idnits 2.17.1 draft-ietf-httpbis-semantics-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC7230, but the abstract doesn't seem to directly say this. It does mention RFC7230 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 18, 2018) is 2016 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'RFC2145' is defined on line 7654, but no explicit reference was found in the text == Unused Reference: 'RFC7232' is defined on line 7752, but no explicit reference was found in the text == Unused Reference: 'RFC7233' is defined on line 7757, but no explicit reference was found in the text == Unused Reference: 'RFC7235' is defined on line 7762, but no explicit reference was found in the text == Unused Reference: 'RFC7615' is defined on line 7775, but no explicit reference was found in the text == Unused Reference: 'RFC7617' is defined on line 7785, but no explicit reference was found in the text == Outdated reference: A later version (-19) exists of draft-ietf-httpbis-cache-03 -- Possible downref: Normative reference to a draft: ref. 'Caching' == Outdated reference: A later version (-19) exists of draft-ietf-httpbis-messaging-03 -- Possible downref: Normative reference to a draft: ref. 'Messaging' ** Obsolete normative reference: RFC 793 (Obsoleted by RFC 9293) ** Downref: Normative reference to an Informational RFC: RFC 1950 ** Downref: Normative reference to an Informational RFC: RFC 1951 ** Downref: Normative reference to an Informational RFC: RFC 1952 -- Possible downref: Non-RFC (?) normative reference: ref. 'USASCII' -- Possible downref: Non-RFC (?) normative reference: ref. 'Welch' -- Duplicate reference: RFC2978, mentioned in 'Err5433', was also mentioned in 'Err1912'. -- Obsolete informational reference (is this intentional?): RFC 2068 (Obsoleted by RFC 2616) -- Obsolete informational reference (is this intentional?): RFC 2145 (Obsoleted by RFC 7230) -- Obsolete informational reference (is this intentional?): RFC 2616 (Obsoleted by RFC 7230, RFC 7231, RFC 7232, RFC 7233, RFC 7234, RFC 7235) -- Obsolete informational reference (is this intentional?): RFC 2617 (Obsoleted by RFC 7235, RFC 7615, RFC 7616, RFC 7617) -- Obsolete informational reference (is this intentional?): RFC 2818 (Obsoleted by RFC 9110) -- Duplicate reference: RFC2978, mentioned in 'RFC2978', was also mentioned in 'Err5433'. -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 7230 (Obsoleted by RFC 9110, RFC 9112) -- Obsolete informational reference (is this intentional?): RFC 7231 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7232 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7233 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7235 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7538 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 7615 (Obsoleted by RFC 9110) Summary: 4 errors (**), 0 flaws (~~), 10 warnings (==), 22 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 HTTP Working Group R. Fielding, Ed. 3 Internet-Draft Adobe 4 Obsoletes: 7230,7231,7232,7233,7235,7615 M. Nottingham, Ed. 5 (if approved) Fastly 6 Intended status: Standards Track J. Reschke, Ed. 7 Expires: April 21, 2019 greenbytes 8 October 18, 2018 10 HTTP Semantics 11 draft-ietf-httpbis-semantics-03 13 Abstract 15 The Hypertext Transfer Protocol (HTTP) is a stateless application- 16 level protocol for distributed, collaborative, hypertext information 17 systems. This document defines the semantics of HTTP: its 18 architecture, terminology, the "http" and "https" Uniform Resource 19 Identifier (URI) schemes, core request methods, request header 20 fields, response status codes, response header fields, and content 21 negotiation. 23 This document obsoletes RFC 7231, RFC 7232, RFC 7233, RFC 7235, RFC 24 7615, and portions of RFC 7230. 26 Editorial Note 28 This note is to be removed before publishing as an RFC. 30 Discussion of this draft takes place on the HTTP working group 31 mailing list (ietf-http-wg@w3.org), which is archived at 32 . 34 Working Group information can be found at ; 35 source code and issues list for this draft can be found at 36 . 38 The changes in this draft are summarized in Appendix H.4. 40 Status of This Memo 42 This Internet-Draft is submitted in full conformance with the 43 provisions of BCP 78 and BCP 79. 45 Internet-Drafts are working documents of the Internet Engineering 46 Task Force (IETF). Note that other groups may also distribute 47 working documents as Internet-Drafts. The list of current Internet- 48 Drafts is at https://datatracker.ietf.org/drafts/current/. 50 Internet-Drafts are draft documents valid for a maximum of six months 51 and may be updated, replaced, or obsoleted by other documents at any 52 time. It is inappropriate to use Internet-Drafts as reference 53 material or to cite them other than as "work in progress." 55 This Internet-Draft will expire on April 21, 2019. 57 Copyright Notice 59 Copyright (c) 2018 IETF Trust and the persons identified as the 60 document authors. All rights reserved. 62 This document is subject to BCP 78 and the IETF Trust's Legal 63 Provisions Relating to IETF Documents 64 (https://trustee.ietf.org/license-info) in effect on the date of 65 publication of this document. Please review these documents 66 carefully, as they describe your rights and restrictions with respect 67 to this document. Code Components extracted from this document must 68 include Simplified BSD License text as described in Section 4.e of 69 the Trust Legal Provisions and are provided without warranty as 70 described in the Simplified BSD License. 72 This document may contain material from IETF Documents or IETF 73 Contributions published or made publicly available before November 74 10, 2008. The person(s) controlling the copyright in some of this 75 material may not have granted the IETF Trust the right to allow 76 modifications of such material outside the IETF Standards Process. 77 Without obtaining an adequate license from the person(s) controlling 78 the copyright in such materials, this document may not be modified 79 outside the IETF Standards Process, and derivative works of it may 80 not be created outside the IETF Standards Process, except to format 81 it for publication as an RFC or to translate it into languages other 82 than English. 84 Table of Contents 86 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 7 87 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 9 88 1.2. Syntax Notation . . . . . . . . . . . . . . . . . . . . . 9 89 2. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 10 90 2.1. Client/Server Messaging . . . . . . . . . . . . . . . . . 10 91 2.2. Intermediaries . . . . . . . . . . . . . . . . . . . . . 12 92 2.3. Caches . . . . . . . . . . . . . . . . . . . . . . . . . 14 93 2.4. Uniform Resource Identifiers . . . . . . . . . . . . . . 15 94 2.5. Resources . . . . . . . . . . . . . . . . . . . . . . . . 16 95 2.5.1. http URI Scheme . . . . . . . . . . . . . . . . . . . 16 96 2.5.2. https URI Scheme . . . . . . . . . . . . . . . . . . 18 97 2.5.3. Fragment Identifiers on http(s) URI References . . . 18 98 2.5.4. http and https URI Normalization and Comparison . . . 19 99 3. Conformance . . . . . . . . . . . . . . . . . . . . . . . . . 19 100 3.1. Implementation Diversity . . . . . . . . . . . . . . . . 19 101 3.2. Role-based Requirements . . . . . . . . . . . . . . . . . 20 102 3.3. Parsing Elements . . . . . . . . . . . . . . . . . . . . 20 103 3.4. Error Handling . . . . . . . . . . . . . . . . . . . . . 21 104 3.5. Protocol Versioning . . . . . . . . . . . . . . . . . . . 21 105 4. Message Abstraction . . . . . . . . . . . . . . . . . . . . . 23 106 4.1. Header Field Names . . . . . . . . . . . . . . . . . . . 23 107 4.1.1. Header Field Name Registry . . . . . . . . . . . . . 25 108 4.1.2. Header Field Extensibility . . . . . . . . . . . . . 25 109 4.1.3. Considerations for New Header Fields . . . . . . . . 25 110 4.2. Header Field Values . . . . . . . . . . . . . . . . . . . 27 111 4.2.1. Header Field Order . . . . . . . . . . . . . . . . . 27 112 4.2.2. Header Field Limits . . . . . . . . . . . . . . . . . 28 113 4.2.3. Header Field Value Components . . . . . . . . . . . . 28 114 4.2.4. Designing New Header Field Values . . . . . . . . . . 29 115 4.3. Whitespace . . . . . . . . . . . . . . . . . . . . . . . 30 116 4.4. Trailer . . . . . . . . . . . . . . . . . . . . . . . . . 31 117 5. Message Routing . . . . . . . . . . . . . . . . . . . . . . . 31 118 5.1. Identifying a Target Resource . . . . . . . . . . . . . . 31 119 5.2. Routing Inbound . . . . . . . . . . . . . . . . . . . . . 31 120 5.3. Effective Request URI . . . . . . . . . . . . . . . . . . 32 121 5.4. Host . . . . . . . . . . . . . . . . . . . . . . . . . . 33 122 5.5. Message Forwarding . . . . . . . . . . . . . . . . . . . 34 123 5.5.1. Via . . . . . . . . . . . . . . . . . . . . . . . . . 34 124 5.5.2. Transformations . . . . . . . . . . . . . . . . . . . 36 125 6. Representations . . . . . . . . . . . . . . . . . . . . . . . 37 126 6.1. Representation Data . . . . . . . . . . . . . . . . . . . 38 127 6.1.1. Media Type . . . . . . . . . . . . . . . . . . . . . 38 128 6.1.2. Content Codings . . . . . . . . . . . . . . . . . . . 40 129 6.1.3. Language Tags . . . . . . . . . . . . . . . . . . . . 42 130 6.1.4. Range Units . . . . . . . . . . . . . . . . . . . . . 43 131 6.2. Representation Metadata . . . . . . . . . . . . . . . . . 46 132 6.2.1. Content-Type . . . . . . . . . . . . . . . . . . . . 46 133 6.2.2. Content-Encoding . . . . . . . . . . . . . . . . . . 47 134 6.2.3. Content-Language . . . . . . . . . . . . . . . . . . 48 135 6.2.4. Content-Length . . . . . . . . . . . . . . . . . . . 49 136 6.2.5. Content-Location . . . . . . . . . . . . . . . . . . 50 137 6.3. Payload . . . . . . . . . . . . . . . . . . . . . . . . . 52 138 6.3.1. Purpose . . . . . . . . . . . . . . . . . . . . . . . 52 139 6.3.2. Identification . . . . . . . . . . . . . . . . . . . 53 140 6.3.3. Content-Range . . . . . . . . . . . . . . . . . . . . 54 141 6.3.4. Media Type multipart/byteranges . . . . . . . . . . . 55 142 6.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 57 143 6.4.1. Proactive Negotiation . . . . . . . . . . . . . . . . 58 144 6.4.2. Reactive Negotiation . . . . . . . . . . . . . . . . 59 145 7. Request Methods . . . . . . . . . . . . . . . . . . . . . . . 60 146 7.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 60 147 7.2. Common Method Properties . . . . . . . . . . . . . . . . 62 148 7.2.1. Safe Methods . . . . . . . . . . . . . . . . . . . . 62 149 7.2.2. Idempotent Methods . . . . . . . . . . . . . . . . . 63 150 7.2.3. Cacheable Methods . . . . . . . . . . . . . . . . . . 63 151 7.3. Method Definitions . . . . . . . . . . . . . . . . . . . 64 152 7.3.1. GET . . . . . . . . . . . . . . . . . . . . . . . . . 64 153 7.3.2. HEAD . . . . . . . . . . . . . . . . . . . . . . . . 64 154 7.3.3. POST . . . . . . . . . . . . . . . . . . . . . . . . 65 155 7.3.4. PUT . . . . . . . . . . . . . . . . . . . . . . . . . 66 156 7.3.5. DELETE . . . . . . . . . . . . . . . . . . . . . . . 68 157 7.3.6. CONNECT . . . . . . . . . . . . . . . . . . . . . . . 70 158 7.3.7. OPTIONS . . . . . . . . . . . . . . . . . . . . . . . 71 159 7.3.8. TRACE . . . . . . . . . . . . . . . . . . . . . . . . 72 160 7.4. Method Extensibility . . . . . . . . . . . . . . . . . . 73 161 7.4.1. Method Registry . . . . . . . . . . . . . . . . . . . 73 162 7.4.2. Considerations for New Methods . . . . . . . . . . . 73 163 8. Request Header Fields . . . . . . . . . . . . . . . . . . . . 74 164 8.1. Controls . . . . . . . . . . . . . . . . . . . . . . . . 74 165 8.1.1. Expect . . . . . . . . . . . . . . . . . . . . . . . 74 166 8.1.2. Max-Forwards . . . . . . . . . . . . . . . . . . . . 77 167 8.2. Preconditions . . . . . . . . . . . . . . . . . . . . . . 77 168 8.2.1. Evaluation . . . . . . . . . . . . . . . . . . . . . 78 169 8.2.2. Precedence . . . . . . . . . . . . . . . . . . . . . 79 170 8.2.3. If-Match . . . . . . . . . . . . . . . . . . . . . . 81 171 8.2.4. If-None-Match . . . . . . . . . . . . . . . . . . . . 82 172 8.2.5. If-Modified-Since . . . . . . . . . . . . . . . . . . 83 173 8.2.6. If-Unmodified-Since . . . . . . . . . . . . . . . . . 84 174 8.2.7. If-Range . . . . . . . . . . . . . . . . . . . . . . 85 175 8.3. Range . . . . . . . . . . . . . . . . . . . . . . . . . . 87 176 8.4. Content Negotiation . . . . . . . . . . . . . . . . . . . 88 177 8.4.1. Quality Values . . . . . . . . . . . . . . . . . . . 89 178 8.4.2. Accept . . . . . . . . . . . . . . . . . . . . . . . 89 179 8.4.3. Accept-Charset . . . . . . . . . . . . . . . . . . . 91 180 8.4.4. Accept-Encoding . . . . . . . . . . . . . . . . . . . 92 181 8.4.5. Accept-Language . . . . . . . . . . . . . . . . . . . 94 182 8.5. Authentication Credentials . . . . . . . . . . . . . . . 95 183 8.5.1. Challenge and Response . . . . . . . . . . . . . . . 95 184 8.5.2. Protection Space (Realm) . . . . . . . . . . . . . . 97 185 8.5.3. Authorization . . . . . . . . . . . . . . . . . . . . 98 186 8.5.4. Proxy-Authorization . . . . . . . . . . . . . . . . . 98 187 8.5.5. Authentication Scheme Extensibility . . . . . . . . . 99 188 8.6. Request Context . . . . . . . . . . . . . . . . . . . . . 101 189 8.6.1. From . . . . . . . . . . . . . . . . . . . . . . . . 101 190 8.6.2. Referer . . . . . . . . . . . . . . . . . . . . . . . 102 191 8.6.3. User-Agent . . . . . . . . . . . . . . . . . . . . . 103 192 9. Response Status Codes . . . . . . . . . . . . . . . . . . . . 104 193 9.1. Overview of Status Codes . . . . . . . . . . . . . . . . 105 194 9.2. Informational 1xx . . . . . . . . . . . . . . . . . . . . 107 195 9.2.1. 100 Continue . . . . . . . . . . . . . . . . . . . . 107 196 9.2.2. 101 Switching Protocols . . . . . . . . . . . . . . . 107 197 9.3. Successful 2xx . . . . . . . . . . . . . . . . . . . . . 108 198 9.3.1. 200 OK . . . . . . . . . . . . . . . . . . . . . . . 108 199 9.3.2. 201 Created . . . . . . . . . . . . . . . . . . . . . 109 200 9.3.3. 202 Accepted . . . . . . . . . . . . . . . . . . . . 109 201 9.3.4. 203 Non-Authoritative Information . . . . . . . . . . 109 202 9.3.5. 204 No Content . . . . . . . . . . . . . . . . . . . 110 203 9.3.6. 205 Reset Content . . . . . . . . . . . . . . . . . . 110 204 9.3.7. 206 Partial Content . . . . . . . . . . . . . . . . . 111 205 9.4. Redirection 3xx . . . . . . . . . . . . . . . . . . . . . 114 206 9.4.1. 300 Multiple Choices . . . . . . . . . . . . . . . . 115 207 9.4.2. 301 Moved Permanently . . . . . . . . . . . . . . . . 116 208 9.4.3. 302 Found . . . . . . . . . . . . . . . . . . . . . . 117 209 9.4.4. 303 See Other . . . . . . . . . . . . . . . . . . . . 117 210 9.4.5. 304 Not Modified . . . . . . . . . . . . . . . . . . 118 211 9.4.6. 305 Use Proxy . . . . . . . . . . . . . . . . . . . . 118 212 9.4.7. 306 (Unused) . . . . . . . . . . . . . . . . . . . . 119 213 9.4.8. 307 Temporary Redirect . . . . . . . . . . . . . . . 119 214 9.5. Client Error 4xx . . . . . . . . . . . . . . . . . . . . 119 215 9.5.1. 400 Bad Request . . . . . . . . . . . . . . . . . . . 119 216 9.5.2. 401 Unauthorized . . . . . . . . . . . . . . . . . . 119 217 9.5.3. 402 Payment Required . . . . . . . . . . . . . . . . 120 218 9.5.4. 403 Forbidden . . . . . . . . . . . . . . . . . . . . 120 219 9.5.5. 404 Not Found . . . . . . . . . . . . . . . . . . . . 120 220 9.5.6. 405 Method Not Allowed . . . . . . . . . . . . . . . 121 221 9.5.7. 406 Not Acceptable . . . . . . . . . . . . . . . . . 121 222 9.5.8. 407 Proxy Authentication Required . . . . . . . . . . 121 223 9.5.9. 408 Request Timeout . . . . . . . . . . . . . . . . . 121 224 9.5.10. 409 Conflict . . . . . . . . . . . . . . . . . . . . 122 225 9.5.11. 410 Gone . . . . . . . . . . . . . . . . . . . . . . 122 226 9.5.12. 411 Length Required . . . . . . . . . . . . . . . . . 122 227 9.5.13. 412 Precondition Failed . . . . . . . . . . . . . . . 123 228 9.5.14. 413 Payload Too Large . . . . . . . . . . . . . . . . 123 229 9.5.15. 414 URI Too Long . . . . . . . . . . . . . . . . . . 123 230 9.5.16. 415 Unsupported Media Type . . . . . . . . . . . . . 123 231 9.5.17. 416 Range Not Satisfiable . . . . . . . . . . . . . . 124 232 9.5.18. 417 Expectation Failed . . . . . . . . . . . . . . . 124 233 9.5.19. 418 (Unused) . . . . . . . . . . . . . . . . . . . . 124 234 9.5.20. 422 Unprocessable Entity . . . . . . . . . . . . . . 125 235 9.5.21. 426 Upgrade Required . . . . . . . . . . . . . . . . 125 236 9.6. Server Error 5xx . . . . . . . . . . . . . . . . . . . . 125 237 9.6.1. 500 Internal Server Error . . . . . . . . . . . . . . 126 238 9.6.2. 501 Not Implemented . . . . . . . . . . . . . . . . . 126 239 9.6.3. 502 Bad Gateway . . . . . . . . . . . . . . . . . . . 126 240 9.6.4. 503 Service Unavailable . . . . . . . . . . . . . . . 126 241 9.6.5. 504 Gateway Timeout . . . . . . . . . . . . . . . . . 126 242 9.6.6. 505 HTTP Version Not Supported . . . . . . . . . . . 126 243 9.7. Status Code Extensibility . . . . . . . . . . . . . . . . 127 244 9.7.1. Status Code Registry . . . . . . . . . . . . . . . . 127 245 9.7.2. Considerations for New Status Codes . . . . . . . . . 127 246 10. Response Header Fields . . . . . . . . . . . . . . . . . . . 128 247 10.1. Control Data . . . . . . . . . . . . . . . . . . . . . . 128 248 10.1.1. Origination Date . . . . . . . . . . . . . . . . . . 129 249 10.1.2. Location . . . . . . . . . . . . . . . . . . . . . . 132 250 10.1.3. Retry-After . . . . . . . . . . . . . . . . . . . . 133 251 10.1.4. Vary . . . . . . . . . . . . . . . . . . . . . . . . 134 252 10.2. Validators . . . . . . . . . . . . . . . . . . . . . . . 135 253 10.2.1. Weak versus Strong . . . . . . . . . . . . . . . . . 136 254 10.2.2. Last-Modified . . . . . . . . . . . . . . . . . . . 138 255 10.2.3. ETag . . . . . . . . . . . . . . . . . . . . . . . . 140 256 10.2.4. When to Use Entity-Tags and Last-Modified Dates . . 143 257 10.3. Authentication Challenges . . . . . . . . . . . . . . . 144 258 10.3.1. WWW-Authenticate . . . . . . . . . . . . . . . . . . 144 259 10.3.2. Proxy-Authenticate . . . . . . . . . . . . . . . . . 145 260 10.3.3. Authentication-Info . . . . . . . . . . . . . . . . 146 261 10.3.4. Proxy-Authentication-Info . . . . . . . . . . . . . 147 262 10.4. Response Context . . . . . . . . . . . . . . . . . . . . 147 263 10.4.1. Accept-Ranges . . . . . . . . . . . . . . . . . . . 147 264 10.4.2. Allow . . . . . . . . . . . . . . . . . . . . . . . 148 265 10.4.3. Server . . . . . . . . . . . . . . . . . . . . . . . 148 266 11. ABNF List Extension: #rule . . . . . . . . . . . . . . . . . 149 267 12. Security Considerations . . . . . . . . . . . . . . . . . . . 150 268 12.1. Establishing Authority . . . . . . . . . . . . . . . . . 150 269 12.2. Risks of Intermediaries . . . . . . . . . . . . . . . . 151 270 12.3. Attacks Based on File and Path Names . . . . . . . . . . 152 271 12.4. Attacks Based on Command, Code, or Query Injection . . . 152 272 12.5. Attacks via Protocol Element Length . . . . . . . . . . 153 273 12.6. Disclosure of Personal Information . . . . . . . . . . . 154 274 12.7. Privacy of Server Log Information . . . . . . . . . . . 154 275 12.8. Disclosure of Sensitive Information in URIs . . . . . . 154 276 12.9. Disclosure of Fragment after Redirects . . . . . . . . . 155 277 12.10. Disclosure of Product Information . . . . . . . . . . . 155 278 12.11. Browser Fingerprinting . . . . . . . . . . . . . . . . . 155 279 12.12. Validator Retention . . . . . . . . . . . . . . . . . . 156 280 12.13. Denial-of-Service Attacks Using Range . . . . . . . . . 157 281 12.14. Authentication Considerations . . . . . . . . . . . . . 157 282 12.14.1. Confidentiality of Credentials . . . . . . . . . . 157 283 12.14.2. Credentials and Idle Clients . . . . . . . . . . . 158 284 12.14.3. Protection Spaces . . . . . . . . . . . . . . . . . 158 285 12.14.4. Additional Response Header Fields . . . . . . . . . 159 286 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 159 287 13.1. URI Scheme Registration . . . . . . . . . . . . . . . . 159 288 13.2. Method Registration . . . . . . . . . . . . . . . . . . 159 289 13.3. Status Code Registration . . . . . . . . . . . . . . . . 159 290 13.4. Header Field Registration . . . . . . . . . . . . . . . 160 291 13.5. Authentication Scheme Registration . . . . . . . . . . . 160 292 13.6. Content Coding Registration . . . . . . . . . . . . . . 160 293 13.7. Range Unit Registration . . . . . . . . . . . . . . . . 160 294 13.8. Media Type Registration . . . . . . . . . . . . . . . . 160 295 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 161 296 14.1. Normative References . . . . . . . . . . . . . . . . . . 161 297 14.2. Informative References . . . . . . . . . . . . . . . . . 162 298 Appendix A. Collected ABNF . . . . . . . . . . . . . . . . . . . 168 299 Appendix B. Changes from RFC 7230 . . . . . . . . . . . . . . . 172 300 Appendix C. Changes from RFC 7231 . . . . . . . . . . . . . . . 173 301 Appendix D. Changes from RFC 7232 . . . . . . . . . . . . . . . 173 302 Appendix E. Changes from RFC 7233 . . . . . . . . . . . . . . . 173 303 Appendix F. Changes from RFC 7235 . . . . . . . . . . . . . . . 173 304 Appendix G. Changes from RFC 7615 . . . . . . . . . . . . . . . 173 305 Appendix H. Change Log . . . . . . . . . . . . . . . . . . . . . 173 306 H.1. Between RFC723x and draft 00 . . . . . . . . . . . . . . 173 307 H.2. Since draft-ietf-httpbis-semantics-00 . . . . . . . . . . 174 308 H.3. Since draft-ietf-httpbis-semantics-01 . . . . . . . . . . 174 309 H.4. Since draft-ietf-httpbis-semantics-02 . . . . . . . . . . 176 310 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 311 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 184 312 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 185 314 1. Introduction 316 The Hypertext Transfer Protocol (HTTP) is a stateless application- 317 level request/response protocol that uses extensible semantics and 318 self-descriptive messages for flexible interaction with network-based 319 hypertext information systems. HTTP is defined by a series of 320 documents that collectively form the HTTP/1.1 specification: 322 o "HTTP Semantics" (this document) 324 o "HTTP Caching" [Caching] 326 o "HTTP/1.1 Messaging" [Messaging] 328 HTTP is a generic interface protocol for information systems. It is 329 designed to hide the details of how a service is implemented by 330 presenting a uniform interface to clients that is independent of the 331 types of resources provided. Likewise, servers do not need to be 332 aware of each client's purpose: an HTTP request can be considered in 333 isolation rather than being associated with a specific type of client 334 or a predetermined sequence of application steps. The result is a 335 protocol that can be used effectively in many different contexts and 336 for which implementations can evolve independently over time. 338 HTTP is also designed for use as an intermediation protocol for 339 translating communication to and from non-HTTP information systems. 340 HTTP proxies and gateways can provide access to alternative 341 information services by translating their diverse protocols into a 342 hypertext format that can be viewed and manipulated by clients in the 343 same way as HTTP services. 345 One consequence of this flexibility is that the protocol cannot be 346 defined in terms of what occurs behind the interface. Instead, we 347 are limited to defining the syntax of communication, the intent of 348 received communication, and the expected behavior of recipients. If 349 the communication is considered in isolation, then successful actions 350 ought to be reflected in corresponding changes to the observable 351 interface provided by servers. However, since multiple clients might 352 act in parallel and perhaps at cross-purposes, we cannot require that 353 such changes be observable beyond the scope of a single response. 355 Each HTTP message is either a request or a response. A server 356 listens on a connection for a request, parses each message received, 357 interprets the message semantics in relation to the identified 358 request target, and responds to that request with one or more 359 response messages. A client constructs request messages to 360 communicate specific intentions, examines received responses to see 361 if the intentions were carried out, and determines how to interpret 362 the results. 364 HTTP provides a uniform interface for interacting with a resource 365 (Section 2.5), regardless of its type, nature, or implementation, via 366 the manipulation and transfer of representations (Section 6). 368 This document defines semantics that are common to all versions of 369 HTTP. HTTP semantics include the intentions defined by each request 370 method (Section 7), extensions to those semantics that might be 371 described in request header fields (Section 8), the meaning of status 372 codes to indicate a machine-readable response (Section 9), and the 373 meaning of other control data and resource metadata that might be 374 given in response header fields (Section 10). 376 This document also defines representation metadata that describe how 377 a payload is intended to be interpreted by a recipient, the request 378 header fields that might influence content selection, and the various 379 selection algorithms that are collectively referred to as "content 380 negotiation" (Section 6.4). 382 This document defines HTTP range requests, partial responses, and the 383 multipart/byteranges media type. 385 This document obsoletes the portions of RFC 7230 that are independent 386 of the HTTP/1.1 messaging syntax and connection management, with the 387 changes being summarized in Appendix B. The other parts of RFC 7230 388 are obsoleted by "HTTP/1.1 Messaging" [Messaging]. This document 389 also obsoletes RFC 7231 (see Appendix C), RFC 7232 (see Appendix D), 390 RFC 7233 (see Appendix E), and RFC 7235 (see Appendix F), and RFC 391 7615 (see Appendix G). 393 1.1. Requirements Notation 395 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 396 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 397 document are to be interpreted as described in [RFC2119]. 399 Conformance criteria and considerations regarding error handling are 400 defined in Section 3. 402 1.2. Syntax Notation 404 This specification uses the Augmented Backus-Naur Form (ABNF) 405 notation of [RFC5234] with a list extension, defined in Section 11, 406 that allows for compact definition of comma-separated lists using a 407 '#' operator (similar to how the '*' operator indicates repetition). 408 Appendix A shows the collected grammar with all list operators 409 expanded to standard ABNF notation. 411 As a convention, ABNF rule names prefixed with "obs-" denote 412 "obsolete" grammar rules that appear for historical reasons. 414 The following core rules are included by reference, as defined in 415 Appendix B.1 of [RFC5234]: ALPHA (letters), CR (carriage return), 416 CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double 417 quote), HEXDIG (hexadecimal 0-9/A-F/a-f), HTAB (horizontal tab), LF 418 (line feed), OCTET (any 8-bit sequence of data), SP (space), and 419 VCHAR (any visible US-ASCII character). 421 The rules below are defined in [Messaging]: 423 obs-fold = 424 protocol-name = 425 protocol-version = 426 request-target = 428 This specification uses the terms "character", "character encoding 429 scheme", "charset", and "protocol element" as they are defined in 430 [RFC6365]. 432 2. Architecture 434 HTTP was created for the World Wide Web (WWW) architecture and has 435 evolved over time to support the scalability needs of a worldwide 436 hypertext system. Much of that architecture is reflected in the 437 terminology and syntax productions used to define HTTP. 439 2.1. Client/Server Messaging 441 HTTP is a stateless request/response protocol that operates by 442 exchanging messages (Section 2 of [Messaging]) across a reliable 443 transport- or session-layer "connection" (Section 9 of [Messaging]). 444 An HTTP "client" is a program that establishes a connection to a 445 server for the purpose of sending one or more HTTP requests. An HTTP 446 "server" is a program that accepts connections in order to service 447 HTTP requests by sending HTTP responses. 449 The terms "client" and "server" refer only to the roles that these 450 programs perform for a particular connection. The same program might 451 act as a client on some connections and a server on others. The term 452 "user agent" refers to any of the various client programs that 453 initiate a request, including (but not limited to) browsers, spiders 454 (web-based robots), command-line tools, custom applications, and 455 mobile apps. The term "origin server" refers to the program that can 456 originate authoritative responses for a given target resource. The 457 terms "sender" and "recipient" refer to any implementation that sends 458 or receives a given message, respectively. 460 HTTP relies upon the Uniform Resource Identifier (URI) standard 461 [RFC3986] to indicate the target resource (Section 5.1) and 462 relationships between resources. 464 Most HTTP communication consists of a retrieval request (GET) for a 465 representation of some resource identified by a URI. In the simplest 466 case, this might be accomplished via a single bidirectional 467 connection (===) between the user agent (UA) and the origin server 468 (O). 470 request > 471 UA ======================================= O 472 < response 474 A client sends an HTTP request to a server in the form of a request 475 message, beginning with a request-line that includes a method, URI, 476 and protocol version (Section 3 of [Messaging]), followed by header 477 fields containing request modifiers, client information, and 478 representation metadata (Section 5 of [Messaging]), an empty line to 479 indicate the end of the header section, and finally a message body 480 containing the payload body (if any, Section 6 of [Messaging]). 482 A server responds to a client's request by sending one or more HTTP 483 response messages, each beginning with a status line that includes 484 the protocol version, a success or error code, and textual reason 485 phrase (Section 4 of [Messaging]), possibly followed by header fields 486 containing server information, resource metadata, and representation 487 metadata (Section 5 of [Messaging]), an empty line to indicate the 488 end of the header section, and finally a message body containing the 489 payload body (if any, Section 6 of [Messaging]). 491 The mechanism used to correlate between request and response messages 492 is version dependent; some versions of HTTP use implicit ordering of 493 messages, while others use an explicit identifier. 495 A connection might be used for multiple request/response exchanges, 496 as defined in Section 9.4 of [Messaging]. 498 Responses (both final and non-final) can be sent at any time after a 499 request is received, even if it is not yet complete. However, 500 clients (including intermediaries) might abandon a request if the 501 response is not forthcoming within a reasonable period of time. 503 The following example illustrates a typical message exchange for a 504 GET request (Section 7.3.1) on the URI "http://www.example.com/ 505 hello.txt": 507 Client request: 509 GET /hello.txt HTTP/1.1 510 User-Agent: curl/7.16.3 libcurl/7.16.3 OpenSSL/0.9.7l zlib/1.2.3 511 Host: www.example.com 512 Accept-Language: en, mi 514 Server response: 516 HTTP/1.1 200 OK 517 Date: Mon, 27 Jul 2009 12:28:53 GMT 518 Server: Apache 519 Last-Modified: Wed, 22 Jul 2009 19:15:56 GMT 520 ETag: "34aa387-d-1568eb00" 521 Accept-Ranges: bytes 522 Content-Length: 51 523 Vary: Accept-Encoding 524 Content-Type: text/plain 526 Hello World! My payload includes a trailing CRLF. 528 2.2. Intermediaries 530 HTTP enables the use of intermediaries to satisfy requests through a 531 chain of connections. There are three common forms of HTTP 532 intermediary: proxy, gateway, and tunnel. In some cases, a single 533 intermediary might act as an origin server, proxy, gateway, or 534 tunnel, switching behavior based on the nature of each request. 536 > > > > 537 UA =========== A =========== B =========== C =========== O 538 < < < < 540 The figure above shows three intermediaries (A, B, and C) between the 541 user agent and origin server. A request or response message that 542 travels the whole chain will pass through four separate connections. 543 Some HTTP communication options might apply only to the connection 544 with the nearest, non-tunnel neighbor, only to the endpoints of the 545 chain, or to all connections along the chain. Although the diagram 546 is linear, each participant might be engaged in multiple, 547 simultaneous communications. For example, B might be receiving 548 requests from many clients other than A, and/or forwarding requests 549 to servers other than C, at the same time that it is handling A's 550 request. Likewise, later requests might be sent through a different 551 path of connections, often based on dynamic configuration for load 552 balancing. 554 The terms "upstream" and "downstream" are used to describe 555 directional requirements in relation to the message flow: all 556 messages flow from upstream to downstream. The terms "inbound" and 557 "outbound" are used to describe directional requirements in relation 558 to the request route: "inbound" means toward the origin server and 559 "outbound" means toward the user agent. 561 A "proxy" is a message-forwarding agent that is selected by the 562 client, usually via local configuration rules, to receive requests 563 for some type(s) of absolute URI and attempt to satisfy those 564 requests via translation through the HTTP interface. Some 565 translations are minimal, such as for proxy requests for "http" URIs, 566 whereas other requests might require translation to and from entirely 567 different application-level protocols. Proxies are often used to 568 group an organization's HTTP requests through a common intermediary 569 for the sake of security, annotation services, or shared caching. 570 Some proxies are designed to apply transformations to selected 571 messages or payloads while they are being forwarded, as described in 572 Section 5.5.2. 574 A "gateway" (a.k.a. "reverse proxy") is an intermediary that acts as 575 an origin server for the outbound connection but translates received 576 requests and forwards them inbound to another server or servers. 577 Gateways are often used to encapsulate legacy or untrusted 578 information services, to improve server performance through 579 "accelerator" caching, and to enable partitioning or load balancing 580 of HTTP services across multiple machines. 582 All HTTP requirements applicable to an origin server also apply to 583 the outbound communication of a gateway. A gateway communicates with 584 inbound servers using any protocol that it desires, including private 585 extensions to HTTP that are outside the scope of this specification. 586 However, an HTTP-to-HTTP gateway that wishes to interoperate with 587 third-party HTTP servers ought to conform to user agent requirements 588 on the gateway's inbound connection. 590 A "tunnel" acts as a blind relay between two connections without 591 changing the messages. Once active, a tunnel is not considered a 592 party to the HTTP communication, though the tunnel might have been 593 initiated by an HTTP request. A tunnel ceases to exist when both 594 ends of the relayed connection are closed. Tunnels are used to 595 extend a virtual connection through an intermediary, such as when 596 Transport Layer Security (TLS, [RFC5246]) is used to establish 597 confidential communication through a shared firewall proxy. 599 The above categories for intermediary only consider those acting as 600 participants in the HTTP communication. There are also 601 intermediaries that can act on lower layers of the network protocol 602 stack, filtering or redirecting HTTP traffic without the knowledge or 603 permission of message senders. Network intermediaries are 604 indistinguishable (at a protocol level) from a man-in-the-middle 605 attack, often introducing security flaws or interoperability problems 606 due to mistakenly violating HTTP semantics. 608 For example, an "interception proxy" [RFC3040] (also commonly known 609 as a "transparent proxy" [RFC1919] or "captive portal") differs from 610 an HTTP proxy because it is not selected by the client. Instead, an 611 interception proxy filters or redirects outgoing TCP port 80 packets 612 (and occasionally other common port traffic). Interception proxies 613 are commonly found on public network access points, as a means of 614 enforcing account subscription prior to allowing use of non-local 615 Internet services, and within corporate firewalls to enforce network 616 usage policies. 618 HTTP is defined as a stateless protocol, meaning that each request 619 message can be understood in isolation. Many implementations depend 620 on HTTP's stateless design in order to reuse proxied connections or 621 dynamically load balance requests across multiple servers. Hence, a 622 server MUST NOT assume that two requests on the same connection are 623 from the same user agent unless the connection is secured and 624 specific to that agent. Some non-standard HTTP extensions (e.g., 625 [RFC4559]) have been known to violate this requirement, resulting in 626 security and interoperability problems. 628 2.3. Caches 630 A "cache" is a local store of previous response messages and the 631 subsystem that controls its message storage, retrieval, and deletion. 632 A cache stores cacheable responses in order to reduce the response 633 time and network bandwidth consumption on future, equivalent 634 requests. Any client or server MAY employ a cache, though a cache 635 cannot be used by a server while it is acting as a tunnel. 637 The effect of a cache is that the request/response chain is shortened 638 if one of the participants along the chain has a cached response 639 applicable to that request. The following illustrates the resulting 640 chain if B has a cached copy of an earlier response from O (via C) 641 for a request that has not been cached by UA or A. 643 > > 644 UA =========== A =========== B - - - - - - C - - - - - - O 645 < < 647 A response is "cacheable" if a cache is allowed to store a copy of 648 the response message for use in answering subsequent requests. Even 649 when a response is cacheable, there might be additional constraints 650 placed by the client or by the origin server on when that cached 651 response can be used for a particular request. HTTP requirements for 652 cache behavior and cacheable responses are defined in Section 2 of 653 [Caching]. 655 There is a wide variety of architectures and configurations of caches 656 deployed across the World Wide Web and inside large organizations. 657 These include national hierarchies of proxy caches to save 658 transoceanic bandwidth, collaborative systems that broadcast or 659 multicast cache entries, archives of pre-fetched cache entries for 660 use in off-line or high-latency environments, and so on. 662 2.4. Uniform Resource Identifiers 664 Uniform Resource Identifiers (URIs) [RFC3986] are used throughout 665 HTTP as the means for identifying resources (Section 2.5). URI 666 references are used to target requests, indicate redirects, and 667 define relationships. 669 The definitions of "URI-reference", "absolute-URI", "relative-part", 670 "authority", "port", "host", "path-abempty", "segment", and "query" 671 are adopted from the URI generic syntax. An "absolute-path" rule is 672 defined for protocol elements that can contain a non-empty path 673 component. (This rule differs slightly from the path-abempty rule of 674 RFC 3986, which allows for an empty path to be used in references, 675 and path-absolute rule, which does not allow paths that begin with 676 "//".) A "partial-URI" rule is defined for protocol elements that 677 can contain a relative URI but not a fragment component. 679 URI-reference = 680 absolute-URI = 681 relative-part = 682 authority = 683 uri-host = 684 port = 685 path-abempty = 686 segment = 687 query = 689 absolute-path = 1*( "/" segment ) 690 partial-URI = relative-part [ "?" query ] 692 Each protocol element in HTTP that allows a URI reference will 693 indicate in its ABNF production whether the element allows any form 694 of reference (URI-reference), only a URI in absolute form (absolute- 695 URI), only the path and optional query components, or some 696 combination of the above. Unless otherwise indicated, URI references 697 are parsed relative to the effective request URI (Section 5.3). 699 2.5. Resources 701 The target of an HTTP request is called a "resource". HTTP does not 702 limit the nature of a resource; it merely defines an interface that 703 might be used to interact with resources. Each resource is 704 identified by a Uniform Resource Identifier (URI), as described in 705 Section 2.4. 707 One design goal of HTTP is to separate resource identification from 708 request semantics, which is made possible by vesting the request 709 semantics in the request method (Section 7) and a few request- 710 modifying header fields (Section 8). If there is a conflict between 711 the method semantics and any semantic implied by the URI itself, as 712 described in Section 7.2.1, the method semantics take precedence. 714 IANA maintains the registry of URI Schemes [BCP35] at 715 . Although requests 716 might target any URI scheme, the following schemes are inherent to 717 HTTP servers: 719 +------------+------------------------------------+---------------+ 720 | URI Scheme | Description | Reference | 721 +------------+------------------------------------+---------------+ 722 | http | Hypertext Transfer Protocol | Section 2.5.1 | 723 | https | Hypertext Transfer Protocol Secure | Section 2.5.2 | 724 +------------+------------------------------------+---------------+ 726 2.5.1. http URI Scheme 728 The "http" URI scheme is hereby defined for the purpose of minting 729 identifiers according to their association with the hierarchical 730 namespace governed by a potential HTTP origin server listening for 731 TCP ([RFC0793]) connections on a given port. 733 http-URI = "http:" "//" authority path-abempty [ "?" query ] 735 The origin server for an "http" URI is identified by the authority 736 component, which includes a host identifier and optional TCP port 737 ([RFC3986], Section 3.2.2). The hierarchical path component and 738 optional query component serve as an identifier for a potential 739 target resource within that origin server's name space. 741 A sender MUST NOT generate an "http" URI with an empty host 742 identifier. A recipient that processes such a URI reference MUST 743 reject it as invalid. 745 If the host identifier is provided as an IP address, the origin 746 server is the listener (if any) on the indicated TCP port at that IP 747 address. If host is a registered name, the registered name is an 748 indirect identifier for use with a name resolution service, such as 749 DNS, to find an address for that origin server. If the port 750 subcomponent is empty or not given, TCP port 80 (the reserved port 751 for WWW services) is the default. 753 Note that the presence of a URI with a given authority component does 754 not imply that there is always an HTTP server listening for 755 connections on that host and port. Anyone can mint a URI. What the 756 authority component determines is who has the right to respond 757 authoritatively to requests that target the identified resource. The 758 delegated nature of registered names and IP addresses creates a 759 federated namespace, based on control over the indicated host and 760 port, whether or not an HTTP server is present. See Section 12.1 for 761 security considerations related to establishing authority. 763 When an "http" URI is used within a context that calls for access to 764 the indicated resource, a client MAY attempt access by resolving the 765 host to an IP address, establishing a TCP connection to that address 766 on the indicated port, and sending an HTTP request message (Section 2 767 of [Messaging]) containing the URI's identifying data to the server. 768 If the server responds to that request with a non-interim HTTP 769 response message, as described in Section 9, then that response is 770 considered an authoritative answer to the client's request. 772 Although HTTP is independent of the transport protocol, the "http" 773 scheme is specific to TCP-based services because the name delegation 774 process depends on TCP for establishing authority. An HTTP service 775 based on some other underlying connection protocol would presumably 776 be identified using a different URI scheme, just as the "https" 777 scheme (below) is used for resources that require an end-to-end 778 secured connection. Other protocols might also be used to provide 779 access to "http" identified resources -- it is only the authoritative 780 interface that is specific to TCP. 782 The URI generic syntax for authority also includes a deprecated 783 userinfo subcomponent ([RFC3986], Section 3.2.1) for including user 784 authentication information in the URI. Some implementations make use 785 of the userinfo component for internal configuration of 786 authentication information, such as within command invocation 787 options, configuration files, or bookmark lists, even though such 788 usage might expose a user identifier or password. A sender MUST NOT 789 generate the userinfo subcomponent (and its "@" delimiter) when an 790 "http" URI reference is generated within a message as a request 791 target or header field value. Before making use of an "http" URI 792 reference received from an untrusted source, a recipient SHOULD parse 793 for userinfo and treat its presence as an error; it is likely being 794 used to obscure the authority for the sake of phishing attacks. 796 2.5.2. https URI Scheme 798 The "https" URI scheme is hereby defined for the purpose of minting 799 identifiers according to their association with the hierarchical 800 namespace governed by a potential HTTP origin server listening to a 801 given TCP port for TLS-secured connections ([RFC5246]). 803 All of the requirements listed above for the "http" scheme are also 804 requirements for the "https" scheme, except that TCP port 443 is the 805 default if the port subcomponent is empty or not given, and the user 806 agent MUST ensure that its connection to the origin server is secured 807 through the use of strong encryption, end-to-end, prior to sending 808 the first HTTP request. 810 https-URI = "https:" "//" authority path-abempty [ "?" query ] 812 Note that the "https" URI scheme depends on both TLS and TCP for 813 establishing authority. Resources made available via the "https" 814 scheme have no shared identity with the "http" scheme even if their 815 resource identifiers indicate the same authority (the same host 816 listening to the same TCP port). They are distinct namespaces and 817 are considered to be distinct origin servers. However, an extension 818 to HTTP that is defined to apply to entire host domains, such as the 819 Cookie protocol [RFC6265], can allow information set by one service 820 to impact communication with other services within a matching group 821 of host domains. 823 The process for authoritative access to an "https" identified 824 resource is defined in [RFC2818]. 826 2.5.3. Fragment Identifiers on http(s) URI References 828 Fragment identifiers allow for indirect identification of a secondary 829 resource, independent of the URI scheme, as defined in Section 3.5 of 830 [RFC3986]. Some protocol elements that refer to a URI allow 831 inclusion of a fragment, while others do not. They are distinguished 832 by use of the ABNF rule for elements where fragment is allowed; 833 otherwise, a specific rule that excludes fragments is used (see 834 Section 5.1). 836 Note: the fragment identifier component is not part of the actual 837 scheme definition for a URI scheme (see Section 4.3 of [RFC3986]), 838 thus does not appear in the ABNF definitions for the "http" and 839 "https" URI schemes above. 841 2.5.4. http and https URI Normalization and Comparison 843 Since the "http" and "https" schemes conform to the URI generic 844 syntax, such URIs are normalized and compared according to the 845 algorithm defined in Section 6 of [RFC3986], using the defaults 846 described above for each scheme. 848 If the port is equal to the default port for a scheme, the normal 849 form is to omit the port subcomponent. When not being used in 850 absolute form as the request target of an OPTIONS request, an empty 851 path component is equivalent to an absolute path of "/", so the 852 normal form is to provide a path of "/" instead. The scheme and host 853 are case-insensitive and normally provided in lowercase; all other 854 components are compared in a case-sensitive manner. Characters other 855 than those in the "reserved" set are equivalent to their percent- 856 encoded octets: the normal form is to not encode them (see Sections 857 2.1 and 2.2 of [RFC3986]). 859 For example, the following three URIs are equivalent: 861 http://example.com:80/~smith/home.html 862 http://EXAMPLE.com/%7Esmith/home.html 863 http://EXAMPLE.com:/%7esmith/home.html 865 3. Conformance 867 3.1. Implementation Diversity 869 When considering the design of HTTP, it is easy to fall into a trap 870 of thinking that all user agents are general-purpose browsers and all 871 origin servers are large public websites. That is not the case in 872 practice. Common HTTP user agents include household appliances, 873 stereos, scales, firmware update scripts, command-line programs, 874 mobile apps, and communication devices in a multitude of shapes and 875 sizes. Likewise, common HTTP origin servers include home automation 876 units, configurable networking components, office machines, 877 autonomous robots, news feeds, traffic cameras, ad selectors, and 878 video-delivery platforms. 