2034 the remainder of the representation (i.e., the server replaces the 2035 value of last-byte-pos with a value that is one less than the current 2036 length of the selected representation). 2038 A client can request the last N bytes of the selected representation 2039 using a suffix-byte-range-spec. 2041 suffix-byte-range-spec = "-" suffix-length 2042 suffix-length = 1*DIGIT 2044 If the selected representation is shorter than the specified suffix- 2045 length, the entire representation is used. 2047 Additional examples, assuming a representation of length 10000: 2049 o The final 500 bytes (byte offsets 9500-9999, inclusive): 2051 bytes=-500 2053 Or: 2055 bytes=9500- 2057 o The first and last bytes only (bytes 0 and 9999): 2059 bytes=0-0,-1 2061 o Other valid (but not canonical) specifications of the second 500 2062 bytes (byte offsets 500-999, inclusive): 2064 bytes=500-600,601-999 2065 bytes=500-700,601-999 2067 If a valid byte-range-set includes at least one byte-range-spec with 2068 a first-byte-pos that is less than the current length of the 2069 representation, or at least one suffix-byte-range-spec with a non- 2070 zero suffix-length, then the byte-range-set is satisfiable. 2071 Otherwise, the byte-range-set is unsatisfiable. 2073 In the byte-range syntax, first-byte-pos, last-byte-pos, and suffix- 2074 length are expressed as decimal number of octets. Since there is no 2075 predefined limit to the length of a payload, recipients MUST 2076 anticipate potentially large decimal numerals and prevent parsing 2077 errors due to integer conversion overflows. 2079 6.1.4.2. Other Range Units 2081 Range units are intended to be extensible. New range units ought to 2082 be registered with IANA, as defined in Section 6.1.4.3. 2084 other-range-unit = token 2086 6.1.4.3. Range Unit Registry 2088 The "HTTP Range Unit Registry" defines the namespace for the range 2089 unit names and refers to their corresponding specifications. It is 2090 maintained at . 2092 Registration of an HTTP Range Unit MUST include the following fields: 2094 o Name 2095 o Description 2097 o Pointer to specification text 2099 Values to be added to this namespace require IETF Review (see 2100 [RFC8126], Section 4.8). 2102 6.2. Representation Metadata 2104 Representation header fields provide metadata about the 2105 representation. When a message includes a payload body, the 2106 representation header fields describe how to interpret the 2107 representation data enclosed in the payload body. In a response to a 2108 HEAD request, the representation header fields describe the 2109 representation data that would have been enclosed in the payload body 2110 if the same request had been a GET. 2112 The following header fields convey representation metadata: 2114 +-------------------+---------------+ 2115 | Header Field Name | Defined in... | 2116 +-------------------+---------------+ 2117 | Content-Type | Section 6.2.1 | 2118 | Content-Encoding | Section 6.2.2 | 2119 | Content-Language | Section 6.2.3 | 2120 | Content-Length | Section 6.2.4 | 2121 | Content-Location | Section 6.2.5 | 2122 +-------------------+---------------+ 2124 6.2.1. Content-Type 2126 The "Content-Type" header field indicates the media type of the 2127 associated representation: either the representation enclosed in the 2128 message payload or the selected representation, as determined by the 2129 message semantics. The indicated media type defines both the data 2130 format and how that data is intended to be processed by a recipient, 2131 within the scope of the received message semantics, after any content 2132 codings indicated by Content-Encoding are decoded. 2134 Content-Type = media-type 2136 Media types are defined in Section 6.1.1. An example of the field is 2138 Content-Type: text/html; charset=ISO-8859-4 2140 A sender that generates a message containing a payload body SHOULD 2141 generate a Content-Type header field in that message unless the 2142 intended media type of the enclosed representation is unknown to the 2143 sender. If a Content-Type header field is not present, the recipient 2144 MAY either assume a media type of "application/octet-stream" 2145 ([RFC2046], Section 4.5.1) or examine the data to determine its type. 2147 In practice, resource owners do not always properly configure their 2148 origin server to provide the correct Content-Type for a given 2149 representation, with the result that some clients will examine a 2150 payload's content and override the specified type. Clients that do 2151 so risk drawing incorrect conclusions, which might expose additional 2152 security risks (e.g., "privilege escalation"). Furthermore, it is 2153 impossible to determine the sender's intent by examining the data 2154 format: many data formats match multiple media types that differ only 2155 in processing semantics. Implementers are encouraged to provide a 2156 means of disabling such "content sniffing" when it is used. 2158 6.2.2. Content-Encoding 2160 The "Content-Encoding" header field indicates what content codings 2161 have been applied to the representation, beyond those inherent in the 2162 media type, and thus what decoding mechanisms have to be applied in 2163 order to obtain data in the media type referenced by the Content-Type 2164 header field. Content-Encoding is primarily used to allow a 2165 representation's data to be compressed without losing the identity of 2166 its underlying media type. 2168 Content-Encoding = 1#content-coding 2170 An example of its use is 2172 Content-Encoding: gzip 2174 If one or more encodings have been applied to a representation, the 2175 sender that applied the encodings MUST generate a Content-Encoding 2176 header field that lists the content codings in the order in which 2177 they were applied. Additional information about the encoding 2178 parameters can be provided by other header fields not defined by this 2179 specification. 2181 Unlike Transfer-Encoding (Section 6.1 of [Messaging]), the codings 2182 listed in Content-Encoding are a characteristic of the 2183 representation; the representation is defined in terms of the coded 2184 form, and all other metadata about the representation is about the 2185 coded form unless otherwise noted in the metadata definition. 2186 Typically, the representation is only decoded just prior to rendering 2187 or analogous usage. 2189 If the media type includes an inherent encoding, such as a data 2190 format that is always compressed, then that encoding would not be 2191 restated in Content-Encoding even if it happens to be the same 2192 algorithm as one of the content codings. Such a content coding would 2193 only be listed if, for some bizarre reason, it is applied a second 2194 time to form the representation. Likewise, an origin server might 2195 choose to publish the same data as multiple representations that 2196 differ only in whether the coding is defined as part of Content-Type 2197 or Content-Encoding, since some user agents will behave differently 2198 in their handling of each response (e.g., open a "Save as ..." dialog 2199 instead of automatic decompression and rendering of content). 2201 An origin server MAY respond with a status code of 415 (Unsupported 2202 Media Type) if a representation in the request message has a content 2203 coding that is not acceptable. 2205 6.2.3. Content-Language 2207 The "Content-Language" header field describes the natural language(s) 2208 of the intended audience for the representation. Note that this 2209 might not be equivalent to all the languages used within the 2210 representation. 2212 Content-Language = 1#language-tag 2214 Language tags are defined in Section 6.1.3. The primary purpose of 2215 Content-Language is to allow a user to identify and differentiate 2216 representations according to the users' own preferred language. 2217 Thus, if the content is intended only for a Danish-literate audience, 2218 the appropriate field is 2220 Content-Language: da 2222 If no Content-Language is specified, the default is that the content 2223 is intended for all language audiences. This might mean that the 2224 sender does not consider it to be specific to any natural language, 2225 or that the sender does not know for which language it is intended. 2227 Multiple languages MAY be listed for content that is intended for 2228 multiple audiences. For example, a rendition of the "Treaty of 2229 Waitangi", presented simultaneously in the original Maori and English 2230 versions, would call for 2232 Content-Language: mi, en 2234 However, just because multiple languages are present within a 2235 representation does not mean that it is intended for multiple 2236 linguistic audiences. An example would be a beginner's language 2237 primer, such as "A First Lesson in Latin", which is clearly intended 2238 to be used by an English-literate audience. In this case, the 2239 Content-Language would properly only include "en". 2241 Content-Language MAY be applied to any media type -- it is not 2242 limited to textual documents. 2244 6.2.4. Content-Length 2246 [[CREF5: The "Content-Length" header field indicates the number of 2247 data octets (body length) for the representation. In some cases, 2248 Content-Length is used to define or estimate message framing. ]] 2250 Content-Length = 1*DIGIT 2252 An example is 2254 Content-Length: 3495 2256 A sender MUST NOT send a Content-Length header field in any message 2257 that contains a Transfer-Encoding header field. 2259 A user agent SHOULD send a Content-Length in a request message when 2260 no Transfer-Encoding is sent and the request method defines a meaning 2261 for an enclosed payload body. For example, a Content-Length header 2262 field is normally sent in a POST request even when the value is 0 2263 (indicating an empty payload body). A user agent SHOULD NOT send a 2264 Content-Length header field when the request message does not contain 2265 a payload body and the method semantics do not anticipate such a 2266 body. 2268 A server MAY send a Content-Length header field in a response to a 2269 HEAD request (Section 7.3.2); a server MUST NOT send Content-Length 2270 in such a response unless its field-value equals the decimal number 2271 of octets that would have been sent in the payload body of a response 2272 if the same request had used the GET method. 2274 A server MAY send a Content-Length header field in a 304 (Not 2275 Modified) response to a conditional GET request (Section 9.4.5); a 2276 server MUST NOT send Content-Length in such a response unless its 2277 field-value equals the decimal number of octets that would have been 2278 sent in the payload body of a 200 (OK) response to the same request. 2280 A server MUST NOT send a Content-Length header field in any response 2281 with a status code of 1xx (Informational) or 204 (No Content). A 2282 server MUST NOT send a Content-Length header field in any 2xx 2283 (Successful) response to a CONNECT request (Section 7.3.6). 2285 Aside from the cases defined above, in the absence of Transfer- 2286 Encoding, an origin server SHOULD send a Content-Length header field 2287 when the payload body size is known prior to sending the complete 2288 header section. This will allow downstream recipients to measure 2289 transfer progress, know when a received message is complete, and 2290 potentially reuse the connection for additional requests. 2292 Any Content-Length field value greater than or equal to zero is 2293 valid. Since there is no predefined limit to the length of a 2294 payload, a recipient MUST anticipate potentially large decimal 2295 numerals and prevent parsing errors due to integer conversion 2296 overflows (Section 12.5). 2298 If a message is received that has multiple Content-Length header 2299 fields with field-values consisting of the same decimal value, or a 2300 single Content-Length header field with a field value containing a 2301 list of identical decimal values (e.g., "Content-Length: 42, 42"), 2302 indicating that duplicate Content-Length header fields have been 2303 generated or combined by an upstream message processor, then the 2304 recipient MUST either reject the message as invalid or replace the 2305 duplicated field-values with a single valid Content-Length field 2306 containing that decimal value prior to determining the message body 2307 length or forwarding the message. 2309 6.2.5. Content-Location 2311 The "Content-Location" header field references a URI that can be used 2312 as an identifier for a specific resource corresponding to the 2313 representation in this message's payload. In other words, if one 2314 were to perform a GET request on this URI at the time of this 2315 message's generation, then a 200 (OK) response would contain the same 2316 representation that is enclosed as payload in this message. 2318 Content-Location = absolute-URI / partial-URI 2320 The Content-Location value is not a replacement for the effective 2321 Request URI (Section 5.3). It is representation metadata. It has 2322 the same syntax and semantics as the header field of the same name 2323 defined for MIME body parts in Section 4 of [RFC2557]. However, its 2324 appearance in an HTTP message has some special implications for HTTP 2325 recipients. 2327 If Content-Location is included in a 2xx (Successful) response 2328 message and its value refers (after conversion to absolute form) to a 2329 URI that is the same as the effective request URI, then the recipient 2330 MAY consider the payload to be a current representation of that 2331 resource at the time indicated by the message origination date. For 2332 a GET (Section 7.3.1) or HEAD (Section 7.3.2) request, this is the 2333 same as the default semantics when no Content-Location is provided by 2334 the server. For a state-changing request like PUT (Section 7.3.4) or 2335 POST (Section 7.3.3), it implies that the server's response contains 2336 the new representation of that resource, thereby distinguishing it 2337 from representations that might only report about the action (e.g., 2338 "It worked!"). This allows authoring applications to update their 2339 local copies without the need for a subsequent GET request. 2341 If Content-Location is included in a 2xx (Successful) response 2342 message and its field-value refers to a URI that differs from the 2343 effective request URI, then the origin server claims that the URI is 2344 an identifier for a different resource corresponding to the enclosed 2345 representation. Such a claim can only be trusted if both identifiers 2346 share the same resource owner, which cannot be programmatically 2347 determined via HTTP. 2349 o For a response to a GET or HEAD request, this is an indication 2350 that the effective request URI refers to a resource that is 2351 subject to content negotiation and the Content-Location field- 2352 value is a more specific identifier for the selected 2353 representation. 2355 o For a 201 (Created) response to a state-changing method, a 2356 Content-Location field-value that is identical to the Location 2357 field-value indicates that this payload is a current 2358 representation of the newly created resource. 2360 o Otherwise, such a Content-Location indicates that this payload is 2361 a representation reporting on the requested action's status and 2362 that the same report is available (for future access with GET) at 2363 the given URI. For example, a purchase transaction made via a 2364 POST request might include a receipt document as the payload of 2365 the 200 (OK) response; the Content-Location field-value provides 2366 an identifier for retrieving a copy of that same receipt in the 2367 future. 2369 A user agent that sends Content-Location in a request message is 2370 stating that its value refers to where the user agent originally 2371 obtained the content of the enclosed representation (prior to any 2372 modifications made by that user agent). In other words, the user 2373 agent is providing a back link to the source of the original 2374 representation. 2376 An origin server that receives a Content-Location field in a request 2377 message MUST treat the information as transitory request context 2378 rather than as metadata to be saved verbatim as part of the 2379 representation. An origin server MAY use that context to guide in 2380 processing the request or to save it for other uses, such as within 2381 source links or versioning metadata. However, an origin server MUST 2382 NOT use such context information to alter the request semantics. 2384 For example, if a client makes a PUT request on a negotiated resource 2385 and the origin server accepts that PUT (without redirection), then 2386 the new state of that resource is expected to be consistent with the 2387 one representation supplied in that PUT; the Content-Location cannot 2388 be used as a form of reverse content selection identifier to update 2389 only one of the negotiated representations. If the user agent had 2390 wanted the latter semantics, it would have applied the PUT directly 2391 to the Content-Location URI. 2393 6.3. Payload 2395 Some HTTP messages transfer a complete or partial representation as 2396 the message "payload". In some cases, a payload might contain only 2397 the associated representation's header fields (e.g., responses to 2398 HEAD) or only some part(s) of the representation data (e.g., the 206 2399 (Partial Content) status code). 2401 Header fields that specifically describe the payload, rather than the 2402 associated representation, are referred to as "payload header 2403 fields". Payload header fields are defined in other parts of this 2404 specification, due to their impact on message parsing. 2406 +-------------------+----------------------------+ 2407 | Header Field Name | Defined in... | 2408 +-------------------+----------------------------+ 2409 | Content-Range | Section 6.3.3 | 2410 | Trailer | Section 4.4 | 2411 | Transfer-Encoding | Section 6.1 of [Messaging] | 2412 +-------------------+----------------------------+ 2414 6.3.1. Purpose 2416 The purpose of a payload in a request is defined by the method 2417 semantics. For example, a representation in the payload of a PUT 2418 request (Section 7.3.4) represents the desired state of the target 2419 resource if the request is successfully applied, whereas a 2420 representation in the payload of a POST request (Section 7.3.3) 2421 represents information to be processed by the target resource. 2423 In a response, the payload's purpose is defined by both the request 2424 method and the response status code. For example, the payload of a 2425 200 (OK) response to GET (Section 7.3.1) represents the current state 2426 of the target resource, as observed at the time of the message 2427 origination date (Section 10.1.1.2), whereas the payload of the same 2428 status code in a response to POST might represent either the 2429 processing result or the new state of the target resource after 2430 applying the processing. Response messages with an error status code 2431 usually contain a payload that represents the error condition, such 2432 that it describes the error state and what next steps are suggested 2433 for resolving it. 2435 6.3.2. Identification 2437 When a complete or partial representation is transferred in a message 2438 payload, it is often desirable for the sender to supply, or the 2439 recipient to determine, an identifier for a resource corresponding to 2440 that representation. 2442 For a request message: 2444 o If the request has a Content-Location header field, then the 2445 sender asserts that the payload is a representation of the 2446 resource identified by the Content-Location field-value. However, 2447 such an assertion cannot be trusted unless it can be verified by 2448 other means (not defined by this specification). The information 2449 might still be useful for revision history links. 2451 o Otherwise, the payload is unidentified. 2453 For a response message, the following rules are applied in order 2454 until a match is found: 2456 1. If the request method is GET or HEAD and the response status code 2457 is 200 (OK), 204 (No Content), 206 (Partial Content), or 304 (Not 2458 Modified), the payload is a representation of the resource 2459 identified by the effective request URI (Section 5.3). 2461 2. If the request method is GET or HEAD and the response status code 2462 is 203 (Non-Authoritative Information), the payload is a 2463 potentially modified or enhanced representation of the target 2464 resource as provided by an intermediary. 2466 3. If the response has a Content-Location header field and its 2467 field-value is a reference to the same URI as the effective 2468 request URI, the payload is a representation of the resource 2469 identified by the effective request URI. 2471 4. If the response has a Content-Location header field and its 2472 field-value is a reference to a URI different from the effective 2473 request URI, then the sender asserts that the payload is a 2474 representation of the resource identified by the Content-Location 2475 field-value. However, such an assertion cannot be trusted unless 2476 it can be verified by other means (not defined by this 2477 specification). 2479 5. Otherwise, the payload is unidentified. 2481 6.3.3. Content-Range 2483 The "Content-Range" header field is sent in a single part 206 2484 (Partial Content) response to indicate the partial range of the 2485 selected representation enclosed as the message payload, sent in each 2486 part of a multipart 206 response to indicate the range enclosed 2487 within each body part, and sent in 416 (Range Not Satisfiable) 2488 responses to provide information about the selected representation. 2490 Content-Range = byte-content-range 2491 / other-content-range 2493 byte-content-range = bytes-unit SP 2494 ( byte-range-resp / unsatisfied-range ) 2496 byte-range-resp = byte-range "/" ( complete-length / "*" ) 2497 byte-range = first-byte-pos "-" last-byte-pos 2498 unsatisfied-range = "*/" complete-length 2500 complete-length = 1*DIGIT 2502 other-content-range = other-range-unit SP other-range-resp 2503 other-range-resp = *VCHAR 2505 If a 206 (Partial Content) response contains a Content-Range header 2506 field with a range unit (Section 6.1.4) that the recipient does not 2507 understand, the recipient MUST NOT attempt to recombine it with a 2508 stored representation. A proxy that receives such a message SHOULD 2509 forward it downstream. 2511 For byte ranges, a sender SHOULD indicate the complete length of the 2512 representation from which the range has been extracted, unless the 2513 complete length is unknown or difficult to determine. An asterisk 2514 character ("*") in place of the complete-length indicates that the 2515 representation length was unknown when the header field was 2516 generated. 2518 The following example illustrates when the complete length of the 2519 selected representation is known by the sender to be 1234 bytes: 2521 Content-Range: bytes 42-1233/1234 2523 and this second example illustrates when the complete length is 2524 unknown: 2526 Content-Range: bytes 42-1233/* 2528 A Content-Range field value is invalid if it contains a byte-range- 2529 resp that has a last-byte-pos value less than its first-byte-pos 2530 value, or a complete-length value less than or equal to its last- 2531 byte-pos value. The recipient of an invalid Content-Range MUST NOT 2532 attempt to recombine the received content with a stored 2533 representation. 2535 A server generating a 416 (Range Not Satisfiable) response to a byte- 2536 range request SHOULD send a Content-Range header field with an 2537 unsatisfied-range value, as in the following example: 2539 Content-Range: bytes */1234 2541 The complete-length in a 416 response indicates the current length of 2542 the selected representation. 2544 The Content-Range header field has no meaning for status codes that 2545 do not explicitly describe its semantic. For this specification, 2546 only the 206 (Partial Content) and 416 (Range Not Satisfiable) status 2547 codes describe a meaning for Content-Range. 2549 The following are examples of Content-Range values in which the 2550 selected representation contains a total of 1234 bytes: 2552 o The first 500 bytes: 2554 Content-Range: bytes 0-499/1234 2556 o The second 500 bytes: 2558 Content-Range: bytes 500-999/1234 2560 o All except for the first 500 bytes: 2562 Content-Range: bytes 500-1233/1234 2564 o The last 500 bytes: 2566 Content-Range: bytes 734-1233/1234 2568 6.3.4. Media Type multipart/byteranges 2570 When a 206 (Partial Content) response message includes the content of 2571 multiple ranges, they are transmitted as body parts in a multipart 2572 message body ([RFC2046], Section 5.1) with the media type of 2573 "multipart/byteranges". 2575 The multipart/byteranges media type includes one or more body parts, 2576 each with its own Content-Type and Content-Range fields. The 2577 required boundary parameter specifies the boundary string used to 2578 separate each body part. 2580 Implementation Notes: 2582 1. Additional CRLFs might precede the first boundary string in the 2583 body. 2585 2. Although [RFC2046] permits the boundary string to be quoted, some 2586 existing implementations handle a quoted boundary string 2587 incorrectly. 2589 3. A number of clients and servers were coded to an early draft of 2590 the byteranges specification that used a media type of multipart/ 2591 x-byteranges, which is almost (but not quite) compatible with 2592 this type. 2594 Despite the name, the "multipart/byteranges" media type is not 2595 limited to byte ranges. The following example uses an "exampleunit" 2596 range unit: 2598 HTTP/1.1 206 Partial Content 2599 Date: Tue, 14 Nov 1995 06:25:24 GMT 2600 Last-Modified: Tue, 14 July 04:58:08 GMT 2601 Content-Length: 2331785 2602 Content-Type: multipart/byteranges; boundary=THIS_STRING_SEPARATES 2604 --THIS_STRING_SEPARATES 2605 Content-Type: video/example 2606 Content-Range: exampleunit 1.2-4.3/25 2608 ...the first range... 2609 --THIS_STRING_SEPARATES 2610 Content-Type: video/example 2611 Content-Range: exampleunit 11.2-14.3/25 2613 ...the second range 2614 --THIS_STRING_SEPARATES-- 2616 The following information serves as the registration form for the 2617 multipart/byteranges media type. 2619 Type name: multipart 2621 Subtype name: byteranges 2623 Required parameters: boundary 2625 Optional parameters: N/A 2627 Encoding considerations: only "7bit", "8bit", or "binary" are 2628 permitted 2630 Security considerations: see Section 12 2632 Interoperability considerations: N/A 2634 Published specification: This specification (see Section 6.3.4). 2636 Applications that use this media type: HTTP components supporting 2637 multiple ranges in a single request. 2639 Fragment identifier considerations: N/A 2641 Additional information: 2643 Deprecated alias names for this type: N/A 2645 Magic number(s): N/A 2647 File extension(s): N/A 2649 Macintosh file type code(s): N/A 2651 Person and email address to contact for further information: See Aut 2652 hors' Addresses section. 2654 Intended usage: COMMON 2656 Restrictions on usage: N/A 2658 Author: See Authors' Addresses section. 2660 Change controller: IESG 2662 6.4. Content Negotiation 2664 When responses convey payload information, whether indicating a 2665 success or an error, the origin server often has different ways of 2666 representing that information; for example, in different formats, 2667 languages, or encodings. Likewise, different users or user agents 2668 might have differing capabilities, characteristics, or preferences 2669 that could influence which representation, among those available, 2670 would be best to deliver. For this reason, HTTP provides mechanisms 2671 for content negotiation. 2673 This specification defines two patterns of content negotiation that 2674 can be made visible within the protocol: "proactive", where the 2675 server selects the representation based upon the user agent's stated 2676 preferences, and "reactive" negotiation, where the server provides a 2677 list of representations for the user agent to choose from. Other 2678 patterns of content negotiation include "conditional content", where 2679 the representation consists of multiple parts that are selectively 2680 rendered based on user agent parameters, "active content", where the 2681 representation contains a script that makes additional (more 2682 specific) requests based on the user agent characteristics, and 2683 "Transparent Content Negotiation" ([RFC2295]), where content 2684 selection is performed by an intermediary. These patterns are not 2685 mutually exclusive, and each has trade-offs in applicability and 2686 practicality. 2688 Note that, in all cases, HTTP is not aware of the resource semantics. 2689 The consistency with which an origin server responds to requests, 2690 over time and over the varying dimensions of content negotiation, and 2691 thus the "sameness" of a resource's observed representations over 2692 time, is determined entirely by whatever entity or algorithm selects 2693 or generates those responses. HTTP pays no attention to the man 2694 behind the curtain. 2696 6.4.1. Proactive Negotiation 2698 When content negotiation preferences are sent by the user agent in a 2699 request to encourage an algorithm located at the server to select the 2700 preferred representation, it is called proactive negotiation (a.k.a., 2701 server-driven negotiation). Selection is based on the available 2702 representations for a response (the dimensions over which it might 2703 vary, such as language, content-coding, etc.) compared to various 2704 information supplied in the request, including both the explicit 2705 negotiation fields of Section 8.4 and implicit characteristics, such 2706 as the client's network address or parts of the User-Agent field. 2708 Proactive negotiation is advantageous when the algorithm for 2709 selecting from among the available representations is difficult to 2710 describe to a user agent, or when the server desires to send its 2711 "best guess" to the user agent along with the first response (hoping 2712 to avoid the round trip delay of a subsequent request if the "best 2713 guess" is good enough for the user). In order to improve the 2714 server's guess, a user agent MAY send request header fields that 2715 describe its preferences. 2717 Proactive negotiation has serious disadvantages: 2719 o It is impossible for the server to accurately determine what might 2720 be "best" for any given user, since that would require complete 2721 knowledge of both the capabilities of the user agent and the 2722 intended use for the response (e.g., does the user want to view it 2723 on screen or print it on paper?); 2725 o Having the user agent describe its capabilities in every request 2726 can be both very inefficient (given that only a small percentage 2727 of responses have multiple representations) and a potential risk 2728 to the user's privacy; 2730 o It complicates the implementation of an origin server and the 2731 algorithms for generating responses to a request; and, 2733 o It limits the reusability of responses for shared caching. 2735 A user agent cannot rely on proactive negotiation preferences being 2736 consistently honored, since the origin server might not implement 2737 proactive negotiation for the requested resource or might decide that 2738 sending a response that doesn't conform to the user agent's 2739 preferences is better than sending a 406 (Not Acceptable) response. 2741 A Vary header field (Section 10.1.4) is often sent in a response 2742 subject to proactive negotiation to indicate what parts of the 2743 request information were used in the selection algorithm. 2745 6.4.2. Reactive Negotiation 2747 With reactive negotiation (a.k.a., agent-driven negotiation), 2748 selection of the best response representation (regardless of the 2749 status code) is performed by the user agent after receiving an 2750 initial response from the origin server that contains a list of 2751 resources for alternative representations. If the user agent is not 2752 satisfied by the initial response representation, it can perform a 2753 GET request on one or more of the alternative resources, selected 2754 based on metadata included in the list, to obtain a different form of 2755 representation for that response. Selection of alternatives might be 2756 performed automatically by the user agent or manually by the user 2757 selecting from a generated (possibly hypertext) menu. 2759 Note that the above refers to representations of the response, in 2760 general, not representations of the resource. The alternative 2761 representations are only considered representations of the target 2762 resource if the response in which those alternatives are provided has 2763 the semantics of being a representation of the target resource (e.g., 2764 a 200 (OK) response to a GET request) or has the semantics of 2765 providing links to alternative representations for the target 2766 resource (e.g., a 300 (Multiple Choices) response to a GET request). 2768 A server might choose not to send an initial representation, other 2769 than the list of alternatives, and thereby indicate that reactive 2770 negotiation by the user agent is preferred. For example, the 2771 alternatives listed in responses with the 300 (Multiple Choices) and 2772 406 (Not Acceptable) status codes include information about the 2773 available representations so that the user or user agent can react by 2774 making a selection. 2776 Reactive negotiation is advantageous when the response would vary 2777 over commonly used dimensions (such as type, language, or encoding), 2778 when the origin server is unable to determine a user agent's 2779 capabilities from examining the request, and generally when public 2780 caches are used to distribute server load and reduce network usage. 2782 Reactive negotiation suffers from the disadvantages of transmitting a 2783 list of alternatives to the user agent, which degrades user-perceived 2784 latency if transmitted in the header section, and needing a second 2785 request to obtain an alternate representation. Furthermore, this 2786 specification does not define a mechanism for supporting automatic 2787 selection, though it does not prevent such a mechanism from being 2788 developed as an extension. 2790 7. Request Methods 2792 7.1. Overview 2794 The request method token is the primary source of request semantics; 2795 it indicates the purpose for which the client has made this request 2796 and what is expected by the client as a successful result. 2798 The request method's semantics might be further specialized by the 2799 semantics of some header fields when present in a request (Section 8) 2800 if those additional semantics do not conflict with the method. For 2801 example, a client can send conditional request header fields 2802 (Section 8.2) to make the requested action conditional on the current 2803 state of the target resource. 2805 method = token 2807 HTTP was originally designed to be usable as an interface to 2808 distributed object systems. The request method was envisioned as 2809 applying semantics to a target resource in much the same way as 2810 invoking a defined method on an identified object would apply 2811 semantics. The method token is case-sensitive because it might be 2812 used as a gateway to object-based systems with case-sensitive method 2813 names. 2815 Unlike distributed objects, the standardized request methods in HTTP 2816 are not resource-specific, since uniform interfaces provide for 2817 better visibility and reuse in network-based systems [REST]. Once 2818 defined, a standardized method ought to have the same semantics when 2819 applied to any resource, though each resource determines for itself 2820 whether those semantics are implemented or allowed. 2822 This specification defines a number of standardized methods that are 2823 commonly used in HTTP, as outlined by the following table. By 2824 convention, standardized methods are defined in all-uppercase US- 2825 ASCII letters. 2827 +---------+-------------------------------------------------+-------+ 2828 | Method | Description | Sec. | 2829 +---------+-------------------------------------------------+-------+ 2830 | GET | Transfer a current representation of the target | 7.3.1 | 2831 | | resource. | | 2832 | HEAD | Same as GET, but only transfer the status line | 7.3.2 | 2833 | | and header section. | | 2834 | POST | Perform resource-specific processing on the | 7.3.3 | 2835 | | request payload. | | 2836 | PUT | Replace all current representations of the | 7.3.4 | 2837 | | target resource with the request payload. | | 2838 | DELETE | Remove all current representations of the | 7.3.5 | 2839 | | target resource. | | 2840 | CONNECT | Establish a tunnel to the server identified by | 7.3.6 | 2841 | | the target resource. | | 2842 | OPTIONS | Describe the communication options for the | 7.3.7 | 2843 | | target resource. | | 2844 | TRACE | Perform a message loop-back test along the path | 7.3.8 | 2845 | | to the target resource. | | 2846 +---------+-------------------------------------------------+-------+ 2848 All general-purpose servers MUST support the methods GET and HEAD. 2849 All other methods are OPTIONAL. 2851 The set of methods allowed by a target resource can be listed in an 2852 Allow header field (Section 10.4.2). However, the set of allowed 2853 methods can change dynamically. When a request method is received 2854 that is unrecognized or not implemented by an origin server, the 2855 origin server SHOULD respond with the 501 (Not Implemented) status 2856 code. When a request method is received that is known by an origin 2857 server but not allowed for the target resource, the origin server 2858 SHOULD respond with the 405 (Method Not Allowed) status code. 2860 7.2. Common Method Properties 2862 +---------+------+------------+----------------+ 2863 | Method | Safe | Idempotent | Reference | 2864 +---------+------+------------+----------------+ 2865 | CONNECT | no | no | Section 7.3.6 | 2866 | DELETE | no | yes | Section 7.3.5 | 2867 | GET | yes | yes | Section 7.3.1 | 2868 | HEAD | yes | yes | Section 7.3.2 | 2869 | OPTIONS | yes | yes | Section 7.3.7 | 2870 | POST | no | no | Section 7.3.3 | 2871 | PUT | no | yes | Section 7.3.4 | 2872 | TRACE | yes | yes | Section 7.3.8 | 2873 +---------+------+------------+----------------+ 2875 7.2.1. Safe Methods 2877 Request methods are considered "safe" if their defined semantics are 2878 essentially read-only; i.e., the client does not request, and does 2879 not expect, any state change on the origin server as a result of 2880 applying a safe method to a target resource. Likewise, reasonable 2881 use of a safe method is not expected to cause any harm, loss of 2882 property, or unusual burden on the origin server. 2884 This definition of safe methods does not prevent an implementation 2885 from including behavior that is potentially harmful, that is not 2886 entirely read-only, or that causes side effects while invoking a safe 2887 method. What is important, however, is that the client did not 2888 request that additional behavior and cannot be held accountable for 2889 it. For example, most servers append request information to access 2890 log files at the completion of every response, regardless of the 2891 method, and that is considered safe even though the log storage might 2892 become full and crash the server. Likewise, a safe request initiated 2893 by selecting an advertisement on the Web will often have the side 2894 effect of charging an advertising account. 2896 Of the request methods defined by this specification, the GET, HEAD, 2897 OPTIONS, and TRACE methods are defined to be safe. 2899 The purpose of distinguishing between safe and unsafe methods is to 2900 allow automated retrieval processes (spiders) and cache performance 2901 optimization (pre-fetching) to work without fear of causing harm. In 2902 addition, it allows a user agent to apply appropriate constraints on 2903 the automated use of unsafe methods when processing potentially 2904 untrusted content. 2906 A user agent SHOULD distinguish between safe and unsafe methods when 2907 presenting potential actions to a user, such that the user can be 2908 made aware of an unsafe action before it is requested. 2910 When a resource is constructed such that parameters within the 2911 effective request URI have the effect of selecting an action, it is 2912 the resource owner's responsibility to ensure that the action is 2913 consistent with the request method semantics. For example, it is 2914 common for Web-based content editing software to use actions within 2915 query parameters, such as "page?do=delete". If the purpose of such a 2916 resource is to perform an unsafe action, then the resource owner MUST 2917 disable or disallow that action when it is accessed using a safe 2918 request method. Failure to do so will result in unfortunate side 2919 effects when automated processes perform a GET on every URI reference 2920 for the sake of link maintenance, pre-fetching, building a search 2921 index, etc. 2923 7.2.2. Idempotent Methods 2925 A request method is considered "idempotent" if the intended effect on 2926 the server of multiple identical requests with that method is the 2927 same as the effect for a single such request. Of the request methods 2928 defined by this specification, PUT, DELETE, and safe request methods 2929 are idempotent. 2931 Like the definition of safe, the idempotent property only applies to 2932 what has been requested by the user; a server is free to log each 2933 request separately, retain a revision control history, or implement 2934 other non-idempotent side effects for each idempotent request. 2936 Idempotent methods are distinguished because the request can be 2937 repeated automatically if a communication failure occurs before the 2938 client is able to read the server's response. For example, if a 2939 client sends a PUT request and the underlying connection is closed 2940 before any response is received, then the client can establish a new 2941 connection and retry the idempotent request. It knows that repeating 2942 the request will have the same intended effect, even if the original 2943 request succeeded, though the response might differ. 2945 7.2.3. Cacheable Methods 2947 Request methods can be defined as "cacheable" to indicate that 2948 responses to them are allowed to be stored for future reuse; for 2949 specific requirements see [Caching]. In general, safe methods that 2950 do not depend on a current or authoritative response are defined as 2951 cacheable; this specification defines GET, HEAD, and POST as 2952 cacheable, although the overwhelming majority of cache 2953 implementations only support GET and HEAD. 2955 7.3. Method Definitions 2957 7.3.1. GET 2959 The GET method requests transfer of a current selected representation 2960 for the target resource. GET is the primary mechanism of information 2961 retrieval and the focus of almost all performance optimizations. 2962 Hence, when people speak of retrieving some identifiable information 2963 via HTTP, they are generally referring to making a GET request. 2965 It is tempting to think of resource identifiers as remote file system 2966 pathnames and of representations as being a copy of the contents of 2967 such files. In fact, that is how many resources are implemented (see 2968 Section 12.3 for related security considerations). However, there 2969 are no such limitations in practice. The HTTP interface for a 2970 resource is just as likely to be implemented as a tree of content 2971 objects, a programmatic view on various database records, or a 2972 gateway to other information systems. Even when the URI mapping 2973 mechanism is tied to a file system, an origin server might be 2974 configured to execute the files with the request as input and send 2975 the output as the representation rather than transfer the files 2976 directly. Regardless, only the origin server needs to know how each 2977 of its resource identifiers corresponds to an implementation and how 2978 each implementation manages to select and send a current 2979 representation of the target resource in a response to GET. 2981 A client can alter the semantics of GET to be a "range request", 2982 requesting transfer of only some part(s) of the selected 2983 representation, by sending a Range header field in the request 2984 (Section 8.3). 2986 A payload within a GET request message has no defined semantics; 2987 sending a payload body on a GET request might cause some existing 2988 implementations to reject the request. 2990 The response to a GET request is cacheable; a cache MAY use it to 2991 satisfy subsequent GET and HEAD requests unless otherwise indicated 2992 by the Cache-Control header field (Section 5.2 of [Caching]). 2994 7.3.2. HEAD 2996 The HEAD method is identical to GET except that the server MUST NOT 2997 send a message body in the response (i.e., the response terminates at 2998 the end of the header section). The server SHOULD send the same 2999 header fields in response to a HEAD request as it would have sent if 3000 the request had been a GET, except that the payload header fields 3001 (Section 6.3) MAY be omitted. This method can be used for obtaining 3002 metadata about the selected representation without transferring the 3003 representation data and is often used for testing hypertext links for 3004 validity, accessibility, and recent modification. 3006 A payload within a HEAD request message has no defined semantics; 3007 sending a payload body on a HEAD request might cause some existing 3008 implementations to reject the request. 3010 The response to a HEAD request is cacheable; a cache MAY use it to 3011 satisfy subsequent HEAD requests unless otherwise indicated by the 3012 Cache-Control header field (Section 5.2 of [Caching]). A HEAD 3013 response might also have an effect on previously cached responses to 3014 GET; see Section 4.3.5 of [Caching]. 3016 7.3.3. POST 3018 The POST method requests that the target resource process the 3019 representation enclosed in the request according to the resource's 3020 own specific semantics. For example, POST is used for the following 3021 functions (among others): 3023 o Providing a block of data, such as the fields entered into an HTML 3024 form, to a data-handling process; 3026 o Posting a message to a bulletin board, newsgroup, mailing list, 3027 blog, or similar group of articles; 3029 o Creating a new resource that has yet to be identified by the 3030 origin server; and 3032 o Appending data to a resource's existing representation(s). 3034 An origin server indicates response semantics by choosing an 3035 appropriate status code depending on the result of processing the 3036 POST request; almost all of the status codes defined by this 3037 specification might be received in a response to POST (the exceptions 3038 being 206 (Partial Content), 304 (Not Modified), and 416 (Range Not 3039 Satisfiable)). 3041 If one or more resources has been created on the origin server as a 3042 result of successfully processing a POST request, the origin server 3043 SHOULD send a 201 (Created) response containing a Location header 3044 field that provides an identifier for the primary resource created 3045 (Section 10.1.2) and a representation that describes the status of 3046 the request while referring to the new resource(s). 3048 Responses to POST requests are only cacheable when they include 3049 explicit freshness information (see Section 4.2.1 of [Caching]). 3050 However, POST caching is not widely implemented. For cases where an 3051 origin server wishes the client to be able to cache the result of a 3052 POST in a way that can be reused by a later GET, the origin server 3053 MAY send a 200 (OK) response containing the result and a Content- 3054 Location header field that has the same value as the POST's effective 3055 request URI (Section 6.2.5). 3057 If the result of processing a POST would be equivalent to a 3058 representation of an existing resource, an origin server MAY redirect 3059 the user agent to that resource by sending a 303 (See Other) response 3060 with the existing resource's identifier in the Location field. This 3061 has the benefits of providing the user agent a resource identifier 3062 and transferring the representation via a method more amenable to 3063 shared caching, though at the cost of an extra request if the user 3064 agent does not already have the representation cached. 3066 7.3.4. PUT 3068 The PUT method requests that the state of the target resource be 3069 created or replaced with the state defined by the representation 3070 enclosed in the request message payload. A successful PUT of a given 3071 representation would suggest that a subsequent GET on that same 3072 target resource will result in an equivalent representation being 3073 sent in a 200 (OK) response. However, there is no guarantee that 3074 such a state change will be observable, since the target resource 3075 might be acted upon by other user agents in parallel, or might be 3076 subject to dynamic processing by the origin server, before any 3077 subsequent GET is received. A successful response only implies that 3078 the user agent's intent was achieved at the time of its processing by 3079 the origin server. 3081 If the target resource does not have a current representation and the 3082 PUT successfully creates one, then the origin server MUST inform the 3083 user agent by sending a 201 (Created) response. If the target 3084 resource does have a current representation and that representation 3085 is successfully modified in accordance with the state of the enclosed 3086 representation, then the origin server MUST send either a 200 (OK) or 3087 a 204 (No Content) response to indicate successful completion of the 3088 request. 3090 An origin server SHOULD ignore unrecognized header fields received in 3091 a PUT request (i.e., do not save them as part of the resource state). 3093 An origin server SHOULD verify that the PUT representation is 3094 consistent with any constraints the server has for the target 3095 resource that cannot or will not be changed by the PUT. This is 3096 particularly important when the origin server uses internal 3097 configuration information related to the URI in order to set the 3098 values for representation metadata on GET responses. When a PUT 3099 representation is inconsistent with the target resource, the origin 3100 server SHOULD either make them consistent, by transforming the 3101 representation or changing the resource configuration, or respond 3102 with an appropriate error message containing sufficient information 3103 to explain why the representation is unsuitable. The 409 (Conflict) 3104 or 415 (Unsupported Media Type) status codes are suggested, with the 3105 latter being specific to constraints on Content-Type values. 3107 For example, if the target resource is configured to always have a 3108 Content-Type of "text/html" and the representation being PUT has a 3109 Content-Type of "image/jpeg", the origin server ought to do one of: 3111 a. reconfigure the target resource to reflect the new media type; 3113 b. transform the PUT representation to a format consistent with that 3114 of the resource before saving it as the new resource state; or, 3116 c. reject the request with a 415 (Unsupported Media Type) response 3117 indicating that the target resource is limited to "text/html", 3118 perhaps including a link to a different resource that would be a 3119 suitable target for the new representation. 3121 HTTP does not define exactly how a PUT method affects the state of an 3122 origin server beyond what can be expressed by the intent of the user 3123 agent request and the semantics of the origin server response. It 3124 does not define what a resource might be, in any sense of that word, 3125 beyond the interface provided via HTTP. It does not define how 3126 resource state is "stored", nor how such storage might change as a 3127 result of a change in resource state, nor how the origin server 3128 translates resource state into representations. Generally speaking, 3129 all implementation details behind the resource interface are 3130 intentionally hidden by the server. 3132 An origin server MUST NOT send a validator header field 3133 (Section 10.2), such as an ETag or Last-Modified field, in a 3134 successful response to PUT unless the request's representation data 3135 was saved without any transformation applied to the body (i.e., the 3136 resource's new representation data is identical to the representation 3137 data received in the PUT request) and the validator field value 3138 reflects the new representation. This requirement allows a user 3139 agent to know when the representation body it has in memory remains 3140 current as a result of the PUT, thus not in need of being retrieved 3141 again from the origin server, and that the new validator(s) received 3142 in the response can be used for future conditional requests in order 3143 to prevent accidental overwrites (Section 8.2). 3145 The fundamental difference between the POST and PUT methods is 3146 highlighted by the different intent for the enclosed representation. 3147 The target resource in a POST request is intended to handle the 3148 enclosed representation according to the resource's own semantics, 3149 whereas the enclosed representation in a PUT request is defined as 3150 replacing the state of the target resource. Hence, the intent of PUT 3151 is idempotent and visible to intermediaries, even though the exact 3152 effect is only known by the origin server. 3154 Proper interpretation of a PUT request presumes that the user agent 3155 knows which target resource is desired. A service that selects a 3156 proper URI on behalf of the client, after receiving a state-changing 3157 request, SHOULD be implemented using the POST method rather than PUT. 3158 If the origin server will not make the requested PUT state change to 3159 the target resource and instead wishes to have it applied to a 3160 different resource, such as when the resource has been moved to a 3161 different URI, then the origin server MUST send an appropriate 3xx 3162 (Redirection) response; the user agent MAY then make its own decision 3163 regarding whether or not to redirect the request. 3165 A PUT request applied to the target resource can have side effects on 3166 other resources. For example, an article might have a URI for 3167 identifying "the current version" (a resource) that is separate from 3168 the URIs identifying each particular version (different resources 3169 that at one point shared the same state as the current version 3170 resource). A successful PUT request on "the current version" URI 3171 might therefore create a new version resource in addition to changing 3172 the state of the target resource, and might also cause links to be 3173 added between the related resources. 3175 An origin server that allows PUT on a given target resource MUST send 3176 a 400 (Bad Request) response to a PUT request that contains a 3177 Content-Range header field (Section 6.3.3), since the payload is 3178 likely to be partial content that has been mistakenly PUT as a full 3179 representation. Partial content updates are possible by targeting a 3180 separately identified resource with state that overlaps a portion of 3181 the larger resource, or by using a different method that has been 3182 specifically defined for partial updates (for example, the PATCH 3183 method defined in [RFC5789]). 3185 Responses to the PUT method are not cacheable. If a successful PUT 3186 request passes through a cache that has one or more stored responses 3187 for the effective request URI, those stored responses will be 3188 invalidated (see Section 4.4 of [Caching]). 3190 7.3.5. DELETE 3192 The DELETE method requests that the origin server remove the 3193 association between the target resource and its current 3194 functionality. In effect, this method is similar to the rm command 3195 in UNIX: it expresses a deletion operation on the URI mapping of the 3196 origin server rather than an expectation that the previously 3197 associated information be deleted. 3199 If the target resource has one or more current representations, they 3200 might or might not be destroyed by the origin server, and the 3201 associated storage might or might not be reclaimed, depending 3202 entirely on the nature of the resource and its implementation by the 3203 origin server (which are beyond the scope of this specification). 3204 Likewise, other implementation aspects of a resource might need to be 3205 deactivated or archived as a result of a DELETE, such as database or 3206 gateway connections. In general, it is assumed that the origin 3207 server will only allow DELETE on resources for which it has a 3208 prescribed mechanism for accomplishing the deletion. 3210 Relatively few resources allow the DELETE method -- its primary use 3211 is for remote authoring environments, where the user has some 3212 direction regarding its effect. For example, a resource that was 3213 previously created using a PUT request, or identified via the 3214 Location header field after a 201 (Created) response to a POST 3215 request, might allow a corresponding DELETE request to undo those 3216 actions. Similarly, custom user agent implementations that implement 3217 an authoring function, such as revision control clients using HTTP 3218 for remote operations, might use DELETE based on an assumption that 3219 the server's URI space has been crafted to correspond to a version 3220 repository. 3222 If a DELETE method is successfully applied, the origin server SHOULD 3223 send 3225 o a 202 (Accepted) status code if the action will likely succeed but 3226 has not yet been enacted, 3228 o a 204 (No Content) status code if the action has been enacted and 3229 no further information is to be supplied, or 3231 o a 200 (OK) status code if the action has been enacted and the 3232 response message includes a representation describing the status. 3234 A payload within a DELETE request message has no defined semantics; 3235 sending a payload body on a DELETE request might cause some existing 3236 implementations to reject the request. 3238 Responses to the DELETE method are not cacheable. If a DELETE 3239 request passes through a cache that has one or more stored responses 3240 for the effective request URI, those stored responses will be 3241 invalidated (see Section 4.4 of [Caching]). 3243 7.3.6. CONNECT 3245 The CONNECT method requests that the recipient establish a tunnel to 3246 the destination origin server identified by the request-target and, 3247 if successful, thereafter restrict its behavior to blind forwarding 3248 of packets, in both directions, until the tunnel is closed. Tunnels 3249 are commonly used to create an end-to-end virtual connection, through 3250 one or more proxies, which can then be secured using TLS (Transport 3251 Layer Security, [RFC5246]). 3253 CONNECT is intended only for use in requests to a proxy. An origin 3254 server that receives a CONNECT request for itself MAY respond with a 3255 2xx (Successful) status code to indicate that a connection is 3256 established. However, most origin servers do not implement CONNECT. 3258 A client sending a CONNECT request MUST send the authority form of 3259 request-target (Section 3.2 of [Messaging]); i.e., the request-target 3260 consists of only the host name and port number of the tunnel 3261 destination, separated by a colon. For example, 3263 CONNECT server.example.com:80 HTTP/1.1 3264 Host: server.example.com:80 3266 The recipient proxy can establish a tunnel either by directly 3267 connecting to the request-target or, if configured to use another 3268 proxy, by forwarding the CONNECT request to the next inbound proxy. 3269 Any 2xx (Successful) response indicates that the sender (and all 3270 inbound proxies) will switch to tunnel mode immediately after the 3271 blank line that concludes the successful response's header section; 3272 data received after that blank line is from the server identified by 3273 the request-target. Any response other than a successful response 3274 indicates that the tunnel has not yet been formed and that the 3275 connection remains governed by HTTP. 3277 A tunnel is closed when a tunnel intermediary detects that either 3278 side has closed its connection: the intermediary MUST attempt to send 3279 any outstanding data that came from the closed side to the other 3280 side, close both connections, and then discard any remaining data 3281 left undelivered. 3283 Proxy authentication might be used to establish the authority to 3284 create a tunnel. For example, 3285 CONNECT server.example.com:80 HTTP/1.1 3286 Host: server.example.com:80 3287 Proxy-Authorization: basic aGVsbG86d29ybGQ= 3289 There are significant risks in establishing a tunnel to arbitrary 3290 servers, particularly when the destination is a well-known or 3291 reserved TCP port that is not intended for Web traffic. For example, 3292 a CONNECT to a request-target of "example.com:25" would suggest that 3293 the proxy connect to the reserved port for SMTP traffic; if allowed, 3294 that could trick the proxy into relaying spam email. Proxies that 3295 support CONNECT SHOULD restrict its use to a limited set of known 3296 ports or a configurable whitelist of safe request targets. 3298 A server MUST NOT send any Transfer-Encoding or Content-Length header 3299 fields in a 2xx (Successful) response to CONNECT. A client MUST 3300 ignore any Content-Length or Transfer-Encoding header fields received 3301 in a successful response to CONNECT. 3303 A payload within a CONNECT request message has no defined semantics; 3304 sending a payload body on a CONNECT request might cause some existing 3305 implementations to reject the request. 3307 Responses to the CONNECT method are not cacheable. 3309 7.3.7. OPTIONS 3311 The OPTIONS method requests information about the communication 3312 options available for the target resource, at either the origin 3313 server or an intervening intermediary. This method allows a client 3314 to determine the options and/or requirements associated with a 3315 resource, or the capabilities of a server, without implying a 3316 resource action. 3318 An OPTIONS request with an asterisk ("*") as the request-target 3319 (Section 3.2 of [Messaging]) applies to the server in general rather 3320 than to a specific resource. Since a server's communication options 3321 typically depend on the resource, the "*" request is only useful as a 3322 "ping" or "no-op" type of method; it does nothing beyond allowing the 3323 client to test the capabilities of the server. For example, this can 3324 be used to test a proxy for HTTP/1.1 conformance (or lack thereof). 3326 If the request-target is not an asterisk, the OPTIONS request applies 3327 to the options that are available when communicating with the target 3328 resource. 3330 A server generating a successful response to OPTIONS SHOULD send any 3331 header fields that might indicate optional features implemented by 3332 the server and applicable to the target resource (e.g., Allow), 3333 including potential extensions not defined by this specification. 3334 The response payload, if any, might also describe the communication 3335 options in a machine or human-readable representation. A standard 3336 format for such a representation is not defined by this 3337 specification, but might be defined by future extensions to HTTP. A 3338 server MUST generate a Content-Length field with a value of "0" if no 3339 payload body is to be sent in the response. 3341 A client MAY send a Max-Forwards header field in an OPTIONS request 3342 to target a specific recipient in the request chain (see 3343 Section 8.1.2). A proxy MUST NOT generate a Max-Forwards header 3344 field while forwarding a request unless that request was received 3345 with a Max-Forwards field. 3347 A client that generates an OPTIONS request containing a payload body 3348 MUST send a valid Content-Type header field describing the 3349 representation media type. Although this specification does not 3350 define any use for such a payload, future extensions to HTTP might 3351 use the OPTIONS body to make more detailed queries about the target 3352 resource. 3354 Responses to the OPTIONS method are not cacheable. 3356 7.3.8. TRACE 3358 The TRACE method requests a remote, application-level loop-back of 3359 the request message. The final recipient of the request SHOULD 3360 reflect the message received, excluding some fields described below, 3361 back to the client as the message body of a 200 (OK) response with a 3362 Content-Type of "message/http" (Section 10.1 of [Messaging]). The 3363 final recipient is either the origin server or the first server to 3364 receive a Max-Forwards value of zero (0) in the request 3365 (Section 8.1.2). 3367 A client MUST NOT generate header fields in a TRACE request 3368 containing sensitive data that might be disclosed by the response. 3369 For example, it would be foolish for a user agent to send stored user 3370 credentials Section 8.5 or cookies [RFC6265] in a TRACE request. The 3371 final recipient of the request SHOULD exclude any request header 3372 fields that are likely to contain sensitive data when that recipient 3373 generates the response body. 3375 TRACE allows the client to see what is being received at the other 3376 end of the request chain and use that data for testing or diagnostic 3377 information. The value of the Via header field (Section 5.6.1) is of 3378 particular interest, since it acts as a trace of the request chain. 3379 Use of the Max-Forwards header field allows the client to limit the 3380 length of the request chain, which is useful for testing a chain of 3381 proxies forwarding messages in an infinite loop. 3383 A client MUST NOT send a message body in a TRACE request. 3385 Responses to the TRACE method are not cacheable. 3387 7.4. Method Extensibility 3389 Additional methods, outside the scope of this specification, have 3390 been specified for use in HTTP. All such methods ought to be 3391 registered within the "Hypertext Transfer Protocol (HTTP) Method 3392 Registry". 3394 7.4.1. Method Registry 3396 The "Hypertext Transfer Protocol (HTTP) Method Registry", maintained 3397 by IANA at , registers 3398 method names. 3400 HTTP method registrations MUST include the following fields: 3402 o Method Name (see Section 7) 3404 o Safe ("yes" or "no", see Section 7.2.1) 3406 o Idempotent ("yes" or "no", see Section 7.2.2) 3408 o Pointer to specification text 3410 Values to be added to this namespace require IETF Review (see 3411 [RFC8126], Section 4.8). 3413 7.4.2. Considerations for New Methods 3415 Standardized methods are generic; that is, they are potentially 3416 applicable to any resource, not just one particular media type, kind 3417 of resource, or application. As such, it is preferred that new 3418 methods be registered in a document that isn't specific to a single 3419 application or data format, since orthogonal technologies deserve 3420 orthogonal specification. 3422 Since message parsing (Section 6 of [Messaging]) needs to be 3423 independent of method semantics (aside from responses to HEAD), 3424 definitions of new methods cannot change the parsing algorithm or 3425 prohibit the presence of a message body on either the request or the 3426 response message. Definitions of new methods can specify that only a 3427 zero-length message body is allowed by requiring a Content-Length 3428 header field with a value of "0". 3430 A new method definition needs to indicate whether it is safe 3431 (Section 7.2.1), idempotent (Section 7.2.2), cacheable 3432 (Section 7.2.3), what semantics are to be associated with the payload 3433 body if any is present in the request and what refinements the method 3434 makes to header field or status code semantics. If the new method is 3435 cacheable, its definition ought to describe how, and under what 3436 conditions, a cache can store a response and use it to satisfy a 3437 subsequent request. The new method ought to describe whether it can 3438 be made conditional (Section 8.2) and, if so, how a server responds 3439 when the condition is false. Likewise, if the new method might have 3440 some use for partial response semantics (Section 8.3), it ought to 3441 document this, too. 3443 Note: Avoid defining a method name that starts with "M-", since 3444 that prefix might be misinterpreted as having the semantics 3445 assigned to it by [RFC2774]. 3447 8. Request Header Fields 3449 A client sends request header fields to provide more information 3450 about the request context, make the request conditional based on the 3451 target resource state, suggest preferred formats for the response, 3452 supply authentication credentials, or modify the expected request 3453 processing. These fields act as request modifiers, similar to the 3454 parameters on a programming language method invocation. 3456 8.1. Controls 3458 Controls are request header fields that direct specific handling of 3459 the request. 3461 +-------------------+----------------------------+ 3462 | Header Field Name | Defined in... | 3463 +-------------------+----------------------------+ 3464 | Cache-Control | Section 5.2 of [Caching] | 3465 | Expect | Section 8.1.1 | 3466 | Host | Section 5.4 | 3467 | Max-Forwards | Section 8.1.2 | 3468 | Pragma | Section 5.4 of [Caching] | 3469 | TE | Section 7.4 of [Messaging] | 3470 +-------------------+----------------------------+ 3472 8.1.1. Expect 3474 The "Expect" header field in a request indicates a certain set of 3475 behaviors (expectations) that need to be supported by the server in 3476 order to properly handle this request. The only such expectation 3477 defined by this specification is 100-continue. 3479 Expect = "100-continue" 3481 The Expect field-value is case-insensitive. 3483 A server that receives an Expect field-value other than 100-continue 3484 MAY respond with a 417 (Expectation Failed) status code to indicate 3485 that the unexpected expectation cannot be met. 3487 A 100-continue expectation informs recipients that the client is 3488 about to send a (presumably large) message body in this request and 3489 wishes to receive a 100 (Continue) interim response if the request- 3490 line and header fields are not sufficient to cause an immediate 3491 success, redirect, or error response. This allows the client to wait 3492 for an indication that it is worthwhile to send the message body 3493 before actually doing so, which can improve efficiency when the 3494 message body is huge or when the client anticipates that an error is 3495 likely (e.g., when sending a state-changing method, for the first 3496 time, without previously verified authentication credentials). 3498 For example, a request that begins with 3500 PUT /somewhere/fun HTTP/1.1 3501 Host: origin.example.com 3502 Content-Type: video/h264 3503 Content-Length: 1234567890987 3504 Expect: 100-continue 3506 allows the origin server to immediately respond with an error 3507 message, such as 401 (Unauthorized) or 405 (Method Not Allowed), 3508 before the client starts filling the pipes with an unnecessary data 3509 transfer. 