880 The term "user agent" does not imply that there is a human user 881 directly interacting with the software agent at the time of a 882 request. In many cases, a user agent is installed or configured to 883 run in the background and save its results for later inspection (or 884 save only a subset of those results that might be interesting or 885 erroneous). Spiders, for example, are typically given a start URI 886 and configured to follow certain behavior while crawling the Web as a 887 hypertext graph. 889 The implementation diversity of HTTP means that not all user agents 890 can make interactive suggestions to their user or provide adequate 891 warning for security or privacy concerns. In the few cases where 892 this specification requires reporting of errors to the user, it is 893 acceptable for such reporting to only be observable in an error 894 console or log file. Likewise, requirements that an automated action 895 be confirmed by the user before proceeding might be met via advance 896 configuration choices, run-time options, or simple avoidance of the 897 unsafe action; confirmation does not imply any specific user 898 interface or interruption of normal processing if the user has 899 already made that choice. 901 3.2. Role-based Requirements 903 This specification targets conformance criteria according to the role 904 of a participant in HTTP communication. Hence, HTTP requirements are 905 placed on senders, recipients, clients, servers, user agents, 906 intermediaries, origin servers, proxies, gateways, or caches, 907 depending on what behavior is being constrained by the requirement. 908 Additional (social) requirements are placed on implementations, 909 resource owners, and protocol element registrations when they apply 910 beyond the scope of a single communication. 912 The verb "generate" is used instead of "send" where a requirement 913 differentiates between creating a protocol element and merely 914 forwarding a received element downstream. 916 An implementation is considered conformant if it complies with all of 917 the requirements associated with the roles it partakes in HTTP. 919 Conformance includes both the syntax and semantics of protocol 920 elements. A sender MUST NOT generate protocol elements that convey a 921 meaning that is known by that sender to be false. A sender MUST NOT 922 generate protocol elements that do not match the grammar defined by 923 the corresponding ABNF rules. Within a given message, a sender MUST 924 NOT generate protocol elements or syntax alternatives that are only 925 allowed to be generated by participants in other roles (i.e., a role 926 that the sender does not have for that message). 928 3.3. Parsing Elements 930 When a received protocol element is parsed, the recipient MUST be 931 able to parse any value of reasonable length that is applicable to 932 the recipient's role and that matches the grammar defined by the 933 corresponding ABNF rules. Note, however, that some received protocol 934 elements might not be parsed. For example, an intermediary 935 forwarding a message might parse a header-field into generic field- 936 name and field-value components, but then forward the header field 937 without further parsing inside the field-value. 939 HTTP does not have specific length limitations for many of its 940 protocol elements because the lengths that might be appropriate will 941 vary widely, depending on the deployment context and purpose of the 942 implementation. Hence, interoperability between senders and 943 recipients depends on shared expectations regarding what is a 944 reasonable length for each protocol element. Furthermore, what is 945 commonly understood to be a reasonable length for some protocol 946 elements has changed over the course of the past two decades of HTTP 947 use and is expected to continue changing in the future. 949 At a minimum, a recipient MUST be able to parse and process protocol 950 element lengths that are at least as long as the values that it 951 generates for those same protocol elements in other messages. For 952 example, an origin server that publishes very long URI references to 953 its own resources needs to be able to parse and process those same 954 references when received as a request target. 956 3.4. Error Handling 958 A recipient MUST interpret a received protocol element according to 959 the semantics defined for it by this specification, including 960 extensions to this specification, unless the recipient has determined 961 (through experience or configuration) that the sender incorrectly 962 implements what is implied by those semantics. For example, an 963 origin server might disregard the contents of a received Accept- 964 Encoding header field if inspection of the User-Agent header field 965 indicates a specific implementation version that is known to fail on 966 receipt of certain content codings. 968 Unless noted otherwise, a recipient MAY attempt to recover a usable 969 protocol element from an invalid construct. HTTP does not define 970 specific error handling mechanisms except when they have a direct 971 impact on security, since different applications of the protocol 972 require different error handling strategies. For example, a Web 973 browser might wish to transparently recover from a response where the 974 Location header field doesn't parse according to the ABNF, whereas a 975 systems control client might consider any form of error recovery to 976 be dangerous. 978 3.5. Protocol Versioning 980 The HTTP version number consists of two decimal digits separated by a 981 "." (period or decimal point). The first digit ("major version") 982 indicates the HTTP messaging syntax, whereas the second digit ("minor 983 version") indicates the highest minor version within that major 984 version to which the sender is conformant and able to understand for 985 future communication. 987 The protocol version as a whole indicates the sender's conformance 988 with the set of requirements laid out in that version's corresponding 989 specification of HTTP. For example, the version "HTTP/1.1" is 990 defined by the combined specifications of this document, "HTTP 991 Caching" [Caching], and "HTTP/1.1 Messaging" [Messaging]. 993 The minor version advertises the sender's communication capabilities 994 even when the sender is only using a backwards-compatible subset of 995 the protocol, thereby letting the recipient know that more advanced 996 features can be used in response (by servers) or in future requests 997 (by clients). 999 A client SHOULD send a request version equal to the highest version 1000 to which the client is conformant and whose major version is no 1001 higher than the highest version supported by the server, if this is 1002 known. A client MUST NOT send a version to which it is not 1003 conformant. 1005 A client MAY send a lower request version if it is known that the 1006 server incorrectly implements the HTTP specification, but only after 1007 the client has attempted at least one normal request and determined 1008 from the response status code or header fields (e.g., Server) that 1009 the server improperly handles higher request versions. 1011 A server SHOULD send a response version equal to the highest version 1012 to which the server is conformant that has a major version less than 1013 or equal to the one received in the request. A server MUST NOT send 1014 a version to which it is not conformant. A server can send a 505 1015 (HTTP Version Not Supported) response if it wishes, for any reason, 1016 to refuse service of the client's major protocol version. 1018 HTTP's major version number is incremented when an incompatible 1019 message syntax is introduced. The minor number is incremented when 1020 changes made to the protocol have the effect of adding to the message 1021 semantics or implying additional capabilities of the sender. 1023 When an HTTP message is received with a major version number that the 1024 recipient implements, but a higher minor version number than what the 1025 recipient implements, the recipient SHOULD process the message as if 1026 it were in the highest minor version within that major version to 1027 which the recipient is conformant. A recipient can assume that a 1028 message with a higher minor version, when sent to a recipient that 1029 has not yet indicated support for that higher version, is 1030 sufficiently backwards-compatible to be safely processed by any 1031 implementation of the same major version. 1033 When a major version of HTTP does not define any minor versions, the 1034 minor version "0" is implied and is used when referring to that 1035 protocol within a protocol element that requires sending a minor 1036 version. 1038 4. Message Abstraction 1040 Each major version of HTTP defines its own syntax for the inclusion 1041 of information in messages. Nevertheless, a common abstraction is 1042 that a message includes some form of envelope/framing, a potential 1043 set of named data fields, and a potential body. This section defines 1044 the abstraction for message fields as field-name and field-value 1045 pairs. 1047 4.1. Header Field Names 1049 Header fields are key:value pairs that can be used to communicate 1050 data about the message, its payload, the target resource, or the 1051 connection (i.e., control data). 1053 The requirements for header field names are defined in [BCP90]. 1055 The field-name token labels the corresponding field-value as having 1056 the semantics defined by that header field. For example, the Date 1057 header field is defined in Section 10.1.1.2 as containing the 1058 origination timestamp for the message in which it appears. 1060 field-name = token 1062 The interpretation of a header field does not change between minor 1063 versions of the same major HTTP version, though the default behavior 1064 of a recipient in the absence of such a field can change. Unless 1065 specified otherwise, header fields are defined for all versions of 1066 HTTP. In particular, the Host and Connection header fields ought to 1067 be implemented by all HTTP/1.x implementations whether or not they 1068 advertise conformance with HTTP/1.1. 1070 New header fields can be introduced without changing the protocol 1071 version if their defined semantics allow them to be safely ignored by 1072 recipients that do not recognize them. Header field extensibility is 1073 discussed in Section 4.1.2. 1075 The following field names are defined by this document: 1077 +---------------------------+----------+----------+-----------------+ 1078 | Header Field Name | Protocol | Status | Reference | 1079 +---------------------------+----------+----------+-----------------+ 1080 | Accept | http | standard | Section 8.4.2 | 1081 | Accept-Charset | http | standard | Section 8.4.3 | 1082 | Accept-Encoding | http | standard | Section 8.4.4 | 1083 | Accept-Language | http | standard | Section 8.4.5 | 1084 | Accept-Ranges | http | standard | Section 10.4.1 | 1085 | Allow | http | standard | Section 10.4.2 | 1086 | Authentication-Info | http | standard | Section 10.3.3 | 1087 | Authorization | http | standard | Section 8.5.3 | 1088 | Content-Encoding | http | standard | Section 6.2.2 | 1089 | Content-Language | http | standard | Section 6.2.3 | 1090 | Content-Length | http | standard | Section 6.2.4 | 1091 | Content-Location | http | standard | Section 6.2.5 | 1092 | Content-Range | http | standard | Section 6.3.3 | 1093 | Content-Type | http | standard | Section 6.2.1 | 1094 | Date | http | standard | Section 10.1.1. | 1095 | | | | 2 | 1096 | ETag | http | standard | Section 10.2.3 | 1097 | Expect | http | standard | Section 8.1.1 | 1098 | From | http | standard | Section 8.6.1 | 1099 | Host | http | standard | Section 5.4 | 1100 | If-Match | http | standard | Section 8.2.3 | 1101 | If-Modified-Since | http | standard | Section 8.2.5 | 1102 | If-None-Match | http | standard | Section 8.2.4 | 1103 | If-Range | http | standard | Section 8.2.7 | 1104 | If-Unmodified-Since | http | standard | Section 8.2.6 | 1105 | Last-Modified | http | standard | Section 10.2.2 | 1106 | Location | http | standard | Section 10.1.2 | 1107 | Max-Forwards | http | standard | Section 8.1.2 | 1108 | Proxy-Authenticate | http | standard | Section 10.3.2 | 1109 | Proxy-Authentication-Info | http | standard | Section 10.3.4 | 1110 | Proxy-Authorization | http | standard | Section 8.5.4 | 1111 | Range | http | standard | Section 8.3 | 1112 | Referer | http | standard | Section 8.6.2 | 1113 | Retry-After | http | standard | Section 10.1.3 | 1114 | Server | http | standard | Section 10.4.3 | 1115 | Trailer | http | standard | Section 4.4 | 1116 | User-Agent | http | standard | Section 8.6.3 | 1117 | Vary | http | standard | Section 10.1.4 | 1118 | Via | http | standard | Section 5.5.1 | 1119 | WWW-Authenticate | http | standard | Section 10.3.1 | 1120 +---------------------------+----------+----------+-----------------+ 1122 4.1.1. Header Field Name Registry 1124 HTTP header fields are registered within the "Message Headers" 1125 registry located at , as defined by [BCP90], with the protocol "http". 1128 4.1.2. Header Field Extensibility 1130 Header fields are fully extensible: there is no limit on the 1131 introduction of new field names, each presumably defining new 1132 semantics, nor on the number of header fields used in a given 1133 message. Existing fields are defined in each part of this 1134 specification and in many other specifications outside this document 1135 set. 1137 New header fields can be defined such that, when they are understood 1138 by a recipient, they might override or enhance the interpretation of 1139 previously defined header fields, define preconditions on request 1140 evaluation, or refine the meaning of responses. 1142 A proxy MUST forward unrecognized header fields unless the field-name 1143 is listed in the Connection header field (Section 9.1 of [Messaging]) 1144 or the proxy is specifically configured to block, or otherwise 1145 transform, such fields. Other recipients SHOULD ignore unrecognized 1146 header fields. These requirements allow HTTP's functionality to be 1147 enhanced without requiring prior update of deployed intermediaries. 1149 All defined header fields ought to be registered with IANA in the 1150 "Message Headers" registry. 1152 4.1.3. Considerations for New Header Fields 1154 Authors of specifications defining new fields are advised to keep the 1155 name as short as practical and not to prefix the name with "X-" 1156 unless the header field will never be used on the Internet. (The 1157 "X-" prefix idiom has been extensively misused in practice; it was 1158 intended to only be used as a mechanism for avoiding name collisions 1159 inside proprietary software or intranet processing, since the prefix 1160 would ensure that private names never collide with a newly registered 1161 Internet name; see [BCP178] for further information). 1163 Authors of specifications defining new header fields are advised to 1164 consider documenting: 1166 o Whether the field is a single value or whether it can be a list 1167 (delimited by commas; see Section 5 of [Messaging]). 1169 If it does not use the list syntax, document how to treat messages 1170 where the field occurs multiple times (a sensible default would be 1171 to ignore the field, but this might not always be the right 1172 choice). 1174 Note that intermediaries and software libraries might combine 1175 multiple header field instances into a single one, despite the 1176 field's definition not allowing the list syntax. A robust format 1177 enables recipients to discover these situations (good example: 1178 "Content-Type", as the comma can only appear inside quoted 1179 strings; bad example: "Location", as a comma can occur inside a 1180 URI). 1182 o Under what conditions the header field can be used; e.g., only in 1183 responses or requests, in all messages, only on responses to a 1184 particular request method, etc. 1186 o Whether the field should be stored by origin servers that 1187 understand it upon a PUT request. 1189 o Whether the field semantics are further refined by the context, 1190 such as by existing request methods or status codes. 1192 o Whether it is appropriate to list the field-name in the Connection 1193 header field (i.e., if the header field is to be hop-by-hop; see 1194 Section 9.1 of [Messaging]). 1196 o Under what conditions intermediaries are allowed to insert, 1197 delete, or modify the field's value. 1199 o Whether it is appropriate to list the field-name in a Vary 1200 response header field (e.g., when the request header field is used 1201 by an origin server's content selection algorithm; see 1202 Section 10.1.4). 1204 o Whether the header field is useful or allowable in trailers (see 1205 Section 7.1 of [Messaging]). 1207 o Whether the header field ought to be preserved across redirects. 1209 o Whether it introduces any additional security considerations, such 1210 as disclosure of privacy-related data. 1212 4.2. Header Field Values 1214 This specification does not use ABNF rules to define each "Field- 1215 Name: Field Value" pair, as was done in earlier editions. Instead, 1216 this specification uses ABNF rules that are named according to each 1217 registered field name, wherein the rule defines the valid grammar for 1218 that field's corresponding field values (i.e., after the field-value 1219 has been extracted by a generic field parser). 1221 field-value = *( field-content / obs-fold ) 1222 field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] 1223 field-vchar = VCHAR / obs-text 1225 Historically, HTTP header field values could be extended over 1226 multiple lines by preceding each extra line with at least one space 1227 or horizontal tab (obs-fold). [[CREF1: This document assumes that 1228 any such obs-fold has been replaced with one or more SP octets prior 1229 to interpreting the field value, as described in Section 5.2 of 1230 [Messaging].]] 1232 Historically, HTTP has allowed field content with text in the 1233 ISO-8859-1 charset [ISO-8859-1], supporting other charsets only 1234 through use of [RFC2047] encoding. In practice, most HTTP header 1235 field values use only a subset of the US-ASCII charset [USASCII]. 1236 Newly defined header fields SHOULD limit their field values to 1237 US-ASCII octets. A recipient SHOULD treat other octets in field 1238 content (obs-text) as opaque data. 1240 4.2.1. Header Field Order 1242 The order in which header fields with differing field names are 1243 received is not significant. However, it is good practice to send 1244 header fields that contain control data first, such as Host on 1245 requests and Date on responses, so that implementations can decide 1246 when not to handle a message as early as possible. A server MUST NOT 1247 apply a request to the target resource until the entire request 1248 header section is received, since later header fields might include 1249 conditionals, authentication credentials, or deliberately misleading 1250 duplicate header fields that would impact request processing. 1252 A sender MUST NOT generate multiple header fields with the same field 1253 name in a message unless either the entire field value for that 1254 header field is defined as a comma-separated list [i.e., #(values)] 1255 or the header field is a well-known exception (as noted below). 1257 A recipient MAY combine multiple header fields with the same field 1258 name into one "field-name: field-value" pair, without changing the 1259 semantics of the message, by appending each subsequent field value to 1260 the combined field value in order, separated by a comma. The order 1261 in which header fields with the same field name are received is 1262 therefore significant to the interpretation of the combined field 1263 value; a proxy MUST NOT change the order of these field values when 1264 forwarding a message. 1266 Note: In practice, the "Set-Cookie" header field ([RFC6265]) often 1267 appears multiple times in a response message and does not use the 1268 list syntax, violating the above requirements on multiple header 1269 fields with the same name. Since it cannot be combined into a 1270 single field-value, recipients ought to handle "Set-Cookie" as a 1271 special case while processing header fields. (See Appendix A.2.3 1272 of [Kri2001] for details.) 1274 4.2.2. Header Field Limits 1276 HTTP does not place a predefined limit on the length of each header 1277 field or on the length of the header section as a whole, as described 1278 in Section 3. Various ad hoc limitations on individual header field 1279 length are found in practice, often depending on the specific field 1280 semantics. 1282 A server that receives a request header field, or set of fields, 1283 larger than it wishes to process MUST respond with an appropriate 4xx 1284 (Client Error) status code. Ignoring such header fields would 1285 increase the server's vulnerability to request smuggling attacks 1286 (Section 11.2 of [Messaging]). 1288 A client MAY discard or truncate received header fields that are 1289 larger than the client wishes to process if the field semantics are 1290 such that the dropped value(s) can be safely ignored without changing 1291 the message framing or response semantics. 1293 4.2.3. Header Field Value Components 1295 Most HTTP header field values are defined using common syntax 1296 components (token, quoted-string, and comment) separated by 1297 whitespace or specific delimiting characters. Delimiters are chosen 1298 from the set of US-ASCII visual characters not allowed in a token 1299 (DQUOTE and "(),/:;<=>?@[\]{}"). 1301 token = 1*tchar 1303 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" 1304 / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~" 1305 / DIGIT / ALPHA 1306 ; any VCHAR, except delimiters 1308 A string of text is parsed as a single value if it is quoted using 1309 double-quote marks. 1311 quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE 1312 qdtext = HTAB / SP / %x21 / %x23-5B / %x5D-7E / obs-text 1313 obs-text = %x80-FF 1315 Comments can be included in some HTTP header fields by surrounding 1316 the comment text with parentheses. Comments are only allowed in 1317 fields containing "comment" as part of their field value definition. 1319 comment = "(" *( ctext / quoted-pair / comment ) ")" 1320 ctext = HTAB / SP / %x21-27 / %x2A-5B / %x5D-7E / obs-text 1322 The backslash octet ("\") can be used as a single-octet quoting 1323 mechanism within quoted-string and comment constructs. Recipients 1324 that process the value of a quoted-string MUST handle a quoted-pair 1325 as if it were replaced by the octet following the backslash. 1327 quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) 1329 A sender SHOULD NOT generate a quoted-pair in a quoted-string except 1330 where necessary to quote DQUOTE and backslash octets occurring within 1331 that string. A sender SHOULD NOT generate a quoted-pair in a comment 1332 except where necessary to quote parentheses ["(" and ")"] and 1333 backslash octets occurring within that comment. 1335 4.2.4. Designing New Header Field Values 1337 New header field values typically have their syntax defined using 1338 ABNF ([RFC5234]), using the extension defined in Section 11 as 1339 necessary, and are usually constrained to the range of US-ASCII 1340 characters. Header fields needing a greater range of characters can 1341 use an encoding such as the one defined in [RFC8187]. 1343 Leading and trailing whitespace in raw field values is removed upon 1344 field parsing (Section 5.1 of [Messaging]). Field definitions where 1345 leading or trailing whitespace in values is significant will have to 1346 use a container syntax such as quoted-string (Section 4.2.3). 1348 Because commas (",") are used as a generic delimiter between field- 1349 values, they need to be treated with care if they are allowed in the 1350 field-value. Typically, components that might contain a comma are 1351 protected with double-quotes using the quoted-string ABNF production. 1353 For example, a textual date and a URI (either of which might contain 1354 a comma) could be safely carried in field-values like these: 1356 Example-URI-Field: "http://example.com/a.html,foo", 1357 "http://without-a-comma.example.com/" 1358 Example-Date-Field: "Sat, 04 May 1996", "Wed, 14 Sep 2005" 1360 Note that double-quote delimiters almost always are used with the 1361 quoted-string production; using a different syntax inside double- 1362 quotes will likely cause unnecessary confusion. 1364 Many header fields use a format including (case-insensitively) named 1365 parameters (for instance, Content-Type, defined in Section 6.2.1). 1366 Allowing both unquoted (token) and quoted (quoted-string) syntax for 1367 the parameter value enables recipients to use existing parser 1368 components. When allowing both forms, the meaning of a parameter 1369 value ought to be independent of the syntax used for it (for an 1370 example, see the notes on parameter handling for media types in 1371 Section 6.1.1). 1373 4.3. Whitespace 1375 This specification uses three rules to denote the use of linear 1376 whitespace: OWS (optional whitespace), RWS (required whitespace), and 1377 BWS ("bad" whitespace). 1379 The OWS rule is used where zero or more linear whitespace octets 1380 might appear. For protocol elements where optional whitespace is 1381 preferred to improve readability, a sender SHOULD generate the 1382 optional whitespace as a single SP; otherwise, a sender SHOULD NOT 1383 generate optional whitespace except as needed to white out invalid or 1384 unwanted protocol elements during in-place message filtering. 1386 The RWS rule is used when at least one linear whitespace octet is 1387 required to separate field tokens. A sender SHOULD generate RWS as a 1388 single SP. 1390 The BWS rule is used where the grammar allows optional whitespace 1391 only for historical reasons. A sender MUST NOT generate BWS in 1392 messages. A recipient MUST parse for such bad whitespace and remove 1393 it before interpreting the protocol element. 1395 OWS = *( SP / HTAB ) 1396 ; optional whitespace 1397 RWS = 1*( SP / HTAB ) 1398 ; required whitespace 1399 BWS = OWS 1400 ; "bad" whitespace 1402 4.4. Trailer 1404 [[CREF2: The "Trailer" header field in a message indicates fields 1405 that the sender anticipates sending after the message header block 1406 (i.e., during or after the payload is sent). This is typically used 1407 to supply metadata that might be dynamically generated while the data 1408 is sent, such as a message integrity check, digital signature, or 1409 post-processing status. ]] 1411 Trailer = 1#field-name 1413 [[CREF3: How, where, and when trailer fields might be sent depends on 1414 both the protocol in use (HTTP version and/or transfer coding) and 1415 the semantics of each named header field. Many header fields cannot 1416 be processed outside the header section because their evaluation is 1417 necessary for message routing, authentication, or configuration prior 1418 to receiving the representation data. ]] 1420 5. Message Routing 1422 HTTP request message routing is determined by each client based on 1423 the target resource, the client's proxy configuration, and 1424 establishment or reuse of an inbound connection. The corresponding 1425 response routing follows the same connection chain back to the 1426 client. 1428 5.1. Identifying a Target Resource 1430 HTTP is used in a wide variety of applications, ranging from general- 1431 purpose computers to home appliances. In some cases, communication 1432 options are hard-coded in a client's configuration. However, most 1433 HTTP clients rely on the same resource identification mechanism and 1434 configuration techniques as general-purpose Web browsers. 1436 HTTP communication is initiated by a user agent for some purpose. 1437 The purpose is a combination of request semantics and a target 1438 resource upon which to apply those semantics. A URI reference 1439 (Section 2.4) is typically used as an identifier for the "target 1440 resource", which a user agent would resolve to its absolute form in 1441 order to obtain the "target URI". The target URI excludes the 1442 reference's fragment component, if any, since fragment identifiers 1443 are reserved for client-side processing ([RFC3986], Section 3.5). 1445 5.2. Routing Inbound 1447 Once the target URI is determined, a client needs to decide whether a 1448 network request is necessary to accomplish the desired semantics and, 1449 if so, where that request is to be directed. 1451 If the client has a cache [Caching] and the request can be satisfied 1452 by it, then the request is usually directed there first. 1454 If the request is not satisfied by a cache, then a typical client 1455 will check its configuration to determine whether a proxy is to be 1456 used to satisfy the request. Proxy configuration is implementation- 1457 dependent, but is often based on URI prefix matching, selective 1458 authority matching, or both, and the proxy itself is usually 1459 identified by an "http" or "https" URI. If a proxy is applicable, 1460 the client connects inbound by establishing (or reusing) a connection 1461 to that proxy. 1463 If no proxy is applicable, a typical client will invoke a handler 1464 routine, usually specific to the target URI's scheme, to connect 1465 directly to an authority for the target resource. How that is 1466 accomplished is dependent on the target URI scheme and defined by its 1467 associated specification, similar to how this specification defines 1468 origin server access for resolution of the "http" (Section 2.5.1) and 1469 "https" (Section 2.5.2) schemes. 1471 HTTP requirements regarding connection management are defined in 1472 Section 9 of [Messaging]. 1474 5.3. Effective Request URI 1476 Once an inbound connection is obtained, the client sends an HTTP 1477 request message (Section 2 of [Messaging]). 1479 Depending on the nature of the request, the client's target URI might 1480 be split into components and transmitted (or implied) within various 1481 parts of a request message. These parts are recombined by each 1482 recipient, in accordance with their local configuration and incoming 1483 connection context, to form an "effective request URI" for 1484 identifying the intended target resource with respect to that server. 1485 Section 3.3 of [Messaging] defines how a server determines the 1486 effective request URI for an HTTP/1.1 request. 1488 For a user agent, the effective request URI is the target URI. 1490 Once the effective request URI has been constructed, an origin server 1491 needs to decide whether or not to provide service for that URI via 1492 the connection in which the request was received. For example, the 1493 request might have been misdirected, deliberately or accidentally, 1494 such that the information within a received request-target or Host 1495 header field differs from the host or port upon which the connection 1496 has been made. If the connection is from a trusted gateway, that 1497 inconsistency might be expected; otherwise, it might indicate an 1498 attempt to bypass security filters, trick the server into delivering 1499 non-public content, or poison a cache. See Section 12 for security 1500 considerations regarding message routing. 1502 5.4. Host 1504 The "Host" header field in a request provides the host and port 1505 information from the target URI, enabling the origin server to 1506 distinguish among resources while servicing requests for multiple 1507 host names on a single IP address. 1509 Host = uri-host [ ":" port ] ; Section 2.4 1511 A client MUST send a Host header field in all HTTP/1.1 request 1512 messages. If the target URI includes an authority component, then a 1513 client MUST send a field-value for Host that is identical to that 1514 authority component, excluding any userinfo subcomponent and its "@" 1515 delimiter (Section 2.5.1). If the authority component is missing or 1516 undefined for the target URI, then a client MUST send a Host header 1517 field with an empty field-value. 1519 Since the Host field-value is critical information for handling a 1520 request, a user agent SHOULD generate Host as the first header field 1521 following the request-line. 1523 For example, a GET request to the origin server for 1524 would begin with: 1526 GET /pub/WWW/ HTTP/1.1 1527 Host: www.example.org 1529 A client MUST send a Host header field in an HTTP/1.1 request even if 1530 the request-target is in the absolute-form, since this allows the 1531 Host information to be forwarded through ancient HTTP/1.0 proxies 1532 that might not have implemented Host. 1534 When a proxy receives a request with an absolute-form of request- 1535 target, the proxy MUST ignore the received Host header field (if any) 1536 and instead replace it with the host information of the request- 1537 target. A proxy that forwards such a request MUST generate a new 1538 Host field-value based on the received request-target rather than 1539 forward the received Host field-value. 1541 Since the Host header field acts as an application-level routing 1542 mechanism, it is a frequent target for malware seeking to poison a 1543 shared cache or redirect a request to an unintended server. An 1544 interception proxy is particularly vulnerable if it relies on the 1545 Host field-value for redirecting requests to internal servers, or for 1546 use as a cache key in a shared cache, without first verifying that 1547 the intercepted connection is targeting a valid IP address for that 1548 host. 1550 A server MUST respond with a 400 (Bad Request) status code to any 1551 HTTP/1.1 request message that lacks a Host header field and to any 1552 request message that contains more than one Host header field or a 1553 Host header field with an invalid field-value. 1555 5.5. Message Forwarding 1557 As described in Section 2.2, intermediaries can serve a variety of 1558 roles in the processing of HTTP requests and responses. Some 1559 intermediaries are used to improve performance or availability. 1560 Others are used for access control or to filter content. Since an 1561 HTTP stream has characteristics similar to a pipe-and-filter 1562 architecture, there are no inherent limits to the extent an 1563 intermediary can enhance (or interfere) with either direction of the 1564 stream. 1566 An intermediary not acting as a tunnel MUST implement the Connection 1567 header field, as specified in Section 9.1 of [Messaging], and exclude 1568 fields from being forwarded that are only intended for the incoming 1569 connection. 1571 An intermediary MUST NOT forward a message to itself unless it is 1572 protected from an infinite request loop. In general, an intermediary 1573 ought to recognize its own server names, including any aliases, local 1574 variations, or literal IP addresses, and respond to such requests 1575 directly. 1577 An HTTP message can be parsed as a stream for incremental processing 1578 or forwarding downstream. However, recipients cannot rely on 1579 incremental delivery of partial messages, since some implementations 1580 will buffer or delay message forwarding for the sake of network 1581 efficiency, security checks, or payload transformations. 1583 5.5.1. Via 1585 The "Via" header field indicates the presence of intermediate 1586 protocols and recipients between the user agent and the server (on 1587 requests) or between the origin server and the client (on responses), 1588 similar to the "Received" header field in email (Section 3.6.7 of 1589 [RFC5322]). Via can be used for tracking message forwards, avoiding 1590 request loops, and identifying the protocol capabilities of senders 1591 along the request/response chain. 1593 Via = 1#( received-protocol RWS received-by [ RWS comment ] ) 1595 received-protocol = [ protocol-name "/" ] protocol-version 1596 ; see [Messaging], Section 9.8 1597 received-by = ( uri-host [ ":" port ] ) / pseudonym 1598 pseudonym = token 1600 Multiple Via field values represent each proxy or gateway that has 1601 forwarded the message. Each intermediary appends its own information 1602 about how the message was received, such that the end result is 1603 ordered according to the sequence of forwarding recipients. 1605 A proxy MUST send an appropriate Via header field, as described 1606 below, in each message that it forwards. An HTTP-to-HTTP gateway 1607 MUST send an appropriate Via header field in each inbound request 1608 message and MAY send a Via header field in forwarded response 1609 messages. 1611 For each intermediary, the received-protocol indicates the protocol 1612 and protocol version used by the upstream sender of the message. 1613 Hence, the Via field value records the advertised protocol 1614 capabilities of the request/response chain such that they remain 1615 visible to downstream recipients; this can be useful for determining 1616 what backwards-incompatible features might be safe to use in 1617 response, or within a later request, as described in Section 3.5. 1618 For brevity, the protocol-name is omitted when the received protocol 1619 is HTTP. 1621 The received-by portion of the field value is normally the host and 1622 optional port number of a recipient server or client that 1623 subsequently forwarded the message. However, if the real host is 1624 considered to be sensitive information, a sender MAY replace it with 1625 a pseudonym. If a port is not provided, a recipient MAY interpret 1626 that as meaning it was received on the default TCP port, if any, for 1627 the received-protocol. 1629 A sender MAY generate comments in the Via header field to identify 1630 the software of each recipient, analogous to the User-Agent and 1631 Server header fields. However, all comments in the Via field are 1632 optional, and a recipient MAY remove them prior to forwarding the 1633 message. 1635 For example, a request message could be sent from an HTTP/1.0 user 1636 agent to an internal proxy code-named "fred", which uses HTTP/1.1 to 1637 forward the request to a public proxy at p.example.net, which 1638 completes the request by forwarding it to the origin server at 1639 www.example.com. The request received by www.example.com would then 1640 have the following Via header field: 1642 Via: 1.0 fred, 1.1 p.example.net 1644 An intermediary used as a portal through a network firewall SHOULD 1645 NOT forward the names and ports of hosts within the firewall region 1646 unless it is explicitly enabled to do so. If not enabled, such an 1647 intermediary SHOULD replace each received-by host of any host behind 1648 the firewall by an appropriate pseudonym for that host. 1650 An intermediary MAY combine an ordered subsequence of Via header 1651 field entries into a single such entry if the entries have identical 1652 received-protocol values. For example, 1654 Via: 1.0 ricky, 1.1 ethel, 1.1 fred, 1.0 lucy 1656 could be collapsed to 1658 Via: 1.0 ricky, 1.1 mertz, 1.0 lucy 1660 A sender SHOULD NOT combine multiple entries unless they are all 1661 under the same organizational control and the hosts have already been 1662 replaced by pseudonyms. A sender MUST NOT combine entries that have 1663 different received-protocol values. 1665 5.5.2. Transformations 1667 Some intermediaries include features for transforming messages and 1668 their payloads. A proxy might, for example, convert between image 1669 formats in order to save cache space or to reduce the amount of 1670 traffic on a slow link. However, operational problems might occur 1671 when these transformations are applied to payloads intended for 1672 critical applications, such as medical imaging or scientific data 1673 analysis, particularly when integrity checks or digital signatures 1674 are used to ensure that the payload received is identical to the 1675 original. 1677 An HTTP-to-HTTP proxy is called a "transforming proxy" if it is 1678 designed or configured to modify messages in a semantically 1679 meaningful way (i.e., modifications, beyond those required by normal 1680 HTTP processing, that change the message in a way that would be 1681 significant to the original sender or potentially significant to 1682 downstream recipients). For example, a transforming proxy might be 1683 acting as a shared annotation server (modifying responses to include 1684 references to a local annotation database), a malware filter, a 1685 format transcoder, or a privacy filter. Such transformations are 1686 presumed to be desired by whichever client (or client organization) 1687 selected the proxy. 1689 If a proxy receives a request-target with a host name that is not a 1690 fully qualified domain name, it MAY add its own domain to the host 1691 name it received when forwarding the request. A proxy MUST NOT 1692 change the host name if the request-target contains a fully qualified 1693 domain name. 1695 A proxy MUST NOT modify the "absolute-path" and "query" parts of the 1696 received request-target when forwarding it to the next inbound 1697 server, except as noted above to replace an empty path with "/" or 1698 "*". 1700 A proxy MAY modify the message body through application or removal of 1701 a transfer coding (Section 7 of [Messaging]). 1703 A proxy MUST NOT transform the payload (Section 6.3) of a message 1704 that contains a no-transform cache-control directive (Section 5.2 of 1705 [Caching]). 1707 A proxy MAY transform the payload of a message that does not contain 1708 a no-transform cache-control directive. A proxy that transforms the 1709 payload of a 200 (OK) response can inform downstream recipients that 1710 a transformation has been applied by changing the response status 1711 code to 203 (Non-Authoritative Information) (Section 9.3.4). 1713 A proxy SHOULD NOT modify header fields that provide information 1714 about the endpoints of the communication chain, the resource state, 1715 or the selected representation (other than the payload) unless the 1716 field's definition specifically allows such modification or the 1717 modification is deemed necessary for privacy or security. 1719 6. Representations 1721 Considering that a resource could be anything, and that the uniform 1722 interface provided by HTTP is similar to a window through which one 1723 can observe and act upon such a thing only through the communication 1724 of messages to some independent actor on the other side, an 1725 abstraction is needed to represent ("take the place of") the current 1726 or desired state of that thing in our communications. That 1727 abstraction is called a representation [REST]. 1729 For the purposes of HTTP, a "representation" is information that is 1730 intended to reflect a past, current, or desired state of a given 1731 resource, in a format that can be readily communicated via the 1732 protocol, and that consists of a set of representation metadata and a 1733 potentially unbounded stream of representation data. 1735 An origin server might be provided with, or be capable of generating, 1736 multiple representations that are each intended to reflect the 1737 current state of a target resource. In such cases, some algorithm is 1738 used by the origin server to select one of those representations as 1739 most applicable to a given request, usually based on content 1740 negotiation. This "selected representation" is used to provide the 1741 data and metadata for evaluating conditional requests Section 8.2 and 1742 constructing the payload for 200 (OK) and 304 (Not Modified) 1743 responses to GET (Section 7.3.1). 1745 6.1. Representation Data 1747 The representation data associated with an HTTP message is either 1748 provided as the payload body of the message or referred to by the 1749 message semantics and the effective request URI. The representation 1750 data is in a format and encoding defined by the representation 1751 metadata header fields. 1753 The data type of the representation data is determined via the header 1754 fields Content-Type and Content-Encoding. These define a two-layer, 1755 ordered encoding model: 1757 representation-data := Content-Encoding( Content-Type( bits ) ) 1759 6.1.1. Media Type 1761 HTTP uses media types [RFC2046] in the Content-Type (Section 6.2.1) 1762 and Accept (Section 8.4.2) header fields in order to provide open and 1763 extensible data typing and type negotiation. Media types define both 1764 a data format and various processing models: how to process that data 1765 in accordance with each context in which it is received. 1767 media-type = type "/" subtype *( OWS ";" OWS parameter ) 1768 type = token 1769 subtype = token 1771 The type/subtype MAY be followed by parameters in the form of 1772 name=value pairs. 1774 parameter = token "=" ( token / quoted-string ) 1776 The type, subtype, and parameter name tokens are case-insensitive. 1777 Parameter values might or might not be case-sensitive, depending on 1778 the semantics of the parameter name. The presence or absence of a 1779 parameter might be significant to the processing of a media-type, 1780 depending on its definition within the media type registry. 1782 A parameter value that matches the token production can be 1783 transmitted either as a token or within a quoted-string. The quoted 1784 and unquoted values are equivalent. For example, the following 1785 examples are all equivalent, but the first is preferred for 1786 consistency: 1788 text/html;charset=utf-8 1789 text/html;charset=UTF-8 1790 Text/HTML;Charset="utf-8" 1791 text/html; charset="utf-8" 1793 Media types ought to be registered with IANA according to the 1794 procedures defined in [BCP13]. 1796 Note: Unlike some similar constructs in other header fields, media 1797 type parameters do not allow whitespace (even "bad" whitespace) 1798 around the "=" character. 1800 6.1.1.1. Charset 1802 HTTP uses charset names to indicate or negotiate the character 1803 encoding scheme of a textual representation [RFC6365]. A charset is 1804 identified by a case-insensitive token. 1806 charset = token 1808 Charset names ought to be registered in the IANA "Character Sets" 1809 registry () 1810 according to the procedures defined in Section 2 of [RFC2978]. 1812 Note: in practice, charset names are furthermore restricted by the 1813 "mime-charset" ABNF rule defined in Section 2.3 of [RFC2978] (as 1814 corrected in [Err1912]). However, that rule allows two characters 1815 not included in "token" ("{" and "}"), but at the time of this 1816 writing no character set using these was registered (see 1817 [Err5433]). 1819 6.1.1.2. Canonicalization and Text Defaults 1821 Media types are registered with a canonical form in order to be 1822 interoperable among systems with varying native encoding formats. 1823 Representations selected or transferred via HTTP ought to be in 1824 canonical form, for many of the same reasons described by the 1825 Multipurpose Internet Mail Extensions (MIME) [RFC2045]. However, the 1826 performance characteristics of email deployments (i.e., store and 1827 forward messages to peers) are significantly different from those 1828 common to HTTP and the Web (server-based information services). 1829 Furthermore, MIME's constraints for the sake of compatibility with 1830 older mail transfer protocols do not apply to HTTP (see Appendix B of 1831 [Messaging]). 1833 MIME's canonical form requires that media subtypes of the "text" type 1834 use CRLF as the text line break. HTTP allows the transfer of text 1835 media with plain CR or LF alone representing a line break, when such 1836 line breaks are consistent for an entire representation. An HTTP 1837 sender MAY generate, and a recipient MUST be able to parse, line 1838 breaks in text media that consist of CRLF, bare CR, or bare LF. In 1839 addition, text media in HTTP is not limited to charsets that use 1840 octets 13 and 10 for CR and LF, respectively. This flexibility 1841 regarding line breaks applies only to text within a representation 1842 that has been assigned a "text" media type; it does not apply to 1843 "multipart" types or HTTP elements outside the payload body (e.g., 1844 header fields). 1846 If a representation is encoded with a content-coding, the underlying 1847 data ought to be in a form defined above prior to being encoded. 1849 6.1.1.3. Multipart Types 1851 MIME provides for a number of "multipart" types -- encapsulations of 1852 one or more representations within a single message body. All 1853 multipart types share a common syntax, as defined in Section 5.1.1 of 1854 [RFC2046], and include a boundary parameter as part of the media type 1855 value. The message body is itself a protocol element; a sender MUST 1856 generate only CRLF to represent line breaks between body parts. 1858 HTTP message framing does not use the multipart boundary as an 1859 indicator of message body length, though it might be used by 1860 implementations that generate or process the payload. For example, 1861 the "multipart/form-data" type is often used for carrying form data 1862 in a request, as described in [RFC7578], and the "multipart/ 1863 byteranges" type is defined by this specification for use in some 206 1864 (Partial Content) responses (see Section 9.3.7). 1866 6.1.2. Content Codings 1868 Content coding values indicate an encoding transformation that has 1869 been or can be applied to a representation. Content codings are 1870 primarily used to allow a representation to be compressed or 1871 otherwise usefully transformed without losing the identity of its 1872 underlying media type and without loss of information. Frequently, 1873 the representation is stored in coded form, transmitted directly, and 1874 only decoded by the final recipient. 