3511 Requirements for clients: 3513 o A client MUST NOT generate a 100-continue expectation in a request 3514 that does not include a message body. 3516 o A client that will wait for a 100 (Continue) response before 3517 sending the request message body MUST send an Expect header field 3518 containing a 100-continue expectation. 3520 o A client that sends a 100-continue expectation is not required to 3521 wait for any specific length of time; such a client MAY proceed to 3522 send the message body even if it has not yet received a response. 3523 Furthermore, since 100 (Continue) responses cannot be sent through 3524 an HTTP/1.0 intermediary, such a client SHOULD NOT wait for an 3525 indefinite period before sending the message body. 3527 o A client that receives a 417 (Expectation Failed) status code in 3528 response to a request containing a 100-continue expectation SHOULD 3529 repeat that request without a 100-continue expectation, since the 3530 417 response merely indicates that the response chain does not 3531 support expectations (e.g., it passes through an HTTP/1.0 server). 3533 Requirements for servers: 3535 o A server that receives a 100-continue expectation in an HTTP/1.0 3536 request MUST ignore that expectation. 3538 o A server MAY omit sending a 100 (Continue) response if it has 3539 already received some or all of the message body for the 3540 corresponding request, or if the framing indicates that there is 3541 no message body. 3543 o A server that sends a 100 (Continue) response MUST ultimately send 3544 a final status code, once the message body is received and 3545 processed, unless the connection is closed prematurely. 3547 o A server that responds with a final status code before reading the 3548 entire message body SHOULD indicate in that response whether it 3549 intends to close the connection or continue reading and discarding 3550 the request message (see Section 9.6 of [Messaging]). 3552 An origin server MUST, upon receiving an HTTP/1.1 (or later) request- 3553 line and a complete header section that contains a 100-continue 3554 expectation and indicates a request message body will follow, either 3555 send an immediate response with a final status code, if that status 3556 can be determined by examining just the request-line and header 3557 fields, or send an immediate 100 (Continue) response to encourage the 3558 client to send the request's message body. The origin server MUST 3559 NOT wait for the message body before sending the 100 (Continue) 3560 response. 3562 A proxy MUST, upon receiving an HTTP/1.1 (or later) request-line and 3563 a complete header section that contains a 100-continue expectation 3564 and indicates a request message body will follow, either send an 3565 immediate response with a final status code, if that status can be 3566 determined by examining just the request-line and header fields, or 3567 begin forwarding the request toward the origin server by sending a 3568 corresponding request-line and header section to the next inbound 3569 server. If the proxy believes (from configuration or past 3570 interaction) that the next inbound server only supports HTTP/1.0, the 3571 proxy MAY generate an immediate 100 (Continue) response to encourage 3572 the client to begin sending the message body. 3574 Note: The Expect header field was added after the original 3575 publication of HTTP/1.1 [RFC2068] as both the means to request an 3576 interim 100 (Continue) response and the general mechanism for 3577 indicating must-understand extensions. However, the extension 3578 mechanism has not been used by clients and the must-understand 3579 requirements have not been implemented by many servers, rendering 3580 the extension mechanism useless. This specification has removed 3581 the extension mechanism in order to simplify the definition and 3582 processing of 100-continue. 3584 8.1.2. Max-Forwards 3586 The "Max-Forwards" header field provides a mechanism with the TRACE 3587 (Section 7.3.8) and OPTIONS (Section 7.3.7) request methods to limit 3588 the number of times that the request is forwarded by proxies. This 3589 can be useful when the client is attempting to trace a request that 3590 appears to be failing or looping mid-chain. 3592 Max-Forwards = 1*DIGIT 3594 The Max-Forwards value is a decimal integer indicating the remaining 3595 number of times this request message can be forwarded. 3597 Each intermediary that receives a TRACE or OPTIONS request containing 3598 a Max-Forwards header field MUST check and update its value prior to 3599 forwarding the request. If the received value is zero (0), the 3600 intermediary MUST NOT forward the request; instead, the intermediary 3601 MUST respond as the final recipient. If the received Max-Forwards 3602 value is greater than zero, the intermediary MUST generate an updated 3603 Max-Forwards field in the forwarded message with a field-value that 3604 is the lesser of a) the received value decremented by one (1) or b) 3605 the recipient's maximum supported value for Max-Forwards. 3607 A recipient MAY ignore a Max-Forwards header field received with any 3608 other request methods. 3610 8.2. Preconditions 3612 A conditional request is an HTTP request with one or more request 3613 header fields that indicate a precondition to be tested before 3614 applying the request method to the target resource. Section 8.2.1 3615 defines when preconditions are applied. Section 8.2.2 defines the 3616 order of evaluation when more than one precondition is present. 3618 Conditional GET requests are the most efficient mechanism for HTTP 3619 cache updates [Caching]. Conditionals can also be applied to state- 3620 changing methods, such as PUT and DELETE, to prevent the "lost 3621 update" problem: one client accidentally overwriting the work of 3622 another client that has been acting in parallel. 3624 Conditional request preconditions are based on the state of the 3625 target resource as a whole (its current value set) or the state as 3626 observed in a previously obtained representation (one value in that 3627 set). A resource might have multiple current representations, each 3628 with its own observable state. The conditional request mechanisms 3629 assume that the mapping of requests to a "selected representation" 3630 (Section 6) will be consistent over time if the server intends to 3631 take advantage of conditionals. Regardless, if the mapping is 3632 inconsistent and the server is unable to select the appropriate 3633 representation, then no harm will result when the precondition 3634 evaluates to false. 3636 The following request header fields allow a client to place a 3637 precondition on the state of the target resource, so that the action 3638 corresponding to the method semantics will not be applied if the 3639 precondition evaluates to false. Each precondition defined by this 3640 specification consists of a comparison between a set of validators 3641 obtained from prior representations of the target resource to the 3642 current state of validators for the selected representation 3643 (Section 10.2). Hence, these preconditions evaluate whether the 3644 state of the target resource has changed since a given state known by 3645 the client. The effect of such an evaluation depends on the method 3646 semantics and choice of conditional, as defined in Section 8.2.1. 3648 +---------------------+---------------+ 3649 | Header Field Name | Defined in... | 3650 +---------------------+---------------+ 3651 | If-Match | Section 8.2.3 | 3652 | If-None-Match | Section 8.2.4 | 3653 | If-Modified-Since | Section 8.2.5 | 3654 | If-Unmodified-Since | Section 8.2.6 | 3655 | If-Range | Section 8.2.7 | 3656 +---------------------+---------------+ 3658 8.2.1. Evaluation 3660 Except when excluded below, a recipient cache or origin server MUST 3661 evaluate received request preconditions after it has successfully 3662 performed its normal request checks and just before it would perform 3663 the action associated with the request method. A server MUST ignore 3664 all received preconditions if its response to the same request 3665 without those conditions would have been a status code other than a 3666 2xx (Successful) or 412 (Precondition Failed). In other words, 3667 redirects and failures take precedence over the evaluation of 3668 preconditions in conditional requests. 3670 A server that is not the origin server for the target resource and 3671 cannot act as a cache for requests on the target resource MUST NOT 3672 evaluate the conditional request header fields defined by this 3673 specification, and it MUST forward them if the request is forwarded, 3674 since the generating client intends that they be evaluated by a 3675 server that can provide a current representation. Likewise, a server 3676 MUST ignore the conditional request header fields defined by this 3677 specification when received with a request method that does not 3678 involve the selection or modification of a selected representation, 3679 such as CONNECT, OPTIONS, or TRACE. 3681 Conditional request header fields that are defined by extensions to 3682 HTTP might place conditions on all recipients, on the state of the 3683 target resource in general, or on a group of resources. For 3684 instance, the "If" header field in WebDAV can make a request 3685 conditional on various aspects of multiple resources, such as locks, 3686 if the recipient understands and implements that field ([RFC4918], 3687 Section 10.4). 3689 Although conditional request header fields are defined as being 3690 usable with the HEAD method (to keep HEAD's semantics consistent with 3691 those of GET), there is no point in sending a conditional HEAD 3692 because a successful response is around the same size as a 304 (Not 3693 Modified) response and more useful than a 412 (Precondition Failed) 3694 response. 3696 8.2.2. Precedence 3698 When more than one conditional request header field is present in a 3699 request, the order in which the fields are evaluated becomes 3700 important. In practice, the fields defined in this document are 3701 consistently implemented in a single, logical order, since "lost 3702 update" preconditions have more strict requirements than cache 3703 validation, a validated cache is more efficient than a partial 3704 response, and entity tags are presumed to be more accurate than date 3705 validators. 3707 A recipient cache or origin server MUST evaluate the request 3708 preconditions defined by this specification in the following order: 3710 1. When recipient is the origin server and If-Match is present, 3711 evaluate the If-Match precondition: 3713 * if true, continue to step 3 3715 * if false, respond 412 (Precondition Failed) unless it can be 3716 determined that the state-changing request has already 3717 succeeded (see Section 8.2.3) 3719 2. When recipient is the origin server, If-Match is not present, and 3720 If-Unmodified-Since is present, evaluate the If-Unmodified-Since 3721 precondition: 3723 * if true, continue to step 3 3725 * if false, respond 412 (Precondition Failed) unless it can be 3726 determined that the state-changing request has already 3727 succeeded (see Section 8.2.6) 3729 3. When If-None-Match is present, evaluate the If-None-Match 3730 precondition: 3732 * if true, continue to step 5 3734 * if false for GET/HEAD, respond 304 (Not Modified) 3736 * if false for other methods, respond 412 (Precondition Failed) 3738 4. When the method is GET or HEAD, If-None-Match is not present, and 3739 If-Modified-Since is present, evaluate the If-Modified-Since 3740 precondition: 3742 * if true, continue to step 5 3744 * if false, respond 304 (Not Modified) 3746 5. When the method is GET and both Range and If-Range are present, 3747 evaluate the If-Range precondition: 3749 * if the validator matches and the Range specification is 3750 applicable to the selected representation, respond 206 3751 (Partial Content) 3753 6. Otherwise, 3755 * all conditions are met, so perform the requested action and 3756 respond according to its success or failure. 3758 Any extension to HTTP/1.1 that defines additional conditional request 3759 header fields ought to define its own expectations regarding the 3760 order for evaluating such fields in relation to those defined in this 3761 document and other conditionals that might be found in practice. 3763 8.2.3. If-Match 3765 The "If-Match" header field makes the request method conditional on 3766 the recipient origin server either having at least one current 3767 representation of the target resource, when the field-value is "*", 3768 or having a current representation of the target resource that has an 3769 entity-tag matching a member of the list of entity-tags provided in 3770 the field-value. 3772 An origin server MUST use the strong comparison function when 3773 comparing entity-tags for If-Match (Section 10.2.3.2), since the 3774 client intends this precondition to prevent the method from being 3775 applied if there have been any changes to the representation data. 3777 If-Match = "*" / 1#entity-tag 3779 Examples: 3781 If-Match: "xyzzy" 3782 If-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" 3783 If-Match: * 3785 If-Match is most often used with state-changing methods (e.g., POST, 3786 PUT, DELETE) to prevent accidental overwrites when multiple user 3787 agents might be acting in parallel on the same resource (i.e., to 3788 prevent the "lost update" problem). It can also be used with safe 3789 methods to abort a request if the selected representation does not 3790 match one already stored (or partially stored) from a prior request. 3792 An origin server that receives an If-Match header field MUST evaluate 3793 the condition prior to performing the method (Section 8.2.1). If the 3794 field-value is "*", the condition is false if the origin server does 3795 not have a current representation for the target resource. If the 3796 field-value is a list of entity-tags, the condition is false if none 3797 of the listed tags match the entity-tag of the selected 3798 representation. 3800 An origin server MUST NOT perform the requested method if a received 3801 If-Match condition evaluates to false; instead, the origin server 3802 MUST respond with either a) the 412 (Precondition Failed) status code 3803 or b) one of the 2xx (Successful) status codes if the origin server 3804 has verified that a state change is being requested and the final 3805 state is already reflected in the current state of the target 3806 resource (i.e., the change requested by the user agent has already 3807 succeeded, but the user agent might not be aware of it, perhaps 3808 because the prior response was lost or a compatible change was made 3809 by some other user agent). In the latter case, the origin server 3810 MUST NOT send a validator header field in the response unless it can 3811 verify that the request is a duplicate of an immediately prior change 3812 made by the same user agent. 3814 The If-Match header field can be ignored by caches and intermediaries 3815 because it is not applicable to a stored response. 3817 8.2.4. If-None-Match 3819 The "If-None-Match" header field makes the request method conditional 3820 on a recipient cache or origin server either not having any current 3821 representation of the target resource, when the field-value is "*", 3822 or having a selected representation with an entity-tag that does not 3823 match any of those listed in the field-value. 3825 A recipient MUST use the weak comparison function when comparing 3826 entity-tags for If-None-Match (Section 10.2.3.2), since weak entity- 3827 tags can be used for cache validation even if there have been changes 3828 to the representation data. 3830 If-None-Match = "*" / 1#entity-tag 3832 Examples: 3834 If-None-Match: "xyzzy" 3835 If-None-Match: W/"xyzzy" 3836 If-None-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" 3837 If-None-Match: W/"xyzzy", W/"r2d2xxxx", W/"c3piozzzz" 3838 If-None-Match: * 3840 If-None-Match is primarily used in conditional GET requests to enable 3841 efficient updates of cached information with a minimum amount of 3842 transaction overhead. When a client desires to update one or more 3843 stored responses that have entity-tags, the client SHOULD generate an 3844 If-None-Match header field containing a list of those entity-tags 3845 when making a GET request; this allows recipient servers to send a 3846 304 (Not Modified) response to indicate when one of those stored 3847 responses matches the selected representation. 3849 If-None-Match can also be used with a value of "*" to prevent an 3850 unsafe request method (e.g., PUT) from inadvertently modifying an 3851 existing representation of the target resource when the client 3852 believes that the resource does not have a current representation 3853 (Section 7.2.1). This is a variation on the "lost update" problem 3854 that might arise if more than one client attempts to create an 3855 initial representation for the target resource. 3857 An origin server that receives an If-None-Match header field MUST 3858 evaluate the condition prior to performing the method 3859 (Section 8.2.1). If the field-value is "*", the condition is false 3860 if the origin server has a current representation for the target 3861 resource. If the field-value is a list of entity-tags, the condition 3862 is false if one of the listed tags match the entity-tag of the 3863 selected representation. 3865 An origin server MUST NOT perform the requested method if the 3866 condition evaluates to false; instead, the origin server MUST respond 3867 with either a) the 304 (Not Modified) status code if the request 3868 method is GET or HEAD or b) the 412 (Precondition Failed) status code 3869 for all other request methods. 3871 Requirements on cache handling of a received If-None-Match header 3872 field are defined in Section 4.3.2 of [Caching]. 3874 8.2.5. If-Modified-Since 3876 The "If-Modified-Since" header field makes a GET or HEAD request 3877 method conditional on the selected representation's modification date 3878 being more recent than the date provided in the field-value. 3879 Transfer of the selected representation's data is avoided if that 3880 data has not changed. 3882 If-Modified-Since = HTTP-date 3884 An example of the field is: 3886 If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT 3888 A recipient MUST ignore If-Modified-Since if the request contains an 3889 If-None-Match header field; the condition in If-None-Match is 3890 considered to be a more accurate replacement for the condition in If- 3891 Modified-Since, and the two are only combined for the sake of 3892 interoperating with older intermediaries that might not implement If- 3893 None-Match. 3895 A recipient MUST ignore the If-Modified-Since header field if the 3896 received field-value is not a valid HTTP-date, or if the request 3897 method is neither GET nor HEAD. 3899 A recipient MUST interpret an If-Modified-Since field-value's 3900 timestamp in terms of the origin server's clock. 3902 If-Modified-Since is typically used for two distinct purposes: 1) to 3903 allow efficient updates of a cached representation that does not have 3904 an entity-tag and 2) to limit the scope of a web traversal to 3905 resources that have recently changed. 3907 When used for cache updates, a cache will typically use the value of 3908 the cached message's Last-Modified field to generate the field value 3909 of If-Modified-Since. This behavior is most interoperable for cases 3910 where clocks are poorly synchronized or when the server has chosen to 3911 only honor exact timestamp matches (due to a problem with Last- 3912 Modified dates that appear to go "back in time" when the origin 3913 server's clock is corrected or a representation is restored from an 3914 archived backup). However, caches occasionally generate the field 3915 value based on other data, such as the Date header field of the 3916 cached message or the local clock time that the message was received, 3917 particularly when the cached message does not contain a Last-Modified 3918 field. 3920 When used for limiting the scope of retrieval to a recent time 3921 window, a user agent will generate an If-Modified-Since field value 3922 based on either its own local clock or a Date header field received 3923 from the server in a prior response. Origin servers that choose an 3924 exact timestamp match based on the selected representation's Last- 3925 Modified field will not be able to help the user agent limit its data 3926 transfers to only those changed during the specified window. 3928 An origin server that receives an If-Modified-Since header field 3929 SHOULD evaluate the condition prior to performing the method 3930 (Section 8.2.1). The origin server SHOULD NOT perform the requested 3931 method if the selected representation's last modification date is 3932 earlier than or equal to the date provided in the field-value; 3933 instead, the origin server SHOULD generate a 304 (Not Modified) 3934 response, including only those metadata that are useful for 3935 identifying or updating a previously cached response. 3937 Requirements on cache handling of a received If-Modified-Since header 3938 field are defined in Section 4.3.2 of [Caching]. 3940 8.2.6. If-Unmodified-Since 3942 The "If-Unmodified-Since" header field makes the request method 3943 conditional on the selected representation's last modification date 3944 being earlier than or equal to the date provided in the field-value. 3945 This field accomplishes the same purpose as If-Match for cases where 3946 the user agent does not have an entity-tag for the representation. 3948 If-Unmodified-Since = HTTP-date 3950 An example of the field is: 3952 If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT 3954 A recipient MUST ignore If-Unmodified-Since if the request contains 3955 an If-Match header field; the condition in If-Match is considered to 3956 be a more accurate replacement for the condition in If-Unmodified- 3957 Since, and the two are only combined for the sake of interoperating 3958 with older intermediaries that might not implement If-Match. 3960 A recipient MUST ignore the If-Unmodified-Since header field if the 3961 received field-value is not a valid HTTP-date. 3963 A recipient MUST interpret an If-Unmodified-Since field-value's 3964 timestamp in terms of the origin server's clock. 3966 If-Unmodified-Since is most often used with state-changing methods 3967 (e.g., POST, PUT, DELETE) to prevent accidental overwrites when 3968 multiple user agents might be acting in parallel on a resource that 3969 does not supply entity-tags with its representations (i.e., to 3970 prevent the "lost update" problem). It can also be used with safe 3971 methods to abort a request if the selected representation does not 3972 match one already stored (or partially stored) from a prior request. 3974 An origin server that receives an If-Unmodified-Since header field 3975 MUST evaluate the condition prior to performing the method 3976 (Section 8.2.1). The origin server MUST NOT perform the requested 3977 method if the selected representation's last modification date is 3978 more recent than the date provided in the field-value; instead the 3979 origin server MUST respond with either a) the 412 (Precondition 3980 Failed) status code or b) one of the 2xx (Successful) status codes if 3981 the origin server has verified that a state change is being requested 3982 and the final state is already reflected in the current state of the 3983 target resource (i.e., the change requested by the user agent has 3984 already succeeded, but the user agent might not be aware of that 3985 because the prior response message was lost or a compatible change 3986 was made by some other user agent). In the latter case, the origin 3987 server MUST NOT send a validator header field in the response unless 3988 it can verify that the request is a duplicate of an immediately prior 3989 change made by the same user agent. 3991 The If-Unmodified-Since header field can be ignored by caches and 3992 intermediaries because it is not applicable to a stored response. 3994 8.2.7. If-Range 3996 The "If-Range" header field provides a special conditional request 3997 mechanism that is similar to the If-Match and If-Unmodified-Since 3998 header fields but that instructs the recipient to ignore the Range 3999 header field if the validator doesn't match, resulting in transfer of 4000 the new selected representation instead of a 412 (Precondition 4001 Failed) response. 4003 If a client has a partial copy of a representation and wishes to have 4004 an up-to-date copy of the entire representation, it could use the 4005 Range header field with a conditional GET (using either or both of 4006 If-Unmodified-Since and If-Match.) However, if the precondition 4007 fails because the representation has been modified, the client would 4008 then have to make a second request to obtain the entire current 4009 representation. 4011 The "If-Range" header field allows a client to "short-circuit" the 4012 second request. Informally, its meaning is as follows: if the 4013 representation is unchanged, send me the part(s) that I am requesting 4014 in Range; otherwise, send me the entire representation. 4016 If-Range = entity-tag / HTTP-date 4018 A client MUST NOT generate an If-Range header field in a request that 4019 does not contain a Range header field. A server MUST ignore an If- 4020 Range header field received in a request that does not contain a 4021 Range header field. An origin server MUST ignore an If-Range header 4022 field received in a request for a target resource that does not 4023 support Range requests. 4025 A client MUST NOT generate an If-Range header field containing an 4026 entity-tag that is marked as weak. A client MUST NOT generate an If- 4027 Range header field containing an HTTP-date unless the client has no 4028 entity-tag for the corresponding representation and the date is a 4029 strong validator in the sense defined by Section 10.2.2.2. 4031 A server that evaluates an If-Range precondition MUST use the strong 4032 comparison function when comparing entity-tags (Section 10.2.3.2) and 4033 MUST evaluate the condition as false if an HTTP-date validator is 4034 provided that is not a strong validator in the sense defined by 4035 Section 10.2.2.2. A valid entity-tag can be distinguished from a 4036 valid HTTP-date by examining the first two characters for a DQUOTE. 4038 If the validator given in the If-Range header field matches the 4039 current validator for the selected representation of the target 4040 resource, then the server SHOULD process the Range header field as 4041 requested. If the validator does not match, the server MUST ignore 4042 the Range header field. Note that this comparison by exact match, 4043 including when the validator is an HTTP-date, differs from the 4044 "earlier than or equal to" comparison used when evaluating an If- 4045 Unmodified-Since conditional. 4047 8.3. Range 4049 The "Range" header field on a GET request modifies the method 4050 semantics to request transfer of only one or more subranges of the 4051 selected representation data, rather than the entire selected 4052 representation data. 4054 Range = byte-ranges-specifier / other-ranges-specifier 4055 other-ranges-specifier = other-range-unit "=" other-range-set 4056 other-range-set = 1*VCHAR 4058 Clients often encounter interrupted data transfers as a result of 4059 canceled requests or dropped connections. When a client has stored a 4060 partial representation, it is desirable to request the remainder of 4061 that representation in a subsequent request rather than transfer the 4062 entire representation. Likewise, devices with limited local storage 4063 might benefit from being able to request only a subset of a larger 4064 representation, such as a single page of a very large document, or 4065 the dimensions of an embedded image. 4067 Range requests are an OPTIONAL feature of HTTP, designed so that 4068 recipients not implementing this feature (or not supporting it for 4069 the target resource) can respond as if it is a normal GET request 4070 without impacting interoperability. Partial responses are indicated 4071 by a distinct status code to not be mistaken for full responses by 4072 caches that might not implement the feature. 4074 A server MAY ignore the Range header field. However, origin servers 4075 and intermediate caches ought to support byte ranges when possible, 4076 since Range supports efficient recovery from partially failed 4077 transfers and partial retrieval of large representations. A server 4078 MUST ignore a Range header field received with a request method other 4079 than GET. 4081 Although the range request mechanism is designed to allow for 4082 extensible range types, this specification only defines requests for 4083 byte ranges. 4085 An origin server MUST ignore a Range header field that contains a 4086 range unit it does not understand. A proxy MAY discard a Range 4087 header field that contains a range unit it does not understand. 4089 A server that supports range requests MAY ignore or reject a Range 4090 header field that consists of more than two overlapping ranges, or a 4091 set of many small ranges that are not listed in ascending order, 4092 since both are indications of either a broken client or a deliberate 4093 denial-of-service attack (Section 12.13). A client SHOULD NOT 4094 request multiple ranges that are inherently less efficient to process 4095 and transfer than a single range that encompasses the same data. 4097 A client that is requesting multiple ranges SHOULD list those ranges 4098 in ascending order (the order in which they would typically be 4099 received in a complete representation) unless there is a specific 4100 need to request a later part earlier. For example, a user agent 4101 processing a large representation with an internal catalog of parts 4102 might need to request later parts first, particularly if the 4103 representation consists of pages stored in reverse order and the user 4104 agent wishes to transfer one page at a time. 4106 The Range header field is evaluated after evaluating the precondition 4107 header fields defined in Section 8.2, and only if the result in 4108 absence of the Range header field would be a 200 (OK) response. In 4109 other words, Range is ignored when a conditional GET would result in 4110 a 304 (Not Modified) response. 4112 The If-Range header field (Section 8.2.7) can be used as a 4113 precondition to applying the Range header field. 4115 If all of the preconditions are true, the server supports the Range 4116 header field for the target resource, and the specified range(s) are 4117 valid and satisfiable (as defined in Section 6.1.4.1), the server 4118 SHOULD send a 206 (Partial Content) response with a payload 4119 containing one or more partial representations that correspond to the 4120 satisfiable ranges requested. 4122 If all of the preconditions are true, the server supports the Range 4123 header field for the target resource, and the specified range(s) are 4124 invalid or unsatisfiable, the server SHOULD send a 416 (Range Not 4125 Satisfiable) response. 4127 8.4. Content Negotiation 4129 The following request header fields are sent by a user agent to 4130 engage in proactive negotiation of the response content, as defined 4131 in Section 6.4.1. The preferences sent in these fields apply to any 4132 content in the response, including representations of the target 4133 resource, representations of error or processing status, and 4134 potentially even the miscellaneous text strings that might appear 4135 within the protocol. 4137 +-------------------+---------------+ 4138 | Header Field Name | Defined in... | 4139 +-------------------+---------------+ 4140 | Accept | Section 8.4.2 | 4141 | Accept-Charset | Section 8.4.3 | 4142 | Accept-Encoding | Section 8.4.4 | 4143 | Accept-Language | Section 8.4.5 | 4144 +-------------------+---------------+ 4146 8.4.1. Quality Values 4148 Many of the request header fields for proactive negotiation use a 4149 common parameter, named "q" (case-insensitive), to assign a relative 4150 "weight" to the preference for that associated kind of content. This 4151 weight is referred to as a "quality value" (or "qvalue") because the 4152 same parameter name is often used within server configurations to 4153 assign a weight to the relative quality of the various 4154 representations that can be selected for a resource. 4156 The weight is normalized to a real number in the range 0 through 1, 4157 where 0.001 is the least preferred and 1 is the most preferred; a 4158 value of 0 means "not acceptable". If no "q" parameter is present, 4159 the default weight is 1. 4161 weight = OWS ";" OWS "q=" qvalue 4162 qvalue = ( "0" [ "." 0*3DIGIT ] ) 4163 / ( "1" [ "." 0*3("0") ] ) 4165 A sender of qvalue MUST NOT generate more than three digits after the 4166 decimal point. User configuration of these values ought to be 4167 limited in the same fashion. 4169 8.4.2. Accept 4171 The "Accept" header field can be used by user agents to specify 4172 response media types that are acceptable. Accept header fields can 4173 be used to indicate that the request is specifically limited to a 4174 small set of desired types, as in the case of a request for an in- 4175 line image. 4177 Accept = #( media-range [ accept-params ] ) 4179 media-range = ( "*/*" 4180 / ( type "/" "*" ) 4181 / ( type "/" subtype ) 4182 ) *( OWS ";" OWS parameter ) 4183 accept-params = weight *( accept-ext ) 4184 accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] 4186 The asterisk "*" character is used to group media types into ranges, 4187 with "*/*" indicating all media types and "type/*" indicating all 4188 subtypes of that type. The media-range can include media type 4189 parameters that are applicable to that range. 4191 Each media-range might be followed by zero or more applicable media 4192 type parameters (e.g., charset), an optional "q" parameter for 4193 indicating a relative weight (Section 8.4.1), and then zero or more 4194 extension parameters. The "q" parameter is necessary if any 4195 extensions (accept-ext) are present, since it acts as a separator 4196 between the two parameter sets. 4198 Note: Use of the "q" parameter name to separate media type 4199 parameters from Accept extension parameters is due to historical 4200 practice. Although this prevents any media type parameter named 4201 "q" from being used with a media range, such an event is believed 4202 to be unlikely given the lack of any "q" parameters in the IANA 4203 media type registry and the rare usage of any media type 4204 parameters in Accept. Future media types are discouraged from 4205 registering any parameter named "q". 4207 The example 4209 Accept: audio/*; q=0.2, audio/basic 4211 is interpreted as "I prefer audio/basic, but send me any audio type 4212 if it is the best available after an 80% markdown in quality". 4214 A request without any Accept header field implies that the user agent 4215 will accept any media type in response. If the header field is 4216 present in a request and none of the available representations for 4217 the response have a media type that is listed as acceptable, the 4218 origin server can either honor the header field by sending a 406 (Not 4219 Acceptable) response or disregard the header field by treating the 4220 response as if it is not subject to content negotiation. 