1876 content-coding = token 1878 Content-coding values are used in the Accept-Encoding (Section 8.4.4) 1879 and Content-Encoding (Section 6.2.2) header fields. 1881 The following content-coding values are defined by this 1882 specification: 1884 +------------+------------------------------------------+-----------+ 1885 | Name | Description | Reference | 1886 +------------+------------------------------------------+-----------+ 1887 | compress | UNIX "compress" data format [Welch] | Section 6 | 1888 | | | .1.2.1 | 1889 | deflate | "deflate" compressed data ([RFC1951]) | Section 6 | 1890 | | inside the "zlib" data format | .1.2.2 | 1891 | | ([RFC1950]) | | 1892 | gzip | GZIP file format [RFC1952] | Section 6 | 1893 | | | .1.2.3 | 1894 | identity | Reserved (synonym for "no encoding" in | Section 8 | 1895 | | Accept-Encoding) | .4.4 | 1896 | x-compress | Deprecated (alias for compress) | Section 6 | 1897 | | | .1.2.1 | 1898 | x-gzip | Deprecated (alias for gzip) | Section 6 | 1899 | | | .1.2.3 | 1900 +------------+------------------------------------------+-----------+ 1902 6.1.2.1. Compress Coding 1904 The "compress" coding is an adaptive Lempel-Ziv-Welch (LZW) coding 1905 [Welch] that is commonly produced by the UNIX file compression 1906 program "compress". A recipient SHOULD consider "x-compress" to be 1907 equivalent to "compress". 1909 6.1.2.2. Deflate Coding 1911 The "deflate" coding is a "zlib" data format [RFC1950] containing a 1912 "deflate" compressed data stream [RFC1951] that uses a combination of 1913 the Lempel-Ziv (LZ77) compression algorithm and Huffman coding. 1915 Note: Some non-conformant implementations send the "deflate" 1916 compressed data without the zlib wrapper. 1918 6.1.2.3. Gzip Coding 1920 The "gzip" coding is an LZ77 coding with a 32-bit Cyclic Redundancy 1921 Check (CRC) that is commonly produced by the gzip file compression 1922 program [RFC1952]. A recipient SHOULD consider "x-gzip" to be 1923 equivalent to "gzip". 1925 6.1.2.4. Content Coding Extensibility 1927 Additional content codings, outside the scope of this specification, 1928 have been specified for use in HTTP. All such content codings ought 1929 to be registered within the "HTTP Content Coding Registry". 1931 6.1.2.4.1. Content Coding Registry 1933 The "HTTP Content Coding Registry", maintained by IANA at 1934 , registers 1935 content-coding names. 1937 Content coding registrations MUST include the following fields: 1939 o Name 1941 o Description 1943 o Pointer to specification text 1945 Names of content codings MUST NOT overlap with names of transfer 1946 codings (Section 7 of [Messaging]), unless the encoding 1947 transformation is identical (as is the case for the compression 1948 codings defined in Section 6.1.2). 1950 Values to be added to this namespace require IETF Review (see 1951 Section 4.8 of [RFC8126]) and MUST conform to the purpose of content 1952 coding defined in Section 6.1.2. 1954 6.1.3. Language Tags 1956 A language tag, as defined in [RFC5646], identifies a natural 1957 language spoken, written, or otherwise conveyed by human beings for 1958 communication of information to other human beings. Computer 1959 languages are explicitly excluded. 1961 HTTP uses language tags within the Accept-Language and Content- 1962 Language header fields. Accept-Language uses the broader language- 1963 range production defined in Section 8.4.5, whereas Content-Language 1964 uses the language-tag production defined below. 1966 language-tag = 1968 A language tag is a sequence of one or more case-insensitive subtags, 1969 each separated by a hyphen character ("-", %x2D). In most cases, a 1970 language tag consists of a primary language subtag that identifies a 1971 broad family of related languages (e.g., "en" = English), which is 1972 optionally followed by a series of subtags that refine or narrow that 1973 language's range (e.g., "en-CA" = the variety of English as 1974 communicated in Canada). Whitespace is not allowed within a language 1975 tag. Example tags include: 1977 fr, en-US, es-419, az-Arab, x-pig-latin, man-Nkoo-GN 1979 See [RFC5646] for further information. 1981 6.1.4. Range Units 1983 A representation can be partitioned into subranges according to 1984 various structural units, depending on the structure inherent in the 1985 representation's media type. This "range unit" is used in the 1986 Accept-Ranges (Section 10.4.1) response header field to advertise 1987 support for range requests, the Range (Section 8.3) request header 1988 field to delineate the parts of a representation that are requested, 1989 and the Content-Range (Section 6.3.3) payload header field to 1990 describe which part of a representation is being transferred. 1992 range-unit = bytes-unit / other-range-unit 1994 The following range unit names are defined by this document: 1996 +-------------+---------------------------------------+-------------+ 1997 | Range Unit | Description | Reference | 1998 | Name | | | 1999 +-------------+---------------------------------------+-------------+ 2000 | bytes | a range of octets | Section 6.1 | 2001 | | | .4.1 | 2002 | none | reserved as keyword, indicating no | Section 10. | 2003 | | ranges are supported | 4.1 | 2004 +-------------+---------------------------------------+-------------+ 2006 6.1.4.1. Byte Ranges 2008 Since representation data is transferred in payloads as a sequence of 2009 octets, a byte range is a meaningful substructure for any 2010 representation transferable over HTTP (Section 6). The "bytes" range 2011 unit is defined for expressing subranges of the data's octet 2012 sequence. 2014 bytes-unit = "bytes" 2016 A byte-range request can specify a single range of bytes or a set of 2017 ranges within a single representation. 2019 byte-ranges-specifier = bytes-unit "=" byte-range-set 2020 byte-range-set = 1#( byte-range-spec / suffix-byte-range-spec ) 2021 byte-range-spec = first-byte-pos "-" [ last-byte-pos ] 2022 first-byte-pos = 1*DIGIT 2023 last-byte-pos = 1*DIGIT 2025 The first-byte-pos value in a byte-range-spec gives the byte-offset 2026 of the first byte in a range. The last-byte-pos value gives the 2027 byte-offset of the last byte in the range; that is, the byte 2028 positions specified are inclusive. Byte offsets start at zero. 2030 Examples of byte-ranges-specifier values: 2032 o The first 500 bytes (byte offsets 0-499, inclusive): 2034 bytes=0-499 2036 o The second 500 bytes (byte offsets 500-999, inclusive): 2038 bytes=500-999 2040 A byte-range-spec is invalid if the last-byte-pos value is present 2041 and less than the first-byte-pos. 2043 A client can limit the number of bytes requested without knowing the 2044 size of the selected representation. If the last-byte-pos value is 2045 absent, or if the value is greater than or equal to the current 2046 length of the representation data, the byte range is interpreted as 2047 the remainder of the representation (i.e., the server replaces the 2048 value of last-byte-pos with a value that is one less than the current 2049 length of the selected representation). 2051 A client can request the last N bytes of the selected representation 2052 using a suffix-byte-range-spec. 2054 suffix-byte-range-spec = "-" suffix-length 2055 suffix-length = 1*DIGIT 2057 If the selected representation is shorter than the specified suffix- 2058 length, the entire representation is used. 2060 Additional examples, assuming a representation of length 10000: 2062 o The final 500 bytes (byte offsets 9500-9999, inclusive): 2064 bytes=-500 2066 Or: 2068 bytes=9500- 2070 o The first and last bytes only (bytes 0 and 9999): 2072 bytes=0-0,-1 2074 o Other valid (but not canonical) specifications of the second 500 2075 bytes (byte offsets 500-999, inclusive): 2077 bytes=500-600,601-999 2078 bytes=500-700,601-999 2080 If a valid byte-range-set includes at least one byte-range-spec with 2081 a first-byte-pos that is less than the current length of the 2082 representation, or at least one suffix-byte-range-spec with a non- 2083 zero suffix-length, then the byte-range-set is satisfiable. 2084 Otherwise, the byte-range-set is unsatisfiable. 2086 In the byte-range syntax, first-byte-pos, last-byte-pos, and suffix- 2087 length are expressed as decimal number of octets. Since there is no 2088 predefined limit to the length of a payload, recipients MUST 2089 anticipate potentially large decimal numerals and prevent parsing 2090 errors due to integer conversion overflows. 2092 6.1.4.2. Other Range Units 2094 Range units are intended to be extensible. New range units ought to 2095 be registered with IANA, as defined in Section 6.1.4.3. 2097 other-range-unit = token 2099 6.1.4.3. Range Unit Registry 2101 The "HTTP Range Unit Registry" defines the namespace for the range 2102 unit names and refers to their corresponding specifications. It is 2103 maintained at . 2105 Registration of an HTTP Range Unit MUST include the following fields: 2107 o Name 2109 o Description 2111 o Pointer to specification text 2113 Values to be added to this namespace require IETF Review (see 2114 [RFC8126], Section 4.8). 2116 6.2. Representation Metadata 2118 Representation header fields provide metadata about the 2119 representation. When a message includes a payload body, the 2120 representation header fields describe how to interpret the 2121 representation data enclosed in the payload body. In a response to a 2122 HEAD request, the representation header fields describe the 2123 representation data that would have been enclosed in the payload body 2124 if the same request had been a GET. 2126 The following header fields convey representation metadata: 2128 +-------------------+---------------+ 2129 | Header Field Name | Defined in... | 2130 +-------------------+---------------+ 2131 | Content-Type | Section 6.2.1 | 2132 | Content-Encoding | Section 6.2.2 | 2133 | Content-Language | Section 6.2.3 | 2134 | Content-Length | Section 6.2.4 | 2135 | Content-Location | Section 6.2.5 | 2136 +-------------------+---------------+ 2138 6.2.1. Content-Type 2140 The "Content-Type" header field indicates the media type of the 2141 associated representation: either the representation enclosed in the 2142 message payload or the selected representation, as determined by the 2143 message semantics. The indicated media type defines both the data 2144 format and how that data is intended to be processed by a recipient, 2145 within the scope of the received message semantics, after any content 2146 codings indicated by Content-Encoding are decoded. 2148 Content-Type = media-type 2150 Media types are defined in Section 6.1.1. An example of the field is 2152 Content-Type: text/html; charset=ISO-8859-4 2154 A sender that generates a message containing a payload body SHOULD 2155 generate a Content-Type header field in that message unless the 2156 intended media type of the enclosed representation is unknown to the 2157 sender. If a Content-Type header field is not present, the recipient 2158 MAY either assume a media type of "application/octet-stream" 2159 ([RFC2046], Section 4.5.1) or examine the data to determine its type. 2161 In practice, resource owners do not always properly configure their 2162 origin server to provide the correct Content-Type for a given 2163 representation, with the result that some clients will examine a 2164 payload's content and override the specified type. Clients that do 2165 so risk drawing incorrect conclusions, which might expose additional 2166 security risks (e.g., "privilege escalation"). Furthermore, it is 2167 impossible to determine the sender's intent by examining the data 2168 format: many data formats match multiple media types that differ only 2169 in processing semantics. Implementers are encouraged to provide a 2170 means of disabling such "content sniffing" when it is used. 2172 6.2.2. Content-Encoding 2174 The "Content-Encoding" header field indicates what content codings 2175 have been applied to the representation, beyond those inherent in the 2176 media type, and thus what decoding mechanisms have to be applied in 2177 order to obtain data in the media type referenced by the Content-Type 2178 header field. Content-Encoding is primarily used to allow a 2179 representation's data to be compressed without losing the identity of 2180 its underlying media type. 2182 Content-Encoding = 1#content-coding 2184 An example of its use is 2186 Content-Encoding: gzip 2188 If one or more encodings have been applied to a representation, the 2189 sender that applied the encodings MUST generate a Content-Encoding 2190 header field that lists the content codings in the order in which 2191 they were applied. Additional information about the encoding 2192 parameters can be provided by other header fields not defined by this 2193 specification. 2195 Unlike Transfer-Encoding (Section 6.1 of [Messaging]), the codings 2196 listed in Content-Encoding are a characteristic of the 2197 representation; the representation is defined in terms of the coded 2198 form, and all other metadata about the representation is about the 2199 coded form unless otherwise noted in the metadata definition. 2200 Typically, the representation is only decoded just prior to rendering 2201 or analogous usage. 2203 If the media type includes an inherent encoding, such as a data 2204 format that is always compressed, then that encoding would not be 2205 restated in Content-Encoding even if it happens to be the same 2206 algorithm as one of the content codings. Such a content coding would 2207 only be listed if, for some bizarre reason, it is applied a second 2208 time to form the representation. Likewise, an origin server might 2209 choose to publish the same data as multiple representations that 2210 differ only in whether the coding is defined as part of Content-Type 2211 or Content-Encoding, since some user agents will behave differently 2212 in their handling of each response (e.g., open a "Save as ..." dialog 2213 instead of automatic decompression and rendering of content). 2215 An origin server MAY respond with a status code of 415 (Unsupported 2216 Media Type) if a representation in the request message has a content 2217 coding that is not acceptable. 2219 6.2.3. Content-Language 2221 The "Content-Language" header field describes the natural language(s) 2222 of the intended audience for the representation. Note that this 2223 might not be equivalent to all the languages used within the 2224 representation. 2226 Content-Language = 1#language-tag 2228 Language tags are defined in Section 6.1.3. The primary purpose of 2229 Content-Language is to allow a user to identify and differentiate 2230 representations according to the users' own preferred language. 2231 Thus, if the content is intended only for a Danish-literate audience, 2232 the appropriate field is 2234 Content-Language: da 2236 If no Content-Language is specified, the default is that the content 2237 is intended for all language audiences. This might mean that the 2238 sender does not consider it to be specific to any natural language, 2239 or that the sender does not know for which language it is intended. 2241 Multiple languages MAY be listed for content that is intended for 2242 multiple audiences. For example, a rendition of the "Treaty of 2243 Waitangi", presented simultaneously in the original Maori and English 2244 versions, would call for 2246 Content-Language: mi, en 2248 However, just because multiple languages are present within a 2249 representation does not mean that it is intended for multiple 2250 linguistic audiences. An example would be a beginner's language 2251 primer, such as "A First Lesson in Latin", which is clearly intended 2252 to be used by an English-literate audience. In this case, the 2253 Content-Language would properly only include "en". 2255 Content-Language MAY be applied to any media type -- it is not 2256 limited to textual documents. 2258 6.2.4. Content-Length 2260 [[CREF4: The "Content-Length" header field indicates the number of 2261 data octets (body length) for the representation. In some cases, 2262 Content-Length is used to define or estimate message framing. ]] 2264 Content-Length = 1*DIGIT 2266 An example is 2268 Content-Length: 3495 2270 A sender MUST NOT send a Content-Length header field in any message 2271 that contains a Transfer-Encoding header field. 2273 A user agent SHOULD send a Content-Length in a request message when 2274 no Transfer-Encoding is sent and the request method defines a meaning 2275 for an enclosed payload body. For example, a Content-Length header 2276 field is normally sent in a POST request even when the value is 0 2277 (indicating an empty payload body). A user agent SHOULD NOT send a 2278 Content-Length header field when the request message does not contain 2279 a payload body and the method semantics do not anticipate such a 2280 body. 2282 A server MAY send a Content-Length header field in a response to a 2283 HEAD request (Section 7.3.2); a server MUST NOT send Content-Length 2284 in such a response unless its field-value equals the decimal number 2285 of octets that would have been sent in the payload body of a response 2286 if the same request had used the GET method. 2288 A server MAY send a Content-Length header field in a 304 (Not 2289 Modified) response to a conditional GET request (Section 9.4.5); a 2290 server MUST NOT send Content-Length in such a response unless its 2291 field-value equals the decimal number of octets that would have been 2292 sent in the payload body of a 200 (OK) response to the same request. 2294 A server MUST NOT send a Content-Length header field in any response 2295 with a status code of 1xx (Informational) or 204 (No Content). A 2296 server MUST NOT send a Content-Length header field in any 2xx 2297 (Successful) response to a CONNECT request (Section 7.3.6). 2299 Aside from the cases defined above, in the absence of Transfer- 2300 Encoding, an origin server SHOULD send a Content-Length header field 2301 when the payload body size is known prior to sending the complete 2302 header section. This will allow downstream recipients to measure 2303 transfer progress, know when a received message is complete, and 2304 potentially reuse the connection for additional requests. 2306 Any Content-Length field value greater than or equal to zero is 2307 valid. Since there is no predefined limit to the length of a 2308 payload, a recipient MUST anticipate potentially large decimal 2309 numerals and prevent parsing errors due to integer conversion 2310 overflows (Section 12.5). 2312 If a message is received that has multiple Content-Length header 2313 fields with field-values consisting of the same decimal value, or a 2314 single Content-Length header field with a field value containing a 2315 list of identical decimal values (e.g., "Content-Length: 42, 42"), 2316 indicating that duplicate Content-Length header fields have been 2317 generated or combined by an upstream message processor, then the 2318 recipient MUST either reject the message as invalid or replace the 2319 duplicated field-values with a single valid Content-Length field 2320 containing that decimal value prior to determining the message body 2321 length or forwarding the message. 2323 6.2.5. Content-Location 2325 The "Content-Location" header field references a URI that can be used 2326 as an identifier for a specific resource corresponding to the 2327 representation in this message's payload. In other words, if one 2328 were to perform a GET request on this URI at the time of this 2329 message's generation, then a 200 (OK) response would contain the same 2330 representation that is enclosed as payload in this message. 2332 Content-Location = absolute-URI / partial-URI 2334 The Content-Location value is not a replacement for the effective 2335 Request URI (Section 5.3). It is representation metadata. It has 2336 the same syntax and semantics as the header field of the same name 2337 defined for MIME body parts in Section 4 of [RFC2557]. However, its 2338 appearance in an HTTP message has some special implications for HTTP 2339 recipients. 2341 If Content-Location is included in a 2xx (Successful) response 2342 message and its value refers (after conversion to absolute form) to a 2343 URI that is the same as the effective request URI, then the recipient 2344 MAY consider the payload to be a current representation of that 2345 resource at the time indicated by the message origination date. For 2346 a GET (Section 7.3.1) or HEAD (Section 7.3.2) request, this is the 2347 same as the default semantics when no Content-Location is provided by 2348 the server. For a state-changing request like PUT (Section 7.3.4) or 2349 POST (Section 7.3.3), it implies that the server's response contains 2350 the new representation of that resource, thereby distinguishing it 2351 from representations that might only report about the action (e.g., 2352 "It worked!"). This allows authoring applications to update their 2353 local copies without the need for a subsequent GET request. 2355 If Content-Location is included in a 2xx (Successful) response 2356 message and its field-value refers to a URI that differs from the 2357 effective request URI, then the origin server claims that the URI is 2358 an identifier for a different resource corresponding to the enclosed 2359 representation. Such a claim can only be trusted if both identifiers 2360 share the same resource owner, which cannot be programmatically 2361 determined via HTTP. 2363 o For a response to a GET or HEAD request, this is an indication 2364 that the effective request URI refers to a resource that is 2365 subject to content negotiation and the Content-Location field- 2366 value is a more specific identifier for the selected 2367 representation. 2369 o For a 201 (Created) response to a state-changing method, a 2370 Content-Location field-value that is identical to the Location 2371 field-value indicates that this payload is a current 2372 representation of the newly created resource. 2374 o Otherwise, such a Content-Location indicates that this payload is 2375 a representation reporting on the requested action's status and 2376 that the same report is available (for future access with GET) at 2377 the given URI. For example, a purchase transaction made via a 2378 POST request might include a receipt document as the payload of 2379 the 200 (OK) response; the Content-Location field-value provides 2380 an identifier for retrieving a copy of that same receipt in the 2381 future. 2383 A user agent that sends Content-Location in a request message is 2384 stating that its value refers to where the user agent originally 2385 obtained the content of the enclosed representation (prior to any 2386 modifications made by that user agent). In other words, the user 2387 agent is providing a back link to the source of the original 2388 representation. 2390 An origin server that receives a Content-Location field in a request 2391 message MUST treat the information as transitory request context 2392 rather than as metadata to be saved verbatim as part of the 2393 representation. An origin server MAY use that context to guide in 2394 processing the request or to save it for other uses, such as within 2395 source links or versioning metadata. However, an origin server MUST 2396 NOT use such context information to alter the request semantics. 2398 For example, if a client makes a PUT request on a negotiated resource 2399 and the origin server accepts that PUT (without redirection), then 2400 the new state of that resource is expected to be consistent with the 2401 one representation supplied in that PUT; the Content-Location cannot 2402 be used as a form of reverse content selection identifier to update 2403 only one of the negotiated representations. If the user agent had 2404 wanted the latter semantics, it would have applied the PUT directly 2405 to the Content-Location URI. 2407 6.3. Payload 2409 Some HTTP messages transfer a complete or partial representation as 2410 the message "payload". In some cases, a payload might contain only 2411 the associated representation's header fields (e.g., responses to 2412 HEAD) or only some part(s) of the representation data (e.g., the 206 2413 (Partial Content) status code). 2415 Header fields that specifically describe the payload, rather than the 2416 associated representation, are referred to as "payload header 2417 fields". Payload header fields are defined in other parts of this 2418 specification, due to their impact on message parsing. 2420 +-------------------+----------------------------+ 2421 | Header Field Name | Defined in... | 2422 +-------------------+----------------------------+ 2423 | Content-Range | Section 6.3.3 | 2424 | Trailer | Section 4.4 | 2425 | Transfer-Encoding | Section 6.1 of [Messaging] | 2426 +-------------------+----------------------------+ 2428 6.3.1. Purpose 2430 The purpose of a payload in a request is defined by the method 2431 semantics. For example, a representation in the payload of a PUT 2432 request (Section 7.3.4) represents the desired state of the target 2433 resource if the request is successfully applied, whereas a 2434 representation in the payload of a POST request (Section 7.3.3) 2435 represents information to be processed by the target resource. 2437 In a response, the payload's purpose is defined by both the request 2438 method and the response status code. For example, the payload of a 2439 200 (OK) response to GET (Section 7.3.1) represents the current state 2440 of the target resource, as observed at the time of the message 2441 origination date (Section 10.1.1.2), whereas the payload of the same 2442 status code in a response to POST might represent either the 2443 processing result or the new state of the target resource after 2444 applying the processing. Response messages with an error status code 2445 usually contain a payload that represents the error condition, such 2446 that it describes the error state and what next steps are suggested 2447 for resolving it. 2449 6.3.2. Identification 2451 When a complete or partial representation is transferred in a message 2452 payload, it is often desirable for the sender to supply, or the 2453 recipient to determine, an identifier for a resource corresponding to 2454 that representation. 2456 For a request message: 2458 o If the request has a Content-Location header field, then the 2459 sender asserts that the payload is a representation of the 2460 resource identified by the Content-Location field-value. However, 2461 such an assertion cannot be trusted unless it can be verified by 2462 other means (not defined by this specification). The information 2463 might still be useful for revision history links. 2465 o Otherwise, the payload is unidentified. 2467 For a response message, the following rules are applied in order 2468 until a match is found: 2470 1. If the request method is GET or HEAD and the response status code 2471 is 200 (OK), 204 (No Content), 206 (Partial Content), or 304 (Not 2472 Modified), the payload is a representation of the resource 2473 identified by the effective request URI (Section 5.3). 2475 2. If the request method is GET or HEAD and the response status code 2476 is 203 (Non-Authoritative Information), the payload is a 2477 potentially modified or enhanced representation of the target 2478 resource as provided by an intermediary. 2480 3. If the response has a Content-Location header field and its 2481 field-value is a reference to the same URI as the effective 2482 request URI, the payload is a representation of the resource 2483 identified by the effective request URI. 2485 4. If the response has a Content-Location header field and its 2486 field-value is a reference to a URI different from the effective 2487 request URI, then the sender asserts that the payload is a 2488 representation of the resource identified by the Content-Location 2489 field-value. However, such an assertion cannot be trusted unless 2490 it can be verified by other means (not defined by this 2491 specification). 2493 5. Otherwise, the payload is unidentified. 2495 6.3.3. Content-Range 2497 The "Content-Range" header field is sent in a single part 206 2498 (Partial Content) response to indicate the partial range of the 2499 selected representation enclosed as the message payload, sent in each 2500 part of a multipart 206 response to indicate the range enclosed 2501 within each body part, and sent in 416 (Range Not Satisfiable) 2502 responses to provide information about the selected representation. 2504 Content-Range = byte-content-range 2505 / other-content-range 2507 byte-content-range = bytes-unit SP 2508 ( byte-range-resp / unsatisfied-range ) 2510 byte-range-resp = byte-range "/" ( complete-length / "*" ) 2511 byte-range = first-byte-pos "-" last-byte-pos 2512 unsatisfied-range = "*/" complete-length 2514 complete-length = 1*DIGIT 2516 other-content-range = other-range-unit SP other-range-resp 2517 other-range-resp = *VCHAR 2519 If a 206 (Partial Content) response contains a Content-Range header 2520 field with a range unit (Section 6.1.4) that the recipient does not 2521 understand, the recipient MUST NOT attempt to recombine it with a 2522 stored representation. A proxy that receives such a message SHOULD 2523 forward it downstream. 2525 For byte ranges, a sender SHOULD indicate the complete length of the 2526 representation from which the range has been extracted, unless the 2527 complete length is unknown or difficult to determine. An asterisk 2528 character ("*") in place of the complete-length indicates that the 2529 representation length was unknown when the header field was 2530 generated. 2532 The following example illustrates when the complete length of the 2533 selected representation is known by the sender to be 1234 bytes: 2535 Content-Range: bytes 42-1233/1234 2537 and this second example illustrates when the complete length is 2538 unknown: 2540 Content-Range: bytes 42-1233/* 2542 A Content-Range field value is invalid if it contains a byte-range- 2543 resp that has a last-byte-pos value less than its first-byte-pos 2544 value, or a complete-length value less than or equal to its last- 2545 byte-pos value. The recipient of an invalid Content-Range MUST NOT 2546 attempt to recombine the received content with a stored 2547 representation. 2549 A server generating a 416 (Range Not Satisfiable) response to a byte- 2550 range request SHOULD send a Content-Range header field with an 2551 unsatisfied-range value, as in the following example: 2553 Content-Range: bytes */1234 2555 The complete-length in a 416 response indicates the current length of 2556 the selected representation. 2558 The Content-Range header field has no meaning for status codes that 2559 do not explicitly describe its semantic. For this specification, 2560 only the 206 (Partial Content) and 416 (Range Not Satisfiable) status 2561 codes describe a meaning for Content-Range. 2563 The following are examples of Content-Range values in which the 2564 selected representation contains a total of 1234 bytes: 2566 o The first 500 bytes: 2568 Content-Range: bytes 0-499/1234 2570 o The second 500 bytes: 2572 Content-Range: bytes 500-999/1234 2574 o All except for the first 500 bytes: 2576 Content-Range: bytes 500-1233/1234 2578 o The last 500 bytes: 2580 Content-Range: bytes 734-1233/1234 2582 6.3.4. Media Type multipart/byteranges 2584 When a 206 (Partial Content) response message includes the content of 2585 multiple ranges, they are transmitted as body parts in a multipart 2586 message body ([RFC2046], Section 5.1) with the media type of 2587 "multipart/byteranges". 2589 The multipart/byteranges media type includes one or more body parts, 2590 each with its own Content-Type and Content-Range fields. The 2591 required boundary parameter specifies the boundary string used to 2592 separate each body part. 2594 Implementation Notes: 2596 1. Additional CRLFs might precede the first boundary string in the 2597 body. 2599 2. Although [RFC2046] permits the boundary string to be quoted, some 2600 existing implementations handle a quoted boundary string 2601 incorrectly. 2603 3. A number of clients and servers were coded to an early draft of 2604 the byteranges specification that used a media type of multipart/ 2605 x-byteranges, which is almost (but not quite) compatible with 2606 this type. 2608 Despite the name, the "multipart/byteranges" media type is not 2609 limited to byte ranges. The following example uses an "exampleunit" 2610 range unit: 2612 HTTP/1.1 206 Partial Content 2613 Date: Tue, 14 Nov 1995 06:25:24 GMT 2614 Last-Modified: Tue, 14 July 04:58:08 GMT 2615 Content-Length: 2331785 2616 Content-Type: multipart/byteranges; boundary=THIS_STRING_SEPARATES 2618 --THIS_STRING_SEPARATES 2619 Content-Type: video/example 2620 Content-Range: exampleunit 1.2-4.3/25 2622 ...the first range... 2623 --THIS_STRING_SEPARATES 2624 Content-Type: video/example 2625 Content-Range: exampleunit 11.2-14.3/25 2627 ...the second range 2628 --THIS_STRING_SEPARATES-- 2630 The following information serves as the registration form for the 2631 multipart/byteranges media type. 2633 Type name: multipart 2635 Subtype name: byteranges 2636 Required parameters: boundary 2638 Optional parameters: N/A 2640 Encoding considerations: only "7bit", "8bit", or "binary" are 2641 permitted 2643 Security considerations: see Section 12 2645 Interoperability considerations: N/A 2647 Published specification: This specification (see Section 6.3.4). 2649 Applications that use this media type: HTTP components supporting 2650 multiple ranges in a single request. 2652 Fragment identifier considerations: N/A 2654 Additional information: 2656 Deprecated alias names for this type: N/A 2658 Magic number(s): N/A 2660 File extension(s): N/A 2662 Macintosh file type code(s): N/A 2664 Person and email address to contact for further information: See Aut 2665 hors' Addresses section. 2667 Intended usage: COMMON 2669 Restrictions on usage: N/A 2671 Author: See Authors' Addresses section. 2673 Change controller: IESG 2675 6.4. Content Negotiation 2677 When responses convey payload information, whether indicating a 2678 success or an error, the origin server often has different ways of 2679 representing that information; for example, in different formats, 2680 languages, or encodings. Likewise, different users or user agents 2681 might have differing capabilities, characteristics, or preferences 2682 that could influence which representation, among those available, 2683 would be best to deliver. For this reason, HTTP provides mechanisms 2684 for content negotiation. 2686 This specification defines two patterns of content negotiation that 2687 can be made visible within the protocol: "proactive", where the 2688 server selects the representation based upon the user agent's stated 2689 preferences, and "reactive" negotiation, where the server provides a 2690 list of representations for the user agent to choose from. Other 2691 patterns of content negotiation include "conditional content", where 2692 the representation consists of multiple parts that are selectively 2693 rendered based on user agent parameters, "active content", where the 2694 representation contains a script that makes additional (more 2695 specific) requests based on the user agent characteristics, and 2696 "Transparent Content Negotiation" ([RFC2295]), where content 2697 selection is performed by an intermediary. These patterns are not 2698 mutually exclusive, and each has trade-offs in applicability and 2699 practicality. 2701 Note that, in all cases, HTTP is not aware of the resource semantics. 2702 The consistency with which an origin server responds to requests, 2703 over time and over the varying dimensions of content negotiation, and 2704 thus the "sameness" of a resource's observed representations over 2705 time, is determined entirely by whatever entity or algorithm selects 2706 or generates those responses. HTTP pays no attention to the man 2707 behind the curtain. 2709 6.4.1. Proactive Negotiation 2711 When content negotiation preferences are sent by the user agent in a 2712 request to encourage an algorithm located at the server to select the 2713 preferred representation, it is called proactive negotiation (a.k.a., 2714 server-driven negotiation). Selection is based on the available 2715 representations for a response (the dimensions over which it might 2716 vary, such as language, content-coding, etc.) compared to various 2717 information supplied in the request, including both the explicit 2718 negotiation fields of Section 8.4 and implicit characteristics, such 2719 as the client's network address or parts of the User-Agent field. 2721 Proactive negotiation is advantageous when the algorithm for 2722 selecting from among the available representations is difficult to 2723 describe to a user agent, or when the server desires to send its 2724 "best guess" to the user agent along with the first response (hoping 2725 to avoid the round trip delay of a subsequent request if the "best 2726 guess" is good enough for the user). In order to improve the 2727 server's guess, a user agent MAY send request header fields that 2728 describe its preferences. 2730 Proactive negotiation has serious disadvantages: 2732 o It is impossible for the server to accurately determine what might 2733 be "best" for any given user, since that would require complete 2734 knowledge of both the capabilities of the user agent and the 2735 intended use for the response (e.g., does the user want to view it 2736 on screen or print it on paper?); 2738 o Having the user agent describe its capabilities in every request 2739 can be both very inefficient (given that only a small percentage 2740 of responses have multiple representations) and a potential risk 2741 to the user's privacy; 2743 o It complicates the implementation of an origin server and the 2744 algorithms for generating responses to a request; and, 2746 o It limits the reusability of responses for shared caching. 2748 A user agent cannot rely on proactive negotiation preferences being 2749 consistently honored, since the origin server might not implement 2750 proactive negotiation for the requested resource or might decide that 2751 sending a response that doesn't conform to the user agent's 2752 preferences is better than sending a 406 (Not Acceptable) response. 2754 A Vary header field (Section 10.1.4) is often sent in a response 2755 subject to proactive negotiation to indicate what parts of the 2756 request information were used in the selection algorithm. 2758 6.4.2. Reactive Negotiation 2760 With reactive negotiation (a.k.a., agent-driven negotiation), 2761 selection of the best response representation (regardless of the 2762 status code) is performed by the user agent after receiving an 2763 initial response from the origin server that contains a list of 2764 resources for alternative representations. If the user agent is not 2765 satisfied by the initial response representation, it can perform a 2766 GET request on one or more of the alternative resources, selected 2767 based on metadata included in the list, to obtain a different form of 2768 representation for that response. Selection of alternatives might be 2769 performed automatically by the user agent or manually by the user 2770 selecting from a generated (possibly hypertext) menu. 2772 Note that the above refers to representations of the response, in 2773 general, not representations of the resource. The alternative 2774 representations are only considered representations of the target 2775 resource if the response in which those alternatives are provided has 2776 the semantics of being a representation of the target resource (e.g., 2777 a 200 (OK) response to a GET request) or has the semantics of 2778 providing links to alternative representations for the target 2779 resource (e.g., a 300 (Multiple Choices) response to a GET request). 2781 A server might choose not to send an initial representation, other 2782 than the list of alternatives, and thereby indicate that reactive 2783 negotiation by the user agent is preferred. For example, the 2784 alternatives listed in responses with the 300 (Multiple Choices) and 2785 406 (Not Acceptable) status codes include information about the 2786 available representations so that the user or user agent can react by 2787 making a selection. 2789 Reactive negotiation is advantageous when the response would vary 2790 over commonly used dimensions (such as type, language, or encoding), 2791 when the origin server is unable to determine a user agent's 2792 capabilities from examining the request, and generally when public 2793 caches are used to distribute server load and reduce network usage. 2795 Reactive negotiation suffers from the disadvantages of transmitting a 2796 list of alternatives to the user agent, which degrades user-perceived 2797 latency if transmitted in the header section, and needing a second 2798 request to obtain an alternate representation. Furthermore, this 2799 specification does not define a mechanism for supporting automatic 2800 selection, though it does not prevent such a mechanism from being 2801 developed as an extension. 2803 7. Request Methods 2805 7.1. Overview 2807 The request method token is the primary source of request semantics; 2808 it indicates the purpose for which the client has made this request 2809 and what is expected by the client as a successful result. 2811 The request method's semantics might be further specialized by the 2812 semantics of some header fields when present in a request (Section 8) 2813 if those additional semantics do not conflict with the method. For 2814 example, a client can send conditional request header fields 2815 (Section 8.2) to make the requested action conditional on the current 2816 state of the target resource. 2818 method = token 2820 HTTP was originally designed to be usable as an interface to 2821 distributed object systems. The request method was envisioned as 2822 applying semantics to a target resource in much the same way as 2823 invoking a defined method on an identified object would apply 2824 semantics. 2826 The method token is case-sensitive because it might be used as a 2827 gateway to object-based systems with case-sensitive method names. By 2828 convention, standardized methods are defined in all-uppercase US- 2829 ASCII letters. 2831 Unlike distributed objects, the standardized request methods in HTTP 2832 are not resource-specific, since uniform interfaces provide for 2833 better visibility and reuse in network-based systems [REST]. Once 2834 defined, a standardized method ought to have the same semantics when 2835 applied to any resource, though each resource determines for itself 2836 whether those semantics are implemented or allowed. 2838 This specification defines a number of standardized methods that are 2839 commonly used in HTTP, as outlined by the following table. 2841 +---------+-------------------------------------------------+-------+ 2842 | Method | Description | Sec. | 2843 +---------+-------------------------------------------------+-------+ 2844 | GET | Transfer a current representation of the target | 7.3.1 | 2845 | | resource. | | 2846 | HEAD | Same as GET, but only transfer the status line | 7.3.2 | 2847 | | and header section. | | 2848 | POST | Perform resource-specific processing on the | 7.3.3 | 2849 | | request payload. | | 2850 | PUT | Replace all current representations of the | 7.3.4 | 2851 | | target resource with the request payload. | | 2852 | DELETE | Remove all current representations of the | 7.3.5 | 2853 | | target resource. | | 2854 | CONNECT | Establish a tunnel to the server identified by | 7.3.6 | 2855 | | the target resource. | | 2856 | OPTIONS | Describe the communication options for the | 7.3.7 | 2857 | | target resource. | | 2858 | TRACE | Perform a message loop-back test along the path | 7.3.8 | 2859 | | to the target resource. | | 2860 +---------+-------------------------------------------------+-------+ 2862 All general-purpose servers MUST support the methods GET and HEAD. 2863 All other methods are OPTIONAL. 2865 The set of methods allowed by a target resource can be listed in an 2866 Allow header field (Section 10.4.2). However, the set of allowed 2867 methods can change dynamically. When a request method is received 2868 that is unrecognized or not implemented by an origin server, the 2869 origin server SHOULD respond with the 501 (Not Implemented) status 2870 code. When a request method is received that is known by an origin 2871 server but not allowed for the target resource, the origin server 2872 SHOULD respond with the 405 (Method Not Allowed) status code. 2874 7.2. Common Method Properties 2876 +---------+------+------------+----------------+ 2877 | Method | Safe | Idempotent | Reference | 2878 +---------+------+------------+----------------+ 2879 | CONNECT | no | no | Section 7.3.6 | 2880 | DELETE | no | yes | Section 7.3.5 | 2881 | GET | yes | yes | Section 7.3.1 | 2882 | HEAD | yes | yes | Section 7.3.2 | 2883 | OPTIONS | yes | yes | Section 7.3.7 | 2884 | POST | no | no | Section 7.3.3 | 2885 | PUT | no | yes | Section 7.3.4 | 2886 | TRACE | yes | yes | Section 7.3.8 | 2887 +---------+------+------------+----------------+ 2889 7.2.1. Safe Methods 2891 Request methods are considered "safe" if their defined semantics are 2892 essentially read-only; i.e., the client does not request, and does 2893 not expect, any state change on the origin server as a result of 2894 applying a safe method to a target resource. Likewise, reasonable 2895 use of a safe method is not expected to cause any harm, loss of 2896 property, or unusual burden on the origin server. 2898 This definition of safe methods does not prevent an implementation 2899 from including behavior that is potentially harmful, that is not 2900 entirely read-only, or that causes side effects while invoking a safe 2901 method. What is important, however, is that the client did not 2902 request that additional behavior and cannot be held accountable for 2903 it. For example, most servers append request information to access 2904 log files at the completion of every response, regardless of the 2905 method, and that is considered safe even though the log storage might 2906 become full and crash the server. Likewise, a safe request initiated 2907 by selecting an advertisement on the Web will often have the side 2908 effect of charging an advertising account. 2910 Of the request methods defined by this specification, the GET, HEAD, 2911 OPTIONS, and TRACE methods are defined to be safe. 2913 The purpose of distinguishing between safe and unsafe methods is to 2914 allow automated retrieval processes (spiders) and cache performance 2915 optimization (pre-fetching) to work without fear of causing harm. In 2916 addition, it allows a user agent to apply appropriate constraints on 2917 the automated use of unsafe methods when processing potentially 2918 untrusted content. 2920 A user agent SHOULD distinguish between safe and unsafe methods when 2921 presenting potential actions to a user, such that the user can be 2922 made aware of an unsafe action before it is requested. 2924 When a resource is constructed such that parameters within the 2925 effective request URI have the effect of selecting an action, it is 2926 the resource owner's responsibility to ensure that the action is 2927 consistent with the request method semantics. For example, it is 2928 common for Web-based content editing software to use actions within 2929 query parameters, such as "page?do=delete". If the purpose of such a 2930 resource is to perform an unsafe action, then the resource owner MUST 2931 disable or disallow that action when it is accessed using a safe 2932 request method. Failure to do so will result in unfortunate side 2933 effects when automated processes perform a GET on every URI reference 2934 for the sake of link maintenance, pre-fetching, building a search 2935 index, etc. 2937 7.2.2. Idempotent Methods 2939 A request method is considered "idempotent" if the intended effect on 2940 the server of multiple identical requests with that method is the 2941 same as the effect for a single such request. Of the request methods 2942 defined by this specification, PUT, DELETE, and safe request methods 2943 are idempotent. 2945 Like the definition of safe, the idempotent property only applies to 2946 what has been requested by the user; a server is free to log each 2947 request separately, retain a revision control history, or implement 2948 other non-idempotent side effects for each idempotent request. 2950 Idempotent methods are distinguished because the request can be 2951 repeated automatically if a communication failure occurs before the 2952 client is able to read the server's response. For example, if a 2953 client sends a PUT request and the underlying connection is closed 2954 before any response is received, then the client can establish a new 2955 connection and retry the idempotent request. It knows that repeating 2956 the request will have the same intended effect, even if the original 2957 request succeeded, though the response might differ. 2959 7.2.3. Cacheable Methods 2961 Request methods can be defined as "cacheable" to indicate that 2962 responses to them are allowed to be stored for future reuse; for 2963 specific requirements see [Caching]. In general, safe methods that 2964 do not depend on a current or authoritative response are defined as 2965 cacheable; this specification defines GET, HEAD, and POST as 2966 cacheable, although the overwhelming majority of cache 2967 implementations only support GET and HEAD. 2969 7.3. Method Definitions 2971 7.3.1. GET 2973 The GET method requests transfer of a current selected representation 2974 for the target resource. GET is the primary mechanism of information 2975 retrieval and the focus of almost all performance optimizations. 