4222 A more elaborate example is 4224 Accept: text/plain; q=0.5, text/html, 4225 text/x-dvi; q=0.8, text/x-c 4227 Verbally, this would be interpreted as "text/html and text/x-c are 4228 the equally preferred media types, but if they do not exist, then 4229 send the text/x-dvi representation, and if that does not exist, send 4230 the text/plain representation". 4232 Media ranges can be overridden by more specific media ranges or 4233 specific media types. If more than one media range applies to a 4234 given type, the most specific reference has precedence. For example, 4236 Accept: text/*, text/plain, text/plain;format=flowed, */* 4238 have the following precedence: 4240 1. text/plain;format=flowed 4242 2. text/plain 4244 3. text/* 4246 4. */* 4248 The media type quality factor associated with a given type is 4249 determined by finding the media range with the highest precedence 4250 that matches the type. For example, 4252 Accept: text/*;q=0.3, text/html;q=0.7, text/html;level=1, 4253 text/html;level=2;q=0.4, */*;q=0.5 4255 would cause the following values to be associated: 4257 +-------------------+---------------+ 4258 | Media Type | Quality Value | 4259 +-------------------+---------------+ 4260 | text/html;level=1 | 1 | 4261 | text/html | 0.7 | 4262 | text/plain | 0.3 | 4263 | image/jpeg | 0.5 | 4264 | text/html;level=2 | 0.4 | 4265 | text/html;level=3 | 0.7 | 4266 +-------------------+---------------+ 4268 Note: A user agent might be provided with a default set of quality 4269 values for certain media ranges. However, unless the user agent is a 4270 closed system that cannot interact with other rendering agents, this 4271 default set ought to be configurable by the user. 4273 8.4.3. Accept-Charset 4275 The "Accept-Charset" header field can be sent by a user agent to 4276 indicate what charsets are acceptable in textual response content. 4277 This field allows user agents capable of understanding more 4278 comprehensive or special-purpose charsets to signal that capability 4279 to an origin server that is capable of representing information in 4280 those charsets. 4282 Accept-Charset = 1#( ( charset / "*" ) [ weight ] ) 4284 Charset names are defined in Section 6.1.1.1. A user agent MAY 4285 associate a quality value with each charset to indicate the user's 4286 relative preference for that charset, as defined in Section 8.4.1. 4287 An example is 4289 Accept-Charset: iso-8859-5, unicode-1-1;q=0.8 4291 The special value "*", if present in the Accept-Charset field, 4292 matches every charset that is not mentioned elsewhere in the Accept- 4293 Charset field. If no "*" is present in an Accept-Charset field, then 4294 any charsets not explicitly mentioned in the field are considered 4295 "not acceptable" to the client. 4297 A request without any Accept-Charset header field implies that the 4298 user agent will accept any charset in response. Most general-purpose 4299 user agents do not send Accept-Charset, unless specifically 4300 configured to do so, because a detailed list of supported charsets 4301 makes it easier for a server to identify an individual by virtue of 4302 the user agent's request characteristics (Section 12.11). 4304 If an Accept-Charset header field is present in a request and none of 4305 the available representations for the response has a charset that is 4306 listed as acceptable, the origin server can either honor the header 4307 field, by sending a 406 (Not Acceptable) response, or disregard the 4308 header field by treating the resource as if it is not subject to 4309 content negotiation. 4311 8.4.4. Accept-Encoding 4313 The "Accept-Encoding" header field can be used by user agents to 4314 indicate what response content-codings (Section 6.1.2) are acceptable 4315 in the response. An "identity" token is used as a synonym for "no 4316 encoding" in order to communicate when no encoding is preferred. 4318 Accept-Encoding = #( codings [ weight ] ) 4319 codings = content-coding / "identity" / "*" 4321 Each codings value MAY be given an associated quality value 4322 representing the preference for that encoding, as defined in 4323 Section 8.4.1. The asterisk "*" symbol in an Accept-Encoding field 4324 matches any available content-coding not explicitly listed in the 4325 header field. 4327 For example, 4329 Accept-Encoding: compress, gzip 4330 Accept-Encoding: 4331 Accept-Encoding: * 4332 Accept-Encoding: compress;q=0.5, gzip;q=1.0 4333 Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0 4335 A request without an Accept-Encoding header field implies that the 4336 user agent has no preferences regarding content-codings. Although 4337 this allows the server to use any content-coding in a response, it 4338 does not imply that the user agent will be able to correctly process 4339 all encodings. 4341 A server tests whether a content-coding for a given representation is 4342 acceptable using these rules: 4344 1. If no Accept-Encoding field is in the request, any content-coding 4345 is considered acceptable by the user agent. 4347 2. If the representation has no content-coding, then it is 4348 acceptable by default unless specifically excluded by the Accept- 4349 Encoding field stating either "identity;q=0" or "*;q=0" without a 4350 more specific entry for "identity". 4352 3. If the representation's content-coding is one of the content- 4353 codings listed in the Accept-Encoding field, then it is 4354 acceptable unless it is accompanied by a qvalue of 0. (As 4355 defined in Section 8.4.1, a qvalue of 0 means "not acceptable".) 4357 4. If multiple content-codings are acceptable, then the acceptable 4358 content-coding with the highest non-zero qvalue is preferred. 4360 An Accept-Encoding header field with a combined field-value that is 4361 empty implies that the user agent does not want any content-coding in 4362 response. If an Accept-Encoding header field is present in a request 4363 and none of the available representations for the response have a 4364 content-coding that is listed as acceptable, the origin server SHOULD 4365 send a response without any content-coding. 4367 Note: Most HTTP/1.0 applications do not recognize or obey qvalues 4368 associated with content-codings. This means that qvalues might 4369 not work and are not permitted with x-gzip or x-compress. 4371 8.4.5. Accept-Language 4373 The "Accept-Language" header field can be used by user agents to 4374 indicate the set of natural languages that are preferred in the 4375 response. Language tags are defined in Section 6.1.3. 4377 Accept-Language = 1#( language-range [ weight ] ) 4378 language-range = 4379 4381 Each language-range can be given an associated quality value 4382 representing an estimate of the user's preference for the languages 4383 specified by that range, as defined in Section 8.4.1. For example, 4385 Accept-Language: da, en-gb;q=0.8, en;q=0.7 4387 would mean: "I prefer Danish, but will accept British English and 4388 other types of English". 4390 A request without any Accept-Language header field implies that the 4391 user agent will accept any language in response. If the header field 4392 is present in a request and none of the available representations for 4393 the response have a matching language tag, the origin server can 4394 either disregard the header field by treating the response as if it 4395 is not subject to content negotiation or honor the header field by 4396 sending a 406 (Not Acceptable) response. However, the latter is not 4397 encouraged, as doing so can prevent users from accessing content that 4398 they might be able to use (with translation software, for example). 4400 Note that some recipients treat the order in which language tags are 4401 listed as an indication of descending priority, particularly for tags 4402 that are assigned equal quality values (no value is the same as q=1). 4403 However, this behavior cannot be relied upon. For consistency and to 4404 maximize interoperability, many user agents assign each language tag 4405 a unique quality value while also listing them in order of decreasing 4406 quality. Additional discussion of language priority lists can be 4407 found in Section 2.3 of [RFC4647]. 4409 For matching, Section 3 of [RFC4647] defines several matching 4410 schemes. Implementations can offer the most appropriate matching 4411 scheme for their requirements. The "Basic Filtering" scheme 4412 ([RFC4647], Section 3.3.1) is identical to the matching scheme that 4413 was previously defined for HTTP in Section 14.4 of [RFC2616]. 4415 It might be contrary to the privacy expectations of the user to send 4416 an Accept-Language header field with the complete linguistic 4417 preferences of the user in every request (Section 12.11). 4419 Since intelligibility is highly dependent on the individual user, 4420 user agents need to allow user control over the linguistic preference 4421 (either through configuration of the user agent itself or by 4422 defaulting to a user controllable system setting). A user agent that 4423 does not provide such control to the user MUST NOT send an Accept- 4424 Language header field. 4426 Note: User agents ought to provide guidance to users when setting 4427 a preference, since users are rarely familiar with the details of 4428 language matching as described above. For example, users might 4429 assume that on selecting "en-gb", they will be served any kind of 4430 English document if British English is not available. A user 4431 agent might suggest, in such a case, to add "en" to the list for 4432 better matching behavior. 4434 8.5. Authentication Credentials 4436 HTTP provides a general framework for access control and 4437 authentication, via an extensible set of challenge-response 4438 authentication schemes, which can be used by a server to challenge a 4439 client request and by a client to provide authentication information. 4441 Two header fields are used for carrying authentication credentials. 4442 Note that various custom mechanisms for user authentication use the 4443 Cookie header field for this purpose, as defined in [RFC6265]. 4445 +---------------------+---------------+ 4446 | Header Field Name | Defined in... | 4447 +---------------------+---------------+ 4448 | Authorization | Section 8.5.3 | 4449 | Proxy-Authorization | Section 8.5.4 | 4450 +---------------------+---------------+ 4452 8.5.1. Challenge and Response 4454 HTTP provides a simple challenge-response authentication framework 4455 that can be used by a server to challenge a client request and by a 4456 client to provide authentication information. It uses a case- 4457 insensitive token as a means to identify the authentication scheme, 4458 followed by additional information necessary for achieving 4459 authentication via that scheme. The latter can be either a comma- 4460 separated list of parameters or a single sequence of characters 4461 capable of holding base64-encoded information. 4463 Authentication parameters are name=value pairs, where the name token 4464 is matched case-insensitively, and each parameter name MUST only 4465 occur once per challenge. 4467 auth-scheme = token 4469 auth-param = token BWS "=" BWS ( token / quoted-string ) 4471 token68 = 1*( ALPHA / DIGIT / 4472 "-" / "." / "_" / "~" / "+" / "/" ) *"=" 4474 The token68 syntax allows the 66 unreserved URI characters 4475 ([RFC3986]), plus a few others, so that it can hold a base64, 4476 base64url (URL and filename safe alphabet), base32, or base16 (hex) 4477 encoding, with or without padding, but excluding whitespace 4478 ([RFC4648]). 4480 A 401 (Unauthorized) response message is used by an origin server to 4481 challenge the authorization of a user agent, including a WWW- 4482 Authenticate header field containing at least one challenge 4483 applicable to the requested resource. 4485 A 407 (Proxy Authentication Required) response message is used by a 4486 proxy to challenge the authorization of a client, including a Proxy- 4487 Authenticate header field containing at least one challenge 4488 applicable to the proxy for the requested resource. 4490 challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ] 4492 Note: Many clients fail to parse a challenge that contains an 4493 unknown scheme. A workaround for this problem is to list well- 4494 supported schemes (such as "basic") first. 4496 A user agent that wishes to authenticate itself with an origin server 4497 -- usually, but not necessarily, after receiving a 401 (Unauthorized) 4498 -- can do so by including an Authorization header field with the 4499 request. 4501 A client that wishes to authenticate itself with a proxy -- usually, 4502 but not necessarily, after receiving a 407 (Proxy Authentication 4503 Required) -- can do so by including a Proxy-Authorization header 4504 field with the request. 4506 Both the Authorization field value and the Proxy-Authorization field 4507 value contain the client's credentials for the realm of the resource 4508 being requested, based upon a challenge received in a response 4509 (possibly at some point in the past). When creating their values, 4510 the user agent ought to do so by selecting the challenge with what it 4511 considers to be the most secure auth-scheme that it understands, 4512 obtaining credentials from the user as appropriate. Transmission of 4513 credentials within header field values implies significant security 4514 considerations regarding the confidentiality of the underlying 4515 connection, as described in Section 12.14.1. 4517 credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ] 4519 Upon receipt of a request for a protected resource that omits 4520 credentials, contains invalid credentials (e.g., a bad password) or 4521 partial credentials (e.g., when the authentication scheme requires 4522 more than one round trip), an origin server SHOULD send a 401 4523 (Unauthorized) response that contains a WWW-Authenticate header field 4524 with at least one (possibly new) challenge applicable to the 4525 requested resource. 4527 Likewise, upon receipt of a request that omits proxy credentials or 4528 contains invalid or partial proxy credentials, a proxy that requires 4529 authentication SHOULD generate a 407 (Proxy Authentication Required) 4530 response that contains a Proxy-Authenticate header field with at 4531 least one (possibly new) challenge applicable to the proxy. 4533 A server that receives valid credentials that are not adequate to 4534 gain access ought to respond with the 403 (Forbidden) status code 4535 (Section 9.5.4). 4537 HTTP does not restrict applications to this simple challenge-response 4538 framework for access authentication. Additional mechanisms can be 4539 used, such as authentication at the transport level or via message 4540 encapsulation, and with additional header fields specifying 4541 authentication information. However, such additional mechanisms are 4542 not defined by this specification. 4544 8.5.2. Protection Space (Realm) 4546 The "realm" authentication parameter is reserved for use by 4547 authentication schemes that wish to indicate a scope of protection. 4549 A protection space is defined by the canonical root URI (the scheme 4550 and authority components of the effective request URI; see 4551 Section 5.3) of the server being accessed, in combination with the 4552 realm value if present. These realms allow the protected resources 4553 on a server to be partitioned into a set of protection spaces, each 4554 with its own authentication scheme and/or authorization database. 4555 The realm value is a string, generally assigned by the origin server, 4556 that can have additional semantics specific to the authentication 4557 scheme. Note that a response can have multiple challenges with the 4558 same auth-scheme but with different realms. 4560 The protection space determines the domain over which credentials can 4561 be automatically applied. If a prior request has been authorized, 4562 the user agent MAY reuse the same credentials for all other requests 4563 within that protection space for a period of time determined by the 4564 authentication scheme, parameters, and/or user preferences (such as a 4565 configurable inactivity timeout). Unless specifically allowed by the 4566 authentication scheme, a single protection space cannot extend 4567 outside the scope of its server. 4569 For historical reasons, a sender MUST only generate the quoted-string 4570 syntax. Recipients might have to support both token and quoted- 4571 string syntax for maximum interoperability with existing clients that 4572 have been accepting both notations for a long time. 4574 8.5.3. Authorization 4576 The "Authorization" header field allows a user agent to authenticate 4577 itself with an origin server -- usually, but not necessarily, after 4578 receiving a 401 (Unauthorized) response. Its value consists of 4579 credentials containing the authentication information of the user 4580 agent for the realm of the resource being requested. 4582 Authorization = credentials 4584 If a request is authenticated and a realm specified, the same 4585 credentials are presumed to be valid for all other requests within 4586 this realm (assuming that the authentication scheme itself does not 4587 require otherwise, such as credentials that vary according to a 4588 challenge value or using synchronized clocks). 4590 A proxy forwarding a request MUST NOT modify any Authorization fields 4591 in that request. See Section 3.2 of [Caching] for details of and 4592 requirements pertaining to handling of the Authorization field by 4593 HTTP caches. 4595 8.5.4. Proxy-Authorization 4597 The "Proxy-Authorization" header field allows the client to identify 4598 itself (or its user) to a proxy that requires authentication. Its 4599 value consists of credentials containing the authentication 4600 information of the client for the proxy and/or realm of the resource 4601 being requested. 4603 Proxy-Authorization = credentials 4605 Unlike Authorization, the Proxy-Authorization header field applies 4606 only to the next inbound proxy that demanded authentication using the 4607 Proxy-Authenticate field. When multiple proxies are used in a chain, 4608 the Proxy-Authorization header field is consumed by the first inbound 4609 proxy that was expecting to receive credentials. A proxy MAY relay 4610 the credentials from the client request to the next proxy if that is 4611 the mechanism by which the proxies cooperatively authenticate a given 4612 request. 4614 8.5.5. Authentication Scheme Extensibility 4616 Aside from the general framework, this document does not specify any 4617 authentication schemes. New and existing authentication schemes are 4618 specified independently and ought to be registered within the 4619 "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry". 4620 For example, the "basic" and "digest" authentication schemes are 4621 defined by RFC 7617 and RFC 7616, respectively. 4623 8.5.5.1. Authentication Scheme Registry 4625 The "Hypertext Transfer Protocol (HTTP) Authentication Scheme 4626 Registry" defines the namespace for the authentication schemes in 4627 challenges and credentials. It is maintained at 4628 . 4630 Registrations MUST include the following fields: 4632 o Authentication Scheme Name 4634 o Pointer to specification text 4636 o Notes (optional) 4638 Values to be added to this namespace require IETF Review (see 4639 [RFC8126], Section 4.8). 4641 8.5.5.2. Considerations for New Authentication Schemes 4643 There are certain aspects of the HTTP Authentication framework that 4644 put constraints on how new authentication schemes can work: 4646 o HTTP authentication is presumed to be stateless: all of the 4647 information necessary to authenticate a request MUST be provided 4648 in the request, rather than be dependent on the server remembering 4649 prior requests. Authentication based on, or bound to, the 4650 underlying connection is outside the scope of this specification 4651 and inherently flawed unless steps are taken to ensure that the 4652 connection cannot be used by any party other than the 4653 authenticated user (see Section 2.2). 4655 o The authentication parameter "realm" is reserved for defining 4656 protection spaces as described in Section 8.5.2. New schemes MUST 4657 NOT use it in a way incompatible with that definition. 4659 o The "token68" notation was introduced for compatibility with 4660 existing authentication schemes and can only be used once per 4661 challenge or credential. Thus, new schemes ought to use the auth- 4662 param syntax instead, because otherwise future extensions will be 4663 impossible. 4665 o The parsing of challenges and credentials is defined by this 4666 specification and cannot be modified by new authentication 4667 schemes. When the auth-param syntax is used, all parameters ought 4668 to support both token and quoted-string syntax, and syntactical 4669 constraints ought to be defined on the field value after parsing 4670 (i.e., quoted-string processing). This is necessary so that 4671 recipients can use a generic parser that applies to all 4672 authentication schemes. 4674 Note: The fact that the value syntax for the "realm" parameter is 4675 restricted to quoted-string was a bad design choice not to be 4676 repeated for new parameters. 4678 o Definitions of new schemes ought to define the treatment of 4679 unknown extension parameters. In general, a "must-ignore" rule is 4680 preferable to a "must-understand" rule, because otherwise it will 4681 be hard to introduce new parameters in the presence of legacy 4682 recipients. Furthermore, it's good to describe the policy for 4683 defining new parameters (such as "update the specification" or 4684 "use this registry"). 4686 o Authentication schemes need to document whether they are usable in 4687 origin-server authentication (i.e., using WWW-Authenticate), and/ 4688 or proxy authentication (i.e., using Proxy-Authenticate). 4690 o The credentials carried in an Authorization header field are 4691 specific to the user agent and, therefore, have the same effect on 4692 HTTP caches as the "private" Cache-Control response directive 4693 (Section 5.2.2.6 of [Caching]), within the scope of the request in 4694 which they appear. 4696 Therefore, new authentication schemes that choose not to carry 4697 credentials in the Authorization header field (e.g., using a newly 4698 defined header field) will need to explicitly disallow caching, by 4699 mandating the use of either Cache-Control request directives 4700 (e.g., "no-store", Section 5.2.1.5 of [Caching]) or response 4701 directives (e.g., "private"). 4703 8.6. Request Context 4705 The following request header fields provide additional information 4706 about the request context, including information about the user, user 4707 agent, and resource behind the request. 4709 +-------------------+---------------+ 4710 | Header Field Name | Defined in... | 4711 +-------------------+---------------+ 4712 | From | Section 8.6.1 | 4713 | Referer | Section 8.6.2 | 4714 | User-Agent | Section 8.6.3 | 4715 +-------------------+---------------+ 4717 8.6.1. From 4719 The "From" header field contains an Internet email address for a 4720 human user who controls the requesting user agent. The address ought 4721 to be machine-usable, as defined by "mailbox" in Section 3.4 of 4722 [RFC5322]: 4724 From = mailbox 4726 mailbox = 4728 An example is: 4730 From: webmaster@example.org 4732 The From header field is rarely sent by non-robotic user agents. A 4733 user agent SHOULD NOT send a From header field without explicit 4734 configuration by the user, since that might conflict with the user's 4735 privacy interests or their site's security policy. 4737 A robotic user agent SHOULD send a valid From header field so that 4738 the person responsible for running the robot can be contacted if 4739 problems occur on servers, such as if the robot is sending excessive, 4740 unwanted, or invalid requests. 4742 A server SHOULD NOT use the From header field for access control or 4743 authentication, since most recipients will assume that the field 4744 value is public information. 4746 8.6.2. Referer 4748 The "Referer" [sic] header field allows the user agent to specify a 4749 URI reference for the resource from which the target URI was obtained 4750 (i.e., the "referrer", though the field name is misspelled). A user 4751 agent MUST NOT include the fragment and userinfo components of the 4752 URI reference [RFC3986], if any, when generating the Referer field 4753 value. 4755 Referer = absolute-URI / partial-URI 4757 The Referer header field allows servers to generate back-links to 4758 other resources for simple analytics, logging, optimized caching, 4759 etc. It also allows obsolete or mistyped links to be found for 4760 maintenance. Some servers use the Referer header field as a means of 4761 denying links from other sites (so-called "deep linking") or 4762 restricting cross-site request forgery (CSRF), but not all requests 4763 contain it. 4765 Example: 4767 Referer: http://www.example.org/hypertext/Overview.html 4769 If the target URI was obtained from a source that does not have its 4770 own URI (e.g., input from the user keyboard, or an entry within the 4771 user's bookmarks/favorites), the user agent MUST either exclude the 4772 Referer field or send it with a value of "about:blank". 4774 The Referer field has the potential to reveal information about the 4775 request context or browsing history of the user, which is a privacy 4776 concern if the referring resource's identifier reveals personal 4777 information (such as an account name) or a resource that is supposed 4778 to be confidential (such as behind a firewall or internal to a 4779 secured service). Most general-purpose user agents do not send the 4780 Referer header field when the referring resource is a local "file" or 4781 "data" URI. A user agent MUST NOT send a Referer header field in an 4782 unsecured HTTP request if the referring page was received with a 4783 secure protocol. See Section 12.8 for additional security 4784 considerations. 4786 Some intermediaries have been known to indiscriminately remove 4787 Referer header fields from outgoing requests. This has the 4788 unfortunate side effect of interfering with protection against CSRF 4789 attacks, which can be far more harmful to their users. 4790 Intermediaries and user agent extensions that wish to limit 4791 information disclosure in Referer ought to restrict their changes to 4792 specific edits, such as replacing internal domain names with 4793 pseudonyms or truncating the query and/or path components. An 4794 intermediary SHOULD NOT modify or delete the Referer header field 4795 when the field value shares the same scheme and host as the request 4796 target. 4798 8.6.3. User-Agent 4800 The "User-Agent" header field contains information about the user 4801 agent originating the request, which is often used by servers to help 4802 identify the scope of reported interoperability problems, to work 4803 around or tailor responses to avoid particular user agent 4804 limitations, and for analytics regarding browser or operating system 4805 use. A user agent SHOULD send a User-Agent field in each request 4806 unless specifically configured not to do so. 4808 User-Agent = product *( RWS ( product / comment ) ) 4810 The User-Agent field-value consists of one or more product 4811 identifiers, each followed by zero or more comments (Section 5 of 4812 [Messaging]), which together identify the user agent software and its 4813 significant subproducts. By convention, the product identifiers are 4814 listed in decreasing order of their significance for identifying the 4815 user agent software. Each product identifier consists of a name and 4816 optional version. 4818 product = token ["/" product-version] 4819 product-version = token 4821 A sender SHOULD limit generated product identifiers to what is 4822 necessary to identify the product; a sender MUST NOT generate 4823 advertising or other nonessential information within the product 4824 identifier. A sender SHOULD NOT generate information in product- 4825 version that is not a version identifier (i.e., successive versions 4826 of the same product name ought to differ only in the product-version 4827 portion of the product identifier). 4829 Example: 4831 User-Agent: CERN-LineMode/2.15 libwww/2.17b3 4833 A user agent SHOULD NOT generate a User-Agent field containing 4834 needlessly fine-grained detail and SHOULD limit the addition of 4835 subproducts by third parties. Overly long and detailed User-Agent 4836 field values increase request latency and the risk of a user being 4837 identified against their wishes ("fingerprinting"). 4839 Likewise, implementations are encouraged not to use the product 4840 tokens of other implementations in order to declare compatibility 4841 with them, as this circumvents the purpose of the field. If a user 4842 agent masquerades as a different user agent, recipients can assume 4843 that the user intentionally desires to see responses tailored for 4844 that identified user agent, even if they might not work as well for 4845 the actual user agent being used. 4847 9. Response Status Codes 4849 The (response) status code is a three-digit integer code giving the 4850 result of the attempt to understand and satisfy the request. 4852 HTTP status codes are extensible. HTTP clients are not required to 4853 understand the meaning of all registered status codes, though such 4854 understanding is obviously desirable. However, a client MUST 4855 understand the class of any status code, as indicated by the first 4856 digit, and treat an unrecognized status code as being equivalent to 4857 the x00 status code of that class, with the exception that a 4858 recipient MUST NOT cache a response with an unrecognized status code. 4860 For example, if an unrecognized status code of 471 is received by a 4861 client, the client can assume that there was something wrong with its 4862 request and treat the response as if it had received a 400 (Bad 4863 Request) status code. The response message will usually contain a 4864 representation that explains the status. 4866 The first digit of the status code defines the class of response. 4867 The last two digits do not have any categorization role. There are 4868 five values for the first digit: 4870 o 1xx (Informational): The request was received, continuing process 4872 o 2xx (Successful): The request was successfully received, 4873 understood, and accepted 4875 o 3xx (Redirection): Further action needs to be taken in order to 4876 complete the request 4878 o 4xx (Client Error): The request contains bad syntax or cannot be 4879 fulfilled 4881 o 5xx (Server Error): The server failed to fulfill an apparently 4882 valid request 4884 9.1. Overview of Status Codes 4886 The status codes listed below are defined in this specification. The 4887 reason phrases listed here are only recommendations -- they can be 4888 replaced by local equivalents without affecting the protocol. 4890 Responses with status codes that are defined as cacheable by default 4891 (e.g., 200, 203, 204, 206, 300, 301, 404, 405, 410, 414, and 501 in 4892 this specification) can be reused by a cache with heuristic 4893 expiration unless otherwise indicated by the method definition or 4894 explicit cache controls [Caching]; all other status codes are not 4895 cacheable by default. 4897 +-------+-------------------------------+-----------------+ 4898 | Value | Description | Reference | 4899 +-------+-------------------------------+-----------------+ 4900 | 100 | Continue | Section 9.2.1 | 4901 | 101 | Switching Protocols | Section 9.2.2 | 4902 | 200 | OK | Section 9.3.1 | 4903 | 201 | Created | Section 9.3.2 | 4904 | 202 | Accepted | Section 9.3.3 | 4905 | 203 | Non-Authoritative Information | Section 9.3.4 | 4906 | 204 | No Content | Section 9.3.5 | 4907 | 205 | Reset Content | Section 9.3.6 | 4908 | 206 | Partial Content | Section 9.3.7 | 4909 | 300 | Multiple Choices | Section 9.4.1 | 4910 | 301 | Moved Permanently | Section 9.4.2 | 4911 | 302 | Found | Section 9.4.3 | 4912 | 303 | See Other | Section 9.4.4 | 4913 | 304 | Not Modified | Section 9.4.5 | 4914 | 305 | Use Proxy | Section 9.4.6 | 4915 | 306 | (Unused) | Section 9.4.7 | 4916 | 307 | Temporary Redirect | Section 9.4.8 | 4917 | 400 | Bad Request | Section 9.5.1 | 4918 | 401 | Unauthorized | Section 9.5.2 | 4919 | 402 | Payment Required | Section 9.5.3 | 4920 | 403 | Forbidden | Section 9.5.4 | 4921 | 404 | Not Found | Section 9.5.5 | 4922 | 405 | Method Not Allowed | Section 9.5.6 | 4923 | 406 | Not Acceptable | Section 9.5.7 | 4924 | 407 | Proxy Authentication Required | Section 9.5.8 | 4925 | 408 | Request Timeout | Section 9.5.9 | 4926 | 409 | Conflict | Section 9.5.10 | 4927 | 410 | Gone | Section 9.5.11 | 4928 | 411 | Length Required | Section 9.5.12 | 4929 | 412 | Precondition Failed | Section 9.5.13 | 4930 | 413 | Payload Too Large | Section 9.5.14 | 4931 | 414 | URI Too Long | Section 9.5.15 | 4932 | 415 | Unsupported Media Type | Section 9.5.16 | 4933 | 416 | Range Not Satisfiable | Section 9.5.17 | 4934 | 417 | Expectation Failed | Section 9.5.18 | 4935 | 426 | Upgrade Required | Section 9.5.19 | 4936 | 500 | Internal Server Error | Section 9.6.1 | 4937 | 501 | Not Implemented | Section 9.6.2 | 4938 | 502 | Bad Gateway | Section 9.6.3 | 4939 | 503 | Service Unavailable | Section 9.6.4 | 4940 | 504 | Gateway Timeout | Section 9.6.5 | 4941 | 505 | HTTP Version Not Supported | Section 9.6.6 | 4942 +-------+-------------------------------+-----------------+ 4943 Note that this list is not exhaustive -- it does not include 4944 extension status codes defined in other specifications (Section 9.7). 4946 9.2. Informational 1xx 4948 The 1xx (Informational) class of status code indicates an interim 4949 response for communicating connection status or request progress 4950 prior to completing the requested action and sending a final 4951 response. 1xx responses are terminated by the first empty line after 4952 the status-line (the empty line signaling the end of the header 4953 section). Since HTTP/1.0 did not define any 1xx status codes, a 4954 server MUST NOT send a 1xx response to an HTTP/1.0 client. 4956 A client MUST be able to parse one or more 1xx responses received 4957 prior to a final response, even if the client does not expect one. A 4958 user agent MAY ignore unexpected 1xx responses. 4960 A proxy MUST forward 1xx responses unless the proxy itself requested 4961 the generation of the 1xx response. For example, if a proxy adds an 4962 "Expect: 100-continue" field when it forwards a request, then it need 4963 not forward the corresponding 100 (Continue) response(s). 4965 9.2.1. 100 Continue 4967 The 100 (Continue) status code indicates that the initial part of a 4968 request has been received and has not yet been rejected by the 4969 server. The server intends to send a final response after the 4970 request has been fully received and acted upon. 4972 When the request contains an Expect header field that includes a 4973 100-continue expectation, the 100 response indicates that the server 4974 wishes to receive the request payload body, as described in 4975 Section 8.1.1. The client ought to continue sending the request and 4976 discard the 100 response. 4978 If the request did not contain an Expect header field containing the 4979 100-continue expectation, the client can simply discard this interim 4980 response. 4982 9.2.2. 