2976 Hence, when people speak of retrieving some identifiable information 2977 via HTTP, they are generally referring to making a GET request. 2979 It is tempting to think of resource identifiers as remote file system 2980 pathnames and of representations as being a copy of the contents of 2981 such files. In fact, that is how many resources are implemented (see 2982 Section 12.3 for related security considerations). However, there 2983 are no such limitations in practice. The HTTP interface for a 2984 resource is just as likely to be implemented as a tree of content 2985 objects, a programmatic view on various database records, or a 2986 gateway to other information systems. Even when the URI mapping 2987 mechanism is tied to a file system, an origin server might be 2988 configured to execute the files with the request as input and send 2989 the output as the representation rather than transfer the files 2990 directly. Regardless, only the origin server needs to know how each 2991 of its resource identifiers corresponds to an implementation and how 2992 each implementation manages to select and send a current 2993 representation of the target resource in a response to GET. 2995 A client can alter the semantics of GET to be a "range request", 2996 requesting transfer of only some part(s) of the selected 2997 representation, by sending a Range header field in the request 2998 (Section 8.3). 3000 A payload within a GET request message has no defined semantics; 3001 sending a payload body on a GET request might cause some existing 3002 implementations to reject the request. 3004 The response to a GET request is cacheable; a cache MAY use it to 3005 satisfy subsequent GET and HEAD requests unless otherwise indicated 3006 by the Cache-Control header field (Section 5.2 of [Caching]). 3008 7.3.2. HEAD 3010 The HEAD method is identical to GET except that the server MUST NOT 3011 send a message body in the response (i.e., the response terminates at 3012 the end of the header section). The server SHOULD send the same 3013 header fields in response to a HEAD request as it would have sent if 3014 the request had been a GET, except that the payload header fields 3015 (Section 6.3) MAY be omitted. This method can be used for obtaining 3016 metadata about the selected representation without transferring the 3017 representation data and is often used for testing hypertext links for 3018 validity, accessibility, and recent modification. 3020 A payload within a HEAD request message has no defined semantics; 3021 sending a payload body on a HEAD request might cause some existing 3022 implementations to reject the request. 3024 The response to a HEAD request is cacheable; a cache MAY use it to 3025 satisfy subsequent HEAD requests unless otherwise indicated by the 3026 Cache-Control header field (Section 5.2 of [Caching]). A HEAD 3027 response might also have an effect on previously cached responses to 3028 GET; see Section 4.3.5 of [Caching]. 3030 7.3.3. POST 3032 The POST method requests that the target resource process the 3033 representation enclosed in the request according to the resource's 3034 own specific semantics. For example, POST is used for the following 3035 functions (among others): 3037 o Providing a block of data, such as the fields entered into an HTML 3038 form, to a data-handling process; 3040 o Posting a message to a bulletin board, newsgroup, mailing list, 3041 blog, or similar group of articles; 3043 o Creating a new resource that has yet to be identified by the 3044 origin server; and 3046 o Appending data to a resource's existing representation(s). 3048 An origin server indicates response semantics by choosing an 3049 appropriate status code depending on the result of processing the 3050 POST request; almost all of the status codes defined by this 3051 specification might be received in a response to POST (the exceptions 3052 being 206 (Partial Content), 304 (Not Modified), and 416 (Range Not 3053 Satisfiable)). 3055 If one or more resources has been created on the origin server as a 3056 result of successfully processing a POST request, the origin server 3057 SHOULD send a 201 (Created) response containing a Location header 3058 field that provides an identifier for the primary resource created 3059 (Section 10.1.2) and a representation that describes the status of 3060 the request while referring to the new resource(s). 3062 Responses to POST requests are only cacheable when they include 3063 explicit freshness information (see Section 4.2.1 of [Caching]) and a 3064 Content-Location header field that has the same value as the POST's 3065 effective request URI (Section 6.2.5). A cached POST response can be 3066 reused to satisfy a later GET or HEAD request, but not a POST 3067 request, since POST is required to be written through to the origin 3068 server, because it is unsafe; see Section 4 of [Caching]. 3070 If the result of processing a POST would be equivalent to a 3071 representation of an existing resource, an origin server MAY redirect 3072 the user agent to that resource by sending a 303 (See Other) response 3073 with the existing resource's identifier in the Location field. This 3074 has the benefits of providing the user agent a resource identifier 3075 and transferring the representation via a method more amenable to 3076 shared caching, though at the cost of an extra request if the user 3077 agent does not already have the representation cached. 3079 7.3.4. PUT 3081 The PUT method requests that the state of the target resource be 3082 created or replaced with the state defined by the representation 3083 enclosed in the request message payload. A successful PUT of a given 3084 representation would suggest that a subsequent GET on that same 3085 target resource will result in an equivalent representation being 3086 sent in a 200 (OK) response. However, there is no guarantee that 3087 such a state change will be observable, since the target resource 3088 might be acted upon by other user agents in parallel, or might be 3089 subject to dynamic processing by the origin server, before any 3090 subsequent GET is received. A successful response only implies that 3091 the user agent's intent was achieved at the time of its processing by 3092 the origin server. 3094 If the target resource does not have a current representation and the 3095 PUT successfully creates one, then the origin server MUST inform the 3096 user agent by sending a 201 (Created) response. If the target 3097 resource does have a current representation and that representation 3098 is successfully modified in accordance with the state of the enclosed 3099 representation, then the origin server MUST send either a 200 (OK) or 3100 a 204 (No Content) response to indicate successful completion of the 3101 request. 3103 An origin server SHOULD ignore unrecognized header fields received in 3104 a PUT request (i.e., do not save them as part of the resource state). 3106 An origin server SHOULD verify that the PUT representation is 3107 consistent with any constraints the server has for the target 3108 resource that cannot or will not be changed by the PUT. This is 3109 particularly important when the origin server uses internal 3110 configuration information related to the URI in order to set the 3111 values for representation metadata on GET responses. When a PUT 3112 representation is inconsistent with the target resource, the origin 3113 server SHOULD either make them consistent, by transforming the 3114 representation or changing the resource configuration, or respond 3115 with an appropriate error message containing sufficient information 3116 to explain why the representation is unsuitable. The 409 (Conflict) 3117 or 415 (Unsupported Media Type) status codes are suggested, with the 3118 latter being specific to constraints on Content-Type values. 3120 For example, if the target resource is configured to always have a 3121 Content-Type of "text/html" and the representation being PUT has a 3122 Content-Type of "image/jpeg", the origin server ought to do one of: 3124 a. reconfigure the target resource to reflect the new media type; 3126 b. transform the PUT representation to a format consistent with that 3127 of the resource before saving it as the new resource state; or, 3129 c. reject the request with a 415 (Unsupported Media Type) response 3130 indicating that the target resource is limited to "text/html", 3131 perhaps including a link to a different resource that would be a 3132 suitable target for the new representation. 3134 HTTP does not define exactly how a PUT method affects the state of an 3135 origin server beyond what can be expressed by the intent of the user 3136 agent request and the semantics of the origin server response. It 3137 does not define what a resource might be, in any sense of that word, 3138 beyond the interface provided via HTTP. It does not define how 3139 resource state is "stored", nor how such storage might change as a 3140 result of a change in resource state, nor how the origin server 3141 translates resource state into representations. Generally speaking, 3142 all implementation details behind the resource interface are 3143 intentionally hidden by the server. 3145 An origin server MUST NOT send a validator header field 3146 (Section 10.2), such as an ETag or Last-Modified field, in a 3147 successful response to PUT unless the request's representation data 3148 was saved without any transformation applied to the body (i.e., the 3149 resource's new representation data is identical to the representation 3150 data received in the PUT request) and the validator field value 3151 reflects the new representation. This requirement allows a user 3152 agent to know when the representation body it has in memory remains 3153 current as a result of the PUT, thus not in need of being retrieved 3154 again from the origin server, and that the new validator(s) received 3155 in the response can be used for future conditional requests in order 3156 to prevent accidental overwrites (Section 8.2). 3158 The fundamental difference between the POST and PUT methods is 3159 highlighted by the different intent for the enclosed representation. 3160 The target resource in a POST request is intended to handle the 3161 enclosed representation according to the resource's own semantics, 3162 whereas the enclosed representation in a PUT request is defined as 3163 replacing the state of the target resource. Hence, the intent of PUT 3164 is idempotent and visible to intermediaries, even though the exact 3165 effect is only known by the origin server. 3167 Proper interpretation of a PUT request presumes that the user agent 3168 knows which target resource is desired. A service that selects a 3169 proper URI on behalf of the client, after receiving a state-changing 3170 request, SHOULD be implemented using the POST method rather than PUT. 3171 If the origin server will not make the requested PUT state change to 3172 the target resource and instead wishes to have it applied to a 3173 different resource, such as when the resource has been moved to a 3174 different URI, then the origin server MUST send an appropriate 3xx 3175 (Redirection) response; the user agent MAY then make its own decision 3176 regarding whether or not to redirect the request. 3178 A PUT request applied to the target resource can have side effects on 3179 other resources. For example, an article might have a URI for 3180 identifying "the current version" (a resource) that is separate from 3181 the URIs identifying each particular version (different resources 3182 that at one point shared the same state as the current version 3183 resource). A successful PUT request on "the current version" URI 3184 might therefore create a new version resource in addition to changing 3185 the state of the target resource, and might also cause links to be 3186 added between the related resources. 3188 An origin server that allows PUT on a given target resource MUST send 3189 a 400 (Bad Request) response to a PUT request that contains a 3190 Content-Range header field (Section 6.3.3), since the payload is 3191 likely to be partial content that has been mistakenly PUT as a full 3192 representation. Partial content updates are possible by targeting a 3193 separately identified resource with state that overlaps a portion of 3194 the larger resource, or by using a different method that has been 3195 specifically defined for partial updates (for example, the PATCH 3196 method defined in [RFC5789]). 3198 Responses to the PUT method are not cacheable. If a successful PUT 3199 request passes through a cache that has one or more stored responses 3200 for the effective request URI, those stored responses will be 3201 invalidated (see Section 4.4 of [Caching]). 3203 7.3.5. DELETE 3205 The DELETE method requests that the origin server remove the 3206 association between the target resource and its current 3207 functionality. In effect, this method is similar to the rm command 3208 in UNIX: it expresses a deletion operation on the URI mapping of the 3209 origin server rather than an expectation that the previously 3210 associated information be deleted. 3212 If the target resource has one or more current representations, they 3213 might or might not be destroyed by the origin server, and the 3214 associated storage might or might not be reclaimed, depending 3215 entirely on the nature of the resource and its implementation by the 3216 origin server (which are beyond the scope of this specification). 3217 Likewise, other implementation aspects of a resource might need to be 3218 deactivated or archived as a result of a DELETE, such as database or 3219 gateway connections. In general, it is assumed that the origin 3220 server will only allow DELETE on resources for which it has a 3221 prescribed mechanism for accomplishing the deletion. 3223 Relatively few resources allow the DELETE method -- its primary use 3224 is for remote authoring environments, where the user has some 3225 direction regarding its effect. For example, a resource that was 3226 previously created using a PUT request, or identified via the 3227 Location header field after a 201 (Created) response to a POST 3228 request, might allow a corresponding DELETE request to undo those 3229 actions. Similarly, custom user agent implementations that implement 3230 an authoring function, such as revision control clients using HTTP 3231 for remote operations, might use DELETE based on an assumption that 3232 the server's URI space has been crafted to correspond to a version 3233 repository. 3235 If a DELETE method is successfully applied, the origin server SHOULD 3236 send 3238 o a 202 (Accepted) status code if the action will likely succeed but 3239 has not yet been enacted, 3241 o a 204 (No Content) status code if the action has been enacted and 3242 no further information is to be supplied, or 3244 o a 200 (OK) status code if the action has been enacted and the 3245 response message includes a representation describing the status. 3247 A payload within a DELETE request message has no defined semantics; 3248 sending a payload body on a DELETE request might cause some existing 3249 implementations to reject the request. 3251 Responses to the DELETE method are not cacheable. If a DELETE 3252 request passes through a cache that has one or more stored responses 3253 for the effective request URI, those stored responses will be 3254 invalidated (see Section 4.4 of [Caching]). 3256 7.3.6. CONNECT 3258 The CONNECT method requests that the recipient establish a tunnel to 3259 the destination origin server identified by the request-target and, 3260 if successful, thereafter restrict its behavior to blind forwarding 3261 of packets, in both directions, until the tunnel is closed. Tunnels 3262 are commonly used to create an end-to-end virtual connection, through 3263 one or more proxies, which can then be secured using TLS (Transport 3264 Layer Security, [RFC5246]). 3266 CONNECT is intended only for use in requests to a proxy. An origin 3267 server that receives a CONNECT request for itself MAY respond with a 3268 2xx (Successful) status code to indicate that a connection is 3269 established. However, most origin servers do not implement CONNECT. 3271 A client sending a CONNECT request MUST send the authority form of 3272 request-target (Section 3.2 of [Messaging]); i.e., the request-target 3273 consists of only the host name and port number of the tunnel 3274 destination, separated by a colon. For example, 3276 CONNECT server.example.com:80 HTTP/1.1 3277 Host: server.example.com:80 3279 The recipient proxy can establish a tunnel either by directly 3280 connecting to the request-target or, if configured to use another 3281 proxy, by forwarding the CONNECT request to the next inbound proxy. 3282 Any 2xx (Successful) response indicates that the sender (and all 3283 inbound proxies) will switch to tunnel mode immediately after the 3284 blank line that concludes the successful response's header section; 3285 data received after that blank line is from the server identified by 3286 the request-target. Any response other than a successful response 3287 indicates that the tunnel has not yet been formed and that the 3288 connection remains governed by HTTP. 3290 A tunnel is closed when a tunnel intermediary detects that either 3291 side has closed its connection: the intermediary MUST attempt to send 3292 any outstanding data that came from the closed side to the other 3293 side, close both connections, and then discard any remaining data 3294 left undelivered. 3296 Proxy authentication might be used to establish the authority to 3297 create a tunnel. For example, 3299 CONNECT server.example.com:80 HTTP/1.1 3300 Host: server.example.com:80 3301 Proxy-Authorization: basic aGVsbG86d29ybGQ= 3303 There are significant risks in establishing a tunnel to arbitrary 3304 servers, particularly when the destination is a well-known or 3305 reserved TCP port that is not intended for Web traffic. For example, 3306 a CONNECT to a request-target of "example.com:25" would suggest that 3307 the proxy connect to the reserved port for SMTP traffic; if allowed, 3308 that could trick the proxy into relaying spam email. Proxies that 3309 support CONNECT SHOULD restrict its use to a limited set of known 3310 ports or a configurable whitelist of safe request targets. 3312 A server MUST NOT send any Transfer-Encoding or Content-Length header 3313 fields in a 2xx (Successful) response to CONNECT. A client MUST 3314 ignore any Content-Length or Transfer-Encoding header fields received 3315 in a successful response to CONNECT. 3317 A payload within a CONNECT request message has no defined semantics; 3318 sending a payload body on a CONNECT request might cause some existing 3319 implementations to reject the request. 3321 Responses to the CONNECT method are not cacheable. 3323 7.3.7. OPTIONS 3325 The OPTIONS method requests information about the communication 3326 options available for the target resource, at either the origin 3327 server or an intervening intermediary. This method allows a client 3328 to determine the options and/or requirements associated with a 3329 resource, or the capabilities of a server, without implying a 3330 resource action. 3332 An OPTIONS request with an asterisk ("*") as the request-target 3333 (Section 3.2 of [Messaging]) applies to the server in general rather 3334 than to a specific resource. Since a server's communication options 3335 typically depend on the resource, the "*" request is only useful as a 3336 "ping" or "no-op" type of method; it does nothing beyond allowing the 3337 client to test the capabilities of the server. For example, this can 3338 be used to test a proxy for HTTP/1.1 conformance (or lack thereof). 3340 If the request-target is not an asterisk, the OPTIONS request applies 3341 to the options that are available when communicating with the target 3342 resource. 3344 A server generating a successful response to OPTIONS SHOULD send any 3345 header fields that might indicate optional features implemented by 3346 the server and applicable to the target resource (e.g., Allow), 3347 including potential extensions not defined by this specification. 3348 The response payload, if any, might also describe the communication 3349 options in a machine or human-readable representation. A standard 3350 format for such a representation is not defined by this 3351 specification, but might be defined by future extensions to HTTP. A 3352 server MUST generate a Content-Length field with a value of "0" if no 3353 payload body is to be sent in the response. 3355 A client MAY send a Max-Forwards header field in an OPTIONS request 3356 to target a specific recipient in the request chain (see 3357 Section 8.1.2). A proxy MUST NOT generate a Max-Forwards header 3358 field while forwarding a request unless that request was received 3359 with a Max-Forwards field. 3361 A client that generates an OPTIONS request containing a payload body 3362 MUST send a valid Content-Type header field describing the 3363 representation media type. Although this specification does not 3364 define any use for such a payload, future extensions to HTTP might 3365 use the OPTIONS body to make more detailed queries about the target 3366 resource. 3368 Responses to the OPTIONS method are not cacheable. 3370 7.3.8. TRACE 3372 The TRACE method requests a remote, application-level loop-back of 3373 the request message. The final recipient of the request SHOULD 3374 reflect the message received, excluding some fields described below, 3375 back to the client as the message body of a 200 (OK) response with a 3376 Content-Type of "message/http" (Section 10.1 of [Messaging]). The 3377 final recipient is either the origin server or the first server to 3378 receive a Max-Forwards value of zero (0) in the request 3379 (Section 8.1.2). 3381 A client MUST NOT generate header fields in a TRACE request 3382 containing sensitive data that might be disclosed by the response. 3383 For example, it would be foolish for a user agent to send stored user 3384 credentials Section 8.5 or cookies [RFC6265] in a TRACE request. The 3385 final recipient of the request SHOULD exclude any request header 3386 fields that are likely to contain sensitive data when that recipient 3387 generates the response body. 3389 TRACE allows the client to see what is being received at the other 3390 end of the request chain and use that data for testing or diagnostic 3391 information. The value of the Via header field (Section 5.5.1) is of 3392 particular interest, since it acts as a trace of the request chain. 3393 Use of the Max-Forwards header field allows the client to limit the 3394 length of the request chain, which is useful for testing a chain of 3395 proxies forwarding messages in an infinite loop. 3397 A client MUST NOT send a message body in a TRACE request. 3399 Responses to the TRACE method are not cacheable. 3401 7.4. Method Extensibility 3403 Additional methods, outside the scope of this specification, have 3404 been specified for use in HTTP. All such methods ought to be 3405 registered within the "Hypertext Transfer Protocol (HTTP) Method 3406 Registry". 3408 7.4.1. Method Registry 3410 The "Hypertext Transfer Protocol (HTTP) Method Registry", maintained 3411 by IANA at , registers 3412 method names. 3414 HTTP method registrations MUST include the following fields: 3416 o Method Name (see Section 7) 3418 o Safe ("yes" or "no", see Section 7.2.1) 3420 o Idempotent ("yes" or "no", see Section 7.2.2) 3422 o Pointer to specification text 3424 Values to be added to this namespace require IETF Review (see 3425 [RFC8126], Section 4.8). 3427 7.4.2. Considerations for New Methods 3429 Standardized methods are generic; that is, they are potentially 3430 applicable to any resource, not just one particular media type, kind 3431 of resource, or application. As such, it is preferred that new 3432 methods be registered in a document that isn't specific to a single 3433 application or data format, since orthogonal technologies deserve 3434 orthogonal specification. 3436 Since message parsing (Section 6 of [Messaging]) needs to be 3437 independent of method semantics (aside from responses to HEAD), 3438 definitions of new methods cannot change the parsing algorithm or 3439 prohibit the presence of a message body on either the request or the 3440 response message. Definitions of new methods can specify that only a 3441 zero-length message body is allowed by requiring a Content-Length 3442 header field with a value of "0". 3444 A new method definition needs to indicate whether it is safe 3445 (Section 7.2.1), idempotent (Section 7.2.2), cacheable 3446 (Section 7.2.3), what semantics are to be associated with the payload 3447 body if any is present in the request and what refinements the method 3448 makes to header field or status code semantics. If the new method is 3449 cacheable, its definition ought to describe how, and under what 3450 conditions, a cache can store a response and use it to satisfy a 3451 subsequent request. The new method ought to describe whether it can 3452 be made conditional (Section 8.2) and, if so, how a server responds 3453 when the condition is false. Likewise, if the new method might have 3454 some use for partial response semantics (Section 8.3), it ought to 3455 document this, too. 3457 Note: Avoid defining a method name that starts with "M-", since 3458 that prefix might be misinterpreted as having the semantics 3459 assigned to it by [RFC2774]. 3461 8. Request Header Fields 3463 A client sends request header fields to provide more information 3464 about the request context, make the request conditional based on the 3465 target resource state, suggest preferred formats for the response, 3466 supply authentication credentials, or modify the expected request 3467 processing. These fields act as request modifiers, similar to the 3468 parameters on a programming language method invocation. 3470 8.1. Controls 3472 Controls are request header fields that direct specific handling of 3473 the request. 3475 +-------------------+----------------------------+ 3476 | Header Field Name | Defined in... | 3477 +-------------------+----------------------------+ 3478 | Cache-Control | Section 5.2 of [Caching] | 3479 | Expect | Section 8.1.1 | 3480 | Host | Section 5.4 | 3481 | Max-Forwards | Section 8.1.2 | 3482 | Pragma | Section 5.4 of [Caching] | 3483 | TE | Section 7.4 of [Messaging] | 3484 +-------------------+----------------------------+ 3486 8.1.1. Expect 3488 The "Expect" header field in a request indicates a certain set of 3489 behaviors (expectations) that need to be supported by the server in 3490 order to properly handle this request. The only such expectation 3491 defined by this specification is 100-continue. 3493 Expect = "100-continue" 3495 The Expect field-value is case-insensitive. 3497 A server that receives an Expect field-value other than 100-continue 3498 MAY respond with a 417 (Expectation Failed) status code to indicate 3499 that the unexpected expectation cannot be met. 3501 A 100-continue expectation informs recipients that the client is 3502 about to send a (presumably large) message body in this request and 3503 wishes to receive a 100 (Continue) interim response if the request- 3504 line and header fields are not sufficient to cause an immediate 3505 success, redirect, or error response. This allows the client to wait 3506 for an indication that it is worthwhile to send the message body 3507 before actually doing so, which can improve efficiency when the 3508 message body is huge or when the client anticipates that an error is 3509 likely (e.g., when sending a state-changing method, for the first 3510 time, without previously verified authentication credentials). 3512 For example, a request that begins with 3514 PUT /somewhere/fun HTTP/1.1 3515 Host: origin.example.com 3516 Content-Type: video/h264 3517 Content-Length: 1234567890987 3518 Expect: 100-continue 3520 allows the origin server to immediately respond with an error 3521 message, such as 401 (Unauthorized) or 405 (Method Not Allowed), 3522 before the client starts filling the pipes with an unnecessary data 3523 transfer. 3525 Requirements for clients: 3527 o A client MUST NOT generate a 100-continue expectation in a request 3528 that does not include a message body. 3530 o A client that will wait for a 100 (Continue) response before 3531 sending the request message body MUST send an Expect header field 3532 containing a 100-continue expectation. 3534 o A client that sends a 100-continue expectation is not required to 3535 wait for any specific length of time; such a client MAY proceed to 3536 send the message body even if it has not yet received a response. 3537 Furthermore, since 100 (Continue) responses cannot be sent through 3538 an HTTP/1.0 intermediary, such a client SHOULD NOT wait for an 3539 indefinite period before sending the message body. 3541 o A client that receives a 417 (Expectation Failed) status code in 3542 response to a request containing a 100-continue expectation SHOULD 3543 repeat that request without a 100-continue expectation, since the 3544 417 response merely indicates that the response chain does not 3545 support expectations (e.g., it passes through an HTTP/1.0 server). 3547 Requirements for servers: 3549 o A server that receives a 100-continue expectation in an HTTP/1.0 3550 request MUST ignore that expectation. 3552 o A server MAY omit sending a 100 (Continue) response if it has 3553 already received some or all of the message body for the 3554 corresponding request, or if the framing indicates that there is 3555 no message body. 3557 o A server that sends a 100 (Continue) response MUST ultimately send 3558 a final status code, once the message body is received and 3559 processed, unless the connection is closed prematurely. 3561 o A server that responds with a final status code before reading the 3562 entire request payload body SHOULD indicate whether it intends to 3563 close the connection (see Section 9.7 of [Messaging]) or continue 3564 reading the payload body. 3566 An origin server MUST, upon receiving an HTTP/1.1 (or later) request- 3567 line and a complete header section that contains a 100-continue 3568 expectation and indicates a request message body will follow, either 3569 send an immediate response with a final status code, if that status 3570 can be determined by examining just the request-line and header 3571 fields, or send an immediate 100 (Continue) response to encourage the 3572 client to send the request's message body. The origin server MUST 3573 NOT wait for the message body before sending the 100 (Continue) 3574 response. 3576 A proxy MUST, upon receiving an HTTP/1.1 (or later) request-line and 3577 a complete header section that contains a 100-continue expectation 3578 and indicates a request message body will follow, either send an 3579 immediate response with a final status code, if that status can be 3580 determined by examining just the request-line and header fields, or 3581 begin forwarding the request toward the origin server by sending a 3582 corresponding request-line and header section to the next inbound 3583 server. If the proxy believes (from configuration or past 3584 interaction) that the next inbound server only supports HTTP/1.0, the 3585 proxy MAY generate an immediate 100 (Continue) response to encourage 3586 the client to begin sending the message body. 3588 Note: The Expect header field was added after the original 3589 publication of HTTP/1.1 [RFC2068] as both the means to request an 3590 interim 100 (Continue) response and the general mechanism for 3591 indicating must-understand extensions. However, the extension 3592 mechanism has not been used by clients and the must-understand 3593 requirements have not been implemented by many servers, rendering 3594 the extension mechanism useless. This specification has removed 3595 the extension mechanism in order to simplify the definition and 3596 processing of 100-continue. 3598 8.1.2. Max-Forwards 3600 The "Max-Forwards" header field provides a mechanism with the TRACE 3601 (Section 7.3.8) and OPTIONS (Section 7.3.7) request methods to limit 3602 the number of times that the request is forwarded by proxies. This 3603 can be useful when the client is attempting to trace a request that 3604 appears to be failing or looping mid-chain. 3606 Max-Forwards = 1*DIGIT 3608 The Max-Forwards value is a decimal integer indicating the remaining 3609 number of times this request message can be forwarded. 3611 Each intermediary that receives a TRACE or OPTIONS request containing 3612 a Max-Forwards header field MUST check and update its value prior to 3613 forwarding the request. If the received value is zero (0), the 3614 intermediary MUST NOT forward the request; instead, the intermediary 3615 MUST respond as the final recipient. If the received Max-Forwards 3616 value is greater than zero, the intermediary MUST generate an updated 3617 Max-Forwards field in the forwarded message with a field-value that 3618 is the lesser of a) the received value decremented by one (1) or b) 3619 the recipient's maximum supported value for Max-Forwards. 3621 A recipient MAY ignore a Max-Forwards header field received with any 3622 other request methods. 3624 8.2. Preconditions 3626 A conditional request is an HTTP request with one or more request 3627 header fields that indicate a precondition to be tested before 3628 applying the request method to the target resource. Section 8.2.1 3629 defines when preconditions are applied. Section 8.2.2 defines the 3630 order of evaluation when more than one precondition is present. 3632 Conditional GET requests are the most efficient mechanism for HTTP 3633 cache updates [Caching]. Conditionals can also be applied to state- 3634 changing methods, such as PUT and DELETE, to prevent the "lost 3635 update" problem: one client accidentally overwriting the work of 3636 another client that has been acting in parallel. 3638 Conditional request preconditions are based on the state of the 3639 target resource as a whole (its current value set) or the state as 3640 observed in a previously obtained representation (one value in that 3641 set). A resource might have multiple current representations, each 3642 with its own observable state. The conditional request mechanisms 3643 assume that the mapping of requests to a "selected representation" 3644 (Section 6) will be consistent over time if the server intends to 3645 take advantage of conditionals. Regardless, if the mapping is 3646 inconsistent and the server is unable to select the appropriate 3647 representation, then no harm will result when the precondition 3648 evaluates to false. 3650 The following request header fields allow a client to place a 3651 precondition on the state of the target resource, so that the action 3652 corresponding to the method semantics will not be applied if the 3653 precondition evaluates to false. Each precondition defined by this 3654 specification consists of a comparison between a set of validators 3655 obtained from prior representations of the target resource to the 3656 current state of validators for the selected representation 3657 (Section 10.2). Hence, these preconditions evaluate whether the 3658 state of the target resource has changed since a given state known by 3659 the client. The effect of such an evaluation depends on the method 3660 semantics and choice of conditional, as defined in Section 8.2.1. 3662 +---------------------+---------------+ 3663 | Header Field Name | Defined in... | 3664 +---------------------+---------------+ 3665 | If-Match | Section 8.2.3 | 3666 | If-None-Match | Section 8.2.4 | 3667 | If-Modified-Since | Section 8.2.5 | 3668 | If-Unmodified-Since | Section 8.2.6 | 3669 | If-Range | Section 8.2.7 | 3670 +---------------------+---------------+ 3672 8.2.1. Evaluation 3674 Except when excluded below, a recipient cache or origin server MUST 3675 evaluate received request preconditions after it has successfully 3676 performed its normal request checks and just before it would perform 3677 the action associated with the request method. A server MUST ignore 3678 all received preconditions if its response to the same request 3679 without those conditions would have been a status code other than a 3680 2xx (Successful) or 412 (Precondition Failed). In other words, 3681 redirects and failures take precedence over the evaluation of 3682 preconditions in conditional requests. 3684 A server that is not the origin server for the target resource and 3685 cannot act as a cache for requests on the target resource MUST NOT 3686 evaluate the conditional request header fields defined by this 3687 specification, and it MUST forward them if the request is forwarded, 3688 since the generating client intends that they be evaluated by a 3689 server that can provide a current representation. Likewise, a server 3690 MUST ignore the conditional request header fields defined by this 3691 specification when received with a request method that does not 3692 involve the selection or modification of a selected representation, 3693 such as CONNECT, OPTIONS, or TRACE. 3695 Conditional request header fields that are defined by extensions to 3696 HTTP might place conditions on all recipients, on the state of the 3697 target resource in general, or on a group of resources. For 3698 instance, the "If" header field in WebDAV can make a request 3699 conditional on various aspects of multiple resources, such as locks, 3700 if the recipient understands and implements that field ([RFC4918], 3701 Section 10.4). 3703 Although conditional request header fields are defined as being 3704 usable with the HEAD method (to keep HEAD's semantics consistent with 3705 those of GET), there is no point in sending a conditional HEAD 3706 because a successful response is around the same size as a 304 (Not 3707 Modified) response and more useful than a 412 (Precondition Failed) 3708 response. 3710 8.2.2. Precedence 3712 When more than one conditional request header field is present in a 3713 request, the order in which the fields are evaluated becomes 3714 important. In practice, the fields defined in this document are 3715 consistently implemented in a single, logical order, since "lost 3716 update" preconditions have more strict requirements than cache 3717 validation, a validated cache is more efficient than a partial 3718 response, and entity tags are presumed to be more accurate than date 3719 validators. 3721 A recipient cache or origin server MUST evaluate the request 3722 preconditions defined by this specification in the following order: 3724 1. When recipient is the origin server and If-Match is present, 3725 evaluate the If-Match precondition: 3727 * if true, continue to step 3 3729 * if false, respond 412 (Precondition Failed) unless it can be 3730 determined that the state-changing request has already 3731 succeeded (see Section 8.2.3) 3733 2. When recipient is the origin server, If-Match is not present, and 3734 If-Unmodified-Since is present, evaluate the If-Unmodified-Since 3735 precondition: 3737 * if true, continue to step 3 3739 * if false, respond 412 (Precondition Failed) unless it can be 3740 determined that the state-changing request has already 3741 succeeded (see Section 8.2.6) 3743 3. When If-None-Match is present, evaluate the If-None-Match 3744 precondition: 3746 * if true, continue to step 5 3748 * if false for GET/HEAD, respond 304 (Not Modified) 3750 * if false for other methods, respond 412 (Precondition Failed) 3752 4. When the method is GET or HEAD, If-None-Match is not present, and 3753 If-Modified-Since is present, evaluate the If-Modified-Since 3754 precondition: 3756 * if true, continue to step 5 3758 * if false, respond 304 (Not Modified) 3760 5. When the method is GET and both Range and If-Range are present, 3761 evaluate the If-Range precondition: 3763 * if the validator matches and the Range specification is 3764 applicable to the selected representation, respond 206 3765 (Partial Content) 3767 6. Otherwise, 3769 * all conditions are met, so perform the requested action and 3770 respond according to its success or failure. 3772 Any extension to HTTP/1.1 that defines additional conditional request 3773 header fields ought to define its own expectations regarding the 3774 order for evaluating such fields in relation to those defined in this 3775 document and other conditionals that might be found in practice. 3777 8.2.3. If-Match 3779 The "If-Match" header field makes the request method conditional on 3780 the recipient origin server either having at least one current 3781 representation of the target resource, when the field-value is "*", 3782 or having a current representation of the target resource that has an 3783 entity-tag matching a member of the list of entity-tags provided in 3784 the field-value. 3786 An origin server MUST use the strong comparison function when 3787 comparing entity-tags for If-Match (Section 10.2.3.2), since the 3788 client intends this precondition to prevent the method from being 3789 applied if there have been any changes to the representation data. 3791 If-Match = "*" / 1#entity-tag 3793 Examples: 3795 If-Match: "xyzzy" 3796 If-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" 3797 If-Match: * 3799 If-Match is most often used with state-changing methods (e.g., POST, 3800 PUT, DELETE) to prevent accidental overwrites when multiple user 3801 agents might be acting in parallel on the same resource (i.e., to 3802 prevent the "lost update" problem). It can also be used with safe 3803 methods to abort a request if the selected representation does not 3804 match one already stored (or partially stored) from a prior request. 3806 An origin server that receives an If-Match header field MUST evaluate 3807 the condition prior to performing the method (Section 8.2.1). If the 3808 field-value is "*", the condition is false if the origin server does 3809 not have a current representation for the target resource. If the 3810 field-value is a list of entity-tags, the condition is false if none 3811 of the listed tags match the entity-tag of the selected 3812 representation. 3814 An origin server MUST NOT perform the requested method if a received 3815 If-Match condition evaluates to false; instead, the origin server 3816 MUST respond with either a) the 412 (Precondition Failed) status code 3817 or b) one of the 2xx (Successful) status codes if the origin server 3818 has verified that a state change is being requested and the final 3819 state is already reflected in the current state of the target 3820 resource (i.e., the change requested by the user agent has already 3821 succeeded, but the user agent might not be aware of it, perhaps 3822 because the prior response was lost or a compatible change was made 3823 by some other user agent). In the latter case, the origin server 3824 MUST NOT send a validator header field in the response unless it can 3825 verify that the request is a duplicate of an immediately prior change 3826 made by the same user agent. 3828 The If-Match header field can be ignored by caches and intermediaries 3829 because it is not applicable to a stored response. 3831 8.2.4. If-None-Match 3833 The "If-None-Match" header field makes the request method conditional 3834 on a recipient cache or origin server either not having any current 3835 representation of the target resource, when the field-value is "*", 3836 or having a selected representation with an entity-tag that does not 3837 match any of those listed in the field-value. 3839 A recipient MUST use the weak comparison function when comparing 3840 entity-tags for If-None-Match (Section 10.2.3.2), since weak entity- 3841 tags can be used for cache validation even if there have been changes 3842 to the representation data. 3844 If-None-Match = "*" / 1#entity-tag 3846 Examples: 3848 If-None-Match: "xyzzy" 3849 If-None-Match: W/"xyzzy" 3850 If-None-Match: "xyzzy", "r2d2xxxx", "c3piozzzz" 3851 If-None-Match: W/"xyzzy", W/"r2d2xxxx", W/"c3piozzzz" 3852 If-None-Match: * 3854 If-None-Match is primarily used in conditional GET requests to enable 3855 efficient updates of cached information with a minimum amount of 3856 transaction overhead. When a client desires to update one or more 3857 stored responses that have entity-tags, the client SHOULD generate an 3858 If-None-Match header field containing a list of those entity-tags 3859 when making a GET request; this allows recipient servers to send a 3860 304 (Not Modified) response to indicate when one of those stored 3861 responses matches the selected representation. 3863 If-None-Match can also be used with a value of "*" to prevent an 3864 unsafe request method (e.g., PUT) from inadvertently modifying an 3865 existing representation of the target resource when the client 3866 believes that the resource does not have a current representation 3867 (Section 7.2.1). This is a variation on the "lost update" problem 3868 that might arise if more than one client attempts to create an 3869 initial representation for the target resource. 3871 An origin server that receives an If-None-Match header field MUST 3872 evaluate the condition prior to performing the method 3873 (Section 8.2.1). If the field-value is "*", the condition is false 3874 if the origin server has a current representation for the target 3875 resource. If the field-value is a list of entity-tags, the condition 3876 is false if one of the listed tags match the entity-tag of the 3877 selected representation. 3879 An origin server MUST NOT perform the requested method if the 3880 condition evaluates to false; instead, the origin server MUST respond 3881 with either a) the 304 (Not Modified) status code if the request 3882 method is GET or HEAD or b) the 412 (Precondition Failed) status code 3883 for all other request methods. 3885 Requirements on cache handling of a received If-None-Match header 3886 field are defined in Section 4.3.2 of [Caching]. 3888 8.2.5. If-Modified-Since 3890 The "If-Modified-Since" header field makes a GET or HEAD request 3891 method conditional on the selected representation's modification date 3892 being more recent than the date provided in the field-value. 3893 Transfer of the selected representation's data is avoided if that 3894 data has not changed. 3896 If-Modified-Since = HTTP-date 3898 An example of the field is: 3900 If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT 3902 A recipient MUST ignore If-Modified-Since if the request contains an 3903 If-None-Match header field; the condition in If-None-Match is 3904 considered to be a more accurate replacement for the condition in If- 3905 Modified-Since, and the two are only combined for the sake of 3906 interoperating with older intermediaries that might not implement If- 3907 None-Match. 3909 A recipient MUST ignore the If-Modified-Since header field if the 3910 received field-value is not a valid HTTP-date, or if the request 3911 method is neither GET nor HEAD. 3913 A recipient MUST interpret an If-Modified-Since field-value's 3914 timestamp in terms of the origin server's clock. 3916 If-Modified-Since is typically used for two distinct purposes: 1) to 3917 allow efficient updates of a cached representation that does not have 3918 an entity-tag and 2) to limit the scope of a web traversal to 3919 resources that have recently changed. 3921 When used for cache updates, a cache will typically use the value of 3922 the cached message's Last-Modified field to generate the field value 3923 of If-Modified-Since. This behavior is most interoperable for cases 3924 where clocks are poorly synchronized or when the server has chosen to 3925 only honor exact timestamp matches (due to a problem with Last- 3926 Modified dates that appear to go "back in time" when the origin 3927 server's clock is corrected or a representation is restored from an 3928 archived backup). However, caches occasionally generate the field 3929 value based on other data, such as the Date header field of the 3930 cached message or the local clock time that the message was received, 3931 particularly when the cached message does not contain a Last-Modified 3932 field. 3934 When used for limiting the scope of retrieval to a recent time 3935 window, a user agent will generate an If-Modified-Since field value 3936 based on either its own local clock or a Date header field received 3937 from the server in a prior response. Origin servers that choose an 3938 exact timestamp match based on the selected representation's Last- 3939 Modified field will not be able to help the user agent limit its data 3940 transfers to only those changed during the specified window. 3942 An origin server that receives an If-Modified-Since header field 3943 SHOULD evaluate the condition prior to performing the method 3944 (Section 8.2.1). The origin server SHOULD NOT perform the requested 3945 method if the selected representation's last modification date is 3946 earlier than or equal to the date provided in the field-value; 3947 instead, the origin server SHOULD generate a 304 (Not Modified) 3948 response, including only those metadata that are useful for 3949 identifying or updating a previously cached response. 3951 Requirements on cache handling of a received If-Modified-Since header 3952 field are defined in Section 4.3.2 of [Caching]. 3954 8.2.6. If-Unmodified-Since 3956 The "If-Unmodified-Since" header field makes the request method 3957 conditional on the selected representation's last modification date 3958 being earlier than or equal to the date provided in the field-value. 3959 This field accomplishes the same purpose as If-Match for cases where 3960 the user agent does not have an entity-tag for the representation. 