101 Switching Protocols 4984 The 101 (Switching Protocols) status code indicates that the server 4985 understands and is willing to comply with the client's request, via 4986 the Upgrade header field (Section 9.7 of [Messaging]), for a change 4987 in the application protocol being used on this connection. The 4988 server MUST generate an Upgrade header field in the response that 4989 indicates which protocol(s) will be switched to immediately after the 4990 empty line that terminates the 101 response. 4992 It is assumed that the server will only agree to switch protocols 4993 when it is advantageous to do so. For example, switching to a newer 4994 version of HTTP might be advantageous over older versions, and 4995 switching to a real-time, synchronous protocol might be advantageous 4996 when delivering resources that use such features. 4998 9.3. Successful 2xx 5000 The 2xx (Successful) class of status code indicates that the client's 5001 request was successfully received, understood, and accepted. 5003 9.3.1. 200 OK 5005 The 200 (OK) status code indicates that the request has succeeded. 5006 The payload sent in a 200 response depends on the request method. 5007 For the methods defined by this specification, the intended meaning 5008 of the payload can be summarized as: 5010 GET a representation of the target resource; 5012 HEAD the same representation as GET, but without the representation 5013 data; 5015 POST a representation of the status of, or results obtained from, 5016 the action; 5018 PUT, DELETE a representation of the status of the action; 5020 OPTIONS a representation of the communications options; 5022 TRACE a representation of the request message as received by the end 5023 server. 5025 Aside from responses to CONNECT, a 200 response always has a payload, 5026 though an origin server MAY generate a payload body of zero length. 5027 If no payload is desired, an origin server ought to send 204 (No 5028 Content) instead. For CONNECT, no payload is allowed because the 5029 successful result is a tunnel, which begins immediately after the 200 5030 response header section. 5032 A 200 response is cacheable by default; i.e., unless otherwise 5033 indicated by the method definition or explicit cache controls (see 5034 Section 4.2.2 of [Caching]). 5036 9.3.2. 201 Created 5038 The 201 (Created) status code indicates that the request has been 5039 fulfilled and has resulted in one or more new resources being 5040 created. The primary resource created by the request is identified 5041 by either a Location header field in the response or, if no Location 5042 field is received, by the effective request URI. 5044 The 201 response payload typically describes and links to the 5045 resource(s) created. See Section 10.2 for a discussion of the 5046 meaning and purpose of validator header fields, such as ETag and 5047 Last-Modified, in a 201 response. 5049 9.3.3. 202 Accepted 5051 The 202 (Accepted) status code indicates that the request has been 5052 accepted for processing, but the processing has not been completed. 5053 The request might or might not eventually be acted upon, as it might 5054 be disallowed when processing actually takes place. There is no 5055 facility in HTTP for re-sending a status code from an asynchronous 5056 operation. 5058 The 202 response is intentionally noncommittal. Its purpose is to 5059 allow a server to accept a request for some other process (perhaps a 5060 batch-oriented process that is only run once per day) without 5061 requiring that the user agent's connection to the server persist 5062 until the process is completed. The representation sent with this 5063 response ought to describe the request's current status and point to 5064 (or embed) a status monitor that can provide the user with an 5065 estimate of when the request will be fulfilled. 5067 9.3.4. 203 Non-Authoritative Information 5069 The 203 (Non-Authoritative Information) status code indicates that 5070 the request was successful but the enclosed payload has been modified 5071 from that of the origin server's 200 (OK) response by a transforming 5072 proxy (Section 5.6.2). This status code allows the proxy to notify 5073 recipients when a transformation has been applied, since that 5074 knowledge might impact later decisions regarding the content. For 5075 example, future cache validation requests for the content might only 5076 be applicable along the same request path (through the same proxies). 5078 The 203 response is similar to the Warning code of 214 Transformation 5079 Applied (Section 5.5 of [Caching]), which has the advantage of being 5080 applicable to responses with any status code. 5082 A 203 response is cacheable by default; i.e., unless otherwise 5083 indicated by the method definition or explicit cache controls (see 5084 Section 4.2.2 of [Caching]). 5086 9.3.5. 204 No Content 5088 The 204 (No Content) status code indicates that the server has 5089 successfully fulfilled the request and that there is no additional 5090 content to send in the response payload body. Metadata in the 5091 response header fields refer to the target resource and its selected 5092 representation after the requested action was applied. 5094 For example, if a 204 status code is received in response to a PUT 5095 request and the response contains an ETag header field, then the PUT 5096 was successful and the ETag field-value contains the entity-tag for 5097 the new representation of that target resource. 5099 The 204 response allows a server to indicate that the action has been 5100 successfully applied to the target resource, while implying that the 5101 user agent does not need to traverse away from its current "document 5102 view" (if any). The server assumes that the user agent will provide 5103 some indication of the success to its user, in accord with its own 5104 interface, and apply any new or updated metadata in the response to 5105 its active representation. 5107 For example, a 204 status code is commonly used with document editing 5108 interfaces corresponding to a "save" action, such that the document 5109 being saved remains available to the user for editing. It is also 5110 frequently used with interfaces that expect automated data transfers 5111 to be prevalent, such as within distributed version control systems. 5113 A 204 response is terminated by the first empty line after the header 5114 fields because it cannot contain a message body. 5116 A 204 response is cacheable by default; i.e., unless otherwise 5117 indicated by the method definition or explicit cache controls (see 5118 Section 4.2.2 of [Caching]). 5120 9.3.6. 205 Reset Content 5122 The 205 (Reset Content) status code indicates that the server has 5123 fulfilled the request and desires that the user agent reset the 5124 "document view", which caused the request to be sent, to its original 5125 state as received from the origin server. 5127 This response is intended to support a common data entry use case 5128 where the user receives content that supports data entry (a form, 5129 notepad, canvas, etc.), enters or manipulates data in that space, 5130 causes the entered data to be submitted in a request, and then the 5131 data entry mechanism is reset for the next entry so that the user can 5132 easily initiate another input action. 5134 Since the 205 status code implies that no additional content will be 5135 provided, a server MUST NOT generate a payload in a 205 response. In 5136 other words, a server MUST do one of the following for a 205 5137 response: a) indicate a zero-length body for the response by 5138 including a Content-Length header field with a value of 0; b) 5139 indicate a zero-length payload for the response by including a 5140 Transfer-Encoding header field with a value of chunked and a message 5141 body consisting of a single chunk of zero-length; or, c) close the 5142 connection immediately after sending the blank line terminating the 5143 header section. 5145 9.3.7. 206 Partial Content 5147 The 206 (Partial Content) status code indicates that the server is 5148 successfully fulfilling a range request for the target resource by 5149 transferring one or more parts of the selected representation. 5151 When a 206 response is generated, the server MUST generate the 5152 following header fields, in addition to those required in the 5153 subsections below, if the field would have been sent in a 200 (OK) 5154 response to the same request: Date, Cache-Control, ETag, Expires, 5155 Content-Location, and Vary. 5157 If a 206 is generated in response to a request with an If-Range 5158 header field, the sender SHOULD NOT generate other representation 5159 header fields beyond those required, because the client is understood 5160 to already have a prior response containing those header fields. 5161 Otherwise, the sender MUST generate all of the representation header 5162 fields that would have been sent in a 200 (OK) response to the same 5163 request. 5165 A 206 response is cacheable by default; i.e., unless otherwise 5166 indicated by explicit cache controls (see Section 4.2.2 of 5167 [Caching]). 5169 9.3.7.1. Single Part 5171 If a single part is being transferred, the server generating the 206 5172 response MUST generate a Content-Range header field, describing what 5173 range of the selected representation is enclosed, and a payload 5174 consisting of the range. For example: 5176 HTTP/1.1 206 Partial Content 5177 Date: Wed, 15 Nov 1995 06:25:24 GMT 5178 Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT 5179 Content-Range: bytes 21010-47021/47022 5180 Content-Length: 26012 5181 Content-Type: image/gif 5183 ... 26012 bytes of partial image data ... 5185 9.3.7.2. Multiple Parts 5187 If multiple parts are being transferred, the server generating the 5188 206 response MUST generate a "multipart/byteranges" payload, as 5189 defined in Section 6.3.4, and a Content-Type header field containing 5190 the multipart/byteranges media type and its required boundary 5191 parameter. To avoid confusion with single-part responses, a server 5192 MUST NOT generate a Content-Range header field in the HTTP header 5193 section of a multiple part response (this field will be sent in each 5194 part instead). 5196 Within the header area of each body part in the multipart payload, 5197 the server MUST generate a Content-Range header field corresponding 5198 to the range being enclosed in that body part. If the selected 5199 representation would have had a Content-Type header field in a 200 5200 (OK) response, the server SHOULD generate that same Content-Type 5201 field in the header area of each body part. For example: 5203 HTTP/1.1 206 Partial Content 5204 Date: Wed, 15 Nov 1995 06:25:24 GMT 5205 Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT 5206 Content-Length: 1741 5207 Content-Type: multipart/byteranges; boundary=THIS_STRING_SEPARATES 5209 --THIS_STRING_SEPARATES 5210 Content-Type: application/pdf 5211 Content-Range: bytes 500-999/8000 5213 ...the first range... 5214 --THIS_STRING_SEPARATES 5215 Content-Type: application/pdf 5216 Content-Range: bytes 7000-7999/8000 5218 ...the second range 5219 --THIS_STRING_SEPARATES-- 5221 When multiple ranges are requested, a server MAY coalesce any of the 5222 ranges that overlap, or that are separated by a gap that is smaller 5223 than the overhead of sending multiple parts, regardless of the order 5224 in which the corresponding byte-range-spec appeared in the received 5225 Range header field. Since the typical overhead between parts of a 5226 multipart/byteranges payload is around 80 bytes, depending on the 5227 selected representation's media type and the chosen boundary 5228 parameter length, it can be less efficient to transfer many small 5229 disjoint parts than it is to transfer the entire selected 5230 representation. 5232 A server MUST NOT generate a multipart response to a request for a 5233 single range, since a client that does not request multiple parts 5234 might not support multipart responses. However, a server MAY 5235 generate a multipart/byteranges payload with only a single body part 5236 if multiple ranges were requested and only one range was found to be 5237 satisfiable or only one range remained after coalescing. A client 5238 that cannot process a multipart/byteranges response MUST NOT generate 5239 a request that asks for multiple ranges. 5241 When a multipart response payload is generated, the server SHOULD 5242 send the parts in the same order that the corresponding byte-range- 5243 spec appeared in the received Range header field, excluding those 5244 ranges that were deemed unsatisfiable or that were coalesced into 5245 other ranges. A client that receives a multipart response MUST 5246 inspect the Content-Range header field present in each body part in 5247 order to determine which range is contained in that body part; a 5248 client cannot rely on receiving the same ranges that it requested, 5249 nor the same order that it requested. 5251 9.3.7.3. Combining Parts 5253 A response might transfer only a subrange of a representation if the 5254 connection closed prematurely or if the request used one or more 5255 Range specifications. After several such transfers, a client might 5256 have received several ranges of the same representation. These 5257 ranges can only be safely combined if they all have in common the 5258 same strong validator (Section 10.2.1). 5260 A client that has received multiple partial responses to GET requests 5261 on a target resource MAY combine those responses into a larger 5262 continuous range if they share the same strong validator. 5264 If the most recent response is an incomplete 200 (OK) response, then 5265 the header fields of that response are used for any combined response 5266 and replace those of the matching stored responses. 5268 If the most recent response is a 206 (Partial Content) response and 5269 at least one of the matching stored responses is a 200 (OK), then the 5270 combined response header fields consist of the most recent 200 5271 response's header fields. If all of the matching stored responses 5272 are 206 responses, then the stored response with the most recent 5273 header fields is used as the source of header fields for the combined 5274 response, except that the client MUST use other header fields 5275 provided in the new response, aside from Content-Range, to replace 5276 all instances of the corresponding header fields in the stored 5277 response. 5279 The combined response message body consists of the union of partial 5280 content ranges in the new response and each of the selected 5281 responses. If the union consists of the entire range of the 5282 representation, then the client MUST process the combined response as 5283 if it were a complete 200 (OK) response, including a Content-Length 5284 header field that reflects the complete length. Otherwise, the 5285 client MUST process the set of continuous ranges as one of the 5286 following: an incomplete 200 (OK) response if the combined response 5287 is a prefix of the representation, a single 206 (Partial Content) 5288 response containing a multipart/byteranges body, or multiple 206 5289 (Partial Content) responses, each with one continuous range that is 5290 indicated by a Content-Range header field. 5292 9.4. Redirection 3xx 5294 The 3xx (Redirection) class of status code indicates that further 5295 action needs to be taken by the user agent in order to fulfill the 5296 request. If a Location header field (Section 10.1.2) is provided, 5297 the user agent MAY automatically redirect its request to the URI 5298 referenced by the Location field value, even if the specific status 5299 code is not understood. Automatic redirection needs to be done with 5300 care for methods not known to be safe, as defined in Section 7.2.1, 5301 since the user might not wish to redirect an unsafe request. 5303 There are several types of redirects: 5305 1. Redirects that indicate the resource might be available at a 5306 different URI, as provided by the Location field, as in the 5307 status codes 301 (Moved Permanently), 302 (Found), and 307 5308 (Temporary Redirect). 5310 2. Redirection that offers a choice of matching resources, each 5311 capable of representing the original request target, as in the 5312 300 (Multiple Choices) status code. 5314 3. Redirection to a different resource, identified by the Location 5315 field, that can represent an indirect response to the request, as 5316 in the 303 (See Other) status code. 5318 4. Redirection to a previously cached result, as in the 304 (Not 5319 Modified) status code. 5321 Note: In HTTP/1.0, the status codes 301 (Moved Permanently) and 5322 302 (Found) were defined for the first type of redirect 5323 ([RFC1945], Section 9.3). Early user agents split on whether the 5324 method applied to the redirect target would be the same as the 5325 original request or would be rewritten as GET. Although HTTP 5326 originally defined the former semantics for 301 and 302 (to match 5327 its original implementation at CERN), and defined 303 (See Other) 5328 to match the latter semantics, prevailing practice gradually 5329 converged on the latter semantics for 301 and 302 as well. The 5330 first revision of HTTP/1.1 added 307 (Temporary Redirect) to 5331 indicate the former semantics without being impacted by divergent 5332 practice. Over 10 years later, most user agents still do method 5333 rewriting for 301 and 302; therefore, this specification makes 5334 that behavior conformant when the original request is POST. 5336 A client SHOULD detect and intervene in cyclical redirections (i.e., 5337 "infinite" redirection loops). 5339 Note: An earlier version of this specification recommended a 5340 maximum of five redirections ([RFC2068], Section 10.3). Content 5341 developers need to be aware that some clients might implement such 5342 a fixed limitation. 5344 9.4.1. 300 Multiple Choices 5346 The 300 (Multiple Choices) status code indicates that the target 5347 resource has more than one representation, each with its own more 5348 specific identifier, and information about the alternatives is being 5349 provided so that the user (or user agent) can select a preferred 5350 representation by redirecting its request to one or more of those 5351 identifiers. In other words, the server desires that the user agent 5352 engage in reactive negotiation to select the most appropriate 5353 representation(s) for its needs (Section 6.4). 5355 If the server has a preferred choice, the server SHOULD generate a 5356 Location header field containing a preferred choice's URI reference. 5358 The user agent MAY use the Location field value for automatic 5359 redirection. 5361 For request methods other than HEAD, the server SHOULD generate a 5362 payload in the 300 response containing a list of representation 5363 metadata and URI reference(s) from which the user or user agent can 5364 choose the one most preferred. The user agent MAY make a selection 5365 from that list automatically if it understands the provided media 5366 type. A specific format for automatic selection is not defined by 5367 this specification because HTTP tries to remain orthogonal to the 5368 definition of its payloads. In practice, the representation is 5369 provided in some easily parsed format believed to be acceptable to 5370 the user agent, as determined by shared design or content 5371 negotiation, or in some commonly accepted hypertext format. 5373 A 300 response is cacheable by default; i.e., unless otherwise 5374 indicated by the method definition or explicit cache controls (see 5375 Section 4.2.2 of [Caching]). 5377 Note: The original proposal for the 300 status code defined the 5378 URI header field as providing a list of alternative 5379 representations, such that it would be usable for 200, 300, and 5380 406 responses and be transferred in responses to the HEAD method. 5381 However, lack of deployment and disagreement over syntax led to 5382 both URI and Alternates (a subsequent proposal) being dropped from 5383 this specification. It is possible to communicate the list using 5384 a set of Link header fields [RFC8288], each with a relationship of 5385 "alternate", though deployment is a chicken-and-egg problem. 5387 9.4.2. 301 Moved Permanently 5389 The 301 (Moved Permanently) status code indicates that the target 5390 resource has been assigned a new permanent URI and any future 5391 references to this resource ought to use one of the enclosed URIs. 5392 Clients with link-editing capabilities ought to automatically re-link 5393 references to the effective request URI to one or more of the new 5394 references sent by the server, where possible. 5396 The server SHOULD generate a Location header field in the response 5397 containing a preferred URI reference for the new permanent URI. The 5398 user agent MAY use the Location field value for automatic 5399 redirection. The server's response payload usually contains a short 5400 hypertext note with a hyperlink to the new URI(s). 5402 Note: For historical reasons, a user agent MAY change the request 5403 method from POST to GET for the subsequent request. If this 5404 behavior is undesired, the 307 (Temporary Redirect) status code 5405 can be used instead. 5407 A 301 response is cacheable by default; i.e., unless otherwise 5408 indicated by the method definition or explicit cache controls (see 5409 Section 4.2.2 of [Caching]). 5411 9.4.3. 302 Found 5413 The 302 (Found) status code indicates that the target resource 5414 resides temporarily under a different URI. Since the redirection 5415 might be altered on occasion, the client ought to continue to use the 5416 effective request URI for future requests. 5418 The server SHOULD generate a Location header field in the response 5419 containing a URI reference for the different URI. The user agent MAY 5420 use the Location field value for automatic redirection. The server's 5421 response payload usually contains a short hypertext note with a 5422 hyperlink to the different URI(s). 5424 Note: For historical reasons, a user agent MAY change the request 5425 method from POST to GET for the subsequent request. If this 5426 behavior is undesired, the 307 (Temporary Redirect) status code 5427 can be used instead. 5429 9.4.4. 303 See Other 5431 The 303 (See Other) status code indicates that the server is 5432 redirecting the user agent to a different resource, as indicated by a 5433 URI in the Location header field, which is intended to provide an 5434 indirect response to the original request. A user agent can perform 5435 a retrieval request targeting that URI (a GET or HEAD request if 5436 using HTTP), which might also be redirected, and present the eventual 5437 result as an answer to the original request. Note that the new URI 5438 in the Location header field is not considered equivalent to the 5439 effective request URI. 5441 This status code is applicable to any HTTP method. It is primarily 5442 used to allow the output of a POST action to redirect the user agent 5443 to a selected resource, since doing so provides the information 5444 corresponding to the POST response in a form that can be separately 5445 identified, bookmarked, and cached, independent of the original 5446 request. 5448 A 303 response to a GET request indicates that the origin server does 5449 not have a representation of the target resource that can be 5450 transferred by the server over HTTP. However, the Location field 5451 value refers to a resource that is descriptive of the target 5452 resource, such that making a retrieval request on that other resource 5453 might result in a representation that is useful to recipients without 5454 implying that it represents the original target resource. Note that 5455 answers to the questions of what can be represented, what 5456 representations are adequate, and what might be a useful description 5457 are outside the scope of HTTP. 5459 Except for responses to a HEAD request, the representation of a 303 5460 response ought to contain a short hypertext note with a hyperlink to 5461 the same URI reference provided in the Location header field. 5463 9.4.5. 304 Not Modified 5465 The 304 (Not Modified) status code indicates that a conditional GET 5466 or HEAD request has been received and would have resulted in a 200 5467 (OK) response if it were not for the fact that the condition 5468 evaluated to false. In other words, there is no need for the server 5469 to transfer a representation of the target resource because the 5470 request indicates that the client, which made the request 5471 conditional, already has a valid representation; the server is 5472 therefore redirecting the client to make use of that stored 5473 representation as if it were the payload of a 200 (OK) response. 5475 The server generating a 304 response MUST generate any of the 5476 following header fields that would have been sent in a 200 (OK) 5477 response to the same request: Cache-Control, Content-Location, Date, 5478 ETag, Expires, and Vary. 5480 Since the goal of a 304 response is to minimize information transfer 5481 when the recipient already has one or more cached representations, a 5482 sender SHOULD NOT generate representation metadata other than the 5483 above listed fields unless said metadata exists for the purpose of 5484 guiding cache updates (e.g., Last-Modified might be useful if the 5485 response does not have an ETag field). 5487 Requirements on a cache that receives a 304 response are defined in 5488 Section 4.3.4 of [Caching]. If the conditional request originated 5489 with an outbound client, such as a user agent with its own cache 5490 sending a conditional GET to a shared proxy, then the proxy SHOULD 5491 forward the 304 response to that client. 5493 A 304 response cannot contain a message-body; it is always terminated 5494 by the first empty line after the header fields. 5496 9.4.6. 305 Use Proxy 5498 The 305 (Use Proxy) status code was defined in a previous version of 5499 this specification and is now deprecated (Appendix B of [RFC7231]). 5501 9.4.7. 306 (Unused) 5503 The 306 status code was defined in a previous version of this 5504 specification, is no longer used, and the code is reserved. 5506 9.4.8. 307 Temporary Redirect 5508 The 307 (Temporary Redirect) status code indicates that the target 5509 resource resides temporarily under a different URI and the user agent 5510 MUST NOT change the request method if it performs an automatic 5511 redirection to that URI. Since the redirection can change over time, 5512 the client ought to continue using the original effective request URI 5513 for future requests. 5515 The server SHOULD generate a Location header field in the response 5516 containing a URI reference for the different URI. The user agent MAY 5517 use the Location field value for automatic redirection. The server's 5518 response payload usually contains a short hypertext note with a 5519 hyperlink to the different URI(s). 5521 Note: This status code is similar to 302 (Found), except that it 5522 does not allow changing the request method from POST to GET. This 5523 specification defines no equivalent counterpart for 301 (Moved 5524 Permanently) ([RFC7538], however, defines the status code 308 5525 (Permanent Redirect) for this purpose). 5527 9.5. Client Error 4xx 5529 The 4xx (Client Error) class of status code indicates that the client 5530 seems to have erred. Except when responding to a HEAD request, the 5531 server SHOULD send a representation containing an explanation of the 5532 error situation, and whether it is a temporary or permanent 5533 condition. These status codes are applicable to any request method. 5534 User agents SHOULD display any included representation to the user. 5536 9.5.1. 400 Bad Request 5538 The 400 (Bad Request) status code indicates that the server cannot or 5539 will not process the request due to something that is perceived to be 5540 a client error (e.g., malformed request syntax, invalid request 5541 message framing, or deceptive request routing). 5543 9.5.2. 401 Unauthorized 5545 The 401 (Unauthorized) status code indicates that the request has not 5546 been applied because it lacks valid authentication credentials for 5547 the target resource. The server generating a 401 response MUST send 5548 a WWW-Authenticate header field (Section 10.3.1) containing at least 5549 one challenge applicable to the target resource. 5551 If the request included authentication credentials, then the 401 5552 response indicates that authorization has been refused for those 5553 credentials. The user agent MAY repeat the request with a new or 5554 replaced Authorization header field (Section 8.5.3). If the 401 5555 response contains the same challenge as the prior response, and the 5556 user agent has already attempted authentication at least once, then 5557 the user agent SHOULD present the enclosed representation to the 5558 user, since it usually contains relevant diagnostic information. 5560 9.5.3. 402 Payment Required 5562 The 402 (Payment Required) status code is reserved for future use. 5564 9.5.4. 403 Forbidden 5566 The 403 (Forbidden) status code indicates that the server understood 5567 the request but refuses to authorize it. A server that wishes to 5568 make public why the request has been forbidden can describe that 5569 reason in the response payload (if any). 5571 If authentication credentials were provided in the request, the 5572 server considers them insufficient to grant access. The client 5573 SHOULD NOT automatically repeat the request with the same 5574 credentials. The client MAY repeat the request with new or different 5575 credentials. However, a request might be forbidden for reasons 5576 unrelated to the credentials. 5578 An origin server that wishes to "hide" the current existence of a 5579 forbidden target resource MAY instead respond with a status code of 5580 404 (Not Found). 5582 9.5.5. 404 Not Found 5584 The 404 (Not Found) status code indicates that the origin server did 5585 not find a current representation for the target resource or is not 5586 willing to disclose that one exists. A 404 status code does not 5587 indicate whether this lack of representation is temporary or 5588 permanent; the 410 (Gone) status code is preferred over 404 if the 5589 origin server knows, presumably through some configurable means, that 5590 the condition is likely to be permanent. 5592 A 404 response is cacheable by default; i.e., unless otherwise 5593 indicated by the method definition or explicit cache controls (see 5594 Section 4.2.2 of [Caching]). 5596 9.5.6. 405 Method Not Allowed 5598 The 405 (Method Not Allowed) status code indicates that the method 5599 received in the request-line is known by the origin server but not 5600 supported by the target resource. The origin server MUST generate an 5601 Allow header field in a 405 response containing a list of the target 5602 resource's currently supported methods. 5604 A 405 response is cacheable by default; i.e., unless otherwise 5605 indicated by the method definition or explicit cache controls (see 5606 Section 4.2.2 of [Caching]). 5608 9.5.7. 406 Not Acceptable 5610 The 406 (Not Acceptable) status code indicates that the target 5611 resource does not have a current representation that would be 5612 acceptable to the user agent, according to the proactive negotiation 5613 header fields received in the request (Section 8.4), and the server 5614 is unwilling to supply a default representation. 5616 The server SHOULD generate a payload containing a list of available 5617 representation characteristics and corresponding resource identifiers 5618 from which the user or user agent can choose the one most 5619 appropriate. A user agent MAY automatically select the most 5620 appropriate choice from that list. However, this specification does 5621 not define any standard for such automatic selection, as described in 5622 Section 9.4.1. 5624 9.5.8. 407 Proxy Authentication Required 5626 The 407 (Proxy Authentication Required) status code is similar to 401 5627 (Unauthorized), but it indicates that the client needs to 5628 authenticate itself in order to use a proxy. The proxy MUST send a 5629 Proxy-Authenticate header field (Section 10.3.2) containing a 5630 challenge applicable to that proxy for the target resource. The 5631 client MAY repeat the request with a new or replaced Proxy- 5632 Authorization header field (Section 8.5.4). 5634 9.5.9. 408 Request Timeout 5636 The 408 (Request Timeout) status code indicates that the server did 5637 not receive a complete request message within the time that it was 5638 prepared to wait. A server SHOULD send the "close" connection option 5639 (Section 9.1 of [Messaging]) in the response, since 408 implies that 5640 the server has decided to close the connection rather than continue 5641 waiting. If the client has an outstanding request in transit, the 5642 client MAY repeat that request on a new connection. 5644 9.5.10. 409 Conflict 5646 The 409 (Conflict) status code indicates that the request could not 5647 be completed due to a conflict with the current state of the target 5648 resource. This code is used in situations where the user might be 5649 able to resolve the conflict and resubmit the request. The server 5650 SHOULD generate a payload that includes enough information for a user 5651 to recognize the source of the conflict. 5653 Conflicts are most likely to occur in response to a PUT request. For 5654 example, if versioning were being used and the representation being 5655 PUT included changes to a resource that conflict with those made by 5656 an earlier (third-party) request, the origin server might use a 409 5657 response to indicate that it can't complete the request. In this 5658 case, the response representation would likely contain information 5659 useful for merging the differences based on the revision history. 5661 9.5.11. 410 Gone 5663 The 410 (Gone) status code indicates that access to the target 5664 resource is no longer available at the origin server and that this 5665 condition is likely to be permanent. If the origin server does not 5666 know, or has no facility to determine, whether or not the condition 5667 is permanent, the status code 404 (Not Found) ought to be used 5668 instead. 5670 The 410 response is primarily intended to assist the task of web 5671 maintenance by notifying the recipient that the resource is 5672 intentionally unavailable and that the server owners desire that 5673 remote links to that resource be removed. Such an event is common 5674 for limited-time, promotional services and for resources belonging to 5675 individuals no longer associated with the origin server's site. It 5676 is not necessary to mark all permanently unavailable resources as 5677 "gone" or to keep the mark for any length of time -- that is left to 5678 the discretion of the server owner. 5680 A 410 response is cacheable by default; i.e., unless otherwise 5681 indicated by the method definition or explicit cache controls (see 5682 Section 4.2.2 of [Caching]). 5684 9.5.12. 411 Length Required 5686 The 411 (Length Required) status code indicates that the server 5687 refuses to accept the request without a defined Content-Length 5688 (Section 6.2.4). The client MAY repeat the request if it adds a 5689 valid Content-Length header field containing the length of the 5690 message body in the request message. 5692 9.5.13. 412 Precondition Failed 5694 The 412 (Precondition Failed) status code indicates that one or more 5695 conditions given in the request header fields evaluated to false when 5696 tested on the server. This response status code allows the client to 5697 place preconditions on the current resource state (its current 5698 representations and metadata) and, thus, prevent the request method 5699 from being applied if the target resource is in an unexpected state. 5701 9.5.14. 413 Payload Too Large 5703 The 413 (Payload Too Large) status code indicates that the server is 5704 refusing to process a request because the request payload is larger 5705 than the server is willing or able to process. The server MAY close 5706 the connection to prevent the client from continuing the request. 5708 If the condition is temporary, the server SHOULD generate a Retry- 5709 After header field to indicate that it is temporary and after what 5710 time the client MAY try again. 5712 9.5.15. 414 URI Too Long 5714 The 414 (URI Too Long) status code indicates that the server is 5715 refusing to service the request because the request-target 5716 (Section 3.2 of [Messaging]) is longer than the server is willing to 5717 interpret. This rare condition is only likely to occur when a client 5718 has improperly converted a POST request to a GET request with long 5719 query information, when the client has descended into a "black hole" 5720 of redirection (e.g., a redirected URI prefix that points to a suffix 5721 of itself) or when the server is under attack by a client attempting 5722 to exploit potential security holes. 5724 A 414 response is cacheable by default; i.e., unless otherwise 5725 indicated by the method definition or explicit cache controls (see 5726 Section 4.2.2 of [Caching]). 5728 9.5.16. 415 Unsupported Media Type 5730 The 415 (Unsupported Media Type) status code indicates that the 5731 origin server is refusing to service the request because the payload 5732 is in a format not supported by this method on the target resource. 5733 The format problem might be due to the request's indicated Content- 5734 Type or Content-Encoding, or as a result of inspecting the data 5735 directly. 5737 9.5.17. 416 Range Not Satisfiable 5739 The 416 (Range Not Satisfiable) status code indicates that none of 5740 the ranges in the request's Range header field (Section 8.3) overlap 5741 the current extent of the selected representation or that the set of 5742 ranges requested has been rejected due to invalid ranges or an 5743 excessive request of small or overlapping ranges. 5745 For byte ranges, failing to overlap the current extent means that the 5746 first-byte-pos of all of the byte-range-spec values were greater than 5747 the current length of the selected representation. When this status 5748 code is generated in response to a byte-range request, the sender 5749 SHOULD generate a Content-Range header field specifying the current 5750 length of the selected representation (Section 6.3.3). 5752 For example: 5754 HTTP/1.1 416 Range Not Satisfiable 5755 Date: Fri, 20 Jan 2012 15:41:54 GMT 5756 Content-Range: bytes */47022 5758 Note: Because servers are free to ignore Range, many 5759 implementations will simply respond with the entire selected 5760 representation in a 200 (OK) response. That is partly because 5761 most clients are prepared to receive a 200 (OK) to complete the 5762 task (albeit less efficiently) and partly because clients might 5763 not stop making an invalid partial request until they have 5764 received a complete representation. Thus, clients cannot depend 5765 on receiving a 416 (Range Not Satisfiable) response even when it 5766 is most appropriate. 5768 9.5.18. 417 Expectation Failed 5770 The 417 (Expectation Failed) status code indicates that the 5771 expectation given in the request's Expect header field 5772 (Section 8.1.1) could not be met by at least one of the inbound 5773 servers. 5775 9.5.19. 426 Upgrade Required 5777 The 426 (Upgrade Required) status code indicates that the server 5778 refuses to perform the request using the current protocol but might 5779 be willing to do so after the client upgrades to a different 5780 protocol. The server MUST send an Upgrade header field in a 426 5781 response to indicate the required protocol(s) (Section 9.7 of 5782 [Messaging]). 5784 Example: 5786 HTTP/1.1 426 Upgrade Required 5787 Upgrade: HTTP/3.0 5788 Connection: Upgrade 5789 Content-Length: 53 5790 Content-Type: text/plain 5792 This service requires use of the HTTP/3.0 protocol. 5794 9.6. Server Error 5xx 5796 The 5xx (Server Error) class of status code indicates that the server 5797 is aware that it has erred or is incapable of performing the 5798 requested method. Except when responding to a HEAD request, the 5799 server SHOULD send a representation containing an explanation of the 5800 error situation, and whether it is a temporary or permanent 5801 condition. A user agent SHOULD display any included representation 5802 to the user. These response codes are applicable to any request 5803 method. 5805 9.6.1. 500 Internal Server Error 5807 The 500 (Internal Server Error) status code indicates that the server 5808 encountered an unexpected condition that prevented it from fulfilling 5809 the request. 5811 9.6.2. 501 Not Implemented 5813 The 501 (Not Implemented) status code indicates that the server does 5814 not support the functionality required to fulfill the request. This 5815 is the appropriate response when the server does not recognize the 5816 request method and is not capable of supporting it for any resource. 5818 A 501 response is cacheable by default; i.e., unless otherwise 5819 indicated by the method definition or explicit cache controls (see 5820 Section 4.2.2 of [Caching]). 5822 9.6.3. 502 Bad Gateway 5824 The 502 (Bad Gateway) status code indicates that the server, while 5825 acting as a gateway or proxy, received an invalid response from an 5826 inbound server it accessed while attempting to fulfill the request. 5828 9.6.4. 503 Service Unavailable 5830 The 503 (Service Unavailable) status code indicates that the server 5831 is currently unable to handle the request due to a temporary overload 5832 or scheduled maintenance, which will likely be alleviated after some 5833 delay. The server MAY send a Retry-After header field 5834 (Section 10.1.3) to suggest an appropriate amount of time for the 5835 client to wait before retrying the request. 5837 Note: The existence of the 503 status code does not imply that a 5838 server has to use it when becoming overloaded. Some servers might 5839 simply refuse the connection. 5841 9.6.5. 504 Gateway Timeout 5843 The 504 (Gateway Timeout) status code indicates that the server, 5844 while acting as a gateway or proxy, did not receive a timely response 5845 from an upstream server it needed to access in order to complete the 5846 request. 5848 9.6.6. 505 HTTP Version Not Supported 5850 The 505 (HTTP Version Not Supported) status code indicates that the 5851 server does not support, or refuses to support, the major version of 5852 HTTP that was used in the request message. The server is indicating 5853 that it is unable or unwilling to complete the request using the same 5854 major version as the client, as described in Section 3.5, other than 5855 with this error message. The server SHOULD generate a representation 5856 for the 505 response that describes why that version is not supported 5857 and what other protocols are supported by that server. 5859 9.7. Status Code Extensibility 5861 Additional status codes, outside the scope of this specification, 5862 have been specified for use in HTTP. All such status codes ought to 5863 be registered within the "Hypertext Transfer Protocol (HTTP) Status 5864 Code Registry". 5866 9.7.1. Status Code Registry 5868 The "Hypertext Transfer Protocol (HTTP) Status Code Registry", 5869 maintained by IANA at , registers status code numbers. 5872 A registration MUST include the following fields: 5874 o Status Code (3 digits) 5875 o Short Description 5877 o Pointer to specification text 5879 Values to be added to the HTTP status code namespace require IETF 5880 Review (see [RFC8126], Section 4.8). 5882 9.7.2. Considerations for New Status Codes 5884 When it is necessary to express semantics for a response that are not 5885 defined by current status codes, a new status code can be registered. 5886 Status codes are generic; they are potentially applicable to any 5887 resource, not just one particular media type, kind of resource, or 5888 application of HTTP. As such, it is preferred that new status codes 5889 be registered in a document that isn't specific to a single 5890 application. 5892 New status codes are required to fall under one of the categories 5893 defined in Section 9. To allow existing parsers to process the 5894 response message, new status codes cannot disallow a payload, 5895 although they can mandate a zero-length payload body. 5897 Proposals for new status codes that are not yet widely deployed ought 5898 to avoid allocating a specific number for the code until there is 5899 clear consensus that it will be registered; instead, early drafts can 5900 use a notation such as "4NN", or "3N0" .. "3N9", to indicate the 5901 class of the proposed status code(s) without consuming a number 5902 prematurely. 5904 The definition of a new status code ought to explain the request 5905 conditions that would cause a response containing that status code 5906 (e.g., combinations of request header fields and/or method(s)) along 5907 with any dependencies on response header fields (e.g., what fields 5908 are required, what fields can modify the semantics, and what header 5909 field semantics are further refined when used with the new status 5910 code). 5912 The definition of a new status code ought to specify whether or not 5913 it is cacheable. Note that all status codes can be cached if the 5914 response they occur in has explicit freshness information; however, 5915 status codes that are defined as being cacheable are allowed to be 5916 cached without explicit freshness information. Likewise, the 5917 definition of a status code can place constraints upon cache 5918 behavior. See [Caching] for more information. 5920 Finally, the definition of a new status code ought to indicate 5921 whether the payload has any implied association with an identified 5922 resource (Section 6.3.2). 5924 10. Response Header Fields 5926 The response header fields allow the server to pass additional 5927 information about the response beyond what is placed in the status- 5928 line. These header fields give information about the server, about 5929 further access to the target resource, or about related resources. 5931 Although each response header field has a defined meaning, in 5932 general, the precise semantics might be further refined by the 5933 semantics of the request method and/or response status code. 5935 10.1. Control Data 5937 Response header fields can supply control data that supplements the 5938 status code, directs caching, or instructs the client where to go 5939 next. 5941 +-------------------+--------------------------+ 5942 | Header Field Name | Defined in... | 5943 +-------------------+--------------------------+ 5944 | Age | Section 5.1 of [Caching] | 5945 | Cache-Control | Section 5.2 of [Caching] | 5946 | Expires | Section 5.3 of [Caching] | 5947 | Date | Section 10.1.1.2 | 5948 | Location | Section 10.1.2 | 5949 | Retry-After | Section 10.1.3 | 5950 | Vary | Section 10.1.4 | 5951 | Warning | Section 5.5 of [Caching] | 5952 +-------------------+--------------------------+ 5954 10.1.1. Origination Date 5956 10.1.1.1. Date/Time Formats 5958 Prior to 1995, there were three different formats commonly used by 5959 servers to communicate timestamps. For compatibility with old 5960 implementations, all three are defined here. The preferred format is 5961 a fixed-length and single-zone subset of the date and time 5962 specification used by the Internet Message Format [RFC5322]. 5964 HTTP-date = IMF-fixdate / obs-date 5966 An example of the preferred format is 5968 Sun, 06 Nov 1994 08:49:37 GMT ; IMF-fixdate 5970 Examples of the two obsolete formats are 5972 Sunday, 06-Nov-94 08:49:37 GMT ; obsolete RFC 850 format 5973 Sun Nov 6 08:49:37 1994 ; ANSI C's asctime() format 5975 A recipient that parses a timestamp value in an HTTP header field 5976 MUST accept all three HTTP-date formats. When a sender generates a 5977 header field that contains one or more timestamps defined as HTTP- 5978 date, the sender MUST generate those timestamps in the IMF-fixdate 5979 format. 5981 An HTTP-date value represents time as an instance of Coordinated 5982 Universal Time (UTC). The first two formats indicate UTC by the 5983 three-letter abbreviation for Greenwich Mean Time, "GMT", a 5984 predecessor of the UTC name; values in the asctime format are assumed 5985 to be in UTC. A sender that generates HTTP-date values from a local 5986 clock ought to use NTP ([RFC5905]) or some similar protocol to 5987 synchronize its clock to UTC. 5989 Preferred format: 5991 IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT 5992 ; fixed length/zone/capitalization subset of the format 5993 ; see Section 3.3 of [RFC5322] 5995 day-name = %x4D.6F.6E ; "Mon", case-sensitive 5996 / %x54.75.65 ; "Tue", case-sensitive 5997 / %x57.65.64 ; "Wed", case-sensitive 5998 / %x54.68.75 ; "Thu", case-sensitive 5999 / %x46.72.69 ; "Fri", case-sensitive 6000 / %x53.61.74 ; "Sat", case-sensitive 6001 / %x53.75.6E ; "Sun", case-sensitive 6003 date1 = day SP month SP year 6004 ; e.g., 02 Jun 1982 6006 day = 2DIGIT 6007 month = %x4A.61.6E ; "Jan", case-sensitive 6008 / %x46.65.62 ; "Feb", case-sensitive 6009 / %x4D.61.72 ; "Mar", case-sensitive 6010 / %x41.70.72 ; "Apr", case-sensitive 6011 / %x4D.61.79 ; "May", case-sensitive 6012 / %x4A.75.6E ; "Jun", case-sensitive 6013 / %x4A.75.6C ; "Jul", case-sensitive 6014 / %x41.75.67 ; "Aug", case-sensitive 6015 / %x53.65.70 ; "Sep", case-sensitive 6016 / %x4F.63.74 ; "Oct", case-sensitive 6017 / %x4E.6F.76 ; "Nov", case-sensitive 6018 / %x44.65.63 ; "Dec", case-sensitive 6019 year = 4DIGIT 6021 GMT = %x47.4D.54 ; "GMT", case-sensitive 6023 time-of-day = hour ":" minute ":" second 6024 ; 00:00:00 - 23:59:60 (leap second) 6026 hour = 2DIGIT 6027 minute = 2DIGIT 6028 second = 2DIGIT 6030 Obsolete formats: 6032 obs-date = rfc850-date / asctime-date 6033 rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT 6034 date2 = day "-" month "-" 2DIGIT 6035 ; e.g., 02-Jun-82 6037 day-name-l = %x4D.6F.6E.64.61.79 ; "Monday", case-sensitive 6038 / %x54.75.65.73.64.61.79 ; "Tuesday", case-sensitive 6039 / %x57.65.64.6E.65.73.64.61.79 ; "Wednesday", case-sensitive 6040 / %x54.68.75.72.73.64.61.79 ; "Thursday", case-sensitive 6041 / %x46.72.69.64.61.79 ; "Friday", case-sensitive 6042 / %x53.61.74.75.72.64.61.79 ; "Saturday", case-sensitive 6043 / %x53.75.6E.64.61.79 ; "Sunday", case-sensitive 6045 asctime-date = day-name SP date3 SP time-of-day SP year 6046 date3 = month SP ( 2DIGIT / ( SP 1DIGIT )) 6047 ; e.g., Jun 2 6049 HTTP-date is case sensitive. A sender MUST NOT generate additional 6050 whitespace in an HTTP-date beyond that specifically included as SP in 6051 the grammar. The semantics of day-name, day, month, year, and time- 6052 of-day are the same as those defined for the Internet Message Format 6053 constructs with the corresponding name ([RFC5322], Section 3.3). 6055 Recipients of a timestamp value in rfc850-date format, which uses a 6056 two-digit year, MUST interpret a timestamp that appears to be more 6057 than 50 years in the future as representing the most recent year in 6058 the past that had the same last two digits. 6060 Recipients of timestamp values are encouraged to be robust in parsing 6061 timestamps unless otherwise restricted by the field definition. For 6062 example, messages are occasionally forwarded over HTTP from a non- 6063 HTTP source that might generate any of the date and time 6064 specifications defined by the Internet Message Format. 6066 Note: HTTP requirements for the date/time stamp format apply only 6067 to their usage within the protocol stream. Implementations are 6068 not required to use these formats for user presentation, request 6069 logging, etc. 6071 10.1.1.2. Date 6073 The "Date" header field represents the date and time at which the 6074 message was originated, having the same semantics as the Origination 6075 Date Field (orig-date) defined in Section 3.6.1 of [RFC5322]. The 6076 field value is an HTTP-date, as defined in Section 10.1.1.1. 6078 Date = HTTP-date 6080 An example is 6081 Date: Tue, 15 Nov 1994 08:12:31 GMT 6083 When a Date header field is generated, the sender SHOULD generate its 6084 field value as the best available approximation of the date and time 6085 of message generation. In theory, the date ought to represent the 6086 moment just before the payload is generated. In practice, the date 6087 can be generated at any time during message origination. 6089 An origin server MUST NOT send a Date header field if it does not 6090 have a clock capable of providing a reasonable approximation of the 6091 current instance in Coordinated Universal Time. An origin server MAY 6092 send a Date header field if the response is in the 1xx 6093 (Informational) or 5xx (Server Error) class of status codes. An 6094 origin server MUST send a Date header field in all other cases. 6096 A recipient with a clock that receives a response message without a 6097 Date header field MUST record the time it was received and append a 6098 corresponding Date header field to the message's header section if it 6099 is cached or forwarded downstream. 6101 A user agent MAY send a Date header field in a request, though 6102 generally will not do so unless it is believed to convey useful 6103 information to the server. For example, custom applications of HTTP 6104 might convey a Date if the server is expected to adjust its 6105 interpretation of the user's request based on differences between the 6106 user agent and server clocks. 6108 10.1.2. Location 6110 The "Location" header field is used in some responses to refer to a 6111 specific resource in relation to the response. The type of 6112 relationship is defined by the combination of request method and 6113 status code semantics. 6115 Location = URI-reference 6117 The field value consists of a single URI-reference. When it has the 6118 form of a relative reference ([RFC3986], Section 4.2), the final 6119 value is computed by resolving it against the effective request URI 6120 ([RFC3986], Section 5). 6122 For 201 (Created) responses, the Location value refers to the primary 6123 resource created by the request. For 3xx (Redirection) responses, 6124 the Location value refers to the preferred target resource for 6125 automatically redirecting the request. 6127 If the Location value provided in a 3xx (Redirection) response does 6128 not have a fragment component, a user agent MUST process the 6129 redirection as if the value inherits the fragment component of the 6130 URI reference used to generate the request target (i.e., the 6131 redirection inherits the original reference's fragment, if any). 6133 For example, a GET request generated for the URI reference 6134 "http://www.example.org/~tim" might result in a 303 (See Other) 6135 response containing the header field: 6137 Location: /People.html#tim 6139 which suggests that the user agent redirect to 6140 "http://www.example.org/People.html#tim" 6142 Likewise, a GET request generated for the URI reference 6143 "http://www.example.org/index.html#larry" might result in a 301 6144 (Moved Permanently) response containing the header field: 6146 Location: http://www.example.net/index.html 6148 which suggests that the user agent redirect to 6149 "http://www.example.net/index.html#larry", preserving the original 6150 fragment identifier. 6152 There are circumstances in which a fragment identifier in a Location 6153 value would not be appropriate. For example, the Location header 6154 field in a 201 (Created) response is supposed to provide a URI that 6155 is specific to the created resource. 6157 Note: Some recipients attempt to recover from Location fields that 6158 are not valid URI references. This specification does not mandate 6159 or define such processing, but does allow it for the sake of 6160 robustness. 6162 Note: The Content-Location header field (Section 6.2.5) differs 6163 from Location in that the Content-Location refers to the most 6164 specific resource corresponding to the enclosed representation. 6165 It is therefore possible for a response to contain both the 6166 Location and Content-Location header fields. 6168 10.1.3. Retry-After 6170 Servers send the "Retry-After" header field to indicate how long the 6171 user agent ought to wait before making a follow-up request. When 6172 sent with a 503 (Service Unavailable) response, Retry-After indicates 6173 how long the service is expected to be unavailable to the client. 6174 When sent with any 3xx (Redirection) response, Retry-After indicates 6175 the minimum time that the user agent is asked to wait before issuing 6176 the redirected request. 6178 The value of this field can be either an HTTP-date or a number of 6179 seconds to delay after the response is received. 6181 Retry-After = HTTP-date / delay-seconds 6183 A delay-seconds value is a non-negative decimal integer, representing 6184 time in seconds. 6186 delay-seconds = 1*DIGIT 6188 Two examples of its use are 6190 Retry-After: Fri, 31 Dec 1999 23:59:59 GMT 6191 Retry-After: 120 6193 In the latter example, the delay is 2 minutes. 6195 10.1.4. Vary 6197 The "Vary" header field in a response describes what parts of a 6198 request message, aside from the method, Host header field, and 6199 request target, might influence the origin server's process for 6200 selecting and representing this response. The value consists of 6201 either a single asterisk ("*") or a list of header field names (case- 6202 insensitive). 6204 Vary = "*" / 1#field-name 6206 A Vary field value of "*" signals that anything about the request 6207 might play a role in selecting the response representation, possibly 6208 including elements outside the message syntax (e.g., the client's 6209 network address). A recipient will not be able to determine whether 6210 this response is appropriate for a later request without forwarding 6211 the request to the origin server. A proxy MUST NOT generate a Vary 6212 field with a "*" value. 6214 A Vary field value consisting of a comma-separated list of names 6215 indicates that the named request header fields, known as the 6216 selecting header fields, might have a role in selecting the 6217 representation. The potential selecting header fields are not 6218 limited to those defined by this specification. 6220 For example, a response that contains 6222 Vary: accept-encoding, accept-language 6224 indicates that the origin server might have used the request's 6225 Accept-Encoding and Accept-Language fields (or lack thereof) as 6226 determining factors while choosing the content for this response. 6228 An origin server might send Vary with a list of fields for two 6229 purposes: 6231 1. To inform cache recipients that they MUST NOT use this response 6232 to satisfy a later request unless the later request has the same 6233 values for the listed fields as the original request (Section 4.1 6234 of [Caching]). In other words, Vary expands the cache key 6235 required to match a new request to the stored cache entry. 6237 2. To inform user agent recipients that this response is subject to 6238 content negotiation (Section 8.4) and that a different 6239 representation might be sent in a subsequent request if 6240 additional parameters are provided in the listed header fields 6241 (proactive negotiation). 6243 An origin server SHOULD send a Vary header field when its algorithm 6244 for selecting a representation varies based on aspects of the request 6245 message other than the method and request target, unless the variance 6246 cannot be crossed or the origin server has been deliberately 6247 configured to prevent cache transparency. For example, there is no 6248 need to send the Authorization field name in Vary because reuse 6249 across users is constrained by the field definition (Section 8.5.3). 6250 Likewise, an origin server might use Cache-Control directives 6251 (Section 5.2 of [Caching]) to supplant Vary if it considers the 6252 variance less significant than the performance cost of Vary's impact 6253 on caching. 6255 10.2. Validators 6257 Validator header fields convey metadata about the selected 6258 representation (Section 6). In responses to safe requests, validator 6259 fields describe the selected representation chosen by the origin 6260 server while handling the response. Note that, depending on the 6261 status code semantics, the selected representation for a given 6262 response is not necessarily the same as the representation enclosed 6263 as response payload. 6265 In a successful response to a state-changing request, validator 6266 fields describe the new representation that has replaced the prior 6267 selected representation as a result of processing the request. 6269 For example, an ETag header field in a 201 (Created) response 6270 communicates the entity-tag of the newly created resource's 6271 representation, so that it can be used in later conditional requests 6272 to prevent the "lost update" problem Section 8.2. 6274 +-------------------+----------------+ 6275 | Header Field Name | Defined in... | 6276 +-------------------+----------------+ 6277 | ETag | Section 10.2.3 | 6278 | Last-Modified | Section 10.2.2 | 6279 +-------------------+----------------+ 6281 This specification defines two forms of metadata that are commonly 6282 used to observe resource state and test for preconditions: 6283 modification dates (Section 10.2.2) and opaque entity tags 6284 (Section 10.2.3). Additional metadata that reflects resource state 6285 has been defined by various extensions of HTTP, such as Web 6286 Distributed Authoring and Versioning (WebDAV, [RFC4918]), that are 6287 beyond the scope of this specification. A resource metadata value is 6288 referred to as a "validator" when it is used within a precondition. 6290 10.2.1. Weak versus Strong 6292 Validators come in two flavors: strong or weak. Weak validators are 6293 easy to generate but are far less useful for comparisons. Strong 6294 validators are ideal for comparisons but can be very difficult (and 6295 occasionally impossible) to generate efficiently. Rather than impose 6296 that all forms of resource adhere to the same strength of validator, 6297 HTTP exposes the type of validator in use and imposes restrictions on 6298 when weak validators can be used as preconditions. 6300 A "strong validator" is representation metadata that changes value 6301 whenever a change occurs to the representation data that would be 6302 observable in the payload body of a 200 (OK) response to GET. 6304 A strong validator might change for reasons other than a change to 6305 the representation data, such as when a semantically significant part 6306 of the representation metadata is changed (e.g., Content-Type), but 6307 it is in the best interests of the origin server to only change the 6308 value when it is necessary to invalidate the stored responses held by 6309 remote caches and authoring tools. 6311 Cache entries might persist for arbitrarily long periods, regardless 6312 of expiration times. Thus, a cache might attempt to validate an 6313 entry using a validator that it obtained in the distant past. A 6314 strong validator is unique across all versions of all representations 6315 associated with a particular resource over time. However, there is 6316 no implication of uniqueness across representations of different 6317 resources (i.e., the same strong validator might be in use for 6318 representations of multiple resources at the same time and does not 6319 imply that those representations are equivalent). 6321 There are a variety of strong validators used in practice. The best 6322 are based on strict revision control, wherein each change to a 6323 representation always results in a unique node name and revision 6324 identifier being assigned before the representation is made 6325 accessible to GET. A collision-resistant hash function applied to 6326 the representation data is also sufficient if the data is available 6327 prior to the response header fields being sent and the digest does 6328 not need to be recalculated every time a validation request is 6329 received. However, if a resource has distinct representations that 6330 differ only in their metadata, such as might occur with content 6331 negotiation over media types that happen to share the same data 6332 format, then the origin server needs to incorporate additional 6333 information in the validator to distinguish those representations. 6335 In contrast, a "weak validator" is representation metadata that might 6336 not change for every change to the representation data. This 6337 weakness might be due to limitations in how the value is calculated, 6338 such as clock resolution, an inability to ensure uniqueness for all 6339 possible representations of the resource, or a desire of the resource 6340 owner to group representations by some self-determined set of 6341 equivalency rather than unique sequences of data. An origin server 6342 SHOULD change a weak entity-tag whenever it considers prior 6343 representations to be unacceptable as a substitute for the current 6344 representation. In other words, a weak entity-tag ought to change 6345 whenever the origin server wants caches to invalidate old responses. 6347 For example, the representation of a weather report that changes in 6348 content every second, based on dynamic measurements, might be grouped 6349 into sets of equivalent representations (from the origin server's 6350 perspective) with the same weak validator in order to allow cached 6351 representations to be valid for a reasonable period of time (perhaps 6352 adjusted dynamically based on server load or weather quality). 6353 Likewise, a representation's modification time, if defined with only 6354 one-second resolution, might be a weak validator if it is possible 6355 for the representation to be modified twice during a single second 6356 and retrieved between those modifications. 6358 Likewise, a validator is weak if it is shared by two or more 6359 representations of a given resource at the same time, unless those 6360 representations have identical representation data. For example, if 6361 the origin server sends the same validator for a representation with 6362 a gzip content coding applied as it does for a representation with no 6363 content coding, then that validator is weak. However, two 6364 simultaneous representations might share the same strong validator if 6365 they differ only in the representation metadata, such as when two 6366 different media types are available for the same representation data. 6368 Strong validators are usable for all conditional requests, including 6369 cache validation, partial content ranges, and "lost update" 6370 avoidance. Weak validators are only usable when the client does not 6371 require exact equality with previously obtained representation data, 6372 such as when validating a cache entry or limiting a web traversal to 6373 recent changes. 6375 10.2.2. Last-Modified 6377 The "Last-Modified" header field in a response provides a timestamp 6378 indicating the date and time at which the origin server believes the 6379 selected representation was last modified, as determined at the 6380 conclusion of handling the request. 6382 Last-Modified = HTTP-date 6384 An example of its use is 6386 Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT 6388 10.2.2.1. Generation 6390 An origin server SHOULD send Last-Modified for any selected 6391 representation for which a last modification date can be reasonably 6392 and consistently determined, since its use in conditional requests 6393 and evaluating cache freshness ([Caching]) results in a substantial 6394 reduction of HTTP traffic on the Internet and can be a significant 6395 factor in improving service scalability and reliability. 6397 A representation is typically the sum of many parts behind the 6398 resource interface. The last-modified time would usually be the most 6399 recent time that any of those parts were changed. How that value is 6400 determined for any given resource is an implementation detail beyond 6401 the scope of this specification. What matters to HTTP is how 6402 recipients of the Last-Modified header field can use its value to 6403 make conditional requests and test the validity of locally cached 6404 responses. 6406 An origin server SHOULD obtain the Last-Modified value of the 6407 representation as close as possible to the time that it generates the 6408 Date field value for its response. This allows a recipient to make 6409 an accurate assessment of the representation's modification time, 6410 especially if the representation changes near the time that the 6411 response is generated. 6413 An origin server with a clock MUST NOT send a Last-Modified date that 6414 is later than the server's time of message origination (Date). If 6415 the last modification time is derived from implementation-specific 6416 metadata that evaluates to some time in the future, according to the 6417 origin server's clock, then the origin server MUST replace that value 6418 with the message origination date. This prevents a future 6419 modification date from having an adverse impact on cache validation. 6421 An origin server without a clock MUST NOT assign Last-Modified values 6422 to a response unless these values were associated with the resource 6423 by some other system or user with a reliable clock. 6425 10.2.2.2. Comparison 6427 A Last-Modified time, when used as a validator in a request, is 6428 implicitly weak unless it is possible to deduce that it is strong, 6429 using the following rules: 6431 o The validator is being compared by an origin server to the actual 6432 current validator for the representation and, 6434 o That origin server reliably knows that the associated 6435 representation did not change twice during the second covered by 6436 the presented validator. 6438 or 6440 o The validator is about to be used by a client in an If-Modified- 6441 Since, If-Unmodified-Since, or If-Range header field, because the 6442 client has a cache entry for the associated representation, and 6444 o That cache entry includes a Date value, which gives the time when 6445 the origin server sent the original response, and 6447 o The presented Last-Modified time is at least 60 seconds before the 6448 Date value. 6450 or 6452 o The validator is being compared by an intermediate cache to the 6453 validator stored in its cache entry for the representation, and 6455 o That cache entry includes a Date value, which gives the time when 6456 the origin server sent the original response, and 6458 o The presented Last-Modified time is at least 60 seconds before the 6459 Date value. 6461 This method relies on the fact that if two different responses were 6462 sent by the origin server during the same second, but both had the 6463 same Last-Modified time, then at least one of those responses would 6464 have a Date value equal to its Last-Modified time. The arbitrary 6465 60-second limit guards against the possibility that the Date and 6466 Last-Modified values are generated from different clocks or at 6467 somewhat different times during the preparation of the response. An 6468 implementation MAY use a value larger than 60 seconds, if it is 6469 believed that 60 seconds is too short. 