3962 If-Unmodified-Since = HTTP-date 3964 An example of the field is: 3966 If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 GMT 3968 A recipient MUST ignore If-Unmodified-Since if the request contains 3969 an If-Match header field; the condition in If-Match is considered to 3970 be a more accurate replacement for the condition in If-Unmodified- 3971 Since, and the two are only combined for the sake of interoperating 3972 with older intermediaries that might not implement If-Match. 3974 A recipient MUST ignore the If-Unmodified-Since header field if the 3975 received field-value is not a valid HTTP-date. 3977 A recipient MUST interpret an If-Unmodified-Since field-value's 3978 timestamp in terms of the origin server's clock. 3980 If-Unmodified-Since is most often used with state-changing methods 3981 (e.g., POST, PUT, DELETE) to prevent accidental overwrites when 3982 multiple user agents might be acting in parallel on a resource that 3983 does not supply entity-tags with its representations (i.e., to 3984 prevent the "lost update" problem). It can also be used with safe 3985 methods to abort a request if the selected representation does not 3986 match one already stored (or partially stored) from a prior request. 3988 An origin server that receives an If-Unmodified-Since header field 3989 MUST evaluate the condition prior to performing the method 3990 (Section 8.2.1). The origin server MUST NOT perform the requested 3991 method if the selected representation's last modification date is 3992 more recent than the date provided in the field-value; instead the 3993 origin server MUST respond with either a) the 412 (Precondition 3994 Failed) status code or b) one of the 2xx (Successful) status codes if 3995 the origin server has verified that a state change is being requested 3996 and the final state is already reflected in the current state of the 3997 target resource (i.e., the change requested by the user agent has 3998 already succeeded, but the user agent might not be aware of that 3999 because the prior response message was lost or a compatible change 4000 was made by some other user agent). In the latter case, the origin 4001 server MUST NOT send a validator header field in the response unless 4002 it can verify that the request is a duplicate of an immediately prior 4003 change made by the same user agent. 4005 The If-Unmodified-Since header field can be ignored by caches and 4006 intermediaries because it is not applicable to a stored response. 4008 8.2.7. If-Range 4010 The "If-Range" header field provides a special conditional request 4011 mechanism that is similar to the If-Match and If-Unmodified-Since 4012 header fields but that instructs the recipient to ignore the Range 4013 header field if the validator doesn't match, resulting in transfer of 4014 the new selected representation instead of a 412 (Precondition 4015 Failed) response. 4017 If a client has a partial copy of a representation and wishes to have 4018 an up-to-date copy of the entire representation, it could use the 4019 Range header field with a conditional GET (using either or both of 4020 If-Unmodified-Since and If-Match.) However, if the precondition 4021 fails because the representation has been modified, the client would 4022 then have to make a second request to obtain the entire current 4023 representation. 4025 The "If-Range" header field allows a client to "short-circuit" the 4026 second request. Informally, its meaning is as follows: if the 4027 representation is unchanged, send me the part(s) that I am requesting 4028 in Range; otherwise, send me the entire representation. 4030 If-Range = entity-tag / HTTP-date 4032 A client MUST NOT generate an If-Range header field in a request that 4033 does not contain a Range header field. A server MUST ignore an If- 4034 Range header field received in a request that does not contain a 4035 Range header field. An origin server MUST ignore an If-Range header 4036 field received in a request for a target resource that does not 4037 support Range requests. 4039 A client MUST NOT generate an If-Range header field containing an 4040 entity-tag that is marked as weak. A client MUST NOT generate an If- 4041 Range header field containing an HTTP-date unless the client has no 4042 entity-tag for the corresponding representation and the date is a 4043 strong validator in the sense defined by Section 10.2.2.2. 4045 A server that evaluates an If-Range precondition MUST use the strong 4046 comparison function when comparing entity-tags (Section 10.2.3.2) and 4047 MUST evaluate the condition as false if an HTTP-date validator is 4048 provided that is not a strong validator in the sense defined by 4049 Section 10.2.2.2. A valid entity-tag can be distinguished from a 4050 valid HTTP-date by examining the first two characters for a DQUOTE. 4052 If the validator given in the If-Range header field matches the 4053 current validator for the selected representation of the target 4054 resource, then the server SHOULD process the Range header field as 4055 requested. If the validator does not match, the server MUST ignore 4056 the Range header field. Note that this comparison by exact match, 4057 including when the validator is an HTTP-date, differs from the 4058 "earlier than or equal to" comparison used when evaluating an If- 4059 Unmodified-Since conditional. 4061 8.3. Range 4063 The "Range" header field on a GET request modifies the method 4064 semantics to request transfer of only one or more subranges of the 4065 selected representation data, rather than the entire selected 4066 representation data. 4068 Range = byte-ranges-specifier / other-ranges-specifier 4069 other-ranges-specifier = other-range-unit "=" other-range-set 4070 other-range-set = 1*VCHAR 4072 Clients often encounter interrupted data transfers as a result of 4073 canceled requests or dropped connections. When a client has stored a 4074 partial representation, it is desirable to request the remainder of 4075 that representation in a subsequent request rather than transfer the 4076 entire representation. Likewise, devices with limited local storage 4077 might benefit from being able to request only a subset of a larger 4078 representation, such as a single page of a very large document, or 4079 the dimensions of an embedded image. 4081 Range requests are an OPTIONAL feature of HTTP, designed so that 4082 recipients not implementing this feature (or not supporting it for 4083 the target resource) can respond as if it is a normal GET request 4084 without impacting interoperability. Partial responses are indicated 4085 by a distinct status code to not be mistaken for full responses by 4086 caches that might not implement the feature. 4088 A server MAY ignore the Range header field. However, origin servers 4089 and intermediate caches ought to support byte ranges when possible, 4090 since Range supports efficient recovery from partially failed 4091 transfers and partial retrieval of large representations. A server 4092 MUST ignore a Range header field received with a request method other 4093 than GET. 4095 Although the range request mechanism is designed to allow for 4096 extensible range types, this specification only defines requests for 4097 byte ranges. 4099 An origin server MUST ignore a Range header field that contains a 4100 range unit it does not understand. A proxy MAY discard a Range 4101 header field that contains a range unit it does not understand. 4103 A server that supports range requests MAY ignore or reject a Range 4104 header field that consists of more than two overlapping ranges, or a 4105 set of many small ranges that are not listed in ascending order, 4106 since both are indications of either a broken client or a deliberate 4107 denial-of-service attack (Section 12.13). A client SHOULD NOT 4108 request multiple ranges that are inherently less efficient to process 4109 and transfer than a single range that encompasses the same data. 4111 A client that is requesting multiple ranges SHOULD list those ranges 4112 in ascending order (the order in which they would typically be 4113 received in a complete representation) unless there is a specific 4114 need to request a later part earlier. For example, a user agent 4115 processing a large representation with an internal catalog of parts 4116 might need to request later parts first, particularly if the 4117 representation consists of pages stored in reverse order and the user 4118 agent wishes to transfer one page at a time. 4120 The Range header field is evaluated after evaluating the precondition 4121 header fields defined in Section 8.2, and only if the result in 4122 absence of the Range header field would be a 200 (OK) response. In 4123 other words, Range is ignored when a conditional GET would result in 4124 a 304 (Not Modified) response. 4126 The If-Range header field (Section 8.2.7) can be used as a 4127 precondition to applying the Range header field. 4129 If all of the preconditions are true, the server supports the Range 4130 header field for the target resource, and the specified range(s) are 4131 valid and satisfiable (as defined in Section 6.1.4.1), the server 4132 SHOULD send a 206 (Partial Content) response with a payload 4133 containing one or more partial representations that correspond to the 4134 satisfiable ranges requested. 4136 If all of the preconditions are true, the server supports the Range 4137 header field for the target resource, and the specified range(s) are 4138 invalid or unsatisfiable, the server SHOULD send a 416 (Range Not 4139 Satisfiable) response. 4141 8.4. Content Negotiation 4143 The following request header fields are sent by a user agent to 4144 engage in proactive negotiation of the response content, as defined 4145 in Section 6.4.1. The preferences sent in these fields apply to any 4146 content in the response, including representations of the target 4147 resource, representations of error or processing status, and 4148 potentially even the miscellaneous text strings that might appear 4149 within the protocol. 4151 +-------------------+---------------+ 4152 | Header Field Name | Defined in... | 4153 +-------------------+---------------+ 4154 | Accept | Section 8.4.2 | 4155 | Accept-Charset | Section 8.4.3 | 4156 | Accept-Encoding | Section 8.4.4 | 4157 | Accept-Language | Section 8.4.5 | 4158 +-------------------+---------------+ 4160 8.4.1. Quality Values 4162 Many of the request header fields for proactive negotiation use a 4163 common parameter, named "q" (case-insensitive), to assign a relative 4164 "weight" to the preference for that associated kind of content. This 4165 weight is referred to as a "quality value" (or "qvalue") because the 4166 same parameter name is often used within server configurations to 4167 assign a weight to the relative quality of the various 4168 representations that can be selected for a resource. 4170 The weight is normalized to a real number in the range 0 through 1, 4171 where 0.001 is the least preferred and 1 is the most preferred; a 4172 value of 0 means "not acceptable". If no "q" parameter is present, 4173 the default weight is 1. 4175 weight = OWS ";" OWS "q=" qvalue 4176 qvalue = ( "0" [ "." 0*3DIGIT ] ) 4177 / ( "1" [ "." 0*3("0") ] ) 4179 A sender of qvalue MUST NOT generate more than three digits after the 4180 decimal point. User configuration of these values ought to be 4181 limited in the same fashion. 4183 8.4.2. Accept 4185 The "Accept" header field can be used by user agents to specify 4186 response media types that are acceptable. Accept header fields can 4187 be used to indicate that the request is specifically limited to a 4188 small set of desired types, as in the case of a request for an in- 4189 line image. 4191 Accept = #( media-range [ accept-params ] ) 4193 media-range = ( "*/*" 4194 / ( type "/" "*" ) 4195 / ( type "/" subtype ) 4196 ) *( OWS ";" OWS parameter ) 4197 accept-params = weight *( accept-ext ) 4198 accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] 4200 The asterisk "*" character is used to group media types into ranges, 4201 with "*/*" indicating all media types and "type/*" indicating all 4202 subtypes of that type. The media-range can include media type 4203 parameters that are applicable to that range. 4205 Each media-range might be followed by zero or more applicable media 4206 type parameters (e.g., charset), an optional "q" parameter for 4207 indicating a relative weight (Section 8.4.1), and then zero or more 4208 extension parameters. The "q" parameter is necessary if any 4209 extensions (accept-ext) are present, since it acts as a separator 4210 between the two parameter sets. 4212 Note: Use of the "q" parameter name to separate media type 4213 parameters from Accept extension parameters is due to historical 4214 practice. Although this prevents any media type parameter named 4215 "q" from being used with a media range, such an event is believed 4216 to be unlikely given the lack of any "q" parameters in the IANA 4217 media type registry and the rare usage of any media type 4218 parameters in Accept. Future media types are discouraged from 4219 registering any parameter named "q". 4221 The example 4223 Accept: audio/*; q=0.2, audio/basic 4225 is interpreted as "I prefer audio/basic, but send me any audio type 4226 if it is the best available after an 80% markdown in quality". 4228 A request without any Accept header field implies that the user agent 4229 will accept any media type in response. If the header field is 4230 present in a request and none of the available representations for 4231 the response have a media type that is listed as acceptable, the 4232 origin server can either honor the header field by sending a 406 (Not 4233 Acceptable) response or disregard the header field by treating the 4234 response as if it is not subject to content negotiation. 4236 A more elaborate example is 4238 Accept: text/plain; q=0.5, text/html, 4239 text/x-dvi; q=0.8, text/x-c 4241 Verbally, this would be interpreted as "text/html and text/x-c are 4242 the equally preferred media types, but if they do not exist, then 4243 send the text/x-dvi representation, and if that does not exist, send 4244 the text/plain representation". 4246 Media ranges can be overridden by more specific media ranges or 4247 specific media types. If more than one media range applies to a 4248 given type, the most specific reference has precedence. For example, 4250 Accept: text/*, text/plain, text/plain;format=flowed, */* 4252 have the following precedence: 4254 1. text/plain;format=flowed 4256 2. text/plain 4258 3. text/* 4260 4. */* 4262 The media type quality factor associated with a given type is 4263 determined by finding the media range with the highest precedence 4264 that matches the type. For example, 4266 Accept: text/*;q=0.3, text/html;q=0.7, text/html;level=1, 4267 text/html;level=2;q=0.4, */*;q=0.5 4269 would cause the following values to be associated: 4271 +-------------------+---------------+ 4272 | Media Type | Quality Value | 4273 +-------------------+---------------+ 4274 | text/html;level=1 | 1 | 4275 | text/html | 0.7 | 4276 | text/plain | 0.3 | 4277 | image/jpeg | 0.5 | 4278 | text/html;level=2 | 0.4 | 4279 | text/html;level=3 | 0.7 | 4280 +-------------------+---------------+ 4282 Note: A user agent might be provided with a default set of quality 4283 values for certain media ranges. However, unless the user agent is a 4284 closed system that cannot interact with other rendering agents, this 4285 default set ought to be configurable by the user. 4287 8.4.3. Accept-Charset 4289 The "Accept-Charset" header field can be sent by a user agent to 4290 indicate what charsets are acceptable in textual response content. 4291 This field allows user agents capable of understanding more 4292 comprehensive or special-purpose charsets to signal that capability 4293 to an origin server that is capable of representing information in 4294 those charsets. 4296 Accept-Charset = 1#( ( charset / "*" ) [ weight ] ) 4298 Charset names are defined in Section 6.1.1.1. A user agent MAY 4299 associate a quality value with each charset to indicate the user's 4300 relative preference for that charset, as defined in Section 8.4.1. 4301 An example is 4303 Accept-Charset: iso-8859-5, unicode-1-1;q=0.8 4305 The special value "*", if present in the Accept-Charset field, 4306 matches every charset that is not mentioned elsewhere in the Accept- 4307 Charset field. If no "*" is present in an Accept-Charset field, then 4308 any charsets not explicitly mentioned in the field are considered 4309 "not acceptable" to the client. 4311 A request without any Accept-Charset header field implies that the 4312 user agent will accept any charset in response. Most general-purpose 4313 user agents do not send Accept-Charset, unless specifically 4314 configured to do so, because a detailed list of supported charsets 4315 makes it easier for a server to identify an individual by virtue of 4316 the user agent's request characteristics (Section 12.11). 4318 If an Accept-Charset header field is present in a request and none of 4319 the available representations for the response has a charset that is 4320 listed as acceptable, the origin server can either honor the header 4321 field, by sending a 406 (Not Acceptable) response, or disregard the 4322 header field by treating the resource as if it is not subject to 4323 content negotiation. 4325 8.4.4. Accept-Encoding 4327 The "Accept-Encoding" header field can be used by user agents to 4328 indicate what response content-codings (Section 6.1.2) are acceptable 4329 in the response. An "identity" token is used as a synonym for "no 4330 encoding" in order to communicate when no encoding is preferred. 4332 Accept-Encoding = #( codings [ weight ] ) 4333 codings = content-coding / "identity" / "*" 4335 Each codings value MAY be given an associated quality value 4336 representing the preference for that encoding, as defined in 4337 Section 8.4.1. The asterisk "*" symbol in an Accept-Encoding field 4338 matches any available content-coding not explicitly listed in the 4339 header field. 4341 For example, 4343 Accept-Encoding: compress, gzip 4344 Accept-Encoding: 4345 Accept-Encoding: * 4346 Accept-Encoding: compress;q=0.5, gzip;q=1.0 4347 Accept-Encoding: gzip;q=1.0, identity; q=0.5, *;q=0 4349 A request without an Accept-Encoding header field implies that the 4350 user agent has no preferences regarding content-codings. Although 4351 this allows the server to use any content-coding in a response, it 4352 does not imply that the user agent will be able to correctly process 4353 all encodings. 4355 A server tests whether a content-coding for a given representation is 4356 acceptable using these rules: 4358 1. If no Accept-Encoding field is in the request, any content-coding 4359 is considered acceptable by the user agent. 4361 2. If the representation has no content-coding, then it is 4362 acceptable by default unless specifically excluded by the Accept- 4363 Encoding field stating either "identity;q=0" or "*;q=0" without a 4364 more specific entry for "identity". 4366 3. If the representation's content-coding is one of the content- 4367 codings listed in the Accept-Encoding field, then it is 4368 acceptable unless it is accompanied by a qvalue of 0. (As 4369 defined in Section 8.4.1, a qvalue of 0 means "not acceptable".) 4371 4. If multiple content-codings are acceptable, then the acceptable 4372 content-coding with the highest non-zero qvalue is preferred. 4374 An Accept-Encoding header field with a combined field-value that is 4375 empty implies that the user agent does not want any content-coding in 4376 response. If an Accept-Encoding header field is present in a request 4377 and none of the available representations for the response have a 4378 content-coding that is listed as acceptable, the origin server SHOULD 4379 send a response without any content-coding. 4381 Note: Most HTTP/1.0 applications do not recognize or obey qvalues 4382 associated with content-codings. This means that qvalues might 4383 not work and are not permitted with x-gzip or x-compress. 4385 8.4.5. Accept-Language 4387 The "Accept-Language" header field can be used by user agents to 4388 indicate the set of natural languages that are preferred in the 4389 response. Language tags are defined in Section 6.1.3. 4391 Accept-Language = 1#( language-range [ weight ] ) 4392 language-range = 4393 4395 Each language-range can be given an associated quality value 4396 representing an estimate of the user's preference for the languages 4397 specified by that range, as defined in Section 8.4.1. For example, 4399 Accept-Language: da, en-gb;q=0.8, en;q=0.7 4401 would mean: "I prefer Danish, but will accept British English and 4402 other types of English". 4404 A request without any Accept-Language header field implies that the 4405 user agent will accept any language in response. If the header field 4406 is present in a request and none of the available representations for 4407 the response have a matching language tag, the origin server can 4408 either disregard the header field by treating the response as if it 4409 is not subject to content negotiation or honor the header field by 4410 sending a 406 (Not Acceptable) response. However, the latter is not 4411 encouraged, as doing so can prevent users from accessing content that 4412 they might be able to use (with translation software, for example). 4414 Note that some recipients treat the order in which language tags are 4415 listed as an indication of descending priority, particularly for tags 4416 that are assigned equal quality values (no value is the same as q=1). 4417 However, this behavior cannot be relied upon. For consistency and to 4418 maximize interoperability, many user agents assign each language tag 4419 a unique quality value while also listing them in order of decreasing 4420 quality. Additional discussion of language priority lists can be 4421 found in Section 2.3 of [RFC4647]. 4423 For matching, Section 3 of [RFC4647] defines several matching 4424 schemes. Implementations can offer the most appropriate matching 4425 scheme for their requirements. The "Basic Filtering" scheme 4426 ([RFC4647], Section 3.3.1) is identical to the matching scheme that 4427 was previously defined for HTTP in Section 14.4 of [RFC2616]. 4429 It might be contrary to the privacy expectations of the user to send 4430 an Accept-Language header field with the complete linguistic 4431 preferences of the user in every request (Section 12.11). 4433 Since intelligibility is highly dependent on the individual user, 4434 user agents need to allow user control over the linguistic preference 4435 (either through configuration of the user agent itself or by 4436 defaulting to a user controllable system setting). A user agent that 4437 does not provide such control to the user MUST NOT send an Accept- 4438 Language header field. 4440 Note: User agents ought to provide guidance to users when setting 4441 a preference, since users are rarely familiar with the details of 4442 language matching as described above. For example, users might 4443 assume that on selecting "en-gb", they will be served any kind of 4444 English document if British English is not available. A user 4445 agent might suggest, in such a case, to add "en" to the list for 4446 better matching behavior. 4448 8.5. Authentication Credentials 4450 HTTP provides a general framework for access control and 4451 authentication, via an extensible set of challenge-response 4452 authentication schemes, which can be used by a server to challenge a 4453 client request and by a client to provide authentication information. 4455 Two header fields are used for carrying authentication credentials. 4456 Note that various custom mechanisms for user authentication use the 4457 Cookie header field for this purpose, as defined in [RFC6265]. 4459 +---------------------+---------------+ 4460 | Header Field Name | Defined in... | 4461 +---------------------+---------------+ 4462 | Authorization | Section 8.5.3 | 4463 | Proxy-Authorization | Section 8.5.4 | 4464 +---------------------+---------------+ 4466 8.5.1. Challenge and Response 4468 HTTP provides a simple challenge-response authentication framework 4469 that can be used by a server to challenge a client request and by a 4470 client to provide authentication information. It uses a case- 4471 insensitive token as a means to identify the authentication scheme, 4472 followed by additional information necessary for achieving 4473 authentication via that scheme. The latter can be either a comma- 4474 separated list of parameters or a single sequence of characters 4475 capable of holding base64-encoded information. 4477 Authentication parameters are name=value pairs, where the name token 4478 is matched case-insensitively, and each parameter name MUST only 4479 occur once per challenge. 4481 auth-scheme = token 4483 auth-param = token BWS "=" BWS ( token / quoted-string ) 4485 token68 = 1*( ALPHA / DIGIT / 4486 "-" / "." / "_" / "~" / "+" / "/" ) *"=" 4488 The token68 syntax allows the 66 unreserved URI characters 4489 ([RFC3986]), plus a few others, so that it can hold a base64, 4490 base64url (URL and filename safe alphabet), base32, or base16 (hex) 4491 encoding, with or without padding, but excluding whitespace 4492 ([RFC4648]). 4494 A 401 (Unauthorized) response message is used by an origin server to 4495 challenge the authorization of a user agent, including a WWW- 4496 Authenticate header field containing at least one challenge 4497 applicable to the requested resource. 4499 A 407 (Proxy Authentication Required) response message is used by a 4500 proxy to challenge the authorization of a client, including a Proxy- 4501 Authenticate header field containing at least one challenge 4502 applicable to the proxy for the requested resource. 4504 challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ] 4506 Note: Many clients fail to parse a challenge that contains an 4507 unknown scheme. A workaround for this problem is to list well- 4508 supported schemes (such as "basic") first. 4510 A user agent that wishes to authenticate itself with an origin server 4511 -- usually, but not necessarily, after receiving a 401 (Unauthorized) 4512 -- can do so by including an Authorization header field with the 4513 request. 4515 A client that wishes to authenticate itself with a proxy -- usually, 4516 but not necessarily, after receiving a 407 (Proxy Authentication 4517 Required) -- can do so by including a Proxy-Authorization header 4518 field with the request. 4520 Both the Authorization field value and the Proxy-Authorization field 4521 value contain the client's credentials for the realm of the resource 4522 being requested, based upon a challenge received in a response 4523 (possibly at some point in the past). When creating their values, 4524 the user agent ought to do so by selecting the challenge with what it 4525 considers to be the most secure auth-scheme that it understands, 4526 obtaining credentials from the user as appropriate. Transmission of 4527 credentials within header field values implies significant security 4528 considerations regarding the confidentiality of the underlying 4529 connection, as described in Section 12.14.1. 4531 credentials = auth-scheme [ 1*SP ( token68 / #auth-param ) ] 4533 Upon receipt of a request for a protected resource that omits 4534 credentials, contains invalid credentials (e.g., a bad password) or 4535 partial credentials (e.g., when the authentication scheme requires 4536 more than one round trip), an origin server SHOULD send a 401 4537 (Unauthorized) response that contains a WWW-Authenticate header field 4538 with at least one (possibly new) challenge applicable to the 4539 requested resource. 4541 Likewise, upon receipt of a request that omits proxy credentials or 4542 contains invalid or partial proxy credentials, a proxy that requires 4543 authentication SHOULD generate a 407 (Proxy Authentication Required) 4544 response that contains a Proxy-Authenticate header field with at 4545 least one (possibly new) challenge applicable to the proxy. 4547 A server that receives valid credentials that are not adequate to 4548 gain access ought to respond with the 403 (Forbidden) status code 4549 (Section 9.5.4). 4551 HTTP does not restrict applications to this simple challenge-response 4552 framework for access authentication. Additional mechanisms can be 4553 used, such as authentication at the transport level or via message 4554 encapsulation, and with additional header fields specifying 4555 authentication information. However, such additional mechanisms are 4556 not defined by this specification. 4558 8.5.2. Protection Space (Realm) 4560 The "realm" authentication parameter is reserved for use by 4561 authentication schemes that wish to indicate a scope of protection. 4563 A protection space is defined by the canonical root URI (the scheme 4564 and authority components of the effective request URI; see 4565 Section 5.3) of the server being accessed, in combination with the 4566 realm value if present. These realms allow the protected resources 4567 on a server to be partitioned into a set of protection spaces, each 4568 with its own authentication scheme and/or authorization database. 4569 The realm value is a string, generally assigned by the origin server, 4570 that can have additional semantics specific to the authentication 4571 scheme. Note that a response can have multiple challenges with the 4572 same auth-scheme but with different realms. 4574 The protection space determines the domain over which credentials can 4575 be automatically applied. If a prior request has been authorized, 4576 the user agent MAY reuse the same credentials for all other requests 4577 within that protection space for a period of time determined by the 4578 authentication scheme, parameters, and/or user preferences (such as a 4579 configurable inactivity timeout). Unless specifically allowed by the 4580 authentication scheme, a single protection space cannot extend 4581 outside the scope of its server. 4583 For historical reasons, a sender MUST only generate the quoted-string 4584 syntax. Recipients might have to support both token and quoted- 4585 string syntax for maximum interoperability with existing clients that 4586 have been accepting both notations for a long time. 4588 8.5.3. Authorization 4590 The "Authorization" header field allows a user agent to authenticate 4591 itself with an origin server -- usually, but not necessarily, after 4592 receiving a 401 (Unauthorized) response. Its value consists of 4593 credentials containing the authentication information of the user 4594 agent for the realm of the resource being requested. 4596 Authorization = credentials 4598 If a request is authenticated and a realm specified, the same 4599 credentials are presumed to be valid for all other requests within 4600 this realm (assuming that the authentication scheme itself does not 4601 require otherwise, such as credentials that vary according to a 4602 challenge value or using synchronized clocks). 4604 A proxy forwarding a request MUST NOT modify any Authorization fields 4605 in that request. See Section 3.2 of [Caching] for details of and 4606 requirements pertaining to handling of the Authorization field by 4607 HTTP caches. 4609 8.5.4. Proxy-Authorization 4611 The "Proxy-Authorization" header field allows the client to identify 4612 itself (or its user) to a proxy that requires authentication. Its 4613 value consists of credentials containing the authentication 4614 information of the client for the proxy and/or realm of the resource 4615 being requested. 4617 Proxy-Authorization = credentials 4619 Unlike Authorization, the Proxy-Authorization header field applies 4620 only to the next inbound proxy that demanded authentication using the 4621 Proxy-Authenticate field. When multiple proxies are used in a chain, 4622 the Proxy-Authorization header field is consumed by the first inbound 4623 proxy that was expecting to receive credentials. A proxy MAY relay 4624 the credentials from the client request to the next proxy if that is 4625 the mechanism by which the proxies cooperatively authenticate a given 4626 request. 4628 8.5.5. Authentication Scheme Extensibility 4630 Aside from the general framework, this document does not specify any 4631 authentication schemes. New and existing authentication schemes are 4632 specified independently and ought to be registered within the 4633 "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry". 4634 For example, the "basic" and "digest" authentication schemes are 4635 defined by RFC 7617 and RFC 7616, respectively. 4637 8.5.5.1. Authentication Scheme Registry 4639 The "Hypertext Transfer Protocol (HTTP) Authentication Scheme 4640 Registry" defines the namespace for the authentication schemes in 4641 challenges and credentials. It is maintained at 4642 . 4644 Registrations MUST include the following fields: 4646 o Authentication Scheme Name 4648 o Pointer to specification text 4650 o Notes (optional) 4652 Values to be added to this namespace require IETF Review (see 4653 [RFC8126], Section 4.8). 4655 8.5.5.2. Considerations for New Authentication Schemes 4657 There are certain aspects of the HTTP Authentication framework that 4658 put constraints on how new authentication schemes can work: 4660 o HTTP authentication is presumed to be stateless: all of the 4661 information necessary to authenticate a request MUST be provided 4662 in the request, rather than be dependent on the server remembering 4663 prior requests. Authentication based on, or bound to, the 4664 underlying connection is outside the scope of this specification 4665 and inherently flawed unless steps are taken to ensure that the 4666 connection cannot be used by any party other than the 4667 authenticated user (see Section 2.2). 4669 o The authentication parameter "realm" is reserved for defining 4670 protection spaces as described in Section 8.5.2. New schemes MUST 4671 NOT use it in a way incompatible with that definition. 4673 o The "token68" notation was introduced for compatibility with 4674 existing authentication schemes and can only be used once per 4675 challenge or credential. Thus, new schemes ought to use the auth- 4676 param syntax instead, because otherwise future extensions will be 4677 impossible. 4679 o The parsing of challenges and credentials is defined by this 4680 specification and cannot be modified by new authentication 4681 schemes. When the auth-param syntax is used, all parameters ought 4682 to support both token and quoted-string syntax, and syntactical 4683 constraints ought to be defined on the field value after parsing 4684 (i.e., quoted-string processing). This is necessary so that 4685 recipients can use a generic parser that applies to all 4686 authentication schemes. 4688 Note: The fact that the value syntax for the "realm" parameter is 4689 restricted to quoted-string was a bad design choice not to be 4690 repeated for new parameters. 4692 o Definitions of new schemes ought to define the treatment of 4693 unknown extension parameters. In general, a "must-ignore" rule is 4694 preferable to a "must-understand" rule, because otherwise it will 4695 be hard to introduce new parameters in the presence of legacy 4696 recipients. Furthermore, it's good to describe the policy for 4697 defining new parameters (such as "update the specification" or 4698 "use this registry"). 4700 o Authentication schemes need to document whether they are usable in 4701 origin-server authentication (i.e., using WWW-Authenticate), and/ 4702 or proxy authentication (i.e., using Proxy-Authenticate). 4704 o The credentials carried in an Authorization header field are 4705 specific to the user agent and, therefore, have the same effect on 4706 HTTP caches as the "private" Cache-Control response directive 4707 (Section 5.2.2.6 of [Caching]), within the scope of the request in 4708 which they appear. 4710 Therefore, new authentication schemes that choose not to carry 4711 credentials in the Authorization header field (e.g., using a newly 4712 defined header field) will need to explicitly disallow caching, by 4713 mandating the use of either Cache-Control request directives 4714 (e.g., "no-store", Section 5.2.1.5 of [Caching]) or response 4715 directives (e.g., "private"). 4717 o Schemes using Authentication-Info, Proxy-Authentication-Info, or 4718 any other authentication related response header field need to 4719 consider and document the related security considerations (see 4720 Section 12.14.4). 4722 8.6. Request Context 4724 The following request header fields provide additional information 4725 about the request context, including information about the user, user 4726 agent, and resource behind the request. 4728 +-------------------+---------------+ 4729 | Header Field Name | Defined in... | 4730 +-------------------+---------------+ 4731 | From | Section 8.6.1 | 4732 | Referer | Section 8.6.2 | 4733 | User-Agent | Section 8.6.3 | 4734 +-------------------+---------------+ 4736 8.6.1. From 4738 The "From" header field contains an Internet email address for a 4739 human user who controls the requesting user agent. The address ought 4740 to be machine-usable, as defined by "mailbox" in Section 3.4 of 4741 [RFC5322]: 4743 From = mailbox 4745 mailbox = 4747 An example is: 4749 From: webmaster@example.org 4751 The From header field is rarely sent by non-robotic user agents. A 4752 user agent SHOULD NOT send a From header field without explicit 4753 configuration by the user, since that might conflict with the user's 4754 privacy interests or their site's security policy. 4756 A robotic user agent SHOULD send a valid From header field so that 4757 the person responsible for running the robot can be contacted if 4758 problems occur on servers, such as if the robot is sending excessive, 4759 unwanted, or invalid requests. 4761 A server SHOULD NOT use the From header field for access control or 4762 authentication, since most recipients will assume that the field 4763 value is public information. 4765 8.6.2. Referer 4767 The "Referer" [sic] header field allows the user agent to specify a 4768 URI reference for the resource from which the target URI was obtained 4769 (i.e., the "referrer", though the field name is misspelled). A user 4770 agent MUST NOT include the fragment and userinfo components of the 4771 URI reference [RFC3986], if any, when generating the Referer field 4772 value. 4774 Referer = absolute-URI / partial-URI 4776 The Referer header field allows servers to generate back-links to 4777 other resources for simple analytics, logging, optimized caching, 4778 etc. It also allows obsolete or mistyped links to be found for 4779 maintenance. Some servers use the Referer header field as a means of 4780 denying links from other sites (so-called "deep linking") or 4781 restricting cross-site request forgery (CSRF), but not all requests 4782 contain it. 4784 Example: 4786 Referer: http://www.example.org/hypertext/Overview.html 4788 If the target URI was obtained from a source that does not have its 4789 own URI (e.g., input from the user keyboard, or an entry within the 4790 user's bookmarks/favorites), the user agent MUST either exclude the 4791 Referer field or send it with a value of "about:blank". 4793 The Referer field has the potential to reveal information about the 4794 request context or browsing history of the user, which is a privacy 4795 concern if the referring resource's identifier reveals personal 4796 information (such as an account name) or a resource that is supposed 4797 to be confidential (such as behind a firewall or internal to a 4798 secured service). Most general-purpose user agents do not send the 4799 Referer header field when the referring resource is a local "file" or 4800 "data" URI. A user agent MUST NOT send a Referer header field in an 4801 unsecured HTTP request if the referring page was received with a 4802 secure protocol. See Section 12.8 for additional security 4803 considerations. 4805 Some intermediaries have been known to indiscriminately remove 4806 Referer header fields from outgoing requests. This has the 4807 unfortunate side effect of interfering with protection against CSRF 4808 attacks, which can be far more harmful to their users. 4809 Intermediaries and user agent extensions that wish to limit 4810 information disclosure in Referer ought to restrict their changes to 4811 specific edits, such as replacing internal domain names with 4812 pseudonyms or truncating the query and/or path components. An 4813 intermediary SHOULD NOT modify or delete the Referer header field 4814 when the field value shares the same scheme and host as the request 4815 target. 4817 8.6.3. User-Agent 4819 The "User-Agent" header field contains information about the user 4820 agent originating the request, which is often used by servers to help 4821 identify the scope of reported interoperability problems, to work 4822 around or tailor responses to avoid particular user agent 4823 limitations, and for analytics regarding browser or operating system 4824 use. A user agent SHOULD send a User-Agent field in each request 4825 unless specifically configured not to do so. 4827 User-Agent = product *( RWS ( product / comment ) ) 4829 The User-Agent field-value consists of one or more product 4830 identifiers, each followed by zero or more comments (Section 5 of 4831 [Messaging]), which together identify the user agent software and its 4832 significant subproducts. By convention, the product identifiers are 4833 listed in decreasing order of their significance for identifying the 4834 user agent software. Each product identifier consists of a name and 4835 optional version. 4837 product = token ["/" product-version] 4838 product-version = token 4840 A sender SHOULD limit generated product identifiers to what is 4841 necessary to identify the product; a sender MUST NOT generate 4842 advertising or other nonessential information within the product 4843 identifier. A sender SHOULD NOT generate information in product- 4844 version that is not a version identifier (i.e., successive versions 4845 of the same product name ought to differ only in the product-version 4846 portion of the product identifier). 4848 Example: 4850 User-Agent: CERN-LineMode/2.15 libwww/2.17b3 4852 A user agent SHOULD NOT generate a User-Agent field containing 4853 needlessly fine-grained detail and SHOULD limit the addition of 4854 subproducts by third parties. Overly long and detailed User-Agent 4855 field values increase request latency and the risk of a user being 4856 identified against their wishes ("fingerprinting"). 4858 Likewise, implementations are encouraged not to use the product 4859 tokens of other implementations in order to declare compatibility 4860 with them, as this circumvents the purpose of the field. If a user 4861 agent masquerades as a different user agent, recipients can assume 4862 that the user intentionally desires to see responses tailored for 4863 that identified user agent, even if they might not work as well for 4864 the actual user agent being used. 4866 9. Response Status Codes 4868 The (response) status code is a three-digit integer code giving the 4869 result of the attempt to understand and satisfy the request. 4871 HTTP status codes are extensible. HTTP clients are not required to 4872 understand the meaning of all registered status codes, though such 4873 understanding is obviously desirable. However, a client MUST 4874 understand the class of any status code, as indicated by the first 4875 digit, and treat an unrecognized status code as being equivalent to 4876 the x00 status code of that class, with the exception that a 4877 recipient MUST NOT cache a response with an unrecognized status code. 4879 For example, if an unrecognized status code of 471 is received by a 4880 client, the client can assume that there was something wrong with its 4881 request and treat the response as if it had received a 400 (Bad 4882 Request) status code. The response message will usually contain a 4883 representation that explains the status. 4885 The first digit of the status code defines the class of response. 4886 The last two digits do not have any categorization role. There are 4887 five values for the first digit: 4889 o 1xx (Informational): The request was received, continuing process 4891 o 2xx (Successful): The request was successfully received, 4892 understood, and accepted 4894 o 3xx (Redirection): Further action needs to be taken in order to 4895 complete the request 4897 o 4xx (Client Error): The request contains bad syntax or cannot be 4898 fulfilled 4900 o 5xx (Server Error): The server failed to fulfill an apparently 4901 valid request 4903 9.1. Overview of Status Codes 4905 The status codes listed below are defined in this specification. The 4906 reason phrases listed here are only recommendations -- they can be 4907 replaced by local equivalents without affecting the protocol. 4909 Responses with status codes that are defined as cacheable by default 4910 (e.g., 200, 203, 204, 206, 300, 301, 404, 405, 410, 414, and 501 in 4911 this specification) can be reused by a cache with heuristic 4912 expiration unless otherwise indicated by the method definition or 4913 explicit cache controls [Caching]; all other status codes are not 4914 cacheable by default. 4916 +-------+-------------------------------+-----------------+ 4917 | Value | Description | Reference | 4918 +-------+-------------------------------+-----------------+ 4919 | 100 | Continue | Section 9.2.1 | 4920 | 101 | Switching Protocols | Section 9.2.2 | 4921 | 200 | OK | Section 9.3.1 | 4922 | 201 | Created | Section 9.3.2 | 4923 | 202 | Accepted | Section 9.3.3 | 4924 | 203 | Non-Authoritative Information | Section 9.3.4 | 4925 | 204 | No Content | Section 9.3.5 | 4926 | 205 | Reset Content | Section 9.3.6 | 4927 | 206 | Partial Content | Section 9.3.7 | 4928 | 300 | Multiple Choices | Section 9.4.1 | 4929 | 301 | Moved Permanently | Section 9.4.2 | 4930 | 302 | Found | Section 9.4.3 | 4931 | 303 | See Other | Section 9.4.4 | 4932 | 304 | Not Modified | Section 9.4.5 | 4933 | 305 | Use Proxy | Section 9.4.6 | 4934 | 306 | (Unused) | Section 9.4.7 | 4935 | 307 | Temporary Redirect | Section 9.4.8 | 4936 | 400 | Bad Request | Section 9.5.1 | 4937 | 401 | Unauthorized | Section 9.5.2 | 4938 | 402 | Payment Required | Section 9.5.3 | 4939 | 403 | Forbidden | Section 9.5.4 | 4940 | 404 | Not Found | Section 9.5.5 | 4941 | 405 | Method Not Allowed | Section 9.5.6 | 4942 | 406 | Not Acceptable | Section 9.5.7 | 4943 | 407 | Proxy Authentication Required | Section 9.5.8 | 4944 | 408 | Request Timeout | Section 9.5.9 | 4945 | 409 | Conflict | Section 9.5.10 | 4946 | 410 | Gone | Section 9.5.11 | 4947 | 411 | Length Required | Section 9.5.12 | 4948 | 412 | Precondition Failed | Section 9.5.13 | 4949 | 413 | Payload Too Large | Section 9.5.14 | 4950 | 414 | URI Too Long | Section 9.5.15 | 4951 | 415 | Unsupported Media Type | Section 9.5.16 | 4952 | 416 | Range Not Satisfiable | Section 9.5.17 | 4953 | 417 | Expectation Failed | Section 9.5.18 | 4954 | 418 | (Unused) | Section 9.5.19 | 4955 | 422 | Unprocessable Entity | Section 9.5.20 | 4956 | 426 | Upgrade Required | Section 9.5.21 | 4957 | 500 | Internal Server Error | Section 9.6.1 | 4958 | 501 | Not Implemented | Section 9.6.2 | 4959 | 502 | Bad Gateway | Section 9.6.3 | 4960 | 503 | Service Unavailable | Section 9.6.4 | 4961 | 504 | Gateway Timeout | Section 9.6.5 | 4962 | 505 | HTTP Version Not Supported | Section 9.6.6 | 4963 +-------+-------------------------------+-----------------+ 4964 Note that this list is not exhaustive -- it does not include 4965 extension status codes defined in other specifications (Section 9.7). 4967 9.2. Informational 1xx 4969 The 1xx (Informational) class of status code indicates an interim 4970 response for communicating connection status or request progress 4971 prior to completing the requested action and sending a final 4972 response. 1xx responses are terminated by the first empty line after 4973 the status-line (the empty line signaling the end of the header 4974 section). Since HTTP/1.0 did not define any 1xx status codes, a 4975 server MUST NOT send a 1xx response to an HTTP/1.0 client. 4977 A client MUST be able to parse one or more 1xx responses received 4978 prior to a final response, even if the client does not expect one. A 4979 user agent MAY ignore unexpected 1xx responses. 4981 A proxy MUST forward 1xx responses unless the proxy itself requested 4982 the generation of the 1xx response. For example, if a proxy adds an 4983 "Expect: 100-continue" field when it forwards a request, then it need 4984 not forward the corresponding 100 (Continue) response(s). 4986 9.2.1. 100 Continue 4988 The 100 (Continue) status code indicates that the initial part of a 4989 request has been received and has not yet been rejected by the 4990 server. The server intends to send a final response after the 4991 request has been fully received and acted upon. 4993 When the request contains an Expect header field that includes a 4994 100-continue expectation, the 100 response indicates that the server 4995 wishes to receive the request payload body, as described in 4996 Section 8.1.1. The client ought to continue sending the request and 4997 discard the 100 response. 4999 If the request did not contain an Expect header field containing the 5000 100-continue expectation, the client can simply discard this interim 5001 response. 5003 9.2.2. 101 Switching Protocols 5005 The 101 (Switching Protocols) status code indicates that the server 5006 understands and is willing to comply with the client's request, via 5007 the Upgrade header field (Section 9.8 of [Messaging]), for a change 5008 in the application protocol being used on this connection. The 5009 server MUST generate an Upgrade header field in the response that 5010 indicates which protocol(s) will be switched to immediately after the 5011 empty line that terminates the 101 response. 