6471 10.2.3. ETag 6473 The "ETag" header field in a response provides the current entity-tag 6474 for the selected representation, as determined at the conclusion of 6475 handling the request. An entity-tag is an opaque validator for 6476 differentiating between multiple representations of the same 6477 resource, regardless of whether those multiple representations are 6478 due to resource state changes over time, content negotiation 6479 resulting in multiple representations being valid at the same time, 6480 or both. An entity-tag consists of an opaque quoted string, possibly 6481 prefixed by a weakness indicator. 6483 ETag = entity-tag 6485 entity-tag = [ weak ] opaque-tag 6486 weak = %x57.2F ; "W/", case-sensitive 6487 opaque-tag = DQUOTE *etagc DQUOTE 6488 etagc = %x21 / %x23-7E / obs-text 6489 ; VCHAR except double quotes, plus obs-text 6491 Note: Previously, opaque-tag was defined to be a quoted-string 6492 ([RFC2616], Section 3.11); thus, some recipients might perform 6493 backslash unescaping. Servers therefore ought to avoid backslash 6494 characters in entity tags. 6496 An entity-tag can be more reliable for validation than a modification 6497 date in situations where it is inconvenient to store modification 6498 dates, where the one-second resolution of HTTP date values is not 6499 sufficient, or where modification dates are not consistently 6500 maintained. 6502 Examples: 6504 ETag: "xyzzy" 6505 ETag: W/"xyzzy" 6506 ETag: "" 6508 An entity-tag can be either a weak or strong validator, with strong 6509 being the default. If an origin server provides an entity-tag for a 6510 representation and the generation of that entity-tag does not satisfy 6511 all of the characteristics of a strong validator (Section 10.2.1), 6512 then the origin server MUST mark the entity-tag as weak by prefixing 6513 its opaque value with "W/" (case-sensitive). 6515 10.2.3.1. Generation 6517 The principle behind entity-tags is that only the service author 6518 knows the implementation of a resource well enough to select the most 6519 accurate and efficient validation mechanism for that resource, and 6520 that any such mechanism can be mapped to a simple sequence of octets 6521 for easy comparison. Since the value is opaque, there is no need for 6522 the client to be aware of how each entity-tag is constructed. 6524 For example, a resource that has implementation-specific versioning 6525 applied to all changes might use an internal revision number, perhaps 6526 combined with a variance identifier for content negotiation, to 6527 accurately differentiate between representations. Other 6528 implementations might use a collision-resistant hash of 6529 representation content, a combination of various file attributes, or 6530 a modification timestamp that has sub-second resolution. 6532 An origin server SHOULD send an ETag for any selected representation 6533 for which detection of changes can be reasonably and consistently 6534 determined, since the entity-tag's use in conditional requests and 6535 evaluating cache freshness ([Caching]) can result in a substantial 6536 reduction of HTTP network traffic and can be a significant factor in 6537 improving service scalability and reliability. 6539 10.2.3.2. Comparison 6541 There are two entity-tag comparison functions, depending on whether 6542 or not the comparison context allows the use of weak validators: 6544 o Strong comparison: two entity-tags are equivalent if both are not 6545 weak and their opaque-tags match character-by-character. 6547 o Weak comparison: two entity-tags are equivalent if their opaque- 6548 tags match character-by-character, regardless of either or both 6549 being tagged as "weak". 6551 The example below shows the results for a set of entity-tag pairs and 6552 both the weak and strong comparison function results: 6554 +--------+--------+-------------------+-----------------+ 6555 | ETag 1 | ETag 2 | Strong Comparison | Weak Comparison | 6556 +--------+--------+-------------------+-----------------+ 6557 | W/"1" | W/"1" | no match | match | 6558 | W/"1" | W/"2" | no match | no match | 6559 | W/"1" | "1" | no match | match | 6560 | "1" | "1" | match | match | 6561 +--------+--------+-------------------+-----------------+ 6563 10.2.3.3. Example: Entity-Tags Varying on Content-Negotiated Resources 6565 Consider a resource that is subject to content negotiation 6566 (Section 6.4), and where the representations sent in response to a 6567 GET request vary based on the Accept-Encoding request header field 6568 (Section 8.4.4): 6570 >> Request: 6572 GET /index HTTP/1.1 6573 Host: www.example.com 6574 Accept-Encoding: gzip 6576 In this case, the response might or might not use the gzip content 6577 coding. If it does not, the response might look like: 6579 >> Response: 6581 HTTP/1.1 200 OK 6582 Date: Fri, 26 Mar 2010 00:05:00 GMT 6583 ETag: "123-a" 6584 Content-Length: 70 6585 Vary: Accept-Encoding 6586 Content-Type: text/plain 6588 Hello World! 6589 Hello World! 6590 Hello World! 6591 Hello World! 6592 Hello World! 6594 An alternative representation that does use gzip content coding would 6595 be: 6597 >> Response: 6599 HTTP/1.1 200 OK 6600 Date: Fri, 26 Mar 2010 00:05:00 GMT 6601 ETag: "123-b" 6602 Content-Length: 43 6603 Vary: Accept-Encoding 6604 Content-Type: text/plain 6605 Content-Encoding: gzip 6607 ...binary data... 6609 Note: Content codings are a property of the representation data, 6610 so a strong entity-tag for a content-encoded representation has to 6611 be distinct from the entity tag of an unencoded representation to 6612 prevent potential conflicts during cache updates and range 6613 requests. In contrast, transfer codings (Section 7 of 6614 [Messaging]) apply only during message transfer and do not result 6615 in distinct entity-tags. 6617 10.2.4. When to Use Entity-Tags and Last-Modified Dates 6619 In 200 (OK) responses to GET or HEAD, an origin server: 6621 o SHOULD send an entity-tag validator unless it is not feasible to 6622 generate one. 6624 o MAY send a weak entity-tag instead of a strong entity-tag, if 6625 performance considerations support the use of weak entity-tags, or 6626 if it is unfeasible to send a strong entity-tag. 6628 o SHOULD send a Last-Modified value if it is feasible to send one. 6630 In other words, the preferred behavior for an origin server is to 6631 send both a strong entity-tag and a Last-Modified value in successful 6632 responses to a retrieval request. 6634 A client: 6636 o MUST send that entity-tag in any cache validation request (using 6637 If-Match or If-None-Match) if an entity-tag has been provided by 6638 the origin server. 6640 o SHOULD send the Last-Modified value in non-subrange cache 6641 validation requests (using If-Modified-Since) if only a Last- 6642 Modified value has been provided by the origin server. 6644 o MAY send the Last-Modified value in subrange cache validation 6645 requests (using If-Unmodified-Since) if only a Last-Modified value 6646 has been provided by an HTTP/1.0 origin server. The user agent 6647 SHOULD provide a way to disable this, in case of difficulty. 6649 o SHOULD send both validators in cache validation requests if both 6650 an entity-tag and a Last-Modified value have been provided by the 6651 origin server. This allows both HTTP/1.0 and HTTP/1.1 caches to 6652 respond appropriately. 6654 10.3. Authentication Challenges 6656 Authentication challenges indicate what mechanisms are available for 6657 the client to provide authentication credentials in future requests. 6659 +--------------------+----------------+ 6660 | Header Field Name | Defined in... | 6661 +--------------------+----------------+ 6662 | WWW-Authenticate | Section 10.3.1 | 6663 | Proxy-Authenticate | Section 10.3.2 | 6664 +--------------------+----------------+ 6666 10.3.1. WWW-Authenticate 6668 The "WWW-Authenticate" header field indicates the authentication 6669 scheme(s) and parameters applicable to the target resource. 6671 WWW-Authenticate = 1#challenge 6673 A server generating a 401 (Unauthorized) response MUST send a WWW- 6674 Authenticate header field containing at least one challenge. A 6675 server MAY generate a WWW-Authenticate header field in other response 6676 messages to indicate that supplying credentials (or different 6677 credentials) might affect the response. 6679 A proxy forwarding a response MUST NOT modify any WWW-Authenticate 6680 fields in that response. 6682 User agents are advised to take special care in parsing the field 6683 value, as it might contain more than one challenge, and each 6684 challenge can contain a comma-separated list of authentication 6685 parameters. Furthermore, the header field itself can occur multiple 6686 times. 6688 For instance: 6690 WWW-Authenticate: Newauth realm="apps", type=1, 6691 title="Login to \"apps\"", Basic realm="simple" 6693 This header field contains two challenges; one for the "Newauth" 6694 scheme with a realm value of "apps", and two additional parameters 6695 "type" and "title", and another one for the "Basic" scheme with a 6696 realm value of "simple". 6698 Note: The challenge grammar production uses the list syntax as 6699 well. Therefore, a sequence of comma, whitespace, and comma can 6700 be considered either as applying to the preceding challenge, or to 6701 be an empty entry in the list of challenges. In practice, this 6702 ambiguity does not affect the semantics of the header field value 6703 and thus is harmless. 6705 10.3.2. Proxy-Authenticate 6707 The "Proxy-Authenticate" header field consists of at least one 6708 challenge that indicates the authentication scheme(s) and parameters 6709 applicable to the proxy for this effective request URI (Section 5.3). 6710 A proxy MUST send at least one Proxy-Authenticate header field in 6711 each 407 (Proxy Authentication Required) response that it generates. 6713 Proxy-Authenticate = 1#challenge 6715 Unlike WWW-Authenticate, the Proxy-Authenticate header field applies 6716 only to the next outbound client on the response chain. This is 6717 because only the client that chose a given proxy is likely to have 6718 the credentials necessary for authentication. However, when multiple 6719 proxies are used within the same administrative domain, such as 6720 office and regional caching proxies within a large corporate network, 6721 it is common for credentials to be generated by the user agent and 6722 passed through the hierarchy until consumed. Hence, in such a 6723 configuration, it will appear as if Proxy-Authenticate is being 6724 forwarded because each proxy will send the same challenge set. 6726 Note that the parsing considerations for WWW-Authenticate apply to 6727 this header field as well; see Section 10.3.1 for details. 6729 10.4. Response Context 6731 The remaining response header fields provide more information about 6732 the target resource for potential use in later requests. 6734 +-------------------+----------------+ 6735 | Header Field Name | Defined in... | 6736 +-------------------+----------------+ 6737 | Accept-Ranges | Section 10.4.1 | 6738 | Allow | Section 10.4.2 | 6739 | Server | Section 10.4.3 | 6740 +-------------------+----------------+ 6742 10.4.1. Accept-Ranges 6744 The "Accept-Ranges" header field allows a server to indicate that it 6745 supports range requests for the target resource. 6747 Accept-Ranges = acceptable-ranges 6748 acceptable-ranges = 1#range-unit / "none" 6750 An origin server that supports byte-range requests for a given target 6751 resource MAY send 6753 Accept-Ranges: bytes 6755 to indicate what range units are supported. A client MAY generate 6756 range requests without having received this header field for the 6757 resource involved. Range units are defined in Section 6.1.4. 6759 A server that does not support any kind of range request for the 6760 target resource MAY send 6762 Accept-Ranges: none 6764 to advise the client not to attempt a range request. 6766 10.4.2. Allow 6768 The "Allow" header field lists the set of methods advertised as 6769 supported by the target resource. The purpose of this field is 6770 strictly to inform the recipient of valid request methods associated 6771 with the resource. 6773 Allow = #method 6775 Example of use: 6777 Allow: GET, HEAD, PUT 6779 The actual set of allowed methods is defined by the origin server at 6780 the time of each request. An origin server MUST generate an Allow 6781 field in a 405 (Method Not Allowed) response and MAY do so in any 6782 other response. An empty Allow field value indicates that the 6783 resource allows no methods, which might occur in a 405 response if 6784 the resource has been temporarily disabled by configuration. 6786 A proxy MUST NOT modify the Allow header field -- it does not need to 6787 understand all of the indicated methods in order to handle them 6788 according to the generic message handling rules. 6790 10.4.3. Server 6792 The "Server" header field contains information about the software 6793 used by the origin server to handle the request, which is often used 6794 by clients to help identify the scope of reported interoperability 6795 problems, to work around or tailor requests to avoid particular 6796 server limitations, and for analytics regarding server or operating 6797 system use. An origin server MAY generate a Server field in its 6798 responses. 6800 Server = product *( RWS ( product / comment ) ) 6802 The Server field-value consists of one or more product identifiers, 6803 each followed by zero or more comments (Section 5 of [Messaging]), 6804 which together identify the origin server software and its 6805 significant subproducts. By convention, the product identifiers are 6806 listed in decreasing order of their significance for identifying the 6807 origin server software. Each product identifier consists of a name 6808 and optional version, as defined in Section 8.6.3. 6810 Example: 6812 Server: CERN/3.0 libwww/2.17 6814 An origin server SHOULD NOT generate a Server field containing 6815 needlessly fine-grained detail and SHOULD limit the addition of 6816 subproducts by third parties. Overly long and detailed Server field 6817 values increase response latency and potentially reveal internal 6818 implementation details that might make it (slightly) easier for 6819 attackers to find and exploit known security holes. 6821 11. ABNF List Extension: #rule 6823 A #rule extension to the ABNF rules of [RFC5234] is used to improve 6824 readability in the definitions of some header field values. 6826 A construct "#" is defined, similar to "*", for defining comma- 6827 delimited lists of elements. The full form is "#element" 6828 indicating at least and at most elements, each separated by a 6829 single comma (",") and optional whitespace (OWS). 6831 In any production that uses the list construct, a sender MUST NOT 6832 generate empty list elements. In other words, a sender MUST generate 6833 lists that satisfy the following syntax: 6835 1#element => element *( OWS "," OWS element ) 6837 and: 6839 #element => [ 1#element ] 6841 and for n >= 1 and m > 1: 6843 #element => element *( OWS "," OWS element ) 6845 For compatibility with legacy list rules, a recipient MUST parse and 6846 ignore a reasonable number of empty list elements: enough to handle 6847 common mistakes by senders that merge values, but not so much that 6848 they could be used as a denial-of-service mechanism. In other words, 6849 a recipient MUST accept lists that satisfy the following syntax: 6851 #element => [ ( "," / element ) *( OWS "," [ OWS element ] ) ] 6853 1#element => *( "," OWS ) element *( OWS "," [ OWS element ] ) 6855 Empty elements do not contribute to the count of elements present. 6856 For example, given these ABNF productions: 6858 example-list = 1#example-list-elmt 6859 example-list-elmt = token ; see Section 4.2.3 6861 Then the following are valid values for example-list (not including 6862 the double quotes, which are present for delimitation only): 6864 "foo,bar" 6865 "foo ,bar," 6866 "foo , ,bar,charlie" 6868 In contrast, the following values would be invalid, since at least 6869 one non-empty element is required by the example-list production: 6871 "" 6872 "," 6873 ", ," 6875 Appendix A shows the collected ABNF for recipients after the list 6876 constructs have been expanded. 6878 12. Security Considerations 6880 This section is meant to inform developers, information providers, 6881 and users of known security concerns relevant to HTTP semantics and 6882 its use for transferring information over the Internet. 6883 Considerations related to message syntax, parsing, and routing are 6884 discussed in Section 11 of [Messaging]. 6886 The list of considerations below is not exhaustive. Most security 6887 concerns related to HTTP semantics are about securing server-side 6888 applications (code behind the HTTP interface), securing user agent 6889 processing of payloads received via HTTP, or secure use of the 6890 Internet in general, rather than security of the protocol. Various 6891 organizations maintain topical information and links to current 6892 research on Web application security (e.g., [OWASP]). 6894 12.1. Establishing Authority 6896 HTTP relies on the notion of an authoritative response: a response 6897 that has been determined by (or at the direction of) the authority 6898 identified within the target URI to be the most appropriate response 6899 for that request given the state of the target resource at the time 6900 of response message origination. Providing a response from a non- 6901 authoritative source, such as a shared cache, is often useful to 6902 improve performance and availability, but only to the extent that the 6903 source can be trusted or the distrusted response can be safely used. 6905 Unfortunately, establishing authority can be difficult. For example, 6906 phishing is an attack on the user's perception of authority, where 6907 that perception can be misled by presenting similar branding in 6908 hypertext, possibly aided by userinfo obfuscating the authority 6909 component (see Section 2.5.1). User agents can reduce the impact of 6910 phishing attacks by enabling users to easily inspect a target URI 6911 prior to making an action, by prominently distinguishing (or 6912 rejecting) userinfo when present, and by not sending stored 6913 credentials and cookies when the referring document is from an 6914 unknown or untrusted source. 6916 When a registered name is used in the authority component, the "http" 6917 URI scheme (Section 2.5.1) relies on the user's local name resolution 6918 service to determine where it can find authoritative responses. This 6919 means that any attack on a user's network host table, cached names, 6920 or name resolution libraries becomes an avenue for attack on 6921 establishing authority. Likewise, the user's choice of server for 6922 Domain Name Service (DNS), and the hierarchy of servers from which it 6923 obtains resolution results, could impact the authenticity of address 6924 mappings; DNS Security Extensions (DNSSEC, [RFC4033]) are one way to 6925 improve authenticity. 6927 Furthermore, after an IP address is obtained, establishing authority 6928 for an "http" URI is vulnerable to attacks on Internet Protocol 6929 routing. 6931 The "https" scheme (Section 2.5.2) is intended to prevent (or at 6932 least reveal) many of these potential attacks on establishing 6933 authority, provided that the negotiated TLS connection is secured and 6934 the client properly verifies that the communicating server's identity 6935 matches the target URI's authority component (see [RFC2818]). 6936 Correctly implementing such verification can be difficult (see 6937 [Georgiev]). 6939 12.2. Risks of Intermediaries 6941 By their very nature, HTTP intermediaries are men-in-the-middle and, 6942 thus, represent an opportunity for man-in-the-middle attacks. 6943 Compromise of the systems on which the intermediaries run can result 6944 in serious security and privacy problems. Intermediaries might have 6945 access to security-related information, personal information about 6946 individual users and organizations, and proprietary information 6947 belonging to users and content providers. A compromised 6948 intermediary, or an intermediary implemented or configured without 6949 regard to security and privacy considerations, might be used in the 6950 commission of a wide range of potential attacks. 6952 Intermediaries that contain a shared cache are especially vulnerable 6953 to cache poisoning attacks, as described in Section 7 of [Caching]. 6955 Implementers need to consider the privacy and security implications 6956 of their design and coding decisions, and of the configuration 6957 options they provide to operators (especially the default 6958 configuration). 6960 Users need to be aware that intermediaries are no more trustworthy 6961 than the people who run them; HTTP itself cannot solve this problem. 6963 12.3. Attacks Based on File and Path Names 6965 Origin servers frequently make use of their local file system to 6966 manage the mapping from effective request URI to resource 6967 representations. Most file systems are not designed to protect 6968 against malicious file or path names. Therefore, an origin server 6969 needs to avoid accessing names that have a special significance to 6970 the system when mapping the request target to files, folders, or 6971 directories. 6973 For example, UNIX, Microsoft Windows, and other operating systems use 6974 ".." as a path component to indicate a directory level above the 6975 current one, and they use specially named paths or file names to send 6976 data to system devices. Similar naming conventions might exist 6977 within other types of storage systems. Likewise, local storage 6978 systems have an annoying tendency to prefer user-friendliness over 6979 security when handling invalid or unexpected characters, 6980 recomposition of decomposed characters, and case-normalization of 6981 case-insensitive names. 6983 Attacks based on such special names tend to focus on either denial- 6984 of-service (e.g., telling the server to read from a COM port) or 6985 disclosure of configuration and source files that are not meant to be 6986 served. 6988 12.4. Attacks Based on Command, Code, or Query Injection 6990 Origin servers often use parameters within the URI as a means of 6991 identifying system services, selecting database entries, or choosing 6992 a data source. However, data received in a request cannot be 6993 trusted. An attacker could construct any of the request data 6994 elements (method, request-target, header fields, or body) to contain 6995 data that might be misinterpreted as a command, code, or query when 6996 passed through a command invocation, language interpreter, or 6997 database interface. 6999 For example, SQL injection is a common attack wherein additional 7000 query language is inserted within some part of the request-target or 7001 header fields (e.g., Host, Referer, etc.). If the received data is 7002 used directly within a SELECT statement, the query language might be 7003 interpreted as a database command instead of a simple string value. 7004 This type of implementation vulnerability is extremely common, in 7005 spite of being easy to prevent. 7007 In general, resource implementations ought to avoid use of request 7008 data in contexts that are processed or interpreted as instructions. 7009 Parameters ought to be compared to fixed strings and acted upon as a 7010 result of that comparison, rather than passed through an interface 7011 that is not prepared for untrusted data. Received data that isn't 7012 based on fixed parameters ought to be carefully filtered or encoded 7013 to avoid being misinterpreted. 7015 Similar considerations apply to request data when it is stored and 7016 later processed, such as within log files, monitoring tools, or when 7017 included within a data format that allows embedded scripts. 7019 12.5. Attacks via Protocol Element Length 7021 Because HTTP uses mostly textual, character-delimited fields, parsers 7022 are often vulnerable to attacks based on sending very long (or very 7023 slow) streams of data, particularly where an implementation is 7024 expecting a protocol element with no predefined length (Section 3.3). 7026 To promote interoperability, specific recommendations are made for 7027 minimum size limits on request-line (Section 3 of [Messaging]) and 7028 header fields (Section 5 of [Messaging]). These are minimum 7029 recommendations, chosen to be supportable even by implementations 7030 with limited resources; it is expected that most implementations will 7031 choose substantially higher limits. 7033 A server can reject a message that has a request-target that is too 7034 long (Section 9.5.15) or a request payload that is too large 7035 (Section 9.5.14). Additional status codes related to capacity limits 7036 have been defined by extensions to HTTP [RFC6585]. 7038 Recipients ought to carefully limit the extent to which they process 7039 other protocol elements, including (but not limited to) request 7040 methods, response status phrases, header field-names, numeric values, 7041 and body chunks. Failure to limit such processing can result in 7042 buffer overflows, arithmetic overflows, or increased vulnerability to 7043 denial-of-service attacks. 7045 12.6. Disclosure of Personal Information 7047 Clients are often privy to large amounts of personal information, 7048 including both information provided by the user to interact with 7049 resources (e.g., the user's name, location, mail address, passwords, 7050 encryption keys, etc.) and information about the user's browsing 7051 activity over time (e.g., history, bookmarks, etc.). Implementations 7052 need to prevent unintentional disclosure of personal information. 7054 12.7. Privacy of Server Log Information 7056 A server is in the position to save personal data about a user's 7057 requests over time, which might identify their reading patterns or 7058 subjects of interest. In particular, log information gathered at an 7059 intermediary often contains a history of user agent interaction, 7060 across a multitude of sites, that can be traced to individual users. 7062 HTTP log information is confidential in nature; its handling is often 7063 constrained by laws and regulations. Log information needs to be 7064 securely stored and appropriate guidelines followed for its analysis. 7065 Anonymization of personal information within individual entries 7066 helps, but it is generally not sufficient to prevent real log traces 7067 from being re-identified based on correlation with other access 7068 characteristics. As such, access traces that are keyed to a specific 7069 client are unsafe to publish even if the key is pseudonymous. 7071 To minimize the risk of theft or accidental publication, log 7072 information ought to be purged of personally identifiable 7073 information, including user identifiers, IP addresses, and user- 7074 provided query parameters, as soon as that information is no longer 7075 necessary to support operational needs for security, auditing, or 7076 fraud control. 7078 12.8. Disclosure of Sensitive Information in URIs 7080 URIs are intended to be shared, not secured, even when they identify 7081 secure resources. URIs are often shown on displays, added to 7082 templates when a page is printed, and stored in a variety of 7083 unprotected bookmark lists. It is therefore unwise to include 7084 information within a URI that is sensitive, personally identifiable, 7085 or a risk to disclose. 7087 Authors of services ought to avoid GET-based forms for the submission 7088 of sensitive data because that data will be placed in the request- 7089 target. Many existing servers, proxies, and user agents log or 7090 display the request-target in places where it might be visible to 7091 third parties. Such services ought to use POST-based form submission 7092 instead. 7094 Since the Referer header field tells a target site about the context 7095 that resulted in a request, it has the potential to reveal 7096 information about the user's immediate browsing history and any 7097 personal information that might be found in the referring resource's 7098 URI. Limitations on the Referer header field are described in 7099 Section 8.6.2 to address some of its security considerations. 7101 12.9. Disclosure of Fragment after Redirects 7103 Although fragment identifiers used within URI references are not sent 7104 in requests, implementers ought to be aware that they will be visible 7105 to the user agent and any extensions or scripts running as a result 7106 of the response. In particular, when a redirect occurs and the 7107 original request's fragment identifier is inherited by the new 7108 reference in Location (Section 10.1.2), this might have the effect of 7109 disclosing one site's fragment to another site. If the first site 7110 uses personal information in fragments, it ought to ensure that 7111 redirects to other sites include a (possibly empty) fragment 7112 component in order to block that inheritance. 7114 12.10. Disclosure of Product Information 7116 The User-Agent (Section 8.6.3), Via (Section 5.6.1), and Server 7117 (Section 10.4.3) header fields often reveal information about the 7118 respective sender's software systems. In theory, this can make it 7119 easier for an attacker to exploit known security holes; in practice, 7120 attackers tend to try all potential holes regardless of the apparent 7121 software versions being used. 7123 Proxies that serve as a portal through a network firewall ought to 7124 take special precautions regarding the transfer of header information 7125 that might identify hosts behind the firewall. The Via header field 7126 allows intermediaries to replace sensitive machine names with 7127 pseudonyms. 7129 12.11. Browser Fingerprinting 7131 Browser fingerprinting is a set of techniques for identifying a 7132 specific user agent over time through its unique set of 7133 characteristics. These characteristics might include information 7134 related to its TCP behavior, feature capabilities, and scripting 7135 environment, though of particular interest here is the set of unique 7136 characteristics that might be communicated via HTTP. Fingerprinting 7137 is considered a privacy concern because it enables tracking of a user 7138 agent's behavior over time without the corresponding controls that 7139 the user might have over other forms of data collection (e.g., 7140 cookies). Many general-purpose user agents (i.e., Web browsers) have 7141 taken steps to reduce their fingerprints. 7143 There are a number of request header fields that might reveal 7144 information to servers that is sufficiently unique to enable 7145 fingerprinting. The From header field is the most obvious, though it 7146 is expected that From will only be sent when self-identification is 7147 desired by the user. Likewise, Cookie header fields are deliberately 7148 designed to enable re-identification, so fingerprinting concerns only 7149 apply to situations where cookies are disabled or restricted by the 7150 user agent's configuration. 7152 The User-Agent header field might contain enough information to 7153 uniquely identify a specific device, usually when combined with other 7154 characteristics, particularly if the user agent sends excessive 7155 details about the user's system or extensions. However, the source 7156 of unique information that is least expected by users is proactive 7157 negotiation (Section 8.4), including the Accept, Accept-Charset, 7158 Accept-Encoding, and Accept-Language header fields. 7160 In addition to the fingerprinting concern, detailed use of the 7161 Accept-Language header field can reveal information the user might 7162 consider to be of a private nature. For example, understanding a 7163 given language set might be strongly correlated to membership in a 7164 particular ethnic group. An approach that limits such loss of 7165 privacy would be for a user agent to omit the sending of Accept- 7166 Language except for sites that have been whitelisted, perhaps via 7167 interaction after detecting a Vary header field that indicates 7168 language negotiation might be useful. 7170 In environments where proxies are used to enhance privacy, user 7171 agents ought to be conservative in sending proactive negotiation 7172 header fields. General-purpose user agents that provide a high 7173 degree of header field configurability ought to inform users about 7174 the loss of privacy that might result if too much detail is provided. 7175 As an extreme privacy measure, proxies could filter the proactive 7176 negotiation header fields in relayed requests. 7178 12.12. Validator Retention 7180 The validators defined by this specification are not intended to 7181 ensure the validity of a representation, guard against malicious 7182 changes, or detect man-in-the-middle attacks. At best, they enable 7183 more efficient cache updates and optimistic concurrent writes when 7184 all participants are behaving nicely. At worst, the conditions will 7185 fail and the client will receive a response that is no more harmful 7186 than an HTTP exchange without conditional requests. 7188 An entity-tag can be abused in ways that create privacy risks. For 7189 example, a site might deliberately construct a semantically invalid 7190 entity-tag that is unique to the user or user agent, send it in a 7191 cacheable response with a long freshness time, and then read that 7192 entity-tag in later conditional requests as a means of re-identifying 7193 that user or user agent. Such an identifying tag would become a 7194 persistent identifier for as long as the user agent retained the 7195 original cache entry. User agents that cache representations ought 7196 to ensure that the cache is cleared or replaced whenever the user 7197 performs privacy-maintaining actions, such as clearing stored cookies 7198 or changing to a private browsing mode. 7200 12.13. Denial-of-Service Attacks Using Range 7202 Unconstrained multiple range requests are susceptible to denial-of- 7203 service attacks because the effort required to request many 7204 overlapping ranges of the same data is tiny compared to the time, 7205 memory, and bandwidth consumed by attempting to serve the requested 7206 data in many parts. Servers ought to ignore, coalesce, or reject 7207 egregious range requests, such as requests for more than two 7208 overlapping ranges or for many small ranges in a single set, 7209 particularly when the ranges are requested out of order for no 7210 apparent reason. Multipart range requests are not designed to 7211 support random access. 7213 12.14. Authentication Considerations 7215 Everything about the topic of HTTP authentication is a security 7216 consideration, so the list of considerations below is not exhaustive. 7217 Furthermore, it is limited to security considerations regarding the 7218 authentication framework, in general, rather than discussing all of 7219 the potential considerations for specific authentication schemes 7220 (which ought to be documented in the specifications that define those 7221 schemes). Various organizations maintain topical information and 7222 links to current research on Web application security (e.g., 7223 [OWASP]), including common pitfalls for implementing and using the 7224 authentication schemes found in practice. 7226 12.14.1. Confidentiality of Credentials 7228 The HTTP authentication framework does not define a single mechanism 7229 for maintaining the confidentiality of credentials; instead, each 7230 authentication scheme defines how the credentials are encoded prior 7231 to transmission. While this provides flexibility for the development 7232 of future authentication schemes, it is inadequate for the protection 7233 of existing schemes that provide no confidentiality on their own, or 7234 that do not sufficiently protect against replay attacks. 7235 Furthermore, if the server expects credentials that are specific to 7236 each individual user, the exchange of those credentials will have the 7237 effect of identifying that user even if the content within 7238 credentials remains confidential. 7240 HTTP depends on the security properties of the underlying transport- 7241 or session-level connection to provide confidential transmission of 7242 header fields. In other words, if a server limits access to 7243 authenticated users using this framework, the server needs to ensure 7244 that the connection is properly secured in accordance with the nature 7245 of the authentication scheme used. For example, services that depend 7246 on individual user authentication often require a connection to be 7247 secured with TLS ("Transport Layer Security", [RFC5246]) prior to 7248 exchanging any credentials. 7250 12.14.2. Credentials and Idle Clients 7252 Existing HTTP clients and user agents typically retain authentication 7253 information indefinitely. HTTP does not provide a mechanism for the 7254 origin server to direct clients to discard these cached credentials, 7255 since the protocol has no awareness of how credentials are obtained 7256 or managed by the user agent. The mechanisms for expiring or 7257 revoking credentials can be specified as part of an authentication 7258 scheme definition. 7260 Circumstances under which credential caching can interfere with the 7261 application's security model include but are not limited to: 7263 o Clients that have been idle for an extended period, following 7264 which the server might wish to cause the client to re-prompt the 7265 user for credentials. 7267 o Applications that include a session termination indication (such 7268 as a "logout" or "commit" button on a page) after which the server 7269 side of the application "knows" that there is no further reason 7270 for the client to retain the credentials. 7272 User agents that cache credentials are encouraged to provide a 7273 readily accessible mechanism for discarding cached credentials under 7274 user control. 7276 12.14.3. Protection Spaces 7278 Authentication schemes that solely rely on the "realm" mechanism for 7279 establishing a protection space will expose credentials to all 7280 resources on an origin server. Clients that have successfully made 7281 authenticated requests with a resource can use the same 7282 authentication credentials for other resources on the same origin 7283 server. This makes it possible for a different resource to harvest 7284 authentication credentials for other resources. 7286 This is of particular concern when an origin server hosts resources 7287 for multiple parties under the same canonical root URI 7288 (Section 8.5.2). Possible mitigation strategies include restricting 7289 direct access to authentication credentials (i.e., not making the 7290 content of the Authorization request header field available), and 7291 separating protection spaces by using a different host name (or port 7292 number) for each party. 7294 13. IANA Considerations 7296 The change controller for the following registrations is: "IETF 7297 (iesg@ietf.org) - Internet Engineering Task Force". 7299 13.1. URI Scheme Registration 7301 Please update the registry of URI Schemes [BCP35] at 7302 with the permanent 7303 schemes listed in the first table of Section 2.5. 7305 13.2. Method Registration 7307 Please update the "Hypertext Transfer Protocol (HTTP) Method 7308 Registry" at with the 7309 registration procedure of Section 7.4.1 and the method names 7310 summarized in the table of Section 7.2. 7312 13.3. Status Code Registration 7314 Please update the "Hypertext Transfer Protocol (HTTP) Status Code 7315 Registry" at 7316 with the registration procedure of Section 9.7.1 and the status code 7317 values summarized in the table of Section 9.1. 7319 13.4. Header Field Registration 7321 Please update the "Message Headers" registry of "Permanent Message 7322 Header Field Names" at with the header field names listed in the table of 7324 Section 4.1. 7326 13.5. Authentication Scheme Registration 7328 Please update the "Hypertext Transfer Protocol (HTTP) Authentication 7329 Scheme Registry" at with the registration procedure of Section 8.5.5.1. No 7331 authentication schemes are defined in this document. 7333 13.6. Content Coding Registration 7335 Please update the "HTTP Content Coding Registry" at 7336 with the 7337 registration procedure of Section 6.1.2.4.1 and the content coding 7338 names summarized in the table of Section 6.1.2. 7340 13.7. Range Unit Registration 7342 Please update the "HTTP Range Unit Registry" at 7343 with the 7344 registration procedure of Section 6.1.4.3 and the range unit names 7345 summarized in the table of Section 6.1.4. 7347 13.8. Media Type Registration 7349 Please update the "Media Types" registry at 7350 with the registration 7351 information in Section 6.3.4 for the media type "multipart/ 7352 byteranges". 7354 14. References 7356 14.1. Normative References 7358 [Caching] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 7359 Ed., "HTTP Caching", draft-ietf-httpbis-cache-02 (work in 7360 progress), July 2018. 7362 [Messaging] 7363 Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 7364 Ed., "HTTP/1.1 Messaging", draft-ietf-httpbis-messaging-02 7365 (work in progress), July 2018. 7367 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 7368 RFC 793, DOI 10.17487/RFC0793, September 1981, 7369 . 7371 [RFC1950] Deutsch, L. and J-L. Gailly, "ZLIB Compressed Data Format 7372 Specification version 3.3", RFC 1950, 7373 DOI 10.17487/RFC1950, May 1996, 7374 . 7376 [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification 7377 version 1.3", RFC 1951, DOI 10.17487/RFC1951, May 1996, 7378 . 7380 [RFC1952] Deutsch, P., Gailly, J-L., Adler, M., Deutsch, L., and G. 7381 Randers-Pehrson, "GZIP file format specification version 7382 4.3", RFC 1952, DOI 10.17487/RFC1952, May 1996, 7383 . 7385 [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 7386 Extensions (MIME) Part One: Format of Internet Message 7387 Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, 7388 . 7390 [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 7391 Extensions (MIME) Part Two: Media Types", RFC 2046, 7392 DOI 10.17487/RFC2046, November 1996, 7393 . 7395 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 7396 Requirement Levels", BCP 14, RFC 2119, 7397 DOI 10.17487/RFC2119, March 1997, 7398 . 7400 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 7401 Resource Identifier (URI): Generic Syntax", STD 66, 7402 RFC 3986, DOI 10.17487/RFC3986, January 2005, 7403 . 7405 [RFC4647] Phillips, A., Ed. and M. Davis, Ed., "Matching of Language 7406 Tags", BCP 47, RFC 4647, DOI 10.17487/RFC4647, September 7407 2006, . 7409 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 7410 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 7411 . 7413 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 7414 Specifications: ABNF", STD 68, RFC 5234, 7415 DOI 10.17487/RFC5234, January 2008, 7416 . 7418 [RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying 7419 Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646, 7420 September 2009, . 7422 [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in 7423 Internationalization in the IETF", BCP 166, RFC 6365, 7424 DOI 10.17487/RFC6365, September 2011, 7425 . 7427 [USASCII] American National Standards Institute, "Coded Character 7428 Set -- 7-bit American Standard Code for Information 7429 Interchange", ANSI X3.4, 1986. 7431 [Welch] Welch, T., "A Technique for High-Performance Data 7432 Compression", IEEE Computer 17(6), 7433 DOI 10.1109/MC.1984.1659158, June 1984, 7434 . 7436 14.2. Informative References 7438 [BCP13] Freed, N., Klensin, J., and T. Hansen, "Media Type 7439 Specifications and Registration Procedures", BCP 13, 7440 RFC 6838, January 2013, 7441 . 7443 [BCP178] Saint-Andre, P., Crocker, D., and M. Nottingham, 7444 "Deprecating the "X-" Prefix and Similar Constructs in 7445 Application Protocols", BCP 178, RFC 6648, June 2012, 7446 . 7448 [BCP35] Thaler, D., Ed., Hansen, T., and T. Hardie, "Guidelines 7449 and Registration Procedures for URI Schemes", BCP 35, 7450 RFC 7595, June 2015, 7451 . 7453 [BCP90] Klyne, G., Nottingham, M., and J. Mogul, "Registration 7454 Procedures for Message Header Fields", BCP 90, RFC 3864, 7455 September 2004, . 7457 [Georgiev] 7458 Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, 7459 D., and V. Shmatikov, "The Most Dangerous Code in the 7460 World: Validating SSL Certificates in Non-browser 7461 Software", In Proceedings of the 2012 ACM Conference on 7462 Computer and Communications Security (CCS '12), pp. 38-49, 7463 October 2012, 7464 . 7466 [ISO-8859-1] 7467 International Organization for Standardization, 7468 "Information technology -- 8-bit single-byte coded graphic 7469 character sets -- Part 1: Latin alphabet No. 1", ISO/ 7470 IEC 8859-1:1998, 1998. 7472 [Kri2001] Kristol, D., "HTTP Cookies: Standards, Privacy, and 7473 Politics", ACM Transactions on Internet Technology 1(2), 7474 November 2001, . 7476 [OWASP] van der Stock, A., Ed., "A Guide to Building Secure Web 7477 Applications and Web Services", The Open Web Application 7478 Security Project (OWASP) 2.0.1, July 2005, 7479 . 7481 [REST] Fielding, R., "Architectural Styles and the Design of 7482 Network-based Software Architectures", 7483 Doctoral Dissertation, University of California, Irvine, 7484 September 2000, 7485 . 7487 [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", 7488 RFC 1919, DOI 10.17487/RFC1919, March 1996, 7489 . 7491 [RFC1945] Berners-Lee, T., Fielding, R., and H. Nielsen, "Hypertext 7492 Transfer Protocol -- HTTP/1.0", RFC 1945, 7493 DOI 10.17487/RFC1945, May 1996, 7494 . 7496 [RFC2047] Moore, K., "MIME (Multipurpose Internet Mail Extensions) 7497 Part Three: Message Header Extensions for Non-ASCII Text", 7498 RFC 2047, DOI 10.17487/RFC2047, November 1996, 7499 . 7501 [RFC2068] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and T. 7502 Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", 7503 RFC 2068, DOI 10.17487/RFC2068, January 1997, 7504 . 7506 [RFC2145] Mogul, J., Fielding, R., Gettys, J., and H. Nielsen, "Use 7507 and Interpretation of HTTP Version Numbers", RFC 2145, 7508 DOI 10.17487/RFC2145, May 1997, 7509 . 7511 [RFC2295] Holtman, K. and A. Mutz, "Transparent Content Negotiation 7512 in HTTP", RFC 2295, DOI 10.17487/RFC2295, March 1998, 7513 . 7515 [RFC2557] Palme, F., Hopmann, A., Shelness, N., and E. Stefferud, 7516 "MIME Encapsulation of Aggregate Documents, such as HTML 7517 (MHTML)", RFC 2557, DOI 10.17487/RFC2557, March 1999, 7518 . 7520 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 7521 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 7522 Transfer Protocol -- HTTP/1.1", RFC 2616, 7523 DOI 10.17487/RFC2616, June 1999, 7524 . 7526 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., 7527 Leach, P., Luotonen, A., and L. Stewart, "HTTP 7528 Authentication: Basic and Digest Access Authentication", 7529 RFC 2617, DOI 10.17487/RFC2617, June 1999, 7530 . 7532 [RFC2774] Frystyk, H., Leach, P., and S. Lawrence, "An HTTP 7533 Extension Framework", RFC 2774, DOI 10.17487/RFC2774, 7534 February 2000, . 7536 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, 7537 DOI 10.17487/RFC2818, May 2000, 7538 . 7540 [RFC2978] Freed, N. and J. Postel, "IANA Charset Registration 7541 Procedures", BCP 19, RFC 2978, DOI 10.17487/RFC2978, 7542 October 2000, . 7544 [RFC3040] Cooper, I., Melve, I., and G. Tomlinson, "Internet Web 7545 Replication and Caching Taxonomy", RFC 3040, 7546 DOI 10.17487/RFC3040, January 2001, 7547 . 7549 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 7550 Rose, "DNS Security Introduction and Requirements", 7551 RFC 4033, DOI 10.17487/RFC4033, March 2005, 7552 . 7554 [RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based 7555 Kerberos and NTLM HTTP Authentication in Microsoft 7556 Windows", RFC 4559, DOI 10.17487/RFC4559, June 2006, 7557 . 7559 [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed 7560 Authoring and Versioning (WebDAV)", RFC 4918, 7561 DOI 10.17487/RFC4918, June 2007, 7562 . 7564 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 7565 (TLS) Protocol Version 1.2", RFC 5246, 7566 DOI 10.17487/RFC5246, August 2008, 7567 . 7569 [RFC5322] Resnick, P., "Internet Message Format", RFC 5322, 7570 DOI 10.17487/RFC5322, October 2008, 7571 . 7573 [RFC5789] Dusseault, L. and J. Snell, "PATCH Method for HTTP", 7574 RFC 5789, DOI 10.17487/RFC5789, March 2010, 7575 . 7577 [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, 7578 "Network Time Protocol Version 4: Protocol and Algorithms 7579 Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010, 7580 . 7582 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, 7583 DOI 10.17487/RFC6265, April 2011, 7584 . 7586 [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status 7587 Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012, 7588 . 7590 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7591 Protocol (HTTP/1.1): Message Syntax and Routing", 7592 RFC 7230, DOI 10.17487/RFC7230, June 2014, 7593 . 7595 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7596 Protocol (HTTP/1.1): Semantics and Content", RFC 7231, 7597 DOI 10.17487/RFC7231, June 2014, 7598 . 7600 [RFC7232] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7601 Protocol (HTTP/1.1): Conditional Requests", RFC 7232, 7602 DOI 10.17487/RFC7232, June 2014, 7603 . 7605 [RFC7233] Fielding, R., Ed., Lafon, Y., Ed., and J. Reschke, Ed., 7606 "Hypertext Transfer Protocol (HTTP): Range Requests", 7607 RFC 7233, DOI 10.17487/RFC7233, June 2014, 7608 . 7610 [RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7611 Protocol (HTTP/1.1): Authentication", RFC 7235, 7612 DOI 10.17487/RFC7235, June 2014, 7613 . 7615 [RFC7538] Reschke, J., "The Hypertext Transfer Protocol Status Code 7616 308 (Permanent Redirect)", RFC 7538, DOI 10.17487/RFC7538, 7617 April 2015, . 7619 [RFC7578] Masinter, L., "Returning Values from Forms: multipart/ 7620 form-data", RFC 7578, DOI 10.17487/RFC7578, July 2015, 7621 . 7623 [RFC7616] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP 7624 Digest Access Authentication", RFC 7616, 7625 DOI 10.17487/RFC7616, September 2015, 7626 . 7628 [RFC7617] Reschke, J., "The 'Basic' HTTP Authentication Scheme", 7629 RFC 7617, DOI 10.17487/RFC7617, September 2015, 7630 . 7632 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 7633 Writing an IANA Considerations Section in RFCs", BCP 26, 7634 RFC 8126, DOI 10.17487/RFC8126, June 2017, 7635 . 7637 [RFC8187] Reschke, J., "Indicating Character Encoding and Language 7638 for HTTP Header Field Parameters", RFC 8187, 7639 DOI 10.17487/RFC8187, September 2017, 7640 . 7642 [RFC8288] Nottingham, M., "Web Linking", RFC 8288, 7643 DOI 10.17487/RFC8288, October 2017, 7644 . 7646 Appendix A. Collected ABNF 7648 In the collected ABNF below, list rules are expanded as per 7649 Section 11. 7651 Accept = [ ( "," / ( media-range [ accept-params ] ) ) *( OWS "," [ 7652 OWS ( media-range [ accept-params ] ) ] ) ] 7653 Accept-Charset = *( "," OWS ) ( ( charset / "*" ) [ weight ] ) *( OWS 7654 "," [ OWS ( ( charset / "*" ) [ weight ] ) ] ) 7655 Accept-Encoding = [ ( "," / ( codings [ weight ] ) ) *( OWS "," [ OWS 7656 ( codings [ weight ] ) ] ) ] 7657 Accept-Language = *( "," OWS ) ( language-range [ weight ] ) *( OWS 7658 "," [ OWS ( language-range [ weight ] ) ] ) 7659 Accept-Ranges = acceptable-ranges 7660 Allow = [ ( "," / method ) *( OWS "," [ OWS method ] ) ] 7661 Authorization = credentials 7663 BWS = OWS 7665 Content-Encoding = *( "," OWS ) content-coding *( OWS "," [ OWS 7666 content-coding ] ) 7667 Content-Language = *( "," OWS ) language-tag *( OWS "," [ OWS 7668 language-tag ] ) 7669 Content-Length = 1*DIGIT 7670 Content-Location = absolute-URI / partial-URI 7671 Content-Range = byte-content-range / other-content-range 7672 Content-Type = media-type 7674 Date = HTTP-date 7676 ETag = entity-tag 7677 Expect = "100-continue" 7679 From = mailbox 7681 GMT = %x47.4D.54 ; GMT 7683 HTTP-date = IMF-fixdate / obs-date 7684 Host = uri-host [ ":" port ] 7686 IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT 7687 If-Match = "*" / ( *( "," OWS ) entity-tag *( OWS "," [ OWS 7688 entity-tag ] ) ) 7689 If-Modified-Since = HTTP-date 7690 If-None-Match = "*" / ( *( "," OWS ) entity-tag *( OWS "," [ OWS 7691 entity-tag ] ) ) 7692 If-Range = entity-tag / HTTP-date 7693 If-Unmodified-Since = HTTP-date 7694 Last-Modified = HTTP-date 7695 Location = URI-reference 7697 Max-Forwards = 1*DIGIT 7699 OWS = *( SP / HTAB ) 7701 Proxy-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS 7702 challenge ] ) 7703 Proxy-Authorization = credentials 7705 RWS = 1*( SP / HTAB ) 7706 Range = byte-ranges-specifier / other-ranges-specifier 7707 Referer = absolute-URI / partial-URI 7708 Retry-After = HTTP-date / delay-seconds 7710 Server = product *( RWS ( product / comment ) ) 7712 Trailer = *( "," OWS ) field-name *( OWS "," [ OWS field-name ] ) 7714 URI-reference = 7715 User-Agent = product *( RWS ( product / comment ) ) 7717 Vary = "*" / ( *( "," OWS ) field-name *( OWS "," [ OWS field-name ] 7718 ) ) 7719 Via = *( "," OWS ) ( received-protocol RWS received-by [ RWS comment 7720 ] ) *( OWS "," [ OWS ( received-protocol RWS received-by [ RWS 7721 comment ] ) ] ) 7723 WWW-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS challenge 7724 ] ) 7726 absolute-URI = 7727 absolute-path = 1*( "/" segment ) 7728 accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] 7729 accept-params = weight *accept-ext 7730 acceptable-ranges = ( *( "," OWS ) range-unit *( OWS "," [ OWS 7731 range-unit ] ) ) / "none" 7732 asctime-date = day-name SP date3 SP time-of-day SP year 7733 auth-param = token BWS "=" BWS ( token / quoted-string ) 7734 auth-scheme = token 7735 authority = 7737 byte-content-range = bytes-unit SP ( byte-range-resp / 7738 unsatisfied-range ) 7739 byte-range = first-byte-pos "-" last-byte-pos 7740 byte-range-resp = byte-range "/" ( complete-length / "*" ) 7741 byte-range-set = *( "," OWS ) ( byte-range-spec / 7742 suffix-byte-range-spec ) *( OWS "," [ OWS ( byte-range-spec / 7743 suffix-byte-range-spec ) ] ) 7744 byte-range-spec = first-byte-pos "-" [ last-byte-pos ] 7745 byte-ranges-specifier = bytes-unit "=" byte-range-set 7746 bytes-unit = "bytes" 7748 challenge = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) *( 7749 OWS "," [ OWS auth-param ] ) ] ) ] 7750 charset = token 7751 codings = content-coding / "identity" / "*" 7752 comment = "(" *( ctext / quoted-pair / comment ) ")" 7753 complete-length = 1*DIGIT 7754 content-coding = token 7755 credentials = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) 7756 *( OWS "," [ OWS auth-param ] ) ] ) ] 7757 ctext = HTAB / SP / %x21-27 ; '!'-''' 7758 / %x2A-5B ; '*'-'[' 7759 / %x5D-7E ; ']'-'~' 7760 / obs-text 7762 date1 = day SP month SP year 7763 date2 = day "-" month "-" 2DIGIT 7764 date3 = month SP ( 2DIGIT / ( SP DIGIT ) ) 7765 day = 2DIGIT 7766 day-name = %x4D.6F.6E ; Mon 7767 / %x54.75.65 ; Tue 7768 / %x57.65.64 ; Wed 7769 / %x54.68.75 ; Thu 7770 / %x46.72.69 ; Fri 7771 / %x53.61.74 ; Sat 7772 / %x53.75.6E ; Sun 7773 day-name-l = %x4D.6F.6E.64.61.79 ; Monday 7774 / %x54.75.65.73.64.61.79 ; Tuesday 7775 / %x57.65.64.6E.65.73.64.61.79 ; Wednesday 7776 / %x54.68.75.72.73.64.61.79 ; Thursday 7777 / %x46.72.69.64.61.79 ; Friday 7778 / %x53.61.74.75.72.64.61.79 ; Saturday 7779 / %x53.75.6E.64.61.79 ; Sunday 7780 delay-seconds = 1*DIGIT 7782 entity-tag = [ weak ] opaque-tag 7783 etagc = "!" / %x23-7E ; '#'-'~' 7784 / obs-text 7786 field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] 7787 field-name = token 7788 field-value = *( field-content / obs-fold ) 7789 field-vchar = VCHAR / obs-text 7790 first-byte-pos = 1*DIGIT 7791 fragment = 7793 hour = 2DIGIT 7794 http-URI = "http://" authority path-abempty [ "?" query ] [ "#" 7795 fragment ] 7796 https-URI = "https://" authority path-abempty [ "?" query ] [ "#" 7797 fragment ] 7799 language-range = 7800 language-tag = 7801 last-byte-pos = 1*DIGIT 7803 mailbox = 7804 media-range = ( "*/*" / ( type "/*" ) / ( type "/" subtype ) ) *( OWS 7805 ";" OWS parameter ) 7806 media-type = type "/" subtype *( OWS ";" OWS parameter ) 7807 method = token 7808 minute = 2DIGIT 7809 month = %x4A.61.6E ; Jan 7810 / %x46.65.62 ; Feb 7811 / %x4D.61.72 ; Mar 7812 / %x41.70.72 ; Apr 7813 / %x4D.61.79 ; May 7814 / %x4A.75.6E ; Jun 7815 / %x4A.75.6C ; Jul 7816 / %x41.75.67 ; Aug 7817 / %x53.65.70 ; Sep 7818 / %x4F.63.74 ; Oct 7819 / %x4E.6F.76 ; Nov 7820 / %x44.65.63 ; Dec 7822 obs-date = rfc850-date / asctime-date 7823 obs-fold = 7824 obs-text = %x80-FF 7825 opaque-tag = DQUOTE *etagc DQUOTE 7826 other-content-range = other-range-unit SP other-range-resp 7827 other-range-resp = *VCHAR 7828 other-range-set = 1*VCHAR 7829 other-range-unit = token 7830 other-ranges-specifier = other-range-unit "=" other-range-set 7832 parameter = token "=" ( token / quoted-string ) 7833 partial-URI = relative-part [ "?" query ] 7834 path-abempty = 7835 port = 7836 product = token [ "/" product-version ] 7837 product-version = token 7838 protocol-name = 7839 protocol-version = 7840 pseudonym = token 7842 qdtext = HTAB / SP / "!" / %x23-5B ; '#'-'[' 7843 / %x5D-7E ; ']'-'~' 7844 / obs-text 7845 query = 7846 quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) 7847 quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE 7848 qvalue = ( "0" [ "." *3DIGIT ] ) / ( "1" [ "." *3"0" ] ) 7850 range-unit = bytes-unit / other-range-unit 7851 received-by = ( uri-host [ ":" port ] ) / pseudonym 7852 received-protocol = [ protocol-name "/" ] protocol-version 7853 relative-part = 7854 request-target = 7855 rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT 7857 second = 2DIGIT 7858 segment = 7859 subtype = token 7860 suffix-byte-range-spec = "-" suffix-length 7861 suffix-length = 1*DIGIT 7863 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / 7864 "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA 7865 time-of-day = hour ":" minute ":" second 7866 token = 1*tchar 7867 token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) 7868 *"=" 7869 type = token 7871 unsatisfied-range = "*/" complete-length 7872 uri-host = 7874 weak = %x57.2F ; W/ 7875 weight = OWS ";" OWS "q=" qvalue 7877 year = 4DIGIT 7879 Appendix B. Changes from RFC 7230 7881 Most of the sections introducing HTTP's design goals, history, 7882 architecture, conformance criteria, protocol versioning, URIs, 7883 message routing, and header field values have been moved here 7884 (without substantive change). 7886 Appendix C. Changes from RFC 7231 7888 None yet. 7890 Appendix D. Changes from RFC 7232 7892 None yet. 7894 Appendix E. Changes from RFC 7233 7896 None yet. 7898 Appendix F. Changes from RFC 7235 7900 None yet. 7902 Appendix G. Change Log 7904 This section is to be removed before publishing as an RFC. 7906 G.1. Between RFC723x and draft 00 7908 The changes were purely editorial: 7910 o Change boilerplate and abstract to indicate the "draft" status, 7911 and update references to ancestor specifications. 7913 o Remove version "1.1" from document title, indicating that this 7914 specification applies to all HTTP versions. 7916 o Adjust historical notes. 7918 o Update links to sibling specifications. 7920 o Replace sections listing changes from RFC 2616 by new empty 7921 sections referring to RFC 723x. 7923 o Remove acknowledgements specific to RFC 723x. 7925 o Move "Acknowledgements" to the very end and make them unnumbered. 7927 G.2. Since draft-ietf-httpbis-semantics-00 7929 The changes in this draft are editorial, with respect to HTTP as a 7930 whole, to merge core HTTP semantics into this document: 7932 o Merged introduction, architecture, conformance, and ABNF 7933 extensions from RFC 7230 (Messaging). 7935 o Rearranged architecture to extract conformance, http(s) schemes, 7936 and protocol versioning into a separate major section. 7938 o Moved discussion of MIME differences to [Messaging] since that is 7939 primarily concerned with transforming 1.1 messages. 7941 o Merged entire content of RFC 7232 (Conditional Requests). 7943 o Merged entire content of RFC 7233 (Range Requests). 7945 o Merged entire content of RFC 7235 (Auth Framework). 7947 o Moved all extensibility tips, registration procedures, and 7948 registry tables from the IANA considerations to normative 7949 sections, reducing the IANA considerations to just instructions 7950 that will be removed prior to publication as an RFC. 7952 G.3. Since draft-ietf-httpbis-semantics-01 7954 o Improve [Welch] citation () 7957 o Remove HTTP/1.1-ism about Range Requests 7958 () 7960 o Cite RFC 8126 instead of RFC 5226 () 7963 o Cite RFC 7538 instead of RFC 7238 () 7966 o Cite RFC 8288 instead of RFC 5988 () 7969 o Cite RFC 8187 instead of RFC 5987 () 7972 o Cite RFC 7578 instead of RFC 2388 () 7975 o Cite RFC 7595 instead of RFC 4395 () 7978 o improve ABNF readability for qdtext (, ) 7981 o Clarify "resource" vs "representation" in definition of status 7982 code 416 (, 7983 ) 7985 o Resolved erratum 4072, no change needed here 7986 (, 7987 ) 7989 o Clarify DELETE status code suggestions 7990 (, 7991 ) 7993 o In Section 6.3.3, fix ABNF for "other-range-resp" to use VCHAR 7994 instead of CHAR (, 7995 ) 7997 o Resolved erratum 5162, no change needed here 7998 (, 7999 ) 8001 o Replace "response code" with "response status code" and "status- 8002 code" (the ABNF production name from the HTTP/1.1 message format) 8003 by "status code" (, 8004 ) 8006 o Added a missing word in Section 9.4 (, ) 8009 o In Section 11, fixed an example that had trailing whitespace where 8010 it shouldn't (, 8011 ) 8013 o In Section 9.3.7, remove words that were potentially misleading 8014 with respect to the relation to the requested ranges 8015 (, 8016 ) 8018 Index 8020 1 8021 100 Continue (status code) 106 8022 100-continue (expect value) 74 8023 101 Switching Protocols (status code) 106 8024 1xx Informational (status code class) 106 8026 2 8027 200 OK (status code) 107 8028 201 Created (status code) 108 8029 202 Accepted (status code) 108 8030 203 Non-Authoritative Information (status code) 108 8031 204 No Content (status code) 109 8032 205 Reset Content (status code) 109 8033 206 Partial Content (status code) 110 8034 2xx Successful (status code class) 107 8036 3 8037 300 Multiple Choices (status code) 114 8038 301 Moved Permanently (status code) 115 8039 302 Found (status code) 116 8040 303 See Other (status code) 116 8041 304 Not Modified (status code) 117 8042 305 Use Proxy (status code) 117 8043 306 (Unused) (status code) 118 8044 307 Temporary Redirect (status code) 118 8045 3xx Redirection (status code class) 113 8047 4 8048 400 Bad Request (status code) 118 8049 401 Unauthorized (status code) 118 8050 402 Payment Required (status code) 119 8051 403 Forbidden (status code) 119 8052 404 Not Found (status code) 119 8053 405 Method Not Allowed (status code) 120 8054 406 Not Acceptable (status code) 120 8055 407 Proxy Authentication Required (status code) 120 8056 408 Request Timeout (status code) 120 8057 409 Conflict (status code) 121 8058 410 Gone (status code) 121 8059 411 Length Required (status code) 121 8060 412 Precondition Failed (status code) 122 8061 413 Payload Too Large (status code) 122 8062 414 URI Too Long (status code) 122 8063 415 Unsupported Media Type (status code) 122 8064 416 Range Not Satisfiable (status code) 123 8065 417 Expectation Failed (status code) 123 8066 426 Upgrade Required (status code) 123 8067 4xx Client Error (status code class) 118 8069 5 8070 500 Internal Server Error (status code) 124 8071 501 Not Implemented (status code) 124 8072 502 Bad Gateway (status code) 124 8073 503 Service Unavailable (status code) 125 8074 504 Gateway Timeout (status code) 125 8075 505 HTTP Version Not Supported (status code) 125 8076 5xx Server Error (status code class) 124 8078 A 8079 Accept header field 88 8080 Accept-Charset header field 90 8081 Accept-Encoding header field 91 8082 Accept-Language header field 93 8083 Accept-Ranges header field 145 8084 Allow header field 145 8085 Authorization header field 97 8086 accelerator 12 8087 authoritative response 148 8089 B 8090 browser 10 8092 C 8093 CONNECT method 69 8094 Canonical Root URI 96 8095 Content-Encoding header field 46 8096 Content-Language header field 47 8097 Content-Length header field 48 8098 Content-Location header field 49 8099 Content-Range header field 53 8100 Content-Type header field 45 8101 cache 13 8102 cacheable 14, 62 8103 captive portal 13 8104 client 10 8105 compress (Coding Format) 40 8106 compress (content coding) 40 8107 conditional request 76 8108 connection 10 8109 content coding 40 8110 content negotiation 8 8112 D 8113 DELETE method 68 8114 Date header field 130 8115 Delimiters 27 8116 deflate (Coding Format) 40 8117 deflate (content coding) 40 8118 downstream 12 8120 E 8121 ETag header field 139 8122 Expect header field 74 8123 effective request URI 31 8125 F 8126 From header field 100 8128 G 8129 GET method 63 8130 Grammar 8131 absolute-path 15 8132 absolute-URI 15 8133 Accept 88 8134 Accept-Charset 91 8135 Accept-Encoding 91 8136 accept-ext 88 8137 Accept-Language 93 8138 accept-params 88 8139 Accept-Ranges 145 8140 acceptable-ranges 145 8141 Allow 145 8142 ALPHA 9 8143 asctime-date 130 8144 auth-param 95 8145 auth-scheme 95 8146 authority 15 8147 Authorization 97 8148 BWS 29 8149 byte-content-range 53 8150 byte-range 53 8151 byte-range-resp 53 8152 byte-range-set 43 8153 byte-range-spec 43 8154 byte-ranges-specifier 43 8155 bytes-unit 42-43 8156 challenge 95 8157 charset 38 8158 codings 91 8159 comment 28 8160 complete-length 53 8161 content-coding 40 8162 Content-Encoding 46 8163 Content-Language 47 8164 Content-Length 48 8165 Content-Location 49 8166 Content-Range 53 8167 Content-Type 45 8168 CR 9 8169 credentials 96 8170 CRLF 9 8171 ctext 28 8172 CTL 9 8173 Date 130 8174 date1 129 8175 day 129 8176 day-name 129 8177 day-name-l 129 8178 delay-seconds 133 8179 DIGIT 9 8180 DQUOTE 9 8181 entity-tag 139 8182 ETag 139 8183 etagc 139 8184 Expect 74 8185 field-content 26 8186 field-name 22, 30 8187 field-value 26 8188 field-vchar 26 8189 first-byte-pos 43 8190 fragment 15 8191 From 100 8192 GMT 129 8193 HEXDIG 9 8194 Host 32 8195 hour 129 8196 HTAB 9 8197 HTTP-date 127 8198 http-URI 16 8199 https-URI 17 8200 If-Match 80 8201 If-Modified-Since 82 8202 If-None-Match 81 8203 If-Range 85 8204 If-Unmodified-Since 83 8205 IMF-fixdate 129 8206 language-range 93 8207 language-tag 42 8208 last-byte-pos 43 8209 Last-Modified 137 8210 LF 9 8211 Location 131 8212 Max-Forwards 76 8213 media-range 88 8214 media-type 38 8215 method 59 8216 minute 129 8217 month 129 8218 obs-date 129 8219 obs-text 28 8220 OCTET 9 8221 opaque-tag 139 8222 other-content-range 53 8223 other-range-resp 53 8224 other-range-unit 42, 44 8225 OWS 29 8226 parameter 38 8227 partial-URI 15 8228 port 15 8229 product 102 8230 product-version 102 8231 protocol-name 34 8232 protocol-version 34 8233 Proxy-Authenticate 144 8234 Proxy-Authorization 97 8235 pseudonym 34 8236 qdtext 28 8237 query 15 8238 quoted-pair 28 8239 quoted-string 28 8240 qvalue 88 8241 Range 86 8242 range-unit 42 8243 ranges-specifier 43 8244 received-by 34 8245 received-protocol 34 8246 Referer 101 8247 Retry-After 133 8248 rfc850-date 130 8249 RWS 29 8250 second 129 8251 segment 15 8252 Server 146 8253 SP 9 8254 subtype 38 8255 suffix-byte-range-spec 43 8256 suffix-length 43 8257 tchar 27 8258 time-of-day 129 8259 token 27 8260 token68 95 8261 Trailer 30 8262 type 38 8263 unsatisfied-range 53 8264 uri-host 15 8265 URI-reference 15 8266 User-Agent 102 8267 Vary 133 8268 VCHAR 9 8269 Via 34 8270 weak 139 8271 weight 88 8272 WWW-Authenticate 143 8273 year 129 8274 gateway 12 8275 gzip (Coding Format) 41 8276 gzip (content coding) 40 8278 H 8279 HEAD method 63 8280 Host header field 32 8281 http URI scheme 16 8282 https URI scheme 17 8284 I 8285 If-Match header field 80 8286 If-Modified-Since header field 82 8287 If-None-Match header field 81 8288 If-Range header field 85 8289 If-Unmodified-Since header field 83 8290 idempotent 62 8291 inbound 12 8292 interception proxy 13 8293 intermediary 11 8295 L 8296 Last-Modified header field 137 8297 Location header field 131 8299 M 8300 Max-Forwards header field 76 8301 Media Type 8302 multipart/byteranges 55 8303 multipart/x-byteranges 55 8304 message 10 8305 metadata 134 8306 multipart/byteranges Media Type 55 8307 multipart/x-byteranges Media Type 55 8309 N 8310 non-transforming proxy 35 8312 O 8313 OPTIONS method 70 8314 origin server 10 8315 outbound 12 8317 P 8318 POST method 64 8319 PUT method 65 8320 Protection Space 96 8321 Proxy-Authenticate header field 144 8322 Proxy-Authorization header field 97 8323 payload 51 8324 phishing 148 8325 proxy 12 8327 R 8328 Range header field 86 8329 Realm 96 8330 Referer header field 101 8331 Retry-After header field 132 8332 recipient 10 8333 representation 37 8334 request 10 8335 resource 14 8336 response 10 8337 reverse proxy 12 8339 S 8340 Server header field 146 8341 Status Codes Classes 8342 1xx Informational 106 8343 2xx Successful 107 8344 3xx Redirection 113 8345 4xx Client Error 118 8346 5xx Server Error 124 8347 safe 61 8348 selected representation 37, 77, 134 8349 sender 10 8350 server 10 8351 spider 10 8353 T 8354 TRACE method 71 8355 Trailer header field 30 8356 target URI 30 8357 target resource 30 8358 transforming proxy 35 8359 transparent proxy 13 8360 tunnel 13 8362 U 8363 URI scheme 8364 http 16 8365 https 17 8367 User-Agent header field 102 8368 upstream 12 8369 user agent 10 8371 V 8372 Vary header field 133 8373 Via header field 34 8374 validator 134 8375 strong 135 8376 weak 135 8378 W 8379 WWW-Authenticate header field 143 8381 X 8382 x-compress (content coding) 40 8383 x-gzip (content coding) 40 8385 Acknowledgments 8387 This edition of the HTTP specification builds on the many 8388 contributions that went into RFC 1945, RFC 2068, RFC 2145, and RFC 8389 2616, including substantial contributions made by the previous 8390 authors, editors, and Working Group Chairs: Tim Berners-Lee, Ari 8391 Luotonen, Roy T. Fielding, Henrik Frystyk Nielsen, Jim Gettys, 8392 Jeffrey C. Mogul, Larry Masinter, Paul J. Leach, and Yves Lafon. 8394 See Section 10 of [RFC7230] for further acknowledgements from prior 8395 revisions. 8397 In addition, this document has reincorporated the HTTP Authentication 8398 Framework, previously defined in RFC 7235 and RFC 2617. We thank 8399 John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott 8400 D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart 8401 for their work on that specification. See Section 6 of [RFC2617] for 8402 further acknowledgements. 8404 [[newacks: New acks to be added here.]] 8406 Authors' Addresses 8407 Roy T. Fielding (editor) 8408 Adobe 8409 345 Park Ave 8410 San Jose, CA 95110 8411 USA 8413 EMail: fielding@gbiv.com 8414 URI: https://roy.gbiv.com/ 8416 Mark Nottingham (editor) 8417 Fastly 8419 EMail: mnot@mnot.net 8420 URI: https://www.mnot.net/ 8422 Julian F. Reschke (editor) 8423 greenbytes GmbH 8424 Hafenweg 16 8425 Muenster, NW 48155 8426 Germany 8428 EMail: julian.reschke@greenbytes.de 8429 URI: https://greenbytes.de/tech/webdav/