5013 It is assumed that the server will only agree to switch protocols 5014 when it is advantageous to do so. For example, switching to a newer 5015 version of HTTP might be advantageous over older versions, and 5016 switching to a real-time, synchronous protocol might be advantageous 5017 when delivering resources that use such features. 5019 9.3. Successful 2xx 5021 The 2xx (Successful) class of status code indicates that the client's 5022 request was successfully received, understood, and accepted. 5024 9.3.1. 200 OK 5026 The 200 (OK) status code indicates that the request has succeeded. 5027 The payload sent in a 200 response depends on the request method. 5028 For the methods defined by this specification, the intended meaning 5029 of the payload can be summarized as: 5031 GET a representation of the target resource; 5033 HEAD the same representation as GET, but without the representation 5034 data; 5036 POST a representation of the status of, or results obtained from, 5037 the action; 5039 PUT, DELETE a representation of the status of the action; 5041 OPTIONS a representation of the communications options; 5043 TRACE a representation of the request message as received by the end 5044 server. 5046 Aside from responses to CONNECT, a 200 response always has a payload, 5047 though an origin server MAY generate a payload body of zero length. 5048 If no payload is desired, an origin server ought to send 204 (No 5049 Content) instead. For CONNECT, no payload is allowed because the 5050 successful result is a tunnel, which begins immediately after the 200 5051 response header section. 5053 A 200 response is cacheable by default; i.e., unless otherwise 5054 indicated by the method definition or explicit cache controls (see 5055 Section 4.2.2 of [Caching]). 5057 9.3.2. 201 Created 5059 The 201 (Created) status code indicates that the request has been 5060 fulfilled and has resulted in one or more new resources being 5061 created. The primary resource created by the request is identified 5062 by either a Location header field in the response or, if no Location 5063 field is received, by the effective request URI. 5065 The 201 response payload typically describes and links to the 5066 resource(s) created. See Section 10.2 for a discussion of the 5067 meaning and purpose of validator header fields, such as ETag and 5068 Last-Modified, in a 201 response. 5070 9.3.3. 202 Accepted 5072 The 202 (Accepted) status code indicates that the request has been 5073 accepted for processing, but the processing has not been completed. 5074 The request might or might not eventually be acted upon, as it might 5075 be disallowed when processing actually takes place. There is no 5076 facility in HTTP for re-sending a status code from an asynchronous 5077 operation. 5079 The 202 response is intentionally noncommittal. Its purpose is to 5080 allow a server to accept a request for some other process (perhaps a 5081 batch-oriented process that is only run once per day) without 5082 requiring that the user agent's connection to the server persist 5083 until the process is completed. The representation sent with this 5084 response ought to describe the request's current status and point to 5085 (or embed) a status monitor that can provide the user with an 5086 estimate of when the request will be fulfilled. 5088 9.3.4. 203 Non-Authoritative Information 5090 The 203 (Non-Authoritative Information) status code indicates that 5091 the request was successful but the enclosed payload has been modified 5092 from that of the origin server's 200 (OK) response by a transforming 5093 proxy (Section 5.5.2). This status code allows the proxy to notify 5094 recipients when a transformation has been applied, since that 5095 knowledge might impact later decisions regarding the content. For 5096 example, future cache validation requests for the content might only 5097 be applicable along the same request path (through the same proxies). 5099 The 203 response is similar to the Warning code of 214 Transformation 5100 Applied (Section 5.5 of [Caching]), which has the advantage of being 5101 applicable to responses with any status code. 5103 A 203 response is cacheable by default; i.e., unless otherwise 5104 indicated by the method definition or explicit cache controls (see 5105 Section 4.2.2 of [Caching]). 5107 9.3.5. 204 No Content 5109 The 204 (No Content) status code indicates that the server has 5110 successfully fulfilled the request and that there is no additional 5111 content to send in the response payload body. Metadata in the 5112 response header fields refer to the target resource and its selected 5113 representation after the requested action was applied. 5115 For example, if a 204 status code is received in response to a PUT 5116 request and the response contains an ETag header field, then the PUT 5117 was successful and the ETag field-value contains the entity-tag for 5118 the new representation of that target resource. 5120 The 204 response allows a server to indicate that the action has been 5121 successfully applied to the target resource, while implying that the 5122 user agent does not need to traverse away from its current "document 5123 view" (if any). The server assumes that the user agent will provide 5124 some indication of the success to its user, in accord with its own 5125 interface, and apply any new or updated metadata in the response to 5126 its active representation. 5128 For example, a 204 status code is commonly used with document editing 5129 interfaces corresponding to a "save" action, such that the document 5130 being saved remains available to the user for editing. It is also 5131 frequently used with interfaces that expect automated data transfers 5132 to be prevalent, such as within distributed version control systems. 5134 A 204 response is terminated by the first empty line after the header 5135 fields because it cannot contain a message body. 5137 A 204 response is cacheable by default; i.e., unless otherwise 5138 indicated by the method definition or explicit cache controls (see 5139 Section 4.2.2 of [Caching]). 5141 9.3.6. 205 Reset Content 5143 The 205 (Reset Content) status code indicates that the server has 5144 fulfilled the request and desires that the user agent reset the 5145 "document view", which caused the request to be sent, to its original 5146 state as received from the origin server. 5148 This response is intended to support a common data entry use case 5149 where the user receives content that supports data entry (a form, 5150 notepad, canvas, etc.), enters or manipulates data in that space, 5151 causes the entered data to be submitted in a request, and then the 5152 data entry mechanism is reset for the next entry so that the user can 5153 easily initiate another input action. 5155 Since the 205 status code implies that no additional content will be 5156 provided, a server MUST NOT generate a payload in a 205 response. In 5157 other words, a server MUST do one of the following for a 205 5158 response: a) indicate a zero-length body for the response by 5159 including a Content-Length header field with a value of 0; b) 5160 indicate a zero-length payload for the response by including a 5161 Transfer-Encoding header field with a value of chunked and a message 5162 body consisting of a single chunk of zero-length; or, c) close the 5163 connection immediately after sending the blank line terminating the 5164 header section. 5166 9.3.7. 206 Partial Content 5168 The 206 (Partial Content) status code indicates that the server is 5169 successfully fulfilling a range request for the target resource by 5170 transferring one or more parts of the selected representation. 5172 When a 206 response is generated, the server MUST generate the 5173 following header fields, in addition to those required in the 5174 subsections below, if the field would have been sent in a 200 (OK) 5175 response to the same request: Date, Cache-Control, ETag, Expires, 5176 Content-Location, and Vary. 5178 If a 206 is generated in response to a request with an If-Range 5179 header field, the sender SHOULD NOT generate other representation 5180 header fields beyond those required, because the client is understood 5181 to already have a prior response containing those header fields. 5182 Otherwise, the sender MUST generate all of the representation header 5183 fields that would have been sent in a 200 (OK) response to the same 5184 request. 5186 A 206 response is cacheable by default; i.e., unless otherwise 5187 indicated by explicit cache controls (see Section 4.2.2 of 5188 [Caching]). 5190 9.3.7.1. Single Part 5192 If a single part is being transferred, the server generating the 206 5193 response MUST generate a Content-Range header field, describing what 5194 range of the selected representation is enclosed, and a payload 5195 consisting of the range. For example: 5197 HTTP/1.1 206 Partial Content 5198 Date: Wed, 15 Nov 1995 06:25:24 GMT 5199 Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT 5200 Content-Range: bytes 21010-47021/47022 5201 Content-Length: 26012 5202 Content-Type: image/gif 5204 ... 26012 bytes of partial image data ... 5206 9.3.7.2. Multiple Parts 5208 If multiple parts are being transferred, the server generating the 5209 206 response MUST generate a "multipart/byteranges" payload, as 5210 defined in Section 6.3.4, and a Content-Type header field containing 5211 the multipart/byteranges media type and its required boundary 5212 parameter. To avoid confusion with single-part responses, a server 5213 MUST NOT generate a Content-Range header field in the HTTP header 5214 section of a multiple part response (this field will be sent in each 5215 part instead). 5217 Within the header area of each body part in the multipart payload, 5218 the server MUST generate a Content-Range header field corresponding 5219 to the range being enclosed in that body part. If the selected 5220 representation would have had a Content-Type header field in a 200 5221 (OK) response, the server SHOULD generate that same Content-Type 5222 field in the header area of each body part. For example: 5224 HTTP/1.1 206 Partial Content 5225 Date: Wed, 15 Nov 1995 06:25:24 GMT 5226 Last-Modified: Wed, 15 Nov 1995 04:58:08 GMT 5227 Content-Length: 1741 5228 Content-Type: multipart/byteranges; boundary=THIS_STRING_SEPARATES 5230 --THIS_STRING_SEPARATES 5231 Content-Type: application/pdf 5232 Content-Range: bytes 500-999/8000 5234 ...the first range... 5235 --THIS_STRING_SEPARATES 5236 Content-Type: application/pdf 5237 Content-Range: bytes 7000-7999/8000 5239 ...the second range 5240 --THIS_STRING_SEPARATES-- 5242 When multiple ranges are requested, a server MAY coalesce any of the 5243 ranges that overlap, or that are separated by a gap that is smaller 5244 than the overhead of sending multiple parts, regardless of the order 5245 in which the corresponding byte-range-spec appeared in the received 5246 Range header field. Since the typical overhead between parts of a 5247 multipart/byteranges payload is around 80 bytes, depending on the 5248 selected representation's media type and the chosen boundary 5249 parameter length, it can be less efficient to transfer many small 5250 disjoint parts than it is to transfer the entire selected 5251 representation. 5253 A server MUST NOT generate a multipart response to a request for a 5254 single range, since a client that does not request multiple parts 5255 might not support multipart responses. However, a server MAY 5256 generate a multipart/byteranges payload with only a single body part 5257 if multiple ranges were requested and only one range was found to be 5258 satisfiable or only one range remained after coalescing. A client 5259 that cannot process a multipart/byteranges response MUST NOT generate 5260 a request that asks for multiple ranges. 5262 When a multipart response payload is generated, the server SHOULD 5263 send the parts in the same order that the corresponding byte-range- 5264 spec appeared in the received Range header field, excluding those 5265 ranges that were deemed unsatisfiable or that were coalesced into 5266 other ranges. A client that receives a multipart response MUST 5267 inspect the Content-Range header field present in each body part in 5268 order to determine which range is contained in that body part; a 5269 client cannot rely on receiving the same ranges that it requested, 5270 nor the same order that it requested. 5272 9.3.7.3. Combining Parts 5274 A response might transfer only a subrange of a representation if the 5275 connection closed prematurely or if the request used one or more 5276 Range specifications. After several such transfers, a client might 5277 have received several ranges of the same representation. These 5278 ranges can only be safely combined if they all have in common the 5279 same strong validator (Section 10.2.1). 5281 A client that has received multiple partial responses to GET requests 5282 on a target resource MAY combine those responses into a larger 5283 continuous range if they share the same strong validator. 5285 If the most recent response is an incomplete 200 (OK) response, then 5286 the header fields of that response are used for any combined response 5287 and replace those of the matching stored responses. 5289 If the most recent response is a 206 (Partial Content) response and 5290 at least one of the matching stored responses is a 200 (OK), then the 5291 combined response header fields consist of the most recent 200 5292 response's header fields. If all of the matching stored responses 5293 are 206 responses, then the stored response with the most recent 5294 header fields is used as the source of header fields for the combined 5295 response, except that the client MUST use other header fields 5296 provided in the new response, aside from Content-Range, to replace 5297 all instances of the corresponding header fields in the stored 5298 response. 5300 The combined response message body consists of the union of partial 5301 content ranges in the new response and each of the selected 5302 responses. If the union consists of the entire range of the 5303 representation, then the client MUST process the combined response as 5304 if it were a complete 200 (OK) response, including a Content-Length 5305 header field that reflects the complete length. Otherwise, the 5306 client MUST process the set of continuous ranges as one of the 5307 following: an incomplete 200 (OK) response if the combined response 5308 is a prefix of the representation, a single 206 (Partial Content) 5309 response containing a multipart/byteranges body, or multiple 206 5310 (Partial Content) responses, each with one continuous range that is 5311 indicated by a Content-Range header field. 5313 9.4. Redirection 3xx 5315 The 3xx (Redirection) class of status code indicates that further 5316 action needs to be taken by the user agent in order to fulfill the 5317 request. If a Location header field (Section 10.1.2) is provided, 5318 the user agent MAY automatically redirect its request to the URI 5319 referenced by the Location field value, even if the specific status 5320 code is not understood. Automatic redirection needs to be done with 5321 care for methods not known to be safe, as defined in Section 7.2.1, 5322 since the user might not wish to redirect an unsafe request. 5324 There are several types of redirects: 5326 1. Redirects that indicate the resource might be available at a 5327 different URI, as provided by the Location field, as in the 5328 status codes 301 (Moved Permanently), 302 (Found), and 307 5329 (Temporary Redirect). 5331 2. Redirection that offers a choice of matching resources, each 5332 capable of representing the original request target, as in the 5333 300 (Multiple Choices) status code. 5335 3. Redirection to a different resource, identified by the Location 5336 field, that can represent an indirect response to the request, as 5337 in the 303 (See Other) status code. 5339 4. Redirection to a previously cached result, as in the 304 (Not 5340 Modified) status code. 5342 Note: In HTTP/1.0, the status codes 301 (Moved Permanently) and 5343 302 (Found) were defined for the first type of redirect 5344 ([RFC1945], Section 9.3). Early user agents split on whether the 5345 method applied to the redirect target would be the same as the 5346 original request or would be rewritten as GET. Although HTTP 5347 originally defined the former semantics for 301 and 302 (to match 5348 its original implementation at CERN), and defined 303 (See Other) 5349 to match the latter semantics, prevailing practice gradually 5350 converged on the latter semantics for 301 and 302 as well. The 5351 first revision of HTTP/1.1 added 307 (Temporary Redirect) to 5352 indicate the former semantics without being impacted by divergent 5353 practice. Over 10 years later, most user agents still do method 5354 rewriting for 301 and 302; therefore, this specification makes 5355 that behavior conformant when the original request is POST. 5357 A client SHOULD detect and intervene in cyclical redirections (i.e., 5358 "infinite" redirection loops). 5360 Note: An earlier version of this specification recommended a 5361 maximum of five redirections ([RFC2068], Section 10.3). Content 5362 developers need to be aware that some clients might implement such 5363 a fixed limitation. 5365 9.4.1. 300 Multiple Choices 5367 The 300 (Multiple Choices) status code indicates that the target 5368 resource has more than one representation, each with its own more 5369 specific identifier, and information about the alternatives is being 5370 provided so that the user (or user agent) can select a preferred 5371 representation by redirecting its request to one or more of those 5372 identifiers. In other words, the server desires that the user agent 5373 engage in reactive negotiation to select the most appropriate 5374 representation(s) for its needs (Section 6.4). 5376 If the server has a preferred choice, the server SHOULD generate a 5377 Location header field containing a preferred choice's URI reference. 5379 The user agent MAY use the Location field value for automatic 5380 redirection. 5382 For request methods other than HEAD, the server SHOULD generate a 5383 payload in the 300 response containing a list of representation 5384 metadata and URI reference(s) from which the user or user agent can 5385 choose the one most preferred. The user agent MAY make a selection 5386 from that list automatically if it understands the provided media 5387 type. A specific format for automatic selection is not defined by 5388 this specification because HTTP tries to remain orthogonal to the 5389 definition of its payloads. In practice, the representation is 5390 provided in some easily parsed format believed to be acceptable to 5391 the user agent, as determined by shared design or content 5392 negotiation, or in some commonly accepted hypertext format. 5394 A 300 response is cacheable by default; i.e., unless otherwise 5395 indicated by the method definition or explicit cache controls (see 5396 Section 4.2.2 of [Caching]). 5398 Note: The original proposal for the 300 status code defined the 5399 URI header field as providing a list of alternative 5400 representations, such that it would be usable for 200, 300, and 5401 406 responses and be transferred in responses to the HEAD method. 5402 However, lack of deployment and disagreement over syntax led to 5403 both URI and Alternates (a subsequent proposal) being dropped from 5404 this specification. It is possible to communicate the list using 5405 a set of Link header fields [RFC8288], each with a relationship of 5406 "alternate", though deployment is a chicken-and-egg problem. 5408 9.4.2. 301 Moved Permanently 5410 The 301 (Moved Permanently) status code indicates that the target 5411 resource has been assigned a new permanent URI and any future 5412 references to this resource ought to use one of the enclosed URIs. 5413 Clients with link-editing capabilities ought to automatically re-link 5414 references to the effective request URI to one or more of the new 5415 references sent by the server, where possible. 5417 The server SHOULD generate a Location header field in the response 5418 containing a preferred URI reference for the new permanent URI. The 5419 user agent MAY use the Location field value for automatic 5420 redirection. The server's response payload usually contains a short 5421 hypertext note with a hyperlink to the new URI(s). 5423 Note: For historical reasons, a user agent MAY change the request 5424 method from POST to GET for the subsequent request. If this 5425 behavior is undesired, the 307 (Temporary Redirect) status code 5426 can be used instead. 5428 A 301 response is cacheable by default; i.e., unless otherwise 5429 indicated by the method definition or explicit cache controls (see 5430 Section 4.2.2 of [Caching]). 5432 9.4.3. 302 Found 5434 The 302 (Found) status code indicates that the target resource 5435 resides temporarily under a different URI. Since the redirection 5436 might be altered on occasion, the client ought to continue to use the 5437 effective request URI for future requests. 5439 The server SHOULD generate a Location header field in the response 5440 containing a URI reference for the different URI. The user agent MAY 5441 use the Location field value for automatic redirection. The server's 5442 response payload usually contains a short hypertext note with a 5443 hyperlink to the different URI(s). 5445 Note: For historical reasons, a user agent MAY change the request 5446 method from POST to GET for the subsequent request. If this 5447 behavior is undesired, the 307 (Temporary Redirect) status code 5448 can be used instead. 5450 9.4.4. 303 See Other 5452 The 303 (See Other) status code indicates that the server is 5453 redirecting the user agent to a different resource, as indicated by a 5454 URI in the Location header field, which is intended to provide an 5455 indirect response to the original request. A user agent can perform 5456 a retrieval request targeting that URI (a GET or HEAD request if 5457 using HTTP), which might also be redirected, and present the eventual 5458 result as an answer to the original request. Note that the new URI 5459 in the Location header field is not considered equivalent to the 5460 effective request URI. 5462 This status code is applicable to any HTTP method. It is primarily 5463 used to allow the output of a POST action to redirect the user agent 5464 to a selected resource, since doing so provides the information 5465 corresponding to the POST response in a form that can be separately 5466 identified, bookmarked, and cached, independent of the original 5467 request. 5469 A 303 response to a GET request indicates that the origin server does 5470 not have a representation of the target resource that can be 5471 transferred by the server over HTTP. However, the Location field 5472 value refers to a resource that is descriptive of the target 5473 resource, such that making a retrieval request on that other resource 5474 might result in a representation that is useful to recipients without 5475 implying that it represents the original target resource. Note that 5476 answers to the questions of what can be represented, what 5477 representations are adequate, and what might be a useful description 5478 are outside the scope of HTTP. 5480 Except for responses to a HEAD request, the representation of a 303 5481 response ought to contain a short hypertext note with a hyperlink to 5482 the same URI reference provided in the Location header field. 5484 9.4.5. 304 Not Modified 5486 The 304 (Not Modified) status code indicates that a conditional GET 5487 or HEAD request has been received and would have resulted in a 200 5488 (OK) response if it were not for the fact that the condition 5489 evaluated to false. In other words, there is no need for the server 5490 to transfer a representation of the target resource because the 5491 request indicates that the client, which made the request 5492 conditional, already has a valid representation; the server is 5493 therefore redirecting the client to make use of that stored 5494 representation as if it were the payload of a 200 (OK) response. 5496 The server generating a 304 response MUST generate any of the 5497 following header fields that would have been sent in a 200 (OK) 5498 response to the same request: Cache-Control, Content-Location, Date, 5499 ETag, Expires, and Vary. 5501 Since the goal of a 304 response is to minimize information transfer 5502 when the recipient already has one or more cached representations, a 5503 sender SHOULD NOT generate representation metadata other than the 5504 above listed fields unless said metadata exists for the purpose of 5505 guiding cache updates (e.g., Last-Modified might be useful if the 5506 response does not have an ETag field). 5508 Requirements on a cache that receives a 304 response are defined in 5509 Section 4.3.4 of [Caching]. If the conditional request originated 5510 with an outbound client, such as a user agent with its own cache 5511 sending a conditional GET to a shared proxy, then the proxy SHOULD 5512 forward the 304 response to that client. 5514 A 304 response cannot contain a message-body; it is always terminated 5515 by the first empty line after the header fields. 5517 9.4.6. 305 Use Proxy 5519 The 305 (Use Proxy) status code was defined in a previous version of 5520 this specification and is now deprecated (Appendix B of [RFC7231]). 5522 9.4.7. 306 (Unused) 5524 The 306 status code was defined in a previous version of this 5525 specification, is no longer used, and the code is reserved. 5527 9.4.8. 307 Temporary Redirect 5529 The 307 (Temporary Redirect) status code indicates that the target 5530 resource resides temporarily under a different URI and the user agent 5531 MUST NOT change the request method if it performs an automatic 5532 redirection to that URI. Since the redirection can change over time, 5533 the client ought to continue using the original effective request URI 5534 for future requests. 5536 The server SHOULD generate a Location header field in the response 5537 containing a URI reference for the different URI. The user agent MAY 5538 use the Location field value for automatic redirection. The server's 5539 response payload usually contains a short hypertext note with a 5540 hyperlink to the different URI(s). 5542 Note: This status code is similar to 302 (Found), except that it 5543 does not allow changing the request method from POST to GET. This 5544 specification defines no equivalent counterpart for 301 (Moved 5545 Permanently) ([RFC7538], however, defines the status code 308 5546 (Permanent Redirect) for this purpose). 5548 9.5. Client Error 4xx 5550 The 4xx (Client Error) class of status code indicates that the client 5551 seems to have erred. Except when responding to a HEAD request, the 5552 server SHOULD send a representation containing an explanation of the 5553 error situation, and whether it is a temporary or permanent 5554 condition. These status codes are applicable to any request method. 5555 User agents SHOULD display any included representation to the user. 5557 9.5.1. 400 Bad Request 5559 The 400 (Bad Request) status code indicates that the server cannot or 5560 will not process the request due to something that is perceived to be 5561 a client error (e.g., malformed request syntax, invalid request 5562 message framing, or deceptive request routing). 5564 9.5.2. 401 Unauthorized 5566 The 401 (Unauthorized) status code indicates that the request has not 5567 been applied because it lacks valid authentication credentials for 5568 the target resource. The server generating a 401 response MUST send 5569 a WWW-Authenticate header field (Section 10.3.1) containing at least 5570 one challenge applicable to the target resource. 5572 If the request included authentication credentials, then the 401 5573 response indicates that authorization has been refused for those 5574 credentials. The user agent MAY repeat the request with a new or 5575 replaced Authorization header field (Section 8.5.3). If the 401 5576 response contains the same challenge as the prior response, and the 5577 user agent has already attempted authentication at least once, then 5578 the user agent SHOULD present the enclosed representation to the 5579 user, since it usually contains relevant diagnostic information. 5581 9.5.3. 402 Payment Required 5583 The 402 (Payment Required) status code is reserved for future use. 5585 9.5.4. 403 Forbidden 5587 The 403 (Forbidden) status code indicates that the server understood 5588 the request but refuses to authorize it. A server that wishes to 5589 make public why the request has been forbidden can describe that 5590 reason in the response payload (if any). 5592 If authentication credentials were provided in the request, the 5593 server considers them insufficient to grant access. The client 5594 SHOULD NOT automatically repeat the request with the same 5595 credentials. The client MAY repeat the request with new or different 5596 credentials. However, a request might be forbidden for reasons 5597 unrelated to the credentials. 5599 An origin server that wishes to "hide" the current existence of a 5600 forbidden target resource MAY instead respond with a status code of 5601 404 (Not Found). 5603 9.5.5. 404 Not Found 5605 The 404 (Not Found) status code indicates that the origin server did 5606 not find a current representation for the target resource or is not 5607 willing to disclose that one exists. A 404 status code does not 5608 indicate whether this lack of representation is temporary or 5609 permanent; the 410 (Gone) status code is preferred over 404 if the 5610 origin server knows, presumably through some configurable means, that 5611 the condition is likely to be permanent. 5613 A 404 response is cacheable by default; i.e., unless otherwise 5614 indicated by the method definition or explicit cache controls (see 5615 Section 4.2.2 of [Caching]). 5617 9.5.6. 405 Method Not Allowed 5619 The 405 (Method Not Allowed) status code indicates that the method 5620 received in the request-line is known by the origin server but not 5621 supported by the target resource. The origin server MUST generate an 5622 Allow header field in a 405 response containing a list of the target 5623 resource's currently supported methods. 5625 A 405 response is cacheable by default; i.e., unless otherwise 5626 indicated by the method definition or explicit cache controls (see 5627 Section 4.2.2 of [Caching]). 5629 9.5.7. 406 Not Acceptable 5631 The 406 (Not Acceptable) status code indicates that the target 5632 resource does not have a current representation that would be 5633 acceptable to the user agent, according to the proactive negotiation 5634 header fields received in the request (Section 8.4), and the server 5635 is unwilling to supply a default representation. 5637 The server SHOULD generate a payload containing a list of available 5638 representation characteristics and corresponding resource identifiers 5639 from which the user or user agent can choose the one most 5640 appropriate. A user agent MAY automatically select the most 5641 appropriate choice from that list. However, this specification does 5642 not define any standard for such automatic selection, as described in 5643 Section 9.4.1. 5645 9.5.8. 407 Proxy Authentication Required 5647 The 407 (Proxy Authentication Required) status code is similar to 401 5648 (Unauthorized), but it indicates that the client needs to 5649 authenticate itself in order to use a proxy. The proxy MUST send a 5650 Proxy-Authenticate header field (Section 10.3.2) containing a 5651 challenge applicable to that proxy for the target resource. The 5652 client MAY repeat the request with a new or replaced Proxy- 5653 Authorization header field (Section 8.5.4). 5655 9.5.9. 408 Request Timeout 5657 The 408 (Request Timeout) status code indicates that the server did 5658 not receive a complete request message within the time that it was 5659 prepared to wait. A server SHOULD send the "close" connection option 5660 (Section 9.1 of [Messaging]) in the response, since 408 implies that 5661 the server has decided to close the connection rather than continue 5662 waiting. If the client has an outstanding request in transit, the 5663 client MAY repeat that request on a new connection. 5665 9.5.10. 409 Conflict 5667 The 409 (Conflict) status code indicates that the request could not 5668 be completed due to a conflict with the current state of the target 5669 resource. This code is used in situations where the user might be 5670 able to resolve the conflict and resubmit the request. The server 5671 SHOULD generate a payload that includes enough information for a user 5672 to recognize the source of the conflict. 5674 Conflicts are most likely to occur in response to a PUT request. For 5675 example, if versioning were being used and the representation being 5676 PUT included changes to a resource that conflict with those made by 5677 an earlier (third-party) request, the origin server might use a 409 5678 response to indicate that it can't complete the request. In this 5679 case, the response representation would likely contain information 5680 useful for merging the differences based on the revision history. 5682 9.5.11. 410 Gone 5684 The 410 (Gone) status code indicates that access to the target 5685 resource is no longer available at the origin server and that this 5686 condition is likely to be permanent. If the origin server does not 5687 know, or has no facility to determine, whether or not the condition 5688 is permanent, the status code 404 (Not Found) ought to be used 5689 instead. 5691 The 410 response is primarily intended to assist the task of web 5692 maintenance by notifying the recipient that the resource is 5693 intentionally unavailable and that the server owners desire that 5694 remote links to that resource be removed. Such an event is common 5695 for limited-time, promotional services and for resources belonging to 5696 individuals no longer associated with the origin server's site. It 5697 is not necessary to mark all permanently unavailable resources as 5698 "gone" or to keep the mark for any length of time -- that is left to 5699 the discretion of the server owner. 5701 A 410 response is cacheable by default; i.e., unless otherwise 5702 indicated by the method definition or explicit cache controls (see 5703 Section 4.2.2 of [Caching]). 5705 9.5.12. 411 Length Required 5707 The 411 (Length Required) status code indicates that the server 5708 refuses to accept the request without a defined Content-Length 5709 (Section 6.2.4). The client MAY repeat the request if it adds a 5710 valid Content-Length header field containing the length of the 5711 message body in the request message. 5713 9.5.13. 412 Precondition Failed 5715 The 412 (Precondition Failed) status code indicates that one or more 5716 conditions given in the request header fields evaluated to false when 5717 tested on the server. This response status code allows the client to 5718 place preconditions on the current resource state (its current 5719 representations and metadata) and, thus, prevent the request method 5720 from being applied if the target resource is in an unexpected state. 5722 9.5.14. 413 Payload Too Large 5724 The 413 (Payload Too Large) status code indicates that the server is 5725 refusing to process a request because the request payload is larger 5726 than the server is willing or able to process. The server MAY close 5727 the connection to prevent the client from continuing the request. 5729 If the condition is temporary, the server SHOULD generate a Retry- 5730 After header field to indicate that it is temporary and after what 5731 time the client MAY try again. 5733 9.5.15. 414 URI Too Long 5735 The 414 (URI Too Long) status code indicates that the server is 5736 refusing to service the request because the request-target 5737 (Section 3.2 of [Messaging]) is longer than the server is willing to 5738 interpret. This rare condition is only likely to occur when a client 5739 has improperly converted a POST request to a GET request with long 5740 query information, when the client has descended into a "black hole" 5741 of redirection (e.g., a redirected URI prefix that points to a suffix 5742 of itself) or when the server is under attack by a client attempting 5743 to exploit potential security holes. 5745 A 414 response is cacheable by default; i.e., unless otherwise 5746 indicated by the method definition or explicit cache controls (see 5747 Section 4.2.2 of [Caching]). 5749 9.5.16. 415 Unsupported Media Type 5751 The 415 (Unsupported Media Type) status code indicates that the 5752 origin server is refusing to service the request because the payload 5753 is in a format not supported by this method on the target resource. 5754 The format problem might be due to the request's indicated Content- 5755 Type or Content-Encoding, or as a result of inspecting the data 5756 directly. 5758 9.5.17. 416 Range Not Satisfiable 5760 The 416 (Range Not Satisfiable) status code indicates that none of 5761 the ranges in the request's Range header field (Section 8.3) overlap 5762 the current extent of the selected representation or that the set of 5763 ranges requested has been rejected due to invalid ranges or an 5764 excessive request of small or overlapping ranges. 5766 For byte ranges, failing to overlap the current extent means that the 5767 first-byte-pos of all of the byte-range-spec values were greater than 5768 or equal to the current length of the selected representation. When 5769 this status code is generated in response to a byte-range request, 5770 the sender SHOULD generate a Content-Range header field specifying 5771 the current length of the selected representation (Section 6.3.3). 5773 For example: 5775 HTTP/1.1 416 Range Not Satisfiable 5776 Date: Fri, 20 Jan 2012 15:41:54 GMT 5777 Content-Range: bytes */47022 5779 Note: Because servers are free to ignore Range, many 5780 implementations will simply respond with the entire selected 5781 representation in a 200 (OK) response. That is partly because 5782 most clients are prepared to receive a 200 (OK) to complete the 5783 task (albeit less efficiently) and partly because clients might 5784 not stop making an invalid partial request until they have 5785 received a complete representation. Thus, clients cannot depend 5786 on receiving a 416 (Range Not Satisfiable) response even when it 5787 is most appropriate. 5789 9.5.18. 417 Expectation Failed 5791 The 417 (Expectation Failed) status code indicates that the 5792 expectation given in the request's Expect header field 5793 (Section 8.1.1) could not be met by at least one of the inbound 5794 servers. 5796 9.5.19. 418 (Unused) 5798 [RFC2324] was an April 1 RFC that lampooned the various ways HTTP was 5799 abused; one such abuse was the definition of an application-specific 5800 418 status code. In the intervening years, this status code has been 5801 widely implemented as an "Easter Egg", and therefore is effectively 5802 consumed by this use. 5804 Therefore, the 418 status code is reserved in the IANA HTTP Status 5805 Code registry. This indicates that the status code cannot be 5806 assigned to other applications currently. If future circumstances 5807 require its use (e.g., exhaustion of 4NN status codes), it can be re- 5808 assigned to another use. 5810 9.5.20. 422 Unprocessable Entity 5812 The 422 (Unprocessable Entity) status code indicates that the server 5813 understands the content type of the request entity (hence a 415 5814 (Unsupported Media Type) status code is inappropriate), and the 5815 syntax of the request entity is correct but was unable to process the 5816 contained instructions. For example, this error condition may occur 5817 if an XML request body contains well-formed (i.e., syntactically 5818 correct), but semantically erroneous, XML instructions. 5820 9.5.21. 426 Upgrade Required 5822 The 426 (Upgrade Required) status code indicates that the server 5823 refuses to perform the request using the current protocol but might 5824 be willing to do so after the client upgrades to a different 5825 protocol. The server MUST send an Upgrade header field in a 426 5826 response to indicate the required protocol(s) (Section 9.8 of 5827 [Messaging]). 5829 Example: 5831 HTTP/1.1 426 Upgrade Required 5832 Upgrade: HTTP/3.0 5833 Connection: Upgrade 5834 Content-Length: 53 5835 Content-Type: text/plain 5837 This service requires use of the HTTP/3.0 protocol. 5839 9.6. Server Error 5xx 5841 The 5xx (Server Error) class of status code indicates that the server 5842 is aware that it has erred or is incapable of performing the 5843 requested method. Except when responding to a HEAD request, the 5844 server SHOULD send a representation containing an explanation of the 5845 error situation, and whether it is a temporary or permanent 5846 condition. A user agent SHOULD display any included representation 5847 to the user. These response codes are applicable to any request 5848 method. 5850 9.6.1. 500 Internal Server Error 5852 The 500 (Internal Server Error) status code indicates that the server 5853 encountered an unexpected condition that prevented it from fulfilling 5854 the request. 5856 9.6.2. 501 Not Implemented 5858 The 501 (Not Implemented) status code indicates that the server does 5859 not support the functionality required to fulfill the request. This 5860 is the appropriate response when the server does not recognize the 5861 request method and is not capable of supporting it for any resource. 5863 A 501 response is cacheable by default; i.e., unless otherwise 5864 indicated by the method definition or explicit cache controls (see 5865 Section 4.2.2 of [Caching]). 5867 9.6.3. 502 Bad Gateway 5869 The 502 (Bad Gateway) status code indicates that the server, while 5870 acting as a gateway or proxy, received an invalid response from an 5871 inbound server it accessed while attempting to fulfill the request. 5873 9.6.4. 503 Service Unavailable 5875 The 503 (Service Unavailable) status code indicates that the server 5876 is currently unable to handle the request due to a temporary overload 5877 or scheduled maintenance, which will likely be alleviated after some 5878 delay. The server MAY send a Retry-After header field 5879 (Section 10.1.3) to suggest an appropriate amount of time for the 5880 client to wait before retrying the request. 5882 Note: The existence of the 503 status code does not imply that a 5883 server has to use it when becoming overloaded. Some servers might 5884 simply refuse the connection. 5886 9.6.5. 504 Gateway Timeout 5888 The 504 (Gateway Timeout) status code indicates that the server, 5889 while acting as a gateway or proxy, did not receive a timely response 5890 from an upstream server it needed to access in order to complete the 5891 request. 5893 9.6.6. 505 HTTP Version Not Supported 5895 The 505 (HTTP Version Not Supported) status code indicates that the 5896 server does not support, or refuses to support, the major version of 5897 HTTP that was used in the request message. The server is indicating 5898 that it is unable or unwilling to complete the request using the same 5899 major version as the client, as described in Section 3.5, other than 5900 with this error message. The server SHOULD generate a representation 5901 for the 505 response that describes why that version is not supported 5902 and what other protocols are supported by that server. 5904 9.7. Status Code Extensibility 5906 Additional status codes, outside the scope of this specification, 5907 have been specified for use in HTTP. All such status codes ought to 5908 be registered within the "Hypertext Transfer Protocol (HTTP) Status 5909 Code Registry". 5911 9.7.1. Status Code Registry 5913 The "Hypertext Transfer Protocol (HTTP) Status Code Registry", 5914 maintained by IANA at , registers status code numbers. 5917 A registration MUST include the following fields: 5919 o Status Code (3 digits) 5921 o Short Description 5923 o Pointer to specification text 5925 Values to be added to the HTTP status code namespace require IETF 5926 Review (see [RFC8126], Section 4.8). 5928 9.7.2. Considerations for New Status Codes 5930 When it is necessary to express semantics for a response that are not 5931 defined by current status codes, a new status code can be registered. 5932 Status codes are generic; they are potentially applicable to any 5933 resource, not just one particular media type, kind of resource, or 5934 application of HTTP. As such, it is preferred that new status codes 5935 be registered in a document that isn't specific to a single 5936 application. 5938 New status codes are required to fall under one of the categories 5939 defined in Section 9. To allow existing parsers to process the 5940 response message, new status codes cannot disallow a payload, 5941 although they can mandate a zero-length payload body. 5943 Proposals for new status codes that are not yet widely deployed ought 5944 to avoid allocating a specific number for the code until there is 5945 clear consensus that it will be registered; instead, early drafts can 5946 use a notation such as "4NN", or "3N0" .. "3N9", to indicate the 5947 class of the proposed status code(s) without consuming a number 5948 prematurely. 5950 The definition of a new status code ought to explain the request 5951 conditions that would cause a response containing that status code 5952 (e.g., combinations of request header fields and/or method(s)) along 5953 with any dependencies on response header fields (e.g., what fields 5954 are required, what fields can modify the semantics, and what header 5955 field semantics are further refined when used with the new status 5956 code). 5958 The definition of a new status code ought to specify whether or not 5959 it is cacheable. Note that all status codes can be cached if the 5960 response they occur in has explicit freshness information; however, 5961 status codes that are defined as being cacheable are allowed to be 5962 cached without explicit freshness information. Likewise, the 5963 definition of a status code can place constraints upon cache 5964 behavior. See [Caching] for more information. 5966 Finally, the definition of a new status code ought to indicate 5967 whether the payload has any implied association with an identified 5968 resource (Section 6.3.2). 5970 10. Response Header Fields 5972 The response header fields allow the server to pass additional 5973 information about the response beyond what is placed in the status- 5974 line. These header fields give information about the server, about 5975 further access to the target resource, or about related resources. 5977 Although each response header field has a defined meaning, in 5978 general, the precise semantics might be further refined by the 5979 semantics of the request method and/or response status code. 5981 10.1. Control Data 5983 Response header fields can supply control data that supplements the 5984 status code, directs caching, or instructs the client where to go 5985 next. 5987 +-------------------+--------------------------+ 5988 | Header Field Name | Defined in... | 5989 +-------------------+--------------------------+ 5990 | Age | Section 5.1 of [Caching] | 5991 | Cache-Control | Section 5.2 of [Caching] | 5992 | Expires | Section 5.3 of [Caching] | 5993 | Date | Section 10.1.1.2 | 5994 | Location | Section 10.1.2 | 5995 | Retry-After | Section 10.1.3 | 5996 | Vary | Section 10.1.4 | 5997 | Warning | Section 5.5 of [Caching] | 5998 +-------------------+--------------------------+ 6000 10.1.1. Origination Date 6002 10.1.1.1. Date/Time Formats 6004 Prior to 1995, there were three different formats commonly used by 6005 servers to communicate timestamps. For compatibility with old 6006 implementations, all three are defined here. The preferred format is 6007 a fixed-length and single-zone subset of the date and time 6008 specification used by the Internet Message Format [RFC5322]. 6010 HTTP-date = IMF-fixdate / obs-date 6012 An example of the preferred format is 6014 Sun, 06 Nov 1994 08:49:37 GMT ; IMF-fixdate 6016 Examples of the two obsolete formats are 6018 Sunday, 06-Nov-94 08:49:37 GMT ; obsolete RFC 850 format 6019 Sun Nov 6 08:49:37 1994 ; ANSI C's asctime() format 6021 A recipient that parses a timestamp value in an HTTP header field 6022 MUST accept all three HTTP-date formats. When a sender generates a 6023 header field that contains one or more timestamps defined as HTTP- 6024 date, the sender MUST generate those timestamps in the IMF-fixdate 6025 format. 6027 An HTTP-date value represents time as an instance of Coordinated 6028 Universal Time (UTC). The first two formats indicate UTC by the 6029 three-letter abbreviation for Greenwich Mean Time, "GMT", a 6030 predecessor of the UTC name; values in the asctime format are assumed 6031 to be in UTC. A sender that generates HTTP-date values from a local 6032 clock ought to use NTP ([RFC5905]) or some similar protocol to 6033 synchronize its clock to UTC. 6035 Preferred format: 6037 IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT 6038 ; fixed length/zone/capitalization subset of the format 6039 ; see Section 3.3 of [RFC5322] 6041 day-name = %x4D.6F.6E ; "Mon", case-sensitive 6042 / %x54.75.65 ; "Tue", case-sensitive 6043 / %x57.65.64 ; "Wed", case-sensitive 6044 / %x54.68.75 ; "Thu", case-sensitive 6045 / %x46.72.69 ; "Fri", case-sensitive 6046 / %x53.61.74 ; "Sat", case-sensitive 6047 / %x53.75.6E ; "Sun", case-sensitive 6049 date1 = day SP month SP year 6050 ; e.g., 02 Jun 1982 6052 day = 2DIGIT 6053 month = %x4A.61.6E ; "Jan", case-sensitive 6054 / %x46.65.62 ; "Feb", case-sensitive 6055 / %x4D.61.72 ; "Mar", case-sensitive 6056 / %x41.70.72 ; "Apr", case-sensitive 6057 / %x4D.61.79 ; "May", case-sensitive 6058 / %x4A.75.6E ; "Jun", case-sensitive 6059 / %x4A.75.6C ; "Jul", case-sensitive 6060 / %x41.75.67 ; "Aug", case-sensitive 6061 / %x53.65.70 ; "Sep", case-sensitive 6062 / %x4F.63.74 ; "Oct", case-sensitive 6063 / %x4E.6F.76 ; "Nov", case-sensitive 6064 / %x44.65.63 ; "Dec", case-sensitive 6065 year = 4DIGIT 6067 GMT = %x47.4D.54 ; "GMT", case-sensitive 6069 time-of-day = hour ":" minute ":" second 6070 ; 00:00:00 - 23:59:60 (leap second) 6072 hour = 2DIGIT 6073 minute = 2DIGIT 6074 second = 2DIGIT 6076 Obsolete formats: 6078 obs-date = rfc850-date / asctime-date 6079 rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT 6080 date2 = day "-" month "-" 2DIGIT 6081 ; e.g., 02-Jun-82 6083 day-name-l = %x4D.6F.6E.64.61.79 ; "Monday", case-sensitive 6084 / %x54.75.65.73.64.61.79 ; "Tuesday", case-sensitive 6085 / %x57.65.64.6E.65.73.64.61.79 ; "Wednesday", case-sensitive 6086 / %x54.68.75.72.73.64.61.79 ; "Thursday", case-sensitive 6087 / %x46.72.69.64.61.79 ; "Friday", case-sensitive 6088 / %x53.61.74.75.72.64.61.79 ; "Saturday", case-sensitive 6089 / %x53.75.6E.64.61.79 ; "Sunday", case-sensitive 6091 asctime-date = day-name SP date3 SP time-of-day SP year 6092 date3 = month SP ( 2DIGIT / ( SP 1DIGIT )) 6093 ; e.g., Jun 2 6095 HTTP-date is case sensitive. A sender MUST NOT generate additional 6096 whitespace in an HTTP-date beyond that specifically included as SP in 6097 the grammar. The semantics of day-name, day, month, year, and time- 6098 of-day are the same as those defined for the Internet Message Format 6099 constructs with the corresponding name ([RFC5322], Section 3.3). 6101 Recipients of a timestamp value in rfc850-date format, which uses a 6102 two-digit year, MUST interpret a timestamp that appears to be more 6103 than 50 years in the future as representing the most recent year in 6104 the past that had the same last two digits. 6106 Recipients of timestamp values are encouraged to be robust in parsing 6107 timestamps unless otherwise restricted by the field definition. For 6108 example, messages are occasionally forwarded over HTTP from a non- 6109 HTTP source that might generate any of the date and time 6110 specifications defined by the Internet Message Format. 6112 Note: HTTP requirements for the date/time stamp format apply only 6113 to their usage within the protocol stream. Implementations are 6114 not required to use these formats for user presentation, request 6115 logging, etc. 6117 10.1.1.2. Date 6119 The "Date" header field represents the date and time at which the 6120 message was originated, having the same semantics as the Origination 6121 Date Field (orig-date) defined in Section 3.6.1 of [RFC5322]. The 6122 field value is an HTTP-date, as defined in Section 10.1.1.1. 6124 Date = HTTP-date 6126 An example is 6127 Date: Tue, 15 Nov 1994 08:12:31 GMT 6129 When a Date header field is generated, the sender SHOULD generate its 6130 field value as the best available approximation of the date and time 6131 of message generation. In theory, the date ought to represent the 6132 moment just before the payload is generated. In practice, the date 6133 can be generated at any time during message origination. 6135 An origin server MUST NOT send a Date header field if it does not 6136 have a clock capable of providing a reasonable approximation of the 6137 current instance in Coordinated Universal Time. An origin server MAY 6138 send a Date header field if the response is in the 1xx 6139 (Informational) or 5xx (Server Error) class of status codes. An 6140 origin server MUST send a Date header field in all other cases. 6142 A recipient with a clock that receives a response message without a 6143 Date header field MUST record the time it was received and append a 6144 corresponding Date header field to the message's header section if it 6145 is cached or forwarded downstream. 6147 A user agent MAY send a Date header field in a request, though 6148 generally will not do so unless it is believed to convey useful 6149 information to the server. For example, custom applications of HTTP 6150 might convey a Date if the server is expected to adjust its 6151 interpretation of the user's request based on differences between the 6152 user agent and server clocks. 6154 10.1.2. Location 6156 The "Location" header field is used in some responses to refer to a 6157 specific resource in relation to the response. The type of 6158 relationship is defined by the combination of request method and 6159 status code semantics. 6161 Location = URI-reference 6163 The field value consists of a single URI-reference. When it has the 6164 form of a relative reference ([RFC3986], Section 4.2), the final 6165 value is computed by resolving it against the effective request URI 6166 ([RFC3986], Section 5). 6168 For 201 (Created) responses, the Location value refers to the primary 6169 resource created by the request. For 3xx (Redirection) responses, 6170 the Location value refers to the preferred target resource for 6171 automatically redirecting the request. 6173 If the Location value provided in a 3xx (Redirection) response does 6174 not have a fragment component, a user agent MUST process the 6175 redirection as if the value inherits the fragment component of the 6176 URI reference used to generate the request target (i.e., the 6177 redirection inherits the original reference's fragment, if any). 6179 For example, a GET request generated for the URI reference 6180 "http://www.example.org/~tim" might result in a 303 (See Other) 6181 response containing the header field: 6183 Location: /People.html#tim 6185 which suggests that the user agent redirect to 6186 "http://www.example.org/People.html#tim" 6188 Likewise, a GET request generated for the URI reference 6189 "http://www.example.org/index.html#larry" might result in a 301 6190 (Moved Permanently) response containing the header field: 6192 Location: http://www.example.net/index.html 6194 which suggests that the user agent redirect to 6195 "http://www.example.net/index.html#larry", preserving the original 6196 fragment identifier. 6198 There are circumstances in which a fragment identifier in a Location 6199 value would not be appropriate. For example, the Location header 6200 field in a 201 (Created) response is supposed to provide a URI that 6201 is specific to the created resource. 6203 Note: Some recipients attempt to recover from Location fields that 6204 are not valid URI references. This specification does not mandate 6205 or define such processing, but does allow it for the sake of 6206 robustness. 6208 Note: The Content-Location header field (Section 6.2.5) differs 6209 from Location in that the Content-Location refers to the most 6210 specific resource corresponding to the enclosed representation. 6211 It is therefore possible for a response to contain both the 6212 Location and Content-Location header fields. 6214 10.1.3. Retry-After 6216 Servers send the "Retry-After" header field to indicate how long the 6217 user agent ought to wait before making a follow-up request. When 6218 sent with a 503 (Service Unavailable) response, Retry-After indicates 6219 how long the service is expected to be unavailable to the client. 6220 When sent with any 3xx (Redirection) response, Retry-After indicates 6221 the minimum time that the user agent is asked to wait before issuing 6222 the redirected request. 6224 The value of this field can be either an HTTP-date or a number of 6225 seconds to delay after the response is received. 6227 Retry-After = HTTP-date / delay-seconds 6229 A delay-seconds value is a non-negative decimal integer, representing 6230 time in seconds. 6232 delay-seconds = 1*DIGIT 6234 Two examples of its use are 6236 Retry-After: Fri, 31 Dec 1999 23:59:59 GMT 6237 Retry-After: 120 6239 In the latter example, the delay is 2 minutes. 6241 10.1.4. Vary 6243 The "Vary" header field in a response describes what parts of a 6244 request message, aside from the method, Host header field, and 6245 request target, might influence the origin server's process for 6246 selecting and representing this response. The value consists of 6247 either a single asterisk ("*") or a list of header field names (case- 6248 insensitive). 6250 Vary = "*" / 1#field-name 6252 A Vary field value of "*" signals that anything about the request 6253 might play a role in selecting the response representation, possibly 6254 including elements outside the message syntax (e.g., the client's 6255 network address). A recipient will not be able to determine whether 6256 this response is appropriate for a later request without forwarding 6257 the request to the origin server. A proxy MUST NOT generate a Vary 6258 field with a "*" value. 6260 A Vary field value consisting of a comma-separated list of names 6261 indicates that the named request header fields, known as the 6262 selecting header fields, might have a role in selecting the 6263 representation. The potential selecting header fields are not 6264 limited to those defined by this specification. 6266 For example, a response that contains 6268 Vary: accept-encoding, accept-language 6270 indicates that the origin server might have used the request's 6271 Accept-Encoding and Accept-Language fields (or lack thereof) as 6272 determining factors while choosing the content for this response. 6274 An origin server might send Vary with a list of fields for two 6275 purposes: 6277 1. To inform cache recipients that they MUST NOT use this response 6278 to satisfy a later request unless the later request has the same 6279 values for the listed fields as the original request (Section 4.1 6280 of [Caching]). In other words, Vary expands the cache key 6281 required to match a new request to the stored cache entry. 6283 2. To inform user agent recipients that this response is subject to 6284 content negotiation (Section 8.4) and that a different 6285 representation might be sent in a subsequent request if 6286 additional parameters are provided in the listed header fields 6287 (proactive negotiation). 6289 An origin server SHOULD send a Vary header field when its algorithm 6290 for selecting a representation varies based on aspects of the request 6291 message other than the method and request target, unless the variance 6292 cannot be crossed or the origin server has been deliberately 6293 configured to prevent cache transparency. For example, there is no 6294 need to send the Authorization field name in Vary because reuse 6295 across users is constrained by the field definition (Section 8.5.3). 6296 Likewise, an origin server might use Cache-Control directives 6297 (Section 5.2 of [Caching]) to supplant Vary if it considers the 6298 variance less significant than the performance cost of Vary's impact 6299 on caching. 6301 10.2. Validators 6303 Validator header fields convey metadata about the selected 6304 representation (Section 6). In responses to safe requests, validator 6305 fields describe the selected representation chosen by the origin 6306 server while handling the response. Note that, depending on the 6307 status code semantics, the selected representation for a given 6308 response is not necessarily the same as the representation enclosed 6309 as response payload. 6311 In a successful response to a state-changing request, validator 6312 fields describe the new representation that has replaced the prior 6313 selected representation as a result of processing the request. 6315 For example, an ETag header field in a 201 (Created) response 6316 communicates the entity-tag of the newly created resource's 6317 representation, so that it can be used in later conditional requests 6318 to prevent the "lost update" problem Section 8.2. 6320 +-------------------+----------------+ 6321 | Header Field Name | Defined in... | 6322 +-------------------+----------------+ 6323 | ETag | Section 10.2.3 | 6324 | Last-Modified | Section 10.2.2 | 6325 +-------------------+----------------+ 6327 This specification defines two forms of metadata that are commonly 6328 used to observe resource state and test for preconditions: 6329 modification dates (Section 10.2.2) and opaque entity tags 6330 (Section 10.2.3). Additional metadata that reflects resource state 6331 has been defined by various extensions of HTTP, such as Web 6332 Distributed Authoring and Versioning (WebDAV, [RFC4918]), that are 6333 beyond the scope of this specification. A resource metadata value is 6334 referred to as a "validator" when it is used within a precondition. 6336 10.2.1. Weak versus Strong 6338 Validators come in two flavors: strong or weak. Weak validators are 6339 easy to generate but are far less useful for comparisons. Strong 6340 validators are ideal for comparisons but can be very difficult (and 6341 occasionally impossible) to generate efficiently. Rather than impose 6342 that all forms of resource adhere to the same strength of validator, 6343 HTTP exposes the type of validator in use and imposes restrictions on 6344 when weak validators can be used as preconditions. 6346 A "strong validator" is representation metadata that changes value 6347 whenever a change occurs to the representation data that would be 6348 observable in the payload body of a 200 (OK) response to GET. 6350 A strong validator might change for reasons other than a change to 6351 the representation data, such as when a semantically significant part 6352 of the representation metadata is changed (e.g., Content-Type), but 6353 it is in the best interests of the origin server to only change the 6354 value when it is necessary to invalidate the stored responses held by 6355 remote caches and authoring tools. 6357 Cache entries might persist for arbitrarily long periods, regardless 6358 of expiration times. Thus, a cache might attempt to validate an 6359 entry using a validator that it obtained in the distant past. A 6360 strong validator is unique across all versions of all representations 6361 associated with a particular resource over time. However, there is 6362 no implication of uniqueness across representations of different 6363 resources (i.e., the same strong validator might be in use for 6364 representations of multiple resources at the same time and does not 6365 imply that those representations are equivalent). 6367 There are a variety of strong validators used in practice. The best 6368 are based on strict revision control, wherein each change to a 6369 representation always results in a unique node name and revision 6370 identifier being assigned before the representation is made 6371 accessible to GET. A collision-resistant hash function applied to 6372 the representation data is also sufficient if the data is available 6373 prior to the response header fields being sent and the digest does 6374 not need to be recalculated every time a validation request is 6375 received. However, if a resource has distinct representations that 6376 differ only in their metadata, such as might occur with content 6377 negotiation over media types that happen to share the same data 6378 format, then the origin server needs to incorporate additional 6379 information in the validator to distinguish those representations. 6381 In contrast, a "weak validator" is representation metadata that might 6382 not change for every change to the representation data. This 6383 weakness might be due to limitations in how the value is calculated, 6384 such as clock resolution, an inability to ensure uniqueness for all 6385 possible representations of the resource, or a desire of the resource 6386 owner to group representations by some self-determined set of 6387 equivalency rather than unique sequences of data. An origin server 6388 SHOULD change a weak entity-tag whenever it considers prior 6389 representations to be unacceptable as a substitute for the current 6390 representation. In other words, a weak entity-tag ought to change 6391 whenever the origin server wants caches to invalidate old responses. 6393 For example, the representation of a weather report that changes in 6394 content every second, based on dynamic measurements, might be grouped 6395 into sets of equivalent representations (from the origin server's 6396 perspective) with the same weak validator in order to allow cached 6397 representations to be valid for a reasonable period of time (perhaps 6398 adjusted dynamically based on server load or weather quality). 6399 Likewise, a representation's modification time, if defined with only 6400 one-second resolution, might be a weak validator if it is possible 6401 for the representation to be modified twice during a single second 6402 and retrieved between those modifications. 6404 Likewise, a validator is weak if it is shared by two or more 6405 representations of a given resource at the same time, unless those 6406 representations have identical representation data. For example, if 6407 the origin server sends the same validator for a representation with 6408 a gzip content coding applied as it does for a representation with no 6409 content coding, then that validator is weak. However, two 6410 simultaneous representations might share the same strong validator if 6411 they differ only in the representation metadata, such as when two 6412 different media types are available for the same representation data. 6414 Strong validators are usable for all conditional requests, including 6415 cache validation, partial content ranges, and "lost update" 6416 avoidance. Weak validators are only usable when the client does not 6417 require exact equality with previously obtained representation data, 6418 such as when validating a cache entry or limiting a web traversal to 6419 recent changes. 6421 10.2.2. Last-Modified 6423 The "Last-Modified" header field in a response provides a timestamp 6424 indicating the date and time at which the origin server believes the 6425 selected representation was last modified, as determined at the 6426 conclusion of handling the request. 6428 Last-Modified = HTTP-date 6430 An example of its use is 6432 Last-Modified: Tue, 15 Nov 1994 12:45:26 GMT 6434 10.2.2.1. Generation 6436 An origin server SHOULD send Last-Modified for any selected 6437 representation for which a last modification date can be reasonably 6438 and consistently determined, since its use in conditional requests 6439 and evaluating cache freshness ([Caching]) results in a substantial 6440 reduction of HTTP traffic on the Internet and can be a significant 6441 factor in improving service scalability and reliability. 6443 A representation is typically the sum of many parts behind the 6444 resource interface. The last-modified time would usually be the most 6445 recent time that any of those parts were changed. How that value is 6446 determined for any given resource is an implementation detail beyond 6447 the scope of this specification. What matters to HTTP is how 6448 recipients of the Last-Modified header field can use its value to 6449 make conditional requests and test the validity of locally cached 6450 responses. 6452 An origin server SHOULD obtain the Last-Modified value of the 6453 representation as close as possible to the time that it generates the 6454 Date field value for its response. This allows a recipient to make 6455 an accurate assessment of the representation's modification time, 6456 especially if the representation changes near the time that the 6457 response is generated. 6459 An origin server with a clock MUST NOT send a Last-Modified date that 6460 is later than the server's time of message origination (Date). If 6461 the last modification time is derived from implementation-specific 6462 metadata that evaluates to some time in the future, according to the 6463 origin server's clock, then the origin server MUST replace that value 6464 with the message origination date. This prevents a future 6465 modification date from having an adverse impact on cache validation. 6467 An origin server without a clock MUST NOT assign Last-Modified values 6468 to a response unless these values were associated with the resource 6469 by some other system or user with a reliable clock. 6471 10.2.2.2. Comparison 6473 A Last-Modified time, when used as a validator in a request, is 6474 implicitly weak unless it is possible to deduce that it is strong, 6475 using the following rules: 6477 o The validator is being compared by an origin server to the actual 6478 current validator for the representation and, 6480 o That origin server reliably knows that the associated 6481 representation did not change twice during the second covered by 6482 the presented validator. 6484 or 6486 o The validator is about to be used by a client in an If-Modified- 6487 Since, If-Unmodified-Since, or If-Range header field, because the 6488 client has a cache entry for the associated representation, and 6490 o That cache entry includes a Date value, which gives the time when 6491 the origin server sent the original response, and 6493 o The presented Last-Modified time is at least 60 seconds before the 6494 Date value. 6496 or 6498 o The validator is being compared by an intermediate cache to the 6499 validator stored in its cache entry for the representation, and 6501 o That cache entry includes a Date value, which gives the time when 6502 the origin server sent the original response, and 6504 o The presented Last-Modified time is at least 60 seconds before the 6505 Date value. 6507 This method relies on the fact that if two different responses were 6508 sent by the origin server during the same second, but both had the 6509 same Last-Modified time, then at least one of those responses would 6510 have a Date value equal to its Last-Modified time. The arbitrary 6511 60-second limit guards against the possibility that the Date and 6512 Last-Modified values are generated from different clocks or at 6513 somewhat different times during the preparation of the response. An 6514 implementation MAY use a value larger than 60 seconds, if it is 6515 believed that 60 seconds is too short. 6517 10.2.3. ETag 6519 The "ETag" header field in a response provides the current entity-tag 6520 for the selected representation, as determined at the conclusion of 6521 handling the request. An entity-tag is an opaque validator for 6522 differentiating between multiple representations of the same 6523 resource, regardless of whether those multiple representations are 6524 due to resource state changes over time, content negotiation 6525 resulting in multiple representations being valid at the same time, 6526 or both. An entity-tag consists of an opaque quoted string, possibly 6527 prefixed by a weakness indicator. 6529 ETag = entity-tag 6531 entity-tag = [ weak ] opaque-tag 6532 weak = %x57.2F ; "W/", case-sensitive 6533 opaque-tag = DQUOTE *etagc DQUOTE 6534 etagc = %x21 / %x23-7E / obs-text 6535 ; VCHAR except double quotes, plus obs-text 6537 Note: Previously, opaque-tag was defined to be a quoted-string 6538 ([RFC2616], Section 3.11); thus, some recipients might perform 6539 backslash unescaping. Servers therefore ought to avoid backslash 6540 characters in entity tags. 6542 An entity-tag can be more reliable for validation than a modification 6543 date in situations where it is inconvenient to store modification 6544 dates, where the one-second resolution of HTTP date values is not 6545 sufficient, or where modification dates are not consistently 6546 maintained. 6548 Examples: 6550 ETag: "xyzzy" 6551 ETag: W/"xyzzy" 6552 ETag: "" 6554 An entity-tag can be either a weak or strong validator, with strong 6555 being the default. If an origin server provides an entity-tag for a 6556 representation and the generation of that entity-tag does not satisfy 6557 all of the characteristics of a strong validator (Section 10.2.1), 6558 then the origin server MUST mark the entity-tag as weak by prefixing 6559 its opaque value with "W/" (case-sensitive). 6561 10.2.3.1. Generation 6563 The principle behind entity-tags is that only the service author 6564 knows the implementation of a resource well enough to select the most 6565 accurate and efficient validation mechanism for that resource, and 6566 that any such mechanism can be mapped to a simple sequence of octets 6567 for easy comparison. Since the value is opaque, there is no need for 6568 the client to be aware of how each entity-tag is constructed. 6570 For example, a resource that has implementation-specific versioning 6571 applied to all changes might use an internal revision number, perhaps 6572 combined with a variance identifier for content negotiation, to 6573 accurately differentiate between representations. Other 6574 implementations might use a collision-resistant hash of 6575 representation content, a combination of various file attributes, or 6576 a modification timestamp that has sub-second resolution. 6578 An origin server SHOULD send an ETag for any selected representation 6579 for which detection of changes can be reasonably and consistently 6580 determined, since the entity-tag's use in conditional requests and 6581 evaluating cache freshness ([Caching]) can result in a substantial 6582 reduction of HTTP network traffic and can be a significant factor in 6583 improving service scalability and reliability. 6585 10.2.3.2. Comparison 6587 There are two entity-tag comparison functions, depending on whether 6588 or not the comparison context allows the use of weak validators: 6590 o Strong comparison: two entity-tags are equivalent if both are not 6591 weak and their opaque-tags match character-by-character. 6593 o Weak comparison: two entity-tags are equivalent if their opaque- 6594 tags match character-by-character, regardless of either or both 6595 being tagged as "weak". 6597 The example below shows the results for a set of entity-tag pairs and 6598 both the weak and strong comparison function results: 6600 +--------+--------+-------------------+-----------------+ 6601 | ETag 1 | ETag 2 | Strong Comparison | Weak Comparison | 6602 +--------+--------+-------------------+-----------------+ 6603 | W/"1" | W/"1" | no match | match | 6604 | W/"1" | W/"2" | no match | no match | 6605 | W/"1" | "1" | no match | match | 6606 | "1" | "1" | match | match | 6607 +--------+--------+-------------------+-----------------+ 6609 10.2.3.3. Example: Entity-Tags Varying on Content-Negotiated Resources 6611 Consider a resource that is subject to content negotiation 6612 (Section 6.4), and where the representations sent in response to a 6613 GET request vary based on the Accept-Encoding request header field 6614 (Section 8.4.4): 6616 >> Request: 6618 GET /index HTTP/1.1 6619 Host: www.example.com 6620 Accept-Encoding: gzip 6622 In this case, the response might or might not use the gzip content 6623 coding. If it does not, the response might look like: 6625 >> Response: 6627 HTTP/1.1 200 OK 6628 Date: Fri, 26 Mar 2010 00:05:00 GMT 6629 ETag: "123-a" 6630 Content-Length: 70 6631 Vary: Accept-Encoding 6632 Content-Type: text/plain 6634 Hello World! 6635 Hello World! 6636 Hello World! 6637 Hello World! 6638 Hello World! 6640 An alternative representation that does use gzip content coding would 6641 be: 6643 >> Response: 6645 HTTP/1.1 200 OK 6646 Date: Fri, 26 Mar 2010 00:05:00 GMT 6647 ETag: "123-b" 6648 Content-Length: 43 6649 Vary: Accept-Encoding 6650 Content-Type: text/plain 6651 Content-Encoding: gzip 6653 ...binary data... 6655 Note: Content codings are a property of the representation data, 6656 so a strong entity-tag for a content-encoded representation has to 6657 be distinct from the entity tag of an unencoded representation to 6658 prevent potential conflicts during cache updates and range 6659 requests. In contrast, transfer codings (Section 7 of 6660 [Messaging]) apply only during message transfer and do not result 6661 in distinct entity-tags. 6663 10.2.4. When to Use Entity-Tags and Last-Modified Dates 6665 In 200 (OK) responses to GET or HEAD, an origin server: 6667 o SHOULD send an entity-tag validator unless it is not feasible to 6668 generate one. 6670 o MAY send a weak entity-tag instead of a strong entity-tag, if 6671 performance considerations support the use of weak entity-tags, or 6672 if it is unfeasible to send a strong entity-tag. 6674 o SHOULD send a Last-Modified value if it is feasible to send one. 6676 In other words, the preferred behavior for an origin server is to 6677 send both a strong entity-tag and a Last-Modified value in successful 6678 responses to a retrieval request. 6680 A client: 6682 o MUST send that entity-tag in any cache validation request (using 6683 If-Match or If-None-Match) if an entity-tag has been provided by 6684 the origin server. 6686 o SHOULD send the Last-Modified value in non-subrange cache 6687 validation requests (using If-Modified-Since) if only a Last- 6688 Modified value has been provided by the origin server. 6690 o MAY send the Last-Modified value in subrange cache validation 6691 requests (using If-Unmodified-Since) if only a Last-Modified value 6692 has been provided by an HTTP/1.0 origin server. The user agent 6693 SHOULD provide a way to disable this, in case of difficulty. 6695 o SHOULD send both validators in cache validation requests if both 6696 an entity-tag and a Last-Modified value have been provided by the 6697 origin server. This allows both HTTP/1.0 and HTTP/1.1 caches to 6698 respond appropriately. 6700 10.3. Authentication Challenges 6702 Authentication challenges indicate what mechanisms are available for 6703 the client to provide authentication credentials in future requests. 6705 +--------------------+----------------+ 6706 | Header Field Name | Defined in... | 6707 +--------------------+----------------+ 6708 | WWW-Authenticate | Section 10.3.1 | 6709 | Proxy-Authenticate | Section 10.3.2 | 6710 +--------------------+----------------+ 6712 Furthermore, the "Authentication-Info" and "Proxy-Authentication- 6713 Info" response header fields are defined for use in authentication 6714 schemes that need to return information once the client's 6715 authentication credentials have been accepted. 6717 +---------------------------+----------------+ 6718 | Header Field Name | Defined in... | 6719 +---------------------------+----------------+ 6720 | Authentication-Info | Section 10.3.3 | 6721 | Proxy-Authentication-Info | Section 10.3.4 | 6722 +---------------------------+----------------+ 6724 10.3.1. WWW-Authenticate 6726 The "WWW-Authenticate" header field indicates the authentication 6727 scheme(s) and parameters applicable to the target resource. 6729 WWW-Authenticate = 1#challenge 6731 A server generating a 401 (Unauthorized) response MUST send a WWW- 6732 Authenticate header field containing at least one challenge. A 6733 server MAY generate a WWW-Authenticate header field in other response 6734 messages to indicate that supplying credentials (or different 6735 credentials) might affect the response. 6737 A proxy forwarding a response MUST NOT modify any WWW-Authenticate 6738 fields in that response. 6740 User agents are advised to take special care in parsing the field 6741 value, as it might contain more than one challenge, and each 6742 challenge can contain a comma-separated list of authentication 6743 parameters. Furthermore, the header field itself can occur multiple 6744 times. 6746 For instance: 6748 WWW-Authenticate: Newauth realm="apps", type=1, 6749 title="Login to \"apps\"", Basic realm="simple" 6751 This header field contains two challenges; one for the "Newauth" 6752 scheme with a realm value of "apps", and two additional parameters 6753 "type" and "title", and another one for the "Basic" scheme with a 6754 realm value of "simple". 6756 Note: The challenge grammar production uses the list syntax as 6757 well. Therefore, a sequence of comma, whitespace, and comma can 6758 be considered either as applying to the preceding challenge, or to 6759 be an empty entry in the list of challenges. In practice, this 6760 ambiguity does not affect the semantics of the header field value 6761 and thus is harmless. 6763 10.3.2. Proxy-Authenticate 6765 The "Proxy-Authenticate" header field consists of at least one 6766 challenge that indicates the authentication scheme(s) and parameters 6767 applicable to the proxy for this effective request URI (Section 5.3). 6768 A proxy MUST send at least one Proxy-Authenticate header field in 6769 each 407 (Proxy Authentication Required) response that it generates. 6771 Proxy-Authenticate = 1#challenge 6773 Unlike WWW-Authenticate, the Proxy-Authenticate header field applies 6774 only to the next outbound client on the response chain. This is 6775 because only the client that chose a given proxy is likely to have 6776 the credentials necessary for authentication. However, when multiple 6777 proxies are used within the same administrative domain, such as 6778 office and regional caching proxies within a large corporate network, 6779 it is common for credentials to be generated by the user agent and 6780 passed through the hierarchy until consumed. Hence, in such a 6781 configuration, it will appear as if Proxy-Authenticate is being 6782 forwarded because each proxy will send the same challenge set. 6784 Note that the parsing considerations for WWW-Authenticate apply to 6785 this header field as well; see Section 10.3.1 for details. 6787 10.3.3. Authentication-Info 6789 HTTP authentication schemes can use the Authentication-Info response 6790 header field to communicate information after the client's 6791 authentication credentials have been accepted. This information can 6792 include a finalization message from the server (e.g., it can contain 6793 the server authentication). 6795 The field value is a list of parameters (name/value pairs), using the 6796 "auth-param" syntax defined in Section 8.5.1. This specification 6797 only describes the generic format; authentication schemes using 6798 Authentication-Info will define the individual parameters. The 6799 "Digest" Authentication Scheme, for instance, defines multiple 6800 parameters in Section 3.5 of [RFC7616]. 6802 Authentication-Info = #auth-param 6804 The Authentication-Info header field can be used in any HTTP 6805 response, independently of request method and status code. Its 6806 semantics are defined by the authentication scheme indicated by the 6807 Authorization header field (Section 8.5.3) of the corresponding 6808 request. 6810 A proxy forwarding a response is not allowed to modify the field 6811 value in any way. 6813 Authentication-Info can be used inside trailers (Section 7.1.2 of 6814 [Messaging]) when the authentication scheme explicitly allows this. 6816 10.3.3.1. Parameter Value Format 6818 Parameter values can be expressed either as "token" or as "quoted- 6819 string" (Section 4.2.3). 6821 Authentication scheme definitions need to allow both notations, both 6822 for senders and recipients. This allows recipients to use generic 6823 parsing components, independent of the authentication scheme in use. 6825 For backwards compatibility, authentication scheme definitions can 6826 restrict the format for senders to one of the two variants. This can 6827 be important when it is known that deployed implementations will fail 6828 when encountering one of the two formats. 6830 10.3.4. Proxy-Authentication-Info 6832 The Proxy-Authentication-Info response header field is equivalent to 6833 Authentication-Info, except that it applies to proxy authentication 6834 (Section 8.5.1) and its semantics are defined by the authentication 6835 scheme indicated by the Proxy-Authorization header field 6836 (Section 8.5.4) of the corresponding request: 6838 Proxy-Authentication-Info = #auth-param 6840 However, unlike Authentication-Info, the Proxy-Authentication-Info 6841 header field applies only to the next outbound client on the response 6842 chain. This is because only the client that chose a given proxy is 6843 likely to have the credentials necessary for authentication. 6844 However, when multiple proxies are used within the same 6845 administrative domain, such as office and regional caching proxies 6846 within a large corporate network, it is common for credentials to be 6847 generated by the user agent and passed through the hierarchy until 6848 consumed. Hence, in such a configuration, it will appear as if 6849 Proxy-Authentication-Info is being forwarded because each proxy will 6850 send the same field value. 6852 10.4. Response Context 6854 The remaining response header fields provide more information about 6855 the target resource for potential use in later requests. 6857 +-------------------+----------------+ 6858 | Header Field Name | Defined in... | 6859 +-------------------+----------------+ 6860 | Accept-Ranges | Section 10.4.1 | 6861 | Allow | Section 10.4.2 | 6862 | Server | Section 10.4.3 | 6863 +-------------------+----------------+ 6865 10.4.1. Accept-Ranges 6867 The "Accept-Ranges" header field allows a server to indicate that it 6868 supports range requests for the target resource. 6870 Accept-Ranges = acceptable-ranges 6871 acceptable-ranges = 1#range-unit / "none" 6873 An origin server that supports byte-range requests for a given target 6874 resource MAY send 6876 Accept-Ranges: bytes 6878 to indicate what range units are supported. A client MAY generate 6879 range requests without having received this header field for the 6880 resource involved. Range units are defined in Section 6.1.4. 6882 A server that does not support any kind of range request for the 6883 target resource MAY send 6885 Accept-Ranges: none 6887 to advise the client not to attempt a range request. 6889 10.4.2. Allow 6891 The "Allow" header field lists the set of methods advertised as 6892 supported by the target resource. The purpose of this field is 6893 strictly to inform the recipient of valid request methods associated 6894 with the resource. 6896 Allow = #method 6898 Example of use: 6900 Allow: GET, HEAD, PUT 6902 The actual set of allowed methods is defined by the origin server at 6903 the time of each request. An origin server MUST generate an Allow 6904 field in a 405 (Method Not Allowed) response and MAY do so in any 6905 other response. An empty Allow field value indicates that the 6906 resource allows no methods, which might occur in a 405 response if 6907 the resource has been temporarily disabled by configuration. 6909 A proxy MUST NOT modify the Allow header field -- it does not need to 6910 understand all of the indicated methods in order to handle them 6911 according to the generic message handling rules. 6913 10.4.3. Server 6915 The "Server" header field contains information about the software 6916 used by the origin server to handle the request, which is often used 6917 by clients to help identify the scope of reported interoperability 6918 problems, to work around or tailor requests to avoid particular 6919 server limitations, and for analytics regarding server or operating 6920 system use. An origin server MAY generate a Server field in its 6921 responses. 6923 Server = product *( RWS ( product / comment ) ) 6925 The Server field-value consists of one or more product identifiers, 6926 each followed by zero or more comments (Section 5 of [Messaging]), 6927 which together identify the origin server software and its 6928 significant subproducts. By convention, the product identifiers are 6929 listed in decreasing order of their significance for identifying the 6930 origin server software. Each product identifier consists of a name 6931 and optional version, as defined in Section 8.6.3. 6933 Example: 6935 Server: CERN/3.0 libwww/2.17 6937 An origin server SHOULD NOT generate a Server field containing 6938 needlessly fine-grained detail and SHOULD limit the addition of 6939 subproducts by third parties. Overly long and detailed Server field 6940 values increase response latency and potentially reveal internal 6941 implementation details that might make it (slightly) easier for 6942 attackers to find and exploit known security holes. 6944 11. ABNF List Extension: #rule 6946 A #rule extension to the ABNF rules of [RFC5234] is used to improve 6947 readability in the definitions of some header field values. 6949 A construct "#" is defined, similar to "*", for defining comma- 6950 delimited lists of elements. The full form is "#element" 6951 indicating at least and at most elements, each separated by a 6952 single comma (",") and optional whitespace (OWS). 6954 In any production that uses the list construct, a sender MUST NOT 6955 generate empty list elements. In other words, a sender MUST generate 6956 lists that satisfy the following syntax: 6958 1#element => element *( OWS "," OWS element ) 6960 and: 6962 #element => [ 1#element ] 6964 and for n >= 1 and m > 1: 6966 #element => element *( OWS "," OWS element ) 6968 For compatibility with legacy list rules, a recipient MUST parse and 6969 ignore a reasonable number of empty list elements: enough to handle 6970 common mistakes by senders that merge values, but not so much that 6971 they could be used as a denial-of-service mechanism. In other words, 6972 a recipient MUST accept lists that satisfy the following syntax: 6974 #element => [ ( "," / element ) *( OWS "," [ OWS element ] ) ] 6976 1#element => *( "," OWS ) element *( OWS "," [ OWS element ] ) 6978 Empty elements do not contribute to the count of elements present. 6979 For example, given these ABNF productions: 6981 example-list = 1#example-list-elmt 6982 example-list-elmt = token ; see Section 4.2.3 6984 Then the following are valid values for example-list (not including 6985 the double quotes, which are present for delimitation only): 6987 "foo,bar" 6988 "foo ,bar," 6989 "foo , ,bar,charlie" 6991 In contrast, the following values would be invalid, since at least 6992 one non-empty element is required by the example-list production: 6994 "" 6995 "," 6996 ", ," 6998 Appendix A shows the collected ABNF for recipients after the list 6999 constructs have been expanded. 7001 12. Security Considerations 7003 This section is meant to inform developers, information providers, 7004 and users of known security concerns relevant to HTTP semantics and 7005 its use for transferring information over the Internet. 7006 Considerations related to message syntax, parsing, and routing are 7007 discussed in Section 11 of [Messaging]. 7009 The list of considerations below is not exhaustive. Most security 7010 concerns related to HTTP semantics are about securing server-side 7011 applications (code behind the HTTP interface), securing user agent 7012 processing of payloads received via HTTP, or secure use of the 7013 Internet in general, rather than security of the protocol. Various 7014 organizations maintain topical information and links to current 7015 research on Web application security (e.g., [OWASP]). 7017 12.1. Establishing Authority 7019 HTTP relies on the notion of an authoritative response: a response 7020 that has been determined by (or at the direction of) the authority 7021 identified within the target URI to be the most appropriate response 7022 for that request given the state of the target resource at the time 7023 of response message origination. Providing a response from a non- 7024 authoritative source, such as a shared cache, is often useful to 7025 improve performance and availability, but only to the extent that the 7026 source can be trusted or the distrusted response can be safely used. 7028 Unfortunately, establishing authority can be difficult. For example, 7029 phishing is an attack on the user's perception of authority, where 7030 that perception can be misled by presenting similar branding in 7031 hypertext, possibly aided by userinfo obfuscating the authority 7032 component (see Section 2.5.1). User agents can reduce the impact of 7033 phishing attacks by enabling users to easily inspect a target URI 7034 prior to making an action, by prominently distinguishing (or 7035 rejecting) userinfo when present, and by not sending stored 7036 credentials and cookies when the referring document is from an 7037 unknown or untrusted source. 7039 When a registered name is used in the authority component, the "http" 7040 URI scheme (Section 2.5.1) relies on the user's local name resolution 7041 service to determine where it can find authoritative responses. This 7042 means that any attack on a user's network host table, cached names, 7043 or name resolution libraries becomes an avenue for attack on 7044 establishing authority. Likewise, the user's choice of server for 7045 Domain Name Service (DNS), and the hierarchy of servers from which it 7046 obtains resolution results, could impact the authenticity of address 7047 mappings; DNS Security Extensions (DNSSEC, [RFC4033]) are one way to 7048 improve authenticity. 7050 Furthermore, after an IP address is obtained, establishing authority 7051 for an "http" URI is vulnerable to attacks on Internet Protocol 7052 routing. 7054 The "https" scheme (Section 2.5.2) is intended to prevent (or at 7055 least reveal) many of these potential attacks on establishing 7056 authority, provided that the negotiated TLS connection is secured and 7057 the client properly verifies that the communicating server's identity 7058 matches the target URI's authority component (see [RFC2818]). 7059 Correctly implementing such verification can be difficult (see 7060 [Georgiev]). 7062 12.2. Risks of Intermediaries 7064 By their very nature, HTTP intermediaries are men-in-the-middle and, 7065 thus, represent an opportunity for man-in-the-middle attacks. 7066 Compromise of the systems on which the intermediaries run can result 7067 in serious security and privacy problems. Intermediaries might have 7068 access to security-related information, personal information about 7069 individual users and organizations, and proprietary information 7070 belonging to users and content providers. A compromised 7071 intermediary, or an intermediary implemented or configured without 7072 regard to security and privacy considerations, might be used in the 7073 commission of a wide range of potential attacks. 7075 Intermediaries that contain a shared cache are especially vulnerable 7076 to cache poisoning attacks, as described in Section 7 of [Caching]. 7078 Implementers need to consider the privacy and security implications 7079 of their design and coding decisions, and of the configuration 7080 options they provide to operators (especially the default 7081 configuration). 7083 Users need to be aware that intermediaries are no more trustworthy 7084 than the people who run them; HTTP itself cannot solve this problem. 7086 12.3. Attacks Based on File and Path Names 7088 Origin servers frequently make use of their local file system to 7089 manage the mapping from effective request URI to resource 7090 representations. Most file systems are not designed to protect 7091 against malicious file or path names. Therefore, an origin server 7092 needs to avoid accessing names that have a special significance to 7093 the system when mapping the request target to files, folders, or 7094 directories. 7096 For example, UNIX, Microsoft Windows, and other operating systems use 7097 ".." as a path component to indicate a directory level above the 7098 current one, and they use specially named paths or file names to send 7099 data to system devices. Similar naming conventions might exist 7100 within other types of storage systems. Likewise, local storage 7101 systems have an annoying tendency to prefer user-friendliness over 7102 security when handling invalid or unexpected characters, 7103 recomposition of decomposed characters, and case-normalization of 7104 case-insensitive names. 7106 Attacks based on such special names tend to focus on either denial- 7107 of-service (e.g., telling the server to read from a COM port) or 7108 disclosure of configuration and source files that are not meant to be 7109 served. 7111 12.4. Attacks Based on Command, Code, or Query Injection 7113 Origin servers often use parameters within the URI as a means of 7114 identifying system services, selecting database entries, or choosing 7115 a data source. However, data received in a request cannot be 7116 trusted. An attacker could construct any of the request data 7117 elements (method, request-target, header fields, or body) to contain 7118 data that might be misinterpreted as a command, code, or query when 7119 passed through a command invocation, language interpreter, or 7120 database interface. 7122 For example, SQL injection is a common attack wherein additional 7123 query language is inserted within some part of the request-target or 7124 header fields (e.g., Host, Referer, etc.). If the received data is 7125 used directly within a SELECT statement, the query language might be 7126 interpreted as a database command instead of a simple string value. 7127 This type of implementation vulnerability is extremely common, in 7128 spite of being easy to prevent. 7130 In general, resource implementations ought to avoid use of request 7131 data in contexts that are processed or interpreted as instructions. 7132 Parameters ought to be compared to fixed strings and acted upon as a 7133 result of that comparison, rather than passed through an interface 7134 that is not prepared for untrusted data. Received data that isn't 7135 based on fixed parameters ought to be carefully filtered or encoded 7136 to avoid being misinterpreted. 7138 Similar considerations apply to request data when it is stored and 7139 later processed, such as within log files, monitoring tools, or when 7140 included within a data format that allows embedded scripts. 7142 12.5. Attacks via Protocol Element Length 7144 Because HTTP uses mostly textual, character-delimited fields, parsers 7145 are often vulnerable to attacks based on sending very long (or very 7146 slow) streams of data, particularly where an implementation is 7147 expecting a protocol element with no predefined length (Section 3.3). 7149 To promote interoperability, specific recommendations are made for 7150 minimum size limits on request-line (Section 3 of [Messaging]) and 7151 header fields (Section 5 of [Messaging]). These are minimum 7152 recommendations, chosen to be supportable even by implementations 7153 with limited resources; it is expected that most implementations will 7154 choose substantially higher limits. 7156 A server can reject a message that has a request-target that is too 7157 long (Section 9.5.15) or a request payload that is too large 7158 (Section 9.5.14). Additional status codes related to capacity limits 7159 have been defined by extensions to HTTP [RFC6585]. 7161 Recipients ought to carefully limit the extent to which they process 7162 other protocol elements, including (but not limited to) request 7163 methods, response status phrases, header field-names, numeric values, 7164 and body chunks. Failure to limit such processing can result in 7165 buffer overflows, arithmetic overflows, or increased vulnerability to 7166 denial-of-service attacks. 7168 12.6. Disclosure of Personal Information 7170 Clients are often privy to large amounts of personal information, 7171 including both information provided by the user to interact with 7172 resources (e.g., the user's name, location, mail address, passwords, 7173 encryption keys, etc.) and information about the user's browsing 7174 activity over time (e.g., history, bookmarks, etc.). Implementations 7175 need to prevent unintentional disclosure of personal information. 7177 12.7. Privacy of Server Log Information 7179 A server is in the position to save personal data about a user's 7180 requests over time, which might identify their reading patterns or 7181 subjects of interest. In particular, log information gathered at an 7182 intermediary often contains a history of user agent interaction, 7183 across a multitude of sites, that can be traced to individual users. 7185 HTTP log information is confidential in nature; its handling is often 7186 constrained by laws and regulations. Log information needs to be 7187 securely stored and appropriate guidelines followed for its analysis. 7188 Anonymization of personal information within individual entries 7189 helps, but it is generally not sufficient to prevent real log traces 7190 from being re-identified based on correlation with other access 7191 characteristics. As such, access traces that are keyed to a specific 7192 client are unsafe to publish even if the key is pseudonymous. 7194 To minimize the risk of theft or accidental publication, log 7195 information ought to be purged of personally identifiable 7196 information, including user identifiers, IP addresses, and user- 7197 provided query parameters, as soon as that information is no longer 7198 necessary to support operational needs for security, auditing, or 7199 fraud control. 7201 12.8. Disclosure of Sensitive Information in URIs 7203 URIs are intended to be shared, not secured, even when they identify 7204 secure resources. URIs are often shown on displays, added to 7205 templates when a page is printed, and stored in a variety of 7206 unprotected bookmark lists. It is therefore unwise to include 7207 information within a URI that is sensitive, personally identifiable, 7208 or a risk to disclose. 7210 Authors of services ought to avoid GET-based forms for the submission 7211 of sensitive data because that data will be placed in the request- 7212 target. Many existing servers, proxies, and user agents log or 7213 display the request-target in places where it might be visible to 7214 third parties. Such services ought to use POST-based form submission 7215 instead. 7217 Since the Referer header field tells a target site about the context 7218 that resulted in a request, it has the potential to reveal 7219 information about the user's immediate browsing history and any 7220 personal information that might be found in the referring resource's 7221 URI. Limitations on the Referer header field are described in 7222 Section 8.6.2 to address some of its security considerations. 7224 12.9. Disclosure of Fragment after Redirects 7226 Although fragment identifiers used within URI references are not sent 7227 in requests, implementers ought to be aware that they will be visible 7228 to the user agent and any extensions or scripts running as a result 7229 of the response. In particular, when a redirect occurs and the 7230 original request's fragment identifier is inherited by the new 7231 reference in Location (Section 10.1.2), this might have the effect of 7232 disclosing one site's fragment to another site. If the first site 7233 uses personal information in fragments, it ought to ensure that 7234 redirects to other sites include a (possibly empty) fragment 7235 component in order to block that inheritance. 7237 12.10. Disclosure of Product Information 7239 The User-Agent (Section 8.6.3), Via (Section 5.5.1), and Server 7240 (Section 10.4.3) header fields often reveal information about the 7241 respective sender's software systems. In theory, this can make it 7242 easier for an attacker to exploit known security holes; in practice, 7243 attackers tend to try all potential holes regardless of the apparent 7244 software versions being used. 7246 Proxies that serve as a portal through a network firewall ought to 7247 take special precautions regarding the transfer of header information 7248 that might identify hosts behind the firewall. The Via header field 7249 allows intermediaries to replace sensitive machine names with 7250 pseudonyms. 7252 12.11. Browser Fingerprinting 7254 Browser fingerprinting is a set of techniques for identifying a 7255 specific user agent over time through its unique set of 7256 characteristics. These characteristics might include information 7257 related to its TCP behavior, feature capabilities, and scripting 7258 environment, though of particular interest here is the set of unique 7259 characteristics that might be communicated via HTTP. Fingerprinting 7260 is considered a privacy concern because it enables tracking of a user 7261 agent's behavior over time without the corresponding controls that 7262 the user might have over other forms of data collection (e.g., 7263 cookies). Many general-purpose user agents (i.e., Web browsers) have 7264 taken steps to reduce their fingerprints. 7266 There are a number of request header fields that might reveal 7267 information to servers that is sufficiently unique to enable 7268 fingerprinting. The From header field is the most obvious, though it 7269 is expected that From will only be sent when self-identification is 7270 desired by the user. Likewise, Cookie header fields are deliberately 7271 designed to enable re-identification, so fingerprinting concerns only 7272 apply to situations where cookies are disabled or restricted by the 7273 user agent's configuration. 7275 The User-Agent header field might contain enough information to 7276 uniquely identify a specific device, usually when combined with other 7277 characteristics, particularly if the user agent sends excessive 7278 details about the user's system or extensions. However, the source 7279 of unique information that is least expected by users is proactive 7280 negotiation (Section 8.4), including the Accept, Accept-Charset, 7281 Accept-Encoding, and Accept-Language header fields. 7283 In addition to the fingerprinting concern, detailed use of the 7284 Accept-Language header field can reveal information the user might 7285 consider to be of a private nature. For example, understanding a 7286 given language set might be strongly correlated to membership in a 7287 particular ethnic group. An approach that limits such loss of 7288 privacy would be for a user agent to omit the sending of Accept- 7289 Language except for sites that have been whitelisted, perhaps via 7290 interaction after detecting a Vary header field that indicates 7291 language negotiation might be useful. 7293 In environments where proxies are used to enhance privacy, user 7294 agents ought to be conservative in sending proactive negotiation 7295 header fields. General-purpose user agents that provide a high 7296 degree of header field configurability ought to inform users about 7297 the loss of privacy that might result if too much detail is provided. 7298 As an extreme privacy measure, proxies could filter the proactive 7299 negotiation header fields in relayed requests. 7301 12.12. Validator Retention 7303 The validators defined by this specification are not intended to 7304 ensure the validity of a representation, guard against malicious 7305 changes, or detect man-in-the-middle attacks. At best, they enable 7306 more efficient cache updates and optimistic concurrent writes when 7307 all participants are behaving nicely. At worst, the conditions will 7308 fail and the client will receive a response that is no more harmful 7309 than an HTTP exchange without conditional requests. 7311 An entity-tag can be abused in ways that create privacy risks. For 7312 example, a site might deliberately construct a semantically invalid 7313 entity-tag that is unique to the user or user agent, send it in a 7314 cacheable response with a long freshness time, and then read that 7315 entity-tag in later conditional requests as a means of re-identifying 7316 that user or user agent. Such an identifying tag would become a 7317 persistent identifier for as long as the user agent retained the 7318 original cache entry. User agents that cache representations ought 7319 to ensure that the cache is cleared or replaced whenever the user 7320 performs privacy-maintaining actions, such as clearing stored cookies 7321 or changing to a private browsing mode. 7323 12.13. Denial-of-Service Attacks Using Range 7325 Unconstrained multiple range requests are susceptible to denial-of- 7326 service attacks because the effort required to request many 7327 overlapping ranges of the same data is tiny compared to the time, 7328 memory, and bandwidth consumed by attempting to serve the requested 7329 data in many parts. Servers ought to ignore, coalesce, or reject 7330 egregious range requests, such as requests for more than two 7331 overlapping ranges or for many small ranges in a single set, 7332 particularly when the ranges are requested out of order for no 7333 apparent reason. Multipart range requests are not designed to 7334 support random access. 7336 12.14. Authentication Considerations 7338 Everything about the topic of HTTP authentication is a security 7339 consideration, so the list of considerations below is not exhaustive. 7340 Furthermore, it is limited to security considerations regarding the 7341 authentication framework, in general, rather than discussing all of 7342 the potential considerations for specific authentication schemes 7343 (which ought to be documented in the specifications that define those 7344 schemes). Various organizations maintain topical information and 7345 links to current research on Web application security (e.g., 7346 [OWASP]), including common pitfalls for implementing and using the 7347 authentication schemes found in practice. 7349 12.14.1. Confidentiality of Credentials 7351 The HTTP authentication framework does not define a single mechanism 7352 for maintaining the confidentiality of credentials; instead, each 7353 authentication scheme defines how the credentials are encoded prior 7354 to transmission. While this provides flexibility for the development 7355 of future authentication schemes, it is inadequate for the protection 7356 of existing schemes that provide no confidentiality on their own, or 7357 that do not sufficiently protect against replay attacks. 7358 Furthermore, if the server expects credentials that are specific to 7359 each individual user, the exchange of those credentials will have the 7360 effect of identifying that user even if the content within 7361 credentials remains confidential. 7363 HTTP depends on the security properties of the underlying transport- 7364 or session-level connection to provide confidential transmission of 7365 header fields. In other words, if a server limits access to 7366 authenticated users using this framework, the server needs to ensure 7367 that the connection is properly secured in accordance with the nature 7368 of the authentication scheme used. For example, services that depend 7369 on individual user authentication often require a connection to be 7370 secured with TLS ("Transport Layer Security", [RFC5246]) prior to 7371 exchanging any credentials. 7373 12.14.2. Credentials and Idle Clients 7375 Existing HTTP clients and user agents typically retain authentication 7376 information indefinitely. HTTP does not provide a mechanism for the 7377 origin server to direct clients to discard these cached credentials, 7378 since the protocol has no awareness of how credentials are obtained 7379 or managed by the user agent. The mechanisms for expiring or 7380 revoking credentials can be specified as part of an authentication 7381 scheme definition. 7383 Circumstances under which credential caching can interfere with the 7384 application's security model include but are not limited to: 7386 o Clients that have been idle for an extended period, following 7387 which the server might wish to cause the client to re-prompt the 7388 user for credentials. 7390 o Applications that include a session termination indication (such 7391 as a "logout" or "commit" button on a page) after which the server 7392 side of the application "knows" that there is no further reason 7393 for the client to retain the credentials. 7395 User agents that cache credentials are encouraged to provide a 7396 readily accessible mechanism for discarding cached credentials under 7397 user control. 7399 12.14.3. Protection Spaces 7401 Authentication schemes that solely rely on the "realm" mechanism for 7402 establishing a protection space will expose credentials to all 7403 resources on an origin server. Clients that have successfully made 7404 authenticated requests with a resource can use the same 7405 authentication credentials for other resources on the same origin 7406 server. This makes it possible for a different resource to harvest 7407 authentication credentials for other resources. 7409 This is of particular concern when an origin server hosts resources 7410 for multiple parties under the same canonical root URI 7411 (Section 8.5.2). Possible mitigation strategies include restricting 7412 direct access to authentication credentials (i.e., not making the 7413 content of the Authorization request header field available), and 7414 separating protection spaces by using a different host name (or port 7415 number) for each party. 7417 12.14.4. Additional Response Header Fields 7419 Adding information to responses that are sent over an unencrypted 7420 channel can affect security and privacy. The presence of the 7421 Authentication-Info and Proxy-Authentication-Info header fields alone 7422 indicates that HTTP authentication is in use. Additional information 7423 could be exposed by the contents of the authentication-scheme 7424 specific parameters; this will have to be considered in the 7425 definitions of these schemes. 7427 13. IANA Considerations 7429 The change controller for the following registrations is: "IETF 7430 (iesg@ietf.org) - Internet Engineering Task Force". 7432 13.1. URI Scheme Registration 7434 Please update the registry of URI Schemes [BCP35] at 7435 with the permanent 7436 schemes listed in the first table of Section 2.5. 7438 13.2. Method Registration 7440 Please update the "Hypertext Transfer Protocol (HTTP) Method 7441 Registry" at with the 7442 registration procedure of Section 7.4.1 and the method names 7443 summarized in the table of Section 7.2. 7445 13.3. Status Code Registration 7447 Please update the "Hypertext Transfer Protocol (HTTP) Status Code 7448 Registry" at 7449 with the registration procedure of Section 9.7.1 and the status code 7450 values summarized in the table of Section 9.1. 7452 Additionally, please update the following entry in the Hypertext 7453 Transfer Protocol (HTTP) Status Code Registry: 7455 Value: 418 7457 Description: (Unused) 7459 Reference Section 9.5.19 7461 13.4. Header Field Registration 7463 Please update the "Message Headers" registry of "Permanent Message 7464 Header Field Names" at with the header field names listed in the table of 7466 Section 4.1. 7468 13.5. Authentication Scheme Registration 7470 Please update the "Hypertext Transfer Protocol (HTTP) Authentication 7471 Scheme Registry" at with the registration procedure of Section 8.5.5.1. No 7473 authentication schemes are defined in this document. 7475 13.6. Content Coding Registration 7477 Please update the "HTTP Content Coding Registry" at 7478 with the 7479 registration procedure of Section 6.1.2.4.1 and the content coding 7480 names summarized in the table of Section 6.1.2. 7482 13.7. Range Unit Registration 7484 Please update the "HTTP Range Unit Registry" at 7485 with the 7486 registration procedure of Section 6.1.4.3 and the range unit names 7487 summarized in the table of Section 6.1.4. 7489 13.8. Media Type Registration 7491 Please update the "Media Types" registry at 7492 with the registration 7493 information in Section 6.3.4 for the media type "multipart/ 7494 byteranges". 7496 14. References 7498 14.1. Normative References 7500 [Caching] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 7501 Ed., "HTTP Caching", draft-ietf-httpbis-cache-03 (work in 7502 progress), October 2018. 7504 [Messaging] 7505 Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke, 7506 Ed., "HTTP/1.1 Messaging", draft-ietf-httpbis-messaging-03 7507 (work in progress), October 2018. 7509 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 7510 RFC 793, DOI 10.17487/RFC0793, September 1981, 7511 . 7513 [RFC1950] Deutsch, L. and J-L. Gailly, "ZLIB Compressed Data Format 7514 Specification version 3.3", RFC 1950, 7515 DOI 10.17487/RFC1950, May 1996, 7516 . 7518 [RFC1951] Deutsch, P., "DEFLATE Compressed Data Format Specification 7519 version 1.3", RFC 1951, DOI 10.17487/RFC1951, May 1996, 7520 . 7522 [RFC1952] Deutsch, P., Gailly, J-L., Adler, M., Deutsch, L., and G. 7523 Randers-Pehrson, "GZIP file format specification version 7524 4.3", RFC 1952, DOI 10.17487/RFC1952, May 1996, 7525 . 7527 [RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 7528 Extensions (MIME) Part One: Format of Internet Message 7529 Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996, 7530 . 7532 [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail 7533 Extensions (MIME) Part Two: Media Types", RFC 2046, 7534 DOI 10.17487/RFC2046, November 1996, 7535 . 7537 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 7538 Requirement Levels", BCP 14, RFC 2119, 7539 DOI 10.17487/RFC2119, March 1997, 7540 . 7542 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 7543 Resource Identifier (URI): Generic Syntax", STD 66, 7544 RFC 3986, DOI 10.17487/RFC3986, January 2005, 7545 . 7547 [RFC4647] Phillips, A., Ed. and M. Davis, Ed., "Matching of Language 7548 Tags", BCP 47, RFC 4647, DOI 10.17487/RFC4647, September 7549 2006, . 7551 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 7552 Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, 7553 . 7555 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 7556 Specifications: ABNF", STD 68, RFC 5234, 7557 DOI 10.17487/RFC5234, January 2008, 7558 . 7560 [RFC5646] Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying 7561 Languages", BCP 47, RFC 5646, DOI 10.17487/RFC5646, 7562 September 2009, . 7564 [RFC6365] Hoffman, P. and J. Klensin, "Terminology Used in 7565 Internationalization in the IETF", BCP 166, RFC 6365, 7566 DOI 10.17487/RFC6365, September 2011, 7567 . 7569 [USASCII] American National Standards Institute, "Coded Character 7570 Set -- 7-bit American Standard Code for Information 7571 Interchange", ANSI X3.4, 1986. 7573 [Welch] Welch, T., "A Technique for High-Performance Data 7574 Compression", IEEE Computer 17(6), 7575 DOI 10.1109/MC.1984.1659158, June 1984, 7576 . 7578 14.2. Informative References 7580 [BCP13] Freed, N., Klensin, J., and T. Hansen, "Media Type 7581 Specifications and Registration Procedures", BCP 13, 7582 RFC 6838, January 2013, 7583 . 7585 [BCP178] Saint-Andre, P., Crocker, D., and M. Nottingham, 7586 "Deprecating the "X-" Prefix and Similar Constructs in 7587 Application Protocols", BCP 178, RFC 6648, June 2012, 7588 . 7590 [BCP35] Thaler, D., Ed., Hansen, T., and T. Hardie, "Guidelines 7591 and Registration Procedures for URI Schemes", BCP 35, 7592 RFC 7595, June 2015, 7593 . 7595 [BCP90] Klyne, G., Nottingham, M., and J. Mogul, "Registration 7596 Procedures for Message Header Fields", BCP 90, RFC 3864, 7597 September 2004, . 7599 [Err1912] RFC Errata, Erratum ID 1912, RFC 2978, 7600 . 7602 [Err5433] RFC Errata, Erratum ID 5433, RFC 2978, 7603 . 7605 [Georgiev] 7606 Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, 7607 D., and V. Shmatikov, "The Most Dangerous Code in the 7608 World: Validating SSL Certificates in Non-browser 7609 Software", In Proceedings of the 2012 ACM Conference on 7610 Computer and Communications Security (CCS '12), pp. 38-49, 7611 October 2012, 7612 . 7614 [ISO-8859-1] 7615 International Organization for Standardization, 7616 "Information technology -- 8-bit single-byte coded graphic 7617 character sets -- Part 1: Latin alphabet No. 1", ISO/ 7618 IEC 8859-1:1998, 1998. 7620 [Kri2001] Kristol, D., "HTTP Cookies: Standards, Privacy, and 7621 Politics", ACM Transactions on Internet Technology 1(2), 7622 November 2001, . 7624 [OWASP] van der Stock, A., Ed., "A Guide to Building Secure Web 7625 Applications and Web Services", The Open Web Application 7626 Security Project (OWASP) 2.0.1, July 2005, 7627 . 7629 [REST] Fielding, R., "Architectural Styles and the Design of 7630 Network-based Software Architectures", 7631 Doctoral Dissertation, University of California, Irvine, 7632 September 2000, 7633 . 7635 [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", 7636 RFC 1919, DOI 10.17487/RFC1919, March 1996, 7637 . 7639 [RFC1945] Berners-Lee, T., Fielding, R., and H. Nielsen, "Hypertext 7640 Transfer Protocol -- HTTP/1.0", RFC 1945, 7641 DOI 10.17487/RFC1945, May 1996, 7642 . 7644 [RFC2047] Moore, K., "MIME (Multipurpose Internet Mail Extensions) 7645 Part Three: Message Header Extensions for Non-ASCII Text", 7646 RFC 2047, DOI 10.17487/RFC2047, November 1996, 7647 . 7649 [RFC2068] Fielding, R., Gettys, J., Mogul, J., Nielsen, H., and T. 7650 Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", 7651 RFC 2068, DOI 10.17487/RFC2068, January 1997, 7652 . 7654 [RFC2145] Mogul, J., Fielding, R., Gettys, J., and H. Nielsen, "Use 7655 and Interpretation of HTTP Version Numbers", RFC 2145, 7656 DOI 10.17487/RFC2145, May 1997, 7657 . 7659 [RFC2295] Holtman, K. and A. Mutz, "Transparent Content Negotiation 7660 in HTTP", RFC 2295, DOI 10.17487/RFC2295, March 1998, 7661 . 7663 [RFC2324] Masinter, L., "Hyper Text Coffee Pot Control Protocol 7664 (HTCPCP/1.0)", RFC 2324, DOI 10.17487/RFC2324, April 1998, 7665 . 7667 [RFC2557] Palme, F., Hopmann, A., Shelness, N., and E. Stefferud, 7668 "MIME Encapsulation of Aggregate Documents, such as HTML 7669 (MHTML)", RFC 2557, DOI 10.17487/RFC2557, March 1999, 7670 . 7672 [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., 7673 Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext 7674 Transfer Protocol -- HTTP/1.1", RFC 2616, 7675 DOI 10.17487/RFC2616, June 1999, 7676 . 7678 [RFC2617] Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., 7679 Leach, P., Luotonen, A., and L. Stewart, "HTTP 7680 Authentication: Basic and Digest Access Authentication", 7681 RFC 2617, DOI 10.17487/RFC2617, June 1999, 7682 . 7684 [RFC2774] Frystyk, H., Leach, P., and S. Lawrence, "An HTTP 7685 Extension Framework", RFC 2774, DOI 10.17487/RFC2774, 7686 February 2000, . 7688 [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, 7689 DOI 10.17487/RFC2818, May 2000, 7690 . 7692 [RFC2978] Freed, N. and J. Postel, "IANA Charset Registration 7693 Procedures", BCP 19, RFC 2978, DOI 10.17487/RFC2978, 7694 October 2000, . 7696 [RFC3040] Cooper, I., Melve, I., and G. Tomlinson, "Internet Web 7697 Replication and Caching Taxonomy", RFC 3040, 7698 DOI 10.17487/RFC3040, January 2001, 7699 . 7701 [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. 7702 Rose, "DNS Security Introduction and Requirements", 7703 RFC 4033, DOI 10.17487/RFC4033, March 2005, 7704 . 7706 [RFC4559] Jaganathan, K., Zhu, L., and J. Brezak, "SPNEGO-based 7707 Kerberos and NTLM HTTP Authentication in Microsoft 7708 Windows", RFC 4559, DOI 10.17487/RFC4559, June 2006, 7709 . 7711 [RFC4918] Dusseault, L., Ed., "HTTP Extensions for Web Distributed 7712 Authoring and Versioning (WebDAV)", RFC 4918, 7713 DOI 10.17487/RFC4918, June 2007, 7714 . 7716 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 7717 (TLS) Protocol Version 1.2", RFC 5246, 7718 DOI 10.17487/RFC5246, August 2008, 7719 . 7721 [RFC5322] Resnick, P., "Internet Message Format", RFC 5322, 7722 DOI 10.17487/RFC5322, October 2008, 7723 . 7725 [RFC5789] Dusseault, L. and J. Snell, "PATCH Method for HTTP", 7726 RFC 5789, DOI 10.17487/RFC5789, March 2010, 7727 . 7729 [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, 7730 "Network Time Protocol Version 4: Protocol and Algorithms 7731 Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010, 7732 . 7734 [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, 7735 DOI 10.17487/RFC6265, April 2011, 7736 . 7738 [RFC6585] Nottingham, M. and R. Fielding, "Additional HTTP Status 7739 Codes", RFC 6585, DOI 10.17487/RFC6585, April 2012, 7740 . 7742 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7743 Protocol (HTTP/1.1): Message Syntax and Routing", 7744 RFC 7230, DOI 10.17487/RFC7230, June 2014, 7745 . 7747 [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7748 Protocol (HTTP/1.1): Semantics and Content", RFC 7231, 7749 DOI 10.17487/RFC7231, June 2014, 7750 . 7752 [RFC7232] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7753 Protocol (HTTP/1.1): Conditional Requests", RFC 7232, 7754 DOI 10.17487/RFC7232, June 2014, 7755 . 7757 [RFC7233] Fielding, R., Ed., Lafon, Y., Ed., and J. Reschke, Ed., 7758 "Hypertext Transfer Protocol (HTTP): Range Requests", 7759 RFC 7233, DOI 10.17487/RFC7233, June 2014, 7760 . 7762 [RFC7235] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 7763 Protocol (HTTP/1.1): Authentication", RFC 7235, 7764 DOI 10.17487/RFC7235, June 2014, 7765 . 7767 [RFC7538] Reschke, J., "The Hypertext Transfer Protocol Status Code 7768 308 (Permanent Redirect)", RFC 7538, DOI 10.17487/RFC7538, 7769 April 2015, . 7771 [RFC7578] Masinter, L., "Returning Values from Forms: multipart/ 7772 form-data", RFC 7578, DOI 10.17487/RFC7578, July 2015, 7773 . 7775 [RFC7615] Reschke, J., "HTTP Authentication-Info and Proxy- 7776 Authentication-Info Response Header Fields", RFC 7615, 7777 DOI 10.17487/RFC7615, September 2015, 7778 . 7780 [RFC7616] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP 7781 Digest Access Authentication", RFC 7616, 7782 DOI 10.17487/RFC7616, September 2015, 7783 . 7785 [RFC7617] Reschke, J., "The 'Basic' HTTP Authentication Scheme", 7786 RFC 7617, DOI 10.17487/RFC7617, September 2015, 7787 . 7789 [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for 7790 Writing an IANA Considerations Section in RFCs", BCP 26, 7791 RFC 8126, DOI 10.17487/RFC8126, June 2017, 7792 . 7794 [RFC8187] Reschke, J., "Indicating Character Encoding and Language 7795 for HTTP Header Field Parameters", RFC 8187, 7796 DOI 10.17487/RFC8187, September 2017, 7797 . 7799 [RFC8288] Nottingham, M., "Web Linking", RFC 8288, 7800 DOI 10.17487/RFC8288, October 2017, 7801 . 7803 Appendix A. Collected ABNF 7805 In the collected ABNF below, list rules are expanded as per 7806 Section 11. 7808 Accept = [ ( "," / ( media-range [ accept-params ] ) ) *( OWS "," [ 7809 OWS ( media-range [ accept-params ] ) ] ) ] 7810 Accept-Charset = *( "," OWS ) ( ( charset / "*" ) [ weight ] ) *( OWS 7811 "," [ OWS ( ( charset / "*" ) [ weight ] ) ] ) 7812 Accept-Encoding = [ ( "," / ( codings [ weight ] ) ) *( OWS "," [ OWS 7813 ( codings [ weight ] ) ] ) ] 7814 Accept-Language = *( "," OWS ) ( language-range [ weight ] ) *( OWS 7815 "," [ OWS ( language-range [ weight ] ) ] ) 7816 Accept-Ranges = acceptable-ranges 7817 Allow = [ ( "," / method ) *( OWS "," [ OWS method ] ) ] 7818 Authentication-Info = [ ( "," / auth-param ) *( OWS "," [ OWS 7819 auth-param ] ) ] 7820 Authorization = credentials 7822 BWS = OWS 7824 Content-Encoding = *( "," OWS ) content-coding *( OWS "," [ OWS 7825 content-coding ] ) 7826 Content-Language = *( "," OWS ) language-tag *( OWS "," [ OWS 7827 language-tag ] ) 7828 Content-Length = 1*DIGIT 7829 Content-Location = absolute-URI / partial-URI 7830 Content-Range = byte-content-range / other-content-range 7831 Content-Type = media-type 7833 Date = HTTP-date 7835 ETag = entity-tag 7836 Expect = "100-continue" 7838 From = mailbox 7840 GMT = %x47.4D.54 ; GMT 7842 HTTP-date = IMF-fixdate / obs-date 7843 Host = uri-host [ ":" port ] 7845 IMF-fixdate = day-name "," SP date1 SP time-of-day SP GMT 7846 If-Match = "*" / ( *( "," OWS ) entity-tag *( OWS "," [ OWS 7847 entity-tag ] ) ) 7848 If-Modified-Since = HTTP-date 7849 If-None-Match = "*" / ( *( "," OWS ) entity-tag *( OWS "," [ OWS 7850 entity-tag ] ) ) 7851 If-Range = entity-tag / HTTP-date 7852 If-Unmodified-Since = HTTP-date 7854 Last-Modified = HTTP-date 7855 Location = URI-reference 7857 Max-Forwards = 1*DIGIT 7859 OWS = *( SP / HTAB ) 7861 Proxy-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS 7862 challenge ] ) 7863 Proxy-Authentication-Info = [ ( "," / auth-param ) *( OWS "," [ OWS 7864 auth-param ] ) ] 7865 Proxy-Authorization = credentials 7867 RWS = 1*( SP / HTAB ) 7868 Range = byte-ranges-specifier / other-ranges-specifier 7869 Referer = absolute-URI / partial-URI 7870 Retry-After = HTTP-date / delay-seconds 7872 Server = product *( RWS ( product / comment ) ) 7874 Trailer = *( "," OWS ) field-name *( OWS "," [ OWS field-name ] ) 7876 URI-reference = 7877 User-Agent = product *( RWS ( product / comment ) ) 7879 Vary = "*" / ( *( "," OWS ) field-name *( OWS "," [ OWS field-name ] 7880 ) ) 7881 Via = *( "," OWS ) ( received-protocol RWS received-by [ RWS comment 7882 ] ) *( OWS "," [ OWS ( received-protocol RWS received-by [ RWS 7883 comment ] ) ] ) 7885 WWW-Authenticate = *( "," OWS ) challenge *( OWS "," [ OWS challenge 7886 ] ) 7888 absolute-URI = 7889 absolute-path = 1*( "/" segment ) 7890 accept-ext = OWS ";" OWS token [ "=" ( token / quoted-string ) ] 7891 accept-params = weight *accept-ext 7892 acceptable-ranges = ( *( "," OWS ) range-unit *( OWS "," [ OWS 7893 range-unit ] ) ) / "none" 7894 asctime-date = day-name SP date3 SP time-of-day SP year 7895 auth-param = token BWS "=" BWS ( token / quoted-string ) 7896 auth-scheme = token 7897 authority = 7898 byte-content-range = bytes-unit SP ( byte-range-resp / 7899 unsatisfied-range ) 7900 byte-range = first-byte-pos "-" last-byte-pos 7901 byte-range-resp = byte-range "/" ( complete-length / "*" ) 7902 byte-range-set = *( "," OWS ) ( byte-range-spec / 7903 suffix-byte-range-spec ) *( OWS "," [ OWS ( byte-range-spec / 7904 suffix-byte-range-spec ) ] ) 7905 byte-range-spec = first-byte-pos "-" [ last-byte-pos ] 7906 byte-ranges-specifier = bytes-unit "=" byte-range-set 7907 bytes-unit = "bytes" 7909 challenge = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) *( 7910 OWS "," [ OWS auth-param ] ) ] ) ] 7911 charset = token 7912 codings = content-coding / "identity" / "*" 7913 comment = "(" *( ctext / quoted-pair / comment ) ")" 7914 complete-length = 1*DIGIT 7915 content-coding = token 7916 credentials = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) 7917 *( OWS "," [ OWS auth-param ] ) ] ) ] 7918 ctext = HTAB / SP / %x21-27 ; '!'-''' 7919 / %x2A-5B ; '*'-'[' 7920 / %x5D-7E ; ']'-'~' 7921 / obs-text 7923 date1 = day SP month SP year 7924 date2 = day "-" month "-" 2DIGIT 7925 date3 = month SP ( 2DIGIT / ( SP DIGIT ) ) 7926 day = 2DIGIT 7927 day-name = %x4D.6F.6E ; Mon 7928 / %x54.75.65 ; Tue 7929 / %x57.65.64 ; Wed 7930 / %x54.68.75 ; Thu 7931 / %x46.72.69 ; Fri 7932 / %x53.61.74 ; Sat 7933 / %x53.75.6E ; Sun 7934 day-name-l = %x4D.6F.6E.64.61.79 ; Monday 7935 / %x54.75.65.73.64.61.79 ; Tuesday 7936 / %x57.65.64.6E.65.73.64.61.79 ; Wednesday 7937 / %x54.68.75.72.73.64.61.79 ; Thursday 7938 / %x46.72.69.64.61.79 ; Friday 7939 / %x53.61.74.75.72.64.61.79 ; Saturday 7940 / %x53.75.6E.64.61.79 ; Sunday 7941 delay-seconds = 1*DIGIT 7943 entity-tag = [ weak ] opaque-tag 7944 etagc = "!" / %x23-7E ; '#'-'~' 7945 / obs-text 7947 field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ] 7948 field-name = token 7949 field-value = *( field-content / obs-fold ) 7950 field-vchar = VCHAR / obs-text 7951 first-byte-pos = 1*DIGIT 7953 hour = 2DIGIT 7954 http-URI = "http://" authority path-abempty [ "?" query ] 7955 https-URI = "https://" authority path-abempty [ "?" query ] 7957 language-range = 7958 language-tag = 7959 last-byte-pos = 1*DIGIT 7961 mailbox = 7962 media-range = ( "*/*" / ( type "/*" ) / ( type "/" subtype ) ) *( OWS 7963 ";" OWS parameter ) 7964 media-type = type "/" subtype *( OWS ";" OWS parameter ) 7965 method = token 7966 minute = 2DIGIT 7967 month = %x4A.61.6E ; Jan 7968 / %x46.65.62 ; Feb 7969 / %x4D.61.72 ; Mar 7970 / %x41.70.72 ; Apr 7971 / %x4D.61.79 ; May 7972 / %x4A.75.6E ; Jun 7973 / %x4A.75.6C ; Jul 7974 / %x41.75.67 ; Aug 7975 / %x53.65.70 ; Sep 7976 / %x4F.63.74 ; Oct 7977 / %x4E.6F.76 ; Nov 7978 / %x44.65.63 ; Dec 7980 obs-date = rfc850-date / asctime-date 7981 obs-fold = 7982 obs-text = %x80-FF 7983 opaque-tag = DQUOTE *etagc DQUOTE 7984 other-content-range = other-range-unit SP other-range-resp 7985 other-range-resp = *VCHAR 7986 other-range-set = 1*VCHAR 7987 other-range-unit = token 7988 other-ranges-specifier = other-range-unit "=" other-range-set 7990 parameter = token "=" ( token / quoted-string ) 7991 partial-URI = relative-part [ "?" query ] 7992 path-abempty = 7993 port = 7994 product = token [ "/" product-version ] 7995 product-version = token 7996 protocol-name = 7997 protocol-version = 7998 pseudonym = token 8000 qdtext = HTAB / SP / "!" / %x23-5B ; '#'-'[' 8001 / %x5D-7E ; ']'-'~' 8002 / obs-text 8003 query = 8004 quoted-pair = "\" ( HTAB / SP / VCHAR / obs-text ) 8005 quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE 8006 qvalue = ( "0" [ "." *3DIGIT ] ) / ( "1" [ "." *3"0" ] ) 8008 range-unit = bytes-unit / other-range-unit 8009 received-by = ( uri-host [ ":" port ] ) / pseudonym 8010 received-protocol = [ protocol-name "/" ] protocol-version 8011 relative-part = 8012 request-target = 8013 rfc850-date = day-name-l "," SP date2 SP time-of-day SP GMT 8015 second = 2DIGIT 8016 segment = 8017 subtype = token 8018 suffix-byte-range-spec = "-" suffix-length 8019 suffix-length = 1*DIGIT 8021 tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / 8022 "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA 8023 time-of-day = hour ":" minute ":" second 8024 token = 1*tchar 8025 token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) 8026 *"=" 8027 type = token 8029 unsatisfied-range = "*/" complete-length 8030 uri-host = 8032 weak = %x57.2F ; W/ 8033 weight = OWS ";" OWS "q=" qvalue 8035 year = 4DIGIT 8037 Appendix B. Changes from RFC 7230 8039 Most of the sections introducing HTTP's design goals, history, 8040 architecture, conformance criteria, protocol versioning, URIs, 8041 message routing, and header field values have been moved here 8042 (without substantive change). 8044 Furthermore: 8046 Add status code 422 (previously defined in Section 11.2 of [RFC4918]) 8047 because of it's general applicability. (Section 9.5.20) 8049 Appendix C. Changes from RFC 7231 8051 None yet. 8053 Appendix D. Changes from RFC 7232 8055 None yet. 8057 Appendix E. Changes from RFC 7233 8059 None yet. 8061 Appendix F. Changes from RFC 7235 8063 None yet. 8065 Appendix G. Changes from RFC 7615 8067 None yet. 8069 Appendix H. Change Log 8071 This section is to be removed before publishing as an RFC. 8073 H.1. Between RFC723x and draft 00 8075 The changes were purely editorial: 8077 o Change boilerplate and abstract to indicate the "draft" status, 8078 and update references to ancestor specifications. 8080 o Remove version "1.1" from document title, indicating that this 8081 specification applies to all HTTP versions. 8083 o Adjust historical notes. 8085 o Update links to sibling specifications. 8087 o Replace sections listing changes from RFC 2616 by new empty 8088 sections referring to RFC 723x. 8090 o Remove acknowledgements specific to RFC 723x. 8092 o Move "Acknowledgements" to the very end and make them unnumbered. 8094 H.2. Since draft-ietf-httpbis-semantics-00 8096 The changes in this draft are editorial, with respect to HTTP as a 8097 whole, to merge core HTTP semantics into this document: 8099 o Merged introduction, architecture, conformance, and ABNF 8100 extensions from RFC 7230 (Messaging). 8102 o Rearranged architecture to extract conformance, http(s) schemes, 8103 and protocol versioning into a separate major section. 8105 o Moved discussion of MIME differences to [Messaging] since that is 8106 primarily concerned with transforming 1.1 messages. 8108 o Merged entire content of RFC 7232 (Conditional Requests). 8110 o Merged entire content of RFC 7233 (Range Requests). 8112 o Merged entire content of RFC 7235 (Auth Framework). 8114 o Moved all extensibility tips, registration procedures, and 8115 registry tables from the IANA considerations to normative 8116 sections, reducing the IANA considerations to just instructions 8117 that will be removed prior to publication as an RFC. 8119 H.3. Since draft-ietf-httpbis-semantics-01 8121 o Improve [Welch] citation () 8124 o Remove HTTP/1.1-ism about Range Requests 8125 () 8127 o Cite RFC 8126 instead of RFC 5226 () 8130 o Cite RFC 7538 instead of RFC 7238 () 8133 o Cite RFC 8288 instead of RFC 5988 () 8136 o Cite RFC 8187 instead of RFC 5987 () 8139 o Cite RFC 7578 instead of RFC 2388 () 8142 o Cite RFC 7595 instead of RFC 4395 () 8145 o improve ABNF readability for qdtext (, ) 8148 o Clarify "resource" vs "representation" in definition of status 8149 code 416 (, 8150 ) 8152 o Resolved erratum 4072, no change needed here 8153 (, 8154 ) 8156 o Clarify DELETE status code suggestions 8157 (, 8158 ) 8160 o In Section 6.3.3, fix ABNF for "other-range-resp" to use VCHAR 8161 instead of CHAR (, 8162 ) 8164 o Resolved erratum 5162, no change needed here 8165 (, 8166 ) 8168 o Replace "response code" with "response status code" and "status- 8169 code" (the ABNF production name from the HTTP/1.1 message format) 8170 by "status code" (, 8171 ) 8173 o Added a missing word in Section 9.4 (, ) 8176 o In Section 11, fixed an example that had trailing whitespace where 8177 it shouldn't (, 8178 ) 8180 o In Section 9.3.7, remove words that were potentially misleading 8181 with respect to the relation to the requested ranges 8182 (, 8183 ) 8185 H.4. Since draft-ietf-httpbis-semantics-02 8187 o Included (Proxy-)Auth-Info header field definition from RFC 7615 8188 () 8190 o In Section 7.3.3, clarify POST caching 8191 () 8193 o Add Section 9.5.19 to reserve the 418 status code 8194 () 8196 o In Section 2.1 and Section 8.1.1, clarified when a response can be 8197 sent () 8199 o In Section 6.1.1.1, explain the difference between the "token" 8200 production, the RFC 2978 ABNF for charset names, and the actual 8201 registration practice (, ) 8204 o In Section 2.5, removed the fragment component in the URI scheme 8205 definitions as per Section 4.3 of [RFC3986], furthermore moved 8206 fragment discussion into a separate section 8207 (, 8208 , ) 8211 o In Section 3.5, add language about minor HTTP version number 8212 defaulting () 8214 o Added Section 9.5.20 for status code 422, previously defined in 8215 Section 11.2 of [RFC4918] () 8218 o In Section 9.5.17, fixed prose about byte range comparison 8219 (, 8220 ) 8222 o In Section 2.1, explain that request/response correlation is 8223 version specific () 8226 Index 8228 1 8229 100 Continue (status code) 107 8230 100-continue (expect value) 74 8231 101 Switching Protocols (status code) 107 8232 1xx Informational (status code class) 107 8234 2 8235 200 OK (status code) 108 8236 201 Created (status code) 109 8237 202 Accepted (status code) 109 8238 203 Non-Authoritative Information (status code) 109 8239 204 No Content (status code) 110 8240 205 Reset Content (status code) 110 8241 206 Partial Content (status code) 111 8242 2xx Successful (status code class) 108 8244 3 8245 300 Multiple Choices (status code) 115 8246 301 Moved Permanently (status code) 116 8247 302 Found (status code) 117 8248 303 See Other (status code) 117 8249 304 Not Modified (status code) 118 8250 305 Use Proxy (status code) 118 8251 306 (Unused) (status code) 119 8252 307 Temporary Redirect (status code) 119 8253 3xx Redirection (status code class) 114 8255 4 8256 400 Bad Request (status code) 119 8257 401 Unauthorized (status code) 119 8258 402 Payment Required (status code) 120 8259 403 Forbidden (status code) 120 8260 404 Not Found (status code) 120 8261 405 Method Not Allowed (status code) 121 8262 406 Not Acceptable (status code) 121 8263 407 Proxy Authentication Required (status code) 121 8264 408 Request Timeout (status code) 121 8265 409 Conflict (status code) 122 8266 410 Gone (status code) 122 8267 411 Length Required (status code) 122 8268 412 Precondition Failed (status code) 123 8269 413 Payload Too Large (status code) 123 8270 414 URI Too Long (status code) 123 8271 415 Unsupported Media Type (status code) 123 8272 416 Range Not Satisfiable (status code) 124 8273 417 Expectation Failed (status code) 124 8274 418 (Unused) (status code) 124 8275 422 Unprocessable Entity (status code) 125 8276 426 Upgrade Required (status code) 125 8277 4xx Client Error (status code class) 119 8279 5 8280 500 Internal Server Error (status code) 126 8281 501 Not Implemented (status code) 126 8282 502 Bad Gateway (status code) 126 8283 503 Service Unavailable (status code) 126 8284 504 Gateway Timeout (status code) 126 8285 505 HTTP Version Not Supported (status code) 126 8286 5xx Server Error (status code class) 125 8288 A 8289 Accept header field 89 8290 Accept-Charset header field 91 8291 Accept-Encoding header field 92 8292 Accept-Language header field 94 8293 Accept-Ranges header field 147 8294 Allow header field 148 8295 Authentication-Info header field 146 8296 Authorization header field 98 8297 accelerator 13 8298 authoritative response 150 8300 B 8301 browser 10 8303 C 8304 CONNECT method 70 8305 Canonical Root URI 97 8306 Content-Encoding header field 47 8307 Content-Language header field 48 8308 Content-Length header field 49 8309 Content-Location header field 50 8310 Content-Range header field 54 8311 Content-Type header field 46 8312 cache 14 8313 cacheable 14, 63 8314 captive portal 14 8315 client 10 8316 compress (Coding Format) 41 8317 compress (content coding) 40 8318 conditional request 77 8319 connection 10 8320 content coding 40 8321 content negotiation 8 8323 D 8324 DELETE method 68 8325 Date header field 131 8326 Delimiters 28 8327 deflate (Coding Format) 41 8328 deflate (content coding) 40 8329 downstream 12 8331 E 8332 ETag header field 140 8333 Expect header field 74 8334 effective request URI 32 8336 F 8337 Fragment Identifiers 18 8338 From header field 101 8340 G 8341 GET method 64 8342 Grammar 8343 absolute-path 15 8344 absolute-URI 15 8345 Accept 89 8346 Accept-Charset 92 8347 Accept-Encoding 92 8348 accept-ext 89 8349 Accept-Language 94 8350 accept-params 89 8351 Accept-Ranges 147 8352 acceptable-ranges 147 8353 Allow 148 8354 ALPHA 9 8355 asctime-date 131 8356 auth-param 96 8357 auth-scheme 96 8358 Authentication-Info 146 8359 authority 15 8360 Authorization 98 8361 BWS 30 8362 byte-content-range 54 8363 byte-range 54 8364 byte-range-resp 54 8365 byte-range-set 44 8366 byte-range-spec 44 8367 byte-ranges-specifier 44 8368 bytes-unit 43 8369 challenge 96 8370 charset 39 8371 codings 92 8372 comment 29 8373 complete-length 54 8374 content-coding 40 8375 Content-Encoding 47 8376 Content-Language 48 8377 Content-Length 49 8378 Content-Location 50 8379 Content-Range 54 8380 Content-Type 46 8381 CR 9 8382 credentials 97 8383 CRLF 9 8384 ctext 29 8385 CTL 9 8386 Date 131 8387 date1 130 8388 day 130 8389 day-name 130 8390 day-name-l 130 8391 delay-seconds 134 8392 DIGIT 9 8393 DQUOTE 9 8394 entity-tag 140 8395 ETag 140 8396 etagc 140 8397 Expect 74 8398 field-content 27 8399 field-name 23, 31 8400 field-value 27 8401 field-vchar 27 8402 first-byte-pos 44 8403 From 101 8404 GMT 130 8405 HEXDIG 9 8406 Host 33 8407 hour 130 8408 HTAB 9 8409 HTTP-date 129 8410 http-URI 16 8411 https-URI 18 8412 If-Match 81 8413 If-Modified-Since 83 8414 If-None-Match 82 8415 If-Range 86 8416 If-Unmodified-Since 84 8417 IMF-fixdate 130 8418 language-range 94 8419 language-tag 42 8420 last-byte-pos 44 8421 Last-Modified 138 8422 LF 9 8423 Location 132 8424 Max-Forwards 77 8425 media-range 89 8426 media-type 38 8427 method 60 8428 minute 130 8429 month 130 8430 obs-date 130 8431 obs-text 29 8432 OCTET 9 8433 opaque-tag 140 8434 other-content-range 54 8435 other-range-resp 54 8436 other-range-unit 43, 45 8437 OWS 30 8438 parameter 38 8439 partial-URI 15 8440 port 15 8441 product 103 8442 product-version 103 8443 protocol-name 35 8444 protocol-version 35 8445 Proxy-Authenticate 145 8446 Proxy-Authentication-Info 147 8447 Proxy-Authorization 98 8448 pseudonym 35 8449 qdtext 29 8450 query 15 8451 quoted-pair 29 8452 quoted-string 29 8453 qvalue 89 8454 Range 87 8455 range-unit 43 8456 ranges-specifier 44 8457 received-by 35 8458 received-protocol 35 8459 Referer 102 8460 Retry-After 134 8461 rfc850-date 131 8462 RWS 30 8463 second 130 8464 segment 15 8465 Server 148 8466 SP 9 8467 subtype 38 8468 suffix-byte-range-spec 44 8469 suffix-length 44 8470 tchar 28 8471 time-of-day 130 8472 token 28 8473 token68 96 8474 Trailer 31 8475 type 38 8476 unsatisfied-range 54 8477 uri-host 15 8478 URI-reference 15 8479 User-Agent 103 8480 Vary 134 8481 VCHAR 9 8482 Via 35 8483 weak 140 8484 weight 89 8485 WWW-Authenticate 144 8486 year 130 8487 gateway 13 8488 gzip (Coding Format) 41 8489 gzip (content coding) 40 8491 H 8492 HEAD method 64 8493 Host header field 33 8494 http URI scheme 16 8495 https URI scheme 18 8497 I 8498 If-Match header field 81 8499 If-Modified-Since header field 83 8500 If-None-Match header field 82 8501 If-Range header field 85 8502 If-Unmodified-Since header field 84 8503 idempotent 63 8504 inbound 12 8505 interception proxy 14 8506 intermediary 12 8508 L 8509 Last-Modified header field 138 8510 Location header field 132 8512 M 8513 Max-Forwards header field 77 8514 Media Type 8515 multipart/byteranges 55 8516 multipart/x-byteranges 56 8517 message 10 8518 metadata 135 8519 multipart/byteranges Media Type 55 8520 multipart/x-byteranges Media Type 56 8522 N 8523 non-transforming proxy 36 8525 O 8526 OPTIONS method 71 8527 origin server 10 8528 outbound 12 8530 P 8531 POST method 65 8532 PUT method 66 8533 Protection Space 97 8534 Proxy-Authenticate header field 145 8535 Proxy-Authentication-Info header field 147 8536 Proxy-Authorization header field 98 8537 payload 52 8538 phishing 150 8539 proxy 13 8541 R 8542 Range header field 87 8543 Realm 97 8544 Referer header field 102 8545 Retry-After header field 133 8546 recipient 10 8547 representation 37 8548 request 10 8549 resource 15 8550 response 10 8551 reverse proxy 13 8553 S 8554 Server header field 148 8555 Status Codes Classes 8556 1xx Informational 107 8557 2xx Successful 108 8558 3xx Redirection 114 8559 4xx Client Error 119 8560 5xx Server Error 125 8561 safe 62 8562 selected representation 37, 78, 135 8563 sender 10 8564 server 10 8565 spider 10 8567 T 8568 TRACE method 72 8569 Trailer header field 31 8570 target URI 31 8571 target resource 31 8572 transforming proxy 36 8573 transparent proxy 14 8574 tunnel 13 8576 U 8577 URI scheme 8578 http 16 8579 https 18 8580 User-Agent header field 103 8581 upstream 12 8582 user agent 10 8584 V 8585 Vary header field 134 8586 Via header field 34 8587 validator 135 8588 strong 136 8589 weak 136 8591 W 8592 WWW-Authenticate header field 144 8594 X 8595 x-compress (content coding) 40 8596 x-gzip (content coding) 40 8598 Acknowledgments 8600 This edition of the HTTP specification builds on the many 8601 contributions that went into RFC 1945, RFC 2068, RFC 2145, and RFC 8602 2616, including substantial contributions made by the previous 8603 authors, editors, and Working Group Chairs: Tim Berners-Lee, Ari 8604 Luotonen, Roy T. Fielding, Henrik Frystyk Nielsen, Jim Gettys, 8605 Jeffrey C. Mogul, Larry Masinter, Paul J. Leach, and Yves Lafon. 8607 See Section 10 of [RFC7230] for further acknowledgements from prior 8608 revisions. 8610 In addition, this document has reincorporated the HTTP Authentication 8611 Framework, previously defined in RFC 7235 and RFC 2617. We thank 8612 John Franks, Phillip M. Hallam-Baker, Jeffery L. Hostetler, Scott 8613 D. Lawrence, Paul J. Leach, Ari Luotonen, and Lawrence C. Stewart 8614 for their work on that specification. See Section 6 of [RFC2617] for 8615 further acknowledgements. 8617 [[newacks: New acks to be added here.]] 8619 Authors' Addresses 8621 Roy T. Fielding (editor) 8622 Adobe 8623 345 Park Ave 8624 San Jose, CA 95110 8625 USA 8627 EMail: fielding@gbiv.com 8628 URI: https://roy.gbiv.com/ 8630 Mark Nottingham (editor) 8631 Fastly 8633 EMail: mnot@mnot.net 8634 URI: https://www.mnot.net/ 8636 Julian F. Reschke (editor) 8637 greenbytes GmbH 8638 Hafenweg 16 8639 Muenster, NW 48155 8640 Germany 8642 EMail: julian.reschke@greenbytes.de 8643 URI: https://greenbytes.de/tech/webdav/